fix: Documentation to clarify need for RoleBinding for ArtifactGC (#1…

…0086) Signed-off-by: Julie Vogelmani <julie_vogelman@intuit.com>
argoproj · Nov 21, 2022 · ab09448 · ab09448
1 parent 2380c2f
commit ab09448
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 2 deletions.
diff --git a/.spelling b/.spelling
@@ -36,6 +36,7 @@ Artifactory
 BlackRock
 Breitgand
 Couler
+ClusterRoleBinding
 DataDog
 Dataflow
 DeleteObject
@@ -93,6 +94,7 @@ Roadmap
 RoleBinding
 s3
 SDKs
+ServiceAccount
 Sharding
 Singer.io
 Snyk

diff --git a/docs/walk-through/artifacts.md b/docs/walk-through/artifacts.md
@@ -209,7 +209,35 @@ spec:
               strategy: Never
 ```
 
-If you do supply your own Service Account you will need to create a RoleBinding that binds it with the new `artifactgc` Role.
+If you do supply your own Service Account you will need to create a RoleBinding that binds it with a role like this:
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    workflows.argoproj.io/description: |
+      This is the minimum recommended permissions needed if you want to use artifact GC.
+  name: artifactgc
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflowartifactgctasks
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflowartifactgctasks/status
+  verbs:
+  - patch
+```
+
+This is the `artifactgc` role if you installed using one of the quick-start manifest files. If you installed with the `install.yaml` file for the release then the same permissions are in the `argo-cluster-role`.
+
+If you don't use your own `ServiceAccount` and are just using `default` ServiceAccount, then the role needs a RoleBinding or ClusterRoleBinding to `default` ServiceAccount.
 
 ### What happens if Garbage Collection fails?
 

diff --git a/workflow/controller/artifact_gc.go b/workflow/controller/artifact_gc.go
@@ -548,7 +548,7 @@ func (woc *wfOperationCtx) processCompletedArtifactGCPod(ctx context.Context, po
 	strategy := wfv1.ArtifactGCStrategy(strategyStr)
 
 	if pod.Status.Phase == corev1.PodFailed {
-		errMsg := fmt.Sprintf("Artifact Garbage Collection failed for strategy %s, pod %s exited with non-zero exit code", pod.Name, strategy)
+		errMsg := fmt.Sprintf("Artifact Garbage Collection failed for strategy %s, pod %s exited with non-zero exit code: check pod logs for more information", pod.Name, strategy)
 		woc.addArtGCCondition(errMsg)
 		woc.addArtGCEvent(errMsg)
 	}