Destinationrule clientTLSSettings TLS SIMPLE stops working from Istio v1.14 onward #42790
Closed
Description
Bug Description
After upgrading Istio from v1.13.8 to 1.14.3, the DestinationRule used to originate a TLS connection to the upstream endpoint stops working.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: nginx-dst-rule
spec:
  exportTo:
  - "istio-system"
  host: nginx.apps.svc.cluster.local
  trafficPolicy:
    tls:
      mode: SIMPLE
istioctl bug-report produced the error log below. It says the rule needs caCertificates, but that field is optional, as mentioned in the Istio documentation: https://istio.io/v1.14/docs/reference/config/networking/destination-rule/#ClientTLSSettings
Running istio analyze on all namespaces and report as below:
Analysis Report:
Error [IST0128] (DestinationRule apps/nginx-dst-rule) DestinationRule apps/nginx-dst-rule in namespace apps has TLS mode set to SIMPLE but no caCertificates are set to validate server identity for host: nginx.apps.svc.cluster.local
Version
$ istioctl version
client version: 1.14.3
control plane version: 1.14.3
data plane version: 1.14.3 (2 proxies)
$ kubectl version --short
Client Version: v1.22.11
Server Version: v1.22.11
Additional Information
Below is the full bug report
bug-report.tar.gz
To reproduce the issue, please follow the guideline here: https://github.com/nathluu/istio-upgrade-test.
It will work with Istio v1.13.8 but not with v1.14 onward.
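The IST0128 message quoted in the report is about server identity validation: the rule originates TLS in SIMPLE mode but names no CA to verify the upstream certificate against. The sketch below is an added example, not part of the issue and not istioctl's own analyzer code; it is a simplified check for that condition over parsed DestinationRule manifests, extended to subsets and port-level settings. The helper names, the CA path, the SAN value and the treatment of `credentialName` are assumptions.

```python
# Simplified stand-in for the IST0128-style check, not istioctl's own code.
ORIGINATING_MODES = {"SIMPLE", "MUTUAL"}  # modes where the sidecar originates TLS

def _unverified(tls):
    """True when ClientTLSSettings originates TLS but names no CA source."""
    if not tls or tls.get("mode") not in ORIGINATING_MODES:
        return False
    # Assumption: a credentialName secret may supply the CA, so it is not flagged.
    return not tls.get("caCertificates") and not tls.get("credentialName")

def audit_destination_rule(dr):
    """Return one finding per scope (host, subset, port) lacking a CA."""
    meta, spec = dr.get("metadata", {}), dr.get("spec", {})
    rule = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
    scopes = [(f'host {spec.get("host")}', spec.get("trafficPolicy"))]
    scopes += [(f'subset {s.get("name")}', s.get("trafficPolicy"))
               for s in spec.get("subsets") or []]
    findings = []
    for scope, policy in scopes:
        policy = policy or {}
        if _unverified(policy.get("tls")):
            findings.append(f"{rule}: {scope}: no CA to validate the server")
        for pls in policy.get("portLevelSettings") or []:
            if _unverified(pls.get("tls")):
                port = (pls.get("port") or {}).get("number")
                findings.append(f"{rule}: {scope} port {port}: no CA to validate the server")
    return findings

def make_rule(traffic_policy):
    """Build the issue's DestinationRule around a given trafficPolicy."""
    return {"apiVersion": "networking.istio.io/v1alpha3", "kind": "DestinationRule",
            "metadata": {"name": "nginx-dst-rule", "namespace": "apps"},
            "spec": {"exportTo": ["istio-system"],
                     "host": "nginx.apps.svc.cluster.local",
                     "trafficPolicy": traffic_policy}}

ISSUE_RULE = make_rule({"tls": {"mode": "SIMPLE"}})  # as posted in the issue
# Constructed variants: the CA path and SAN below are placeholders.
WITH_CA = make_rule({"tls": {"mode": "SIMPLE",
                             "caCertificates": "/etc/certs/upstream-ca.pem",
                             "subjectAltNames": ["nginx.apps.svc.cluster.local"]}})
PORT_ONLY = make_rule({"portLevelSettings": [
    {"port": {"number": 443}, "tls": {"mode": "SIMPLE"}}]})

if __name__ == "__main__":
    for dr in (ISSUE_RULE, WITH_CA, PORT_ONLY):
        print(audit_destination_rule(dr) or "ok")
```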