-
Notifications
You must be signed in to change notification settings - Fork 2
Project Overview
StreamSpace is an open-source platform for streaming containerized GUI applications to a web browser. Users pick a template (e.g. Google Chrome, a full Linux desktop), the platform spins up a container, and the user interacts with it through the browser over WebRTC.
A central Control Plane (REST + WebSocket API, plus a React UI) orchestrates Agents that run on target infrastructure. Today there is a Kubernetes Agent and a Docker Agent. A user's session is a containerized application running on whichever platform the agent manages.
Browser ───────────────────► Control Plane (API + UI)
│
│ Agent WebSocket Hub
▼
Agent (K8s or Docker)
│
▼
Session pod / container
↑ Selkies on :8080
Browser ◄──────────WebRTC over /api/v1/http/ proxy
Streaming is Selkies-GStreamer (WebRTC) end-to-end. The control plane exposes an authenticated reverse proxy at /api/v1/http/<session-id>/ that forwards to the session pod's Selkies endpoint on port 8080. Once the WebRTC peer connection is established, media flows browser↔pod directly via the data channel; the proxy's job is signaling and authentication.
The earlier VNC code path was removed in April 2026. There is no longer a separate VNC proxy or noVNC viewer.
- Control Plane API — Go (Gin). Auth, session orchestration, agent coordination, Selkies proxy, multi-tenancy.
- K8s Agent — Go. Manages Session/Template CRDs, deploys session pods, reports lifecycle. Leader election for HA.
- Docker Agent — Go. Equivalent for Docker hosts. HA via file/Redis/Swarm backends.
- Web UI — React + TypeScript + Material-UI. Real-time agent monitoring, admin dashboard, session viewer.
- Helm chart — production deployment for Kubernetes.
Container image sources for session workloads live in streamspace-templates/images/. The pipeline produces images, signs them with cosign keyless, and attaches SPDX SBOM attestations. Each image declares its supported platforms via images/<name>/PLATFORMS (defaults to linux/amd64,linux/arm64 when absent).
Currently published:
-
ghcr.io/streamspace-dev/chrome-selkies:latest— Google Chrome streamed via Selkies-GStreamer (linux/amd64; arm64 blocked on upstream Selkies binaries)
The Selkies-native catalog (Firefox, VS Code, full desktops) builds on the same pipeline pattern.
- Multi-tenancy — org-scoped access control, JWT claims, cross-tenant prevention
- Authentication — local accounts, SSO (SAML 2.0, OIDC, OAuth2), MFA (TOTP)
- Audit logging — comprehensive event log with compliance reporting
- Observability — Grafana dashboards, Prometheus alerts, structured logging with trace IDs
- Network controls — TLS-enforced ingress, network policies between session pods, IP allow-listing, rate limiting
The platform is under active rebuild after retiring the previous multi-clone dev workflow; see Roadmap-and-Releases for what's in flight. Coverage targets are tracked in the project board, not pinned in this wiki.
- High-level user guides — this wiki
- Contributor reference —
docs/in the main repo - Frozen architectural snapshots —
docs/historical/ - Architecture decision records —
docs/design/architecture/