feat(app): rework private registries and support private registries in kubernetes EE-30 (#5131)

* feat(app): rework private registries and support private registries in kubernetes [EE-30] feat(api): backport private registries backend changes (#5072) * feat(api/bolt): backport bolt changes * feat(api/exec): backport exec changes * feat(api/http): backport http/handler/dockerhub changes * feat(api/http): backport http/handler/endpoints changes * feat(api/http): backport http/handler/registries changes * feat(api/http): backport http/handler/stacks changes * feat(api/http): backport http/handler changes * feat(api/http): backport http/proxy/factory/azure changes * feat(api/http): backport http/proxy/factory/docker changes * feat(api/http): backport http/proxy/factory/utils changes * feat(api/http): backport http/proxy/factory/kubernetes changes * feat(api/http): backport http/proxy/factory changes * feat(api/http): backport http/security changes * feat(api/http): backport http changes * feat(api/internal): backport internal changes * feat(api): backport api changes * feat(api/kubernetes): backport kubernetes changes * fix(api/http): changes on backend following backport feat(app): backport private registries frontend changes (#5056) * feat(app/docker): backport docker/components changes * feat(app/docker): backport docker/helpers changes * feat(app/docker): backport docker/views/container changes * feat(app/docker): backport docker/views/images changes * feat(app/docker): backport docker/views/registries changes * feat(app/docker): backport docker/views/services changes * feat(app/docker): backport docker changes * feat(app/kubernetes): backport kubernetes/components changes * feat(app/kubernetes): backport kubernetes/converters changes * feat(app/kubernetes): backport kubernetes/models changes * feat(app/kubernetes): backport kubernetes/registries changes * feat(app/kubernetes): backport kubernetes/services changes * feat(app/kubernetes): backport kubernetes/views/applications changes * feat(app/kubernetes): backport kubernetes/views/configurations changes * feat(app/kubernetes): backport kubernetes/views/configure changes * feat(app/kubernetes): backport kubernetes/views/resource-pools changes * feat(app/kubernetes): backport kubernetes/views changes * feat(app/portainer): backport portainer/components/accessManagement changes * feat(app/portainer): backport portainer/components/datatables changes * feat(app/portainer): backport portainer/components/forms changes * feat(app/portainer): backport portainer/components/registry-details changes * feat(app/portainer): backport portainer/models changes * feat(app/portainer): backport portainer/rest changes * feat(app/portainer): backport portainer/services changes * feat(app/portainer): backport portainer/views changes * feat(app/portainer): backport portainer changes * feat(app): backport app changes * config(project): gitignore + jsconfig changes gitignore all files under api/cmd/portainer but main.go and enable Code Editor autocomplete on import ... from '@/...' fix(app): fix pull rate limit checker fix(app/registries): sidebar menus and registry accesses users filtering fix(api): add missing kube client factory fix(kube): fetch dockerhub pull limits (#5133) fix(app): pre review fixes (#5142) * fix(app/registries): remove checkbox for endpointRegistries view * fix(endpoints): allow access to default namespace * fix(docker): fetch pull limits * fix(kube/ns): show selected registries for non admin Co-authored-by: Chaim Lev-Ari <chiptus@gmail.com> chore(webpack): ignore missing sourcemaps fix(registries): fetch registry config from url feat(kube/registries): ignore not found when deleting secret feat(db): move migration to db 31 fix(registries): fix bugs in PR EE-869 (#5169) * fix(registries): hide role * fix(endpoints): set empty access policy to edge endpoint * fix(registry): remove double arguments * fix(admin): ignore warning * feat(kube/configurations): tag registry secrets (#5157) * feat(kube/configurations): tag registry secrets * feat(kube/secrets): show registry secrets for admins * fix(registries): move dockerhub to beginning * refactor(registries): use endpoint scoped registries feat(registries): filter by namespace if supplied feat(access-managment): filter users for registry (#5191) * refactor(access-manage): move users selector to component * feat(access-managment): filter users for registry refactor(registries): sync code with CE (#5200) * refactor(registry): add inspect handler under endpoints * refactor(endpoint): sync endpoint_registries_list * refactor(endpoints): sync registry_access * fix(db): rename migration functions * fix(registries): show accesses for admin * fix(kube): set token on transport * refactor(kube): move secret help to bottom * fix(kuberentes): remove shouldLog parameter * style(auth): add description of security.IsAdmin * feat(security): allow admin access to registry * feat(edge): connect to edge endpoint when creating client * style(portainer): change deprecation version * refactor(sidebar): hide manage * refactor(containers): revert changes * style(container): remove whitespace * fix(endpoint): add handler to registy on endpointService * refactor(image): use endpointService.registries * fix(kueb/namespaces): rename resource pool to namespace * fix(kube/namespace): move selected registries * fix(api/registries): hide accesses on registry creation Co-authored-by: LP B <xAt0mZ@users.noreply.github.com> refactor(api): remove code duplication after rebase fix(app/registries): replace last registry api usage by endpoint registry api fix(api/endpoints): update registry access policies on endpoint deletion (#5226) [EE-1027] fix(db): update db version * fix(dockerhub): fetch rate limits * fix(registry/tests): supply restricred context * fix(registries): show proget registry only when selected * fix(registry): create dockerhub registry * feat(db): move migrations to db 32 Co-authored-by: Chaim Lev-Ari <chiptus@gmail.com>
2025-07-24 15:59:41 +02:00 · 2021-07-14 11:15:21 +02:00 · 2021-07-14 11:15:21 +02:00 · 179df06267
commit 179df06267
parent 0f5407da40
175 changed files with 3757 additions and 2544 deletions
--- a/api/http/proxy/factory/docker/access_control.go
+++ b/api/http/proxy/factory/docker/access_control.go
@ -7,7 +7,7 @@ import (

 	"github.com/portainer/portainer/api/internal/stackutils"

-	"github.com/portainer/portainer/api/http/proxy/factory/responseutils"
+	"github.com/portainer/portainer/api/http/proxy/factory/utils"
 	"github.com/portainer/portainer/api/internal/authorization"

 	portainer "github.com/portainer/portainer/api"
@ -162,7 +162,7 @@ func (transport *Transport) applyAccessControlOnResource(parameters *resourceOpe
 		systemResourceControl := findSystemNetworkResourceControl(responseObject)
 		if systemResourceControl != nil {
 			responseObject = decorateObject(responseObject, systemResourceControl)
-			return responseutils.RewriteResponse(response, responseObject, http.StatusOK)
+			return utils.RewriteResponse(response, responseObject, http.StatusOK)
 		}
 	}

@ -175,15 +175,15 @@ func (transport *Transport) applyAccessControlOnResource(parameters *resourceOpe
 	}

 	if resourceControl == nil && (executor.operationContext.isAdmin) {
-		return responseutils.RewriteResponse(response, responseObject, http.StatusOK)
+		return utils.RewriteResponse(response, responseObject, http.StatusOK)
 	}

 	if executor.operationContext.isAdmin || (resourceControl != nil && authorization.UserCanAccessResource(executor.operationContext.userID, executor.operationContext.userTeamIDs, resourceControl)) {
 		responseObject = decorateObject(responseObject, resourceControl)
-		return responseutils.RewriteResponse(response, responseObject, http.StatusOK)
+		return utils.RewriteResponse(response, responseObject, http.StatusOK)
 	}

-	return responseutils.RewriteAccessDeniedResponse(response)
+	return utils.RewriteAccessDeniedResponse(response)
 }

 func (transport *Transport) applyAccessControlOnResourceList(parameters *resourceOperationParameters, resourceData []interface{}, executor *operationExecutor) ([]interface{}, error) {
--- a/api/http/proxy/factory/docker/configs.go
+++ b/api/http/proxy/factory/docker/configs.go
@ -7,7 +7,7 @@ import (
 	"github.com/docker/docker/client"

 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/proxy/factory/responseutils"
+	"github.com/portainer/portainer/api/http/proxy/factory/utils"
 	"github.com/portainer/portainer/api/internal/authorization"
 )

@ -34,7 +34,7 @@ func getInheritedResourceControlFromConfigLabels(dockerClient *client.Client, en
 func (transport *Transport) configListOperation(response *http.Response, executor *operationExecutor) error {
 	// ConfigList response is a JSON array
 	// https://docs.docker.com/engine/api/v1.30/#operation/ConfigList
-	responseArray, err := responseutils.GetResponseAsJSONArray(response)
+	responseArray, err := utils.GetResponseAsJSONArray(response)
 	if err != nil {
 		return err
 	}
@ -50,7 +50,7 @@ func (transport *Transport) configListOperation(response *http.Response, executo
 		return err
 	}

-	return responseutils.RewriteResponse(response, responseArray, http.StatusOK)
+	return utils.RewriteResponse(response, responseArray, http.StatusOK)
 }

 // configInspectOperation extracts the response as a JSON object, verify that the user
@ -58,7 +58,7 @@ func (transport *Transport) configListOperation(response *http.Response, executo
 func (transport *Transport) configInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// ConfigInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.30/#operation/ConfigInspect
-	responseObject, err := responseutils.GetResponseAsJSONObject(response)
+	responseObject, err := utils.GetResponseAsJSONObject(response)
 	if err != nil {
 		return err
 	}
@ -78,9 +78,9 @@ func (transport *Transport) configInspectOperation(response *http.Response, exec
 // https://docs.docker.com/engine/api/v1.37/#operation/ConfigList
 // https://docs.docker.com/engine/api/v1.37/#operation/ConfigInspect
 func selectorConfigLabels(responseObject map[string]interface{}) map[string]interface{} {
-	secretSpec := responseutils.GetJSONObject(responseObject, "Spec")
+	secretSpec := utils.GetJSONObject(responseObject, "Spec")
 	if secretSpec != nil {
-		secretLabelsObject := responseutils.GetJSONObject(secretSpec, "Labels")
+		secretLabelsObject := utils.GetJSONObject(secretSpec, "Labels")
 		return secretLabelsObject
 	}
 	return nil
--- a/api/http/proxy/factory/docker/containers.go
+++ b/api/http/proxy/factory/docker/containers.go
@ -10,7 +10,7 @@ import (

 	"github.com/docker/docker/client"
 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/proxy/factory/responseutils"
+	"github.com/portainer/portainer/api/http/proxy/factory/utils"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
 )
@ -46,7 +46,7 @@ func getInheritedResourceControlFromContainerLabels(dockerClient *client.Client,
 func (transport *Transport) containerListOperation(response *http.Response, executor *operationExecutor) error {
 	// ContainerList response is a JSON array
 	// https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
-	responseArray, err := responseutils.GetResponseAsJSONArray(response)
+	responseArray, err := utils.GetResponseAsJSONArray(response)
 	if err != nil {
 		return err
 	}
@ -69,7 +69,7 @@ func (transport *Transport) containerListOperation(response *http.Response, exec
 		}
 	}

-	return responseutils.RewriteResponse(response, responseArray, http.StatusOK)
+	return utils.RewriteResponse(response, responseArray, http.StatusOK)
 }

 // containerInspectOperation extracts the response as a JSON object, verify that the user
@ -77,7 +77,7 @@ func (transport *Transport) containerListOperation(response *http.Response, exec
 func (transport *Transport) containerInspectOperation(response *http.Response, executor *operationExecutor) error {
 	//ContainerInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/ContainerInspect
-	responseObject, err := responseutils.GetResponseAsJSONObject(response)
+	responseObject, err := utils.GetResponseAsJSONObject(response)
 	if err != nil {
 		return err
 	}
@ -96,9 +96,9 @@ func (transport *Transport) containerInspectOperation(response *http.Response, e
 // Labels are available under the "Config.Labels" property.
 // API schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ContainerInspect
 func selectorContainerLabelsFromContainerInspectOperation(responseObject map[string]interface{}) map[string]interface{} {
-	containerConfigObject := responseutils.GetJSONObject(responseObject, "Config")
+	containerConfigObject := utils.GetJSONObject(responseObject, "Config")
 	if containerConfigObject != nil {
-		containerLabelsObject := responseutils.GetJSONObject(containerConfigObject, "Labels")
+		containerLabelsObject := utils.GetJSONObject(containerConfigObject, "Labels")
 		return containerLabelsObject
 	}
 	return nil
@ -109,7 +109,7 @@ func selectorContainerLabelsFromContainerInspectOperation(responseObject map[str
 // Labels are available under the "Labels" property.
 // API schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
 func selectorContainerLabelsFromContainerListOperation(responseObject map[string]interface{}) map[string]interface{} {
-	containerLabelsObject := responseutils.GetJSONObject(responseObject, "Labels")
+	containerLabelsObject := utils.GetJSONObject(responseObject, "Labels")
 	return containerLabelsObject
 }

--- a/api/http/proxy/factory/docker/networks.go
+++ b/api/http/proxy/factory/docker/networks.go
@ -10,7 +10,7 @@ import (

 	"github.com/docker/docker/client"

-	"github.com/portainer/portainer/api/http/proxy/factory/responseutils"
+	"github.com/portainer/portainer/api/http/proxy/factory/utils"
 	"github.com/portainer/portainer/api/internal/authorization"
 )

@ -38,7 +38,7 @@ func getInheritedResourceControlFromNetworkLabels(dockerClient *client.Client, e
 func (transport *Transport) networkListOperation(response *http.Response, executor *operationExecutor) error {
 	// NetworkList response is a JSON array
 	// https://docs.docker.com/engine/api/v1.28/#operation/NetworkList
-	responseArray, err := responseutils.GetResponseAsJSONArray(response)
+	responseArray, err := utils.GetResponseAsJSONArray(response)
 	if err != nil {
 		return err
 	}
@ -54,7 +54,7 @@ func (transport *Transport) networkListOperation(response *http.Response, execut
 		return err
 	}

-	return responseutils.RewriteResponse(response, responseArray, http.StatusOK)
+	return utils.RewriteResponse(response, responseArray, http.StatusOK)
 }

 // networkInspectOperation extracts the response as a JSON object, verify that the user
@ -62,7 +62,7 @@ func (transport *Transport) networkListOperation(response *http.Response, execut
 func (transport *Transport) networkInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// NetworkInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/NetworkInspect
-	responseObject, err := responseutils.GetResponseAsJSONObject(response)
+	responseObject, err := utils.GetResponseAsJSONObject(response)
 	if err != nil {
 		return err
 	}
@ -99,5 +99,5 @@ func findSystemNetworkResourceControl(networkObject map[string]interface{}) *por
 // https://docs.docker.com/engine/api/v1.28/#operation/NetworkInspect
 // https://docs.docker.com/engine/api/v1.28/#operation/NetworkList
 func selectorNetworkLabels(responseObject map[string]interface{}) map[string]interface{} {
-	return responseutils.GetJSONObject(responseObject, "Labels")
+	return utils.GetJSONObject(responseObject, "Labels")
 }
--- a/api/http/proxy/factory/docker/registry.go
+++ b/api/http/proxy/factory/docker/registry.go
@ -1,39 +1,43 @@
 package docker

 import (
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/security"
 )

 type (
 	registryAccessContext struct {
 		isAdmin         bool
-		userID          portainer.UserID
+		user            *portainer.User
+		endpointID      portainer.EndpointID
 		teamMemberships []portainer.TeamMembership
 		registries      []portainer.Registry
-		dockerHub       *portainer.DockerHub
 	}
+
 	registryAuthenticationHeader struct {
 		Username      string `json:"username"`
 		Password      string `json:"password"`
 		Serveraddress string `json:"serveraddress"`
 	}
+
+	portainerRegistryAuthenticationHeader struct {
+		RegistryId portainer.RegistryID `json:"registryId"`
+	}
 )

-func createRegistryAuthenticationHeader(serverAddress string, accessContext *registryAccessContext) *registryAuthenticationHeader {
+func createRegistryAuthenticationHeader(registryId portainer.RegistryID, accessContext *registryAccessContext) *registryAuthenticationHeader {
 	var authenticationHeader *registryAuthenticationHeader

-	if serverAddress == "" {
+	if registryId == 0 { // dockerhub (anonymous)
 		authenticationHeader = &registryAuthenticationHeader{
-			Username:      accessContext.dockerHub.Username,
-			Password:      accessContext.dockerHub.Password,
 			Serveraddress: "docker.io",
 		}
-	} else {
+	} else { // any "custom" registry
 		var matchingRegistry *portainer.Registry
 		for _, registry := range accessContext.registries {
-			if registry.URL == serverAddress &&
-				(accessContext.isAdmin || (!accessContext.isAdmin && security.AuthorizedRegistryAccess(&registry, accessContext.userID, accessContext.teamMemberships))) {
+			if registry.ID == registryId &&
+				(accessContext.isAdmin ||
+					security.AuthorizedRegistryAccess(&registry, accessContext.user, accessContext.teamMemberships, accessContext.endpointID)) {
 				matchingRegistry = &registry
 				break
 			}
--- a/api/http/proxy/factory/docker/secrets.go
+++ b/api/http/proxy/factory/docker/secrets.go
@ -7,7 +7,7 @@ import (
 	"github.com/docker/docker/client"

 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/proxy/factory/responseutils"
+	"github.com/portainer/portainer/api/http/proxy/factory/utils"
 	"github.com/portainer/portainer/api/internal/authorization"
 )

@ -34,7 +34,7 @@ func getInheritedResourceControlFromSecretLabels(dockerClient *client.Client, en
 func (transport *Transport) secretListOperation(response *http.Response, executor *operationExecutor) error {
 	// SecretList response is a JSON array
 	// https://docs.docker.com/engine/api/v1.28/#operation/SecretList
-	responseArray, err := responseutils.GetResponseAsJSONArray(response)
+	responseArray, err := utils.GetResponseAsJSONArray(response)
 	if err != nil {
 		return err
 	}
@ -50,7 +50,7 @@ func (transport *Transport) secretListOperation(response *http.Response, executo
 		return err
 	}

-	return responseutils.RewriteResponse(response, responseArray, http.StatusOK)
+	return utils.RewriteResponse(response, responseArray, http.StatusOK)
 }

 // secretInspectOperation extracts the response as a JSON object, verify that the user
@ -58,7 +58,7 @@ func (transport *Transport) secretListOperation(response *http.Response, executo
 func (transport *Transport) secretInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// SecretInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/SecretInspect
-	responseObject, err := responseutils.GetResponseAsJSONObject(response)
+	responseObject, err := utils.GetResponseAsJSONObject(response)
 	if err != nil {
 		return err
 	}
@ -78,9 +78,9 @@ func (transport *Transport) secretInspectOperation(response *http.Response, exec
 // https://docs.docker.com/engine/api/v1.37/#operation/SecretList
 // https://docs.docker.com/engine/api/v1.37/#operation/SecretInspect
 func selectorSecretLabels(responseObject map[string]interface{}) map[string]interface{} {
-	secretSpec := responseutils.GetJSONObject(responseObject, "Spec")
+	secretSpec := utils.GetJSONObject(responseObject, "Spec")
 	if secretSpec != nil {
-		secretLabelsObject := responseutils.GetJSONObject(secretSpec, "Labels")
+		secretLabelsObject := utils.GetJSONObject(secretSpec, "Labels")
 		return secretLabelsObject
 	}
 	return nil
--- a/api/http/proxy/factory/docker/services.go
+++ b/api/http/proxy/factory/docker/services.go
@ -12,7 +12,7 @@ import (
 	"github.com/docker/docker/client"

 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/proxy/factory/responseutils"
+	"github.com/portainer/portainer/api/http/proxy/factory/utils"
 	"github.com/portainer/portainer/api/internal/authorization"
 )

@ -39,7 +39,7 @@ func getInheritedResourceControlFromServiceLabels(dockerClient *client.Client, e
 func (transport *Transport) serviceListOperation(response *http.Response, executor *operationExecutor) error {
 	// ServiceList response is a JSON array
 	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
-	responseArray, err := responseutils.GetResponseAsJSONArray(response)
+	responseArray, err := utils.GetResponseAsJSONArray(response)
 	if err != nil {
 		return err
 	}
@ -55,7 +55,7 @@ func (transport *Transport) serviceListOperation(response *http.Response, execut
 		return err
 	}

-	return responseutils.RewriteResponse(response, responseArray, http.StatusOK)
+	return utils.RewriteResponse(response, responseArray, http.StatusOK)
 }

 // serviceInspectOperation extracts the response as a JSON object, verify that the user
@ -63,7 +63,7 @@ func (transport *Transport) serviceListOperation(response *http.Response, execut
 func (transport *Transport) serviceInspectOperation(response *http.Response, executor *operationExecutor) error {
 	//ServiceInspect response is a JSON object
 	//https://docs.docker.com/engine/api/v1.28/#operation/ServiceInspect
-	responseObject, err := responseutils.GetResponseAsJSONObject(response)
+	responseObject, err := utils.GetResponseAsJSONObject(response)
 	if err != nil {
 		return err
 	}
@ -83,9 +83,9 @@ func (transport *Transport) serviceInspectOperation(response *http.Response, exe
 // https://docs.docker.com/engine/api/v1.28/#operation/ServiceInspect
 // https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
 func selectorServiceLabels(responseObject map[string]interface{}) map[string]interface{} {
-	serviceSpecObject := responseutils.GetJSONObject(responseObject, "Spec")
+	serviceSpecObject := utils.GetJSONObject(responseObject, "Spec")
 	if serviceSpecObject != nil {
-		return responseutils.GetJSONObject(serviceSpecObject, "Labels")
+		return utils.GetJSONObject(serviceSpecObject, "Labels")
 	}
 	return nil
 }
--- a/api/http/proxy/factory/docker/swarm.go
+++ b/api/http/proxy/factory/docker/swarm.go
@ -3,7 +3,7 @@ package docker
 import (
 	"net/http"

-	"github.com/portainer/portainer/api/http/proxy/factory/responseutils"
+	"github.com/portainer/portainer/api/http/proxy/factory/utils"
 )

 // swarmInspectOperation extracts the response as a JSON object and rewrites the response based
@ -11,7 +11,7 @@ import (
 func swarmInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// SwarmInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.30/#operation/SwarmInspect
-	responseObject, err := responseutils.GetResponseAsJSONObject(response)
+	responseObject, err := utils.GetResponseAsJSONObject(response)
 	if err != nil {
 		return err
 	}
@ -21,5 +21,5 @@ func swarmInspectOperation(response *http.Response, executor *operationExecutor)
 		delete(responseObject, "TLSInfo")
 	}

-	return responseutils.RewriteResponse(response, responseObject, http.StatusOK)
+	return utils.RewriteResponse(response, responseObject, http.StatusOK)
 }
--- a/api/http/proxy/factory/docker/tasks.go
+++ b/api/http/proxy/factory/docker/tasks.go
@ -4,7 +4,7 @@ import (
 	"net/http"

 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/proxy/factory/responseutils"
+	"github.com/portainer/portainer/api/http/proxy/factory/utils"
 )

 const (
@ -16,7 +16,7 @@ const (
 func (transport *Transport) taskListOperation(response *http.Response, executor *operationExecutor) error {
 	// TaskList response is a JSON array
 	// https://docs.docker.com/engine/api/v1.28/#operation/TaskList
-	responseArray, err := responseutils.GetResponseAsJSONArray(response)
+	responseArray, err := utils.GetResponseAsJSONArray(response)
 	if err != nil {
 		return err
 	}
@ -32,18 +32,18 @@ func (transport *Transport) taskListOperation(response *http.Response, executor
 		return err
 	}

-	return responseutils.RewriteResponse(response, responseArray, http.StatusOK)
+	return utils.RewriteResponse(response, responseArray, http.StatusOK)
 }

 // selectorServiceLabels retrieve the labels object associated to the task object.
 // Labels are available under the "Spec.ContainerSpec.Labels" property.
 // API schema reference: https://docs.docker.com/engine/api/v1.28/#operation/TaskList
 func selectorTaskLabels(responseObject map[string]interface{}) map[string]interface{} {
-	taskSpecObject := responseutils.GetJSONObject(responseObject, "Spec")
+	taskSpecObject := utils.GetJSONObject(responseObject, "Spec")
 	if taskSpecObject != nil {
-		containerSpecObject := responseutils.GetJSONObject(taskSpecObject, "ContainerSpec")
+		containerSpecObject := utils.GetJSONObject(taskSpecObject, "ContainerSpec")
 		if containerSpecObject != nil {
-			return responseutils.GetJSONObject(containerSpecObject, "Labels")
+			return utils.GetJSONObject(containerSpecObject, "Labels")
 		}
 	}
 	return nil
--- a/api/http/proxy/factory/docker/transport.go
+++ b/api/http/proxy/factory/docker/transport.go
@ -5,17 +5,19 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"io/ioutil"
 	"log"
 	"net/http"
 	"path"
 	"regexp"
+	"strconv"
 	"strings"

 	"github.com/docker/docker/client"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/docker"
-	"github.com/portainer/portainer/api/http/proxy/factory/responseutils"
+	"github.com/portainer/portainer/api/http/proxy/factory/utils"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
 )
@ -169,12 +171,31 @@ func (transport *Transport) proxyAgentRequest(r *http.Request) (*http.Response,
 		// volume browser request
 		return transport.restrictedResourceOperation(r, resourceID, volumeName, portainer.VolumeResourceControl, true)
 	case strings.HasPrefix(requestPath, "/dockerhub"):
-		dockerhub, err := transport.dataStore.DockerHub().DockerHub()
+		requestPath, registryIdString := path.Split(r.URL.Path)
+
+		registryID, err := strconv.Atoi(registryIdString)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("missing registry id: %w", err)
 		}

-		newBody, err := json.Marshal(dockerhub)
+		r.URL.Path = strings.TrimSuffix(requestPath, "/")
+
+		registry := &portainer.Registry{
+			Type: portainer.DockerHubRegistry,
+		}
+
+		if registryID != 0 {
+			registry, err = transport.dataStore.Registry().Registry(portainer.RegistryID(registryID))
+			if err != nil {
+				return nil, fmt.Errorf("failed fetching registry: %w", err)
+			}
+		}
+
+		if registry.Type != portainer.DockerHubRegistry {
+			return nil, errors.New("Invalid registry type")
+		}
+
+		newBody, err := json.Marshal(registry)
 		if err != nil {
 			return nil, err
 		}
@ -397,13 +418,13 @@ func (transport *Transport) replaceRegistryAuthenticationHeader(request *http.Re
 			return nil, err
 		}

-		var originalHeaderData registryAuthenticationHeader
+		var originalHeaderData portainerRegistryAuthenticationHeader
 		err = json.Unmarshal(decodedHeaderData, &originalHeaderData)
 		if err != nil {
 			return nil, err
 		}

-		authenticationHeader := createRegistryAuthenticationHeader(originalHeaderData.Serveraddress, accessContext)
+		authenticationHeader := createRegistryAuthenticationHeader(originalHeaderData.RegistryId, accessContext)

 		headerData, err := json.Marshal(authenticationHeader)
 		if err != nil {
@ -433,7 +454,7 @@ func (transport *Transport) restrictedResourceOperation(request *http.Request, r
 			}

 			if !securitySettings.AllowVolumeBrowserForRegularUsers {
-				return responseutils.WriteAccessDeniedResponse()
+				return utils.WriteAccessDeniedResponse()
 			}
 		}

@ -468,12 +489,12 @@ func (transport *Transport) restrictedResourceOperation(request *http.Request, r
 			}

 			if inheritedResourceControl == nil || !authorization.UserCanAccessResource(tokenData.ID, userTeamIDs, inheritedResourceControl) {
-				return responseutils.WriteAccessDeniedResponse()
+				return utils.WriteAccessDeniedResponse()
 			}
 		}

 		if resourceControl != nil && !authorization.UserCanAccessResource(tokenData.ID, userTeamIDs, resourceControl) {
-			return responseutils.WriteAccessDeniedResponse()
+			return utils.WriteAccessDeniedResponse()
 		}
 	}

@ -537,7 +558,7 @@ func (transport *Transport) interceptAndRewriteRequest(request *http.Request, op
 // https://docs.docker.com/engine/api/v1.37/#operation/SecretCreate
 // https://docs.docker.com/engine/api/v1.37/#operation/ConfigCreate
 func (transport *Transport) decorateGenericResourceCreationResponse(response *http.Response, resourceIdentifierAttribute string, resourceType portainer.ResourceControlType, userID portainer.UserID) error {
-	responseObject, err := responseutils.GetResponseAsJSONObject(response)
+	responseObject, err := utils.GetResponseAsJSONObject(response)
 	if err != nil {
 		return err
 	}
@ -556,7 +577,7 @@ func (transport *Transport) decorateGenericResourceCreationResponse(response *ht

 	responseObject = decorateObject(responseObject, resourceControl)

-	return responseutils.RewriteResponse(response, responseObject, http.StatusOK)
+	return utils.RewriteResponse(response, responseObject, http.StatusOK)
 }

 func (transport *Transport) decorateGenericResourceCreationOperation(request *http.Request, resourceIdentifierAttribute string, resourceType portainer.ResourceControlType) (*http.Response, error) {
@ -619,7 +640,7 @@ func (transport *Transport) administratorOperation(request *http.Request) (*http
 	}

 	if tokenData.Role != portainer.AdministratorRole {
-		return responseutils.WriteAccessDeniedResponse()
+		return utils.WriteAccessDeniedResponse()
 	}

 	return transport.executeDockerRequest(request)
@ -632,15 +653,15 @@ func (transport *Transport) createRegistryAccessContext(request *http.Request) (
 	}

 	accessContext := &registryAccessContext{
-		isAdmin: true,
-		userID:  tokenData.ID,
+		isAdmin:    true,
+		endpointID: transport.endpoint.ID,
 	}

-	hub, err := transport.dataStore.DockerHub().DockerHub()
+	user, err := transport.dataStore.User().User(tokenData.ID)
 	if err != nil {
 		return nil, err
 	}
-	accessContext.dockerHub = hub
+	accessContext.user = user

 	registries, err := transport.dataStore.Registry().Registries()
 	if err != nil {
@ -648,7 +669,7 @@ func (transport *Transport) createRegistryAccessContext(request *http.Request) (
 	}
 	accessContext.registries = registries

-	if tokenData.Role != portainer.AdministratorRole {
+	if user.Role != portainer.AdministratorRole {
 		accessContext.isAdmin = false

 		teamMemberships, err := transport.dataStore.TeamMembership().TeamMembershipsByUserID(tokenData.ID)
--- a/api/http/proxy/factory/docker/volumes.go
+++ b/api/http/proxy/factory/docker/volumes.go
@ -9,7 +9,7 @@ import (
 	"github.com/docker/docker/client"

 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/proxy/factory/responseutils"
+	"github.com/portainer/portainer/api/http/proxy/factory/utils"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
 )
@ -37,7 +37,7 @@ func getInheritedResourceControlFromVolumeLabels(dockerClient *client.Client, en
 func (transport *Transport) volumeListOperation(response *http.Response, executor *operationExecutor) error {
 	// VolumeList response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
-	responseObject, err := responseutils.GetResponseAsJSONObject(response)
+	responseObject, err := utils.GetResponseAsJSONObject(response)
 	if err != nil {
 		return err
 	}
@ -68,7 +68,7 @@ func (transport *Transport) volumeListOperation(response *http.Response, executo
 		responseObject["Volumes"] = volumeData
 	}

-	return responseutils.RewriteResponse(response, responseObject, http.StatusOK)
+	return utils.RewriteResponse(response, responseObject, http.StatusOK)
 }

 // volumeInspectOperation extracts the response as a JSON object, verify that the user
@ -76,7 +76,7 @@ func (transport *Transport) volumeListOperation(response *http.Response, executo
 func (transport *Transport) volumeInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// VolumeInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/VolumeInspect
-	responseObject, err := responseutils.GetResponseAsJSONObject(response)
+	responseObject, err := utils.GetResponseAsJSONObject(response)
 	if err != nil {
 		return err
 	}
@ -101,7 +101,7 @@ func (transport *Transport) volumeInspectOperation(response *http.Response, exec
 // https://docs.docker.com/engine/api/v1.28/#operation/VolumeInspect
 // https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
 func selectorVolumeLabels(responseObject map[string]interface{}) map[string]interface{} {
-	return responseutils.GetJSONObject(responseObject, "Labels")
+	return utils.GetJSONObject(responseObject, "Labels")
 }

 func (transport *Transport) decorateVolumeResourceCreationOperation(request *http.Request, resourceIdentifierAttribute string, resourceType portainer.ResourceControlType) (*http.Response, error) {
@ -142,7 +142,7 @@ func (transport *Transport) decorateVolumeResourceCreationOperation(request *htt
 }

 func (transport *Transport) decorateVolumeCreationResponse(response *http.Response, resourceIdentifierAttribute string, resourceType portainer.ResourceControlType, userID portainer.UserID) error {
-	responseObject, err := responseutils.GetResponseAsJSONObject(response)
+	responseObject, err := utils.GetResponseAsJSONObject(response)
 	if err != nil {
 		return err
 	}
@ -159,7 +159,7 @@ func (transport *Transport) decorateVolumeCreationResponse(response *http.Respon

 	responseObject = decorateObject(responseObject, resourceControl)

-	return responseutils.RewriteResponse(response, responseObject, http.StatusOK)
+	return utils.RewriteResponse(response, responseObject, http.StatusOK)
 }

 func (transport *Transport) restrictedVolumeOperation(requestPath string, request *http.Request) (*http.Response, error) {