Split the single container-automation webhook URL into two independently
optional URLs — UpdateWebhookURL (fired on update/rollback/update-failed) and
HealWebhookURL (fired on auto-heal restart). The notifier routes each event to
its mechanism's URL by kind; an empty URL silences only that mechanism, so a
user can enable notifications for updates without heal (or vice-versa).
Settings gain both fields (each validated http/https, {{message}} allowed), the
NotificationPanel exposes two labeled inputs, and the golden migration output is
updated. Delivery path (goroutine/recover/timeout, {{message}} GET vs POST,
per-container stack message format) is unchanged.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add an opt-in webhook notification for container-automation events (image
update, rollback, update-failed, auto-heal restart), plugging into the existing
Notifier seam in notify.go.
- Settings: new ContainerAutomation.Notification.WebhookURL (shared across
update + heal), persisted and validated in the settings update handler
(optional; http/https only; accepts the {{message}} placeholder).
- webhookNotifier reads the current URL from the datastore per event (UI changes
take effect without a restart). If the URL contains {{message}} it substitutes
the URL-encoded message and issues a GET; otherwise it POSTs the message as the
body. Delivery, the env/stack name lookups, and any panic run in a goroutine
under recover() with a 10s timeout — strictly best-effort, never blocks or
crashes the automation daemon. multiNotifier fans events to logNotifier +
webhook and isolates a panic in any one notifier.
- Message format (maintainer's spec):
Environment | <env>
Stack [<name>] (Container [<name>] for non-stack events)
Update [<name>]: <old> -> <new>
Auto-heal: 'Auto-heal: restarted unhealthy container'.
- New NotificationPanel in settings to configure the URL.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
F1: cap the image-status cache TTL at 5m (was 24h) — the cache is keyed by the
LOCAL imageID, which doesn't change when upstream pushes a new image under the
same tag, so the 24h TTL hid new images from both the badge and the auto-update
daemon; a short TTL re-resolves the remote digest within the poll window.
F2: document that the update->rollback guard map is in-memory (restart implication).
F3: skip auto-update for an unnamed container when rollback is on (the endpoint+name
keyed guard can't record it, so it would loop) — pure skipUnnamedForRollback + test.
F4: wrap the pre-update ContainerInspect in context.WithTimeout(endpointTimeout).
F5: document Reload() does not interrupt an in-flight tick.
F6: floor auto-heal CheckInterval at 1s (mirrors auto-update) + test.
F7: wontfix — migration is currently correct; namespace rework is out of scope.
F8: correct the misleading SSRF/AllowList comment (no filter is applied).
F9: front auto-heal interval floor + test; dedup STALE_TIME; fix invalidation comment.
Also refresh three stale '24h/long-lived cache' comments to match the 5m TTL.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
F1: record rolled-back targets per service (endpointID/containerName + remote
digest) and skip auto-update during a 24h cooldown unless the remote digest
changes — breaks the infinite update→rollback loop on a persistently
unhealthy image, without blocking a genuinely new image.
F2: unit-test applyContainerUpdate dispatch/payload mapping.
F3: settings_update.go comments mention auto-heal AND auto-update.
F4: drop stale '(future M4)' TS docs; primitives are frontend-only.
F5: replace the anonymous ContainerAutomation settings struct with named
types (identical JSON tags).
F6: drop parseEnable (duplicate of boolLabel).
F7: remove the unused gitService dependency.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
F1: tolerate up to 3 consecutive health-gate inspect failures (reset on
success) before declaring an update failed, so a transient Docker API blip no
longer triggers a false rollback.
F2: detect baseCtx cancellation during the gate and abort without rolling back
or emitting update-failed (debug log only), instead of a misleading
"rollback failed" event on every shutdown mid-gate.
F3: derive the gate deadline as start + max(RollbackTimeout, StartPeriod+buffer)
via effectiveRollbackDeadline, reading the container's healthcheck StartPeriod
so a legitimately slow-starting container is not rolled back while starting.
F4: only enable the gate when the original reference is a proper tag (new
isTagReference helper); skip with a log line for digest-pinned / bare-image-id
containers that cannot be re-tagged.
F5: document the sequential-tick delay limitation of the gate poll.
F6: emit EventUpdated only after the gate confirms healthy (or immediately when
no gate is active); the rollback path emits only EventRollback, so the event
sequence is truthful.
F7: floor RollbackTimeout at 10s in backend and frontend validation.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
P0 Health-gated rollback (standalone auto-update path): capture the previous
image id + reference + healthcheck before the recreate, then poll the new
container's health over a configurable window. On healthy proceed (and only
then clean up the old image); on unhealthy/exit/timeout re-tag the old image
back onto the original reference and Recreate (no pull) to restore it, reusing
Recreate's config preservation. The decision is a pure decideRollback() helper.
P1 Per-endpoint enable: ContainerAutomationDisabled flag on Endpoint (zero value
participates, no migration churn), checked by both daemons; settable via the
endpoint update API. UI control deferred (see report).
P2 Notifier seam: minimal Notifier interface + logNotifier, emitting structured
updated/rollback/update-failed/heal-restarted events from the daemon.
Settings: RollbackOnFailure + RollbackTimeout (default 120s) added to
ContainerAutomation.AutoUpdate, wired through defaults/migration/golden,
settings_update validation, the AutoUpdatePanel and the TS types.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
F1: Stop routing git-backed stacks through a per-tick RedeployWhenChanged for
image-only updates. The git redeploy path short-circuits when the commit is
unchanged (so an upstream-digest update never applies) yet still git-fetches
every tick. Git stacks are now detect-only in the auto-apply path; their image
update lands on the next git change or via manual "Update now". File (non-git)
stacks still force-pull-redeploy immediately. The AutoUpdatePanel text no longer
promises daemon auto-update for git/externally-managed containers.
F2: Resolve registries for the file-stack redeploy the same way the established
userless/system path (RedeployWhenChanged) does, via the new
deployments.ResolveStackRegistries: scope to the stack author's endpoint access
and RefreshAndPersistECRTokens, instead of hand-passing Registry().ReadAll().
ECR-backed stacks now auto-update with fresh tokens.
F3: Add a 1m floor for the auto-update poll interval, enforced in the settings
Validate and mirrored in the frontend validation.
F4: Thread the application shutdownCtx into NewService and use it as the base
for the heal/update job operation contexts, so shutdown cancels in-flight work.
F5: Correct the updateEndpoint comment about monitor-only badge-cache warming
(only in-scope monitor-only containers are status-checked).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add an optional periodic auto-update daemon that detects outdated container
images and applies updates, replacing the containrrr/watchtower sidecar. It
extends M1's containerautomation service/scheduler/labels infrastructure and
reuses the existing zlib image-detection engine, the standalone Recreate path
and the stack deployer.
Backend:
- api/containerautomation/autoupdate.go: scheduler job iterating Docker
(non-edge) endpoints -> in-scope running containers -> ContainerImageStatus;
for Outdated: standalone -> ContainerService.Recreate(pull); stack-managed ->
one stack redeploy-with-pull per stack per tick (git via RedeployWhenChanged,
file via the deployer directly); external compose -> detect only. Monitor-only
containers are status-checked (warms the badge cache) but never applied.
Overlap guard (atomic), pull/registry-auth failure -> leave running container
untouched, conservative cleanup of the dangling old image on the Cleanup flag
(non-forced ImageRemove only succeeds when truly unused).
- labels.go: update enable / monitor-only labels with watchtower aliases,
InUpdateScope, IsMonitorOnly, and pure resolveContainerUpdateRouting /
groupContainersForUpdate (Go analogue of M3's TS routing + grouping).
- service.go: run both jobs, Reload restarts/stops each per settings; NewService
also takes ContainerService, StackDeployer and GitService.
- Settings.ContainerAutomation.AutoUpdate {Enabled, PollInterval, Scope,
Cleanup} with fresh-install defaults and a 2.43.0 backfill (extends M1's
migration; golden test data updated). settings handler validates + reloads.
Frontend:
- Global AutoUpdatePanel in SettingsView (enable / poll interval / scope /
cleanup) via useUpdateSettingsMutation, plus settings TS types.
- Read-only per-container Auto-update row in the container details view
(Docker labels are immutable at runtime), surfacing monitor-only.
Tests: Go unit tests for the update label aliases, scope, monitor-only, the
routing decision and the one-redeploy-per-stack grouping; vitest for the panel
and the per-container row.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add a native, CE-only auto-heal daemon that restarts Docker containers whose
healthcheck reports "unhealthy", replacing the willfarrell/autoheal sidecar.
Backend:
- New package api/containerautomation (service lifecycle + scheduler job,
per-endpoint heal pass, label/scope parsing, in-memory cooldown/retry state).
- Settings.ContainerAutomation.AutoHeal {Enabled, CheckInterval, Scope} with
fresh-install defaults and a 2.43.0 migration backfilling existing installs.
- Settings update handler reloads/stops the job via a small Reloader interface
(no import cycle); service bootstrapped from main.go after stack schedules.
Frontend:
- Global AutoHealPanel in SettingsView (enable / interval / scope) via
useUpdateSettingsMutation, plus settings TS types.
- Read-only per-container Auto-heal row in the container details view (Docker
labels are immutable at runtime; opt-in is set via Create/Edit form labels).
Tests: Go unit tests for label/scope resolution and the cooldown/retry decision;
vitest for the panel and the per-container row.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* feat(internal-auth): ability to set minimum password length [EE-3175]
* pass props to react component
* fixes + WIP slider
* fix slider updating + add styles
* remove nested ternary
* fix slider updating + add remind me later button
* add length to settings + value & onchange method
* finish my account view
* fix slider updating
* slider styles
* update style
* move slider in
* update size of slider
* allow admin to browse to authentication view
* use feather icons instead of font awesome
* feat(settings): add colors to password rules
* clean up tooltip styles
* more style changes
* styles
* fixes + use requiredLength in password field for icon logic
* simplify logic
* simplify slider logic and remove debug code
* use required length for logic to display pwd length warning
* fix slider styles
* use requiredPasswordLength to determine if password is valid
* style tooltip based on theme
* reset skips when password is changed
* misc cleanup
* reset skips when required length is changed
* fix formatting
* fix issues
* implement some suggestions
* simplify logic
* update broken test
* pick min password length from DB
* fix suggestions
* set up min password length in the DB
* fix test after migration
* fix formatting issue
* fix bug with icon
* refactored migration
* fix typo
* fixes
* fix logic
* set skips per user
* reset skips for all users on length change
Co-authored-by: Chaim Lev-Ari <chiptus@gmail.com>
Co-authored-by: Dmitry Salakhov <to@dimasalakhov.com>
* fix(settings): clear helm url if requested [EE-2494]
fix [EE-2494]
before this PR, helm url would clear when updating settings, if the helm url key wasn't provided.
in this PR, it will be changed only if required
* fix(settings): allow empty helm repo
* chore(deps): run yarn
* fix(settings): set helm repo url
* feat(access-token): Multi-auth middleware support EE-1891 (#5936)
* AnyAuth middleware initial implementation with tests
* using mux.MiddlewareFunc instead of custom definition
* removed redundant comments
* - ExtractBearerToken bouncer func made private
- changed helm token handling functionality to use jwt service to convert token to jwt string
- updated tests
- fixed helm list broken test due to missing token in request context
* rename mwCheckAuthentication -> mwCheckJWTAuthentication
* - introduce initial api-key auth support using X-API-KEY header
- added tests to validate x-api-key request header presence
* updated core mwAuthenticatedUser middleware to support multiple auth paradigms
* - simplified anyAuth middleware
- enforcing authmiddleware to implement verificationFunc interface
- created tests for middleware
* simplify bouncer
Co-authored-by: Dmitry Salakhov <to@dimasalakhov.com>
* feat(api-key): user-access-token generation endpoint EE-1889 EE-1888 EE-1895 (#6012)
* user-access-token generation endpoint
* fix comment
* - introduction of apikey service
- seperation of repository from service logic - called in handler
* fixed tests
* - fixed api key prefix
- added tests
* added another test for digest matching
* updated swagger spec for access token creation
* api key response returns raw key and struct - easing testability
* test for api key prefix length
* added another TODO to middleware
* - api-key prefix rune -> string (rune does not auto-encode when response sent back to client)
- digest -> pointer as we want to allow nil values and omit digest in responses (when nil)
* - updated apikey struct
- updated apikey service to support all common operations
- updated apikey repo
- integration of apikey service into bouncer
- added test for all apikey service functions
- boilerplate code for apikey service integration
* - user access token generation tests
- apiKeyLookup updated to support query params
- added api-key tests for query params
- added api-key tests for apiKeyLookup
* get and remove access token handlers
* get and remove access token handler tests
* - delete user deletes all associated api keys
- tests for this functionality
* removed redundant []byte cast
* automatic api-key eviction set within cache for 1 hour
* fixed bug with loop var using final value
* fixed service comment
* ignore bolt error responses
* case-insensitive query param check
* simplified query var assignment
* - added GetAPIKey func to get by unique id
- updated DeleteAPIKey func to not require user ID
- updated tests
* GenerateRandomKey helper func from github.com/gorilla/securecookie moved to codebase
* json response casing for api-keys fixed
* updating api-key will update the cache
* updated golang LRU cache
* using hashicorps golang-LRU cache for api keys
* simplified jwt check in create user access token
* fixed api-key update logic on cache miss
* Prefix generated api-keys with `ptr_` (#6067)
* prefix api-keys with 'ptr_'
* updated apikey description
* refactor
Co-authored-by: Dmitry Salakhov <to@dimasalakhov.com>
* helm list test refactor
* fixed user delete test
* reduce test nil pointer errors
* using correct http 201 created status code for token creation; updated tests
* fixed swagger doc user id path param for user access token based endpoints
* added api-key security openapi spec to existing jwt secured endpoints (#6091)
* fixed flaky test
* apikey datecreated and lastused attrs converted to unix timestamp
* feat(user): added access token datatable. (#6124)
* feat(user): added access token datatable.
* feat(tokens): only display lastUsed time when it is not the default date
* Update app/portainer/views/account/accountController.js
Co-authored-by: zees-dev <63374656+zees-dev@users.noreply.github.com>
* Update app/portainer/views/account/accountController.js
Co-authored-by: zees-dev <63374656+zees-dev@users.noreply.github.com>
* Update app/portainer/views/account/accountController.js
Co-authored-by: zees-dev <63374656+zees-dev@users.noreply.github.com>
* Update app/portainer/components/datatables/access-tokens-datatable/accessTokensDatatableController.js
Co-authored-by: zees-dev <63374656+zees-dev@users.noreply.github.com>
* Update app/portainer/services/api/userService.js
Co-authored-by: zees-dev <63374656+zees-dev@users.noreply.github.com>
* feat(improvements): proposed datatable improvements to speed up dev time (#6138)
* modal code update
* updated datatable filenames, updated controller to be default class export
* fix(access-token): code improvement.
Co-authored-by: zees-dev <63374656+zees-dev@users.noreply.github.com>
* feat(apikeys): create access token view initial implementation EE-1886 (#6129)
* CopyButton implementation
* Code component implementation
* ToolTip component migration to another folder
* TextTip component implementation - continued
* form Heading component
* Button component updated to be more dynamic
* copybutton - small size
* form control pass tip error
* texttip small text
* CreateAccessToken react feature initial implementation
* create user access token angularjs view implementation
* registration of CreateAccessToken component in AngularJS
* user token generation API request moved to angular service, method passed down instead
* consistent naming of access token operations; clustered similar code together
* any user can add access token
* create access token page routing
* moved code component to the correct location
* removed isadmin check as all functionality applicable to all users
* create access token angular view moved up a level
* fixed PR issues, updated PR
* addressed PR issues/improvements
* explicit hr for horizontal line
* fixed merge conflict storybook build breaking
* - apikey test
- cache test
* addressed testing issues:
- description validations
- remove token description link on table
* fix(api-keys): user role change evicts user keys in cache EE-2113 (#6168)
* user role change evicts user api keys in cache
* EvictUserKeyCache -> InvalidateUserKeyCache
* godoc for InvalidateUserKeyCache func
* additional test line
* disable add access token button after adding token to prevent spam
Co-authored-by: Dmitry Salakhov <to@dimasalakhov.com>
Co-authored-by: fhanportainer <79428273+fhanportainer@users.noreply.github.com>
* fix(helm): allow clearing global helm repo EE-1965
* fix(helm): show hint if global helm repo is blank EE-1965
* fix(helm): skip loading charts if repo is blank EE-1965
Co-authored-by: Simon Meng <simon.meng@portainer.io>
* allow settings to be saved offline. Due to helm repo validation not working for bitnami when offline!
* @hookenz
dont validate the helm repo if the repo hasn't changed or is the default
* feat(kubeshell) allow overriding default kubeshell
* Add missing error check and struct tag
* Add migrator for kube shell image and add it as a default in the db
* Fix file name to match migrator pattern
* remove default as it's now coming from the db
* remove blank line
* - conflict resolution code update
- logging migration error on migration failures
* - migrateDBVersionTo34 -> migrateDBVersionToDB34 (naming consistency)
Co-authored-by: zees-dev <dev.786zshan@gmail.com>
* feat(helm): add helm chart backport to ce EE-1409 (#5425)
* EE-1311 Helm Chart Backport from EE
* backport to ce
Co-authored-by: Matt Hook <hookenz@gmail.com>
* feat(helm): list and configure helm chart (#5431)
* backport and tidyup code
* --amend
* using rocket icon for charts
* helm chart bugfix - clear category button
* added matomo analytics for helm chart install
* fix web editor exit warning without changes
* editor modified exit bugfix
* fixed notifications typo
* updated helm template text
* helper text to convey slow helm templates load
Co-authored-by: zees-dev <dev.786zshan@gmail.com>
* removing redundant time-consuming api call by using prop attribute
* feat(helm) helm chart backport from ee EE-1311 (#5436)
* Add missing defaultHelmRepoUrl and mock testing
* Backport EE-1477
* Backport updates to helm tests from EE
* add https by default changes and ssl to tls renaming from EE
* Port install integration test. Disabled by default to pass CI checks
* merged changes from EE for the integration test
* kube proxy whitelist updated to support internal helm install command
Co-authored-by: zees-dev <dev.786zshan@gmail.com>
* Pull in all changes from tech review in EE-943
* added helm to sidebar after rebase, sync CE with EE
* bugfix: kubectl shell not opening - bearer token bug
* tidy go modules & remove yarn-error.log
* removed redundant handler (not used) - to match EE
* resolved merge conflicts, updated code
* feat(helm/views): helm release and application views EE-1236 (#5529)
* feat(helm): add helm chart backport to ce EE-1409 (#5425)
* EE-1311 Helm Chart Backport from EE
* backport to ce
Co-authored-by: Matt Hook <hookenz@gmail.com>
* Pull in all changes from tech review in EE-943
* added helm to sidebar after rebase, sync CE with EE
* removed redundant handler (not used) - to match EE
* feat(helm) display helm charts - backend EE-1236
* copy over components for new applications view EE-1236
* Add new applications datatable component
* Add more migrated files
* removed test not applicable to CE
* baclkported EE app data table code to CE
* removed redundant helm repo url
* resolved conflicts, updated code
* using endpoint middleware
* PR review fixes
* using constants, openapi updated
Co-authored-by: Richard Wei <54336863+WaysonWei@users.noreply.github.com>
Co-authored-by: zees-dev <dev.786zshan@gmail.com>
* fixed test conflicts, go linted
* feat(helm/templates-add): helm templates add repo for user support EE-1278 (#5514)
* feat(helm): add helm chart backport to ce EE-1409 (#5425)
* EE-1311 Helm Chart Backport from EE
* backport to ce
Co-authored-by: Matt Hook <hookenz@gmail.com>
* feat(helm) helm chart backport from ee EE-1311 (#5436)
* Add missing defaultHelmRepoUrl and mock testing
* Backport EE-1477
* Backport updates to helm tests from EE
* add https by default changes and ssl to tls renaming from EE
* Port install integration test. Disabled by default to pass CI checks
* merged changes from EE for the integration test
* kube proxy whitelist updated to support internal helm install command
Co-authored-by: zees-dev <dev.786zshan@gmail.com>
* Pull in all changes from tech review in EE-943
* feat(helm): add helm chart backport to ce EE-1409 (#5425)
* EE-1311 Helm Chart Backport from EE
* backport to ce
Co-authored-by: Matt Hook <hookenz@gmail.com>
* Pull in all changes from tech review in EE-943
* added helm to sidebar after rebase, sync CE with EE
* backport EE-1278, squashed, diffed, updated
* helm install openapi spec update
* resolved conflicts, updated code
* - matching ee codebase at 0afe57034449ee0e9f333d92c252a13995a93019
- helm install using endpoint middleware
- remove trailing slash from added/persisted helm repo urls
* feat(helm) use libhelm url validator and improved path assembly EE-1554 (#5561)
* feat(helm/userrepos) fix getting global repo for ordinary users EE-1562 (#5567)
* feat(helm/userrepos) fix getting global repo for ordinary users EE-1562
* post review changes and further backported changes from EE
* resolved conflicts, updated code
* fixed helm_install handler unit test
* user cannot add existing repo if suffix is '/' (#5571)
* feat(helm/docs) fix broken swagger docs EE-1278 (#5572)
* Fix swagger docs
* minor correction
* fix(helm): migrating code from user handler to helm handler (#5573)
* - migrated user_helm_repos to helm endpoint handler
- migrated api operations from user factory/service to helm factory/service
- passing endpointId into helm service/factory as endpoint provider is deprecated
* upgrade libhelm to hide secrets
Co-authored-by: Matt Hook <hookenz@gmail.com>
* removed duplicate file - due to merge conflict
* dependency injection in helm factory
Co-authored-by: Richard Wei <54336863+WaysonWei@users.noreply.github.com>
Co-authored-by: Matt Hook <hookenz@gmail.com>
* kubernetes.templates -> kubernetes.templates.helm name conflict fix
* Validate the URL added as a public helm repo (#5579)
* fix(helm): helm app deletion fix EE-1581 (#5582)
* updated helm lib to show correct error on uninstall failure
* passing down helm app namespace on deletion
* fix(k8s): EE-1591 non-admin users cannot deploy charts containing secrets (#5590)
Co-authored-by: Simon Meng <simon.meng@portainer.io>
* fix(helm): helm epic bugfixes EE-1582 EE-1593 (#5585)
* - trim trailing slash and lowercase before persisting helm repo
- browser helm templates url /kubernetes/templates/templates -> /kubernetes/templates/helm
- fix publish url
- fix helm repo add refresh
- semi-fix k8s app expansion
* Tidy up swagger documentation related to helm. Make json consistent
* fixed helm release page for non-default namespaces
* k8s app view table expansion bugfix
* EE-1593: publish url load balancer fallback
Co-authored-by: Matt Hook <hookenz@gmail.com>
* k8s app list fix for charts with deployments containing multiple pods - which use the same label (#5599)
* fix(kubernetes): app list view fix for secrets with long keys or values EE-1600 (#5600)
* k8s app secrets key value text overflow ellipses
* wrapping key value pairs instead of ellipses
* fix(helm): helm apps bundling issue across different namespaces EE-1619 (#5602)
* helm apps bundling issue across different namespaces
* - code comments and indentation to ease reading
- moved namespace calc out of loop
* feat(helm/test) disable slow helm search test by default EE-1599 (#5598)
* skip helm_repo_search as it's an integration test
* switch to portainer built in integration test checker
* make module order match EE
* don't print test struct out when skipping integration test
Co-authored-by: Richard Wei <54336863+WaysonWei@users.noreply.github.com>
Co-authored-by: Matt Hook <hookenz@gmail.com>
Co-authored-by: cong meng <mcpacino@gmail.com>
Co-authored-by: Simon Meng <simon.meng@portainer.io>
* feat(kubeconfig) EE-1153 Introduce the ability to change the expiry of a kubeconfig
* feat(kubeconfig) EE-1153 pr feedback update
* feat(kubeconfig) EE-1153 code cleanup
Co-authored-by: Simon Meng <simon.meng@portainer.io>