feat: add dstack-ingress for custom domain TLS (CPL-152)#181
Merged
Conversation
Add dstack-ingress service to docker-compose.phala.yml for attestation-bound TLS termination inside the TEE. On main branch, deploys with DOMAIN=api.chipotle.litprotocol.com using Let's Encrypt DNS-01 via Route 53. On next branch, dstack-ingress is removed from the deploy compose file (no custom domain).
- docker-compose.phala.yml: add dstack-ingress service behind "custom-domain" profile with Route 53 DNS provider config
- deploy-phala.yml: add domain output, substitute TLS secrets in deploy step, conditionally strip profiles or remove service block
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CPL-152 Update docker-compose + deploy workflow for Phase 0
Code changes to deploy dstack-ingress with
Builds on PR #153 (
docker-compose.phala.yml
deploy-phala.yml
determine-target — add
deploy job — sed substitutions:
    -e \"s|\\${DOMAIN}|$DOMAIN|g\"
    -e \"s|\\${CERTBOT_EMAIL}|$CERTBOT_EMAIL|g\"
    -e \"s|\\${AWS_ACCESS_KEY_ID}|$AWS_ACCESS_KEY_ID|g\"
    -e \"s|\\${AWS_SECRET_ACCESS_KEY}|$AWS_SECRET_ACCESS_KEY|g\"
    -e '/profiles:/d'
Strip
Blocked on
Reserve api.chipotle.litprotocol.com for main branch deployments. The next branch gets its own custom domain at test.chipotle.litprotocol.com. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The GitHub secrets for the certbot Route 53 IAM credentials are named AWS_ACCESS_KEY_ID_CERTBOT and AWS_SECRET_ACCESS_KEY_CERTBOT. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Phala deploy doesn't support compose profiles, so dstack-ingress is now unconditionally defined. The deploy workflow strips the entire service block when DOMAIN is empty. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Consistent naming end-to-end: compose file placeholders, workflow sed patterns, and GitHub secret references all use CERTBOT_AWS_ACCESS_KEY_ID and CERTBOT_AWS_SECRET_ACCESS_KEY. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
All dstack-ingress secrets now use CERTBOT_ prefix in the compose file (CERTBOT_DOMAIN, CERTBOT_AWS_ACCESS_KEY_ID, CERTBOT_AWS_SECRET_ACCESS_KEY). The deploy workflow maps them to the values dstack-ingress expects internally. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The previous link pointed to a Cloudflare-focused blog post. The actual Route 53 env var documentation lives in the Dstack-TEE examples repo. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Commented out since the IAM user has direct Route 53 permissions. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Required common variable per dstack-ingress docs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
GATEWAY_DOMAIN should be _.dstack-base-prod5.phala.network per dstack-ingress docs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…gress next branch removed lit-static (moved to Cloudflare Pages in CPL-33). Our branch added dstack-ingress. Resolution: accept lit-static removal from next, keep dstack-ingress addition from our branch. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Not sensitive — it's public in the ACME registration anyway. Remove the secret reference and sed substitution. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Set DOMAIN as a shell variable per branch, then derive all URL outputs from it — removes redundant hardcoded URLs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Garandor added a commit that referenced this pull request on Mar 27, 2026:
* feat: add dstack-ingress for custom domain TLS (CPL-152)
  Add dstack-ingress service to docker-compose.phala.yml for attestation-bound TLS termination inside the TEE. On main branch, deploys with DOMAIN=api.chipotle.litprotocol.com using Let's Encrypt DNS-01 via Route 53. On next branch, dstack-ingress is removed from the deploy compose file (no custom domain).
  - docker-compose.phala.yml: add dstack-ingress service behind "custom-domain" profile with Route 53 DNS provider config
  - deploy-phala.yml: add domain output, substitute TLS secrets in deploy step, conditionally strip profiles or remove service block
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: use test.chipotle.litprotocol.com for next branch
  Reserve api.chipotle.litprotocol.com for main branch deployments. The next branch gets its own custom domain at test.chipotle.litprotocol.com.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: rename Route 53 secret refs to AWS_*_CERTBOT
  The GitHub secrets for the certbot Route 53 IAM credentials are named AWS_ACCESS_KEY_ID_CERTBOT and AWS_SECRET_ACCESS_KEY_CERTBOT.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: remove compose profiles, strip dstack-ingress when no domain
  Phala deploy doesn't support compose profiles, so dstack-ingress is now unconditionally defined. The deploy workflow strips the entire service block when DOMAIN is empty.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: rename secrets to CERTBOT_AWS_ACCESS_KEY_ID prefix convention
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: rename AWS credential placeholders to CERTBOT_ prefix
  Consistent naming end-to-end: compose file placeholders, workflow sed patterns, and GitHub secret references all use CERTBOT_AWS_ACCESS_KEY_ID and CERTBOT_AWS_SECRET_ACCESS_KEY.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: note dstack-ingress expected env var names with Phala docs link
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: rename DOMAIN placeholder to CERTBOT_DOMAIN for consistency
  All dstack-ingress secrets now use CERTBOT_ prefix in the compose file (CERTBOT_DOMAIN, CERTBOT_AWS_ACCESS_KEY_ID, CERTBOT_AWS_SECRET_ACCESS_KEY). The deploy workflow maps them to the values dstack-ingress expects internally.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: replace dead Phala docs link with working blog post URL
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: link to dstack-ingress DNS_PROVIDERS.md for Route 53 docs
  The previous link pointed to a Cloudflare-focused blog post. The actual Route 53 env var documentation lives in the Dstack-TEE examples repo.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: show optional AWS_ROLE_ARN/AWS_REGION for Route 53 role assumption
  Commented out since the IAM user has direct Route 53 permissions.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add missing GATEWAY_DOMAIN for dstack-ingress
  Required common variable per dstack-ingress docs.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: restore underscore prefix in GATEWAY_DOMAIN
  GATEWAY_DOMAIN should be _.dstack-base-prod5.phala.network per dstack-ingress docs.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: CERTBOT_AWS_ACCESS_KEY_ID is a var, not a secret
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: remove optional domain logic — custom domain is mandatory
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: hardcode CERTBOT_EMAIL to admin@litprotocol.com
  Not sensitive — it's public in the ACME registration anyway. Remove the secret reference and sed substitution.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: derive base_url and api_root_url from domain
  Set DOMAIN as a shell variable per branch, then derive all URL outputs from it — removes redundant hardcoded URLs.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
Adds dstack-ingress service to docker-compose.phala.yml for attestation-bound TLS termination inside the TEE, and wires it into the deploy workflow with per-branch custom domains.

Changes
docker-compose.phala.yml
- dstack-ingress service (pinned image with @sha256: digest) for Route 53 DNS-01 TLS
- DOMAIN, GATEWAY_DOMAIN (_.dstack-base-prod5.phala.network), DNS_PROVIDER, TARGET_ENDPOINT, CERTBOT_EMAIL, SET_CAA
- CERTBOT_EMAIL hardcoded to admin@litprotocol.com (public in ACME registration, not sensitive)
- AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY sourced from CERTBOT_-prefixed env vars
- AWS_ROLE_ARN / AWS_REGION documented as comments (not needed with direct IAM permissions)
- cert-data volume for Let's Encrypt certificate persistence
- lit-static stays removed (moved to Cloudflare Pages in CPL-33)

.github/workflows/deploy-phala.yml
- main → api.chipotle.litprotocol.com, next → test.chipotle.litprotocol.com
- base_url and api_root_url derived from domain (no redundant hardcoded URLs)
- CERTBOT_DOMAIN, CERTBOT_AWS_ACCESS_KEY_ID (var), CERTBOT_AWS_SECRET_ACCESS_KEY (secret) into compose file

Required GitHub configuration
- CERTBOT_AWS_ACCESS_KEY_ID — Route 53 IAM access key
- CERTBOT_AWS_SECRET_ACCESS_KEY — Route 53 IAM secret key

Dependencies

Test plan
- docker-compose.phala.yml validates with docker compose config
- next — conflicts resolved cleanly
- next and verify https://test.chipotle.litprotocol.com/health returns 200
- main and verify https://api.chipotle.litprotocol.com/health returns 200

🤖 Generated with Claude Code
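The deploy step described above fills `${CERTBOT_...}` placeholders in the compose file with sed and derives the custom domain from the branch. As an added example that is not the PR's own workflow code, the POSIX-sh script below reproduces that substitution with two fail-closed checks a deploy job should make before handing the file to Phala: an empty credential aborts the render (otherwise dstack-ingress would start with a blank Route 53 key), and a leftover `${NAME}` reference is reported as an error. The function names, the compose snippet and the credential values used in the test are constructed for this example.

```shell
#!/bin/sh
# Added example, not the PR's own workflow code. Placeholder names follow the
# PR (CERTBOT_DOMAIN, CERTBOT_AWS_ACCESS_KEY_ID, CERTBOT_AWS_SECRET_ACCESS_KEY);
# the compose snippet below is a constructed stand-in for the real service block.

# Branch-to-domain mapping as described in the PR (main -> api., next -> test.).
domain_for_branch() {
  case "$1" in
    main) echo "api.chipotle.litprotocol.com" ;;
    next) echo "test.chipotle.litprotocol.com" ;;
    *) echo "no custom domain mapped for branch '$1'" >&2; return 1 ;;
  esac
}

# Escape a value for the replacement side of a sed s|pat|repl|g expression:
# backslash, '&' (stands for the whole match) and the '|' delimiter are special.
sed_escape() {
  printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# Render compose text from stdin with the three placeholders substituted.
# Refuses to render if any value is empty, so dstack-ingress is never deployed
# with a blank domain or a blank Route 53 credential.
# Args: domain, AWS access key id, AWS secret access key.
render_compose() {
  for v in "$1" "$2" "$3"; do
    [ -n "$v" ] || { echo "refusing to render: empty substitution value" >&2; return 1; }
  done
  # '[$]' matches a literal '$' in any sed dialect; '{' and '}' are literal in BRE.
  sed -e 's|[$]{CERTBOT_DOMAIN}|'"$(sed_escape "$1")"'|g' \
      -e 's|[$]{CERTBOT_AWS_ACCESS_KEY_ID}|'"$(sed_escape "$2")"'|g' \
      -e 's|[$]{CERTBOT_AWS_SECRET_ACCESS_KEY}|'"$(sed_escape "$3")"'|g'
}

# Succeeds only if stdin contains no unresolved ${NAME} reference, i.e. every
# placeholder the workflow was supposed to fill has actually been filled.
no_placeholders_left() {
  ! grep -q '[$]{[A-Z_][A-Z0-9_]*}'
}

# Constructed stand-in for the dstack-ingress service block in the compose file.
COMPOSE_SNIPPET='services:
  dstack-ingress:
    environment:
      - DOMAIN=${CERTBOT_DOMAIN}
      - AWS_ACCESS_KEY_ID=${CERTBOT_AWS_ACCESS_KEY_ID}
      - AWS_SECRET_ACCESS_KEY=${CERTBOT_AWS_SECRET_ACCESS_KEY}'
```

Typical use is `printf '%s\n' "$COMPOSE_SNIPPET" | render_compose "$(domain_for_branch "$BRANCH")" "$KEY_ID" "$SECRET" > rendered.yml` followed by `no_placeholders_left < rendered.yml || exit 1`, so the job fails before the compose file ever reaches Phala rather than after a broken service is running.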