chore: support read-only api-db connections

[tobybellwood]

It would be preferable to support read-only access to the api-db.

This can occur two ways (in the future anyway):

• via a manually created read-only user - adding the API_DB_RO_USERNAME and API_DB_RO_PASSWORD variables to the deployment as additionalEnvs
• via a read-replica (more common in cloud installs) - by adding the API_DB_RO_ADDRESS variable to the deployment as additionalEnvs

Kong will resolve the vars in the declared order, so if there is no _RO_ it will use the version in the chart

For clarity, I created an additional variable(s) to avoid reusing the API_DB_PASSWORD variable - as it is a write password in other services that need write access.

MariaDB [infrastructure]> CREATE USER 'readonly'@'%' IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.003 sec)

MariaDB [infrastructure]> GRANT SELECT, SHOW VIEW ON infrastructure.* TO 'readonly'@'%';
Query OK, 0 rows affected (0.003 sec)

[smlx]

As discussed on slack maybe we can put this logic in the helm chart. 🙂