From 8908dd34b7066134a55ea3284842e9f21493509d Mon Sep 17 00:00:00 2001
From: tigermren
Date: Thu, 16 Oct 2025 23:45:49 +0800
Subject: [PATCH] feat(dm): add TLS support for TiDB Cloud in source config
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Extend source.yaml to include empty TLS security fields by default
- Detect TiDB Cloud host in init script to enable TLS configuration
- Download Let’s Encrypt root CA cert for TiDB Cloud connections
- Generate source.yaml with ssl-ca path when connecting to TiDB Cloud
- Use plain source.yaml config for non-TiDB Cloud hosts
- Ensure DM source configuration creation tolerates errors gracefully
---
 configs/source.yaml | 6 +++++-
 scripts/init-dm.sh | 39 ++++++++++++++++++++++++++++++++-------
 2 files changed, 37 insertions(+), 8 deletions(-)
diff --git a/configs/source.yaml b/configs/source.yaml
index 6d42c31..1f1e58d 100644
--- a/configs/source.yaml
+++ b/configs/source.yaml
@@ -5,4 +5,8 @@ from:
 host: "${TEST_DB_HOST}"
 port: ${TEST_DB_PORT}
 user: "${TEST_DB_USER}"
- password: "${TEST_DB_PASSWORD}"
\ No newline at end of file
+ password: "${TEST_DB_PASSWORD}"
+ security:
+ ssl-ca: ""
+ ssl-cert: ""
+ ssl-key: ""
\ No newline at end of file
diff --git a/scripts/init-dm.sh b/scripts/init-dm.sh
index 31d0c05..1f2bdb1 100755
--- a/scripts/init-dm.sh
+++ b/scripts/init-dm.sh
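Review bot: The `security:` block added to configs/source.yaml hard-codes empty strings, while every other field under `from:` is a `${TEST_DB_*}` placeholder, so the template cannot express a TLS-enabled source. The commit description says scripts/init-dm.sh generates a separate source.yaml for TiDB Cloud, which leaves two copies of the source definition that can drift. Any host that falls through to the template presumably connects without server-certificate verification, since `ssl-ca: ""` is empty. Consider making the CA path a placeholder like the other fields, e.g. `ssl-ca: "${TEST_DB_SSL_CA}"` (variable name illustrative), or at least add a comment above the block such as `# empty values mean no TLS; init-dm.sh writes a TLS variant for TiDB Cloud hosts`. The file also still ends without a trailing newline.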
@@ -4,13 +4,38 @@ set -e echo "Waiting for DM master to be ready..." sleep 5 -# Substitute environment variables in source.yaml -cat /configs/source.yaml | \ - sed "s/\${TEST_DB_HOST}/$TEST_DB_HOST/g" | \ - sed "s/\${TEST_DB_PORT}/$TEST_DB_PORT/g" | \ - sed "s/\${TEST_DB_USER}/$TEST_DB_USER/g" | \ - sed "s/\${TEST_DB_PASSWORD}/$TEST_DB_PASSWORD/g" \ - > /tmp/source.yaml +# Check if it's TiDB Cloud (requires TLS) +if echo "$TEST_DB_HOST" | grep -q "tidbcloud.com"; then + echo "Detected TiDB Cloud - downloading CA certificate for TLS..." + wget -q -O /tmp/isrgrootx1.pem https://letsencrypt.org/certs/isrgrootx1.pem + + # Generate source.yaml with TLS for TiDB Cloud + cat > /tmp/source.yaml < /tmp/source.yaml <