apache · boscard · Jun 13, 2025 · Jun 13, 2025 · Jul 11, 2025
diff --git a/charts/apisix/README.md b/charts/apisix/README.md
@@ -121,6 +121,7 @@ The command removes all the Kubernetes components associated with the chart and
 | apisix.ssl.enabled | bool | `false` |  |
 | apisix.ssl.existingCASecret | string | `""` | Specifies the name of Secret contains trusted CA certificates in the PEM format used to verify the certificate when APISIX needs to do SSL/TLS handshaking with external services (e.g. etcd) |
 | apisix.ssl.fallbackSNI | string | `""` | Define SNI to fallback if none is presented by client |
+| apisix.ssl.sslCiphers | list | `["ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384","DHE-RSA-CHACHA20-POLY1305","ECDHE-ECDSA-AES128-SHA256","ECDHE-RSA-AES128-SHA256","ECDHE-ECDSA-AES128-SHA","ECDHE-RSA-AES128-SHA","ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384","ECDHE-ECDSA-AES256-SHA","ECDHE-RSA-AES256-SHA","DHE-RSA-AES128-SHA256","DHE-RSA-AES256-SHA256","AES128-GCM-SHA256","AES256-GCM-SHA384","AES128-SHA256","AES256-SHA256","AES128-SHA","AES256-SHA"]` | TLS ciphers enabled |
 | apisix.ssl.sslProtocols | string | `"TLSv1.2 TLSv1.3"` | TLS protocols allowed to use. |
 | apisix.stream_plugins | list | `[]` | Customize the list of APISIX stream_plugins to enable. By default, APISIX's default stream_plugins are automatically used. See [config-default.yaml](https://github.com/apache/apisix/blob/master/conf/config-default.yaml) |
 | apisix.vault.enabled | bool | `false` | Enable or disable the vault integration |

diff --git a/charts/apisix/templates/configmap.yaml b/charts/apisix/templates/configmap.yaml
@@ -162,7 +162,7 @@ data:
           {{- toYaml . | nindent 10}}
           {{- end }}
         ssl_protocols: {{ .Values.apisix.ssl.sslProtocols | quote }}
-        ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
+        ssl_ciphers: {{ join ":" .Values.apisix.ssl.sslCiphers | quote }}
         {{- if and .Values.apisix.ssl.enabled .Values.apisix.ssl.existingCASecret }}
         ssl_trusted_certificate: "/usr/local/apisix/conf/ssl/{{ .Values.apisix.ssl.certCAFilename }}"
         {{- end }}

diff --git a/charts/apisix/values.yaml b/charts/apisix/values.yaml
@@ -320,6 +320,33 @@ apisix:
     enableHTTP3: false
     # -- TLS protocols allowed to use.
     sslProtocols: "TLSv1.2 TLSv1.3"
+    # -- TLS ciphers enabled
+    sslCiphers:
+      - "ECDHE-ECDSA-AES128-GCM-SHA256"
+      - "ECDHE-RSA-AES128-GCM-SHA256"
+      - "ECDHE-ECDSA-AES256-GCM-SHA384"
+      - "ECDHE-RSA-AES256-GCM-SHA384"
+      - "ECDHE-ECDSA-CHACHA20-POLY1305"
+      - "ECDHE-RSA-CHACHA20-POLY1305"
+      - "DHE-RSA-AES128-GCM-SHA256"
+      - "DHE-RSA-AES256-GCM-SHA384"
+      - "DHE-RSA-CHACHA20-POLY1305"
+      - "ECDHE-ECDSA-AES128-SHA256"
+      - "ECDHE-RSA-AES128-SHA256"
+      - "ECDHE-ECDSA-AES128-SHA"
+      - "ECDHE-RSA-AES128-SHA"
+      - "ECDHE-ECDSA-AES256-SHA384"
+      - "ECDHE-RSA-AES256-SHA384"
+      - "ECDHE-ECDSA-AES256-SHA"
+      - "ECDHE-RSA-AES256-SHA"
+      - "DHE-RSA-AES128-SHA256"
+      - "DHE-RSA-AES256-SHA256"
+      - "AES128-GCM-SHA256"
+      - "AES256-GCM-SHA384"
+      - "AES128-SHA256"
+      - "AES256-SHA256"
+      - "AES128-SHA"
+      - "AES256-SHA"
     # -- Define SNI to fallback if none is presented by client
     fallbackSNI: ""