feat(extensions): introduce extension support (#2527)

* wip * wip: missing repository & tags removal * feat(registry): private registry management * style(plugin-details): update view * wip * wip * wip * feat(plugins): add license info * feat(plugins): browse feature preview * feat(registry-configure): add the ability to configure registry management * style(app): update text in app * feat(plugins): add plugin version number * feat(plugins): wip plugin upgrade process * feat(plugins): wip plugin upgrade * feat(plugins): add the ability to update a plugin * feat(plugins): init plugins at startup time * feat(plugins): add the ability to remove a plugin * feat(plugins): update to latest plugin definitions * feat(plugins): introduce plugin-tooltip component * refactor(app): relocate plugin files to app/plugins * feat(plugins): introduce PluginDefinitionsURL constant * feat(plugins): update the flags used by the plugins * feat(plugins): wip * feat(plugins): display a label when a plugin has expired * wip * feat(registry-creation): update registry creation logic * refactor(registry-creation): change name/ids for inputs * feat(api): pass registry type to management configuration * feat(api): unstrip /v2 in regsitry proxy * docs(api): add TODO * feat(store): mockup-1 * feat(store): mockup 2 * feat(store): mockup 2 * feat(store): update mockup-2 * feat(app): add unauthenticated event check * update gruntfile * style(support): update support views * style(support): update product views * refactor(extensions): refactor plugins to extensions * feat(extensions): add a deal property * feat(extensions): introduce ExtensionManager * style(extensions): update extension details style * feat(extensions): display license/company when enabling extension * feat(extensions): update extensions views * feat(extensions): use ProductId defined in extension schema * style(app): remove padding left for form section title elements * style(support): use per host model * refactor(extensions): multiple refactors related to extensions mecanism * feat(extensions): update tls file path for registry extension * feat(extensions): update registry management configuration * feat(extensions): send license in header to extension proxy * fix(proxy): fix invalid default loopback address * feat(extensions): add header X-RegistryManagement-ForceNew for specific operations * feat(extensions): add the ability to display screenshots * feat(extensions): center screenshots * style(extensions): tune style * feat(extensions-details): open full screen image on click (#2517) * feat(extension-details): show magnifying glass on images * feat(extensions): support extension logo * feat(extensions): update support logos * refactor(lint): fix lint issues
2025-08-02 20:35:25 +02:00 · 2018-12-09 16:49:27 +13:00 · 2018-12-09 16:49:27 +13:00 · 6fd5ddc802
commit 6fd5ddc802
parent f5dc663879
100 changed files with 3519 additions and 268 deletions
--- a/api/archive/zip.go
+++ b/api/archive/zip.go
@ -0,0 +1,48 @@
+package archive
+
+import (
+	"archive/zip"
+	"bytes"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+)
+
+// UnzipArchive will unzip an archive from bytes into the dest destination folder on disk
+func UnzipArchive(archiveData []byte, dest string) error {
+	zipReader, err := zip.NewReader(bytes.NewReader(archiveData), int64(len(archiveData)))
+	if err != nil {
+		return err
+	}
+
+	for _, zipFile := range zipReader.File {
+
+		f, err := zipFile.Open()
+		if err != nil {
+			return err
+		}
+		defer f.Close()
+
+		data, err := ioutil.ReadAll(f)
+		if err != nil {
+			return err
+		}
+
+		fpath := filepath.Join(dest, zipFile.Name)
+
+		outFile, err := os.OpenFile(fpath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, zipFile.Mode())
+		if err != nil {
+			return err
+		}
+
+		_, err = io.Copy(outFile, bytes.NewReader(data))
+		if err != nil {
+			return err
+		}
+
+		outFile.Close()
+	}
+
+	return nil
+}
--- a/api/bolt/datastore.go
+++ b/api/bolt/datastore.go
@ -10,6 +10,7 @@ import (
 	"github.com/portainer/portainer/bolt/dockerhub"
 	"github.com/portainer/portainer/bolt/endpoint"
 	"github.com/portainer/portainer/bolt/endpointgroup"
+	"github.com/portainer/portainer/bolt/extension"
 	"github.com/portainer/portainer/bolt/migrator"
 	"github.com/portainer/portainer/bolt/registry"
 	"github.com/portainer/portainer/bolt/resourcecontrol"
@ -39,6 +40,7 @@ type Store struct {
 	DockerHubService       *dockerhub.Service
 	EndpointGroupService   *endpointgroup.Service
 	EndpointService        *endpoint.Service
+	ExtensionService       *extension.Service
 	RegistryService        *registry.Service
 	ResourceControlService *resourcecontrol.Service
 	SettingsService        *settings.Service
@ -176,6 +178,12 @@ func (store *Store) initServices() error {
 	}
 	store.EndpointService = endpointService

+	extensionService, err := extension.NewService(store.db)
+	if err != nil {
+		return err
+	}
+	store.ExtensionService = extensionService
+
 	registryService, err := registry.NewService(store.db)
 	if err != nil {
 		return err
--- a/api/bolt/extension/extension.go
+++ b/api/bolt/extension/extension.go
@ -0,0 +1,86 @@
+package extension
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "extension"
+)
+
+// Service represents a service for managing endpoint data.
+type Service struct {
+	db *bolt.DB
+}
+
+// NewService creates a new instance of a service.
+func NewService(db *bolt.DB) (*Service, error) {
+	err := internal.CreateBucket(db, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		db: db,
+	}, nil
+}
+
+// Extension returns a extension by ID
+func (service *Service) Extension(ID portainer.ExtensionID) (*portainer.Extension, error) {
+	var extension portainer.Extension
+	identifier := internal.Itob(int(ID))
+
+	err := internal.GetObject(service.db, BucketName, identifier, &extension)
+	if err != nil {
+		return nil, err
+	}
+
+	return &extension, nil
+}
+
+// Extensions return an array containing all the extensions.
+func (service *Service) Extensions() ([]portainer.Extension, error) {
+	var extensions = make([]portainer.Extension, 0)
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var extension portainer.Extension
+			err := internal.UnmarshalObject(v, &extension)
+			if err != nil {
+				return err
+			}
+			extensions = append(extensions, extension)
+		}
+
+		return nil
+	})
+
+	return extensions, err
+}
+
+// Persist persists a extension inside the database.
+func (service *Service) Persist(extension *portainer.Extension) error {
+	return service.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		data, err := internal.MarshalObject(extension)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put(internal.Itob(int(extension.ID)), data)
+	})
+}
+
+// DeleteExtension deletes a Extension.
+func (service *Service) DeleteExtension(ID portainer.ExtensionID) error {
+	identifier := internal.Itob(int(ID))
+	return internal.DeleteObject(service.db, BucketName, identifier)
+}
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@ -471,6 +471,24 @@ func initJobService(dockerClientFactory *docker.ClientFactory) portainer.JobServ
 	return docker.NewJobService(dockerClientFactory)
 }

+func initExtensionManager(fileService portainer.FileService, extensionService portainer.ExtensionService) (portainer.ExtensionManager, error) {
+	extensionManager := exec.NewExtensionManager(fileService, extensionService)
+
+	extensions, err := extensionService.Extensions()
+	if err != nil {
+		return nil, err
+	}
+
+	for _, extension := range extensions {
+		err := extensionManager.EnableExtension(&extension, extension.License.LicenseKey)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return extensionManager, nil
+}
+
 func terminateIfNoAdminCreated(userService portainer.UserService) {
 	timer1 := time.NewTimer(5 * time.Minute)
 	<-timer1.C
@ -509,6 +527,11 @@ func main() {
 		log.Fatal(err)
 	}

+	extensionManager, err := initExtensionManager(fileService, store.ExtensionService)
+	if err != nil {
+		log.Fatal(err)
+	}
+
 	clientFactory := initClientFactory(digitalSignatureService)

 	jobService := initJobService(clientFactory)
@ -619,6 +642,7 @@ func main() {
 		TeamMembershipService:  store.TeamMembershipService,
 		EndpointService:        store.EndpointService,
 		EndpointGroupService:   store.EndpointGroupService,
+		ExtensionService:       store.ExtensionService,
 		ResourceControlService: store.ResourceControlService,
 		SettingsService:        store.SettingsService,
 		RegistryService:        store.RegistryService,
@ -630,6 +654,7 @@ func main() {
 		WebhookService:         store.WebhookService,
 		SwarmStackManager:      swarmStackManager,
 		ComposeStackManager:    composeStackManager,
+		ExtensionManager:       extensionManager,
 		CryptoService:          cryptoService,
 		JWTService:             jwtService,
 		FileService:            fileService,
--- a/api/errors.go
+++ b/api/errors.go
@ -88,6 +88,11 @@ const (
 	ErrUndefinedTLSFileType = Error("Undefined TLS file type")
 )

+// Extension errors.
+const (
+	ErrExtensionAlreadyEnabled = Error("This extension is already enabled")
+)
+
 // Docker errors.
 const (
 	ErrUnableToPingEndpoint = Error("Unable to communicate with the endpoint")
--- a/api/exec/extension.go
+++ b/api/exec/extension.go
@ -0,0 +1,205 @@
+package exec
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"os/exec"
+	"path"
+	"runtime"
+	"strconv"
+	"strings"
+
+	"github.com/orcaman/concurrent-map"
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/http/client"
+)
+
+var extensionDownloadBaseURL = "https://portainer-io-assets.sfo2.digitaloceanspaces.com/extensions/"
+
+var extensionBinaryMap = map[portainer.ExtensionID]string{
+	portainer.RegistryManagementExtension: "extension-registry-management",
+}
+
+// ExtensionManager represents a service used to
+// manage extension processes.
+type ExtensionManager struct {
+	processes        cmap.ConcurrentMap
+	fileService      portainer.FileService
+	extensionService portainer.ExtensionService
+}
+
+// NewExtensionManager returns a pointer to an ExtensionManager
+func NewExtensionManager(fileService portainer.FileService, extensionService portainer.ExtensionService) *ExtensionManager {
+	return &ExtensionManager{
+		processes:        cmap.New(),
+		fileService:      fileService,
+		extensionService: extensionService,
+	}
+}
+
+func processKey(ID portainer.ExtensionID) string {
+	return strconv.Itoa(int(ID))
+}
+
+func buildExtensionURL(extension *portainer.Extension) string {
+	extensionURL := extensionDownloadBaseURL
+	extensionURL += extensionBinaryMap[extension.ID]
+	extensionURL += "-" + runtime.GOOS + "-" + runtime.GOARCH
+	extensionURL += "-" + extension.Version
+	extensionURL += ".zip"
+	return extensionURL
+}
+
+func buildExtensionPath(binaryPath string, extension *portainer.Extension) string {
+
+	extensionFilename := extensionBinaryMap[extension.ID]
+	extensionFilename += "-" + runtime.GOOS + "-" + runtime.GOARCH
+	extensionFilename += "-" + extension.Version
+
+	extensionPath := path.Join(
+		binaryPath,
+		extensionFilename)
+
+	return extensionPath
+}
+
+// FetchExtensionDefinitions will fetch the list of available
+// extension definitions from the official Portainer assets server
+func (manager *ExtensionManager) FetchExtensionDefinitions() ([]portainer.Extension, error) {
+	extensionData, err := client.Get(portainer.ExtensionDefinitionsURL, 30)
+	if err != nil {
+		return nil, err
+	}
+
+	var extensions []portainer.Extension
+	err = json.Unmarshal(extensionData, &extensions)
+	if err != nil {
+		return nil, err
+	}
+
+	return extensions, nil
+}
+
+// EnableExtension will check for the existence of the extension binary on the filesystem
+// first. If it does not exist, it will download it from the official Portainer assets server.
+// After installing the binary on the filesystem, it will execute the binary in license check
+// mode to validate the extension license. If the license is valid, it will then start
+// the extension process and register it in the processes map.
+func (manager *ExtensionManager) EnableExtension(extension *portainer.Extension, licenseKey string) error {
+	extensionBinaryPath := buildExtensionPath(manager.fileService.GetBinaryFolder(), extension)
+	extensionBinaryExists, err := manager.fileService.FileExists(extensionBinaryPath)
+	if err != nil {
+		return err
+	}
+
+	if !extensionBinaryExists {
+		err := manager.downloadExtension(extension)
+		if err != nil {
+			return err
+		}
+	}
+
+	licenseDetails, err := validateLicense(extensionBinaryPath, licenseKey)
+	if err != nil {
+		return err
+	}
+
+	extension.License = portainer.LicenseInformation{
+		LicenseKey: licenseKey,
+		Company:    licenseDetails[0],
+		Expiration: licenseDetails[1],
+	}
+	extension.Version = licenseDetails[2]
+
+	return manager.startExtensionProcess(extension, extensionBinaryPath)
+}
+
+// DisableExtension will retrieve the process associated to the extension
+// from the processes map and kill the process. It will then remove the process
+// from the processes map and remove the binary associated to the extension
+// from the filesystem
+func (manager *ExtensionManager) DisableExtension(extension *portainer.Extension) error {
+	process, ok := manager.processes.Get(processKey(extension.ID))
+	if !ok {
+		return nil
+	}
+
+	err := process.(*exec.Cmd).Process.Kill()
+	if err != nil {
+		return err
+	}
+
+	manager.processes.Remove(processKey(extension.ID))
+
+	extensionBinaryPath := buildExtensionPath(manager.fileService.GetBinaryFolder(), extension)
+	return manager.fileService.RemoveDirectory(extensionBinaryPath)
+}
+
+// UpdateExtension will download the new extension binary from the official Portainer assets
+// server, disable the previous extension via DisableExtension, trigger a license check
+// and then start the extension process and add it to the processes map
+func (manager *ExtensionManager) UpdateExtension(extension *portainer.Extension, version string) error {
+	oldVersion := extension.Version
+
+	extension.Version = version
+	err := manager.downloadExtension(extension)
+	if err != nil {
+		return err
+	}
+
+	extension.Version = oldVersion
+	err = manager.DisableExtension(extension)
+	if err != nil {
+		return err
+	}
+
+	extension.Version = version
+	extensionBinaryPath := buildExtensionPath(manager.fileService.GetBinaryFolder(), extension)
+
+	licenseDetails, err := validateLicense(extensionBinaryPath, extension.License.LicenseKey)
+	if err != nil {
+		return err
+	}
+
+	extension.Version = licenseDetails[2]
+
+	return manager.startExtensionProcess(extension, extensionBinaryPath)
+}
+
+func (manager *ExtensionManager) downloadExtension(extension *portainer.Extension) error {
+	extensionURL := buildExtensionURL(extension)
+
+	data, err := client.Get(extensionURL, 30)
+	if err != nil {
+		return err
+	}
+
+	return manager.fileService.ExtractExtensionArchive(data)
+}
+
+func validateLicense(binaryPath, licenseKey string) ([]string, error) {
+	licenseCheckProcess := exec.Command(binaryPath, "-license", licenseKey, "-check")
+	cmdOutput := &bytes.Buffer{}
+	licenseCheckProcess.Stdout = cmdOutput
+
+	err := licenseCheckProcess.Run()
+	if err != nil {
+		return nil, errors.New("Invalid extension license key")
+	}
+
+	output := string(cmdOutput.Bytes())
+
+	return strings.Split(output, "|"), nil
+}
+
+func (manager *ExtensionManager) startExtensionProcess(extension *portainer.Extension, binaryPath string) error {
+	extensionProcess := exec.Command(binaryPath, "-license", extension.License.LicenseKey)
+	err := extensionProcess.Start()
+	if err != nil {
+		return err
+	}
+
+	manager.processes.Set(processKey(extension.ID), extensionProcess)
+	return nil
+}
--- a/api/filesystem/filesystem.go
+++ b/api/filesystem/filesystem.go
@ -7,6 +7,7 @@ import (
 	"io/ioutil"

 	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/archive"

 	"io"
 	"os"
@ -32,8 +33,13 @@ const (
 	PrivateKeyFile = "portainer.key"
 	// PublicKeyFile represents the name on disk of the file containing the public key.
 	PublicKeyFile = "portainer.pub"
+	// BinaryStorePath represents the subfolder where binaries are stored in the file store folder.
+	BinaryStorePath = "bin"
 	// ScheduleStorePath represents the subfolder where schedule files are stored.
 	ScheduleStorePath = "schedules"
+	// ExtensionRegistryManagementStorePath represents the subfolder where files related to the
+	// registry management extension are stored.
+	ExtensionRegistryManagementStorePath = "extensions"
 )

 // Service represents a service for managing files and directories.
@ -65,9 +71,30 @@ func NewService(dataStorePath, fileStorePath string) (*Service, error) {
 		return nil, err
 	}

+	err = service.createDirectoryInStore(BinaryStorePath)
+	if err != nil {
+		return nil, err
+	}
+
 	return service, nil
 }

+// GetBinaryFolder returns the full path to the binary store on the filesystem
+func (service *Service) GetBinaryFolder() string {
+	return path.Join(service.fileStorePath, BinaryStorePath)
+}
+
+// ExtractExtensionArchive extracts the content of an extension archive
+// specified as raw data into the binary store on the filesystem
+func (service *Service) ExtractExtensionArchive(data []byte) error {
+	err := archive.UnzipArchive(data, path.Join(service.fileStorePath, BinaryStorePath))
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 // RemoveDirectory removes a directory on the filesystem.
 func (service *Service) RemoveDirectory(directoryPath string) error {
 	return os.RemoveAll(directoryPath)
@ -99,6 +126,27 @@ func (service *Service) StoreStackFileFromBytes(stackIdentifier, fileName string
 	return path.Join(service.fileStorePath, stackStorePath), nil
 }

+// StoreRegistryManagementFileFromBytes creates a subfolder in the
+// ExtensionRegistryManagementStorePath and stores a new file from bytes.
+// It returns the path to the folder where the file is stored.
+func (service *Service) StoreRegistryManagementFileFromBytes(folder, fileName string, data []byte) (string, error) {
+	extensionStorePath := path.Join(ExtensionRegistryManagementStorePath, folder)
+	err := service.createDirectoryInStore(extensionStorePath)
+	if err != nil {
+		return "", err
+	}
+
+	file := path.Join(extensionStorePath, fileName)
+	r := bytes.NewReader(data)
+
+	err = service.createFileInStore(file, r)
+	if err != nil {
+		return "", err
+	}
+
+	return path.Join(service.fileStorePath, file), nil
+}
+
 // StoreTLSFileFromBytes creates a folder in the TLSStorePath and stores a new file from bytes.
 // It returns the path to the newly created file.
 func (service *Service) StoreTLSFileFromBytes(folder string, fileType portainer.TLSFileType, data []byte) (string, error) {
--- a/api/http/handler/endpointproxy/proxy_storidge.go
+++ b/api/http/handler/endpointproxy/proxy_storidge.go
@ -1,5 +1,7 @@
 package endpointproxy

+// TODO: legacy extension management
+
 import (
 	"strconv"

@ -42,9 +44,9 @@ func (handler *Handler) proxyRequestsToStoridgeAPI(w http.ResponseWriter, r *htt
 	proxyExtensionKey := string(endpoint.ID) + "_" + string(portainer.StoridgeEndpointExtension)

 	var proxy http.Handler
-	proxy = handler.ProxyManager.GetExtensionProxy(proxyExtensionKey)
+	proxy = handler.ProxyManager.GetLegacyExtensionProxy(proxyExtensionKey)
 	if proxy == nil {
-		proxy, err = handler.ProxyManager.CreateAndRegisterExtensionProxy(proxyExtensionKey, storidgeExtension.URL)
+		proxy, err = handler.ProxyManager.CreateLegacyExtensionProxy(proxyExtensionKey, storidgeExtension.URL)
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to create extension proxy", err}
 		}
--- a/api/http/handler/endpoints/endpoint_delete.go
+++ b/api/http/handler/endpoints/endpoint_delete.go
@ -42,7 +42,6 @@ func (handler *Handler) endpointDelete(w http.ResponseWriter, r *http.Request) *
 	}

 	handler.ProxyManager.DeleteProxy(string(endpointID))
-	handler.ProxyManager.DeleteExtensionProxies(string(endpointID))

 	return response.Empty(w)
 }
--- a/api/http/handler/endpoints/endpoint_extension_add.go
+++ b/api/http/handler/endpoints/endpoint_extension_add.go
@ -1,5 +1,7 @@
 package endpoints

+// TODO: legacy extension management
+
 import (
 	"net/http"

--- a/api/http/handler/endpoints/endpoint_extension_remove.go
+++ b/api/http/handler/endpoints/endpoint_extension_remove.go
@ -1,5 +1,7 @@
 package endpoints

+// TODO: legacy extension management
+
 import (
 	"net/http"

--- a/api/http/handler/extensions/extension_create.go
+++ b/api/http/handler/extensions/extension_create.go
@ -0,0 +1,79 @@
+package extensions
+
+import (
+	"net/http"
+	"strconv"
+
+	"github.com/asaskevich/govalidator"
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	"github.com/portainer/portainer"
+)
+
+type extensionCreatePayload struct {
+	License string
+}
+
+func (payload *extensionCreatePayload) Validate(r *http.Request) error {
+	if govalidator.IsNull(payload.License) {
+		return portainer.Error("Invalid license")
+	}
+
+	return nil
+}
+
+func (handler *Handler) extensionCreate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	var payload extensionCreatePayload
+	err := request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	extensionIdentifier, err := strconv.Atoi(string(payload.License[0]))
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid license format", err}
+	}
+	extensionID := portainer.ExtensionID(extensionIdentifier)
+
+	extensions, err := handler.ExtensionService.Extensions()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve extensions status from the database", err}
+	}
+
+	for _, existingExtension := range extensions {
+		if existingExtension.ID == extensionID {
+			return &httperror.HandlerError{http.StatusConflict, "Unable to enable extension", portainer.ErrExtensionAlreadyEnabled}
+		}
+	}
+
+	extension := &portainer.Extension{
+		ID: extensionID,
+	}
+
+	extensionDefinitions, err := handler.ExtensionManager.FetchExtensionDefinitions()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve extension definitions", err}
+	}
+
+	for _, def := range extensionDefinitions {
+		if def.ID == extension.ID {
+			extension.Version = def.Version
+			break
+		}
+	}
+
+	err = handler.ExtensionManager.EnableExtension(extension, payload.License)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to enable extension", err}
+	}
+
+	extension.Enabled = true
+
+	err = handler.ExtensionService.Persist(extension)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist extension status inside the database", err}
+	}
+
+	return response.Empty(w)
+}
--- a/api/http/handler/extensions/extension_delete.go
+++ b/api/http/handler/extensions/extension_delete.go
@ -0,0 +1,38 @@
+package extensions
+
+import (
+	"net/http"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	"github.com/portainer/portainer"
+)
+
+// DELETE request on /api/extensions/:id
+func (handler *Handler) extensionDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	extensionIdentifier, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid extension identifier route variable", err}
+	}
+	extensionID := portainer.ExtensionID(extensionIdentifier)
+
+	extension, err := handler.ExtensionService.Extension(extensionID)
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a extension with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a extension with the specified identifier inside the database", err}
+	}
+
+	err = handler.ExtensionManager.DisableExtension(extension)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to delete extension", err}
+	}
+
+	err = handler.ExtensionService.DeleteExtension(extensionID)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to delete the extension from the database", err}
+	}
+
+	return response.Empty(w)
+}
--- a/api/http/handler/extensions/extension_inspect.go
+++ b/api/http/handler/extensions/extension_inspect.go
@ -0,0 +1,59 @@
+package extensions
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/coreos/go-semver/semver"
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/http/client"
+)
+
+// GET request on /api/extensions/:id
+func (handler *Handler) extensionInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	extensionIdentifier, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid extension identifier route variable", err}
+	}
+	extensionID := portainer.ExtensionID(extensionIdentifier)
+
+	extensionData, err := client.Get(portainer.ExtensionDefinitionsURL, 30)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve extension definitions", err}
+	}
+
+	var extensions []portainer.Extension
+	err = json.Unmarshal(extensionData, &extensions)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to parse external extension definitions", err}
+	}
+
+	var extension portainer.Extension
+	for _, p := range extensions {
+		if p.ID == extensionID {
+			extension = p
+			break
+		}
+	}
+
+	storedExtension, err := handler.ExtensionService.Extension(extensionID)
+	if err == portainer.ErrObjectNotFound {
+		return response.JSON(w, extension)
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a extension with the specified identifier inside the database", err}
+	}
+
+	extension.Enabled = storedExtension.Enabled
+
+	extensionVer := semver.New(extension.Version)
+	pVer := semver.New(storedExtension.Version)
+
+	if pVer.LessThan(*extensionVer) {
+		extension.UpdateAvailable = true
+	}
+
+	return response.JSON(w, extension)
+}
--- a/api/http/handler/extensions/extension_list.go
+++ b/api/http/handler/extensions/extension_list.go
@ -0,0 +1,55 @@
+package extensions
+
+import (
+	"net/http"
+
+	"github.com/coreos/go-semver/semver"
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	"github.com/portainer/portainer"
+)
+
+// GET request on /api/extensions?store=<store>
+func (handler *Handler) extensionList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	storeDetails, _ := request.RetrieveBooleanQueryParameter(r, "store", true)
+
+	extensions, err := handler.ExtensionService.Extensions()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve extensions from the database", err}
+	}
+
+	if storeDetails {
+		definitions, err := handler.ExtensionManager.FetchExtensionDefinitions()
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve extension definitions", err}
+		}
+
+		for idx := range definitions {
+			associateExtensionData(&definitions[idx], extensions)
+		}
+
+		extensions = definitions
+	}
+
+	return response.JSON(w, extensions)
+}
+
+func associateExtensionData(definition *portainer.Extension, extensions []portainer.Extension) {
+	for _, extension := range extensions {
+		if extension.ID == definition.ID {
+
+			definition.Enabled = extension.Enabled
+			definition.License.Company = extension.License.Company
+			definition.License.Expiration = extension.License.Expiration
+
+			definitionVersion := semver.New(definition.Version)
+			extensionVersion := semver.New(extension.Version)
+			if extensionVersion.LessThan(*definitionVersion) {
+				definition.UpdateAvailable = true
+			}
+
+			break
+		}
+	}
+}
--- a/api/http/handler/extensions/extension_update.go
+++ b/api/http/handler/extensions/extension_update.go
@ -0,0 +1,56 @@
+package extensions
+
+import (
+	"net/http"
+
+	"github.com/asaskevich/govalidator"
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	"github.com/portainer/portainer"
+)
+
+type extensionUpdatePayload struct {
+	Version string
+}
+
+func (payload *extensionUpdatePayload) Validate(r *http.Request) error {
+	if govalidator.IsNull(payload.Version) {
+		return portainer.Error("Invalid extension version")
+	}
+
+	return nil
+}
+
+func (handler *Handler) extensionUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	extensionIdentifier, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid extension identifier route variable", err}
+	}
+	extensionID := portainer.ExtensionID(extensionIdentifier)
+
+	var payload extensionUpdatePayload
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	extension, err := handler.ExtensionService.Extension(extensionID)
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a extension with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a extension with the specified identifier inside the database", err}
+	}
+
+	err = handler.ExtensionManager.UpdateExtension(extension, payload.Version)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update extension", err}
+	}
+
+	err = handler.ExtensionService.Persist(extension)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist extension status inside the database", err}
+	}
+
+	return response.Empty(w)
+}
--- a/api/http/handler/extensions/handler.go
+++ b/api/http/handler/extensions/handler.go
@ -0,0 +1,37 @@
+package extensions
+
+import (
+	"net/http"
+
+	"github.com/gorilla/mux"
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/http/security"
+)
+
+// Handler is the HTTP handler used to handle extension operations.
+type Handler struct {
+	*mux.Router
+	ExtensionService portainer.ExtensionService
+	ExtensionManager portainer.ExtensionManager
+}
+
+// NewHandler creates a handler to manage extension operations.
+func NewHandler(bouncer *security.RequestBouncer) *Handler {
+	h := &Handler{
+		Router: mux.NewRouter(),
+	}
+
+	h.Handle("/extensions",
+		bouncer.AdministratorAccess(httperror.LoggerHandler(h.extensionList))).Methods(http.MethodGet)
+	h.Handle("/extensions",
+		bouncer.AdministratorAccess(httperror.LoggerHandler(h.extensionCreate))).Methods(http.MethodPost)
+	h.Handle("/extensions/{id}",
+		bouncer.AdministratorAccess(httperror.LoggerHandler(h.extensionInspect))).Methods(http.MethodGet)
+	h.Handle("/extensions/{id}",
+		bouncer.AdministratorAccess(httperror.LoggerHandler(h.extensionDelete))).Methods(http.MethodDelete)
+	h.Handle("/extensions/{id}/update",
+		bouncer.AdministratorAccess(httperror.LoggerHandler(h.extensionUpdate))).Methods(http.MethodPost)
+
+	return h
+}
--- a/api/http/handler/handler.go
+++ b/api/http/handler/handler.go
@ -9,6 +9,7 @@ import (
 	"github.com/portainer/portainer/http/handler/endpointgroups"
 	"github.com/portainer/portainer/http/handler/endpointproxy"
 	"github.com/portainer/portainer/http/handler/endpoints"
+	"github.com/portainer/portainer/http/handler/extensions"
 	"github.com/portainer/portainer/http/handler/file"
 	"github.com/portainer/portainer/http/handler/motd"
 	"github.com/portainer/portainer/http/handler/registries"
@ -37,6 +38,7 @@ type Handler struct {
 	EndpointProxyHandler   *endpointproxy.Handler
 	FileHandler            *file.Handler
 	MOTDHandler            *motd.Handler
+	ExtensionHandler       *extensions.Handler
 	RegistryHandler        *registries.Handler
 	ResourceControlHandler *resourcecontrols.Handler
 	SettingsHandler        *settings.Handler
@ -75,6 +77,8 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 	case strings.HasPrefix(r.URL.Path, "/api/motd"):
 		http.StripPrefix("/api", h.MOTDHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/extensions"):
+		http.StripPrefix("/api", h.ExtensionHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/registries"):
 		http.StripPrefix("/api", h.RegistryHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/resource_controls"):
--- a/api/http/handler/registries/handler.go
+++ b/api/http/handler/registries/handler.go
@ -1,23 +1,27 @@
 package registries

 import (
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/portainer"
-	"github.com/portainer/portainer/http/security"
-
 	"net/http"

 	"github.com/gorilla/mux"
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/http/proxy"
+	"github.com/portainer/portainer/http/security"
 )

 func hideFields(registry *portainer.Registry) {
 	registry.Password = ""
+	registry.ManagementConfiguration = nil
 }

 // Handler is the HTTP handler used to handle registry operations.
 type Handler struct {
 	*mux.Router
-	RegistryService portainer.RegistryService
+	RegistryService  portainer.RegistryService
+	ExtensionService portainer.ExtensionService
+	FileService      portainer.FileService
+	ProxyManager     *proxy.Manager
 }

 // NewHandler creates a handler to manage registry operations.
@ -36,8 +40,12 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
 		bouncer.AdministratorAccess(httperror.LoggerHandler(h.registryUpdate))).Methods(http.MethodPut)
 	h.Handle("/registries/{id}/access",
 		bouncer.AdministratorAccess(httperror.LoggerHandler(h.registryUpdateAccess))).Methods(http.MethodPut)
+	h.Handle("/registries/{id}/configure",
+		bouncer.AdministratorAccess(httperror.LoggerHandler(h.registryConfigure))).Methods(http.MethodPost)
 	h.Handle("/registries/{id}",
 		bouncer.AdministratorAccess(httperror.LoggerHandler(h.registryDelete))).Methods(http.MethodDelete)
+	h.PathPrefix("/registries/{id}/v2").Handler(
+		bouncer.AdministratorAccess(httperror.LoggerHandler(h.proxyRequestsToRegistryAPI)))

 	return h
 }
--- a/api/http/handler/registries/proxy.go
+++ b/api/http/handler/registries/proxy.go
@ -0,0 +1,78 @@
+package registries
+
+import (
+	"encoding/json"
+	"net/http"
+	"strconv"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/portainer"
+)
+
+// request on /api/registries/:id/v2
+func (handler *Handler) proxyRequestsToRegistryAPI(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	registryID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid registry identifier route variable", err}
+	}
+
+	registry, err := handler.RegistryService.Registry(portainer.RegistryID(registryID))
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a registry with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a registry with the specified identifier inside the database", err}
+	}
+
+	extension, err := handler.ExtensionService.Extension(portainer.RegistryManagementExtension)
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Registry management extension is not enabled", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a extension with the specified identifier inside the database", err}
+	}
+
+	var proxy http.Handler
+	proxy = handler.ProxyManager.GetExtensionProxy(portainer.RegistryManagementExtension)
+	if proxy == nil {
+		proxy, err = handler.ProxyManager.CreateExtensionProxy(portainer.RegistryManagementExtension)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to register registry proxy", err}
+		}
+	}
+
+	managementConfiguration := registry.ManagementConfiguration
+	if managementConfiguration == nil {
+		managementConfiguration = createDefaultManagementConfiguration(registry)
+	}
+
+	encodedConfiguration, err := json.Marshal(managementConfiguration)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to encode management configuration", err}
+	}
+
+	id := strconv.Itoa(int(registryID))
+	r.Header.Set("X-RegistryManagement-Key", id)
+	r.Header.Set("X-RegistryManagement-URI", registry.URL)
+	r.Header.Set("X-RegistryManagement-Config", string(encodedConfiguration))
+	r.Header.Set("X-PortainerExtension-License", extension.License.LicenseKey)
+
+	http.StripPrefix("/registries/"+id, proxy).ServeHTTP(w, r)
+	return nil
+}
+
+func createDefaultManagementConfiguration(registry *portainer.Registry) *portainer.RegistryManagementConfiguration {
+	config := &portainer.RegistryManagementConfiguration{
+		Type: registry.Type,
+		TLSConfig: portainer.TLSConfiguration{
+			TLS: false,
+		},
+	}
+
+	if registry.Authentication {
+		config.Authentication = true
+		config.Username = registry.Username
+		config.Password = registry.Password
+	}
+
+	return config
+}
--- a/api/http/handler/registries/registry_configure.go
+++ b/api/http/handler/registries/registry_configure.go
@ -0,0 +1,137 @@
+package registries
+
+import (
+	"net/http"
+	"strconv"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	"github.com/portainer/portainer"
+)
+
+type registryConfigurePayload struct {
+	Authentication bool
+	Username       string
+	Password       string
+	TLS            bool
+	TLSSkipVerify  bool
+	TLSCertFile    []byte
+	TLSKeyFile     []byte
+	TLSCACertFile  []byte
+}
+
+func (payload *registryConfigurePayload) Validate(r *http.Request) error {
+	useAuthentication, _ := request.RetrieveBooleanMultiPartFormValue(r, "Authentication", true)
+	payload.Authentication = useAuthentication
+
+	if useAuthentication {
+		username, err := request.RetrieveMultiPartFormValue(r, "Username", false)
+		if err != nil {
+			return portainer.Error("Invalid username")
+		}
+		payload.Username = username
+
+		password, _ := request.RetrieveMultiPartFormValue(r, "Password", true)
+		payload.Password = password
+	}
+
+	useTLS, _ := request.RetrieveBooleanMultiPartFormValue(r, "TLS", true)
+	payload.TLS = useTLS
+
+	skipTLSVerify, _ := request.RetrieveBooleanMultiPartFormValue(r, "TLSSkipVerify", true)
+	payload.TLSSkipVerify = skipTLSVerify
+
+	if useTLS && !skipTLSVerify {
+		cert, _, err := request.RetrieveMultiPartFormFile(r, "TLSCertFile")
+		if err != nil {
+			return portainer.Error("Invalid certificate file. Ensure that the file is uploaded correctly")
+		}
+		payload.TLSCertFile = cert
+
+		key, _, err := request.RetrieveMultiPartFormFile(r, "TLSKeyFile")
+		if err != nil {
+			return portainer.Error("Invalid key file. Ensure that the file is uploaded correctly")
+		}
+		payload.TLSKeyFile = key
+
+		ca, _, err := request.RetrieveMultiPartFormFile(r, "TLSCACertFile")
+		if err != nil {
+			return portainer.Error("Invalid CA certificate file. Ensure that the file is uploaded correctly")
+		}
+		payload.TLSCACertFile = ca
+	}
+
+	return nil
+}
+
+// POST request on /api/registries/:id/configure
+func (handler *Handler) registryConfigure(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	registryID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid registry identifier route variable", err}
+	}
+
+	payload := &registryConfigurePayload{}
+	err = payload.Validate(r)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	registry, err := handler.RegistryService.Registry(portainer.RegistryID(registryID))
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a registry with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a registry with the specified identifier inside the database", err}
+	}
+
+	registry.ManagementConfiguration = &portainer.RegistryManagementConfiguration{
+		Type: registry.Type,
+	}
+
+	if payload.Authentication {
+		registry.ManagementConfiguration.Authentication = true
+		registry.ManagementConfiguration.Username = payload.Username
+		if payload.Username == registry.Username && payload.Password == "" {
+			registry.ManagementConfiguration.Password = registry.Password
+		} else {
+			registry.ManagementConfiguration.Password = payload.Password
+		}
+	}
+
+	if payload.TLS {
+		registry.ManagementConfiguration.TLSConfig = portainer.TLSConfiguration{
+			TLS:           true,
+			TLSSkipVerify: payload.TLSSkipVerify,
+		}
+
+		if !payload.TLSSkipVerify {
+			folder := strconv.Itoa(int(registry.ID))
+
+			certPath, err := handler.FileService.StoreRegistryManagementFileFromBytes(folder, "cert.pem", payload.TLSCertFile)
+			if err != nil {
+				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist TLS certificate file on disk", err}
+			}
+			registry.ManagementConfiguration.TLSConfig.TLSCertPath = certPath
+
+			keyPath, err := handler.FileService.StoreRegistryManagementFileFromBytes(folder, "key.pem", payload.TLSKeyFile)
+			if err != nil {
+				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist TLS key file on disk", err}
+			}
+			registry.ManagementConfiguration.TLSConfig.TLSKeyPath = keyPath
+
+			cacertPath, err := handler.FileService.StoreRegistryManagementFileFromBytes(folder, "ca.pem", payload.TLSCACertFile)
+			if err != nil {
+				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist TLS CA certificate file on disk", err}
+			}
+			registry.ManagementConfiguration.TLSConfig.TLSCACertPath = cacertPath
+		}
+	}
+
+	err = handler.RegistryService.UpdateRegistry(registry.ID, registry)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist registry changes inside the database", err}
+	}
+
+	return response.Empty(w)
+}
--- a/api/http/handler/registries/registry_create.go
+++ b/api/http/handler/registries/registry_create.go
@ -12,6 +12,7 @@ import (

 type registryCreatePayload struct {
 	Name           string
+	Type           int
 	URL            string
 	Authentication bool
 	Username       string
@ -28,6 +29,9 @@ func (payload *registryCreatePayload) Validate(r *http.Request) error {
 	if payload.Authentication && (govalidator.IsNull(payload.Username) || govalidator.IsNull(payload.Password)) {
 		return portainer.Error("Invalid credentials. Username and password must be specified when authentication is enabled")
 	}
+	if payload.Type != 1 && payload.Type != 2 && payload.Type != 3 {
+		return portainer.Error("Invalid registry type. Valid values are: 1 (Quay.io), 2 (Azure container registry) or 3 (custom registry)")
+	}
 	return nil
 }

@ -49,6 +53,7 @@ func (handler *Handler) registryCreate(w http.ResponseWriter, r *http.Request) *
 	}

 	registry := &portainer.Registry{
+		Type:            portainer.RegistryType(payload.Type),
 		Name:            payload.Name,
 		URL:             payload.URL,
 		Authentication:  payload.Authentication,
--- a/api/http/proxy/factory.go
+++ b/api/http/proxy/factory.go
@ -25,7 +25,7 @@ type proxyFactory struct {

 func (factory *proxyFactory) newHTTPProxy(u *url.URL) http.Handler {
 	u.Scheme = "http"
-	return newSingleHostReverseProxyWithHostHeader(u)
+	return httputil.NewSingleHostReverseProxy(u)
 }

 func newAzureProxy(credentials *portainer.AzureCredentials) (http.Handler, error) {
--- a/api/http/proxy/manager.go
+++ b/api/http/proxy/manager.go
@ -3,18 +3,25 @@ package proxy
 import (
 	"net/http"
 	"net/url"
-	"strings"
+	"strconv"

 	"github.com/orcaman/concurrent-map"
 	"github.com/portainer/portainer"
 )

+// TODO: contain code related to legacy extension management
+
+var extensionPorts = map[portainer.ExtensionID]string{
+	portainer.RegistryManagementExtension: "7001",
+}
+
 type (
 	// Manager represents a service used to manage Docker proxies.
 	Manager struct {
-		proxyFactory     *proxyFactory
-		proxies          cmap.ConcurrentMap
-		extensionProxies cmap.ConcurrentMap
+		proxyFactory           *proxyFactory
+		proxies                cmap.ConcurrentMap
+		extensionProxies       cmap.ConcurrentMap
+		legacyExtensionProxies cmap.ConcurrentMap
 	}

 	// ManagerParams represents the required parameters to create a new Manager instance.
@ -31,8 +38,9 @@ type (
 // NewManager initializes a new proxy Service
 func NewManager(parameters *ManagerParams) *Manager {
 	return &Manager{
-		proxies:          cmap.New(),
-		extensionProxies: cmap.New(),
+		proxies:                cmap.New(),
+		extensionProxies:       cmap.New(),
+		legacyExtensionProxies: cmap.New(),
 		proxyFactory: &proxyFactory{
 			ResourceControlService: parameters.ResourceControlService,
 			TeamMembershipService:  parameters.TeamMembershipService,
@ -44,6 +52,83 @@ func NewManager(parameters *ManagerParams) *Manager {
 	}
 }

+// GetProxy returns the proxy associated to a key
+func (manager *Manager) GetProxy(key string) http.Handler {
+	proxy, ok := manager.proxies.Get(key)
+	if !ok {
+		return nil
+	}
+	return proxy.(http.Handler)
+}
+
+// CreateAndRegisterProxy creates a new HTTP reverse proxy based on endpoint properties and and adds it to the registered proxies.
+// It can also be used to create a new HTTP reverse proxy and replace an already registered proxy.
+func (manager *Manager) CreateAndRegisterProxy(endpoint *portainer.Endpoint) (http.Handler, error) {
+	proxy, err := manager.createProxy(endpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	manager.proxies.Set(string(endpoint.ID), proxy)
+	return proxy, nil
+}
+
+// DeleteProxy deletes the proxy associated to a key
+func (manager *Manager) DeleteProxy(key string) {
+	manager.proxies.Remove(key)
+}
+
+// GetExtensionProxy returns an extension proxy associated to an extension identifier
+func (manager *Manager) GetExtensionProxy(extensionID portainer.ExtensionID) http.Handler {
+	proxy, ok := manager.extensionProxies.Get(strconv.Itoa(int(extensionID)))
+	if !ok {
+		return nil
+	}
+	return proxy.(http.Handler)
+}
+
+// CreateExtensionProxy creates a new HTTP reverse proxy for an extension and
+// registers it in the extension map associated to the specified extension identifier
+func (manager *Manager) CreateExtensionProxy(extensionID portainer.ExtensionID) (http.Handler, error) {
+	address := "http://localhost:" + extensionPorts[extensionID]
+
+	extensionURL, err := url.Parse(address)
+	if err != nil {
+		return nil, err
+	}
+
+	proxy := manager.proxyFactory.newHTTPProxy(extensionURL)
+	manager.extensionProxies.Set(strconv.Itoa(int(extensionID)), proxy)
+
+	return proxy, nil
+}
+
+// DeleteExtensionProxy deletes the extension proxy associated to an extension identifier
+func (manager *Manager) DeleteExtensionProxy(extensionID portainer.ExtensionID) {
+	manager.extensionProxies.Remove(strconv.Itoa(int(extensionID)))
+}
+
+// GetLegacyExtensionProxy returns a legacy extension proxy associated to a key
+func (manager *Manager) GetLegacyExtensionProxy(key string) http.Handler {
+	proxy, ok := manager.legacyExtensionProxies.Get(key)
+	if !ok {
+		return nil
+	}
+	return proxy.(http.Handler)
+}
+
+// CreateLegacyExtensionProxy creates a new HTTP reverse proxy for a legacy extension and adds it to the registered proxies.
+func (manager *Manager) CreateLegacyExtensionProxy(key, extensionAPIURL string) (http.Handler, error) {
+	extensionURL, err := url.Parse(extensionAPIURL)
+	if err != nil {
+		return nil, err
+	}
+
+	proxy := manager.proxyFactory.newHTTPProxy(extensionURL)
+	manager.extensionProxies.Set(key, proxy)
+	return proxy, nil
+}
+
 func (manager *Manager) createDockerProxy(endpointURL *url.URL, tlsConfig *portainer.TLSConfiguration) (http.Handler, error) {
 	if endpointURL.Scheme == "tcp" {
 		if tlsConfig.TLS || tlsConfig.TLSSkipVerify {
@ -69,59 +154,3 @@ func (manager *Manager) createProxy(endpoint *portainer.Endpoint) (http.Handler,
 		return manager.createDockerProxy(endpointURL, &endpoint.TLSConfig)
 	}
 }
-
-// CreateAndRegisterProxy creates a new HTTP reverse proxy based on endpoint properties and and adds it to the registered proxies.
-// It can also be used to create a new HTTP reverse proxy and replace an already registered proxy.
-func (manager *Manager) CreateAndRegisterProxy(endpoint *portainer.Endpoint) (http.Handler, error) {
-	proxy, err := manager.createProxy(endpoint)
-	if err != nil {
-		return nil, err
-	}
-
-	manager.proxies.Set(string(endpoint.ID), proxy)
-	return proxy, nil
-}
-
-// GetProxy returns the proxy associated to a key
-func (manager *Manager) GetProxy(key string) http.Handler {
-	proxy, ok := manager.proxies.Get(key)
-	if !ok {
-		return nil
-	}
-	return proxy.(http.Handler)
-}
-
-// DeleteProxy deletes the proxy associated to a key
-func (manager *Manager) DeleteProxy(key string) {
-	manager.proxies.Remove(key)
-}
-
-// CreateAndRegisterExtensionProxy creates a new HTTP reverse proxy for an extension and adds it to the registered proxies.
-func (manager *Manager) CreateAndRegisterExtensionProxy(key, extensionAPIURL string) (http.Handler, error) {
-	extensionURL, err := url.Parse(extensionAPIURL)
-	if err != nil {
-		return nil, err
-	}
-
-	proxy := manager.proxyFactory.newHTTPProxy(extensionURL)
-	manager.extensionProxies.Set(key, proxy)
-	return proxy, nil
-}
-
-// GetExtensionProxy returns the extension proxy associated to a key
-func (manager *Manager) GetExtensionProxy(key string) http.Handler {
-	proxy, ok := manager.extensionProxies.Get(key)
-	if !ok {
-		return nil
-	}
-	return proxy.(http.Handler)
-}
-
-// DeleteExtensionProxies deletes all the extension proxies associated to a key
-func (manager *Manager) DeleteExtensionProxies(key string) {
-	for _, k := range manager.extensionProxies.Keys() {
-		if strings.Contains(k, key+"_") {
-			manager.extensionProxies.Remove(k)
-		}
-	}
-}
--- a/api/http/server.go
+++ b/api/http/server.go
@ -11,6 +11,7 @@ import (
 	"github.com/portainer/portainer/http/handler/endpointgroups"
 	"github.com/portainer/portainer/http/handler/endpointproxy"
 	"github.com/portainer/portainer/http/handler/endpoints"
+	"github.com/portainer/portainer/http/handler/extensions"
 	"github.com/portainer/portainer/http/handler/file"
 	"github.com/portainer/portainer/http/handler/motd"
 	"github.com/portainer/portainer/http/handler/registries"
@ -41,6 +42,7 @@ type Server struct {
 	AuthDisabled           bool
 	EndpointManagement     bool
 	Status                 *portainer.Status
+	ExtensionManager       portainer.ExtensionManager
 	ComposeStackManager    portainer.ComposeStackManager
 	CryptoService          portainer.CryptoService
 	SignatureService       portainer.DigitalSignatureService
@ -53,6 +55,7 @@ type Server struct {
 	GitService             portainer.GitService
 	JWTService             portainer.JWTService
 	LDAPService            portainer.LDAPService
+	ExtensionService       portainer.ExtensionService
 	RegistryService        portainer.RegistryService
 	ResourceControlService portainer.ResourceControlService
 	ScheduleService        portainer.ScheduleService
@ -128,8 +131,15 @@ func (server *Server) Start() error {

 	var motdHandler = motd.NewHandler(requestBouncer)

+	var extensionHandler = extensions.NewHandler(requestBouncer)
+	extensionHandler.ExtensionService = server.ExtensionService
+	extensionHandler.ExtensionManager = server.ExtensionManager
+
 	var registryHandler = registries.NewHandler(requestBouncer)
 	registryHandler.RegistryService = server.RegistryService
+	registryHandler.ExtensionService = server.ExtensionService
+	registryHandler.FileService = server.FileService
+	registryHandler.ProxyManager = proxyManager

 	var resourceControlHandler = resourcecontrols.NewHandler(requestBouncer)
 	resourceControlHandler.ResourceControlService = server.ResourceControlService
@ -203,6 +213,7 @@ func (server *Server) Start() error {
 		EndpointProxyHandler:   endpointProxyHandler,
 		FileHandler:            fileHandler,
 		MOTDHandler:            motdHandler,
+		ExtensionHandler:       extensionHandler,
 		RegistryHandler:        registryHandler,
 		ResourceControlHandler: resourceControlHandler,
 		SettingsHandler:        settingsHandler,
--- a/api/portainer.go
+++ b/api/portainer.go
@ -165,17 +165,32 @@ type (
 	// RegistryID represents a registry identifier
 	RegistryID int

+	// RegistryType represents a type of registry
+	RegistryType int
+
 	// Registry represents a Docker registry with all the info required
 	// to connect to it
 	Registry struct {
-		ID              RegistryID `json:"Id"`
-		Name            string     `json:"Name"`
-		URL             string     `json:"URL"`
-		Authentication  bool       `json:"Authentication"`
-		Username        string     `json:"Username"`
-		Password        string     `json:"Password,omitempty"`
-		AuthorizedUsers []UserID   `json:"AuthorizedUsers"`
-		AuthorizedTeams []TeamID   `json:"AuthorizedTeams"`
+		ID                      RegistryID                       `json:"Id"`
+		Type                    RegistryType                     `json:"Type"`
+		Name                    string                           `json:"Name"`
+		URL                     string                           `json:"URL"`
+		Authentication          bool                             `json:"Authentication"`
+		Username                string                           `json:"Username"`
+		Password                string                           `json:"Password,omitempty"`
+		AuthorizedUsers         []UserID                         `json:"AuthorizedUsers"`
+		AuthorizedTeams         []TeamID                         `json:"AuthorizedTeams"`
+		ManagementConfiguration *RegistryManagementConfiguration `json:"ManagementConfiguration"`
+	}
+
+	// RegistryManagementConfiguration represents a configuration that can be used to query
+	// the registry API via the registry management extension.
+	RegistryManagementConfiguration struct {
+		Type           RegistryType     `json:"Type"`
+		Authentication bool             `json:"Authentication"`
+		Username       string           `json:"Username"`
+		Password       string           `json:"Password"`
+		TLSConfig      TLSConfiguration `json:"TLSConfig"`
 	}

 	// DockerHub represents all the required information to connect and use the
@ -323,7 +338,8 @@ type (
 		Labels []Pair `json:"Labels"`
 	}

-	// EndpointExtension represents a extension associated to an endpoint
+	// EndpointExtension represents a deprecated form of Portainer extension
+	// TODO: legacy extension management
 	EndpointExtension struct {
 		Type EndpointExtensionType `json:"Type"`
 		URL  string                `json:"URL"`
@ -459,6 +475,35 @@ type (
 	// It can be either a TLS CA file, a TLS certificate file or a TLS key file
 	TLSFileType int

+	// ExtensionID represents a extension identifier
+	ExtensionID int
+
+	// Extension represents a Portainer extension
+	Extension struct {
+		ID               ExtensionID        `json:"Id"`
+		Enabled          bool               `json:"Enabled"`
+		Name             string             `json:"Name,omitempty"`
+		ShortDescription string             `json:"ShortDescription,omitempty"`
+		Description      string             `json:"Description,omitempty"`
+		Price            string             `json:"Price,omitempty"`
+		PriceDescription string             `json:"PriceDescription,omitempty"`
+		Deal             bool               `json:"Deal,omitempty"`
+		Available        bool               `json:"Available,omitempty"`
+		License          LicenseInformation `json:"License,omitempty"`
+		Version          string             `json:"Version"`
+		UpdateAvailable  bool               `json:"UpdateAvailable"`
+		ProductID        int                `json:"ProductId,omitempty"`
+		Images           []string           `json:"Images,omitempty"`
+		Logo             string             `json:"Logo,omitempty"`
+	}
+
+	// LicenseInformation represents information about an extension license
+	LicenseInformation struct {
+		LicenseKey string `json:"LicenseKey,omitempty"`
+		Company    string `json:"Company,omitempty"`
+		Expiration string `json:"Expiration,omitempty"`
+	}
+
 	// CLIService represents a service for managing CLI
 	CLIService interface {
 		ParseFlags(version string) (*CLIFlags, error)
@ -617,6 +662,14 @@ type (
 		DeleteTemplate(ID TemplateID) error
 	}

+	// ExtensionService represents a service for managing extension data
+	ExtensionService interface {
+		Extension(ID ExtensionID) (*Extension, error)
+		Extensions() ([]Extension, error)
+		Persist(extension *Extension) error
+		DeleteExtension(ID ExtensionID) error
+	}
+
 	// CryptoService represents a service for encrypting/hashing data
 	CryptoService interface {
 		Hash(data string) (string, error)
@ -649,6 +702,7 @@ type (
 		DeleteTLSFiles(folder string) error
 		GetStackProjectPath(stackIdentifier string) string
 		StoreStackFileFromBytes(stackIdentifier, fileName string, data []byte) (string, error)
+		StoreRegistryManagementFileFromBytes(folder, fileName string, data []byte) (string, error)
 		KeyPairFilesExist() (bool, error)
 		StoreKeyPair(private, public []byte, privatePEMHeader, publicPEMHeader string) error
 		LoadKeyPair() ([]byte, []byte, error)
@ -656,6 +710,8 @@ type (
 		FileExists(path string) (bool, error)
 		StoreScheduledJobFileFromBytes(identifier string, data []byte) (string, error)
 		GetScheduleFolder(identifier string) string
+		ExtractExtensionArchive(data []byte) error
+		GetBinaryFolder() string
 	}

 	// GitService represents a service for managing Git
@ -709,6 +765,14 @@ type (
 	JobService interface {
 		ExecuteScript(endpoint *Endpoint, nodeName, image string, script []byte, schedule *Schedule) error
 	}
+
+	// ExtensionManager represents a service used to manage extensions
+	ExtensionManager interface {
+		FetchExtensionDefinitions() ([]Extension, error)
+		EnableExtension(extension *Extension, licenseKey string) error
+		DisableExtension(extension *Extension) error
+		UpdateExtension(extension *Extension, version string) error
+	}
 )

 const (
@ -718,6 +782,8 @@ const (
 	DBVersion = 15
 	// MessageOfTheDayURL represents the URL where Portainer MOTD message can be retrieved
 	MessageOfTheDayURL = "https://portainer-io-assets.sfo2.digitaloceanspaces.com/motd.html"
+	// ExtensionDefinitionsURL represents the URL where Portainer extension definitions can be retrieved
+	ExtensionDefinitionsURL = "https://portainer-io-assets.sfo2.digitaloceanspaces.com/extensions.json"
 	// PortainerAgentHeader represents the name of the header available in any agent response
 	PortainerAgentHeader = "Portainer-Agent"
 	// PortainerAgentTargetHeader represent the name of the header containing the target node name
@ -838,6 +904,12 @@ const (
 	ServiceWebhook
 )

+const (
+	_ ExtensionID = iota
+	// RegistryManagementExtension represents the registry management extension
+	RegistryManagementExtension
+)
+
 const (
 	_ JobType = iota
 	// ScriptExecutionJobType is a non-system job used to execute a script against a list of
@ -849,3 +921,13 @@ const (
 	// an external definition store
 	EndpointSyncJobType
 )
+
+const (
+	_ RegistryType = iota
+	// QuayRegistry represents a Quay.io registry
+	QuayRegistry
+	// AzureRegistry represents an ACR registry
+	AzureRegistry
+	// CustomRegistry represents a custom registry
+	CustomRegistry
+)