fix wget issue

Signed-off-by: liubo02 <liubo02@pingcap.com>

Author: liubog2008

pkg/manager/member/startscript/v1/render_script.go

@@ -187,9 +187,10 @@ func RenderTiCDCStartScript(tc *v1alpha1.TidbCluster) (string, error) {
 	var script string
 	serverCmd := strings.Join(cmdArgs, " ")
 
-	wgetDiscoveryPrefix := "http"
+	discoveryFetchPrefix := "wget -qO- -T 3 http"
 	if tc.IsDiscoveryMTLSEnabled() {
-		wgetDiscoveryPrefix = "--ca-certificate=/var/lib/ticdc-tls/ca.crt --certificate=/var/lib/ticdc-tls/tls.crt --private-key=/var/lib/ticdc-tls/tls.key https"
+		// Use curl for discovery mTLS because wget in the runtime image does not reliably present the client cert.
+		discoveryFetchPrefix = "curl -sS --fail --max-time 3 --cacert /var/lib/ticdc-tls/ca.crt --cert /var/lib/ticdc-tls/tls.crt --key /var/lib/ticdc-tls/tls.key https"
 	}
 
 	if changefeedInfo.Enabled {
@@ -234,13 +235,13 @@ wait ${CDC_PID}
 pd_url="%s"
 encoded_domain_url=$(echo $pd_url | base64 | tr "\n" " " | sed "s/ //g")
 discovery_url="%s-discovery.${NAMESPACE}:10261"
-until result=$(wget -qO- -T 3 %s://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null); do
+until result=$(%s://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null); do
 echo "waiting for the verification of PD endpoints ..."
 sleep 2
 done
 `
 
-			script += fmt.Sprintf(str, pdAddr, tc.GetName(), wgetDiscoveryPrefix)
+			script += fmt.Sprintf(str, pdAddr, tc.GetName(), discoveryFetchPrefix)
 			script += "\n" + changefeedScript
 		} else {
 			script = "set -uo pipefail\n" + changefeedScript
@@ -258,13 +259,13 @@ done
 pd_url="%s"
 encoded_domain_url=$(echo $pd_url | base64 | tr "\n" " " | sed "s/ //g")
 discovery_url="%s-discovery.${NAMESPACE}:10261"
-until result=$(wget -qO- -T 3 %s://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null); do
+until result=$(%s://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null); do
 echo "waiting for the verification of PD endpoints ..."
 sleep 2
 done
 `
 
-		script += fmt.Sprintf(str, pdAddr, tc.GetName(), wgetDiscoveryPrefix)
+		script += fmt.Sprintf(str, pdAddr, tc.GetName(), discoveryFetchPrefix)
 		script += "\n" + strings.Join(append([]string{"exec"}, cmdArgs...), " ")
 	} else {
 		script = serverCmd
@@ -435,15 +436,16 @@ func RenderTiFlashInitScript(tc *v1alpha1.TidbCluster) (string, error) {
 		} else {
 			pdAddr = fmt.Sprintf("http://%s-pd:%d", tcName, v1alpha1.DefaultPDClientPort)
 		}
-		wgetDiscoveryPrefix := "http"
+		discoveryFetchPrefix := "wget -qO- -T 3 http"
 		if tc.IsDiscoveryMTLSEnabled() {
-			wgetDiscoveryPrefix = "--ca-certificate=/var/lib/tiflash-tls/ca.crt --certificate=/var/lib/tiflash-tls/tls.crt --private-key=/var/lib/tiflash-tls/tls.key https"
+			// Use curl for discovery mTLS because wget in the runtime image does not reliably present the client cert.
+			discoveryFetchPrefix = "curl -sS --fail --max-time 3 --cacert /var/lib/tiflash-tls/ca.crt --cert /var/lib/tiflash-tls/tls.crt --key /var/lib/tiflash-tls/tls.key https"
 		}
 		str := `pd_url="%s"
 set +e
 encoded_domain_url=$(echo $pd_url | base64 | tr "\n" " " | sed "s/ //g")
 discovery_url="%s-discovery.%s:10261"
-until result=$(wget -qO- -T 3 %s://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null | sed 's/http:\/\///g' | sed 's/https:\/\///g'); do
+until result=$(%s://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null | sed 's/http:\/\///g' | sed 's/https:\/\///g'); do
 echo "waiting for the verification of PD endpoints ..."
 sleep 2
 done
@@ -453,7 +455,7 @@ sed -i s/PD_ADDR/${result}/g /data0/config.toml
 sed -i s/PD_ADDR/${result}/g /data0/proxy.toml
 `
 		script += "\n"
-		script += fmt.Sprintf(str, pdAddr, tc.GetName(), tc.GetNamespace(), wgetDiscoveryPrefix)
+		script += fmt.Sprintf(str, pdAddr, tc.GetName(), tc.GetNamespace(), discoveryFetchPrefix)
 	}
 
 	return script, nil

pkg/manager/member/startscript/v1/template.go

@@ -68,7 +68,7 @@ POD_NAME=${POD_NAME:-$HOSTNAME}{{ if .AcrossK8s }}
 pd_url="{{ .Path }}"
 encoded_domain_url=$(echo $pd_url | base64 | tr "\n" " " | sed "s/ //g")
 discovery_url="${CLUSTER_NAME}-discovery.${NAMESPACE}:10261"
-until result=$(wget -qO- -T 3 {{ if .DiscoveryMTLS }}--ca-certificate={{ .ClusterCertPath }}/ca.crt --certificate={{ .ClusterCertPath }}/tls.crt --private-key={{ .ClusterCertPath }}/tls.key https{{ else }}http{{ end }}://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null | sed 's/http:\/\///g'); do
+until result=$({{ if .DiscoveryMTLS }}curl -sS --fail --max-time 3 --cacert {{ .ClusterCertPath }}/ca.crt --cert {{ .ClusterCertPath }}/tls.crt --key {{ .ClusterCertPath }}/tls.key https{{ else }}wget -qO- -T 3 http{{ end }}://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null | sed 's/http:\/\///g'); do
 echo "waiting for the verification of PD endpoints ..."
 sleep $((RANDOM % 5))
 done
@@ -205,7 +205,7 @@ join=${join%,}
 ARGS="${ARGS} --join=${join}"
 elif [[ ! -d {{ .DataDir }}/member/wal ]]
 then
-until result=$(wget -qO- -T 3 {{ if .DiscoveryMTLS }}--ca-certificate={{ .ClusterCertPath }}/ca.crt --certificate={{ .ClusterCertPath }}/tls.crt --private-key={{ .ClusterCertPath }}/tls.key https{{ else }}http{{ end }}://${discovery_url}/new/${encoded_domain_url} 2>/dev/null); do
+until result=$({{ if .DiscoveryMTLS }}curl -sS --fail --max-time 3 --cacert {{ .ClusterCertPath }}/ca.crt --cert {{ .ClusterCertPath }}/tls.crt --key {{ .ClusterCertPath }}/tls.key https{{ else }}wget -qO- -T 3 http{{ end }}://${discovery_url}/new/${encoded_domain_url} 2>/dev/null); do
 echo "waiting for discovery service to return start args ..."
 sleep $((RANDOM % 5))
 done
@@ -292,7 +292,7 @@ pd_url="{{ .PDAddress }}"
 encoded_domain_url=$(echo $pd_url | base64 | tr "\n" " " | sed "s/ //g")
 discovery_url="${CLUSTER_NAME}-discovery.${NAMESPACE}:10261"
 
-until result=$(wget -qO- -T 3 {{ if .DiscoveryMTLS }}--ca-certificate={{ .ClusterCertPath }}/ca.crt --certificate={{ .ClusterCertPath }}/tls.crt --private-key={{ .ClusterCertPath }}/tls.key https{{ else }}http{{ end }}://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null); do
+until result=$({{ if .DiscoveryMTLS }}curl -sS --fail --max-time 3 --cacert {{ .ClusterCertPath }}/ca.crt --cert {{ .ClusterCertPath }}/tls.crt --key {{ .ClusterCertPath }}/tls.key https{{ else }}wget -qO- -T 3 http{{ end }}://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null); do
 echo "waiting for the verification of PD endpoints ..."
 sleep $((RANDOM % 5))
 done
@@ -351,7 +351,7 @@ var pumpStartScriptTplText = `{{ if .AcrossK8s }}
 pd_url="{{ .PDAddr }}"
 encoded_domain_url=$(echo $pd_url | base64 | tr "\n" " " | sed "s/ //g")
 discovery_url="{{ .ClusterName }}-discovery.{{ .Namespace }}:10261"
-until result=$(wget -qO- -T 3 {{ if .DiscoveryMTLS }}--ca-certificate={{ .ClusterCertPath }}/ca.crt --certificate={{ .ClusterCertPath }}/tls.crt --private-key={{ .ClusterCertPath }}/tls.key https{{ else }}http{{ end }}://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null); do
+until result=$({{ if .DiscoveryMTLS }}curl -sS --fail --max-time 3 --cacert {{ .ClusterCertPath }}/ca.crt --cert {{ .ClusterCertPath }}/tls.crt --key {{ .ClusterCertPath }}/tls.key https{{ else }}wget -qO- -T 3 http{{ end }}://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null); do
 echo "waiting for the verification of PD endpoints ..."
 sleep $((RANDOM % 5))
 done
@@ -720,7 +720,7 @@ pd_url="{{ .PDAddress }}"
 encoded_domain_url=$(echo $pd_url | base64 | tr "\n" " " | sed "s/ //g")
 discovery_url="${CLUSTER_NAME}-discovery.${NAMESPACE}:10261"
 
-until result=$(wget -qO- -T 3 {{ if .DiscoveryMTLS }}--ca-certificate={{ .ClusterCertPath }}/ca.crt --certificate={{ .ClusterCertPath }}/tls.crt --private-key={{ .ClusterCertPath }}/tls.key https{{ else }}http{{ end }}://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null); do
+until result=$({{ if .DiscoveryMTLS }}curl -sS --fail --max-time 3 --cacert {{ .ClusterCertPath }}/ca.crt --cert {{ .ClusterCertPath }}/tls.crt --key {{ .ClusterCertPath }}/tls.key https{{ else }}wget -qO- -T 3 http{{ end }}://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null); do
 echo "waiting for the verification of PD endpoints ..."
 sleep $((RANDOM % 5))
 done

pkg/manager/member/startscript/v2/common.go

@@ -116,7 +116,8 @@ type AcrossK8sScriptModel struct {
 	PDAddr string
 
 	// DiscoveryMTLS indicates whether mTLS is enabled on the discovery server.
-	// When true, wget uses HTTPS with the component's own cluster certificate.
+	// When true, the startup script uses curl with the component's own cluster
+	// certificate because wget in the runtime image does not reliably present the client cert.
 	DiscoveryMTLS bool
 
 	// ClusterCertPath is the path to the component's own cluster TLS certificate directory.

pkg/manager/member/startscript/v2/pd_start_script.go

@@ -258,6 +258,13 @@ done
 `
 
 	// pdStartScript is the template of start script.
+	//
+	// Use curl for discovery mTLS because wget in the runtime image does not reliably present the client cert.
+	pdDiscoveryFetchPrefix = `{{ if .DiscoveryMTLS }}curl -sS --fail --max-time 3 --cacert {{ .ClusterCertPath }}/ca.crt --cert {{ .ClusterCertPath }}/tls.crt --key {{ .ClusterCertPath }}/tls.key https{{ else }}wget -qO- -T 3 http{{ end }}`
+
+	// Use curl for discovery mTLS because wget in the runtime image does not reliably present the client cert.
+	acrossK8sPDDiscoveryFetchPrefix = `{{ if .AcrossK8s.DiscoveryMTLS }}curl -sS --fail --max-time 3 --cacert {{ .AcrossK8s.ClusterCertPath }}/ca.crt --cert {{ .AcrossK8s.ClusterCertPath }}/tls.crt --key {{ .AcrossK8s.ClusterCertPath }}/tls.key https{{ else }}wget -qO- -T 3 http{{ end }}`
+
 	pdStartScript = `
 PD_POD_NAME=${POD_NAME:-$HOSTNAME}
 PD_DOMAIN={{ .PDDomain }}` +
@@ -282,7 +289,7 @@ if [[ -f {{ .DataDir }}/join ]]; then
 elif [[ ! -d {{ .DataDir }}/member/wal ]]; then
     encoded_domain_url=$(echo ${PD_DOMAIN}:2380 | base64 | tr "\n" " " | sed "s/ //g")
 
-    until result=$(wget -qO- -T 3 {{ if .DiscoveryMTLS }}--ca-certificate={{ .ClusterCertPath }}/ca.crt --certificate={{ .ClusterCertPath }}/tls.crt --private-key={{ .ClusterCertPath }}/tls.key https{{ else }}http{{ end }}://{{ .DiscoveryAddr }}/new/${encoded_domain_url} 2>/dev/null); do
+    until result=$(` + pdDiscoveryFetchPrefix + `://{{ .DiscoveryAddr }}/new/${encoded_domain_url} 2>/dev/null); do
         echo "waiting for discovery service to return start args ..."
         sleep $((RANDOM % 5))
     done
@@ -302,7 +309,7 @@ exec /pd-server ${ARGS}
 pd_url={{ .AcrossK8s.PDAddr }}
 encoded_domain_url=$(echo $pd_url | base64 | tr "\n" " " | sed "s/ //g")
 discovery_url={{ .AcrossK8s.DiscoveryAddr }}
-until result=$(wget -qO- -T 3 {{ if .AcrossK8s.DiscoveryMTLS }}--ca-certificate={{ .AcrossK8s.ClusterCertPath }}/ca.crt --certificate={{ .AcrossK8s.ClusterCertPath }}/tls.crt --private-key={{ .AcrossK8s.ClusterCertPath }}/tls.key https{{ else }}http{{ end }}://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null | sed 's/http:\/\///g'); do
+until result=$(` + acrossK8sPDDiscoveryFetchPrefix + `://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null | sed 's/http:\/\///g'); do
     echo "waiting for the verification of PD endpoints ..."
     sleep $((RANDOM % 5))
 done

pkg/manager/member/startscript/v2/pd_start_script_test.go

@@ -882,7 +882,7 @@ if [[ -f /var/lib/pd/join ]]; then
 elif [[ ! -d /var/lib/pd/member/wal ]]; then
     encoded_domain_url=$(echo ${PD_DOMAIN}:2380 | base64 | tr "\n" " " | sed "s/ //g")
 
-    until result=$(wget -qO- -T 3 --ca-certificate=/var/lib/pd-tls/ca.crt --certificate=/var/lib/pd-tls/tls.crt --private-key=/var/lib/pd-tls/tls.key https://start-script-test-discovery.start-script-test-ns:10261/new/${encoded_domain_url} 2>/dev/null); do
+    until result=$(curl -sS --fail --max-time 3 --cacert /var/lib/pd-tls/ca.crt --cert /var/lib/pd-tls/tls.crt --key /var/lib/pd-tls/tls.key https://start-script-test-discovery.start-script-test-ns:10261/new/${encoded_domain_url} 2>/dev/null); do
         echo "waiting for discovery service to return start args ..."
         sleep $((RANDOM % 5))
     done

pkg/manager/member/startscript/v2/pump_start_script.go

@@ -68,12 +68,16 @@ func RenderPumpStartScript(tc *v1alpha1.TidbCluster) (string, error) {
 
 const (
 	// pumpStartSubScript contains optional subscripts used in start script.
+	//
+	// Use curl for discovery mTLS because wget in the runtime image does not reliably present the client cert.
+	pumpAcrossK8sDiscoveryFetchPrefix = `{{ if .AcrossK8s.DiscoveryMTLS }}curl -sS --fail --max-time 3 --cacert {{ .AcrossK8s.ClusterCertPath }}/ca.crt --cert {{ .AcrossK8s.ClusterCertPath }}/tls.crt --key {{ .AcrossK8s.ClusterCertPath }}/tls.key https{{ else }}wget -qO- -T 3 http{{ end }}`
+
 	pumpStartSubScript = `
 {{ define "AcrossK8sSubscript" }}
 pd_url={{ .AcrossK8s.PDAddr }}
 encoded_domain_url=$(echo $pd_url | base64 | tr "\n" " " | sed "s/ //g")
 discovery_url={{ .AcrossK8s.DiscoveryAddr }}
-until result=$(wget -qO- -T 3 {{ if .AcrossK8s.DiscoveryMTLS }}--ca-certificate={{ .AcrossK8s.ClusterCertPath }}/ca.crt --certificate={{ .AcrossK8s.ClusterCertPath }}/tls.crt --private-key={{ .AcrossK8s.ClusterCertPath }}/tls.key https{{ else }}http{{ end }}://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null); do
+until result=$(` + pumpAcrossK8sDiscoveryFetchPrefix + `://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null); do
     echo "waiting for the verification of PD endpoints ..."
     sleep $((RANDOM % 5))
 done

pkg/manager/member/startscript/v2/pump_start_script_test.go

@@ -338,7 +338,7 @@ PUMP_POD_NAME=$HOSTNAME
 pd_url=https://start-script-test-pd:2379
 encoded_domain_url=$(echo $pd_url | base64 | tr "\n" " " | sed "s/ //g")
 discovery_url=start-script-test-discovery.start-script-test-ns:10261
-until result=$(wget -qO- -T 3 --ca-certificate=/var/lib/pump-tls/ca.crt --certificate=/var/lib/pump-tls/tls.crt --private-key=/var/lib/pump-tls/tls.key https://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null); do
+until result=$(curl -sS --fail --max-time 3 --cacert /var/lib/pump-tls/ca.crt --cert /var/lib/pump-tls/tls.crt --key /var/lib/pump-tls/tls.key https://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null); do
     echo "waiting for the verification of PD endpoints ..."
     sleep $((RANDOM % 5))
 done

pkg/manager/member/startscript/v2/ticdc_start_script.go

@@ -236,12 +236,16 @@ func escapeSingleQuotes(input string) string {
 
 const (
 	// ticdcStartSubScript contains optional subscripts used in start script.
+	//
+	// Use curl for discovery mTLS because wget in the runtime image does not reliably present the client cert.
+	ticdcAcrossK8sDiscoveryFetchPrefix = `{{ if .AcrossK8s.DiscoveryMTLS }}curl -sS --fail --max-time 3 --cacert {{ .AcrossK8s.ClusterCertPath }}/ca.crt --cert {{ .AcrossK8s.ClusterCertPath }}/tls.crt --key {{ .AcrossK8s.ClusterCertPath }}/tls.key https{{ else }}wget -qO- -T 3 http{{ end }}`
+
 	ticdcStartSubScript = `
 {{ define "AcrossK8sSubscript" }}
 pd_url={{ .AcrossK8s.PDAddr }}
 encoded_domain_url=$(echo $pd_url | base64 | tr "\n" " " | sed "s/ //g")
 discovery_url={{ .AcrossK8s.DiscoveryAddr }}
-until result=$(wget -qO- -T 3 {{ if .AcrossK8s.DiscoveryMTLS }}--ca-certificate={{ .AcrossK8s.ClusterCertPath }}/ca.crt --certificate={{ .AcrossK8s.ClusterCertPath }}/tls.crt --private-key={{ .AcrossK8s.ClusterCertPath }}/tls.key https{{ else }}http{{ end }}://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null); do
+until result=$(` + ticdcAcrossK8sDiscoveryFetchPrefix + `://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null); do
     echo "waiting for the verification of PD endpoints ..."
     sleep $((RANDOM % 5))
 done

pkg/manager/member/startscript/v2/ticdc_start_script_test.go

@@ -388,7 +388,7 @@ TICDC_POD_NAME=${POD_NAME}
 pd_url=https://start-script-test-pd:2379
 encoded_domain_url=$(echo $pd_url | base64 | tr "\n" " " | sed "s/ //g")
 discovery_url=start-script-test-discovery.start-script-test-ns:10261
-until result=$(wget -qO- -T 3 --ca-certificate=/var/lib/ticdc-tls/ca.crt --certificate=/var/lib/ticdc-tls/tls.crt --private-key=/var/lib/ticdc-tls/tls.key https://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null); do
+until result=$(curl -sS --fail --max-time 3 --cacert /var/lib/ticdc-tls/ca.crt --cert /var/lib/ticdc-tls/tls.crt --key /var/lib/ticdc-tls/tls.key https://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null); do
     echo "waiting for the verification of PD endpoints ..."
     sleep $((RANDOM % 5))
 done

pkg/manager/member/startscript/v2/tidb_start_script.go

@@ -83,12 +83,16 @@ func RenderTiDBStartScript(tc *v1alpha1.TidbCluster) (string, error) {
 
 const (
 	// tidbStartSubScript contains optional subscripts used in start script.
+	//
+	// Use curl for discovery mTLS because wget in the runtime image does not reliably present the client cert.
+	tidbAcrossK8sDiscoveryFetchPrefix = `{{ if .AcrossK8s.DiscoveryMTLS }}curl -sS --fail --max-time 3 --cacert {{ .AcrossK8s.ClusterCertPath }}/ca.crt --cert {{ .AcrossK8s.ClusterCertPath }}/tls.crt --key {{ .AcrossK8s.ClusterCertPath }}/tls.key https{{ else }}wget -qO- -T 3 http{{ end }}`
+
 	tidbStartSubScript = `
 {{ define "AcrossK8sSubscript" }}
 pd_url={{ .AcrossK8s.PDAddr }}
 encoded_domain_url=$(echo $pd_url | base64 | tr "\n" " " | sed "s/ //g")
 discovery_url={{ .AcrossK8s.DiscoveryAddr }}
-until result=$(wget -qO- -T 3 {{ if .AcrossK8s.DiscoveryMTLS }}--ca-certificate={{ .AcrossK8s.ClusterCertPath }}/ca.crt --certificate={{ .AcrossK8s.ClusterCertPath }}/tls.crt --private-key={{ .AcrossK8s.ClusterCertPath }}/tls.key https{{ else }}http{{ end }}://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null | sed 's/http:\/\///g'); do
+until result=$(` + tidbAcrossK8sDiscoveryFetchPrefix + `://${discovery_url}/verify/${encoded_domain_url} 2>/dev/null | sed 's/http:\/\///g'); do
     echo "waiting for the verification of PD endpoints ..."
     sleep $((RANDOM % 5))
 done