Device provisioning and authentication
US-11246032-B1 · Feb 8, 2022 · US
US11902271B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11902271-B2 |
| Application number | US-202117224651-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 7, 2021 |
| Priority date | Apr 7, 2021 |
| Publication date | Feb 13, 2024 |
| Grant date | Feb 13, 2024 |
Abstract
Two-way secure channels are provided between multiple services across service groups, where the certification is performed by a certificate authority associated with one of the service groups. One method comprises a first service providing a first handshake communication with a first token to a second service, wherein the first service obtains the first token by authenticating with an identity and access management service having a first certificate signed by a certificate authority, wherein the first handshake communication succeeds when the second service has a second certificate signed by the certificate authority, and wherein the second service obtains a second token by authenticating with the identity and access management service. The first service receives a second handshake communication from the second service with the second token. Communications are enabled between the first and second services over a two-way authenticated channel when the first service has a third certificate signed by the certificate authority.
Claims
What is claimed is:
1. A method, comprising: providing, by a first service in a first service group, a first handshake communication with a first token to a second service in a second service group, wherein the first service obtains the first token by authenticating with an identity and access management service having a first certificate signed by a certificate authority associated with the first service group, wherein the first handshake communication between the first service and the second service succeeds in response to the second service having a second certificate signed by the certificate authority, and wherein the second service obtains a second token by authenticating with the identity and access management service having the first certificate; receiving, by the first service, a second handshake communication from the second service with the second token; and enabling communications between the first service and the second service over a two-way authenticated channel in response to the first service having a third certificate signed by the certificate authority; wherein the method is performed by at least one processing device comprising a processor coupled to a memory.
2. The method of claim 1, wherein a trust of the certificate authority is established in one or more of: (i) the first service group by storing a public key of the certificate authority to a data store of one or more services in the first service group, and (ii) the second service group by storing the public key of the certificate authority to a data store of one or more services in the second service group.
3. The method of claim 1, wherein one or more services in the first service group perform an onboarding of one or more of at least one service and at least one server in the second service group.
4. The method of claim 1, wherein a deployment of the second service, by a deployment service in the first service group using a secure protocol, comprises: establishing a role for the second service with the certificate authority; registering the second service with the identity and access management service to obtain credentials for the second service with the identity and access management service; storing a public key of the certificate authority in a data store of the second service; and storing the credentials of the second service with the identity and access management service in a data store of the second service.
5. The method of claim 1, wherein the second service uses a third token obtained from the identity and access management service to authenticate with the certificate authority to obtain a fourth token from the certificate authority, and wherein the second service uses the fourth token from the certificate authority to obtain the second certificate signed from the certificate authority.
6. The method of claim 5, wherein the certificate authority provides the third token after validating that the second token is signed by the identity and access management service and wherein the certificate authority provides the second certificate after verifying one or more permissions of the second service.
7. The method of claim 1, wherein the second service obtains the second certificate in response to a certificate signing request provided by the second service to the certificate authority.
8. The method of claim 1, wherein the first service comprises one or more of a management service and a deployment service in a trusted control plane and wherein the second service comprises a data plane service in a data plane.
9. The method of claim 1, wherein the first service obtains the third certificate using a certificate management service in the first service group.
10. The method of claim 1, wherein the identity and access management service employs token-based authentication.
11. The method of claim 1, wherein a given service identifies one or more additional services in another service group using one or more certificates signed by the certificate authority.
12. An apparatus comprising: at least one processing device comprising a processor coupled to a memory; the at least one processing device being configured to implement the following steps: providing, by a first service in a first service group, a first handshake communication with a first token to a second service in a second service group, wherein the first service obtains the first token by authenticating with an identity and access management service having a first certificate signed by a certificate authority associated with the first service group, wherein the first handshake communication between the first service and the second service succeeds in response to the second service having a second certificate signed by the certificate authority, and wherein the second service obtains a second token by authenticating with the identity and access management service having the first certificate; receiving, by the first service, a second handshake communication from the second service with the second token; and enabling communications between the first service and the second service over a two-way authenticated channel in response to the first service having a third certificate signed by the certificate authority.
13. The apparatus of claim 12, wherein one or more services in the first service group perform an onboarding of one or more of at least one service and at least one server in the second service group.
14. The apparatus of claim 12, wherein the first service comprises one or more of a management service and a deployment service in a trusted control plane and wherein the second service comprises a data plane service in a data plane.
15. The apparatus of claim 12, wherein the first service obtains the third certificate using a certificate management service in the first service group.
16. The apparatus of claim 12, wherein a given service identifies one or more additional services in another service group using one or more certificates signed by the certificate authority.
17. A non-transitory processor-readable storage medium having stored therein program code of one or more software programs, wherein the program code when executed by at least one processing device causes the at least one processing device to perform the following steps: providing, by a first service in a first service group, a first handshake communication with a first token to a second service in a second service group, wherein the first service obtains the first token by authenticating with an identity and access management service having a first certificate signed by a certificate authority associated with the first service group, wherein the first handshake communication between the first service and the second service succeeds in response to the second service having a second certificate signed by the certificate authority, and wherein the second service obtains a second token by authenticating with the identity and access management service having the first certificate; receiving, by the first service, a second handshake communication from the second service with the second token; and enabling communications between the first service and the second service over a two-way authenticated channel in response to the first service having a third certificate signed by the certificate authority.
18. The non-transitory processor-readable storage medium of claim 17, wherein one or more services in the first service group perform an onboarding of one or more of at least one service and at least one server in the second service group.
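As an added worked example (not code from the patent or its assignee), the following Go program models the arrangement described in the abstract and in claims 1 to 7 using only the standard library: a control-plane certificate authority issues a certificate only to a service that presents a token from the identity and access management service and holds an established role; a stored copy of the CA's public key is the trust anchor in both service groups; and the two-way authenticated channel is mutual TLS between the two services followed by an exchange of their IAM tokens, each checked against the identity in the peer's CA-signed certificate. Everything beyond that structure is an assumption of the example rather than the patent's text: tokens are HMAC-signed strings standing in for signed IAM tokens, the CA's own intermediate token of claim 5 is collapsed into a direct token check at the CA, the transport is an in-memory net.Pipe, and the names mgmt-svc, data-plane-svc and control-plane-ca are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// iam stands in for the identity and access management service: a token is an HMAC-signed string
// (a stand-in for a signed JWT) bound to the service it was issued to, and verify is constant-time.
type iam struct{ secret []byte }

func (i *iam) token(service string) string {
	m := hmac.New(sha256.New, i.secret)
	m.Write([]byte(service))
	return fmt.Sprintf("%s.%x", service, m.Sum(nil))
}

func (i *iam) verify(tok, service string) bool { return hmac.Equal([]byte(tok), []byte(i.token(service))) }

// ca is the certificate authority of the first (control-plane) service group; roles lists the
// services with an established role, the only ones it will issue a certificate to.
type ca struct {
	cert  *x509.Certificate
	key   ed25519.PrivateKey
	roles map[string]bool
}

func newCA(name string) *ca {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	cert, _ := x509.ParseCertificate(der)
	return &ca{cert: cert, key: key, roles: map[string]bool{}}
}

// trustStore is the CA public key as each service group keeps it in its data store.
func (c *ca) trustStore() *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(c.cert)
	return pool
}

// issue is the CA side of the certificate request: the token must have been issued by IAM for
// this exact service, and the service must hold a role, before a leaf certificate is signed.
func (c *ca) issue(id *iam, tok, service string) (tls.Certificate, error) {
	if !id.verify(tok, service) || !c.roles[service] {
		return tls.Certificate{}, fmt.Errorf("CA refused a certificate for %s", service)
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: service},
		DNSNames: []string{service}, // peers match the certificate against the service name
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, pub, c.key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// svc is one service with the certificate and IAM token it obtained when it was deployed.
type svc struct {
	name, tok string
	cert      tls.Certificate
}

func enroll(c *ca, id *iam, name string) (svc, error) {
	tok := id.token(name) // authenticate with IAM, then trade that token for a CA-signed certificate
	cert, err := c.issue(id, tok, name)
	return svc{name, tok, cert}, err
}

// exchangeTokens is the handshake over a mutually authenticated TLS connection: each side sends
// its token and checks the peer's token against the identity in the peer's CA-signed certificate.
func (s svc) exchangeTokens(conn *tls.Conn, id *iam, initiator bool) error {
	send := func() error { _, err := conn.Write([]byte(s.tok)); return err }
	recv := func() error { // the first Read or Write completes the TLS handshake, so the peer is known after it
		buf := make([]byte, 512) // a token fits in one TLS record, so a single Read returns it whole
		n, err := conn.Read(buf)
		if err != nil {
			return err
		}
		peer := conn.ConnectionState().PeerCertificates[0].Subject.CommonName
		if !id.verify(string(buf[:n]), peer) {
			return fmt.Errorf("token presented by %s rejected", peer)
		}
		return nil
	}
	a, b := send, recv
	if !initiator {
		a, b = recv, send // the responder verifies first and replies second, so the sides never write at once
	}
	if err := a(); err != nil {
		return err
	}
	return b()
}

// twoWayChannel connects first (TLS client) to second (TLS server) over mutual TLS rooted at the
// CA's public key, then exchanges tokens both ways; a failure on either side is returned.
func twoWayChannel(id *iam, roots *x509.CertPool, first, second svc) error {
	cp, dp := net.Pipe() // in-memory transport; the deadline turns a stalled handshake into an error
	cp.SetDeadline(time.Now().Add(5 * time.Second))
	dp.SetDeadline(time.Now().Add(5 * time.Second))
	srv := &tls.Config{Certificates: []tls.Certificate{second.cert}, ClientCAs: roots, MinVersion: tls.VersionTLS13,
		ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true} // net.Pipe is unbuffered: a ticket write would stall
	cli := &tls.Config{Certificates: []tls.Certificate{first.cert}, RootCAs: roots, ServerName: second.name, MinVersion: tls.VersionTLS13}
	done := make(chan error, 1)
	go func() { done <- second.exchangeTokens(tls.Server(dp, srv), id, false); dp.Close() }()
	cerr := first.exchangeTokens(tls.Client(cp, cli), id, true)
	cp.Close()
	if serr := <-done; cerr != nil || serr != nil {
		return fmt.Errorf("%s: %v | %s: %v", first.name, cerr, second.name, serr)
	}
	return nil
}

func main() {
	id, authority := &iam{secret: []byte("demo-iam-signing-secret")}, newCA("control-plane-ca") // made up
	authority.roles["mgmt-svc"], authority.roles["data-plane-svc"] = true, true
	mgmt, _ := enroll(authority, id, "mgmt-svc")
	data, _ := enroll(authority, id, "data-plane-svc")
	fmt.Println("channel:", twoWayChannel(id, authority.trustStore(), mgmt, data)) // <nil> when both sides accept
}
```

Three failure modes are worth trying against this: a data-plane certificate signed by a different CA fails inside the TLS handshake before any token is sent; a valid certificate presented together with a token that IAM issued for another identity passes the handshake and is then rejected at the token check, because the token is compared against the name in the peer's certificate rather than trusted on its own; and a service with no established role is refused by the CA before a certificate exists. The responder reads and verifies the initiator's token before sending its own, which is also what keeps the two ends of the unbuffered pipe from writing at the same time.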
using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263) · CPC title
Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy · CPC title
involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements (network architectures or network communication protocols for supporting authentication of entities using certificates in a packet data network H04L63/0823) · CPC title
Network security protocols · CPC title
using tickets or tokens, e.g. Kerberos (network architectures or network communication protocols for entities authentication using tickets in a packet data network H04L63/0807) · CPC title