feat(dm): add TLS support for TiDB Cloud in source config

- Extend source.yaml to include empty TLS security fields by default
- Detect TiDB Cloud host in init script to enable TLS configuration
- Download Let’s Encrypt root CA cert for TiDB Cloud connections
- Generate source.yaml with ssl-ca path when connecting to TiDB Cloud
- Use plain source.yaml config for non-TiDB Cloud hosts
- Ensure DM source configuration creation tolerates errors gracefully

configs/source.yaml

@@ -6,3 +6,7 @@ from:
   port: ${TEST_DB_PORT}
   user: "${TEST_DB_USER}"
   password: "${TEST_DB_PASSWORD}"
+  security:
+    ssl-ca: ""
+    ssl-cert: ""
+    ssl-key: ""

scripts/init-dm.sh

@@ -4,13 +4,38 @@ set -e
 echo "Waiting for DM master to be ready..."
 sleep 5
 
-# Substitute environment variables in source.yaml
+# Check if it's TiDB Cloud (requires TLS)
-cat /configs/source.yaml | \
+if echo "$TEST_DB_HOST" | grep -q "tidbcloud.com"; then
-  sed "s/\${TEST_DB_HOST}/$TEST_DB_HOST/g" | \
+  echo "Detected TiDB Cloud - downloading CA certificate for TLS..."
-  sed "s/\${TEST_DB_PORT}/$TEST_DB_PORT/g" | \
+  wget -q -O /tmp/isrgrootx1.pem https://letsencrypt.org/certs/isrgrootx1.pem
-  sed "s/\${TEST_DB_USER}/$TEST_DB_USER/g" | \
+  
-  sed "s/\${TEST_DB_PASSWORD}/$TEST_DB_PASSWORD/g" \
+  # Generate source.yaml with TLS for TiDB Cloud
-  > /tmp/source.yaml
+  cat > /tmp/source.yaml <<EOF
+source-id: "test-tidb"
+enable-gtid: false
+enable-relay: false
+server-id: 101
+from:
+  host: "$TEST_DB_HOST"
+  port: $TEST_DB_PORT
+  user: "$TEST_DB_USER"
+  password: "$TEST_DB_PASSWORD"
+  security:
+    ssl-ca: "/tmp/isrgrootx1.pem"
+EOF
+else
+  # Generate source.yaml without TLS for regular TiDB
+  cat > /tmp/source.yaml <<EOF
+source-id: "test-tidb"
+enable-gtid: false
+enable-relay: false
+from:
+  host: "$TEST_DB_HOST"
+  port: $TEST_DB_PORT
+  user: "$TEST_DB_USER"
+  password: "$TEST_DB_PASSWORD"
+EOF
+fi
 
 echo "Creating DM source configuration..."
 /dmctl --master-addr=dm-master:8261 operate-source create /tmp/source.yaml || true