Create dedicated database user for Container Registry background migrations chatops integration

Request summary

Create a dedicated user for Container-registry background-migrations chatops integration.

Details:

GRANT SELECT ON batched_background_migrations TO your_user;
GRANT SELECT ON batched_background_migration_jobs TO your_user;
GRANT UPDATE (status) ON batched_background_migrations TO your_user;
  • we expect bursts of 10-20 requests a few times per week - the integration will be run occasionally via manual interaction of the container-registry team with the chatops integration
  • the slowest query will run in <1s, as the queries are very simple: they only query/update the status of BBM jobs, and the number of rows updated is minimal
  • during bursts of activity there should be no more than 5 active connections, but these should be rare. The connections will be short-lived

Vault path where secrets should be stored: ops-gitlab-net/gitlab-com/shared/bbm_psql_chatops_creds/{user,passw}@ci

Databases: gstg, gpre, and gprd on container-registry database

Business justification

Giving the container-registry team a self-service option for starting, stopping, and pausing background migrations.

Relation to company priorities and initiatives

This will enable container-registry to move faster and decrease load on SREs/DBOs, as they will no longer need to do this for us.

Impact/risk analysis

See above

Expected timeline

2-4 weeks. Getting all required appsec and infrasec approvals, sign-offs from owners, etc. already took 2 months. It would be nice to still close this issue this year.

Exit criteria

We have a set of DB credentials for a limited PSQL user capable of controlling background-migrations that can be used for gstg, gpre, and gprd on the container-registry database.

/cc @andrashorvath

Edited by Pawel Rozlach
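
The grants and workload limits from the Details section, expressed as a single PostgreSQL transaction that also verifies the resulting privilege scope. This is an added example, not part of the original issue or the project's own provisioning code. The role name `bbm_chatops` and both timeout values are assumptions; the connection limit comes from the request.

```sql
-- Added example. bbm_chatops is a hypothetical role name (the request uses your_user).
-- Assumes PostgreSQL, with both tables in a schema on the role's search_path.
BEGIN;

-- The password is set separately from the Vault-stored secret, never embedded here.
CREATE ROLE bbm_chatops LOGIN
  NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION NOINHERIT
  CONNECTION LIMIT 5;  -- request: no more than 5 active connections

-- The request states the slowest query runs in <1s; 5s is an assumed safety margin.
ALTER ROLE bbm_chatops SET statement_timeout = '5s';
-- Assumed value: stop a stuck chatops session from holding row locks on status.
ALTER ROLE bbm_chatops SET idle_in_transaction_session_timeout = '10s';

GRANT SELECT ON batched_background_migrations TO bbm_chatops;
GRANT SELECT ON batched_background_migration_jobs TO bbm_chatops;
GRANT UPDATE (status) ON batched_background_migrations TO bbm_chatops;

-- Abort the transaction if effective privileges differ from the request.
-- has_*_privilege also counts grants inherited from PUBLIC, so a pre-existing
-- broad grant on either table makes these checks fail.
DO $$
BEGIN
  ASSERT has_table_privilege('bbm_chatops', 'batched_background_migrations', 'SELECT'),
    'missing SELECT on batched_background_migrations';
  ASSERT has_table_privilege('bbm_chatops', 'batched_background_migration_jobs', 'SELECT'),
    'missing SELECT on batched_background_migration_jobs';
  ASSERT has_column_privilege('bbm_chatops', 'batched_background_migrations', 'status', 'UPDATE'),
    'missing UPDATE (status)';

  -- Only the status column may be writable: no table-wide write privileges.
  ASSERT NOT has_table_privilege('bbm_chatops', 'batched_background_migrations',
                                 'INSERT, UPDATE, DELETE, TRUNCATE'),
    'unexpected table-level write on batched_background_migrations';
  -- The jobs table is read-only: no table-level or column-level writes.
  ASSERT NOT has_table_privilege('bbm_chatops', 'batched_background_migration_jobs',
                                 'INSERT, UPDATE, DELETE, TRUNCATE'),
    'unexpected table-level write on batched_background_migration_jobs';
  ASSERT NOT has_any_column_privilege('bbm_chatops', 'batched_background_migration_jobs',
                                      'INSERT, UPDATE'),
    'unexpected column-level write on batched_background_migration_jobs';
END
$$;

COMMIT;
```

The `ASSERT` checks depend on `plpgsql.check_asserts` being on, which is the PostgreSQL default. The same block can be re-run without the `CREATE ROLE` and `GRANT` statements as a periodic drift check in each of gstg, gpre, and gprd.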