Argo Executor Plugin Demo

This repository demonstrates how to use Executor Plugins in Argo Workflows. It includes:

• Kustomize manifests to deploy Argo Workflow Controller with plugins enabled.
• Python-based plugin implementations.
• Example workflows for different types of plugins.
• Dockerfiles for building plugin images.

Repository Structure

Here is an overview of the main folders in this repository:

• manifests/ – Kubernetes manifests for deploying Argo Workflows and Executor Plugins.

  • vanilla/ – Vanilla Argo installation with a split Workflow Controller. Used as a base setup.
  • base/ – the base configuration for deploying Argo Workflow Controller with Executor Plugins enabled.
  • plugins/ – Manifests for the Executor Plugin examples:
    • executor-plugin-simple/ – Minimal plugin example without ServiceAccount or token checks.
    • executor-plugin-secured-access-to-pod/ – Plugin that verifies tokens to restrict pod access.
    • executor-plugin-with-sa-mounted/ – Plugin using a mounted ServiceAccount for Kubernetes API access.

• plugins/ – Python source code for the plugins.

  • src/list-pods-plugin/ – Lists all pods in the namespace (requires a ServiceAccount mounted for Kubernetes API access).
  • src/print-message-plugin/ – prints a message parameter.
  • src/secured-access-plugin/ – verifies access token before running.

• workflows/ – Example Argo Workflows using each plugin.

• Dockerfiles – Build plugin images:

  • Dockerfile.list_pods_plugin
  • Dockerfile.print_message_plugin
  • Dockerfile.secured_access_plugin

Getting Started

⚠️ Demo/example only, not production-ready. This guide shows how to run the Argo Executor Plugin demo on a local Kubernetes cluster (tested on Minikube). Step 0: Install Minikube – follow the official instructions for your OS.

Step 1: Start Minikube – launch a local Kubernetes cluster for testing.

minikube start

Step 2: Build plugin Docker images – before deploying the plugins build their images locally.

docker build -f Dockerfile.list_pods_plugin -t list-pods-plugin:latest . 
docker build -f Dockerfile.print_message_plugin -t print-message-plugin:latest .
docker build -f Dockerfile.secured_access_plugin -t secured-access-plugin:latest .

Load the Docker images into the Minikube cluster so Argo can use them:

minikube image load list-pods-plugin:latest
minikube image load print-message-plugin:latest 
minikube image load secured-access-plugin:latest

Step 3: Create Argo namespace – create a separate namespace to isolate Argo resources.

kubectl create ns argo

Remember to use -n argo to run workflows in the correct namespace

Step 4: Apply Argo manifests with Executor Plugin enabled – deploy Argo Workflow Controller with Executor Plugins enabled, along with plugin manifests.

kubectl -n argo apply -k manifests/base/
kubectl -n argo wait --for=condition=Ready pod -l app=workflow-controller --timeout=120s

Install Argo CLI – to run Argo commands (submit, list, etc.), you need the Argo CLI installed.
Follow the official installation guide: Argo CLI

Launch example Argo Workflows – run workflows to test each plugin.

• Simple Plugin – minimal plugin without security or ServiceAccount integration.

argo submit -n argo workflows/steps-simple-plugin.yaml

• Secured Access Plugin – plugin that verifies tokens to restrict pod access.

argo submit -n argo workflows/steps-secured-access-plugin.yaml

• Plugin with Mounted ServiceAccount – plugin using a mounted ServiceAccount for API access.

argo submit -n argo workflows/steps-list-pods-plugin.yaml

You can check the status of workflows in the argo namespace:

argo list -n argo