Update TLS configuration

[praseodym]

What this PR does / why we need it:

Enable TLSv1.3 by default and update list of ciphers. The new configuration matches the 'Intermediate' configuration recommended by the Mozilla SSL Configuration Generator.

Types of changes

New feature (non-breaking change which adds functionality)

How Has This Been Tested?

Tested these settings using the settings ConfigMap.

Checklist:

• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I've read the CONTRIBUTION guide
• I have added tests to cover my changes.
• All new and existing tests passed.

[k8s-ci-robot]

Hi @praseodym. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[praseodym]

/assign @bowei

[aledbf]

@praseodym please don't assign PRs manually

[aledbf]

@praseodym I am not sure about enabling TLSv1.3 by default.

[praseodym]

@aledbf

please don't assign PRs manually

Hmm, then maybe k8s-ci-robot should be configured not to suggest assigning reviewers?

I am not sure about enabling TLSv1.3 by default.

With what motivation? Mozilla recommends enabling it by default, Ubuntu's nginx has had it enabled by default since November 2018 and Cloudflare enabled it everywhere in May 2018. I'd say that any issues caused by enabling TLSv1.3 by default should've been resolved by now.

[aledbf]

/ok-to-test

[aledbf]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aledbf, praseodym

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [aledbf]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sslavic]

@aledbf did this change actually make it into 0.32.0? I don't see it listed in the changelog https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0320

[sslavic]

Also, this PR seems to change documentation only, not default settings in:
https://github.com/kubernetes/ingress-nginx/blob/master/internal/ingress/controller/config/config.go#L67-L73

Is that intentional? Is it even correct to have docs and actual defaults differ?

[praseodym]

@sslavic looks like you're right! Not quite sure what happened, I'll submit a followup PR.

[praseodym]

Fix in #5491, thanks for catching this @sslavic!

[sslavic]

IIUC, please correct if wrong, this PR:

• is likely released in 0.32.0 and touches docs only, so should be listed in docs section of 0.32.0 changelog
• aligns documentation to match actual default ssl ciphers which were changed in Update default SSL ciphers #4813 shipped in 0.27.0 https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0270
• unwantedly changes just documentation about default protocols to include tls 1.3, while actually that default is changed in Actually enable TLSv1.3 by default #5491 which is to-be-released (e.g. maybe with 0.32.1)

[praseodym]

That's correct. It also changes the set of ciphers for legacy clients in docs to align with the Mozilla SSL Configuration Generator "Old" setting.