Each domain controls requests for a specific host:port. This permits different handling of requests to domains like localhost:8080 or catalog:8080 if desired. If uniform handling is required, wildcards are understood to apply to all domains. A domain set to match *:8080 will match both of the above domains.
NOTEThe domain port should, in most cases, match the port of the exposed on the proxy. If they do not match, users will need to supply HOST: header keywords to all requests to match the virtual domain.
Virtual host:port matching and redirecting
TLS Configuration
NOTE Do not set an ssl_config on any domain object whose service you want to use SPIFFE/SPIRE. If a domain ssl_config is set, it will override the secret set on the corresponding listener and the mesh configuration will be wrong.
The domain object has an optional ssl_config field, which can be used to set up TLS and specify it's configuration. The Domain SSL Config Object appears as follows:
The Domain SSL Configuration is used to populate a for the Envoy Listener.
The sni field for a domain accepts a list of strings and configures the Envoy Listener to detect the requested Server Name Indication.
To specify a minimum and maximum TLS protocol version, set the protocols field to one of the following: "TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3". If one protocol is specified, it will be set as both the minimum and maximum protocol versions in Envoy. If more than one protocol version is specified in the list, the lowest will set the minimum TLS protocol version and the highest will set the maximum TLS protocol version. If this field is left empty, Envoy will choose the default TLS version.
The cipher_filter field takes a colon : delimited string to populate the cipher_suites cipher list in envoy for TLS.
This field can be used to configure redirect routes for the domain. See for details.
Fields:
Envoy Reference
A unique key used to identify this particular domain configuration. This key is used in proxy, listener, and route objects.
The zone in which this object will live. It will only be able to be referenced by objects or sent to Sidecars that live in the same zone.
The name of this virtual domain, e.g. localhost, www.greymatter.io, or catalog.svc.local. Only requests coming in to the named host will be matched and handled by attached . Is used in conjunction with the field.
This field can be set to a wildcard (*) which will match against all hostnames.
Set the specific port of the virtual host to match. Is used in conjunction with the field.
E.g. port: 8080 and name: * will setup a virtual domain matching any request made to port 8080 regardless of the host.
for this cluster. Setting the SSL Config at the domain level set this same config on all that are directly linked to this domain.
Array of URL
DEPRECATION: This field has been deprecated and will be removed in the next major version release.
This field has no effect.
A to attach to this domain.
An array of additional hostnames that should be matched in this domain. E.g. name: "www.greymatter.io" with aliases: ["greymatter.io", "localhost"]
If true, listeners attached to this domain will only accept HTTPS connections. In this case, one of the or fields should be set. If false, attached listeners will only accept plaintext HTTP connections.
An array of header key, value pairs to set on all requests that pass through this domain.
E.g.
An API calculated checksum. Can be used to verify that the API contains the expected object before performing a write.