docs: add API Server Cipher Suites changelog

shanduur · shanduur · commit 4396f09c8c82 · 2025-11-27T10:15:01.000+01:00
Add a changelog entry for the API Server Cipher Suites. Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com> (cherry picked from commit 9945cee)
diff --git a/hack/release.toml b/hack/release.toml
@@ -194,6 +194,15 @@ To avoid further issues, Talos will now only create the UEFI boot entry if it do
         description = """\
 The network configuration under `.machine.network` (with the exception of KubeSpan) has been deprecated, but it is still supported for backwards compatibility.
 New configuration documents were created to replace it, they will be documented in the future.
+"""
+
+    [notes.apiserver-cipher-suites]
+        title = "API Server Cipher Suites"
+        description = """\
+The Kubernetes API server in Talos has been updated to use a more secure set of TLS cipher suites by default.
+This is in line with a set of best practices documented in CIS 1.12 benchmark.
+
+You can still expand the list of supported cipher suites via the `cluster.apiServer.extraArgs."tls-cipher-suites"` machine configuration field if needed.
 """
 
 [make_deps]
