diff --git a/clustermesh/clustermesh.go b/clustermesh/clustermesh.go
index cb385c40de..0191851657 100644
--- a/clustermesh/clustermesh.go
+++ b/clustermesh/clustermesh.go
@@ -1854,45 +1854,30 @@ func (k *K8sClusterMesh) ConnectWithHelm(ctx context.Context) error {
 		return fmt.Errorf("remote and local cluster have the same, non-unique ID: %s", aiLocal.ClusterID)
 	}
 
-	// TODO (ajs): Support more than two clusters (dynamically append to config)
-	helmValues := map[string]interface{}{
-		"clustermesh": map[string]interface{}{
-			"config": map[string]interface{}{
-				"enabled": true,
-				"clusters": []map[string]interface{}{
-					map[string]interface{}{
-						"name": aiLocal.ClusterName,
-						// TODO (ajs): Support hostname-based endpoints
-						//   include logic from patchConfig
-						"ips":  []string{aiLocal.ServiceIPs[0]},
-						"port": aiLocal.ServicePort,
-					},
-					map[string]interface{}{
-						"name": aiRemote.ClusterName,
-						"ips":  []string{aiRemote.ServiceIPs[0]},
-						"port": aiRemote.ServicePort,
-					},
-				},
-			},
-		},
-	}
+	helmValuesLocal := genClusterMeshConfig(aiLocal, aiRemote)
+	// We need a deep copy of these Helm values because `helm.Upgrade` mutates them!
+	helmValuesRemote := genClusterMeshConfig(aiRemote, aiLocal)
+
+	// TODO (ajs): Support hostname-based endpoints via --helm-values override
+	//   Using the Helm value `extraDnsNames` should work as-is.
+	//   This can be useful for LoadBalancer reachability.
 
 	// Enable clustermesh using a Helm Upgrade command
 	upgradeParams := helm.UpgradeParameters{
 		Namespace:   k.params.Namespace,
 		Name:        defaults.HelmReleaseName,
-		Values:      helmValues,
+		Values:      helmValuesLocal,
 		ResetValues: false,
 		ReuseValues: true,
 	}
 
-	// TODO (ajs): After classic mode removal, use a k8s.Client for k.client
+	// TODO (ajs): After classic mode removal, use a k8s.Client for this k.client
 	_, err = helm.Upgrade(ctx, k.client.(*k8s.Client).RESTClientGetter, upgradeParams)
 	if err != nil {
 		return err
 	}
 
-	// TODO (ajs): After classic mode removal, use a k8s.Client for k.client
+	upgradeParams.Values = helmValuesRemote
 	_, err = helm.Upgrade(ctx, remoteCluster.RESTClientGetter, upgradeParams)
 	if err != nil {
 		return err
@@ -1901,3 +1886,28 @@ func (k *K8sClusterMesh) ConnectWithHelm(ctx context.Context) error {
 	k.Log("✅ Connected cluster %s and %s!", k.client.ClusterName(), remoteCluster.ClusterName())
 	return nil
 }
+
+func genClusterMeshConfig(aiLocal, aiRemote *accessInformation) map[string]interface{} {
+	// TODO (ajs): Support more than two clusters
+	return map[string]interface{}{
+		"clustermesh": map[string]interface{}{
+			"config": map[string]interface{}{
+				"enabled": true,
+				// Use certgen to support Cilium versions less than v0.14
+				"method": "cronJob",
+				"clusters": []map[string]interface{}{
+					{
+						"name": aiLocal.ClusterName,
+						"ips":  []string{aiLocal.ServiceIPs[0]},
+						"port": aiLocal.ServicePort,
+					},
+					{
+						"name": aiRemote.ClusterName,
+						"ips":  []string{aiRemote.ServiceIPs[0]},
+						"port": aiRemote.ServicePort,
+					},
+				},
+			},
+		},
+	}
+}