istio: Destinationrule clientTLSSettings TLS SIMPLE stops working from Istio v1.14 onward

Bug Description

After upgrading Istio from v1.13.8 to 1.14.3, destinationrule used to originate TLS connection to the upstream endpoint stops working.

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: nginx-dst-rule
spec:
  exportTo:
  - "istio-system"
  host: nginx.apps.svc.cluster.local
  trafficPolicy:
    tls:
      mode: SIMPLE

istioctl bug-report produced below error log says it needs caCertificates but that field is optional as mentioned in istio document https://istio.io/v1.14/docs/reference/config/networking/destination-rule/#ClientTLSSettings

Running istio analyze on all namespaces and report as below:
Analysis Report:
Error [IST0128] (DestinationRule apps/nginx-dst-rule) DestinationRule apps/nginx-dst-rule in namespace apps has TLS mode set to SIMPLE but no caCertificates are set to validate server identity for host: nginx.apps.svc.cluster.local

Version

$ istioctl version
client version: 1.14.3
control plane version: 1.14.3
data plane version: 1.14.3 (2 proxies)
$ kubectl version --short
Client Version: v1.22.11
Server Version: v1.22.11

Additional Information

Below is the full bug report bug-report.tar.gz

To reproduce the issue please follow the guideline here https://github.com/nathluu/istio-upgrade-test. It will work with istio v1.13.8 but not for v1.14 onward.

About this issue

  • Original URL
  • State: closed
  • Created a year ago
  • Comments: 20 (10 by maintainers)

Most upvoted comments

May also be related to #40680

+1
keithmattix on Feb 8, 2023

Yes, i will file a patch to fix the istioctl bug-report error

+1
hzxuzhonghu on Jan 19, 2023

@nathluu I think he was referring to the Error “report” returned by istioctl - that it was incorrectly reporting an invalid error

+1
GregHanson on Jan 18, 2023
Read more comments on GitHub
← istio: destination_service_namespace unknown in a lot of the istio_requests_total metric
istio: Disabling only Policy does not work →