I have been having some difficulty understanding the mechanism by which certificates are validated by either party in a mutual TLS handshake.
I have SDS enabled on my ingress gateway(s), and the certificates are read by the Ingress SDS container (secretFetcher) from a Secret of type tls with the keys/value pairs present.
My question, however, is: how exactly does Envoy trust a certificate down to the RootCA based on the cacert (or maybe I am completely off and I am mixing concepts up)?
A RootCA is usually a trusted entity and I understand how browsers and mobile devices can establish a chain of trust using a Trusted CA/ICA store.
However, with Envoy, how does it know to trust a RootCA like verisign/docusign/letsencrypt? Are these preloaded into the container at build time (or maybe as part of the base image)?
So, if we have the following scenario: how would the Ingress Gateway validate a certificate presented by Service A (which was signed by ICA_A and RootCA_A), provided that the ICA -> RootCA used by the Ingress Gateway itself are ICA_B and RootCA_B?
PS: This might be a very basic question for someone with a better understanding of certificate validation than me. I am only trying to get a better understanding of the concepts. I would really appreciate it if someone could explain the mechanics of how this works for Envoy specifically.