fix: Set the universe domain when using an impersonation chain.

This change ensures that the universe domain configuration is correctly passed when setting up an impersonation chain for credentials.

It also introduces internal test infrastructure to mock `impersonate.CredentialsTokenSource` and adds a unit test `TestCredentialsOpt` to verify this behavior.

Author: hessjcg

internal/proxy/proxy.go

@@ -15,8 +15,15 @@
 package proxy
 
 import (
+	"cloud.google.com/go/cloudsqlconn"
 	"context"
 	"fmt"
+	"github.com/GoogleCloudPlatform/cloud-sql-proxy/v2/cloudsql"
+	"github.com/GoogleCloudPlatform/cloud-sql-proxy/v2/internal/gcloud"
+	"golang.org/x/oauth2"
+	"google.golang.org/api/impersonate"
+	"google.golang.org/api/option"
+	"google.golang.org/api/sqladmin/v1"
 	"io"
 	"net"
 	"os"
@@ -26,14 +33,6 @@ import (
 	"sync"
 	"sync/atomic"
 	"time"
-
-	"cloud.google.com/go/cloudsqlconn"
-	"github.com/GoogleCloudPlatform/cloud-sql-proxy/v2/cloudsql"
-	"github.com/GoogleCloudPlatform/cloud-sql-proxy/v2/internal/gcloud"
-	"golang.org/x/oauth2"
-	"google.golang.org/api/impersonate"
-	"google.golang.org/api/option"
-	"google.golang.org/api/sqladmin/v1"
 )
 
 var (
@@ -342,6 +341,9 @@ func credentialsOpt(c Config, l cloudsql.Logger) (cloudsqlconn.Option, error) {
 	// credentials token source.
 	if c.ImpersonationChain != "" {
 		var iopts []option.ClientOption
+		if c.UniverseDomain != "" {
+			iopts = append(iopts, option.WithUniverseDomain(c.UniverseDomain))
+		}
 		switch {
 		case c.Token != "":
 			l.Infof("Impersonating service account with OAuth2 token")