From 7d06d6d4bd8f881e2f554946790e6a747760450f Mon Sep 17 00:00:00 2001
From: Julie Vogelmani
Date: Mon, 21 Nov 2022 08:51:35 -0800
Subject: [PATCH 1/4] docs: clarify need to bind ServiceAccount to role for artifactgc
Signed-off-by: Julie Vogelmani
---
 docs/walk-through/artifacts.md | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/docs/walk-through/artifacts.md b/docs/walk-through/artifacts.md
index eda9c99bffee..318b09d82303 100644
--- a/docs/walk-through/artifacts.md
+++ b/docs/walk-through/artifacts.md
@@ -209,7 +209,34 @@ spec:
 strategy: Never
 ```
-If you do supply your own Service Account you will need to create a RoleBinding that binds it with the new `artifactgc` Role.
+If you do supply your own Service Account you will need to create a RoleBinding that binds it with a role like this:
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ annotations:
+ workflows.argoproj.io/description: |
+ This is the minimum recommended permissions needed if you want to use artifact GC.
+ name: artifactgc
+rules:
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflowartifactgctasks
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflowartifactgctasks/status
+ verbs:
+ - patch
+```
+
+This is the `artifactgc` role if you installed using one of the quick-start manifest files. If you installed with the install.yaml file for the release then the same permissions are in the `argo-cluster-role`.
+
+If you don't use your own `ServiceAccount` and are just using `default` ServiceAccount, then the role needs a RoleBinding or ClusterRoleBinding to `default` ServiceAccount.
 ### What happens if Garbage Collection fails?
From f239c63a9499efd9da44cc1512a2a7d0c6aa1c74 Mon Sep 17 00:00:00 2001
From: Julie Vogelmani
Date: Mon, 21 Nov 2022 08:55:39 -0800
Subject: [PATCH 2/4] feat: improve error message on Workflow
Signed-off-by: Julie Vogelmani
---
 workflow/controller/artifact_gc.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/workflow/controller/artifact_gc.go b/workflow/controller/artifact_gc.go
index 5f76ea37887f..8a044d6cfa91 100644
--- a/workflow/controller/artifact_gc.go
+++ b/workflow/controller/artifact_gc.go
@@ -548,7 +548,7 @@ func (woc *wfOperationCtx) processCompletedArtifactGCPod(ctx context.Context, po
 strategy := wfv1.ArtifactGCStrategy(strategyStr)
 if pod.Status.Phase == corev1.PodFailed {
- errMsg := fmt.Sprintf("Artifact Garbage Collection failed for strategy %s, pod %s exited with non-zero exit code", pod.Name, strategy)
+ errMsg := fmt.Sprintf("Artifact Garbage Collection failed for strategy %s, pod %s exited with non-zero exit code: check pod logs for more information", pod.Name, strategy)
 woc.addArtGCCondition(errMsg)
 woc.addArtGCEvent(errMsg)
 }
From 1dd8cd98fefb3d48a07dedc1ae9295c1c5cef7f6 Mon Sep 17 00:00:00 2001
From: Julie Vogelmani
Date: Mon, 21 Nov 2022 08:59:39 -0800
Subject: [PATCH 3/4] fix: make docs
Signed-off-by: Julie Vogelmani
---
 .spelling | 2 ++
 docs/walk-through/artifacts.md | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/.spelling b/.spelling
index c009b517fabf..4cd7c36dc69e 100644
--- a/.spelling
+++ b/.spelling
@@ -36,6 +36,7 @@ Artifactory
 BlackRock
 Breitgand
 Couler
+ClusterRoleBinding
 DataDog
 Dataflow
 DeleteObject
@@ -93,6 +94,7 @@ Roadmap
 RoleBinding
 s3
 SDKs
+ServiceAccount
 Sharding
 Singer.io
 Snyk
diff --git a/docs/walk-through/artifacts.md b/docs/walk-through/artifacts.md
index 318b09d82303..82c12b412a30 100644
--- a/docs/walk-through/artifacts.md
+++ b/docs/walk-through/artifacts.md
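Review bot: The two `%s` verbs in the reworded `fmt.Sprintf` are still fed in the wrong order: the format string reads `strategy %s, pod %s` but the arguments are `pod.Name, strategy`, so the condition and event passed to `addArtGCCondition` and `addArtGCEvent` name the pod as the strategy and the strategy as the pod. Because the new text sends the operator to the pod logs, the pod name in the message has to be the right one; swap the arguments to `strategy, pod.Name`. The mismatch predates this commit (the removed line has it too), and `processCompletedArtifactGCPod` begins and ends outside the hunk, so whether other messages in it share the ordering is not visible here.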
@@ -234,7 +234,7 @@ rules:
 - patch
 ```
-This is the `artifactgc` role if you installed using one of the quick-start manifest files. If you installed with the install.yaml file for the release then the same permissions are in the `argo-cluster-role`.
+This is the `artifactgc` role if you installed using one of the quick-start manifest files. If you installed with the `install.yaml` file for the release then the same permissions are in the `argo-cluster-role`.
 If you don't use your own `ServiceAccount` and are just using `default` ServiceAccount, then the role needs a RoleBinding or ClusterRoleBinding to `default` ServiceAccount.
From 68544399edc330646f749ac825e2ea93b1319458 Mon Sep 17 00:00:00 2001
From: Julie Vogelmani
Date: Mon, 21 Nov 2022 09:32:23 -0800
Subject: [PATCH 4/4] fix: make docs
Signed-off-by: Julie Vogelmani
---
 docs/walk-through/artifacts.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/docs/walk-through/artifacts.md b/docs/walk-through/artifacts.md
index 82c12b412a30..52367aaeaa53 100644
--- a/docs/walk-through/artifacts.md
+++ b/docs/walk-through/artifacts.md
@@ -210,6 +210,7 @@ spec:
 ```
 If you do supply your own Service Account you will need to create a RoleBinding that binds it with a role like this:
+
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role