Add mtls/apikey auth setting commands for namespace#88
Merged
Conversation
anekkanti
reviewed
Jun 25, 2026
anekkanti
reviewed
Jun 25, 2026
Member
|
/review |
There was a problem hiding this comment.
Pull request overview
Adds first-class CLI support for managing namespace authentication (API key + mTLS), including the ability to toggle these settings on existing namespaces and set mTLS enabled on namespace creation. This fits into the Temporal Cloud CLI’s namespace-management surface area by exposing auth settings as dedicated subcommands and regrouping related mTLS certificate management under a single namespace mtls command tree.
Changes:
- Add
temporal cloud namespace api-key(get/set) andtemporal cloud namespace mtls(get/set) commands backed byGetNamespace+UpdateNamespace. - Add
--mtls-auth-enabledto namespace create and always populateSpec.MtlsAuthduring create. - Move certificate CA / certificate filter commands under
temporal cloud namespace mtls cert-ca|cert-filter(path rename).
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| temporalcloudcli/commands.yml | Registers new namespace api-key and namespace mtls commands and moves cert-ca/cert-filter under namespace mtls. |
| temporalcloudcli/commands.namespace.mtls.go | Implements namespace mtls get/set using CloudService GetNamespace/UpdateNamespace. |
| temporalcloudcli/commands.namespace.mtls_test.go | Unit tests for namespace mtls get/set including prompt + RV/async overrides. |
| temporalcloudcli/commands.namespace.go | Adds create-time MtlsAuthEnabled wiring and always initializes Spec.MtlsAuth. |
| temporalcloudcli/commands.namespace.create_test.go | Updates namespace-create spec expectations and adds coverage for --mtls-auth-enabled. |
| temporalcloudcli/commands.namespace.cert_filter.go | Renames cert-filter command receivers to the new namespace mtls cert-filter command types. |
| temporalcloudcli/commands.namespace.cert_filter_test.go | Updates cert-filter tests to use the new namespace mtls cert-filter command constructors/types. |
| temporalcloudcli/commands.namespace.cert_ca.go | Renames cert-ca command receivers to the new namespace mtls cert-ca command types. |
| temporalcloudcli/commands.namespace.cert_ca_test.go | Updates cert-ca tests to use the new namespace mtls cert-ca command constructors/types. |
| temporalcloudcli/commands.namespace.apikey.go | Implements namespace api-key get/set using CloudService GetNamespace/UpdateNamespace. |
| temporalcloudcli/commands.namespace.apikey_test.go | Unit tests for namespace api-key get/set. |
| temporalcloudcli/commands.gen.go | Regenerates Cobra command tree to include namespace api-key and namespace mtls (and removes old top-level cert-ca/cert-filter). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
anekkanti
approved these changes
Jun 25, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What was changed
Adds dedicated mtls/api key commands, also allows setting mtls to true on creation
Why?
so we can switch on and off auth methods
Checklist
Closes
How was this tested:
local tested
3. Any docs updates needed?
Note
High Risk
Changes namespace authentication configuration and breaks existing CLI paths for cert-ca/cert-filter; mis-toggling auth or outdated scripts could lock out clients or fail automation.
Overview
Reorganizes Temporal Cloud namespace authentication in the CLI and adds explicit toggles for API key and mTLS.
New command groups:
temporal cloud namespace api-key(get,enable,disable) andtemporal cloud namespace mtls(get,enable,disable). Enable/disable flows fetch the namespace, patchApiKeyAuthorMtlsAuth.Enabled, prompt for apply confirmation, thenUpdateNamespacewith optional resource-version and async polling—same pattern as other namespace mutations.mTLS cert management moved: Client CA and certificate filter commands are no longer top-level under
namespace; they live undernamespace mtls cert-caandnamespace mtls cert-filter(examples and generated cobra wiring updated). This is a breaking CLI path change for anyone using the oldcert-ca/cert-filtersubcommands.Namespace create: Adds
--mtls-auth-enabledand always setsMtlsAuth.Enabledon the create spec; CA certs and cert filters are applied on the sameMtlsAuthobject instead of implicitly creating it only when certs are present.Tests cover api-key/mtls get/enable/disable and create-time mTLS flag wiring; cert CA/filter tests were renamed to the new
Mtls*command types.Reviewed by Cursor Bugbot for commit 8dd41e1. Bugbot is set up for automated code reviews on this repo. Configure here.