Updates for release 2.32.0 (#936)

Co-authored-by: JamesPlayer <james.player@portainer.io>

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -94,6 +94,11 @@ body:
       description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [updating first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
       multiple: false
       options:
+        - '2.32.0'
+        - '2.31.3'
+        - '2.31.2'
+        - '2.31.1'
+        - '2.31.0'
         - '2.30.1'
         - '2.30.0'
         - '2.29.2'
@@ -101,6 +106,9 @@ body:
         - '2.29.0'
         - '2.28.1'
         - '2.28.0'
+        - '2.27.9'
+        - '2.27.8'
+        - '2.27.7'
         - '2.27.6'
         - '2.27.5'
         - '2.27.4'

api/cli/cli.go

@@ -61,6 +61,8 @@ func CLIFlags() *portainer.CLIFlags {
 		LogMode:                   kingpin.Flag("log-mode", "Set the logging output mode").Default("PRETTY").Enum("NOCOLOR", "PRETTY", "JSON"),
 		KubectlShellImage:         kingpin.Flag("kubectl-shell-image", "Kubectl shell image").Envar(portainer.KubectlShellImageEnvVar).Default(portainer.DefaultKubectlShellImage).String(),
 		PullLimitCheckDisabled:    kingpin.Flag("pull-limit-check-disabled", "Pull limit check").Envar(portainer.PullLimitCheckDisabledEnvVar).Default(defaultPullLimitCheckDisabled).Bool(),
+		TrustedOrigins:            kingpin.Flag("trusted-origins", "List of trusted origins for CSRF protection. Separate multiple origins with a comma.").Envar(portainer.TrustedOriginsEnvVar).String(),
+		CSP:                       kingpin.Flag("csp", "Content Security Policy (CSP) header").Envar(portainer.CSPEnvVar).Default("true").Bool(),
 	}
 }
 

api/cmd/portainer/main.go

@@ -52,6 +52,7 @@ import (
 	"github.com/portainer/portainer/pkg/libhelm"
 	libhelmtypes "github.com/portainer/portainer/pkg/libhelm/types"
 	"github.com/portainer/portainer/pkg/libstack/compose"
+	"github.com/portainer/portainer/pkg/validate"
 
 	"github.com/gofrs/uuid"
 	"github.com/rs/zerolog/log"
@@ -330,6 +331,18 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		featureflags.Parse(*flags.FeatureFlags, portainer.SupportedFeatureFlags)
 	}
 
+	trustedOrigins := []string{}
+	if *flags.TrustedOrigins != "" {
+		// validate if the trusted origins are valid urls
+		for _, origin := range strings.Split(*flags.TrustedOrigins, ",") {
+			if !validate.IsTrustedOrigin(origin) {
+				log.Fatal().Str("trusted_origin", origin).Msg("invalid url for trusted origin. Please check the trusted origins flag.")
+			}
+
+			trustedOrigins = append(trustedOrigins, origin)
+		}
+	}
+
 	fileService := initFileService(*flags.Data)
 	encryptionKey := loadEncryptionSecretKey(*flags.SecretKeyName)
 	if encryptionKey == nil {
@@ -370,7 +383,8 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 
 	gitService := git.NewService(shutdownCtx)
 
-	openAMTService := openamt.NewService()
+	// Setting insecureSkipVerify to true to preserve the old behaviour.
+	openAMTService := openamt.NewService(true)
 
 	cryptoService := &crypto.Service{}
 
@@ -437,7 +451,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 
 	snapshotService.Start()
 
-	proxyManager.NewProxyFactory(dataStore, signatureService, reverseTunnelService, dockerClientFactory, kubernetesClientFactory, kubernetesTokenCacheManager, gitService, snapshotService)
+	proxyManager.NewProxyFactory(dataStore, signatureService, reverseTunnelService, dockerClientFactory, kubernetesClientFactory, kubernetesTokenCacheManager, gitService, snapshotService, jwtService)
 
 	helmPackageManager, err := initHelmPackageManager()
 	if err != nil {
@@ -545,6 +559,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		Status:                      applicationStatus,
 		BindAddress:                 *flags.Addr,
 		BindAddressHTTPS:            *flags.AddrHTTPS,
+		CSP:                         *flags.CSP,
 		HTTPEnabled:                 sslDBSettings.HTTPEnabled,
 		AssetsPath:                  *flags.Assets,
 		DataStore:                   dataStore,
@@ -578,6 +593,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		PendingActionsService:       pendingActionsService,
 		PlatformService:             platformService,
 		PullLimitCheckDisabled:      *flags.PullLimitCheckDisabled,
+		TrustedOrigins:              trustedOrigins,
 	}
 }
 

api/database/boltdb/db.go

@@ -138,6 +138,8 @@ func (connection *DbConnection) Open() error {
 	db, err := bolt.Open(databasePath, 0600, &bolt.Options{
 		Timeout:         1 * time.Second,
 		InitialMmapSize: connection.InitialMmapSize,
+		FreelistType:    bolt.FreelistMapType,
+		NoFreelistSync:  true,
 	})
 	if err != nil {
 		return err

api/dataservices/base.go

@@ -10,7 +10,7 @@ type BaseCRUD[T any, I constraints.Integer] interface {
 	Create(element *T) error
 	Read(ID I) (*T, error)
 	Exists(ID I) (bool, error)
-	ReadAll() ([]T, error)
+	ReadAll(predicates ...func(T) bool) ([]T, error)
 	Update(ID I, element *T) error
 	Delete(ID I) error
 }
@@ -56,12 +56,13 @@ func (service BaseDataService[T, I]) Exists(ID I) (bool, error) {
 	return exists, err
 }
 
-func (service BaseDataService[T, I]) ReadAll() ([]T, error) {
+// ReadAll retrieves all the elements that satisfy all the provided predicates.
+func (service BaseDataService[T, I]) ReadAll(predicates ...func(T) bool) ([]T, error) {
 	var collection = make([]T, 0)
 
 	return collection, service.Connection.ViewTx(func(tx portainer.Transaction) error {
 		var err error
-		collection, err = service.Tx(tx).ReadAll()
+		collection, err = service.Tx(tx).ReadAll(predicates...)
 
 		return err
 	})

api/dataservices/base_test.go

@@ -0,0 +1,92 @@
+package dataservices
+
+import (
+	"strconv"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/slicesx"
+
+	"github.com/stretchr/testify/require"
+)
+
+type testObject struct {
+	ID    int
+	Value int
+}
+
+type mockConnection struct {
+	store map[int]testObject
+
+	portainer.Connection
+}
+
+func (m mockConnection) UpdateObject(bucket string, key []byte, value interface{}) error {
+	obj := value.(*testObject)
+
+	m.store[obj.ID] = *obj
+
+	return nil
+}
+
+func (m mockConnection) GetAll(bucketName string, obj any, appendFn func(o any) (any, error)) error {
+	for _, v := range m.store {
+		if _, err := appendFn(&v); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m mockConnection) UpdateTx(fn func(portainer.Transaction) error) error {
+	return fn(m)
+}
+
+func (m mockConnection) ViewTx(fn func(portainer.Transaction) error) error {
+	return fn(m)
+}
+
+func (m mockConnection) ConvertToKey(v int) []byte {
+	return []byte(strconv.Itoa(v))
+}
+
+func TestReadAll(t *testing.T) {
+	service := BaseDataService[testObject, int]{
+		Bucket:     "testBucket",
+		Connection: mockConnection{store: make(map[int]testObject)},
+	}
+
+	data := []testObject{
+		{ID: 1, Value: 1},
+		{ID: 2, Value: 2},
+		{ID: 3, Value: 3},
+		{ID: 4, Value: 4},
+		{ID: 5, Value: 5},
+	}
+
+	for _, item := range data {
+		err := service.Update(item.ID, &item)
+		require.NoError(t, err)
+	}
+
+	// ReadAll without predicates
+	result, err := service.ReadAll()
+	require.NoError(t, err)
+
+	expected := append([]testObject{}, data...)
+
+	require.ElementsMatch(t, expected, result)
+
+	// ReadAll with predicates
+	hasLowID := func(obj testObject) bool { return obj.ID < 3 }
+	isEven := func(obj testObject) bool { return obj.Value%2 == 0 }
+
+	result, err = service.ReadAll(hasLowID, isEven)
+	require.NoError(t, err)
+
+	expected = slicesx.Filter(expected, hasLowID)
+	expected = slicesx.Filter(expected, isEven)
+
+	require.ElementsMatch(t, expected, result)
+}

api/dataservices/base_tx.go

@@ -34,13 +34,32 @@ func (service BaseDataServiceTx[T, I]) Exists(ID I) (bool, error) {
 	return service.Tx.KeyExists(service.Bucket, identifier)
 }
 
-func (service BaseDataServiceTx[T, I]) ReadAll() ([]T, error) {
+// ReadAll retrieves all the elements that satisfy all the provided predicates.
+func (service BaseDataServiceTx[T, I]) ReadAll(predicates ...func(T) bool) ([]T, error) {
 	var collection = make([]T, 0)
 
+	if len(predicates) == 0 {
+		return collection, service.Tx.GetAll(
+			service.Bucket,
+			new(T),
+			AppendFn(&collection),
+		)
+	}
+
+	filterFn := func(element T) bool {
+		for _, p := range predicates {
+			if !p(element) {
+				return false
+			}
+		}
+
+		return true
+	}
+
 	return collection, service.Tx.GetAll(
 		service.Bucket,
 		new(T),
-		AppendFn(&collection),
+		FilterFn(&collection, filterFn),
 	)
 }
 

api/dataservices/edgegroup/tx.go

@@ -17,11 +17,29 @@ func (service ServiceTx) UpdateEdgeGroupFunc(ID portainer.EdgeGroupID, updateFun
 }
 
 func (service ServiceTx) Create(group *portainer.EdgeGroup) error {
-	return service.Tx.CreateObject(
+	es := group.Endpoints
+	group.Endpoints = nil // Clear deprecated field
+
+	err := service.Tx.CreateObject(
 		BucketName,
 		func(id uint64) (int, any) {
 			group.ID = portainer.EdgeGroupID(id)
 			return int(group.ID), group
 		},
 	)
+
+	group.Endpoints = es // Restore endpoints after create
+
+	return err
+}
+
+func (service ServiceTx) Update(ID portainer.EdgeGroupID, group *portainer.EdgeGroup) error {
+	es := group.Endpoints
+	group.Endpoints = nil // Clear deprecated field
+
+	err := service.BaseDataServiceTx.Update(ID, group)
+
+	group.Endpoints = es // Restore endpoints after update
+
+	return err
 }

api/dataservices/endpointrelation/endpointrelation.go

@@ -112,13 +112,13 @@ func (service *Service) UpdateEndpointRelation(endpointID portainer.EndpointID,
 }
 
 func (service *Service) AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
-	return service.connection.ViewTx(func(tx portainer.Transaction) error {
+	return service.connection.UpdateTx(func(tx portainer.Transaction) error {
 		return service.Tx(tx).AddEndpointRelationsForEdgeStack(endpointIDs, edgeStackID)
 	})
 }
 
 func (service *Service) RemoveEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
-	return service.connection.ViewTx(func(tx portainer.Transaction) error {
+	return service.connection.UpdateTx(func(tx portainer.Transaction) error {
 		return service.Tx(tx).RemoveEndpointRelationsForEdgeStack(endpointIDs, edgeStackID)
 	})
 }

api/datastore/migrate_data.go

@@ -85,6 +85,7 @@ func (store *Store) newMigratorParameters(version *models.Version, flags *portai
 		EdgeStackService:        store.EdgeStackService,
 		EdgeStackStatusService:  store.EdgeStackStatusService,
 		EdgeJobService:          store.EdgeJobService,
+		EdgeGroupService:        store.EdgeGroupService,
 		TunnelServerService:     store.TunnelServerService,
 		PendingActionsService:   store.PendingActionsService,
 	}

api/datastore/migrator/migrate_2_32_0.go

@@ -0,0 +1,33 @@
+package migrator
+
+import (
+	"github.com/pkg/errors"
+	portainer "github.com/portainer/portainer/api"
+	perrors "github.com/portainer/portainer/api/dataservices/errors"
+	"github.com/portainer/portainer/api/internal/endpointutils"
+)
+
+func (m *Migrator) addEndpointRelationForEdgeAgents_2_32_0() error {
+	endpoints, err := m.endpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range endpoints {
+		if endpointutils.IsEdgeEndpoint(&endpoint) {
+			_, err := m.endpointRelationService.EndpointRelation(endpoint.ID)
+			if err != nil && errors.Is(err, perrors.ErrObjectNotFound) {
+				relation := &portainer.EndpointRelation{
+					EndpointID: endpoint.ID,
+					EdgeStacks: make(map[portainer.EdgeStackID]bool),
+				}
+
+				if err := m.endpointRelationService.Create(relation); err != nil {
+					return err
+				}
+			}
+		}
+	}
+
+	return nil
+}

api/datastore/migrator/migrate_2_33_0.go

@@ -0,0 +1,23 @@
+package migrator
+
+import (
+	"github.com/portainer/portainer/api/roar"
+)
+
+func (m *Migrator) migrateEdgeGroupEndpointsToRoars_2_33_0() error {
+	egs, err := m.edgeGroupService.ReadAll()
+	if err != nil {
+		return err
+	}
+
+	for _, eg := range egs {
+		eg.EndpointIDs = roar.FromSlice(eg.Endpoints)
+		eg.Endpoints = nil
+
+		if err := m.edgeGroupService.Update(eg.ID, &eg); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

api/datastore/migrator/migrator.go

@@ -6,6 +6,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/models"
 	"github.com/portainer/portainer/api/dataservices/dockerhub"
+	"github.com/portainer/portainer/api/dataservices/edgegroup"
 	"github.com/portainer/portainer/api/dataservices/edgejob"
 	"github.com/portainer/portainer/api/dataservices/edgestack"
 	"github.com/portainer/portainer/api/dataservices/edgestackstatus"
@@ -60,6 +61,7 @@ type (
 		edgeStackService        *edgestack.Service
 		edgeStackStatusService  *edgestackstatus.Service
 		edgeJobService          *edgejob.Service
+		edgeGroupService        *edgegroup.Service
 		TunnelServerService     *tunnelserver.Service
 		pendingActionsService   *pendingactions.Service
 	}
@@ -89,6 +91,7 @@ type (
 		EdgeStackService        *edgestack.Service
 		EdgeStackStatusService  *edgestackstatus.Service
 		EdgeJobService          *edgejob.Service
+		EdgeGroupService        *edgegroup.Service
 		TunnelServerService     *tunnelserver.Service
 		PendingActionsService   *pendingactions.Service
 	}
@@ -120,11 +123,13 @@ func NewMigrator(parameters *MigratorParameters) *Migrator {
 		edgeStackService:        parameters.EdgeStackService,
 		edgeStackStatusService:  parameters.EdgeStackStatusService,
 		edgeJobService:          parameters.EdgeJobService,
+		edgeGroupService:        parameters.EdgeGroupService,
 		TunnelServerService:     parameters.TunnelServerService,
 		pendingActionsService:   parameters.PendingActionsService,
 	}
 
 	migrator.initMigrations()
+
 	return migrator
 }
 
@@ -249,6 +254,10 @@ func (m *Migrator) initMigrations() {
 
 	m.addMigrations("2.31.0", m.migrateEdgeStacksStatuses_2_31_0)
 
+	m.addMigrations("2.32.0", m.addEndpointRelationForEdgeAgents_2_32_0)
+
+	m.addMigrations("2.33.0", m.migrateEdgeGroupEndpointsToRoars_2_33_0)
+
 	// Add new migrations above...
 	// One function per migration, each versions migration funcs in the same file.
 }

api/datastore/test_data/output_24_to_latest.json

@@ -121,6 +121,10 @@
       "Ecr": {
         "Region": ""
       },
+      "Github": {
+        "OrganisationName": "",
+        "UseOrganisation": false
+      },
       "Gitlab": {
         "InstanceURL": "",
         "ProjectId": 0,
@@ -611,7 +615,7 @@
       "RequiredPasswordLength": 12
     },
     "KubeconfigExpiry": "0",
-    "KubectlShellImage": "portainer/kubectl-shell:2.31.0",
+    "KubectlShellImage": "portainer/kubectl-shell:2.32.0",
     "LDAPSettings": {
       "AnonymousMode": true,
       "AutoCreateUsers": true,
@@ -776,6 +780,7 @@
         "ImageCount": 9,
         "IsPodman": false,
         "NodeCount": 0,
+        "PerformanceMetrics": null,
         "RunningContainerCount": 5,
         "ServiceCount": 0,
         "StackCount": 2,
@@ -939,7 +944,7 @@
     }
   ],
   "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.31.0\",\"MigratorCount\":1,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+    "VERSION": "{\"SchemaVersion\":\"2.32.0\",\"MigratorCount\":1,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
   },
   "webhooks": null
 }

api/git/azure_integration_test.go

@@ -58,7 +58,15 @@ func TestService_ClonePublicRepository_Azure(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			dst := t.TempDir()
 			repositoryUrl := fmt.Sprintf(tt.args.repositoryURLFormat, tt.args.password)
-			err := service.CloneRepository(dst, repositoryUrl, tt.args.referenceName, "", "", false)
+			err := service.CloneRepository(
+				dst,
+				repositoryUrl,
+				tt.args.referenceName,
+				"",
+				"",
+				gittypes.GitCredentialAuthType_Basic,
+				false,
+			)
 			assert.NoError(t, err)
 			assert.FileExists(t, filepath.Join(dst, "README.md"))
 		})
@@ -73,7 +81,15 @@ func TestService_ClonePrivateRepository_Azure(t *testing.T) {
 
 	dst := t.TempDir()
 
-	err := service.CloneRepository(dst, privateAzureRepoURL, "refs/heads/main", "", pat, false)
+	err := service.CloneRepository(
+		dst,
+		privateAzureRepoURL,
+		"refs/heads/main",
+		"",
+		pat,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+	)
 	assert.NoError(t, err)
 	assert.FileExists(t, filepath.Join(dst, "README.md"))
 }
@@ -84,7 +100,14 @@ func TestService_LatestCommitID_Azure(t *testing.T) {
 	pat := getRequiredValue(t, "AZURE_DEVOPS_PAT")
 	service := NewService(context.TODO())
 
-	id, err := service.LatestCommitID(privateAzureRepoURL, "refs/heads/main", "", pat, false)
+	id, err := service.LatestCommitID(
+		privateAzureRepoURL,
+		"refs/heads/main",
+		"",
+		pat,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+	)
 	assert.NoError(t, err)
 	assert.NotEmpty(t, id, "cannot guarantee commit id, but it should be not empty")
 }
@@ -96,7 +119,14 @@ func TestService_ListRefs_Azure(t *testing.T) {
 	username := getRequiredValue(t, "AZURE_DEVOPS_USERNAME")
 	service := NewService(context.TODO())
 
-	refs, err := service.ListRefs(privateAzureRepoURL, username, accessToken, false, false)
+	refs, err := service.ListRefs(
+		privateAzureRepoURL,
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+		false,
+	)
 	assert.NoError(t, err)
 	assert.GreaterOrEqual(t, len(refs), 1)
 }
@@ -108,8 +138,8 @@ func TestService_ListRefs_Azure_Concurrently(t *testing.T) {
 	username := getRequiredValue(t, "AZURE_DEVOPS_USERNAME")
 	service := newService(context.TODO(), repositoryCacheSize, 200*time.Millisecond)
 
-	go service.ListRefs(privateAzureRepoURL, username, accessToken, false, false)
-	service.ListRefs(privateAzureRepoURL, username, accessToken, false, false)
+	go service.ListRefs(privateAzureRepoURL, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
+	service.ListRefs(privateAzureRepoURL, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
 
 	time.Sleep(2 * time.Second)
 }
@@ -247,7 +277,17 @@ func TestService_ListFiles_Azure(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			paths, err := service.ListFiles(tt.args.repositoryUrl, tt.args.referenceName, tt.args.username, tt.args.password, false, false, tt.extensions, false)
+			paths, err := service.ListFiles(
+				tt.args.repositoryUrl,
+				tt.args.referenceName,
+				tt.args.username,
+				tt.args.password,
+				gittypes.GitCredentialAuthType_Basic,
+				false,
+				false,
+				tt.extensions,
+				false,
+			)
 			if tt.expect.shouldFail {
 				assert.Error(t, err)
 				if tt.expect.err != nil {
@@ -270,8 +310,28 @@ func TestService_ListFiles_Azure_Concurrently(t *testing.T) {
 	username := getRequiredValue(t, "AZURE_DEVOPS_USERNAME")
 	service := newService(context.TODO(), repositoryCacheSize, 200*time.Millisecond)
 
-	go service.ListFiles(privateAzureRepoURL, "refs/heads/main", username, accessToken, false, false, []string{}, false)
-	service.ListFiles(privateAzureRepoURL, "refs/heads/main", username, accessToken, false, false, []string{}, false)
+	go service.ListFiles(
+		privateAzureRepoURL,
+		"refs/heads/main",
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+		false,
+		[]string{},
+		false,
+	)
+	service.ListFiles(
+		privateAzureRepoURL,
+		"refs/heads/main",
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+		false,
+		[]string{},
+		false,
+	)
 
 	time.Sleep(2 * time.Second)
 }

api/git/backup.go

@@ -19,6 +19,7 @@ type CloneOptions struct {
 	ReferenceName string
 	Username      string
 	Password      string
+	AuthType      gittypes.GitCredentialAuthType
 	// TLSSkipVerify skips SSL verification when cloning the Git repository
 	TLSSkipVerify bool `example:"false"`
 }
@@ -42,7 +43,15 @@ func CloneWithBackup(gitService portainer.GitService, fileService portainer.File
 
 	cleanUp = true
 
-	if err := gitService.CloneRepository(options.ProjectPath, options.URL, options.ReferenceName, options.Username, options.Password, options.TLSSkipVerify); err != nil {
+	if err := gitService.CloneRepository(
+		options.ProjectPath,
+		options.URL,
+		options.ReferenceName,
+		options.Username,
+		options.Password,
+		options.AuthType,
+		options.TLSSkipVerify,
+	); err != nil {
 		cleanUp = false
 		if err := filesystem.MoveDirectory(backupProjectPath, options.ProjectPath, false); err != nil {
 			log.Warn().Err(err).Msg("failed restoring backup folder")

api/git/git.go

@@ -7,12 +7,14 @@ import (
 	"strings"
 
 	gittypes "github.com/portainer/portainer/api/git/types"
+	"github.com/rs/zerolog/log"
 
 	"github.com/go-git/go-git/v5"
 	"github.com/go-git/go-git/v5/config"
 	"github.com/go-git/go-git/v5/plumbing"
 	"github.com/go-git/go-git/v5/plumbing/filemode"
 	"github.com/go-git/go-git/v5/plumbing/object"
+	"github.com/go-git/go-git/v5/plumbing/transport"
 	githttp "github.com/go-git/go-git/v5/plumbing/transport/http"
 	"github.com/go-git/go-git/v5/storage/memory"
 	"github.com/pkg/errors"
@@ -33,7 +35,7 @@ func (c *gitClient) download(ctx context.Context, dst string, opt cloneOption) e
 		URL:             opt.repositoryUrl,
 		Depth:           opt.depth,
 		InsecureSkipTLS: opt.tlsSkipVerify,
-		Auth:            getAuth(opt.username, opt.password),
+		Auth:            getAuth(opt.authType, opt.username, opt.password),
 		Tags:            git.NoTags,
 	}
 
@@ -51,7 +53,10 @@ func (c *gitClient) download(ctx context.Context, dst string, opt cloneOption) e
 	}
 
 	if !c.preserveGitDirectory {
-		os.RemoveAll(filepath.Join(dst, ".git"))
+		err := os.RemoveAll(filepath.Join(dst, ".git"))
+		if err != nil {
+			log.Error().Err(err).Msg("failed to remove .git directory")
+		}
 	}
 
 	return nil
@@ -64,7 +69,7 @@ func (c *gitClient) latestCommitID(ctx context.Context, opt fetchOption) (string
 	})
 
 	listOptions := &git.ListOptions{
-		Auth:            getAuth(opt.username, opt.password),
+		Auth:            getAuth(opt.authType, opt.username, opt.password),
 		InsecureSkipTLS: opt.tlsSkipVerify,
 	}
 
@@ -94,7 +99,23 @@ func (c *gitClient) latestCommitID(ctx context.Context, opt fetchOption) (string
 	return "", errors.Errorf("could not find ref %q in the repository", opt.referenceName)
 }
 
-func getAuth(username, password string) *githttp.BasicAuth {
+func getAuth(authType gittypes.GitCredentialAuthType, username, password string) transport.AuthMethod {
+	if password == "" {
+		return nil
+	}
+
+	switch authType {
+	case gittypes.GitCredentialAuthType_Basic:
+		return getBasicAuth(username, password)
+	case gittypes.GitCredentialAuthType_Token:
+		return getTokenAuth(password)
+	default:
+		log.Warn().Msg("unknown git credentials authorization type, defaulting to None")
+		return nil
+	}
+}
+
+func getBasicAuth(username, password string) *githttp.BasicAuth {
 	if password != "" {
 		if username == "" {
 			username = "token"
@@ -108,6 +129,15 @@ func getAuth(username, password string) *githttp.BasicAuth {
 	return nil
 }
 
+func getTokenAuth(token string) *githttp.TokenAuth {
+	if token != "" {
+		return &githttp.TokenAuth{
+			Token: token,
+		}
+	}
+	return nil
+}
+
 func (c *gitClient) listRefs(ctx context.Context, opt baseOption) ([]string, error) {
 	rem := git.NewRemote(memory.NewStorage(), &config.RemoteConfig{
 		Name: "origin",
@@ -115,7 +145,7 @@ func (c *gitClient) listRefs(ctx context.Context, opt baseOption) ([]string, err
 	})
 
 	listOptions := &git.ListOptions{
-		Auth:            getAuth(opt.username, opt.password),
+		Auth:            getAuth(opt.authType, opt.username, opt.password),
 		InsecureSkipTLS: opt.tlsSkipVerify,
 	}
 
@@ -143,7 +173,7 @@ func (c *gitClient) listFiles(ctx context.Context, opt fetchOption) ([]string, e
 		Depth:           1,
 		SingleBranch:    true,
 		ReferenceName:   plumbing.ReferenceName(opt.referenceName),
-		Auth:            getAuth(opt.username, opt.password),
+		Auth:            getAuth(opt.authType, opt.username, opt.password),
 		InsecureSkipTLS: opt.tlsSkipVerify,
 		Tags:            git.NoTags,
 	}

api/git/git_integration_test.go

@@ -2,6 +2,8 @@ package git
 
 import (
 	"context"
+	"net/http"
+	"net/http/httptest"
 	"path/filepath"
 	"testing"
 	"time"
@@ -24,7 +26,15 @@ func TestService_ClonePrivateRepository_GitHub(t *testing.T) {
 	dst := t.TempDir()
 
 	repositoryUrl := privateGitRepoURL
-	err := service.CloneRepository(dst, repositoryUrl, "refs/heads/main", username, accessToken, false)
+	err := service.CloneRepository(
+		dst,
+		repositoryUrl,
+		"refs/heads/main",
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+	)
 	assert.NoError(t, err)
 	assert.FileExists(t, filepath.Join(dst, "README.md"))
 }
@@ -37,7 +47,14 @@ func TestService_LatestCommitID_GitHub(t *testing.T) {
 	service := newService(context.TODO(), 0, 0)
 
 	repositoryUrl := privateGitRepoURL
-	id, err := service.LatestCommitID(repositoryUrl, "refs/heads/main", username, accessToken, false)
+	id, err := service.LatestCommitID(
+		repositoryUrl,
+		"refs/heads/main",
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+	)
 	assert.NoError(t, err)
 	assert.NotEmpty(t, id, "cannot guarantee commit id, but it should be not empty")
 }
@@ -50,7 +67,7 @@ func TestService_ListRefs_GitHub(t *testing.T) {
 	service := newService(context.TODO(), 0, 0)
 
 	repositoryUrl := privateGitRepoURL
-	refs, err := service.ListRefs(repositoryUrl, username, accessToken, false, false)
+	refs, err := service.ListRefs(repositoryUrl, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
 	assert.NoError(t, err)
 	assert.GreaterOrEqual(t, len(refs), 1)
 }
@@ -63,8 +80,8 @@ func TestService_ListRefs_Github_Concurrently(t *testing.T) {
 	service := newService(context.TODO(), repositoryCacheSize, 200*time.Millisecond)
 
 	repositoryUrl := privateGitRepoURL
-	go service.ListRefs(repositoryUrl, username, accessToken, false, false)
-	service.ListRefs(repositoryUrl, username, accessToken, false, false)
+	go service.ListRefs(repositoryUrl, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
+	service.ListRefs(repositoryUrl, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
 
 	time.Sleep(2 * time.Second)
 }
@@ -202,7 +219,17 @@ func TestService_ListFiles_GitHub(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			paths, err := service.ListFiles(tt.args.repositoryUrl, tt.args.referenceName, tt.args.username, tt.args.password, false, false, tt.extensions, false)
+			paths, err := service.ListFiles(
+				tt.args.repositoryUrl,
+				tt.args.referenceName,
+				tt.args.username,
+				tt.args.password,
+				gittypes.GitCredentialAuthType_Basic,
+				false,
+				false,
+				tt.extensions,
+				false,
+			)
 			if tt.expect.shouldFail {
 				assert.Error(t, err)
 				if tt.expect.err != nil {
@@ -226,8 +253,28 @@ func TestService_ListFiles_Github_Concurrently(t *testing.T) {
 	username := getRequiredValue(t, "GITHUB_USERNAME")
 	service := newService(context.TODO(), repositoryCacheSize, 200*time.Millisecond)
 
-	go service.ListFiles(repositoryUrl, "refs/heads/main", username, accessToken, false, false, []string{}, false)
-	service.ListFiles(repositoryUrl, "refs/heads/main", username, accessToken, false, false, []string{}, false)
+	go service.ListFiles(
+		repositoryUrl,
+		"refs/heads/main",
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+		false,
+		[]string{},
+		false,
+	)
+	service.ListFiles(
+		repositoryUrl,
+		"refs/heads/main",
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+		false,
+		[]string{},
+		false,
+	)
 
 	time.Sleep(2 * time.Second)
 }
@@ -240,8 +287,18 @@ func TestService_purgeCache_Github(t *testing.T) {
 	username := getRequiredValue(t, "GITHUB_USERNAME")
 	service := NewService(context.TODO())
 
-	service.ListRefs(repositoryUrl, username, accessToken, false, false)
-	service.ListFiles(repositoryUrl, "refs/heads/main", username, accessToken, false, false, []string{}, false)
+	service.ListRefs(repositoryUrl, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
+	service.ListFiles(
+		repositoryUrl,
+		"refs/heads/main",
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+		false,
+		[]string{},
+		false,
+	)
 
 	assert.Equal(t, 1, service.repoRefCache.Len())
 	assert.Equal(t, 1, service.repoFileCache.Len())
@@ -261,8 +318,18 @@ func TestService_purgeCacheByTTL_Github(t *testing.T) {
 	// 40*timeout is designed for giving enough time for ListRefs and ListFiles to cache the result
 	service := newService(context.TODO(), 2, 40*timeout)
 
-	service.ListRefs(repositoryUrl, username, accessToken, false, false)
-	service.ListFiles(repositoryUrl, "refs/heads/main", username, accessToken, false, false, []string{}, false)
+	service.ListRefs(repositoryUrl, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
+	service.ListFiles(
+		repositoryUrl,
+		"refs/heads/main",
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+		false,
+		[]string{},
+		false,
+	)
 	assert.Equal(t, 1, service.repoRefCache.Len())
 	assert.Equal(t, 1, service.repoFileCache.Len())
 
@@ -293,12 +360,12 @@ func TestService_HardRefresh_ListRefs_GitHub(t *testing.T) {
 	service := newService(context.TODO(), 2, 0)
 
 	repositoryUrl := privateGitRepoURL
-	refs, err := service.ListRefs(repositoryUrl, username, accessToken, false, false)
+	refs, err := service.ListRefs(repositoryUrl, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
 	assert.NoError(t, err)
 	assert.GreaterOrEqual(t, len(refs), 1)
 	assert.Equal(t, 1, service.repoRefCache.Len())
 
-	_, err = service.ListRefs(repositoryUrl, username, "fake-token", false, false)
+	_, err = service.ListRefs(repositoryUrl, username, "fake-token", gittypes.GitCredentialAuthType_Basic, false, false)
 	assert.Error(t, err)
 	assert.Equal(t, 1, service.repoRefCache.Len())
 }
@@ -311,26 +378,46 @@ func TestService_HardRefresh_ListRefs_And_RemoveAllCaches_GitHub(t *testing.T) {
 	service := newService(context.TODO(), 2, 0)
 
 	repositoryUrl := privateGitRepoURL
-	refs, err := service.ListRefs(repositoryUrl, username, accessToken, false, false)
+	refs, err := service.ListRefs(repositoryUrl, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
 	assert.NoError(t, err)
 	assert.GreaterOrEqual(t, len(refs), 1)
 	assert.Equal(t, 1, service.repoRefCache.Len())
 
-	files, err := service.ListFiles(repositoryUrl, "refs/heads/main", username, accessToken, false, false, []string{}, false)
+	files, err := service.ListFiles(
+		repositoryUrl,
+		"refs/heads/main",
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+		false,
+		[]string{},
+		false,
+	)
 	assert.NoError(t, err)
 	assert.GreaterOrEqual(t, len(files), 1)
 	assert.Equal(t, 1, service.repoFileCache.Len())
 
-	files, err = service.ListFiles(repositoryUrl, "refs/heads/test", username, accessToken, false, false, []string{}, false)
+	files, err = service.ListFiles(
+		repositoryUrl,
+		"refs/heads/test",
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+		false,
+		[]string{},
+		false,
+	)
 	assert.NoError(t, err)
 	assert.GreaterOrEqual(t, len(files), 1)
 	assert.Equal(t, 2, service.repoFileCache.Len())
 
-	_, err = service.ListRefs(repositoryUrl, username, "fake-token", false, false)
+	_, err = service.ListRefs(repositoryUrl, username, "fake-token", gittypes.GitCredentialAuthType_Basic, false, false)
 	assert.Error(t, err)
 	assert.Equal(t, 1, service.repoRefCache.Len())
 
-	_, err = service.ListRefs(repositoryUrl, username, "fake-token", true, false)
+	_, err = service.ListRefs(repositoryUrl, username, "fake-token", gittypes.GitCredentialAuthType_Basic, true, false)
 	assert.Error(t, err)
 	assert.Equal(t, 1, service.repoRefCache.Len())
 	// The relevant file caches should be removed too
@@ -344,12 +431,72 @@ func TestService_HardRefresh_ListFiles_GitHub(t *testing.T) {
 	accessToken := getRequiredValue(t, "GITHUB_PAT")
 	username := getRequiredValue(t, "GITHUB_USERNAME")
 	repositoryUrl := privateGitRepoURL
-	files, err := service.ListFiles(repositoryUrl, "refs/heads/main", username, accessToken, false, false, []string{}, false)
+	files, err := service.ListFiles(
+		repositoryUrl,
+		"refs/heads/main",
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+		false,
+		[]string{},
+		false,
+	)
 	assert.NoError(t, err)
 	assert.GreaterOrEqual(t, len(files), 1)
 	assert.Equal(t, 1, service.repoFileCache.Len())
 
-	_, err = service.ListFiles(repositoryUrl, "refs/heads/main", username, "fake-token", false, true, []string{}, false)
+	_, err = service.ListFiles(
+		repositoryUrl,
+		"refs/heads/main",
+		username,
+		"fake-token",
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+		true,
+		[]string{},
+		false,
+	)
 	assert.Error(t, err)
 	assert.Equal(t, 0, service.repoFileCache.Len())
 }
+
+func TestService_CloneRepository_TokenAuth(t *testing.T) {
+	ensureIntegrationTest(t)
+
+	service := newService(context.TODO(), 2, 0)
+	var requests []*http.Request
+	testServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		requests = append(requests, r)
+	}))
+	accessToken := "test_access_token"
+	username := "test_username"
+	repositoryUrl := testServer.URL
+
+	// Since we aren't hitting a real git server we ignore the error
+	_ = service.CloneRepository(
+		"test_dir",
+		repositoryUrl,
+		"refs/heads/main",
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Token,
+		false,
+	)
+
+	testServer.Close()
+
+	if len(requests) != 1 {
+		t.Fatalf("expected 1 request sent but got %d", len(requests))
+	}
+
+	gotAuthHeader := requests[0].Header.Get("Authorization")
+	if gotAuthHeader == "" {
+		t.Fatal("no Authorization header in git request")
+	}
+
+	expectedAuthHeader := "Bearer test_access_token"
+	if gotAuthHeader != expectedAuthHeader {
+		t.Fatalf("expected Authorization header %q but got %q", expectedAuthHeader, gotAuthHeader)
+	}
+}

api/git/git_test.go

@@ -38,7 +38,7 @@ func Test_ClonePublicRepository_Shallow(t *testing.T) {
 
 	dir := t.TempDir()
 	t.Logf("Cloning into %s", dir)
-	err := service.CloneRepository(dir, repositoryURL, referenceName, "", "", false)
+	err := service.CloneRepository(dir, repositoryURL, referenceName, "", "", gittypes.GitCredentialAuthType_Basic, false)
 	assert.NoError(t, err)
 	assert.Equal(t, 1, getCommitHistoryLength(t, err, dir), "cloned repo has incorrect depth")
 }
@@ -50,7 +50,7 @@ func Test_ClonePublicRepository_NoGitDirectory(t *testing.T) {
 
 	dir := t.TempDir()
 	t.Logf("Cloning into %s", dir)
-	err := service.CloneRepository(dir, repositoryURL, referenceName, "", "", false)
+	err := service.CloneRepository(dir, repositoryURL, referenceName, "", "", gittypes.GitCredentialAuthType_Basic, false)
 	assert.NoError(t, err)
 	assert.NoDirExists(t, filepath.Join(dir, ".git"))
 }
@@ -84,7 +84,7 @@ func Test_latestCommitID(t *testing.T) {
 	repositoryURL := setup(t)
 	referenceName := "refs/heads/main"
 
-	id, err := service.LatestCommitID(repositoryURL, referenceName, "", "", false)
+	id, err := service.LatestCommitID(repositoryURL, referenceName, "", "", gittypes.GitCredentialAuthType_Basic, false)
 
 	assert.NoError(t, err)
 	assert.Equal(t, "68dcaa7bd452494043c64252ab90db0f98ecf8d2", id)
@@ -95,7 +95,7 @@ func Test_ListRefs(t *testing.T) {
 
 	repositoryURL := setup(t)
 
-	fs, err := service.ListRefs(repositoryURL, "", "", false, false)
+	fs, err := service.ListRefs(repositoryURL, "", "", gittypes.GitCredentialAuthType_Basic, false, false)
 
 	assert.NoError(t, err)
 	assert.Equal(t, []string{"refs/heads/main"}, fs)
@@ -107,7 +107,17 @@ func Test_ListFiles(t *testing.T) {
 	repositoryURL := setup(t)
 	referenceName := "refs/heads/main"
 
-	fs, err := service.ListFiles(repositoryURL, referenceName, "", "", false, false, []string{".yml"}, false)
+	fs, err := service.ListFiles(
+		repositoryURL,
+		referenceName,
+		"",
+		"",
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+		false,
+		[]string{".yml"},
+		false,
+	)
 
 	assert.NoError(t, err)
 	assert.Equal(t, []string{"docker-compose.yml"}, fs)
@@ -255,7 +265,7 @@ func Test_listFilesPrivateRepository(t *testing.T) {
 			name: "list tree with real repository and head ref but no credential",
 			args: fetchOption{
 				baseOption: baseOption{
-					repositoryUrl: privateGitRepoURL + "fake",
+					repositoryUrl: privateGitRepoURL,
 					username:      "",
 					password:      "",
 				},

api/git/service.go

@@ -8,6 +8,7 @@ import (
 	"time"
 
 	lru "github.com/hashicorp/golang-lru"
+	gittypes "github.com/portainer/portainer/api/git/types"
 	"github.com/rs/zerolog/log"
 	"golang.org/x/sync/singleflight"
 )
@@ -22,6 +23,7 @@ type baseOption struct {
 	repositoryUrl string
 	username      string
 	password      string
+	authType      gittypes.GitCredentialAuthType
 	tlsSkipVerify bool
 }
 
@@ -123,13 +125,22 @@ func (service *Service) timerHasStopped() bool {
 
 // CloneRepository clones a git repository using the specified URL in the specified
 // destination folder.
-func (service *Service) CloneRepository(destination, repositoryURL, referenceName, username, password string, tlsSkipVerify bool) error {
+func (service *Service) CloneRepository(
+	destination,
+	repositoryURL,
+	referenceName,
+	username,
+	password string,
+	authType gittypes.GitCredentialAuthType,
+	tlsSkipVerify bool,
+) error {
 	options := cloneOption{
 		fetchOption: fetchOption{
 			baseOption: baseOption{
 				repositoryUrl: repositoryURL,
 				username:      username,
 				password:      password,
+				authType:      authType,
 				tlsSkipVerify: tlsSkipVerify,
 			},
 			referenceName: referenceName,
@@ -155,12 +166,20 @@ func (service *Service) cloneRepository(destination string, options cloneOption)
 }
 
 // LatestCommitID returns SHA1 of the latest commit of the specified reference
-func (service *Service) LatestCommitID(repositoryURL, referenceName, username, password string, tlsSkipVerify bool) (string, error) {
+func (service *Service) LatestCommitID(
+	repositoryURL,
+	referenceName,
+	username,
+	password string,
+	authType gittypes.GitCredentialAuthType,
+	tlsSkipVerify bool,
+) (string, error) {
 	options := fetchOption{
 		baseOption: baseOption{
 			repositoryUrl: repositoryURL,
 			username:      username,
 			password:      password,
+			authType:      authType,
 			tlsSkipVerify: tlsSkipVerify,
 		},
 		referenceName: referenceName,
@@ -170,7 +189,14 @@ func (service *Service) LatestCommitID(repositoryURL, referenceName, username, p
 }
 
 // ListRefs will list target repository's references without cloning the repository
-func (service *Service) ListRefs(repositoryURL, username, password string, hardRefresh bool, tlsSkipVerify bool) ([]string, error) {
+func (service *Service) ListRefs(
+	repositoryURL,
+	username,
+	password string,
+	authType gittypes.GitCredentialAuthType,
+	hardRefresh bool,
+	tlsSkipVerify bool,
+) ([]string, error) {
 	refCacheKey := generateCacheKey(repositoryURL, username, password, strconv.FormatBool(tlsSkipVerify))
 	if service.cacheEnabled && hardRefresh {
 		// Should remove the cache explicitly, so that the following normal list can show the correct result
@@ -196,6 +222,7 @@ func (service *Service) ListRefs(repositoryURL, username, password string, hardR
 		repositoryUrl: repositoryURL,
 		username:      username,
 		password:      password,
+		authType:      authType,
 		tlsSkipVerify: tlsSkipVerify,
 	}
 
@@ -215,18 +242,62 @@ var singleflightGroup = &singleflight.Group{}
 
 // ListFiles will list all the files of the target repository with specific extensions.
 // If extension is not provided, it will list all the files under the target repository
-func (service *Service) ListFiles(repositoryURL, referenceName, username, password string, dirOnly, hardRefresh bool, includedExts []string, tlsSkipVerify bool) ([]string, error) {
-	repoKey := generateCacheKey(repositoryURL, referenceName, username, password, strconv.FormatBool(tlsSkipVerify), strconv.FormatBool(dirOnly))
+func (service *Service) ListFiles(
+	repositoryURL,
+	referenceName,
+	username,
+	password string,
+	authType gittypes.GitCredentialAuthType,
+	dirOnly,
+	hardRefresh bool,
+	includedExts []string,
+	tlsSkipVerify bool,
+) ([]string, error) {
+	repoKey := generateCacheKey(
+		repositoryURL,
+		referenceName,
+		username,
+		password,
+		strconv.FormatBool(tlsSkipVerify),
+		strconv.Itoa(int(authType)),
+		strconv.FormatBool(dirOnly),
+	)
 
 	fs, err, _ := singleflightGroup.Do(repoKey, func() (any, error) {
-		return service.listFiles(repositoryURL, referenceName, username, password, dirOnly, hardRefresh, tlsSkipVerify)
+		return service.listFiles(
+			repositoryURL,
+			referenceName,
+			username,
+			password,
+			authType,
+			dirOnly,
+			hardRefresh,
+			tlsSkipVerify,
+		)
 	})
 
 	return filterFiles(fs.([]string), includedExts), err
 }
 
-func (service *Service) listFiles(repositoryURL, referenceName, username, password string, dirOnly, hardRefresh bool, tlsSkipVerify bool) ([]string, error) {
-	repoKey := generateCacheKey(repositoryURL, referenceName, username, password, strconv.FormatBool(tlsSkipVerify), strconv.FormatBool(dirOnly))
+func (service *Service) listFiles(
+	repositoryURL,
+	referenceName,
+	username,
+	password string,
+	authType gittypes.GitCredentialAuthType,
+	dirOnly,
+	hardRefresh bool,
+	tlsSkipVerify bool,
+) ([]string, error) {
+	repoKey := generateCacheKey(
+		repositoryURL,
+		referenceName,
+		username,
+		password,
+		strconv.FormatBool(tlsSkipVerify),
+		strconv.Itoa(int(authType)),
+		strconv.FormatBool(dirOnly),
+	)
 
 	if service.cacheEnabled && hardRefresh {
 		// Should remove the cache explicitly, so that the following normal list can show the correct result
@@ -247,6 +318,7 @@ func (service *Service) listFiles(repositoryURL, referenceName, username, passwo
 			repositoryUrl: repositoryURL,
 			username:      username,
 			password:      password,
+			authType:      authType,
 			tlsSkipVerify: tlsSkipVerify,
 		},
 		referenceName: referenceName,

api/git/types/types.go

@@ -1,12 +1,21 @@
 package gittypes
 
-import "errors"
+import (
+	"errors"
+)
 
 var (
 	ErrIncorrectRepositoryURL = errors.New("git repository could not be found, please ensure that the URL is correct")
 	ErrAuthenticationFailure  = errors.New("authentication failed, please ensure that the git credentials are correct")
 )
 
+type GitCredentialAuthType int
+
+const (
+	GitCredentialAuthType_Basic GitCredentialAuthType = iota
+	GitCredentialAuthType_Token
+)
+
 // RepoConfig represents a configuration for a repo
 type RepoConfig struct {
 	// The repo url
@@ -24,10 +33,11 @@ type RepoConfig struct {
 }
 
 type GitAuthentication struct {
-	Username string
-	Password string
+	Username          string
+	Password          string
+	AuthorizationType GitCredentialAuthType
 	// Git credentials identifier when the value is not 0
-	// When the value is 0, Username and Password are set without using saved credential
+	// When the value is 0, Username, Password, and Authtype are set without using saved credential
 	// This is introduced since 2.15.0
 	GitCredentialID int `example:"0"`
 }

api/git/update/update.go

@@ -29,7 +29,14 @@ func UpdateGitObject(gitService portainer.GitService, objId string, gitConfig *g
 		return false, "", errors.WithMessagef(err, "failed to get credentials for %v", objId)
 	}
 
-	newHash, err := gitService.LatestCommitID(gitConfig.URL, gitConfig.ReferenceName, username, password, gitConfig.TLSSkipVerify)
+	newHash, err := gitService.LatestCommitID(
+		gitConfig.URL,
+		gitConfig.ReferenceName,
+		username,
+		password,
+		gittypes.GitCredentialAuthType_Basic,
+		gitConfig.TLSSkipVerify,
+	)
 	if err != nil {
 		return false, "", errors.WithMessagef(err, "failed to fetch latest commit id of %v", objId)
 	}
@@ -62,6 +69,7 @@ func UpdateGitObject(gitService portainer.GitService, objId string, gitConfig *g
 		cloneParams.auth = &gitAuth{
 			username: username,
 			password: password,
+			authType: gitConfig.Authentication.AuthorizationType,
 		}
 	}
 
@@ -89,14 +97,31 @@ type cloneRepositoryParameters struct {
 }
 
 type gitAuth struct {
+	authType gittypes.GitCredentialAuthType
 	username string
 	password string
 }
 
 func cloneGitRepository(gitService portainer.GitService, cloneParams *cloneRepositoryParameters) error {
 	if cloneParams.auth != nil {
-		return gitService.CloneRepository(cloneParams.toDir, cloneParams.url, cloneParams.ref, cloneParams.auth.username, cloneParams.auth.password, cloneParams.tlsSkipVerify)
+		return gitService.CloneRepository(
+			cloneParams.toDir,
+			cloneParams.url,
+			cloneParams.ref,
+			cloneParams.auth.username,
+			cloneParams.auth.password,
+			cloneParams.auth.authType,
+			cloneParams.tlsSkipVerify,
+		)
 	}
 
-	return gitService.CloneRepository(cloneParams.toDir, cloneParams.url, cloneParams.ref, "", "", cloneParams.tlsSkipVerify)
+	return gitService.CloneRepository(
+		cloneParams.toDir,
+		cloneParams.url,
+		cloneParams.ref,
+		"",
+		"",
+		gittypes.GitCredentialAuthType_Basic,
+		cloneParams.tlsSkipVerify,
+	)
 }

api/hostmanagement/openamt/openamt.go

@@ -32,9 +32,9 @@ type Service struct {
 }
 
 // NewService initializes a new service.
-func NewService() *Service {
+func NewService(insecureSkipVerify bool) *Service {
 	tlsConfig := crypto.CreateTLSConfiguration()
-	tlsConfig.InsecureSkipVerify = true
+	tlsConfig.InsecureSkipVerify = insecureSkipVerify
 
 	return &Service{
 		httpsClient: &http.Client{

api/http/csrf/csrf.go

@@ -2,6 +2,7 @@ package csrf
 
 import (
 	"crypto/rand"
+	"errors"
 	"fmt"
 	"net/http"
 	"os"
@@ -9,7 +10,8 @@ import (
 	"github.com/portainer/portainer/api/http/security"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 
-	gorillacsrf "github.com/gorilla/csrf"
+	gcsrf "github.com/gorilla/csrf"
+	"github.com/rs/zerolog/log"
 	"github.com/urfave/negroni"
 )
 
@@ -19,7 +21,7 @@ func SkipCSRFToken(w http.ResponseWriter) {
 	w.Header().Set(csrfSkipHeader, "1")
 }
 
-func WithProtect(handler http.Handler) (http.Handler, error) {
+func WithProtect(handler http.Handler, trustedOrigins []string) (http.Handler, error) {
 	// IsDockerDesktopExtension is used to check if we should skip csrf checks in the request bouncer (ShouldSkipCSRFCheck)
 	// DOCKER_EXTENSION is set to '1' in build/docker-extension/docker-compose.yml
 	isDockerDesktopExtension := false
@@ -34,10 +36,12 @@ func WithProtect(handler http.Handler) (http.Handler, error) {
 		return nil, fmt.Errorf("failed to generate CSRF token: %w", err)
 	}
 
-	handler = gorillacsrf.Protect(
+	handler = gcsrf.Protect(
 		token,
-		gorillacsrf.Path("/"),
-		gorillacsrf.Secure(false),
+		gcsrf.Path("/"),
+		gcsrf.Secure(false),
+		gcsrf.TrustedOrigins(trustedOrigins),
+		gcsrf.ErrorHandler(withErrorHandler(trustedOrigins)),
 	)(handler)
 
 	return withSkipCSRF(handler, isDockerDesktopExtension), nil
@@ -55,7 +59,7 @@ func withSendCSRFToken(handler http.Handler) http.Handler {
 			}
 
 			if statusCode := sw.Status(); statusCode >= 200 && statusCode < 300 {
-				sw.Header().Set("X-CSRF-Token", gorillacsrf.Token(r))
+				sw.Header().Set("X-CSRF-Token", gcsrf.Token(r))
 			}
 		})
 
@@ -73,9 +77,33 @@ func withSkipCSRF(handler http.Handler, isDockerDesktopExtension bool) http.Hand
 		}
 
 		if skip {
-			r = gorillacsrf.UnsafeSkipCheck(r)
+			r = gcsrf.UnsafeSkipCheck(r)
 		}
 
 		handler.ServeHTTP(w, r)
 	})
 }
+
+func withErrorHandler(trustedOrigins []string) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		err := gcsrf.FailureReason(r)
+
+		if errors.Is(err, gcsrf.ErrBadOrigin) || errors.Is(err, gcsrf.ErrBadReferer) || errors.Is(err, gcsrf.ErrNoReferer) {
+			log.Error().Err(err).
+				Str("request_url", r.URL.String()).
+				Str("host", r.Host).
+				Str("x_forwarded_proto", r.Header.Get("X-Forwarded-Proto")).
+				Str("forwarded", r.Header.Get("Forwarded")).
+				Str("origin", r.Header.Get("Origin")).
+				Str("referer", r.Header.Get("Referer")).
+				Strs("trusted_origins", trustedOrigins).
+				Msg("Failed to validate Origin or Referer")
+		}
+
+		http.Error(
+			w,
+			http.StatusText(http.StatusForbidden)+" - "+err.Error(),
+			http.StatusForbidden,
+		)
+	})
+}

api/http/handler/auth/authenticate.go

@@ -2,6 +2,7 @@ package auth
 
 import (
 	"net/http"
+	"strconv"
 	"strings"
 
 	portainer "github.com/portainer/portainer/api"
@@ -82,6 +83,11 @@ func (handler *Handler) authenticate(rw http.ResponseWriter, r *http.Request) *h
 		}
 	}
 
+	// Clear any existing user caches
+	if user != nil {
+		handler.KubernetesClientFactory.ClearUserClientCache(strconv.Itoa(int(user.ID)))
+	}
+
 	if user != nil && isUserInitialAdmin(user) || settings.AuthenticationMethod == portainer.AuthenticationInternal {
 		return handler.authenticateInternal(rw, user, payload.Password)
 	}

api/http/handler/auth/handler.go

@@ -8,6 +8,7 @@ import (
 	"github.com/portainer/portainer/api/http/proxy"
 	"github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
 	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/kubernetes/cli"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 
 	"github.com/gorilla/mux"
@@ -23,16 +24,18 @@ type Handler struct {
 	OAuthService                portainer.OAuthService
 	ProxyManager                *proxy.Manager
 	KubernetesTokenCacheManager *kubernetes.TokenCacheManager
+	KubernetesClientFactory     *cli.ClientFactory
 	passwordStrengthChecker     security.PasswordStrengthChecker
 	bouncer                     security.BouncerService
 }
 
 // NewHandler creates a handler to manage authentication operations.
-func NewHandler(bouncer security.BouncerService, rateLimiter *security.RateLimiter, passwordStrengthChecker security.PasswordStrengthChecker) *Handler {
+func NewHandler(bouncer security.BouncerService, rateLimiter *security.RateLimiter, passwordStrengthChecker security.PasswordStrengthChecker, kubernetesClientFactory *cli.ClientFactory) *Handler {
 	h := &Handler{
 		Router:                  mux.NewRouter(),
 		passwordStrengthChecker: passwordStrengthChecker,
 		bouncer:                 bouncer,
+		KubernetesClientFactory: kubernetesClientFactory,
 	}
 
 	h.Handle("/auth/oauth/validate",

api/http/handler/auth/logout.go

@@ -2,6 +2,7 @@ package auth
 
 import (
 	"net/http"
+	"strconv"
 
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/logoutcontext"
@@ -23,6 +24,7 @@ func (handler *Handler) logout(w http.ResponseWriter, r *http.Request) *httperro
 
 	if tokenData != nil {
 		handler.KubernetesTokenCacheManager.RemoveUserFromCache(tokenData.ID)
+		handler.KubernetesClientFactory.ClearUserClientCache(strconv.Itoa(int(tokenData.ID)))
 		logoutcontext.Cancel(tokenData.Token)
 	}
 

api/http/handler/customtemplates/customtemplate_git_fetch_test.go

@@ -33,13 +33,28 @@ type TestGitService struct {
 	targetFilePath string
 }
 
-func (g *TestGitService) CloneRepository(destination string, repositoryURL, referenceName string, username, password string, tlsSkipVerify bool) error {
+func (g *TestGitService) CloneRepository(
+	destination string,
+	repositoryURL,
+	referenceName string,
+	username,
+	password string,
+	authType gittypes.GitCredentialAuthType,
+	tlsSkipVerify bool,
+) error {
 	time.Sleep(100 * time.Millisecond)
 
 	return createTestFile(g.targetFilePath)
 }
 
-func (g *TestGitService) LatestCommitID(repositoryURL, referenceName, username, password string, tlsSkipVerify bool) (string, error) {
+func (g *TestGitService) LatestCommitID(
+	repositoryURL,
+	referenceName,
+	username,
+	password string,
+	authType gittypes.GitCredentialAuthType,
+	tlsSkipVerify bool,
+) (string, error) {
 	return "", nil
 }
 
@@ -56,11 +71,26 @@ type InvalidTestGitService struct {
 	targetFilePath string
 }
 
-func (g *InvalidTestGitService) CloneRepository(dest, repoUrl, refName, username, password string, tlsSkipVerify bool) error {
+func (g *InvalidTestGitService) CloneRepository(
+	dest,
+	repoUrl,
+	refName,
+	username,
+	password string,
+	authType gittypes.GitCredentialAuthType,
+	tlsSkipVerify bool,
+) error {
 	return errors.New("simulate network error")
 }
 
-func (g *InvalidTestGitService) LatestCommitID(repositoryURL, referenceName, username, password string, tlsSkipVerify bool) (string, error) {
+func (g *InvalidTestGitService) LatestCommitID(
+	repositoryURL,
+	referenceName,
+	username,
+	password string,
+	authType gittypes.GitCredentialAuthType,
+	tlsSkipVerify bool,
+) (string, error) {
 	return "", nil
 }
 

api/http/handler/customtemplates/customtemplate_list.go

@@ -71,7 +71,7 @@ func (handler *Handler) customTemplateList(w http.ResponseWriter, r *http.Reques
 	customTemplates = filterByType(customTemplates, templateTypes)
 
 	if edge != nil {
-		customTemplates = slicesx.Filter(customTemplates, func(customTemplate portainer.CustomTemplate) bool {
+		customTemplates = slicesx.FilterInPlace(customTemplates, func(customTemplate portainer.CustomTemplate) bool {
 			return customTemplate.EdgeTemplate == *edge
 		})
 	}

api/http/handler/customtemplates/customtemplate_update.go

@@ -37,14 +37,16 @@ type customTemplateUpdatePayload struct {
 	RepositoryURL string `example:"https://github.com/openfaas/faas" validate:"required"`
 	// Reference name of a Git repository hosting the Stack file
 	RepositoryReferenceName string `example:"refs/heads/master"`
-	// Use basic authentication to clone the Git repository
+	// Use authentication to clone the Git repository
 	RepositoryAuthentication bool `example:"true"`
 	// Username used in basic authentication. Required when RepositoryAuthentication is true
-	// and RepositoryGitCredentialID is 0
+	// and RepositoryGitCredentialID is 0. Ignored if RepositoryAuthType is token
 	RepositoryUsername string `example:"myGitUsername"`
-	// Password used in basic authentication. Required when RepositoryAuthentication is true
-	// and RepositoryGitCredentialID is 0
+	// Password used in basic authentication or token used in token authentication.
+	// Required when RepositoryAuthentication is true and RepositoryGitCredentialID is 0
 	RepositoryPassword string `example:"myGitPassword"`
+	// RepositoryAuthorizationType is the authorization type to use
+	RepositoryAuthorizationType gittypes.GitCredentialAuthType `example:"0"`
 	// GitCredentialID used to identify the bound git credential. Required when RepositoryAuthentication
 	// is true and RepositoryUsername/RepositoryPassword are not provided
 	RepositoryGitCredentialID int `example:"0"`
@@ -182,12 +184,15 @@ func (handler *Handler) customTemplateUpdate(w http.ResponseWriter, r *http.Requ
 
 		repositoryUsername := ""
 		repositoryPassword := ""
+		repositoryAuthType := gittypes.GitCredentialAuthType_Basic
 		if payload.RepositoryAuthentication {
 			repositoryUsername = payload.RepositoryUsername
 			repositoryPassword = payload.RepositoryPassword
+			repositoryAuthType = payload.RepositoryAuthorizationType
 			gitConfig.Authentication = &gittypes.GitAuthentication{
-				Username: payload.RepositoryUsername,
-				Password: payload.RepositoryPassword,
+				Username:          payload.RepositoryUsername,
+				Password:          payload.RepositoryPassword,
+				AuthorizationType: payload.RepositoryAuthorizationType,
 			}
 		}
 
@@ -197,6 +202,7 @@ func (handler *Handler) customTemplateUpdate(w http.ResponseWriter, r *http.Requ
 			ReferenceName: gitConfig.ReferenceName,
 			Username:      repositoryUsername,
 			Password:      repositoryPassword,
+			AuthType:      repositoryAuthType,
 			TLSSkipVerify: gitConfig.TLSSkipVerify,
 		})
 		if err != nil {
@@ -205,7 +211,14 @@ func (handler *Handler) customTemplateUpdate(w http.ResponseWriter, r *http.Requ
 
 		defer cleanBackup()
 
-		commitHash, err := handler.GitService.LatestCommitID(gitConfig.URL, gitConfig.ReferenceName, repositoryUsername, repositoryPassword, gitConfig.TLSSkipVerify)
+		commitHash, err := handler.GitService.LatestCommitID(
+			gitConfig.URL,
+			gitConfig.ReferenceName,
+			repositoryUsername,
+			repositoryPassword,
+			repositoryAuthType,
+			gitConfig.TLSSkipVerify,
+		)
 		if err != nil {
 			return httperror.InternalServerError("Unable get latest commit id", fmt.Errorf("failed to fetch latest commit id of the template %v: %w", customTemplate.ID, err))
 		}

api/http/handler/edgegroups/associated_endpoints.go

@@ -4,6 +4,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/internal/endpointutils"
+	"github.com/portainer/portainer/api/roar"
 )
 
 type endpointSetType map[portainer.EndpointID]bool
@@ -49,22 +50,29 @@ func GetEndpointsByTags(tx dataservices.DataStoreTx, tagIDs []portainer.TagID, p
 	return results, nil
 }
 
-func getTrustedEndpoints(tx dataservices.DataStoreTx, endpointIDs []portainer.EndpointID) ([]portainer.EndpointID, error) {
+func getTrustedEndpoints(tx dataservices.DataStoreTx, endpointIDs roar.Roar[portainer.EndpointID]) ([]portainer.EndpointID, error) {
+	var innerErr error
+
 	results := []portainer.EndpointID{}
-	for _, endpointID := range endpointIDs {
+
+	endpointIDs.Iterate(func(endpointID portainer.EndpointID) bool {
 		endpoint, err := tx.Endpoint().Endpoint(endpointID)
 		if err != nil {
-			return nil, err
+			innerErr = err
+
+			return false
 		}
 
 		if !endpoint.UserTrusted {
-			continue
+			return true
 		}
 
 		results = append(results, endpoint.ID)
-	}
 
-	return results, nil
+		return true
+	})
+
+	return results, innerErr
 }
 
 func mapEndpointGroupToEndpoints(endpoints []portainer.Endpoint) map[portainer.EndpointGroupID]endpointSetType {

api/http/handler/edgegroups/edgegroup_create.go

@@ -7,6 +7,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/internal/endpointutils"
+	"github.com/portainer/portainer/api/roar"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 )
@@ -52,6 +53,7 @@ func calculateEndpointsOrTags(tx dataservices.DataStoreTx, edgeGroup *portainer.
 	}
 
 	edgeGroup.Endpoints = endpointIDs
+	edgeGroup.EndpointIDs = roar.FromSlice(endpointIDs)
 
 	return nil
 }
@@ -94,6 +96,7 @@ func (handler *Handler) edgeGroupCreate(w http.ResponseWriter, r *http.Request)
 			Dynamic:      payload.Dynamic,
 			TagIDs:       []portainer.TagID{},
 			Endpoints:    []portainer.EndpointID{},
+			EndpointIDs:  roar.Roar[portainer.EndpointID]{},
 			PartialMatch: payload.PartialMatch,
 		}
 
@@ -108,5 +111,5 @@ func (handler *Handler) edgeGroupCreate(w http.ResponseWriter, r *http.Request)
 		return nil
 	})
 
-	return txResponse(w, edgeGroup, err)
+	return txResponse(w, shadowedEdgeGroup{EdgeGroup: *edgeGroup}, err)
 }

api/http/handler/edgegroups/edgegroup_create_test.go

@@ -0,0 +1,62 @@
+package edgegroups
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strconv"
+	"strings"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/internal/testhelpers"
+
+	"github.com/segmentio/encoding/json"
+	"github.com/stretchr/testify/require"
+)
+
+func TestEdgeGroupCreateHandler(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, true, true)
+
+	handler := NewHandler(testhelpers.NewTestRequestBouncer())
+	handler.DataStore = store
+
+	err := store.EndpointGroup().Create(&portainer.EndpointGroup{
+		ID:   1,
+		Name: "Test Group",
+	})
+	require.NoError(t, err)
+
+	for i := range 3 {
+		err = store.Endpoint().Create(&portainer.Endpoint{
+			ID:      portainer.EndpointID(i + 1),
+			Name:    "Test Endpoint " + strconv.Itoa(i+1),
+			Type:    portainer.EdgeAgentOnDockerEnvironment,
+			GroupID: 1,
+		})
+		require.NoError(t, err)
+
+		err = store.EndpointRelation().Create(&portainer.EndpointRelation{
+			EndpointID: portainer.EndpointID(i + 1),
+			EdgeStacks: map[portainer.EdgeStackID]bool{},
+		})
+		require.NoError(t, err)
+	}
+
+	rr := httptest.NewRecorder()
+
+	req := httptest.NewRequest(
+		http.MethodPost,
+		"/edge_groups",
+		strings.NewReader(`{"Name": "New Edge Group", "Endpoints": [1, 2, 3]}`),
+	)
+
+	handler.ServeHTTP(rr, req)
+	require.Equal(t, http.StatusOK, rr.Result().StatusCode)
+
+	var responseGroup portainer.EdgeGroup
+	err = json.NewDecoder(rr.Body).Decode(&responseGroup)
+	require.NoError(t, err)
+
+	require.ElementsMatch(t, []portainer.EndpointID{1, 2, 3}, responseGroup.Endpoints)
+}

api/http/handler/edgegroups/edgegroup_inspect.go

@@ -5,6 +5,7 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/roar"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 )
@@ -33,7 +34,9 @@ func (handler *Handler) edgeGroupInspect(w http.ResponseWriter, r *http.Request)
 		return err
 	})
 
-	return txResponse(w, edgeGroup, err)
+	edgeGroup.Endpoints = edgeGroup.EndpointIDs.ToSlice()
+
+	return txResponse(w, shadowedEdgeGroup{EdgeGroup: *edgeGroup}, err)
 }
 
 func getEdgeGroup(tx dataservices.DataStoreTx, ID portainer.EdgeGroupID) (*portainer.EdgeGroup, error) {
@@ -50,7 +53,7 @@ func getEdgeGroup(tx dataservices.DataStoreTx, ID portainer.EdgeGroupID) (*porta
 			return nil, httperror.InternalServerError("Unable to retrieve environments and environment groups for Edge group", err)
 		}
 
-		edgeGroup.Endpoints = endpoints
+		edgeGroup.EndpointIDs = roar.FromSlice(endpoints)
 	}
 
 	return edgeGroup, err

api/http/handler/edgegroups/edgegroup_inspect_test.go

@@ -0,0 +1,176 @@
+package edgegroups
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strconv"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/roar"
+
+	"github.com/segmentio/encoding/json"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestEdgeGroupInspectHandler(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, true, true)
+
+	handler := NewHandler(testhelpers.NewTestRequestBouncer())
+	handler.DataStore = store
+
+	err := store.EndpointGroup().Create(&portainer.EndpointGroup{
+		ID:   1,
+		Name: "Test Group",
+	})
+	require.NoError(t, err)
+
+	for i := range 3 {
+		err = store.Endpoint().Create(&portainer.Endpoint{
+			ID:      portainer.EndpointID(i + 1),
+			Name:    "Test Endpoint " + strconv.Itoa(i+1),
+			Type:    portainer.EdgeAgentOnDockerEnvironment,
+			GroupID: 1,
+		})
+		require.NoError(t, err)
+
+		err = store.EndpointRelation().Create(&portainer.EndpointRelation{
+			EndpointID: portainer.EndpointID(i + 1),
+			EdgeStacks: map[portainer.EdgeStackID]bool{},
+		})
+		require.NoError(t, err)
+	}
+
+	err = store.EdgeGroup().Create(&portainer.EdgeGroup{
+		ID:          1,
+		Name:        "Test Edge Group",
+		EndpointIDs: roar.FromSlice([]portainer.EndpointID{1, 2, 3}),
+	})
+	require.NoError(t, err)
+
+	rr := httptest.NewRecorder()
+
+	req := httptest.NewRequest(
+		http.MethodGet,
+		"/edge_groups/1",
+		nil,
+	)
+
+	handler.ServeHTTP(rr, req)
+	require.Equal(t, http.StatusOK, rr.Result().StatusCode)
+
+	var responseGroup portainer.EdgeGroup
+	err = json.NewDecoder(rr.Body).Decode(&responseGroup)
+	require.NoError(t, err)
+
+	assert.ElementsMatch(t, []portainer.EndpointID{1, 2, 3}, responseGroup.Endpoints)
+}
+
+func TestEmptyEdgeGroupInspectHandler(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, true, true)
+
+	handler := NewHandler(testhelpers.NewTestRequestBouncer())
+	handler.DataStore = store
+
+	err := store.EndpointGroup().Create(&portainer.EndpointGroup{
+		ID:   1,
+		Name: "Test Group",
+	})
+	require.NoError(t, err)
+
+	err = store.EdgeGroup().Create(&portainer.EdgeGroup{
+		ID:          1,
+		Name:        "Test Edge Group",
+		EndpointIDs: roar.Roar[portainer.EndpointID]{},
+	})
+	require.NoError(t, err)
+
+	rr := httptest.NewRecorder()
+
+	req := httptest.NewRequest(
+		http.MethodGet,
+		"/edge_groups/1",
+		nil,
+	)
+
+	handler.ServeHTTP(rr, req)
+	require.Equal(t, http.StatusOK, rr.Result().StatusCode)
+
+	var responseGroup portainer.EdgeGroup
+	err = json.NewDecoder(rr.Body).Decode(&responseGroup)
+	require.NoError(t, err)
+
+	// Make sure the frontend does not get a null value but a [] instead
+	require.NotNil(t, responseGroup.Endpoints)
+	require.Len(t, responseGroup.Endpoints, 0)
+}
+
+func TestDynamicEdgeGroupInspectHandler(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, true, true)
+
+	handler := NewHandler(testhelpers.NewTestRequestBouncer())
+	handler.DataStore = store
+
+	err := store.EndpointGroup().Create(&portainer.EndpointGroup{
+		ID:   1,
+		Name: "Test Group",
+	})
+	require.NoError(t, err)
+
+	err = store.Tag().Create(&portainer.Tag{
+		ID:   1,
+		Name: "Test Tag",
+		Endpoints: map[portainer.EndpointID]bool{
+			1: true,
+			2: true,
+			3: true,
+		},
+	})
+	require.NoError(t, err)
+
+	for i := range 3 {
+		err = store.Endpoint().Create(&portainer.Endpoint{
+			ID:          portainer.EndpointID(i + 1),
+			Name:        "Test Endpoint " + strconv.Itoa(i+1),
+			Type:        portainer.EdgeAgentOnDockerEnvironment,
+			GroupID:     1,
+			TagIDs:      []portainer.TagID{1},
+			UserTrusted: true,
+		})
+		require.NoError(t, err)
+
+		err = store.EndpointRelation().Create(&portainer.EndpointRelation{
+			EndpointID: portainer.EndpointID(i + 1),
+			EdgeStacks: map[portainer.EdgeStackID]bool{},
+		})
+		require.NoError(t, err)
+	}
+
+	err = store.EdgeGroup().Create(&portainer.EdgeGroup{
+		ID:      1,
+		Name:    "Test Edge Group",
+		Dynamic: true,
+		TagIDs:  []portainer.TagID{1},
+	})
+	require.NoError(t, err)
+
+	rr := httptest.NewRecorder()
+
+	req := httptest.NewRequest(
+		http.MethodGet,
+		"/edge_groups/1",
+		nil,
+	)
+
+	handler.ServeHTTP(rr, req)
+	require.Equal(t, http.StatusOK, rr.Result().StatusCode)
+
+	var responseGroup portainer.EdgeGroup
+	err = json.NewDecoder(rr.Body).Decode(&responseGroup)
+	require.NoError(t, err)
+
+	require.ElementsMatch(t, []portainer.EndpointID{1, 2, 3}, responseGroup.Endpoints)
+}

api/http/handler/edgegroups/edgegroup_list.go

@@ -7,11 +7,17 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/roar"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 )
 
-type decoratedEdgeGroup struct {
+type shadowedEdgeGroup struct {
 	portainer.EdgeGroup
+	EndpointIds int `json:"EndpointIds,omitempty"` // Shadow to avoid exposing in the API
+}
+
+type decoratedEdgeGroup struct {
+	shadowedEdgeGroup
 	HasEdgeStack     bool `json:"HasEdgeStack"`
 	HasEdgeJob       bool `json:"HasEdgeJob"`
 	EndpointTypes    []portainer.EndpointType
@@ -76,8 +82,8 @@ func getEdgeGroupList(tx dataservices.DataStoreTx) ([]decoratedEdgeGroup, error)
 		}
 
 		edgeGroup := decoratedEdgeGroup{
-			EdgeGroup:     orgEdgeGroup,
-			EndpointTypes: []portainer.EndpointType{},
+			shadowedEdgeGroup: shadowedEdgeGroup{EdgeGroup: orgEdgeGroup},
+			EndpointTypes:     []portainer.EndpointType{},
 		}
 		if edgeGroup.Dynamic {
 			endpointIDs, err := GetEndpointsByTags(tx, edgeGroup.TagIDs, edgeGroup.PartialMatch)
@@ -88,15 +94,16 @@ func getEdgeGroupList(tx dataservices.DataStoreTx) ([]decoratedEdgeGroup, error)
 			edgeGroup.Endpoints = endpointIDs
 			edgeGroup.TrustedEndpoints = endpointIDs
 		} else {
-			trustedEndpoints, err := getTrustedEndpoints(tx, edgeGroup.Endpoints)
+			trustedEndpoints, err := getTrustedEndpoints(tx, edgeGroup.EndpointIDs)
 			if err != nil {
 				return nil, httperror.InternalServerError("Unable to retrieve environments for Edge group", err)
 			}
 
+			edgeGroup.Endpoints = edgeGroup.EndpointIDs.ToSlice()
 			edgeGroup.TrustedEndpoints = trustedEndpoints
 		}
 
-		endpointTypes, err := getEndpointTypes(tx, edgeGroup.Endpoints)
+		endpointTypes, err := getEndpointTypes(tx, edgeGroup.EndpointIDs)
 		if err != nil {
 			return nil, httperror.InternalServerError("Unable to retrieve environment types for Edge group", err)
 		}
@@ -111,15 +118,26 @@ func getEdgeGroupList(tx dataservices.DataStoreTx) ([]decoratedEdgeGroup, error)
 	return decoratedEdgeGroups, nil
 }
 
-func getEndpointTypes(tx dataservices.DataStoreTx, endpointIds []portainer.EndpointID) ([]portainer.EndpointType, error) {
+func getEndpointTypes(tx dataservices.DataStoreTx, endpointIds roar.Roar[portainer.EndpointID]) ([]portainer.EndpointType, error) {
+	var innerErr error
+
 	typeSet := map[portainer.EndpointType]bool{}
-	for _, endpointID := range endpointIds {
+
+	endpointIds.Iterate(func(endpointID portainer.EndpointID) bool {
 		endpoint, err := tx.Endpoint().Endpoint(endpointID)
 		if err != nil {
-			return nil, fmt.Errorf("failed fetching environment: %w", err)
+			innerErr = fmt.Errorf("failed fetching environment: %w", err)
+
+			return false
 		}
 
 		typeSet[endpoint.Type] = true
+
+		return true
+	})
+
+	if innerErr != nil {
+		return nil, innerErr
 	}
 
 	endpointTypes := make([]portainer.EndpointType, 0, len(typeSet))

api/http/handler/edgegroups/edgegroup_list_test.go

@@ -1,11 +1,19 @@
 package edgegroups
 
 import (
+	"net/http"
+	"net/http/httptest"
+	"strconv"
 	"testing"
 
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/roar"
+
+	"github.com/segmentio/encoding/json"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func Test_getEndpointTypes(t *testing.T) {
@@ -38,7 +46,7 @@ func Test_getEndpointTypes(t *testing.T) {
 	}
 
 	for _, test := range tests {
-		ans, err := getEndpointTypes(datastore, test.endpointIds)
+		ans, err := getEndpointTypes(datastore, roar.FromSlice(test.endpointIds))
 		assert.NoError(t, err, "getEndpointTypes shouldn't fail")
 
 		assert.ElementsMatch(t, test.expected, ans, "getEndpointTypes expected to return %b for %v, but returned %b", test.expected, test.endpointIds, ans)
@@ -48,6 +56,61 @@ func Test_getEndpointTypes(t *testing.T) {
 func Test_getEndpointTypes_failWhenEndpointDontExist(t *testing.T) {
 	datastore := testhelpers.NewDatastore(testhelpers.WithEndpoints([]portainer.Endpoint{}))
 
-	_, err := getEndpointTypes(datastore, []portainer.EndpointID{1})
+	_, err := getEndpointTypes(datastore, roar.FromSlice([]portainer.EndpointID{1}))
 	assert.Error(t, err, "getEndpointTypes should fail")
 }
+
+func TestEdgeGroupListHandler(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, true, true)
+
+	handler := NewHandler(testhelpers.NewTestRequestBouncer())
+	handler.DataStore = store
+
+	err := store.EndpointGroup().Create(&portainer.EndpointGroup{
+		ID:   1,
+		Name: "Test Group",
+	})
+	require.NoError(t, err)
+
+	for i := range 3 {
+		err = store.Endpoint().Create(&portainer.Endpoint{
+			ID:      portainer.EndpointID(i + 1),
+			Name:    "Test Endpoint " + strconv.Itoa(i+1),
+			Type:    portainer.EdgeAgentOnDockerEnvironment,
+			GroupID: 1,
+		})
+		require.NoError(t, err)
+
+		err = store.EndpointRelation().Create(&portainer.EndpointRelation{
+			EndpointID: portainer.EndpointID(i + 1),
+			EdgeStacks: map[portainer.EdgeStackID]bool{},
+		})
+		require.NoError(t, err)
+	}
+
+	err = store.EdgeGroup().Create(&portainer.EdgeGroup{
+		ID:          1,
+		Name:        "Test Edge Group",
+		EndpointIDs: roar.FromSlice([]portainer.EndpointID{1, 2, 3}),
+	})
+	require.NoError(t, err)
+
+	rr := httptest.NewRecorder()
+
+	req := httptest.NewRequest(
+		http.MethodGet,
+		"/edge_groups",
+		nil,
+	)
+
+	handler.ServeHTTP(rr, req)
+	require.Equal(t, http.StatusOK, rr.Result().StatusCode)
+
+	var responseGroups []decoratedEdgeGroup
+	err = json.NewDecoder(rr.Body).Decode(&responseGroups)
+	require.NoError(t, err)
+
+	require.Len(t, responseGroups, 1)
+	require.ElementsMatch(t, []portainer.EndpointID{1, 2, 3}, responseGroups[0].Endpoints)
+	require.Len(t, responseGroups[0].TrustedEndpoints, 0)
+}

api/http/handler/edgegroups/edgegroup_update.go

@@ -158,12 +158,12 @@ func (handler *Handler) edgeGroupUpdate(w http.ResponseWriter, r *http.Request)
 		return nil
 	})
 
-	return txResponse(w, edgeGroup, err)
+	return txResponse(w, shadowedEdgeGroup{EdgeGroup: *edgeGroup}, err)
 }
 
 func (handler *Handler) updateEndpointStacks(tx dataservices.DataStoreTx, endpoint *portainer.Endpoint, edgeGroups []portainer.EdgeGroup, edgeStacks []portainer.EdgeStack) error {
 	relation, err := tx.EndpointRelation().EndpointRelation(endpoint.ID)
-	if err != nil && !handler.DataStore.IsErrObjectNotFound(err) {
+	if err != nil {
 		return err
 	}
 
@@ -179,12 +179,6 @@ func (handler *Handler) updateEndpointStacks(tx dataservices.DataStoreTx, endpoi
 		edgeStackSet[edgeStackID] = true
 	}
 
-	if relation == nil {
-		relation = &portainer.EndpointRelation{
-			EndpointID: endpoint.ID,
-			EdgeStacks: make(map[portainer.EdgeStackID]bool),
-		}
-	}
 	relation.EdgeStacks = edgeStackSet
 
 	return tx.EndpointRelation().UpdateEndpointRelation(endpoint.ID, relation)

api/http/handler/edgegroups/edgegroup_update_test.go

@@ -0,0 +1,70 @@
+package edgegroups
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strconv"
+	"strings"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/roar"
+
+	"github.com/segmentio/encoding/json"
+	"github.com/stretchr/testify/require"
+)
+
+func TestEdgeGroupUpdateHandler(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, true, true)
+
+	handler := NewHandler(testhelpers.NewTestRequestBouncer())
+	handler.DataStore = store
+
+	err := store.EndpointGroup().Create(&portainer.EndpointGroup{
+		ID:   1,
+		Name: "Test Group",
+	})
+	require.NoError(t, err)
+
+	for i := range 3 {
+		err = store.Endpoint().Create(&portainer.Endpoint{
+			ID:      portainer.EndpointID(i + 1),
+			Name:    "Test Endpoint " + strconv.Itoa(i+1),
+			Type:    portainer.EdgeAgentOnDockerEnvironment,
+			GroupID: 1,
+		})
+		require.NoError(t, err)
+
+		err = store.EndpointRelation().Create(&portainer.EndpointRelation{
+			EndpointID: portainer.EndpointID(i + 1),
+			EdgeStacks: map[portainer.EdgeStackID]bool{},
+		})
+		require.NoError(t, err)
+	}
+
+	err = store.EdgeGroup().Create(&portainer.EdgeGroup{
+		ID:          1,
+		Name:        "Test Edge Group",
+		EndpointIDs: roar.FromSlice([]portainer.EndpointID{1}),
+	})
+	require.NoError(t, err)
+
+	rr := httptest.NewRecorder()
+
+	req := httptest.NewRequest(
+		http.MethodPut,
+		"/edge_groups/1",
+		strings.NewReader(`{"Endpoints": [1, 2, 3]}`),
+	)
+
+	handler.ServeHTTP(rr, req)
+	require.Equal(t, http.StatusOK, rr.Result().StatusCode)
+
+	var responseGroup portainer.EdgeGroup
+	err = json.NewDecoder(rr.Body).Decode(&responseGroup)
+	require.NoError(t, err)
+
+	require.ElementsMatch(t, []portainer.EndpointID{1, 2, 3}, responseGroup.Endpoints)
+}

api/http/handler/edgestacks/edgestack_create_git.go

@@ -33,6 +33,8 @@ type edgeStackFromGitRepositoryPayload struct {
 	RepositoryUsername string `example:"myGitUsername"`
 	// Password used in basic authentication. Required when RepositoryAuthentication is true.
 	RepositoryPassword string `example:"myGitPassword"`
+	// RepositoryAuthorizationType is the authorization type to use
+	RepositoryAuthorizationType gittypes.GitCredentialAuthType `example:"0"`
 	// Path to the Stack file inside the Git repository
 	FilePathInRepository string `example:"docker-compose.yml" default:"docker-compose.yml"`
 	// List of identifiers of EdgeGroups
@@ -125,8 +127,9 @@ func (handler *Handler) createEdgeStackFromGitRepository(r *http.Request, tx dat
 
 	if payload.RepositoryAuthentication {
 		repoConfig.Authentication = &gittypes.GitAuthentication{
-			Username: payload.RepositoryUsername,
-			Password: payload.RepositoryPassword,
+			Username:          payload.RepositoryUsername,
+			Password:          payload.RepositoryPassword,
+			AuthorizationType: payload.RepositoryAuthorizationType,
 		}
 	}
 
@@ -145,12 +148,22 @@ func (handler *Handler) storeManifestFromGitRepository(tx dataservices.DataStore
 	projectPath = handler.FileService.GetEdgeStackProjectPath(stackFolder)
 	repositoryUsername := ""
 	repositoryPassword := ""
+	repositoryAuthType := gittypes.GitCredentialAuthType_Basic
 	if repositoryConfig.Authentication != nil && repositoryConfig.Authentication.Password != "" {
 		repositoryUsername = repositoryConfig.Authentication.Username
 		repositoryPassword = repositoryConfig.Authentication.Password
+		repositoryAuthType = repositoryConfig.Authentication.AuthorizationType
 	}
 
-	if err := handler.GitService.CloneRepository(projectPath, repositoryConfig.URL, repositoryConfig.ReferenceName, repositoryUsername, repositoryPassword, repositoryConfig.TLSSkipVerify); err != nil {
+	if err := handler.GitService.CloneRepository(
+		projectPath,
+		repositoryConfig.URL,
+		repositoryConfig.ReferenceName,
+		repositoryUsername,
+		repositoryPassword,
+		repositoryAuthType,
+		repositoryConfig.TLSSkipVerify,
+	); err != nil {
 		return "", "", "", err
 	}
 

api/http/handler/edgestacks/edgestack_create_test.go

@@ -8,9 +8,10 @@ import (
 	"testing"
 
 	portainer "github.com/portainer/portainer/api"
-	"github.com/stretchr/testify/require"
+	"github.com/portainer/portainer/api/roar"
 
 	"github.com/segmentio/encoding/json"
+	"github.com/stretchr/testify/require"
 )
 
 // Create
@@ -24,7 +25,7 @@ func TestCreateAndInspect(t *testing.T) {
 		Name:         "EdgeGroup 1",
 		Dynamic:      false,
 		TagIDs:       nil,
-		Endpoints:    []portainer.EndpointID{endpoint.ID},
+		EndpointIDs:  roar.FromSlice([]portainer.EndpointID{endpoint.ID}),
 		PartialMatch: false,
 	}
 

api/http/handler/edgestacks/edgestack_list.go

@@ -3,10 +3,39 @@ package edgestacks
 import (
 	"net/http"
 
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/slicesx"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
 )
 
+type aggregatedStatusesMap map[portainer.EdgeStackStatusType]int
+
+type SummarizedStatus string
+
+const (
+	sumStatusUnavailable      SummarizedStatus = "Unavailable"
+	sumStatusDeploying        SummarizedStatus = "Deploying"
+	sumStatusFailed           SummarizedStatus = "Failed"
+	sumStatusPaused           SummarizedStatus = "Paused"
+	sumStatusPartiallyRunning SummarizedStatus = "PartiallyRunning"
+	sumStatusCompleted        SummarizedStatus = "Completed"
+	sumStatusRunning          SummarizedStatus = "Running"
+)
+
+type edgeStackStatusSummary struct {
+	AggregatedStatus aggregatedStatusesMap
+	Status           SummarizedStatus
+	Reason           string
+}
+
+type edgeStackListResponseItem struct {
+	portainer.EdgeStack
+	StatusSummary edgeStackStatusSummary
+}
+
 // @id EdgeStackList
 // @summary Fetches the list of EdgeStacks
 // @description **Access policy**: administrator
@@ -14,22 +43,122 @@ import (
 // @security ApiKeyAuth
 // @security jwt
 // @produce json
+// @param summarizeStatuses query boolean false "will summarize the statuses"
 // @success 200 {array} portainer.EdgeStack
 // @failure 500
 // @failure 400
 // @failure 503 "Edge compute features are disabled"
 // @router /edge_stacks [get]
 func (handler *Handler) edgeStackList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	summarizeStatuses, _ := request.RetrieveBooleanQueryParameter(r, "summarizeStatuses", true)
+
 	edgeStacks, err := handler.DataStore.EdgeStack().EdgeStacks()
 	if err != nil {
 		return httperror.InternalServerError("Unable to retrieve edge stacks from the database", err)
 	}
 
+	res := make([]edgeStackListResponseItem, len(edgeStacks))
+
 	for i := range edgeStacks {
-		if err := fillEdgeStackStatus(handler.DataStore, &edgeStacks[i]); err != nil {
+		res[i].EdgeStack = edgeStacks[i]
+
+		if summarizeStatuses {
+			if err := fillStatusSummary(handler.DataStore, &res[i]); err != nil {
+				return handlerDBErr(err, "Unable to retrieve edge stack status from the database")
+			}
+		} else if err := fillEdgeStackStatus(handler.DataStore, &res[i].EdgeStack); err != nil {
 			return handlerDBErr(err, "Unable to retrieve edge stack status from the database")
 		}
 	}
 
-	return response.JSON(w, edgeStacks)
+	return response.JSON(w, res)
+}
+
+func fillStatusSummary(tx dataservices.DataStoreTx, edgeStack *edgeStackListResponseItem) error {
+	statuses, err := tx.EdgeStackStatus().ReadAll(edgeStack.ID)
+	if err != nil {
+		return err
+	}
+
+	aggregated := make(aggregatedStatusesMap)
+
+	for _, envStatus := range statuses {
+		for _, status := range envStatus.Status {
+			aggregated[status.Type]++
+		}
+	}
+
+	status, reason := SummarizeStatuses(statuses, edgeStack.NumDeployments)
+
+	edgeStack.StatusSummary = edgeStackStatusSummary{
+		AggregatedStatus: aggregated,
+		Status:           status,
+		Reason:           reason,
+	}
+
+	edgeStack.Status = map[portainer.EndpointID]portainer.EdgeStackStatus{}
+
+	return nil
+}
+
+func SummarizeStatuses(statuses []portainer.EdgeStackStatusForEnv, numDeployments int) (SummarizedStatus, string) {
+	if numDeployments == 0 {
+		return sumStatusUnavailable, "Your edge stack is currently unavailable due to the absence of an available environment in your edge group"
+	}
+
+	allStatuses := slicesx.FlatMap(statuses, func(x portainer.EdgeStackStatusForEnv) []portainer.EdgeStackDeploymentStatus {
+		return x.Status
+	})
+
+	lastStatuses := slicesx.Map(
+		slicesx.Filter(
+			statuses,
+			func(s portainer.EdgeStackStatusForEnv) bool {
+				return len(s.Status) > 0
+			},
+		),
+		func(x portainer.EdgeStackStatusForEnv) portainer.EdgeStackDeploymentStatus {
+			return x.Status[len(x.Status)-1]
+		},
+	)
+
+	if len(lastStatuses) == 0 {
+		return sumStatusDeploying, ""
+	}
+
+	if allFailed := slicesx.Every(lastStatuses, func(s portainer.EdgeStackDeploymentStatus) bool {
+		return s.Type == portainer.EdgeStackStatusError
+	}); allFailed {
+		return sumStatusFailed, ""
+	}
+
+	if hasPaused := slicesx.Some(allStatuses, func(s portainer.EdgeStackDeploymentStatus) bool {
+		return s.Type == portainer.EdgeStackStatusPausedDeploying
+	}); hasPaused {
+		return sumStatusPaused, ""
+	}
+
+	if len(lastStatuses) < numDeployments {
+		return sumStatusDeploying, ""
+	}
+
+	hasDeploying := slicesx.Some(lastStatuses, func(s portainer.EdgeStackDeploymentStatus) bool { return s.Type == portainer.EdgeStackStatusDeploying })
+	hasRunning := slicesx.Some(lastStatuses, func(s portainer.EdgeStackDeploymentStatus) bool { return s.Type == portainer.EdgeStackStatusRunning })
+	hasFailed := slicesx.Some(lastStatuses, func(s portainer.EdgeStackDeploymentStatus) bool { return s.Type == portainer.EdgeStackStatusError })
+
+	if hasRunning && hasFailed && !hasDeploying {
+		return sumStatusPartiallyRunning, ""
+	}
+
+	if allCompleted := slicesx.Every(lastStatuses, func(s portainer.EdgeStackDeploymentStatus) bool { return s.Type == portainer.EdgeStackStatusCompleted }); allCompleted {
+		return sumStatusCompleted, ""
+	}
+
+	if allRunning := slicesx.Every(lastStatuses, func(s portainer.EdgeStackDeploymentStatus) bool {
+		return s.Type == portainer.EdgeStackStatusRunning
+	}); allRunning {
+		return sumStatusRunning, ""
+	}
+
+	return sumStatusDeploying, ""
 }

api/http/handler/edgestacks/edgestack_status_update.go

@@ -133,7 +133,9 @@ func (handler *Handler) updateEdgeStackStatus(tx dataservices.DataStoreTx, stack
 	}
 
 	environmentStatus, err := tx.EdgeStackStatus().Read(stackID, payload.EndpointID)
-	if err != nil {
+	if err != nil && !tx.IsErrObjectNotFound(err) {
+		return err
+	} else if tx.IsErrObjectNotFound(err) {
 		environmentStatus = &portainer.EdgeStackStatusForEnv{
 			EndpointID: payload.EndpointID,
 			Status:     []portainer.EdgeStackDeploymentStatus{},

api/http/handler/edgestacks/edgestack_test.go

@@ -15,6 +15,7 @@ import (
 	"github.com/portainer/portainer/api/internal/edge/edgestacks"
 	"github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"
+	"github.com/portainer/portainer/api/roar"
 
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/require"
@@ -103,7 +104,7 @@ func createEdgeStack(t *testing.T, store dataservices.DataStore, endpointID port
 		Name:         "EdgeGroup 1",
 		Dynamic:      false,
 		TagIDs:       nil,
-		Endpoints:    []portainer.EndpointID{endpointID},
+		EndpointIDs:  roar.FromSlice([]portainer.EndpointID{endpointID}),
 		PartialMatch: false,
 	}
 

api/http/handler/edgestacks/edgestack_update_test.go

@@ -9,9 +9,10 @@ import (
 	"testing"
 
 	portainer "github.com/portainer/portainer/api"
-	"github.com/stretchr/testify/require"
+	"github.com/portainer/portainer/api/roar"
 
 	"github.com/segmentio/encoding/json"
+	"github.com/stretchr/testify/require"
 )
 
 // Update
@@ -43,7 +44,7 @@ func TestUpdateAndInspect(t *testing.T) {
 		Name:         "EdgeGroup 2",
 		Dynamic:      false,
 		TagIDs:       nil,
-		Endpoints:    []portainer.EndpointID{newEndpoint.ID},
+		EndpointIDs:  roar.FromSlice([]portainer.EndpointID{newEndpoint.ID}),
 		PartialMatch: false,
 	}
 
@@ -112,7 +113,7 @@ func TestUpdateWithInvalidEdgeGroups(t *testing.T) {
 		Name:         "EdgeGroup 2",
 		Dynamic:      false,
 		TagIDs:       nil,
-		Endpoints:    []portainer.EndpointID{8889},
+		EndpointIDs:  roar.FromSlice([]portainer.EndpointID{8889}),
 		PartialMatch: false,
 	}
 

api/http/handler/endpointedge/endpointedge_status_inspect.go

@@ -264,9 +264,6 @@ func (handler *Handler) buildSchedules(tx dataservices.DataStoreTx, endpointID p
 func (handler *Handler) buildEdgeStacks(tx dataservices.DataStoreTx, endpointID portainer.EndpointID) ([]stackStatusResponse, *httperror.HandlerError) {
 	relation, err := tx.EndpointRelation().EndpointRelation(endpointID)
 	if err != nil {
-		if tx.IsErrObjectNotFound(err) {
-			return nil, nil
-		}
 		return nil, httperror.InternalServerError("Unable to retrieve relation object from the database", err)
 	}
 

api/http/handler/endpointedge/endpointedge_status_inspect_test.go

@@ -16,6 +16,7 @@ import (
 	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/jwt"
+	"github.com/portainer/portainer/api/roar"
 
 	"github.com/segmentio/encoding/json"
 	"github.com/stretchr/testify/assert"
@@ -366,8 +367,8 @@ func TestEdgeJobsResponse(t *testing.T) {
 	unrelatedEndpoint := localCreateEndpoint(80, nil)
 
 	staticEdgeGroup := portainer.EdgeGroup{
-		ID:        1,
-		Endpoints: []portainer.EndpointID{endpointFromStaticEdgeGroup.ID},
+		ID:          1,
+		EndpointIDs: roar.FromSlice([]portainer.EndpointID{endpointFromStaticEdgeGroup.ID}),
 	}
 	err := handler.DataStore.EdgeGroup().Create(&staticEdgeGroup)
 	require.NoError(t, err)

api/http/handler/endpointgroups/endpoints.go

@@ -21,17 +21,10 @@ func (handler *Handler) updateEndpointRelations(tx dataservices.DataStoreTx, end
 	}
 
 	endpointRelation, err := tx.EndpointRelation().EndpointRelation(endpoint.ID)
-	if err != nil && !tx.IsErrObjectNotFound(err) {
+	if err != nil {
 		return err
 	}
 
-	if endpointRelation == nil {
-		endpointRelation = &portainer.EndpointRelation{
-			EndpointID: endpoint.ID,
-			EdgeStacks: make(map[portainer.EdgeStackID]bool),
-		}
-	}
-
 	edgeGroups, err := tx.EdgeGroup().ReadAll()
 	if err != nil {
 		return err

api/http/handler/endpoints/endpoint_create.go

@@ -563,6 +563,10 @@ func (handler *Handler) saveEndpointAndUpdateAuthorizations(tx dataservices.Data
 		return err
 	}
 
+	if err := endpointutils.InitializeEdgeEndpointRelation(endpoint, tx); err != nil {
+		return err
+	}
+
 	for _, tagID := range endpoint.TagIDs {
 		if err := tx.Tag().UpdateTagFunc(tagID, func(tag *portainer.Tag) {
 			tag.Endpoints[endpoint.ID] = true

api/http/handler/endpoints/endpoint_delete.go

@@ -3,7 +3,6 @@ package endpoints
 import (
 	"errors"
 	"net/http"
-	"slices"
 	"strconv"
 
 	portainer "github.com/portainer/portainer/api"
@@ -200,9 +199,7 @@ func (handler *Handler) deleteEndpoint(tx dataservices.DataStoreTx, endpointID p
 	}
 
 	for _, edgeGroup := range edgeGroups {
-		edgeGroup.Endpoints = slices.DeleteFunc(edgeGroup.Endpoints, func(e portainer.EndpointID) bool {
-			return e == endpoint.ID
-		})
+		edgeGroup.EndpointIDs.Remove(endpoint.ID)
 
 		if err := tx.EdgeGroup().Update(edgeGroup.ID, &edgeGroup); err != nil {
 			log.Warn().Err(err).Msg("Unable to update edge group")

api/http/handler/endpoints/endpoint_delete_test.go

@@ -11,6 +11,7 @@ import (
 	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/http/proxy"
 	"github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/roar"
 )
 
 func TestEndpointDeleteEdgeGroupsConcurrently(t *testing.T) {
@@ -21,7 +22,7 @@ func TestEndpointDeleteEdgeGroupsConcurrently(t *testing.T) {
 	handler := NewHandler(testhelpers.NewTestRequestBouncer())
 	handler.DataStore = store
 	handler.ProxyManager = proxy.NewManager(nil)
-	handler.ProxyManager.NewProxyFactory(nil, nil, nil, nil, nil, nil, nil, nil)
+	handler.ProxyManager.NewProxyFactory(nil, nil, nil, nil, nil, nil, nil, nil, nil)
 
 	// Create all the environments and add them to the same edge group
 
@@ -42,9 +43,9 @@ func TestEndpointDeleteEdgeGroupsConcurrently(t *testing.T) {
 	}
 
 	if err := store.EdgeGroup().Create(&portainer.EdgeGroup{
-		ID:        1,
-		Name:      "edgegroup-1",
-		Endpoints: endpointIDs,
+		ID:          1,
+		Name:        "edgegroup-1",
+		EndpointIDs: roar.FromSlice(endpointIDs),
 	}); err != nil {
 		t.Fatal("could not create edge group:", err)
 	}
@@ -78,7 +79,7 @@ func TestEndpointDeleteEdgeGroupsConcurrently(t *testing.T) {
 		t.Fatal("could not retrieve the edge group:", err)
 	}
 
-	if len(edgeGroup.Endpoints) > 0 {
+	if edgeGroup.EndpointIDs.Len() > 0 {
 		t.Fatal("the edge group is not consistent")
 	}
 }

api/http/handler/endpoints/endpoint_list.go

@@ -95,12 +95,11 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht
 		return httperror.BadRequest("Invalid query parameters", err)
 	}
 
-	filteredEndpoints := security.FilterEndpoints(endpoints, endpointGroups, securityContext)
-
-	filteredEndpoints, totalAvailableEndpoints, err := handler.filterEndpointsByQuery(filteredEndpoints, query, endpointGroups, edgeGroups, settings)
+	filteredEndpoints, totalAvailableEndpoints, err := handler.filterEndpointsByQuery(endpoints, query, endpointGroups, edgeGroups, settings, securityContext)
 	if err != nil {
 		return httperror.InternalServerError("Unable to filter endpoints", err)
 	}
+	filteredEndpoints = security.FilterEndpoints(filteredEndpoints, endpointGroups, securityContext)
 
 	sortEnvironmentsByField(filteredEndpoints, endpointGroups, getSortKey(sortField), sortOrder == "desc")
 

api/http/handler/endpoints/endpoint_registries_list.go

@@ -75,7 +75,7 @@ func (handler *Handler) listRegistries(tx dataservices.DataStoreTx, r *http.Requ
 		return nil, httperror.InternalServerError("Unable to retrieve registries from the database", err)
 	}
 
-	registries, handleError := handler.filterRegistriesByAccess(r, registries, endpoint, user, securityContext.UserMemberships)
+	registries, handleError := handler.filterRegistriesByAccess(tx, r, registries, endpoint, user, securityContext.UserMemberships)
 	if handleError != nil {
 		return nil, handleError
 	}
@@ -87,15 +87,15 @@ func (handler *Handler) listRegistries(tx dataservices.DataStoreTx, r *http.Requ
 	return registries, err
 }
 
-func (handler *Handler) filterRegistriesByAccess(r *http.Request, registries []portainer.Registry, endpoint *portainer.Endpoint, user *portainer.User, memberships []portainer.TeamMembership) ([]portainer.Registry, *httperror.HandlerError) {
+func (handler *Handler) filterRegistriesByAccess(tx dataservices.DataStoreTx, r *http.Request, registries []portainer.Registry, endpoint *portainer.Endpoint, user *portainer.User, memberships []portainer.TeamMembership) ([]portainer.Registry, *httperror.HandlerError) {
 	if !endpointutils.IsKubernetesEndpoint(endpoint) {
 		return security.FilterRegistries(registries, user, memberships, endpoint.ID), nil
 	}
 
-	return handler.filterKubernetesEndpointRegistries(r, registries, endpoint, user, memberships)
+	return handler.filterKubernetesEndpointRegistries(tx, r, registries, endpoint, user, memberships)
 }
 
-func (handler *Handler) filterKubernetesEndpointRegistries(r *http.Request, registries []portainer.Registry, endpoint *portainer.Endpoint, user *portainer.User, memberships []portainer.TeamMembership) ([]portainer.Registry, *httperror.HandlerError) {
+func (handler *Handler) filterKubernetesEndpointRegistries(tx dataservices.DataStoreTx, r *http.Request, registries []portainer.Registry, endpoint *portainer.Endpoint, user *portainer.User, memberships []portainer.TeamMembership) ([]portainer.Registry, *httperror.HandlerError) {
 	namespaceParam, _ := request.RetrieveQueryParameter(r, "namespace", true)
 	isAdmin, err := security.IsAdmin(r)
 	if err != nil {
@@ -116,7 +116,7 @@ func (handler *Handler) filterKubernetesEndpointRegistries(r *http.Request, regi
 		return registries, nil
 	}
 
-	return handler.filterKubernetesRegistriesByUserRole(r, registries, endpoint, user)
+	return handler.filterKubernetesRegistriesByUserRole(tx, r, registries, endpoint, user)
 }
 
 func (handler *Handler) isNamespaceAuthorized(endpoint *portainer.Endpoint, namespace string, userId portainer.UserID, memberships []portainer.TeamMembership, isAdmin bool) (bool, error) {
@@ -169,7 +169,7 @@ func registryAccessPoliciesContainsNamespace(registryAccess portainer.RegistryAc
 	return false
 }
 
-func (handler *Handler) filterKubernetesRegistriesByUserRole(r *http.Request, registries []portainer.Registry, endpoint *portainer.Endpoint, user *portainer.User) ([]portainer.Registry, *httperror.HandlerError) {
+func (handler *Handler) filterKubernetesRegistriesByUserRole(tx dataservices.DataStoreTx, r *http.Request, registries []portainer.Registry, endpoint *portainer.Endpoint, user *portainer.User) ([]portainer.Registry, *httperror.HandlerError) {
 	err := handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint)
 	if errors.Is(err, security.ErrAuthorizationRequired) {
 		return nil, httperror.Forbidden("User is not authorized", err)
@@ -178,7 +178,7 @@ func (handler *Handler) filterKubernetesRegistriesByUserRole(r *http.Request, re
 		return nil, httperror.InternalServerError("Unable to retrieve info from request context", err)
 	}
 
-	userNamespaces, err := handler.userNamespaces(endpoint, user)
+	userNamespaces, err := handler.userNamespaces(tx, endpoint, user)
 	if err != nil {
 		return nil, httperror.InternalServerError("unable to retrieve user namespaces", err)
 	}
@@ -186,7 +186,7 @@ func (handler *Handler) filterKubernetesRegistriesByUserRole(r *http.Request, re
 	return filterRegistriesByNamespaces(registries, endpoint.ID, userNamespaces), nil
 }
 
-func (handler *Handler) userNamespaces(endpoint *portainer.Endpoint, user *portainer.User) ([]string, error) {
+func (handler *Handler) userNamespaces(tx dataservices.DataStoreTx, endpoint *portainer.Endpoint, user *portainer.User) ([]string, error) {
 	kcl, err := handler.K8sClientFactory.GetPrivilegedKubeClient(endpoint)
 	if err != nil {
 		return nil, err
@@ -197,7 +197,7 @@ func (handler *Handler) userNamespaces(endpoint *portainer.Endpoint, user *porta
 		return nil, err
 	}
 
-	userMemberships, err := handler.DataStore.TeamMembership().TeamMembershipsByUserID(user.ID)
+	userMemberships, err := tx.TeamMembership().TeamMembershipsByUserID(user.ID)
 	if err != nil {
 		return nil, err
 	}

api/http/handler/endpoints/filter.go

@@ -11,9 +11,10 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/http/handler/edgegroups"
+	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/edge"
 	"github.com/portainer/portainer/api/internal/endpointutils"
-	"github.com/portainer/portainer/api/slicesx"
+	"github.com/portainer/portainer/api/roar"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 
 	"github.com/pkg/errors"
@@ -140,11 +141,14 @@ func (handler *Handler) filterEndpointsByQuery(
 	groups []portainer.EndpointGroup,
 	edgeGroups []portainer.EdgeGroup,
 	settings *portainer.Settings,
+	context *security.RestrictedRequestContext,
 ) ([]portainer.Endpoint, int, error) {
 	totalAvailableEndpoints := len(filteredEndpoints)
 
 	if len(query.endpointIds) > 0 {
-		filteredEndpoints = filteredEndpointsByIds(filteredEndpoints, query.endpointIds)
+		endpointIDs := roar.FromSlice(query.endpointIds)
+
+		filteredEndpoints = filteredEndpointsByIds(filteredEndpoints, endpointIDs)
 	}
 
 	if len(query.excludeIds) > 0 {
@@ -181,11 +185,16 @@ func (handler *Handler) filterEndpointsByQuery(
 	}
 
 	// filter edge environments by trusted/untrusted
+	// only portainer admins are allowed to see untrusted environments
 	filteredEndpoints = filter(filteredEndpoints, func(endpoint portainer.Endpoint) bool {
 		if !endpointutils.IsEdgeEndpoint(&endpoint) {
 			return true
 		}
 
+		if query.edgeDeviceUntrusted {
+			return !endpoint.UserTrusted && context.IsAdmin
+		}
+
 		return endpoint.UserTrusted == !query.edgeDeviceUntrusted
 	})
 
@@ -268,7 +277,7 @@ func filterEndpointsByEdgeStack(endpoints []portainer.Endpoint, edgeStackId port
 		return nil, errors.WithMessage(err, "Unable to retrieve edge stack from the database")
 	}
 
-	envIds := make([]portainer.EndpointID, 0)
+	envIds := roar.Roar[portainer.EndpointID]{}
 	for _, edgeGroupdId := range stack.EdgeGroups {
 		edgeGroup, err := datastore.EdgeGroup().Read(edgeGroupdId)
 		if err != nil {
@@ -280,30 +289,37 @@ func filterEndpointsByEdgeStack(endpoints []portainer.Endpoint, edgeStackId port
 			if err != nil {
 				return nil, errors.WithMessage(err, "Unable to retrieve environments and environment groups for Edge group")
 			}
-			edgeGroup.Endpoints = endpointIDs
+			edgeGroup.EndpointIDs = roar.FromSlice(endpointIDs)
 		}
 
-		envIds = append(envIds, edgeGroup.Endpoints...)
+		envIds.Union(edgeGroup.EndpointIDs)
 	}
 
 	if statusFilter != nil {
-		n := 0
-		for _, envId := range envIds {
+		var innerErr error
+
+		envIds.Iterate(func(envId portainer.EndpointID) bool {
 			edgeStackStatus, err := datastore.EdgeStackStatus().Read(edgeStackId, envId)
-			if err != nil {
-				return nil, errors.WithMessagef(err, "Unable to retrieve edge stack status for environment %d", envId)
+			if dataservices.IsErrObjectNotFound(err) {
+				return true
+			} else if err != nil {
+				innerErr = errors.WithMessagef(err, "Unable to retrieve edge stack status for environment %d", envId)
+				return false
 			}
 
-			if endpointStatusInStackMatchesFilter(edgeStackStatus, envId, *statusFilter) {
-				envIds[n] = envId
-				n++
+			if !endpointStatusInStackMatchesFilter(edgeStackStatus, portainer.EndpointID(envId), *statusFilter) {
+				envIds.Remove(envId)
 			}
+
+			return true
+		})
+
+		if innerErr != nil {
+			return nil, innerErr
 		}
-		envIds = envIds[:n]
 	}
 
-	uniqueIds := slicesx.Unique(envIds)
-	filteredEndpoints := filteredEndpointsByIds(endpoints, uniqueIds)
+	filteredEndpoints := filteredEndpointsByIds(endpoints, envIds)
 
 	return filteredEndpoints, nil
 }
@@ -335,16 +351,14 @@ func filterEndpointsByEdgeGroupIDs(endpoints []portainer.Endpoint, edgeGroups []
 	}
 	edgeGroups = edgeGroups[:n]
 
-	endpointIDSet := make(map[portainer.EndpointID]struct{})
+	endpointIDSet := roar.Roar[portainer.EndpointID]{}
 	for _, edgeGroup := range edgeGroups {
-		for _, endpointID := range edgeGroup.Endpoints {
-			endpointIDSet[endpointID] = struct{}{}
-		}
+		endpointIDSet.Union(edgeGroup.EndpointIDs)
 	}
 
 	n = 0
 	for _, endpoint := range endpoints {
-		if _, exists := endpointIDSet[endpoint.ID]; exists {
+		if endpointIDSet.Contains(endpoint.ID) {
 			endpoints[n] = endpoint
 			n++
 		}
@@ -360,12 +374,11 @@ func filterEndpointsByExcludeEdgeGroupIDs(endpoints []portainer.Endpoint, edgeGr
 	}
 
 	n := 0
-	excludeEndpointIDSet := make(map[portainer.EndpointID]struct{})
+	excludeEndpointIDSet := roar.Roar[portainer.EndpointID]{}
+
 	for _, edgeGroup := range edgeGroups {
 		if _, ok := excludeEdgeGroupIDSet[edgeGroup.ID]; ok {
-			for _, endpointID := range edgeGroup.Endpoints {
-				excludeEndpointIDSet[endpointID] = struct{}{}
-			}
+			excludeEndpointIDSet.Union(edgeGroup.EndpointIDs)
 		} else {
 			edgeGroups[n] = edgeGroup
 			n++
@@ -375,7 +388,7 @@ func filterEndpointsByExcludeEdgeGroupIDs(endpoints []portainer.Endpoint, edgeGr
 
 	n = 0
 	for _, endpoint := range endpoints {
-		if _, ok := excludeEndpointIDSet[endpoint.ID]; !ok {
+		if !excludeEndpointIDSet.Contains(endpoint.ID) {
 			endpoints[n] = endpoint
 			n++
 		}
@@ -600,15 +613,10 @@ func endpointFullMatchTags(endpoint portainer.Endpoint, endpointGroup portainer.
 	return len(missingTags) == 0
 }
 
-func filteredEndpointsByIds(endpoints []portainer.Endpoint, ids []portainer.EndpointID) []portainer.Endpoint {
-	idsSet := make(map[portainer.EndpointID]bool, len(ids))
-	for _, id := range ids {
-		idsSet[id] = true
-	}
-
+func filteredEndpointsByIds(endpoints []portainer.Endpoint, ids roar.Roar[portainer.EndpointID]) []portainer.Endpoint {
 	n := 0
 	for _, endpoint := range endpoints {
-		if idsSet[endpoint.ID] {
+		if ids.Contains(endpoint.ID) {
 			endpoints[n] = endpoint
 			n++
 		}

api/http/handler/endpoints/filter_test.go

@@ -6,10 +6,13 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/roar"
 	"github.com/portainer/portainer/api/slicesx"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 type filterTest struct {
@@ -174,7 +177,7 @@ func BenchmarkFilterEndpointsBySearchCriteria_PartialMatch(b *testing.B) {
 		edgeGroups = append(edgeGroups, portainer.EdgeGroup{
 			ID:           portainer.EdgeGroupID(i + 1),
 			Name:         "edge-group-" + strconv.Itoa(i+1),
-			Endpoints:    append([]portainer.EndpointID{}, endpointIDs...),
+			EndpointIDs:  roar.FromSlice(endpointIDs),
 			Dynamic:      true,
 			TagIDs:       []portainer.TagID{1, 2, 3},
 			PartialMatch: true,
@@ -221,11 +224,11 @@ func BenchmarkFilterEndpointsBySearchCriteria_FullMatch(b *testing.B) {
 	edgeGroups := []portainer.EdgeGroup{}
 	for i := range 1000 {
 		edgeGroups = append(edgeGroups, portainer.EdgeGroup{
-			ID:        portainer.EdgeGroupID(i + 1),
-			Name:      "edge-group-" + strconv.Itoa(i+1),
-			Endpoints: append([]portainer.EndpointID{}, endpointIDs...),
-			Dynamic:   true,
-			TagIDs:    []portainer.TagID{1},
+			ID:          portainer.EdgeGroupID(i + 1),
+			Name:        "edge-group-" + strconv.Itoa(i+1),
+			EndpointIDs: roar.FromSlice(endpointIDs),
+			Dynamic:     true,
+			TagIDs:      []portainer.TagID{1},
 		})
 	}
 
@@ -263,6 +266,7 @@ func runTest(t *testing.T, test filterTest, handler *Handler, endpoints []portai
 		[]portainer.EndpointGroup{},
 		[]portainer.EdgeGroup{},
 		&portainer.Settings{},
+		&security.RestrictedRequestContext{IsAdmin: true},
 	)
 
 	is.NoError(err)
@@ -298,3 +302,127 @@ func setupFilterTest(t *testing.T, endpoints []portainer.Endpoint) *Handler {
 
 	return handler
 }
+
+func TestFilterEndpointsByEdgeStack(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, false, false)
+
+	endpoints := []portainer.Endpoint{
+		{ID: 1, Name: "Endpoint 1"},
+		{ID: 2, Name: "Endpoint 2"},
+		{ID: 3, Name: "Endpoint 3"},
+		{ID: 4, Name: "Endpoint 4"},
+	}
+
+	edgeStackId := portainer.EdgeStackID(1)
+
+	err := store.EdgeStack().Create(edgeStackId, &portainer.EdgeStack{
+		ID:         edgeStackId,
+		Name:       "Test Edge Stack",
+		EdgeGroups: []portainer.EdgeGroupID{1, 2},
+	})
+	require.NoError(t, err)
+
+	err = store.EdgeGroup().Create(&portainer.EdgeGroup{
+		ID:          1,
+		Name:        "Edge Group 1",
+		EndpointIDs: roar.FromSlice([]portainer.EndpointID{1}),
+	})
+	require.NoError(t, err)
+
+	err = store.EdgeGroup().Create(&portainer.EdgeGroup{
+		ID:          2,
+		Name:        "Edge Group 2",
+		EndpointIDs: roar.FromSlice([]portainer.EndpointID{2, 3}),
+	})
+	require.NoError(t, err)
+
+	es, err := filterEndpointsByEdgeStack(endpoints, edgeStackId, nil, store)
+	require.NoError(t, err)
+	require.Len(t, es, 3)
+	require.Contains(t, es, endpoints[0])    // Endpoint 1
+	require.Contains(t, es, endpoints[1])    // Endpoint 2
+	require.Contains(t, es, endpoints[2])    // Endpoint 3
+	require.NotContains(t, es, endpoints[3]) // Endpoint 4
+}
+
+func TestFilterEndpointsByEdgeGroup(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, false, false)
+
+	endpoints := []portainer.Endpoint{
+		{ID: 1, Name: "Endpoint 1"},
+		{ID: 2, Name: "Endpoint 2"},
+		{ID: 3, Name: "Endpoint 3"},
+		{ID: 4, Name: "Endpoint 4"},
+	}
+
+	err := store.EdgeGroup().Create(&portainer.EdgeGroup{
+		ID:          1,
+		Name:        "Edge Group 1",
+		EndpointIDs: roar.FromSlice([]portainer.EndpointID{1}),
+	})
+	require.NoError(t, err)
+
+	err = store.EdgeGroup().Create(&portainer.EdgeGroup{
+		ID:          2,
+		Name:        "Edge Group 2",
+		EndpointIDs: roar.FromSlice([]portainer.EndpointID{2, 3}),
+	})
+	require.NoError(t, err)
+
+	edgeGroups, err := store.EdgeGroup().ReadAll()
+	require.NoError(t, err)
+
+	es, egs := filterEndpointsByEdgeGroupIDs(endpoints, edgeGroups, []portainer.EdgeGroupID{1, 2})
+	require.NoError(t, err)
+
+	require.Len(t, es, 3)
+	require.Contains(t, es, endpoints[0])    // Endpoint 1
+	require.Contains(t, es, endpoints[1])    // Endpoint 2
+	require.Contains(t, es, endpoints[2])    // Endpoint 3
+	require.NotContains(t, es, endpoints[3]) // Endpoint 4
+
+	require.Len(t, egs, 2)
+	require.Equal(t, egs[0].ID, portainer.EdgeGroupID(1))
+	require.Equal(t, egs[1].ID, portainer.EdgeGroupID(2))
+}
+
+func TestFilterEndpointsByExcludeEdgeGroupIDs(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, false, false)
+
+	endpoints := []portainer.Endpoint{
+		{ID: 1, Name: "Endpoint 1"},
+		{ID: 2, Name: "Endpoint 2"},
+		{ID: 3, Name: "Endpoint 3"},
+		{ID: 4, Name: "Endpoint 4"},
+	}
+
+	err := store.EdgeGroup().Create(&portainer.EdgeGroup{
+		ID:          1,
+		Name:        "Edge Group 1",
+		EndpointIDs: roar.FromSlice([]portainer.EndpointID{1}),
+	})
+	require.NoError(t, err)
+
+	err = store.EdgeGroup().Create(&portainer.EdgeGroup{
+		ID:          2,
+		Name:        "Edge Group 2",
+		EndpointIDs: roar.FromSlice([]portainer.EndpointID{2, 3}),
+	})
+	require.NoError(t, err)
+
+	edgeGroups, err := store.EdgeGroup().ReadAll()
+	require.NoError(t, err)
+
+	es, egs := filterEndpointsByExcludeEdgeGroupIDs(endpoints, edgeGroups, []portainer.EdgeGroupID{1})
+	require.NoError(t, err)
+
+	require.Len(t, es, 3)
+	require.Equal(t, es, []portainer.Endpoint{
+		{ID: 2, Name: "Endpoint 2"},
+		{ID: 3, Name: "Endpoint 3"},
+		{ID: 4, Name: "Endpoint 4"},
+	})
+
+	require.Len(t, egs, 1)
+	require.Equal(t, egs[0].ID, portainer.EdgeGroupID(2))
+}

api/http/handler/endpoints/update_edge_relations.go

@@ -17,17 +17,7 @@ func (handler *Handler) updateEdgeRelations(tx dataservices.DataStoreTx, endpoin
 
 	relation, err := tx.EndpointRelation().EndpointRelation(endpoint.ID)
 	if err != nil {
-		if !tx.IsErrObjectNotFound(err) {
-			return errors.WithMessage(err, "Unable to retrieve environment relation inside the database")
-		}
-
-		relation = &portainer.EndpointRelation{
-			EndpointID: endpoint.ID,
-			EdgeStacks: map[portainer.EdgeStackID]bool{},
-		}
-		if err := tx.EndpointRelation().Create(relation); err != nil {
-			return errors.WithMessage(err, "Unable to create environment relation inside the database")
-		}
+		return errors.WithMessage(err, "Unable to retrieve environment relation inside the database")
 	}
 
 	endpointGroup, err := tx.EndpointGroup().Read(endpoint.GroupID)

api/http/handler/endpoints/utils_update_edge_groups.go

@@ -1,12 +1,11 @@
 package endpoints
 
 import (
-	"slices"
-
-	"github.com/pkg/errors"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/set"
+
+	"github.com/pkg/errors"
 )
 
 func updateEnvironmentEdgeGroups(tx dataservices.DataStoreTx, newEdgeGroups []portainer.EdgeGroupID, environmentID portainer.EndpointID) (bool, error) {
@@ -19,10 +18,8 @@ func updateEnvironmentEdgeGroups(tx dataservices.DataStoreTx, newEdgeGroups []po
 
 	environmentEdgeGroupsSet := set.Set[portainer.EdgeGroupID]{}
 	for _, edgeGroup := range edgeGroups {
-		for _, eID := range edgeGroup.Endpoints {
-			if eID == environmentID {
-				environmentEdgeGroupsSet[edgeGroup.ID] = true
-			}
+		if edgeGroup.EndpointIDs.Contains(environmentID) {
+			environmentEdgeGroupsSet[edgeGroup.ID] = true
 		}
 	}
 
@@ -52,20 +49,16 @@ func updateEnvironmentEdgeGroups(tx dataservices.DataStoreTx, newEdgeGroups []po
 	}
 
 	removeEdgeGroups := environmentEdgeGroupsSet.Difference(newEdgeGroupsSet)
-	err = updateSet(removeEdgeGroups, func(edgeGroup *portainer.EdgeGroup) {
-		edgeGroup.Endpoints = slices.DeleteFunc(edgeGroup.Endpoints, func(eID portainer.EndpointID) bool {
-			return eID == environmentID
-		})
-	})
-	if err != nil {
+	if err := updateSet(removeEdgeGroups, func(edgeGroup *portainer.EdgeGroup) {
+		edgeGroup.EndpointIDs.Remove(environmentID)
+	}); err != nil {
 		return false, err
 	}
 
 	addToEdgeGroups := newEdgeGroupsSet.Difference(environmentEdgeGroupsSet)
-	err = updateSet(addToEdgeGroups, func(edgeGroup *portainer.EdgeGroup) {
-		edgeGroup.Endpoints = append(edgeGroup.Endpoints, environmentID)
-	})
-	if err != nil {
+	if err := updateSet(addToEdgeGroups, func(edgeGroup *portainer.EdgeGroup) {
+		edgeGroup.EndpointIDs.Add(environmentID)
+	}); err != nil {
 		return false, err
 	}
 

api/http/handler/endpoints/utils_update_edge_groups_test.go

@@ -6,6 +6,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/datastore"
+
 	"github.com/stretchr/testify/assert"
 )
 
@@ -14,10 +15,9 @@ func Test_updateEdgeGroups(t *testing.T) {
 		groups := make([]portainer.EdgeGroup, len(names))
 		for index, name := range names {
 			group := &portainer.EdgeGroup{
-				Name:      name,
-				Dynamic:   false,
-				TagIDs:    make([]portainer.TagID, 0),
-				Endpoints: make([]portainer.EndpointID, 0),
+				Name:    name,
+				Dynamic: false,
+				TagIDs:  make([]portainer.TagID, 0),
 			}
 
 			if err := store.EdgeGroup().Create(group); err != nil {
@@ -35,13 +35,8 @@ func Test_updateEdgeGroups(t *testing.T) {
 			group, err := store.EdgeGroup().Read(groupID)
 			is.NoError(err)
 
-			for _, endpoint := range group.Endpoints {
-				if endpoint == endpointID {
-					return
-				}
-			}
-
-			is.Fail("expected endpoint to be in group")
+			is.True(group.EndpointIDs.Contains(endpointID),
+				"expected endpoint to be in group")
 		}
 	}
 
@@ -81,7 +76,7 @@ func Test_updateEdgeGroups(t *testing.T) {
 
 		endpointGroups := groupsByName(groups, testCase.endpointGroupNames)
 		for _, group := range endpointGroups {
-			group.Endpoints = append(group.Endpoints, testCase.endpoint.ID)
+			group.EndpointIDs.Add(testCase.endpoint.ID)
 
 			err = store.EdgeGroup().Update(group.ID, &group)
 			is.NoError(err)

api/http/handler/endpoints/utils_update_tags_test.go

@@ -10,7 +10,6 @@ import (
 )
 
 func Test_updateTags(t *testing.T) {
-
 	createTags := func(store *datastore.Store, tagNames []string) ([]portainer.Tag, error) {
 		tags := make([]portainer.Tag, len(tagNames))
 		for index, tagName := range tagNames {

api/http/handler/file/handler.go

@@ -17,12 +17,12 @@ type Handler struct {
 }
 
 // NewHandler creates a handler to serve static files.
-func NewHandler(assetPublicPath string, wasInstanceDisabled func() bool) *Handler {
+func NewHandler(assetPublicPath string, csp bool, wasInstanceDisabled func() bool) *Handler {
 	h := &Handler{
 		Handler: security.MWSecureHeaders(
 			gzhttp.GzipHandler(http.FileServer(http.Dir(assetPublicPath))),
 			featureflags.IsEnabled("hsts"),
-			featureflags.IsEnabled("csp"),
+			csp,
 		),
 		wasInstanceDisabled: wasInstanceDisabled,
 	}
@@ -36,6 +36,7 @@ func isHTML(acceptContent []string) bool {
 			return true
 		}
 	}
+
 	return false
 }
 
@@ -43,11 +44,13 @@ func (handler *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if handler.wasInstanceDisabled() {
 		if r.RequestURI == "/" || r.RequestURI == "/index.html" {
 			http.Redirect(w, r, "/timeout.html", http.StatusTemporaryRedirect)
+
 			return
 		}
 	} else {
 		if strings.HasPrefix(r.RequestURI, "/timeout.html") {
 			http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
+
 			return
 		}
 	}

api/http/handler/gitops/git_repo_file_preview.go

@@ -17,10 +17,11 @@ type fileResponse struct {
 }
 
 type repositoryFilePreviewPayload struct {
-	Repository string `json:"repository" example:"https://github.com/openfaas/faas" validate:"required"`
-	Reference  string `json:"reference" example:"refs/heads/master"`
-	Username   string `json:"username" example:"myGitUsername"`
-	Password   string `json:"password" example:"myGitPassword"`
+	Repository        string                         `json:"repository" example:"https://github.com/openfaas/faas" validate:"required"`
+	Reference         string                         `json:"reference" example:"refs/heads/master"`
+	Username          string                         `json:"username" example:"myGitUsername"`
+	Password          string                         `json:"password" example:"myGitPassword"`
+	AuthorizationType gittypes.GitCredentialAuthType `json:"authorizationType"`
 	// Path to file whose content will be read
 	TargetFile string `json:"targetFile" example:"docker-compose.yml"`
 	// TLSSkipVerify skips SSL verification when cloning the Git repository
@@ -68,7 +69,15 @@ func (handler *Handler) gitOperationRepoFilePreview(w http.ResponseWriter, r *ht
 		return httperror.InternalServerError("Unable to create temporary folder", err)
 	}
 
-	err = handler.gitService.CloneRepository(projectPath, payload.Repository, payload.Reference, payload.Username, payload.Password, payload.TLSSkipVerify)
+	err = handler.gitService.CloneRepository(
+		projectPath,
+		payload.Repository,
+		payload.Reference,
+		payload.Username,
+		payload.Password,
+		payload.AuthorizationType,
+		payload.TLSSkipVerify,
+	)
 	if err != nil {
 		if errors.Is(err, gittypes.ErrAuthenticationFailure) {
 			return httperror.BadRequest("Invalid git credential", err)

api/http/handler/handler.go

@@ -81,7 +81,7 @@ type Handler struct {
 }
 
 // @title PortainerCE API
-// @version 2.31.0
+// @version 2.32.0
 // @description.markdown api-description.md
 // @termsOfService
 

api/http/handler/helm/helm_install.go

@@ -46,18 +46,24 @@ var errChartNameInvalid = errors.New("invalid chart name. " +
 // @produce json
 // @param id path int true "Environment(Endpoint) identifier"
 // @param payload body installChartPayload true "Chart details"
+// @param dryRun query bool false "Dry run"
 // @success 201 {object} release.Release "Created"
 // @failure 401 "Unauthorized"
 // @failure 404 "Environment(Endpoint) or ServiceAccount not found"
 // @failure 500 "Server error"
 // @router /endpoints/{id}/kubernetes/helm [post]
 func (handler *Handler) helmInstall(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	dryRun, err := request.RetrieveBooleanQueryParameter(r, "dryRun", true)
+	if err != nil {
+		return httperror.BadRequest("Invalid dryRun query parameter", err)
+	}
+
 	var payload installChartPayload
 	if err := request.DecodeAndValidateJSONPayload(r, &payload); err != nil {
 		return httperror.BadRequest("Invalid Helm install payload", err)
 	}
 
-	release, err := handler.installChart(r, payload)
+	release, err := handler.installChart(r, payload, dryRun)
 	if err != nil {
 		return httperror.InternalServerError("Unable to install a chart", err)
 	}
@@ -94,7 +100,7 @@ func (p *installChartPayload) Validate(_ *http.Request) error {
 	return nil
 }
 
-func (handler *Handler) installChart(r *http.Request, p installChartPayload) (*release.Release, error) {
+func (handler *Handler) installChart(r *http.Request, p installChartPayload, dryRun bool) (*release.Release, error) {
 	clusterAccess, httperr := handler.getHelmClusterAccess(r)
 	if httperr != nil {
 		return nil, httperr.Err
@@ -107,6 +113,7 @@ func (handler *Handler) installChart(r *http.Request, p installChartPayload) (*r
 		Namespace:               p.Namespace,
 		Repo:                    p.Repo,
 		Atomic:                  p.Atomic,
+		DryRun:                  dryRun,
 		KubernetesClusterAccess: clusterAccess,
 	}
 
@@ -134,13 +141,14 @@ func (handler *Handler) installChart(r *http.Request, p installChartPayload) (*r
 		return nil, err
 	}
 
-	manifest, err := handler.applyPortainerLabelsToHelmAppManifest(r, installOpts, release.Manifest)
-	if err != nil {
-		return nil, err
-	}
-
-	if err := handler.updateHelmAppManifest(r, manifest, installOpts.Namespace); err != nil {
-		return nil, err
+	if !installOpts.DryRun {
+		manifest, err := handler.applyPortainerLabelsToHelmAppManifest(r, installOpts, release.Manifest)
+		if err != nil {
+			return nil, err
+		}
+		if err := handler.updateHelmAppManifest(r, manifest, installOpts.Namespace); err != nil {
+			return nil, err
+		}
 	}
 
 	return release, nil

api/http/handler/kubernetes/client.go

@@ -2,8 +2,10 @@ package kubernetes
 
 import (
 	"net/http"
+	"strconv"
 
 	"github.com/portainer/portainer/api/http/middlewares"
+	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/kubernetes/cli"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/rs/zerolog/log"
@@ -25,7 +27,13 @@ func (handler *Handler) prepareKubeClient(r *http.Request) (*cli.KubeClient, *ht
 		return nil, httperror.NotFound("Unable to find the Kubernetes endpoint associated to the request.", err)
 	}
 
-	pcli, err := handler.KubernetesClientFactory.GetPrivilegedKubeClient(endpoint)
+	tokenData, err := security.RetrieveTokenData(r)
+	if err != nil {
+		log.Error().Err(err).Str("context", "prepareKubeClient").Msg("Unable to retrieve token data associated to the request.")
+		return nil, httperror.InternalServerError("Unable to retrieve token data associated to the request.", err)
+	}
+
+	pcli, err := handler.KubernetesClientFactory.GetPrivilegedUserKubeClient(endpoint, strconv.Itoa(int(tokenData.ID)))
 	if err != nil {
 		log.Error().Err(err).Str("context", "prepareKubeClient").Msg("Unable to get a privileged Kubernetes client for the user.")
 		return nil, httperror.InternalServerError("Unable to get a privileged Kubernetes client for the user.", err)

api/http/handler/kubernetes/event.go

@@ -20,7 +20,7 @@ import (
 // @param id path int true "Environment identifier"
 // @param namespace path string true "The namespace name the events are associated to"
 // @param resourceId query string false "The resource id of the involved kubernetes object" example:"e5b021b6-4bce-4c06-bd3b-6cca906797aa"
-// @success 200 {object} models.Event[] "Success"
+// @success 200 {object} []kubernetes.K8sEvent "Success"
 // @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
 // @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
 // @failure 403 "Permission denied - the user is authenticated but does not have the necessary permissions to access the requested resource or perform the specified operation. Check your user roles and permissions."
@@ -68,7 +68,7 @@ func (handler *Handler) getKubernetesEventsForNamespace(w http.ResponseWriter, r
 // @produce json
 // @param id path int true "Environment identifier"
 // @param resourceId query string false "The resource id of the involved kubernetes object"  example:"e5b021b6-4bce-4c06-bd3b-6cca906797aa"
-// @success 200 {object} models.Event[] "Success"
+// @success 200 {object} []kubernetes.K8sEvent "Success"
 // @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
 // @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
 // @failure 403 "Permission denied - the user is authenticated but does not have the necessary permissions to access the requested resource or perform the specified operation. Check your user roles and permissions."

api/http/handler/kubernetes/handler.go

@@ -146,7 +146,7 @@ func (h *Handler) getProxyKubeClient(r *http.Request) (portainer.KubeClient, *ht
 		return nil, httperror.Forbidden(fmt.Sprintf("an error occurred during the getProxyKubeClient operation, permission denied to access the environment /api/kubernetes/%d. Error: ", endpointID), err)
 	}
 
-	cli, ok := h.KubernetesClientFactory.GetProxyKubeClient(strconv.Itoa(endpointID), tokenData.Token)
+	cli, ok := h.KubernetesClientFactory.GetProxyKubeClient(strconv.Itoa(endpointID), strconv.Itoa(int(tokenData.ID)))
 	if !ok {
 		return nil, httperror.InternalServerError("an error occurred during the getProxyKubeClient operation,failed to get proxy KubeClient", nil)
 	}
@@ -179,7 +179,7 @@ func (handler *Handler) kubeClientMiddleware(next http.Handler) http.Handler {
 		}
 
 		// Check if we have a kubeclient against this auth token already, otherwise generate a new one
-		_, ok := handler.KubernetesClientFactory.GetProxyKubeClient(strconv.Itoa(endpointID), tokenData.Token)
+		_, ok := handler.KubernetesClientFactory.GetProxyKubeClient(strconv.Itoa(endpointID), strconv.Itoa(int(tokenData.ID)))
 		if ok {
 			next.ServeHTTP(w, r)
 			return
@@ -269,7 +269,7 @@ func (handler *Handler) kubeClientMiddleware(next http.Handler) http.Handler {
 			return
 		}
 
-		handler.KubernetesClientFactory.SetProxyKubeClient(strconv.Itoa(int(endpoint.ID)), tokenData.Token, kubeCli)
+		handler.KubernetesClientFactory.SetProxyKubeClient(strconv.Itoa(int(endpoint.ID)), strconv.Itoa(int(tokenData.ID)), kubeCli)
 		next.ServeHTTP(w, r)
 	})
 }

api/http/handler/kubernetes/namespaces.go

@@ -22,6 +22,7 @@ import (
 // @produce json
 // @param id path int true "Environment identifier"
 // @param withResourceQuota query boolean true "When set to true, include the resource quota information as part of the Namespace information. Default is false"
+// @param withUnhealthyEvents query boolean true "When set to true, include the unhealthy events information as part of the Namespace information. Default is false"
 // @success 200 {array} portainer.K8sNamespaceInfo "Success"
 // @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
 // @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
@@ -36,6 +37,12 @@ func (handler *Handler) getKubernetesNamespaces(w http.ResponseWriter, r *http.R
 		return httperror.BadRequest("an error occurred during the GetKubernetesNamespaces operation, invalid query parameter withResourceQuota. Error: ", err)
 	}
 
+	withUnhealthyEvents, err := request.RetrieveBooleanQueryParameter(r, "withUnhealthyEvents", true)
+	if err != nil {
+		log.Error().Err(err).Str("context", "GetKubernetesNamespaces").Msg("Invalid query parameter withUnhealthyEvents")
+		return httperror.BadRequest("an error occurred during the GetKubernetesNamespaces operation, invalid query parameter withUnhealthyEvents. Error: ", err)
+	}
+
 	cli, httpErr := handler.prepareKubeClient(r)
 	if httpErr != nil {
 		log.Error().Err(httpErr).Str("context", "GetKubernetesNamespaces").Msg("Unable to get a Kubernetes client for the user")
@@ -48,6 +55,14 @@ func (handler *Handler) getKubernetesNamespaces(w http.ResponseWriter, r *http.R
 		return httperror.InternalServerError("an error occurred during the GetKubernetesNamespaces operation, unable to retrieve namespaces from the Kubernetes cluster. Error: ", err)
 	}
 
+	if withUnhealthyEvents {
+		namespaces, err = cli.CombineNamespacesWithUnhealthyEvents(namespaces)
+		if err != nil {
+			log.Error().Err(err).Str("context", "GetKubernetesNamespaces").Msg("Unable to combine namespaces with unhealthy events")
+			return httperror.InternalServerError("an error occurred during the GetKubernetesNamespaces operation, unable to combine namespaces with unhealthy events. Error: ", err)
+		}
+	}
+
 	if withResourceQuota {
 		return cli.CombineNamespacesWithResourceQuotas(namespaces, w)
 	}

api/http/handler/registries/handler.go

@@ -5,10 +5,10 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	httperrors "github.com/portainer/portainer/api/http/errors"
 	"github.com/portainer/portainer/api/http/proxy"
 	"github.com/portainer/portainer/api/http/security"
-	"github.com/portainer/portainer/api/internal/endpointutils"
-	"github.com/portainer/portainer/api/kubernetes"
+	"github.com/portainer/portainer/api/internal/registryutils/access"
 	"github.com/portainer/portainer/api/kubernetes/cli"
 	"github.com/portainer/portainer/api/pendingactions"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
@@ -17,6 +17,7 @@ import (
 	"github.com/gorilla/mux"
 
 	"github.com/pkg/errors"
+	"github.com/rs/zerolog/log"
 )
 
 func hideFields(registry *portainer.Registry, hideAccesses bool) {
@@ -56,17 +57,20 @@ func newHandler(bouncer security.BouncerService) *Handler {
 func (handler *Handler) initRouter(bouncer accessGuard) {
 	adminRouter := handler.NewRoute().Subrouter()
 	adminRouter.Use(bouncer.AdminAccess)
-
-	authenticatedRouter := handler.NewRoute().Subrouter()
-	authenticatedRouter.Use(bouncer.AuthenticatedAccess)
-
 	adminRouter.Handle("/registries", httperror.LoggerHandler(handler.registryList)).Methods(http.MethodGet)
 	adminRouter.Handle("/registries", httperror.LoggerHandler(handler.registryCreate)).Methods(http.MethodPost)
 	adminRouter.Handle("/registries/{id}", httperror.LoggerHandler(handler.registryUpdate)).Methods(http.MethodPut)
 	adminRouter.Handle("/registries/{id}/configure", httperror.LoggerHandler(handler.registryConfigure)).Methods(http.MethodPost)
 	adminRouter.Handle("/registries/{id}", httperror.LoggerHandler(handler.registryDelete)).Methods(http.MethodDelete)
 
-	authenticatedRouter.Handle("/registries/{id}", httperror.LoggerHandler(handler.registryInspect)).Methods(http.MethodGet)
+	// Use registry-specific access bouncer for inspect and repositories endpoints
+	registryAccessRouter := handler.NewRoute().Subrouter()
+	registryAccessRouter.Use(bouncer.AuthenticatedAccess, handler.RegistryAccess)
+	registryAccessRouter.Handle("/registries/{id}", httperror.LoggerHandler(handler.registryInspect)).Methods(http.MethodGet)
+
+	// Keep the gitlab proxy on the regular authenticated router as it doesn't require specific registry access
+	authenticatedRouter := handler.NewRoute().Subrouter()
+	authenticatedRouter.Use(bouncer.AuthenticatedAccess)
 	authenticatedRouter.PathPrefix("/registries/proxies/gitlab").Handler(httperror.LoggerHandler(handler.proxyRequestsToGitlabAPIWithoutRegistry))
 }
 
@@ -88,9 +92,7 @@ func (handler *Handler) registriesHaveSameURLAndCredentials(r1, r2 *portainer.Re
 }
 
 // this function validates that
-//
 // 1. user has the appropriate authorizations to perform the request
-//
 // 2. user has a direct or indirect access to the registry
 func (handler *Handler) userHasRegistryAccess(r *http.Request, registry *portainer.Registry) (hasAccess bool, isAdmin bool, err error) {
 	securityContext, err := security.RetrieveRestrictedRequestContext(r)
@@ -98,11 +100,6 @@ func (handler *Handler) userHasRegistryAccess(r *http.Request, registry *portain
 		return false, false, err
 	}
 
-	user, err := handler.DataStore.User().Read(securityContext.UserID)
-	if err != nil {
-		return false, false, err
-	}
-
 	// Portainer admins always have access to everything
 	if securityContext.IsAdmin {
 		return true, true, nil
@@ -128,47 +125,68 @@ func (handler *Handler) userHasRegistryAccess(r *http.Request, registry *portain
 		return false, false, err
 	}
 
-	memberships, err := handler.DataStore.TeamMembership().TeamMembershipsByUserID(user.ID)
+	// Use the enhanced registry access utility function that includes namespace validation
+	_, err = access.GetAccessibleRegistry(
+		handler.DataStore,
+		handler.K8sClientFactory,
+		securityContext.UserID,
+		endpointId,
+		registry.ID,
+	)
 	if err != nil {
-		return false, false, nil
+		return false, false, nil // No access
 	}
 
-	// validate access for kubernetes namespaces (leverage registry.RegistryAccesses[endpointId].Namespaces)
-	if endpointutils.IsKubernetesEndpoint(endpoint) {
-		kcl, err := handler.K8sClientFactory.GetPrivilegedKubeClient(endpoint)
-		if err != nil {
-			return false, false, errors.Wrap(err, "unable to retrieve kubernetes client to validate registry access")
-		}
-		accessPolicies, err := kcl.GetNamespaceAccessPolicies()
-		if err != nil {
-			return false, false, errors.Wrap(err, "unable to retrieve environment's namespaces policies to validate registry access")
-		}
-
-		authorizedNamespaces := registry.RegistryAccesses[endpointId].Namespaces
-
-		for _, namespace := range authorizedNamespaces {
-			// when the default namespace is authorized to use a registry, all users have the ability to use it
-			// unless the default namespace is restricted: in this case continue to search for other potential accesses authorizations
-			if namespace == kubernetes.DefaultNamespace && !endpoint.Kubernetes.Configuration.RestrictDefaultNamespace {
-				return true, false, nil
-			}
-
-			namespacePolicy := accessPolicies[namespace]
-			if security.AuthorizedAccess(user.ID, memberships, namespacePolicy.UserAccessPolicies, namespacePolicy.TeamAccessPolicies) {
-				return true, false, nil
-			}
-		}
-		return false, false, nil
-	}
-
-	// validate access for docker environments
-	// leverage registry.RegistryAccesses[endpointId].UserAccessPolicies (direct access)
-	// and registry.RegistryAccesses[endpointId].TeamAccessPolicies (indirect access via his teams)
-	if security.AuthorizedRegistryAccess(registry, user, memberships, endpoint.ID) {
-		return true, false, nil
-	}
-
-	// when user has no access via their role, direct grant or indirect grant
-	// then they don't have access to the registry
-	return false, false, nil
+	return true, false, nil
+}
+
+// RegistryAccess defines a security check for registry-specific API endpoints.
+// Authentication is required to access these endpoints.
+// The user must have direct or indirect access to the specific registry being requested.
+// This bouncer validates registry access using the userHasRegistryAccess logic.
+func (handler *Handler) RegistryAccess(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// First ensure the user is authenticated
+		tokenData, err := security.RetrieveTokenData(r)
+		if err != nil {
+			httperror.WriteError(w, http.StatusUnauthorized, "Authentication required", httperrors.ErrUnauthorized)
+			return
+		}
+
+		// Extract registry ID from the route
+		registryID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+		if err != nil {
+			httperror.WriteError(w, http.StatusBadRequest, "Invalid registry identifier route variable", err)
+			return
+		}
+
+		// Get the registry from the database
+		registry, err := handler.DataStore.Registry().Read(portainer.RegistryID(registryID))
+		if handler.DataStore.IsErrObjectNotFound(err) {
+			httperror.WriteError(w, http.StatusNotFound, "Unable to find a registry with the specified identifier inside the database", err)
+			return
+		} else if err != nil {
+			httperror.WriteError(w, http.StatusInternalServerError, "Unable to find a registry with the specified identifier inside the database", err)
+			return
+		}
+
+		// Check if user has access to this registry
+		hasAccess, _, err := handler.userHasRegistryAccess(r, registry)
+		if err != nil {
+			httperror.WriteError(w, http.StatusInternalServerError, "Unable to retrieve info from request context", err)
+			return
+		}
+		if !hasAccess {
+			log.Debug().
+				Int("registry_id", registryID).
+				Str("registry_name", registry.Name).
+				Int("user_id", int(tokenData.ID)).
+				Str("context", "RegistryAccessBouncer").
+				Msg("User access denied to registry")
+			httperror.WriteError(w, http.StatusForbidden, "Access denied to resource", httperrors.ErrResourceAccessDenied)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
 }

api/http/handler/registries/registry_access_test.go

@@ -0,0 +1,89 @@
+package registries
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/testhelpers"
+
+	"github.com/gorilla/mux"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_RegistryAccess_RequiresAuthentication(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, true, true)
+	registry := &portainer.Registry{
+		ID:   1,
+		Name: "test-registry",
+		URL:  "https://registry.test.com",
+	}
+	err := store.Registry().Create(registry)
+	assert.NoError(t, err)
+	handler := &Handler{
+		DataStore: store,
+	}
+	req := httptest.NewRequest(http.MethodGet, "/registries/1", nil)
+	req = mux.SetURLVars(req, map[string]string{"id": "1"})
+	rr := httptest.NewRecorder()
+	testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+	bouncer := handler.RegistryAccess(testHandler)
+	bouncer.ServeHTTP(rr, req)
+	assert.Equal(t, http.StatusUnauthorized, rr.Code)
+}
+
+func Test_RegistryAccess_InvalidRegistryID(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, true, true)
+	user := &portainer.User{ID: 1, Username: "test", Role: portainer.StandardUserRole}
+	err := store.User().Create(user)
+	assert.NoError(t, err)
+
+	handler := &Handler{
+		DataStore: store,
+	}
+	req := httptest.NewRequest(http.MethodGet, "/registries/invalid", nil)
+	req = mux.SetURLVars(req, map[string]string{"id": "invalid"})
+	tokenData := &portainer.TokenData{ID: 1, Role: portainer.StandardUserRole}
+	req = req.WithContext(security.StoreTokenData(req, tokenData))
+
+	rr := httptest.NewRecorder()
+
+	testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+
+	bouncer := handler.RegistryAccess(testHandler)
+	bouncer.ServeHTTP(rr, req)
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+}
+
+func Test_RegistryAccess_RegistryNotFound(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, true, true)
+	user := &portainer.User{ID: 1, Username: "test", Role: portainer.StandardUserRole}
+	err := store.User().Create(user)
+	assert.NoError(t, err)
+
+	handler := &Handler{
+		DataStore:      store,
+		requestBouncer: testhelpers.NewTestRequestBouncer(),
+	}
+	req := httptest.NewRequest(http.MethodGet, "/registries/999", nil)
+	req = mux.SetURLVars(req, map[string]string{"id": "999"})
+	tokenData := &portainer.TokenData{ID: 1, Role: portainer.StandardUserRole}
+	req = req.WithContext(security.StoreTokenData(req, tokenData))
+
+	rr := httptest.NewRecorder()
+
+	testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+
+	bouncer := handler.RegistryAccess(testHandler)
+	bouncer.ServeHTTP(rr, req)
+	assert.Equal(t, http.StatusNotFound, rr.Code)
+}

api/http/handler/registries/registry_inspect.go

@@ -4,10 +4,12 @@ import (
 	"net/http"
 
 	portainer "github.com/portainer/portainer/api"
-	httperrors "github.com/portainer/portainer/api/http/errors"
+	"github.com/portainer/portainer/api/http/security"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
+
+	"github.com/rs/zerolog/log"
 )
 
 // @id RegistryInspect
@@ -31,6 +33,11 @@ func (handler *Handler) registryInspect(w http.ResponseWriter, r *http.Request)
 		return httperror.BadRequest("Invalid registry identifier route variable", err)
 	}
 
+	log.Debug().
+		Int("registry_id", registryID).
+		Str("context", "RegistryInspectHandler").
+		Msg("Starting registry inspection")
+
 	registry, err := handler.DataStore.Registry().Read(portainer.RegistryID(registryID))
 	if handler.DataStore.IsErrObjectNotFound(err) {
 		return httperror.NotFound("Unable to find a registry with the specified identifier inside the database", err)
@@ -38,14 +45,12 @@ func (handler *Handler) registryInspect(w http.ResponseWriter, r *http.Request)
 		return httperror.InternalServerError("Unable to find a registry with the specified identifier inside the database", err)
 	}
 
-	hasAccess, isAdmin, err := handler.userHasRegistryAccess(r, registry)
+	// Check if user is admin to determine if we should hide sensitive fields
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
 	if err != nil {
 		return httperror.InternalServerError("Unable to retrieve info from request context", err)
 	}
-	if !hasAccess {
-		return httperror.Forbidden("Access denied to resource", httperrors.ErrResourceAccessDenied)
-	}
 
-	hideFields(registry, !isAdmin)
+	hideFields(registry, !securityContext.IsAdmin)
 	return response.JSON(w, registry)
 }

api/http/handler/stacks/stack_update_git.go

@@ -19,14 +19,15 @@ import (
 )
 
 type stackGitUpdatePayload struct {
-	AutoUpdate               *portainer.AutoUpdateSettings
-	Env                      []portainer.Pair
-	Prune                    bool
-	RepositoryReferenceName  string
-	RepositoryAuthentication bool
-	RepositoryUsername       string
-	RepositoryPassword       string
-	TLSSkipVerify            bool
+	AutoUpdate                  *portainer.AutoUpdateSettings
+	Env                         []portainer.Pair
+	Prune                       bool
+	RepositoryReferenceName     string
+	RepositoryAuthentication    bool
+	RepositoryUsername          string
+	RepositoryPassword          string
+	RepositoryAuthorizationType gittypes.GitCredentialAuthType
+	TLSSkipVerify               bool
 }
 
 func (payload *stackGitUpdatePayload) Validate(r *http.Request) error {
@@ -151,11 +152,19 @@ func (handler *Handler) stackUpdateGit(w http.ResponseWriter, r *http.Request) *
 		}
 
 		stack.GitConfig.Authentication = &gittypes.GitAuthentication{
-			Username: payload.RepositoryUsername,
-			Password: password,
+			Username:          payload.RepositoryUsername,
+			Password:          password,
+			AuthorizationType: payload.RepositoryAuthorizationType,
 		}
 
-		if _, err := handler.GitService.LatestCommitID(stack.GitConfig.URL, stack.GitConfig.ReferenceName, stack.GitConfig.Authentication.Username, stack.GitConfig.Authentication.Password, stack.GitConfig.TLSSkipVerify); err != nil {
+		if _, err := handler.GitService.LatestCommitID(
+			stack.GitConfig.URL,
+			stack.GitConfig.ReferenceName,
+			stack.GitConfig.Authentication.Username,
+			stack.GitConfig.Authentication.Password,
+			stack.GitConfig.Authentication.AuthorizationType,
+			stack.GitConfig.TLSSkipVerify,
+		); err != nil {
 			return httperror.InternalServerError("Unable to fetch git repository", err)
 		}
 	} else {

api/http/handler/stacks/stack_update_git_redeploy.go

@@ -6,6 +6,7 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/git"
+	gittypes "github.com/portainer/portainer/api/git/types"
 	httperrors "github.com/portainer/portainer/api/http/errors"
 	"github.com/portainer/portainer/api/http/security"
 	k "github.com/portainer/portainer/api/kubernetes"
@@ -19,12 +20,13 @@ import (
 )
 
 type stackGitRedployPayload struct {
-	RepositoryReferenceName  string
-	RepositoryAuthentication bool
-	RepositoryUsername       string
-	RepositoryPassword       string
-	Env                      []portainer.Pair
-	Prune                    bool
+	RepositoryReferenceName     string
+	RepositoryAuthentication    bool
+	RepositoryUsername          string
+	RepositoryPassword          string
+	RepositoryAuthorizationType gittypes.GitCredentialAuthType
+	Env                         []portainer.Pair
+	Prune                       bool
 	// Force a pulling to current image with the original tag though the image is already the latest
 	PullImage bool `example:"false"`
 
@@ -135,13 +137,16 @@ func (handler *Handler) stackGitRedeploy(w http.ResponseWriter, r *http.Request)
 
 	repositoryUsername := ""
 	repositoryPassword := ""
+	repositoryAuthType := gittypes.GitCredentialAuthType_Basic
 	if payload.RepositoryAuthentication {
 		repositoryPassword = payload.RepositoryPassword
+		repositoryAuthType = payload.RepositoryAuthorizationType
 
 		// When the existing stack is using the custom username/password and the password is not updated,
 		// the stack should keep using the saved username/password
 		if repositoryPassword == "" && stack.GitConfig != nil && stack.GitConfig.Authentication != nil {
 			repositoryPassword = stack.GitConfig.Authentication.Password
+			repositoryAuthType = stack.GitConfig.Authentication.AuthorizationType
 		}
 		repositoryUsername = payload.RepositoryUsername
 	}
@@ -152,6 +157,7 @@ func (handler *Handler) stackGitRedeploy(w http.ResponseWriter, r *http.Request)
 		ReferenceName: stack.GitConfig.ReferenceName,
 		Username:      repositoryUsername,
 		Password:      repositoryPassword,
+		AuthType:      repositoryAuthType,
 		TLSSkipVerify: stack.GitConfig.TLSSkipVerify,
 	}
 
@@ -166,7 +172,7 @@ func (handler *Handler) stackGitRedeploy(w http.ResponseWriter, r *http.Request)
 		return err
 	}
 
-	newHash, err := handler.GitService.LatestCommitID(stack.GitConfig.URL, stack.GitConfig.ReferenceName, repositoryUsername, repositoryPassword, stack.GitConfig.TLSSkipVerify)
+	newHash, err := handler.GitService.LatestCommitID(stack.GitConfig.URL, stack.GitConfig.ReferenceName, repositoryUsername, repositoryPassword, repositoryAuthType, stack.GitConfig.TLSSkipVerify)
 	if err != nil {
 		return httperror.InternalServerError("Unable get latest commit id", errors.WithMessagef(err, "failed to fetch latest commit id of the stack %v", stack.ID))
 	}

api/http/handler/stacks/update_kubernetes_stack.go

@@ -27,12 +27,13 @@ type kubernetesFileStackUpdatePayload struct {
 }
 
 type kubernetesGitStackUpdatePayload struct {
-	RepositoryReferenceName  string
-	RepositoryAuthentication bool
-	RepositoryUsername       string
-	RepositoryPassword       string
-	AutoUpdate               *portainer.AutoUpdateSettings
-	TLSSkipVerify            bool
+	RepositoryReferenceName     string
+	RepositoryAuthentication    bool
+	RepositoryUsername          string
+	RepositoryPassword          string
+	RepositoryAuthorizationType gittypes.GitCredentialAuthType
+	AutoUpdate                  *portainer.AutoUpdateSettings
+	TLSSkipVerify               bool
 }
 
 func (payload *kubernetesFileStackUpdatePayload) Validate(r *http.Request) error {
@@ -76,11 +77,19 @@ func (handler *Handler) updateKubernetesStack(r *http.Request, stack *portainer.
 			}
 
 			stack.GitConfig.Authentication = &gittypes.GitAuthentication{
-				Username: payload.RepositoryUsername,
-				Password: password,
+				Username:          payload.RepositoryUsername,
+				Password:          password,
+				AuthorizationType: payload.RepositoryAuthorizationType,
 			}
 
-			if _, err := handler.GitService.LatestCommitID(stack.GitConfig.URL, stack.GitConfig.ReferenceName, stack.GitConfig.Authentication.Username, stack.GitConfig.Authentication.Password, stack.GitConfig.TLSSkipVerify); err != nil {
+			if _, err := handler.GitService.LatestCommitID(
+				stack.GitConfig.URL,
+				stack.GitConfig.ReferenceName,
+				stack.GitConfig.Authentication.Username,
+				stack.GitConfig.Authentication.Password,
+				stack.GitConfig.Authentication.AuthorizationType,
+				stack.GitConfig.TLSSkipVerify,
+			); err != nil {
 				return httperror.InternalServerError("Unable to fetch git repository", err)
 			}
 		}

api/http/handler/tags/tag_delete.go

@@ -8,6 +8,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/internal/edge"
+	"github.com/portainer/portainer/api/internal/endpointutils"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
@@ -58,6 +59,9 @@ func deleteTag(tx dataservices.DataStoreTx, tagID portainer.TagID) error {
 
 	for endpointID := range tag.Endpoints {
 		endpoint, err := tx.Endpoint().Endpoint(endpointID)
+		if tx.IsErrObjectNotFound(err) {
+			continue
+		}
 		if err != nil {
 			return httperror.InternalServerError("Unable to retrieve environment from the database", err)
 		}
@@ -103,15 +107,10 @@ func deleteTag(tx dataservices.DataStoreTx, tagID portainer.TagID) error {
 		return httperror.InternalServerError("Unable to retrieve edge stacks from the database", err)
 	}
 
-	for _, endpoint := range endpoints {
-		if (tag.Endpoints[endpoint.ID] || tag.EndpointGroups[endpoint.GroupID]) && (endpoint.Type == portainer.EdgeAgentOnDockerEnvironment || endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment) {
-			err = updateEndpointRelations(tx, endpoint, edgeGroups, edgeStacks)
-			if err != nil {
-				return httperror.InternalServerError("Unable to update environment relations in the database", err)
-			}
-		}
+	edgeJobs, err := tx.EdgeJob().ReadAll()
+	if err != nil {
+		return httperror.InternalServerError("Unable to retrieve edge job configurations from the database", err)
 	}
-
 	for _, edgeGroup := range edgeGroups {
 		edgeGroup.TagIDs = slices.DeleteFunc(edgeGroup.TagIDs, func(t portainer.TagID) bool {
 			return t == tagID
@@ -123,6 +122,16 @@ func deleteTag(tx dataservices.DataStoreTx, tagID portainer.TagID) error {
 		}
 	}
 
+	for _, endpoint := range endpoints {
+		if (!tag.Endpoints[endpoint.ID] && !tag.EndpointGroups[endpoint.GroupID]) || !endpointutils.IsEdgeEndpoint(&endpoint) {
+			continue
+		}
+
+		if err := updateEndpointRelations(tx, endpoint, edgeGroups, edgeStacks, edgeJobs); err != nil {
+			return httperror.InternalServerError("Unable to update environment relations in the database", err)
+		}
+	}
+
 	err = tx.Tag().Delete(tagID)
 	if err != nil {
 		return httperror.InternalServerError("Unable to remove the tag from the database", err)
@@ -131,19 +140,12 @@ func deleteTag(tx dataservices.DataStoreTx, tagID portainer.TagID) error {
 	return nil
 }
 
-func updateEndpointRelations(tx dataservices.DataStoreTx, endpoint portainer.Endpoint, edgeGroups []portainer.EdgeGroup, edgeStacks []portainer.EdgeStack) error {
+func updateEndpointRelations(tx dataservices.DataStoreTx, endpoint portainer.Endpoint, edgeGroups []portainer.EdgeGroup, edgeStacks []portainer.EdgeStack, edgeJobs []portainer.EdgeJob) error {
 	endpointRelation, err := tx.EndpointRelation().EndpointRelation(endpoint.ID)
-	if err != nil && !tx.IsErrObjectNotFound(err) {
+	if err != nil {
 		return err
 	}
 
-	if endpointRelation == nil {
-		endpointRelation = &portainer.EndpointRelation{
-			EndpointID: endpoint.ID,
-			EdgeStacks: make(map[portainer.EdgeStackID]bool),
-		}
-	}
-
 	endpointGroup, err := tx.EndpointGroup().Read(endpoint.GroupID)
 	if err != nil {
 		return err
@@ -157,5 +159,25 @@ func updateEndpointRelations(tx dataservices.DataStoreTx, endpoint portainer.End
 
 	endpointRelation.EdgeStacks = stacksSet
 
-	return tx.EndpointRelation().UpdateEndpointRelation(endpoint.ID, endpointRelation)
+	if err := tx.EndpointRelation().UpdateEndpointRelation(endpoint.ID, endpointRelation); err != nil {
+		return err
+	}
+
+	for _, edgeJob := range edgeJobs {
+		endpoints, err := edge.GetEndpointsFromEdgeGroups(edgeJob.EdgeGroups, tx)
+		if err != nil {
+			return err
+		}
+		if slices.Contains(endpoints, endpoint.ID) {
+			continue
+		}
+
+		delete(edgeJob.GroupLogsCollection, endpoint.ID)
+
+		if err := tx.EdgeJob().Update(edgeJob.ID, &edgeJob); err != nil {
+			return err
+		}
+	}
+
+	return nil
 }

api/http/handler/tags/tag_delete_test.go

@@ -8,23 +8,20 @@ import (
 	"testing"
 
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+	portainerDsErrors "github.com/portainer/portainer/api/dataservices/errors"
 	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/roar"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestTagDeleteEdgeGroupsConcurrently(t *testing.T) {
 	const tagsCount = 100
 
-	_, store := datastore.MustNewTestStore(t, true, false)
-
-	user := &portainer.User{ID: 2, Username: "admin", Role: portainer.AdministratorRole}
-	if err := store.User().Create(user); err != nil {
-		t.Fatal("could not create admin user:", err)
-	}
-
-	handler := NewHandler(testhelpers.NewTestRequestBouncer())
-	handler.DataStore = store
-
+	handler, store := setUpHandler(t)
 	// Create all the tags and add them to the same edge group
 
 	var tagIDs []portainer.TagID
@@ -84,3 +81,128 @@ func TestTagDeleteEdgeGroupsConcurrently(t *testing.T) {
 		t.Fatal("the edge group is not consistent")
 	}
 }
+
+func TestHandler_tagDelete(t *testing.T) {
+	t.Run("should delete tag and update related endpoints and edge groups", func(t *testing.T) {
+		handler, store := setUpHandler(t)
+
+		tag := &portainer.Tag{
+			ID:             1,
+			Name:           "tag-1",
+			Endpoints:      make(map[portainer.EndpointID]bool),
+			EndpointGroups: make(map[portainer.EndpointGroupID]bool),
+		}
+		require.NoError(t, store.Tag().Create(tag))
+
+		endpointGroup := &portainer.EndpointGroup{
+			ID:     2,
+			Name:   "endpoint-group-1",
+			TagIDs: []portainer.TagID{tag.ID},
+		}
+		require.NoError(t, store.EndpointGroup().Create(endpointGroup))
+
+		endpoint1 := &portainer.Endpoint{
+			ID:      1,
+			Name:    "endpoint-1",
+			GroupID: endpointGroup.ID,
+		}
+		require.NoError(t, store.Endpoint().Create(endpoint1))
+
+		endpoint2 := &portainer.Endpoint{
+			ID:     2,
+			Name:   "endpoint-2",
+			TagIDs: []portainer.TagID{tag.ID},
+		}
+		require.NoError(t, store.Endpoint().Create(endpoint2))
+
+		tag.Endpoints[endpoint2.ID] = true
+		tag.EndpointGroups[endpointGroup.ID] = true
+		require.NoError(t, store.Tag().Update(tag.ID, tag))
+
+		dynamicEdgeGroup := &portainer.EdgeGroup{
+			ID:      1,
+			Name:    "edgegroup-1",
+			TagIDs:  []portainer.TagID{tag.ID},
+			Dynamic: true,
+		}
+		require.NoError(t, store.EdgeGroup().Create(dynamicEdgeGroup))
+
+		staticEdgeGroup := &portainer.EdgeGroup{
+			ID:          2,
+			Name:        "edgegroup-2",
+			EndpointIDs: roar.FromSlice([]portainer.EndpointID{endpoint2.ID}),
+		}
+		require.NoError(t, store.EdgeGroup().Create(staticEdgeGroup))
+
+		req, err := http.NewRequest(http.MethodDelete, "/tags/"+strconv.Itoa(int(tag.ID)), nil)
+		if err != nil {
+			t.Fail()
+
+			return
+		}
+
+		rec := httptest.NewRecorder()
+		handler.ServeHTTP(rec, req)
+
+		require.Equal(t, http.StatusNoContent, rec.Code)
+
+		// Check that the tag is deleted
+		_, err = store.Tag().Read(tag.ID)
+		require.ErrorIs(t, err, portainerDsErrors.ErrObjectNotFound)
+
+		// Check that the endpoints are updated
+		endpoint1, err = store.Endpoint().Endpoint(endpoint1.ID)
+		require.NoError(t, err)
+		assert.Len(t, endpoint1.TagIDs, 0, "endpoint-1 should not have any tags")
+		assert.Equal(t, endpoint1.GroupID, endpointGroup.ID, "endpoint-1 should still belong to the endpoint group")
+
+		endpoint2, err = store.Endpoint().Endpoint(endpoint2.ID)
+		require.NoError(t, err)
+		assert.Len(t, endpoint2.TagIDs, 0, "endpoint-2 should not have any tags")
+
+		// Check that the dynamic edge group is updated
+		dynamicEdgeGroup, err = store.EdgeGroup().Read(dynamicEdgeGroup.ID)
+		require.NoError(t, err)
+		assert.Len(t, dynamicEdgeGroup.TagIDs, 0, "dynamic edge group should not have any tags")
+		assert.Equal(t, 0, dynamicEdgeGroup.EndpointIDs.Len(), "dynamic edge group should not have any endpoints")
+
+		// Check that the static edge group is not updated
+		staticEdgeGroup, err = store.EdgeGroup().Read(staticEdgeGroup.ID)
+		require.NoError(t, err)
+		assert.Len(t, staticEdgeGroup.TagIDs, 0, "static edge group should not have any tags")
+		assert.Equal(t, 1, staticEdgeGroup.EndpointIDs.Len(), "static edge group should have one endpoint")
+		assert.True(t, staticEdgeGroup.EndpointIDs.Contains(endpoint2.ID), "static edge group should have the endpoint-2")
+	})
+
+	// Test the tx.IsErrObjectNotFound logic when endpoint is not found during cleanup
+	t.Run("should continue gracefully when endpoint not found during cleanup", func(t *testing.T) {
+		_, store := setUpHandler(t)
+		// Create a tag with a reference to a non-existent endpoint
+		tag := &portainer.Tag{
+			ID:             1,
+			Name:           "test-tag",
+			Endpoints:      map[portainer.EndpointID]bool{999: true}, // Non-existent endpoint
+			EndpointGroups: make(map[portainer.EndpointGroupID]bool),
+		}
+
+		err := store.Tag().Create(tag)
+		require.NoError(t, err)
+
+		err = deleteTag(store, 1)
+		require.NoError(t, err)
+	})
+}
+
+func setUpHandler(t *testing.T) (*Handler, dataservices.DataStore) {
+	_, store := datastore.MustNewTestStore(t, true, false)
+
+	user := &portainer.User{ID: 2, Username: "admin", Role: portainer.AdministratorRole}
+	if err := store.User().Create(user); err != nil {
+		t.Fatal("could not create admin user:", err)
+	}
+
+	handler := NewHandler(testhelpers.NewTestRequestBouncer())
+	handler.DataStore = store
+
+	return handler, store
+}

api/http/handler/templates/template_file.go

@@ -5,6 +5,7 @@ import (
 	"slices"
 
 	portainer "github.com/portainer/portainer/api"
+	gittypes "github.com/portainer/portainer/api/git/types"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
@@ -71,7 +72,15 @@ func (handler *Handler) templateFile(w http.ResponseWriter, r *http.Request) *ht
 
 	defer handler.cleanUp(projectPath)
 
-	if err := handler.GitService.CloneRepository(projectPath, template.Repository.URL, "", "", "", false); err != nil {
+	if err := handler.GitService.CloneRepository(
+		projectPath,
+		template.Repository.URL,
+		"",
+		"",
+		"",
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+	); err != nil {
 		return httperror.InternalServerError("Unable to clone git repository", err)
 	}
 

api/http/handler/templates/utils_fetch_templates.go

@@ -40,11 +40,13 @@ func (handler *Handler) fetchTemplates() (*listResponse, *httperror.HandlerError
 	}
 	defer resp.Body.Close()
 
-	err = json.NewDecoder(resp.Body).Decode(&body)
-	if err != nil {
+	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
 		return nil, httperror.InternalServerError("Unable to parse template file", err)
 	}
 
+	for i := range body.Templates {
+		body.Templates[i].ID = portainer.TemplateID(i + 1)
+	}
 	return body, nil
 
 }

api/http/handler/webhooks/webhook_create.go

@@ -80,7 +80,7 @@ func (handler *Handler) webhookCreate(w http.ResponseWriter, r *http.Request) *h
 			return httperror.InternalServerError("Unable to retrieve user authentication token", err)
 		}
 
-		_, err = access.GetAccessibleRegistry(handler.DataStore, tokenData.ID, endpointID, payload.RegistryID)
+		_, err = access.GetAccessibleRegistry(handler.DataStore, nil, tokenData.ID, endpointID, payload.RegistryID)
 		if err != nil {
 			return httperror.Forbidden("Permission deny to access registry", err)
 		}

api/http/handler/webhooks/webhook_update.go

@@ -69,7 +69,7 @@ func (handler *Handler) webhookUpdate(w http.ResponseWriter, r *http.Request) *h
 			return httperror.InternalServerError("Unable to retrieve user authentication token", err)
 		}
 
-		_, err = access.GetAccessibleRegistry(handler.DataStore, tokenData.ID, webhook.EndpointID, payload.RegistryID)
+		_, err = access.GetAccessibleRegistry(handler.DataStore, nil, tokenData.ID, webhook.EndpointID, payload.RegistryID)
 		if err != nil {
 			return httperror.Forbidden("Permission deny to access registry", err)
 		}

api/http/middlewares/endpoint.go

@@ -25,12 +25,12 @@ type key int
 const contextEndpoint key = 0
 
 func WithEndpoint(endpointService dataservices.EndpointService, endpointIDParam string) mux.MiddlewareFunc {
+	if endpointIDParam == "" {
+		endpointIDParam = "id"
+	}
+
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, request *http.Request) {
-			if endpointIDParam == "" {
-				endpointIDParam = "id"
-			}
-
 			endpointID, err := requesthelpers.RetrieveNumericRouteVariableValue(request, endpointIDParam)
 			if err != nil {
 				httperror.WriteError(rw, http.StatusBadRequest, "Invalid environment identifier route variable", err)
@@ -51,7 +51,6 @@ func WithEndpoint(endpointService dataservices.EndpointService, endpointIDParam
 			ctx := context.WithValue(request.Context(), contextEndpoint, endpoint)
 
 			next.ServeHTTP(rw, request.WithContext(ctx))
-
 		})
 	}
 }

api/http/middlewares/plaintext_http_request.go

@@ -3,6 +3,7 @@ package middlewares
 import (
 	"net/http"
 	"slices"
+	"strings"
 
 	"github.com/gorilla/csrf"
 )
@@ -16,6 +17,45 @@ type plainTextHTTPRequestHandler struct {
 	next http.Handler
 }
 
+// parseForwardedHeaderProto parses the Forwarded header and extracts the protocol.
+// The Forwarded header format supports:
+// - Single proxy: Forwarded: by=<identifier>;for=<identifier>;host=<host>;proto=<http|https>
+// - Multiple proxies: Forwarded: for=192.0.2.43, for=198.51.100.17
+// We take the first (leftmost) entry as it represents the original client
+func parseForwardedHeaderProto(forwarded string) string {
+	if forwarded == "" {
+		return ""
+	}
+
+	// Parse the first part (leftmost proxy, closest to original client)
+	firstPart, _, _ := strings.Cut(forwarded, ",")
+	firstPart = strings.TrimSpace(firstPart)
+
+	// Split by semicolon to get key-value pairs within this proxy entry
+	// Format: key=value;key=value;key=value
+	pairs := strings.Split(firstPart, ";")
+	for _, pair := range pairs {
+		// Split by equals sign to separate key and value
+		key, value, found := strings.Cut(pair, "=")
+		if !found {
+			continue
+		}
+
+		if strings.EqualFold(strings.TrimSpace(key), "proto") {
+			return strings.Trim(strings.TrimSpace(value), `"'`)
+		}
+	}
+
+	return ""
+}
+
+// isHTTPSRequest checks if the original request was made over HTTPS
+// by examining both X-Forwarded-Proto and Forwarded headers
+func isHTTPSRequest(r *http.Request) bool {
+	return strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https") ||
+		strings.EqualFold(parseForwardedHeaderProto(r.Header.Get("Forwarded")), "https")
+}
+
 func (h *plainTextHTTPRequestHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if slices.Contains(safeMethods, r.Method) {
 		h.next.ServeHTTP(w, r)
@@ -24,7 +64,7 @@ func (h *plainTextHTTPRequestHandler) ServeHTTP(w http.ResponseWriter, r *http.R
 
 	req := r
 	// If original request was HTTPS (via proxy), keep CSRF checks.
-	if xfproto := r.Header.Get("X-Forwarded-Proto"); xfproto != "https" {
+	if !isHTTPSRequest(r) {
 		req = csrf.PlaintextHTTPRequest(r)
 	}
 

api/http/middlewares/plaintext_http_request_test.go

@@ -0,0 +1,173 @@
+package middlewares
+
+import (
+	"testing"
+)
+
+var tests = []struct {
+	name      string
+	forwarded string
+	expected  string
+}{
+	{
+		name:      "empty header",
+		forwarded: "",
+		expected:  "",
+	},
+	{
+		name:      "single proxy with proto=https",
+		forwarded: "proto=https",
+		expected:  "https",
+	},
+	{
+		name:      "single proxy with proto=http",
+		forwarded: "proto=http",
+		expected:  "http",
+	},
+	{
+		name:      "single proxy with multiple directives",
+		forwarded: "for=192.0.2.60;proto=https;by=203.0.113.43",
+		expected:  "https",
+	},
+	{
+		name:      "single proxy with proto in middle",
+		forwarded: "for=192.0.2.60;proto=https;host=example.com",
+		expected:  "https",
+	},
+	{
+		name:      "single proxy with proto at end",
+		forwarded: "for=192.0.2.60;host=example.com;proto=https",
+		expected:  "https",
+	},
+	{
+		name:      "multiple proxies - takes first",
+		forwarded: "proto=https, proto=http",
+		expected:  "https",
+	},
+	{
+		name:      "multiple proxies with complex format",
+		forwarded: "for=192.0.2.43;proto=https, for=198.51.100.17;proto=http",
+		expected:  "https",
+	},
+	{
+		name:      "multiple proxies with for directive only",
+		forwarded: "for=192.0.2.43, for=198.51.100.17",
+		expected:  "",
+	},
+	{
+		name:      "multiple proxies with proto only in second",
+		forwarded: "for=192.0.2.43, proto=https",
+		expected:  "",
+	},
+	{
+		name:      "multiple proxies with proto only in first",
+		forwarded: "proto=https, for=198.51.100.17",
+		expected:  "https",
+	},
+	{
+		name:      "quoted protocol value",
+		forwarded: "proto=\"https\"",
+		expected:  "https",
+	},
+	{
+		name:      "single quoted protocol value",
+		forwarded: "proto='https'",
+		expected:  "https",
+	},
+	{
+		name:      "mixed case protocol",
+		forwarded: "proto=HTTPS",
+		expected:  "HTTPS",
+	},
+	{
+		name:      "no proto directive",
+		forwarded: "for=192.0.2.60;by=203.0.113.43",
+		expected:  "",
+	},
+	{
+		name:      "empty proto value",
+		forwarded: "proto=",
+		expected:  "",
+	},
+	{
+		name:      "whitespace around values",
+		forwarded: " proto = https ",
+		expected:  "https",
+	},
+	{
+		name:      "whitespace around semicolons",
+		forwarded: "for=192.0.2.60 ; proto=https ; by=203.0.113.43",
+		expected:  "https",
+	},
+	{
+		name:      "whitespace around commas",
+		forwarded: "proto=https , proto=http",
+		expected:  "https",
+	},
+	{
+		name:      "IPv6 address in for directive",
+		forwarded: "for=\"[2001:db8:cafe::17]:4711\";proto=https",
+		expected:  "https",
+	},
+	{
+		name:      "complex multiple proxies with IPv6",
+		forwarded: "for=192.0.2.43;proto=https, for=\"[2001:db8:cafe::17]\";proto=http",
+		expected:  "https",
+	},
+	{
+		name:      "obfuscated identifiers",
+		forwarded: "for=_mdn;proto=https",
+		expected:  "https",
+	},
+	{
+		name:      "unknown identifier",
+		forwarded: "for=unknown;proto=https",
+		expected:  "https",
+	},
+	{
+		name:      "malformed key-value pair",
+		forwarded: "proto",
+		expected:  "",
+	},
+	{
+		name:      "malformed key-value pair with equals",
+		forwarded: "proto=",
+		expected:  "",
+	},
+	{
+		name:      "multiple equals signs",
+		forwarded: "proto=https=extra",
+		expected:  "https=extra",
+	},
+	{
+		name:      "mixed case directive name",
+		forwarded: "PROTO=https",
+		expected:  "https",
+	},
+	{
+		name:      "mixed case directive name with spaces",
+		forwarded: " Proto = https ",
+		expected:  "https",
+	},
+}
+
+func TestParseForwardedHeaderProto(t *testing.T) {
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := parseForwardedHeaderProto(tt.forwarded)
+			if result != tt.expected {
+				t.Errorf("parseForwardedHeader(%q) = %q, want %q", tt.forwarded, result, tt.expected)
+			}
+		})
+	}
+}
+
+func FuzzParseForwardedHeaderProto(f *testing.F) {
+	for _, t := range tests {
+		f.Add(t.forwarded)
+	}
+
+	f.Fuzz(func(t *testing.T, forwarded string) {
+		parseForwardedHeaderProto(forwarded)
+	})
+}

api/http/models/kubernetes/application.go

@@ -38,14 +38,30 @@ type K8sApplication struct {
 	Labels                  map[string]string                      `json:"Labels,omitempty"`
 	Resource                K8sApplicationResource                 `json:"Resource,omitempty"`
 	HorizontalPodAutoscaler *autoscalingv2.HorizontalPodAutoscaler `json:"HorizontalPodAutoscaler,omitempty"`
+	CustomResourceMetadata  CustomResourceMetadata                 `json:"CustomResourceMetadata,omitempty"`
 }
 
 type Metadata struct {
 	Labels map[string]string `json:"labels"`
 }
 
+type CustomResourceMetadata struct {
+	Kind       string `json:"kind"`
+	APIVersion string `json:"apiVersion"`
+	Plural     string `json:"plural"`
+}
+
 type Pod struct {
-	Status string `json:"Status"`
+	Name            string                 `json:"Name"`
+	ContainerName   string                 `json:"ContainerName"`
+	Image           string                 `json:"Image"`
+	ImagePullPolicy string                 `json:"ImagePullPolicy"`
+	Status          string                 `json:"Status"`
+	NodeName        string                 `json:"NodeName"`
+	PodIP           string                 `json:"PodIP"`
+	UID             string                 `json:"Uid"`
+	Resource        K8sApplicationResource `json:"Resource,omitempty"`
+	CreationDate    time.Time              `json:"CreationDate"`
 }
 
 type Configuration struct {
@@ -72,8 +88,8 @@ type TLSInfo struct {
 
 // Existing types
 type K8sApplicationResource struct {
-	CPURequest    float64 `json:"CpuRequest"`
-	CPULimit      float64 `json:"CpuLimit"`
-	MemoryRequest int64   `json:"MemoryRequest"`
-	MemoryLimit   int64   `json:"MemoryLimit"`
+	CPURequest    float64 `json:"CpuRequest,omitempty"`
+	CPULimit      float64 `json:"CpuLimit,omitempty"`
+	MemoryRequest int64   `json:"MemoryRequest,omitempty"`
+	MemoryLimit   int64   `json:"MemoryLimit,omitempty"`
 }

api/http/proxy/factory/docker/access_control.go

@@ -35,7 +35,7 @@ type (
 func getUniqueElements(items string) []string {
 	xs := strings.Split(items, ",")
 	xs = slicesx.Map(xs, strings.TrimSpace)
-	xs = slicesx.Filter(xs, func(x string) bool { return len(x) > 0 })
+	xs = slicesx.FilterInPlace(xs, func(x string) bool { return len(x) > 0 })
 
 	return slicesx.Unique(xs)
 }

api/http/proxy/factory/docker/registry.go

@@ -55,12 +55,13 @@ func createRegistryAuthenticationHeader(
 		return
 	}
 
-	if err = registryutils.EnsureRegTokenValid(dataStore, matchingRegistry); err != nil {
+	if err = registryutils.PrepareRegistryCredentials(dataStore, matchingRegistry); err != nil {
 		return
 	}
 
 	authenticationHeader.Serveraddress = matchingRegistry.URL
-	authenticationHeader.Username, authenticationHeader.Password, err = registryutils.GetRegEffectiveCredential(matchingRegistry)
+	authenticationHeader.Username = matchingRegistry.Username
+	authenticationHeader.Password = matchingRegistry.Password
 
 	return
 }

api/http/proxy/factory/docker/transport.go

@@ -15,6 +15,7 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	gittypes "github.com/portainer/portainer/api/git/types"
 	"github.com/portainer/portainer/api/http/proxy/factory/utils"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
@@ -418,7 +419,14 @@ func (transport *Transport) updateDefaultGitBranch(request *http.Request) error
 	}
 
 	repositoryURL := remote[:len(remote)-4]
-	latestCommitID, err := transport.gitService.LatestCommitID(repositoryURL, "", "", "", false)
+	latestCommitID, err := transport.gitService.LatestCommitID(
+		repositoryURL,
+		"",
+		"",
+		"",
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+	)
 	if err != nil {
 		return err
 	}

api/http/proxy/factory/factory.go

@@ -24,11 +24,12 @@ type (
 		kubernetesTokenCacheManager *kubernetes.TokenCacheManager
 		gitService                  portainer.GitService
 		snapshotService             portainer.SnapshotService
+		jwtService                  portainer.JWTService
 	}
 )
 
 // NewProxyFactory returns a pointer to a new instance of a ProxyFactory
-func NewProxyFactory(dataStore dataservices.DataStore, signatureService portainer.DigitalSignatureService, tunnelService portainer.ReverseTunnelService, clientFactory *dockerclient.ClientFactory, kubernetesClientFactory *cli.ClientFactory, kubernetesTokenCacheManager *kubernetes.TokenCacheManager, gitService portainer.GitService, snapshotService portainer.SnapshotService) *ProxyFactory {
+func NewProxyFactory(dataStore dataservices.DataStore, signatureService portainer.DigitalSignatureService, tunnelService portainer.ReverseTunnelService, clientFactory *dockerclient.ClientFactory, kubernetesClientFactory *cli.ClientFactory, kubernetesTokenCacheManager *kubernetes.TokenCacheManager, gitService portainer.GitService, snapshotService portainer.SnapshotService, jwtService portainer.JWTService) *ProxyFactory {
 	return &ProxyFactory{
 		dataStore:                   dataStore,
 		signatureService:            signatureService,
@@ -38,6 +39,7 @@ func NewProxyFactory(dataStore dataservices.DataStore, signatureService portaine
 		kubernetesTokenCacheManager: kubernetesTokenCacheManager,
 		gitService:                  gitService,
 		snapshotService:             snapshotService,
+		jwtService:                  jwtService,
 	}
 }
 

api/http/proxy/factory/github/client.go

@@ -0,0 +1,108 @@
+package github
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/segmentio/encoding/json"
+	"oras.land/oras-go/v2/registry/remote/retry"
+)
+
+const GitHubAPIHost = "https://api.github.com"
+
+// Package represents a GitHub container package
+type Package struct {
+	Name  string `json:"name"`
+	Owner struct {
+		Login string `json:"login"`
+	} `json:"owner"`
+}
+
+// Client represents a GitHub API client
+type Client struct {
+	httpClient *http.Client
+	baseURL    string
+}
+
+// NewClient creates a new GitHub API client
+func NewClient(token string) *Client {
+	return &Client{
+		httpClient: NewHTTPClient(token),
+		baseURL:    GitHubAPIHost,
+	}
+}
+
+// GetContainerPackages fetches container packages for the configured namespace
+// It's a small http client wrapper instead of using the github client because listing repositories is the only known operation that isn't directly supported by oras
+func (c *Client) GetContainerPackages(ctx context.Context, useOrganisation bool, organisationName string) ([]string, error) {
+	// Determine the namespace (user or organisation) for the request
+	namespace := "user"
+	if useOrganisation {
+		namespace = "orgs/" + organisationName
+	}
+
+	// Build the full URL for listing container packages
+	url := fmt.Sprintf("%s/%s/packages?package_type=container", c.baseURL, namespace)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %w", err)
+	}
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("GitHub API returned status %d: %s", resp.StatusCode, resp.Status)
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response body: %w", err)
+	}
+
+	var packages []Package
+	if err := json.Unmarshal(body, &packages); err != nil {
+		return nil, fmt.Errorf("failed to parse response: %w", err)
+	}
+
+	// Extract repository names in the form "owner/name"
+	repositories := make([]string, len(packages))
+	for i, pkg := range packages {
+		repositories[i] = fmt.Sprintf("%s/%s", strings.ToLower(pkg.Owner.Login), strings.ToLower(pkg.Name))
+	}
+
+	return repositories, nil
+}
+
+// NewHTTPClient creates a new HTTP client configured for GitHub API requests
+func NewHTTPClient(token string) *http.Client {
+	return &http.Client{
+		Transport: &tokenTransport{
+			token:     token,
+			transport: retry.NewTransport(&http.Transport{}), // Use ORAS retry transport for consistent rate limiting and error handling
+		},
+		Timeout: 1 * time.Minute,
+	}
+}
+
+// tokenTransport automatically adds the Bearer token header to requests
+type tokenTransport struct {
+	token     string
+	transport http.RoundTripper
+}
+
+func (t *tokenTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	if t.token != "" {
+		req.Header.Set("Authorization", "Bearer "+t.token)
+		req.Header.Set("Accept", "application/vnd.github+json")
+	}
+	return t.transport.RoundTrip(req)
+}

api/http/proxy/factory/gitlab/client.go

@@ -0,0 +1,130 @@
+package gitlab
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"time"
+
+	"github.com/segmentio/encoding/json"
+	"oras.land/oras-go/v2/registry/remote/retry"
+)
+
+// Repository represents a GitLab registry repository
+type Repository struct {
+	ID        int    `json:"id"`
+	Name      string `json:"name"`
+	Path      string `json:"path"`
+	ProjectID int    `json:"project_id"`
+	Location  string `json:"location"`
+	CreatedAt string `json:"created_at"`
+	Status    string `json:"status"`
+}
+
+// Client represents a GitLab API client
+type Client struct {
+	httpClient *http.Client
+	baseURL    string
+}
+
+// NewClient creates a new GitLab API client
+// it currently is an http client because only GetRegistryRepositoryNames is needed (oras supports other commands).
+// if we need to support other commands, consider using the gitlab client library.
+func NewClient(baseURL, token string) *Client {
+	return &Client{
+		httpClient: NewHTTPClient(token),
+		baseURL:    baseURL,
+	}
+}
+
+// GetRegistryRepositoryNames fetches registry repository names for a given project.
+// It's a small http client wrapper instead of using the gitlab client library because listing repositories is the only known operation that isn't directly supported by oras
+func (c *Client) GetRegistryRepositoryNames(ctx context.Context, projectID int) ([]string, error) {
+	url := fmt.Sprintf("%s/api/v4/projects/%d/registry/repositories", c.baseURL, projectID)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %w", err)
+	}
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("GitLab API returned status %d: %s", resp.StatusCode, resp.Status)
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response body: %w", err)
+	}
+
+	var repositories []Repository
+	if err := json.Unmarshal(body, &repositories); err != nil {
+		return nil, fmt.Errorf("failed to parse response: %w", err)
+	}
+
+	// Extract repository names
+	names := make([]string, len(repositories))
+	for i, repo := range repositories {
+		// the full path is required for further repo operations
+		names[i] = repo.Path
+	}
+
+	return names, nil
+}
+
+type Transport struct {
+	httpTransport *http.Transport
+}
+
+// NewTransport returns a pointer to a new instance of Transport that implements the HTTP Transport
+// interface for proxying requests to the Gitlab API.
+func NewTransport() *Transport {
+	return &Transport{
+		httpTransport: &http.Transport{},
+	}
+}
+
+// RoundTrip is the implementation of the http.RoundTripper interface
+func (transport *Transport) RoundTrip(request *http.Request) (*http.Response, error) {
+	token := request.Header.Get("Private-Token")
+	if token == "" {
+		return nil, errors.New("no gitlab token provided")
+	}
+
+	r, err := http.NewRequest(request.Method, request.URL.String(), request.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	r.Header.Set("Private-Token", token)
+	return transport.httpTransport.RoundTrip(r)
+}
+
+// NewHTTPClient creates a new HTTP client configured for GitLab API requests
+func NewHTTPClient(token string) *http.Client {
+	return &http.Client{
+		Transport: &tokenTransport{
+			token:     token,
+			transport: retry.NewTransport(&http.Transport{}), // Use ORAS retry transport for consistent rate limiting and error handling
+		},
+		Timeout: 1 * time.Minute,
+	}
+}
+
+// tokenTransport automatically adds the Private-Token header to requests
+type tokenTransport struct {
+	token     string
+	transport http.RoundTripper
+}
+
+func (t *tokenTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	req.Header.Set("Private-Token", t.token)
+	return t.transport.RoundTrip(req)
+}

api/http/proxy/factory/gitlab/transport.go

@@ -1,34 +0,0 @@
-package gitlab
-
-import (
-	"errors"
-	"net/http"
-)
-
-type Transport struct {
-	httpTransport *http.Transport
-}
-
-// NewTransport returns a pointer to a new instance of Transport that implements the HTTP Transport
-// interface for proxying requests to the Gitlab API.
-func NewTransport() *Transport {
-	return &Transport{
-		httpTransport: &http.Transport{},
-	}
-}
-
-// RoundTrip is the implementation of the http.RoundTripper interface
-func (transport *Transport) RoundTrip(request *http.Request) (*http.Response, error) {
-	token := request.Header.Get("Private-Token")
-	if token == "" {
-		return nil, errors.New("no gitlab token provided")
-	}
-
-	r, err := http.NewRequest(request.Method, request.URL.String(), request.Body)
-	if err != nil {
-		return nil, err
-	}
-
-	r.Header.Set("Private-Token", token)
-	return transport.httpTransport.RoundTrip(r)
-}

api/http/proxy/factory/kubernetes.go

@@ -38,7 +38,7 @@ func (factory *ProxyFactory) newKubernetesLocalProxy(endpoint *portainer.Endpoin
 		return nil, err
 	}
 
-	transport, err := kubernetes.NewLocalTransport(tokenManager, endpoint, factory.kubernetesClientFactory, factory.dataStore)
+	transport, err := kubernetes.NewLocalTransport(tokenManager, endpoint, factory.kubernetesClientFactory, factory.dataStore, factory.jwtService)
 	if err != nil {
 		return nil, err
 	}
@@ -74,7 +74,7 @@ func (factory *ProxyFactory) newKubernetesEdgeHTTPProxy(endpoint *portainer.Endp
 
 	endpointURL.Scheme = "http"
 	proxy := NewSingleHostReverseProxyWithHostHeader(endpointURL)
-	proxy.Transport = kubernetes.NewEdgeTransport(factory.dataStore, factory.signatureService, factory.reverseTunnelService, endpoint, tokenManager, factory.kubernetesClientFactory)
+	proxy.Transport = kubernetes.NewEdgeTransport(factory.dataStore, factory.signatureService, factory.reverseTunnelService, endpoint, tokenManager, factory.kubernetesClientFactory, factory.jwtService)
 
 	return proxy, nil
 }
@@ -105,7 +105,7 @@ func (factory *ProxyFactory) newKubernetesAgentHTTPSProxy(endpoint *portainer.En
 	}
 
 	proxy := NewSingleHostReverseProxyWithHostHeader(remoteURL)
-	proxy.Transport = kubernetes.NewAgentTransport(factory.signatureService, tlsConfig, tokenManager, endpoint, factory.kubernetesClientFactory, factory.dataStore)
+	proxy.Transport = kubernetes.NewAgentTransport(factory.signatureService, tlsConfig, tokenManager, endpoint, factory.kubernetesClientFactory, factory.dataStore, factory.jwtService)
 
 	return proxy, nil
 }

api/http/proxy/factory/kubernetes/agent_transport.go

@@ -16,7 +16,7 @@ type agentTransport struct {
 }
 
 // NewAgentTransport returns a new transport that can be used to send signed requests to a Portainer agent
-func NewAgentTransport(signatureService portainer.DigitalSignatureService, tlsConfig *tls.Config, tokenManager *tokenManager, endpoint *portainer.Endpoint, k8sClientFactory *cli.ClientFactory, dataStore dataservices.DataStore) *agentTransport {
+func NewAgentTransport(signatureService portainer.DigitalSignatureService, tlsConfig *tls.Config, tokenManager *tokenManager, endpoint *portainer.Endpoint, k8sClientFactory *cli.ClientFactory, dataStore dataservices.DataStore, jwtService portainer.JWTService) *agentTransport {
 	transport := &agentTransport{
 		baseTransport: newBaseTransport(
 			&http.Transport{
@@ -26,6 +26,7 @@ func NewAgentTransport(signatureService portainer.DigitalSignatureService, tlsCo
 			endpoint,
 			k8sClientFactory,
 			dataStore,
+			jwtService,
 		),
 		signatureService: signatureService,
 	}

api/http/proxy/factory/kubernetes/edge_transport.go

@@ -16,7 +16,7 @@ type edgeTransport struct {
 }
 
 // NewAgentTransport returns a new transport that can be used to send signed requests to a Portainer Edge agent
-func NewEdgeTransport(dataStore dataservices.DataStore, signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService, endpoint *portainer.Endpoint, tokenManager *tokenManager, k8sClientFactory *cli.ClientFactory) *edgeTransport {
+func NewEdgeTransport(dataStore dataservices.DataStore, signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService, endpoint *portainer.Endpoint, tokenManager *tokenManager, k8sClientFactory *cli.ClientFactory, jwtService portainer.JWTService) *edgeTransport {
 	transport := &edgeTransport{
 		reverseTunnelService: reverseTunnelService,
 		signatureService:     signatureService,
@@ -26,6 +26,7 @@ func NewEdgeTransport(dataStore dataservices.DataStore, signatureService portain
 			endpoint,
 			k8sClientFactory,
 			dataStore,
+			jwtService,
 		),
 	}
 

api/http/proxy/factory/kubernetes/local_transport.go

@@ -14,7 +14,7 @@ type localTransport struct {
 }
 
 // NewLocalTransport returns a new transport that can be used to send requests to the local Kubernetes API
-func NewLocalTransport(tokenManager *tokenManager, endpoint *portainer.Endpoint, k8sClientFactory *cli.ClientFactory, dataStore dataservices.DataStore) (*localTransport, error) {
+func NewLocalTransport(tokenManager *tokenManager, endpoint *portainer.Endpoint, k8sClientFactory *cli.ClientFactory, dataStore dataservices.DataStore, jwtService portainer.JWTService) (*localTransport, error) {
 	config, err := crypto.CreateTLSConfigurationFromBytes(nil, nil, nil, true, true)
 	if err != nil {
 		return nil, err
@@ -29,6 +29,7 @@ func NewLocalTransport(tokenManager *tokenManager, endpoint *portainer.Endpoint,
 			endpoint,
 			k8sClientFactory,
 			dataStore,
+			jwtService,
 		),
 	}
 

api/http/proxy/factory/kubernetes/pods.go

@@ -2,12 +2,18 @@ package kubernetes
 
 import (
 	"net/http"
+	"strings"
 )
 
-func (transport *baseTransport) proxyPodsRequest(request *http.Request, namespace, requestPath string) (*http.Response, error) {
+func (transport *baseTransport) proxyPodsRequest(request *http.Request, namespace string) (*http.Response, error) {
 	if request.Method == http.MethodDelete {
 		transport.refreshRegistry(request, namespace)
 	}
 
+	if request.Method == http.MethodPost && strings.Contains(request.URL.Path, "/exec") {
+		if err := transport.addTokenForExec(request); err != nil {
+			return nil, err
+		}
+	}
 	return transport.executeKubernetesRequest(request)
 }

api/http/proxy/factory/kubernetes/transport.go

@@ -26,15 +26,17 @@ type baseTransport struct {
 	endpoint         *portainer.Endpoint
 	k8sClientFactory *cli.ClientFactory
 	dataStore        dataservices.DataStore
+	jwtService       portainer.JWTService
 }
 
-func newBaseTransport(httpTransport *http.Transport, tokenManager *tokenManager, endpoint *portainer.Endpoint, k8sClientFactory *cli.ClientFactory, dataStore dataservices.DataStore) *baseTransport {
+func newBaseTransport(httpTransport *http.Transport, tokenManager *tokenManager, endpoint *portainer.Endpoint, k8sClientFactory *cli.ClientFactory, dataStore dataservices.DataStore, jwtService portainer.JWTService) *baseTransport {
 	return &baseTransport{
 		httpTransport:    httpTransport,
 		tokenManager:     tokenManager,
 		endpoint:         endpoint,
 		k8sClientFactory: k8sClientFactory,
 		dataStore:        dataStore,
+		jwtService:       jwtService,
 	}
 }
 
@@ -58,6 +60,7 @@ func (transport *baseTransport) proxyKubernetesRequest(request *http.Request) (*
 
 	switch {
 	case strings.EqualFold(requestPath, "/namespaces/portainer/configmaps/portainer-config") && (request.Method == "PUT" || request.Method == "POST"):
+		transport.k8sClientFactory.ClearClientCache()
 		defer transport.tokenManager.UpdateUserServiceAccountsForEndpoint(portainer.EndpointID(endpointID))
 		return transport.executeKubernetesRequest(request)
 	case strings.EqualFold(requestPath, "/namespaces"):
@@ -81,7 +84,7 @@ func (transport *baseTransport) proxyNamespacedRequest(request *http.Request, fu
 
 	switch {
 	case strings.HasPrefix(requestPath, "pods"):
-		return transport.proxyPodsRequest(request, namespace, requestPath)
+		return transport.proxyPodsRequest(request, namespace)
 	case strings.HasPrefix(requestPath, "deployments"):
 		return transport.proxyDeploymentsRequest(request, namespace, requestPath)
 	case requestPath == "" && request.Method == "DELETE":
@@ -91,6 +94,23 @@ func (transport *baseTransport) proxyNamespacedRequest(request *http.Request, fu
 	}
 }
 
+// addTokenForExec injects a kubeconfig token into the request header
+// this is only used with kubeconfig for kubectl exec requests
+func (transport *baseTransport) addTokenForExec(request *http.Request) error {
+	tokenData, err := security.RetrieveTokenData(request)
+	if err != nil {
+		return err
+	}
+
+	token, err := transport.jwtService.GenerateTokenForKubeconfig(tokenData)
+	if err != nil {
+		return err
+	}
+
+	request.Header.Set("Authorization", "Bearer "+token)
+	return nil
+}
+
 func (transport *baseTransport) executeKubernetesRequest(request *http.Request) (*http.Response, error) {
 
 	resp, err := transport.httpTransport.RoundTrip(request)

api/http/proxy/factory/kubernetes/transport_test.go

@@ -0,0 +1,359 @@
+package kubernetes
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/jwt"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// MockJWTService implements portainer.JWTService for testing
+type MockJWTService struct {
+	generateTokenFunc func(data *portainer.TokenData) (string, error)
+}
+
+func (m *MockJWTService) GenerateToken(data *portainer.TokenData) (string, time.Time, error) {
+	if m.generateTokenFunc != nil {
+		token, err := m.generateTokenFunc(data)
+		return token, time.Now().Add(24 * time.Hour), err
+	}
+	return "mock-token", time.Now().Add(24 * time.Hour), nil
+}
+
+func (m *MockJWTService) GenerateTokenForKubeconfig(data *portainer.TokenData) (string, error) {
+	if m.generateTokenFunc != nil {
+		return m.generateTokenFunc(data)
+	}
+	return "mock-kubeconfig-token", nil
+}
+
+func (m *MockJWTService) ParseAndVerifyToken(token string) (*portainer.TokenData, string, time.Time, error) {
+	return &portainer.TokenData{ID: 1, Username: "mock", Role: portainer.AdministratorRole}, "mock-id", time.Now().Add(24 * time.Hour), nil
+}
+
+func (m *MockJWTService) SetUserSessionDuration(userSessionDuration time.Duration) {
+	// Mock implementation - not used in tests
+}
+
+func TestBaseTransport_AddTokenForExec(t *testing.T) {
+	// Setup test store and JWT service
+	_, store := datastore.MustNewTestStore(t, true, false)
+
+	// Create test users
+	adminUser := &portainer.User{
+		ID:       1,
+		Username: "admin",
+		Role:     portainer.AdministratorRole,
+	}
+	err := store.User().Create(adminUser)
+	require.NoError(t, err)
+
+	standardUser := &portainer.User{
+		ID:       2,
+		Username: "standard",
+		Role:     portainer.StandardUserRole,
+	}
+	err = store.User().Create(standardUser)
+	require.NoError(t, err)
+
+	// Create JWT service
+	jwtService, err := jwt.NewService("24h", store)
+	require.NoError(t, err)
+
+	// Create base transport
+	transport := &baseTransport{
+		jwtService: jwtService,
+	}
+
+	tests := []struct {
+		name           string
+		tokenData      *portainer.TokenData
+		setupRequest   func(*http.Request) *http.Request
+		expectError    bool
+		errorMsg       string
+		expectPanic    bool
+		verifyResponse func(*testing.T, *http.Request, *portainer.TokenData)
+	}{
+		{
+			name: "admin user - successful token generation",
+			tokenData: &portainer.TokenData{
+				ID:       adminUser.ID,
+				Username: adminUser.Username,
+				Role:     adminUser.Role,
+			},
+			setupRequest: func(req *http.Request) *http.Request {
+				return req.WithContext(security.StoreTokenData(req, &portainer.TokenData{
+					ID:       adminUser.ID,
+					Username: adminUser.Username,
+					Role:     adminUser.Role,
+				}))
+			},
+			expectError: false,
+			verifyResponse: func(t *testing.T, req *http.Request, tokenData *portainer.TokenData) {
+				authHeader := req.Header.Get("Authorization")
+				assert.NotEmpty(t, authHeader)
+				assert.True(t, strings.HasPrefix(authHeader, "Bearer "))
+
+				token := authHeader[7:] // Remove "Bearer " prefix
+				parsedTokenData, _, _, err := jwtService.ParseAndVerifyToken(token)
+				assert.NoError(t, err)
+				assert.Equal(t, tokenData.ID, parsedTokenData.ID)
+				assert.Equal(t, tokenData.Username, parsedTokenData.Username)
+				assert.Equal(t, tokenData.Role, parsedTokenData.Role)
+			},
+		},
+		{
+			name: "standard user - successful token generation",
+			tokenData: &portainer.TokenData{
+				ID:       standardUser.ID,
+				Username: standardUser.Username,
+				Role:     standardUser.Role,
+			},
+			setupRequest: func(req *http.Request) *http.Request {
+				return req.WithContext(security.StoreTokenData(req, &portainer.TokenData{
+					ID:       standardUser.ID,
+					Username: standardUser.Username,
+					Role:     standardUser.Role,
+				}))
+			},
+			expectError: false,
+			verifyResponse: func(t *testing.T, req *http.Request, tokenData *portainer.TokenData) {
+				authHeader := req.Header.Get("Authorization")
+				assert.NotEmpty(t, authHeader)
+				assert.True(t, strings.HasPrefix(authHeader, "Bearer "))
+
+				token := authHeader[7:] // Remove "Bearer " prefix
+				parsedTokenData, _, _, err := jwtService.ParseAndVerifyToken(token)
+				assert.NoError(t, err)
+				assert.Equal(t, tokenData.ID, parsedTokenData.ID)
+				assert.Equal(t, tokenData.Username, parsedTokenData.Username)
+				assert.Equal(t, tokenData.Role, parsedTokenData.Role)
+			},
+		},
+		{
+			name:      "request without token data in context",
+			tokenData: nil,
+			setupRequest: func(req *http.Request) *http.Request {
+				return req // Don't add token data to context
+			},
+			expectError: true,
+			errorMsg:    "Unable to find JWT data in request context",
+		},
+		{
+			name:      "request with nil token data",
+			tokenData: nil,
+			setupRequest: func(req *http.Request) *http.Request {
+				return req.WithContext(security.StoreTokenData(req, nil))
+			},
+			expectPanic: true,
+		},
+		{
+			name: "JWT service failure",
+			tokenData: &portainer.TokenData{
+				ID:       1,
+				Username: "test",
+				Role:     portainer.AdministratorRole,
+			},
+			setupRequest: func(req *http.Request) *http.Request {
+				return req.WithContext(security.StoreTokenData(req, &portainer.TokenData{
+					ID:       1,
+					Username: "test",
+					Role:     portainer.AdministratorRole,
+				}))
+			},
+			expectPanic: true,
+		},
+		{
+			name: "verify authorization header format",
+			tokenData: &portainer.TokenData{
+				ID:       adminUser.ID,
+				Username: adminUser.Username,
+				Role:     adminUser.Role,
+			},
+			setupRequest: func(req *http.Request) *http.Request {
+				return req.WithContext(security.StoreTokenData(req, &portainer.TokenData{
+					ID:       adminUser.ID,
+					Username: adminUser.Username,
+					Role:     adminUser.Role,
+				}))
+			},
+			expectError: false,
+			verifyResponse: func(t *testing.T, req *http.Request, tokenData *portainer.TokenData) {
+				authHeader := req.Header.Get("Authorization")
+				assert.NotEmpty(t, authHeader)
+				assert.True(t, strings.HasPrefix(authHeader, "Bearer "))
+
+				token := authHeader[7:] // Remove "Bearer " prefix
+				assert.NotEmpty(t, token)
+				assert.Greater(t, len(token), 0, "Token should not be empty")
+			},
+		},
+		{
+			name: "verify header is overwritten on subsequent calls",
+			tokenData: &portainer.TokenData{
+				ID:       adminUser.ID,
+				Username: adminUser.Username,
+				Role:     adminUser.Role,
+			},
+			setupRequest: func(req *http.Request) *http.Request {
+				req = req.WithContext(security.StoreTokenData(req, &portainer.TokenData{
+					ID:       adminUser.ID,
+					Username: adminUser.Username,
+					Role:     adminUser.Role,
+				}))
+				// Set an existing Authorization header
+				req.Header.Set("Authorization", "Bearer old-token")
+				return req
+			},
+			expectError: false,
+			verifyResponse: func(t *testing.T, req *http.Request, tokenData *portainer.TokenData) {
+				authHeader := req.Header.Get("Authorization")
+				assert.NotEqual(t, "Bearer old-token", authHeader)
+				assert.True(t, strings.HasPrefix(authHeader, "Bearer "))
+
+				token := authHeader[7:] // Remove "Bearer " prefix
+				parsedTokenData, _, _, err := jwtService.ParseAndVerifyToken(token)
+				assert.NoError(t, err)
+				assert.Equal(t, tokenData.ID, parsedTokenData.ID)
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Create request
+			request := httptest.NewRequest("GET", "/", nil)
+			request = tt.setupRequest(request)
+
+			// Determine which transport to use based on test case
+			var testTransport *baseTransport
+			if tt.name == "JWT service failure" {
+				testTransport = &baseTransport{
+					jwtService: nil,
+				}
+			} else {
+				testTransport = transport
+			}
+
+			// Call the function
+			if tt.expectPanic {
+				assert.Panics(t, func() {
+					_ = testTransport.addTokenForExec(request)
+				})
+				return
+			}
+
+			err := testTransport.addTokenForExec(request)
+
+			// Check results
+			if tt.expectError {
+				assert.Error(t, err)
+				if tt.errorMsg != "" {
+					assert.Contains(t, err.Error(), tt.errorMsg)
+				}
+			} else {
+				assert.NoError(t, err)
+				if tt.verifyResponse != nil {
+					tt.verifyResponse(t, request, tt.tokenData)
+				}
+			}
+		})
+	}
+}
+
+func TestBaseTransport_AddTokenForExec_Integration(t *testing.T) {
+	// Create a test HTTP server to capture requests
+	var capturedRequest *http.Request
+	var capturedHeaders http.Header
+
+	testServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		capturedRequest = r
+		capturedHeaders = r.Header.Clone()
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte("success"))
+	}))
+	defer testServer.Close()
+
+	// Create mock JWT service
+	mockJWTService := &MockJWTService{
+		generateTokenFunc: func(data *portainer.TokenData) (string, error) {
+			return "mock-token-" + data.Username, nil
+		},
+	}
+
+	// Create base transport
+	transport := &baseTransport{
+		httpTransport: &http.Transport{},
+		jwtService:    mockJWTService,
+	}
+
+	tests := []struct {
+		name          string
+		tokenData     *portainer.TokenData
+		requestPath   string
+		expectedToken string
+	}{
+		{
+			name: "admin user exec request",
+			tokenData: &portainer.TokenData{
+				ID:       1,
+				Username: "admin",
+				Role:     portainer.AdministratorRole,
+			},
+			requestPath:   "/api/endpoints/1/kubernetes/api/v1/namespaces/default/pods/test-pod/exec",
+			expectedToken: "mock-token-admin",
+		},
+		{
+			name: "standard user exec request",
+			tokenData: &portainer.TokenData{
+				ID:       2,
+				Username: "standard",
+				Role:     portainer.StandardUserRole,
+			},
+			requestPath:   "/api/endpoints/1/kubernetes/api/v1/namespaces/default/pods/test-pod/exec",
+			expectedToken: "mock-token-standard",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Reset captured data
+			capturedRequest = nil
+			capturedHeaders = nil
+
+			// Create request to the test server
+			request, err := http.NewRequest("POST", testServer.URL+tt.requestPath, strings.NewReader(""))
+			require.NoError(t, err)
+
+			// Add token data to request context
+			request = request.WithContext(security.StoreTokenData(request, tt.tokenData))
+
+			// Call proxyPodsRequest which triggers addTokenForExec for POST /exec requests
+			resp, err := transport.proxyPodsRequest(request, "default")
+			require.NoError(t, err)
+			defer resp.Body.Close()
+
+			// Verify the response
+			assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+			// Verify the request was captured
+			assert.NotNil(t, capturedRequest)
+			assert.Equal(t, "POST", capturedRequest.Method)
+			assert.Equal(t, tt.requestPath, capturedRequest.URL.Path)
+
+			// Verify the authorization header was set correctly
+			capturedAuthHeader := capturedHeaders.Get("Authorization")
+			assert.NotEmpty(t, capturedAuthHeader)
+			assert.True(t, strings.HasPrefix(capturedAuthHeader, "Bearer "))
+			assert.Equal(t, "Bearer "+tt.expectedToken, capturedAuthHeader)
+		})
+	}
+}

api/http/proxy/factory/reverse_proxy.go

@@ -9,17 +9,20 @@ import (
 
 // Note that we discard any non-canonical headers by design
 var allowedHeaders = map[string]struct{}{
-	"Accept":                  {},
-	"Accept-Encoding":         {},
-	"Accept-Language":         {},
-	"Cache-Control":           {},
-	"Content-Length":          {},
-	"Content-Type":            {},
-	"Private-Token":           {},
-	"User-Agent":              {},
-	"X-Portaineragent-Target": {},
-	"X-Portainer-Volumename":  {},
-	"X-Registry-Auth":         {},
+	"Accept":                    {},
+	"Accept-Encoding":           {},
+	"Accept-Language":           {},
+	"Cache-Control":             {},
+	"Connection":                {},
+	"Content-Length":            {},
+	"Content-Type":              {},
+	"Private-Token":             {},
+	"Upgrade":                   {},
+	"User-Agent":                {},
+	"X-Portaineragent-Target":   {},
+	"X-Portainer-Volumename":    {},
+	"X-Registry-Auth":           {},
+	"X-Stream-Protocol-Version": {},
 }
 
 // newSingleHostReverseProxyWithHostHeader is based on NewSingleHostReverseProxy

api/http/proxy/manager.go

@@ -32,8 +32,8 @@ func NewManager(kubernetesClientFactory *cli.ClientFactory) *Manager {
 	}
 }
 
-func (manager *Manager) NewProxyFactory(dataStore dataservices.DataStore, signatureService portainer.DigitalSignatureService, tunnelService portainer.ReverseTunnelService, clientFactory *dockerclient.ClientFactory, kubernetesClientFactory *cli.ClientFactory, kubernetesTokenCacheManager *kubernetes.TokenCacheManager, gitService portainer.GitService, snapshotService portainer.SnapshotService) {
-	manager.proxyFactory = factory.NewProxyFactory(dataStore, signatureService, tunnelService, clientFactory, kubernetesClientFactory, kubernetesTokenCacheManager, gitService, snapshotService)
+func (manager *Manager) NewProxyFactory(dataStore dataservices.DataStore, signatureService portainer.DigitalSignatureService, tunnelService portainer.ReverseTunnelService, clientFactory *dockerclient.ClientFactory, kubernetesClientFactory *cli.ClientFactory, kubernetesTokenCacheManager *kubernetes.TokenCacheManager, gitService portainer.GitService, snapshotService portainer.SnapshotService, jwtService portainer.JWTService) {
+	manager.proxyFactory = factory.NewProxyFactory(dataStore, signatureService, tunnelService, clientFactory, kubernetesClientFactory, kubernetesTokenCacheManager, gitService, snapshotService, jwtService)
 }
 
 // CreateAndRegisterEndpointProxy creates a new HTTP reverse proxy based on environment(endpoint) properties and adds it to the registered proxies.

api/http/security/bouncer.go

@@ -35,6 +35,7 @@ type (
 		JWTAuthLookup(*http.Request) (*portainer.TokenData, error)
 		TrustedEdgeEnvironmentAccess(dataservices.DataStoreTx, *portainer.Endpoint) error
 		RevokeJWT(string)
+		DisableCSP()
 	}
 
 	// RequestBouncer represents an entity that manages API request accesses
@@ -72,7 +73,7 @@ func NewRequestBouncer(dataStore dataservices.DataStore, jwtService portainer.JW
 		jwtService:    jwtService,
 		apiKeyService: apiKeyService,
 		hsts:          featureflags.IsEnabled("hsts"),
-		csp:           featureflags.IsEnabled("csp"),
+		csp:           true,
 	}
 
 	go b.cleanUpExpiredJWT()
@@ -80,6 +81,11 @@ func NewRequestBouncer(dataStore dataservices.DataStore, jwtService portainer.JW
 	return b
 }
 
+// DisableCSP disables Content Security Policy
+func (bouncer *RequestBouncer) DisableCSP() {
+	bouncer.csp = false
+}
+
 // PublicAccess defines a security check for public API endpoints.
 // No authentication is required to access these endpoints.
 func (bouncer *RequestBouncer) PublicAccess(h http.Handler) http.Handler {
@@ -528,7 +534,7 @@ func MWSecureHeaders(next http.Handler, hsts, csp bool) http.Handler {
 		}
 
 		if csp {
-			w.Header().Set("Content-Security-Policy", "script-src 'self' cdn.matomo.cloud")
+			w.Header().Set("Content-Security-Policy", "script-src 'self' cdn.matomo.cloud js.hsforms.net; frame-ancestors 'none';")
 		}
 
 		w.Header().Set("X-Content-Type-Options", "nosniff")