feat: Custom SAN Support (#902)

The DNS Resolver should return a ConnName with the resolved instance name and the DNS name. This will ensure that the cache key is correct, and it will allow the TLS connections to use the domain name to validate the TLS server certificate.
GoogleCloudPlatform · Jan 6, 2025 · 9339d75 · 9339d75
1 parent 12c1618
commit 9339d75
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/internal/cloudsql/resolver.go b/internal/cloudsql/resolver.go
@@ -105,7 +105,7 @@ func (r *DNSInstanceConnectionNameResolver) queryDNS(ctx context.Context, domain
 	// Attempt to parse records, returning the first valid record.
 	for _, record := range records {
 		// Parse the target as a CN
-		cn, parseErr := instance.ParseConnName(record)
+		cn, parseErr := instance.ParseConnNameWithDomainName(record, domainName)
 		if parseErr != nil {
 			perr = fmt.Errorf("unable to parse TXT for %q -> %q : %v", domainName, record, parseErr)
 			continue

diff --git a/internal/cloudsql/resolver_test.go b/internal/cloudsql/resolver_test.go
@@ -36,7 +36,7 @@ func (r *fakeResolver) LookupTXT(_ context.Context, name string) (addrs []string
 }
 
 func TestDNSInstanceNameResolver_Lookup_Success_TxtRecord(t *testing.T) {
-	want, _ := instance.ParseConnName("my-project:my-region:my-instance")
+	want, _ := instance.ParseConnNameWithDomainName("my-project:my-region:my-instance", "db.example.com")
 
 	r := DNSInstanceConnectionNameResolver{
 		dnsResolver: &fakeResolver{