Description
Right now, database connections that go directly to MySQL or Postgres, like

```yaml
database:
  sql:
    driver: "postgres" # or "mysql"
    dsn: <...>
```

cannot specify any TLS settings that don't require files.
For PG, you could do

```yaml
database:
  sql:
    driver: "postgres"
    dsn: "host=localhost user=pg sslmode=verify-full sslrootcert=path/to/ca.pem database=test sslcert=path/to/sslcert.crt sslkey=path/to/sslcert.key"
```

but that requires putting files into the filesystem, which is annoying in container environments.
Proposal

TLS is a credential here, so let's add a credential type "tls-cert", which takes these values:

```yaml
type: tls-cert
rootcert: <root cert PEM> # optional: default to system certs
cert: <client cert PEM> # optional: if present, key needs to be present, too. If absent, don't use client cert
key: <client cert key PEM> # optional: required if cert is present
passphrase: <client key passphrase (base64?)> # optional: required if key has a passphrase protection
```

All values are optional, which makes this a little weird... but maybe OK enough.
In the database SQL config, you'll then have to reference the named credential:

```yaml
database:
  sql:
    driver: "postgres" # or "mysql"
    dsn: <...>
    credentials: postgres-cert
secrets:
  postgres-cert:
    type: tls-cert
    # ... etc ...
```

Ideally, this could be used in other places later, too, to do mTLS with an HTTP data source, for example, or a Git repo via https.
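As an added illustration (not code from this issue or the project), here is a Go sketch of how a driver-side helper could consume the proposed tls-cert credential and enforce the optionality rules above; the type and function names are assumed, and handing the resulting *tls.Config to the driver (e.g. go-sql-driver/mysql's RegisterTLSConfig or pgx's TLSConfig field) is left out.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
)

// TLSCertCredential mirrors the proposed "tls-cert" secret: inline PEM strings, no files.
type TLSCertCredential struct {
	RootCert   string // optional; empty means trust the system roots
	Cert       string // optional client certificate
	Key        string // required exactly when Cert is set
	Passphrase string // optional; only meaningful when Key is set
}

// BuildTLSConfig turns the credential into a *tls.Config, rejecting inconsistent
// combinations instead of silently falling back to a weaker mode.
func BuildTLSConfig(c TLSCertCredential) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if c.RootCert != "" {
		cfg.RootCAs = x509.NewCertPool()
		if !cfg.RootCAs.AppendCertsFromPEM([]byte(c.RootCert)) {
			return nil, errors.New("tls-cert: rootcert contains no parsable PEM certificate")
		}
	}
	if (c.Cert == "") != (c.Key == "") {
		return nil, errors.New("tls-cert: cert and key must be provided together")
	}
	if c.Passphrase != "" {
		// Go's stdlib only has the deprecated, insecure legacy PEM decryption, so an
		// encrypted key would need a PKCS#8 decryptor; refuse rather than guess.
		return nil, errors.New("tls-cert: passphrase-protected keys are not supported here")
	}
	if c.Cert != "" { // mTLS: present the client certificate
		pair, err := tls.X509KeyPair([]byte(c.Cert), []byte(c.Key))
		if err != nil {
			return nil, fmt.Errorf("tls-cert: client cert/key: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return cfg, nil
}

func main() {
	// Constructed credential with no inline PEMs: system roots, server auth only.
	cfg, err := BuildTLSConfig(TLSCertCredential{})
	fmt.Println(cfg.RootCAs == nil, err) // true <nil>
}
```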