Skip to content

Templates Catalog

Jump to bottom
joshuaaferguson edited this page Apr 25, 2026 · 2 revisions

Templates Catalog

Templates define the containerized applications users can launch as streaming sessions. They live in the streamspace-templates sibling repo, alongside the Dockerfile sources for custom images.

Repository layout

streamspace-templates/
├── images/                  # Dockerfile sources for custom images
│   └── chrome-selkies/      # First custom Selkies-native image
├── selkies/                 # Selkies-native template manifests
│   └── chrome-selkies.yaml
├── browsers/                # Inherited LinuxServer-based templates
├── development/             # Inherited LinuxServer-based templates
├── webtop/                  # Inherited LinuxServer-based templates
├── … (~50 inherited categories)
├── catalog.yaml             # Catalog metadata
└── .github/workflows/
    └── build-images.yml     # Multi-arch build / cosign sign / SBOM

Currently working

The Selkies-only platform supports templates whose spec.streamingProtocol is selkies and whose pod exposes the Selkies endpoint on port 8080.

Template Image Streaming
chrome-selkies ghcr.io/streamspace-dev/chrome-selkies:latest Selkies (WebRTC) on :8080

This image is produced by the build pipeline in streamspace-templates/.github/workflows/build-images.yml — multi-arch (amd64/arm64), cosign-signed, with an SPDX SBOM attestation.

Inherited LinuxServer catalog (migration in progress)

Roughly 195 templates inherited from the LinuxServer.io catalog still ship in subdirectories under browsers/, webtop/, etc. They reference lscr.io/linuxserver/<image> images that use KasmVNC on port 3000 — they do not work end-to-end with the Selkies-only control plane.

These remain in the repo as a reference set for the catalog migration, but they are not currently usable. Replacing them with Selkies-native equivalents (using the same images/ build pipeline) is tracked work — see the project board.

Adding a new image

  1. Create images/<name>/ with a Dockerfile (and entrypoint if needed)
  2. Match the standards in images/README.md:
    • Selkies-GStreamer on port 8080
    • OCI labels with title/description/vendor/source
    • Health check on :8080/
    • Standard env knobs: DISPLAY_SIZEW, DISPLAY_SIZEH, SELKIES_ENCODER, SELKIES_ENABLE_AUDIO, TZ
  3. Add a template manifest under selkies/<name>.yaml:
apiVersion: stream.space/v1alpha1
kind: Template
metadata:
  name: <name>
  namespace: workspaces
spec:
  displayName: <Human Name>
  description: <One-liner>
  category: <category>
  baseImage: ghcr.io/streamspace-dev/<name>:latest
  streamingProtocol: selkies
  defaultResources:
    requests:
      memory: 2Gi
      cpu: 1000m
  ports:
    - name: selkies
      containerPort: 8080
      protocol: TCP
  1. Open a PR — CI will build only the changed image, sign it, and attach an SBOM. Merging to main publishes :latest and :sha-<short>; pushing a vX.Y.Z tag publishes the semver tags.

Verifying a published image

# Confirm signature (keyless, GitHub Actions OIDC)
cosign verify ghcr.io/streamspace-dev/chrome-selkies:latest \
  --certificate-identity-regexp '^https://github.com/streamspace-dev/streamspace-templates/' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

# Inspect SBOM
cosign download attestation ghcr.io/streamspace-dev/chrome-selkies:latest \
  --predicate-type https://spdx.dev/Document

Submission standards

  • Honor the env knobs above so users can resize displays and toggle audio without rebuilding
  • Use a non-root user inside the container
  • Don't bake credentials or org-specific config into the image
  • Pin upstream base image versions (e.g. selkies-gstreamer:24.04, not :latest)

See the repo's CONTRIBUTING.md for the full submission workflow.

Clone this wiki locally