Description
On Calico v3.31.3, when exclusively using TLS 1.3 ciphers via the TLSCipherSuites field on the Installation resource:

```yaml
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  tlsCipherSuites:
  - name: TLS_AES_256_GCM_SHA384
  - name: TLS_CHACHA20_POLY1305_SHA256
  - name: TLS_AES_128_GCM_SHA256
```

It was found that the API server would fail to start up properly, yielding the following error (formatting adjusted):
```
time=2026-01-21T10:31:31Z
level=error
msg=Error running API server:
error configuring http2:
http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher
(need at least one of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
func=github.com/projectcalico/calico/apiserver/cmd/apiserver/server.RunServer.func3
file=/go/src/github.com/projectcalico/calico/apiserver/cmd/apiserver/server/run_server.go:108
```
I believe the issue lies here: https://github.com/projectcalico/calico/blob/master/apiserver/cmd/apiserver/server/options.go#L132. It seems the minimum version for TLS is hardcoded at 1.2. This causes the server to perform some validation checks for ciphers needed for HTTP/2 regardless of what ciphers were set.
Ideally, there's a field or environment variable available that lets us specify what TLS version we want to use. If it's possible to provide that option, that would be great. Otherwise, an explanation on why TLS 1.2 has to be set would be good as well.
Thank you!
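The behaviour described in the report comes from Go's HTTP/2 server setup (the same check lives in golang.org/x/net/http2 and in the copy bundled into net/http): when `tls.Config.CipherSuites` is non-nil and `MinVersion` is below TLS 1.3, it requires one of the two ECDHE AES-128-GCM suites and otherwise refuses to start. The program below is an added example written for this page, not Calico's or the operator's code. It reproduces the reporter's suite list with the standard library's `net/http`, assumes nothing about the Calico API server beyond the error text shown above, and uses a self-signed certificate constructed inline so it runs offline: with `MinVersion: tls.VersionTLS12` the server refuses to start with the quoted error; with only `MinVersion` raised to TLS 1.3 the same suite list is accepted and a client negotiates HTTP/2 over TLS 1.3.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"time"
)

// reportedSuites is the Installation.spec.tlsCipherSuites list from the report
// as Go cipher-suite IDs: TLS 1.3 suites only, no TLS 1.2 ECDHE/AES-128-GCM suite.
var reportedSuites = []uint16{
	tls.TLS_AES_256_GCM_SHA384,
	tls.TLS_CHACHA20_POLY1305_SHA256,
	tls.TLS_AES_128_GCM_SHA256,
}

// reportedConfig reproduces the failing combination: that suite list with
// MinVersion pinned to TLS 1.2, the hardcoded value the report points at.
func reportedConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12, CipherSuites: reportedSuites}
}

// tls13OnlyConfig keeps the same suite list and only raises MinVersion.
// crypto/tls does not consult CipherSuites for TLS 1.3, so the list is inert here.
func tls13OnlyConfig(cert tls.Certificate) *tls.Config {
	cfg := reportedConfig(cert)
	cfg.MinVersion = tls.VersionTLS13
	return cfg
}

// selfSignedCert builds a throwaway ECDSA certificate for 127.0.0.1
// (constructed for this example only) so the handshake works offline.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "http2 cipher-check example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, IsCA: true, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

func versionName(v uint16) string {
	switch v {
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

// probe serves cfg with net/http and issues one HTTPS request. It returns the
// handler's "<proto> over <version>" reply, or the error ServeTLS reported when
// it refused to start (the http2 cipher check runs before any Accept).
func probe(cfg *tls.Config, pool *x509.CertPool) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	srv := &http.Server{TLSConfig: cfg, Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "%s over %s", r.Proto, versionName(r.TLS.Version))
	})}
	serveErr := make(chan error, 1)
	go func() {
		err := srv.ServeTLS(ln, "", "") // empty paths: the cert comes from cfg.Certificates
		ln.Close()                      // frees a client stuck in the handshake if ServeTLS bailed out
		serveErr <- err
	}()
	defer srv.Close()
	client := &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{
		TLSClientConfig:   &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS13},
		ForceAttemptHTTP2: true, // required for h2 once TLSClientConfig is customised
	}}
	resp, err := client.Get("https://" + ln.Addr().String() + "/")
	if err != nil {
		select { // prefer the server's own reason over the client-side connection error
		case serr := <-serveErr:
			if serr != nil && serr != http.ErrServerClosed {
				return "", serr
			}
		case <-time.After(time.Second):
		}
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	cert, pool, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	_, err = probe(reportedConfig(cert), pool)
	fmt.Println("MinVersion 1.2 + TLS 1.3 suites:", err)
	body, err := probe(tls13OnlyConfig(cert), pool)
	fmt.Println("MinVersion 1.3 + same suites:", body, err)
}
```

The first probe fails with the exact message from the report; the second succeeds with the identical suite list, which is why raising the minimum version (rather than adding a TLS 1.2 suite) is the configuration the reporter is asking for. The trade-off a maintainer would weigh is that a TLS 1.3-only API server drops any client that can only speak TLS 1.2.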