fix: don't necessarily include all artifacts from templates in node outputs

[juliev0]

The fact that it's being listed in the NodeStatus is causing ArtifactGC to attempt to delete it (and fail doing so).

Fixes: #12845

Motivation

If an Artifact file didn't get written, it shouldn't be in the outputs for the TaskResult (and thus the Outputs for the Node) just because it was listed as an Artifact in the Workflow.

Modifications

Only if the Artifact file is successfully written does the wait container include it as one of the Output Artifacts in its WorkflowTaskResult. The Workflow Controller uses that WorkflowTaskResult information to populate the NodeStatus of the Workflow. This is the information that ArtifactGC uses to determine what needs to be deleted.

Verification

The person who submitted the Issue tested the image I made, and it repeatedly worked to solve his issue of ArtifactGC failing. (Note it also prevented his other artifacts from getting deleted, because the failed deletion preempted the other deletions from being attempted (as @agilgur5 pointed out, this could be another improvement, to continue the deletion process independent of failure)).

I did start to create an e2e test for this issue. But it seems that with minio, I can't repeat the same failure using the "main" branch. It seems that attempting to delete an artifact which doesn't exist doesn't result in a failure for some reason.

[juliev0]

instead of updating this directly, create a new list of the artifacts that we actually saved and return that

[Garett-MacGowan]

LGTM. So before we were using the we.Template.Outputs.Artifacts to pass to ReportOutputs but now we are creating a fresh wfv1.Artifacts object that will only include the successfully saved artifacts. This makes sense.

[agilgur5]

Hmmm I do see a small issue here, but I think this already existed beforehand:
If the wait container is interrupted during this loop, some artifacts may save to S3 (etc) but not be reported

But since adding artifacts to Outputs.Artifacts wouldn't report them until the very end anyway, I think this doesn't change any existing behavior

[juliev0]

If the wait container is interrupted during this loop, some artifacts may save to S3 (etc) but not be reported

How do you mean it wouldn't be reported? Since the background context is passed into both SaveArtifacts() and ReportOutputs() below, I believe all of that logic is still supposed to be executed. Is there something different you're referring to besides the context being cancelled?

[agilgur5]

If the loop is long or the container is otherwise non-gracefully terminated, the request context won't matter.

Also realized that saving artifacts can be parallelized here to reduce that chance and improve throughput (related: #12442). Similarly pre-existing logic though.

[Garett-MacGowan]

LGTM

[Garett-MacGowan]

LGTM. So before we were using the we.Template.Outputs.Artifacts to pass to ReportOutputs but now we are creating a fresh wfv1.Artifacts object that will only include the successfully saved artifacts. This makes sense.

[agilgur5]

(as @agilgur5 pointed out, this could be another improvement, to continue the deletion process independent of failure)

I was thinking about this and it will probably be fixed by parallel artifact GC (#11768), as that inherently has to process each artifact independently.

Vaguely related to this, I was wondering if creating more WorkflowTaskResults, e.g. child results, might help with some of these races, i.e. via create-only immutable records of progress. Particularly it could resolve a security issue with malicious Workflows as mentioned in #12783 (comment) as the Executor would then only need create permissions, and not patch.

[juliev0]

was previously trying to avoid intermittent test failures due to the workflow itself failing when it shouldn't - but now there's a Workflow which fails in here so this is how I'm allowing that one to be failed

[agilgur5]

Mostly LGTM. I left a few style comments on the tests, one suggestion for the test case, and a question on the saving + reporting. Still learning my way around the artifacts part of the codebase

[agilgur5]

hmm to ensure that GC works in the presence of a missing artifact, should we make the Workflow have a normal, successful artifact as well? i.e. the same case as the bug report; some successful artifacts, some unsuccessful

in this current test case, GC doesn't run at all, right?

[juliev0]

Okay, I've modified the test Workflow so that it also successfully saves an artifact file and garbage collects it. Had to update the test to look for artifact keys names that are auto-generated.

[agilgur5]

Hmmm I do see a small issue here, but I think this already existed beforehand:
If the wait container is interrupted during this loop, some artifacts may save to S3 (etc) but not be reported

But since adding artifacts to Outputs.Artifacts wouldn't report them until the very end anyway, I think this doesn't change any existing behavior