fix(cli): drop --with-mtls; --mtls-cluster-issuer is the single mtls switch #336

Merged: Agent-Hellboy merged 2 commits into main from cli/drop_with_mtls_flag on Jun 29, 2026

@Agent-Hellboy

Owner

Design-review follow-up to #333. --with-mtls was redundant — naming a workload issuer with --mtls-cluster-issuer already expresses intent to use mtls, so it is now the sole mtls enable switch outside test mode.

  • test-mode → still defaults the bundled mcp-runtime-ca automatically (batteries-included, no mtls flag).
  • prod → --mtls-cluster-issuer <your-CA>; or name mcp-runtime-ca to have setup provision a managed CA. Either way requires --with-tls (test mode exempt).

Removes the flag, env (MCP_SETUP_WITH_MTLS), and the WithMTLS plan/Input fields; setupWorkloadPKI + preflight now provision/exempt the bundled issuer whenever it is the chosen one (not gated on a separate toggle). Updates unit tests, golden setup --help, and docs.

Good-defaults: one knob; the common test-mode path needs no flag, and prod doesn't carry a redundant toggle.

🤖 Generated with Claude Code

…switch

Per design review: --with-mtls was redundant. Naming a workload issuer with
--mtls-cluster-issuer already expresses intent to use mtls, so it is now the sole
enable switch outside test mode. Test mode still defaults the bundled
mcp-runtime-ca automatically; prod names an enterprise issuer, or names
mcp-runtime-ca to have setup provision a managed CA. Either way requires
--with-tls (test mode exempt). Removes the flag/env/plan/validation fields;
setupWorkloadPKI + preflight provision/exempt the bundled issuer whenever it is
the chosen one. Updates tests, golden help, and docs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
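
The flag semantics described in the PR description and commit message above, written out as a resolver with its decision table. This is an added example, not code from the repository: `SetupInput`, `MTLSPlan`, `ResolveMTLS` and the `TestMode` field are hypothetical names, and only `--with-tls`, `--mtls-cluster-issuer` and `mcp-runtime-ca` come from the page.

```go
package main

import (
	"errors"
	"fmt"
)

// BundledIssuer is the managed CA name given in the PR description.
const BundledIssuer = "mcp-runtime-ca"

// SetupInput is a hypothetical stand-in for the parsed setup flags.
type SetupInput struct {
	TestMode          bool   // test mode (how it is selected is not shown on the page)
	WithTLS           bool   // --with-tls
	MTLSClusterIssuer string // --mtls-cluster-issuer
}

// MTLSPlan is a hypothetical resolved plan; note there is no separate WithMTLS toggle.
type MTLSPlan struct {
	Enabled            bool
	Issuer             string
	ProvisionManagedCA bool // true only when the bundled issuer is the chosen one
}

var ErrMTLSNeedsTLS = errors.New("--mtls-cluster-issuer requires --with-tls outside test mode")

// ResolveMTLS derives the mTLS plan from the issuer name alone.
func ResolveMTLS(in SetupInput) (MTLSPlan, error) {
	issuer := in.MTLSClusterIssuer
	if issuer == "" && in.TestMode {
		issuer = BundledIssuer // test mode defaults the bundled CA, no flag needed
	}
	if issuer == "" {
		return MTLSPlan{}, nil // prod without an issuer: mTLS stays off
	}
	if !in.WithTLS && !in.TestMode {
		return MTLSPlan{}, ErrMTLSNeedsTLS // fail closed instead of silently skipping mTLS
	}
	return MTLSPlan{Enabled: true, Issuer: issuer, ProvisionManagedCA: issuer == BundledIssuer}, nil
}

func main() {
	// Constructed inputs covering each row of the decision table.
	for _, in := range []SetupInput{{TestMode: true}, {}, {MTLSClusterIssuer: "corp-ca"},
		{WithTLS: true, MTLSClusterIssuer: "corp-ca"}, {WithTLS: true, MTLSClusterIssuer: BundledIssuer}} {
		plan, err := ResolveMTLS(in)
		fmt.Printf("%+v -> %+v err=%v\n", in, plan, err)
	}
}
```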

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor


Code Review

This pull request simplifies the mTLS configuration by removing the --with-mtls flag. Instead, the mTLS auth path is now enabled directly by specifying a workload issuer via the --mtls-cluster-issuer flag. In test mode, the issuer defaults to the bundled mcp-runtime-ca automatically. This change reduces CLI flag redundancy and simplifies the internal planning and validation logic. I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

The cli-platform scenario logs in via platform-api but exercises runtime
CLI commands through MCP_PLATFORM_API_URL on the sentinel gateway port.
Ensure that port-forward is started alongside platform-api so PRs that
select cli-platform do not fail with connection refused on :18083.

Co-authored-by: Cursor <cursoragent@cursor.com>
@Agent-Hellboy Agent-Hellboy merged commit 5ceeabe into main Jun 29, 2026
23 checks passed