Database TLS "insecure" mode does not generate client certificate

[r0mant]

Description

What happened:

With the following database configuration:

db_service:
  enabled: "yes"
  databases:
  - name: "postgres"
    description: "🐘 PostgreSQL 13.0: Local"
    protocol: "postgres"
    uri: "localhost:5432"
    tls:
      mode: insecure

Connection to Postgres fails with:

Original Error: *pgconn.connectError failed to connect to `host=localhost user=postgres database=postgres`: server error (FATAL: connection requires a valid client certificate (SQLSTATE 28000))

In the Postgres logs:

2022-03-03 19:29:31.600 GMT [50] FATAL:  connection requires a valid client certificate

It looks like TLS "insecure" mode just sets InsecureSkipVerify to true and does not actually generate client certificate for the connection:

https://github.com/gravitational/teleport/blob/v9.0.0-beta.1/lib/srv/db/common/auth.go#L384-L393

The setting should only apply to validating the server certificate.

What you expected to happen:

Connection to self-hosted database which presents an invalid certificate should still succeed with "insecure" mode.

Reproduction Steps

As minimally and precisely as possible, describe step-by-step how to reproduce the problem.

1. Configure a self-hosted Postgres with an invalid certificate.
2. Configure database access with TLS insecure mode.
3. Try to tsh db connect to it.