mTLS Configuration

Configure mutual TLS (mTLS) for zero-trust service-to-service communication.

A hands-on guide to configuring mutual TLS for zero-trust service-to-service communication. It covers the certificate hierarchy, automated rotation and identity-based authorization, with ready-to-apply templates for Istio, Linkerd, cert-manager and SPIFFE/SPIRE, so internal traffic is encrypted and both ends of every connection are authenticated.

$15 one-time

Prices include 20% VAT. · Forged on real agency work · one-time, no lock-in

  • Type Skill
  • Category DevOps & Infra
  • Delivery Email · instant
  • License One-time
forgehouse, mtls-configuration

Inside the run · no black box

See the actual work before you buy it.

In a zero-trust mesh, every service proves who it is on every call. Certificates rotate in hours, not quarters, and this wiring treats manual renewal as a scheduled outage.

  1. Sets the policy posture first: an Istio PeerAuthentication with mode STRICT mesh-wide (the default resource in istio-system), PERMISSIVE allowed only as a dated migration window for legacy namespaces, plus portLevelMtls exceptions on a workload selector (a metrics port scraped from outside the mesh can be explicitly excluded).
  2. Configures both directions of trust: DestinationRule ISTIO_MUTUAL for in-mesh hosts, SIMPLE or MUTUAL with explicit clientCertificate, privateKey and caCertificates paths for external partners, so outbound trust is as deliberate as inbound.
  3. Automates certificate life with cert-manager: workload Certificates with duration 24h and renewBefore 8h, the correct SAN list (service DNS names and, with SPIFFE in play, the spiffe:// URI), and usages that include both server auth and client auth, so one certificate serves the workload as client and as server.
  4. Builds the CA hierarchy for blast radius: an offline root CA signing one intermediate CA per cluster, so a compromised intermediate is revoked and its cluster re-issued without touching the others; SPIFFE/SPIRE identities are added for multi-cluster federation.
  5. Verifies instead of trusting: istioctl x describe pod per workload to confirm mTLS is actually enforced (the older istioctl authn tls-check has been removed from recent Istio releases), istioctl proxy-config secret output base64-decoded through openssl x509 -noout -dates to read the real expiry, and linkerd viz edges where Linkerd carries the mTLS.
  6. Debugs handshake failures in the order the handshake hits them: protocol version and cipher suite first (both are settled in the Hello exchange, before any certificate is examined), then CA trust chain, then expiry, then SAN or SPIFFE ID mismatch, each with its own check, so the failure point is located instead of guessed.
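The CA hierarchy of step 4 and the certificate-side checks of steps 5 and 6, as an added example that is not part of the kit and not Istio's, Linkerd's or cert-manager's own tooling. It uses only openssl, so it runs with no cluster: the cluster names (cluster-a, cluster-b), the trust domain example.internal, the service names and the 8h renewBefore window are all placeholders chosen for the example. It goes one step beyond the list above: the diagnose function reports a certificate that is still valid but already inside the renewBefore window, which is what a missed rotation looks like before it becomes an outage.

```shell
#!/usr/bin/env bash
# Added example, not the kit's own scripts: offline root -> per-cluster intermediate
# -> workload leaf, built with openssl only, then diagnosed in handshake order.
# All names (cluster-a, cluster-b, example.internal, payments) are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Minimal req config so the script does not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root_ext]
basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
EOF

# Offline root: self-signed, long-lived, its key never lives in a cluster.
openssl req -x509 -config "$WORK/req.cnf" -extensions root_ext $KEYOPTS \
  -subj "/CN=Offline Root CA" -days 3650 \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Per-cluster intermediate: pathlen:0 means it can sign leaves, never another CA.
mk_intermediate() {                       # $1 = cluster name
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/$1-ca.ext"
  openssl req -new -config "$WORK/req.cnf" $KEYOPTS -subj "/CN=$1 intermediate CA" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1-ca.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$1-ca.ext" -out "$WORK/$1-ca.pem" 2>/dev/null
}

# Workload leaf: SPIFFE URI SAN plus serverAuth AND clientAuth, so one cert serves both sides.
mk_leaf() {                               # $1 = cluster, $2 = service account, $3 = days
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=URI:spiffe://%s.example.internal/ns/default/sa/%s\n' \
    "$1" "$2" > "$WORK/$1-$2.ext"
  openssl req -new -config "$WORK/req.cnf" $KEYOPTS -subj "/CN=$2.default.svc" \
    -keyout "$WORK/$1-$2.key" -out "$WORK/$1-$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1-$2.csr" -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" \
    -CAcreateserial -days "$3" -extfile "$WORK/$1-$2.ext" -out "$WORK/$1-$2.pem" 2>/dev/null
}

# diagnose INTERMEDIATE LEAF EXPECTED_SPIFFE_ID: prints the first failing stage, in the
# order a handshake would hit it, or "ok". Version and cipher negotiation come before
# all of these and need a live endpoint (openssl s_client -tls1_3 -connect host:port).
diagnose() {
  # Chain trust, with time deliberately ignored so expiry shows up as its own stage.
  openssl verify -no_check_time -CAfile "$WORK/root.pem" -untrusted "$1" "$2" >/dev/null 2>&1 \
    || { echo chain; return 0; }
  # Expiry: flag anything inside the 8h renewBefore window, not only already-expired certs.
  openssl x509 -in "$2" -noout -checkend 28800 >/dev/null 2>&1 \
    || { echo expiry; return 0; }
  # SAN: the peer identity the policy expects must actually be in the certificate.
  case "$(openssl x509 -in "$2" -noout -text)" in
    *"URI:$3"*) echo ok ;;
    *)          echo san ;;
  esac
}

mk_intermediate cluster-a
mk_intermediate cluster-b
mk_leaf cluster-a payments 1          # 24h leaf, the lifetime cert-manager would issue
mk_leaf cluster-a stale 0             # validity ends at issuance: a rotation that never ran

ID_A="spiffe://cluster-a.example.internal/ns/default/sa"
echo "healthy leaf:        $(diagnose "$WORK/cluster-a-ca.pem" "$WORK/cluster-a-payments.pem" "$ID_A/payments")"
echo "wrong intermediate:  $(diagnose "$WORK/cluster-b-ca.pem" "$WORK/cluster-a-payments.pem" "$ID_A/payments")"
echo "missed rotation:     $(diagnose "$WORK/cluster-a-ca.pem" "$WORK/cluster-a-stale.pem"    "$ID_A/stale")"
echo "identity mismatch:   $(diagnose "$WORK/cluster-a-ca.pem" "$WORK/cluster-a-payments.pem" "$ID_A/orders")"
```

The "wrong intermediate" case is the blast-radius property made concrete: a cluster-a leaf presented with only cluster-b's intermediate does not chain, so what a peer trusts is the root plus one intermediate, and revoking that intermediate cuts off exactly one cluster. Against a real mesh, feed diagnose the intermediate from the cluster's issuer Secret and a leaf extracted with istioctl proxy-config secret (base64-decoded) instead of the constructed files.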
Use cases · what happens when you plug it in

  1. Enforcing strict mutual TLS across a service mesh and migrating safely from permissive mode
  2. Setting up short-lived workload certificates with automatic rotation
  3. Debugging failed TLS handshakes step by step, from cert expiry to chain trust
  4. Securing cross-cluster and multi-cloud communication with federated trust
  5. Meeting compliance requirements for encrypted internal communication
  6. Assigning platform-agnostic workload identities with SPIFFE and SPIRE
Benefits · what you walk away with

Yours to keep. Forever. That's what owning means.

  1. Make lateral movement expensive: every internal connection is authenticated by workload identity, not by network location, so a foothold in one pod does not become free access to its neighbours
  2. Prevent silent service outages from expired certificates through automated rotation
  3. Contain the blast radius of a compromise with a layered CA hierarchy
  4. Fail closed instead of falling back to plaintext: a deny-by-default posture turns a handshake failure into a visible, diagnosable error rather than an unnoticed downgrade

All four ship under a perpetual license. Subscriptions expire · deeds don't.

What's included · the full manifest

Everything in the box.

  • Istio PeerAuthentication and DestinationRule templates for strict and mutual modes (part 01 of 06)

6 parts · one working system · ships instantly by email

Who it's for

This wasn't forged for everyone.

  • Not for you if you'd rather rent a tool than own one.
  • Not for you if you want someone else to run your stack.
  • Not for you if you're happy guessing.
Still here? Good. If you're a platform or security engineer implementing zero-trust networking and certificate management across Kubernetes service meshes, then this was forged for you.

Works with

Universal by design: these run in any AI. Delivered in the open Agent Skills + MCP format (native in Claude); ChatGPT, Gemini, Cursor and Copilot adapt the same files their own way.

  • Claude Native format
  • ChatGPT Adapts via open standards
  • Gemini Adapts via open standards
  • Cursor Adapts via open standards
  • Copilot Adapts via open standards
Questions · still in the air


  1. We run Linkerd, not Istio. Am I covered?

    Both meshes are covered: Istio gets PeerAuthentication and DestinationRule templates for strict and mutual modes, Linkerd gets automatic-mTLS verification and external-service handling. The cert-manager and SPIFFE/SPIRE setups apply regardless of mesh.

  2. How do we stop expired certificates from silently taking services down?

    Certificates are issued short-lived with renew-before windows in the cert-manager configs, so rotation happens automatically well before expiry. The rotation commands and the do/don't checklist cover the operational side, and the handshake-debugging sequence catches what still slips through.

  3. Does it handle user-facing TLS, like browsers hitting our public site?

    No. The scope is zero-trust service-to-service traffic inside and across clusters. Public edge TLS, CDN certificates, and browser-facing termination are a different problem with different tooling.

  4. How is it delivered?

    By email right after purchase: ready to run, downloaded instantly, no setup wait.

  5. One-time or subscription?

    A one-time purchase; no subscription or hidden fees. VAT (20%) is included.

  6. Can I get a refund?

    As a digital product, it can’t be refunded once downloaded. That’s why we show exactly what’s inside and who it’s for, right here.