LinuxCommandLibrary

cmctl

Manage cert-manager from the command line

TLDR

Check if the cert-manager API is ready
$ cmctl check api

Check the status of a certificate
$ cmctl status certificate [cert_name]

Create a new certificate request based on an existing certificate
$ cmctl create certificaterequest my-cr --from-certificate-file [cert.yaml]

Create a new certificate request, fetch the signed certificate, and set a maximum wait time
$ cmctl create certificaterequest my-cr --from-certificate-file [cert.yaml] --fetch-certificate --timeout [20m]

SYNOPSIS

cmctl [flags] <command> [<args>]

PARAMETERS

--context string
    Kubeconfig context name to use

-k, --kubeconfig string
    Path to kubeconfig file

--log-level string
    Set log level (debug, info, warning, error; default "info")

--log-format string
    Log format (text, json; default "text")

-o, --output string
    Output format (table, json, yaml; default "table")

--remote
    Use remote cmctl server

--help
    Show help for command

--version
    Show cmctl version

DESCRIPTION

cmctl is the command-line interface for Cilium Mesh, a solution enabling secure multi-cluster connectivity in Kubernetes environments using Cilium's eBPF-based networking. It allows operators to manage cluster peering, service discovery across clusters, identity management, and observability for mesh-wide traffic.

Key capabilities include listing and approving clusters for peering, inspecting service endpoints across the mesh, monitoring identities, and configuring policies. cmctl interacts with the Cilium agent via Kubernetes APIs, requiring a valid kubeconfig and Cilium Mesh deployment.

Designed for GitOps workflows, it supports non-interactive scripting and integrates with tools like kubectl. Usage typically involves specifying a context or kubeconfig for the target cluster, then subcommands like cluster list to view peered clusters or service list for distributed services. It provides JSON output for automation and verbose logging for troubleshooting.

cmctl simplifies Day 2 operations in multi-cluster setups, ensuring zero-trust security with mutual TLS and identity-aware routing powered by Cilium's Hubble observability.

CAVEATS

Requires Cilium >=1.15 with Mesh enabled; kubeconfig must point to a cluster with Cilium operator. Not for single-cluster use; subcommands fail without peering config. High-privilege RBAC needed for some operations.

COMMON SUBCOMMANDS

cluster: Manage peered clusters (list, approve, delete).
identity: List and inspect mesh identities.
service: View distributed services and endpoints.
monitor: Real-time traffic flows across mesh.

INSTALLATION

Install via curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz, extract, and add to PATH. Or brew install cilium/tap/cilium-cli on macOS.

HISTORY

Introduced in Cilium 1.15 (2023) by Isovalent/Cisco for Cilium Mesh. Evolved from Hubble CLI patterns; active development focuses on multi-tenancy and federation support.

SEE ALSO

cilium(8), hubble(8), kubectl(1)
