diff --git a/convert/plugin_names.go b/convert/plugin_names.go
index a76f36af3..bf254ed29 100644
--- a/convert/plugin_names.go
+++ b/convert/plugin_names.go
@@ -55,6 +55,9 @@ const (
 responseRateLimitingPluginName = "response-ratelimiting"
 samlPluginName = "saml"
 serviceProtectionPluginName = "service-protection"
+ solaceConsumePluginName = "solace-consume"
+ solaceLogPluginName = "solace-log"
+ solaceUpstreamPluginName = "solace-upstream"
 tcpLogPluginName = "tcp-log"
 upstreamOauthPluginName = "upstream-oauth"
 )
diff --git a/convert/plugin_updates_314.go b/convert/plugin_updates_314.go
index cff87058f..c04859994 100644
--- a/convert/plugin_updates_314.go
+++ b/convert/plugin_updates_314.go
@@ -33,6 +33,7 @@ var sslVerifyPluginConfigSetters = map[string][]pluginConfigDefaultSetter{
 },
 acmePluginName: {
 newNestedBoolDefaultSetter("storage_config.redis.ssl_verify"),
+ newNestedBoolDefaultSetter("storage_config.vault.tls_verify"),
 },
 aiAwsGuardrailPluginName: {
 newNestedBoolDefaultSetter("ssl_verify"),
@@ -40,6 +41,9 @@ var sslVerifyPluginConfigSetters = map[string][]pluginConfigDefaultSetter{
 aiAzureContentSafetyPluginName: {
 newNestedBoolDefaultSetter("ssl_verify"),
 },
+ aiLlmAsJudgePluginName: {
+ newNestedBoolDefaultSetter("https_verify"),
+ },
 aiProxyAdvancedPluginName: aiVectorDBSSLVerifySetters(),
 aiRagInjectorPluginName: aiVectorDBSSLVerifySetters(),
 aiRateLimitingAdvancedPluginName: {
@@ -141,6 +145,15 @@ var sslVerifyPluginConfigSetters = map[string][]pluginConfigDefaultSetter{
 serviceProtectionPluginName: {
 newNestedBoolDefaultSetter("redis.ssl_verify"),
 },
+ solaceConsumePluginName: {
+ newNestedBoolDefaultSetter("session.ssl_validate_certificate"),
+ },
+ solaceLogPluginName: {
+ newNestedBoolDefaultSetter("session.ssl_validate_certificate"),
+ },
+ solaceUpstreamPluginName: {
+ newNestedBoolDefaultSetter("session.ssl_validate_certificate"),
+ },
 tcpLogPluginName: {
 newNestedBoolDefaultSetter("ssl_verify"),
 },
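Review bot: The new `storage_config.vault.tls_verify` setter in the acmePluginName entry (first hunk of plugin_updates_314.go) makes the converter write an explicit `tls_verify: false` into every acme configuration that already carries a vault storage block, i.e. it pins certificate verification off for the vault backend, and nothing on the map records that; the three `session.ssl_validate_certificate` entries in the third hunk do the same for the Solace session connection. The written value is confirmed by the `"tls_verify": false` expectation in the test file, and the test named "does not invent missing solace session config" suggests a missing parent object is skipped rather than created, but neither fact is visible from this map. I would put it on the declaration shown in the hunk header: `// sslVerifyPluginConfigSetters maps a plugin to the TLS-verification fields that Gateway 3.14 turns on by default; each setter writes an explicit false so a converted 3.10 config keeps its previous (unverified) behaviour, and nested paths are only written when their enclosing object is already present.` — with the last clause adjusted if that reading of newNestedBoolDefaultSetter is wrong. The var declaration itself starts before the hunk.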
diff --git a/convert/plugin_updates_314_test.go b/convert/plugin_updates_314_test.go
index 37afe1b89..fe1803f93 100644
--- a/convert/plugin_updates_314_test.go
+++ b/convert/plugin_updates_314_test.go
@@ -143,6 +143,56 @@ func TestUpdateLegacyPluginConfigFor314_SSLVerifyFields(t *testing.T) {
 "https_verify": false,
 },
 },
+ {
+ name: "sets ai-llm-as-judge https_verify",
+ plugin: &file.FPlugin{Plugin: kong.Plugin{
+ Name: kong.String(aiLlmAsJudgePluginName),
+ Config: kong.Configuration{},
+ }},
+ expected: kong.Configuration{
+ "https_verify": false,
+ },
+ },
+ {
+ name: "sets acme vault tls_verify when vault config exists",
+ plugin: &file.FPlugin{Plugin: kong.Plugin{
+ Name: kong.String(acmePluginName),
+ Config: kong.Configuration{
+ "storage_config": map[string]interface{}{
+ "vault": map[string]interface{}{},
+ },
+ },
+ }},
+ expected: kong.Configuration{
+ "storage_config": map[string]interface{}{
+ "vault": map[string]interface{}{
+ "tls_verify": false,
+ },
+ },
+ },
+ },
+ {
+ name: "sets solace-consume session ssl_validate_certificate when session config exists",
+ plugin: &file.FPlugin{Plugin: kong.Plugin{
+ Name: kong.String(solaceConsumePluginName),
+ Config: kong.Configuration{
+ "session": map[string]interface{}{},
+ },
+ }},
+ expected: kong.Configuration{
+ "session": map[string]interface{}{
+ "ssl_validate_certificate": false,
+ },
+ },
+ },
+ {
+ name: "does not invent missing solace session config",
+ plugin: &file.FPlugin{Plugin: kong.Plugin{
+ Name: kong.String(solaceLogPluginName),
+ Config: kong.Configuration{},
+ }},
+ expected: kong.Configuration{},
+ },
 }
 
 for _, tt := range tests {
@@ -169,7 +219,7 @@ func TestUpdateLegacyPluginConfigFor314_LDAPVerifyHost(t *testing.T) {
 func TestUpdateLegacyPluginConfigFor314_LeavesUnsupportedPluginUnchanged(t *testing.T) {
 plugin := &file.FPlugin{Plugin: kong.Plugin{
- Name: kong.String(aiLlmAsJudgePluginName),
+ Name: kong.String(opaPluginName),
 Config: kong.Configuration{"foo": "bar"},
 }}
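Review bot: The new cases in the first hunk cover a missing top-level `session` block for Solace, but not the acme shape that the added vault setter makes interesting: `storage_config` present with only a `redis` entry and no `vault`. That is the common pre-3.14 acme layout, and it is where an over-eager nested setter would conjure an empty `vault` object carrying `tls_verify: false` into a config that never used vault; the solace case does not exercise a missing sibling under an existing parent. The third Solace constant, solaceUpstreamPluginName, also has no case, though its setter is identical to the other two. The expected value below assumes the nested setter skips absent parents, as the solace case suggests; adjust if that is not the contract. The enclosing TestUpdateLegacyPluginConfigFor314_SSLVerifyFields starts before the hunk.
```go
		// … unchanged: earlier cases …
		{
			name: "does not invent acme vault config when only redis storage is set",
			plugin: &file.FPlugin{Plugin: kong.Plugin{
				Name: kong.String(acmePluginName),
				Config: kong.Configuration{
					"storage_config": map[string]interface{}{
						"redis": map[string]interface{}{},
					},
				},
			}},
			expected: kong.Configuration{
				"storage_config": map[string]interface{}{
					"redis": map[string]interface{}{
						"ssl_verify": false,
					},
				},
			},
		},
		// … unchanged: remaining cases and the range loop …
```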
diff --git a/convert/rulesets/310-to-314/entrypoint.yaml b/convert/rulesets/310-to-314/entrypoint.yaml
index fad066bc0..81886cf02 100644
--- a/convert/rulesets/310-to-314/entrypoint.yaml
+++ b/convert/rulesets/310-to-314/entrypoint.yaml
@@ -91,7 +91,7 @@ rules:
 In Kong Gateway 3.14, TLS verification is enabled by default for plugin HTTP clients that use https_verify.
 given:
- - $..plugins[?(@.name == 'azure-functions' || @.name == 'forward-proxy')].config
+ - $..plugins[?(@.name == 'ai-llm-as-judge' || @.name == 'azure-functions' || @.name == 'forward-proxy')].config
 message: >-
 Kong Gateway 3.14 enables TLS certificate verification by default. Plugins that use https_verify will now verify certificates unless you set https_verify to false explicitly.
@@ -142,3 +142,31 @@ rules:
 then:
 - field: session_memcached_ssl_verify
 function: defined
+ acme-vault-tls-verify-plugin-check:
+ description: >-
+ In Kong Gateway 3.14, TLS verification is enabled by default for the Acme plugin's
+ vault storage backend.
+ given:
+ - $..plugins[?(@.name == 'acme')].config.storage_config.vault
+ message: >-
+ Kong Gateway 3.14 enables TLS certificate verification by default. The Acme plugin vault
+ storage backend will now verify TLS certificates unless you set tls_verify to false explicitly.
+ severity: warn
+ then:
+ - field: tls_verify
+ function: defined
+ solace-ssl-validate-certificate-plugin-check:
+ description: >-
+ In Kong Gateway 3.14, TLS certificate validation is enabled by default for Solace plugin
+ session connections.
+ given:
+ - $..plugins[?(@.name == 'solace-consume' || @.name == 'solace-log' || @.name == 'solace-upstream')].config.session
+ message: >-
+ Kong Gateway 3.14 enables TLS certificate verification by default. Solace plugins will now
+ validate session TLS certificates unless you set ssl_validate_certificate to false explicitly.
+ severity: warn
+ then:
+ - field: ssl_validate_certificate
+ function: defined
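Review bot: Both new rules in the second hunk anchor `given` on the nested block (`.config.storage_config.vault` and `.config.session`), so a plugin instance that omits that block is never warned, whereas the https_verify rule updated in the first hunk anchors on `.config` and checks the field directly. If the vault and session blocks are mandatory whenever those backends are in use, the narrower anchor is correct and simply needs saying; otherwise an acme or Solace config relying on implicit defaults slips through the lint while the 3.14 behaviour change still applies to it. I would add a one-line comment above each `given`, e.g. `# anchored on the session block: ssl_validate_certificate lives inside it, and only instances that configure a session are affected`. Whether the linter's `defined` function accepts a dotted `field: session.ssl_validate_certificate` against a `.config` anchor, which would close the gap, cannot be determined from this file.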