d5d5214
feat: add dstack-ingress for custom domain TLS (CPL-152)
Garandor Mar 26, 2026
b122c80
feat: use test.chipotle.litprotocol.com for next branch
Garandor Mar 26, 2026
bb54b0c
fix: rename Route 53 secret refs to AWS_*_CERTBOT
Garandor Mar 26, 2026
01f7aea
refactor: remove compose profiles, strip dstack-ingress when no domain
Garandor Mar 26, 2026
eaea3a6
fix: rename secrets to CERTBOT_AWS_ACCESS_KEY_ID prefix convention
Garandor Mar 26, 2026
1d43a41
fix: rename AWS credential placeholders to CERTBOT_ prefix
Garandor Mar 26, 2026
f61e23b
docs: note dstack-ingress expected env var names with Phala docs link
Garandor Mar 26, 2026
b198a3b
fix: rename DOMAIN placeholder to CERTBOT_DOMAIN for consistency
Garandor Mar 26, 2026
62bd230
fix: replace dead Phala docs link with working blog post URL
Garandor Mar 26, 2026
609c6c8
fix: link to dstack-ingress DNS_PROVIDERS.md for Route 53 docs
Garandor Mar 26, 2026
9c890cc
docs: show optional AWS_ROLE_ARN/AWS_REGION for Route 53 role assumption
Garandor Mar 26, 2026
5fe1d10
fix: add missing GATEWAY_DOMAIN for dstack-ingress
Garandor Mar 26, 2026
5afa3ea
fix: restore underscore prefix in GATEWAY_DOMAIN
Garandor Mar 26, 2026
e95b571
fix: resolve merge conflict — keep lit-static removed, keep dstack-in…
Garandor Mar 26, 2026
8019956
fix: CERTBOT_AWS_ACCESS_KEY_ID is a var, not a secret
Garandor Mar 26, 2026
a8f0dee
refactor: remove optional domain logic — custom domain is mandatory
Garandor Mar 26, 2026
0b23a51
fix: hardcode CERTBOT_EMAIL to admin@litprotocol.com
Garandor Mar 26, 2026
d1db34a
refactor: derive base_url and api_root_url from domain
Garandor Mar 26, 2026
14 changes: 10 additions & 4 deletions .github/workflows/deploy-phala.yml
Expand Up @@ -49,6 +49,7 @@ jobs:
instance_type: ${{ steps.set.outputs.instance_type }}
gcp_project_id: ${{ steps.set.outputs.gcp_project_id }}
node_config: ${{ steps.set.outputs.node_config }}
domain: ${{ steps.set.outputs.domain }}
steps:
- name: Set deployment target
id: set
Expand All @@ -58,19 +59,20 @@ jobs:
echo "instance_type=tdx.large" >> "$GITHUB_OUTPUT"
echo "gcp_project_id=chipotle-dev" >> "$GITHUB_OUTPUT"
echo "node_config=NodeConfig.main.toml" >> "$GITHUB_OUTPUT"
BASE_URL="https://f8fce543471dc9f5f5643aa217422398c36e5edc-8000.dstack-base-prod5.phala.network"
DOMAIN="api.chipotle.litprotocol.com"
elif [ "${{ github.ref }}" = "refs/heads/next" ]; then
echo "phala_app_name=chipotle-next" >> "$GITHUB_OUTPUT"
echo "instance_type=tdx.small" >> "$GITHUB_OUTPUT"
echo "gcp_project_id=chipotle-next" >> "$GITHUB_OUTPUT"
echo "node_config=NodeConfig.next.toml" >> "$GITHUB_OUTPUT"
BASE_URL="https://969a8c14c9e13420705b19c7246aeed27897e7ea-8000.dstack-base-prod5.phala.network"
DOMAIN="test.chipotle.litprotocol.com"
else
echo "Unsupported branch for deployment"
exit 1
fi
echo "base_url=$BASE_URL" >> "$GITHUB_OUTPUT"
echo "api_root_url=${BASE_URL}/core/v1" >> "$GITHUB_OUTPUT"
echo "domain=${DOMAIN}" >> "$GITHUB_OUTPUT"
echo "base_url=https://${DOMAIN}" >> "$GITHUB_OUTPUT"
echo "api_root_url=https://${DOMAIN}/core/v1" >> "$GITHUB_OUTPUT"

build:
needs: [determine-target]
Expand Down Expand Up @@ -145,11 +147,15 @@ jobs:
DIGEST_LIT_ACTIONS=$(cat digest-lit-actions.txt | tr -d '\n' | sed 's/}[}]*$//')
DIGEST_LIT_API_SERVER=$(cat digest-lit-api-server.txt | tr -d '\n' | sed 's/}[}]*$//')
DIGEST_OTEL_COLLECTOR=$(cat digest-otel-collector.txt | tr -d '\n' | sed 's/}[}]*$//')
DOMAIN="${{ needs.determine-target.outputs.domain }}"
sed \
-e "s|\${DOCKER_IMAGE_LIT_ACTIONS}|${{ vars.DOCKER_IMAGE }}-lit-actions@${DIGEST_LIT_ACTIONS}|g" \
-e "s|\${DOCKER_IMAGE_LIT_API_SERVER}|${{ vars.DOCKER_IMAGE }}-lit-api-server@${DIGEST_LIT_API_SERVER}|g" \
-e "s|\${DOCKER_IMAGE_OTEL_COLLECTOR}|${{ vars.DOCKER_IMAGE }}-otel-collector@${DIGEST_OTEL_COLLECTOR}|g" \
-e "s|\${GCP_PROJECT_ID}|${{ needs.determine-target.outputs.gcp_project_id }}|g" \
-e "s|\${CERTBOT_DOMAIN}|${DOMAIN}|g" \
-e "s|\${CERTBOT_AWS_ACCESS_KEY_ID}|${{ vars.CERTBOT_AWS_ACCESS_KEY_ID }}|g" \
-e "s|\${CERTBOT_AWS_SECRET_ACCESS_KEY}|${{ secrets.CERTBOT_AWS_SECRET_ACCESS_KEY }}|g" \
docker-compose.phala.yml > docker-compose.deploy.yml
cat docker-compose.deploy.yml
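Review bot: The new `-e "s|\${CERTBOT_AWS_SECRET_ACCESS_KEY}|${{ secrets.CERTBOT_AWS_SECRET_ACCESS_KEY }}|g"` line writes the Route 53 secret key as a literal into docker-compose.deploy.yml, and the existing `cat docker-compose.deploy.yml` then prints that file to the job log, so the key sits on the runner filesystem and presumably travels inside whatever the later deploy step sends on; Actions log masking redacts only exact matches of the secret value. The compose file's own header (`Required secrets (set as encrypted Phala CVM environment variables)`) suggests this value was meant to reach the container as an encrypted CVM env var rather than as compose text, so consider dropping this sed expression and leaving `${CERTBOT_AWS_SECRET_ACCESS_KEY}` for the CVM environment to resolve, or at minimum replace the cat with `sed 's/AWS_SECRET_ACCESS_KEY:.*/AWS_SECRET_ACCESS_KEY: <redacted>/' docker-compose.deploy.yml` so the rendered file is logged without the key. The value is also interpolated unescaped into a `|`-delimited sed replacement, so a key containing `|`, `&` or `\` would silently corrupt the substitution. The step's shell body starts above the hunk.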

34 changes: 34 additions & 0 deletions docker-compose.phala.yml
Expand Up @@ -13,6 +13,9 @@
# Required secrets (set as encrypted Phala CVM environment variables):
# GCP_SERVICE_ACCOUNT_JSON - GCP service account key (raw JSON or base64-encoded)
# GCP_PROJECT_ID - GCP project ID (e.g. "my-gcp-project")
# CERTBOT_DOMAIN - Custom domain for TLS (e.g. "api.chipotle.litprotocol.com")
# CERTBOT_AWS_ACCESS_KEY_ID - Route 53 IAM credentials for DNS-01 challenge
# CERTBOT_AWS_SECRET_ACCESS_KEY - Route 53 IAM credentials for DNS-01 challenge

# RUST_LOG filter shared by lit-actions and lit-api-server.
# App code stays at trace; per-module overrides suppress low-value internals:
Expand Down Expand Up @@ -92,5 +95,36 @@ services:
- '/sys:/host/sys:ro'
restart: unless-stopped

# dstack-ingress — attestation-bound TLS termination inside the TEE.
# Obtains a Let's Encrypt cert for DOMAIN via DNS-01 (Route 53), then
# reverse-proxies HTTPS :443 → lit-api-server :8000.
dstack-ingress:
image: dstacktee/dstack-ingress:1.4@sha256:11c0481ca2e3566f514a1c8a2cc69af1e0bb9dab2e4ea49b469c81ec8e7c5c72
ports:
- "443:443"
environment:
# dstack-ingress expects DOMAIN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY internally.
# Route 53 provider docs (env vars, optional role assumption):
# https://github.com/Dstack-TEE/dstack-examples/blob/main/custom-domain/dstack-ingress/DNS_PROVIDERS.md
DOMAIN: "${CERTBOT_DOMAIN}"
GATEWAY_DOMAIN: "_.dstack-base-prod5.phala.network"
DNS_PROVIDER: "route53"
TARGET_ENDPOINT: "http://lit-api-server:8000"
CERTBOT_EMAIL: "admin@litprotocol.com"
SET_CAA: "true"
AWS_ACCESS_KEY_ID: "${CERTBOT_AWS_ACCESS_KEY_ID}"
AWS_SECRET_ACCESS_KEY: "${CERTBOT_AWS_SECRET_ACCESS_KEY}"
# Optional: for STS role assumption instead of direct IAM keys
# AWS_ROLE_ARN: "${CERTBOT_AWS_ROLE_ARN}"
# AWS_REGION: "${CERTBOT_AWS_REGION}"
volumes:
- /var/run/dstack.sock:/var/run/dstack.sock
- cert-data:/etc/letsencrypt
depends_on:
lit-api-server:
condition: service_started
restart: unless-stopped

volumes:
lit-socket:
cert-data:
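Review bot: The three header lines added under `# Required secrets (set as encrypted Phala CVM environment variables):` (`# CERTBOT_DOMAIN`, `# CERTBOT_AWS_ACCESS_KEY_ID`, `# CERTBOT_AWS_SECRET_ACCESS_KEY`) describe values that, per commit 8019956 and the deploy-phala.yml change in this PR, are substituted into the compose text by sed at deploy time — the domain is a plain hostname and the access key ID is a repository var, so only the secret access key is a GitHub secret and none of the three is set through the CVM environment. A reader following the header will look for them in the CVM configuration and not expect them to already be literal in docker-compose.deploy.yml. Suggest a separate heading for those three lines, e.g. `# Deploy-time placeholders (replaced by deploy-phala.yml before the rendered compose file is deployed; only CERTBOT_AWS_SECRET_ACCESS_KEY is a GitHub secret):`. Next to `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` it would also help to note that these static credentials are handed to a container listening on `443:443` and should be limited to record changes in the hosted zone for `DOMAIN`, or swapped for the commented `AWS_ROLE_ARN` path.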