feat: add crdb data source to grafana

infra/tf/cockroachdb_k8s/outputs.tf

@@ -9,4 +9,3 @@ output "port" {
 output "cluster_identifier" {
 	value = "default"
 }
-

infra/tf/k8s_infra/cockroachdb.tf

@@ -11,7 +11,6 @@ locals {
 
 module "crdb_secrets" {
 	count = local.cockroachdb_k8s ? 1 : 0
-
 	source = "../modules/secrets"
 
 	keys = [ "crdb/username", "crdb/password" ]
@@ -74,7 +73,7 @@ resource "helm_release" "cockroachdb" {
 					{
 						name = module.crdb_secrets[0].values["crdb/username"]
 						password = module.crdb_secrets[0].values["crdb/password"]
-						options = ["CREATEDB"]
+						options = ["CREATEDB", "CREATEROLE", "CREATELOGIN"]
 					}
 				]
 			}
@@ -104,7 +103,7 @@ data "kubernetes_secret" "crdb_ca" {
 }
 
 resource "kubernetes_config_map" "crdb_ca" {
-	for_each = local.cockroachdb_k8s ? toset(["rivet-service", "bolt"]) : toset([])
+	for_each = local.cockroachdb_k8s ? toset(["rivet-service", "bolt", "prometheus"]) : toset([])
 
 	metadata {
 		name = "crdb-ca"

infra/tf/k8s_infra/prometheus.tf

@@ -71,6 +71,8 @@ locals {
 			]
 		}] : []
 	])
+
+	crdb_host = "${try(data.terraform_remote_state.cockroachdb_k8s.outputs.host, data.terraform_remote_state.cockroachdb_managed.outputs.host)}:${try(data.terraform_remote_state.cockroachdb_k8s.outputs.port, data.terraform_remote_state.cockroachdb_managed.outputs.port)}"
 }
 
 module "alertmanager_secrets" {
@@ -80,6 +82,12 @@ module "alertmanager_secrets" {
 	optional = true
 }
 
+module "crdb_user_grafana_secrets" {
+	source = "../modules/secrets"
+
+	keys = [ "crdb/user/grafana/username", "crdb/user/grafana/password" ]
+}
+
 resource "kubernetes_namespace" "prometheus" {
 	count = var.prometheus_enabled ? 1 : 0
 
@@ -343,6 +351,31 @@ resource "helm_release" "prometheus" {
 					url = "http://loki-gateway.loki.svc.cluster.local:80/"
 					access = "proxy"
 					jsonData = {}
+				},
+				{
+					name = "CockroachDB"
+					type = "postgres"
+					uid = "crdb"
+					url = local.crdb_host
+					user = module.crdb_user_grafana_secrets.values["crdb/user/grafana/username"]
+					secureJsonData = {
+						password = module.crdb_user_grafana_secrets.values["crdb/user/grafana/password"]
+					}
+					jsonData = {
+						sslmode = "verify-ca"
+						sslRootCertFile = "/local/crdb/ca.crt"
+					}
+				}
+			]
+
+			extraConfigmapMounts = [
+				# TLS Cert for postgres datasource
+				{
+					name = "crdb-ca"
+					configMap = "crdb-ca"
+					mountPath = "/local/crdb/ca.crt"
+					subPath = "ca.crt"
+					readOnly = true
 				}
 			]
 

lib/bolt/core/src/dep/terraform/remote_states.rs

@@ -11,25 +11,29 @@ use crate::context::ProjectContext;
 pub fn dependency_graph(_ctx: &ProjectContext) -> HashMap<&'static str, Vec<RemoteState>> {
 	hashmap! {
 		"dns" => vec![
-			RemoteStateBuilder::default().plan_id("k8s_infra").build().unwrap()
+			RemoteStateBuilder::default().plan_id("k8s_infra").build().unwrap(),
 		],
 		"redis_aiven" => vec![
-			RemoteStateBuilder::default().plan_id("k8s_cluster_aws").build().unwrap()
+			RemoteStateBuilder::default().plan_id("k8s_cluster_aws").build().unwrap(),
 		],
 		"redis_aws" => vec![
-			RemoteStateBuilder::default().plan_id("k8s_cluster_aws").build().unwrap()
+			RemoteStateBuilder::default().plan_id("k8s_cluster_aws").build().unwrap(),
+		],
+		"k8s_infra" => vec![
+			RemoteStateBuilder::default().plan_id("cockroachdb_k8s").build().unwrap(),
+			RemoteStateBuilder::default().plan_id("cockroachdb_managed").build().unwrap(),
 		],
 		"cockroachdb_managed" => vec![
-			RemoteStateBuilder::default().plan_id("k8s_cluster_aws").build().unwrap()
+			RemoteStateBuilder::default().plan_id("k8s_cluster_aws").build().unwrap(),
 		],
 		"clickhouse_managed" => vec![
-			RemoteStateBuilder::default().plan_id("k8s_cluster_aws").build().unwrap()
+			RemoteStateBuilder::default().plan_id("k8s_cluster_aws").build().unwrap(),
 		],
 		"cloudflare_workers" => vec![
-			RemoteStateBuilder::default().plan_id("dns").build().unwrap()
+			RemoteStateBuilder::default().plan_id("dns").build().unwrap(),
 		],
 		"cloudflare_tunnels" => vec![
-			RemoteStateBuilder::default().plan_id("dns").build().unwrap()
+			RemoteStateBuilder::default().plan_id("dns").build().unwrap(),
 		],
 	}
 }

lib/bolt/core/src/tasks/config/generate.rs

@@ -309,6 +309,16 @@ pub async fn generate(project_path: &Path, ns_id: &str) -> Result<()> {
 			Ok(value(generate_password(32)))
 		})
 		.await?;
+	generator
+		.generate_secret(&["crdb", "user", "grafana", "username"], || async {
+			Ok(value("grafana"))
+		})
+		.await?;
+	generator
+		.generate_secret(&["crdb", "user", "grafana", "password"], || async {
+			Ok(value(generate_password(32)))
+		})
+		.await?;
 
 	// Write configs again with new secrets
 	generator.write().await?;

lib/bolt/core/src/tasks/infra/mod.rs

@@ -126,6 +126,28 @@ pub fn build_plan(
 		}
 	}
 
+	// CockroachDB
+	match ctx.ns().cockroachdb.provider {
+		ns::CockroachDBProvider::Kubernetes {} => {
+			plan.push(PlanStep {
+				name_id: "cockroachdb-k8s",
+				kind: PlanStepKind::Terraform {
+					plan_id: "cockroachdb_k8s".into(),
+					needs_destroy: false,
+				},
+			});
+		}
+		ns::CockroachDBProvider::Managed { .. } => {
+			plan.push(PlanStep {
+				name_id: "cockroachdb-managed",
+				kind: PlanStepKind::Terraform {
+					plan_id: "cockroachdb_managed".into(),
+					needs_destroy: true,
+				},
+			});
+		}
+	}
+
 	// Kubernetes
 	plan.push(PlanStep {
 		name_id: "k8s-infra",
@@ -177,28 +199,6 @@ pub fn build_plan(
 		}
 	}
 
-	// CockroachDB
-	match ctx.ns().cockroachdb.provider {
-		ns::CockroachDBProvider::Kubernetes {} => {
-			plan.push(PlanStep {
-				name_id: "cockroachdb-k8s",
-				kind: PlanStepKind::Terraform {
-					plan_id: "cockroachdb_k8s".into(),
-					needs_destroy: false,
-				},
-			});
-		}
-		ns::CockroachDBProvider::Managed { .. } => {
-			plan.push(PlanStep {
-				name_id: "cockroachdb-managed",
-				kind: PlanStepKind::Terraform {
-					plan_id: "cockroachdb_managed".into(),
-					needs_destroy: true,
-				},
-			});
-		}
-	}
-
 	// ClickHouse
 	if let Some(clickhouse) = &ctx.ns().clickhouse {
 		match &clickhouse.provider {

lib/bolt/core/src/tasks/migrate.rs

@@ -290,12 +290,33 @@ pub async fn up(ctx: &ProjectContext, services: &[ServiceContext]) -> Result<()>
 		match &svc.config().runtime {
 			RuntimeKind::CRDB { .. } => {
 				let db_name = svc.crdb_db_name();
-				let query = format!("CREATE DATABASE IF NOT EXISTS \"{db_name}\";");
+				let query = format!(r#"CREATE DATABASE IF NOT EXISTS "{db_name}";"#);
 
 				crdb_queries.push(db::ShellQuery {
 					svc: svc.clone(),
 					query: Some(query),
 				});
+
+				// Create users
+				let username = ctx
+					.read_secret(&["crdb", "user", "grafana", "username"])
+					.await?;
+				let password = ctx
+					.read_secret(&["crdb", "user", "grafana", "password"])
+					.await?;
+				let query = formatdoc!(
+					r#"
+					CREATE USER IF NOT EXISTS {username}
+					WITH PASSWORD '{password}';
+					GRANT SELECT
+					ON {db_name}.*
+					TO {username};
+					"#
+				);
+				crdb_queries.push(db::ShellQuery {
+					svc: svc.clone(),
+					query: Some(query),
+				});
 			}
 			RuntimeKind::ClickHouse { .. } => {
 				if ctx.ns().clickhouse.is_none() {
@@ -356,7 +377,7 @@ pub async fn up(ctx: &ProjectContext, services: &[ServiceContext]) -> Result<()>
 					});
 				}
 
-				let query = format!("CREATE DATABASE IF NOT EXISTS \"{db_name}\";");
+				let query = format!(r#"CREATE DATABASE IF NOT EXISTS "{db_name}";"#);
 				clickhouse_queries.push(db::ShellQuery {
 					svc: svc.clone(),
 					query: Some(query),