Merge pull request #85 from Dstack-TEE/feat/ingress-wildcard-domain

feat(ingress): support wildcard custom domains

Author: kvinwang

custom-domain/dstack-ingress/README.md

@@ -53,6 +53,39 @@ The dstack-ingress now supports multiple domains in a single container:
 - Each domain gets its own SSL certificate
 - Flexible nginx configuration per domain
 
+### Wildcard Domain Support
+
+You can use a wildcard domain (e.g. `*.myapp.com`) to route all subdomains to a single dstack application:
+
+- The TXT record is automatically set as `_dstack-app-address-wildcard.myapp.com` (instead of `_dstack-app-address.*.myapp.com`)
+- CAA records use the `issuewild` tag on the base domain
+- Requires dstack-gateway with wildcard TXT resolution support ([dstack#545](https://github.com/Dstack-TEE/dstack/pull/545))
+
+```yaml
+services:
+  dstack-ingress:
+    image: dstacktee/dstack-ingress:latest
+    ports:
+      - "443:443"
+    environment:
+      - CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}
+      - DOMAIN=*.myapp.com
+      - GATEWAY_DOMAIN=_.dstack-prod5.phala.network
+      - CERTBOT_EMAIL=${CERTBOT_EMAIL}
+      - SET_CAA=true
+      - TARGET_ENDPOINT=http://app:80
+    volumes:
+      - /var/run/dstack.sock:/var/run/dstack.sock
+      - /var/run/tappd.sock:/var/run/tappd.sock
+      - cert-data:/etc/letsencrypt
+    restart: unless-stopped
+  app:
+    image: nginx
+    restart: unless-stopped
+volumes:
+  cert-data:
+```
+
 ## Usage
 
 ### Prerequisites

custom-domain/dstack-ingress/scripts/entrypoint.sh

@@ -106,6 +106,9 @@ EOF
 setup_py_env
 
 setup_nginx_conf() {
+    local cert_name
+    cert_name=$(cert_dir_name "$DOMAIN")
+
     local client_max_body_size_conf=""
     if [ -n "$CLIENT_MAX_BODY_SIZE" ]; then
         client_max_body_size_conf="    client_max_body_size ${CLIENT_MAX_BODY_SIZE};"
@@ -148,8 +151,8 @@ server {
     server_name ${DOMAIN};
 
     # SSL certificate configuration
-    ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/${cert_name}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${cert_name}/privkey.pem;
 
     # Modern SSL configuration - TLS 1.2 and 1.3 only
     ssl_protocols TLSv1.2 TLSv1.3;
@@ -166,7 +169,7 @@ server {
     # Enable OCSP stapling
     ssl_stapling on;
     ssl_stapling_verify on;
-    ssl_trusted_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/${cert_name}/fullchain.pem;
     resolver 8.8.8.8 8.8.4.4 valid=300s;
     resolver_timeout 5s;
 
@@ -231,8 +234,16 @@ set_txt_record() {
     fi
     APP_ID=${APP_ID:-"$DSTACK_APP_ID"}
 
+    local txt_domain
+    if [[ "$domain" == \*.* ]]; then
+        # Wildcard domain: *.myapp.com → _dstack-app-address-wildcard.myapp.com
+        txt_domain="${TXT_PREFIX}-wildcard.${domain#\*.}"
+    else
+        txt_domain="${TXT_PREFIX}.${domain}"
+    fi
+
     dnsman.py set_txt \
-        --domain "${TXT_PREFIX}.${domain}" \
+        --domain "$txt_domain" \
         --content "$APP_ID:$PORT"
 
     if [ $? -ne 0 ]; then
@@ -257,11 +268,20 @@ set_caa_record() {
         return
     fi
 
+    local caa_domain caa_tag
+    if [[ "$domain" == \*.* ]]; then
+        caa_domain="${domain#\*.}"
+        caa_tag="issuewild"
+    else
+        caa_domain="$domain"
+        caa_tag="issue"
+    fi
+
     ACCOUNT_URI=$(jq -j '.uri' "$account_file")
-    echo "Adding CAA record for $domain, accounturi=$ACCOUNT_URI"
+    echo "Adding CAA record ($caa_tag) for $caa_domain, accounturi=$ACCOUNT_URI"
     dnsman.py set_caa \
-        --domain "$domain" \
-        --caa-tag "issue" \
+        --domain "$caa_domain" \
+        --caa-tag "$caa_tag" \
         --caa-value "letsencrypt.org;validationmethods=dns-01;accounturi=$ACCOUNT_URI"
 
     if [ $? -ne 0 ]; then

custom-domain/dstack-ingress/scripts/functions.sh

@@ -112,6 +112,14 @@ sanitize_proxy_buffers() {
     fi
 }
 
+# Get the certbot certificate directory name for a domain.
+# Certbot stores wildcard certs without the "*." prefix:
+#   *.example.com → /etc/letsencrypt/live/example.com/
+cert_dir_name() {
+    local domain="$1"
+    echo "${domain#\*.}"
+}
+
 get_letsencrypt_account_path() {
     local base_path="/etc/letsencrypt/accounts"
     local api_endpoint="acme-v02.api.letsencrypt.org"

custom-domain/dstack-ingress/scripts/generate-evidences.sh

@@ -23,7 +23,7 @@ fi
 # Copy all certificate files
 while IFS= read -r domain; do
     [[ -n "$domain" ]] || continue
-    cert_file="/etc/letsencrypt/live/${domain}/fullchain.pem"
+    cert_file="/etc/letsencrypt/live/$(cert_dir_name "$domain")/fullchain.pem"
     if [ -f "$cert_file" ]; then
         cp "$cert_file" "cert-${domain}.pem"
     else