feat(dm): add TLS support for TiDB Cloud in source config

- Extend source.yaml to include empty TLS security fields by default - Detect TiDB Cloud host in init script to enable TLS configuration - Download Let’s Encrypt root CA cert for TiDB Cloud connections - Generate source.yaml with ssl-ca path when connecting to TiDB Cloud - Use plain source.yaml config for non-TiDB Cloud hosts - Ensure DM source configuration creation tolerates errors gracefully
2025-10-16 23:45:49 +08:00 · 2025-10-16 23:45:49 +08:00 · 8908dd34b7
parent 1938d26462
commit 8908dd34b7
2 changed files with 37 additions and 8 deletions
--- a/configs/source.yaml
+++ b/configs/source.yaml
@ -5,4 +5,8 @@ from:
  host: "${TEST_DB_HOST}"
  port: ${TEST_DB_PORT}
  user: "${TEST_DB_USER}"
-  password: "${TEST_DB_PASSWORD}"
+  password: "${TEST_DB_PASSWORD}"
+  security:
+    ssl-ca: ""
+    ssl-cert: ""
+    ssl-key: ""
--- a/scripts/init-dm.sh
+++ b/scripts/init-dm.sh
@ -4,13 +4,38 @@ set -e
 echo "Waiting for DM master to be ready..."
 sleep 5

-# Substitute environment variables in source.yaml
-cat /configs/source.yaml | \
-  sed "s/\${TEST_DB_HOST}/$TEST_DB_HOST/g" | \
-  sed "s/\${TEST_DB_PORT}/$TEST_DB_PORT/g" | \
-  sed "s/\${TEST_DB_USER}/$TEST_DB_USER/g" | \
-  sed "s/\${TEST_DB_PASSWORD}/$TEST_DB_PASSWORD/g" \
-  > /tmp/source.yaml
+# Check if it's TiDB Cloud (requires TLS)
+if echo "$TEST_DB_HOST" | grep -q "tidbcloud.com"; then
+  echo "Detected TiDB Cloud - downloading CA certificate for TLS..."
+  wget -q -O /tmp/isrgrootx1.pem https://letsencrypt.org/certs/isrgrootx1.pem
+  
+  # Generate source.yaml with TLS for TiDB Cloud
+  cat > /tmp/source.yaml <<EOF
+source-id: "test-tidb"
+enable-gtid: false
+enable-relay: false
+server-id: 101
+from:
+  host: "$TEST_DB_HOST"
+  port: $TEST_DB_PORT
+  user: "$TEST_DB_USER"
+  password: "$TEST_DB_PASSWORD"
+  security:
+    ssl-ca: "/tmp/isrgrootx1.pem"
+EOF
+else
+  # Generate source.yaml without TLS for regular TiDB
+  cat > /tmp/source.yaml <<EOF
+source-id: "test-tidb"
+enable-gtid: false
+enable-relay: false
+from:
+  host: "$TEST_DB_HOST"
+  port: $TEST_DB_PORT
+  user: "$TEST_DB_USER"
+  password: "$TEST_DB_PASSWORD"
+EOF
+fi

 echo "Creating DM source configuration..."
 /dmctl --master-addr=dm-master:8261 operate-source create /tmp/source.yaml || true