fix: start dstack-ingress before other services (CPL-152)#192

Closed
Garandor wants to merge 1 commit into next from fix/cpl-152-ingress-startup-order

Conversation

@Garandor
Contributor

Summary

  • dstack-ingress must finish obtaining the TLS certificate before lit-api-server starts accepting traffic
  • Removes depends_on: lit-api-server from dstack-ingress (it was backwards)
  • Adds healthcheck on dstack-ingress that waits for the Let's Encrypt cert file
  • Makes lit-api-server depend on dstack-ingress: condition: service_healthy

Startup order

  1. otel-collector + dstack-ingress start in parallel
  2. dstack-ingress provisions DNS records + TLS cert (healthcheck passes when cert exists)
  3. lit-actions starts
  4. lit-api-server starts (after dstack-ingress healthy + lit-actions started)

Related

  • CPL-152

Test plan

  • docker compose config validates
  • Deploy to next — verify dstack-ingress gets cert before API server starts

🤖 Generated with Claude Code

dstack-ingress must obtain the TLS certificate before the API server
starts accepting traffic. Adds a healthcheck that waits for the cert
file, and makes lit-api-server depend on dstack-ingress being healthy.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
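The startup gate described in the summary and in the numbered startup order, as an added example rather than the project's own docker-compose.phala.yml: dstack-ingress exposes a healthcheck that only passes once the Let's Encrypt certificate file exists, and lit-api-server waits on that health state instead of the old, reversed depends_on. The image tags, the certificate path under /etc/letsencrypt, the mount point and the timing values are assumptions; the PR pins the real dstack-ingress image by sha256 digest.

```yaml
# Added example (not the project's compose file). Image tags, the cert path
# and the interval/retry values are assumptions chosen for illustration.
services:
  otel-collector:
    image: otel/opentelemetry-collector:latest   # assumed tag

  dstack-ingress:
    image: dstack-ingress:latest                 # assumed; the PR pins @sha256 digest
    environment:
      DOMAIN: ${DOMAIN}
      GATEWAY_DOMAIN: ${GATEWAY_DOMAIN}
      DNS_PROVIDER: route53
      TARGET_ENDPOINT: ${TARGET_ENDPOINT}
      CERTBOT_EMAIL: admin@litprotocol.com        # public in ACME registration
      SET_CAA: "true"
      CERTBOT_AWS_ACCESS_KEY_ID: ${CERTBOT_AWS_ACCESS_KEY_ID}
      CERTBOT_AWS_SECRET_ACCESS_KEY: ${CERTBOT_AWS_SECRET_ACCESS_KEY}
    volumes:
      - cert-data:/etc/letsencrypt               # assumed mount point for persistence
    # Intentionally no depends_on here: the former depends_on: lit-api-server
    # pointed the wrong way and would have started the API before the cert existed.
    healthcheck:
      # Passes only once certbot has written the live certificate. `$$DOMAIN`
      # is escaped so the container's shell, not Compose, expands it.
      test: ["CMD-SHELL", "test -f /etc/letsencrypt/live/$$DOMAIN/fullchain.pem"]
      interval: 10s
      timeout: 5s
      retries: 60          # ~10 min budget for DNS-01 propagation and issuance
      start_period: 30s    # failures in this window do not count toward retries

  lit-actions:
    image: lit-actions:latest                    # assumed tag

  lit-api-server:
    image: lit-api-server:latest                 # assumed tag
    depends_on:
      dstack-ingress:
        condition: service_healthy   # gate on the cert, not on the container merely running
      lit-actions:
        condition: service_started   # matches "lit-actions starts" before the API server

volumes:
  cert-data:
```

`docker compose config` validates the fragment; `docker compose up` then starts otel-collector and dstack-ingress together, polls the healthcheck, and only creates lit-api-server after it reports healthy. If the retries are exhausted Compose marks dstack-ingress unhealthy and refuses to start lit-api-server at all, which is the intended failure mode: no API traffic without a certificate. A file-existence probe only proves a certificate is present, not that it is unexpired or that the ingress is actually serving it, so renewal and liveness still need their own monitoring; on a restart with a populated cert-data volume the check passes immediately from the persisted file.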
@linear

linear bot commented Mar 27, 2026

CPL-152 Update docker-compose + deploy workflow for Phase 0

PR: #181 (target: next)

What was done

docker-compose.phala.yml

  • Added dstack-ingress service (pinned image @sha256: digest) for Route 53 DNS-01 TLS
  • All required dstack-ingress env vars: DOMAIN, GATEWAY_DOMAIN (_.dstack-base-prod5.phala.network), DNS_PROVIDER, TARGET_ENDPOINT, CERTBOT_EMAIL, SET_CAA
  • CERTBOT_EMAIL hardcoded to admin@litprotocol.com (public in ACME registration)
  • Route 53 credentials via CERTBOT_-prefixed env vars (CERTBOT_AWS_ACCESS_KEY_ID, CERTBOT_AWS_SECRET_ACCESS_KEY)
  • Optional AWS_ROLE_ARN / AWS_REGION documented as comments (not needed with direct IAM permissions)
  • cert-data volume for Let's Encrypt persistence
  • Comments link to dstack-ingress DNS_PROVIDERS.md
  • lit-static stays removed (moved to Cloudflare Pages in CPL-33)

.github/workflows/deploy-phala.yml

  • Custom domain is mandatory — no optional stripping logic
  • mainapi.chipotle.litprotocol.com, nexttest.chipotle.litprotocol.com
  • base_url and api_root_url derived from domain (no redundant URLs)
  • CERTBOT_AWS_ACCESS_KEY_ID is a GitHub variable (not a secret)
  • CERTBOT_AWS_SECRET_ACCESS_KEY is a GitHub secret

Required GitHub configuration

  • Variable: CERTBOT_AWS_ACCESS_KEY_ID — Route 53 IAM access key
  • Secret: CERTBOT_AWS_SECRET_ACCESS_KEY — Route 53 IAM secret key

Status

  • Compose file validates
  • Merged with next — conflicts resolved
  • CI green
  • Blocked on CPL-151 for IAM credentials + GitHub secrets

Blocked on

  • CPL-151 (IAM credentials + GitHub secrets)

@Garandor Garandor closed this Mar 27, 2026
