feat: add SAN / ALIAS_DOMAIN support for dstack-ingress (CPL-139) #1

Closed
cl4wb0t wants to merge 11 commits into main from npw/route53-weighted-routes

@cl4wb0t cl4wb0t commented Mar 23, 2026

Summary

Cherry-pick of Dstack-TEE/dstack-examples#83 by @wwwehr for evaluation and testing.

  • ALIAS_DOMAIN support: New env var that adds a shared load-balanced domain as a SAN on each node's TLS cert, adds it to nginx server_name, and appends the node's APP_ID:PORT to the alias domain's TXT record
  • Route53 weighted CNAME routing: When ALIAS_DOMAIN + ROUTE53_INITIAL_WEIGHT are set, creates a weight-0 weighted CNAME for the alias domain pointing to the node domain
  • certbot fix: Handles staging-to-production account switch; adds --cert-name flag
  • GHCR manifest fix: Adds proper Accept headers for OCI/Docker manifest checks

New Environment Variables

| Variable | Effect |
| --- | --- |
| ALIAS_DOMAIN | Adds SAN to cert, adds to nginx server_name, appends alias TXT record |
| ROUTE53_INITIAL_WEIGHT | Weight for node's primary CNAME; combined with ALIAS_DOMAIN, creates weight-0 alias CNAME |

Files Changed

  • scripts/dns_providers/route53.py — Weighted routing, append TXT, SAN support
  • scripts/dns_providers/base.py — Fallback implementations for new methods
  • scripts/dnsman.py — New set_txt_append and set_weighted_cname actions
  • scripts/entrypoint.sh — ALIAS_DOMAIN handling in nginx and DNS setup
  • scripts/certman.py — SAN cert expansion, certbot fixes
  • docker-compose.loadbalanced.yaml — Reference compose for multi-node setup
  • DNS_PROVIDERS.md / README.md — Documentation

Test Plan

  • Verify certbot issues SAN cert covering both DOMAIN and ALIAS_DOMAIN
  • Verify nginx server_name includes both domains
  • Verify TXT record append (not replace) for alias domain
  • Verify weighted CNAME creation at weight 0
  • Test without ALIAS_DOMAIN set — should behave identically to before

Tracks: CPL-139

🤖 Generated with Claude Code
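
The SAN, server_name and "without ALIAS_DOMAIN" checks from the test plan above, as an added example (not code from this PR or from dstack-ingress). It assumes the certificate is supplied as a dict in the shape returned by Python's `ssl.SSLSocket.getpeercert()` and the rendered nginx config as text; the function names and sample hostnames are hypothetical.

```python
import re

# Constructed sample inputs (not taken from the PR): a certificate dict in the
# shape returned by ssl.SSLSocket.getpeercert(), and a rendered nginx server block.
SAMPLE_CERT = {"subjectAltName": (("DNS", "node1.example.com"), ("DNS", "app.example.com"))}
SAMPLE_NGINX = """
server {
    listen 443 ssl;
    server_name node1.example.com app.example.com;  # DOMAIN + ALIAS_DOMAIN
}
"""

def cert_dns_names(cert):
    """Lower-cased DNS SAN entries from a getpeercert()-style dict."""
    return {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}

def san_covers(name, sans):
    """True if name matches a SAN exactly or via a single-label wildcard."""
    name = name.lower().rstrip(".")
    if name in sans:
        return True
    _, _, parent = name.partition(".")
    return bool(parent) and ("*." + parent) in sans

def nginx_server_names(conf):
    """All names listed in server_name directives, comments stripped."""
    names = set()
    for line in conf.splitlines():
        line = line.split("#", 1)[0]
        m = re.match(r"\s*server_name\s+([^;]+);", line)
        if m:
            names.update(n.lower() for n in m.group(1).split())
    return names

def check_deployment(domain, alias_domain, cert, nginx_conf):
    """Return a list of problems; empty means the names are consistently covered."""
    expected = [domain] + ([alias_domain] if alias_domain else [])
    sans, served = cert_dns_names(cert), nginx_server_names(nginx_conf)
    problems = [f"cert SAN missing {n}" for n in expected if not san_covers(n, sans)]
    problems += [f"nginx server_name missing {n}" for n in expected if n.lower() not in served]
    # Names certified or served but not configured widen what this node answers for.
    extra = (sans | served) - {n.lower() for n in expected}
    problems += [f"unexpected name {n}" for n in sorted(extra) if not n.startswith("*.")]
    return problems

if __name__ == "__main__":
    print(check_deployment("node1.example.com", "app.example.com", SAMPLE_CERT, SAMPLE_NGINX))
```
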

wwwehr and others added 11 commits March 4, 2026 00:59
Refactor Route53DNSProvider methods to add support for weighted routing. Update methods to handle weighted routing parameters and adjust record ID parsing for weighted records.
Updated create_dns_record method to skip automatic weighting for TXT records and added comments for clarity.
…pport

Remove Route53-specific weighted CNAME routing (ROUTE53_INITIAL_WEIGHT,
set_weighted_cname, append_txt_record, set_alias_domain_cname) and the
load-balanced docker-compose example.

Retain ALIAS_DOMAIN as a pure SAN feature:
- certbot issues SAN cert covering both DOMAIN and ALIAS_DOMAIN
- nginx server_name includes ALIAS_DOMAIN
- General Route53 provider support unchanged

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cl4wb0t commented Mar 23, 2026

Superseded by #2 (Route53 cleanup) and #3 (ALIAS_DOMAIN/SAN support)

@cl4wb0t cl4wb0t closed this Mar 23, 2026