If the spec.tlsSecurityProfile.type is "Custom" and spec.tlsSecurityProfile.type.custom.minTLSVersion is VersionTLS13, then setting the spec.tlsSecurityProfile.type.custom.ciphers must be empty.

Any create or update request of the HyperConverged CR that is trying to customize the ciphers when the minTLSVersion is VersionTLS13, must be rejected.

If possible, use CEL in the CRD to implement. If not, add thie logic to the validating webhook.