From be451eeaa60b284f6f644cec1ce9f4546eabdf45 Mon Sep 17 00:00:00 2001
From: Jonathan Hess
Date: Fri, 13 Dec 2024 13:37:31 -0700
Subject: [PATCH] feat: Customer Certificate Authority support
---
 dialer.go | 2 +-
 internal/cloudsql/instance.go | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/dialer.go b/dialer.go
index ba380eed..269c9a15 100644
--- a/dialer.go
+++ b/dialer.go
@@ -394,7 +394,7 @@ func (d *Dialer) Dial(ctx context.Context, icn string, opts ...DialOption) (conn
 }()
 iConn := newInstrumentedConn(tlsConn, func() {
- n := atomic.AddUint64(c.openConnsCount, ^uint64(0))
+ n := atomic.AddUint64(c.openConnsCount, ^uint64(0)) // c.openConnsCount = c.openConnsCount - 1
 trace.RecordOpenConnections(context.Background(), int64(n), d.dialerID, cn.String())
 }, d.dialerID, cn.String())
diff --git a/internal/cloudsql/instance.go b/internal/cloudsql/instance.go
index bc25e672..e3ced10e 100644
--- a/internal/cloudsql/instance.go
+++ b/internal/cloudsql/instance.go
@@ -241,7 +241,8 @@ func (c ConnectionInfo) TLSConfig() *tls.Config {
 for _, caCert := range c.ServerCACert {
 pool.AddCert(caCert)
 }
- if c.ServerCAMode == "GOOGLE_MANAGED_CAS_CA" {
+ if c.ServerCAMode == "GOOGLE_MANAGED_CAS_CA" ||
+ c.ServerCAMode == "CUSTOMER_MANAGED_CAS_CA" {
 // For CAS instances, we can rely on the DNS name to verify the server identity.
 return &tls.Config{
 ServerName: c.DNSName,
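Review bot: The comment added on the `atomic.AddUint64` line in dialer.go reads as a plain assignment, `c.openConnsCount = c.openConnsCount - 1`, while the call is an atomic decrement through a pointer. A wording such as `// atomically decrement: adding ^uint64(0) subtracts 1` explains the constant without suggesting a non-atomic read-modify-write. The edit is also unrelated to the commit subject, so it may be better sent on its own. The closure and Dial itself continue outside the hunk.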
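Review bot: The widened condition in TLSConfig selects DNS-name verification for a second mode through another raw string literal, and nothing in the hunk checks that `c.DNSName` is non-empty before it becomes `ServerName`. With a customer-managed CA the server-identity decision rests on the certificates in `c.ServerCACert` plus that name, so an instance reporting this mode without a DNS name should be handled explicitly rather than yielding a config with an empty `ServerName`; the rest of the function is outside the hunk, so where that check belongs cannot be judged from here. I would also name both modes as constants, e.g. `const serverCAModeCustomerCAS = "CUSTOMER_MANAGED_CAS_CA"`, so a typo cannot silently send an instance to whatever code follows this `if`. The diffstat lists only dialer.go and instance.go, so the new branch appears to land without a test covering the customer-managed mode.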