Merge pull request #51 from Dstack-TEE/multi-domains

ingress: Support for multple domains

Author: kvinwang

custom-domain/dstack-ingress/.gitignore

@@ -2,3 +2,4 @@
 /CLAUDE.md
 /test/
 __pycache__
+/oci.tar

custom-domain/dstack-ingress/Dockerfile

@@ -8,6 +8,7 @@ RUN set -e; \
     echo 'deb [check-valid-until=no] https://snapshot.debian.org/archive/debian-security/20250411T024939Z bookworm-security main' >> /etc/apt/sources.list && \
     echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf.d/10no-check-valid-until && \
     # Create preferences file to pin all packages
+    rm -rf /etc/apt/sources.list.d/debian.sources && \
     mkdir -p /etc/apt/preferences.d && \
     cat /tmp/pinned-packages.txt | while read line; do \
         pkg=$(echo $line | cut -d= -f1); \
@@ -29,18 +30,12 @@ RUN set -e; \
         coreutils && \
         rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/ldconfig/aux-cache /tmp/pinned-packages.txt
 
-RUN mkdir -p /etc/letsencrypt /var/www/certbot /usr/share/nginx/html
-
-# Set up Python virtual environment and install certbot
-RUN set -e; \
-    python3 -m venv --system-site-packages /opt/app-venv && \
-    . /opt/app-venv/bin/activate && \
-    pip install --upgrade pip && \
-    pip install certbot requests && \
-    # Create symlinks for system-wide access
-    ln -sf /opt/app-venv/bin/certbot /usr/local/bin/certbot && \
-    # Ensure the virtual environment is always activated for scripts
-    echo 'source /opt/app-venv/bin/activate' > /etc/profile.d/app-venv.sh
+RUN mkdir -p \
+    /etc/letsencrypt \
+    /var/www/certbot \
+    /usr/share/nginx/html \
+    /etc/nginx/conf.d \
+    /var/log/nginx
 
 COPY ./scripts /scripts/
 RUN chmod +x /scripts/*.sh /scripts/*.py
@@ -50,4 +45,3 @@ COPY .GIT_REV /etc/
 
 ENTRYPOINT ["/scripts/entrypoint.sh"]
 CMD ["nginx", "-g", "daemon off;"]
-

custom-domain/dstack-ingress/README.md

@@ -33,14 +33,26 @@ The dstack-ingress system provides a seamless way to set up custom domains for d
 3. **Certificate Management**:
 
    - SSL certificates are automatically obtained during initial setup
-   - A scheduled task runs twice daily to check for certificate renewal
+   - A simple background daemon checks for certificate renewal every 12 hours
    - When certificates are renewed, Nginx is automatically reloaded to use the new certificates
+   - Uses a simple sleep loop instead of cron for reliability and easier debugging in containers
 
 4. **Evidence Generation**:
    - The system generates evidence files for verification purposes
    - These include the ACME account information and certificate data
    - Evidence files are accessible through a dedicated endpoint
 
+## Features
+
+### Multi-Domain Support (New!)
+
+The dstack-ingress now supports multiple domains in a single container:
+
+- **Single Domain Mode** (backward compatible): Use `DOMAIN` and `TARGET_ENDPOINT` environment variables
+- **Multi-Domain Mode**: Use `DOMAINS` environment variable with custom nginx configurations in `/etc/nginx/conf.d/`
+- Each domain gets its own SSL certificate
+- Flexible nginx configuration per domain
+
 ## Usage
 
 ### Prerequisites
@@ -50,7 +62,7 @@ The dstack-ingress system provides a seamless way to set up custom domains for d
 
 ### Deployment
 
-You can either build the ingress container and push it to docker hub, or use the prebuilt image at `kvin/dstack-ingress`.
+You can either build the ingress container and push it to docker hub, or use the prebuilt image at `dstacktee/dstack-ingress:20250924`.
 
 #### Option 1: Use the Pre-built Image
 
@@ -59,7 +71,7 @@ The fastest way to get started is to use our pre-built image. Simply use the fol
 ```yaml
 services:
   dstack-ingress:
-    image: kvin/dstack-ingress@sha256:b61d50360c7a4e5ab7d22f5ce87677714f3f64a65db34ee5eebcc54683950c89
+    image: dstacktee/dstack-ingress:20250924@sha256:40429d78060ef3066b5f93676bf3ba7c2e9ac47d4648440febfdda558aed4b32
     ports:
       - "443:443"
     environment:
@@ -87,15 +99,90 @@ volumes:
   cert-data: # Persistent volume for certificates
 ```
 
+### Multi-Domain Configuration
+
+```yaml
+services:
+  ingress:
+    image: dstacktee/dstack-ingress:20250924@sha256:40429d78060ef3066b5f93676bf3ba7c2e9ac47d4648440febfdda558aed4b32
+    ports:
+      - "443:443"
+    environment:
+      DNS_PROVIDER: cloudflare
+      CLOUDFLARE_API_TOKEN: ${CLOUDFLARE_API_TOKEN}
+      CERTBOT_EMAIL: ${CERTBOT_EMAIL}
+      GATEWAY_DOMAIN: _.dstack-prod5.phala.network
+      SET_CAA: true
+      DOMAINS: |
+        ${APP_DOMAIN}
+        ${API_DOMAIN}
+
+    volumes:
+      - /var/run/tappd.sock:/var/run/tappd.sock
+      - letsencrypt:/etc/letsencrypt
+
+    configs:
+      - source: app_conf
+        target: /etc/nginx/conf.d/app.conf
+        mode: 0444
+      - source: api_conf
+        target: /etc/nginx/conf.d/api.conf
+        mode: 0444
+
+    restart: unless-stopped
+
+  app-main:
+    image: nginx
+    restart: unless-stopped
+
+  app-api:
+    image: nginx
+    restart: unless-stopped
+
+volumes:
+  letsencrypt:
+
+configs:
+  app_conf:
+    content: |
+      server {
+          listen 443 ssl;
+          server_name ${APP_DOMAIN};
+          ssl_certificate /etc/letsencrypt/live/${APP_DOMAIN}/fullchain.pem;
+          ssl_certificate_key /etc/letsencrypt/live/${APP_DOMAIN}/privkey.pem;
+          location / {
+              proxy_pass http://app-main:80;
+          }
+      }
+  api_conf:
+    content: |
+      server {
+          listen 443 ssl;
+          server_name ${API_DOMAIN};
+          ssl_certificate /etc/letsencrypt/live/${API_DOMAIN}/fullchain.pem;
+          ssl_certificate_key /etc/letsencrypt/live/${API_DOMAIN}/privkey.pem;
+          location / {
+              proxy_pass http://app-api:80;
+          }
+      }
+```
+
 **Core Environment Variables:**
 
 - `DNS_PROVIDER`: DNS provider to use (cloudflare, linode)
-- `DOMAIN`: Your custom domain
+- `DOMAIN`: Your custom domain (for single domain mode)
+- `DOMAINS`: Multiple domains, one per line (supports environment variable substitution like `${APP_DOMAIN}`)
 - `GATEWAY_DOMAIN`: The dstack gateway domain (e.g. `_.dstack-prod5.phala.network` for Phala Cloud)
 - `CERTBOT_EMAIL`: Your email address used in Let's Encrypt certificate requests
-- `TARGET_ENDPOINT`: The plain HTTP endpoint of your dstack application
+- `TARGET_ENDPOINT`: The plain HTTP endpoint of your dstack application (for single domain mode)
 - `SET_CAA`: Set to `true` to enable CAA record setup
 
+**Backward Compatibility:**
+
+- If both `DOMAIN` and `TARGET_ENDPOINT` are set, the system operates in single-domain mode with auto-generated nginx config
+- If `DOMAINS` is set, the system operates in multi-domain mode and expects custom nginx configs in `/etc/nginx/conf.d/`
+- You can use both modes simultaneously
+
 For provider-specific configuration details, see [DNS Provider Configuration](DNS_PROVIDERS.md).
 
 #### Option 2: Build Your Own Image
@@ -126,7 +213,6 @@ docker push yourusername/dstack-ingress:tag
 
 4. Update the docker-compose.yaml file with your image name and deploy
 
-
 #### gRPC Support
 
 If your dstack application uses gRPC, you can set `TARGET_ENDPOINT` to `grpc://app:50051`.
@@ -136,7 +222,7 @@ example:
 ```yaml
 services:
   dstack-ingress:
-    image: kvin/dstack-ingress@sha256:b61d50360c7a4e5ab7d22f5ce87677714f3f64a65db34ee5eebcc54683950c89
+    image: dstacktee/dstack-ingress:20250924@sha256:40429d78060ef3066b5f93676bf3ba7c2e9ac47d4648440febfdda558aed4b32
     ports:
       - "443:443"
     environment:

custom-domain/dstack-ingress/build-image.sh

@@ -1,15 +1,71 @@
 #!/bin/bash
-NAME=$1
-if [ -z "$NAME" ]; then
-    echo "Usage: $0 <name>[:<tag>]"
-    exit 1
-fi
+
+# Parse command line arguments
+PUSH=false
+REPO=""
+
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --push)
+            PUSH=true
+            REPO="$2"
+            if [ -z "$REPO" ]; then
+                echo "Error: --push requires a repository argument"
+                echo "Usage: $0 [--push <repo>[:<tag>]]"
+                exit 1
+            fi
+            shift 2
+            ;;
+        *)
+            echo "Usage: $0 [--push <repo>[:<tag>]]"
+            exit 1
+            ;;
+    esac
+done
 # Check if buildkit_20 already exists before creating it
 if ! docker buildx inspect buildkit_20 &>/dev/null; then
     docker buildx create --use --driver-opt image=moby/buildkit:v0.20.2 --name buildkit_20
 fi
 touch pinned-packages.txt
 git rev-parse HEAD > .GIT_REV
-docker buildx build --builder buildkit_20 --no-cache --build-arg SOURCE_DATE_EPOCH="0" --output type=docker,name="$NAME",rewrite-timestamp=true .
-docker run --rm --entrypoint bash "$NAME" -c "dpkg -l | grep '^ii' |awk '{print \$2\"=\"\$3}' | sort" > pinned-packages.txt
+TEMP_TAG="dstack-ingress-temp:$(date +%s)"
+docker buildx build --builder buildkit_20 --no-cache --build-arg SOURCE_DATE_EPOCH="0" \
+    --output type=oci,dest=./oci.tar,rewrite-timestamp=true \
+    --output type=docker,name="$TEMP_TAG" .
+
+if [ "$?" -ne 0 ]; then
+    echo "Build failed"
+    rm .GIT_REV
+    exit 1
+fi
+
+echo "Build completed, manifest digest:"
+echo ""
+skopeo inspect oci-archive:./oci.tar | jq .Digest
+echo ""
+
+if [ "$PUSH" = true ]; then
+    echo "Pushing image to $REPO..."
+    skopeo copy --insecure-policy oci-archive:./oci.tar docker://"$REPO"
+    echo "Image pushed successfully to $REPO"
+else
+    echo "To push the image to a registry, run:"
+    echo ""
+    echo " $0 --push <repo>[:<tag>]"
+    echo ""
+    echo "Or use skopeo directly:"
+    echo ""
+    echo " skopeo copy --insecure-policy oci-archive:./oci.tar docker://<repo>[:<tag>]"
+fi
+echo ""
+
+# Extract package information from the built image
+echo "Extracting package information from built image: $TEMP_TAG"
+docker run --rm --entrypoint bash "$TEMP_TAG" -c "dpkg -l | grep '^ii' | awk '{print \$2\"=\"\$3}' | sort" > pinned-packages.txt
+
+echo "Package information extracted to pinned-packages.txt ($(wc -l < pinned-packages.txt) packages)"
+
+# Clean up the temporary image from Docker daemon
+docker rmi "$TEMP_TAG" 2>/dev/null || true
+
 rm .GIT_REV

custom-domain/dstack-ingress/docker-compose.multi.yaml

@@ -0,0 +1,67 @@
+services:
+  ingress:
+    image: dstacktee/dstack-ingress:20250924@sha256:40429d78060ef3066b5f93676bf3ba7c2e9ac47d4648440febfdda558aed4b32
+    ports:
+      - "443:443"
+    environment:
+      DNS_PROVIDER: cloudflare
+      CLOUDFLARE_API_TOKEN: ${CLOUDFLARE_API_TOKEN}
+      CERTBOT_EMAIL: ${CERTBOT_EMAIL}
+      GATEWAY_DOMAIN: _.dstack-prod5.phala.network
+      SET_CAA: true
+      DOMAINS: |
+        ${APP_DOMAIN}
+        ${API_DOMAIN}
+
+    volumes:
+      - /var/run/tappd.sock:/var/run/tappd.sock
+      - letsencrypt:/etc/letsencrypt
+
+    configs:
+      - source: app_conf
+        target: /etc/nginx/conf.d/app.conf
+        mode: 0444
+      - source: api_conf
+        target: /etc/nginx/conf.d/api.conf
+        mode: 0444
+
+    restart: unless-stopped
+
+  app-main:
+    image: nginx
+    restart: unless-stopped
+
+  app-api:
+    image: nginx
+    restart: unless-stopped
+
+volumes:
+  letsencrypt:
+
+configs:
+  app_conf:
+    content: |
+      server {
+          listen 443 ssl;
+          server_name ${APP_DOMAIN};
+
+          ssl_certificate /etc/letsencrypt/live/${APP_DOMAIN}/fullchain.pem;
+          ssl_certificate_key /etc/letsencrypt/live/${APP_DOMAIN}/privkey.pem;
+
+          location / {
+              proxy_pass http://app-main:80;
+          }
+      }
+  api_conf:
+    content: |
+      server {
+          listen 443 ssl;
+          server_name ${API_DOMAIN};
+
+          ssl_certificate /etc/letsencrypt/live/${API_DOMAIN}/fullchain.pem;
+          ssl_certificate_key /etc/letsencrypt/live/${API_DOMAIN}/privkey.pem;
+
+          location / {
+              proxy_pass http://app-api:80;
+          }
+      }

custom-domain/dstack-ingress/docker-compose.yaml

@@ -1,6 +1,6 @@
 services:
   dstack-ingress:
-    image: kvin/dstack-ingress@sha256:b61d50360c7a4e5ab7d22f5ce87677714f3f64a65db34ee5eebcc54683950c89
+    image: dstacktee/dstack-ingress:20250924@sha256:40429d78060ef3066b5f93676bf3ba7c2e9ac47d4648440febfdda558aed4b32
     ports:
       - "443:443"
     environment: