The tls field doesn't seem to be recognized in the trafficPolicy of a DestinationRule:
$ cat <<EOF | istioctl create -f -
> apiVersion: config.istio.io/v1alpha2 #TODO apiVersion: networking.istio.io/v1alpha3
> kind: DestinationRule
> metadata:
>   name: google-destination
> spec:
>   name: www.google.com
>   trafficPolicy:
>     tls:
>       mode: SIMPLE # initiates HTTPS when talking to www.google.com
> EOF
Error: configuration is invalid: traffic policy must have at least one field
One can get past the istioctl validation error by adding a second trafficPolicy field:
$ cat <<EOF | istioctl create -f -
> apiVersion: config.istio.io/v1alpha2 #TODO apiVersion: networking.istio.io/v1alpha3
> kind: DestinationRule
> metadata:
>   name: google-destination
> spec:
>   name: www.google.com
>   trafficPolicy:
>     loadBalancer:
>       simple: ROUND_ROBIN
>     tls:
>       mode: SIMPLE # initiates HTTPS when talking to www.google.com
> EOF
Created config destination-rule//google-destination at revision 410029
However, the rule doesn't seem to work anyway. If you create a corresponding ExternalService and try to curl (from the sleep service), it produces an upstream error:
$ cat <<EOF | istioctl create -f -
> apiVersion: config.istio.io/v1alpha2 #TODO apiVersion: networking.istio.io/v1alpha3
> kind: ExternalService
> metadata:
>   name: google-external-svc
> spec:
>   hosts:
>   - www.google.com
>   ports:
>   - number: 443
>     name: https
>     protocol: http
> EOF
Created config external-service//google-external-svc at revision 410141
$ export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
$ kubectl exec -it $SOURCE_POD -c sleep bash
root@sleep-8499f49589-7ds78:/# curl http://www.google.com:443
upstream connect error or disconnect/reset before headers