cli: clustermesh: use ca bundle to connect clusters#42833
Merged
MrFreezeex merged 1 commit intomainfrom Jan 20, 2026
Merged
Conversation
Member
Author
|
/test |
304c79c to
6fee887
Compare
Member
Author
|
/test |
1 similar comment
Member
Author
|
/test |
f8b44e4 to
b49a8d3
Compare
Member
Author
|
/test |
b49a8d3 to
c7a35f1
Compare
Member
Author
|
/test |
373c1ce to
3caaa67
Compare
Member
Author
|
/test |
|
This pull request has been automatically marked as stale because it |
3caaa67 to
0d8f02b
Compare
Member
Author
|
/test |
0d8f02b to
46b7977
Compare
Member
Author
|
/test |
e0b068d to
f4ec988
Compare
Member
Author
|
/test |
Member
Author
|
/test |
3c42e8b to
0a3a0df
Compare
Member
Author
|
/test |
1 similar comment
Member
Author
|
/test |
Member
Author
|
Ok! I think this should work out with what we just discussed! It does not set a ca bundle if not necessary which make the CI works without ignoring any warning/error and it restart the clustermesh-apiserver pods if the CA bundle changes. I tested locally by removing the cilium-ca copy and it seems to work fine 👀 |
giorio94
requested changes
Jan 19, 2026
Member
giorio94
left a comment
There was a problem hiding this comment.
Thanks! Overall looks good to me, with a few (mostly minor) comments inline.
527c95f to
382a7db
Compare
Member
Author
|
/test |
giorio94
approved these changes
Jan 20, 2026
Member
giorio94
left a comment
There was a problem hiding this comment.
Thanks! A few nits inline, looks good to me otherwise.
382a7db to
be6ff17
Compare
Member
Author
|
/test |
giorio94
reviewed
Jan 20, 2026
be6ff17 to
62df61a
Compare
Member
Author
|
/test |
Make the CLI use ca bundle instead of the deprecated per cluster key/certs. Also introduce a ``--allow-mismatching-ca`` flag to make it explicit that the user should allow adding clusters with different CAs and error out otherwise. Signed-off-by: Arthur Outhenin-Chalandre <git@mrfreezeex.fr>
62df61a to
40e4d05
Compare
Member
Author
|
/test |
derailed
approved these changes
Jan 20, 2026
lambchop4prez
added a commit
to lambchop4prez/network
that referenced
this pull request
Feb 26, 2026
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [aqua:cilium/cilium-cli](https://redirect.github.com/cilium/cilium-cli) | patch | `0.19.0` → `0.19.2` | --- ### Release Notes <details> <summary>cilium/cilium-cli (aqua:cilium/cilium-cli)</summary> ### [`v0.19.2`](https://redirect.github.com/cilium/cilium-cli/compare/v0.19.1...v0.19.2) [Compare Source](https://redirect.github.com/cilium/cilium-cli/compare/v0.19.1...v0.19.2) ### [`v0.19.1`](https://redirect.github.com/cilium/cilium-cli/releases/tag/v0.19.1) [Compare Source](https://redirect.github.com/cilium/cilium-cli/compare/v0.19.0...v0.19.1) ## Summary of Changes **Minor Changes:** - cli: clustermesh: use ca bundle to connect clusters ([cilium/cilium#42833](https://redirect.github.com/cilium/cilium/issues/42833), [@​MrFreezeex](https://redirect.github.com/MrFreezeex)) **Bugfixes:** - cilium-cli: Fix NodePort deployment check in dual-stack clusters ([cilium/cilium#43888](https://redirect.github.com/cilium/cilium/issues/43888), [@​gandro](https://redirect.github.com/gandro)) - Fix GKE conformance test NodePort timeouts by skipping unreachable external IP validation on GKE ([cilium/cilium#44014](https://redirect.github.com/cilium/cilium/issues/44014), [@​pillai-ashwin](https://redirect.github.com/pillai-ashwin)) **CI Changes:** - cli: Relax warning exclusion for "unable to find key in local cache" ([cilium/cilium#44149](https://redirect.github.com/cilium/cilium/issues/44149), [@​brb](https://redirect.github.com/brb)) **Misc Changes:** - chore(deps): update all-dependencies (main) ([cilium/cilium#43700](https://redirect.github.com/cilium/cilium/issues/43700), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (main) ([cilium/cilium#43824](https://redirect.github.com/cilium/cilium/issues/43824), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (main) ([cilium/cilium#43965](https://redirect.github.com/cilium/cilium/issues/43965), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (main) ([cilium/cilium#44090](https://redirect.github.com/cilium/cilium/issues/44090), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (main) ([cilium/cilium#44235](https://redirect.github.com/cilium/cilium/issues/44235), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update base-images (main) ([cilium/cilium#43827](https://redirect.github.com/cilium/cilium/issues/43827), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update base-images (main) ([cilium/cilium#43969](https://redirect.github.com/cilium/cilium/issues/43969), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update base-images (main) ([cilium/cilium#44239](https://redirect.github.com/cilium/cilium/issues/44239), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - cilium-cli: Fix container name in connectivity test logs ([cilium/cilium#44076](https://redirect.github.com/cilium/cilium/issues/44076), [@​HadrienPatte](https://redirect.github.com/HadrienPatte)) - docs: fix typos in comments ([cilium/cilium#43821](https://redirect.github.com/cilium/cilium/issues/43821), [@​NAM-MAN](https://redirect.github.com/NAM-MAN)) - feat(cilium-cli): Add -r(estart) parameter to cilium upgrade ([cilium/cilium#43722](https://redirect.github.com/cilium/cilium/issues/43722), [@​alagoutte](https://redirect.github.com/alagoutte)) - Introduce end-to-end tests for Cilium's ZTunnel integration. ([cilium/cilium#43166](https://redirect.github.com/cilium/cilium/issues/43166), [@​ldelossa](https://redirect.github.com/ldelossa)) - Replace Index{,Byte} with Cut,Contains ([cilium/cilium#43708](https://redirect.github.com/cilium/cilium/issues/43708), [@​joestringer](https://redirect.github.com/joestringer)) - sysdump: Use label selectors for Hubble UI/Relay deployment collection ([cilium/cilium#44227](https://redirect.github.com/cilium/cilium/issues/44227), [@​darox](https://redirect.github.com/darox)) - chore(deps): update dependency cilium/cilium to v1.18.6 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​3168](https://redirect.github.com/cilium/cilium-cli/pull/3168) - Update stable release to v0.19.0 by [@​tklauser](https://redirect.github.com/tklauser) in [#​3169](https://redirect.github.com/cilium/cilium-cli/pull/3169) - chore(deps): update go to v1.25.6 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​3170](https://redirect.github.com/cilium/cilium-cli/pull/3170) - chore(deps): update docker.io/library/golang:1.25.6 docker digest to [`ce63a16`](https://redirect.github.com/cilium/cilium-cli/commit/ce63a16) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​3172](https://redirect.github.com/cilium/cilium-cli/pull/3172) - chore(deps): update actions/checkout action to v6.0.2 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​3171](https://redirect.github.com/cilium/cilium-cli/pull/3171) - ci: Harden the image build process by [@​ferozsalam](https://redirect.github.com/ferozsalam) in [#​3174](https://redirect.github.com/cilium/cilium-cli/pull/3174) - chore(deps): update gcr.io/distroless/static:latest docker digest to [`972618c`](https://redirect.github.com/cilium/cilium-cli/commit/972618c) by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​3176](https://redirect.github.com/cilium/cilium-cli/pull/3176) - chore(deps): update all github action dependencies by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​3175](https://redirect.github.com/cilium/cilium-cli/pull/3175) - chore(deps): update go to v1.25.7 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​3178](https://redirect.github.com/cilium/cilium-cli/pull/3178) - chore(deps): update golangci/golangci-lint docker tag to v2.9.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​3179](https://redirect.github.com/cilium/cilium-cli/pull/3179) - chore(deps): update go to v1.26.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​3181](https://redirect.github.com/cilium/cilium-cli/pull/3181) - chore(deps): update docker/build-push-action action to v6.19.0 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​3180](https://redirect.github.com/cilium/cilium-cli/pull/3180) - chore(deps): update docker/build-push-action action to v6.19.2 by [@​renovate](https://redirect.github.com/renovate)\[bot] in [#​3183](https://redirect.github.com/cilium/cilium-cli/pull/3183) - Prepare for v0.19.1 release by [@​tklauser](https://redirect.github.com/tklauser) in [#​3184](https://redirect.github.com/cilium/cilium-cli/pull/3184) #### New Contributors - [@​ferozsalam](https://redirect.github.com/ferozsalam) made their first contribution in [#​3174](https://redirect.github.com/cilium/cilium-cli/pull/3174) **Full Changelog**: <cilium/cilium-cli@v0.19.0...v0.19.1> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/lambchop4prez/network). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My44LjUiLCJ1cGRhdGVkSW5WZXIiOiI0My4zNi4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJyZW5vdmF0ZS9naXRodWItcmVsZWFzZXMiLCJ0eXBlL3BhdGNoIl19-->
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
TLS keys inside values was recently deprecated (#42576), so this commit changes the CLI connect command to trust each clusters CA in CA bundle.