
fix: use auto-populated DSTACK_GATEWAY_DOMAIN (CPL-152) #191

Merged: Garandor merged 1 commit into next from fix/cpl-152-gateway-domain on Mar 27, 2026

@Garandor
Contributor

Summary

  • Replaces hardcoded GATEWAY_DOMAIN: "_.dstack-base-prod5.phala.network" with _.${DSTACK_GATEWAY_DOMAIN}
  • DSTACK_GATEWAY_DOMAIN is auto-populated by Phala Cloud into the CVM environment — no external config needed

Why

The previous deployment failed to proxy HTTPS requests. dstack-ingress was creating DNS records pointing to the gateway but the hardcoded gateway domain didn't match the actual gateway routing expectations. Using the auto-populated variable ensures the value is always correct for the deployment region.

Related

Test plan

  • Deploy to next and verify https://test.chipotle.litprotocol.com/ returns a response from lit-api-server

🤖 Generated with Claude Code
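
A pre-deploy check for the substitution described above, as an added example that is not part of this PR or the repository: it classifies the GATEWAY_DOMAIN entry of a compose file as hardcoded, unguarded or guarded. The function name, the sample fragments and the `:?` guard form are assumptions made for illustration; the PR itself uses `_.${DSTACK_GATEWAY_DOMAIN}`.

```shell
#!/bin/sh
# Added example, not code from this PR. File names and fragments are constructed.
# Verdicts for the GATEWAY_DOMAIN entries of a compose file:
#   hardcoded - literal hostname (the state this PR removes)
#   unguarded - ${DSTACK_GATEWAY_DOMAIN}: Compose substitutes "" if the variable is unset
#   guarded   - ${DSTACK_GATEWAY_DOMAIN:?msg}: Compose aborts if it is unset or empty
#   missing   - no GATEWAY_DOMAIN entry found
check_gateway_domain() {
  # Map form (KEY: v) and list form (- KEY=v); DSTACK_GATEWAY_DOMAIN keys and comments do not match.
  values=$(sed -n 's/^[[:space:]-]*GATEWAY_DOMAIN[[:space:]]*[:=][[:space:]]*//p' "$1")
  [ -n "$values" ] || { echo missing; return 1; }
  verdict=guarded
  while IFS= read -r value; do
    case $value in
      *'${DSTACK_GATEWAY_DOMAIN:?'*) ;;
      *'${DSTACK_GATEWAY_DOMAIN'*|*'$DSTACK_GATEWAY_DOMAIN'*) verdict=unguarded ;;
      *) echo hardcoded; return 1 ;;
    esac
  done <<EOF
$values
EOF
  echo "$verdict"
}

# Constructed sample fragments: before the PR, after the PR, and a guarded variant.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat >"$tmp/before.yml" <<'EOF'
services:
  dstack-ingress:
    environment:
      GATEWAY_DOMAIN: "_.dstack-base-prod5.phala.network"
EOF
cat >"$tmp/after.yml" <<'EOF'
services:
  dstack-ingress:
    environment:
      GATEWAY_DOMAIN: _.${DSTACK_GATEWAY_DOMAIN}
EOF
cat >"$tmp/guarded.yml" <<'EOF'
services:
  dstack-ingress:
    environment:
      - GATEWAY_DOMAIN=_.${DSTACK_GATEWAY_DOMAIN:?not set in CVM environment}
EOF
for f in before after guarded; do
  printf '%s: %s\n' "$f" "$(check_gateway_domain "$tmp/$f.yml")"
done
```

In CI the function can be run against docker-compose.phala.yml, failing the job on a non-zero status.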

…lue (CPL-152)

GATEWAY_DOMAIN was hardcoded to _.dstack-base-prod5.phala.network which
may not match the actual gateway. DSTACK_GATEWAY_DOMAIN is auto-injected
by Phala Cloud into the CVM environment per their networking specs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@linear

linear bot commented Mar 27, 2026

CPL-152 Update docker-compose + deploy workflow for Phase 0

PR: #181 (target: next)

What was done

docker-compose.phala.yml

  • Added dstack-ingress service (pinned image @sha256: digest) for Route 53 DNS-01 TLS
  • All required dstack-ingress env vars: DOMAIN, GATEWAY_DOMAIN (_.dstack-base-prod5.phala.network), DNS_PROVIDER, TARGET_ENDPOINT, CERTBOT_EMAIL, SET_CAA
  • CERTBOT_EMAIL hardcoded to admin@litprotocol.com (public in ACME registration)
  • Route 53 credentials via CERTBOT_-prefixed env vars (CERTBOT_AWS_ACCESS_KEY_ID, CERTBOT_AWS_SECRET_ACCESS_KEY)
  • Optional AWS_ROLE_ARN / AWS_REGION documented as comments (not needed with direct IAM permissions)
  • cert-data volume for Let's Encrypt persistence
  • Comments link to dstack-ingress DNS_PROVIDERS.md
  • lit-static stays removed (moved to Cloudflare Pages in CPL-33)

.github/workflows/deploy-phala.yml

  • Custom domain is mandatory — no optional stripping logic
  • main → api.chipotle.litprotocol.com, next → test.chipotle.litprotocol.com
  • base_url and api_root_url derived from domain (no redundant URLs)
  • CERTBOT_AWS_ACCESS_KEY_ID is a GitHub variable (not a secret)
  • CERTBOT_AWS_SECRET_ACCESS_KEY is a GitHub secret

Required GitHub configuration

  • Variable: CERTBOT_AWS_ACCESS_KEY_ID — Route 53 IAM access key
  • Secret: CERTBOT_AWS_SECRET_ACCESS_KEY — Route 53 IAM secret key

Status

  • Compose file validates
  • Merged with next — conflicts resolved
  • CI green
  • Blocked on CPL-151 for IAM credentials + GitHub secrets

Blocked on

  • CPL-151 (IAM credentials + GitHub secrets)

@Garandor Garandor merged commit 31a9f25 into next Mar 27, 2026
1 check passed
Garandor added a commit that referenced this pull request Mar 27, 2026
…lue (CPL-152) (#191)