fix(cli): drop --with-mtls; --mtls-cluster-issuer is the single mtls switch#336
Per design review: --with-mtls was redundant. Naming a workload issuer with --mtls-cluster-issuer already expresses intent to use mtls, so it is now the sole enable switch outside test mode. Test mode still defaults the bundled mcp-runtime-ca automatically; prod names an enterprise issuer, or names mcp-runtime-ca to have setup provision a managed CA. Either way requires --with-tls (test mode exempt). Removes the flag/env/plan/validation fields; setupWorkloadPKI + preflight provision/exempt the bundled issuer whenever it is the chosen one. Updates tests, golden help, and docs.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Code Review
This pull request simplifies the mTLS configuration by removing the --with-mtls flag. Instead, the mTLS auth path is now enabled directly by specifying a workload issuer via the --mtls-cluster-issuer flag. In test mode, the issuer defaults to the bundled mcp-runtime-ca automatically. This change reduces CLI flag redundancy and simplifies the internal planning and validation logic. I have no feedback to provide.
The cli-platform scenario logs in via platform-api but exercises runtime CLI commands through MCP_PLATFORM_API_URL on the sentinel gateway port. Ensure that port-forward is started alongside platform-api so PRs that select cli-platform do not fail with connection refused on :18083. Co-authored-by: Cursor <cursoragent@cursor.com>
Design-review follow-up to #333.
`--with-mtls` was redundant — naming a workload issuer with `--mtls-cluster-issuer` already expresses intent to use mtls, so it is now the sole mtls enable switch outside test mode.

- Test mode still defaults the bundled `mcp-runtime-ca` automatically (batteries-included, no mtls flag).
- Prod names an enterprise issuer with `--mtls-cluster-issuer <your-CA>`; or names `mcp-runtime-ca` to have setup provision a managed CA. Either way requires `--with-tls` (test mode exempt).

Removes the flag, env (`MCP_SETUP_WITH_MTLS`), and the `WithMTLS` plan/Input fields; `setupWorkloadPKI` + preflight now provision/exempt the bundled issuer whenever it is the chosen one (not gated on a separate toggle). Updates unit tests, golden `setup --help`, and docs.

Good-defaults: one knob; the common test-mode path needs no flag, and prod doesn't carry a redundant toggle.
🤖 Generated with Claude Code
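The flag rule the description lays out (issuer name is the sole enable switch, test mode defaults the bundled CA, prod needs `--with-tls`), encoded as an added illustration that is not the project's own code; `Input`, `Plan` and `PlanMTLS` are hypothetical names chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// BundledIssuer is the CA test mode defaults to and that setup provisions as
// a managed CA when prod names it (name taken from the PR description).
const BundledIssuer = "mcp-runtime-ca"

// Input mirrors the three settings the PR describes: test mode, --with-tls
// and --mtls-cluster-issuer. Hypothetical struct, not the project's own.
type Input struct {
	TestMode          bool
	WithTLS           bool
	MTLSClusterIssuer string
}

// Plan is the resolved mTLS decision a setup step would act on.
type Plan struct {
	MTLSEnabled      bool
	Issuer           string
	ProvisionBundled bool // setupWorkloadPKI/preflight must provision and exempt mcp-runtime-ca
}

var ErrMTLSNeedsTLS = errors.New("--mtls-cluster-issuer requires --with-tls outside test mode")

// PlanMTLS applies the rule: naming an issuer is the only enable switch; an
// empty issuer in test mode falls back to the bundled CA; outside test mode
// mTLS is refused unless --with-tls is also set.
func PlanMTLS(in Input) (Plan, error) {
	issuer := in.MTLSClusterIssuer
	if issuer == "" {
		if !in.TestMode {
			return Plan{}, nil // no issuer named: mTLS stays off, nothing to validate
		}
		issuer = BundledIssuer // test mode: batteries-included default
	}
	if !in.TestMode && !in.WithTLS {
		return Plan{}, ErrMTLSNeedsTLS
	}
	return Plan{MTLSEnabled: true, Issuer: issuer, ProvisionBundled: issuer == BundledIssuer}, nil
}

func main() {
	p, err := PlanMTLS(Input{MTLSClusterIssuer: "enterprise-ca"}) // prod without --with-tls
	fmt.Printf("%+v err=%v\n", p, err)
}
```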