Allow users to request database certificates in Machine ID

tool/tbot/config/config_destination.go

@@ -21,13 +21,39 @@ import (
 	"github.com/gravitational/trace"
 )
 
+// DatabaseConfig is the config for a database access request.
+type DatabaseConfig struct {
+	// Service is the service name of the Teleport database. Generally this is
+	// the name of the Teleport resource.
+	Service string `yaml:"service,omitempty"`
+
+	// Database is the name of the database to request access to.
+	Database string `yaml:"database,omitempty"`
+
+	// Username is the database username to request access as.
+	Username string `yaml:"username,omitempty"`
+}
+
+func (dc *DatabaseConfig) CheckAndSetDefaults() error {
+	if dc.Service == "" {
+		return trace.BadParameter("database `service` field must specify a database service name")
+	}
+
+	// Note: tsh has special checks for MongoDB and Redis. We don't know the
+	// protocol at this point so we'll need to defer those checks.
+
+	return nil
+}
+
 // DestinationConfig configures a user certificate destination.
 type DestinationConfig struct {
 	DestinationMixin `yaml:",inline"`
 
 	Roles   []string                `yaml:"roles,omitempty"`
 	Kinds   []identity.ArtifactKind `yaml:"kinds,omitempty"`
 	Configs []TemplateConfig        `yaml:"configs,omitempty"`
+
+	Database *DatabaseConfig `yaml:"database,omitempty"`
 }
 
 // destinationDefaults applies defaults for an output sink's destination. Since
@@ -42,6 +68,12 @@ func (dc *DestinationConfig) CheckAndSetDefaults() error {
 		return trace.Wrap(err)
 	}
 
+	if dc.Database != nil {
+		if err := dc.Database.CheckAndSetDefaults(); err != nil {
+			return trace.Wrap(err)
+		}
+	}
+
 	// Note: empty roles is allowed; interpreted to mean "all" at generation
 	// time