Closed
Description
The `tls` field doesn't seem to be recognized in the `trafficPolicy` of a `DestinationRule`:
```
$ cat <<EOF | istioctl create -f -
> apiVersion: config.istio.io/v1alpha2 #TODO apiVersion: networking.istio.io/v1alpha3
> kind: DestinationRule
> metadata:
>   name: google-destination
> spec:
>   name: www.google.com
>   trafficPolicy:
>     tls:
>       mode: SIMPLE # initiates HTTPS when talking to www.google.com
> EOF
Error: configuration is invalid: traffic policy must have at least one field
```
One can get past the `istioctl` validation error by adding a second `trafficPolicy` field:
```
$ cat <<EOF | istioctl create -f -
> apiVersion: config.istio.io/v1alpha2 #TODO apiVersion: networking.istio.io/v1alpha3
> kind: DestinationRule
> metadata:
>   name: google-destination
> spec:
>   name: www.google.com
>   trafficPolicy:
>     loadBalancer:
>       simple: ROUND_ROBIN
>     tls:
>       mode: SIMPLE # initiates HTTPS when talking to www.google.com
> EOF
Created config destination-rule//google-destination at revision 410029
```
However, the rule doesn't seem to work anyway. If you create a corresponding `ExternalService` and try to curl (from the sleep service), it produces an upstream error:
```
$ cat <<EOF | istioctl create -f -
> apiVersion: config.istio.io/v1alpha2 #TODO apiVersion: networking.istio.io/v1alpha3
> kind: ExternalService
> metadata:
>   name: google-external-svc
> spec:
>   hosts:
>   - www.google.com
>   ports:
>   - number: 443
>     name: https
>     protocol: http
> EOF
Created config external-service//google-external-svc at revision 410141
$ export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
$ kubectl exec -it $SOURCE_POD -c sleep bash
root@sleep-8499f49589-7ds78:/# curl http://www.google.com:443
upstream connect error or disconnect/reset before headers
```