Cannot set tlsminversion to 1.3 although it supports

[muratzorer]

From docs:

--tlsmaxversion string The maximum SSL/TLS version that is acceptable (one of: 1.0|1.1|1.2|1.3) (default "1.3")
--tlsminversion string The minimum SSL/TLS version that is acceptable (one of: 1.0|1.1|1.2|1.3) (default "1.2")

I need to restrict tls to only 1.3 for argocd-server. I get the following error when try to set "--tlsminversion" to also 1.3

kubectl describe any argocd-server pod:

Readiness probe failed: Get https://172.17.0.7:8080/healthz: remote error: tls: protocol version not supported

To Reproduce (just following lines after fresh install)

$ kubectl patch deploy argocd-server -n argocd -p '[{"op": "add", "path": "/spec/template/spec/containers/0/command/-", "value": "--tlsminversion"}]' --type json
$ kubectl patch deploy argocd-server -n argocd -p '[{"op": "add", "path": "/spec/template/spec/containers/0/command/-", "value": "1.3"}]' --type json

Expected behavior

Should set tlsminversion to 1.3

Version
1.8.1

[jannfis]

Hm, I have no problems running argocd-server workloads with --tlsminversion 1.3.

What version of Kubernetes are you running on? From judging the error message you posted, I believe that it's the readiness probe client that does not support TLS v1.3.

[muratzorer]

Kubernetes version is 1.16.3

[jannfis]

I think K8s 1.16.3 was compiled using Go 1.12.x (at least according to their changelog).

While Go 1.12 added support for TLS v1.3, it seems to be opt-in as specified in golang/go#30055 - so either you need to make your K8s opt-in to use TLS v1.3 also for , upgrade K8s to a later version (compiled using Go 1.13 or above) or use --mintlsversion v1.2 with Argo CD.

This is not a bug in Argo CD in my opinion.