Create plugin catalog

Open joaquimrocha opened this issue 1 year ago • 2 comments

Now that we have the Headlamp Plugin package format in ArtifactHub, we should have a way to display those plugins in Headlamp (desktop version only) so users can install them. This means essentially having a plugin catalog, like we have an Apps catalog.

Details TBD.

joaquimrocha avatar Jan 12 '24 15:01 joaquimrocha

In the meantime, how do people find plugins? Do you know of any open one (that is not in this repo), or is it too early?

remram44 avatar Feb 19 '24 16:02 remram44

Hi @remram44, we have the official plugins we ship with Headlamp, besides the examples in this repo.

joaquimrocha avatar Feb 19 '24 16:02 joaquimrocha

@yolossn We need to add support for signing packages as well. Did you already look into how this is done with artifacthub?

illume avatar Jul 10 '24 06:07 illume

Is there a way to limit it to verified/signed plugins by default? I guess we should do that. (maybe official too?)

Also...

What about adding a "Did you mean?" confirmation dialog at the electron side for if the download is not verified/signed/official?

illume avatar Jul 10 '24 06:07 illume

> @yolossn We need to add support for signing packages as well. Did you already look into how this is done with artifacthub?

Sorry I didn't get what you are referring to here. How is signing packages related to the plugin catalog?

yolossn avatar Jul 10 '24 08:07 yolossn

> Is there a way to limit it to verified/signed plugins by default? I guess we should do that. (maybe official too?)

We already show verified plugin badges in the UI, if this is required we can make it a plugin setting.

yolossn avatar Jul 10 '24 08:07 yolossn

> What about adding a "Did you mean?" confirmation dialog at the electron side for if the download is not verified/signed/official?

This will be a big change at this point as the handlers in electron side don't have the metadata related to the plugin.

yolossn avatar Jul 10 '24 08:07 yolossn

> > Is there a way to limit it to verified/signed plugins by default? I guess we should do that. (maybe official too?)

> We already show verified plugin badges in the UI, if this is required we can make it a plugin setting.

We should show only verified plugins by default (we can add a setting for showing all, in the plugin settings area). This should be easy to do, please check with @vyncent-t since he's done that for the helm catalog. This is about giving a bit more assurance about what users are installing.

joaquimrocha avatar Jul 10 '24 08:07 joaquimrocha

@joaquimrocha I checked the app catalog plugin and there also only badges are shown, I will add the settings.

yolossn avatar Jul 10 '24 09:07 yolossn

> > @yolossn We need to add support for signing packages as well. Did you already look into how this is done with artifacthub?

> Sorry I didn't get what you are referring to here. How is signing packages related to the plugin catalog?

image

Artifacts on hub can be signed (in a per type way). So this ^ badge is shown.

Also:

  • before installing a package we can verify the signature
  • we can make sure plugins updated on the artifact hub are still being signed by the same people

illume avatar Jul 10 '24 09:07 illume

Trying to summarize what I think from discussion with @joaquimrocha a bit earlier...

About "official" plugins. According to the Artifact Hub definition they can be official if they are blessed so by the owners of that thing. So a Google Cloud plugin would be official if Google says it is. More details here: https://artifacthub.io/docs/topics/repositories/#official-status

IMHO:

  • we should only show official+verified plugins by default, and warn if it's not an official plugin. Ideally this warning should be electron side... but maybe elsewhere in the UI for now is fine.
  • we should show plugins from our plugins/ repo by default, even if they are not official (yet). Because we vet them ourselves. This could be a hard coded list to start with.

signed plugins

I agree with a suggestion @joaquimrocha made about not blocking this before we merge this in a release. We do need to think through signed packages, and the security implications, a bit more. Also to see what other defenses we implement in the end, if they would be sufficient. If we find a good reason why it's insecure without signing plugins... then we should rethink blocking on signed plugins. Also we have to learn what's best to do with signing, and we can do that with our other ongoing tasks signing the helm package and our other headlamp release artifacts.

illume avatar Jul 10 '24 11:07 illume
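
The default-listing policy and the signer check discussed in the comments above, sketched as an added example that is not Headlamp or Artifact Hub code. The record fields (`official`, `signed`, `repository.verified_publisher`), the `signer` identity, the repository name `headlamp-plugins` and the decision strings are all assumptions made for illustration.

```javascript
// Added example, not Headlamp or Artifact Hub code. Field names on `pkg` are
// assumptions modelled on an Artifact Hub package record.

// Hypothetical hard-coded allowlist of repositories the Headlamp team vets.
const VETTED_REPOS = new Set(['headlamp-plugins']);

// Decide whether a package is listed by default and which warnings to show.
function catalogDecision(pkg, { showAll = false } = {}) {
  const repo = pkg.repository || {};
  const verified = Boolean(repo.verified_publisher);
  const official = Boolean(pkg.official || repo.official);
  const vetted = VETTED_REPOS.has(repo.name);
  const warnings = [];
  if (!vetted && !official) warnings.push('not-official');
  if (!vetted && !verified) warnings.push('publisher-not-verified');
  if (!pkg.signed) warnings.push('unsigned');
  return { visible: showAll || vetted || (verified && official), warnings };
}

// Update check: compare the signer recorded at install time with the signer of
// the update. `signer` is a hypothetical identity (e.g. a key fingerprint);
// the page does not settle on a signing scheme.
function updateDecision(installed, update) {
  if (!installed.signer) {
    return update.signer ? 'confirm-new-signer' : 'allow-unsigned';
  }
  if (!update.signer) return 'block-signature-dropped';
  return update.signer === installed.signer ? 'allow' : 'block-signer-changed';
}

// Constructed sample records (not real Artifact Hub data).
const SAMPLE = [
  { name: 'vetted-plugin', signed: false,
    repository: { name: 'headlamp-plugins', verified_publisher: false } },
  { name: 'vendor-plugin', signed: true, official: true,
    repository: { name: 'vendor', verified_publisher: true } },
  { name: 'community-plugin', signed: false,
    repository: { name: 'community', verified_publisher: true } },
];

// Names listed in the catalog under the given settings.
function listCatalog(pkgs, opts) {
  return pkgs.filter(p => catalogDecision(p, opts).visible).map(p => p.name);
}

console.log(listCatalog(SAMPLE));
console.log(catalogDecision(SAMPLE[2], { showAll: true }).warnings);
```
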

Reminds me, we need documentation for how to publish a plugin. It might be a good idea to test that documentation by giving the task to someone to follow it with one of our existing plugins.

illume avatar Jul 10 '24 12:07 illume

@yolossn I just made a PR for plugin-management things, can you please review? https://github.com/headlamp-k8s/headlamp/pull/2152

illume avatar Jul 11 '24 07:07 illume

> Reminds me, we need documentation for how to publish a plugin. It might be a good idea to test that documentation by giving the task to someone to follow it with one of our existing plugins.

@yolossn what do you think about abstracting the artifacthub publishing into a headlamp-plugin publish command? Currently it seems we need to make an artifacthub-pkg.yml file in the root. Here's the prometheus/artifacthub-pkg.yml

A benefit of hiding the implementation details is that we could control it better. Allowing us to program the publish command to do what we like. Keeping all the config inside package.json without duplicating the metadata would be one benefit. One thing we might want to do is publish to npm as well/instead in the future.

illume avatar Jul 11 '24 09:07 illume

On the topic of plugin settings... we discussed this issue a bit in a few places including in the PR

  • https://github.com/headlamp-k8s/plugins/pull/35

But also in the weekly meeting about maybe presenting it to some designers for their input.

@sniok wrote

> Does "Plugin Catalog -> Installed" only list plugins that were installed using "Plugin Catalog -> Catalog"? Because I have for example kompose plugin in ~/.config/Headlamp/plugins but it doesn't show up on that list. I guess it's a bit confusing to have two different lists that are supposedly both "list of plugins you have", one in "Settings -> Plugins" and another in "Plugin Catalog -> Installed"

@yolossn wrote

> > I guess it's a bit confusing to have two different lists that are supposedly both "list of plugins you have", one in "Settings -> Plugins" and another in "Plugin Catalog -> Installed"

> Plugin catalog only displays the plugins that are managed by plugin catalog, this is because we need extra meta information about the plugin to map it to the plugin in artifacthub and support further updates etc. It is kind of similar to play store in android phone, the play store only displays the apps installed from the play store and the plugin settings is like the phone settings where we can see all the apps.

illume avatar Jul 25 '24 10:07 illume

I have just merged the plugin-catalog plugin. 🥳

joaquimrocha avatar Jul 25 '24 13:07 joaquimrocha