Dockerで安全な秘密DB作成

Docker

Last updated at 2025-07-06Posted at 2025-07-05


FROM node:22-alpine AS builder

RUN npm install -g pnpm

WORKDIR /app

COPY package.json pnpm-lock.yaml ./

RUN pnpm install

COPY apps/Dockerfile/prisma ./prisma

RUN pnpm prisma generate



FROM postgres:15-alpine

RUN apk update && apk add --no-cache nodejs npm && npm install -g pnpm

ENV NODE_PATH=/app/node_modules

WORKDIR /app

COPY --from=builder /app/ ./

COPY apps/Dockerfile/init-db.sh /docker-entrypoint-initdb.d/init-db.sh

RUN chmod +x /docker-entrypoint-initdb.d/init-db.sh

#!/bin/sh

set -e

# データベースの初期化
echo "Initializing database..."

pnpm prisma migrate deploy

echo "Database initialized successfully"

ここで.envに DBのURLを記述しておこう

.env.local

# Confidential Database Environment Variables
CONFIDENTIAL_DB_USER=confidential_user
CONFIDENTIAL_DB_PASSWORD=confidential_password
CONFIDENTIAL_DB_NAME=confidential_db

# Database Connection String (schema.prismaで期待される変数名)
CONFIDENTIAL_DATABASE_URL=postgresql://confidential_user:confidential_password@confidential-db:5432/confidential_db

その次に、package.jsonで起動コマンドを管理しよう

"confidential:seed": "docker compose --env-file ./database/.env.local run --rm confidential-db sh -c 'npx prisma generate && npx tsx prisma/seed.ts'",

Docker-compose.ymlで結合しよう


version: '3.8'

services:
  frontend:
    build:
      context: .
      dockerfile: ./apps/frontend/Dockerfile
    ports:
      - "3002:3000"
    depends_on:
      - bff
    environment:
      - NODE_ENV=development
      - GRAPHQL_URL_SSR=http://bff:4000/graphql
      - NEXT_PUBLIC_GRAPHQL_URL=http://localhost:4001/graphql
    networks:
      - ec-network

  bff:
    build:
      context: .
      dockerfile: ./apps/bff/Dockerfile
    ports:
      - "4001:4000"
    depends_on:
      - backend
    environment:
      - NODE_ENV=production
      - BACKEND_GRPC_URL=backend:50051
    networks:
      - ec-network

  backend:
    build:
      context: .
      dockerfile: ./apps/backend/Dockerfile
    ports:
      - "50052:50051"
    depends_on:
      database:
        condition: service_healthy
    environment:
      - NODE_ENV=production
      - DATABASE_URL=mysql://root:password@database:3306/ec_database
    networks:
      - ec-network

  database:
    image: mysql:8.0
    ports:
      - "3307:3306"
    environment:
      - MYSQL_ROOT_PASSWORD=password
      - MYSQL_DATABASE=ec_database
      - MYSQL_USER=ec_user
      - MYSQL_PASSWORD=password
    volumes:
      - mysql_data:/var/lib/mysql
      - ./database/init:/docker-entrypoint-initdb.d
      - ./database/my.cnf:/etc/mysql/conf.d/my.cnf
    healthcheck:
      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "root", "-ppassword"]
      timeout: 10s
      retries: 10
      interval: 5s
      start_period: 30s
    networks:
      - ec-network

  confidential-db:
    build:
      context: .
      dockerfile: ./apps/Dockerfile/dockerfile.confidential
    container_name: confidential-db
    restart: always
    environment:
      POSTGRES_USER: ${CONFIDENTIAL_DB_USER}
      POSTGRES_PASSWORD: ${CONFIDENTIAL_DB_PASSWORD}
      POSTGRES_DB: ${CONFIDENTIAL_DB_NAME}
      DATABASE_URL: "postgresql://${CONFIDENTIAL_DB_USER}:${CONFIDENTIAL_DB_PASSWORD}@confidential-db:5432/${CONFIDENTIAL_DB_NAME}"
      CONFIDENTIAL_DATABASE_URL: "postgresql://${CONFIDENTIAL_DB_USER}:${CONFIDENTIAL_DB_PASSWORD}@confidential-db:5432/${CONFIDENTIAL_DB_NAME}"
    env_file:
      - ./database/.env.local
    ports:
      - "3308:5432"
    volumes:
      - confidential_data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${CONFIDENTIAL_DB_USER} -d ${CONFIDENTIAL_DB_NAME}"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - ec-network
volumes:
  mysql_data:
  confidential_data:

networks:
  ec-network:
    driver: bridge

You get articles that match your needs
You can efficiently read back useful information
You can use dark theme

What you can do with signing up