ビルド時にSSL証明書を追加 (#175)

futaringoto · Oct 3, 2024 · c62f8c6 · c62f8c6
1 parent 99b8d0e
commit c62f8c6
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 9 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -3,9 +3,6 @@ name: Build container and push to ACR
 on:
   workflow_dispatch:
 
-permissions:
-  contents: read
-
 env:
   IMAGE: 'futarin-api'
 
@@ -26,6 +23,11 @@ jobs:
           username: ${{ secrets.REGISTRY_USERNAME }}
           password: ${{ secrets.REGISTRY_PASSWORD }}
 
+      - name: Add SSL certificates for DB
+        run: |
+          echo "${{ secrets.DB_SSL_CERT }}" > ${{ github.workspace }}/api/db-cert.pem
+          chmod 644 ${{ github.workspace }}/api/db-cert.pem
+
       - name: 'Compose Customized Docker Image'
         run: |
           docker buildx build --platform linux/amd64,linux/arm64 \

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -126,6 +126,7 @@ sudo make test
 | REGISTRY_USERNAME | ACR　ユーザ名 |
 | REGISTRY_PASSWORD | ACR パスワード |
 | AZURE_WEBAPP_PUBLISH_PROFILE | Azure 認証情報 |
+| DB_SSL_CERT | Azure Database for MySQL SSL証明書 |
 | OPENAI_API_KEY | OpenAI Platform APIキー(テスト用) |
 | VOICEVOX_API_KEY | VOICEVOX API APIキー(テスト用) |
 

diff --git a/api/db.py b/api/db.py
@@ -5,7 +5,7 @@
 from sqlalchemy.ext.asyncio import AsyncAttrs, AsyncSession, create_async_engine
 from sqlalchemy.orm import DeclarativeBase, sessionmaker
 
-from v2.utils.config import get_db_object, get_is_dev_mode, get_ssl_cert_path
+from v2.utils.config import get_db_object, get_is_dev_mode, get_db_cert_path
 
 IS_DEV_MODE: bool = get_is_dev_mode()
 
@@ -25,8 +25,8 @@ def create_dev_async_engine():
 
 def create_prod_async_engine():
     DB_OBJECT: Dict[str, str] = get_db_object()
-    SSL_CERT_PATH = get_ssl_cert_path()
-    ssl_context = ssl.create_default_context(cafile=SSL_CERT_PATH)
+    DB_CERT_PATH = get_db_cert_path()
+    ssl_context = ssl.create_default_context(cafile=DB_CERT_PATH)
     url = URL.create(
         drivername="mysql+aiomysql",
         username=DB_OBJECT["username"],

diff --git a/api/v2/utils/config.py b/api/v2/utils/config.py
@@ -15,7 +15,7 @@ def check_env_variables():
         "DB_HOST",
         "DB_USERNAME",
         "DB_PASSWORD",
-        "SSL_CERT_PATH",
+        "DB_CERT_PATH",
     ]
     if not is_dev_mode:
         env_vars.extend(env_vars_prod)
@@ -49,5 +49,5 @@ def get_db_object() -> Dict[str, str]:
     return obj
 
 
-def get_ssl_cert_path():
-    return os.getenv("SSL_CERT_PATH")
+def get_db_cert_path():
+    return os.getenv("DB_CERT_PATH")
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -16,6 +16,7 @@ services:
     image: futarin-api
     environment:
       - IS_DEV_MODE=0
+      - DB_CERT_PATH=/api/db-cert.pem
     env_file:
       - .env
     build: