argoproj · Joibel · May 22, 2025 · Apr 30, 2025
diff --git a/Dockerfile b/Dockerfile
@@ -109,8 +109,6 @@ USER 8737
 
 WORKDIR /home/argo
 
-# Temporary workaround for https://github.com/grpc/grpc-go/issues/434
-ENV GRPC_ENFORCE_ALPN_ENABLED=false
 COPY hack/ssh_known_hosts /etc/ssh/
 COPY hack/nsswitch.conf /etc/
 COPY --from=argocli-build /go/src/github.com/argoproj/argo-workflows/dist/argo /bin/

diff --git a/docs/argo-server.md b/docs/argo-server.md
@@ -178,7 +178,3 @@ Argo Server by default rate limits to 1000 per IP per minute, you can configure
 * `X-Rate-Limit-Remaining` - the number of requests left for the current rate-limit window.
 * `X-Rate-Limit-Reset` - the time at which the rate limit resets, specified in UTC time.
 * `Retry-After` - indicate when a client should retry requests (when the rate limit expires), in UTC time.
-
-### GRPC ALPN
-
-The grpc library wants to enforce ALPN, but we are not prepared for this so the argo-server binary is built with `GRPC_ENFORCE_ALPN_ENABLED` set to `false` in the docker image as a short term workaround, as documented in https://github.com/grpc/grpc-go/issues/434
diff --git a/util/tls/tls.go b/util/tls/tls.go
@@ -125,6 +125,7 @@ func GenerateX509KeyPairTLSConfig(tlsMinVersion uint16) (*tls.Config, error) {
 		Certificates:       []tls.Certificate{*cer},
 		MinVersion:         uint16(tlsMinVersion),
 		InsecureSkipVerify: true,
+		NextProtos:         []string{"h2"},
 	}, nil
 }
 
@@ -147,5 +148,6 @@ func GetServerTLSConfigFromSecret(ctx context.Context, kubectlConfig kubernetes.
 	return &tls.Config{
 		Certificates: []tls.Certificate{cert},
 		MinVersion:   uint16(tlsMinVersion),
+		NextProtos:   []string{"h2"},
 	}, nil
 }