Enable TLSv1.3 in ingress nginx
What does this MR do and why?
The aim of this MR is to bring a security improvement by configuring ingress-nginx to use TLSv1.3 for exposed services.
Related reference(s)
Closes #2897.
Test coverage
openssl s_client -connect grafana.sylva:443
CONNECTED(00000003)
---
Certificate chain
0 s:C = eu, O = Sylva, OU = DEV, CN = grafana-cn
i:C = eu, O = Sylva, OU = DEV, CN = Sylva CA
a:PKEY: rsaEncryption, 2048 (bit); sigalg: ecdsa-with-SHA256
v:NotBefore: Oct 1 09:30:48 2025 GMT; NotAfter: Dec 30 09:30:48 2025 GMT
---
Server certificate
subject=C = eu, O = Sylva, OU = DEV, CN = grafana-cn
issuer=C = eu, O = Sylva, OU = DEV, CN = Sylva CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1280 bytes and written 395 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 02296CBE35463565E125D4F346CC13505F0CBCED795D0B7E49BFD4DA934BE8BB
Session-ID-ctx:
Resumption PSK: B2740B3E546F530571362E0A73CA26FBA4D6BBEFE8B4DB3A8C74C03FA01E9DB5BCF00C804AFDD6A48DA72051170C6843
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 600 (seconds)
TLS session ticket:
0000 - 86 b3 3b 8e 92 b5 5e ab-96 fb 90 56 6d 61 43 32 ..;...^....VmaC2
0010 - 89 0a d6 75 a2 69 d9 1d-de f5 9f 89 b9 e7 07 b0 ...u.i..........
Start Time: 1759312440
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 658A16DA21EB7F833087CB1A8B0202D7415F0B88F4681F1F94648614CBA8CD16
Session-ID-ctx:
Resumption PSK: 9C954EDEA038CF6F6553CCC69A7266668FF53A3E0DC7549F515D3DFE810BC601476574644B88CD3F313893AEC5DCAC2B
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 600 (seconds)
TLS session ticket:
0000 - 12 30 a9 be 9c d3 fa 8f-9f b3 9f 60 39 2d 90 87 .0.........`9-..
0010 - e3 fa f4 da bf 24 d1 52-be b8 21 bd 63 09 4e a9 .....$.R..!.c.N.
Start Time: 1759312440
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
Max Early Data: 0
---
openssl s_client -connect rancher.sylva:443
CONNECTED(00000003)
---
Certificate chain
0 s:C = eu, O = Sylva, OU = DEV, CN = rancher-cn
i:C = eu, O = Sylva, OU = DEV, CN = Sylva CA
a:PKEY: rsaEncryption, 2048 (bit); sigalg: ecdsa-with-SHA256
v:NotBefore: Oct 1 09:31:37 2025 GMT; NotAfter: Dec 30 09:31:37 2025 GMT
---
Server certificate
subject=C = eu, O = Sylva, OU = DEV, CN = rancher-cn
issuer=C = eu, O = Sylva, OU = DEV, CN = Sylva CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1282 bytes and written 395 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 080DD78143B55BD2A40729F4E585E902DE34132124324DFE03F299D05D629D75
Session-ID-ctx:
Resumption PSK: 7F61B2EAFE6D0352435A203E67D92ABC37F6D7D8CB03BF9AACD23E573A7B4C6026E95D3CCA50A4B1E56014C18DAA1038
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 600 (seconds)
TLS session ticket:
0000 - 49 ef cd 83 39 11 93 17-80 39 a2 b2 95 4f bb cd I...9....9...O..
0010 - 42 fd 51 5a a9 56 64 b4-8b b5 6b ce c3 b5 90 12 B.QZ.Vd...k.....
Start Time: 1759312400
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 7108699F414E2093DBEE91CB74ED10EF646EDABFB8D54475742037E355BE985A
Session-ID-ctx:
Resumption PSK: B24D133057EB88EF58BBC779641FEA246F5ADA99CB268F84603CD81DA5CD220134F6B4B70B87A1F1360E41C330933AF4
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 600 (seconds)
TLS session ticket:
0000 - de a5 7b 97 9f 27 a7 49-37 4a a5 a6 45 2f 51 2c ..{..'.I7J..E/Q,
0010 - fd 6c 20 25 85 78 93 1a-ff 36 27 4f a9 ad c9 5c .l %.x...6'O...\
Start Time: 1759312400
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
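As an added check (example code, not part of this MR or the Sylva project), a small Python helper that parses `openssl s_client` transcripts like the two above and flags anything short of a verified TLSv1.3 handshake; the sample transcript is constructed, and the host:port and CA file path are placeholders. It also builds the argv for a TLSv1.2-only probe, which a TLSv1.3-only listener should refuse, and for a run with the Sylva CA supplied so that the "Verify return code: 21" seen above turns into a real chain check.

```python
"""Assess an openssl s_client transcript against the TLSv1.3-only expectation."""
import re

# Constructed excerpt in the shape of the transcripts above (sample, not the page's bytes).
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
---
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1280 bytes and written 395 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Verify return code: 21 (unable to verify the first certificate)
---
"""

def parse_s_client(output: str) -> dict:
    """Extract the fields a protocol-policy review cares about from s_client output."""
    info = {"protocol": None, "cipher": None, "verify_code": None, "temp_key": None}
    m = re.search(r"^New, (\S+), Cipher is (\S+)$", output, re.M)
    if m:
        info["protocol"], info["cipher"] = m.group(1), m.group(2)
    m = re.search(r"^Verify return code: (\d+)", output, re.M)
    if m:
        info["verify_code"] = int(m.group(1))
    m = re.search(r"^Server Temp Key: (.+)$", output, re.M)
    if m:
        info["temp_key"] = m.group(1).strip()
    return info

def assess(output: str) -> list[str]:
    """Return findings to act on; an empty list means the transcript meets the expectation."""
    info = parse_s_client(output)
    findings = []
    if info["protocol"] != "TLSv1.3":
        findings.append(f"negotiated {info['protocol']!r}, expected TLSv1.3")
    if info["verify_code"] != 0:
        # Code 21 in the transcripts above means the issuing CA was not given to s_client,
        # so the chain was never checked; pass the Sylva CA with -CAfile and rerun.
        findings.append(f"chain not verified (code {info['verify_code']}); rerun with -CAfile")
    return findings

def probe_commands(host_port: str, cafile: str) -> dict:
    """argv for a verified TLSv1.3 handshake and for a TLSv1.2-only attempt that must fail."""
    base = ["openssl", "s_client", "-connect", host_port, "-CAfile", cafile]
    return {"tls13": base + ["-tls1_3"], "tls12_must_fail": base + ["-tls1_2"]}
```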
CI configuration
Below you can choose test deployment variants to run in this MR's CI.
Legend:
| Icon | Meaning | Available values |
|---|---|---|
| ☁️ | Infra Provider | capd, capo, capm3 |
| 🚀 | Bootstrap Provider | kubeadm (alias kadm), rke2, okd, ck8s |
| 🐧 | Node OS | ubuntu, suse, na, leapmicro |
| 🛠️ | Deployment Options | light-deploy, dev-sources, ha, misc, maxsurge-0, logging, no-logging, openbao |
| 🎬 | Pipeline Scenarios | Available scenario list and description |

- 🎬 preview ☁️ capd 🚀 kadm 🐧 ubuntu
- 🎬 preview ☁️ capo 🚀 rke2 🐧 suse
- 🎬 preview ☁️ capm3 🚀 rke2 🐧 ubuntu
- ☁️ capd 🚀 kadm 🛠️ light-deploy 🐧 ubuntu
- ☁️ capd 🚀 rke2 🛠️ light-deploy 🐧 suse
- ☁️ capo 🚀 rke2 🐧 suse
- ☁️ capo 🚀 rke2 🐧 leapmicro
- ☁️ capo 🚀 kadm 🐧 ubuntu
- ☁️ capo 🚀 rke2 🎬 rolling-update 🛠️ ha 🐧 ubuntu
- ☁️ capo 🚀 kadm 🎬 wkld-k8s-upgrade 🐧 ubuntu
- ☁️ capo 🚀 rke2 🎬 rolling-update-no-wkld 🛠️ ha 🐧 suse
- ☁️ capo 🚀 rke2 🎬 sylva-upgrade-from-1.5.x 🛠️ ha 🐧 ubuntu
- ☁️ capo 🚀 rke2 🎬 sylva-upgrade-from-1.5.x 🛠️ ha,misc 🐧 ubuntu
- ☁️ capo 🚀 rke2 🛠️ ha,misc 🐧 ubuntu
- ☁️ capo 🚀 rke2 🛠️ ha,misc,openbao 🐧 suse
- ☁️ capm3 🚀 rke2 🐧 suse
- ☁️ capm3 🚀 kadm 🐧 ubuntu
- ☁️ capm3 🚀 ck8s 🐧 ubuntu
- ☁️ capm3 🚀 kadm 🎬 rolling-update-no-wkld 🛠️ ha,misc 🐧 ubuntu
- ☁️ capm3 🚀 rke2 🎬 wkld-k8s-upgrade 🛠️ ha 🐧 suse
- ☁️ capm3 🚀 kadm 🎬 rolling-update 🛠️ ha 🐧 ubuntu
- ☁️ capm3 🚀 rke2 🎬 sylva-upgrade-from-1.5.x 🛠️ ha 🐧 suse
- ☁️ capm3 🚀 rke2 🛠️ misc,ha 🐧 suse
- ☁️ capm3 🚀 rke2 🎬 sylva-upgrade-from-1.5.x 🛠️ ha,misc 🐧 suse
- ☁️ capm3 🚀 kadm 🎬 rolling-update 🛠️ ha 🐧 suse
- ☁️ capm3 🚀 ck8s 🎬 rolling-update 🛠️ ha 🐧 ubuntu
- ☁️ capm3 🚀 rke2|okd 🎬 no-update 🐧 ubuntu|na
Global config for deployment pipelines
- autorun pipelines
- allow failure on pipelines
- record sylvactl events

Notes:
- Enabling `autorun` will make deployment pipelines run automatically without human interaction.
- Disabling `allow failure` will make deployment pipelines mandatory for pipeline success.
- If both `autorun` and `allow failure` are disabled, deployment pipelines will need manual triggering but will block the pipeline.
Be aware: after a configuration change, the pipeline is not triggered automatically.
Please run it manually (by clicking the run pipeline button in the Pipelines tab) or push new code.