Generate database access credentials with tctl auth sign command

[gabrielcorado]

Closes #9789.

Adds the flag --db-name into the tctl auth sign. When the flag is provided, the command will generate user credentials that can be used to connect to the database. In addition, it also adds the --db-user flag so users can provide the database username to be added in the routing information.

Example of usage:

# Generate the credentials for the "db-1" database for the "alice" user.
$ tctl auth sign --format tls -o db_credentials --db-name db-1 --user alice --ttl 1h

# Connect to the database using the certificates.
$ psql "user=postgres dbname=postgres host=teleport.example.com port=5432 sslcert=./db_credentials.crt sslkey=./db_credentials.key sslrootcert=./db_credentials.cas sslmode=verify-ca"
psql (14.2, server 14.1 (Debian 14.1-1.pgdg110+1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_128_GCM_SHA256, bits: 128, compression: off)
Type "help" for help.

postgres=#

[jakule]

LGTM, a few minor comments.

[smallinsky]

Right now we are using --db-name to provide the name od database instance where in tsh login/connect the --db-name refers to a database name scheme. For example:

tsh db connect  --db-user=postgres --db-name=testdb postgres-instance

This might be unintuitive also in current approach also the Database field is not set in:

routeToDatabase = proto.RouteToDatabase{
			ServiceName: a.dbName,
			Protocol:    server.GetDatabase().GetProtocol(),
			Username:    a.dbUser,
		}

so there is no way to specify the --db-name to connect in case of postgres access where databaseName is used.

[gabrielcorado]

That's an interesting point, but it is hard to name the ServiceName property into something else since in some places (like the UI and the command you mentioned), it is called "database name".

What about setting the flags like this:

• --db: Refers to the ServiceName property from RouteToDatabase;
• --db-name: Refers to the Database property from RouteToDatabase;
• --db-user: Refers to the Username property from RouteToDatabase;

Another question related to this: is the parameter (Database) required only in some database types? if so should we add validation to it (for example, if PostgreSQL requires it, we make the flag required)?

[smallinsky]

Agree, the --db-name is a bit misleading because and it should be somehow distinguishable from RouteToDatabase.ServiceName a new flog --db or --db-service should fix this and to allow to provide full RouteToDatabase information

@r0mant Any objection ?

[r0mant]

Sorry for delay here guys, yeah I think --db-service, --db-user and --db-name makes sense.

[gabrielcorado]

Done. Updated the flags.

[r0mant]

lgtm after the remaining comment is addressed.