fix: Documentation to clarify need for RoleBinding for ArtifactGC #10086

Merged
merged 4 commits into from Nov 21, 2022
2 changes: 2 additions & 0 deletions .spelling
Expand Up @@ -36,6 +36,7 @@ Artifactory
BlackRock
Breitgand
Couler
ClusterRoleBinding
DataDog
Dataflow
DeleteObject
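Review bot: `ClusterRoleBinding` sits after `Couler` in this hunk, which breaks the alphabetical order the neighbouring entries follow (`BlackRock`, `Breitgand`, `Couler`, `DataDog`). Move it ahead of `Couler` so the list stays sorted and later additions are easy to place.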
Expand Down Expand Up @@ -93,6 +94,7 @@ Roadmap
RoleBinding
s3
SDKs
ServiceAccount
Sharding
Singer.io
Snyk
30 changes: 29 additions & 1 deletion docs/walk-through/artifacts.md
Expand Up @@ -209,7 +209,35 @@ spec:
strategy: Never
```

If you do supply your own Service Account you will need to create a RoleBinding that binds it with the new `artifactgc` Role.
If you do supply your own Service Account you will need to create a RoleBinding that binds it with a role like this:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
workflows.argoproj.io/description: |
This is the minimum recommended permissions needed if you want to use artifact GC.
name: artifactgc
rules:
- apiGroups:
- argoproj.io
resources:
- workflowartifactgctasks
verbs:
- list
- watch
- apiGroups:
- argoproj.io
resources:
- workflowartifactgctasks/status
verbs:
- patch
```

This is the `artifactgc` role if you installed using one of the quick-start manifest files. If you installed with the `install.yaml` file for the release then the same permissions are in the `argo-cluster-role`.

If you don't use your own `ServiceAccount` and are just using `default` ServiceAccount, then the role needs a RoleBinding or ClusterRoleBinding to `default` ServiceAccount.

### What happens if Garbage Collection fails?

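Review bot: The closing paragraph's "the role needs a RoleBinding or ClusterRoleBinding to `default` ServiceAccount" should be tightened, because a namespaced `Role` such as `artifactgc` can only be referenced from a RoleBinding; a ClusterRoleBinding only fits the `argo-cluster-role` case from the paragraph before it, and it grants the permissions in every namespace rather than just the workflow's. Binding to `default` also hands the `workflowartifactgctasks` list/watch and `workflowartifactgctasks/status` patch permissions to every pod in the namespace that does not name its own ServiceAccount, so the text should say that or recommend a dedicated ServiceAccount for artifact GC. The section tells readers to create a RoleBinding but only shows the Role; a short RoleBinding manifest beside it would complete the instruction.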
2 changes: 1 addition & 1 deletion workflow/controller/artifact_gc.go
Expand Up @@ -548,7 +548,7 @@ func (woc *wfOperationCtx) processCompletedArtifactGCPod(ctx context.Context, po
strategy := wfv1.ArtifactGCStrategy(strategyStr)

if pod.Status.Phase == corev1.PodFailed {
errMsg := fmt.Sprintf("Artifact Garbage Collection failed for strategy %s, pod %s exited with non-zero exit code", pod.Name, strategy)
errMsg := fmt.Sprintf("Artifact Garbage Collection failed for strategy %s, pod %s exited with non-zero exit code: check pod logs for more information", pod.Name, strategy)
woc.addArtGCCondition(errMsg)
woc.addArtGCEvent(errMsg)
}
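Review bot: The `fmt.Sprintf` arguments are in the opposite order to the verbs in the format string: it reads "strategy %s, pod %s" but the call passes `pod.Name, strategy`, so the condition and event will report the pod name as the strategy and the strategy as the pod name. Since this line is being edited anyway, swap the arguments to `strategy, pod.Name`. The new "check pod logs" hint is only useful if the pod name in the message is the right one.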