Merge branch 'release/2.6'

* fix(custom-templates): show git form

fix [EE-1025]

* fix(git-form): empty auth values when auth is off

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -4,7 +4,6 @@ about: Create a bug report
 title: ''
 labels: bug/need-confirmation, kind/bug
 assignees: ''
-
 ---
 
 <!--

.github/ISSUE_TEMPLATE/Custom.md

@@ -4,8 +4,8 @@ about: Ask us a question about Portainer usage or deployment
 title: ''
 labels: ''
 assignees: ''
-
 ---
+
 Before you start, we need a little bit more information from you:
 
 Use Case (delete as appropriate): Using Portainer at Home, Using Portainer in a Commerical setup.

api/bolt/migrator/migrate_dbversion30.go

@@ -1,6 +1,13 @@
 package migrator
 
-func (m *Migrator) updateSettingsToDB31() error {
+func (m *Migrator) migrateDBVersionTo30() error {
+	if err := m.migrateSettings(); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (m *Migrator) migrateSettings() error {
 	legacySettings, err := m.settingsService.Settings()
 	if err != nil {
 		return err

api/bolt/migrator/migrate_dbversion30_test.go

@@ -2,9 +2,12 @@ package migrator
 
 import (
 	"os"
+	"path"
 	"testing"
+	"time"
 
 	"github.com/boltdb/bolt"
+	"github.com/portainer/portainer/api/bolt/internal"
 	"github.com/portainer/portainer/api/bolt/settings"
 )
 
@@ -16,6 +19,34 @@ var (
 	settingsService    *settings.Service
 )
 
+// initTestingDBConn creates a raw bolt DB connection
+// for unit testing usage only since using NewStore will cause cycle import inside migrator pkg
+func initTestingDBConn(storePath, fileName string) (*bolt.DB, error) {
+	databasePath := path.Join(storePath, fileName)
+	dbConn, err := bolt.Open(databasePath, 0600, &bolt.Options{Timeout: 1 * time.Second})
+	if err != nil {
+		return nil, err
+	}
+	return dbConn, nil
+}
+
+// initTestingDBConn creates a settings service with raw bolt DB connection
+// for unit testing usage only since using NewStore will cause cycle import inside migrator pkg
+func initTestingSettingsService(dbConn *bolt.DB, preSetObj map[string]interface{}) (*settings.Service, error) {
+	internalDBConn := &internal.DbConnection{
+		DB: dbConn,
+	}
+	settingsService, err := settings.NewService(internalDBConn)
+	if err != nil {
+		return nil, err
+	}
+	//insert a obj
+	if err := internal.UpdateObject(internalDBConn, "settings", []byte("SETTINGS"), preSetObj); err != nil {
+		return nil, err
+	}
+	return settingsService, nil
+}
+
 func setup() error {
 	testingDBStorePath, _ = os.Getwd()
 	testingDBFileName = "portainer-ee-mig-30.db"
@@ -35,7 +66,7 @@ func setup() error {
 	return nil
 }
 
-func TestUpdateSettingsToDB31(t *testing.T) {
+func TestMigrateSettings(t *testing.T) {
 	if err := setup(); err != nil {
 		t.Errorf("failed to complete testing setups, err: %v", err)
 	}
@@ -45,7 +76,7 @@ func TestUpdateSettingsToDB31(t *testing.T) {
 		db:              dbConn,
 		settingsService: settingsService,
 	}
-	if err := m.updateSettingsToDB31(); err != nil {
+	if err := m.migrateSettings(); err != nil {
 		t.Errorf("failed to update settings: %v", err)
 	}
 	updatedSettings, err := m.settingsService.Settings()

api/bolt/migrator/migrate_test_helper.go

@@ -1,38 +0,0 @@
-package migrator
-
-import (
-	"path"
-	"time"
-
-	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer/api/bolt/internal"
-	"github.com/portainer/portainer/api/bolt/settings"
-)
-
-// initTestingDBConn creates a raw bolt DB connection
-// for unit testing usage only since using NewStore will cause cycle import inside migrator pkg
-func initTestingDBConn(storePath, fileName string) (*bolt.DB, error) {
-	databasePath := path.Join(storePath, fileName)
-	dbConn, err := bolt.Open(databasePath, 0600, &bolt.Options{Timeout: 1 * time.Second})
-	if err != nil {
-		return nil, err
-	}
-	return dbConn, nil
-}
-
-// initTestingDBConn creates a settings service with raw bolt DB connection
-// for unit testing usage only since using NewStore will cause cycle import inside migrator pkg
-func initTestingSettingsService(dbConn *bolt.DB, preSetObj map[string]interface{}) (*settings.Service, error) {
-	internalDBConn := &internal.DbConnection{
-		DB: dbConn,
-	}
-	settingsService, err := settings.NewService(internalDBConn)
-	if err != nil {
-		return nil, err
-	}
-	//insert a obj
-	if err := internal.UpdateObject(internalDBConn, "settings", []byte("SETTINGS"), preSetObj); err != nil {
-		return nil, err
-	}
-	return settingsService, nil
-}

api/bolt/migrator/migrator.go

@@ -358,9 +358,9 @@ func (m *Migrator) Migrate() error {
 		}
 	}
 
-	// Portainer 2.5.0
-	if m.currentDBVersion < 31 {
-		err := m.updateSettingsToDB31()
+	// Portainer 2.6.0
+	if m.currentDBVersion < 30 {
+		err := m.migrateDBVersionTo30()
 		if err != nil {
 			return err
 		}

api/cmd/portainer/main.go

@@ -20,6 +20,7 @@ import (
 	"github.com/portainer/portainer/api/http/client"
 	"github.com/portainer/portainer/api/http/proxy"
 	kubeproxy "github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
+	"github.com/portainer/portainer/api/internal/authorization"
 	"github.com/portainer/portainer/api/internal/edge"
 	"github.com/portainer/portainer/api/internal/snapshot"
 	"github.com/portainer/portainer/api/jwt"
@@ -389,6 +390,9 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 	}
 	snapshotService.Start()
 
+	authorizationService := authorization.NewService(dataStore)
+	authorizationService.K8sClientFactory = kubernetesClientFactory
+
 	swarmStackManager, err := initSwarmStackManager(*flags.Assets, *flags.Data, digitalSignatureService, fileService, reverseTunnelService)
 	if err != nil {
 		log.Fatalf("failed initializing swarm stack manager: %v", err)
@@ -461,6 +465,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 	}
 
 	return &http.Server{
+		AuthorizationService:        authorizationService,
 		ReverseTunnelService:        reverseTunnelService,
 		Status:                      applicationStatus,
 		BindAddress:                 *flags.Addr,

api/filesystem/filesystem.go

@@ -31,6 +31,8 @@ const (
 	ComposeStorePath = "compose"
 	// ComposeFileDefaultName represents the default name of a compose file.
 	ComposeFileDefaultName = "docker-compose.yml"
+	// ManifestFileDefaultName represents the default name of a k8s manifest file.
+	ManifestFileDefaultName = "k8s-deployment.yml"
 	// EdgeStackStorePath represents the subfolder where edge stack files are stored in the file store folder.
 	EdgeStackStorePath = "edge_stacks"
 	// PrivateKeyFile represents the name on disk of the file containing the private key.

api/http/handler/customtemplates/customtemplate_create.go

@@ -236,7 +236,14 @@ func (handler *Handler) createCustomTemplateFromGitRepository(r *http.Request) (
 	projectPath := handler.FileService.GetCustomTemplateProjectPath(strconv.Itoa(customTemplateID))
 	customTemplate.ProjectPath = projectPath
 
-	err = handler.GitService.CloneRepository(projectPath, payload.RepositoryURL, payload.RepositoryReferenceName, payload.RepositoryUsername, payload.RepositoryPassword)
+	repositoryUsername := payload.RepositoryUsername
+	repositoryPassword := payload.RepositoryPassword
+	if !payload.RepositoryAuthentication {
+		repositoryUsername = ""
+		repositoryPassword = ""
+	}
+
+	err = handler.GitService.CloneRepository(projectPath, payload.RepositoryURL, payload.RepositoryReferenceName, repositoryUsername, repositoryPassword)
 	if err != nil {
 		return nil, err
 	}

api/http/handler/edgestacks/edgestack_create.go

@@ -212,7 +212,14 @@ func (handler *Handler) createSwarmStackFromGitRepository(r *http.Request) (*por
 	projectPath := handler.FileService.GetEdgeStackProjectPath(strconv.Itoa(int(stack.ID)))
 	stack.ProjectPath = projectPath
 
-	err = handler.GitService.CloneRepository(projectPath, payload.RepositoryURL, payload.RepositoryReferenceName, payload.RepositoryUsername, payload.RepositoryPassword)
+	repositoryUsername := payload.RepositoryUsername
+	repositoryPassword := payload.RepositoryPassword
+	if !payload.RepositoryAuthentication {
+		repositoryUsername = ""
+		repositoryPassword = ""
+	}
+
+	err = handler.GitService.CloneRepository(projectPath, payload.RepositoryURL, payload.RepositoryReferenceName, repositoryUsername, repositoryPassword)
 	if err != nil {
 		return nil, err
 	}

api/http/handler/endpointgroups/endpointgroup_update.go

@@ -109,12 +109,33 @@ func (handler *Handler) endpointGroupUpdate(w http.ResponseWriter, r *http.Reque
 		}
 	}
 
+	updateAuthorizations := false
 	if payload.UserAccessPolicies != nil && !reflect.DeepEqual(payload.UserAccessPolicies, endpointGroup.UserAccessPolicies) {
 		endpointGroup.UserAccessPolicies = payload.UserAccessPolicies
+		updateAuthorizations = true
 	}
 
 	if payload.TeamAccessPolicies != nil && !reflect.DeepEqual(payload.TeamAccessPolicies, endpointGroup.TeamAccessPolicies) {
 		endpointGroup.TeamAccessPolicies = payload.TeamAccessPolicies
+		updateAuthorizations = true
+	}
+
+	if updateAuthorizations {
+		endpoints, err := handler.DataStore.Endpoint().Endpoints()
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoints from the database", err}
+		}
+
+		for _, endpoint := range endpoints {
+			if endpoint.GroupID == endpointGroup.ID {
+				if endpoint.Type == portainer.KubernetesLocalEnvironment || endpoint.Type == portainer.AgentOnKubernetesEnvironment || endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment {
+					err = handler.AuthorizationService.CleanNAPWithOverridePolicies(&endpoint, endpointGroup)
+					if err != nil {
+						return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update user authorizations", err}
+					}
+				}
+			}
+		}
 	}
 
 	err = handler.DataStore.EndpointGroup().UpdateEndpointGroup(endpointGroup.ID, endpointGroup)

api/http/handler/endpointgroups/handler.go

@@ -1,6 +1,7 @@
 package endpointgroups
 
 import (
+	"github.com/portainer/portainer/api/internal/authorization"
 	"net/http"
 
 	"github.com/gorilla/mux"
@@ -12,6 +13,7 @@ import (
 // Handler is the HTTP handler used to handle endpoint group operations.
 type Handler struct {
 	*mux.Router
+	AuthorizationService *authorization.Service
 	DataStore portainer.DataStore
 }
 

api/http/handler/endpoints/endpoint_update.go

@@ -155,11 +155,14 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 		endpoint.Kubernetes = *payload.Kubernetes
 	}
 
+	updateAuthorizations := false
 	if payload.UserAccessPolicies != nil && !reflect.DeepEqual(payload.UserAccessPolicies, endpoint.UserAccessPolicies) {
+		updateAuthorizations = true
 		endpoint.UserAccessPolicies = payload.UserAccessPolicies
 	}
 
 	if payload.TeamAccessPolicies != nil && !reflect.DeepEqual(payload.TeamAccessPolicies, endpoint.TeamAccessPolicies) {
+		updateAuthorizations = true
 		endpoint.TeamAccessPolicies = payload.TeamAccessPolicies
 	}
 
@@ -252,6 +255,15 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 		}
 	}
 
+	if updateAuthorizations {
+		if endpoint.Type == portainer.KubernetesLocalEnvironment || endpoint.Type == portainer.AgentOnKubernetesEnvironment || endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment {
+			err = handler.AuthorizationService.CleanNAPWithOverridePolicies(endpoint, nil)
+			if err != nil {
+				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update user authorizations", err}
+			}
+		}
+	}
+
 	err = handler.DataStore.Endpoint().UpdateEndpoint(endpoint.ID, endpoint)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint changes inside the database", err}

api/http/handler/endpoints/handler.go

@@ -5,6 +5,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/proxy"
 	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/authorization"
 
 	"net/http"
 
@@ -28,6 +29,7 @@ type Handler struct {
 	ReverseTunnelService portainer.ReverseTunnelService
 	SnapshotService      portainer.SnapshotService
 	ComposeStackManager  portainer.ComposeStackManager
+	AuthorizationService *authorization.Service
 }
 
 // NewHandler creates a handler to manage endpoint operations.

api/http/handler/stacks/create_compose_stack.go

@@ -237,11 +237,11 @@ func (handler *Handler) createComposeStackFromFileUpload(w http.ResponseWriter,
 
 	isUnique, err := handler.checkUniqueName(endpoint, payload.Name, 0, false)
 	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to check for name collision", err}
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to check for name collision", Err: err}
 	}
 	if !isUnique {
 		errorMessage := fmt.Sprintf("A stack with the name '%s' already exists", payload.Name)
-		return &httperror.HandlerError{http.StatusConflict, errorMessage, errors.New(errorMessage)}
+		return &httperror.HandlerError{StatusCode: http.StatusConflict, Message: errorMessage, Err: errors.New(errorMessage)}
 	}
 
 	stackID := handler.DataStore.Stack().GetNextIdentifier()

api/http/handler/stacks/create_kubernetes_stack.go

@@ -2,7 +2,11 @@ package stacks
 
 import (
 	"errors"
+	"io/ioutil"
 	"net/http"
+	"path/filepath"
+	"strconv"
+	"time"
 
 	"github.com/asaskevich/govalidator"
 
@@ -10,16 +14,29 @@ import (
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
 	portainer "github.com/portainer/portainer/api"
-	endpointutils "github.com/portainer/portainer/api/internal/endpoint"
+	"github.com/portainer/portainer/api/filesystem"
 )
 
-type kubernetesStackPayload struct {
+const defaultReferenceName = "refs/heads/master"
+
+type kubernetesStringDeploymentPayload struct {
 	ComposeFormat    bool
 	Namespace        string
 	StackFileContent string
 }
 
-func (payload *kubernetesStackPayload) Validate(r *http.Request) error {
+type kubernetesGitDeploymentPayload struct {
+	ComposeFormat            bool
+	Namespace                string
+	RepositoryURL            string
+	RepositoryReferenceName  string
+	RepositoryAuthentication bool
+	RepositoryUsername       string
+	RepositoryPassword       string
+	FilePathInRepository     string
+}
+
+func (payload *kubernetesStringDeploymentPayload) Validate(r *http.Request) error {
 	if govalidator.IsNull(payload.StackFileContent) {
 		return errors.New("Invalid stack file content")
 	}
@@ -29,24 +46,63 @@ func (payload *kubernetesStackPayload) Validate(r *http.Request) error {
 	return nil
 }
 
+func (payload *kubernetesGitDeploymentPayload) Validate(r *http.Request) error {
+	if govalidator.IsNull(payload.Namespace) {
+		return errors.New("Invalid namespace")
+	}
+	if govalidator.IsNull(payload.RepositoryURL) || !govalidator.IsURL(payload.RepositoryURL) {
+		return errors.New("Invalid repository URL. Must correspond to a valid URL format")
+	}
+	if payload.RepositoryAuthentication && govalidator.IsNull(payload.RepositoryPassword) {
+		return errors.New("Invalid repository credentials. Password must be specified when authentication is enabled")
+	}
+	if govalidator.IsNull(payload.FilePathInRepository) {
+		return errors.New("Invalid file path in repository")
+	}
+	if govalidator.IsNull(payload.RepositoryReferenceName) {
+		payload.RepositoryReferenceName = defaultReferenceName
+	}
+	return nil
+}
+
 type createKubernetesStackResponse struct {
 	Output string `json:"Output"`
 }
 
-func (handler *Handler) createKubernetesStack(w http.ResponseWriter, r *http.Request, endpoint *portainer.Endpoint) *httperror.HandlerError {
-	if !endpointutils.IsKubernetesEndpoint(endpoint) {
-		return &httperror.HandlerError{http.StatusBadRequest, "Endpoint type does not match", errors.New("Endpoint type does not match")}
+func (handler *Handler) createKubernetesStackFromFileContent(w http.ResponseWriter, r *http.Request, endpoint *portainer.Endpoint) *httperror.HandlerError {
+	var payload kubernetesStringDeploymentPayload
+	if err := request.DecodeAndValidateJSONPayload(r, &payload); err != nil {
+		return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Invalid request payload", Err: err}
 	}
 
-	var payload kubernetesStackPayload
-	err := request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	stackID := handler.DataStore.Stack().GetNextIdentifier()
+	stack := &portainer.Stack{
+		ID:           portainer.StackID(stackID),
+		Type:         portainer.KubernetesStack,
+		EndpointID:   endpoint.ID,
+		EntryPoint:   filesystem.ManifestFileDefaultName,
+		Status:       portainer.StackStatusActive,
+		CreationDate: time.Now().Unix(),
 	}
 
+	stackFolder := strconv.Itoa(int(stack.ID))
+	projectPath, err := handler.FileService.StoreStackFileFromBytes(stackFolder, stack.EntryPoint, []byte(payload.StackFileContent))
+	if err != nil {
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to persist Kubernetes manifest file on disk", Err: err}
+	}
+	stack.ProjectPath = projectPath
+
+	doCleanUp := true
+	defer handler.cleanUp(stack, &doCleanUp)
+
 	output, err := handler.deployKubernetesStack(endpoint, payload.StackFileContent, payload.ComposeFormat, payload.Namespace)
 	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to deploy Kubernetes stack", err}
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to deploy Kubernetes stack", Err: err}
+	}
+
+	err = handler.DataStore.Stack().CreateStack(stack)
+	if err != nil {
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to persist the Kubernetes stack inside the database", Err: err}
 	}
 
 	resp := &createKubernetesStackResponse{
@@ -56,6 +112,49 @@ func (handler *Handler) createKubernetesStack(w http.ResponseWriter, r *http.Req
 	return response.JSON(w, resp)
 }
 
+func (handler *Handler) createKubernetesStackFromGitRepository(w http.ResponseWriter, r *http.Request, endpoint *portainer.Endpoint) *httperror.HandlerError {
+	var payload kubernetesGitDeploymentPayload
+	if err := request.DecodeAndValidateJSONPayload(r, &payload); err != nil {
+		return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Invalid request payload", Err: err}
+	}
+
+	stackID := handler.DataStore.Stack().GetNextIdentifier()
+	stack := &portainer.Stack{
+		ID:           portainer.StackID(stackID),
+		Type:         portainer.KubernetesStack,
+		EndpointID:   endpoint.ID,
+		EntryPoint:   payload.FilePathInRepository,
+		Status:       portainer.StackStatusActive,
+		CreationDate: time.Now().Unix(),
+	}
+
+	projectPath := handler.FileService.GetStackProjectPath(strconv.Itoa(int(stack.ID)))
+	stack.ProjectPath = projectPath
+
+	doCleanUp := true
+	defer handler.cleanUp(stack, &doCleanUp)
+
+	stackFileContent, err := handler.cloneManifestContentFromGitRepo(&payload, stack.ProjectPath)
+	if err != nil {
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Failed to process manifest from Git repository", Err: err}
+	}
+
+	output, err := handler.deployKubernetesStack(endpoint, stackFileContent, payload.ComposeFormat, payload.Namespace)
+	if err != nil {
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to deploy Kubernetes stack", Err: err}
+	}
+
+	err = handler.DataStore.Stack().CreateStack(stack)
+	if err != nil {
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to persist the stack inside the database", Err: err}
+	}
+
+	resp := &createKubernetesStackResponse{
+		Output: output,
+	}
+	return response.JSON(w, resp)
+}
+
 func (handler *Handler) deployKubernetesStack(endpoint *portainer.Endpoint, stackConfig string, composeFormat bool, namespace string) (string, error) {
 	handler.stackCreationMutex.Lock()
 	defer handler.stackCreationMutex.Unlock()
@@ -71,3 +170,22 @@ func (handler *Handler) deployKubernetesStack(endpoint *portainer.Endpoint, stac
 	return handler.KubernetesDeployer.Deploy(endpoint, stackConfig, namespace)
 
 }
+
+func (handler *Handler) cloneManifestContentFromGitRepo(gitInfo *kubernetesGitDeploymentPayload, projectPath string) (string, error) {
+	repositoryUsername := gitInfo.RepositoryUsername
+	repositoryPassword := gitInfo.RepositoryPassword
+	if !gitInfo.RepositoryAuthentication {
+		repositoryUsername = ""
+		repositoryPassword = ""
+	}
+
+	err := handler.GitService.CloneRepository(projectPath, gitInfo.RepositoryURL, gitInfo.RepositoryReferenceName, repositoryUsername, repositoryPassword)
+	if err != nil {
+		return "", err
+	}
+	content, err := ioutil.ReadFile(filepath.Join(projectPath, gitInfo.FilePathInRepository))
+	if err != nil {
+		return "", err
+	}
+	return string(content), nil
+}

api/http/handler/stacks/create_kubernetes_stack_test.go

@@ -0,0 +1,64 @@
+package stacks
+
+import (
+	"io/ioutil"
+	"os"
+	"path"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+type git struct {
+	content string
+}
+
+func (g *git) CloneRepository(destination string, repositoryURL, referenceName, username, password string) error {
+	return g.ClonePublicRepository(repositoryURL, referenceName, destination)
+}
+func (g *git) ClonePublicRepository(repositoryURL string, referenceName string, destination string) error {
+	return ioutil.WriteFile(path.Join(destination, "deployment.yml"), []byte(g.content), 0755)
+}
+func (g *git) ClonePrivateRepositoryWithBasicAuth(repositoryURL, referenceName string, destination, username, password string) error {
+	return g.ClonePublicRepository(repositoryURL, referenceName, destination)
+}
+
+func TestCloneAndConvertGitRepoFile(t *testing.T) {
+	dir, err := os.MkdirTemp("", "kube-create-stack")
+	assert.NoError(t, err, "failed to create a tmp dir")
+	defer os.RemoveAll(dir)
+
+	content := `apiVersion: apps/v1
+	kind: Deployment
+	metadata:
+		name: nginx-deployment
+		labels:
+			app: nginx
+	spec:
+		replicas: 3
+		selector:
+			matchLabels:
+				app: nginx
+		template:
+			metadata:
+				labels:
+					app: nginx
+			spec:
+				containers:
+				- name: nginx
+					image: nginx:1.14.2
+					ports:
+					- containerPort: 80`
+
+	h := &Handler{
+		GitService: &git{
+			content: content,
+		},
+	}
+	gitInfo := &kubernetesGitDeploymentPayload{
+		FilePathInRepository: "deployment.yml",
+	}
+	fileContent, err := h.cloneManifestContentFromGitRepo(gitInfo, dir)
+	assert.NoError(t, err, "failed to clone or convert the file from Git repo")
+	assert.Equal(t, content, fileContent)
+}

api/http/handler/stacks/stack_create.go

@@ -112,7 +112,7 @@ func (handler *Handler) stackCreate(w http.ResponseWriter, r *http.Request) *htt
 	case portainer.DockerComposeStack:
 		return handler.createComposeStack(w, r, method, endpoint, tokenData.ID)
 	case portainer.KubernetesStack:
-		return handler.createKubernetesStack(w, r, endpoint)
+		return handler.createKubernetesStack(w, r, method, endpoint)
 	}
 
 	return &httperror.HandlerError{http.StatusBadRequest, "Invalid value for query parameter: type. Value must be one of: 1 (Swarm stack) or 2 (Compose stack)", errors.New(request.ErrInvalidQueryParameter)}
@@ -145,6 +145,16 @@ func (handler *Handler) createSwarmStack(w http.ResponseWriter, r *http.Request,
 	return &httperror.HandlerError{http.StatusBadRequest, "Invalid value for query parameter: method. Value must be one of: string, repository or file", errors.New(request.ErrInvalidQueryParameter)}
 }
 
+func (handler *Handler) createKubernetesStack(w http.ResponseWriter, r *http.Request, method string, endpoint *portainer.Endpoint) *httperror.HandlerError {
+	switch method {
+	case "string":
+		return handler.createKubernetesStackFromFileContent(w, r, endpoint)
+	case "repository":
+		return handler.createKubernetesStackFromGitRepository(w, r, endpoint)
+	}
+	return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Invalid value for query parameter: method. Value must be one of: string or repository", Err: errors.New(request.ErrInvalidQueryParameter)}
+}
+
 func (handler *Handler) isValidStackFile(stackFileContent []byte, securitySettings *portainer.EndpointSecuritySettings) error {
 	composeConfigYAML, err := loader.ParseYAML(stackFileContent)
 	if err != nil {
@@ -226,6 +236,10 @@ func (handler *Handler) decorateStackResponse(w http.ResponseWriter, stack *port
 }
 
 func (handler *Handler) cloneAndSaveConfig(stack *portainer.Stack, projectPath, repositoryURL, refName, configFilePath string, auth bool, username, password string) error {
+	if !auth {
+		username = ""
+		password = ""
+	}
 
 	err := handler.GitService.CloneRepository(projectPath, repositoryURL, refName, username, password)
 	if err != nil {

api/http/handler/stacks/stack_update_git.go

@@ -106,7 +106,14 @@ func (handler *Handler) stackUpdateGit(w http.ResponseWriter, r *http.Request) *
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to move git repository directory", err}
 	}
 
-	err = handler.GitService.CloneRepository(stack.ProjectPath, stack.GitConfig.URL, payload.RepositoryReferenceName, payload.RepositoryUsername, payload.RepositoryPassword)
+	repositoryUsername := payload.RepositoryUsername
+	repositoryPassword := payload.RepositoryPassword
+	if !payload.RepositoryAuthentication {
+		repositoryUsername = ""
+		repositoryPassword = ""
+	}
+
+	err = handler.GitService.CloneRepository(stack.ProjectPath, stack.GitConfig.URL, payload.RepositoryReferenceName, repositoryUsername, repositoryPassword)
 	if err != nil {
 		restoreError := filesystem.MoveDirectory(backupProjectPath, stack.ProjectPath)
 		if restoreError != nil {
@@ -116,6 +123,13 @@ func (handler *Handler) stackUpdateGit(w http.ResponseWriter, r *http.Request) *
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to clone git repository", err}
 	}
 
+	defer func() {
+		err = handler.FileService.RemoveDirectory(backupProjectPath)
+		if err != nil {
+			log.Printf("[WARN] [http,stacks,git] [error: %s] [message: unable to remove git repository directory]", err)
+		}
+	}()
+
 	httpErr := handler.deployStack(r, stack, endpoint)
 	if httpErr != nil {
 		return httpErr
@@ -126,11 +140,6 @@ func (handler *Handler) stackUpdateGit(w http.ResponseWriter, r *http.Request) *
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the stack changes inside the database", err}
 	}
 
-	err = handler.FileService.RemoveDirectory(backupProjectPath)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to remove git repository directory", err}
-	}
-
 	return response.JSON(w, stack)
 }
 

api/http/server.go

@@ -45,11 +45,13 @@ import (
 	"github.com/portainer/portainer/api/http/proxy"
 	"github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
 	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/authorization"
 	"github.com/portainer/portainer/api/kubernetes/cli"
 )
 
 // Server implements the portainer.Server interface
 type Server struct {
+	AuthorizationService 		*authorization.Service
 	BindAddress                 string
 	AssetsPath                  string
 	Status                      *portainer.Status
@@ -135,6 +137,7 @@ func (server *Server) Start() error {
 	endpointHandler.SnapshotService = server.SnapshotService
 	endpointHandler.ReverseTunnelService = server.ReverseTunnelService
 	endpointHandler.ComposeStackManager = server.ComposeStackManager
+	endpointHandler.AuthorizationService = server.AuthorizationService
 
 	var endpointEdgeHandler = endpointedge.NewHandler(requestBouncer)
 	endpointEdgeHandler.DataStore = server.DataStore
@@ -142,6 +145,7 @@ func (server *Server) Start() error {
 	endpointEdgeHandler.ReverseTunnelService = server.ReverseTunnelService
 
 	var endpointGroupHandler = endpointgroups.NewHandler(requestBouncer)
+	endpointGroupHandler.AuthorizationService = server.AuthorizationService
 	endpointGroupHandler.DataStore = server.DataStore
 
 	var endpointProxyHandler = endpointproxy.NewHandler(requestBouncer)

api/internal/authorization/authorizations.go

@@ -1,11 +1,15 @@
 package authorization
 
-import "github.com/portainer/portainer/api"
+import (
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/kubernetes/cli"
+)
 
 // Service represents a service used to
 // update authorizations associated to a user or team.
 type Service struct {
 	dataStore portainer.DataStore
+	K8sClientFactory  *cli.ClientFactory
 }
 
 // NewService returns a point to a new Service instance.

api/internal/authorization/endpint_role_with_override.go

@@ -0,0 +1,134 @@
+package authorization
+
+import portainer "github.com/portainer/portainer/api"
+
+// CleanNAPWithOverridePolicies Clean Namespace Access Policies with override policies
+func (service *Service) CleanNAPWithOverridePolicies(
+	endpoint *portainer.Endpoint,
+	endpointGroup *portainer.EndpointGroup,
+) error {
+	kubecli, err := service.K8sClientFactory.GetKubeClient(endpoint)
+	if err != nil {
+		return err
+	}
+
+	accessPolicies, err := kubecli.GetNamespaceAccessPolicies()
+	if err != nil {
+		return err
+	}
+
+	hasChange := false
+
+	for namespace, policy := range accessPolicies {
+		for teamID := range policy.TeamAccessPolicies {
+			access, err := service.getTeamEndpointAccessWithPolicies(teamID, endpoint, endpointGroup)
+			if err != nil {
+				return err
+			}
+			if !access {
+				delete(accessPolicies[namespace].TeamAccessPolicies, teamID)
+				hasChange = true
+			}
+		}
+
+		for userID := range policy.UserAccessPolicies {
+			access, err := service.getUserEndpointAccessWithPolicies(userID, endpoint, endpointGroup)
+			if err != nil {
+				return err
+			}
+			if !access {
+				delete(accessPolicies[namespace].UserAccessPolicies, userID)
+				hasChange = true
+			}
+		}
+	}
+
+	if hasChange {
+		err = kubecli.UpdateNamespaceAccessPolicies(accessPolicies)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (service *Service) getUserEndpointAccessWithPolicies(
+	userID portainer.UserID,
+	endpoint *portainer.Endpoint,
+	endpointGroup *portainer.EndpointGroup,
+) (bool, error) {
+	memberships, err := service.dataStore.TeamMembership().TeamMembershipsByUserID(userID)
+	if err != nil {
+		return false, err
+	}
+
+	if endpointGroup == nil {
+		endpointGroup, err = service.dataStore.EndpointGroup().EndpointGroup(endpoint.GroupID)
+		if err != nil {
+			return false, err
+		}
+	}
+
+	if userAccess(userID, endpoint.UserAccessPolicies, endpoint.TeamAccessPolicies, memberships) {
+		return true, nil
+	}
+
+	if userAccess(userID, endpointGroup.UserAccessPolicies, endpointGroup.TeamAccessPolicies, memberships) {
+		return true, nil
+	}
+
+	return false, nil
+
+}
+
+func userAccess(
+	userID portainer.UserID,
+	userAccessPolicies portainer.UserAccessPolicies,
+	teamAccessPolicies portainer.TeamAccessPolicies,
+	memberships []portainer.TeamMembership,
+) bool {
+	if _, ok := userAccessPolicies[userID]; ok {
+		return true
+	}
+
+	for _, membership := range memberships {
+		if _, ok := teamAccessPolicies[membership.TeamID]; ok {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (service *Service) getTeamEndpointAccessWithPolicies(
+	teamID portainer.TeamID,
+	endpoint *portainer.Endpoint,
+	endpointGroup *portainer.EndpointGroup,
+) (bool, error) {
+	if endpointGroup == nil {
+		var err error
+		endpointGroup, err = service.dataStore.EndpointGroup().EndpointGroup(endpoint.GroupID)
+		if err != nil {
+			return false, err
+		}
+	}
+
+	if teamAccess(teamID, endpoint.TeamAccessPolicies) {
+		return true, nil
+	}
+
+	if teamAccess(teamID, endpointGroup.TeamAccessPolicies) {
+		return true, nil
+	}
+
+	return false, nil
+}
+
+func teamAccess(
+	teamID portainer.TeamID,
+	teamAccessPolicies portainer.TeamAccessPolicies,
+) bool {
+	_, ok := teamAccessPolicies[teamID];
+	return ok
+}

api/kubernetes/cli/access.go

@@ -9,12 +9,7 @@ import (
 )
 
 type (
-	accessPolicies struct {
-		UserAccessPolicies portainer.UserAccessPolicies `json:"UserAccessPolicies"`
-		TeamAccessPolicies portainer.TeamAccessPolicies `json:"TeamAccessPolicies"`
-	}
-
-	namespaceAccessPolicies map[string]accessPolicies
+	namespaceAccessPolicies map[string]portainer.K8sNamespaceAccessPolicy
 )
 
 func (kcl *KubeClient) setupNamespaceAccesses(userID int, teamIDs []int, serviceAccountName string) error {
@@ -69,7 +64,7 @@ func (kcl *KubeClient) setupNamespaceAccesses(userID int, teamIDs []int, service
 	return nil
 }
 
-func hasUserAccessToNamespace(userID int, teamIDs []int, policies accessPolicies) bool {
+func hasUserAccessToNamespace(userID int, teamIDs []int, policies portainer.K8sNamespaceAccessPolicy) bool {
 	_, userAccess := policies.UserAccessPolicies[portainer.UserID(userID)]
 	if userAccess {
 		return true
@@ -84,3 +79,50 @@ func hasUserAccessToNamespace(userID int, teamIDs []int, policies accessPolicies
 
 	return false
 }
+
+// GetNamespaceAccessPolicies gets the namespace access policies
+// from config maps in the portainer namespace
+func (kcl *KubeClient) GetNamespaceAccessPolicies() (map[string]portainer.K8sNamespaceAccessPolicy, error) {
+	configMap, err := kcl.cli.CoreV1().ConfigMaps(portainerNamespace).Get(portainerConfigMapName, metav1.GetOptions{})
+	if k8serrors.IsNotFound(err) {
+		return nil, nil
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	accessData := configMap.Data[portainerConfigMapAccessPoliciesKey]
+
+	var policies map[string]portainer.K8sNamespaceAccessPolicy
+	err = json.Unmarshal([]byte(accessData), &policies)
+	if err != nil {
+		return nil, err
+	}
+	return policies, nil
+}
+
+// UpdateNamespaceAccessPolicies updates the namespace access policies
+func (kcl *KubeClient) UpdateNamespaceAccessPolicies(accessPolicies map[string]portainer.K8sNamespaceAccessPolicy) error {
+	data, err := json.Marshal(accessPolicies)
+	if err != nil {
+		return err
+	}
+
+	configMap, err := kcl.cli.CoreV1().ConfigMaps(portainerNamespace).Get(portainerConfigMapName, metav1.GetOptions{})
+	if k8serrors.IsNotFound(err) {
+		return nil
+	}
+
+	if err != nil {
+		return err
+	}
+
+	configMap.Data[portainerConfigMapAccessPoliciesKey] = string(data)
+	_, err = kcl.cli.CoreV1().ConfigMaps(portainerNamespace).Update(configMap)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

api/portainer.go

@@ -392,6 +392,11 @@ type (
 	// JobType represents a job type
 	JobType int
 
+	K8sNamespaceAccessPolicy struct {
+		UserAccessPolicies UserAccessPolicies `json:"UserAccessPolicies"`
+		TeamAccessPolicies TeamAccessPolicies `json:"TeamAccessPolicies"`
+	}
+
 	// KubernetesData contains all the Kubernetes related endpoint information
 	KubernetesData struct {
 		Snapshots     []KubernetesSnapshot    `json:"Snapshots"`
@@ -1160,6 +1165,8 @@ type (
 		SetupUserServiceAccount(userID int, teamIDs []int) error
 		GetServiceAccountBearerToken(userID int) (string, error)
 		StartExecProcess(namespace, podName, containerName string, command []string, stdin io.Reader, stdout io.Writer) error
+		GetNamespaceAccessPolicies() (map[string]K8sNamespaceAccessPolicy, error)
+		UpdateNamespaceAccessPolicies(accessPolicies map[string]K8sNamespaceAccessPolicy) error
 	}
 
 	// KubernetesDeployer represents a service to deploy a manifest inside a Kubernetes endpoint
@@ -1334,9 +1341,9 @@ type (
 
 const (
 	// APIVersion is the version number of the Portainer API
-	APIVersion = "2.5.1"
+	APIVersion = "2.6.0"
 	// DBVersion is the version number of the Portainer database
-	DBVersion = 31
+	DBVersion = 30
 	// ComposeSyntaxMaxVersion is a maximum supported version of the docker compose syntax
 	ComposeSyntaxMaxVersion = "3.9"
 	// AssetsServerURL represents the URL of the Portainer asset server

app/azure/views/containerinstances/create/createContainerInstanceController.js

@@ -8,7 +8,8 @@ angular.module('portainer.azure').controller('AzureCreateContainerInstanceContro
   'Notifications',
   'Authentication',
   'ResourceControlService',
-  function ($q, $scope, $state, AzureService, Notifications, Authentication, ResourceControlService) {
+  'FormValidator',
+  function ($q, $scope, $state, AzureService, Notifications, Authentication, ResourceControlService, FormValidator) {
     var allResourceGroups = [];
     var allProviders = [];
 
@@ -70,6 +71,11 @@ angular.module('portainer.azure').controller('AzureCreateContainerInstanceContro
         return 'At least one port binding is required';
       }
 
+      const error = FormValidator.validateAccessControl(model.AccessControlData, Authentication.isAdmin());
+      if (error !== '') {
+        return error;
+      }
+
       return null;
     }
 

app/kubernetes/components/yaml-inspector/yamlInspector.html

@@ -3,7 +3,8 @@
   <div style="margin: 15px;">
     <span class="btn btn-primary btn-sm" ng-click="$ctrl.copyYAML()"><i class="fa fa-copy space-right" aria-hidden="true"></i>Copy to clipboard</span>
     <span class="btn btn-primary btn-sm space-left" ng-click="$ctrl.toggleYAMLInspectorExpansion()">
-      <i class="fa fa-{{ $ctrl.expanded ? 'minus' : 'plus' }} space-right" aria-hidden="true"></i>{{ $ctrl.expanded ? 'Collapse' : 'Expand' }}</span>
+      <i class="fa fa-{{ $ctrl.expanded ? 'minus' : 'plus' }} space-right" aria-hidden="true"></i>{{ $ctrl.expanded ? 'Collapse' : 'Expand' }}</span
+    >
     <span id="copyNotificationYAML" style="margin-left: 7px; display: none; color: #23ae89;" class="small"> <i class="fa fa-check" aria-hidden="true"></i> copied </span>
   </div>
 </div>

app/kubernetes/models/deploy.js

@@ -2,3 +2,13 @@ export const KubernetesDeployManifestTypes = Object.freeze({
   KUBERNETES: 1,
   COMPOSE: 2,
 });
+
+export const KubernetesDeployBuildMethods = Object.freeze({
+  GIT: 1,
+  WEB_EDITOR: 2,
+});
+
+export const KubernetesDeployRequestMethods = Object.freeze({
+  REPOSITORY: 'repository',
+  STRING: 'string',
+});

app/kubernetes/views/applications/create/createApplication.html

@@ -207,8 +207,8 @@
                         <ng-messages for="kubernetesApplicationCreationForm['environment_variable_name_' + $index].$error">
                           <p ng-message="required"><i class="fa fa-exclamation-triangle" aria-hidden="true"></i> Environment variable name is required.</p>
                           <p ng-message="pattern"
-                          ><i class="fa fa-exclamation-triangle" aria-hidden="true"></i> This field must consist of alphabetic characters, digits, '_', '-', or '.', and must
-                          not start with a digit (e.g. 'my.env-name', or 'MY_ENV.NAME', or 'MyEnvName1'.</p
+                            ><i class="fa fa-exclamation-triangle" aria-hidden="true"></i> This field must consist of alphabetic characters, digits, '_', '-', or '.', and must not
+                            start with a digit (e.g. 'my.env-name', or 'MY_ENV.NAME', or 'MyEnvName1'.</p
                           >
                         </ng-messages>
                         <p ng-if="ctrl.state.duplicates.environmentVariables.refs[$index] !== undefined"

app/kubernetes/views/configure/configureController.js

@@ -175,7 +175,7 @@ class KubernetesConfigureController {
       }
     });
   }
-  
+
   enableMetricsServer() {
     if (this.formValues.UseServerMetrics) {
       this.state.metrics.userClick = true;

app/kubernetes/views/deploy/deploy.html

@@ -52,41 +52,162 @@
                   </div>
                 </div>
                 <!-- !deploy-type -->
-                <!-- editor -->
+
+                <!-- build method -->
                 <div class="col-sm-12 form-section-title">
-                  Web editor
+                  Build method
                 </div>
-                <div class="form-group">
-                  <span class="col-sm-12 text-muted small" ng-show="ctrl.state.DeployType === ctrl.ManifestDeployTypes.COMPOSE">
-                    <p>
-                      <i class="fa fa-exclamation-circle orange-icon" aria-hidden="true" style="margin-right: 2px;"></i>
-                      Portainer uses <a href="https://kompose.io/" target="_blank">Kompose</a> to convert your Compose manifest to a Kubernetes compliant manifest. Be wary that not
-                      all the Compose format options are supported by Kompose at the moment.
-                    </p>
-                    <p>
-                      You can get more information about Compose file format in the
-                      <a href="https://docs.docker.com/compose/compose-file/" target="_blank">official documentation</a>.
-                    </p>
-                  </span>
-                  <span class="col-sm-12 text-muted small" ng-show="ctrl.state.DeployType === ctrl.ManifestDeployTypes.KUBERNETES">
-                    <p>
-                      <i class="fa fa-info-circle blue-icon" aria-hidden="true" style="margin-right: 2px;"></i>
-                      This feature allows you to deploy any kind of Kubernetes resource in this environment (Deployment, Secret, ConfigMap...).
-                    </p>
-                    <p>
-                      You can get more information about Kubernetes file format in the
-                      <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/" target="_blank">official documentation</a>.
-                    </p>
-                  </span>
+                <div class="form-group"></div>
+                <div class="form-group" style="margin-bottom: 0;">
+                  <div class="boxselector_wrapper">
+                    <div>
+                      <input type="radio" id="build_method_git" ng-model="ctrl.state.BuildMethod" ng-value="ctrl.BuildMethods.GIT" />
+                      <label for="build_method_git">
+                        <div class="boxselector_header">
+                          <i class="fab fa-github" aria-hidden="true" style="margin-right: 2px;"></i>
+                          Git Repository
+                        </div>
+                        <p>Use a git repository</p>
+                      </label>
+                    </div>
+                    <div>
+                      <input type="radio" id="build_method_web_editor" ng-model="ctrl.state.BuildMethod" ng-value="ctrl.BuildMethods.WEB_EDITOR" />
+                      <label for="build_method_web_editor">
+                        <div class="boxselector_header">
+                          <i class="fa fa-edit" aria-hidden="true" style="margin-right: 2px;"></i>
+                          Web editor
+                        </div>
+                        <p>Use our Web editor</p>
+                      </label>
+                    </div>
+                  </div>
                 </div>
-                <div class="form-group">
-                  <div class="col-sm-12">
-                    <code-editor
-                      identifier="kubernetes-deploy-editor"
-                      placeholder="# Define or paste the content of your manifest file here"
-                      yml="false"
-                      on-change="(ctrl.editorUpdate)"
-                    ></code-editor>
+
+                <!-- !deploy-type -->
+
+                <!-- repository -->
+                <div ng-show="ctrl.state.BuildMethod === ctrl.BuildMethods.GIT">
+                  <div class="col-sm-12 form-section-title">
+                    Git repository
+                  </div>
+                  <div class="form-group">
+                    <span class="col-sm-12 text-muted small">
+                      You can use the URL of a git repository.
+                    </span>
+                  </div>
+                  <div class="form-group">
+                    <label for="stack_repository_url" class="col-sm-2 control-label text-left">Repository URL</label>
+                    <div class="col-sm-10">
+                      <input
+                        type="text"
+                        class="form-control"
+                        ng-model="ctrl.formValues.RepositoryURL"
+                        id="stack_repository_url"
+                        placeholder="https://github.com/portainer/deployment-repository"
+                      />
+                    </div>
+                  </div>
+                  <div class="form-group">
+                    <span class="col-sm-12 text-muted small">
+                      Specify a reference of the repository using the following syntax: branches with
+                      <code>refs/heads/branch_name</code> or tags with <code>refs/tags/tag_name</code>. If not specified, will use the default <code>HEAD</code> reference normally
+                      the <code>master</code> branch.
+                    </span>
+                  </div>
+                  <div class="form-group">
+                    <label for="stack_repository_url" class="col-sm-2 control-label text-left">Repository reference</label>
+                    <div class="col-sm-10">
+                      <input
+                        type="text"
+                        class="form-control"
+                        ng-model="ctrl.formValues.RepositoryReferenceName"
+                        id="stack_repository_reference_name"
+                        placeholder="refs/heads/master"
+                      />
+                    </div>
+                  </div>
+                  <div class="form-group">
+                    <span class="col-sm-12 text-muted small">
+                      Indicate the path to the yaml file from the root of your repository.
+                    </span>
+                  </div>
+                  <div class="form-group">
+                    <label for="stack_repository_path" class="col-sm-2 control-label text-left">Manifest path</label>
+                    <div class="col-sm-10">
+                      <input type="text" class="form-control" ng-model="ctrl.formValues.FilePathInRepository" id="stack_manifest_path" placeholder="deployment.yml" />
+                    </div>
+                  </div>
+                  <div class="form-group">
+                    <div class="col-sm-12">
+                      <label class="control-label text-left">
+                        Authentication
+                      </label>
+                      <label class="switch" style="margin-left: 20px;"> <input type="checkbox" ng-model="ctrl.formValues.RepositoryAuthentication" /><i></i> </label>
+                    </div>
+                  </div>
+                  <div class="form-group" ng-if="ctrl.formValues.RepositoryAuthentication">
+                    <span class="col-sm-12 text-muted small">
+                      If your git account has 2FA enabled, you may receive an
+                      <code>authentication required</code> error when deploying your stack. In this case, you will need to provide a personal-access token instead of your password.
+                    </span>
+                  </div>
+                  <div class="form-group" ng-if="ctrl.formValues.RepositoryAuthentication">
+                    <label for="repository_username" class="col-sm-1 control-label text-left">Username</label>
+                    <div class="col-sm-11 col-md-5">
+                      <input type="text" class="form-control" ng-model="ctrl.formValues.RepositoryUsername" name="repository_username" placeholder="myGitUser" />
+                    </div>
+                    <label for="repository_password" class="col-sm-1 control-label text-left">
+                      Password
+                    </label>
+                    <div class="col-sm-11 col-md-5">
+                      <input type="password" class="form-control" ng-model="ctrl.formValues.RepositoryPassword" name="repository_password" placeholder="myPassword" />
+                    </div>
+                  </div>
+                </div>
+                <!-- !repository -->
+
+                <!-- editor -->
+                <div ng-if="ctrl.state.BuildMethod === ctrl.BuildMethods.WEB_EDITOR">
+                  <div class="col-sm-12 form-section-title">
+                    Web editor
+                  </div>
+                  <div class="form-group">
+                    <span class="col-sm-12 text-muted small" ng-show="ctrl.state.DeployType === ctrl.ManifestDeployTypes.COMPOSE">
+                      <p>
+                        <i class="fa fa-exclamation-circle orange-icon" aria-hidden="true" style="margin-right: 2px;"></i>
+                        Portainer uses <a href="https://kompose.io/" target="_blank">Kompose</a> to convert your Compose manifest to a Kubernetes compliant manifest. Be wary that
+                        not all the Compose format options are supported by Kompose at the moment.
+                      </p>
+                      <p>
+                        You can get more information about Compose file format in the
+                        <a href="https://docs.docker.com/compose/compose-file/" target="_blank">official documentation</a>.
+                      </p>
+                    </span>
+                    <span
+                      class="col-sm-12 text-muted small"
+                      ng-show="ctrl.state.DeployType === ctrl.ManifestDeployTypes.KUBERNETES && ctrl.state.BuildMethod === ctrl.BuildMethods.WEB_EDITOR"
+                    >
+                      <p>
+                        <i class="fa fa-info-circle blue-icon" aria-hidden="true" style="margin-right: 2px;"></i>
+                        This feature allows you to deploy any kind of Kubernetes resource in this environment (Deployment, Secret, ConfigMap...).
+                      </p>
+                      <p>
+                        You can get more information about Kubernetes file format in the
+                        <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/" target="_blank">official documentation</a>.
+                      </p>
+                    </span>
+                  </div>
+
+                  <div class="form-group">
+                    <div class="col-sm-12">
+                      <code-editor
+                        identifier="kubernetes-deploy-editor"
+                        placeholder="# Define or paste the content of your manifest file here"
+                        yml="false"
+                        value="ctrl.formValues.EditorContent"
+                        on-change="(ctrl.editorUpdate)"
+                      ></code-editor>
+                    </div>
                   </div>
                 </div>
                 <!-- !editor -->

app/kubernetes/views/deploy/deployController.js

@@ -1,7 +1,7 @@
 import angular from 'angular';
 import _ from 'lodash-es';
 import stripAnsi from 'strip-ansi';
-import { KubernetesDeployManifestTypes } from 'Kubernetes/models/deploy';
+import { KubernetesDeployManifestTypes, KubernetesDeployBuildMethods, KubernetesDeployRequestMethods } from 'Kubernetes/models/deploy';
 
 class KubernetesDeployController {
   /* @ngInject */
@@ -23,7 +23,14 @@ class KubernetesDeployController {
   }
 
   disableDeploy() {
-    return _.isEmpty(this.formValues.EditorContent) || _.isEmpty(this.formValues.Namespace) || this.state.actionInProgress;
+    const isGitFormInvalid =
+      this.state.BuildMethod === KubernetesDeployBuildMethods.GIT &&
+      (!this.formValues.RepositoryURL ||
+        !this.formValues.FilePathInRepository ||
+        (this.formValues.RepositoryAuthentication && (!this.formValues.RepositoryUsername || !this.formValues.RepositoryPassword)));
+    const isWebEditorInvalid = this.state.BuildMethod === KubernetesDeployBuildMethods.WEB_EDITOR && _.isEmpty(this.formValues.EditorContent);
+
+    return isGitFormInvalid || isWebEditorInvalid || _.isEmpty(this.formValues.Namespace) || this.state.actionInProgress;
   }
 
   async editorUpdateAsync(cm) {
@@ -46,8 +53,28 @@ class KubernetesDeployController {
     this.state.actionInProgress = true;
 
     try {
-      const compose = this.state.DeployType === this.ManifestDeployTypes.COMPOSE;
-      await this.StackService.kubernetesDeploy(this.endpointId, this.formValues.Namespace, this.formValues.EditorContent, compose);
+      const method = this.state.BuildMethod === this.BuildMethods.GIT ? KubernetesDeployRequestMethods.REPOSITORY : KubernetesDeployRequestMethods.STRING;
+
+      const payload = {
+        ComposeFormat: this.state.DeployType === this.ManifestDeployTypes.COMPOSE,
+        Namespace: this.formValues.Namespace,
+      };
+
+      if (method === KubernetesDeployRequestMethods.REPOSITORY) {
+        payload.RepositoryURL = this.formValues.RepositoryURL;
+        payload.RepositoryReferenceName = this.formValues.RepositoryReferenceName;
+        payload.RepositoryAuthentication = this.formValues.RepositoryAuthentication ? true : false;
+        if (payload.RepositoryAuthentication) {
+          payload.RepositoryUsername = this.formValues.RepositoryUsername;
+          payload.RepositoryPassword = this.formValues.RepositoryPassword;
+        }
+        payload.FilePathInRepository = this.formValues.FilePathInRepository;
+      } else {
+        payload.StackFileContent = this.formValues.EditorContent;
+      }
+
+      await this.StackService.kubernetesDeploy(this.endpointId, method, payload);
+
       this.Notifications.success('Manifest successfully deployed');
       this.state.isEditorDirty = false;
       this.$state.go('kubernetes.applications');
@@ -92,10 +119,10 @@ class KubernetesDeployController {
       return this.ModalService.confirmWebEditorDiscard();
     }
   }
-
   async onInit() {
     this.state = {
       DeployType: KubernetesDeployManifestTypes.KUBERNETES,
+      BuildMethod: KubernetesDeployBuildMethods.GIT,
       tabLogsDisabled: true,
       activeTab: 0,
       viewReady: false,
@@ -104,6 +131,7 @@ class KubernetesDeployController {
 
     this.formValues = {};
     this.ManifestDeployTypes = KubernetesDeployManifestTypes;
+    this.BuildMethods = KubernetesDeployBuildMethods;
     this.endpointId = this.EndpointProvider.endpointID();
 
     await this.getNamespaces();

app/portainer/components/forms/git-form/git-form-auth-fieldset/git-form-auth-fieldset.controller.js

@@ -1,8 +1,13 @@
 class GitFormComposeAuthFieldsetController {
   /* @ngInject */
   constructor() {
+    this.authValues = {
+      username: '',
+      password: '',
+    };
+
     this.onChangeField = this.onChangeField.bind(this);
-    this.onChangeAuth = this.onChangeField('RepositoryAuthentication');
+    this.onChangeAuth = this.onChangeAuth.bind(this);
     this.onChangeUsername = this.onChangeField('RepositoryUsername');
     this.onChangePassword = this.onChangeField('RepositoryPassword');
   }
@@ -15,6 +20,35 @@ class GitFormComposeAuthFieldsetController {
       });
     };
   }
+
+  onChangeAuth(auth) {
+    if (!auth) {
+      this.authValues.username = this.model.RepositoryUsername;
+      this.authValues.password = this.model.RepositoryPassword;
+      this.onChange({
+        ...this.model,
+        RepositoryAuthentication: true,
+        RepositoryUsername: '',
+        RepositoryPassword: '',
+      });
+
+      return;
+    }
+
+    this.onChange({
+      ...this.model,
+      RepositoryAuthentication: false,
+      RepositoryUsername: this.authValues.username,
+      RepositoryPassword: this.authValues.password,
+    });
+  }
+
+  $onInit() {
+    if (this.model.RepositoryAuthentication) {
+      this.authValues.username = this.model.RepositoryUsername;
+      this.authValues.password = this.model.RepositoryPassword;
+    }
+  }
 }
 
 export default GitFormComposeAuthFieldsetController;

app/portainer/services/api/stackService.js

@@ -369,21 +369,16 @@ angular.module('portainer.app').factory('StackService', [
       return action(name, stackFileContent, env, endpointId);
     };
 
-    async function kubernetesDeployAsync(endpointId, namespace, content, compose) {
+    async function kubernetesDeployAsync(endpointId, method, payload) {
       try {
-        const payload = {
-          StackFileContent: content,
-          ComposeFormat: compose,
-          Namespace: namespace,
-        };
-        await Stack.create({ method: 'undefined', type: 3, endpointId: endpointId }, payload).$promise;
+        await Stack.create({ endpointId: endpointId, method: method, type: 3 }, payload).$promise;
       } catch (err) {
         throw { err: err };
       }
     }
 
-    service.kubernetesDeploy = function (endpointId, namespace, content, compose) {
-      return $async(kubernetesDeployAsync, endpointId, namespace, content, compose);
+    service.kubernetesDeploy = function (endpointId, method, payload) {
+      return $async(kubernetesDeployAsync, endpointId, method, payload);
     };
 
     service.start = start;

app/portainer/views/custom-templates/create-custom-template-view/createCustomTemplateView.html

@@ -103,7 +103,7 @@
           </div>
           <!-- !upload -->
           <!-- repository -->
-          <git-form ng-if="state.Method === 'repository'" model="$ctrl.formValues" on-change="($ctrl.onChangeFormValues)"></git-form>
+          <git-form ng-if="$ctrl.state.Method === 'repository'" model="$ctrl.formValues" on-change="($ctrl.onChangeFormValues)"></git-form>
           <!-- !repository -->
           <por-access-control-form form-data="$ctrl.formValues.AccessControlData"></por-access-control-form>
 

gruntfile.js

@@ -191,7 +191,7 @@ function shell_download_docker_binary(p, a) {
   var ip = ps[p] === undefined ? p : ps[p];
   var ia = as[a] === undefined ? a : as[a];
   var binaryVersion = p === 'windows' ? '<%= binaries.dockerWindowsVersion %>' : '<%= binaries.dockerLinuxVersion %>';
-  
+
   return [
     'if [ -f dist/docker ] || [ -f dist/docker.exe ]; then',
     'echo "docker binary exists";',
@@ -207,7 +207,7 @@ function shell_download_docker_compose_binary(p, a) {
   var ip = ps[p] || p;
   var ia = as[a] || a;
   var binaryVersion = p === 'windows' ? '<%= binaries.dockerWindowsComposeVersion %>' : '<%= binaries.dockerLinuxComposeVersion %>';
-  
+
   return [
     'if [ -f dist/docker-compose ] || [ -f dist/docker-compose.exe ]; then',
     'echo "Docker Compose binary exists";',
@@ -219,7 +219,7 @@ function shell_download_docker_compose_binary(p, a) {
 
 function shell_download_kompose_binary(p, a) {
   var binaryVersion = '<%= binaries.komposeVersion %>';
-  
+
   return [
     'if [ -f dist/kompose ] || [ -f dist/kompose.exe ]; then',
     'echo "kompose binary exists";',
@@ -231,7 +231,7 @@ function shell_download_kompose_binary(p, a) {
 
 function shell_download_kubectl_binary(p, a) {
   var binaryVersion = '<%= binaries.kubectlVersion %>';
-  
+
   return [
     'if [ -f dist/kubectl ] || [ -f dist/kubectl.exe ]; then',
     'echo "kubectl binary exists";',

package.json

@@ -2,7 +2,7 @@
   "author": "Portainer.io",
   "name": "portainer",
   "homepage": "http://portainer.io",
-  "version": "2.5.1",
+  "version": "2.6.0",
   "repository": {
     "type": "git",
     "url": "git@github.com:portainer/portainer.git"