Initial PostgreSQL MCP support

[gabrielcorado]

The initial version of the database access MCP is for PostgreSQL databases. Docs preview PR

For reviewers, here is a quick overview of the entire flow:

1. Receive a list of databases available on the MCP server.
2. Check each database's corresponding MCP server (per protocol). This is done using a simple Registry that maps MCP server constructors using database protocols.
3. If there is no match, the database is skipped. Otherwise, we start an ALPN local proxy for each database.
4. After that, we start the MCP servers, passing the databases they will serve.
5. Start the "Root" MCP server, which, in addition to all tools registered by the protocol-specific MCPs, has the served database as a resource and a tool to list them.

What is not currently covered:

• Automatically refresh the list of served databases. For example, if the user now has access to a different database, they'll need to restart the MCP command to get access to it.

Claude Desktop sample usage

# claude_desktop_config.json
{
  "mcpServers": {
    "teleport-databases": {
      "command": "tsh",
      "args": [
        "mcp",
        "db",
        "start",
        "teleport://databases/pg-dev?dbUser=postgres&dbName=postgres",
        "teleport://databases/pg-prod?dbUser=readonly&dbName=postgres"
      ]
    }
  }
}

[greedy52]

🎉 ship it

[public-teleport-github-review-bot]

@gabrielcorado - this PR will require admin approval to merge due to its size. Consider breaking it up into a series smaller changes.

[gabrielcorado]

I've updated the implementation to better fit the login command (which will be added in a separate PR). The changes were:

• tsh mcp db start now receives a list of databases in the MCP resources format. The resource URI will also include the connection parameters (database user and database name). This way, users can tweak their configuration and access different databases without requiring a branch. (see PR description for a config example).
• The filtering options --query and --labels will be available on the tsh mcp db login command.
• The tsh MCP db start command is now hidden, as manually running it on the terminal is ineffective. Users must rely on the login command to generate the correct command.

The new UX flow would consist of users running the login command, which will generate the final tsh mcp db start command and update their MCP client.

[r0mant]

lgtm

[r0mant]

Should we include the cluster name here? To be able to add support for trusted clusters in future for example.

[greedy52]

if we gonna support more resources and trusted cluster, might just adopt the same scheme Connect uses:

teleport/lib/teleterm/api/uri/uri.go

Lines 31 to 32 in 2365ae9

	var pathDbs = urlpath.New("/clusters/:cluster/dbs/:dbName")
	var pathLeafDbs = urlpath.New("/clusters/:cluster/leaves/:leaf/dbs/:dbName")

[gabrielcorado]

I've updated to include the cluster information.

[r0mant]

Nit: Use path.Join here?

[gabrielcorado]

We cannot use the URL.JoinPath because part of the resource URI is parsed into the url.Host, which we want included here.

[greedy52]

how do we deal with duplicates? or worse, same database service with different query params

[gabrielcorado]

I've added a validation for the duplication. The current resource URI wouldn't support a single database configured multiple times.

[camscale]

This signature change has broken tsh vnet on darwin:

teleport/tool/tsh/common/vnet_daemon_darwin.go

Line 64 in 1fba70d

if err := utils.InitLogger(utils.LoggingForDaemon, level, utils.WithOSLog(subsystem)); err != nil {

- probably got missed due to build tags.