istio: DestinationRule clientTLSSettings TLS SIMPLE stops working from Istio v1.14 onward

Bug Description

After upgrading Istio from v1.13.8 to 1.14.3, the DestinationRule used to originate TLS connections to the upstream endpoint stops working.

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: nginx-dst-rule
spec:
  exportTo:
  - "istio-system"
  host: nginx.apps.svc.cluster.local
  trafficPolicy:
    tls:
      mode: SIMPLE

istioctl bug-report produced the error log below, which says it needs caCertificates, but that field is optional, as mentioned in the Istio documentation: https://istio.io/v1.14/docs/reference/config/networking/destination-rule/#ClientTLSSettings

Running istio analyze on all namespaces and report as below:
Analysis Report:
Error [IST0128] (DestinationRule apps/nginx-dst-rule) DestinationRule apps/nginx-dst-rule in namespace apps has TLS mode set to SIMPLE but no caCertificates are set to validate server identity for host: nginx.apps.svc.cluster.local

Version

$ istioctl version
client version: 1.14.3
control plane version: 1.14.3
data plane version: 1.14.3 (2 proxies)
$ kubectl version --short
Client Version: v1.22.11
Server Version: v1.22.11

Additional Information

Below is the full bug report bug-report.tar.gz

To reproduce the issue, please follow the guideline here: https://github.com/nathluu/istio-upgrade-test. It will work with Istio v1.13.8 but not with v1.14 onward.
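
The check behind the IST0128 message quoted above, sketched as an added example (not code from the report or from Istio's analyzer): it walks DestinationRules in the shape returned by `kubectl get destinationrules -A -o json` and lists every TLS setting that originates TLS without a CA to validate the server. Covering MUTUAL and port-level settings goes beyond the SIMPLE case reported here; treating `credentialName` as a CA source is an assumption, and the second sample rule is constructed.

```python
# Added example: flag DestinationRules that originate TLS with no CA to verify the server.
import json
import sys

ORIGINATING_MODES = {"SIMPLE", "MUTUAL"}  # ISTIO_MUTUAL uses mesh-issued certificates

def lacks_server_verification(tls):
    """True if this ClientTLSSettings block originates TLS with no CA source."""
    if not tls or tls.get("mode") not in ORIGINATING_MODES:
        return False
    # Assumption: a credentialName secret is treated as possibly carrying a CA cert.
    return not (tls.get("caCertificates") or tls.get("credentialName"))

def audit(dr_list):
    """Return (namespace/name, host, scope) for each unverified TLS setting."""
    findings = []
    for dr in dr_list.get("items", []):
        meta, spec = dr.get("metadata", {}), dr.get("spec", {})
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        policy = spec.get("trafficPolicy") or {}
        if lacks_server_verification(policy.get("tls")):
            findings.append((ref, spec.get("host"), "destination"))
        for pls in policy.get("portLevelSettings") or []:
            if lacks_server_verification(pls.get("tls")):
                port = (pls.get("port") or {}).get("number")
                findings.append((ref, spec.get("host"), f"port {port}"))
    return findings

# Constructed sample: the rule from this report plus one hypothetical rule.
SAMPLE = {"items": [
    {"metadata": {"name": "nginx-dst-rule", "namespace": "apps"},
     "spec": {"host": "nginx.apps.svc.cluster.local",
              "trafficPolicy": {"tls": {"mode": "SIMPLE"}}}},
    {"metadata": {"name": "example-api", "namespace": "apps"},
     "spec": {"host": "api.example.internal",
              "trafficPolicy": {
                  "tls": {"mode": "SIMPLE", "caCertificates": "/etc/certs/ca.pem"},
                  "portLevelSettings": [
                      {"port": {"number": 8443}, "tls": {"mode": "SIMPLE"}}]}}},
]}

if __name__ == "__main__":
    # Pass a file saved from `kubectl get destinationrules -A -o json`, or use the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for ref, host, scope in audit(data):
        print(f"{ref}: TLS to {host} ({scope}) has no CA to validate the server")
```
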

About this issue

  • State: closed
  • Created a year ago
  • Comments: 20 (10 by maintainers)

Most upvoted comments

May also be related to #40680

Yes, I will file a patch to fix the istioctl bug-report error.

@nathluu I think he was referring to the Error “report” returned by istioctl - that it was incorrectly reporting an invalid error