支持证书自签发续订 (#367)

hhhhsc701 · web-flow · commit 7007fff77c73 · 2026-02-13T10:20:14.000+08:00
* 支持证书自签发续订

* 修复docker 构建
diff --git a/.github/workflows/docker-images-reusable.yml b/.github/workflows/docker-images-reusable.yml
@@ -153,7 +153,6 @@ jobs:
 
       - name: Manifest Docker Image
         run: |
-          docker manifest create ${{ steps.set-tag.outputs.TAGS }} \
+          docker buildx imagetools create -t ${{ steps.set-tag.outputs.TAGS }} \
             ${{ steps.set-tag.outputs.AMD_TAGS }} \
-            ${{ steps.set-tag.outputs.ARM_TAGS }}
-          docker manifest push ${{ steps.set-tag.outputs.TAGS }}
+            ${{ steps.set-tag.outputs.ARM_TAGS }}
diff --git a/deployment/helm/datamate/values.yaml b/deployment/helm/datamate/values.yaml
@@ -41,6 +41,7 @@ public:
     data:
       DB_PASSWORD: "password"
       CERT_PASS: ""
+      DOMAIN: ""
 
 datasetVolume: &datasetVolume
   name: dataset-volume
@@ -177,6 +178,11 @@ frontend:
         secretKeyRef:
           name: datamate-conf
           key: CERT_PASS
+    - name: DOMAIN
+      valueFrom:
+        secretKeyRef:
+          name: datamate-conf
+          key: DOMAIN
   volumes:
     - *logVolume
     - name: cert-volume
diff --git a/scripts/images/frontend/Dockerfile b/scripts/images/frontend/Dockerfile
@@ -12,7 +12,11 @@ FROM nginx:1.29 AS runner
 RUN --mount=type=cache,target=/var/cache/apt \
     --mount=type=cache,target=/var/lib/apt \
     apt update \
-    && apt install -y dos2unix
+    && apt install -y dos2unix python3 python3-dev python3-venv libaugeas-dev gcc \
+    && python3 -m venv /opt/certbot/ \
+    && /opt/certbot/bin/pip install --upgrade pip \
+    && /opt/certbot/bin/pip install certbot certbot-nginx \
+    && ln -s /opt/certbot/bin/certbot /usr/local/bin/certbot
 
 COPY --from=builder /app/dist /opt/frontend/statics
 COPY scripts/images/frontend/routes.inc /opt/frontend/routes.inc
diff --git a/scripts/images/frontend/start.sh b/scripts/images/frontend/start.sh
@@ -21,7 +21,16 @@ if [ -f "/etc/nginx/cert/server.pem" ]; then
 else
     cp /opt/frontend/http_backend.conf /etc/nginx/conf.d/default.conf
     cp /opt/frontend/routes.inc /etc/nginx/conf.d/routes.inc
-    echo "Switching to HTTP config"
+
+    if [ -n "$DOMAIN" ]; then
+      cron
+      certbot --nginx "-d ${DOMAIN//,/ -d }"
+      echo "Switching to HTTPS config, Domain: $DOMAIN"
+      echo "0 0 1 * * root /usr/local/bin/certbot renew --quiet" | tee /etc/cron.d/certbot-renew
+      chmod 0644 /etc/cron.d/certbot-renew
+    else
+      echo "Switching to HTTP config"
+    fi
 fi
 
 exec nginx -g "daemon off;"
