update docs

pacevedom · pacevedom · commit f8d0be65114d · 2026-03-16T18:43:12.000+01:00
diff --git a/cmd/generate-config/config/config-openapi-spec.json b/cmd/generate-config/config/config-openapi-spec.json
@@ -762,19 +762,19 @@
           "type": "object",
           "properties": {
             "custom": {
-              "description": "custom is a user-defined TLS security profile. Be extremely careful using a custom\nprofile as invalid configurations can be catastrophic. An example custom profile\nlooks like this:\n\n  ciphers:\n\n    - ECDHE-ECDSA-CHACHA20-POLY1305\n\n    - ECDHE-RSA-CHACHA20-POLY1305\n\n    - ECDHE-RSA-AES128-GCM-SHA256\n\n    - ECDHE-ECDSA-AES128-GCM-SHA256\n\n  minTLSVersion: VersionTLS11",
+              "description": "custom is a user-defined TLS security profile. Be extremely careful using a custom\nprofile as invalid configurations can be catastrophic. An example custom profile\nlooks like this:\n\n  minTLSVersion: VersionTLS11\n  ciphers:\n    - ECDHE-ECDSA-CHACHA20-POLY1305\n    - ECDHE-RSA-CHACHA20-POLY1305\n    - ECDHE-RSA-AES128-GCM-SHA256\n    - ECDHE-ECDSA-AES128-GCM-SHA256",
               "type": "object",
               "properties": {
                 "ciphers": {
-                  "description": "ciphers is used to specify the cipher algorithms that are negotiated\nduring the TLS handshake.  Operators may remove entries their operands\ndo not support.  For example, to use DES-CBC3-SHA  (yaml):\n\n  ciphers:\n    - DES-CBC3-SHA",
+                  "description": "ciphers is used to specify the cipher algorithms that are negotiated\nduring the TLS handshake. Operators may remove entries that their operands\ndo not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):\n\n  ciphers:\n    - ECDHE-RSA-AES128-GCM-SHA256\n\nTLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable\nand are always enabled when TLS 1.3 is negotiated.",
                   "type": "array",
                   "items": {
                     "type": "string"
                   },
                   "x-kubernetes-list-type": "atomic"
                 },
                 "minTLSVersion": {
-                  "description": "minTLSVersion is used to specify the minimal version of the TLS protocol\nthat is negotiated during the TLS handshake. For example, to use TLS\nversions 1.1, 1.2 and 1.3 (yaml):\n\n  minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12",
+                  "description": "minTLSVersion is used to specify the minimal version of the TLS protocol\nthat is negotiated during the TLS handshake. For example, to use TLS\nversions 1.1, 1.2 and 1.3 (yaml):\n\n  minTLSVersion: VersionTLS11",
                   "type": "string",
                   "enum": [
                     "VersionTLS10",
@@ -787,22 +787,22 @@
               "nullable": true
             },
             "intermediate": {
-              "description": "intermediate is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29\n\nand looks like this (yaml):\n\n  ciphers:\n\n    - TLS_AES_128_GCM_SHA256\n\n    - TLS_AES_256_GCM_SHA384\n\n    - TLS_CHACHA20_POLY1305_SHA256\n\n    - ECDHE-ECDSA-AES128-GCM-SHA256\n\n    - ECDHE-RSA-AES128-GCM-SHA256\n\n    - ECDHE-ECDSA-AES256-GCM-SHA384\n\n    - ECDHE-RSA-AES256-GCM-SHA384\n\n    - ECDHE-ECDSA-CHACHA20-POLY1305\n\n    - ECDHE-RSA-CHACHA20-POLY1305\n\n    - DHE-RSA-AES128-GCM-SHA256\n\n    - DHE-RSA-AES256-GCM-SHA384\n\n  minTLSVersion: VersionTLS12",
+              "description": "intermediate is a TLS profile for use when you do not need compatibility with\nlegacy clients and want to remain highly secure while being compatible with\nmost clients currently in use.\n\nThis profile is equivalent to a Custom profile specified as:\n  minTLSVersion: VersionTLS12\n  ciphers:\n    - TLS_AES_128_GCM_SHA256\n    - TLS_AES_256_GCM_SHA384\n    - TLS_CHACHA20_POLY1305_SHA256\n    - ECDHE-ECDSA-AES128-GCM-SHA256\n    - ECDHE-RSA-AES128-GCM-SHA256\n    - ECDHE-ECDSA-AES256-GCM-SHA384\n    - ECDHE-RSA-AES256-GCM-SHA384\n    - ECDHE-ECDSA-CHACHA20-POLY1305\n    - ECDHE-RSA-CHACHA20-POLY1305",
               "type": "object",
               "nullable": true
             },
             "modern": {
-              "description": "modern is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility\n\nand looks like this (yaml):\n\n  ciphers:\n\n    - TLS_AES_128_GCM_SHA256\n\n    - TLS_AES_256_GCM_SHA384\n\n    - TLS_CHACHA20_POLY1305_SHA256\n\n  minTLSVersion: VersionTLS13",
+              "description": "modern is a TLS security profile for use with clients that support TLS 1.3 and\ndo not need backward compatibility for older clients.\n\nThis profile is equivalent to a Custom profile specified as:\n  minTLSVersion: VersionTLS13\n  ciphers:\n    - TLS_AES_128_GCM_SHA256\n    - TLS_AES_256_GCM_SHA384\n    - TLS_CHACHA20_POLY1305_SHA256",
               "type": "object",
               "nullable": true
             },
             "old": {
-              "description": "old is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility\n\nand looks like this (yaml):\n\n  ciphers:\n\n    - TLS_AES_128_GCM_SHA256\n\n    - TLS_AES_256_GCM_SHA384\n\n    - TLS_CHACHA20_POLY1305_SHA256\n\n    - ECDHE-ECDSA-AES128-GCM-SHA256\n\n    - ECDHE-RSA-AES128-GCM-SHA256\n\n    - ECDHE-ECDSA-AES256-GCM-SHA384\n\n    - ECDHE-RSA-AES256-GCM-SHA384\n\n    - ECDHE-ECDSA-CHACHA20-POLY1305\n\n    - ECDHE-RSA-CHACHA20-POLY1305\n\n    - DHE-RSA-AES128-GCM-SHA256\n\n    - DHE-RSA-AES256-GCM-SHA384\n\n    - DHE-RSA-CHACHA20-POLY1305\n\n    - ECDHE-ECDSA-AES128-SHA256\n\n    - ECDHE-RSA-AES128-SHA256\n\n    - ECDHE-ECDSA-AES128-SHA\n\n    - ECDHE-RSA-AES128-SHA\n\n    - ECDHE-ECDSA-AES256-SHA384\n\n    - ECDHE-RSA-AES256-SHA384\n\n    - ECDHE-ECDSA-AES256-SHA\n\n    - ECDHE-RSA-AES256-SHA\n\n    - DHE-RSA-AES128-SHA256\n\n    - DHE-RSA-AES256-SHA256\n\n    - AES128-GCM-SHA256\n\n    - AES256-GCM-SHA384\n\n    - AES128-SHA256\n\n    - AES256-SHA256\n\n    - AES128-SHA\n\n    - AES256-SHA\n\n    - DES-CBC3-SHA\n\n  minTLSVersion: VersionTLS10",
+              "description": "old is a TLS profile for use when services need to be accessed by very old\nclients or libraries and should be used only as a last resort.\n\nThis profile is equivalent to a Custom profile specified as:\n  minTLSVersion: VersionTLS10\n  ciphers:\n    - TLS_AES_128_GCM_SHA256\n    - TLS_AES_256_GCM_SHA384\n    - TLS_CHACHA20_POLY1305_SHA256\n    - ECDHE-ECDSA-AES128-GCM-SHA256\n    - ECDHE-RSA-AES128-GCM-SHA256\n    - ECDHE-ECDSA-AES256-GCM-SHA384\n    - ECDHE-RSA-AES256-GCM-SHA384\n    - ECDHE-ECDSA-CHACHA20-POLY1305\n    - ECDHE-RSA-CHACHA20-POLY1305\n    - ECDHE-ECDSA-AES128-SHA256\n    - ECDHE-RSA-AES128-SHA256\n    - ECDHE-ECDSA-AES128-SHA\n    - ECDHE-RSA-AES128-SHA\n    - ECDHE-ECDSA-AES256-SHA\n    - ECDHE-RSA-AES256-SHA\n    - AES128-GCM-SHA256\n    - AES256-GCM-SHA384\n    - AES128-SHA256\n    - AES128-SHA\n    - AES256-SHA\n    - DES-CBC3-SHA",
               "type": "object",
               "nullable": true
             },
             "type": {
-              "description": "type is one of Old, Intermediate, Modern or Custom. Custom provides\nthe ability to specify individual TLS security profile parameters.\nOld, Intermediate and Modern are TLS security profiles based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers\nare found to be insecure.  Depending on precisely which ciphers are available to a process, the list may be\nreduced.\n\nNote that the Modern profile is currently not supported because it is not\nyet well adopted by common software libraries.",
+              "description": "type is one of Old, Intermediate, Modern or Custom. Custom provides the\nability to specify individual TLS security profile parameters.\n\nThe profiles are based on version 5.7 of the Mozilla Server Side TLS\nconfiguration guidelines. The cipher lists consist of the configuration's\n\"ciphersuites\" followed by the Go-specific \"ciphers\" from the guidelines.\nSee: https://ssl-config.mozilla.org/guidelines/5.7.json\n\nThe profiles are intent based, so they may change over time as new ciphers are\ndeveloped and existing ciphers are found to be insecure. Depending on\nprecisely which ciphers are available to a process, the list may be reduced.",
               "type": "string",
               "enum": [
                 "Old",
diff --git a/packaging/microshift/config.yaml b/packaging/microshift/config.yaml
@@ -423,161 +423,95 @@ ingress:
         # profile as invalid configurations can be catastrophic. An example custom profile
         # looks like this:
 
+        #   minTLSVersion: VersionTLS11
         #   ciphers:
-
         #     - ECDHE-ECDSA-CHACHA20-POLY1305
-
         #     - ECDHE-RSA-CHACHA20-POLY1305
-
         #     - ECDHE-RSA-AES128-GCM-SHA256
-
         #     - ECDHE-ECDSA-AES128-GCM-SHA256
-
-        #   minTLSVersion: VersionTLS11
         custom:
             # ciphers is used to specify the cipher algorithms that are negotiated
-            # during the TLS handshake.  Operators may remove entries their operands
-            # do not support.  For example, to use DES-CBC3-SHA  (yaml):
+            # during the TLS handshake. Operators may remove entries that their operands
+            # do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):
 
             #   ciphers:
-            #     - DES-CBC3-SHA
+            #     - ECDHE-RSA-AES128-GCM-SHA256
+
+            # TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable
+            # and are always enabled when TLS 1.3 is negotiated.
             ciphers: []
             # minTLSVersion is used to specify the minimal version of the TLS protocol
             # that is negotiated during the TLS handshake. For example, to use TLS
             # versions 1.1, 1.2 and 1.3 (yaml):
 
             #   minTLSVersion: VersionTLS11
-
-            # NOTE: currently the highest minTLSVersion allowed is VersionTLS12
             minTLSVersion: ""
-        # intermediate is a TLS security profile based on:
-
-        # https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
-
-        # and looks like this (yaml):
+        # intermediate is a TLS profile for use when you do not need compatibility with
+        # legacy clients and want to remain highly secure while being compatible with
+        # most clients currently in use.
 
+        # This profile is equivalent to a Custom profile specified as:
+        #   minTLSVersion: VersionTLS12
         #   ciphers:
-
         #     - TLS_AES_128_GCM_SHA256
-
         #     - TLS_AES_256_GCM_SHA384
-
         #     - TLS_CHACHA20_POLY1305_SHA256
-
         #     - ECDHE-ECDSA-AES128-GCM-SHA256
-
         #     - ECDHE-RSA-AES128-GCM-SHA256
-
         #     - ECDHE-ECDSA-AES256-GCM-SHA384
-
         #     - ECDHE-RSA-AES256-GCM-SHA384
-
         #     - ECDHE-ECDSA-CHACHA20-POLY1305
-
         #     - ECDHE-RSA-CHACHA20-POLY1305
-
-        #     - DHE-RSA-AES128-GCM-SHA256
-
-        #     - DHE-RSA-AES256-GCM-SHA384
-
-        #   minTLSVersion: VersionTLS12
         intermediate: {}
-        # modern is a TLS security profile based on:
-
-        # https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
-
-        # and looks like this (yaml):
+        # modern is a TLS security profile for use with clients that support TLS 1.3 and
+        # do not need backward compatibility for older clients.
 
+        # This profile is equivalent to a Custom profile specified as:
+        #   minTLSVersion: VersionTLS13
         #   ciphers:
-
         #     - TLS_AES_128_GCM_SHA256
-
         #     - TLS_AES_256_GCM_SHA384
-
         #     - TLS_CHACHA20_POLY1305_SHA256
-
-        #   minTLSVersion: VersionTLS13
         modern: {}
-        # old is a TLS security profile based on:
-
-        # https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
-
-        # and looks like this (yaml):
+        # old is a TLS profile for use when services need to be accessed by very old
+        # clients or libraries and should be used only as a last resort.
 
+        # This profile is equivalent to a Custom profile specified as:
+        #   minTLSVersion: VersionTLS10
         #   ciphers:
-
         #     - TLS_AES_128_GCM_SHA256
-
         #     - TLS_AES_256_GCM_SHA384
-
         #     - TLS_CHACHA20_POLY1305_SHA256
-
         #     - ECDHE-ECDSA-AES128-GCM-SHA256
-
         #     - ECDHE-RSA-AES128-GCM-SHA256
-
         #     - ECDHE-ECDSA-AES256-GCM-SHA384
-
         #     - ECDHE-RSA-AES256-GCM-SHA384
-
         #     - ECDHE-ECDSA-CHACHA20-POLY1305
-
         #     - ECDHE-RSA-CHACHA20-POLY1305
-
-        #     - DHE-RSA-AES128-GCM-SHA256
-
-        #     - DHE-RSA-AES256-GCM-SHA384
-
-        #     - DHE-RSA-CHACHA20-POLY1305
-
         #     - ECDHE-ECDSA-AES128-SHA256
-
         #     - ECDHE-RSA-AES128-SHA256
-
         #     - ECDHE-ECDSA-AES128-SHA
-
         #     - ECDHE-RSA-AES128-SHA
-
-        #     - ECDHE-ECDSA-AES256-SHA384
-
-        #     - ECDHE-RSA-AES256-SHA384
-
         #     - ECDHE-ECDSA-AES256-SHA
-
         #     - ECDHE-RSA-AES256-SHA
-
-        #     - DHE-RSA-AES128-SHA256
-
-        #     - DHE-RSA-AES256-SHA256
-
         #     - AES128-GCM-SHA256
-
         #     - AES256-GCM-SHA384
-
         #     - AES128-SHA256
-
-        #     - AES256-SHA256
-
         #     - AES128-SHA
-
         #     - AES256-SHA
-
         #     - DES-CBC3-SHA
-
-        #   minTLSVersion: VersionTLS10
         old: {}
-        # type is one of Old, Intermediate, Modern or Custom. Custom provides
-        # the ability to specify individual TLS security profile parameters.
-        # Old, Intermediate and Modern are TLS security profiles based on:
-
-        # https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
+        # type is one of Old, Intermediate, Modern or Custom. Custom provides the
+        # ability to specify individual TLS security profile parameters.
 
-        # The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers
-        # are found to be insecure.  Depending on precisely which ciphers are available to a process, the list may be
-        # reduced.
+        # The profiles are based on version 5.7 of the Mozilla Server Side TLS
+        # configuration guidelines. The cipher lists consist of the configuration's
+        # "ciphersuites" followed by the Go-specific "ciphers" from the guidelines.
+        # See: https://ssl-config.mozilla.org/guidelines/5.7.json
 
-        # Note that the Modern profile is currently not supported because it is not
-        # yet well adopted by common software libraries.
+        # The profiles are intent based, so they may change over time as new ciphers are
+        # developed and existing ciphers are found to be insecure. Depending on
+        # precisely which ciphers are available to a process, the list may be reduced.
         type: ""
     # IngressControllerTuningOptions specifies options for tuning the performance
     # of ingress controller pods
