Support Elasticache Redis databases with encryption in transit disabled #51063

Open
miskr-instructure opened this issue Jan 15, 2025 · 0 comments
Labels
feature-request Used for new features in Teleport, improvements to current should be #enhancements


What would you like Teleport to do?

It should be possible to configure the Teleport agent to connect to Elasticache Redis endpoints that have no username and have Encryption in Transit disabled.

Suggestion: add something like databases.*.tls.mode = disabled to the configuration to indicate TLS should not be used at all.

What problem does this solve?

Elasticache Redis endpoints with TLS disabled cannot be reached via Teleport.

Currently, attempting to connect to such a Redis instance results in

localhost:55656> INFO server
ERR Teleport: tls: first record does not look like a TLS handshake
(0.63s)

If a workaround exists, please include it.

Reprovision your infra to accommodate Teleport by

  • enabling Encryption in Transit
  • upgrading to Redis 7 and/or enabling user ACLs

...but

  • these changes would require downtime and risks, difficult to swallow on production environments that work perfectly fine
  • Teleport should be adapting to the existing infra instead of making the infra adapt to it
  • there is no critical reason to enable those Elasticache features in a secure private network with no public access
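
The error quoted in the issue is the message Go's crypto/tls returns when the first bytes read from the peer are not a TLS handshake or alert record, which is how a plaintext Redis reply looks to a TLS client. As an added example (not part of the original issue and not Teleport's code), this Go program classifies a server's first reply bytes as TLS or plaintext RESP; the function names and the sample bytes are constructed for illustration.

```go
package main

import "fmt"

// Kind is the protocol guessed from the first bytes a server sends back.
type Kind string

const (
	KindTLS     Kind = "tls"
	KindRESP    Kind = "plaintext-resp"
	KindUnknown Kind = "unknown"
	KindShort   Kind = "too-short"
)

// looksLikeTLSFirstRecord approximates the test Go's crypto/tls applies to the
// first 5-byte record header: content type must be alert (21) or handshake
// (22), and the legacy version field must be below 0x1000.
func looksLikeTLSFirstRecord(hdr []byte) bool {
	if len(hdr) < 5 {
		return false
	}
	typ := hdr[0]
	vers := uint16(hdr[1])<<8 | uint16(hdr[2])
	return (typ == 21 || typ == 22) && vers < 0x1000
}

// Classify guesses what the peer is speaking from its first reply bytes.
func Classify(first []byte) Kind {
	if len(first) < 5 {
		return KindShort
	}
	if looksLikeTLSFirstRecord(first) {
		return KindTLS
	}
	switch first[0] {
	case '+', '-', ':', '$', '*': // RESP2 reply type markers
		return KindRESP
	}
	return KindUnknown
}

func main() {
	// Constructed samples, not captured traffic.
	tlsReply := []byte{0x16, 0x03, 0x03, 0x00, 0x7a}
	respReply := []byte("-ERR unknown command\r\n")
	fmt.Println(Classify(tlsReply), Classify(respReply))
}
```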