[v9] Allow users to request database certificates in Machine ID (#11904) #12195

Merged: 2 commits, May 4, 2022

Conversation

timothyb89 (Contributor)

Backport of #11904 for branch/v9


* Allow users to request database certificates in Machine ID

This adds a new destination-level config option to `tbot.yaml` that
allows users to request database access for a particular destination
certificate. Behind the scenes, this generates two
impersonated certs: the first identity is generated to request the
specified roles and resolve the database config, then is replaced
with a new identity using those roles plus a fully-formed
`RouteToDatabase` request.

Database requests are made by adding a destination entry like the
following to `tbot.yaml`:
```yaml
destinations:
  - directory: /foo/bar

    database:
      service: <teleport database name>
      username: <database username>
      database: <database name>

    # The certs won't be very useful without TLS
    kinds: [tls]
```

We currently don't support proxying or generating db-specific config
files. See #11596 for an `identityfile` implementation that can help.
Additionally, we don't currently have a `tsh proxy` equivalent, so the
legacy MySQL handlers need to be enabled, which is not the case by
default in Teleport 9. However, that same PR can export a
tsh-compatible identity file for the database identity which can be
passed along to `tsh -i ...` and presumably used with its proxy
commands. We plan to follow up with another PR to improve this UX.

* Try to fix flaky test

* Address review feedback

* Update tool/tbot/renew.go

Co-authored-by: Roman Tkachenko <roman@goteleport.com>

* Add special username checks for MongoDB and Redis

Co-authored-by: Roman Tkachenko <roman@goteleport.com>
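As an added illustration, not code from this PR or from Teleport's tbot, the following Go program models the destination entry shown above and the two-stage identity request the description outlines. The `Destination`, `DatabaseConfig`, `RouteToDatabase` and `IdentityRequest` types, the `Validate` method and `PlanRequests` are assumptions for this example and are not tbot's real types or API; the sample destinations in `main` are constructed inline. It encodes two checks a practitioner would want before relying on such a destination: the `database` block must name a service and username, and `kinds` must include `tls`, since the database certificate is only useful over TLS.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// DatabaseConfig mirrors the `database:` block of a tbot.yaml destination
// from the PR description; field names follow the YAML keys.
type DatabaseConfig struct {
	Service  string // Teleport database resource name (`service`)
	Username string // database-level username (`username`)
	Database string // database name (`database`); left optional here (assumption)
}

// Destination is a simplified model of one `destinations:` entry.
// It is an assumption for this example, not tbot's own config type.
type Destination struct {
	Directory string
	Database  *DatabaseConfig
	Kinds     []string // certificate kinds to write, e.g. "ssh", "tls"
}

// RouteToDatabase stands in for the routing data carried by the second,
// database-scoped certificate. Field names are assumed for this example.
type RouteToDatabase struct {
	ServiceName string
	Username    string
	Database    string
}

// IdentityRequest models one impersonated-certificate request.
type IdentityRequest struct {
	Roles []string
	Route *RouteToDatabase // nil for the first, role-only request
}

// hasKind reports whether kinds contains want (case-insensitive).
func hasKind(kinds []string, want string) bool {
	for _, k := range kinds {
		if strings.EqualFold(strings.TrimSpace(k), want) {
			return true
		}
	}
	return false
}

// Validate rejects a destination whose database block could not yield a
// usable certificate: missing service or username, or no TLS output.
func (d Destination) Validate() error {
	if d.Database == nil {
		return nil // plain destination, nothing database-specific to check
	}
	var problems []string
	if strings.TrimSpace(d.Database.Service) == "" {
		problems = append(problems, "database.service is required")
	}
	if strings.TrimSpace(d.Database.Username) == "" {
		problems = append(problems, "database.username is required")
	}
	if !hasKind(d.Kinds, "tls") {
		problems = append(problems, `kinds must include "tls" for a database destination`)
	}
	if len(problems) > 0 {
		return errors.New(strings.Join(problems, "; "))
	}
	return nil
}

// PlanRequests lays out the requests described in the PR: a role-only
// identity first (used to resolve the database config), then, for a
// database destination, the same roles plus a fully formed RouteToDatabase.
func PlanRequests(d Destination, roles []string) ([]IdentityRequest, error) {
	if err := d.Validate(); err != nil {
		return nil, fmt.Errorf("destination %s: %w", d.Directory, err)
	}
	first := IdentityRequest{Roles: roles}
	if d.Database == nil {
		return []IdentityRequest{first}, nil
	}
	second := IdentityRequest{Roles: roles, Route: &RouteToDatabase{
		ServiceName: d.Database.Service,
		Username:    d.Database.Username,
		Database:    d.Database.Database,
	}}
	return []IdentityRequest{first, second}, nil
}

func main() {
	// Constructed sample destinations standing in for parsed tbot.yaml entries.
	dests := []Destination{
		{Directory: "/foo/bar", Database: &DatabaseConfig{Service: "pg-prod", Username: "app_ro", Database: "app"}, Kinds: []string{"tls"}},
		{Directory: "/foo/baz", Database: &DatabaseConfig{Service: "pg-prod", Username: "app_ro"}, Kinds: []string{"ssh"}},
	}
	for _, d := range dests {
		reqs, err := PlanRequests(d, []string{"db-access"})
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Printf("%s: %d request(s), final route=%+v\n", d.Directory, len(reqs), *reqs[len(reqs)-1].Route)
	}
}
```

The second sample destination is rejected because it only writes `ssh` certificates; the first produces the two requests in order, with the route present only on the second.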
github-actions bot requested review from jakule, r0mant and zmb3 on April 23, 2022 01:56
timothyb89 enabled auto-merge (squash) on May 4, 2022 18:06
timothyb89 merged commit 06d4b9b into branch/v9 on May 4, 2022
webvictim mentioned this pull request on Jun 8, 2022
zmb3 deleted the timothyb89/v9/machineid-database-certs branch on April 26, 2023 21:31