internal/envoy: Allow TLSv1.3 for xDS connection.

[tsaarni]

This change sets the maximum TLS version to TLSv1.3 in the Envoy bootstrap config for the xDS connection. It means that TLSv1.3 will be selected from now on, since Contour already accepts TLSv1.3. This change will also make it easier to enforce TLSv1.3-only policy at some later point in time.

Previously Envoy defaulted to TLSv1.2 for the xDS connection.

Updates #3518

Signed-off-by: Tero Saarni [email protected]

[tsaarni]

xref #4065 (comment)

[codecov]

Codecov Report

Merging #4081 (2f0b454) into main (db9e15d) will increase coverage by 0.01%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main    #4081      +/-   ##
==========================================
+ Coverage   75.36%   75.38%   +0.01%     
==========================================
  Files         111      111              
  Lines        9407     9413       +6     
==========================================
+ Hits         7090     7096       +6     
  Misses       2167     2167              
  Partials      150      150              

Impacted Files	Coverage Δ
internal/envoy/v3/bootstrap.go	92.12% <100.00%> (+0.22%)	⬆️

[tsaarni]

Some background for reviewers:

Normally TLS implementations will have TLSv1.3 enabled by default, but Envoy currently caps the max version to TLSv1.2 at the client end due to retry related corner cases that might happen when proxying envoyproxy/envoy#9300. I believe that this is not a valid concern for the xDS gRPC client, but since we never changed the default in bootstrap config, it practically prevented automatic negotiation with TLSv1.3.

[skriss]

LGTM, makes sense as a step forward.

[skriss]

Will need to get rebased and get a changelog added to pass the new changelog checks.

[tsaarni]

I immediately confused minor and small when creating the changelog file :-D
I think this should be small.