Help setting up a Postgres DB on an existing teleport node

[GauthierPLM]

When setting up my Teleport cluster, I started by adding nodes I want to have access to via SSH. It works pretty well and while I don't yet fully understand how to properly setup access rights, I am able to use tsh to connect to all nodes.

Now, 2 of my nodes have a Postgres DB running in a docker container. I tried to follow the doc, but as mentioned in #37701, it's not as simple as it seems.

What I have done so far

1. Generated a new join token and granted it both node and db roles.
2. Edited /etc/teleport.yaml on my node to add the new token in teleport.join_params.token and to add the following config:

version: v3
# ...
db_service:
  enabled: yes
  resources:
  - labels:
      environment: pre-production
      database: postgres
  databases:
  - name: "platform-preproduction-db"
    protocol: "postgres"
    uri: "localhost:5432"

3. Edited my user to add the traits db_names=* and db_users=*.
4. Restarted the teleport service on my node -> the DB now appears in my resources list.

With this setup, no authentication has been setup yet, so naturally I get an error Access to db denied. User does not have permissions. Confirm database user and name. when trying to connect.

Questions

1. The documentaton instructs to grant impersonation right and to generate a certificate. (I'll go with using Teleport CA)

How can I grant impersonation rights?
When generating the certificate, can I use localhost as host (instead of a domain)? I assume yes, but prefer to double check since it's never mentioned.

2. Is my database config enough or do I need to edit it after generating and installing the certifiate?

Thank you for reading me and I hope you'll be able to help! 🙏