Until we have kerberos support, usage of the pg transport will likely need to be secure to prevent plain-text username/password being sent unencrypted.
It should also be a general option to enable secure transports from our ui. External exposure is covered in TEIIDSB-86.
We should use the private key from either based upon a self-signed certificate or using service signing certificates. I'll provide an example demonstrating one of those approaches.