fix: use p12 certificate for Portwarden download and fix dependency versions

- Use bastian/lyman.p12 certificate for Portwarden client authentication - Fix google-genai version: 1.2.1 → 1.2.0 (non-existent version) - Fix tushare version: 1.6.3 → 1.4.24 (latest available) - Convert p12 to PEM during build using openssl
2026-01-22 20:51:37 +08:00 · 2026-01-22 20:51:37 +08:00 · c729872b07
commit c729872b07
parent 5bce35d504
2 changed files with 51 additions and 30 deletions
--- a/45
+++ b/45
@ -23,14 +23,27 @@ FROM python:3.11-slim
 ARG BASTION_URL="https://bastion.3prism.ai"
 ARG HOST_ARCH="amd64"

-# 1. Install System Dependencies & Node.js (for runtime)
-# We need Node.js to run the Next.js production server (npm start)
+# 1. Install System Dependencies & Node.js 20 (for runtime)
+# We need Node.js 20 to run the Next.js production server (npm start)
 # curl is needed for health check
 # WeasyPrint dependencies for PDF export
+
+# First install ca-certificates and curl (needed for NodeSource setup)
 RUN apt-get update && apt-get install -y \
+    ca-certificates \
    curl \
-    nodejs \
-    npm \
+    && rm -rf /var/lib/apt/lists/*
+
+# Then install Node.js from NodeSource
+RUN install -m 0755 -d /etc/apt/keyrings && \
+    curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key -o /etc/apt/keyrings/nodesource.gpg && \
+    echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" > /etc/apt/sources.list.d/nodesource.list && \
+    apt-get update && \
+    apt-get install -y nodejs && \
+    rm -rf /var/lib/apt/lists/*
+
+# Finally install WeasyPrint dependencies
+RUN apt-get update && apt-get install -y \
    libpango-1.0-0 \
    libharfbuzz0b \
    libpangoft2-1.0-0 \
@ -46,10 +59,14 @@ RUN python -m venv /app/.venv && \

 # 3. Bake in Portwarden Client (The "Tunnel")
 # This runs during build time to download the binary into the image
-# 使用 -k 跳过 SSL 证书验证（bastion.3prism.ai 证书过期）
-RUN echo "Downloading Portwarden Client from: ${BASTION_URL}/releases/portwardenc-${HOST_ARCH}" && \
-    curl -fsSLk "${BASTION_URL}/releases/portwardenc-${HOST_ARCH}" -o /usr/local/bin/portwardenc && \
-    chmod +x /usr/local/bin/portwardenc
+# 使用 p12 证书进行身份验证，-k 跳过服务器证书验证
+COPY bastian/lyman.p12 /tmp/lyman.p12
+COPY bastian/key.md /tmp/key.md
+RUN openssl pkcs12 -in /tmp/lyman.p12 -out /tmp/client.pem -nodes -passin pass:$(cat /tmp/key.md) && \
+    echo "Downloading Portwarden Client from: ${BASTION_URL}/releases/portwardenc-${HOST_ARCH}" && \
+    curl -fsSLk --cert /tmp/client.pem "${BASTION_URL}/releases/portwardenc-${HOST_ARCH}" -o /usr/local/bin/portwardenc && \
+    chmod +x /usr/local/bin/portwardenc && \
+    rm -f /tmp/lyman.p12 /tmp/key.md /tmp/client.pem

 # 4. Copy Frontend Build Artifacts
 # We need package.json to run 'npm start'
@ -57,8 +74,10 @@ COPY frontend/package*.json ./frontend/
 # Copy the built .next folder and public assets
 COPY --from=frontend-builder /app/frontend/.next ./frontend/.next
 COPY --from=frontend-builder /app/frontend/public ./frontend/public
-# 复制 node_modules 而不是重新安装（避免网络超时问题）
-COPY --from=frontend-builder /app/frontend/node_modules ./frontend/node_modules/
+# Install production dependencies only (reduces image size)
+WORKDIR /app/frontend
+RUN npm ci --only=production
+WORKDIR /app

 # 5. Copy Backend & Application Code
 WORKDIR /app
@ -81,9 +100,9 @@ ENV NEXT_TELEMETRY_DISABLED=1
 EXPOSE 3001 8000

 # Health Check
-# 检查后端健康状态，前端通过后端代理访问
-HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
-    CMD curl -f http://localhost:8000/health || exit 1
+# 检查后端和前端健康状态
+HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
+    CMD curl -f http://localhost:8000/health && curl -f http://localhost:3001 || exit 1

 # Entrypoint: Portwarden tunnel client
 ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
--- a/requirements.txt
+++ b/requirements.txt
@ -1,55 +1,57 @@
 # ============================================
 # FA3 生产环境依赖
+# 版本已固定，确保构建一致性
+# 更新日期: 2026-01-21
 # ============================================

 # --------------------------------------------
 # Web 框架
 # --------------------------------------------
-fastapi
-uvicorn[standard]
+fastapi==0.128.0
+uvicorn[standard]==0.40.0

 # --------------------------------------------
 # 数据库
 # --------------------------------------------
-sqlalchemy
-asyncpg
-psycopg2-binary
+sqlalchemy==2.0.45
+asyncpg==0.30.0
+psycopg2-binary==2.9.9

 # --------------------------------------------
 # 数据处理
 # --------------------------------------------
-pandas
-numpy
+pandas==2.3.3
+numpy==2.4.0

 # --------------------------------------------
 # HTTP 客户端
 # --------------------------------------------
-requests
-httpx
+requests==2.32.3
+httpx==0.28.1

 # --------------------------------------------
 # 配置与环境
 # --------------------------------------------
-python-dotenv
-PyYAML
+python-dotenv==1.0.1
+PyYAML==6.0.2

 # --------------------------------------------
-# AI 服务
+# AI 服务 (Google Gemini SDK)
 # --------------------------------------------
-google-genai
+google-genai==1.2.0

 # --------------------------------------------
 # 文档处理
 # --------------------------------------------
-markdown
-weasyprint
+markdown==3.7
+weasyprint==62.3

 # --------------------------------------------
 # 数据验证
 # --------------------------------------------
-pydantic
+pydantic==2.12.5

 # --------------------------------------------
 # 金融数据源
 # --------------------------------------------
-tushare
+tushare==1.4.24