From cfc0557de18cfaa0edb18ab492f59f2eb80b62b2 Mon Sep 17 00:00:00 2001
From: Simon Behar
Date: Thu, 1 Apr 2021 09:36:44 -0700
Subject: [PATCH 1/2] fix: Switch InsecureSkipVerify to true

Signed-off-by: Simon Behar
---
 cmd/argo/commands/server.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/argo/commands/server.go b/cmd/argo/commands/server.go
index 39b0d5864d28..1cc4fb193f0e 100644
--- a/cmd/argo/commands/server.go
+++ b/cmd/argo/commands/server.go
@@ -100,7 +100,7 @@ See %s`, help.ArgoSever),
 }
 tlsConfig = &tls.Config{
 Certificates: []tls.Certificate{cer},
- InsecureSkipVerify: false, // InsecureSkipVerify will not impact the TLS listener. It is needed for the server to speak to itself for GRPC.
+ InsecureSkipVerify: true,
 MinVersion: uint16(tlsMinVersion),
 }
 } else {
From 0c909a5dce42563aeb0a744a9ec8bdda225bebf6 Mon Sep 17 00:00:00 2001
From: Simon Behar
Date: Thu, 1 Apr 2021 09:46:31 -0700
Subject: [PATCH 2/2] Revert "fix(server): Disable CN check (Go 15 does not support). Fixes #5539 (#5550)"

This reverts commit 20f00470e8177a89afd0676cedcfb8dac39b34de.
---
 server/apiserver/argoserver.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/server/apiserver/argoserver.go b/server/apiserver/argoserver.go
index 7206cfc4e88f..16c73ba5c293 100644
--- a/server/apiserver/argoserver.go
+++ b/server/apiserver/argoserver.go
@@ -16,6 +16,7 @@ import (
 "github.com/soheilhy/cmux"
 "golang.org/x/net/context"
 "google.golang.org/grpc"
+ "google.golang.org/grpc/credentials"
 "k8s.io/apimachinery/pkg/util/wait"
 "k8s.io/client-go/rest"
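Review bot: The new `InsecureSkipVerify: true` line in the `tls.Config` literal of cmd/argo/commands/server.go drops the comment that explained the setting, so the file now carries an unexplained verification bypass. The field only affects client-side use of a config, which agrees with the removed comment's statement that the listener is not impacted, but any code that dials with this config will accept whatever certificate the peer presents. I would keep a why-comment on the line, e.g. `InsecureSkipVerify: true, // client-side only: used when the server dials its own listener; the TLS listener ignores it`, and consider building a separate client config so the bypass cannot reach other callers of `tlsConfig`. The enclosing function starts and ends outside the hunk.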
@@ -271,8 +272,13 @@ func (as *argoServer) newHTTPServer(ctx context.Context, port int, artifactServe
 }
 dialOpts := []grpc.DialOption{
 grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(MaxGRPCMessageSize)),
- grpc.WithInsecure(),
 }
+ if as.tlsConfig != nil {
+ dialOpts = append(dialOpts, grpc.WithTransportCredentials(credentials.NewTLS(as.tlsConfig)))
+ } else {
+ dialOpts = append(dialOpts, grpc.WithInsecure())
+ }
+
 webhookInterceptor := webhook.Interceptor(as.clients.Kubernetes)
 // HTTP 1.1+JSON Server
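Review bot: The added `credentials.NewTLS(as.tlsConfig)` dial reuses the listener's config, so the gateway's loopback gRPC client inherits whatever verification setting that config carries. If it is the config built in cmd/argo/commands/server.go (patch 1/2 sets `InsecureSkipVerify: true` there), the hop is encrypted but the peer is never authenticated. A dedicated client config that pins the peer to the server's own leaf certificate would keep the CN/SAN workaround without accepting arbitrary certificates. The sketch below assumes the certificate is held in `as.tlsConfig.Certificates` rather than supplied through `GetCertificate`, and it needs `bytes`, `errors` and `crypto/x509` imported. newHTTPServer's body starts and ends outside the hunk.

```go
if as.tlsConfig != nil {
	clientTLS := as.tlsConfig.Clone()
	// Chain and hostname checks stay off for the loopback dial, so pin the
	// peer to the exact leaf certificate this server was started with.
	clientTLS.InsecureSkipVerify = true
	clientTLS.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		own := as.tlsConfig.Certificates
		if len(rawCerts) == 0 || len(own) == 0 || len(own[0].Certificate) == 0 ||
			!bytes.Equal(rawCerts[0], own[0].Certificate[0]) {
			return errors.New("loopback gRPC peer did not present the server's own certificate")
		}
		return nil
	}
	dialOpts = append(dialOpts, grpc.WithTransportCredentials(credentials.NewTLS(clientTLS)))
} else {
	// … unchanged: grpc.WithInsecure() fallback …
}
```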