feat: added tls_sans param to service entity (#585)

* feat: added tls_sans param to service entity

* tests: added tests for service with tls_sans

* chore: updated deepcopy gen

* tests: fixed service default tests for 3.10+

* tests: fixed unit test condition

* test: fixed test condition

Author: Prashansa-K

kong/service.go

@@ -20,11 +20,20 @@ type Service struct {
 	URL               *string      `json:"url,omitempty" yaml:"url,omitempty"`
 	WriteTimeout      *int         `json:"write_timeout,omitempty" yaml:"write_timeout,omitempty"`
 	Tags              []*string    `json:"tags,omitempty" yaml:"tags,omitempty"`
+	TLSSANs           *SANs        `json:"tls_sans,omitempty" yaml:"tls_sans,omitempty"`
 	TLSVerify         *bool        `json:"tls_verify,omitempty" yaml:"tls_verify,omitempty"`
 	TLSVerifyDepth    *int         `json:"tls_verify_depth,omitempty" yaml:"tls_verify_depth,omitempty"`
 	CACertificates    []*string    `json:"ca_certificates,omitempty" yaml:"ca_certificates,omitempty"`
 }
 
+// SANs represents Additional Subject Alternative names,
+// that can be matched on Upstream server's TLS certificates, in addition to host.
+// +k8s:deepcopy-gen=true
+type SANs struct {
+	DNSNames []*string `json:"dnsnames,omitempty" yaml:"dnsnames,omitempty"`
+	Uris     []*string `json:"uris,omitempty" yaml:"uris,omitempty"`
+}
+
 // FriendlyName returns the endpoint key name or ID.
 func (s *Service) FriendlyName() string {
 	if s.Name != nil {

kong/service_service_test.go

@@ -238,3 +238,55 @@ func TestServiceWithClientCert(T *testing.T) {
 	err = client.Certificates.Delete(defaultCtx, createdCertificate.ID)
 	require.NoError(err)
 }
+
+func TestServiceWithTLSSANs(T *testing.T) {
+	RunWhenDBMode(T, "postgres")
+	RunWhenEnterprise(T, ">=3.10.0.6", RequiredFeatures{})
+
+	assert := assert.New(T)
+	require := require.New(T)
+
+	client, err := NewTestClient(nil, nil)
+	require.NoError(err)
+	require.NotNil(client)
+
+	// Create a service with tls_sans property
+	service := &Service{
+		Name:     String("service-with-tls-sans"),
+		Host:     String("example.com"),
+		Protocol: String("https"),
+		TLSSANs: &SANs{
+			DNSNames: StringSlice("example.com", "test.example.com"),
+			Uris:     StringSlice("https://example.com"),
+		},
+	}
+
+	createdService, err := client.Services.Create(defaultCtx, service)
+	require.NoError(err)
+	require.NotNil(createdService)
+	require.NotNil(createdService.TLSSANs)
+	assert.Equal(StringSlice("example.com", "test.example.com"), createdService.TLSSANs.DNSNames)
+	assert.Equal(StringSlice("https://example.com"), createdService.TLSSANs.Uris)
+
+	// Update tls_sans property
+	createdService.TLSSANs = &SANs{
+		DNSNames: StringSlice("new-example.com"),
+		Uris:     StringSlice("https://new-example.com", "https://api.new-example.com"),
+	}
+
+	updatedService, err := client.Services.Update(defaultCtx, createdService)
+	require.NoError(err)
+	require.NotNil(updatedService)
+	require.Equal(updatedService.ID, createdService.ID)
+	require.NotNil(updatedService.TLSSANs)
+	assert.Equal(StringSlice("new-example.com"), updatedService.TLSSANs.DNSNames)
+	assert.Equal(StringSlice("https://new-example.com", "https://api.new-example.com"), updatedService.TLSSANs.Uris)
+
+	// Delete service
+	err = client.Services.Delete(defaultCtx, updatedService.ID)
+	require.NoError(err)
+
+	// Verify deletion
+	_, err = client.Services.Get(defaultCtx, updatedService.ID)
+	require.Error(err)
+}

kong/utils_test.go

@@ -1032,7 +1032,8 @@ func TestFillRoutesDefaults(T *testing.T) {
 	}
 }
 
-func TestFillServiceDefaults(T *testing.T) {
+func TestFillServiceDefaults_pre_310(T *testing.T) {
+	RunWhenKong(T, "<3.10.0")
 	assert := assert.New(T)
 
 	client, err := NewTestClient(nil, nil)
@@ -1118,6 +1119,96 @@ func TestFillServiceDefaults(T *testing.T) {
 	}
 }
 
+func TestFillServiceDefaults_310_and_up(T *testing.T) {
+	RunWhenEnterprise(T, ">=3.10.0", RequiredFeatures{})
+	assert := assert.New(T)
+
+	client, err := NewTestClient(nil, nil)
+	require.NoError(T, err)
+	assert.NotNil(client)
+
+	tests := []struct {
+		name     string
+		service  *Service
+		expected *Service
+	}{
+		{
+			name: "fills defaults for all fields, leaves name and host unchanged",
+			service: &Service{
+				Name: String("svc1"),
+				Host: String("mockbin.org"),
+			},
+			expected: &Service{
+				Name:           String("svc1"),
+				Host:           String("mockbin.org"),
+				Port:           Int(80),
+				Protocol:       String("http"),
+				ConnectTimeout: Int(60000),
+				ReadTimeout:    Int(60000),
+				Retries:        Int(5),
+				WriteTimeout:   Int(60000),
+				TLSSANs:        &SANs{},
+			},
+		},
+		{
+			name: "fills defaults for all fields except port, leaves name and host unchanged",
+			service: &Service{
+				Name: String("svc1"),
+				Host: String("mockbin.org"),
+				Port: Int(8080),
+			},
+			expected: &Service{
+				Name:           String("svc1"),
+				Host:           String("mockbin.org"),
+				Port:           Int(8080),
+				Protocol:       String("http"),
+				ConnectTimeout: Int(60000),
+				ReadTimeout:    Int(60000),
+				Retries:        Int(5),
+				WriteTimeout:   Int(60000),
+				TLSSANs:        &SANs{},
+			},
+		},
+		{
+			name: "fills defaults for all fields except port, leaves name, tags and host unchanged",
+			service: &Service{
+				Name: String("svc1"),
+				Host: String("mockbin.org"),
+				Port: Int(8080),
+				Tags: []*string{String("tag1"), String("tag2")},
+			},
+			expected: &Service{
+				Name:           String("svc1"),
+				Host:           String("mockbin.org"),
+				Port:           Int(8080),
+				Protocol:       String("http"),
+				ConnectTimeout: Int(60000),
+				ReadTimeout:    Int(60000),
+				Retries:        Int(5),
+				WriteTimeout:   Int(60000),
+				Tags:           []*string{String("tag1"), String("tag2")},
+				TLSSANs:        &SANs{},
+			},
+		},
+	}
+
+	for _, tc := range tests {
+		T.Run(tc.name, func(t *testing.T) {
+			s := tc.service
+			fullSchema, err := client.Schemas.Get(defaultCtx, "services")
+			require.NoError(T, err)
+			assert.NotNil(fullSchema)
+			require.NoError(t, FillEntityDefaults(s, fullSchema))
+			opt := []cmp.Option{
+				cmpopts.IgnoreFields(Service{}, "Enabled"),
+			}
+			if diff := cmp.Diff(s, tc.expected, opt...); diff != "" {
+				t.Errorf("unexpected diff:\n%s", diff)
+			}
+		})
+	}
+}
+
 func TestFillTargetDefaults(T *testing.T) {
 	assert := assert.New(T)