Comment 4 for bug 1970993

Nobuto Murata (nobuto) wrote :

Can we do the same for the k8s-control-plane charm? The cipher list can technically be hardened using "api-extra-args", but it would be nice if it were hardened out of the box.

[default]

> Testing cipher categories
>
> NULL ciphers (no encryption) not offered (OK)
> Anonymous NULL Ciphers (no authentication) not offered (OK)
> Export ciphers (w/o ADH+NULL) not offered (OK)
> LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK)
> Triple DES Ciphers / IDEA offered
> Obsoleted CBC ciphers (AES, ARIA etc.) offered
> Strong encryption (AEAD ciphers) with no FS offered (OK)
> Forward Secrecy strong encryption (AEAD ciphers) offered (OK)

[with explicit list]

$ juju config -m k8s-on-openstack kubernetes-control-plane api-extra-args
tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

> Testing cipher categories
>
> NULL ciphers (no encryption) not offered (OK)
> Anonymous NULL Ciphers (no authentication) not offered (OK)
> Export ciphers (w/o ADH+NULL) not offered (OK)
> LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK)
> Triple DES Ciphers / IDEA not offered
> Obsoleted CBC ciphers (AES, ARIA etc.) not offered
> Strong encryption (AEAD ciphers) with no FS not offered
> Forward Secrecy strong encryption (AEAD ciphers) offered (OK)