update TLS profile document of the Metal3 stack

This commit updates:

- TLS profile of Ironic/IPA
- TLS profile of etcd

Signed-off-by: Adam Rozman <adam.rozman@est.tech>

security/tls-1.3.md

@@ -52,11 +52,13 @@ TLS version is not configurable with flags.
 For Ironic, it should be noted that:
 
 - Ironic external endpoints are secured, while pod-internal traffic is not.
-  `httpd` (Apache) handles TLS termination.
+  `httpd` (Apache) handles TLS termination. Between the `http proxy` and Ironic
+  the communication happens via UNIX socket.
 - IPA image serving from `httpd` port `6180` might be insecure due to PXE
-  limitations (to be verified)
+  limitations unless TLS enabled PXE firmware is used.
 - Node image server is deployment specific. IPA client accessing the image
-  server is limited to TLS 1.2 (see Oslo below)
+  is able to support TLS 1.3, the process is facilitated via
+  the third party request [library](https://pypi.org/project/requests/) .
 
 Ports:
 
@@ -70,8 +72,10 @@ Ironic endpoints support setting minimum and maximum TLS versions.
 
 More info:
 
-- [OSLO library does not support](https://docs.openstack.org/oslo.service/latest/configuration/index.html#ssl.version)
-  TLS newer than 1.2 yet, TLS 1.3 support is planned
+- [OSLO library](https://docs.openstack.org/oslo.service/latest/configuration/index.html#ssl.version)
+  officially does not mention TLS 1.3 support but by default TLS 1.2 and
+  TLS 1.3 are enabled with auto negotiation ability thus TLS 1.3 is supported
+  but can't be enforced.
 - [IPA TLS configuration documentation](https://docs.openstack.org//ironic-python-agent/latest/doc-ironic-python-agent.pdf)
 
 ### CAPI
@@ -140,13 +144,13 @@ TLS version is not configurable with flags.
 **etcd**:
 
 For etcd, TLS 1.3 support was
-[contributed by EST](https://github.com/etcd-io/etcd/pull/15156) and is expected
-to be in the next patch release of etcd 3.5.x (estimated March 2023). Etcd
-versions from `3.5.0` to `3.5.7` have hardcoded TLS 1.2 version. Some versions
-of etcd `3.4.x` have support for TLS 1.3 as they lack this hardcoding of TLS
-version, and using new enough Golang enables TLS 1.3 for them.
-
-`etcd` will support setting minimum and maximum TLS version in the next release.
+[contributed by EST](https://github.com/etcd-io/etcd/pull/15156) and was added
+to the 3.5.8 (April 13 2023). Etcd versions from `3.5.0` to `3.5.7` have
+hardcoded TLS 1.2 version. Some versions of etcd `3.4.x` have support for
+TLS 1.3 as they lack this hardcoding of TLS version, and using new enough
+Golang enables TLS 1.3 for them. TLS 1.3 can be explicitly enabled starting
+from `3.4.25` in case of `3.4.x` series are used or starting from `3.5.8` in
+case `3.5.x` series is used.
 
 - Port `2379`: TLS 1.2
 - Port `2380`: TLS 1.2
@@ -212,8 +216,12 @@ hinder developer experience. Development environment is not for production use.
 
 TLS 1.3 is well supported in Metal3 ecosystem, with two exceptions:
 
-- `etcd` where TLS 1.3 support is coming in the next release
-- Ironic, where the Oslo library is not supporting TLS 1.3 (discussion on-going)
+- Ironic Python Agent (IPA), where the Oslo library is not
+  supporting TLS 1.3 officially but because of implementation characteristics
+  of `oslo.service` and the nature of Python 3 (up to 3.12) TLS 1.3 and 1.2
+  auto-negotiation is enabled by default but TLS 1.3 exclusive connection can't
+  be enforced.
 
-However, not all projects fully support configuration of TLS versions in case
-TLS 1.3 would need to be enforced as the only supported TLS version.
+As of 29.1.2024 TLS 1.3 is supported everywhere in the whole stack, but there
+are API endpoints in Ironic (pod internal) and IPA where TLS 1.3 can't be
+exclusively enforced instead there is TLS 1.3 - 1.2 auto-negotiation.