# fleet
m
I’m curious if anyone has been able to get FleetDM running in GCP with Cloud SQL using TLS or if there is documentation on how to set this up? I was able to get the client certificates and such provisioned, but I’m running into an issue on startup.
{
  "mysql": "could not connect to db: tls: failed to verify certificate: x509: cannot validate certificate for 10.100.0.2 because it doesn't contain any IP SANs, sleeping 9s",
  "ts": "2025-04-15T22:02:11.356279548Z"
}
I have the following environment variables set:
• `fleet_mysql_address` (set to private IP of Cloud SQL instance)
• `fleet_mysql_username`
• `fleet_mysql_password`
• `fleet_mysql_database`
• `fleet_mysql_tls_ca` (path to the Cloud SQL root CA)
• `fleet_mysql_tls_cert` (path to client public cert)
• `fleet_mysql_tls_key` (path to client private key)

I’ve attempted to set `fleet_mysql_tls_config` to several values, including `skip-verify` as well as the Cloud SQL connection name that is in the format of `<project id>:<region>:<sql instance name>`. I’ve also tried setting `fleet_mysql_address` to the connection name but received a DNS error.
{
  "mysql": "could not connect to db: dial tcp: lookup <project id>:<region>:<sql instance name>: no such host, sleeping 14s",
  "ts": "2025-04-15T21:45:37.961214916Z"
}
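The `x509: cannot validate certificate for 10.100.0.2 because it doesn't contain any IP SANs` message is Go's hostname check, not a chain or CA problem: the client dialed an IP address, so crypto/x509 looks for an IP SAN in the server certificate, finds none, and fails. Go's x509 has ignored the Subject Common Name for name matching since Go 1.15 (removed outright in 1.17), so a server certificate that names the instance only in its CN cannot pass the default check by IP or by DNS name. The added Go example below (not Fleet's code and not Google's) builds a throwaway CA and server certificate in-process, reproduces the IP-SAN failure, and then shows the defensible alternative to `skip-verify`: validate the chain against the private CA and pin the expected CN explicitly through `tls.Config.VerifyPeerCertificate`, the pattern Google's Cloud SQL connectors use for CN-only server certificates. The CN `my-project:my-instance` and the address `10.100.0.2` are constructed values; whether your instance's certificate is CN-only is an assumption to check, for example with `openssl s_client -starttls mysql -connect <private ip>:3306 -showcerts` and `openssl x509 -noout -subject -ext subjectAltName` on the leaf it prints.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// MakeCertPair builds a throwaway CA plus a server cert it issued with Subject CN = cn
// and only the given IP SANs (nil: a CN-only cert). Constructed in-process; not Cloud SQL's.
func MakeCertPair(cn string, ipSANs []net.IP) (*x509.CertPool, *x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: ipSANs, // no DNS SANs either: only the CN names the server
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	srvCert, err := x509.ParseCertificate(srvDER)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, srvCert, nil
}

// VerifyByHost is the default client check: chain to a trusted root, then match the dialed host against the SANs.
func VerifyByHost(roots *x509.CertPool, leaf *x509.Certificate, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// IsIPSANError reports whether err is the thread's failure: an IP was dialed but the cert has no IP SAN.
func IsIPSANError(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he) && net.ParseIP(he.Host) != nil && len(he.Certificate.IPAddresses) == 0
}

// VerifyByCN validates the chain against roots with no hostname check, then pins
// the Subject CN. Assumes the leaf is issued directly by a CA in roots.
func VerifyByCN(roots *x509.CertPool, leaf *x509.Certificate, wantCN string) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	if leaf.Subject.CommonName != wantCN {
		return fmt.Errorf("server certificate CN %q, expected %q", leaf.Subject.CommonName, wantCN)
	}
	return nil
}

// TLSConfigPinningCN wires VerifyByCN into a tls.Config. InsecureSkipVerify disables
// only the built-in check; the callback still authenticates the server against the CA.
func TLSConfigPinningCN(roots *x509.CertPool, wantCN string) *tls.Config {
	return &tls.Config{
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("server presented no certificate")
			}
			leaf, err := x509.ParseCertificate(rawCerts[0])
			if err != nil {
				return err
			}
			return VerifyByCN(roots, leaf, wantCN)
		},
	}
}
```

With go-sql-driver/mysql, a config like this is attached by calling `mysql.RegisterTLSConfig("cloudsql", cfg)` and using `tls=cloudsql` in the DSN; Fleet builds and registers its own config from `fleet_mysql_tls_ca`, `fleet_mysql_tls_cert` and `fleet_mysql_tls_key`, so this is a model of what a working configuration has to check rather than a drop-in for Fleet. The security difference from `skip-verify` is the whole point: `skip-verify` accepts any certificate from anything that answers on the private IP, while the callback still rejects a certificate that does not chain to the downloaded server CA or whose CN names a different instance. If the instance's certificate does carry a matching SAN, the plain default check with the right server name is simpler and preferable.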
m
Hi @mdtro, our documentation for reference architecture and running Fleet on GCP is located here.
Please take a look through and let me know if you run into any issues.
m
Ah yes, this reference architecture was very helpful. 🙂 It unfortunately does not configure connections to Cloud SQL using TLS, just over the unencrypted protocol.
I guess Cloud SQL Proxy actually forces TLS. 🤔
m
Glad to hear!
m
Is FleetDM actually using that Cloud SQL Proxy though? I would expect some configuration around using a GCP service account and IAM to do so.
m
As far as I know the answer is yes for any public connection.