feat(oci): oci helm support [r8s-361] (#787)

2025-07-19 05:19:39 +02:00 · 2025-07-13 10:37:43 +12:00 · 2025-07-13 10:37:43 +12:00 · 2697d6c5d7
commit 2697d6c5d7
parent b6a6ce9aaf
80 changed files with 4264 additions and 812 deletions
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@ -121,6 +121,10 @@
      "Ecr": {
        "Region": ""
      },
+      "Github": {
+        "OrganisationName": "",
+        "UseOrganisation": false
+      },
      "Gitlab": {
        "InstanceURL": "",
        "ProjectId": 0,
--- a/api/http/handler/registries/handler.go
+++ b/api/http/handler/registries/handler.go
@ -5,10 +5,10 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	httperrors "github.com/portainer/portainer/api/http/errors"
 	"github.com/portainer/portainer/api/http/proxy"
 	"github.com/portainer/portainer/api/http/security"
-	"github.com/portainer/portainer/api/internal/endpointutils"
-	"github.com/portainer/portainer/api/kubernetes"
+	"github.com/portainer/portainer/api/internal/registryutils/access"
 	"github.com/portainer/portainer/api/kubernetes/cli"
 	"github.com/portainer/portainer/api/pendingactions"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
@ -17,6 +17,7 @@ import (
 	"github.com/gorilla/mux"

 	"github.com/pkg/errors"
+	"github.com/rs/zerolog/log"
 )

 func hideFields(registry *portainer.Registry, hideAccesses bool) {
@ -56,17 +57,20 @@ func newHandler(bouncer security.BouncerService) *Handler {
 func (handler *Handler) initRouter(bouncer accessGuard) {
 	adminRouter := handler.NewRoute().Subrouter()
 	adminRouter.Use(bouncer.AdminAccess)
-
-	authenticatedRouter := handler.NewRoute().Subrouter()
-	authenticatedRouter.Use(bouncer.AuthenticatedAccess)
-
 	adminRouter.Handle("/registries", httperror.LoggerHandler(handler.registryList)).Methods(http.MethodGet)
 	adminRouter.Handle("/registries", httperror.LoggerHandler(handler.registryCreate)).Methods(http.MethodPost)
 	adminRouter.Handle("/registries/{id}", httperror.LoggerHandler(handler.registryUpdate)).Methods(http.MethodPut)
 	adminRouter.Handle("/registries/{id}/configure", httperror.LoggerHandler(handler.registryConfigure)).Methods(http.MethodPost)
 	adminRouter.Handle("/registries/{id}", httperror.LoggerHandler(handler.registryDelete)).Methods(http.MethodDelete)

-	authenticatedRouter.Handle("/registries/{id}", httperror.LoggerHandler(handler.registryInspect)).Methods(http.MethodGet)
+	// Use registry-specific access bouncer for inspect and repositories endpoints
+	registryAccessRouter := handler.NewRoute().Subrouter()
+	registryAccessRouter.Use(bouncer.AuthenticatedAccess, handler.RegistryAccess)
+	registryAccessRouter.Handle("/registries/{id}", httperror.LoggerHandler(handler.registryInspect)).Methods(http.MethodGet)
+
+	// Keep the gitlab proxy on the regular authenticated router as it doesn't require specific registry access
+	authenticatedRouter := handler.NewRoute().Subrouter()
+	authenticatedRouter.Use(bouncer.AuthenticatedAccess)
 	authenticatedRouter.PathPrefix("/registries/proxies/gitlab").Handler(httperror.LoggerHandler(handler.proxyRequestsToGitlabAPIWithoutRegistry))
 }

@ -88,9 +92,7 @@ func (handler *Handler) registriesHaveSameURLAndCredentials(r1, r2 *portainer.Re
 }

 // this function validates that
-//
 // 1. user has the appropriate authorizations to perform the request
-//
 // 2. user has a direct or indirect access to the registry
 func (handler *Handler) userHasRegistryAccess(r *http.Request, registry *portainer.Registry) (hasAccess bool, isAdmin bool, err error) {
 	securityContext, err := security.RetrieveRestrictedRequestContext(r)
@ -98,11 +100,6 @@ func (handler *Handler) userHasRegistryAccess(r *http.Request, registry *portain
 		return false, false, err
 	}

-	user, err := handler.DataStore.User().Read(securityContext.UserID)
-	if err != nil {
-		return false, false, err
-	}
-
 	// Portainer admins always have access to everything
 	if securityContext.IsAdmin {
 		return true, true, nil
@ -128,47 +125,68 @@ func (handler *Handler) userHasRegistryAccess(r *http.Request, registry *portain
 		return false, false, err
 	}

-	memberships, err := handler.DataStore.TeamMembership().TeamMembershipsByUserID(user.ID)
+	// Use the enhanced registry access utility function that includes namespace validation
+	_, err = access.GetAccessibleRegistry(
+		handler.DataStore,
+		handler.K8sClientFactory,
+		securityContext.UserID,
+		endpointId,
+		registry.ID,
+	)
 	if err != nil {
-		return false, false, nil
+		return false, false, nil // No access
 	}

-	// validate access for kubernetes namespaces (leverage registry.RegistryAccesses[endpointId].Namespaces)
-	if endpointutils.IsKubernetesEndpoint(endpoint) {
-		kcl, err := handler.K8sClientFactory.GetPrivilegedKubeClient(endpoint)
-		if err != nil {
-			return false, false, errors.Wrap(err, "unable to retrieve kubernetes client to validate registry access")
-		}
-		accessPolicies, err := kcl.GetNamespaceAccessPolicies()
-		if err != nil {
-			return false, false, errors.Wrap(err, "unable to retrieve environment's namespaces policies to validate registry access")
-		}
-
-		authorizedNamespaces := registry.RegistryAccesses[endpointId].Namespaces
-
-		for _, namespace := range authorizedNamespaces {
-			// when the default namespace is authorized to use a registry, all users have the ability to use it
-			// unless the default namespace is restricted: in this case continue to search for other potential accesses authorizations
-			if namespace == kubernetes.DefaultNamespace && !endpoint.Kubernetes.Configuration.RestrictDefaultNamespace {
-				return true, false, nil
-			}
-
-			namespacePolicy := accessPolicies[namespace]
-			if security.AuthorizedAccess(user.ID, memberships, namespacePolicy.UserAccessPolicies, namespacePolicy.TeamAccessPolicies) {
-				return true, false, nil
-			}
-		}
-		return false, false, nil
-	}
-
-	// validate access for docker environments
-	// leverage registry.RegistryAccesses[endpointId].UserAccessPolicies (direct access)
-	// and registry.RegistryAccesses[endpointId].TeamAccessPolicies (indirect access via his teams)
-	if security.AuthorizedRegistryAccess(registry, user, memberships, endpoint.ID) {
-		return true, false, nil
-	}
-
-	// when user has no access via their role, direct grant or indirect grant
-	// then they don't have access to the registry
-	return false, false, nil
+	return true, false, nil
+}
+
+// RegistryAccess defines a security check for registry-specific API endpoints.
+// Authentication is required to access these endpoints.
+// The user must have direct or indirect access to the specific registry being requested.
+// This bouncer validates registry access using the userHasRegistryAccess logic.
+func (handler *Handler) RegistryAccess(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// First ensure the user is authenticated
+		tokenData, err := security.RetrieveTokenData(r)
+		if err != nil {
+			httperror.WriteError(w, http.StatusUnauthorized, "Authentication required", httperrors.ErrUnauthorized)
+			return
+		}
+
+		// Extract registry ID from the route
+		registryID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+		if err != nil {
+			httperror.WriteError(w, http.StatusBadRequest, "Invalid registry identifier route variable", err)
+			return
+		}
+
+		// Get the registry from the database
+		registry, err := handler.DataStore.Registry().Read(portainer.RegistryID(registryID))
+		if handler.DataStore.IsErrObjectNotFound(err) {
+			httperror.WriteError(w, http.StatusNotFound, "Unable to find a registry with the specified identifier inside the database", err)
+			return
+		} else if err != nil {
+			httperror.WriteError(w, http.StatusInternalServerError, "Unable to find a registry with the specified identifier inside the database", err)
+			return
+		}
+
+		// Check if user has access to this registry
+		hasAccess, _, err := handler.userHasRegistryAccess(r, registry)
+		if err != nil {
+			httperror.WriteError(w, http.StatusInternalServerError, "Unable to retrieve info from request context", err)
+			return
+		}
+		if !hasAccess {
+			log.Debug().
+				Int("registry_id", registryID).
+				Str("registry_name", registry.Name).
+				Int("user_id", int(tokenData.ID)).
+				Str("context", "RegistryAccessBouncer").
+				Msg("User access denied to registry")
+			httperror.WriteError(w, http.StatusForbidden, "Access denied to resource", httperrors.ErrResourceAccessDenied)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
 }
--- a/api/http/handler/registries/registry_access_test.go
+++ b/api/http/handler/registries/registry_access_test.go
@ -0,0 +1,89 @@
+package registries
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/testhelpers"
+
+	"github.com/gorilla/mux"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_RegistryAccess_RequiresAuthentication(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, true, true)
+	registry := &portainer.Registry{
+		ID:   1,
+		Name: "test-registry",
+		URL:  "https://registry.test.com",
+	}
+	err := store.Registry().Create(registry)
+	assert.NoError(t, err)
+	handler := &Handler{
+		DataStore: store,
+	}
+	req := httptest.NewRequest(http.MethodGet, "/registries/1", nil)
+	req = mux.SetURLVars(req, map[string]string{"id": "1"})
+	rr := httptest.NewRecorder()
+	testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+	bouncer := handler.RegistryAccess(testHandler)
+	bouncer.ServeHTTP(rr, req)
+	assert.Equal(t, http.StatusUnauthorized, rr.Code)
+}
+
+func Test_RegistryAccess_InvalidRegistryID(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, true, true)
+	user := &portainer.User{ID: 1, Username: "test", Role: portainer.StandardUserRole}
+	err := store.User().Create(user)
+	assert.NoError(t, err)
+
+	handler := &Handler{
+		DataStore: store,
+	}
+	req := httptest.NewRequest(http.MethodGet, "/registries/invalid", nil)
+	req = mux.SetURLVars(req, map[string]string{"id": "invalid"})
+	tokenData := &portainer.TokenData{ID: 1, Role: portainer.StandardUserRole}
+	req = req.WithContext(security.StoreTokenData(req, tokenData))
+
+	rr := httptest.NewRecorder()
+
+	testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+
+	bouncer := handler.RegistryAccess(testHandler)
+	bouncer.ServeHTTP(rr, req)
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+}
+
+func Test_RegistryAccess_RegistryNotFound(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, true, true)
+	user := &portainer.User{ID: 1, Username: "test", Role: portainer.StandardUserRole}
+	err := store.User().Create(user)
+	assert.NoError(t, err)
+
+	handler := &Handler{
+		DataStore:      store,
+		requestBouncer: testhelpers.NewTestRequestBouncer(),
+	}
+	req := httptest.NewRequest(http.MethodGet, "/registries/999", nil)
+	req = mux.SetURLVars(req, map[string]string{"id": "999"})
+	tokenData := &portainer.TokenData{ID: 1, Role: portainer.StandardUserRole}
+	req = req.WithContext(security.StoreTokenData(req, tokenData))
+
+	rr := httptest.NewRecorder()
+
+	testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+
+	bouncer := handler.RegistryAccess(testHandler)
+	bouncer.ServeHTTP(rr, req)
+	assert.Equal(t, http.StatusNotFound, rr.Code)
+}
--- a/api/http/handler/registries/registry_inspect.go
+++ b/api/http/handler/registries/registry_inspect.go
@ -4,10 +4,12 @@ import (
 	"net/http"

 	portainer "github.com/portainer/portainer/api"
-	httperrors "github.com/portainer/portainer/api/http/errors"
+	"github.com/portainer/portainer/api/http/security"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
+
+	"github.com/rs/zerolog/log"
 )

 // @id RegistryInspect
@ -31,6 +33,11 @@ func (handler *Handler) registryInspect(w http.ResponseWriter, r *http.Request)
 		return httperror.BadRequest("Invalid registry identifier route variable", err)
 	}

+	log.Debug().
+		Int("registry_id", registryID).
+		Str("context", "RegistryInspectHandler").
+		Msg("Starting registry inspection")
+
 	registry, err := handler.DataStore.Registry().Read(portainer.RegistryID(registryID))
 	if handler.DataStore.IsErrObjectNotFound(err) {
 		return httperror.NotFound("Unable to find a registry with the specified identifier inside the database", err)
@ -38,14 +45,12 @@ func (handler *Handler) registryInspect(w http.ResponseWriter, r *http.Request)
 		return httperror.InternalServerError("Unable to find a registry with the specified identifier inside the database", err)
 	}

-	hasAccess, isAdmin, err := handler.userHasRegistryAccess(r, registry)
+	// Check if user is admin to determine if we should hide sensitive fields
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
 	if err != nil {
 		return httperror.InternalServerError("Unable to retrieve info from request context", err)
 	}
-	if !hasAccess {
-		return httperror.Forbidden("Access denied to resource", httperrors.ErrResourceAccessDenied)
-	}

-	hideFields(registry, !isAdmin)
+	hideFields(registry, !securityContext.IsAdmin)
 	return response.JSON(w, registry)
 }
--- a/api/http/handler/webhooks/webhook_create.go
+++ b/api/http/handler/webhooks/webhook_create.go
@ -80,7 +80,7 @@ func (handler *Handler) webhookCreate(w http.ResponseWriter, r *http.Request) *h
 			return httperror.InternalServerError("Unable to retrieve user authentication token", err)
 		}

-		_, err = access.GetAccessibleRegistry(handler.DataStore, tokenData.ID, endpointID, payload.RegistryID)
+		_, err = access.GetAccessibleRegistry(handler.DataStore, nil, tokenData.ID, endpointID, payload.RegistryID)
 		if err != nil {
 			return httperror.Forbidden("Permission deny to access registry", err)
 		}
--- a/api/http/handler/webhooks/webhook_update.go
+++ b/api/http/handler/webhooks/webhook_update.go
@ -69,7 +69,7 @@ func (handler *Handler) webhookUpdate(w http.ResponseWriter, r *http.Request) *h
 			return httperror.InternalServerError("Unable to retrieve user authentication token", err)
 		}

-		_, err = access.GetAccessibleRegistry(handler.DataStore, tokenData.ID, webhook.EndpointID, payload.RegistryID)
+		_, err = access.GetAccessibleRegistry(handler.DataStore, nil, tokenData.ID, webhook.EndpointID, payload.RegistryID)
 		if err != nil {
 			return httperror.Forbidden("Permission deny to access registry", err)
 		}
--- a/api/http/proxy/factory/docker/registry.go
+++ b/api/http/proxy/factory/docker/registry.go
@ -55,12 +55,13 @@ func createRegistryAuthenticationHeader(
 		return
 	}

-	if err = registryutils.EnsureRegTokenValid(dataStore, matchingRegistry); err != nil {
+	if err = registryutils.PrepareRegistryCredentials(dataStore, matchingRegistry); err != nil {
 		return
 	}

 	authenticationHeader.Serveraddress = matchingRegistry.URL
-	authenticationHeader.Username, authenticationHeader.Password, err = registryutils.GetRegEffectiveCredential(matchingRegistry)
+	authenticationHeader.Username = matchingRegistry.Username
+	authenticationHeader.Password = matchingRegistry.Password

 	return
 }
--- a/api/http/proxy/factory/github/client.go
+++ b/api/http/proxy/factory/github/client.go
@ -0,0 +1,108 @@
+package github
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/segmentio/encoding/json"
+	"oras.land/oras-go/v2/registry/remote/retry"
+)
+
+const GitHubAPIHost = "https://api.github.com"
+
+// Package represents a GitHub container package
+type Package struct {
+	Name  string `json:"name"`
+	Owner struct {
+		Login string `json:"login"`
+	} `json:"owner"`
+}
+
+// Client represents a GitHub API client
+type Client struct {
+	httpClient *http.Client
+	baseURL    string
+}
+
+// NewClient creates a new GitHub API client
+func NewClient(token string) *Client {
+	return &Client{
+		httpClient: NewHTTPClient(token),
+		baseURL:    GitHubAPIHost,
+	}
+}
+
+// GetContainerPackages fetches container packages for the configured namespace
+// It's a small http client wrapper instead of using the github client because listing repositories is the only known operation that isn't directly supported by oras
+func (c *Client) GetContainerPackages(ctx context.Context, useOrganisation bool, organisationName string) ([]string, error) {
+	// Determine the namespace (user or organisation) for the request
+	namespace := "user"
+	if useOrganisation {
+		namespace = "orgs/" + organisationName
+	}
+
+	// Build the full URL for listing container packages
+	url := fmt.Sprintf("%s/%s/packages?package_type=container", c.baseURL, namespace)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %w", err)
+	}
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("GitHub API returned status %d: %s", resp.StatusCode, resp.Status)
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response body: %w", err)
+	}
+
+	var packages []Package
+	if err := json.Unmarshal(body, &packages); err != nil {
+		return nil, fmt.Errorf("failed to parse response: %w", err)
+	}
+
+	// Extract repository names in the form "owner/name"
+	repositories := make([]string, len(packages))
+	for i, pkg := range packages {
+		repositories[i] = fmt.Sprintf("%s/%s", strings.ToLower(pkg.Owner.Login), strings.ToLower(pkg.Name))
+	}
+
+	return repositories, nil
+}
+
+// NewHTTPClient creates a new HTTP client configured for GitHub API requests
+func NewHTTPClient(token string) *http.Client {
+	return &http.Client{
+		Transport: &tokenTransport{
+			token:     token,
+			transport: retry.NewTransport(&http.Transport{}), // Use ORAS retry transport for consistent rate limiting and error handling
+		},
+		Timeout: 1 * time.Minute,
+	}
+}
+
+// tokenTransport automatically adds the Bearer token header to requests
+type tokenTransport struct {
+	token     string
+	transport http.RoundTripper
+}
+
+func (t *tokenTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	if t.token != "" {
+		req.Header.Set("Authorization", "Bearer "+t.token)
+		req.Header.Set("Accept", "application/vnd.github+json")
+	}
+	return t.transport.RoundTrip(req)
+}
--- a/api/http/proxy/factory/gitlab/client.go
+++ b/api/http/proxy/factory/gitlab/client.go
@ -0,0 +1,130 @@
+package gitlab
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"time"
+
+	"github.com/segmentio/encoding/json"
+	"oras.land/oras-go/v2/registry/remote/retry"
+)
+
+// Repository represents a GitLab registry repository
+type Repository struct {
+	ID        int    `json:"id"`
+	Name      string `json:"name"`
+	Path      string `json:"path"`
+	ProjectID int    `json:"project_id"`
+	Location  string `json:"location"`
+	CreatedAt string `json:"created_at"`
+	Status    string `json:"status"`
+}
+
+// Client represents a GitLab API client
+type Client struct {
+	httpClient *http.Client
+	baseURL    string
+}
+
+// NewClient creates a new GitLab API client
+// it currently is an http client because only GetRegistryRepositoryNames is needed (oras supports other commands).
+// if we need to support other commands, consider using the gitlab client library.
+func NewClient(baseURL, token string) *Client {
+	return &Client{
+		httpClient: NewHTTPClient(token),
+		baseURL:    baseURL,
+	}
+}
+
+// GetRegistryRepositoryNames fetches registry repository names for a given project.
+// It's a small http client wrapper instead of using the gitlab client library because listing repositories is the only known operation that isn't directly supported by oras
+func (c *Client) GetRegistryRepositoryNames(ctx context.Context, projectID int) ([]string, error) {
+	url := fmt.Sprintf("%s/api/v4/projects/%d/registry/repositories", c.baseURL, projectID)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %w", err)
+	}
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("GitLab API returned status %d: %s", resp.StatusCode, resp.Status)
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response body: %w", err)
+	}
+
+	var repositories []Repository
+	if err := json.Unmarshal(body, &repositories); err != nil {
+		return nil, fmt.Errorf("failed to parse response: %w", err)
+	}
+
+	// Extract repository names
+	names := make([]string, len(repositories))
+	for i, repo := range repositories {
+		// the full path is required for further repo operations
+		names[i] = repo.Path
+	}
+
+	return names, nil
+}
+
+type Transport struct {
+	httpTransport *http.Transport
+}
+
+// NewTransport returns a pointer to a new instance of Transport that implements the HTTP Transport
+// interface for proxying requests to the Gitlab API.
+func NewTransport() *Transport {
+	return &Transport{
+		httpTransport: &http.Transport{},
+	}
+}
+
+// RoundTrip is the implementation of the http.RoundTripper interface
+func (transport *Transport) RoundTrip(request *http.Request) (*http.Response, error) {
+	token := request.Header.Get("Private-Token")
+	if token == "" {
+		return nil, errors.New("no gitlab token provided")
+	}
+
+	r, err := http.NewRequest(request.Method, request.URL.String(), request.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	r.Header.Set("Private-Token", token)
+	return transport.httpTransport.RoundTrip(r)
+}
+
+// NewHTTPClient creates a new HTTP client configured for GitLab API requests
+func NewHTTPClient(token string) *http.Client {
+	return &http.Client{
+		Transport: &tokenTransport{
+			token:     token,
+			transport: retry.NewTransport(&http.Transport{}), // Use ORAS retry transport for consistent rate limiting and error handling
+		},
+		Timeout: 1 * time.Minute,
+	}
+}
+
+// tokenTransport automatically adds the Private-Token header to requests
+type tokenTransport struct {
+	token     string
+	transport http.RoundTripper
+}
+
+func (t *tokenTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	req.Header.Set("Private-Token", t.token)
+	return t.transport.RoundTrip(req)
+}
--- a/api/http/proxy/factory/gitlab/transport.go
+++ b/api/http/proxy/factory/gitlab/transport.go
@ -1,34 +0,0 @@
-package gitlab
-
-import (
-	"errors"
-	"net/http"
-)
-
-type Transport struct {
-	httpTransport *http.Transport
-}
-
-// NewTransport returns a pointer to a new instance of Transport that implements the HTTP Transport
-// interface for proxying requests to the Gitlab API.
-func NewTransport() *Transport {
-	return &Transport{
-		httpTransport: &http.Transport{},
-	}
-}
-
-// RoundTrip is the implementation of the http.RoundTripper interface
-func (transport *Transport) RoundTrip(request *http.Request) (*http.Response, error) {
-	token := request.Header.Get("Private-Token")
-	if token == "" {
-		return nil, errors.New("no gitlab token provided")
-	}
-
-	r, err := http.NewRequest(request.Method, request.URL.String(), request.Body)
-	if err != nil {
-		return nil, err
-	}
-
-	r.Header.Set("Private-Token", token)
-	return transport.httpTransport.RoundTrip(r)
-}
--- a/api/internal/registryutils/access/access.go
+++ b/api/internal/registryutils/access/access.go
@ -2,40 +2,82 @@ package access

 import (
 	"errors"
+	"fmt"

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/endpointutils"
+	"github.com/portainer/portainer/api/kubernetes"
+	"github.com/portainer/portainer/api/kubernetes/cli"
 )

 func hasPermission(
 	dataStore dataservices.DataStore,
+	k8sClientFactory *cli.ClientFactory,
 	userID portainer.UserID,
 	endpointID portainer.EndpointID,
 	registry *portainer.Registry,
 ) (hasPermission bool, err error) {
 	user, err := dataStore.User().Read(userID)
 	if err != nil {
-		return
+		return false, err
 	}

 	if user.Role == portainer.AdministratorRole {
-		return true, err
+		return true, nil
+	}
+
+	endpoint, err := dataStore.Endpoint().Endpoint(endpointID)
+	if err != nil {
+		return false, err
 	}

 	teamMemberships, err := dataStore.TeamMembership().TeamMembershipsByUserID(userID)
 	if err != nil {
-		return
+		return false, err
 	}

+	// validate access for kubernetes namespaces (leverage registry.RegistryAccesses[endpointId].Namespaces)
+	if endpointutils.IsKubernetesEndpoint(endpoint) && k8sClientFactory != nil {
+		kcl, err := k8sClientFactory.GetPrivilegedKubeClient(endpoint)
+		if err != nil {
+			return false, fmt.Errorf("unable to retrieve kubernetes client to validate registry access: %w", err)
+		}
+		accessPolicies, err := kcl.GetNamespaceAccessPolicies()
+		if err != nil {
+			return false, fmt.Errorf("unable to retrieve environment's namespaces policies to validate registry access: %w", err)
+		}
+
+		authorizedNamespaces := registry.RegistryAccesses[endpointID].Namespaces
+
+		for _, namespace := range authorizedNamespaces {
+			// when the default namespace is authorized to use a registry, all users have the ability to use it
+			// unless the default namespace is restricted: in this case continue to search for other potential accesses authorizations
+			if namespace == kubernetes.DefaultNamespace && !endpoint.Kubernetes.Configuration.RestrictDefaultNamespace {
+				return true, nil
+			}
+
+			namespacePolicy := accessPolicies[namespace]
+			if security.AuthorizedAccess(user.ID, teamMemberships, namespacePolicy.UserAccessPolicies, namespacePolicy.TeamAccessPolicies) {
+				return true, nil
+			}
+		}
+		return false, nil
+	}
+
+	// validate access for docker environments
+	// leverage registry.RegistryAccesses[endpointId].UserAccessPolicies (direct access)
+	// and registry.RegistryAccesses[endpointId].TeamAccessPolicies (indirect access via his teams)
 	hasPermission = security.AuthorizedRegistryAccess(registry, user, teamMemberships, endpointID)

-	return
+	return hasPermission, nil
 }

 // GetAccessibleRegistry get the registry if the user has permission
 func GetAccessibleRegistry(
 	dataStore dataservices.DataStore,
+	k8sClientFactory *cli.ClientFactory,
 	userID portainer.UserID,
 	endpointID portainer.EndpointID,
 	registryID portainer.RegistryID,
@ -46,7 +88,7 @@ func GetAccessibleRegistry(
 		return
 	}

-	hasPermission, err := hasPermission(dataStore, userID, endpointID, registry)
+	hasPermission, err := hasPermission(dataStore, k8sClientFactory, userID, endpointID, registry)
 	if err != nil {
 		return
 	}
--- a/api/internal/registryutils/ecr_reg_token.go
+++ b/api/internal/registryutils/ecr_reg_token.go
@ -62,3 +62,26 @@ func GetRegEffectiveCredential(registry *portainer.Registry) (username, password

 	return
 }
+
+// PrepareRegistryCredentials consolidates the common pattern of ensuring valid ECR token
+// and setting effective credentials on the registry when authentication is enabled.
+// This function modifies the registry in-place by setting Username and Password to the effective values.
+func PrepareRegistryCredentials(tx dataservices.DataStoreTx, registry *portainer.Registry) error {
+	if !registry.Authentication {
+		return nil
+	}
+
+	if err := EnsureRegTokenValid(tx, registry); err != nil {
+		return err
+	}
+
+	username, password, err := GetRegEffectiveCredential(registry)
+	if err != nil {
+		return err
+	}
+
+	registry.Username = username
+	registry.Password = password
+
+	return nil
+}
--- a/api/kubernetes/cli/namespace.go
+++ b/api/kubernetes/cli/namespace.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"sort"
 	"strconv"
 	"time"

@ -437,5 +438,10 @@ func (kcl *KubeClient) ConvertNamespaceMapToSlice(namespaces map[string]portaine
 		namespaceSlice = append(namespaceSlice, namespace)
 	}

+	// Sort namespaces by name
+	sort.Slice(namespaceSlice, func(i, j int) bool {
+		return namespaceSlice[i].Name < namespaceSlice[j].Name
+	})
+
 	return namespaceSlice
 }
--- a/api/portainer.go
+++ b/api/portainer.go
@ -603,6 +603,12 @@ type (
 		ProjectPath string `json:"ProjectPath"`
 	}

+	// GithubRegistryData represents data required for Github registry to work
+	GithubRegistryData struct {
+		UseOrganisation  bool   `json:"UseOrganisation"`
+		OrganisationName string `json:"OrganisationName"`
+	}
+
 	HelmUserRepositoryID int

 	// HelmUserRepositories stores a Helm repository URL for the given user
@ -823,6 +829,7 @@ type (
 		Password                string                           `json:"Password,omitempty" example:"registry_password"`
 		ManagementConfiguration *RegistryManagementConfiguration `json:"ManagementConfiguration"`
 		Gitlab                  GitlabRegistryData               `json:"Gitlab"`
+		Github                  GithubRegistryData               `json:"Github"`
 		Quay                    QuayRegistryData                 `json:"Quay"`
 		Ecr                     EcrData                          `json:"Ecr"`
 		RegistryAccesses        RegistryAccesses                 `json:"RegistryAccesses"`
@ -1972,6 +1979,8 @@ const (
 	DockerHubRegistry
 	// EcrRegistry represents an ECR registry
 	EcrRegistry
+	// Github container registry
+	GithubRegistry
 )

 const (