How to enable TLS 1.3 for RKE2 ingress-nginx in a Rancher provisioned RKE2 cluster?

• SUSE Rancher 2.9.x, 2.10.x
• OpenSSL version 1.1.1 and above.
• Nginx-ingress version 1.6 and later.
• Rancher provisioned RKE2 cluster.

By default, TLS v1.2 is used in the RKE2 ingress-nginx configuration as per the commit ingress-nginx. However, there could be situations where ingress-nginx needs to be reconfigured to use TLS v1.3. 

1. Login to the Rancher UI, select the desired downstream cluster from Cluster Management. 
2. For the desired downstream cluster, click on More options >> Edit Config >> Additional Manifest and provide the below HelmChartConfig for 'rke2-ingress-nginx' in this section and click on "Save".

3. apiVersion: helm.cattle.io/v1
   kind: HelmChartConfig
   metadata:
     name: rke2-ingress-nginx
     namespace: kube-system
   spec:
     valuesContent: |-
       controller:
         config:
           ssl-protocols: "TLSv1.2 TLSv1.3"

4. Alternatively, this configuration can be provided in the manifest file '/var/lib/rancher/rke2/server/manifests/rke2-ingress-nginx-config.yaml' on each RKE2 server node followed by a 'rke2-server' service restart. 
5. The example above includes TLSv1.2, but TLSv1.3 can be specified to enable only TLSv1.3.
6. The TLS version can be confirmed by running the command below:
   

   # kubectl -n kube-system exec -it rke2-ingress-nginx-controller-xxxx -- /dbg conf|grep -i tls

7. The TLS version can be verified by running a curl command to the service:
   

    # curl -v https://<service_url>