fix: dstack-ingress 2.1 — wildcard cert + evidence latency #91
Merged
Two bugs fixed:
1. build-combined-pems.sh: wildcard domains (e.g. *.example.com) failed
to find their Let's Encrypt certificates because the script looked for
/etc/letsencrypt/live/*.example.com/ while certbot stores them under
/etc/letsencrypt/live/example.com/. Fixed by using cert_dir_name() from
functions.sh to strip the wildcard prefix.
2. entrypoint.sh: the HAProxy evidence-server routing used
"tcp-request content accept if WAIT_END" which forces a full 5-second
delay (the inspect-delay value) on EVERY new TLS connection before
routing proceeds. Replaced with "tcp-request content accept if
{ req.len gt 0 }" so HAProxy accepts as soon as any application data
arrives in the buffer. After SSL termination a complete TLS record is
decrypted atomically, so the full HTTP request is available on first
evaluation.
Bump version to 2.1.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
Two bug fixes for dstack-ingress, bumping to version 2.1:
Wildcard certificate lookup: build-combined-pems.sh looked for /etc/letsencrypt/live/*.example.com/ but certbot stores wildcard certs under /etc/letsencrypt/live/example.com/. Fixed by using the existing cert_dir_name() helper from functions.sh to strip the *. prefix.

5-second latency on all traffic: The HAProxy evidence-server routing used "tcp-request content accept if WAIT_END", which forces HAProxy to wait the full inspect-delay 5s before accepting every new TLS connection. Replaced with "tcp-request content accept if { req.len gt 0 }", which accepts as soon as any application data arrives. After SSL termination, a complete TLS record is decrypted atomically so the full HTTP request is always available on first evaluation.

Test plan
Both fixes verified on a live Phala Cloud CVM:
- Wildcard cert (*.dstack-k3s.t16z.com) correctly obtained and served by HAProxy
- (WAIT_END)
- (/evidences/, /evidences/quote.json): ~0.25s, HTTP 200

Release
After merge, tag dstack-ingress-v2.1 to trigger CI image build → dstacktee/dstack-ingress:2.1.

🤖 Generated with Claude Code
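As an added example (not the dstack-ingress scripts themselves), a POSIX sh sketch of the two fixes: a lineage-directory lookup that strips the wildcard prefix the way certbot does, and a lint that flags the slow WAIT_END accept rule. cert_dir_name is a hypothetical reimplementation of the helper the PR mentions, and LE_LIVE is an assumed override so the demo can use a constructed directory tree.

```shell
#!/bin/sh
# Added example, not code from dstack-ingress. cert_dir_name is a hypothetical
# reimplementation of the helper the PR mentions; LE_LIVE is an assumed knob
# so the demo can point at a constructed tree instead of the real /etc.
set -eu

LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"

# certbot names a lineage after its first domain with any leading "*." removed,
# so "*.example.com" and "example.com" both resolve to live/example.com/.
cert_dir_name() {
    printf '%s\n' "${1#\*.}"
}

# Resolve fullchain.pem for a domain, wildcard or not. Interpolating the raw
# domain (the pre-fix behaviour) looks for a directory literally named
# "*.example.com", which certbot never creates.
fullchain_path() {
    printf '%s/%s/fullchain.pem\n' "$LE_LIVE" "$(cert_dir_name "$1")"
}

# Lint an HAProxy config fragment: the WAIT_END accept rule stalls every new
# connection for the whole inspect-delay. Returns 0 only for the req.len rule.
check_accept_rule() {
    if grep -q 'tcp-request content accept if WAIT_END' "$1"; then
        echo "slow: WAIT_END waits out the full inspect-delay per connection" >&2
        return 1
    fi
    grep -q 'tcp-request content accept if { req.len gt 0 }' "$1"
}

demo() {
    # Constructed fixtures in a temp dir; nothing here touches the real system.
    tmp=$(mktemp -d)
    LE_LIVE="$tmp/live"
    mkdir -p "$LE_LIVE/example.com"
    : > "$LE_LIVE/example.com/fullchain.pem"
    for d in '*.example.com' 'example.com'; do
        p=$(fullchain_path "$d")
        [ -f "$p" ] && echo "$d -> $p"
    done
    printf 'tcp-request inspect-delay 5s\ntcp-request content accept if WAIT_END\n' > "$tmp/old.cfg"
    printf 'tcp-request inspect-delay 5s\ntcp-request content accept if { req.len gt 0 }\n' > "$tmp/new.cfg"
    check_accept_rule "$tmp/old.cfg" || echo "old.cfg: replace the accept rule"
    check_accept_rule "$tmp/new.cfg" && echo "new.cfg: ok"
    rm -rf "$tmp"
}

demo
```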