Trying to access an external server from within a mesh. That server has its own certificate from a 3rd party CA, but can only do 1-way TLS. I need the egress gateway to check against that CA key (not a public CA).
Istio is configured to translate an HTTP request from the mesh to an HTTPS towards that server.
With this:
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: external-acme
spec:
  host: acme.default.svc.cluster.local
  workloadSelector:
    matchLabels:
      app: myapp
  trafficPolicy:
    tls:
      mode: SIMPLE
  ...
The external server's certificate is never checked (any cert is accepted, connection succeeds).
Adding this to the TLS section:
credentialName: acme
and adding a secret named "acme" with the 3rd party CA public key fails the connection, with the error
connection failure, transport failure reason: TLS error: Secret is not supplied by SDS]
How can I force CA key checking and where should I place that CA key?
Does the secret name matter?
What about the key name (such as in " --from-file=<<key>>=ca-root.cer")?
Does it matter?
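One way to make the TLS origination actually verify the server against the third-party CA, added here as an example and not part of the question above: Istio's documented convention for SIMPLE mode with credentialName is a separate generic secret named <credentialName>-cacert that holds the CA bundle under the key ca.crt, created in the namespace of the proxy that originates TLS (istio-system for the egress gateway). The names acme and acme-cacert, the external hostname acme.example.com and the istio-system namespace are assumptions.

```yaml
# Added example, not the question's own config. Assumed names: secret
# "acme-cacert", DestinationRule "external-acme", host acme.example.com,
# egress gateway running in istio-system.
#
# 1) Put ONLY the CA certificate (no private key) in a generic secret in
#    the namespace of the proxy doing the origination. For the egress
#    gateway that is istio-system. The secret name is <credentialName>-cacert
#    and the data key is ca.crt, so both the name and the key matter:
#
#   kubectl create secret generic acme-cacert \
#     --from-file=ca.crt=ca-root.cer -n istio-system
#
# 2) Reference it by credentialName WITHOUT the -cacert suffix. A SIMPLE
#    rule with no CA configured only encrypts the connection; it does not
#    authenticate the server, which is why any certificate was accepted.
#    For a plain sidecar (no egress gateway) use caCertificates: <path>
#    with the CA file mounted into the sidecar instead of credentialName.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: external-acme
spec:
  host: acme.example.com          # assumed: the ServiceEntry host of the external server
  trafficPolicy:
    tls:
      mode: SIMPLE
      credentialName: acme        # Istio loads secret "acme-cacert" via SDS
      sni: acme.example.com       # send SNI so the server presents the right cert
      subjectAltNames:            # also require this identity in the CA-signed cert
      - acme.example.com
```

With the CA in place, a server presenting a certificate not chained to ca-root.cer is rejected at the gateway instead of being silently accepted.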