fix(kubernetes): kube env permissions when down [EE-5427] (#10327)

api/http/handler/endpoints/endpoint_inspect.go

@@ -4,7 +4,6 @@ import (
 	"net/http"
 
 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/utils"
 	"github.com/portainer/portainer/api/internal/endpointutils"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
@@ -79,8 +78,8 @@ func (handler *Handler) endpointInspect(w http.ResponseWriter, r *http.Request)
 		}
 	}
 
-	// Run the pending actions
-	utils.RunPendingActions(endpoint, handler.DataStore, handler.AuthorizationService)
+	// Execute endpoint pending actions
+	handler.PendingActionsService.Execute(endpoint.ID)
 
 	return response.JSON(w, endpoint)
 }

api/http/handler/endpoints/endpoint_list_test.go

@@ -196,7 +196,7 @@ func setupEndpointListHandler(t *testing.T, endpoints []portainer.Endpoint) *Han
 	handler := NewHandler(bouncer, nil)
 	handler.DataStore = store
 	handler.ComposeStackManager = testhelpers.NewComposeStackManager()
-	handler.SnapshotService, _ = snapshot.NewService("1s", store, nil, nil, nil)
+	handler.SnapshotService, _ = snapshot.NewService("1s", store, nil, nil, nil, nil)
 
 	return handler
 }

api/http/handler/endpoints/endpoint_update.go

@@ -12,6 +12,7 @@ import (
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
+	"github.com/rs/zerolog/log"
 )
 
 type endpointUpdatePayload struct {
@@ -264,7 +265,12 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 		if endpoint.Type == portainer.KubernetesLocalEnvironment || endpoint.Type == portainer.AgentOnKubernetesEnvironment || endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment {
 			err = handler.AuthorizationService.CleanNAPWithOverridePolicies(handler.DataStore, endpoint, nil)
 			if err != nil {
-				return httperror.InternalServerError("Unable to update user authorizations", err)
+				handler.PendingActionsService.Create(portainer.PendingActions{
+					EndpointID: endpoint.ID,
+					Action:     "CleanNAPWithOverridePolicies",
+					ActionData: nil,
+				})
+				log.Warn().Err(err).Msgf("Unable to clean NAP with override policies for endpoint (%d). Will try to update when endpoint is online.", endpoint.ID)
 			}
 		}
 	}

api/http/handler/endpoints/handler.go

@@ -10,6 +10,7 @@ import (
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
 	"github.com/portainer/portainer/api/kubernetes/cli"
+	"github.com/portainer/portainer/api/pendingactions"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 
 	"github.com/gorilla/mux"
@@ -25,18 +26,19 @@ func hideFields(endpoint *portainer.Endpoint) {
 // Handler is the HTTP handler used to handle environment(endpoint) operations.
 type Handler struct {
 	*mux.Router
-	requestBouncer       security.BouncerService
-	demoService          *demo.Service
-	DataStore            dataservices.DataStore
-	FileService          portainer.FileService
-	ProxyManager         *proxy.Manager
-	ReverseTunnelService portainer.ReverseTunnelService
-	SnapshotService      portainer.SnapshotService
-	K8sClientFactory     *cli.ClientFactory
-	ComposeStackManager  portainer.ComposeStackManager
-	AuthorizationService *authorization.Service
-	BindAddress          string
-	BindAddressHTTPS     string
+	requestBouncer        security.BouncerService
+	demoService           *demo.Service
+	DataStore             dataservices.DataStore
+	FileService           portainer.FileService
+	ProxyManager          *proxy.Manager
+	ReverseTunnelService  portainer.ReverseTunnelService
+	SnapshotService       portainer.SnapshotService
+	K8sClientFactory      *cli.ClientFactory
+	ComposeStackManager   portainer.ComposeStackManager
+	AuthorizationService  *authorization.Service
+	BindAddress           string
+	BindAddressHTTPS      string
+	PendingActionsService *pendingactions.PendingActionsService
 }
 
 // NewHandler creates a handler to manage environment(endpoint) operations.