EE-4286 fix(docker): update tls certs for docker env

* fix(image): hide button issues [EE-4166]

api/archive/targz_test.go

@@ -2,7 +2,6 @@ package archive
 
 import (
 	"fmt"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"path"
@@ -28,10 +27,10 @@ func listFiles(dir string) []string {
 func Test_shouldCreateArhive(t *testing.T) {
 	tmpdir := t.TempDir()
 	content := []byte("content")
-	ioutil.WriteFile(path.Join(tmpdir, "outer"), content, 0600)
+	os.WriteFile(path.Join(tmpdir, "outer"), content, 0600)
 	os.MkdirAll(path.Join(tmpdir, "dir"), 0700)
-	ioutil.WriteFile(path.Join(tmpdir, "dir", ".dotfile"), content, 0600)
-	ioutil.WriteFile(path.Join(tmpdir, "dir", "inner"), content, 0600)
+	os.WriteFile(path.Join(tmpdir, "dir", ".dotfile"), content, 0600)
+	os.WriteFile(path.Join(tmpdir, "dir", "inner"), content, 0600)
 
 	gzPath, err := TarGzDir(tmpdir)
 	assert.Nil(t, err)
@@ -48,7 +47,7 @@ func Test_shouldCreateArhive(t *testing.T) {
 	wasExtracted := func(p string) {
 		fullpath := path.Join(extractionDir, p)
 		assert.Contains(t, extractedFiles, fullpath)
-		copyContent, _ := ioutil.ReadFile(fullpath)
+		copyContent, _ := os.ReadFile(fullpath)
 		assert.Equal(t, content, copyContent)
 	}
 
@@ -60,10 +59,10 @@ func Test_shouldCreateArhive(t *testing.T) {
 func Test_shouldCreateArhiveXXXXX(t *testing.T) {
 	tmpdir := t.TempDir()
 	content := []byte("content")
-	ioutil.WriteFile(path.Join(tmpdir, "outer"), content, 0600)
+	os.WriteFile(path.Join(tmpdir, "outer"), content, 0600)
 	os.MkdirAll(path.Join(tmpdir, "dir"), 0700)
-	ioutil.WriteFile(path.Join(tmpdir, "dir", ".dotfile"), content, 0600)
-	ioutil.WriteFile(path.Join(tmpdir, "dir", "inner"), content, 0600)
+	os.WriteFile(path.Join(tmpdir, "dir", ".dotfile"), content, 0600)
+	os.WriteFile(path.Join(tmpdir, "dir", "inner"), content, 0600)
 
 	gzPath, err := TarGzDir(tmpdir)
 	assert.Nil(t, err)
@@ -80,7 +79,7 @@ func Test_shouldCreateArhiveXXXXX(t *testing.T) {
 	wasExtracted := func(p string) {
 		fullpath := path.Join(extractionDir, p)
 		assert.Contains(t, extractedFiles, fullpath)
-		copyContent, _ := ioutil.ReadFile(fullpath)
+		copyContent, _ := os.ReadFile(fullpath)
 		assert.Equal(t, content, copyContent)
 	}
 

api/archive/zip.go

@@ -4,12 +4,12 @@ import (
 	"archive/zip"
 	"bytes"
 	"fmt"
-	"github.com/pkg/errors"
 	"io"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strings"
+
+	"github.com/pkg/errors"
 )
 
 // UnzipArchive will unzip an archive from bytes into the dest destination folder on disk
@@ -36,7 +36,7 @@ func extractFileFromArchive(file *zip.File, dest string) error {
 	}
 	defer f.Close()
 
-	data, err := ioutil.ReadAll(f)
+	data, err := io.ReadAll(f)
 	if err != nil {
 		return err
 	}

api/archive/zip_test.go

@@ -1,9 +1,10 @@
 package archive
 
 import (
-	"github.com/stretchr/testify/assert"
 	"path/filepath"
 	"testing"
+
+	"github.com/stretchr/testify/assert"
 )
 
 func TestUnzipFile(t *testing.T) {

api/cli/cli.go

@@ -62,6 +62,7 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 		MaxBatchDelay:             kingpin.Flag("max-batch-delay", "Maximum delay before a batch starts").Duration(),
 		SecretKeyName:             kingpin.Flag("secret-key-name", "Secret key name for encryption and will be used as /run/secrets/<secret-key-name>.").Default(defaultSecretKeyName).String(),
 		LogLevel:                  kingpin.Flag("log-level", "Set the minimum logging level to show").Default("INFO").Enum("DEBUG", "INFO", "WARN", "ERROR"),
+		LogMode:                   kingpin.Flag("log-mode", "Set the logging output mode").Default("PRETTY").Enum("PRETTY", "JSON"),
 	}
 
 	kingpin.Parse()

api/cmd/portainer/import.go

@@ -1,28 +0,0 @@
-package main
-
-import (
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/datastore"
-
-	"github.com/rs/zerolog/log"
-)
-
-func importFromJson(fileService portainer.FileService, store *datastore.Store) {
-	// EXPERIMENTAL - if used with an incomplete json file, it will fail, as we don't have a way to default the model values
-	importFile := "/data/import.json"
-	if exists, _ := fileService.FileExists(importFile); exists {
-		if err := store.Import(importFile); err != nil {
-			log.Error().Str("filename", importFile).Err(err).Msg("import failed")
-			// TODO: should really rollback on failure, but then we have nothing.
-		} else {
-			log.Info().Str("filename", importFile).Msg("successfully imported the file to a new portainer database")
-		}
-
-		// TODO: this is bad - its to ensure that any defaults that were broken in import, or migrations get set back to what we want
-		// I also suspect that everything from "Init to Init" is potentially a migration
-		err := store.Init()
-		if err != nil {
-			log.Fatal().Err(err).Msg("failed initializing data store")
-		}
-	}
-}

api/cmd/portainer/log.go

@@ -1,7 +1,9 @@
 package main
 
 import (
+	"fmt"
 	stdlog "log"
+	"os"
 
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
@@ -31,3 +33,23 @@ func setLoggingLevel(level string) {
 		zerolog.SetGlobalLevel(zerolog.DebugLevel)
 	}
 }
+
+func setLoggingMode(mode string) {
+	switch mode {
+	case "PRETTY":
+		log.Logger = log.Output(zerolog.ConsoleWriter{
+			Out:           os.Stderr,
+			NoColor:       true,
+			TimeFormat:    "2006/01/02 03:04PM",
+			FormatMessage: formatMessage})
+	case "JSON":
+		log.Logger = log.Output(os.Stderr)
+	}
+}
+
+func formatMessage(i interface{}) string {
+	if i == nil {
+		return ""
+	}
+	return fmt.Sprintf("%s |", i)
+}

api/cmd/portainer/main.go

@@ -239,8 +239,8 @@ func initDockerClientFactory(signatureService portainer.DigitalSignatureService,
 	return docker.NewClientFactory(signatureService, reverseTunnelService)
 }
 
-func initKubernetesClientFactory(signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService, instanceID string, dataStore dataservices.DataStore) *kubecli.ClientFactory {
-	return kubecli.NewClientFactory(signatureService, reverseTunnelService, instanceID, dataStore)
+func initKubernetesClientFactory(signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService, dataStore dataservices.DataStore, instanceID, addrHTTPS, userSessionTimeout string) (*kubecli.ClientFactory, error) {
+	return kubecli.NewClientFactory(signatureService, reverseTunnelService, dataStore, instanceID, addrHTTPS, userSessionTimeout)
 }
 
 func initSnapshotService(
@@ -316,12 +316,7 @@ func updateSettingsFromFlags(dataStore dataservices.DataStore, flags *portainer.
 		sslSettings.HTTPEnabled = true
 	}
 
-	err = dataStore.SSLSettings().UpdateSettings(sslSettings)
-	if err != nil {
-		return err
-	}
-
-	return nil
+	return dataStore.SSLSettings().UpdateSettings(sslSettings)
 }
 
 // enableFeaturesFromFlags turns on or off feature flags
@@ -617,7 +612,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 	reverseTunnelService := chisel.NewService(dataStore, shutdownCtx)
 
 	dockerClientFactory := initDockerClientFactory(digitalSignatureService, reverseTunnelService)
-	kubernetesClientFactory := initKubernetesClientFactory(digitalSignatureService, reverseTunnelService, instanceID, dataStore)
+	kubernetesClientFactory, err := initKubernetesClientFactory(digitalSignatureService, reverseTunnelService, dataStore, instanceID, *flags.AddrHTTPS, settings.UserSessionTimeout)
 
 	snapshotService, err := initSnapshotService(*flags.SnapshotInterval, dataStore, dockerClientFactory, kubernetesClientFactory, shutdownCtx)
 	if err != nil {
@@ -763,10 +758,12 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 
 func main() {
 	configureLogger()
+	setLoggingMode("PRETTY")
 
 	flags := initCLI()
 
 	setLoggingLevel(*flags.LogLevel)
+	setLoggingMode(*flags.LogMode)
 
 	for {
 		server := buildServer(flags)

api/connection.go

@@ -24,6 +24,7 @@ type Connection interface {
 	SetServiceName(bucketName string) error
 	GetObject(bucketName string, key []byte, object interface{}) error
 	UpdateObject(bucketName string, key []byte, object interface{}) error
+	UpdateObjectFunc(bucketName string, key []byte, object any, updateFn func()) error
 	DeleteObject(bucketName string, key []byte) error
 	DeleteAllObjects(bucketName string, matching func(o interface{}) (id int, ok bool)) error
 	GetNextIdentifier(bucketName string) int

api/crypto/aes.go

@@ -13,7 +13,7 @@ import (
 // Person with better knowledge is welcomed to improve it.
 // sourced from https://golang.org/src/crypto/cipher/example_test.go
 
-var emptySalt []byte = make([]byte, 0, 0)
+var emptySalt []byte = make([]byte, 0)
 
 // AesEncrypt reads from input, encrypts with AES-256 and writes to the output.
 // passphrase is used to generate an encryption key.

api/crypto/aes_test.go

@@ -2,7 +2,6 @@ package crypto
 
 import (
 	"io"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"testing"
@@ -20,7 +19,7 @@ func Test_encryptAndDecrypt_withTheSamePassword(t *testing.T) {
 	)
 
 	content := []byte("content")
-	ioutil.WriteFile(originFilePath, content, 0600)
+	os.WriteFile(originFilePath, content, 0600)
 
 	originFile, _ := os.Open(originFilePath)
 	defer originFile.Close()
@@ -30,7 +29,7 @@ func Test_encryptAndDecrypt_withTheSamePassword(t *testing.T) {
 
 	err := AesEncrypt(originFile, encryptedFileWriter, []byte("passphrase"))
 	assert.Nil(t, err, "Failed to encrypt a file")
-	encryptedContent, err := ioutil.ReadFile(encryptedFilePath)
+	encryptedContent, err := os.ReadFile(encryptedFilePath)
 	assert.Nil(t, err, "Couldn't read encrypted file")
 	assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")
 
@@ -45,7 +44,7 @@ func Test_encryptAndDecrypt_withTheSamePassword(t *testing.T) {
 
 	io.Copy(decryptedFileWriter, decryptedReader)
 
-	decryptedContent, _ := ioutil.ReadFile(decryptedFilePath)
+	decryptedContent, _ := os.ReadFile(decryptedFilePath)
 	assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
 }
 
@@ -59,7 +58,7 @@ func Test_encryptAndDecrypt_withEmptyPassword(t *testing.T) {
 	)
 
 	content := []byte("content")
-	ioutil.WriteFile(originFilePath, content, 0600)
+	os.WriteFile(originFilePath, content, 0600)
 
 	originFile, _ := os.Open(originFilePath)
 	defer originFile.Close()
@@ -69,7 +68,7 @@ func Test_encryptAndDecrypt_withEmptyPassword(t *testing.T) {
 
 	err := AesEncrypt(originFile, encryptedFileWriter, []byte(""))
 	assert.Nil(t, err, "Failed to encrypt a file")
-	encryptedContent, err := ioutil.ReadFile(encryptedFilePath)
+	encryptedContent, err := os.ReadFile(encryptedFilePath)
 	assert.Nil(t, err, "Couldn't read encrypted file")
 	assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")
 
@@ -84,7 +83,7 @@ func Test_encryptAndDecrypt_withEmptyPassword(t *testing.T) {
 
 	io.Copy(decryptedFileWriter, decryptedReader)
 
-	decryptedContent, _ := ioutil.ReadFile(decryptedFilePath)
+	decryptedContent, _ := os.ReadFile(decryptedFilePath)
 	assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
 }
 
@@ -98,7 +97,7 @@ func Test_decryptWithDifferentPassphrase_shouldProduceWrongResult(t *testing.T)
 	)
 
 	content := []byte("content")
-	ioutil.WriteFile(originFilePath, content, 0600)
+	os.WriteFile(originFilePath, content, 0600)
 
 	originFile, _ := os.Open(originFilePath)
 	defer originFile.Close()
@@ -108,7 +107,7 @@ func Test_decryptWithDifferentPassphrase_shouldProduceWrongResult(t *testing.T)
 
 	err := AesEncrypt(originFile, encryptedFileWriter, []byte("passphrase"))
 	assert.Nil(t, err, "Failed to encrypt a file")
-	encryptedContent, err := ioutil.ReadFile(encryptedFilePath)
+	encryptedContent, err := os.ReadFile(encryptedFilePath)
 	assert.Nil(t, err, "Couldn't read encrypted file")
 	assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")
 
@@ -123,6 +122,6 @@ func Test_decryptWithDifferentPassphrase_shouldProduceWrongResult(t *testing.T)
 
 	io.Copy(decryptedFileWriter, decryptedReader)
 
-	decryptedContent, _ := ioutil.ReadFile(decryptedFilePath)
+	decryptedContent, _ := os.ReadFile(decryptedFilePath)
 	assert.NotEqual(t, content, decryptedContent, "Original and decrypted content should NOT match")
 }

api/crypto/tls.go

@@ -3,7 +3,7 @@ package crypto
 import (
 	"crypto/tls"
 	"crypto/x509"
-	"io/ioutil"
+	"os"
 )
 
 // CreateServerTLSConfiguration creates a basic tls.Config to be used by servers with recommended TLS settings
@@ -63,7 +63,7 @@ func CreateTLSConfigurationFromDisk(caCertPath, certPath, keyPath string, skipSe
 	}
 
 	if !skipServerVerification && caCertPath != "" {
-		caCert, err := ioutil.ReadFile(caCertPath)
+		caCert, err := os.ReadFile(caCertPath)
 		if err != nil {
 			return nil, err
 		}

api/database/boltdb/db.go

@@ -6,7 +6,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"path"
 	"time"
@@ -167,7 +166,7 @@ func (connection *DbConnection) ExportRaw(filename string) error {
 	if err != nil {
 		return err
 	}
-	return ioutil.WriteFile(filename, b, 0600)
+	return os.WriteFile(filename, b, 0600)
 }
 
 // ConvertToKey returns an 8-byte big endian representation of v.
@@ -179,7 +178,7 @@ func (connection *DbConnection) ConvertToKey(v int) []byte {
 	return b
 }
 
-// CreateBucket is a generic function used to create a bucket inside a database database.
+// CreateBucket is a generic function used to create a bucket inside a database.
 func (connection *DbConnection) SetServiceName(bucketName string) error {
 	return connection.Batch(func(tx *bolt.Tx) error {
 		_, err := tx.CreateBucketIfNotExists([]byte(bucketName))
@@ -187,7 +186,7 @@ func (connection *DbConnection) SetServiceName(bucketName string) error {
 	})
 }
 
-// GetObject is a generic function used to retrieve an unmarshalled object from a database database.
+// GetObject is a generic function used to retrieve an unmarshalled object from a database.
 func (connection *DbConnection) GetObject(bucketName string, key []byte, object interface{}) error {
 	var data []byte
 
@@ -219,7 +218,7 @@ func (connection *DbConnection) getEncryptionKey() []byte {
 	return connection.EncryptionKey
 }
 
-// UpdateObject is a generic function used to update an object inside a database database.
+// UpdateObject is a generic function used to update an object inside a database.
 func (connection *DbConnection) UpdateObject(bucketName string, key []byte, object interface{}) error {
 	data, err := connection.MarshalObject(object)
 	if err != nil {
@@ -232,7 +231,33 @@ func (connection *DbConnection) UpdateObject(bucketName string, key []byte, obje
 	})
 }
 
-// DeleteObject is a generic function used to delete an object inside a database database.
+// UpdateObjectFunc is a generic function used to update an object safely without race conditions.
+func (connection *DbConnection) UpdateObjectFunc(bucketName string, key []byte, object any, updateFn func()) error {
+	return connection.Batch(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(bucketName))
+
+		data := bucket.Get(key)
+		if data == nil {
+			return dserrors.ErrObjectNotFound
+		}
+
+		err := connection.UnmarshalObjectWithJsoniter(data, object)
+		if err != nil {
+			return err
+		}
+
+		updateFn()
+
+		data, err = connection.MarshalObject(object)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put(key, data)
+	})
+}
+
+// DeleteObject is a generic function used to delete an object inside a database.
 func (connection *DbConnection) DeleteObject(bucketName string, key []byte) error {
 	return connection.Batch(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(bucketName))

api/database/models/ingress.go

@@ -59,9 +59,6 @@ func (r K8sIngressInfo) Validate(request *http.Request) error {
 	if r.Namespace == "" {
 		return errors.New("missing ingress Namespace from the request payload")
 	}
-	if r.ClassName == "" {
-		return errors.New("missing ingress ClassName from the request payload")
-	}
 	return nil
 }
 

api/dataservices/interface.go

@@ -251,6 +251,7 @@ type (
 		Tag(ID portainer.TagID) (*portainer.Tag, error)
 		Create(tag *portainer.Tag) error
 		UpdateTag(ID portainer.TagID, tag *portainer.Tag) error
+		UpdateTagFunc(ID portainer.TagID, updateFunc func(tag *portainer.Tag)) error
 		DeleteTag(ID portainer.TagID) error
 		BucketName() string
 	}

api/dataservices/tag/tag.go

@@ -80,12 +80,24 @@ func (service *Service) Create(tag *portainer.Tag) error {
 	)
 }
 
-// UpdateTag updates a tag.
+// Deprecated: Use UpdateTagFunc instead.
 func (service *Service) UpdateTag(ID portainer.TagID, tag *portainer.Tag) error {
 	identifier := service.connection.ConvertToKey(int(ID))
 	return service.connection.UpdateObject(BucketName, identifier, tag)
 }
 
+// UpdateTagFunc updates a tag inside a transaction avoiding data races.
+func (service *Service) UpdateTagFunc(ID portainer.TagID, updateFunc func(tag *portainer.Tag)) error {
+	id := service.connection.ConvertToKey(int(ID))
+	tag := &portainer.Tag{}
+
+	service.connection.UpdateObjectFunc(BucketName, id, tag, func() {
+		updateFunc(tag)
+	})
+
+	return nil
+}
+
 // DeleteTag deletes a tag.
 func (service *Service) DeleteTag(ID portainer.TagID) error {
 	identifier := service.connection.ConvertToKey(int(ID))

api/datastore/migrate_data_test.go

@@ -275,7 +275,7 @@ func migrateDBTestHelper(t *testing.T, srcPath, wantPath string) error {
 
 	// Compare the result we got with the one we wanted.
 	if diff := cmp.Diff(wantJSON, gotJSON); diff != "" {
-		gotPath := filepath.Join(t.TempDir(), "portainer-migrator-test-fail.json")
+		gotPath := filepath.Join(os.TempDir(), "portainer-migrator-test-fail.json")
 		os.WriteFile(
 			gotPath,
 			gotJSON,

api/datastore/migrator/migrate_dbversion34_test.go

@@ -1,94 +0,0 @@
-package migrator
-
-const (
-	db35TestFile = "portainer-mig-35.db"
-	username     = "portainer"
-	password     = "password"
-)
-
-// TODO: this is exactly the kind of reaching into the internals of the store we should not do
-// func setupDB35Test(t *testing.T) *Migrator {
-// 	is := assert.New(t)
-// 	dbConn, err := bolt.Open(path.Join(t.TempDir(), db35TestFile), 0600, &bolt.Options{Timeout: 1 * time.Second})
-// 	is.NoError(err, "failed to init testing DB connection")
-
-// 	// Create an old style dockerhub authenticated account
-// 	dockerhubService, err := dockerhub.NewService(&database.DbConnection{DB: dbConn})
-// 	is.NoError(err, "failed to init testing registry service")
-// 	err = dockerhubService.UpdateDockerHub(&portainer.DockerHub{true, username, password})
-// 	is.NoError(err, "failed to create dockerhub account")
-
-// 	registryService, err := registry.NewService(&database.DbConnection{DB: dbConn})
-// 	is.NoError(err, "failed to init testing registry service")
-
-// 	endpointService, err := endpoint.NewService(&database.DbConnection{DB: dbConn})
-// 	is.NoError(err, "failed to init endpoint service")
-
-// 	m := &Migrator{
-// 		db:               dbConn,
-// 		dockerhubService: dockerhubService,
-// 		registryService:  registryService,
-// 		endpointService:  endpointService,
-// 	}
-
-// 	return m
-// }
-
-// // TestUpdateDockerhubToDB32 tests a normal upgrade
-// func TestUpdateDockerhubToDB32(t *testing.T) {
-// 	is := assert.New(t)
-// 	m := setupDB35Test(t)
-// 	defer m.db.Close()
-// 	defer os.Remove(db35TestFile)
-
-// 	if err := m.updateDockerhubToDB32(); err != nil {
-// 		t.Errorf("failed to update settings: %v", err)
-// 	}
-
-// 	// Verify we have a single registry were created
-// 	registries, err := m.registryService.Registries()
-// 	is.NoError(err, "failed to read registries from the RegistryService")
-// 	is.Equal(len(registries), 1, "only one migrated registry expected")
-// }
-
-// // TestUpdateDockerhubToDB32_with_duplicate_migrations tests an upgrade where in earlier versions a broken migration
-// // created a large number of duplicate "dockerhub migrated" registry entries.
-// func TestUpdateDockerhubToDB32_with_duplicate_migrations(t *testing.T) {
-// 	is := assert.New(t)
-// 	m := setupDB35Test(t)
-// 	defer m.db.Close()
-// 	defer os.Remove(db35TestFile)
-
-// 	// Create lots of duplicate entries...
-// 	registry := &portainer.Registry{
-// 		Type:             portainer.DockerHubRegistry,
-// 		Name:             "Dockerhub (authenticated - migrated)",
-// 		URL:              "docker.io",
-// 		Authentication:   true,
-// 		Username:         "portainer",
-// 		Password:         "password",
-// 		RegistryAccesses: portainer.RegistryAccesses{},
-// 	}
-
-// 	for i := 1; i < 150; i++ {
-// 		err := m.registryService.CreateRegistry(registry)
-// 		assert.NoError(t, err, "create registry failed")
-// 	}
-
-// 	// Verify they were created
-// 	registries, err := m.registryService.Registries()
-// 	is.NoError(err, "failed to read registries from the RegistryService")
-// 	is.Condition(func() bool {
-// 		return len(registries) > 1
-// 	}, "expected multiple duplicate registry entries")
-
-// 	// Now run the migrator
-// 	if err := m.updateDockerhubToDB32(); err != nil {
-// 		t.Errorf("failed to update settings: %v", err)
-// 	}
-
-// 	// Verify we have a single registry were created
-// 	registries, err = m.registryService.Registries()
-// 	is.NoError(err, "failed to read registries from the RegistryService")
-// 	is.Equal(len(registries), 1, "only one migrated registry expected")
-// }

api/datastore/migrator/migrate_dbversion70.go

@@ -8,7 +8,7 @@ import (
 
 func (m *Migrator) migrateDBVersionToDB70() error {
 	log.Info().Msg("- add IngressAvailabilityPerNamespace field")
-	if err := m.addIngressAvailabilityPerNamespaceFieldDB70(); err != nil {
+	if err := m.updateIngressFieldsForEnvDB70(); err != nil {
 		return err
 	}
 
@@ -51,7 +51,7 @@ func (m *Migrator) migrateDBVersionToDB70() error {
 	return nil
 }
 
-func (m *Migrator) addIngressAvailabilityPerNamespaceFieldDB70() error {
+func (m *Migrator) updateIngressFieldsForEnvDB70() error {
 	endpoints, err := m.endpointService.Endpoints()
 	if err != nil {
 		return err
@@ -59,6 +59,7 @@ func (m *Migrator) addIngressAvailabilityPerNamespaceFieldDB70() error {
 
 	for _, endpoint := range endpoints {
 		endpoint.Kubernetes.Configuration.IngressAvailabilityPerNamespace = true
+		endpoint.Kubernetes.Configuration.AllowNoneIngressClass = false
 
 		err = m.endpointService.UpdateEndpoint(endpoint.ID, &endpoint)
 		if err != nil {

api/datastore/services.go

@@ -3,7 +3,7 @@ package datastore
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"os"
 	"strconv"
 
 	portainer "github.com/portainer/portainer/api"
@@ -607,13 +607,13 @@ func (store *Store) Export(filename string) (err error) {
 	if err != nil {
 		return err
 	}
-	return ioutil.WriteFile(filename, b, 0600)
+	return os.WriteFile(filename, b, 0600)
 }
 
 func (store *Store) Import(filename string) (err error) {
 	backup := storeExport{}
 
-	s, err := ioutil.ReadFile(filename)
+	s, err := os.ReadFile(filename)
 	if err != nil {
 		return err
 	}

api/datastore/test_data/output_24_to_latest.json

@@ -52,6 +52,7 @@
       "IsEdgeDevice": false,
       "Kubernetes": {
         "Configuration": {
+          "AllowNoneIngressClass": false,
           "EnableResourceOverCommit": false,
           "IngressAvailabilityPerNamespace": true,
           "IngressClasses": null,

api/docker/snapshot.go

@@ -159,7 +159,7 @@ func snapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Client)
 	gpuUseSet := make(map[string]struct{})
 	gpuUseAll := false
 	for _, container := range containers {
-		if container.State == "exited" {
+		if container.State == "exited" || container.State == "stopped" {
 			stoppedContainers++
 		} else if container.State == "running" {
 			runningContainers++

api/exec/compose_stack_test.go

@@ -1,7 +1,7 @@
 package exec
 
 import (
-	"io/ioutil"
+	"io"
 	"os"
 	"path"
 	"testing"
@@ -55,7 +55,7 @@ func Test_createEnvFile(t *testing.T) {
 				assert.Equal(t, "stack.env", result)
 
 				f, _ := os.Open(path.Join(dir, "stack.env"))
-				content, _ := ioutil.ReadAll(f)
+				content, _ := io.ReadAll(f)
 
 				assert.Equal(t, tt.expected, string(content))
 			} else {
@@ -80,7 +80,7 @@ func Test_createEnvFile_mergesDefultAndInplaceEnvVars(t *testing.T) {
 	assert.NoError(t, err)
 	assert.FileExists(t, path.Join(dir, "stack.env"))
 	f, _ := os.Open(path.Join(dir, "stack.env"))
-	content, _ := ioutil.ReadAll(f)
+	content, _ := io.ReadAll(f)
 
 	assert.Equal(t, []byte("VAR1=VAL1\nVAR2=VAL2\n\nVAR1=NEW_VAL1\nVAR3=VAL3\n"), content)
 }

api/exec/swarm_stack.go

@@ -203,12 +203,7 @@ func (manager *SwarmStackManager) updateDockerCLIConfiguration(configPath string
 	headersObject["X-PortainerAgent-Signature"] = signature
 	headersObject["X-PortainerAgent-PublicKey"] = manager.signatureService.EncodedPublicKey()
 
-	err = manager.fileService.WriteJSONToFile(configFilePath, config)
-	if err != nil {
-		return err
-	}
-
-	return nil
+	return manager.fileService.WriteJSONToFile(configFilePath, config)
 }
 
 func (manager *SwarmStackManager) retrieveConfigurationFromDisk(path string) (map[string]interface{}, error) {

api/filesystem/copy_test.go

@@ -1,7 +1,6 @@
 package filesystem
 
 import (
-	"io/ioutil"
 	"os"
 	"path"
 	"path/filepath"
@@ -19,12 +18,12 @@ func Test_copyFile_returnsError_whenSourceDoesNotExist(t *testing.T) {
 func Test_copyFile_shouldMakeAbackup(t *testing.T) {
 	tmpdir := t.TempDir()
 	content := []byte("content")
-	ioutil.WriteFile(path.Join(tmpdir, "origin"), content, 0600)
+	os.WriteFile(path.Join(tmpdir, "origin"), content, 0600)
 
 	err := copyFile(path.Join(tmpdir, "origin"), path.Join(tmpdir, "copy"))
 	assert.NoError(t, err)
 
-	copyContent, _ := ioutil.ReadFile(path.Join(tmpdir, "copy"))
+	copyContent, _ := os.ReadFile(path.Join(tmpdir, "copy"))
 	assert.Equal(t, content, copyContent)
 }
 
@@ -59,13 +58,13 @@ func Test_CopyPath_shouldSkipWhenNotExist(t *testing.T) {
 func Test_CopyPath_shouldCopyFile(t *testing.T) {
 	tmpdir := t.TempDir()
 	content := []byte("content")
-	ioutil.WriteFile(path.Join(tmpdir, "file"), content, 0600)
+	os.WriteFile(path.Join(tmpdir, "file"), content, 0600)
 
 	os.MkdirAll(path.Join(tmpdir, "backup"), 0700)
 	err := CopyPath(path.Join(tmpdir, "file"), path.Join(tmpdir, "backup"))
 	assert.NoError(t, err)
 
-	copyContent, err := ioutil.ReadFile(path.Join(tmpdir, "backup", "file"))
+	copyContent, err := os.ReadFile(path.Join(tmpdir, "backup", "file"))
 	assert.NoError(t, err)
 	assert.Equal(t, content, copyContent)
 }

api/filesystem/filesystem.go

@@ -163,7 +163,7 @@ func (service *Service) Copy(fromFilePath string, toFilePath string, deleteIfExi
 	}
 
 	if !exists {
-		return errors.New(fmt.Sprintf("File (%s) doesn't exist", fromFilePath))
+		return fmt.Errorf("File (%s) doesn't exist", fromFilePath)
 	}
 
 	finput, err := os.Open(fromFilePath)

api/filesystem/write_test.go

@@ -1,7 +1,7 @@
 package filesystem
 
 import (
-	"io/ioutil"
+	"os"
 	"path"
 	"testing"
 
@@ -16,7 +16,7 @@ func Test_WriteFile_CanStoreContentInANewFile(t *testing.T) {
 	err := WriteToFile(tmpFilePath, content)
 	assert.NoError(t, err)
 
-	fileContent, _ := ioutil.ReadFile(tmpFilePath)
+	fileContent, _ := os.ReadFile(tmpFilePath)
 	assert.Equal(t, content, fileContent)
 }
 
@@ -31,7 +31,7 @@ func Test_WriteFile_CanOverwriteExistingFile(t *testing.T) {
 	err = WriteToFile(tmpFilePath, content)
 	assert.NoError(t, err)
 
-	fileContent, _ := ioutil.ReadFile(tmpFilePath)
+	fileContent, _ := os.ReadFile(tmpFilePath)
 	assert.Equal(t, content, fileContent)
 }
 
@@ -43,6 +43,6 @@ func Test_WriteFile_CanWriteANestedPath(t *testing.T) {
 	err := WriteToFile(tmpFilePath, content)
 	assert.NoError(t, err)
 
-	fileContent, _ := ioutil.ReadFile(tmpFilePath)
+	fileContent, _ := os.ReadFile(tmpFilePath)
 	assert.Equal(t, content, fileContent)
 }

api/git/azure.go

@@ -6,7 +6,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"net/url"
 	"os"
@@ -100,7 +99,7 @@ func (a *azureClient) downloadZipFromAzureDevOps(ctx context.Context, opt cloneO
 	if err != nil {
 		return "", errors.WithMessage(err, "failed to build download url")
 	}
-	zipFile, err := ioutil.TempFile("", "azure-git-repo-*.zip")
+	zipFile, err := os.CreateTemp("", "azure-git-repo-*.zip")
 	if err != nil {
 		return "", errors.WithMessage(err, "failed to create temp file")
 	}

api/git/git_integration_test.go

@@ -274,7 +274,8 @@ func TestService_purgeCacheByTTL_Github(t *testing.T) {
 
 func TestService_canStopCacheCleanTimer_whenContextDone(t *testing.T) {
 	timeout := 10 * time.Millisecond
-	deadlineCtx, _ := context.WithDeadline(context.TODO(), time.Now().Add(10*timeout))
+	deadlineCtx, cancel := context.WithDeadline(context.TODO(), time.Now().Add(10*timeout))
+	defer cancel()
 
 	service := NewService(deadlineCtx)
 	assert.False(t, service.timerHasStopped(), "timer should not be stopped")

api/go.mod

@@ -19,7 +19,7 @@ require (
 	github.com/go-ldap/ldap/v3 v3.1.8
 	github.com/go-playground/validator/v10 v10.10.1
 	github.com/gofrs/uuid v4.0.0+incompatible
-	github.com/golang-jwt/jwt v3.2.2+incompatible
+	github.com/golang-jwt/jwt/v4 v4.2.0
 	github.com/google/go-cmp v0.5.8
 	github.com/gorilla/handlers v1.5.1
 	github.com/gorilla/mux v1.7.3
@@ -31,10 +31,11 @@ require (
 	github.com/json-iterator/go v1.1.12
 	github.com/koding/websocketproxy v0.0.0-20181220232114-7ed82d81a28c
 	github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6
+	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/pkg/errors v0.9.1
 	github.com/portainer/docker-compose-wrapper v0.0.0-20220708023447-a69a4ebaa021
 	github.com/portainer/libcrypto v0.0.0-20220506221303-1f4fb3b30f9a
-	github.com/portainer/libhelm v0.0.0-20210929000907-825e93d62108
+	github.com/portainer/libhelm v0.0.0-20221018213433-5ad83b50dbc9
 	github.com/portainer/libhttp v0.0.0-20220916153711-5d61e12f4b0a
 	github.com/rkl-/digest v0.0.0-20180419075440-8316caa4a777
 	github.com/robfig/cron/v3 v3.0.1
@@ -47,7 +48,7 @@ require (
 	golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
+	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.22.5
 	k8s.io/apimachinery v0.22.5
 	k8s.io/client-go v0.22.5

api/go.sum

@@ -173,8 +173,8 @@ github.com/gofrs/uuid v4.0.0+incompatible h1:1SD/1F5pU8p29ybwgQSwpQk+mwdRrXCYuPh
 github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
-github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU=
+github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -352,6 +352,8 @@ github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrB
 github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6 h1:lNCW6THrCKBiJBpz8kbVGjC7MgdCGKwuvBgc7LoD6sw=
 github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6/go.mod h1:Lu3tH6HLW3feq74c2GC+jIMS/K2CFcDWnWD9XkenwhI=
+github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
+github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -363,8 +365,10 @@ github.com/portainer/docker-compose-wrapper v0.0.0-20220708023447-a69a4ebaa021 h
 github.com/portainer/docker-compose-wrapper v0.0.0-20220708023447-a69a4ebaa021/go.mod h1:WxDlJWZxCnicdLCPnLNEv7/gRhjeIVuCGmsv+iOPH3c=
 github.com/portainer/libcrypto v0.0.0-20220506221303-1f4fb3b30f9a h1:B0z3skIMT+OwVNJPQhKp52X+9OWW6A9n5UWig3lHBJk=
 github.com/portainer/libcrypto v0.0.0-20220506221303-1f4fb3b30f9a/go.mod h1:n54EEIq+MM0NNtqLeCby8ljL+l275VpolXO0ibHegLE=
-github.com/portainer/libhelm v0.0.0-20210929000907-825e93d62108 h1:5e8KAnDa2G3cEHK7aV/ue8lOaoQwBZUzoALslwWkR04=
-github.com/portainer/libhelm v0.0.0-20210929000907-825e93d62108/go.mod h1:YvYAk7krKTzB+rFwDr0jQ3sQu2BtiXK1AR0sZH7nhJA=
+github.com/portainer/libhelm v0.0.0-20221017001602-b619e0ddf8fc h1:Ms8ZDGvSydX7aoCfu06Rk8II2N4tlX3cn7whtGC5fDA=
+github.com/portainer/libhelm v0.0.0-20221017001602-b619e0ddf8fc/go.mod h1:YvYAk7krKTzB+rFwDr0jQ3sQu2BtiXK1AR0sZH7nhJA=
+github.com/portainer/libhelm v0.0.0-20221018213433-5ad83b50dbc9 h1:PMw+45hocpYsMQ7WLIlzsf4854BhDM8C631kr0DVJtc=
+github.com/portainer/libhelm v0.0.0-20221018213433-5ad83b50dbc9/go.mod h1:YvYAk7krKTzB+rFwDr0jQ3sQu2BtiXK1AR0sZH7nhJA=
 github.com/portainer/libhttp v0.0.0-20220916153711-5d61e12f4b0a h1:BJ5V4EDNhg3ImYbmXnGS8vrMhq6rzsEneIXyJh0g4dc=
 github.com/portainer/libhttp v0.0.0-20220916153711-5d61e12f4b0a/go.mod h1:ckuHnoLA5kLuE5WkvPBXmrw63LUMdSH4aX71QRi9y10=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -747,6 +751,8 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
 gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
 gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=

api/hostmanagement/openamt/authorization.go

@@ -4,7 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 
 	portainer "github.com/portainer/portainer/api"
@@ -33,7 +33,7 @@ func (service *Service) Authorization(configuration portainer.OpenAMTConfigurati
 	if err != nil {
 		return "", err
 	}
-	responseBody, readErr := ioutil.ReadAll(response.Body)
+	responseBody, readErr := io.ReadAll(response.Body)
 	if readErr != nil {
 		return "", readErr
 	}

api/hostmanagement/openamt/deviceFeatures.go

@@ -21,9 +21,6 @@ func (service *Service) enableDeviceFeatures(configuration portainer.OpenAMTConf
 	jsonValue, _ := json.Marshal(payload)
 
 	_, err := service.executeSaveRequest(http.MethodPost, url, configuration.MPSToken, jsonValue)
-	if err != nil {
-		return err
-	}
 
-	return nil
+	return err
 }

api/hostmanagement/openamt/openamt.go

@@ -6,7 +6,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"time"
 
@@ -83,11 +83,8 @@ func (service *Service) Configure(configuration portainer.OpenAMTConfiguration)
 	}
 
 	_, err = service.createOrUpdateDomain(configuration)
-	if err != nil {
-		return err
-	}
 
-	return nil
+	return err
 }
 
 func (service *Service) executeSaveRequest(method string, url string, token string, payload []byte) ([]byte, error) {
@@ -102,7 +99,7 @@ func (service *Service) executeSaveRequest(method string, url string, token stri
 	if err != nil {
 		return nil, err
 	}
-	responseBody, readErr := ioutil.ReadAll(response.Body)
+	responseBody, readErr := io.ReadAll(response.Body)
 	if readErr != nil {
 		return nil, readErr
 	}
@@ -131,7 +128,7 @@ func (service *Service) executeGetRequest(url string, token string) ([]byte, err
 	if err != nil {
 		return nil, err
 	}
-	responseBody, readErr := ioutil.ReadAll(response.Body)
+	responseBody, readErr := io.ReadAll(response.Body)
 	if readErr != nil {
 		return nil, readErr
 	}
@@ -229,12 +226,7 @@ func (service *Service) ExecuteDeviceAction(configuration portainer.OpenAMTConfi
 	}
 	configuration.MPSToken = token
 
-	err = service.executeDeviceAction(configuration, deviceGUID, int(parsedAction))
-	if err != nil {
-		return err
-	}
-
-	return nil
+	return service.executeDeviceAction(configuration, deviceGUID, int(parsedAction))
 }
 
 func (service *Service) EnableDeviceFeatures(configuration portainer.OpenAMTConfiguration, deviceGUID string, features portainer.OpenAMTDeviceEnabledFeatures) (string, error) {

api/http/client/client.go

@@ -5,7 +5,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/url"
 	"strings"
@@ -96,7 +96,7 @@ func Get(url string, timeout int) ([]byte, error) {
 		return nil, errInvalidResponseStatus
 	}
 
-	body, err := ioutil.ReadAll(response.Body)
+	body, err := io.ReadAll(response.Body)
 	if err != nil {
 		return nil, err
 	}

api/http/handler/backup/backup_test.go

@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"context"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
 	"os"
@@ -38,7 +37,7 @@ func listFiles(dir string) []string {
 
 func contains(t *testing.T, list []string, path string) {
 	assert.Contains(t, list, path)
-	copyContent, _ := ioutil.ReadFile(path)
+	copyContent, _ := os.ReadFile(path)
 	assert.Equal(t, "content\n", string(copyContent))
 }
 
@@ -58,7 +57,7 @@ func Test_backupHandlerWithoutPassword_shouldCreateATarballArchive(t *testing.T)
 	tmpdir := t.TempDir()
 
 	archivePath := filepath.Join(tmpdir, "archive.tar.gz")
-	err := ioutil.WriteFile(archivePath, body, 0600)
+	err := os.WriteFile(archivePath, body, 0600)
 	if err != nil {
 		t.Fatal("Failed to save downloaded .tar.gz archive: ", err)
 	}

api/http/handler/backup/handler.go

@@ -6,7 +6,6 @@ import (
 
 	"github.com/gorilla/mux"
 	httperror "github.com/portainer/libhttp/error"
-	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/adminmonitor"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/demo"
@@ -71,11 +70,3 @@ func adminAccess(next http.Handler) http.Handler {
 		next.ServeHTTP(w, r)
 	})
 }
-
-func systemWasInitialized(dataStore dataservices.DataStore) (bool, error) {
-	users, err := dataStore.User().UsersByRole(portainer.AdministratorRole)
-	if err != nil {
-		return false, err
-	}
-	return len(users) > 0, nil
-}

api/http/handler/customtemplates/customtemplate_create.go

@@ -142,12 +142,7 @@ func (payload *customTemplateFromFileContentPayload) Validate(r *http.Request) e
 		return errors.New("Invalid note. <img> tag is not supported")
 	}
 
-	err := validateVariablesDefinitions(payload.Variables)
-	if err != nil {
-		return err
-	}
-
-	return nil
+	return validateVariablesDefinitions(payload.Variables)
 }
 
 func isValidNote(note string) bool {
@@ -251,12 +246,7 @@ func (payload *customTemplateFromGitRepositoryPayload) Validate(r *http.Request)
 		return errors.New("Invalid note. <img> tag is not supported")
 	}
 
-	err := validateVariablesDefinitions(payload.Variables)
-	if err != nil {
-		return err
-	}
-
-	return nil
+	return validateVariablesDefinitions(payload.Variables)
 }
 
 func (handler *Handler) createCustomTemplateFromGitRepository(r *http.Request) (*portainer.CustomTemplate, error) {
@@ -390,16 +380,13 @@ func (payload *customTemplateFromFileUploadPayload) Validate(r *http.Request) er
 	payload.FileContent = composeFileContent
 
 	varsString, _ := request.RetrieveMultiPartFormValue(r, "Variables", true)
-	err = json.Unmarshal([]byte(varsString), &payload.Variables)
-	if err != nil {
-		return errors.New("Invalid variables. Ensure that the variables are valid JSON")
+	if varsString != "" {
+		err = json.Unmarshal([]byte(varsString), &payload.Variables)
+		if err != nil {
+			return errors.New("Invalid variables. Ensure that the variables are valid JSON")
+		}
+		return validateVariablesDefinitions(payload.Variables)
 	}
-
-	err = validateVariablesDefinitions(payload.Variables)
-	if err != nil {
-		return err
-	}
-
 	return nil
 }
 

api/http/handler/customtemplates/customtemplate_update.go

@@ -55,12 +55,7 @@ func (payload *customTemplateUpdatePayload) Validate(r *http.Request) error {
 		return errors.New("Invalid note. <img> tag is not supported")
 	}
 
-	err := validateVariablesDefinitions(payload.Variables)
-	if err != nil {
-		return err
-	}
-
-	return nil
+	return validateVariablesDefinitions(payload.Variables)
 }
 
 // @id CustomTemplateUpdate

api/http/handler/customtemplates/handler.go

@@ -8,7 +8,6 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/http/security"
-	"github.com/portainer/portainer/api/internal/authorization"
 )
 
 // Handler is the HTTP handler used to handle environment(endpoint) group operations.
@@ -42,20 +41,3 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
 func userCanEditTemplate(customTemplate *portainer.CustomTemplate, securityContext *security.RestrictedRequestContext) bool {
 	return securityContext.IsAdmin || customTemplate.CreatedByUserID == securityContext.UserID
 }
-
-func userCanAccessTemplate(customTemplate portainer.CustomTemplate, securityContext *security.RestrictedRequestContext, resourceControl *portainer.ResourceControl) bool {
-	if securityContext.IsAdmin || customTemplate.CreatedByUserID == securityContext.UserID {
-		return true
-	}
-
-	userTeamIDs := make([]portainer.TeamID, 0)
-	for _, membership := range securityContext.UserMemberships {
-		userTeamIDs = append(userTeamIDs, membership.TeamID)
-	}
-
-	if resourceControl != nil && authorization.UserCanAccessResource(securityContext.UserID, userTeamIDs, resourceControl) {
-		return true
-	}
-
-	return false
-}

api/http/handler/edgegroups/associated_endpoints.go

@@ -1,7 +1,7 @@
 package edgegroups
 
 import (
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 )
 
 type endpointSetType map[portainer.EndpointID]bool

api/http/handler/endpointgroups/endpointgroup_create.go

@@ -91,15 +91,13 @@ func (handler *Handler) endpointGroupCreate(w http.ResponseWriter, r *http.Reque
 	}
 
 	for _, tagID := range endpointGroup.TagIDs {
-		tag, err := handler.DataStore.Tag().Tag(tagID)
-		if err != nil {
-			return httperror.InternalServerError("Unable to retrieve tag from the database", err)
-		}
+		handler.DataStore.Tag().UpdateTagFunc(tagID, func(tag *portainer.Tag) {
+			tag.EndpointGroups[endpointGroup.ID] = true
+		})
 
-		tag.EndpointGroups[endpointGroup.ID] = true
-
-		err = handler.DataStore.Tag().UpdateTag(tagID, tag)
-		if err != nil {
+		if handler.DataStore.IsErrObjectNotFound(err) {
+			return httperror.InternalServerError("Unable to find a tag inside the database", err)
+		} else if err != nil {
 			return httperror.InternalServerError("Unable to persist tag changes inside the database", err)
 		}
 	}

api/http/handler/endpointgroups/endpointgroup_delete.go

@@ -66,15 +66,13 @@ func (handler *Handler) endpointGroupDelete(w http.ResponseWriter, r *http.Reque
 	}
 
 	for _, tagID := range endpointGroup.TagIDs {
-		tag, err := handler.DataStore.Tag().Tag(tagID)
-		if err != nil {
-			return httperror.InternalServerError("Unable to retrieve tag from the database", err)
-		}
+		handler.DataStore.Tag().UpdateTagFunc(tagID, func(tag *portainer.Tag) {
+			delete(tag.EndpointGroups, endpointGroup.ID)
+		})
 
-		delete(tag.EndpointGroups, endpointGroup.ID)
-
-		err = handler.DataStore.Tag().UpdateTag(tagID, tag)
-		if err != nil {
+		if handler.DataStore.IsErrObjectNotFound(err) {
+			return httperror.InternalServerError("Unable to find a tag inside the database", err)
+		} else if err != nil {
 			return httperror.InternalServerError("Unable to persist tag changes inside the database", err)
 		}
 	}

api/http/handler/endpointgroups/endpointgroup_update.go

@@ -81,28 +81,26 @@ func (handler *Handler) endpointGroupUpdate(w http.ResponseWriter, r *http.Reque
 			removeTags := tag.Difference(endpointGroupTagSet, payloadTagSet)
 
 			for tagID := range removeTags {
-				tag, err := handler.DataStore.Tag().Tag(tagID)
-				if err != nil {
+				handler.DataStore.Tag().UpdateTagFunc(tagID, func(tag *portainer.Tag) {
+					delete(tag.EndpointGroups, endpointGroup.ID)
+				})
+
+				if handler.DataStore.IsErrObjectNotFound(err) {
 					return httperror.InternalServerError("Unable to find a tag inside the database", err)
-				}
-				delete(tag.EndpointGroups, endpointGroup.ID)
-				err = handler.DataStore.Tag().UpdateTag(tag.ID, tag)
-				if err != nil {
+				} else if err != nil {
 					return httperror.InternalServerError("Unable to persist tag changes inside the database", err)
 				}
 			}
 
 			endpointGroup.TagIDs = payload.TagIDs
 			for _, tagID := range payload.TagIDs {
-				tag, err := handler.DataStore.Tag().Tag(tagID)
-				if err != nil {
+				handler.DataStore.Tag().UpdateTagFunc(tagID, func(tag *portainer.Tag) {
+					tag.EndpointGroups[endpointGroup.ID] = true
+				})
+
+				if handler.DataStore.IsErrObjectNotFound(err) {
 					return httperror.InternalServerError("Unable to find a tag inside the database", err)
-				}
-
-				tag.EndpointGroups[endpointGroup.ID] = true
-
-				err = handler.DataStore.Tag().UpdateTag(tag.ID, tag)
-				if err != nil {
+				} else if err != nil {
 					return httperror.InternalServerError("Unable to persist tag changes inside the database", err)
 				}
 			}

api/http/handler/endpoints/endpoint_create.go

@@ -530,14 +530,9 @@ func (handler *Handler) saveEndpointAndUpdateAuthorizations(endpoint *portainer.
 	}
 
 	for _, tagID := range endpoint.TagIDs {
-		tag, err := handler.DataStore.Tag().Tag(tagID)
-		if err != nil {
-			return err
-		}
-
-		tag.Endpoints[endpoint.ID] = true
-
-		err = handler.DataStore.Tag().UpdateTag(tagID, tag)
+		err = handler.DataStore.Tag().UpdateTagFunc(tagID, func(tag *portainer.Tag) {
+			tag.Endpoints[endpoint.ID] = true
+		})
 		if err != nil {
 			return err
 		}

api/http/handler/endpoints/endpoint_delete.go

@@ -62,15 +62,13 @@ func (handler *Handler) endpointDelete(w http.ResponseWriter, r *http.Request) *
 	}
 
 	for _, tagID := range endpoint.TagIDs {
-		tag, err := handler.DataStore.Tag().Tag(tagID)
-		if err != nil {
+		err = handler.DataStore.Tag().UpdateTagFunc(tagID, func(tag *portainer.Tag) {
+			delete(tag.Endpoints, endpoint.ID)
+		})
+
+		if handler.DataStore.IsErrObjectNotFound(err) {
 			return httperror.NotFound("Unable to find tag inside the database", err)
-		}
-
-		delete(tag.Endpoints, endpoint.ID)
-
-		err = handler.DataStore.Tag().UpdateTag(tagID, tag)
-		if err != nil {
+		} else if err != nil {
 			return httperror.InternalServerError("Unable to persist tag relation inside the database", err)
 		}
 	}

api/http/handler/endpoints/endpoint_update.go

@@ -139,29 +139,26 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 			removeTags := tag.Difference(endpointTagSet, payloadTagSet)
 
 			for tagID := range removeTags {
-				tag, err := handler.DataStore.Tag().Tag(tagID)
-				if err != nil {
-					return httperror.InternalServerError("Unable to find a tag inside the database", err)
-				}
+				err = handler.DataStore.Tag().UpdateTagFunc(tagID, func(tag *portainer.Tag) {
+					delete(tag.Endpoints, endpoint.ID)
+				})
 
-				delete(tag.Endpoints, endpoint.ID)
-				err = handler.DataStore.Tag().UpdateTag(tag.ID, tag)
-				if err != nil {
+				if handler.DataStore.IsErrObjectNotFound(err) {
+					return httperror.InternalServerError("Unable to find a tag inside the database", err)
+				} else if err != nil {
 					return httperror.InternalServerError("Unable to persist tag changes inside the database", err)
 				}
 			}
 
 			endpoint.TagIDs = payload.TagIDs
 			for _, tagID := range payload.TagIDs {
-				tag, err := handler.DataStore.Tag().Tag(tagID)
-				if err != nil {
+				err = handler.DataStore.Tag().UpdateTagFunc(tagID, func(tag *portainer.Tag) {
+					tag.Endpoints[endpoint.ID] = true
+				})
+
+				if handler.DataStore.IsErrObjectNotFound(err) {
 					return httperror.InternalServerError("Unable to find a tag inside the database", err)
-				}
-
-				tag.Endpoints[endpoint.ID] = true
-
-				err = handler.DataStore.Tag().UpdateTag(tag.ID, tag)
-				if err != nil {
+				} else if err != nil {
 					return httperror.InternalServerError("Unable to persist tag changes inside the database", err)
 				}
 			}
@@ -193,12 +190,8 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 		switch *payload.Status {
 		case 1:
 			endpoint.Status = portainer.EndpointStatusUp
-			break
 		case 2:
 			endpoint.Status = portainer.EndpointStatusDown
-			break
-		default:
-			break
 		}
 	}
 
@@ -331,7 +324,7 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 
 	err = handler.SnapshotService.FillSnapshotData(endpoint)
 	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to add snapshot data", err}
+		return httperror.InternalServerError("Unable to add snapshot data", err)
 	}
 
 	return response.JSON(w, endpoint)

api/http/handler/helm/helm_install.go

@@ -2,7 +2,6 @@ package helm
 
 import (
 	"fmt"
-	"io/ioutil"
 	"net/http"
 	"os"
 	"strings"
@@ -192,7 +191,7 @@ func (handler *Handler) updateHelmAppManifest(r *http.Request, manifest []byte,
 	for _, resource := range yamlResources {
 		resource := resource // https://golang.org/doc/faq#closures_and_goroutines
 		g.Go(func() error {
-			tmpfile, err := ioutil.TempFile("", "helm-manifest-*")
+			tmpfile, err := os.CreateTemp("", "helm-manifest-*")
 			if err != nil {
 				return errors.Wrap(err, "failed to create a tmp helm manifest file")
 			}

api/http/handler/hostmanagement/fdo/fdo.go

@@ -128,12 +128,7 @@ func (handler *Handler) addDefaultProfile() error {
 	profile.FilePath = filePath
 	profile.DateCreated = time.Now().Unix()
 
-	err = handler.DataStore.FDOProfile().Create(profile)
-	if err != nil {
-		return err
-	}
-
-	return nil
+	return handler.DataStore.FDOProfile().Create(profile)
 }
 
 const defaultProfileFileContent = `

api/http/handler/hostmanagement/openamt/amtconfiguration.go

@@ -169,12 +169,8 @@ func (handler *Handler) saveConfiguration(configuration portainer.OpenAMTConfigu
 	configuration.MPSToken = ""
 
 	settings.OpenAMTConfiguration = configuration
-	err = handler.DataStore.Settings().UpdateSettings(settings)
-	if err != nil {
-		return err
-	}
 
-	return nil
+	return handler.DataStore.Settings().UpdateSettings(settings)
 }
 
 func (handler *Handler) disableOpenAMT() error {

api/http/handler/hostmanagement/openamt/amtrpc.go

@@ -4,7 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"time"
 
@@ -139,7 +139,7 @@ func pullImage(ctx context.Context, docker *client.Client, imageName string) err
 	}
 
 	defer out.Close()
-	outputBytes, err := ioutil.ReadAll(out)
+	outputBytes, err := io.ReadAll(out)
 	if err != nil {
 		log.Error().Str("image_name", imageName).Err(err).Msg("could not read image pull output")
 
@@ -261,7 +261,7 @@ func runContainer(ctx context.Context, docker *client.Client, imageName, contain
 		return "", err
 	}
 
-	outputBytes, err := ioutil.ReadAll(out)
+	outputBytes, err := io.ReadAll(out)
 	if err != nil {
 		log.Error().
 			Str("image_name", imageName).
@@ -295,29 +295,6 @@ func (handler *Handler) activateDevice(endpoint *portainer.Endpoint, settings po
 	}
 
 	_, err := handler.PullAndRunContainer(ctx, endpoint, rpcGoImageName, rpcGoContainerName, cmdLine)
-	if err != nil {
-		return err
-	}
 
-	return nil
-}
-
-func (handler *Handler) deactivateDevice(endpoint *portainer.Endpoint, settings portainer.Settings) error {
-	ctx := context.TODO()
-
-	config := settings.OpenAMTConfiguration
-	cmdLine := []string{
-		"deactivate",
-		"-n",
-		"-v",
-		"-u", fmt.Sprintf("wss://%s/activate", config.MPSServer),
-		"-password", config.MPSPassword,
-	}
-
-	_, err := handler.PullAndRunContainer(ctx, endpoint, rpcGoImageName, rpcGoContainerName, cmdLine)
-	if err != nil {
-		return err
-	}
-
-	return nil
+	return err
 }

api/http/handler/kubernetes/configmaps_and_secrets.go

@@ -2,6 +2,7 @@ package kubernetes
 
 import (
 	"net/http"
+	"strconv"
 
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
@@ -9,7 +10,23 @@ import (
 )
 
 func (handler *Handler) getKubernetesConfigMaps(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	cli := handler.KubernetesClient
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return httperror.BadRequest(
+			"Invalid environment identifier route variable",
+			err,
+		)
+	}
+
+	cli, ok := handler.KubernetesClientFactory.GetProxyKubeClient(
+		strconv.Itoa(endpointID), r.Header.Get("Authorization"),
+	)
+	if !ok {
+		return httperror.InternalServerError(
+			"Failed to lookup KubeClient",
+			nil,
+		)
+	}
 
 	namespace, err := request.RetrieveRouteVariableValue(r, "namespace")
 	if err != nil {
@@ -22,7 +39,7 @@ func (handler *Handler) getKubernetesConfigMaps(w http.ResponseWriter, r *http.R
 	configmaps, err := cli.GetConfigMapsAndSecrets(namespace)
 	if err != nil {
 		return httperror.InternalServerError(
-			"Unable to retrieve nodes limits",
+			"Unable to retrieve configmaps and secrets",
 			err,
 		)
 	}

api/http/handler/kubernetes/handler.go

@@ -3,6 +3,8 @@ package kubernetes
 import (
 	"errors"
 	"net/http"
+	"net/url"
+	"strconv"
 
 	portainer "github.com/portainer/portainer/api"
 	portainerDsErrors "github.com/portainer/portainer/api/dataservices/errors"
@@ -24,7 +26,6 @@ type Handler struct {
 	*mux.Router
 	authorizationService     *authorization.Service
 	DataStore                dataservices.DataStore
-	KubernetesClient         portainer.KubeClient
 	KubernetesClientFactory  *cli.ClientFactory
 	JwtService               dataservices.JWTService
 	kubeClusterAccessService kubernetes.KubeClusterAccessService
@@ -39,7 +40,6 @@ func NewHandler(bouncer *security.RequestBouncer, authorizationService *authoriz
 		JwtService:               jwtService,
 		kubeClusterAccessService: kubeClusterAccessService,
 		KubernetesClientFactory:  kubernetesClientFactory,
-		KubernetesClient:         kubernetesClient,
 	}
 
 	kubeRouter := h.PathPrefix("/kubernetes").Subrouter()
@@ -85,13 +85,19 @@ func kubeOnlyMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(rw http.ResponseWriter, request *http.Request) {
 		endpoint, err := middlewares.FetchEndpoint(request)
 		if err != nil {
-			httperror.WriteError(rw, http.StatusInternalServerError, "Unable to find an environment on request context", err)
+			httperror.InternalServerError(
+				"Unable to find an environment on request context",
+				err,
+			)
 			return
 		}
 
 		if !endpointutils.IsKubernetesEndpoint(endpoint) {
 			errMessage := "environment is not a Kubernetes environment"
-			httperror.WriteError(rw, http.StatusBadRequest, errMessage, errors.New(errMessage))
+			httperror.BadRequest(
+				errMessage,
+				errors.New(errMessage),
+			)
 			return
 		}
 
@@ -109,6 +115,7 @@ func (handler *Handler) kubeClient(next http.Handler) http.Handler {
 				"Invalid environment identifier route variable",
 				err,
 			)
+			return
 		}
 
 		endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
@@ -119,6 +126,7 @@ func (handler *Handler) kubeClient(next http.Handler) http.Handler {
 				"Unable to find an environment with the specified identifier inside the database",
 				err,
 			)
+			return
 		} else if err != nil {
 			httperror.WriteError(
 				w,
@@ -126,23 +134,101 @@ func (handler *Handler) kubeClient(next http.Handler) http.Handler {
 				"Unable to find an environment with the specified identifier inside the database",
 				err,
 			)
+			return
 		}
 
 		if handler.KubernetesClientFactory == nil {
 			next.ServeHTTP(w, r)
 			return
 		}
-		kubeCli, err := handler.KubernetesClientFactory.GetKubeClient(endpoint)
+		// Generate a proxied kubeconfig, then create a kubeclient using it.
+		tokenData, err := security.RetrieveTokenData(r)
+		if err != nil {
+			httperror.WriteError(
+				w,
+				http.StatusForbidden,
+				"Permission denied to access environment",
+				err,
+			)
+			return
+		}
+		bearerToken, err := handler.JwtService.GenerateTokenForKubeconfig(tokenData)
 		if err != nil {
 			httperror.WriteError(
 				w,
 				http.StatusInternalServerError,
-				"Unable to create Kubernetes client",
+				"Unable to create JWT token",
 				err,
 			)
-
+			return
 		}
-		handler.KubernetesClient = kubeCli
+		singleEndpointList := []portainer.Endpoint{
+			*endpoint,
+		}
+		config, handlerErr := handler.buildConfig(
+			r,
+			tokenData,
+			bearerToken,
+			singleEndpointList,
+		)
+		if err != nil {
+			httperror.WriteError(
+				w,
+				http.StatusInternalServerError,
+				"Unable to build endpoint kubeconfig",
+				handlerErr.Err,
+			)
+			return
+		}
+
+		if len(config.Clusters) == 0 {
+			httperror.WriteError(
+				w,
+				http.StatusInternalServerError,
+				"Unable build cluster kubeconfig",
+				errors.New("Unable build cluster kubeconfig"),
+			)
+			return
+		}
+
+		// Manually setting the localhost to route
+		// the request to proxy server
+		serverURL, err := url.Parse(config.Clusters[0].Cluster.Server)
+		if err != nil {
+			httperror.WriteError(
+				w,
+				http.StatusInternalServerError,
+				"Unable parse cluster's kubeconfig server URL",
+				nil,
+			)
+			return
+		}
+		serverURL.Scheme = "https"
+		serverURL.Host = "localhost" + handler.KubernetesClientFactory.AddrHTTPS
+		config.Clusters[0].Cluster.Server = serverURL.String()
+
+		yaml, err := cli.GenerateYAML(config)
+		if err != nil {
+			httperror.WriteError(
+				w,
+				http.StatusInternalServerError,
+				"Unable to generate yaml from endpoint kubeconfig",
+				err,
+			)
+			return
+		}
+		kubeCli, err := handler.KubernetesClientFactory.CreateKubeClientFromKubeConfig(endpoint.Name, []byte(yaml))
+		if err != nil {
+			httperror.WriteError(
+				w,
+				http.StatusInternalServerError,
+				"Failed to create client from kubeconfig",
+				err,
+			)
+			return
+		}
+
+		handler.KubernetesClientFactory.SetProxyKubeClient(strconv.Itoa(int(endpoint.ID)), r.Header.Get("Authorization"), kubeCli)
 		next.ServeHTTP(w, r)
 	})
 }

api/http/handler/kubernetes/ingresses.go

@@ -2,6 +2,7 @@ package kubernetes
 
 import (
 	"net/http"
+	"strconv"
 
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
@@ -49,12 +50,29 @@ func (handler *Handler) getKubernetesIngressControllers(w http.ResponseWriter, r
 		)
 	}
 
-	controllers := cli.GetIngressControllers()
+	controllers, err := cli.GetIngressControllers()
+	if err != nil {
+		return httperror.InternalServerError(
+			"Failed to fetch ingressclasses",
+			err,
+		)
+	}
+
+	// Add none controller if "AllowNone" is set for endpoint.
+	if endpoint.Kubernetes.Configuration.AllowNoneIngressClass {
+		controllers = append(controllers, models.K8sIngressController{
+			Name:      "none",
+			ClassName: "none",
+			Type:      "custom",
+		})
+	}
 	existingClasses := endpoint.Kubernetes.Configuration.IngressClasses
 	var updatedClasses []portainer.KubernetesIngressClassConfig
 	for i := range controllers {
 		controllers[i].Availability = true
-		controllers[i].New = true
+		if controllers[i].ClassName != "none" {
+			controllers[i].New = true
+		}
 
 		var updatedClass portainer.KubernetesIngressClassConfig
 		updatedClass.Name = controllers[i].ClassName
@@ -129,8 +147,31 @@ func (handler *Handler) getKubernetesIngressControllersByNamespace(w http.Respon
 		)
 	}
 
-	cli := handler.KubernetesClient
-	currentControllers := cli.GetIngressControllers()
+	cli, ok := handler.KubernetesClientFactory.GetProxyKubeClient(
+		strconv.Itoa(endpointID), r.Header.Get("Authorization"),
+	)
+	if !ok {
+		return httperror.InternalServerError(
+			"Failed to lookup KubeClient",
+			nil,
+		)
+	}
+
+	currentControllers, err := cli.GetIngressControllers()
+	if err != nil {
+		return httperror.InternalServerError(
+			"Failed to fetch ingressclasses",
+			err,
+		)
+	}
+	// Add none controller if "AllowNone" is set for endpoint.
+	if endpoint.Kubernetes.Configuration.AllowNoneIngressClass {
+		currentControllers = append(currentControllers, models.K8sIngressController{
+			Name:      "none",
+			ClassName: "none",
+			Type:      "custom",
+		})
+	}
 	kubernetesConfig := endpoint.Kubernetes.Configuration
 	existingClasses := kubernetesConfig.IngressClasses
 	ingressAvailabilityPerNamespace := kubernetesConfig.IngressAvailabilityPerNamespace
@@ -139,7 +180,9 @@ func (handler *Handler) getKubernetesIngressControllersByNamespace(w http.Respon
 	for i := range currentControllers {
 		var globallyblocked bool
 		currentControllers[i].Availability = true
-		currentControllers[i].New = true
+		if currentControllers[i].ClassName != "none" {
+			currentControllers[i].New = true
+		}
 
 		var updatedClass portainer.KubernetesIngressClassConfig
 		updatedClass.Name = currentControllers[i].ClassName
@@ -229,7 +272,21 @@ func (handler *Handler) updateKubernetesIngressControllers(w http.ResponseWriter
 	}
 
 	existingClasses := endpoint.Kubernetes.Configuration.IngressClasses
-	controllers := cli.GetIngressControllers()
+	controllers, err := cli.GetIngressControllers()
+	if err != nil {
+		return httperror.InternalServerError(
+			"Unable to get ingress controllers",
+			err,
+		)
+	}
+	// Add none controller if "AllowNone" is set for endpoint.
+	if endpoint.Kubernetes.Configuration.AllowNoneIngressClass {
+		controllers = append(controllers, models.K8sIngressController{
+			Name:      "none",
+			ClassName: "none",
+			Type:      "custom",
+		})
+	}
 	var updatedClasses []portainer.KubernetesIngressClassConfig
 	for i := range controllers {
 		controllers[i].Availability = true
@@ -328,7 +385,7 @@ PayloadLoop:
 			updatedClass.GloballyBlocked = existingClass.GloballyBlocked
 
 			// Handle "allow"
-			if p.Availability == true {
+			if p.Availability {
 				// remove the namespace from the list of blocked namespaces
 				// in the existingClass.
 				for _, blockedNS := range existingClass.BlockedNamespaces {
@@ -401,11 +458,28 @@ func (handler *Handler) getKubernetesIngresses(w http.ResponseWriter, r *http.Re
 		)
 	}
 
-	cli := handler.KubernetesClient
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return httperror.BadRequest(
+			"Invalid environment identifier route variable",
+			err,
+		)
+	}
+
+	cli, ok := handler.KubernetesClientFactory.GetProxyKubeClient(
+		strconv.Itoa(endpointID), r.Header.Get("Authorization"),
+	)
+	if !ok {
+		return httperror.InternalServerError(
+			"Failed to lookup KubeClient",
+			nil,
+		)
+	}
+
 	ingresses, err := cli.GetIngresses(namespace)
 	if err != nil {
 		return httperror.InternalServerError(
-			"Unable to retrieve nodes limits",
+			"Unable to retrieve ingresses",
 			err,
 		)
 	}
@@ -431,11 +505,28 @@ func (handler *Handler) createKubernetesIngress(w http.ResponseWriter, r *http.R
 		)
 	}
 
-	cli := handler.KubernetesClient
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return httperror.BadRequest(
+			"Invalid environment identifier route variable",
+			err,
+		)
+	}
+
+	cli, ok := handler.KubernetesClientFactory.GetProxyKubeClient(
+		strconv.Itoa(endpointID), r.Header.Get("Authorization"),
+	)
+	if !ok {
+		return httperror.InternalServerError(
+			"Failed to lookup KubeClient",
+			nil,
+		)
+	}
+
 	err = cli.CreateIngress(namespace, payload)
 	if err != nil {
 		return httperror.InternalServerError(
-			"Unable to retrieve nodes limits",
+			"Unable to retrieve the ingress",
 			err,
 		)
 	}
@@ -443,10 +534,26 @@ func (handler *Handler) createKubernetesIngress(w http.ResponseWriter, r *http.R
 }
 
 func (handler *Handler) deleteKubernetesIngresses(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	cli := handler.KubernetesClient
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return httperror.BadRequest(
+			"Invalid environment identifier route variable",
+			err,
+		)
+	}
+
+	cli, ok := handler.KubernetesClientFactory.GetProxyKubeClient(
+		strconv.Itoa(endpointID), r.Header.Get("Authorization"),
+	)
+	if !ok {
+		return httperror.InternalServerError(
+			"Failed to lookup KubeClient",
+			nil,
+		)
+	}
 
 	var payload models.K8sIngressDeleteRequests
-	err := request.DecodeAndValidateJSONPayload(r, &payload)
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
 	if err != nil {
 		return httperror.BadRequest("Invalid request payload", err)
 	}
@@ -454,7 +561,7 @@ func (handler *Handler) deleteKubernetesIngresses(w http.ResponseWriter, r *http
 	err = cli.DeleteIngresses(payload)
 	if err != nil {
 		return httperror.InternalServerError(
-			"Unable to retrieve nodes limits",
+			"Unable to delete ingresses",
 			err,
 		)
 	}
@@ -479,11 +586,28 @@ func (handler *Handler) updateKubernetesIngress(w http.ResponseWriter, r *http.R
 		)
 	}
 
-	cli := handler.KubernetesClient
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return httperror.BadRequest(
+			"Invalid environment identifier route variable",
+			err,
+		)
+	}
+
+	cli, ok := handler.KubernetesClientFactory.GetProxyKubeClient(
+		strconv.Itoa(endpointID), r.Header.Get("Authorization"),
+	)
+	if !ok {
+		return httperror.InternalServerError(
+			"Failed to lookup KubeClient",
+			nil,
+		)
+	}
+
 	err = cli.UpdateIngress(namespace, payload)
 	if err != nil {
 		return httperror.InternalServerError(
-			"Unable to retrieve nodes limits",
+			"Unable to update the ingress",
 			err,
 		)
 	}

api/http/handler/kubernetes/namespaces.go

@@ -2,6 +2,7 @@ package kubernetes
 
 import (
 	"net/http"
+	"strconv"
 
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
@@ -10,12 +11,28 @@ import (
 )
 
 func (handler *Handler) getKubernetesNamespaces(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	cli := handler.KubernetesClient
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return httperror.BadRequest(
+			"Invalid environment identifier route variable",
+			err,
+		)
+	}
+
+	cli, ok := handler.KubernetesClientFactory.GetProxyKubeClient(
+		strconv.Itoa(endpointID), r.Header.Get("Authorization"),
+	)
+	if !ok {
+		return httperror.InternalServerError(
+			"Failed to lookup KubeClient",
+			nil,
+		)
+	}
 
 	namespaces, err := cli.GetNamespaces()
 	if err != nil {
 		return httperror.InternalServerError(
-			"Unable to retrieve nodes limits",
+			"Unable to retrieve namespaces",
 			err,
 		)
 	}
@@ -24,10 +41,26 @@ func (handler *Handler) getKubernetesNamespaces(w http.ResponseWriter, r *http.R
 }
 
 func (handler *Handler) createKubernetesNamespace(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	cli := handler.KubernetesClient
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return httperror.BadRequest(
+			"Invalid environment identifier route variable",
+			err,
+		)
+	}
+
+	cli, ok := handler.KubernetesClientFactory.GetProxyKubeClient(
+		strconv.Itoa(endpointID), r.Header.Get("Authorization"),
+	)
+	if !ok {
+		return httperror.InternalServerError(
+			"Failed to lookup KubeClient",
+			nil,
+		)
+	}
 
 	var payload models.K8sNamespaceDetails
-	err := request.DecodeAndValidateJSONPayload(r, &payload)
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
 	if err != nil {
 		return httperror.BadRequest(
 			"Invalid request payload",
@@ -38,7 +71,7 @@ func (handler *Handler) createKubernetesNamespace(w http.ResponseWriter, r *http
 	err = cli.CreateNamespace(payload)
 	if err != nil {
 		return httperror.InternalServerError(
-			"Unable to retrieve nodes limits",
+			"Unable to create namespace",
 			err,
 		)
 	}
@@ -46,7 +79,23 @@ func (handler *Handler) createKubernetesNamespace(w http.ResponseWriter, r *http
 }
 
 func (handler *Handler) deleteKubernetesNamespaces(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	cli := handler.KubernetesClient
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return httperror.BadRequest(
+			"Invalid environment identifier route variable",
+			err,
+		)
+	}
+
+	cli, ok := handler.KubernetesClientFactory.GetProxyKubeClient(
+		strconv.Itoa(endpointID), r.Header.Get("Authorization"),
+	)
+	if !ok {
+		return httperror.InternalServerError(
+			"Failed to lookup KubeClient",
+			nil,
+		)
+	}
 
 	namespace, err := request.RetrieveRouteVariableValue(r, "namespace")
 	if err != nil {
@@ -59,7 +108,7 @@ func (handler *Handler) deleteKubernetesNamespaces(w http.ResponseWriter, r *htt
 	err = cli.DeleteNamespace(namespace)
 	if err != nil {
 		return httperror.InternalServerError(
-			"Unable to retrieve nodes limits",
+			"Unable to delete namespace",
 			err,
 		)
 	}
@@ -68,17 +117,33 @@ func (handler *Handler) deleteKubernetesNamespaces(w http.ResponseWriter, r *htt
 }
 
 func (handler *Handler) updateKubernetesNamespace(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	cli := handler.KubernetesClient
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return httperror.BadRequest(
+			"Invalid environment identifier route variable",
+			err,
+		)
+	}
+
+	cli, ok := handler.KubernetesClientFactory.GetProxyKubeClient(
+		strconv.Itoa(endpointID), r.Header.Get("Authorization"),
+	)
+	if !ok {
+		return httperror.InternalServerError(
+			"Failed to lookup KubeClient",
+			nil,
+		)
+	}
 
 	var payload models.K8sNamespaceDetails
-	err := request.DecodeAndValidateJSONPayload(r, &payload)
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
 	if err != nil {
 		return httperror.BadRequest("Invalid request payload", err)
 	}
 
 	err = cli.UpdateNamespace(payload)
 	if err != nil {
-		return httperror.InternalServerError("Unable to retrieve nodes limits", err)
+		return httperror.InternalServerError("Unable to update namespace", err)
 	}
 	return nil
 }

api/http/handler/kubernetes/services.go

@@ -2,6 +2,7 @@ package kubernetes
 
 import (
 	"net/http"
+	"strconv"
 
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
@@ -18,7 +19,24 @@ func (handler *Handler) getKubernetesServices(w http.ResponseWriter, r *http.Req
 		)
 	}
 
-	cli := handler.KubernetesClient
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return httperror.BadRequest(
+			"Invalid environment identifier route variable",
+			err,
+		)
+	}
+
+	cli, ok := handler.KubernetesClientFactory.GetProxyKubeClient(
+		strconv.Itoa(endpointID), r.Header.Get("Authorization"),
+	)
+	if !ok {
+		return httperror.InternalServerError(
+			"Failed to lookup KubeClient",
+			nil,
+		)
+	}
+
 	services, err := cli.GetServices(namespace)
 	if err != nil {
 		return httperror.InternalServerError(
@@ -48,11 +66,28 @@ func (handler *Handler) createKubernetesService(w http.ResponseWriter, r *http.R
 		)
 	}
 
-	cli := handler.KubernetesClient
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return httperror.BadRequest(
+			"Invalid environment identifier route variable",
+			err,
+		)
+	}
+
+	cli, ok := handler.KubernetesClientFactory.GetProxyKubeClient(
+		strconv.Itoa(endpointID), r.Header.Get("Authorization"),
+	)
+	if !ok {
+		return httperror.InternalServerError(
+			"Failed to lookup KubeClient",
+			nil,
+		)
+	}
+
 	err = cli.CreateService(namespace, payload)
 	if err != nil {
 		return httperror.InternalServerError(
-			"Unable to retrieve nodes limits",
+			"Unable to create sercice",
 			err,
 		)
 	}
@@ -60,10 +95,26 @@ func (handler *Handler) createKubernetesService(w http.ResponseWriter, r *http.R
 }
 
 func (handler *Handler) deleteKubernetesServices(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	cli := handler.KubernetesClient
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return httperror.BadRequest(
+			"Invalid environment identifier route variable",
+			err,
+		)
+	}
+
+	cli, ok := handler.KubernetesClientFactory.GetProxyKubeClient(
+		strconv.Itoa(endpointID), r.Header.Get("Authorization"),
+	)
+	if !ok {
+		return httperror.InternalServerError(
+			"Failed to lookup KubeClient",
+			nil,
+		)
+	}
 
 	var payload models.K8sServiceDeleteRequests
-	err := request.DecodeAndValidateJSONPayload(r, &payload)
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
 	if err != nil {
 		return httperror.BadRequest(
 			"Invalid request payload",
@@ -74,7 +125,7 @@ func (handler *Handler) deleteKubernetesServices(w http.ResponseWriter, r *http.
 	err = cli.DeleteServices(payload)
 	if err != nil {
 		return httperror.InternalServerError(
-			"Unable to retrieve nodes limits",
+			"Unable to delete service",
 			err,
 		)
 	}
@@ -99,11 +150,27 @@ func (handler *Handler) updateKubernetesService(w http.ResponseWriter, r *http.R
 		)
 	}
 
-	cli := handler.KubernetesClient
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return httperror.BadRequest(
+			"Invalid environment identifier route variable",
+			err,
+		)
+	}
+
+	cli, ok := handler.KubernetesClientFactory.GetProxyKubeClient(
+		strconv.Itoa(endpointID), r.Header.Get("Authorization"),
+	)
+	if !ok {
+		return httperror.InternalServerError(
+			"Failed to lookup KubeClient",
+			nil,
+		)
+	}
 	err = cli.UpdateService(namespace, payload)
 	if err != nil {
 		return httperror.InternalServerError(
-			"Unable to retrieve nodes limits",
+			"Unable to update service",
 			err,
 		)
 	}

api/http/handler/registries/registry_create_test.go

@@ -1,15 +1,9 @@
 package registries
 
 import (
-	"bytes"
-	"encoding/json"
-	"net/http"
-	"net/http/httptest"
 	"testing"
 
 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/http/security"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -49,85 +43,3 @@ func Test_registryCreatePayload_Validate(t *testing.T) {
 		assert.NoError(t, err)
 	})
 }
-
-type testRegistryService struct {
-	dataservices.RegistryService
-	createRegistry func(r *portainer.Registry) error
-	updateRegistry func(ID portainer.RegistryID, r *portainer.Registry) error
-	getRegistry    func(ID portainer.RegistryID) (*portainer.Registry, error)
-}
-
-type testDataStore struct {
-	dataservices.DataStore
-	registry *testRegistryService
-}
-
-func (t testDataStore) Registry() dataservices.RegistryService {
-	return t.registry
-}
-
-func (t testRegistryService) CreateRegistry(r *portainer.Registry) error {
-	return t.createRegistry(r)
-}
-
-func (t testRegistryService) UpdateRegistry(ID portainer.RegistryID, r *portainer.Registry) error {
-	return t.updateRegistry(ID, r)
-}
-
-func (t testRegistryService) Registry(ID portainer.RegistryID) (*portainer.Registry, error) {
-	return t.getRegistry(ID)
-}
-
-func (t testRegistryService) Registries() ([]portainer.Registry, error) {
-	return nil, nil
-}
-
-func (t testRegistryService) Create(registry *portainer.Registry) error {
-	return nil
-}
-
-// Not entirely sure what this is intended to test
-func deleteTestHandler_registryCreate(t *testing.T) {
-	payload := registryCreatePayload{
-		Name:           "Test registry",
-		Type:           portainer.ProGetRegistry,
-		URL:            "http://example.com",
-		BaseURL:        "http://example.com",
-		Authentication: false,
-		Username:       "username",
-		Password:       "password",
-		Gitlab:         portainer.GitlabRegistryData{},
-	}
-	payloadBytes, err := json.Marshal(payload)
-	assert.NoError(t, err)
-	r := httptest.NewRequest(http.MethodPost, "/", bytes.NewReader(payloadBytes))
-	w := httptest.NewRecorder()
-
-	restrictedContext := &security.RestrictedRequestContext{
-		IsAdmin: true,
-		UserID:  portainer.UserID(1),
-	}
-
-	ctx := security.StoreRestrictedRequestContext(r, restrictedContext)
-	r = r.WithContext(ctx)
-
-	registry := portainer.Registry{}
-	handler := Handler{}
-	handler.DataStore = testDataStore{
-		registry: &testRegistryService{
-			createRegistry: func(r *portainer.Registry) error {
-				registry = *r
-				return nil
-			},
-		},
-	}
-	handlerError := handler.registryCreate(w, r)
-	assert.Nil(t, handlerError)
-	assert.Equal(t, payload.Name, registry.Name)
-	assert.Equal(t, payload.Type, registry.Type)
-	assert.Equal(t, payload.URL, registry.URL)
-	assert.Equal(t, payload.BaseURL, registry.BaseURL)
-	assert.Equal(t, payload.Authentication, registry.Authentication)
-	assert.Equal(t, payload.Username, registry.Username)
-	assert.Equal(t, payload.Password, registry.Password)
-}

api/http/handler/registries/registry_update_test.go

@@ -1,88 +0,0 @@
-package registries
-
-import (
-	"bytes"
-	"encoding/json"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/security"
-	"github.com/stretchr/testify/assert"
-)
-
-func ps(s string) *string {
-	return &s
-}
-
-func pb(b bool) *bool {
-	return &b
-}
-
-type TestBouncer struct{}
-
-func (t TestBouncer) AdminAccess(h http.Handler) http.Handler {
-	return h
-}
-
-func (t TestBouncer) AuthenticatedAccess(h http.Handler) http.Handler {
-	return h
-}
-
-func (t TestBouncer) AuthorizedEndpointOperation(r *http.Request, endpoint *portainer.Endpoint) error {
-	return nil
-}
-
-// TODO, no i don't know what this is actually intended to test either.
-func delete_TestHandler_registryUpdate(t *testing.T) {
-	payload := registryUpdatePayload{
-		Name:           ps("Updated test registry"),
-		URL:            ps("http://example.org/feed"),
-		BaseURL:        ps("http://example.org"),
-		Authentication: pb(true),
-		Username:       ps("username"),
-		Password:       ps("password"),
-	}
-	payloadBytes, err := json.Marshal(payload)
-	assert.NoError(t, err)
-	registry := portainer.Registry{Type: portainer.ProGetRegistry, ID: 5}
-	r := httptest.NewRequest(http.MethodPut, "/registries/5", bytes.NewReader(payloadBytes))
-	w := httptest.NewRecorder()
-
-	restrictedContext := &security.RestrictedRequestContext{
-		IsAdmin: true,
-		UserID:  portainer.UserID(1),
-	}
-
-	ctx := security.StoreRestrictedRequestContext(r, restrictedContext)
-	r = r.WithContext(ctx)
-
-	updatedRegistry := portainer.Registry{}
-	handler := newHandler(nil)
-	handler.initRouter(TestBouncer{})
-	handler.DataStore = testDataStore{
-		registry: &testRegistryService{
-			getRegistry: func(_ portainer.RegistryID) (*portainer.Registry, error) {
-				return &registry, nil
-			},
-			updateRegistry: func(ID portainer.RegistryID, r *portainer.Registry) error {
-				assert.Equal(t, ID, r.ID)
-				updatedRegistry = *r
-				return nil
-			},
-		},
-	}
-
-	handler.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusOK, w.Code)
-	// Registry type should remain intact
-	assert.Equal(t, registry.Type, updatedRegistry.Type)
-
-	assert.Equal(t, *payload.Name, updatedRegistry.Name)
-	assert.Equal(t, *payload.URL, updatedRegistry.URL)
-	assert.Equal(t, *payload.BaseURL, updatedRegistry.BaseURL)
-	assert.Equal(t, *payload.Authentication, updatedRegistry.Authentication)
-	assert.Equal(t, *payload.Username, updatedRegistry.Username)
-	assert.Equal(t, *payload.Password, updatedRegistry.Password)
-}

api/http/handler/resourcecontrols/resourcecontrol_create.go

@@ -29,10 +29,7 @@ type resourceControlCreatePayload struct {
 	SubResourceIDs []string `example:"617c5f22bb9b023d6daab7cba43a57576f83492867bc767d1c59416b065e5f08"`
 }
 
-var (
-	errResourceControlAlreadyExists = errors.New("A resource control is already applied on this resource") //http/resourceControl
-	errInvalidResourceControlType   = errors.New("Unsupported resource control type")                      //http/resourceControl
-)
+var errResourceControlAlreadyExists = errors.New("A resource control is already applied on this resource") //http/resourceControl
 
 func (payload *resourceControlCreatePayload) Validate(r *http.Request) error {
 	if govalidator.IsNull(payload.ResourceID) {

api/http/handler/settings/settings_update.go

@@ -251,12 +251,7 @@ func (handler *Handler) settingsUpdate(w http.ResponseWriter, r *http.Request) *
 func (handler *Handler) updateSnapshotInterval(settings *portainer.Settings, snapshotInterval string) error {
 	settings.SnapshotInterval = snapshotInterval
 
-	err := handler.SnapshotService.SetSnapshotInterval(snapshotInterval)
-	if err != nil {
-		return err
-	}
-
-	return nil
+	return handler.SnapshotService.SetSnapshotInterval(snapshotInterval)
 }
 
 func (handler *Handler) updateTLS(settings *portainer.Settings) *httperror.HandlerError {

api/http/handler/stacks/stack_delete.go

@@ -3,7 +3,6 @@ package stacks
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
 	"net/http"
 	"os"
 	"strconv"
@@ -200,7 +199,7 @@ func (handler *Handler) deleteStack(userID portainer.UserID, stack *portainer.St
 		//then process the remove operation
 		if stack.IsComposeFormat {
 			fileNames := stackutils.GetStackFilePaths(stack, false)
-			tmpDir, err := ioutil.TempDir("", "kube_delete")
+			tmpDir, err := os.MkdirTemp("", "kube_delete")
 			if err != nil {
 				return errors.Wrap(err, "failed to create temp directory for deleting kub stack")
 			}

api/http/handler/stacks/update_kubernetes_stack.go

@@ -2,7 +2,6 @@ package stacks
 
 import (
 	"fmt"
-	"io/ioutil"
 	"net/http"
 	"os"
 	"strconv"
@@ -105,7 +104,7 @@ func (handler *Handler) updateKubernetesStack(r *http.Request, stack *portainer.
 		return httperror.BadRequest("Failed to retrieve user token data", err)
 	}
 
-	tempFileDir, _ := ioutil.TempDir("", "kub_file_content")
+	tempFileDir, _ := os.MkdirTemp("", "kub_file_content")
 	defer os.RemoveAll(tempFileDir)
 
 	if err := filesystem.WriteToFile(filesystem.JoinPaths(tempFileDir, stack.EntryPoint), []byte(payload.StackFileContent)); err != nil {

api/http/handler/templates/template_file.go

@@ -23,7 +23,7 @@ type filePayload struct {
 
 type fileResponse struct {
 	// The requested file content
-	FileContent string `example: "version:2"`
+	FileContent string `example:"version:2"`
 }
 
 func (payload *filePayload) Validate(r *http.Request) error {

api/http/handler/upload/handler.go

@@ -2,7 +2,7 @@ package upload
 
 import (
 	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/security"
 
 	"net/http"

api/http/handler/users/admin_check.go

@@ -1,9 +1,10 @@
 package users
 
 import (
-	"github.com/portainer/portainer/api/dataservices/errors"
 	"net/http"
 
+	"github.com/portainer/portainer/api/dataservices/errors"
+
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/response"
 	portainer "github.com/portainer/portainer/api"

api/http/handler/webhooks/handler.go

@@ -1,12 +1,11 @@
 package webhooks
 
 import (
-	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/internal/authorization"
 	"net/http"
 
+	"github.com/portainer/portainer/api/dataservices"
+
 	httperror "github.com/portainer/libhttp/error"
-	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/docker"
 	"github.com/portainer/portainer/api/http/security"
 
@@ -39,43 +38,3 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
 		bouncer.PublicAccess(httperror.LoggerHandler(h.webhookExecute))).Methods(http.MethodPost)
 	return h
 }
-
-func (handler *Handler) checkResourceAccess(r *http.Request, resourceID string, resourceControlType portainer.ResourceControlType) *httperror.HandlerError {
-	securityContext, err := security.RetrieveRestrictedRequestContext(r)
-	if err != nil {
-		return httperror.InternalServerError("Unable to retrieve user info from request context", err)
-	}
-	// non-admins
-	rc, err := handler.DataStore.ResourceControl().ResourceControlByResourceIDAndType(resourceID, resourceControlType)
-	if rc == nil || err != nil {
-		return httperror.InternalServerError("Unable to retrieve a resource control associated to the resource", err)
-	}
-	userTeamIDs := make([]portainer.TeamID, 0)
-	for _, membership := range securityContext.UserMemberships {
-		userTeamIDs = append(userTeamIDs, membership.TeamID)
-	}
-	canAccess := authorization.UserCanAccessResource(securityContext.UserID, userTeamIDs, rc)
-	if !canAccess {
-		return &httperror.HandlerError{StatusCode: http.StatusForbidden, Message: "This operation is disabled for non-admin users and unassigned access users"}
-	}
-	return nil
-}
-
-func (handler *Handler) checkAuthorization(r *http.Request, endpoint *portainer.Endpoint, authorizations []portainer.Authorization) (bool, *httperror.HandlerError) {
-	err := handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint)
-	if err != nil {
-		return false, httperror.Forbidden("Permission denied to access environment", err)
-	}
-
-	securityContext, err := security.RetrieveRestrictedRequestContext(r)
-	if err != nil {
-		return false, httperror.InternalServerError("Unable to retrieve user info from request context", err)
-	}
-
-	authService := authorization.NewService(handler.DataStore)
-	isAdminOrAuthorized, err := authService.UserIsAdminOrAuthorized(securityContext.UserID, endpoint.ID, authorizations)
-	if err != nil {
-		return false, httperror.InternalServerError("Unable to get user authorizations", err)
-	}
-	return isAdminOrAuthorized, nil
-}

api/http/handler/webhooks/webhook_delete.go

@@ -2,9 +2,10 @@ package webhooks
 
 import (
 	"errors"
-	"github.com/portainer/portainer/api/http/security"
 	"net/http"
 
+	"github.com/portainer/portainer/api/http/security"
+
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"

api/http/handler/webhooks/webhook_execute.go

@@ -3,11 +3,12 @@ package webhooks
 import (
 	"context"
 	"errors"
-	"github.com/portainer/portainer/api/internal/registryutils"
 	"io"
 	"net/http"
 	"strings"
 
+	"github.com/portainer/portainer/api/internal/registryutils"
+
 	dockertypes "github.com/docker/docker/api/types"
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"

api/http/handler/webhooks/webhook_list.go

@@ -1,9 +1,10 @@
 package webhooks
 
 import (
-	"github.com/portainer/portainer/api/http/security"
 	"net/http"
 
+	"github.com/portainer/portainer/api/http/security"
+
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"

api/http/handler/websocket/attach.go

@@ -116,12 +116,7 @@ func hijackAttachStartOperation(websocketConn *websocket.Conn, endpoint *portain
 		return err
 	}
 
-	err = hijackRequest(websocketConn, httpConn, attachStartRequest)
-	if err != nil {
-		return err
-	}
-
-	return nil
+	return hijackRequest(websocketConn, httpConn, attachStartRequest)
 }
 
 func createAttachStartRequest(attachID string) (*http.Request, error) {

api/http/handler/websocket/dial_windows.go

@@ -4,8 +4,9 @@
 package websocket
 
 import (
-	"github.com/Microsoft/go-winio"
 	"net"
+
+	"github.com/Microsoft/go-winio"
 )
 
 func createDial(scheme, host string) (net.Conn, error) {

api/http/handler/websocket/exec.go

@@ -121,12 +121,7 @@ func hijackExecStartOperation(websocketConn *websocket.Conn, endpoint *portainer
 		return err
 	}
 
-	err = hijackRequest(websocketConn, httpConn, execStartRequest)
-	if err != nil {
-		return err
-	}
-
-	return nil
+	return hijackRequest(websocketConn, httpConn, execStartRequest)
 }
 
 func createExecStartRequest(execID string) (*http.Request, error) {

api/http/handler/websocket/initdial.go

@@ -5,7 +5,7 @@ import (
 	"net"
 	"net/url"
 
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/crypto"
 )
 

api/http/handler/websocket/proxy.go

@@ -8,7 +8,7 @@ import (
 
 	"github.com/gorilla/websocket"
 	"github.com/koding/websocketproxy"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 )
 
 func (handler *Handler) proxyEdgeAgentWebsocketRequest(w http.ResponseWriter, r *http.Request, params *webSocketRequestParams) error {

api/http/handler/websocket/types.go

@@ -1,6 +1,6 @@
 package websocket
 
-import "github.com/portainer/portainer/api"
+import portainer "github.com/portainer/portainer/api"
 
 type webSocketRequestParams struct {
 	ID       string

api/http/proxy/factory/agent/transport.go

@@ -6,14 +6,11 @@ import (
 	portainer "github.com/portainer/portainer/api"
 )
 
-type (
-	// Transport is an http.Transport wrapper that adds custom http headers to communicate to an Agent
-	Transport struct {
-		httpTransport      *http.Transport
-		signatureService   portainer.DigitalSignatureService
-		endpointIdentifier portainer.EndpointID
-	}
-)
+// Transport is an http.Transport wrapper that adds custom http headers to communicate to an Agent
+type Transport struct {
+	httpTransport    *http.Transport
+	signatureService portainer.DigitalSignatureService
+}
 
 // NewTransport returns a new transport that can be used to send signed requests to a Portainer agent
 func NewTransport(signatureService portainer.DigitalSignatureService, httpTransport *http.Transport) *Transport {

api/http/proxy/factory/azure/containergroup.go

@@ -85,11 +85,8 @@ func (transport *Transport) proxyContainerGroupPutRequest(request *http.Request)
 	responseObject = decorateObject(responseObject, resourceControl)
 
 	err = utils.RewriteResponse(response, responseObject, http.StatusOK)
-	if err != nil {
-		return response, err
-	}
 
-	return response, nil
+	return response, err
 }
 
 func (transport *Transport) proxyContainerGroupGetRequest(request *http.Request) (*http.Response, error) {

api/http/proxy/factory/docker/build.go

@@ -4,7 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"errors"
-	"io/ioutil"
+	"io"
 	"mime"
 	"net/http"
 
@@ -37,7 +37,7 @@ func buildOperation(request *http.Request) error {
 	var buffer []byte
 	switch mediaType {
 	case "":
-		body, err := ioutil.ReadAll(request.Body)
+		body, err := io.ReadAll(request.Body)
 		if err != nil {
 			return err
 		}
@@ -81,7 +81,7 @@ func buildOperation(request *http.Request) error {
 
 			log.Info().Str("filename", hdr.Filename).Int64("size", hdr.Size).Msg("upload the file to build image")
 
-			content, err := ioutil.ReadAll(f)
+			content, err := io.ReadAll(f)
 			if err != nil {
 				return err
 			}
@@ -105,7 +105,7 @@ func buildOperation(request *http.Request) error {
 		return nil
 	}
 
-	request.Body = ioutil.NopCloser(bytes.NewReader(buffer))
+	request.Body = io.NopCloser(bytes.NewReader(buffer))
 	request.ContentLength = int64(len(buffer))
 	request.Header.Set("Content-Type", "application/x-tar")
 

api/http/proxy/factory/docker/containers.go

@@ -5,7 +5,7 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"strings"
 
@@ -190,7 +190,7 @@ func (transport *Transport) decorateContainerCreationOperation(request *http.Req
 			return nil, err
 		}
 
-		body, err := ioutil.ReadAll(request.Body)
+		body, err := io.ReadAll(request.Body)
 		if err != nil {
 			return nil, err
 		}
@@ -229,7 +229,7 @@ func (transport *Transport) decorateContainerCreationOperation(request *http.Req
 			}
 		}
 
-		request.Body = ioutil.NopCloser(bytes.NewBuffer(body))
+		request.Body = io.NopCloser(bytes.NewBuffer(body))
 	}
 
 	response, err := transport.executeDockerRequest(request)

api/http/proxy/factory/docker/services.go

@@ -5,7 +5,7 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
-	"io/ioutil"
+	"io"
 	"net/http"
 
 	"github.com/docker/docker/api/types"
@@ -116,7 +116,7 @@ func (transport *Transport) decorateServiceCreationOperation(request *http.Reque
 			return nil, err
 		}
 
-		body, err := ioutil.ReadAll(request.Body)
+		body, err := io.ReadAll(request.Body)
 		if err != nil {
 			return nil, err
 		}
@@ -135,7 +135,7 @@ func (transport *Transport) decorateServiceCreationOperation(request *http.Reque
 			}
 		}
 
-		request.Body = ioutil.NopCloser(bytes.NewBuffer(body))
+		request.Body = io.NopCloser(bytes.NewBuffer(body))
 	}
 
 	return transport.replaceRegistryAuthenticationHeader(request)

api/http/proxy/factory/docker/transport.go

@@ -6,7 +6,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"path"
 	"regexp"
@@ -197,7 +197,7 @@ func (transport *Transport) proxyAgentRequest(r *http.Request) (*http.Response,
 
 		r.Method = http.MethodPost
 
-		r.Body = ioutil.NopCloser(bytes.NewReader(newBody))
+		r.Body = io.NopCloser(bytes.NewReader(newBody))
 		r.ContentLength = int64(len(newBody))
 	}
 

api/http/proxy/factory/kubernetes/token.go

@@ -1,7 +1,7 @@
 package kubernetes
 
 import (
-	"io/ioutil"
+	"os"
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
@@ -28,7 +28,7 @@ func NewTokenManager(kubecli portainer.KubeClient, dataStore dataservices.DataSt
 	}
 
 	if setLocalAdminToken {
-		token, err := ioutil.ReadFile(defaultServiceAccountTokenFile)
+		token, err := os.ReadFile(defaultServiceAccountTokenFile)
 		if err != nil {
 			return nil, err
 		}

api/http/proxy/factory/kubernetes/transport.go

@@ -4,7 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"path"
 	"regexp"
@@ -189,7 +189,7 @@ func decorateAgentDockerHubRequest(r *http.Request, dataStore dataservices.DataS
 	}
 
 	r.Method = http.MethodPost
-	r.Body = ioutil.NopCloser(bytes.NewReader(newBody))
+	r.Body = io.NopCloser(bytes.NewReader(newBody))
 	r.ContentLength = int64(len(newBody))
 
 	return nil

api/http/proxy/factory/utils/json.go

@@ -6,7 +6,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"mime"
 
 	"gopkg.in/yaml.v3"
@@ -50,7 +49,7 @@ func getBody(body io.ReadCloser, contentType string, isGzip bool) (interface{},
 
 	defer reader.Close()
 
-	bodyBytes, err := ioutil.ReadAll(reader)
+	bodyBytes, err := io.ReadAll(reader)
 	if err != nil {
 		return nil, err
 	}

api/http/proxy/factory/utils/request.go

@@ -2,7 +2,7 @@ package utils
 
 import (
 	"bytes"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"strconv"
 )
@@ -25,7 +25,7 @@ func RewriteRequest(request *http.Request, newData interface{}) error {
 		return err
 	}
 
-	body := ioutil.NopCloser(bytes.NewReader(data))
+	body := io.NopCloser(bytes.NewReader(data))
 
 	request.Body = body
 	request.ContentLength = int64(len(data))

api/http/proxy/factory/utils/response.go

@@ -3,7 +3,7 @@ package utils
 import (
 	"bytes"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"strconv"
 
@@ -82,7 +82,7 @@ func RewriteResponse(response *http.Response, newResponseData interface{}, statu
 		return err
 	}
 
-	body := ioutil.NopCloser(bytes.NewReader(data))
+	body := io.NopCloser(bytes.NewReader(data))
 
 	response.StatusCode = statusCode
 	response.Body = body

api/http/security/rate_limiter.go

@@ -29,7 +29,7 @@ func NewRateLimiter(maxRequests int, duration time.Duration, banDuration time.Du
 func (limiter *RateLimiter) LimitAccess(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		ip := StripAddrPort(r.RemoteAddr)
-		if banned := limiter.Inc(ip); banned == true {
+		if banned := limiter.Inc(ip); banned {
 			httperror.WriteError(w, http.StatusForbidden, "Access denied", errors.ErrResourceAccessDenied)
 			return
 		}

api/internal/edge/edgestack.go

@@ -3,7 +3,7 @@ package edge
 import (
 	"errors"
 
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 )
 
 // EdgeStackRelatedEndpoints returns a list of environments(endpoints) related to this Edge stack

api/internal/edge/endpoint.go

@@ -1,6 +1,6 @@
 package edge
 
-import "github.com/portainer/portainer/api"
+import portainer "github.com/portainer/portainer/api"
 
 // EndpointRelatedEdgeStacks returns a list of Edge stacks related to this Environment(Endpoint)
 func EndpointRelatedEdgeStacks(endpoint *portainer.Endpoint, endpointGroup *portainer.EndpointGroup, edgeGroups []portainer.EdgeGroup, edgeStacks []portainer.EdgeStack) []portainer.EdgeStackID {

api/internal/ssl/ssl.go

@@ -166,10 +166,5 @@ func (service *Service) cacheInfo(certPath string, keyPath string, selfSigned bo
 	settings.KeyPath = keyPath
 	settings.SelfSigned = selfSigned
 
-	err = service.dataStore.SSLSettings().UpdateSettings(settings)
-	if err != nil {
-		return err
-	}
-
-	return nil
+	return service.dataStore.SSLSettings().UpdateSettings(settings)
 }

api/internal/tag/tag.go

@@ -1,6 +1,6 @@
 package tag
 
-import "github.com/portainer/portainer/api"
+import portainer "github.com/portainer/portainer/api"
 
 type tagSet map[portainer.TagID]bool
 

api/jwt/jwt.go

@@ -9,7 +9,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/gorilla/securecookie"
 	"github.com/rs/zerolog/log"
 )

api/jwt/jwt_kubeconfig_test.go

@@ -3,7 +3,7 @@ package jwt
 import (
 	"testing"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	i "github.com/portainer/portainer/api/internal/testhelpers"

api/jwt/jwt_test.go

@@ -1,12 +1,12 @@
 package jwt
 
 import (
-	i "github.com/portainer/portainer/api/internal/testhelpers"
 	"testing"
 	"time"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 	portainer "github.com/portainer/portainer/api"
+	i "github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/stretchr/testify/assert"
 )
 

api/kubernetes/cli/access.go

@@ -117,9 +117,6 @@ func (kcl *KubeClient) UpdateNamespaceAccessPolicies(accessPolicies map[string]p
 
 	configMap.Data[portainerConfigMapAccessPoliciesKey] = string(data)
 	_, err = kcl.cli.CoreV1().ConfigMaps(portainerNamespace).Update(context.TODO(), configMap, metav1.UpdateOptions{})
-	if err != nil {
-		return err
-	}
 
-	return nil
+	return err
 }

api/kubernetes/cli/client.go

@@ -5,8 +5,10 @@ import (
 	"net/http"
 	"strconv"
 	"sync"
+	"time"
 
 	cmap "github.com/orcaman/concurrent-map"
+	"github.com/patrickmn/go-cache"
 	"github.com/pkg/errors"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
@@ -23,6 +25,8 @@ type (
 		signatureService     portainer.DigitalSignatureService
 		instanceID           string
 		endpointClients      cmap.ConcurrentMap
+		endpointProxyClients *cache.Cache
+		AddrHTTPS            string
 	}
 
 	// KubeClient represent a service used to execute Kubernetes operations
@@ -34,14 +38,24 @@ type (
 )
 
 // NewClientFactory returns a new instance of a ClientFactory
-func NewClientFactory(signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService, instanceID string, dataStore dataservices.DataStore) *ClientFactory {
+func NewClientFactory(signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService, dataStore dataservices.DataStore, instanceID, addrHTTPS, userSessionTimeout string) (*ClientFactory, error) {
+	if userSessionTimeout == "" {
+		userSessionTimeout = portainer.DefaultUserSessionTimeout
+	}
+	timeout, err := time.ParseDuration(userSessionTimeout)
+	if err != nil {
+		return nil, err
+	}
+
 	return &ClientFactory{
 		dataStore:            dataStore,
 		signatureService:     signatureService,
 		reverseTunnelService: reverseTunnelService,
 		instanceID:           instanceID,
 		endpointClients:      cmap.New(),
-	}
+		endpointProxyClients: cache.New(timeout, timeout),
+		AddrHTTPS:            addrHTTPS,
+	}, nil
 }
 
 func (factory *ClientFactory) GetInstanceID() (instanceID string) {
@@ -59,7 +73,7 @@ func (factory *ClientFactory) GetKubeClient(endpoint *portainer.Endpoint) (porta
 	key := strconv.Itoa(int(endpoint.ID))
 	client, ok := factory.endpointClients.Get(key)
 	if !ok {
-		client, err := factory.createKubeClient(endpoint)
+		client, err := factory.createCachedAdminKubeClient(endpoint)
 		if err != nil {
 			return nil, err
 		}
@@ -71,7 +85,49 @@ func (factory *ClientFactory) GetKubeClient(endpoint *portainer.Endpoint) (porta
 	return client.(portainer.KubeClient), nil
 }
 
-func (factory *ClientFactory) createKubeClient(endpoint *portainer.Endpoint) (portainer.KubeClient, error) {
+// GetProxyKubeClient retrieves a KubeClient from the cache. You should be
+// calling SetProxyKubeClient before first. It is normally, called the
+// kubernetes middleware.
+func (factory *ClientFactory) GetProxyKubeClient(endpointID, token string) (portainer.KubeClient, bool) {
+	client, ok := factory.endpointProxyClients.Get(endpointID + "." + token)
+	if !ok {
+		return nil, false
+	}
+	return client.(portainer.KubeClient), true
+}
+
+// SetProxyKubeClient stores a kubeclient in the cache.
+func (factory *ClientFactory) SetProxyKubeClient(endpointID, token string, cli portainer.KubeClient) {
+	factory.endpointProxyClients.Set(endpointID+"."+token, cli, 0)
+}
+
+// CreateKubeClientFromKubeConfig creates a KubeClient from a clusterID, and
+// Kubernetes config.
+func (factory *ClientFactory) CreateKubeClientFromKubeConfig(clusterID string, kubeConfig []byte) (portainer.KubeClient, error) {
+	config, err := clientcmd.NewClientConfigFromBytes([]byte(kubeConfig))
+	if err != nil {
+		return nil, err
+	}
+	cliConfig, err := config.ClientConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	cli, err := kubernetes.NewForConfig(cliConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	kubecli := &KubeClient{
+		cli:        cli,
+		instanceID: factory.instanceID,
+		lock:       &sync.Mutex{},
+	}
+
+	return kubecli, nil
+}
+
+func (factory *ClientFactory) createCachedAdminKubeClient(endpoint *portainer.Endpoint) (portainer.KubeClient, error) {
 	cli, err := factory.CreateClient(endpoint)
 	if err != nil {
 		return nil, err

api/kubernetes/cli/ingress.go

@@ -5,11 +5,12 @@ import (
 	"strings"
 
 	"github.com/portainer/portainer/api/database/models"
+	"github.com/rs/zerolog/log"
 	netv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-func (kcl *KubeClient) GetIngressControllers() models.K8sIngressControllers {
+func (kcl *KubeClient) GetIngressControllers() (models.K8sIngressControllers, error) {
 	var controllers []models.K8sIngressController
 
 	// We know that each existing class points to a controller so we can start
@@ -17,19 +18,22 @@ func (kcl *KubeClient) GetIngressControllers() models.K8sIngressControllers {
 	classClient := kcl.cli.NetworkingV1().IngressClasses()
 	classList, err := classClient.List(context.Background(), metav1.ListOptions{})
 	if err != nil {
-		return nil
+		return nil, err
 	}
 
 	// We want to know which of these controllers is in use.
 	var ingresses []models.K8sIngressInfo
 	namespaces, err := kcl.GetNamespaces()
 	if err != nil {
-		return nil
+		return nil, err
 	}
 	for namespace := range namespaces {
 		t, err := kcl.GetIngresses(namespace)
 		if err != nil {
-			return nil
+			// User might not be able to list ingresses in system/not allowed
+			// namespaces.
+			log.Debug().Err(err).Msg("failed to list ingresses for the current user, skipped sending ingress")
+			continue
 		}
 		ingresses = append(ingresses, t...)
 	}
@@ -58,7 +62,7 @@ func (kcl *KubeClient) GetIngressControllers() models.K8sIngressControllers {
 		}
 		controllers = append(controllers, controller)
 	}
-	return controllers
+	return controllers, nil
 }
 
 // GetIngresses gets all the ingresses for a given namespace in a k8s endpoint.
@@ -86,11 +90,11 @@ func (kcl *KubeClient) GetIngresses(namespace string) ([]models.K8sIngressInfo,
 
 	var infos []models.K8sIngressInfo
 	for _, ingress := range ingressList.Items {
-		ingressClass := ingress.Spec.IngressClassName
 		var info models.K8sIngressInfo
 		info.Name = ingress.Name
 		info.UID = string(ingress.UID)
 		info.Namespace = namespace
+		ingressClass := ingress.Spec.IngressClassName
 		info.ClassName = ""
 		if ingressClass != nil {
 			info.ClassName = *ingressClass
@@ -109,6 +113,10 @@ func (kcl *KubeClient) GetIngresses(namespace string) ([]models.K8sIngressInfo,
 		// Gather list of paths and hosts.
 		hosts := make(map[string]struct{})
 		for _, r := range ingress.Spec.Rules {
+			// We collect all exiting hosts in a map to avoid duplicates.
+			// Then, later convert it to a slice for the frontend.
+			hosts[r.Host] = struct{}{}
+
 			if r.HTTP == nil {
 				continue
 			}
@@ -120,12 +128,10 @@ func (kcl *KubeClient) GetIngresses(namespace string) ([]models.K8sIngressInfo,
 				path.IngressName = info.Name
 				path.Host = r.Host
 
-				// We collect all exiting hosts in a map to avoid duplicates.
-				// Then, later convert it to a slice for the frontend.
-				hosts[r.Host] = struct{}{}
-
 				path.Path = p.Path
-				path.PathType = string(*p.PathType)
+				if p.PathType != nil {
+					path.PathType = string(*p.PathType)
+				}
 				path.ServiceName = p.Backend.Service.Name
 				path.Port = int(p.Backend.Service.Port.Number)
 				info.Paths = append(info.Paths, path)
@@ -150,7 +156,9 @@ func (kcl *KubeClient) CreateIngress(namespace string, info models.K8sIngressInf
 
 	ingress.Name = info.Name
 	ingress.Namespace = info.Namespace
-	ingress.Spec.IngressClassName = &info.ClassName
+	if info.ClassName != "" {
+		ingress.Spec.IngressClassName = &info.ClassName
+	}
 	ingress.Annotations = info.Annotations
 
 	// Store TLS information.
@@ -220,7 +228,9 @@ func (kcl *KubeClient) UpdateIngress(namespace string, info models.K8sIngressInf
 
 	ingress.Name = info.Name
 	ingress.Namespace = info.Namespace
-	ingress.Spec.IngressClassName = &info.ClassName
+	if info.ClassName != "" {
+		ingress.Spec.IngressClassName = &info.ClassName
+	}
 	ingress.Annotations = info.Annotations
 
 	// Store TLS information.

api/kubernetes/cli/nodes_limits_test.go

@@ -1,14 +1,15 @@
 package cli
 
 import (
+	"reflect"
+	"testing"
+
 	portainer "github.com/portainer/portainer/api"
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	kfake "k8s.io/client-go/kubernetes/fake"
-	"reflect"
-	"testing"
 )
 
 func newNodes() *v1.NodeList {

api/kubernetes/cli/resource_test.go

@@ -85,7 +85,7 @@ func Test_GenerateYAML(t *testing.T) {
 				t.Errorf("generateYamlConfig failed; err=%s", err)
 			}
 
-			if compareYAMLStrings(yaml, ryt.wantYAML) != 0 {
+			if compareYAMLStrings(string(yaml), ryt.wantYAML) != 0 {
 				t.Errorf("generateYamlConfig failed;\ngot=\n%s\nwant=\n%s", yaml, ryt.wantYAML)
 			}
 		})

api/kubernetes/cli/role.go

@@ -25,6 +25,11 @@ func getPortainerUserDefaultPolicies() []rbacv1.PolicyRule {
 			Resources: []string{"namespaces", "pods", "nodes"},
 			APIGroups: []string{"metrics.k8s.io"},
 		},
+		{
+			Verbs:     []string{"list"},
+			Resources: []string{"ingressclasses"},
+			APIGroups: []string{"networking.k8s.io"},
+		},
 	}
 }
 

api/kubernetes/cli/service_account.go

@@ -37,7 +37,7 @@ func (kcl *KubeClient) GetServiceAccountBearerToken(userID int) (string, error)
 
 // SetupUserServiceAccount will make sure that all the required resources are created inside the Kubernetes
 // cluster before creating a ServiceAccount and a ServiceAccountToken for the specified Portainer user.
-//It will also create required default RoleBinding and ClusterRoleBinding rules.
+// It will also create required default RoleBinding and ClusterRoleBinding rules.
 func (kcl *KubeClient) SetupUserServiceAccount(userID int, teamIDs []int, restrictDefaultNamespace bool) error {
 	serviceAccountName := UserServiceAccountName(userID, kcl.instanceID)