feat(observability): provision Grafana PostgreSQL datasource

Adds a read-only datasource pointing at archive-db using the grafana_reader role (provisioned by Flyway V68). The password is interpolated from the GRAFANA_DB_PASSWORD env var passed to obs-grafana, and the connection is locked to editable: false so the credential cannot be inspected via the UI. sslmode=disable is intentional: traffic stays inside archiv-net. Refs #651. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-21 19:22:35 +02:00
parent ed8e9576e4
commit ab2708e63b
1 changed files with 16 additions and 0 deletions
--- a/infra/observability/grafana/provisioning/datasources/datasources.yml
+++ b/infra/observability/grafana/provisioning/datasources/datasources.yml
@@ -36,3 +36,19 @@ datasources:
        datasourceUid: prometheus
      nodeGraph:
        enabled: true
+
+  # Read-only PostgreSQL datasource for the PO Overview dashboard (issue #651).
+  # Uses the grafana_reader role provisioned by Flyway V68. Traffic stays inside
+  # archiv-net, so sslmode=disable is the deliberate, accepted setting.
+  - name: PostgreSQL
+    type: postgres
+    uid: postgres
+    url: archive-db:5432
+    user: grafana_reader
+    editable: false
+    secureJsonData:
+      password: ${GRAFANA_DB_PASSWORD}
+    jsonData:
+      database: ${POSTGRES_DB}
+      sslmode: disable
+      postgresVersion: 1600