Merge branch 'main' into feature/konnect-workspaces

Author: shivaygupta-dotcom

.golangci.yml

@@ -84,6 +84,26 @@ linters:
           - gosec
         path: file/codegen/main.go
         text: Expect WriteFile permissions to be 0600 or less
+      # Exclude gosec G101 (hardcoded credentials) for test files
+      - linters:
+          - gosec
+        path: _test\.go
+        text: G101
+      # Exclude gosec G101 for static entity maps (false positive on entity type names)
+      - linters:
+          - gosec
+        path: (sanitize/schemas|validate/validate)\.go
+        text: G101
+      # Exclude gosec G704 (SSRF) for test files where HTTP requests are expected
+      - linters:
+          - gosec
+        path: tests/integration/
+        text: G704
+      # Exclude gosec G115 (integer overflow) for safe port number conversion
+      - linters:
+          - gosec
+        path: kong2kic/route\.go
+        text: G115
       - linters:
           - unparam
           - unused

cmd/file_convert.go

@@ -117,10 +117,12 @@ can be converted into a 'kong-gateway-3.x' configuration file.`,
 			validSourceFormats := []string{
 				string(convert.FormatKongGateway), string(convert.FormatKongGateway2x),
 				string(convert.FormatKongGatewayVersion28x), string(convert.FormatKongGatewayVersion34x),
+				string(convert.FormatKongGatewayVersion310x),
 			}
 			validDestinationFormats := []string{
 				string(convert.FormatKonnect), string(convert.FormatKongGateway3x),
 				string(convert.FormatKongGatewayVersion34x), string(convert.FormatKongGatewayVersion310x),
+				string(convert.FormatKongGatewayVersion314x),
 			}
 
 			err := validateInputFlag("from", convertCmdSourceFormat, validSourceFormats, "")
@@ -140,10 +142,12 @@ can be converted into a 'kong-gateway-3.x' configuration file.`,
 	sourceFormats := []convert.Format{
 		convert.FormatKongGateway, convert.FormatKongGateway2x,
 		convert.FormatKongGatewayVersion28x, convert.FormatKongGatewayVersion34x,
+		convert.FormatKongGatewayVersion310x,
 	}
 	destinationFormats := []convert.Format{
 		convert.FormatKonnect, convert.FormatKongGateway3x,
 		convert.FormatKongGatewayVersion34x, convert.FormatKongGatewayVersion310x,
+		convert.FormatKongGatewayVersion314x,
 	}
 	convertCmd.Flags().StringVar(&convertCmdSourceFormat, "from", "",
 		fmt.Sprintf("format of the source file, allowed formats: %v", sourceFormats))

convert/convert.go

@@ -25,6 +25,9 @@ var ruleset28to34 string
 //go:embed rulesets/340-to-310/entrypoint.yaml
 var ruleset34to310 string
 
+//go:embed rulesets/310-to-314/entrypoint.yaml
+var ruleset310to314 string
+
 const (
 	// FormatDistributed represents the Deck configuration format.
 	FormatDistributed Format = "distributed"
@@ -41,6 +44,7 @@ const (
 	FormatKongGatewayVersion28x  Format = "2.8"
 	FormatKongGatewayVersion34x  Format = "3.4"
 	FormatKongGatewayVersion310x Format = "3.10"
+	FormatKongGatewayVersion314x Format = "3.14"
 )
 
 // AllFormats contains all available formats.
@@ -65,6 +69,8 @@ func ParseFormat(key string) (Format, error) {
 		return FormatKongGatewayVersion34x, nil
 	case FormatKongGatewayVersion310x:
 		return FormatKongGatewayVersion310x, nil
+	case FormatKongGatewayVersion314x:
+		return FormatKongGatewayVersion314x, nil
 	default:
 		return "", fmt.Errorf("invalid format: '%v'", key)
 	}
@@ -157,6 +163,27 @@ func Convert(
 			return err
 		}
 
+	case from == FormatKongGatewayVersion310x && to == FormatKongGatewayVersion314x:
+		if len(inputFilenames) > 1 {
+			return fmt.Errorf("only one input file can be provided when converting from Kong 3.10 to Kong 3.14 format")
+		}
+		outputContent = convertKongGateway310xTo314x(inputContent)
+
+		stateFileBytes, err := filebasics.ReadFile(inputFilenames[0])
+		if err != nil {
+			return fmt.Errorf("failed to read input file '%s'; %w", inputFilenames[0], err)
+		}
+
+		lintErrs, err := lint.WithContent(stateFileBytes, []byte(ruleset310to314), "error", false)
+		if err != nil {
+			return err
+		}
+
+		_, err = lint.GetLintOutput(lintErrs, "plain", "-")
+		if err != nil {
+			return err
+		}
+
 	default:
 		return fmt.Errorf("cannot convert from '%s' to '%s' format", from, to)
 	}
@@ -359,3 +386,27 @@ func convertKongGateway34xTo310x(input *file.Content) *file.Content {
 
 	return outputContent
 }
+
+// convertKongGateway310xTo314x is used to convert a Kong Gateway 3.10.x config
+// to a Kong Gateway 3.14.x config. It can be used as a migration utility
+// between the two LTS versions. It auto-fixes some configuration related to
+// the "Secure by Default" changes in 3.14:
+//   - Routes: default protocols changed from ["http","https"] to ["https"]
+//   - Services: tls_verify now defaults to true (global tls_certificate_verify changed from off to on)
+//   - Plugins: ssl_verify now defaults to true for impacted plugins
+//   - Plugins: hide_credentials now defaults to true for auth plugins
+func convertKongGateway310xTo314x(input *file.Content) *file.Content {
+	outputContent := input.DeepCopy()
+
+	updateRoutesFor314(outputContent)
+	updateServicesFor314(outputContent)
+	updatePluginsFor314(outputContent)
+
+	cprint.UpdatePrintf(
+		"\nThese automatic changes may not be correct or exhaustive enough, please\n" +
+			"perform a manual audit of the config file.\n\n" +
+			"For related information, please visit:\n" +
+			"https://developer.konghq.com/gateway/upgrade\n\n")
+
+	return outputContent
+}

convert/convert_test.go

@@ -333,6 +333,17 @@ func Test_Convert(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "converts from 3.10 to 3.14 format",
+			args: args{
+				inputFilenames:         []string{"testdata/11/input.yaml"},
+				outputFilename:         "testdata/11/output.yaml",
+				expectedOutputFilename: "testdata/11/output-expected.yaml",
+				fromFormat:             FormatKongGatewayVersion310x,
+				toFormat:               FormatKongGatewayVersion314x,
+			},
+			wantErr: false,
+		},
 		{
 			name: "errors from distributed to kong gateway with env variables not set",
 			args: args{

convert/plugin_names.go

@@ -17,4 +17,43 @@ const (
 	aiResponseTransformerPluginName       = "ai-response-transformer"
 	aiSemanticCachePluginName             = "ai-semantic-cache"
 	aiSemanticPromptGuardPluginName       = "ai-semantic-prompt-guard"
+
+	// Auth plugins affected by hide_credentials default change in 3.14
+	keyAuthPluginName             = "key-auth"
+	keyAuthEncPluginName          = "key-auth-enc"
+	basicAuthPluginName           = "basic-auth"
+	hmacAuthPluginName            = "hmac-auth"
+	ldapAuthPluginName            = "ldap-auth"
+	oauth2PluginName              = "oauth2"
+	oauth2IntrospectionPluginName = "oauth2-introspection"
+	vaultAuthPluginName           = "vault-auth"
+	ldapAuthAdvancedPluginName    = "ldap-auth-advanced"
+
+	// Plugins affected by ssl_verify default change in 3.14
+	acePluginName                     = "ace"
+	acmePluginName                    = "acme"
+	aiAwsGuardrailPluginName          = "ai-aws-guardrail"
+	aiAzureContentSafetyPluginName    = "ai-azure-content-safety"
+	aiLlmAsJudgePluginName            = "ai-llm-as-judge"
+	aiSemanticResponseGuardPluginName = "ai-semantic-response-guard"
+	azureFunctionsPluginName          = "azure-functions"
+	confluentPluginName               = "confluent"
+	confluentConsumePluginName        = "confluent-consume"
+	datakitPluginName                 = "datakit"
+	forwardProxyPluginName            = "forward-proxy"
+	headerCertAuthPluginName          = "header-cert-auth"
+	jwtSignerPluginName               = "jwt-signer"
+	kafkaConsumePluginName            = "kafka-consume"
+	kafkaLogPluginName                = "kafka-log"
+	kafkaUpstreamPluginName           = "kafka-upstream"
+	mtlsAuthPluginName                = "mtls-auth"
+	opaPluginName                     = "opa"
+	openidConnectPluginName           = "openid-connect"
+	rateLimitingPluginName            = "rate-limiting"
+	requestCalloutPluginName          = "request-callout"
+	responseRateLimitingPluginName    = "response-ratelimiting"
+	samlPluginName                    = "saml"
+	serviceProtectionPluginName       = "service-protection"
+	tcpLogPluginName                  = "tcp-log"
+	upstreamOauthPluginName           = "upstream-oauth"
 )

convert/plugin_updates_314.go

@@ -0,0 +1,145 @@
+package convert
+
+import (
+	"github.com/kong/go-database-reconciler/pkg/cprint"
+	"github.com/kong/go-database-reconciler/pkg/file"
+	"github.com/kong/go-kong/kong"
+)
+
+// hideCredentialsPlugins is the list of auth plugins where hide_credentials
+// default changed from false to true in Kong Gateway 3.14.
+var hideCredentialsPlugins = map[string]bool{
+	keyAuthPluginName:             true,
+	keyAuthEncPluginName:          true,
+	basicAuthPluginName:           true,
+	hmacAuthPluginName:            true,
+	ldapAuthPluginName:            true,
+	oauth2PluginName:              true,
+	oauth2IntrospectionPluginName: true,
+	vaultAuthPluginName:           true,
+	ldapAuthAdvancedPluginName:    true,
+}
+
+// sslVerifyPlugins is the list of plugins where ssl_verify default
+// changed from false to true in Kong Gateway 3.14 (due to the global
+// tls_certificate_verify changing from off to on).
+var sslVerifyPlugins = map[string]bool{
+	acePluginName:                         true,
+	acmePluginName:                        true,
+	aiAwsGuardrailPluginName:              true,
+	aiAzureContentSafetyPluginName:        true,
+	aiLlmAsJudgePluginName:                true,
+	aiProxyAdvancedPluginName:             true,
+	aiRagInjectorPluginName:               true,
+	aiRateLimitingAdvancedPluginName:      true,
+	aiRequestTransformerPluginName:        true,
+	aiResponseTransformerPluginName:       true,
+	aiSemanticCachePluginName:             true,
+	aiSemanticPromptGuardPluginName:       true,
+	aiSemanticResponseGuardPluginName:     true,
+	awsLambdaPluginName:                   true,
+	azureFunctionsPluginName:              true,
+	basicAuthPluginName:                   true,
+	confluentPluginName:                   true,
+	confluentConsumePluginName:            true,
+	datakitPluginName:                     true,
+	forwardProxyPluginName:                true,
+	graphqlProxyCacheAdvancedPluginName:   true,
+	graphqlRateLimitingAdvancedPluginName: true,
+	headerCertAuthPluginName:              true,
+	httpLogPluginName:                     true,
+	jwtSignerPluginName:                   true,
+	kafkaConsumePluginName:                true,
+	kafkaLogPluginName:                    true,
+	kafkaUpstreamPluginName:               true,
+	ldapAuthPluginName:                    true,
+	ldapAuthAdvancedPluginName:            true,
+	mtlsAuthPluginName:                    true,
+	opaPluginName:                         true,
+	openidConnectPluginName:               true,
+	proxyCacheAdvancedPluginName:          true,
+	rateLimitingPluginName:                true,
+	rateLimitingAdvancedPluginName:        true,
+	requestCalloutPluginName:              true,
+	responseRateLimitingPluginName:        true,
+	samlPluginName:                        true,
+	serviceProtectionPluginName:           true,
+	tcpLogPluginName:                      true,
+	upstreamOauthPluginName:               true,
+}
+
+func updatePluginsFor314(content *file.Content) {
+	for idx := range content.Plugins {
+		plugin := &content.Plugins[idx]
+		updateLegacyPluginConfigFor314(plugin)
+	}
+
+	for _, service := range content.Services {
+		for _, plugin := range service.Plugins {
+			updateLegacyPluginConfigFor314(plugin)
+		}
+
+		for _, route := range service.Routes {
+			for _, plugin := range route.Plugins {
+				updateLegacyPluginConfigFor314(plugin)
+			}
+		}
+	}
+
+	for _, route := range content.Routes {
+		for _, plugin := range route.Plugins {
+			updateLegacyPluginConfigFor314(plugin)
+		}
+	}
+
+	for _, consumer := range content.Consumers {
+		for _, plugin := range consumer.Plugins {
+			updateLegacyPluginConfigFor314(plugin)
+		}
+	}
+
+	for _, consumerGroup := range content.ConsumerGroups {
+		for _, plugin := range consumerGroup.Plugins {
+			updateLegacyPluginConfigFor314(&file.FPlugin{
+				Plugin: kong.Plugin{
+					ID:     plugin.ID,
+					Name:   plugin.Name,
+					Config: plugin.Config,
+				},
+			})
+		}
+	}
+}
+
+func updateLegacyPluginConfigFor314(plugin *file.FPlugin) {
+	if plugin == nil || plugin.Name == nil {
+		return
+	}
+
+	pluginName := *plugin.Name
+
+	// Initialize config map if nil
+	if plugin.Config == nil {
+		plugin.Config = kong.Configuration{}
+	}
+
+	// Handle hide_credentials default change (false -> true)
+	if hideCredentialsPlugins[pluginName] {
+		if _, exists := plugin.Config["hide_credentials"]; !exists {
+			plugin.Config["hide_credentials"] = false
+			cprint.UpdatePrintf(
+				"Plugin '%s': setting hide_credentials to false "+
+					"(old default, 3.14 defaults to true)\n", pluginName)
+		}
+	}
+
+	// Handle ssl_verify default change (false -> true)
+	if sslVerifyPlugins[pluginName] {
+		if _, exists := plugin.Config["ssl_verify"]; !exists {
+			plugin.Config["ssl_verify"] = false
+			cprint.UpdatePrintf(
+				"Plugin '%s': setting ssl_verify to false "+
+					"(old default, 3.14 defaults to true)\n", pluginName)
+		}
+	}
+}

convert/route_updates_314.go

@@ -0,0 +1,46 @@
+package convert
+
+import (
+	"github.com/kong/go-database-reconciler/pkg/cprint"
+	"github.com/kong/go-database-reconciler/pkg/file"
+	"github.com/kong/go-kong/kong"
+)
+
+// updateRoutesFor314 updates all routes in the content to explicitly set the
+// old default protocols ["http", "https"] if no protocols are specified.
+// In Kong Gateway 3.14, the default protocols for routes changed from
+// ["http", "https"] to ["https"] only.
+func updateRoutesFor314(content *file.Content) {
+	for idx := range content.Routes {
+		setRouteProtocolDefaultsFor314(&content.Routes[idx])
+	}
+
+	for _, service := range content.Services {
+		for _, route := range service.Routes {
+			setRouteProtocolDefaultsFor314(route)
+		}
+	}
+}
+
+// setRouteProtocolDefaultsFor314 sets the old default protocols on a route
+// if the protocols field is not explicitly set.
+func setRouteProtocolDefaultsFor314(route *file.FRoute) {
+	if route == nil {
+		return
+	}
+	if len(route.Protocols) == 0 {
+		route.Protocols = []*string{
+			kong.String("http"),
+			kong.String("https"),
+		}
+		routeName := "<unnamed>"
+		if route.Name != nil {
+			routeName = *route.Name
+		} else if route.ID != nil {
+			routeName = *route.ID
+		}
+		cprint.UpdatePrintf(
+			"Route '%s': setting protocols to [\"http\", \"https\"] "+
+				"(old default, 3.14 defaults to [\"https\"] only)\n", routeName)
+	}
+}