Add additional deck file convert fields

convert/plugin_names.go

@@ -55,6 +55,9 @@ const (
 	responseRateLimitingPluginName    = "response-ratelimiting"
 	samlPluginName                    = "saml"
 	serviceProtectionPluginName       = "service-protection"
+	solaceConsumePluginName           = "solace-consume"
+	solaceLogPluginName               = "solace-log"
+	solaceUpstreamPluginName          = "solace-upstream"
 	tcpLogPluginName                  = "tcp-log"
 	upstreamOauthPluginName           = "upstream-oauth"
 )

convert/plugin_updates_314.go

@@ -33,13 +33,17 @@ var sslVerifyPluginConfigSetters = map[string][]pluginConfigDefaultSetter{
 	},
 	acmePluginName: {
 		newNestedBoolDefaultSetter("storage_config.redis.ssl_verify"),
+		newNestedBoolDefaultSetter("storage_config.vault.tls_verify"),
 	},
 	aiAwsGuardrailPluginName: {
 		newNestedBoolDefaultSetter("ssl_verify"),
 	},
 	aiAzureContentSafetyPluginName: {
 		newNestedBoolDefaultSetter("ssl_verify"),
 	},
+	aiLlmAsJudgePluginName: {
+		newNestedBoolDefaultSetter("https_verify"),
+	},
 	aiProxyAdvancedPluginName: aiVectorDBSSLVerifySetters(),
 	aiRagInjectorPluginName:   aiVectorDBSSLVerifySetters(),
 	aiRateLimitingAdvancedPluginName: {
@@ -141,6 +145,15 @@ var sslVerifyPluginConfigSetters = map[string][]pluginConfigDefaultSetter{
 	serviceProtectionPluginName: {
 		newNestedBoolDefaultSetter("redis.ssl_verify"),
 	},
+	solaceConsumePluginName: {
+		newNestedBoolDefaultSetter("session.ssl_validate_certificate"),
+	},
+	solaceLogPluginName: {
+		newNestedBoolDefaultSetter("session.ssl_validate_certificate"),
+	},
+	solaceUpstreamPluginName: {
+		newNestedBoolDefaultSetter("session.ssl_validate_certificate"),
+	},
 	tcpLogPluginName: {
 		newNestedBoolDefaultSetter("ssl_verify"),
 	},

convert/plugin_updates_314_test.go

@@ -143,6 +143,56 @@ func TestUpdateLegacyPluginConfigFor314_SSLVerifyFields(t *testing.T) {
 				"https_verify": false,
 			},
 		},
+		{
+			name: "sets ai-llm-as-judge https_verify",
+			plugin: &file.FPlugin{Plugin: kong.Plugin{
+				Name:   kong.String(aiLlmAsJudgePluginName),
+				Config: kong.Configuration{},
+			}},
+			expected: kong.Configuration{
+				"https_verify": false,
+			},
+		},
+		{
+			name: "sets acme vault tls_verify when vault config exists",
+			plugin: &file.FPlugin{Plugin: kong.Plugin{
+				Name: kong.String(acmePluginName),
+				Config: kong.Configuration{
+					"storage_config": map[string]interface{}{
+						"vault": map[string]interface{}{},
+					},
+				},
+			}},
+			expected: kong.Configuration{
+				"storage_config": map[string]interface{}{
+					"vault": map[string]interface{}{
+						"tls_verify": false,
+					},
+				},
+			},
+		},
+		{
+			name: "sets solace-consume session ssl_validate_certificate when session config exists",
+			plugin: &file.FPlugin{Plugin: kong.Plugin{
+				Name: kong.String(solaceConsumePluginName),
+				Config: kong.Configuration{
+					"session": map[string]interface{}{},
+				},
+			}},
+			expected: kong.Configuration{
+				"session": map[string]interface{}{
+					"ssl_validate_certificate": false,
+				},
+			},
+		},
+		{
+			name: "does not invent missing solace session config",
+			plugin: &file.FPlugin{Plugin: kong.Plugin{
+				Name:   kong.String(solaceLogPluginName),
+				Config: kong.Configuration{},
+			}},
+			expected: kong.Configuration{},
+		},
 	}
 
 	for _, tt := range tests {
@@ -169,7 +219,7 @@ func TestUpdateLegacyPluginConfigFor314_LDAPVerifyHost(t *testing.T) {
 
 func TestUpdateLegacyPluginConfigFor314_LeavesUnsupportedPluginUnchanged(t *testing.T) {
 	plugin := &file.FPlugin{Plugin: kong.Plugin{
-		Name:   kong.String(aiLlmAsJudgePluginName),
+		Name:   kong.String(opaPluginName),
 		Config: kong.Configuration{"foo": "bar"},
 	}}
 

convert/rulesets/310-to-314/entrypoint.yaml

@@ -91,7 +91,7 @@ rules:
       In Kong Gateway 3.14, TLS verification is enabled by default for plugin HTTP clients
       that use https_verify.
     given:
-      - $..plugins[?(@.name == 'azure-functions' || @.name == 'forward-proxy')].config
+      - $..plugins[?(@.name == 'ai-llm-as-judge' || @.name == 'azure-functions' || @.name == 'forward-proxy')].config
     message: >-
       Kong Gateway 3.14 enables TLS certificate verification by default. Plugins that use
       https_verify will now verify certificates unless you set https_verify to false explicitly.
@@ -142,3 +142,31 @@ rules:
     then:
       - field: session_memcached_ssl_verify
         function: defined
+
+  acme-vault-tls-verify-plugin-check:
+    description: >-
+      In Kong Gateway 3.14, TLS verification is enabled by default for the Acme plugin's
+      vault storage backend.
+    given:
+      - $..plugins[?(@.name == 'acme')].config.storage_config.vault
+    message: >-
+      Kong Gateway 3.14 enables TLS certificate verification by default. The Acme plugin vault
+      storage backend will now verify TLS certificates unless you set tls_verify to false explicitly.
+    severity: warn
+    then:
+      - field: tls_verify
+        function: defined
+
+  solace-ssl-validate-certificate-plugin-check:
+    description: >-
+      In Kong Gateway 3.14, TLS certificate validation is enabled by default for Solace plugin
+      session connections.
+    given:
+      - $..plugins[?(@.name == 'solace-consume' || @.name == 'solace-log' || @.name == 'solace-upstream')].config.session
+    message: >-
+      Kong Gateway 3.14 enables TLS certificate verification by default. Solace plugins will now
+      validate session TLS certificates unless you set ssl_validate_certificate to false explicitly.
+    severity: warn
+    then:
+      - field: ssl_validate_certificate
+        function: defined