Add https: auto mode for services

peterschmidt85 · cursoragent · peterschmidt85 · commit 10ecf33b7642 · 2026-02-20T11:32:29.000+01:00
Allow setting `https` to `auto` in service configuration. When set to
`auto`, the effective HTTPS setting is resolved at registration time
based on the gateway's certificate configuration: enabled for
Let's Encrypt, disabled for no certificate or ACM.

The default remains `true` for backward compatibility.

Co-authored-by: Cursor &lt;cursoragent@cursor.com&gt;
diff --git a/src/dstack/_internal/core/models/configurations.py b/src/dstack/_internal/core/models/configurations.py
@@ -856,9 +856,13 @@ class ServiceConfigurationParams(CoreModel):
             )
         ),
     ] = None
-    https: Annotated[bool, Field(description="Enable HTTPS if running with a gateway")] = (
-        SERVICE_HTTPS_DEFAULT
-    )
+    https: Annotated[
+        Union[bool, Literal["auto"]],
+        Field(
+            description="Enable HTTPS if running with a gateway."
+            " Set to `auto` to determine automatically based on gateway configuration"
+        ),
+    ] = SERVICE_HTTPS_DEFAULT
     auth: Annotated[bool, Field(description="Enable the authorization")] = True
 
     scaling: Annotated[
diff --git a/src/dstack/_internal/server/services/services/__init__.py b/src/dstack/_internal/server/services/services/__init__.py
@@ -22,7 +22,6 @@
 )
 from dstack._internal.core.models.configurations import (
     DEFAULT_REPLICA_GROUP_NAME,
-    SERVICE_HTTPS_DEFAULT,
     ServiceConfiguration,
 )
 from dstack._internal.core.models.gateways import GatewayConfiguration, GatewayStatus
@@ -241,7 +240,7 @@ def _register_service_in_server(run_model: RunModel, run_spec: RunSpec) -> Servi
             "Service with SGLang router configuration requires a gateway. "
             "Please configure a gateway with the SGLang router enabled."
         )
-    if run_spec.configuration.https != SERVICE_HTTPS_DEFAULT:
+    if run_spec.configuration.https is False:
         # Note: if the user sets `https: <default-value>`, it will be ignored silently
         # TODO: in 0.19, make `https` Optional to be able to tell if it was set or omitted
         raise ServerClientError(
@@ -416,7 +415,14 @@ async def unregister_replica(session: AsyncSession, job_model: JobModel):
 
 def _get_service_https(run_spec: RunSpec, configuration: GatewayConfiguration) -> bool:
     assert run_spec.configuration.type == "service"
-    if not run_spec.configuration.https:
+    https = run_spec.configuration.https
+    if https == "auto":
+        if configuration.certificate is None:
+            return False
+        if configuration.certificate.type == "acm":
+            return False
+        return True
+    if not https:
         return False
     if configuration.certificate is not None and configuration.certificate.type == "acm":
         return False
diff --git a/src/tests/_internal/server/services/services/test_services.py b/src/tests/_internal/server/services/services/test_services.py
@@ -0,0 +1,100 @@
+from typing import Literal, Optional, Union
+from unittest.mock import MagicMock
+
+import pytest
+
+from dstack._internal.core.errors import ServerClientError
+from dstack._internal.core.models.backends.base import BackendType
+from dstack._internal.core.models.configurations import ServiceConfiguration
+from dstack._internal.core.models.gateways import (
+    ACMGatewayCertificate,
+    AnyGatewayCertificate,
+    GatewayConfiguration,
+    LetsEncryptGatewayCertificate,
+)
+from dstack._internal.core.models.runs import RunSpec
+from dstack._internal.server.services.services import (
+    _get_service_https,
+    _register_service_in_server,
+)
+from dstack._internal.server.testing.common import get_run_spec
+
+
+def _service_run_spec(https: Union[bool, Literal["auto"]] = "auto") -> RunSpec:
+    return get_run_spec(
+        repo_id="test-repo",
+        configuration=ServiceConfiguration(commands=["python serve.py"], port=8000, https=https),
+    )
+
+
+def _gateway_config(
+    certificate: Optional[AnyGatewayCertificate] = LetsEncryptGatewayCertificate(),
+) -> GatewayConfiguration:
+    return GatewayConfiguration(
+        backend=BackendType.AWS,
+        region="us-east-1",
+        certificate=certificate,
+    )
+
+
+def _mock_run_model() -> MagicMock:
+    run_model = MagicMock()
+    run_model.project.name = "test-project"
+    run_model.run_name = "test-run"
+    return run_model
+
+
+class TestServiceConfigurationHttps:
+    def test_default_is_true(self) -> None:
+        conf = ServiceConfiguration(commands=["python serve.py"], port=8000)
+        assert conf.https is True
+
+    def test_accepts_auto(self) -> None:
+        conf = ServiceConfiguration(commands=["python serve.py"], port=8000, https="auto")
+        assert conf.https == "auto"
+
+
+class TestGetServiceHttps:
+    def test_auto_resolves_to_true_with_lets_encrypt_gateway(self) -> None:
+        run_spec = _service_run_spec(https="auto")
+        gw = _gateway_config(certificate=LetsEncryptGatewayCertificate())
+        assert _get_service_https(run_spec, gw) is True
+
+    def test_auto_resolves_to_false_when_gateway_has_no_certificate(self) -> None:
+        run_spec = _service_run_spec(https="auto")
+        gw = _gateway_config(certificate=None)
+        assert _get_service_https(run_spec, gw) is False
+
+    def test_auto_resolves_to_false_with_acm_gateway(self) -> None:
+        run_spec = _service_run_spec(https="auto")
+        gw = _gateway_config(
+            certificate=ACMGatewayCertificate(arn="arn:aws:acm:us-east-1:123:cert/abc")
+        )
+        assert _get_service_https(run_spec, gw) is False
+
+    def test_true_enables_https_regardless_of_gateway_certificate(self) -> None:
+        run_spec = _service_run_spec(https=True)
+        gw = _gateway_config(certificate=None)
+        assert _get_service_https(run_spec, gw) is True
+
+    def test_false_disables_https_regardless_of_gateway_certificate(self) -> None:
+        run_spec = _service_run_spec(https=False)
+        gw = _gateway_config(certificate=LetsEncryptGatewayCertificate())
+        assert _get_service_https(run_spec, gw) is False
+
+
+class TestRegisterServiceInServerHttps:
+    def test_allows_default_true_without_gateway(self) -> None:
+        run_spec = _service_run_spec(https=True)
+        result = _register_service_in_server(_mock_run_model(), run_spec)
+        assert result is not None
+
+    def test_allows_auto_without_gateway(self) -> None:
+        run_spec = _service_run_spec(https="auto")
+        result = _register_service_in_server(_mock_run_model(), run_spec)
+        assert result is not None
+
+    def test_rejects_explicit_false_without_gateway(self) -> None:
+        run_spec = _service_run_spec(https=False)
+        with pytest.raises(ServerClientError, match="not applicable"):
+            _register_service_in_server(_mock_run_model(), run_spec)
