Refactor postgres service file handling, add db config command

[r0mant]

This PR belongs to a series of smaller self-contained database access PRs that I will be submitting to land various QoL improvements and refactorings to help keep future MySQL integration PR smaller.

This PR includes:

• Refactor and reorganize Postgres connection service file handling a bit to make adding MySQL option file easier.

• While being at it, also added support for --insecure flag for Postgres service file. Closes Add insecure mode support for database access #5026.

• tsh db ls command output now includes an example connect command to make it easier for users to learn how to connect to a database (can just copy-paste). Example:

➜  ~ tsh db ls
Name                               Description            Labels    Connect
---------------------------------- ---------------------- --------- -------------------------
> local (user: postgres, db: test) PostgreSQL 13.0: Local env=local psql "service=root-local"

• Add tsh db config command that prints database connection information in text form. I realized the need for a command like this when configuring GUI clients - they often require entering paths for certificates for example, and regular users may not know where Teleport stores them on their machine. Example:

➜  ~ tsh db config
Name:      local
Host:      root.gravitational.io
Port:      3080
User:      postgres
Database:  test
CA:        /Users/r0mant/.tsh/keys/root.gravitational.io/certs.pem
Cert:      /Users/r0mant/.tsh/keys/root.gravitational.io/r0mant-db/root/local-x509.pem
Key:       /Users/r0mant/.tsh/keys/root.gravitational.io/r0mant

[a-palchikov]

According to documentation, there are 6 SSL modes and the 3 require, verify-ca and verify-full will error if Postgres was not compiled with SSL support - is this a concern in this case? Also looks like disable or even allow would make a better candidate for insecure mode than verify-ca.

[r0mant]

It's not a concern because we require TLS for the database access. I'm using verify-ca for the same reason, all our routing/authentication it based on client certificates. Also, this is configuring client to talk to Teleport proxy, not Postgres.

[a-palchikov]

Sounds like lib/client/db/profile would be a more apt package location for working with profiles

[r0mant]

Can't move it there due to circular imports.

[a-palchikov]

I'm not sure which imports you mean here, but my suggestion was to pull the interfaces (ConnectProfileFile and ConnectProfile) to lib/client/db and implement support for profile handling for a specific database flavor in the corresponding lib/client/db/profile/<profile> or lib/client/db/<flavor>/.

[a-palchikov]

This is probably meant to land in lib/client/db instead - to be implemented by more specific packages in lib/client/db/...?

[r0mant]

Not really, this is intentional so particular implementations can reuse this struct from here. Can't move it level up due to circular imports.

[a-palchikov]

With the structs in lib/client/db, they'd do exactly that. The specific provider implementation would use the struct from lib/client/db. Of course this means lib/client/db/<provider> cannot be used from lib/client/db which does cause a circular dependency. But it should not have to - the providers should just register themselves somewhere in the root and the root would use them via an interface - does that make sense?

[r0mant]

Yeah, I know what you're saying, I just feel that introducing this sort of registry when I only need to share one struct between a couple of packages may be a bit of an overkill.

[a-palchikov]

If would consider adding a format option for this to make this machine-parsable - this way it can be converted to any other format on the fly without much trouble.

[r0mant]

This is intended to be human-readable first. I agree it might make sense to add other format in future, I'll leave it as a potential improvements if anyone actually needs it.

[r0mant]

@awly @a-palchikov @russjones @fspmarshall Can I please get some codeowners reviews when you get a chance? I'd like to get this merged so I can continue with MySQL integration. Thanks!

[a-palchikov]

Feel free to merge if the suggested provider package layout is not warranted.

[a-palchikov]

I'm not sure which imports you mean here, but my suggestion was to pull the interfaces (ConnectProfileFile and ConnectProfile) to lib/client/db and implement support for profile handling for a specific database flavor in the corresponding lib/client/db/profile/<profile> or lib/client/db/<flavor>/.

[a-palchikov]

With the structs in lib/client/db, they'd do exactly that. The specific provider implementation would use the struct from lib/client/db. Of course this means lib/client/db/<provider> cannot be used from lib/client/db which does cause a circular dependency. But it should not have to - the providers should just register themselves somewhere in the root and the root would use them via an interface - does that make sense?

[russjones]

You may not need this, but if you want to print some instructions as well, you can add something like the following:

fmt.Printf(`echo 'Environment loaded, run the following command to connect...\n'`)

I'm doing something similar for tsh login leaf.example.com --env.

[r0mant]

The purpose of this command is for its output to be fed to shell's eval (like, $(tsh db env) - similar to what minikube for example does as well). For easier discovery of the connect commands I added those to tsh db ls table.