
Add ability to specify level of TLS verification for database connections #7636

Closed
r0mant opened this issue Jul 22, 2021 · 2 comments · Fixed by #9197
Labels: c-el (Internal Customer Reference), c-gl (Internal Customer Reference), c-hg (Internal Customer Reference), database-access (Database access related issues and PRs), feature-request (Used for new features in Teleport, improvements to current should be #enhancements), ux

r0mant commented Jul 22, 2021

What

Currently, the Teleport database service always performs full TLS certificate verification when connecting to a target database. This is most secure but inflexible - some teams use their own certificates for their databases which do not always have the proper hostname encoded, and which they can't replace with Teleport-issued ones. For scenarios like this we need to add an option to relax verification of the certificate presented by the database.

How

Instead of introducing a binary insecure_skip_verify flag, the proposal is to make the level of TLS verification more flexible to support different customer use-cases (which have come up before).

Example database configuration:

```yaml
db_service:
  enabled: "yes"
  databases:
  - name: "example"
    protocol: "postgres"
    uri: "localhost:5432"
    ca_cert_file: xxx # deprecate this field and move it under "tls" section but keep for backwards compat.
    tls:
      mode: verify-full # can also be 'verify-ca' or 'insecure'
      server_name: PostgreSQL # optionally set custom server name
      ca_cert_file: /path/to/pem # optional CA path, existing field moved from the level above
```

  • verify-full (default) does full verification like now. Server name can be optionally overridden, otherwise the one from URI is used.
  • verify-ca skips hostname verification but checks CA.
  • insecure is analogous to Go's "insecure_skip_verify" which accepts any certificate.
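The three modes map onto crypto/tls in a way that is worth spelling out, because Go has no single switch for "check the CA but not the host name": verify-ca has to set InsecureSkipVerify and re-do the chain check in VerifyPeerCertificate with an empty DNSName. The following is an added, self-contained example (not Teleport's code, and the function names BuildClientTLSConfig, VerifyChainIgnoringHostname, Handshake, NewTestCA and IssueServerCert are this example's own); it builds a client config for each mode, then runs real handshakes over an in-memory pipe against a constructed CA whose leaf certificate carries the wrong host name, which is the situation the issue describes, and against a leaf from an unrelated CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// TLSMode holds the three values proposed for the "tls.mode" field.
type TLSMode string

const (
	VerifyFull TLSMode = "verify-full" // CA chain + host name (the default)
	VerifyCA   TLSMode = "verify-ca"   // CA chain only
	Insecure   TLSMode = "insecure"    // accept any certificate
)

// BuildClientTLSConfig maps a mode onto a crypto/tls client config. serverName is the
// URI host or the server_name override; roots is the pool loaded from ca_cert_file.
func BuildClientTLSConfig(mode TLSMode, serverName string, roots *x509.CertPool) (*tls.Config, error) {
	cfg := &tls.Config{ServerName: serverName, RootCAs: roots, MinVersion: tls.VersionTLS12}
	switch mode {
	case VerifyFull: // Go's built-in checks stay on: chain, validity and host name
	case VerifyCA:
		// crypto/tls has no "skip only the host name" switch, so built-in verification
		// is turned off and the chain check is done in the callback instead.
		cfg.InsecureSkipVerify = true
		cfg.VerifyPeerCertificate = func(raw [][]byte, _ [][]*x509.Certificate) error {
			return VerifyChainIgnoringHostname(roots, raw)
		}
	case Insecure:
		cfg.InsecureSkipVerify = true // nothing about the server certificate is checked
	default:
		return nil, fmt.Errorf("unknown tls mode %q", mode)
	}
	return cfg, nil
}

// VerifyChainIgnoringHostname checks that the presented chain leads to a trusted root
// and is valid now. DNSName is left empty on purpose, so the SAN is never compared
// with the host that was dialed: exactly what verify-ca promises, and nothing less.
func VerifyChainIgnoringHostname(roots *x509.CertPool, rawCerts [][]byte) error {
	if len(rawCerts) == 0 {
		return fmt.Errorf("server presented no certificate")
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	var leaf *x509.Certificate
	for i, raw := range rawCerts {
		c, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		if i == 0 {
			leaf = c
		} else {
			opts.Intermediates.AddCert(c) // anything after the leaf is an intermediate
		}
	}
	_, err := leaf.Verify(opts)
	return err
}

// Handshake runs one TLS handshake over an in-memory pipe and returns the client-side
// error, so each mode can be exercised without a database. The deadline stops a
// rejecting client from blocking on the unbuffered pipe while it sends its alert.
func Handshake(clientCfg *tls.Config, serverCert tls.Certificate) error {
	clientConn, serverConn := net.Pipe()
	_ = clientConn.SetDeadline(time.Now().Add(2 * time.Second))
	done := make(chan struct{})
	go func() {
		_ = tls.Server(serverConn, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
		close(done)
	}()
	err := tls.Client(clientConn, clientCfg).Handshake()
	clientConn.Close() // unblocks the server side however the client finished
	<-done
	serverConn.Close()
	return err
}

// issue signs tmpl with parent (self-signed when parent is nil) using a fresh P-256 key.
// Constructed test material only; it stands in for the team-managed CA from the issue.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewTestCA returns a self-signed CA plus a pool that trusts only that CA.
func NewTestCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, *x509.CertPool, error) {
	cert, key, err := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	pool := x509.NewCertPool()
	if err == nil {
		pool.AddCert(cert)
	}
	return cert, key, pool, err
}

// IssueServerCert issues a server leaf from the CA whose only SAN is dnsName.
func IssueServerCert(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (tls.Certificate, error) {
	cert, key, err := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName},
		DNSNames: []string{dnsName}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, caCert, caKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key, Leaf: cert}, nil
}

func main() {
	// The issue's scenario: the team's CA issued a cert for "db.internal" but the URI
	// says "localhost". A second, unrelated CA shows what verify-ca still rejects.
	caCert, caKey, pool, _ := NewTestCA("team-db-ca")
	otherCA, otherKey, _, _ := NewTestCA("unrelated-ca")
	teamLeaf, _ := IssueServerCert(caCert, caKey, "db.internal")
	otherLeaf, _ := IssueServerCert(otherCA, otherKey, "localhost")
	for _, mode := range []TLSMode{VerifyFull, VerifyCA, Insecure} {
		cfg, _ := BuildClientTLSConfig(mode, "localhost", pool)
		fmt.Printf("%-11s host mismatch: %v\n", mode, Handshake(cfg, teamLeaf))
		fmt.Printf("%-11s untrusted CA:  %v\n", mode, Handshake(cfg, otherLeaf))
	}
}
```

Run as is, the program shows verify-full rejecting both leaves, verify-ca accepting the team-issued leaf with the wrong host name but still rejecting the unrelated CA, and insecure accepting both. Two design points carry over to a real implementation: the ServerName is still set in every mode (it is sent as SNI even when the host name is not checked, so server_name keeps its meaning under verify-ca), and the verify-ca callback must handle intermediates and an empty chain itself, because once InsecureSkipVerify is set crypto/tls does none of that for you.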
@r0mant r0mant added feature-request Used for new features in Teleport, improvements to current should be #enhancements ux database-access Database access related issues and PRs c-gl Internal Customer Reference labels Jul 22, 2021
@r0mant r0mant added this to the Database Access UX milestone Jul 22, 2021
r0mant commented Jul 22, 2021

@klizhentas Could you review the proposed UX please? ^

@vibechild

I like having the two options for how insecure we want it. Either of these options will solve the issue for us, but having both available would be very nice.
