istio: Destinationrule clientTLSSettings TLS SIMPLE stops working from Istio v1.14 onward
Bug Description
After upgrading Istio from v1.13.8 to 1.14.3, the DestinationRule used to originate a TLS connection to the upstream endpoint stops working.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: nginx-dst-rule
spec:
  exportTo:
  - "istio-system"
  host: nginx.apps.svc.cluster.local
  trafficPolicy:
    tls:
      mode: SIMPLE
istioctl bug-report produced the error log below, which says it needs caCertificates, but that field is optional, as mentioned in the Istio documentation: https://istio.io/v1.14/docs/reference/config/networking/destination-rule/#ClientTLSSettings
Running istio analyze on all namespaces and report as below:
Analysis Report:
Error [IST0128] (DestinationRule apps/nginx-dst-rule) DestinationRule apps/nginx-dst-rule in namespace apps has TLS mode set to SIMPLE but no caCertificates are set to validate server identity for host: nginx.apps.svc.cluster.local
Version
$ istioctl version
client version: 1.14.3
control plane version: 1.14.3
data plane version: 1.14.3 (2 proxies)
$ kubectl version --short
Client Version: v1.22.11
Server Version: v1.22.11
Additional Information
Below is the full bug report bug-report.tar.gz
To reproduce the issue please follow the guideline here https://github.com/nathluu/istio-upgrade-test. It will work with istio v1.13.8 but not for v1.14 onward.
About this issue
- State: closed
- Created a year ago
- Comments: 20 (10 by maintainers)
May also be related to #40680
Yes, I will file a patch to fix the istioctl bug-report error
@nathluu I think he was referring to the Error “report” returned by istioctl - that it was incorrectly reporting an invalid error
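
The condition described by the IST0128 message quoted in the issue (TLS mode SIMPLE with no caCertificates to validate the server identity) can be listed for every DestinationRule in a cluster. The following is an added example, not code from the issue or from Istio: it reads JSON in the shape of `kubectl get destinationrule -A -o json`, and the sample manifests, the `/path/to/ca.pem` placeholder, the function names, and the choice to count `credentialName` as a CA source are assumptions.

```python
import json

# Constructed sample in the shape of `kubectl get destinationrule -A -o json`.
# Item 1 is the rule from this issue; item 2 adds a CA bundle (placeholder path,
# not from the issue); item 3 is a constructed port-level case.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"namespace": "apps", "name": "nginx-dst-rule"},
     "spec": {"host": "nginx.apps.svc.cluster.local",
              "trafficPolicy": {"tls": {"mode": "SIMPLE"}}}},
    {"metadata": {"namespace": "apps", "name": "nginx-dst-rule-ca"},
     "spec": {"host": "nginx.apps.svc.cluster.local",
              "trafficPolicy": {"tls": {"mode": "SIMPLE",
                                        "caCertificates": "/path/to/ca.pem"}}}},
    {"metadata": {"namespace": "apps", "name": "per-port"},
     "spec": {"host": "db.apps.svc.cluster.local", "trafficPolicy": {
         "portLevelSettings": [{"port": {"number": 443},
                                "tls": {"mode": "SIMPLE"}}]}}},
]})

def tls_blocks(spec):
    """Yield (location, tls) for top-level, port-level and subset policies."""
    policies = [("trafficPolicy", spec.get("trafficPolicy") or {})]
    for s in spec.get("subsets") or []:
        policies.append((f"subset {s.get('name')}", s.get("trafficPolicy") or {}))
    for where, tp in policies:
        if "tls" in tp:
            yield where, tp["tls"]
        for pls in tp.get("portLevelSettings") or []:
            if "tls" in pls:
                port = (pls.get("port") or {}).get("number")
                yield f"{where} port {port}", pls["tls"]

def unverified_tls(doc):
    """Return rules that originate SIMPLE/MUTUAL TLS with no CA source set."""
    findings = []
    for item in json.loads(doc).get("items", []):
        meta, spec = item["metadata"], item.get("spec", {})
        for where, tls in tls_blocks(spec):
            if tls.get("mode") not in ("SIMPLE", "MUTUAL"):
                continue  # DISABLE and ISTIO_MUTUAL are out of scope here
            if tls.get("caCertificates") or tls.get("credentialName"):
                continue  # assumption: either field supplies a CA bundle
            findings.append((meta.get("namespace"), meta["name"],
                             spec.get("host"), where, tls["mode"]))
    return findings

if __name__ == "__main__":
    for finding in unverified_tls(SAMPLE):
        print("no CA configured to validate server identity:", finding)
```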