chore(release): bump version to 2.30.1 (#748 )

fix(libclient): option to disable external http request [BE-11696] (#745 )
chore: bump version to 2.30.0 (#735 )
2025-05-20 11:33:45 +12:00 · 2025-05-20 09:41:14 +12:00 · 2025-05-14 17:35:05 +12:00 · 2025-05-14 16:31:42 +12:00 · 2025-05-13 22:15:04 +12:00 · 2025-05-13 16:33:14 +12:00
1632 changed files with 51407 additions and 30017 deletions
--- a/.air.toml
+++ b/.air.toml
@@ -0,0 +1,52 @@
+root = "."
+testdata_dir = "testdata"
+tmp_dir = ".tmp"
+
+[build]
+  args_bin = []
+  bin = "./dist/portainer"
+  cmd = "SKIP_GO_GET=true make build-server"
+  delay = 1000
+  exclude_dir = []
+  exclude_file = []
+  exclude_regex = ["_test.go"]
+  exclude_unchanged = false
+  follow_symlink = false
+  full_bin = "./dist/portainer --log-level=DEBUG"
+  include_dir = ["api"]
+  include_ext = ["go"]
+  include_file = []
+  kill_delay = "0s"
+  log = "build-errors.log"
+  poll = false
+  poll_interval = 0
+  post_cmd = []
+  pre_cmd = []
+  rerun = false
+  rerun_delay = 500
+  send_interrupt = false
+  stop_on_error = false
+
+[color]
+  app = ""
+  build = "yellow"
+  main = "magenta"
+  runner = "green"
+  watcher = "cyan"
+
+[log]
+  main_only = false
+  silent = false
+  time = false
+
+[misc]
+  clean_on_exit = false
+
+[proxy]
+  app_port = 0
+  enabled = false
+  proxy_port = 0
+
+[screen]
+  clear_on_rebuild = false
+  keep_scroll = true
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -2,16 +2,17 @@ name: Bug Report
 description: Create a report to help us improve.
 labels: kind/bug,bug/need-confirmation
 body:
-
  - type: markdown
    attributes:
      value: |
        # Welcome!
-        
+
        The issue tracker is for reporting bugs. If you have an [idea for a new feature](https://github.com/orgs/portainer/discussions/categories/ideas) or a [general question about Portainer](https://github.com/orgs/portainer/discussions/categories/help) please post in our [GitHub Discussions](https://github.com/orgs/portainer/discussions).
-        
+
        You can also ask for help in our [community Slack channel](https://join.slack.com/t/portainer/shared_invite/zt-txh3ljab-52QHTyjCqbe5RibC2lcjKA).
-        
+
+        Please note that we only provide support for current versions of Portainer. You can find a list of supported versions in our [lifecycle policy](https://docs.portainer.io/start/lifecycle).
+
        **DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS**.

  - type: checkboxes
@@ -43,7 +44,7 @@ body:
  - type: textarea
    attributes:
      label: Problem Description
-      description: A clear and concise description of what the bug is. 
+      description: A clear and concise description of what the bug is.
    validations:
      required: true

@@ -69,7 +70,7 @@ body:
        1. Go to '...'
        2. Click on '....'
        3. Scroll down to '....'
-        4. See error   
+        4. See error
    validations:
      required: true

@@ -90,28 +91,35 @@ body:
  - type: dropdown
    attributes:
      label: Portainer version
-      description: We only provide support for the most recent version of Portainer and the previous 3 versions. If you are on an older version of Portainer we recommend [upgrading first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
+      description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [updating first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
      multiple: false
      options:
-        - '2.20.3'
-        - '2.20.2'
-        - '2.20.1'
-        - '2.20.0'
-        - '2.19.5'
-        - '2.19.4'
-        - '2.19.3'
-        - '2.19.2'
-        - '2.19.1'
-        - '2.19.0'
-        - '2.18.4'
-        - '2.18.3'
-        - '2.18.2'
-        - '2.18.1'
-        - '2.17.1'
-        - '2.17.0'
-        - '2.16.2'
-        - '2.16.1'
-        - '2.16.0'
+        - '2.29.2'
+        - '2.29.1'
+        - '2.29.0'
+        - '2.28.1'
+        - '2.28.0'
+        - '2.27.6'
+        - '2.27.5'
+        - '2.27.4'
+        - '2.27.3'
+        - '2.27.2'
+        - '2.27.1'
+        - '2.27.0'
+        - '2.26.1'
+        - '2.26.0'
+        - '2.25.1'
+        - '2.25.0'
+        - '2.24.1'
+        - '2.24.0'
+        - '2.23.0'
+        - '2.22.0'
+        - '2.21.5'
+        - '2.21.4'
+        - '2.21.3'
+        - '2.21.2'
+        - '2.21.1'
+        - '2.21.0'
    validations:
      required: true

@@ -149,7 +157,7 @@ body:
  - type: input
    attributes:
      label: Browser
-      description: | 
+      description: |
        Enter your browser and version. Example: Google Chrome 114.0
    validations:
      required: false
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,176 +0,0 @@
-name: ci
-
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - 'develop'
-      - 'release/*'
-  pull_request:
-    branches:
-      - 'develop'
-      - 'release/*'
-      - 'feat/*'
-      - 'fix/*'
-      - 'refactor/*'
-    types:
-      - opened
-      - reopened
-      - synchronize
-      - ready_for_review
-
-env:
-  DOCKER_HUB_REPO: portainerci/portainer-ce
-  EXTENSION_HUB_REPO: portainerci/portainer-docker-extension
-  GO_VERSION: 1.21.9
-  NODE_VERSION: 18.x
-
-jobs:
-  build_images:
-    strategy:
-      matrix:
-        config:
-          - { platform: linux, arch: amd64, version: "" }
-          - { platform: linux, arch: arm64, version: "" }
-          - { platform: linux, arch: arm, version: "" }
-          - { platform: linux, arch: ppc64le, version: "" }
-          - { platform: linux, arch: s390x, version: "" }
-          - { platform: windows, arch: amd64, version: 1809 }
-          - { platform: windows, arch: amd64, version: ltsc2022 }
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
-    steps:
-      - name: '[preparation] checkout the current branch'
-        uses: actions/checkout@v4.1.1
-        with:
-          ref: ${{ github.event.inputs.branch }}
-      - name: '[preparation] set up golang'
-        uses: actions/setup-go@v5.0.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
-      - name: '[preparation] set up node.js'
-        uses: actions/setup-node@v4.0.1
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: 'yarn'
-      - name: '[preparation] set up qemu'
-        uses: docker/setup-qemu-action@v3.0.0
-      - name: '[preparation] set up docker context for buildx'
-        run: docker context create builders
-      - name: '[preparation] set up docker buildx'
-        uses: docker/setup-buildx-action@v3.0.0
-        with:
-          endpoint: builders
-      - name: '[preparation] docker login'
-        uses: docker/login-action@v3.0.0
-        with:
-          username: ${{ secrets.DOCKER_HUB_USERNAME }}
-          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
-      - name: '[preparation] set the container image tag'
-        run: |
-          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
-            # use the release branch name as the tag for release branches
-            # for instance, release/2.19 becomes 2.19
-            CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -d "/" -f 2)
-          elif [ "${GITHUB_EVENT_NAME}" == "pull_request" ]; then
-            # use pr${{ github.event.number }} as the tag for pull requests
-            # for instance, pr123
-            CONTAINER_IMAGE_TAG="pr${{ github.event.number }}"
-          else
-            # replace / with - in the branch name
-            # for instance, feature/1.0.0 -> feature-1.0.0
-            CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | sed 's/\//-/g')
-          fi
-          
-          echo "CONTAINER_IMAGE_TAG=${CONTAINER_IMAGE_TAG}-${{ matrix.config.platform }}${{ matrix.config.version }}-${{ matrix.config.arch }}" >> $GITHUB_ENV
-      - name: '[execution] build linux & windows portainer binaries'
-        run: |
-          export YARN_VERSION=$(yarn --version)
-          export WEBPACK_VERSION=$(yarn list webpack --depth=0 | grep webpack | awk -F@ '{print $2}')
-          export BUILDNUMBER=${GITHUB_RUN_NUMBER}
-          GIT_COMMIT_HASH_LONG=${{ github.sha }}
-          export GIT_COMMIT_HASH_SHORT={GIT_COMMIT_HASH_LONG:0:7}
-          
-          NODE_ENV="testing"
-          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
-            NODE_ENV="production"
-          fi
-          
-          make build-all PLATFORM=${{ matrix.config.platform }} ARCH=${{ matrix.config.arch }} ENV=${NODE_ENV}
-        env:
-          CONTAINER_IMAGE_TAG: ${{ env.CONTAINER_IMAGE_TAG }}
-      - name: '[execution] build and push docker images'
-        run: |
-          if [ "${{ matrix.config.platform }}" == "windows" ]; then
-            mv dist/portainer dist/portainer.exe
-            docker buildx build --output=type=registry --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} --build-arg OSVERSION=${{ matrix.config.version }} -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}" -f build/${{ matrix.config.platform }}/Dockerfile .
-          else 
-            docker buildx build --output=type=registry --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}" -f build/${{ matrix.config.platform }}/Dockerfile .
-            docker buildx build --output=type=registry --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" -f build/${{ matrix.config.platform }}/alpine.Dockerfile .
-            
-            if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
-              docker buildx build --output=type=registry --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}" -f build/${{ matrix.config.platform }}/Dockerfile .
-              docker buildx build --output=type=registry --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" -f build/${{ matrix.config.platform }}/alpine.Dockerfile .
-            fi
-          fi
-        env:
-          CONTAINER_IMAGE_TAG: ${{ env.CONTAINER_IMAGE_TAG }}
-  build_manifests:
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
-    needs: [build_images]
-    steps:
-      - name: '[preparation] docker login'
-        uses: docker/login-action@v3.0.0
-        with:
-          username: ${{ secrets.DOCKER_HUB_USERNAME }}
-          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
-      - name: '[preparation] set up docker context for buildx'
-        run: docker version && docker context create builders
-      - name: '[preparation] set up docker buildx'
-        uses: docker/setup-buildx-action@v3.0.0
-        with:
-          endpoint: builders
-      - name: '[execution] build and push manifests'
-        run: |
-          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
-            # use the release branch name as the tag for release branches
-            # for instance, release/2.19 becomes 2.19
-            CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -d "/" -f 2)
-          elif [ "${GITHUB_EVENT_NAME}" == "pull_request" ]; then
-            # use pr${{ github.event.number }} as the tag for pull requests
-            # for instance, pr123
-            CONTAINER_IMAGE_TAG="pr${{ github.event.number }}"
-          else
-            # replace / with - in the branch name
-            # for instance, feature/1.0.0 -> feature-1.0.0
-            CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | sed 's/\//-/g')
-          fi
-
-          docker buildx imagetools create -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-ppc64le" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-s390x" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-windows1809-amd64" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-windowsltsc2022-amd64"
-          
-          docker buildx imagetools create -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64-alpine" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64-alpine" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm-alpine"
-            
-          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
-            docker buildx imagetools create -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}" \
-              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64" \
-              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64" \
-              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm" \
-              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-ppc64le" \
-              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-s390x"
-            
-            docker buildx imagetools create -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" \
-              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64-alpine" \
-              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64-alpine" \
-              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm-alpine"
-          fi
--- a/.github/workflows/label-conflcts.yaml
+++ b/.github/workflows/label-conflcts.yaml
@@ -1,15 +0,0 @@
-on:
-  push:
-    branches:
-      - develop
-      - 'release/**'
-jobs:
-  triage:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: mschilde/auto-label-merge-conflicts@master
-        with:
-          CONFLICT_LABEL_NAME: 'has conflicts'
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          MAX_RETRIES: 10
-          WAIT_MS: 60000
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,55 +0,0 @@
-name: Lint
-
-on:
-  push:
-    branches:
-      - master
-      - develop
-      - release/*
-  pull_request:
-    branches:
-      - master
-      - develop
-      - release/*
-    types:
-      - opened
-      - reopened
-      - synchronize
-      - ready_for_review
-
-env:
-  GO_VERSION: 1.21.9
-  NODE_VERSION: 18.x
-
-jobs:
-  run-linters:
-    name: Run linters
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
-
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: 'yarn'
-      - uses: actions/setup-go@v4
-        with:
-          go-version: ${{ env.GO_VERSION }}
-      - run: yarn --frozen-lockfile
-      - name: Run linters
-        uses: wearerequired/lint-action@v1
-        with:
-          eslint: true
-          eslint_extensions: ts,tsx,js,jsx
-          prettier: true
-          prettier_dir: app/
-          gofmt: true
-          gofmt_dir: api/
-      - name: Typecheck
-        uses: icrawl/action-tsc@v1
-      - name: GolangCI-Lint
-        uses: golangci/golangci-lint-action@v3
-        with:
-          version: v1.55.2
-          args: --timeout=10m -c .golangci.yaml
--- a/.github/workflows/nightly-security-scan.yml
+++ b/.github/workflows/nightly-security-scan.yml
@@ -1,252 +0,0 @@
-name: Nightly Code Security Scan
-
-on:
-  schedule:
-    - cron: '0 20 * * *'
-  workflow_dispatch:
-
-env:
-  GO_VERSION: 1.21.9
-
-jobs:
-  client-dependencies:
-    name: Client Dependency Check
-    runs-on: ubuntu-latest
-    if: >- # only run for develop branch
-      github.ref == 'refs/heads/develop'
-    outputs:
-      js: ${{ steps.set-matrix.outputs.js_result }}
-    steps:
-      - name: checkout repository
-        uses: actions/checkout@master
-
-      - name: scan vulnerabilities by Snyk
-        uses: snyk/actions/node@master
-        continue-on-error: true # To make sure that artifact upload gets called
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        with:
-          json: true
-
-      - name: upload scan result as develop artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: js-security-scan-develop-result
-          path: snyk.json
-
-      - name: develop scan report export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=table --export --export-filename="/data/js-result")
-
-      - name: upload html file as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-js-result-${{github.run_id}}
-          path: js-result.html
-
-      - name: analyse vulnerabilities
-        id: set-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=matrix)
-          echo "js_result=${result}" >> $GITHUB_OUTPUT
-
-  server-dependencies:
-    name: Server Dependency Check
-    runs-on: ubuntu-latest
-    if: >- # only run for develop branch
-      github.ref == 'refs/heads/develop'
-    outputs:
-      go: ${{ steps.set-matrix.outputs.go_result }}
-    steps:
-      - name: checkout repository
-        uses: actions/checkout@master
-
-      - name: install Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - name: download Go modules
-        run: cd ./api && go get -t -v -d ./...
-
-      - name: scan vulnerabilities by Snyk
-        continue-on-error: true # To make sure that artifact upload gets called
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        run: |
-          yarn global add snyk
-          snyk test --file=./go.mod --json-file-output=snyk.json 2>/dev/null || :
-
-      - name: upload scan result as develop artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: go-security-scan-develop-result
-          path: snyk.json
-
-      - name: develop scan report export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=table --export --export-filename="/data/go-result")
-
-      - name: upload html file as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-go-result-${{github.run_id}}
-          path: go-result.html
-
-      - name: analyse vulnerabilities
-        id: set-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=matrix)
-          echo "go_result=${result}" >> $GITHUB_OUTPUT
-
-  image-vulnerability:
-    name: Image Vulnerability Check
-    runs-on: ubuntu-latest
-    if: >-
-      github.ref == 'refs/heads/develop'
-    outputs:
-      image-trivy: ${{ steps.set-trivy-matrix.outputs.image_trivy_result }}
-      image-docker-scout: ${{ steps.set-docker-scout-matrix.outputs.image_docker_scout_result }}
-    steps:
-      - name: scan vulnerabilities by Trivy
-        uses: docker://docker.io/aquasec/trivy:latest
-        continue-on-error: true
-        with:
-          args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress portainerci/portainer:develop
-
-      - name: upload Trivy image security scan result as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: image-security-scan-develop-result
-          path: image-trivy.json
-
-      - name: develop Trivy scan report export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=table --export --export-filename="/data/image-trivy-result")
-
-      - name: upload html file as Trivy artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-image-result-${{github.run_id}}
-          path: image-trivy-result.html
-
-      - name: analyse vulnerabilities from Trivy
-        id: set-trivy-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=matrix)
-          echo "image_trivy_result=${result}" >> $GITHUB_OUTPUT
-
-      - name: scan vulnerabilities by Docker Scout
-        uses: docker/scout-action@v1
-        continue-on-error: true
-        with:
-          command: cves
-          image: portainerci/portainer:develop
-          sarif-file: image-docker-scout.json
-          dockerhub-user: ${{ secrets.DOCKER_HUB_USERNAME }}
-          dockerhub-password: ${{ secrets.DOCKER_HUB_PASSWORD }}
-
-      - name: upload Docker Scout image security scan result as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: image-security-scan-develop-result
-          path: image-docker-scout.json
-
-      - name: develop Docker Scout scan report export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=docker-scout --path="/data/image-docker-scout.json" --output-type=table --export --export-filename="/data/image-docker-scout-result")
-
-      - name: upload html file as Docker Scout artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-image-result-${{github.run_id}}
-          path: image-docker-scout-result.html
-
-      - name: analyse vulnerabilities from Docker Scout
-        id: set-docker-scout-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=docker-scout --path="/data/image-docker-scout.json" --output-type=matrix)
-          echo "image_docker_scout_result=${result}" >> $GITHUB_OUTPUT
-
-  result-analysis:
-    name: Analyse Scan Results
-    needs: [client-dependencies, server-dependencies, image-vulnerability]
-    runs-on: ubuntu-latest
-    if: >-
-      github.ref == 'refs/heads/develop'
-    strategy:
-      matrix:
-        js: ${{fromJson(needs.client-dependencies.outputs.js)}}
-        go: ${{fromJson(needs.server-dependencies.outputs.go)}}
-        image-trivy: ${{fromJson(needs.image-vulnerability.outputs.image-trivy)}}
-        image-docker-scout: ${{fromJson(needs.image-vulnerability.outputs.image-docker-scout)}}
-    steps:
-      - name: display the results of js, Go, and image scan
-        run: |
-          echo "${{ matrix.js.status }}"
-          echo "${{ matrix.go.status }}"
-          echo "${{ matrix.image-trivy.status }}"
-          echo "${{ matrix.image-docker-scout.status }}"
-          echo "${{ matrix.js.summary }}"
-          echo "${{ matrix.go.summary }}"
-          echo "${{ matrix.image-trivy.summary }}"
-          echo "${{ matrix.image-docker-scout.summary }}"
-
-      - name: send message to Slack
-        if: >-
-          matrix.js.status == 'failure' ||
-          matrix.go.status == 'failure' || 
-          matrix.image-trivy.status == 'failure' || 
-          matrix.image-docker-scout.status == 'failure'
-        uses: slackapi/slack-github-action@v1.23.0
-        with:
-          payload: |
-            {
-              "blocks": [
-                {
-                  "type": "section",
-                  "text": {
-                    "type": "mrkdwn",
-                    "text": "Code Scanning Result (*${{ github.repository }}*)\n*<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|GitHub Actions Workflow URL>*"
-                  }
-                }
-              ],
-              "attachments": [
-                {
-                  "color": "#FF0000",
-                  "blocks": [
-                    {
-                      "type": "section",
-                      "text": {
-                        "type": "mrkdwn",
-                        "text": "*JS dependency check*: *${{ matrix.js.status }}*\n${{ matrix.js.summary }}"
-                      }
-                    },
-                    {
-                      "type": "section",
-                      "text": {
-                        "type": "mrkdwn",
-                        "text": "*Go dependency check*: *${{ matrix.go.status }}*\n${{ matrix.go.summary }}"
-                      }
-                    },
-                    {
-                      "type": "section",
-                      "text": {
-                        "type": "mrkdwn",
-                        "text": "*Image Trivy vulnerability check*: *${{ matrix.image-trivy.status }}*\n${{ matrix.image-trivy.summary }}\n"
-                      }
-                    },
-                    {
-                      "type": "section",
-                      "text": {
-                        "type": "mrkdwn",
-                        "text": "*Image Docker Scout vulnerability check*: *${{ matrix.image-docker-scout.status }}*\n${{ matrix.image-docker-scout.summary }}\n"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SECURITY_SLACK_WEBHOOK_URL }}
-          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
--- a/.github/workflows/pr-security.yml
+++ b/.github/workflows/pr-security.yml
@@ -1,298 +0,0 @@
-name: PR Code Security Scan
-
-on:
-  pull_request_review:
-    types:
-      - submitted
-      - edited
-    paths:
-      - 'package.json'
-      - 'go.mod'
-      - 'build/linux/Dockerfile'
-      - 'build/linux/alpine.Dockerfile'
-      - 'build/windows/Dockerfile'
-      - '.github/workflows/pr-security.yml'
-
-env:
-  GO_VERSION: 1.21.9
-  NODE_VERSION: 18.x
-
-jobs:
-  client-dependencies:
-    name: Client Dependency Check
-    runs-on: ubuntu-latest
-    if: >-
-      github.event.pull_request &&
-      github.event.review.body == '/scan' &&
-      github.event.pull_request.draft == false
-    outputs:
-      jsdiff: ${{ steps.set-diff-matrix.outputs.js_diff_result }}
-    steps:
-      - name: checkout repository
-        uses: actions/checkout@master
-
-      - name: scan vulnerabilities by Snyk
-        uses: snyk/actions/node@master
-        continue-on-error: true # To make sure that artifact upload gets called
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        with:
-          json: true
-
-      - name: upload scan result as pull-request artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: js-security-scan-feat-result
-          path: snyk.json
-
-      - name: download artifacts from develop branch built by nightly scan
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          mv ./snyk.json ./js-snyk-feature.json
-          (gh run download -n js-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) || :
-          if [[ -e ./snyk.json ]]; then
-            mv ./snyk.json ./js-snyk-develop.json
-          else
-            echo "null" > ./js-snyk-develop.json
-          fi
-
-      - name: pr vs develop scan report comparison export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/js-snyk-feature.json" --compare-to="/data/js-snyk-develop.json" --output-type=table --export --export-filename="/data/js-result")
-
-      - name: upload html file as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-js-result-compare-to-develop-${{github.run_id}}
-          path: js-result.html
-
-      - name: analyse different vulnerabilities against develop branch
-        id: set-diff-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/js-snyk-feature.json" --compare-to="/data/js-snyk-develop.json" --output-type=matrix)
-          echo "js_diff_result=${result}" >> $GITHUB_OUTPUT
-
-  server-dependencies:
-    name: Server Dependency Check
-    runs-on: ubuntu-latest
-    if: >-
-      github.event.pull_request &&
-      github.event.review.body == '/scan' &&
-      github.event.pull_request.draft == false
-    outputs:
-      godiff: ${{ steps.set-diff-matrix.outputs.go_diff_result }}
-    steps:
-      - name: checkout repository
-        uses: actions/checkout@master
-
-      - name: install Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - name: download Go modules
-        run: cd ./api && go get -t -v -d ./...
-
-      - name: scan vulnerabilities by Snyk
-        continue-on-error: true # To make sure that artifact upload gets called
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        run: |
-          yarn global add snyk
-          snyk test --file=./go.mod --json-file-output=snyk.json 2>/dev/null || :
-
-      - name: upload scan result as pull-request artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: go-security-scan-feature-result
-          path: snyk.json
-
-      - name: download artifacts from develop branch built by nightly scan
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          mv ./snyk.json ./go-snyk-feature.json
-          (gh run download -n go-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) || :
-          if [[ -e ./snyk.json ]]; then
-            mv ./snyk.json ./go-snyk-develop.json
-          else
-            echo "null" > ./go-snyk-develop.json
-          fi
-
-      - name: pr vs develop scan report comparison export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/go-snyk-feature.json" --compare-to="/data/go-snyk-develop.json" --output-type=table --export --export-filename="/data/go-result")
-
-      - name: upload html file as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-go-result-compare-to-develop-${{github.run_id}}
-          path: go-result.html
-
-      - name: analyse different vulnerabilities against develop branch
-        id: set-diff-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/go-snyk-feature.json" --compare-to="/data/go-snyk-develop.json" --output-type=matrix)
-          echo "go_diff_result=${result}" >> $GITHUB_OUTPUT
-
-  image-vulnerability:
-    name: Image Vulnerability Check
-    runs-on: ubuntu-latest
-    if: >-
-      github.event.pull_request &&
-      github.event.review.body == '/scan' &&
-      github.event.pull_request.draft == false
-    outputs:
-      imagediff-trivy: ${{ steps.set-diff-trivy-matrix.outputs.image_diff_trivy_result }}
-      imagediff-docker-scout: ${{ steps.set-diff-docker-scout-matrix.outputs.image_diff_docker_scout_result }}
-    steps:
-      - name: checkout code
-        uses: actions/checkout@master
-
-      - name: install Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - name: install Node.js
-        uses: actions/setup-node@v3
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-
-      - name: Install packages
-        run: yarn --frozen-lockfile
-
-      - name: build
-        run: make build-all
-
-      - name: set up docker buildx
-        uses: docker/setup-buildx-action@v2
-
-      - name: build and compress image
-        uses: docker/build-push-action@v4
-        with:
-          context: .
-          file: build/linux/Dockerfile
-          tags: local-portainer:${{ github.sha }}
-          outputs: type=docker,dest=/tmp/local-portainer-image.tar
-
-      - name: load docker image
-        run: |
-          docker load --input /tmp/local-portainer-image.tar
-
-      - name: scan vulnerabilities by Trivy
-        uses: docker://docker.io/aquasec/trivy:latest
-        continue-on-error: true
-        with:
-          args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress local-portainer:${{ github.sha }}
-
-      - name: upload Trivy image security scan result as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: image-security-scan-feature-result
-          path: image-trivy.json
-
-      - name: download Trivy artifacts from develop branch built by nightly scan
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          mv ./image-trivy.json ./image-trivy-feature.json
-          (gh run download -n image-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) || :
-          if [[ -e ./image-trivy.json ]]; then
-            mv ./image-trivy.json ./image-trivy-develop.json
-          else
-            echo "null" > ./image-trivy-develop.json
-          fi
-
-      - name: pr vs develop Trivy scan report comparison export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=table --export --export-filename="/data/image-trivy-result")
-
-      - name: upload html file as Trivy artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-image-result-compare-to-develop-${{github.run_id}}
-          path: image-trivy-result.html
-
-      - name: analyse different vulnerabilities against develop branch by Trivy
-        id: set-diff-trivy-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=matrix)
-          echo "image_diff_trivy_result=${result}" >> $GITHUB_OUTPUT
-
-      - name: scan vulnerabilities by Docker Scout
-        uses: docker/scout-action@v1
-        continue-on-error: true
-        with:
-          command: cves
-          image: local-portainer:${{ github.sha }}
-          sarif-file: image-docker-scout.json
-          dockerhub-user: ${{ secrets.DOCKER_HUB_USERNAME }}
-          dockerhub-password: ${{ secrets.DOCKER_HUB_PASSWORD }}
-
-      - name: upload Docker Scout image security scan result as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: image-security-scan-feature-result
-          path: image-docker-scout.json
-
-      - name: download Docker Scout artifacts from develop branch built by nightly scan
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          mv ./image-docker-scout.json ./image-docker-scout-feature.json
-          (gh run download -n image-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) || :
-          if [[ -e ./image-docker-scout.json ]]; then
-            mv ./image-docker-scout.json ./image-docker-scout-develop.json
-          else
-            echo "null" > ./image-docker-scout-develop.json
-          fi
-
-      - name: pr vs develop Docker Scout scan report comparison export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=docker-scout --path="/data/image-docker-scout-feature.json" --compare-to="/data/image-docker-scout-develop.json" --output-type=table --export --export-filename="/data/image-docker-scout-result")
-
-      - name: upload html file as Docker Scout artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-image-result-compare-to-develop-${{github.run_id}}
-          path: image-docker-scout-result.html
-
-      - name: analyse different vulnerabilities against develop branch by Docker Scout
-        id: set-diff-docker-scout-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=docker-scout --path="/data/image-docker-scout-feature.json" --compare-to="/data/image-docker-scout-develop.json" --output-type=matrix)
-          echo "image_diff_docker_scout_result=${result}" >> $GITHUB_OUTPUT
-
-  result-analysis:
-    name: Analyse Scan Result Against develop Branch
-    needs: [client-dependencies, server-dependencies, image-vulnerability]
-    runs-on: ubuntu-latest
-    if: >-
-      github.event.pull_request &&
-      github.event.review.body == '/scan' &&
-      github.event.pull_request.draft == false
-    strategy:
-      matrix:
-        jsdiff: ${{fromJson(needs.client-dependencies.outputs.jsdiff)}}
-        godiff: ${{fromJson(needs.server-dependencies.outputs.godiff)}}
-        imagediff-trivy: ${{fromJson(needs.image-vulnerability.outputs.imagediff-trivy)}}
-        imagediff-docker-scout: ${{fromJson(needs.image-vulnerability.outputs.imagediff-docker-scout)}}
-    steps:
-      - name: check job status of diff result
-        if: >-
-          matrix.jsdiff.status == 'failure' ||
-          matrix.godiff.status == 'failure' ||
-          matrix.imagediff-trivy.status == 'failure' ||
-          matrix.imagediff-docker-scout.status == 'failure'
-        run: |
-          echo "${{ matrix.jsdiff.status }}"
-          echo "${{ matrix.godiff.status }}"
-          echo "${{ matrix.imagediff-trivy.status }}"
-          echo "${{ matrix.imagediff-docker-scout.status }}"
-          echo "${{ matrix.jsdiff.summary }}"
-          echo "${{ matrix.godiff.summary }}"
-          echo "${{ matrix.imagediff-trivy.summary }}"
-          echo "${{ matrix.imagediff-docker-scout.summary }}"
-          exit 1
--- a/.github/workflows/rebase.yml
+++ b/.github/workflows/rebase.yml
@@ -1,19 +0,0 @@
-name: Automatic Rebase
-on:
-  issue_comment:
-    types: [created]
-jobs:
-  rebase:
-    name: Rebase
-    if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase')
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout the latest code
-        uses: actions/checkout@v2
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          fetch-depth: 0 # otherwise, you will fail to push refs to dest repo
-      - name: Automatic Rebase
-        uses: cirrus-actions/rebase@1.4
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,28 +0,0 @@
-name: Close Stale Issues
-on:
-  schedule:
-    - cron: '0 12 * * *'
-  workflow_dispatch:
-jobs:
-  stale:
-    runs-on: ubuntu-latest
-    permissions:
-      issues: write
-
-    steps:
-    - uses: actions/stale@v8
-      with:
-        repo-token: ${{ secrets.GITHUB_TOKEN }}
-
-        # Issue Config
-        days-before-issue-stale: 60
-        days-before-issue-close: 7
-        stale-issue-label: 'status/stale'
-        exempt-all-issue-milestones: true # Do not stale issues in a milestone
-        exempt-issue-labels: kind/enhancement, kind/style, kind/workaround, kind/refactor, bug/need-confirmation, bug/confirmed, status/discuss
-        stale-issue-message: 'This issue has been marked as stale as it has not had recent activity, it will be closed if no further activity occurs in the next 7 days. If you believe that it has been incorrectly labelled as stale, leave a comment and the label will be removed.'
-        close-issue-message: 'Since no further activity has appeared on this issue it will be closed. If you believe that it has been incorrectly closed, leave a comment mentioning `portainer/support` and one of our staff will then review the issue. Note - If it is an old bug report, make sure that it is reproduceable in the latest version of Portainer as it may have already been fixed.'
-        
-        # Pull Request Config
-        days-before-pr-stale: -1 # Do not stale pull request
-        days-before-pr-close: -1 # Do not close pull request
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -1,56 +0,0 @@
-name: Test
-
-env:
-  GO_VERSION: 1.21.9
-  NODE_VERSION: 18.x
-
-on:
-  pull_request:
-    branches:
-      - master
-      - develop
-      - release/*
-    types:
-      - opened
-      - reopened
-      - synchronize
-      - ready_for_review
-  push:
-    branches:
-      - master
-      - develop
-      - release/*
-
-jobs:
-  test-client:
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
-
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: 'yarn'
-      - run: yarn --frozen-lockfile
-
-      - name: Run tests
-        run: make test-client ARGS="--maxWorkers=2 --minWorkers=1"
-  test-server:
-    strategy:
-      matrix:
-        config:
-          - { platform: linux, arch: amd64 }
-          - { platform: linux, arch: arm64 }
-          - { platform: windows, arch: amd64, version: 1809 }
-          - { platform: windows, arch: amd64, version: ltsc2022 }
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
-
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
-      - name: Run tests
-        run: make test-server
--- a/.github/workflows/validate-openapi-spec.yaml
+++ b/.github/workflows/validate-openapi-spec.yaml
@@ -1,39 +0,0 @@
-name: Validate OpenAPI specs
-
-on:
-  pull_request:
-    branches:
-      - master
-      - develop
-      - 'release/*'
-    types:
-      - opened
-      - reopened
-      - synchronize
-      - ready_for_review
-
-env:
-  GO_VERSION: 1.21.9
-  NODE_VERSION: 18.x
-
-jobs:
-  openapi-spec:
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
-    steps:
-      - uses: actions/checkout@v3
-
-      - uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - name: Download golang modules
-        run: cd ./api && go get -t -v -d ./...
-      - uses: actions/setup-node@v3
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: 'yarn'
-      - run: yarn --frozen-lockfile
-
-      - name: Validate OpenAPI Spec
-        run: make docs-validate
--- a/.godir
+++ b/.godir
@@ -1 +0,0 @@
-portainer
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -9,7 +9,10 @@ linters:
    - gosimple
    - govet
    - errorlint
-    - exportloopref
+    - copyloopvar
+    - intrange
+    - perfsprint
+    - ineffassign

 linters-settings:
  depguard:
@@ -18,8 +21,6 @@ linters-settings:
        deny:
          - pkg: 'encoding/json'
            desc: 'use github.com/segmentio/encoding/json'
-          - pkg: 'github.com/sirupsen/logrus'
-            desc: 'logging is allowed only by github.com/rs/zerolog'
          - pkg: 'golang.org/x/exp'
            desc: 'exp is not allowed'
          - pkg: 'github.com/portainer/libcrypto'
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -1,4 +1,4 @@
 #!/usr/bin/env sh
 . "$(dirname -- "$0")/_/husky.sh"

-yarn lint-staged
+cd $(dirname -- "$0") && yarn lint-staged
--- a/.vscode.example/launch.json
+++ b/.vscode.example/launch.json
@@ -1,19 +0,0 @@
-{
-  // Use IntelliSense to learn about possible attributes.
-  // Hover to view descriptions of existing attributes.
-  // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
-  "version": "0.2.0",
-  "configurations": [
-    {
-      "name": "Launch",
-      "type": "go",
-      "request": "launch",
-      "mode": "debug",
-      "program": "${workspaceRoot}/api/cmd/portainer",
-      "cwd": "${workspaceRoot}",
-      "env": {},
-      "showLog": true,
-      "args": ["--data", "${env:HOME}/portainer-data", "--assets", "${workspaceRoot}/dist"]
-    }
-  ]
-}
--- a/.vscode.example/portainer.code-snippets
+++ b/.vscode.example/portainer.code-snippets
@@ -1,191 +0,0 @@
-{
-  // Place your portainer workspace snippets here. Each snippet is defined under a snippet name and has a scope, prefix, body and
-  // description. Add comma separated ids of the languages where the snippet is applicable in the scope field. If scope
-  // is left empty or omitted, the snippet gets applied to all languages. The prefix is what is
-  // used to trigger the snippet and the body will be expanded and inserted. Possible variables are:
-  // $1, $2 for tab stops, $0 for the final cursor position, and ${1:label}, ${2:another} for placeholders.
-  // Placeholders with the same ids are connected.
-  // Example:
-  // "Print to console": {
-  // 	"scope": "javascript,typescript",
-  // 	"prefix": "log",
-  // 	"body": [
-  // 		"console.log('$1');",
-  // 		"$2"
-  // 	],
-  // 	"description": "Log output to console"
-  // }
-  "React Named Export Component": {
-    "prefix": "rnec",
-    "body": [
-      "export function $TM_FILENAME_BASE() {",
-      "  return <div>$TM_FILENAME_BASE</div>;",
-      "}"
-    ],
-    "description": "React Named Export Component"
-  },
-  "Component": {
-    "scope": "javascript",
-    "prefix": "mycomponent",
-    "description": "Dummy Angularjs Component",
-    "body": [
-      "import angular from 'angular';",
-      "import controller from './${TM_FILENAME_BASE}Controller'",
-      "",
-      "angular.module('portainer.${TM_DIRECTORY/.*\\/app\\/([^\\/]*)(\\/.*)?$/$1/}').component('$TM_FILENAME_BASE', {",
-      "  templateUrl: './$TM_FILENAME_BASE.html',",
-      "  controller,",
-      "});",
-      ""
-    ]
-  },
-  "Controller": {
-    "scope": "javascript",
-    "prefix": "mycontroller",
-    "body": [
-      "class ${TM_FILENAME_BASE/(.*)/${1:/capitalize}/} {",
-      "\t/* @ngInject */",
-      "\tconstructor($0) {",
-      "\t}",
-      "}",
-      "",
-      "export default ${TM_FILENAME_BASE/(.*)/${1:/capitalize}/};"
-    ],
-    "description": "Dummy ES6+ controller"
-  },
-  "Service": {
-    "scope": "javascript",
-    "prefix": "myservice",
-    "description": "Dummy ES6+ service",
-    "body": [
-      "import angular from 'angular';",
-      "import PortainerError from 'Portainer/error';",
-      "",
-      "class $1 {",
-      "  /* @ngInject */",
-      "  constructor(\\$async, $0) {",
-      "    this.\\$async = \\$async;",
-      "",
-      "    this.getAsync = this.getAsync.bind(this);",
-      "    this.getAllAsync = this.getAllAsync.bind(this);",
-      "    this.createAsync = this.createAsync.bind(this);",
-      "    this.updateAsync = this.updateAsync.bind(this);",
-      "    this.deleteAsync = this.deleteAsync.bind(this);",
-      "  }",
-      "",
-      "  /**",
-      "   * GET",
-      "   */",
-      "  async getAsync() {",
-      "    try {",
-      "",
-      "    } catch (err) {",
-      "      throw new PortainerError('', err);",
-      "    }",
-      "  }",
-      "",
-      "  async getAllAsync() {",
-      "    try {",
-      "",
-      "    } catch (err) {",
-      "      throw new PortainerError('', err);",
-      "    }",
-      "  }",
-      "",
-      "  get() {",
-      "    if () {",
-      "      return this.\\$async(this.getAsync);",
-      "    }",
-      "    return this.\\$async(this.getAllAsync);",
-      "  }",
-      "",
-      "  /**",
-      "   * CREATE",
-      "   */",
-      "  async createAsync() {",
-      "    try {",
-      "",
-      "    } catch (err) {",
-      "      throw new PortainerError('', err);",
-      "    }",
-      "  }",
-      "",
-      "  create() {",
-      "    return this.\\$async(this.createAsync);",
-      "  }",
-      "",
-      "  /**",
-      "   * UPDATE",
-      "   */",
-      "  async updateAsync() {",
-      "    try {",
-      "",
-      "    } catch (err) {",
-      "      throw new PortainerError('', err);",
-      "    }",
-      "  }",
-      "",
-      "  update() {",
-      "    return this.\\$async(this.updateAsync);",
-      "  }",
-      "",
-      "  /**",
-      "   * DELETE",
-      "   */",
-      "  async deleteAsync() {",
-      "    try {",
-      "",
-      "    } catch (err) {",
-      "      throw new PortainerError('', err);",
-      "    }",
-      "  }",
-      "",
-      "  delete() {",
-      "    return this.\\$async(this.deleteAsync);",
-      "  }",
-      "}",
-      "",
-      "export default $1;",
-      "angular.module('portainer.${TM_DIRECTORY/.*\\/app\\/([^\\/]*)(\\/.*)?$/$1/}').service('$1', $1);"
-    ]
-  },
-  "swagger-api-doc": {
-    "prefix": "swapi",
-    "scope": "go",
-    "description": "Snippet for a api doc",
-    "body": [
-      "// @id ",
-      "// @summary ",
-      "// @description ",
-      "// @description **Access policy**: ",
-      "// @tags ",
-      "// @security ApiKeyAuth",
-      "// @security jwt",
-      "// @accept json",
-      "// @produce json",
-      "// @param id path int true \"identifier\"",
-      "// @param body body Object true \"details\"",
-      "// @success 200 {object} portainer. \"Success\"",
-      "// @success 204 \"Success\"",
-      "// @failure 400 \"Invalid request\"",
-      "// @failure 403 \"Permission denied\"",
-      "// @failure 404 \" not found\"",
-      "// @failure 500 \"Server error\"",
-      "// @router /{id} [get]"
-    ]
-  },
-  "analytics": {
-    "prefix": "nlt",
-    "body": ["analytics-on", "analytics-category=\"$1\"", "analytics-event=\"$2\""],
-    "description": "analytics"
-  },
-  "analytics-if": {
-    "prefix": "nltf",
-    "body": ["analytics-if=\"$1\""],
-    "description": "analytics"
-  },
-  "analytics-metadata": {
-    "prefix": "nltm",
-    "body": "analytics-properties=\"{ metadata: { $1 } }\""
-  }
-}
--- a/.vscode.example/settings.json
+++ b/.vscode.example/settings.json
@@ -1,8 +0,0 @@
-{
-  "go.lintTool": "golangci-lint",
-  "go.lintFlags": ["--fast", "-E", "exportloopref"],
-  "gopls": {
-    "build.expandWorkspaceToModule": false
-  },
-  "gitlens.advanced.blame.customArguments": ["--ignore-revs-file", ".git-blame-ignore-revs"]
-}
--- a/24
+++ b/24
@@ -9,7 +9,7 @@ ENV=development
 WEBPACK_CONFIG=webpack/webpack.$(ENV).js
 TAG=local

-SWAG=go run github.com/swaggo/swag/cmd/swag@v1.16.2 
+SWAG=go run github.com/swaggo/swag/cmd/swag@v1.16.2
 GOTESTSUM=go run gotest.tools/gotestsum@latest

 # Don't change anything below this line unless you know what you're doing
@@ -17,11 +17,13 @@ GOTESTSUM=go run gotest.tools/gotestsum@latest


 ##@ Building
-.PHONY: init-dist build-storybook build build-client build-server build-image devops
+.PHONY: all init-dist build-storybook build build-client build-server build-image devops
 init-dist:
 	@mkdir -p dist

-build-all: deps build-server build-client ## Build the client, server and download external dependancies (doesn't build an image)
+all: tidy deps build-server build-client ## Build the client, server and download external dependancies (doesn't build an image)
+
+build-all: all ## Alias for the 'all' target (used by CI)

 build-client: init-dist ## Build the client
 	export NODE_ENV=$(ENV) && yarn build --config $(WEBPACK_CONFIG)
@@ -30,7 +32,7 @@ build-server: init-dist ## Build the server binary
 	./build/build_binary.sh "$(PLATFORM)" "$(ARCH)"

 build-image: build-all ## Build the Portainer image locally
-	docker buildx build --load -t portainerci/portainer:$(TAG) -f build/linux/Dockerfile .
+	docker buildx build --load -t portainerci/portainer-ce:$(TAG) -f build/linux/Dockerfile .

 build-storybook: ## Build and serve the storybook files
 	yarn storybook:build
@@ -50,7 +52,7 @@ client-deps: ## Install client dependencies
 	yarn

 tidy: ## Tidy up the go.mod file
-	cd api && go mod tidy
+	@go mod tidy


 ##@ Cleanup
@@ -65,23 +67,25 @@ clean: ## Remove all build and download artifacts
 test: test-server test-client ## Run all tests

 test-client: ## Run client tests
-	yarn test $(ARGS)
+	yarn test $(ARGS) --coverage

 test-server:	## Run server tests
-	$(GOTESTSUM) --format pkgname-and-test-fails --format-hide-empty-pkg --hide-summary skipped -- -cover  ./...
+	$(GOTESTSUM) --format pkgname-and-test-fails --format-hide-empty-pkg --hide-summary skipped -- -cover -covermode=atomic -coverprofile=coverage.out ./...

 ##@ Dev
 .PHONY: dev dev-client dev-server
-dev: ## Run both the client and server in development mode	
+dev: ## Run both the client and server in development mode
 	make dev-server
 	make dev-client

-dev-client: ## Run the client in development mode 
+dev-client: ## Run the client in development mode
 	yarn dev

 dev-server: build-server ## Run the server in development mode
 	@./dev/run_container.sh

+dev-server-podman: build-server ## Run the server in development mode
+	@./dev/run_container_podman.sh

 ##@ Format
 .PHONY: format format-client format-server
@@ -114,7 +118,7 @@ dev-extension: build-server build-client ## Run the extension in development mod
 ##@ Docs
 .PHONY: docs-build docs-validate docs-clean docs-validate-clean
 docs-build: init-dist ## Build docs
-	cd api && $(SWAG) init -o "../dist/docs" -ot "yaml" -g ./http/handler/handler.go --parseDependency --parseInternal --parseDepth 2 -p pascalcase --markdownFiles ./ 
+	cd api && $(SWAG) init -o "../dist/docs" -ot "yaml" -g ./http/handler/handler.go --parseDependency --parseInternal --parseDepth 2 -p pascalcase --markdownFiles ./

 docs-validate: docs-build ## Validate docs
 	yarn swagger2openapi --warnOnly dist/docs/swagger.yaml -o dist/docs/openapi.yaml
--- a/api/agent/version.go
+++ b/api/agent/version.go
@@ -10,7 +10,7 @@ import (
 	"time"

 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/internal/url"
+	"github.com/portainer/portainer/api/url"
 )

 // GetAgentVersionAndPlatform returns the agent version and platform
--- a/api/apikey/apikey_test.go
+++ b/api/apikey/apikey_test.go
@@ -3,7 +3,6 @@ package apikey
 import (
 	"testing"

-	"github.com/portainer/portainer/api/internal/securecookie"
 	"github.com/stretchr/testify/assert"
 )

@@ -34,17 +33,19 @@ func Test_generateRandomKey(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got := securecookie.GenerateRandomKey(tt.wantLenth)
+			got := GenerateRandomKey(tt.wantLenth)
 			is.Equal(tt.wantLenth, len(got))
 		})
 	}

 	t.Run("Generated keys are unique", func(t *testing.T) {
 		keys := make(map[string]bool)
-		for i := 0; i < 100; i++ {
-			key := securecookie.GenerateRandomKey(8)
+
+		for range 100 {
+			key := GenerateRandomKey(8)
 			_, ok := keys[string(key)]
 			is.False(ok)
+
 			keys[string(key)] = true
 		}
 	})
--- a/api/apikey/cache.go
+++ b/api/apikey/cache.go
@@ -1,69 +1,79 @@
 package apikey

 import (
-	lru "github.com/hashicorp/golang-lru"
 	portainer "github.com/portainer/portainer/api"
+
+	lru "github.com/hashicorp/golang-lru"
 )

-const defaultAPIKeyCacheSize = 1024
+const DefaultAPIKeyCacheSize = 1024

 // entry is a tuple containing the user and API key associated to an API key digest
-type entry struct {
-	user   portainer.User
+type entry[T any] struct {
+	user   T
 	apiKey portainer.APIKey
 }

-// apiKeyCache is a concurrency-safe, in-memory cache which primarily exists for to reduce database roundtrips.
+type UserCompareFn[T any] func(T, portainer.UserID) bool
+
+// ApiKeyCache is a concurrency-safe, in-memory cache which primarily exists for to reduce database roundtrips.
 // We store the api-key digest (keys) and the associated user and key-data (values) in the cache.
 // This is required because HTTP requests will contain only the api-key digest in the x-api-key request header;
 // digest value must be mapped to a portainer user (and respective key data) for validation.
 // This cache is used to avoid multiple database queries to retrieve these user/key associated to the digest.
-type apiKeyCache struct {
+type ApiKeyCache[T any] struct {
 	// cache type [string]entry cache (key: string(digest), value: user/key entry)
 	// note: []byte keys are not supported by golang-lru Cache
-	cache *lru.Cache
+	cache     *lru.Cache
+	userCmpFn UserCompareFn[T]
 }

 // NewAPIKeyCache creates a new cache for API keys
-func NewAPIKeyCache(cacheSize int) *apiKeyCache {
+func NewAPIKeyCache[T any](cacheSize int, userCompareFn UserCompareFn[T]) *ApiKeyCache[T] {
 	cache, _ := lru.New(cacheSize)
-	return &apiKeyCache{cache: cache}
+
+	return &ApiKeyCache[T]{cache: cache, userCmpFn: userCompareFn}
 }

 // Get returns the user/key associated to an api-key's digest
 // This is required because HTTP requests will contain the digest of the API key in header,
 // the digest value must be mapped to a portainer user.
-func (c *apiKeyCache) Get(digest string) (portainer.User, portainer.APIKey, bool) {
+func (c *ApiKeyCache[T]) Get(digest string) (T, portainer.APIKey, bool) {
 	val, ok := c.cache.Get(digest)
 	if !ok {
-		return portainer.User{}, portainer.APIKey{}, false
+		var t T
+
+		return t, portainer.APIKey{}, false
 	}
-	tuple := val.(entry)
+
+	tuple := val.(entry[T])

 	return tuple.user, tuple.apiKey, true
 }

 // Set persists a user/key entry to the cache
-func (c *apiKeyCache) Set(digest string, user portainer.User, apiKey portainer.APIKey) {
-	c.cache.Add(digest, entry{
+func (c *ApiKeyCache[T]) Set(digest string, user T, apiKey portainer.APIKey) {
+	c.cache.Add(digest, entry[T]{
 		user:   user,
 		apiKey: apiKey,
 	})
 }

 // Delete evicts a digest's user/key entry key from the cache
-func (c *apiKeyCache) Delete(digest string) {
+func (c *ApiKeyCache[T]) Delete(digest string) {
 	c.cache.Remove(digest)
 }

 // InvalidateUserKeyCache loops through all the api-keys associated to a user and removes them from the cache
-func (c *apiKeyCache) InvalidateUserKeyCache(userId portainer.UserID) bool {
+func (c *ApiKeyCache[T]) InvalidateUserKeyCache(userId portainer.UserID) bool {
 	present := false
+
 	for _, k := range c.cache.Keys() {
 		user, _, _ := c.Get(k.(string))
-		if user.ID == userId {
+		if c.userCmpFn(user, userId) {
 			present = c.cache.Remove(k)
 		}
 	}
+
 	return present
 }
--- a/api/apikey/cache_test.go
+++ b/api/apikey/cache_test.go
@@ -10,11 +10,11 @@ import (
 func Test_apiKeyCacheGet(t *testing.T) {
 	is := assert.New(t)

-	keyCache := NewAPIKeyCache(10)
+	keyCache := NewAPIKeyCache(10, compareUser)

 	// pre-populate cache
-	keyCache.cache.Add(string("foo"), entry{user: portainer.User{}, apiKey: portainer.APIKey{}})
-	keyCache.cache.Add(string(""), entry{user: portainer.User{}, apiKey: portainer.APIKey{}})
+	keyCache.cache.Add(string("foo"), entry[portainer.User]{user: portainer.User{}, apiKey: portainer.APIKey{}})
+	keyCache.cache.Add(string(""), entry[portainer.User]{user: portainer.User{}, apiKey: portainer.APIKey{}})

 	tests := []struct {
 		digest string
@@ -45,7 +45,7 @@ func Test_apiKeyCacheGet(t *testing.T) {
 func Test_apiKeyCacheSet(t *testing.T) {
 	is := assert.New(t)

-	keyCache := NewAPIKeyCache(10)
+	keyCache := NewAPIKeyCache(10, compareUser)

 	// pre-populate cache
 	keyCache.Set("bar", portainer.User{ID: 2}, portainer.APIKey{})
@@ -57,23 +57,23 @@ func Test_apiKeyCacheSet(t *testing.T) {
 	val, ok := keyCache.cache.Get(string("bar"))
 	is.True(ok)

-	tuple := val.(entry)
+	tuple := val.(entry[portainer.User])
 	is.Equal(portainer.User{ID: 2}, tuple.user)

 	val, ok = keyCache.cache.Get(string("foo"))
 	is.True(ok)

-	tuple = val.(entry)
+	tuple = val.(entry[portainer.User])
 	is.Equal(portainer.User{ID: 3}, tuple.user)
 }

 func Test_apiKeyCacheDelete(t *testing.T) {
 	is := assert.New(t)

-	keyCache := NewAPIKeyCache(10)
+	keyCache := NewAPIKeyCache(10, compareUser)

 	t.Run("Delete an existing entry", func(t *testing.T) {
-		keyCache.cache.Add(string("foo"), entry{user: portainer.User{ID: 1}, apiKey: portainer.APIKey{}})
+		keyCache.cache.Add(string("foo"), entry[portainer.User]{user: portainer.User{ID: 1}, apiKey: portainer.APIKey{}})
 		keyCache.Delete("foo")

 		_, ok := keyCache.cache.Get(string("foo"))
@@ -128,7 +128,7 @@ func Test_apiKeyCacheLRU(t *testing.T) {

 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			keyCache := NewAPIKeyCache(test.cacheLen)
+			keyCache := NewAPIKeyCache(test.cacheLen, compareUser)

 			for _, key := range test.key {
 				keyCache.Set(key, portainer.User{ID: 1}, portainer.APIKey{})
@@ -150,10 +150,10 @@ func Test_apiKeyCacheLRU(t *testing.T) {
 func Test_apiKeyCacheInvalidateUserKeyCache(t *testing.T) {
 	is := assert.New(t)

-	keyCache := NewAPIKeyCache(10)
+	keyCache := NewAPIKeyCache(10, compareUser)

 	t.Run("Removes users keys from cache", func(t *testing.T) {
-		keyCache.cache.Add(string("foo"), entry{user: portainer.User{ID: 1}, apiKey: portainer.APIKey{}})
+		keyCache.cache.Add(string("foo"), entry[portainer.User]{user: portainer.User{ID: 1}, apiKey: portainer.APIKey{}})

 		ok := keyCache.InvalidateUserKeyCache(1)
 		is.True(ok)
@@ -163,8 +163,8 @@ func Test_apiKeyCacheInvalidateUserKeyCache(t *testing.T) {
 	})

 	t.Run("Does not affect other keys", func(t *testing.T) {
-		keyCache.cache.Add(string("foo"), entry{user: portainer.User{ID: 1}, apiKey: portainer.APIKey{}})
-		keyCache.cache.Add(string("bar"), entry{user: portainer.User{ID: 2}, apiKey: portainer.APIKey{}})
+		keyCache.cache.Add(string("foo"), entry[portainer.User]{user: portainer.User{ID: 1}, apiKey: portainer.APIKey{}})
+		keyCache.cache.Add(string("bar"), entry[portainer.User]{user: portainer.User{ID: 2}, apiKey: portainer.APIKey{}})

 		ok := keyCache.InvalidateUserKeyCache(1)
 		is.True(ok)
--- a/api/apikey/service.go
+++ b/api/apikey/service.go
@@ -1,14 +1,15 @@
 package apikey

 import (
+	"crypto/rand"
 	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
+	"io"
 	"time"

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/internal/securecookie"

 	"github.com/pkg/errors"
 )
@@ -20,30 +21,45 @@ var ErrInvalidAPIKey = errors.New("Invalid API key")
 type apiKeyService struct {
 	apiKeyRepository dataservices.APIKeyRepository
 	userRepository   dataservices.UserService
-	cache            *apiKeyCache
+	cache            *ApiKeyCache[portainer.User]
+}
+
+// GenerateRandomKey generates a random key of specified length
+// source: https://github.com/gorilla/securecookie/blob/master/securecookie.go#L515
+func GenerateRandomKey(length int) []byte {
+	k := make([]byte, length)
+	if _, err := io.ReadFull(rand.Reader, k); err != nil {
+		return nil
+	}
+
+	return k
+}
+
+func compareUser(u portainer.User, id portainer.UserID) bool {
+	return u.ID == id
 }

 func NewAPIKeyService(apiKeyRepository dataservices.APIKeyRepository, userRepository dataservices.UserService) *apiKeyService {
 	return &apiKeyService{
 		apiKeyRepository: apiKeyRepository,
 		userRepository:   userRepository,
-		cache:            NewAPIKeyCache(defaultAPIKeyCacheSize),
+		cache:            NewAPIKeyCache(DefaultAPIKeyCacheSize, compareUser),
 	}
 }

 // HashRaw computes a hash digest of provided raw API key.
 func (a *apiKeyService) HashRaw(rawKey string) string {
 	hashDigest := sha256.Sum256([]byte(rawKey))
+
 	return base64.StdEncoding.EncodeToString(hashDigest[:])
 }

 // GenerateApiKey generates a raw API key for a user (for one-time display).
 // The generated API key is stored in the cache and database.
 func (a *apiKeyService) GenerateApiKey(user portainer.User, description string) (string, *portainer.APIKey, error) {
-	randKey := securecookie.GenerateRandomKey(32)
+	randKey := GenerateRandomKey(32)
 	encodedRawAPIKey := base64.StdEncoding.EncodeToString(randKey)
 	prefixedAPIKey := portainerAPIKeyPrefix + encodedRawAPIKey
-
 	hashDigest := a.HashRaw(prefixedAPIKey)

 	apiKey := &portainer.APIKey{
@@ -54,8 +70,7 @@ func (a *apiKeyService) GenerateApiKey(user portainer.User, description string)
 		Digest:      hashDigest,
 	}

-	err := a.apiKeyRepository.Create(apiKey)
-	if err != nil {
+	if err := a.apiKeyRepository.Create(apiKey); err != nil {
 		return "", nil, errors.Wrap(err, "Unable to create API key")
 	}

@@ -78,7 +93,6 @@ func (a *apiKeyService) GetAPIKeys(userID portainer.UserID) ([]portainer.APIKey,
 // GetDigestUserAndKey returns the user and api-key associated to a specified hash digest.
 // A cache lookup is performed first; if the user/api-key is not found in the cache, respective database lookups are performed.
 func (a *apiKeyService) GetDigestUserAndKey(digest string) (portainer.User, portainer.APIKey, error) {
-	// get api key from cache if possible
 	cachedUser, cachedKey, ok := a.cache.Get(digest)
 	if ok {
 		return cachedUser, cachedKey, nil
@@ -106,20 +120,21 @@ func (a *apiKeyService) UpdateAPIKey(apiKey *portainer.APIKey) error {
 	if err != nil {
 		return errors.Wrap(err, "Unable to retrieve API key")
 	}
+
 	a.cache.Set(apiKey.Digest, user, *apiKey)
+
 	return a.apiKeyRepository.Update(apiKey.ID, apiKey)
 }

 // DeleteAPIKey deletes an API key and removes the digest/api-key entry from the cache.
 func (a *apiKeyService) DeleteAPIKey(apiKeyID portainer.APIKeyID) error {
-	// get api-key digest to remove from cache
 	apiKey, err := a.apiKeyRepository.Read(apiKeyID)
 	if err != nil {
 		return errors.Wrap(err, fmt.Sprintf("Unable to retrieve API key: %d", apiKeyID))
 	}

-	// delete the user/api-key from cache
 	a.cache.Delete(apiKey.Digest)
+
 	return a.apiKeyRepository.Delete(apiKeyID)
 }

--- a/api/archive/targz.go
+++ b/api/archive/targz.go
@@ -15,7 +15,7 @@ import (
 // abosolutePath should be an absolute path to a directory.
 // Archive name will be <directoryName>.tar.gz and will be placed next to the directory.
 func TarGzDir(absolutePath string) (string, error) {
-	targzPath := filepath.Join(absolutePath, fmt.Sprintf("%s.tar.gz", filepath.Base(absolutePath)))
+	targzPath := filepath.Join(absolutePath, filepath.Base(absolutePath)+".tar.gz")
 	outFile, err := os.Create(targzPath)
 	if err != nil {
 		return "", err
--- a/api/archive/targz_test.go
+++ b/api/archive/targz_test.go
@@ -1,7 +1,6 @@
 package archive

 import (
-	"fmt"
 	"os"
 	"os/exec"
 	"path"
@@ -24,7 +23,7 @@ func listFiles(dir string) []string {
 	return items
 }

-func Test_shouldCreateArhive(t *testing.T) {
+func Test_shouldCreateArchive(t *testing.T) {
 	tmpdir := t.TempDir()
 	content := []byte("content")
 	os.WriteFile(path.Join(tmpdir, "outer"), content, 0600)
@@ -34,12 +33,11 @@ func Test_shouldCreateArhive(t *testing.T) {

 	gzPath, err := TarGzDir(tmpdir)
 	assert.Nil(t, err)
-	assert.Equal(t, filepath.Join(tmpdir, fmt.Sprintf("%s.tar.gz", filepath.Base(tmpdir))), gzPath)
+	assert.Equal(t, filepath.Join(tmpdir, filepath.Base(tmpdir)+".tar.gz"), gzPath)

 	extractionDir := t.TempDir()
 	cmd := exec.Command("tar", "-xzf", gzPath, "-C", extractionDir)
-	err = cmd.Run()
-	if err != nil {
+	if err := cmd.Run(); err != nil {
 		t.Fatal("Failed to extract archive: ", err)
 	}
 	extractedFiles := listFiles(extractionDir)
@@ -56,7 +54,7 @@ func Test_shouldCreateArhive(t *testing.T) {
 	wasExtracted("dir/.dotfile")
 }

-func Test_shouldCreateArhiveXXXXX(t *testing.T) {
+func Test_shouldCreateArchive2(t *testing.T) {
 	tmpdir := t.TempDir()
 	content := []byte("content")
 	os.WriteFile(path.Join(tmpdir, "outer"), content, 0600)
@@ -66,12 +64,11 @@ func Test_shouldCreateArhiveXXXXX(t *testing.T) {

 	gzPath, err := TarGzDir(tmpdir)
 	assert.Nil(t, err)
-	assert.Equal(t, filepath.Join(tmpdir, fmt.Sprintf("%s.tar.gz", filepath.Base(tmpdir))), gzPath)
+	assert.Equal(t, filepath.Join(tmpdir, filepath.Base(tmpdir)+".tar.gz"), gzPath)

 	extractionDir := t.TempDir()
 	r, _ := os.Open(gzPath)
-	ExtractTarGz(r, extractionDir)
-	if err != nil {
+	if err := ExtractTarGz(r, extractionDir); err != nil {
 		t.Fatal("Failed to extract archive: ", err)
 	}
 	extractedFiles := listFiles(extractionDir)
--- a/api/archive/zip.go
+++ b/api/archive/zip.go
@@ -2,7 +2,6 @@ package archive

 import (
 	"archive/zip"
-	"bytes"
 	"fmt"
 	"io"
 	"os"
@@ -12,50 +11,6 @@ import (
 	"github.com/pkg/errors"
 )

-// UnzipArchive will unzip an archive from bytes into the dest destination folder on disk
-func UnzipArchive(archiveData []byte, dest string) error {
-	zipReader, err := zip.NewReader(bytes.NewReader(archiveData), int64(len(archiveData)))
-	if err != nil {
-		return err
-	}
-
-	for _, zipFile := range zipReader.File {
-		err := extractFileFromArchive(zipFile, dest)
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func extractFileFromArchive(file *zip.File, dest string) error {
-	f, err := file.Open()
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-
-	data, err := io.ReadAll(f)
-	if err != nil {
-		return err
-	}
-
-	fpath := filepath.Join(dest, file.Name)
-
-	outFile, err := os.OpenFile(fpath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, file.Mode())
-	if err != nil {
-		return err
-	}
-
-	_, err = io.Copy(outFile, bytes.NewReader(data))
-	if err != nil {
-		return err
-	}
-
-	return outFile.Close()
-}
-
 // UnzipFile will decompress a zip archive, moving all files and folders
 // within the zip file (parameter 1) to an output directory (parameter 2).
 func UnzipFile(src string, dest string) error {
@@ -76,11 +31,11 @@ func UnzipFile(src string, dest string) error {
 		if f.FileInfo().IsDir() {
 			// Make Folder
 			os.MkdirAll(p, os.ModePerm)
+
 			continue
 		}

-		err = unzipFile(f, p)
-		if err != nil {
+		if err := unzipFile(f, p); err != nil {
 			return err
 		}
 	}
@@ -93,20 +48,20 @@ func unzipFile(f *zip.File, p string) error {
 	if err := os.MkdirAll(filepath.Dir(p), os.ModePerm); err != nil {
 		return errors.Wrapf(err, "unzipFile: can't make a path %s", p)
 	}
+
 	outFile, err := os.OpenFile(p, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode())
 	if err != nil {
 		return errors.Wrapf(err, "unzipFile: can't create file %s", p)
 	}
 	defer outFile.Close()
+
 	rc, err := f.Open()
 	if err != nil {
 		return errors.Wrapf(err, "unzipFile: can't open zip file %s in the archive", f.Name)
 	}
 	defer rc.Close()

-	_, err = io.Copy(outFile, rc)
-
-	if err != nil {
+	if _, err = io.Copy(outFile, rc); err != nil {
 		return errors.Wrapf(err, "unzipFile: can't copy an archived file content")
 	}

--- a/api/aws/ecr/authorization_token.go
+++ b/api/aws/ecr/authorization_token.go
@@ -3,7 +3,7 @@ package ecr
 import (
 	"context"
 	"encoding/base64"
-	"fmt"
+	"errors"
 	"strings"
 	"time"
 )
@@ -15,7 +15,7 @@ func (s *Service) GetEncodedAuthorizationToken() (token *string, expiry *time.Ti
 	}

 	if len(getAuthorizationTokenOutput.AuthorizationData) == 0 {
-		err = fmt.Errorf("AuthorizationData is empty")
+		err = errors.New("AuthorizationData is empty")
 		return
 	}

@@ -50,7 +50,7 @@ func (s *Service) ParseAuthorizationToken(token string) (username string, passwo

 	splitToken := strings.Split(token, ":")
 	if len(splitToken) < 2 {
-		err = fmt.Errorf("invalid ECR authorization token")
+		err = errors.New("invalid ECR authorization token")
 		return
 	}

--- a/api/backup/backup.go
+++ b/api/backup/backup.go
@@ -21,6 +21,7 @@ const rwxr__r__ os.FileMode = 0o744

 var filesToBackup = []string{
 	"certs",
+	"chisel",
 	"compose",
 	"config.json",
 	"custom_templates",
@@ -30,40 +31,13 @@ var filesToBackup = []string{
 	"portainer.key",
 	"portainer.pub",
 	"tls",
-	"chisel",
 }

 // Creates a tar.gz system archive and encrypts it if password is not empty. Returns a path to the archive file.
 func CreateBackupArchive(password string, gate *offlinegate.OfflineGate, datastore dataservices.DataStore, filestorePath string) (string, error) {
-	unlock := gate.Lock()
-	defer unlock()
-
-	backupDirPath := filepath.Join(filestorePath, "backup", time.Now().Format("2006-01-02_15-04-05"))
-	if err := os.MkdirAll(backupDirPath, rwxr__r__); err != nil {
-		return "", errors.Wrap(err, "Failed to create backup dir")
-	}
-
-	{
-		// new export
-		exportFilename := path.Join(backupDirPath, fmt.Sprintf("export-%d.json", time.Now().Unix()))
-
-		err := datastore.Export(exportFilename)
-		if err != nil {
-			log.Error().Err(err).Str("filename", exportFilename).Msg("failed to export")
-		} else {
-			log.Debug().Str("filename", exportFilename).Msg("file exported")
-		}
-	}
-
-	if err := backupDb(backupDirPath, datastore); err != nil {
-		return "", errors.Wrap(err, "Failed to backup database")
-	}
-
-	for _, filename := range filesToBackup {
-		err := filesystem.CopyPath(filepath.Join(filestorePath, filename), backupDirPath)
-		if err != nil {
-			return "", errors.Wrap(err, "Failed to create backup file")
-		}
+	backupDirPath, err := backupDatabaseAndFilesystem(gate, datastore, filestorePath)
+	if err != nil {
+		return "", err
 	}

 	archivePath, err := archive.TarGzDir(backupDirPath)
@@ -81,6 +55,37 @@ func CreateBackupArchive(password string, gate *offlinegate.OfflineGate, datasto
 	return archivePath, nil
 }

+func backupDatabaseAndFilesystem(gate *offlinegate.OfflineGate, datastore dataservices.DataStore, filestorePath string) (string, error) {
+	unlock := gate.Lock()
+	defer unlock()
+
+	backupDirPath := filepath.Join(filestorePath, "backup", time.Now().Format("2006-01-02_15-04-05"))
+	if err := os.MkdirAll(backupDirPath, rwxr__r__); err != nil {
+		return "", errors.Wrap(err, "Failed to create backup dir")
+	}
+
+	// new export
+	exportFilename := path.Join(backupDirPath, fmt.Sprintf("export-%d.json", time.Now().Unix()))
+
+	if err := datastore.Export(exportFilename); err != nil {
+		log.Error().Err(err).Str("filename", exportFilename).Msg("failed to export")
+	} else {
+		log.Debug().Str("filename", exportFilename).Msg("file exported")
+	}
+
+	if err := backupDb(backupDirPath, datastore); err != nil {
+		return "", errors.Wrap(err, "Failed to backup database")
+	}
+
+	for _, filename := range filesToBackup {
+		if err := filesystem.CopyPath(filepath.Join(filestorePath, filename), backupDirPath); err != nil {
+			return "", errors.Wrap(err, "Failed to create backup file")
+		}
+	}
+
+	return backupDirPath, nil
+}
+
 func backupDb(backupDirPath string, datastore dataservices.DataStore) error {
 	dbFileName := datastore.Connection().GetDatabaseFileName()
 	_, err := datastore.Backup(filepath.Join(backupDirPath, dbFileName))
@@ -94,7 +99,7 @@ func encrypt(path string, passphrase string) (string, error) {
 	}
 	defer in.Close()

-	outFileName := fmt.Sprintf("%s.encrypted", path)
+	outFileName := path + ".encrypted"
 	out, err := os.Create(outFileName)
 	if err != nil {
 		return "", err
--- a/api/build/variables.go
+++ b/api/build/variables.go
@@ -1,12 +0,0 @@
-package build
-
-import "runtime"
-
-// Variables to be set during the build time
-var BuildNumber string
-var ImageTag string
-var NodejsVersion string
-var YarnVersion string
-var WebpackVersion string
-var GoVersion string = runtime.Version()
-var GitCommit string
--- a/api/chisel/schedules.go
+++ b/api/chisel/schedules.go
@@ -1,82 +0,0 @@
-package chisel
-
-import (
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/internal/edge/cache"
-)
-
-// EdgeJobs retrieves the edge jobs for the given environment
-func (service *Service) EdgeJobs(endpointID portainer.EndpointID) []portainer.EdgeJob {
-	service.mu.RLock()
-	defer service.mu.RUnlock()
-
-	return append(
-		make([]portainer.EdgeJob, 0, len(service.edgeJobs[endpointID])),
-		service.edgeJobs[endpointID]...,
-	)
-}
-
-// AddEdgeJob register an EdgeJob inside the tunnel details associated to an environment(endpoint).
-func (service *Service) AddEdgeJob(endpoint *portainer.Endpoint, edgeJob *portainer.EdgeJob) {
-	if endpoint.Edge.AsyncMode {
-		return
-	}
-
-	service.mu.Lock()
-	defer service.mu.Unlock()
-
-	existingJobIndex := -1
-	for idx, existingJob := range service.edgeJobs[endpoint.ID] {
-		if existingJob.ID == edgeJob.ID {
-			existingJobIndex = idx
-
-			break
-		}
-	}
-
-	if existingJobIndex == -1 {
-		service.edgeJobs[endpoint.ID] = append(service.edgeJobs[endpoint.ID], *edgeJob)
-	} else {
-		service.edgeJobs[endpoint.ID][existingJobIndex] = *edgeJob
-	}
-
-	cache.Del(endpoint.ID)
-}
-
-// RemoveEdgeJob will remove the specified Edge job from each tunnel it was registered with.
-func (service *Service) RemoveEdgeJob(edgeJobID portainer.EdgeJobID) {
-	service.mu.Lock()
-
-	for endpointID := range service.edgeJobs {
-		n := 0
-		for _, edgeJob := range service.edgeJobs[endpointID] {
-			if edgeJob.ID != edgeJobID {
-				service.edgeJobs[endpointID][n] = edgeJob
-				n++
-			}
-		}
-
-		service.edgeJobs[endpointID] = service.edgeJobs[endpointID][:n]
-
-		cache.Del(endpointID)
-	}
-
-	service.mu.Unlock()
-}
-
-func (service *Service) RemoveEdgeJobFromEndpoint(endpointID portainer.EndpointID, edgeJobID portainer.EdgeJobID) {
-	service.mu.Lock()
-	defer service.mu.Unlock()
-
-	n := 0
-	for _, edgeJob := range service.edgeJobs[endpointID] {
-		if edgeJob.ID != edgeJobID {
-			service.edgeJobs[endpointID][n] = edgeJob
-			n++
-		}
-	}
-
-	service.edgeJobs[endpointID] = service.edgeJobs[endpointID][:n]
-
-	cache.Del(endpointID)
-}
--- a/api/chisel/service_test.go
+++ b/api/chisel/service_test.go
@@ -15,8 +15,10 @@ import (

 func TestPingAgentPanic(t *testing.T) {
 	endpoint := &portainer.Endpoint{
-		ID:   1,
-		Type: portainer.EdgeAgentOnDockerEnvironment,
+		ID:          1,
+		EdgeID:      "test-edge-id",
+		Type:        portainer.EdgeAgentOnDockerEnvironment,
+		UserTrusted: true,
 	}

 	_, store := datastore.MustNewTestStore(t, true, true)
@@ -42,7 +44,8 @@ func TestPingAgentPanic(t *testing.T) {
 		errCh <- srv.Serve(ln)
 	}()

-	s.Open(endpoint)
+	err = s.Open(endpoint)
+	require.NoError(t, err)
 	s.activeTunnels[endpoint.ID].Port = ln.Addr().(*net.TCPAddr).Port

 	require.Error(t, s.pingAgent(endpoint.ID))
--- a/api/chisel/tunnel.go
+++ b/api/chisel/tunnel.go
@@ -24,14 +24,24 @@ const (
 	maxAvailablePort = 65535
 )

+var (
+	ErrNonEdgeEnv = errors.New("cannot open a tunnel for non-edge environments")
+	ErrAsyncEnv   = errors.New("cannot open a tunnel for async edge environments")
+	ErrInvalidEnv = errors.New("cannot open a tunnel for an invalid environment")
+)
+
 // Open will mark the tunnel as REQUIRED so the agent opens it
 func (s *Service) Open(endpoint *portainer.Endpoint) error {
 	if !endpointutils.IsEdgeEndpoint(endpoint) {
-		return errors.New("cannot open a tunnel for non-edge environments")
+		return ErrNonEdgeEnv
 	}

 	if endpoint.Edge.AsyncMode {
-		return errors.New("cannot open a tunnel for async edge environments")
+		return ErrAsyncEnv
+	}
+
+	if endpoint.ID == 0 || endpoint.EdgeID == "" || !endpoint.UserTrusted {
+		return ErrInvalidEnv
 	}

 	s.mu.Lock()
--- a/api/cli/cli.go
+++ b/api/cli/cli.go
@@ -17,17 +17,14 @@ import (
 type Service struct{}

 var (
-	errInvalidEndpointProtocol       = errors.New("Invalid environment protocol: Portainer only supports unix://, npipe:// or tcp://")
-	errSocketOrNamedPipeNotFound     = errors.New("Unable to locate Unix socket or named pipe")
-	errInvalidSnapshotInterval       = errors.New("Invalid snapshot interval")
-	errAdminPassExcludeAdminPassFile = errors.New("Cannot use --admin-password with --admin-password-file")
+	ErrInvalidEndpointProtocol       = errors.New("Invalid environment protocol: Portainer only supports unix://, npipe:// or tcp://")
+	ErrSocketOrNamedPipeNotFound     = errors.New("Unable to locate Unix socket or named pipe")
+	ErrInvalidSnapshotInterval       = errors.New("Invalid snapshot interval")
+	ErrAdminPassExcludeAdminPassFile = errors.New("Cannot use --admin-password with --admin-password-file")
 )

-// ParseFlags parse the CLI flags and return a portainer.Flags struct
-func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
-	kingpin.Version(version)
-
-	flags := &portainer.CLIFlags{
+func CLIFlags() *portainer.CLIFlags {
+	return &portainer.CLIFlags{
 		Addr:                      kingpin.Flag("bind", "Address and port to serve Portainer").Default(defaultBindAddress).Short('p').String(),
 		AddrHTTPS:                 kingpin.Flag("bind-https", "Address and port to serve Portainer via https").Default(defaultHTTPSBindAddress).String(),
 		TunnelAddr:                kingpin.Flag("tunnel-addr", "Address to serve the tunnel server").Default(defaultTunnelServerAddress).String(),
@@ -62,7 +59,16 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 		SecretKeyName:             kingpin.Flag("secret-key-name", "Secret key name for encryption and will be used as /run/secrets/<secret-key-name>.").Default(defaultSecretKeyName).String(),
 		LogLevel:                  kingpin.Flag("log-level", "Set the minimum logging level to show").Default("INFO").Enum("DEBUG", "INFO", "WARN", "ERROR"),
 		LogMode:                   kingpin.Flag("log-mode", "Set the logging output mode").Default("PRETTY").Enum("NOCOLOR", "PRETTY", "JSON"),
+		KubectlShellImage:         kingpin.Flag("kubectl-shell-image", "Kubectl shell image").Envar(portainer.KubectlShellImageEnvVar).Default(portainer.DefaultKubectlShellImage).String(),
+		PullLimitCheckDisabled:    kingpin.Flag("pull-limit-check-disabled", "Pull limit check").Envar(portainer.PullLimitCheckDisabledEnvVar).Default(defaultPullLimitCheckDisabled).Bool(),
 	}
+}
+
+// ParseFlags parse the CLI flags and return a portainer.Flags struct
+func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
+	kingpin.Version(version)
+
+	flags := CLIFlags()

 	kingpin.Parse()

@@ -82,18 +88,16 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 func (*Service) ValidateFlags(flags *portainer.CLIFlags) error {
 	displayDeprecationWarnings(flags)

-	err := validateEndpointURL(*flags.EndpointURL)
-	if err != nil {
+	if err := validateEndpointURL(*flags.EndpointURL); err != nil {
 		return err
 	}

-	err = validateSnapshotInterval(*flags.SnapshotInterval)
-	if err != nil {
+	if err := validateSnapshotInterval(*flags.SnapshotInterval); err != nil {
 		return err
 	}

 	if *flags.AdminPassword != "" && *flags.AdminPasswordFile != "" {
-		return errAdminPassExcludeAdminPassFile
+		return ErrAdminPassExcludeAdminPassFile
 	}

 	return nil
@@ -115,15 +119,16 @@ func validateEndpointURL(endpointURL string) error {
 	}

 	if !strings.HasPrefix(endpointURL, "unix://") && !strings.HasPrefix(endpointURL, "tcp://") && !strings.HasPrefix(endpointURL, "npipe://") {
-		return errInvalidEndpointProtocol
+		return ErrInvalidEndpointProtocol
 	}

 	if strings.HasPrefix(endpointURL, "unix://") || strings.HasPrefix(endpointURL, "npipe://") {
 		socketPath := strings.TrimPrefix(endpointURL, "unix://")
 		socketPath = strings.TrimPrefix(socketPath, "npipe://")
+
 		if _, err := os.Stat(socketPath); err != nil {
 			if os.IsNotExist(err) {
-				return errSocketOrNamedPipeNotFound
+				return ErrSocketOrNamedPipeNotFound
 			}

 			return err
@@ -138,9 +143,8 @@ func validateSnapshotInterval(snapshotInterval string) error {
 		return nil
 	}

-	_, err := time.ParseDuration(snapshotInterval)
-	if err != nil {
-		return errInvalidSnapshotInterval
+	if _, err := time.ParseDuration(snapshotInterval); err != nil {
+		return ErrInvalidSnapshotInterval
 	}

 	return nil
--- a/api/cli/confirm.go
+++ b/api/cli/confirm.go
@@ -19,7 +19,5 @@ func Confirm(message string) (bool, error) {
 	}

 	answer = strings.ReplaceAll(answer, "\n", "")
-	answer = strings.ToLower(answer)
-
-	return answer == "y" || answer == "yes", nil
+	return strings.EqualFold(answer, "y") || strings.EqualFold(answer, "yes"), nil
 }
--- a/api/cli/defaults.go
+++ b/api/cli/defaults.go
@@ -4,20 +4,21 @@
 package cli

 const (
-	defaultBindAddress         = ":9000"
-	defaultHTTPSBindAddress    = ":9443"
-	defaultTunnelServerAddress = "0.0.0.0"
-	defaultTunnelServerPort    = "8000"
-	defaultDataDirectory       = "/data"
-	defaultAssetsDirectory     = "./"
-	defaultTLS                 = "false"
-	defaultTLSSkipVerify       = "false"
-	defaultTLSCACertPath       = "/certs/ca.pem"
-	defaultTLSCertPath         = "/certs/cert.pem"
-	defaultTLSKeyPath          = "/certs/key.pem"
-	defaultHTTPDisabled        = "false"
-	defaultHTTPEnabled         = "false"
-	defaultSSL                 = "false"
-	defaultBaseURL             = "/"
-	defaultSecretKeyName       = "portainer"
+	defaultBindAddress            = ":9000"
+	defaultHTTPSBindAddress       = ":9443"
+	defaultTunnelServerAddress    = "0.0.0.0"
+	defaultTunnelServerPort       = "8000"
+	defaultDataDirectory          = "/data"
+	defaultAssetsDirectory        = "./"
+	defaultTLS                    = "false"
+	defaultTLSSkipVerify          = "false"
+	defaultTLSCACertPath          = "/certs/ca.pem"
+	defaultTLSCertPath            = "/certs/cert.pem"
+	defaultTLSKeyPath             = "/certs/key.pem"
+	defaultHTTPDisabled           = "false"
+	defaultHTTPEnabled            = "false"
+	defaultSSL                    = "false"
+	defaultBaseURL                = "/"
+	defaultSecretKeyName          = "portainer"
+	defaultPullLimitCheckDisabled = "false"
 )
--- a/api/cli/defaults_windows.go
+++ b/api/cli/defaults_windows.go
@@ -1,21 +1,22 @@
 package cli

 const (
-	defaultBindAddress         = ":9000"
-	defaultHTTPSBindAddress    = ":9443"
-	defaultTunnelServerAddress = "0.0.0.0"
-	defaultTunnelServerPort    = "8000"
-	defaultDataDirectory       = "C:\\data"
-	defaultAssetsDirectory     = "./"
-	defaultTLS                 = "false"
-	defaultTLSSkipVerify       = "false"
-	defaultTLSCACertPath       = "C:\\certs\\ca.pem"
-	defaultTLSCertPath         = "C:\\certs\\cert.pem"
-	defaultTLSKeyPath          = "C:\\certs\\key.pem"
-	defaultHTTPDisabled        = "false"
-	defaultHTTPEnabled         = "false"
-	defaultSSL                 = "false"
-	defaultSnapshotInterval    = "5m"
-	defaultBaseURL             = "/"
-	defaultSecretKeyName       = "portainer"
+	defaultBindAddress            = ":9000"
+	defaultHTTPSBindAddress       = ":9443"
+	defaultTunnelServerAddress    = "0.0.0.0"
+	defaultTunnelServerPort       = "8000"
+	defaultDataDirectory          = "C:\\data"
+	defaultAssetsDirectory        = "./"
+	defaultTLS                    = "false"
+	defaultTLSSkipVerify          = "false"
+	defaultTLSCACertPath          = "C:\\certs\\ca.pem"
+	defaultTLSCertPath            = "C:\\certs\\cert.pem"
+	defaultTLSKeyPath             = "C:\\certs\\key.pem"
+	defaultHTTPDisabled           = "false"
+	defaultHTTPEnabled            = "false"
+	defaultSSL                    = "false"
+	defaultSnapshotInterval       = "5m"
+	defaultBaseURL                = "/"
+	defaultSecretKeyName          = "portainer"
+	defaultPullLimitCheckDisabled = "false"
 )
--- a/api/cli/pairlistbool.go
+++ b/api/cli/pairlistbool.go
@@ -1,45 +0,0 @@
-package cli
-
-import (
-	"strings"
-
-	portainer "github.com/portainer/portainer/api"
-
-	"gopkg.in/alecthomas/kingpin.v2"
-)
-
-type pairListBool []portainer.Pair
-
-// Set implementation for a list of portainer.Pair
-func (l *pairListBool) Set(value string) error {
-	p := new(portainer.Pair)
-
-	// default to true.  example setting=true is equivalent to setting
-	parts := strings.SplitN(value, "=", 2)
-	if len(parts) != 2 {
-		p.Name = parts[0]
-		p.Value = "true"
-	} else {
-		p.Name = parts[0]
-		p.Value = parts[1]
-	}
-
-	*l = append(*l, *p)
-	return nil
-}
-
-// String implementation for a list of pair
-func (l *pairListBool) String() string {
-	return ""
-}
-
-// IsCumulative implementation for a list of pair
-func (l *pairListBool) IsCumulative() bool {
-	return true
-}
-
-func BoolPairs(s kingpin.Settings) (target *[]portainer.Pair) {
-	target = new([]portainer.Pair)
-	s.SetValue((*pairListBool)(target))
-	return
-}
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -1,6 +1,7 @@
 package main

 import (
+	"cmp"
 	"context"
 	"crypto/sha256"
 	"os"
@@ -9,7 +10,6 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/apikey"
-	"github.com/portainer/portainer/api/build"
 	"github.com/portainer/portainer/api/chisel"
 	"github.com/portainer/portainer/api/cli"
 	"github.com/portainer/portainer/api/crypto"
@@ -30,7 +30,6 @@ import (
 	"github.com/portainer/portainer/api/http/proxy"
 	kubeproxy "github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
 	"github.com/portainer/portainer/api/internal/authorization"
-	"github.com/portainer/portainer/api/internal/edge"
 	"github.com/portainer/portainer/api/internal/edge/edgestacks"
 	"github.com/portainer/portainer/api/internal/endpointutils"
 	"github.com/portainer/portainer/api/internal/snapshot"
@@ -40,15 +39,18 @@ import (
 	"github.com/portainer/portainer/api/kubernetes"
 	kubecli "github.com/portainer/portainer/api/kubernetes/cli"
 	"github.com/portainer/portainer/api/ldap"
+	"github.com/portainer/portainer/api/logs"
 	"github.com/portainer/portainer/api/oauth"
 	"github.com/portainer/portainer/api/pendingactions"
 	"github.com/portainer/portainer/api/pendingactions/actions"
 	"github.com/portainer/portainer/api/pendingactions/handlers"
+	"github.com/portainer/portainer/api/platform"
 	"github.com/portainer/portainer/api/scheduler"
 	"github.com/portainer/portainer/api/stacks/deployments"
+	"github.com/portainer/portainer/pkg/build"
 	"github.com/portainer/portainer/pkg/featureflags"
 	"github.com/portainer/portainer/pkg/libhelm"
-	"github.com/portainer/portainer/pkg/libstack"
+	libhelmtypes "github.com/portainer/portainer/pkg/libhelm/types"
 	"github.com/portainer/portainer/pkg/libstack/compose"

 	"github.com/gofrs/uuid"
@@ -56,14 +58,14 @@ import (
 )

 func initCLI() *portainer.CLIFlags {
-	var cliService portainer.CLIService = &cli.Service{}
+	cliService := &cli.Service{}
+
 	flags, err := cliService.ParseFlags(portainer.APIVersion)
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed parsing flags")
 	}

-	err = cliService.ValidateFlags(flags)
-	if err != nil {
+	if err := cliService.ValidateFlags(flags); err != nil {
 		log.Fatal().Err(err).Msg("failed validating flags")
 	}

@@ -93,15 +95,15 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 		log.Fatal().Msg("failed creating database connection: expecting a boltdb database type but a different one was received")
 	}

-	store := datastore.NewStore(*flags.Data, fileService, connection)
+	store := datastore.NewStore(flags, fileService, connection)
+
 	isNew, err := store.Open()
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed opening store")
 	}

 	if *flags.Rollback {
-		err := store.Rollback(false)
-		if err != nil {
+		if err := store.Rollback(false); err != nil {
 			log.Fatal().Err(err).Msg("failed rolling back")
 		}

@@ -110,8 +112,7 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 	}

 	// Init sets some defaults - it's basically a migration
-	err = store.Init()
-	if err != nil {
+	if err := store.Init(); err != nil {
 		log.Fatal().Err(err).Msg("failed initializing data store")
 	}

@@ -121,7 +122,7 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 			log.Fatal().Err(err).Msg("failed generating instance id")
 		}

-		migratorInstance := migrator.NewMigrator(&migrator.MigratorParameters{})
+		migratorInstance := migrator.NewMigrator(&migrator.MigratorParameters{Flags: flags})
 		migratorCount := migratorInstance.GetMigratorCountOfCurrentAPIVersion()

 		// from MigrateData
@@ -133,25 +134,23 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 		}
 		store.VersionService.UpdateVersion(&v)

-		err = updateSettingsFromFlags(store, flags)
-		if err != nil {
+		if err := updateSettingsFromFlags(store, flags); err != nil {
 			log.Fatal().Err(err).Msg("failed updating settings from flags")
 		}
 	} else {
-		err = store.MigrateData()
-		if err != nil {
+		if err := store.MigrateData(); err != nil {
 			log.Fatal().Err(err).Msg("failed migration")
 		}
 	}

-	err = updateSettingsFromFlags(store, flags)
-	if err != nil {
+	if err := updateSettingsFromFlags(store, flags); err != nil {
 		log.Fatal().Err(err).Msg("failed updating settings from flags")
 	}

 	// this is for the db restore functionality - needs more tests.
 	go func() {
 		<-shutdownCtx.Done()
+
 		defer connection.Close()
 	}()

@@ -168,32 +167,12 @@ func checkDBSchemaServerVersionMatch(dbStore dataservices.DataStore, serverVersi
 	return v.SchemaVersion == serverVersion && v.Edition == serverEdition
 }

-func initComposeStackManager(composeDeployer libstack.Deployer, proxyManager *proxy.Manager) portainer.ComposeStackManager {
-	composeWrapper, err := exec.NewComposeStackManager(composeDeployer, proxyManager)
-	if err != nil {
-		log.Fatal().Err(err).Msg("failed creating compose manager")
-	}
-
-	return composeWrapper
+func initKubernetesDeployer(kubernetesTokenCacheManager *kubeproxy.TokenCacheManager, kubernetesClientFactory *kubecli.ClientFactory, dataStore dataservices.DataStore, reverseTunnelService portainer.ReverseTunnelService, signatureService portainer.DigitalSignatureService, proxyManager *proxy.Manager) portainer.KubernetesDeployer {
+	return exec.NewKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, signatureService, proxyManager)
 }

-func initSwarmStackManager(
-	assetsPath string,
-	configPath string,
-	signatureService portainer.DigitalSignatureService,
-	fileService portainer.FileService,
-	reverseTunnelService portainer.ReverseTunnelService,
-	dataStore dataservices.DataStore,
-) (portainer.SwarmStackManager, error) {
-	return exec.NewSwarmStackManager(assetsPath, configPath, signatureService, fileService, reverseTunnelService, dataStore)
-}
-
-func initKubernetesDeployer(kubernetesTokenCacheManager *kubeproxy.TokenCacheManager, kubernetesClientFactory *kubecli.ClientFactory, dataStore dataservices.DataStore, reverseTunnelService portainer.ReverseTunnelService, signatureService portainer.DigitalSignatureService, proxyManager *proxy.Manager, assetsPath string) portainer.KubernetesDeployer {
-	return exec.NewKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, signatureService, proxyManager, assetsPath)
-}
-
-func initHelmPackageManager(assetsPath string) (libhelm.HelmPackageManager, error) {
-	return libhelm.NewHelmPackageManager(libhelm.HelmConfig{BinaryPath: assetsPath})
+func initHelmPackageManager() (libhelmtypes.HelmPackageManager, error) {
+	return libhelm.NewHelmPackageManager()
 }

 func initAPIKeyService(datastore dataservices.DataStore) apikey.APIKeyService {
@@ -205,36 +184,16 @@ func initJWTService(userSessionTimeout string, dataStore dataservices.DataStore)
 		userSessionTimeout = portainer.DefaultUserSessionTimeout
 	}

-	jwtService, err := jwt.NewService(userSessionTimeout, dataStore)
-	if err != nil {
-		return nil, err
-	}
-
-	return jwtService, nil
+	return jwt.NewService(userSessionTimeout, dataStore)
 }

 func initDigitalSignatureService() portainer.DigitalSignatureService {
 	return crypto.NewECDSAService(os.Getenv("AGENT_SECRET"))
 }

-func initCryptoService() portainer.CryptoService {
-	return &crypto.Service{}
-}
-
-func initLDAPService() portainer.LDAPService {
-	return &ldap.Service{}
-}
-
-func initOAuthService() portainer.OAuthService {
-	return oauth.NewService()
-}
-
-func initGitService(ctx context.Context) portainer.GitService {
-	return git.NewService(ctx)
-}
-
 func initSSLService(addr, certPath, keyPath string, fileService portainer.FileService, dataStore dataservices.DataStore, shutdownTrigger context.CancelFunc) (*ssl.Service, error) {
 	slices := strings.Split(addr, ":")
+
 	host := slices[0]
 	if host == "" {
 		host = "0.0.0.0"
@@ -242,22 +201,13 @@ func initSSLService(addr, certPath, keyPath string, fileService portainer.FileSe

 	sslService := ssl.NewService(fileService, dataStore, shutdownTrigger)

-	err := sslService.Init(host, certPath, keyPath)
-	if err != nil {
+	if err := sslService.Init(host, certPath, keyPath); err != nil {
 		return nil, err
 	}

 	return sslService, nil
 }

-func initDockerClientFactory(signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService) *dockerclient.ClientFactory {
-	return dockerclient.NewClientFactory(signatureService, reverseTunnelService)
-}
-
-func initKubernetesClientFactory(signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService, dataStore dataservices.DataStore, instanceID, addrHTTPS, userSessionTimeout string) (*kubecli.ClientFactory, error) {
-	return kubecli.NewClientFactory(signatureService, reverseTunnelService, dataStore, instanceID, addrHTTPS, userSessionTimeout)
-}
-
 func initSnapshotService(
 	snapshotIntervalFromFlag string,
 	dataStore dataservices.DataStore,
@@ -290,34 +240,21 @@ func updateSettingsFromFlags(dataStore dataservices.DataStore, flags *portainer.
 		return err
 	}

-	if *flags.SnapshotInterval != "" {
-		settings.SnapshotInterval = *flags.SnapshotInterval
-	}
-
-	if *flags.Logo != "" {
-		settings.LogoURL = *flags.Logo
-	}
-
-	if *flags.EnableEdgeComputeFeatures {
-		settings.EnableEdgeComputeFeatures = *flags.EnableEdgeComputeFeatures
-	}
-
-	if *flags.Templates != "" {
-		settings.TemplatesURL = *flags.Templates
-	}
+	settings.SnapshotInterval = cmp.Or(*flags.SnapshotInterval, settings.SnapshotInterval)
+	settings.LogoURL = cmp.Or(*flags.Logo, settings.LogoURL)
+	settings.EnableEdgeComputeFeatures = cmp.Or(*flags.EnableEdgeComputeFeatures, settings.EnableEdgeComputeFeatures)
+	settings.TemplatesURL = cmp.Or(*flags.Templates, settings.TemplatesURL)

 	if *flags.Labels != nil {
 		settings.BlackListedLabels = *flags.Labels
 	}

+	settings.AgentSecret = ""
 	if agentKey, ok := os.LookupEnv("AGENT_SECRET"); ok {
 		settings.AgentSecret = agentKey
-	} else {
-		settings.AgentSecret = ""
 	}

-	err = dataStore.Settings().UpdateSettings(settings)
-	if err != nil {
+	if err := dataStore.Settings().UpdateSettings(settings); err != nil {
 		return err
 	}

@@ -340,6 +277,7 @@ func loadAndParseKeyPair(fileService portainer.FileService, signatureService por
 	if err != nil {
 		return err
 	}
+
 	return signatureService.ParseKeyPair(private, public)
 }

@@ -348,7 +286,9 @@ func generateAndStoreKeyPair(fileService portainer.FileService, signatureService
 	if err != nil {
 		return err
 	}
+
 	privateHeader, publicHeader := signatureService.PEMHeaders()
+
 	return fileService.StoreKeyPair(private, public, privateHeader, publicHeader)
 }

@@ -361,6 +301,7 @@ func initKeyPair(fileService portainer.FileService, signatureService portainer.D
 	if existingKeyPair {
 		return loadAndParseKeyPair(fileService, signatureService)
 	}
+
 	return generateAndStoreKeyPair(fileService, signatureService)
 }

@@ -378,6 +319,7 @@ func loadEncryptionSecretKey(keyfilename string) []byte {

 	// return a 32 byte hash of the secret (required for AES)
 	hash := sha256.Sum256(content)
+
 	return hash[:]
 }

@@ -422,17 +364,17 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		log.Fatal().Err(err).Msg("failed initializing JWT service")
 	}

-	ldapService := initLDAPService()
+	ldapService := &ldap.Service{}

-	oauthService := initOAuthService()
+	oauthService := oauth.NewService()

-	gitService := initGitService(shutdownCtx)
+	gitService := git.NewService(shutdownCtx)

 	openAMTService := openamt.NewService()

-	cryptoService := initCryptoService()
+	cryptoService := &crypto.Service{}

-	digitalSignatureService := initDigitalSignatureService()
+	signatureService := initDigitalSignatureService()

 	edgeStacksService := edgestacks.NewService(dataStore)

@@ -446,15 +388,18 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		log.Fatal().Err(err).Msg("failed to get SSL settings")
 	}

-	err = initKeyPair(fileService, digitalSignatureService)
-	if err != nil {
+	if err := initKeyPair(fileService, signatureService); err != nil {
 		log.Fatal().Err(err).Msg("failed initializing key pair")
 	}

 	reverseTunnelService := chisel.NewService(dataStore, shutdownCtx, fileService)

-	dockerClientFactory := initDockerClientFactory(digitalSignatureService, reverseTunnelService)
-	kubernetesClientFactory, err := initKubernetesClientFactory(digitalSignatureService, reverseTunnelService, dataStore, instanceID, *flags.AddrHTTPS, settings.UserSessionTimeout)
+	dockerClientFactory := dockerclient.NewClientFactory(signatureService, reverseTunnelService)
+
+	kubernetesClientFactory, err := kubecli.NewClientFactory(signatureService, reverseTunnelService, dataStore, instanceID, *flags.AddrHTTPS, settings.UserSessionTimeout)
+	if err != nil {
+		log.Fatal().Err(err).Msg("failed initializing Kubernetes Client Factory service")
+	}

 	authorizationService := authorization.NewService(dataStore)
 	authorizationService.K8sClientFactory = kubernetesClientFactory
@@ -469,19 +414,16 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {

 	dockerConfigPath := fileService.GetDockerConfigPath()

-	composeDeployer, err := compose.NewComposeDeployer(*flags.Assets, dockerConfigPath)
-	if err != nil {
-		log.Fatal().Err(err).Msg("failed initializing compose deployer")
-	}
+	composeDeployer := compose.NewComposeDeployer()

-	composeStackManager := initComposeStackManager(composeDeployer, proxyManager)
+	composeStackManager := exec.NewComposeStackManager(composeDeployer, proxyManager, dataStore)

-	swarmStackManager, err := initSwarmStackManager(*flags.Assets, dockerConfigPath, digitalSignatureService, fileService, reverseTunnelService, dataStore)
+	swarmStackManager, err := exec.NewSwarmStackManager(*flags.Assets, dockerConfigPath, signatureService, fileService, reverseTunnelService, dataStore)
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed initializing swarm stack manager")
 	}

-	kubernetesDeployer := initKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, digitalSignatureService, proxyManager, *flags.Assets)
+	kubernetesDeployer := initKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, signatureService, proxyManager)

 	pendingActionsService := pendingactions.NewService(dataStore, kubernetesClientFactory)
 	pendingActionsService.RegisterHandler(actions.CleanNAPWithOverridePolicies, handlers.NewHandlerCleanNAPWithOverridePolicies(authorizationService, dataStore))
@@ -492,20 +434,16 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed initializing snapshot service")
 	}
+
 	snapshotService.Start()

-	proxyManager.NewProxyFactory(dataStore, digitalSignatureService, reverseTunnelService, dockerClientFactory, kubernetesClientFactory, kubernetesTokenCacheManager, gitService, snapshotService)
+	proxyManager.NewProxyFactory(dataStore, signatureService, reverseTunnelService, dockerClientFactory, kubernetesClientFactory, kubernetesTokenCacheManager, gitService, snapshotService)

-	helmPackageManager, err := initHelmPackageManager(*flags.Assets)
+	helmPackageManager, err := initHelmPackageManager()
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed initializing helm package manager")
 	}

-	err = edge.LoadEdgeJobs(dataStore, reverseTunnelService)
-	if err != nil {
-		log.Fatal().Err(err).Msg("failed loading edge jobs from database")
-	}
-
 	applicationStatus := initStatus(instanceID)

 	// channel to control when the admin user is created
@@ -514,6 +452,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 	go endpointutils.InitEndpoint(shutdownCtx, adminCreationDone, flags, dataStore, snapshotService)

 	adminPasswordHash := ""
+
 	if *flags.AdminPasswordFile != "" {
 		content, err := fileService.GetFileContent(*flags.AdminPasswordFile, "")
 		if err != nil {
@@ -536,14 +475,14 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {

 		if len(users) == 0 {
 			log.Info().Msg("created admin user with the given password.")
+
 			user := &portainer.User{
 				Username: "admin",
 				Role:     portainer.AdministratorRole,
 				Password: adminPasswordHash,
 			}

-			err := dataStore.User().Create(user)
-			if err != nil {
+			if err := dataStore.User().Create(user); err != nil {
 				log.Fatal().Err(err).Msg("failed creating admin user")
 			}

@@ -554,8 +493,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		}
 	}

-	err = reverseTunnelService.StartTunnelServer(*flags.TunnelAddr, *flags.TunnelPort, snapshotService)
-	if err != nil {
+	if err := reverseTunnelService.StartTunnelServer(*flags.TunnelAddr, *flags.TunnelPort, snapshotService); err != nil {
 		log.Fatal().Err(err).Msg("failed starting tunnel server")
 	}

@@ -568,7 +506,20 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		log.Fatal().Msg("failed to fetch SSL settings from DB")
 	}

-	upgradeService, err := upgrade.NewService(*flags.Assets, composeDeployer, kubernetesClientFactory)
+	platformService, err := platform.NewService(dataStore)
+	if err != nil {
+		log.Fatal().Err(err).Msg("failed initializing platform service")
+	}
+
+	upgradeService, err := upgrade.NewService(
+		*flags.Assets,
+		kubernetesClientFactory,
+		dockerClientFactory,
+		composeStackManager,
+		dataStore,
+		fileService,
+		stackDeployer,
+	)
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed initializing upgrade service")
 	}
@@ -613,7 +564,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		ProxyManager:                proxyManager,
 		KubernetesTokenCacheManager: kubernetesTokenCacheManager,
 		KubeClusterAccessService:    kubeClusterAccessService,
-		SignatureService:            digitalSignatureService,
+		SignatureService:            signatureService,
 		SnapshotService:             snapshotService,
 		SSLService:                  sslService,
 		DockerClientFactory:         dockerClientFactory,
@@ -625,20 +576,23 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		UpgradeService:              upgradeService,
 		AdminCreationDone:           adminCreationDone,
 		PendingActionsService:       pendingActionsService,
+		PlatformService:             platformService,
+		PullLimitCheckDisabled:      *flags.PullLimitCheckDisabled,
 	}
 }

 func main() {
-	configureLogger()
-	setLoggingMode("PRETTY")
+	logs.ConfigureLogger()
+	logs.SetLoggingMode("PRETTY")

 	flags := initCLI()

-	setLoggingLevel(*flags.LogLevel)
-	setLoggingMode(*flags.LogMode)
+	logs.SetLoggingLevel(*flags.LogLevel)
+	logs.SetLoggingMode(*flags.LogMode)

 	for {
 		server := buildServer(flags)
+
 		log.Info().
 			Str("version", portainer.APIVersion).
 			Str("build_number", build.BuildNumber).
--- a/api/internal/concurrent/concurrent.go
+++ b/api/internal/concurrent/concurrent.go
@@ -17,11 +17,11 @@ func (kcl *KubeClient) GetConfigMapsAndSecrets(namespace string) ([]models.K8sCo
 	// use closures to capture the current kube client and namespace by declaring wrapper functions
 	// that match the interface signature for concurrent.Func

-	listConfigMaps := func(ctx context.Context) (interface{}, error) {
+	listConfigMaps := func(ctx context.Context) (any, error) {
 		return kcl.cli.CoreV1().ConfigMaps(namespace).List(context.Background(), meta.ListOptions{})
 	}

-	listSecrets := func(ctx context.Context) (interface{}, error) {
+	listSecrets := func(ctx context.Context) (any, error) {
 		return kcl.cli.CoreV1().Secrets(namespace).List(context.Background(), meta.ListOptions{})
 	}

@@ -93,6 +93,7 @@ type Func func(ctx context.Context) (any, error)
 // Run runs a list of functions returns the results
 func Run(ctx context.Context, maxConcurrency int, tasks ...Func) ([]Result, error) {
 	var wg sync.WaitGroup
+
 	resultsChan := make(chan Result, len(tasks))
 	taskChan := make(chan Func, len(tasks))

@@ -101,6 +102,7 @@ func Run(ctx context.Context, maxConcurrency int, tasks ...Func) ([]Result, erro

 	runTask := func() {
 		defer wg.Done()
+
 		for fn := range taskChan {
 			result, err := fn(localCtx)
 			resultsChan <- Result{Result: result, Err: err}
@@ -113,7 +115,7 @@ func Run(ctx context.Context, maxConcurrency int, tasks ...Func) ([]Result, erro
 	}

 	// Start worker goroutines
-	for i := 0; i < maxConcurrency; i++ {
+	for range maxConcurrency {
 		wg.Add(1)
 		go runTask()
 	}
@@ -135,8 +137,10 @@ func Run(ctx context.Context, maxConcurrency int, tasks ...Func) ([]Result, erro
 	for r := range resultsChan {
 		if r.Err != nil {
 			cancelCtx()
+
 			return nil, r.Err
 		}
+
 		results = append(results, r)
 	}

--- a/api/connection.go
+++ b/api/connection.go
@@ -5,22 +5,23 @@ import (
 )

 type ReadTransaction interface {
-	GetObject(bucketName string, key []byte, object interface{}) error
-	GetAll(bucketName string, obj interface{}, append func(o interface{}) (interface{}, error)) error
-	GetAllWithJsoniter(bucketName string, obj interface{}, append func(o interface{}) (interface{}, error)) error
-	GetAllWithKeyPrefix(bucketName string, keyPrefix []byte, obj interface{}, append func(o interface{}) (interface{}, error)) error
+	GetObject(bucketName string, key []byte, object any) error
+	GetRawBytes(bucketName string, key []byte) ([]byte, error)
+	GetAll(bucketName string, obj any, append func(o any) (any, error)) error
+	GetAllWithKeyPrefix(bucketName string, keyPrefix []byte, obj any, append func(o any) (any, error)) error
+	KeyExists(bucketName string, key []byte) (bool, error)
 }

 type Transaction interface {
 	ReadTransaction

 	SetServiceName(bucketName string) error
-	UpdateObject(bucketName string, key []byte, object interface{}) error
+	UpdateObject(bucketName string, key []byte, object any) error
 	DeleteObject(bucketName string, key []byte) error
-	CreateObject(bucketName string, fn func(uint64) (int, interface{})) error
-	CreateObjectWithId(bucketName string, id int, obj interface{}) error
-	CreateObjectWithStringId(bucketName string, id []byte, obj interface{}) error
-	DeleteAllObjects(bucketName string, obj interface{}, matching func(o interface{}) (id int, ok bool)) error
+	CreateObject(bucketName string, fn func(uint64) (int, any)) error
+	CreateObjectWithId(bucketName string, id int, obj any) error
+	CreateObjectWithStringId(bucketName string, id []byte, obj any) error
+	DeleteAllObjects(bucketName string, obj any, matching func(o any) (id int, ok bool)) error
 	GetNextIdentifier(bucketName string) int
 }

@@ -41,13 +42,14 @@ type Connection interface {
 	GetDatabaseFileName() string
 	GetDatabaseFilePath() string
 	GetStorePath() string
+	GetDatabaseFileSize() (int64, error)

 	IsEncryptedStore() bool
 	NeedsEncryptionMigration() (bool, error)
 	SetEncrypted(encrypted bool)

-	BackupMetadata() (map[string]interface{}, error)
-	RestoreMetadata(s map[string]interface{}) error
+	BackupMetadata() (map[string]any, error)
+	RestoreMetadata(s map[string]any) error

 	UpdateObjectFunc(bucketName string, key []byte, object any, updateFn func()) error
 	ConvertToKey(v int) []byte
--- a/api/crypto/aes.go
+++ b/api/crypto/aes.go
@@ -31,8 +31,7 @@ const (

 // AesEncrypt reads from input, encrypts with AES-256 and writes to output. passphrase is used to generate an encryption key
 func AesEncrypt(input io.Reader, output io.Writer, passphrase []byte) error {
-	err := aesEncryptGCM(input, output, passphrase)
-	if err != nil {
+	if err := aesEncryptGCM(input, output, passphrase); err != nil {
 		return fmt.Errorf("error encrypting file: %w", err)
 	}

@@ -142,7 +141,7 @@ func aesDecryptGCM(input io.Reader, passphrase []byte) (io.Reader, error) {
 	}

 	if string(header) != aesGcmHeader {
-		return nil, fmt.Errorf("invalid header")
+		return nil, errors.New("invalid header")
 	}

 	// Read salt
@@ -194,8 +193,7 @@ func aesDecryptGCM(input io.Reader, passphrase []byte) (io.Reader, error) {
 			return nil, err
 		}

-		_, err = buf.Write(plaintext)
-		if err != nil {
+		if _, err := buf.Write(plaintext); err != nil {
 			return nil, err
 		}

--- a/api/database/boltdb/db.go
+++ b/api/database/boltdb/db.go
@@ -8,6 +8,7 @@ import (
 	"math"
 	"os"
 	"path"
+	"strconv"
 	"time"

 	portainer "github.com/portainer/portainer/api"
@@ -61,6 +62,15 @@ func (connection *DbConnection) GetStorePath() string {
 	return connection.Path
 }

+func (connection *DbConnection) GetDatabaseFileSize() (int64, error) {
+	file, err := os.Stat(connection.GetDatabaseFilePath())
+	if err != nil {
+		return 0, fmt.Errorf("Failed to stat database file path: %s err: %w", connection.GetDatabaseFilePath(), err)
+	}
+
+	return file.Size(), nil
+}
+
 func (connection *DbConnection) SetEncrypted(flag bool) {
 	connection.isEncrypted = flag
 }
@@ -73,7 +83,6 @@ func (connection *DbConnection) IsEncryptedStore() bool {
 // NeedsEncryptionMigration returns true if database encryption is enabled and
 // we have an un-encrypted DB that requires migration to an encrypted DB
 func (connection *DbConnection) NeedsEncryptionMigration() (bool, error) {
-
 	// Cases:  Note, we need to check both portainer.db and portainer.edb
 	// to determine if it's a new store.   We only need to differentiate between cases 2,3 and 5

@@ -121,11 +130,11 @@ func (connection *DbConnection) NeedsEncryptionMigration() (bool, error) {

 // Open opens and initializes the BoltDB database.
 func (connection *DbConnection) Open() error {
-
 	log.Info().Str("filename", connection.GetDatabaseFileName()).Msg("loading PortainerDB")

 	// Now we open the db
 	databasePath := connection.GetDatabaseFilePath()
+
 	db, err := bolt.Open(databasePath, 0600, &bolt.Options{
 		Timeout:         1 * time.Second,
 		InitialMmapSize: connection.InitialMmapSize,
@@ -178,6 +187,7 @@ func (connection *DbConnection) ViewTx(fn func(portainer.Transaction) error) err
 func (connection *DbConnection) BackupTo(w io.Writer) error {
 	return connection.View(func(tx *bolt.Tx) error {
 		_, err := tx.WriteTo(w)
+
 		return err
 	})
 }
@@ -192,6 +202,7 @@ func (connection *DbConnection) ExportRaw(filename string) error {
 	if err != nil {
 		return err
 	}
+
 	return os.WriteFile(filename, b, 0600)
 }

@@ -201,6 +212,7 @@ func (connection *DbConnection) ExportRaw(filename string) error {
 func (connection *DbConnection) ConvertToKey(v int) []byte {
 	b := make([]byte, 8)
 	binary.BigEndian.PutUint64(b, uint64(v))
+
 	return b
 }

@@ -212,7 +224,7 @@ func keyToString(b []byte) string {

 	v := binary.BigEndian.Uint64(b)
 	if v <= math.MaxInt32 {
-		return fmt.Sprintf("%d", v)
+		return strconv.FormatUint(v, 10)
 	}

 	return string(b)
@@ -226,12 +238,38 @@ func (connection *DbConnection) SetServiceName(bucketName string) error {
 }

 // GetObject is a generic function used to retrieve an unmarshalled object from a database.
-func (connection *DbConnection) GetObject(bucketName string, key []byte, object interface{}) error {
+func (connection *DbConnection) GetObject(bucketName string, key []byte, object any) error {
 	return connection.ViewTx(func(tx portainer.Transaction) error {
 		return tx.GetObject(bucketName, key, object)
 	})
 }

+func (connection *DbConnection) GetRawBytes(bucketName string, key []byte) ([]byte, error) {
+	var value []byte
+
+	err := connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		value, err = tx.GetRawBytes(bucketName, key)
+
+		return err
+	})
+
+	return value, err
+}
+
+func (connection *DbConnection) KeyExists(bucketName string, key []byte) (bool, error) {
+	var exists bool
+
+	err := connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		exists, err = tx.KeyExists(bucketName, key)
+
+		return err
+	})
+
+	return exists, err
+}
+
 func (connection *DbConnection) getEncryptionKey() []byte {
 	if !connection.isEncrypted {
 		return nil
@@ -241,7 +279,7 @@ func (connection *DbConnection) getEncryptionKey() []byte {
 }

 // UpdateObject is a generic function used to update an object inside a database.
-func (connection *DbConnection) UpdateObject(bucketName string, key []byte, object interface{}) error {
+func (connection *DbConnection) UpdateObject(bucketName string, key []byte, object any) error {
 	return connection.UpdateTx(func(tx portainer.Transaction) error {
 		return tx.UpdateObject(bucketName, key, object)
 	})
@@ -282,7 +320,7 @@ func (connection *DbConnection) DeleteObject(bucketName string, key []byte) erro

 // DeleteAllObjects delete all objects where matching() returns (id, ok).
 // TODO: think about how to return the error inside (maybe change ok to type err, and use "notfound"?
-func (connection *DbConnection) DeleteAllObjects(bucketName string, obj interface{}, matching func(o interface{}) (id int, ok bool)) error {
+func (connection *DbConnection) DeleteAllObjects(bucketName string, obj any, matching func(o any) (id int, ok bool)) error {
 	return connection.UpdateTx(func(tx portainer.Transaction) error {
 		return tx.DeleteAllObjects(bucketName, obj, matching)
 	})
@@ -301,71 +339,64 @@ func (connection *DbConnection) GetNextIdentifier(bucketName string) int {
 }

 // CreateObject creates a new object in the bucket, using the next bucket sequence id
-func (connection *DbConnection) CreateObject(bucketName string, fn func(uint64) (int, interface{})) error {
+func (connection *DbConnection) CreateObject(bucketName string, fn func(uint64) (int, any)) error {
 	return connection.UpdateTx(func(tx portainer.Transaction) error {
 		return tx.CreateObject(bucketName, fn)
 	})
 }

 // CreateObjectWithId creates a new object in the bucket, using the specified id
-func (connection *DbConnection) CreateObjectWithId(bucketName string, id int, obj interface{}) error {
+func (connection *DbConnection) CreateObjectWithId(bucketName string, id int, obj any) error {
 	return connection.UpdateTx(func(tx portainer.Transaction) error {
 		return tx.CreateObjectWithId(bucketName, id, obj)
 	})
 }

 // CreateObjectWithStringId creates a new object in the bucket, using the specified id
-func (connection *DbConnection) CreateObjectWithStringId(bucketName string, id []byte, obj interface{}) error {
+func (connection *DbConnection) CreateObjectWithStringId(bucketName string, id []byte, obj any) error {
 	return connection.UpdateTx(func(tx portainer.Transaction) error {
 		return tx.CreateObjectWithStringId(bucketName, id, obj)
 	})
 }

-func (connection *DbConnection) GetAll(bucketName string, obj interface{}, append func(o interface{}) (interface{}, error)) error {
+func (connection *DbConnection) GetAll(bucketName string, obj any, appendFn func(o any) (any, error)) error {
 	return connection.ViewTx(func(tx portainer.Transaction) error {
-		return tx.GetAll(bucketName, obj, append)
+		return tx.GetAll(bucketName, obj, appendFn)
 	})
 }

-// TODO: decide which Unmarshal to use, and use one...
-func (connection *DbConnection) GetAllWithJsoniter(bucketName string, obj interface{}, append func(o interface{}) (interface{}, error)) error {
+func (connection *DbConnection) GetAllWithKeyPrefix(bucketName string, keyPrefix []byte, obj any, appendFn func(o any) (any, error)) error {
 	return connection.ViewTx(func(tx portainer.Transaction) error {
-		return tx.GetAllWithJsoniter(bucketName, obj, append)
-	})
-}
-
-func (connection *DbConnection) GetAllWithKeyPrefix(bucketName string, keyPrefix []byte, obj interface{}, append func(o interface{}) (interface{}, error)) error {
-	return connection.ViewTx(func(tx portainer.Transaction) error {
-		return tx.GetAllWithKeyPrefix(bucketName, keyPrefix, obj, append)
+		return tx.GetAllWithKeyPrefix(bucketName, keyPrefix, obj, appendFn)
 	})
 }

 // BackupMetadata will return a copy of the boltdb sequence numbers for all buckets.
-func (connection *DbConnection) BackupMetadata() (map[string]interface{}, error) {
-	buckets := map[string]interface{}{}
+func (connection *DbConnection) BackupMetadata() (map[string]any, error) {
+	buckets := map[string]any{}

 	err := connection.View(func(tx *bolt.Tx) error {
-		err := tx.ForEach(func(name []byte, bucket *bolt.Bucket) error {
+		return tx.ForEach(func(name []byte, bucket *bolt.Bucket) error {
 			bucketName := string(name)
 			seqId := bucket.Sequence()
 			buckets[bucketName] = int(seqId)
+
 			return nil
 		})
-
-		return err
 	})

 	return buckets, err
 }

 // RestoreMetadata will restore the boltdb sequence numbers for all buckets.
-func (connection *DbConnection) RestoreMetadata(s map[string]interface{}) error {
+func (connection *DbConnection) RestoreMetadata(s map[string]any) error {
 	var err error

 	for bucketName, v := range s {
 		id, ok := v.(float64) // JSON ints are unmarshalled to interface as float64. See: https://pkg.go.dev/encoding/json#Decoder.Decode
 		if !ok {
 			log.Error().Str("bucket", bucketName).Msg("failed to restore metadata to bucket, skipped")
+
 			continue
 		}

--- a/api/database/boltdb/db_test.go
+++ b/api/database/boltdb/db_test.go
@@ -87,10 +87,7 @@ func Test_NeedsEncryptionMigration(t *testing.T) {
 	}

 	for _, tc := range cases {
-		tc := tc
-
 		t.Run(tc.name, func(t *testing.T) {
-
 			connection := DbConnection{Path: dir}

 			if tc.dbname == "both" {
--- a/api/database/boltdb/export.go
+++ b/api/database/boltdb/export.go
@@ -8,8 +8,8 @@ import (
 	bolt "go.etcd.io/bbolt"
 )

-func backupMetadata(connection *bolt.DB) (map[string]interface{}, error) {
-	buckets := map[string]interface{}{}
+func backupMetadata(connection *bolt.DB) (map[string]any, error) {
+	buckets := map[string]any{}

 	err := connection.View(func(tx *bolt.Tx) error {
 		err := tx.ForEach(func(name []byte, bucket *bolt.Bucket) error {
@@ -39,7 +39,7 @@ func (c *DbConnection) ExportJSON(databasePath string, metadata bool) ([]byte, e
 	}
 	defer connection.Close()

-	backup := make(map[string]interface{})
+	backup := make(map[string]any)
 	if metadata {
 		meta, err := backupMetadata(connection)
 		if err != nil {
@@ -49,10 +49,10 @@ func (c *DbConnection) ExportJSON(databasePath string, metadata bool) ([]byte, e
 		backup["__metadata"] = meta
 	}

-	err = connection.View(func(tx *bolt.Tx) error {
-		err = tx.ForEach(func(name []byte, bucket *bolt.Bucket) error {
+	if err := connection.View(func(tx *bolt.Tx) error {
+		return tx.ForEach(func(name []byte, bucket *bolt.Bucket) error {
 			bucketName := string(name)
-			var list []interface{}
+			var list []any
 			version := make(map[string]string)
 			cursor := bucket.Cursor()
 			for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
@@ -60,7 +60,7 @@ func (c *DbConnection) ExportJSON(databasePath string, metadata bool) ([]byte, e
 					continue
 				}

-				var obj interface{}
+				var obj any
 				err := c.UnmarshalObject(v, &obj)
 				if err != nil {
 					log.Error().
@@ -84,27 +84,22 @@ func (c *DbConnection) ExportJSON(databasePath string, metadata bool) ([]byte, e
 				return nil
 			}

-			if len(list) > 0 {
-				if bucketName == "ssl" ||
-					bucketName == "settings" ||
-					bucketName == "tunnel_server" {
-					backup[bucketName] = nil
-					if len(list) > 0 {
-						backup[bucketName] = list[0]
-					}
-					return nil
+			if bucketName == "ssl" ||
+				bucketName == "settings" ||
+				bucketName == "tunnel_server" {
+				backup[bucketName] = nil
+				if len(list) > 0 {
+					backup[bucketName] = list[0]
 				}
-				backup[bucketName] = list
+
 				return nil
 			}

+			backup[bucketName] = list
+
 			return nil
 		})
-
-		return err
-	})
-
-	if err != nil {
+	}); err != nil {
 		return []byte("{}"), err
 	}

--- a/api/database/boltdb/json.go
+++ b/api/database/boltdb/json.go
@@ -5,17 +5,16 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/rand"
-	"fmt"
 	"io"

 	"github.com/pkg/errors"
 	"github.com/segmentio/encoding/json"
 )

-var errEncryptedStringTooShort = fmt.Errorf("encrypted string too short")
+var errEncryptedStringTooShort = errors.New("encrypted string too short")

 // MarshalObject encodes an object to binary format
-func (connection *DbConnection) MarshalObject(object interface{}) ([]byte, error) {
+func (connection *DbConnection) MarshalObject(object any) ([]byte, error) {
 	buf := &bytes.Buffer{}

 	// Special case for the VERSION bucket. Here we're not using json
@@ -39,7 +38,7 @@ func (connection *DbConnection) MarshalObject(object interface{}) ([]byte, error
 }

 // UnmarshalObject decodes an object from binary data
-func (connection *DbConnection) UnmarshalObject(data []byte, object interface{}) error {
+func (connection *DbConnection) UnmarshalObject(data []byte, object any) error {
 	var err error
 	if connection.getEncryptionKey() != nil {
 		data, err = decrypt(data, connection.getEncryptionKey())
@@ -47,8 +46,8 @@ func (connection *DbConnection) UnmarshalObject(data []byte, object interface{})
 			return errors.Wrap(err, "Failed decrypting object")
 		}
 	}
-	e := json.Unmarshal(data, object)
-	if e != nil {
+
+	if e := json.Unmarshal(data, object); e != nil {
 		// Special case for the VERSION bucket. Here we're not using json
 		// So we need to return it as a string
 		s, ok := object.(*string)
@@ -58,6 +57,7 @@ func (connection *DbConnection) UnmarshalObject(data []byte, object interface{})

 		*s = string(data)
 	}
+
 	return err
 }

@@ -70,22 +70,20 @@ func encrypt(plaintext []byte, passphrase []byte) (encrypted []byte, err error)
 	if err != nil {
 		return encrypted, err
 	}
+
 	nonce := make([]byte, gcm.NonceSize())
-	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
+	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
 		return encrypted, err
 	}
-	ciphertextByte := gcm.Seal(
-		nonce,
-		nonce,
-		plaintext,
-		nil)
-	return ciphertextByte, nil
+
+	return gcm.Seal(nonce, nonce, plaintext, nil), nil
 }

 func decrypt(encrypted []byte, passphrase []byte) (plaintextByte []byte, err error) {
 	if string(encrypted) == "false" {
 		return []byte("false"), nil
 	}
+
 	block, err := aes.NewCipher(passphrase)
 	if err != nil {
 		return encrypted, errors.Wrap(err, "Error creating cypher block")
@@ -102,11 +100,8 @@ func decrypt(encrypted []byte, passphrase []byte) (plaintextByte []byte, err err
 	}

 	nonce, ciphertextByteClean := encrypted[:nonceSize], encrypted[nonceSize:]
-	plaintextByte, err = gcm.Open(
-		nil,
-		nonce,
-		ciphertextByteClean,
-		nil)
+
+	plaintextByte, err = gcm.Open(nil, nonce, ciphertextByteClean, nil)
 	if err != nil {
 		return encrypted, errors.Wrap(err, "Error decrypting text")
 	}
--- a/api/database/boltdb/json_test.go
+++ b/api/database/boltdb/json_test.go
@@ -25,7 +25,7 @@ func Test_MarshalObjectUnencrypted(t *testing.T) {
 	uuid := uuid.Must(uuid.NewV4())

 	tests := []struct {
-		object   interface{}
+		object   any
 		expected string
 	}{
 		{
@@ -57,7 +57,7 @@ func Test_MarshalObjectUnencrypted(t *testing.T) {
 			expected: uuid.String(),
 		},
 		{
-			object:   map[string]interface{}{"key": "value"},
+			object:   map[string]any{"key": "value"},
 			expected: `{"key":"value"}`,
 		},
 		{
@@ -73,11 +73,11 @@ func Test_MarshalObjectUnencrypted(t *testing.T) {
 			expected: `["1","2","3"]`,
 		},
 		{
-			object:   []map[string]interface{}{{"key1": "value1"}, {"key2": "value2"}},
+			object:   []map[string]any{{"key1": "value1"}, {"key2": "value2"}},
 			expected: `[{"key1":"value1"},{"key2":"value2"}]`,
 		},
 		{
-			object:   []interface{}{1, "2", false, map[string]interface{}{"key1": "value1"}},
+			object:   []any{1, "2", false, map[string]any{"key1": "value1"}},
 			expected: `[1,"2",false,{"key1":"value1"}]`,
 		},
 	}
--- a/api/database/boltdb/tx.go
+++ b/api/database/boltdb/tx.go
@@ -6,6 +6,7 @@ import (

 	dserrors "github.com/portainer/portainer/api/dataservices/errors"

+	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
 	bolt "go.etcd.io/bbolt"
 )
@@ -20,7 +21,7 @@ func (tx *DbTransaction) SetServiceName(bucketName string) error {
 	return err
 }

-func (tx *DbTransaction) GetObject(bucketName string, key []byte, object interface{}) error {
+func (tx *DbTransaction) GetObject(bucketName string, key []byte, object any) error {
 	bucket := tx.tx.Bucket([]byte(bucketName))

 	value := bucket.Get(key)
@@ -31,7 +32,34 @@ func (tx *DbTransaction) GetObject(bucketName string, key []byte, object interfa
 	return tx.conn.UnmarshalObject(value, object)
 }

-func (tx *DbTransaction) UpdateObject(bucketName string, key []byte, object interface{}) error {
+func (tx *DbTransaction) GetRawBytes(bucketName string, key []byte) ([]byte, error) {
+	bucket := tx.tx.Bucket([]byte(bucketName))
+
+	value := bucket.Get(key)
+	if value == nil {
+		return nil, fmt.Errorf("%w (bucket=%s, key=%s)", dserrors.ErrObjectNotFound, bucketName, keyToString(key))
+	}
+
+	if tx.conn.getEncryptionKey() != nil {
+		var err error
+
+		if value, err = decrypt(value, tx.conn.getEncryptionKey()); err != nil {
+			return value, errors.Wrap(err, "Failed decrypting object")
+		}
+	}
+
+	return value, nil
+}
+
+func (tx *DbTransaction) KeyExists(bucketName string, key []byte) (bool, error) {
+	bucket := tx.tx.Bucket([]byte(bucketName))
+
+	value := bucket.Get(key)
+
+	return value != nil, nil
+}
+
+func (tx *DbTransaction) UpdateObject(bucketName string, key []byte, object any) error {
 	data, err := tx.conn.MarshalObject(object)
 	if err != nil {
 		return err
@@ -46,7 +74,7 @@ func (tx *DbTransaction) DeleteObject(bucketName string, key []byte) error {
 	return bucket.Delete(key)
 }

-func (tx *DbTransaction) DeleteAllObjects(bucketName string, obj interface{}, matchingFn func(o interface{}) (id int, ok bool)) error {
+func (tx *DbTransaction) DeleteAllObjects(bucketName string, obj any, matchingFn func(o any) (id int, ok bool)) error {
 	var ids []int

 	bucket := tx.tx.Bucket([]byte(bucketName))
@@ -74,16 +102,18 @@ func (tx *DbTransaction) DeleteAllObjects(bucketName string, obj interface{}, ma

 func (tx *DbTransaction) GetNextIdentifier(bucketName string) int {
 	bucket := tx.tx.Bucket([]byte(bucketName))
+
 	id, err := bucket.NextSequence()
 	if err != nil {
-		log.Error().Err(err).Str("bucket", bucketName).Msg("failed to get the next identifer")
+		log.Error().Err(err).Str("bucket", bucketName).Msg("failed to get the next identifier")
+
 		return 0
 	}

 	return int(id)
 }

-func (tx *DbTransaction) CreateObject(bucketName string, fn func(uint64) (int, interface{})) error {
+func (tx *DbTransaction) CreateObject(bucketName string, fn func(uint64) (int, any)) error {
 	bucket := tx.tx.Bucket([]byte(bucketName))

 	seqId, _ := bucket.NextSequence()
@@ -97,7 +127,7 @@ func (tx *DbTransaction) CreateObject(bucketName string, fn func(uint64) (int, i
 	return bucket.Put(tx.conn.ConvertToKey(id), data)
 }

-func (tx *DbTransaction) CreateObjectWithId(bucketName string, id int, obj interface{}) error {
+func (tx *DbTransaction) CreateObjectWithId(bucketName string, id int, obj any) error {
 	bucket := tx.tx.Bucket([]byte(bucketName))
 	data, err := tx.conn.MarshalObject(obj)
 	if err != nil {
@@ -107,7 +137,7 @@ func (tx *DbTransaction) CreateObjectWithId(bucketName string, id int, obj inter
 	return bucket.Put(tx.conn.ConvertToKey(id), data)
 }

-func (tx *DbTransaction) CreateObjectWithStringId(bucketName string, id []byte, obj interface{}) error {
+func (tx *DbTransaction) CreateObjectWithStringId(bucketName string, id []byte, obj any) error {
 	bucket := tx.tx.Bucket([]byte(bucketName))
 	data, err := tx.conn.MarshalObject(obj)
 	if err != nil {
@@ -117,7 +147,7 @@ func (tx *DbTransaction) CreateObjectWithStringId(bucketName string, id []byte,
 	return bucket.Put(id, data)
 }

-func (tx *DbTransaction) GetAll(bucketName string, obj interface{}, appendFn func(o interface{}) (interface{}, error)) error {
+func (tx *DbTransaction) GetAll(bucketName string, obj any, appendFn func(o any) (any, error)) error {
 	bucket := tx.tx.Bucket([]byte(bucketName))

 	return bucket.ForEach(func(k []byte, v []byte) error {
@@ -130,20 +160,7 @@ func (tx *DbTransaction) GetAll(bucketName string, obj interface{}, appendFn fun
 	})
 }

-func (tx *DbTransaction) GetAllWithJsoniter(bucketName string, obj interface{}, appendFn func(o interface{}) (interface{}, error)) error {
-	bucket := tx.tx.Bucket([]byte(bucketName))
-
-	return bucket.ForEach(func(k []byte, v []byte) error {
-		err := tx.conn.UnmarshalObject(v, obj)
-		if err == nil {
-			obj, err = appendFn(obj)
-		}
-
-		return err
-	})
-}
-
-func (tx *DbTransaction) GetAllWithKeyPrefix(bucketName string, keyPrefix []byte, obj interface{}, appendFn func(o interface{}) (interface{}, error)) error {
+func (tx *DbTransaction) GetAllWithKeyPrefix(bucketName string, keyPrefix []byte, obj any, appendFn func(o any) (any, error)) error {
 	cursor := tx.tx.Bucket([]byte(bucketName)).Cursor()

 	for k, v := cursor.Seek(keyPrefix); k != nil && bytes.HasPrefix(k, keyPrefix); k, v = cursor.Next() {
--- a/api/dataservices/apikeyrepository/apikeyrepository.go
+++ b/api/dataservices/apikeyrepository/apikeyrepository.go
@@ -21,8 +21,7 @@ type Service struct {

 // NewService creates a new instance of a service.
 func NewService(connection portainer.Connection) (*Service, error) {
-	err := connection.SetServiceName(BucketName)
-	if err != nil {
+	if err := connection.SetServiceName(BucketName); err != nil {
 		return nil, err
 	}

@@ -41,7 +40,7 @@ func (service *Service) GetAPIKeysByUserID(userID portainer.UserID) ([]portainer
 	err := service.Connection.GetAll(
 		BucketName,
 		&portainer.APIKey{},
-		func(obj interface{}) (interface{}, error) {
+		func(obj any) (any, error) {
 			record, ok := obj.(*portainer.APIKey)
 			if !ok {
 				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to APIKey object")
@@ -62,11 +61,11 @@ func (service *Service) GetAPIKeysByUserID(userID portainer.UserID) ([]portainer
 // Note: there is a 1-to-1 mapping of api-key and digest
 func (service *Service) GetAPIKeyByDigest(digest string) (*portainer.APIKey, error) {
 	var k *portainer.APIKey
-	stop := fmt.Errorf("ok")
+	stop := errors.New("ok")
 	err := service.Connection.GetAll(
 		BucketName,
 		&portainer.APIKey{},
-		func(obj interface{}) (interface{}, error) {
+		func(obj any) (any, error) {
 			key, ok := obj.(*portainer.APIKey)
 			if !ok {
 				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to APIKey object")
@@ -95,7 +94,7 @@ func (service *Service) GetAPIKeyByDigest(digest string) (*portainer.APIKey, err
 func (service *Service) Create(record *portainer.APIKey) error {
 	return service.Connection.CreateObject(
 		BucketName,
-		func(id uint64) (int, interface{}) {
+		func(id uint64) (int, any) {
 			record.ID = portainer.APIKeyID(id)

 			return int(record.ID), record
--- a/api/dataservices/base.go
+++ b/api/dataservices/base.go
@@ -9,6 +9,7 @@ import (
 type BaseCRUD[T any, I constraints.Integer] interface {
 	Create(element *T) error
 	Read(ID I) (*T, error)
+	Exists(ID I) (bool, error)
 	ReadAll() ([]T, error)
 	Update(ID I, element *T) error
 	Delete(ID I) error
@@ -42,6 +43,19 @@ func (service BaseDataService[T, I]) Read(ID I) (*T, error) {
 	})
 }

+func (service BaseDataService[T, I]) Exists(ID I) (bool, error) {
+	var exists bool
+
+	err := service.Connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		exists, err = service.Tx(tx).Exists(ID)
+
+		return err
+	})
+
+	return exists, err
+}
+
 func (service BaseDataService[T, I]) ReadAll() ([]T, error) {
 	var collection = make([]T, 0)

--- a/api/dataservices/base_tx.go
+++ b/api/dataservices/base_tx.go
@@ -28,10 +28,16 @@ func (service BaseDataServiceTx[T, I]) Read(ID I) (*T, error) {
 	return &element, nil
 }

+func (service BaseDataServiceTx[T, I]) Exists(ID I) (bool, error) {
+	identifier := service.Connection.ConvertToKey(int(ID))
+
+	return service.Tx.KeyExists(service.Bucket, identifier)
+}
+
 func (service BaseDataServiceTx[T, I]) ReadAll() ([]T, error) {
 	var collection = make([]T, 0)

-	return collection, service.Tx.GetAllWithJsoniter(
+	return collection, service.Tx.GetAll(
 		service.Bucket,
 		new(T),
 		AppendFn(&collection),
--- a/api/dataservices/edgegroup/tx.go
+++ b/api/dataservices/edgegroup/tx.go
@@ -19,7 +19,7 @@ func (service ServiceTx) UpdateEdgeGroupFunc(ID portainer.EdgeGroupID, updateFun
 func (service ServiceTx) Create(group *portainer.EdgeGroup) error {
 	return service.Tx.CreateObject(
 		BucketName,
-		func(id uint64) (int, interface{}) {
+		func(id uint64) (int, any) {
 			group.ID = portainer.EdgeGroupID(id)
 			return int(group.ID), group
 		},
--- a/api/dataservices/edgestack/edgestack.go
+++ b/api/dataservices/edgestack/edgestack.go
@@ -15,7 +15,7 @@ type Service struct {
 	connection          portainer.Connection
 	idxVersion          map[portainer.EdgeStackID]int
 	mu                  sync.RWMutex
-	cacheInvalidationFn func(portainer.EdgeStackID)
+	cacheInvalidationFn func(portainer.Transaction, portainer.EdgeStackID)
 }

 func (service *Service) BucketName() string {
@@ -23,7 +23,7 @@ func (service *Service) BucketName() string {
 }

 // NewService creates a new instance of a service.
-func NewService(connection portainer.Connection, cacheInvalidationFn func(portainer.EdgeStackID)) (*Service, error) {
+func NewService(connection portainer.Connection, cacheInvalidationFn func(portainer.Transaction, portainer.EdgeStackID)) (*Service, error) {
 	err := connection.SetServiceName(BucketName)
 	if err != nil {
 		return nil, err
@@ -36,7 +36,7 @@ func NewService(connection portainer.Connection, cacheInvalidationFn func(portai
 	}

 	if s.cacheInvalidationFn == nil {
-		s.cacheInvalidationFn = func(portainer.EdgeStackID) {}
+		s.cacheInvalidationFn = func(portainer.Transaction, portainer.EdgeStackID) {}
 	}

 	es, err := s.EdgeStacks()
@@ -106,7 +106,7 @@ func (service *Service) Create(id portainer.EdgeStackID, edgeStack *portainer.Ed

 	service.mu.Lock()
 	service.idxVersion[id] = edgeStack.Version
-	service.cacheInvalidationFn(id)
+	service.cacheInvalidationFn(service.connection, id)
 	service.mu.Unlock()

 	return nil
@@ -125,7 +125,7 @@ func (service *Service) UpdateEdgeStack(ID portainer.EdgeStackID, edgeStack *por
 	}

 	service.idxVersion[ID] = edgeStack.Version
-	service.cacheInvalidationFn(ID)
+	service.cacheInvalidationFn(service.connection, ID)

 	return nil
 }
@@ -142,7 +142,7 @@ func (service *Service) UpdateEdgeStackFunc(ID portainer.EdgeStackID, updateFunc
 		updateFunc(edgeStack)

 		service.idxVersion[ID] = edgeStack.Version
-		service.cacheInvalidationFn(ID)
+		service.cacheInvalidationFn(service.connection, ID)
 	})
 }

@@ -165,7 +165,7 @@ func (service *Service) DeleteEdgeStack(ID portainer.EdgeStackID) error {

 	delete(service.idxVersion, ID)

-	service.cacheInvalidationFn(ID)
+	service.cacheInvalidationFn(service.connection, ID)

 	return nil
 }
--- a/api/dataservices/edgestack/tx.go
+++ b/api/dataservices/edgestack/tx.go
@@ -24,7 +24,7 @@ func (service ServiceTx) EdgeStacks() ([]portainer.EdgeStack, error) {
 	err := service.tx.GetAll(
 		BucketName,
 		&portainer.EdgeStack{},
-		func(obj interface{}) (interface{}, error) {
+		func(obj any) (any, error) {
 			stack, ok := obj.(*portainer.EdgeStack)
 			if !ok {
 				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to EdgeStack object")
@@ -44,8 +44,7 @@ func (service ServiceTx) EdgeStack(ID portainer.EdgeStackID) (*portainer.EdgeSta
 	var stack portainer.EdgeStack
 	identifier := service.service.connection.ConvertToKey(int(ID))

-	err := service.tx.GetObject(BucketName, identifier, &stack)
-	if err != nil {
+	if err := service.tx.GetObject(BucketName, identifier, &stack); err != nil {
 		return nil, err
 	}

@@ -65,18 +64,17 @@ func (service ServiceTx) EdgeStackVersion(ID portainer.EdgeStackID) (int, bool)
 func (service ServiceTx) Create(id portainer.EdgeStackID, edgeStack *portainer.EdgeStack) error {
 	edgeStack.ID = id

-	err := service.tx.CreateObjectWithId(
+	if err := service.tx.CreateObjectWithId(
 		BucketName,
 		int(edgeStack.ID),
 		edgeStack,
-	)
-	if err != nil {
+	); err != nil {
 		return err
 	}

 	service.service.mu.Lock()
 	service.service.idxVersion[id] = edgeStack.Version
-	service.service.cacheInvalidationFn(id)
+	service.service.cacheInvalidationFn(service.tx, id)
 	service.service.mu.Unlock()

 	return nil
@@ -89,13 +87,12 @@ func (service ServiceTx) UpdateEdgeStack(ID portainer.EdgeStackID, edgeStack *po

 	identifier := service.service.connection.ConvertToKey(int(ID))

-	err := service.tx.UpdateObject(BucketName, identifier, edgeStack)
-	if err != nil {
+	if err := service.tx.UpdateObject(BucketName, identifier, edgeStack); err != nil {
 		return err
 	}

 	service.service.idxVersion[ID] = edgeStack.Version
-	service.service.cacheInvalidationFn(ID)
+	service.service.cacheInvalidationFn(service.tx, ID)

 	return nil
 }
@@ -119,14 +116,13 @@ func (service ServiceTx) DeleteEdgeStack(ID portainer.EdgeStackID) error {

 	identifier := service.service.connection.ConvertToKey(int(ID))

-	err := service.tx.DeleteObject(BucketName, identifier)
-	if err != nil {
+	if err := service.tx.DeleteObject(BucketName, identifier); err != nil {
 		return err
 	}

 	delete(service.service.idxVersion, ID)

-	service.service.cacheInvalidationFn(ID)
+	service.service.cacheInvalidationFn(service.tx, ID)

 	return nil
 }
--- a/api/dataservices/endpoint/endpoint.go
+++ b/api/dataservices/endpoint/endpoint.go
@@ -6,6 +6,8 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+
+	"github.com/rs/zerolog/log"
 )

 // BucketName represents the name of the bucket where this service stores data.
@@ -157,6 +159,7 @@ func (service *Service) EndpointsByTeamID(teamID portainer.TeamID) ([]portainer.
 					return true
 				}
 			}
+
 			return false
 		}),
 	)
@@ -166,11 +169,13 @@ func (service *Service) EndpointsByTeamID(teamID portainer.TeamID) ([]portainer.
 func (service *Service) GetNextIdentifier() int {
 	var identifier int

-	service.connection.UpdateTx(func(tx portainer.Transaction) error {
+	if err := service.connection.UpdateTx(func(tx portainer.Transaction) error {
 		identifier = service.Tx(tx).GetNextIdentifier()

 		return nil
-	})
+	}); err != nil {
+		log.Error().Err(err).Str("bucket", BucketName).Msg("could not get the next identifier")
+	}

 	return identifier
 }
--- a/api/dataservices/endpoint/tx.go
+++ b/api/dataservices/endpoint/tx.go
@@ -20,10 +20,10 @@ func (service ServiceTx) BucketName() string {
 // Endpoint returns an environment(endpoint) by ID.
 func (service ServiceTx) Endpoint(ID portainer.EndpointID) (*portainer.Endpoint, error) {
 	var endpoint portainer.Endpoint
+
 	identifier := service.service.connection.ConvertToKey(int(ID))

-	err := service.tx.GetObject(BucketName, identifier, &endpoint)
-	if err != nil {
+	if err := service.tx.GetObject(BucketName, identifier, &endpoint); err != nil {
 		return nil, err
 	}

@@ -36,8 +36,7 @@ func (service ServiceTx) Endpoint(ID portainer.EndpointID) (*portainer.Endpoint,
 func (service ServiceTx) UpdateEndpoint(ID portainer.EndpointID, endpoint *portainer.Endpoint) error {
 	identifier := service.service.connection.ConvertToKey(int(ID))

-	err := service.tx.UpdateObject(BucketName, identifier, endpoint)
-	if err != nil {
+	if err := service.tx.UpdateObject(BucketName, identifier, endpoint); err != nil {
 		return err
 	}

@@ -45,6 +44,7 @@ func (service ServiceTx) UpdateEndpoint(ID portainer.EndpointID, endpoint *porta
 	if len(endpoint.EdgeID) > 0 {
 		service.service.idxEdgeID[endpoint.EdgeID] = ID
 	}
+
 	service.service.heartbeats.Store(ID, endpoint.LastCheckInDate)
 	service.service.mu.Unlock()

@@ -57,8 +57,7 @@ func (service ServiceTx) UpdateEndpoint(ID portainer.EndpointID, endpoint *porta
 func (service ServiceTx) DeleteEndpoint(ID portainer.EndpointID) error {
 	identifier := service.service.connection.ConvertToKey(int(ID))

-	err := service.tx.DeleteObject(BucketName, identifier)
-	if err != nil {
+	if err := service.tx.DeleteObject(BucketName, identifier); err != nil {
 		return err
 	}

@@ -70,6 +69,7 @@ func (service ServiceTx) DeleteEndpoint(ID portainer.EndpointID) error {
 			break
 		}
 	}
+
 	service.service.heartbeats.Delete(ID)
 	service.service.mu.Unlock()

@@ -82,7 +82,7 @@ func (service ServiceTx) DeleteEndpoint(ID portainer.EndpointID) error {
 func (service ServiceTx) Endpoints() ([]portainer.Endpoint, error) {
 	var endpoints = make([]portainer.Endpoint, 0)

-	return endpoints, service.tx.GetAllWithJsoniter(
+	return endpoints, service.tx.GetAll(
 		BucketName,
 		&portainer.Endpoint{},
 		dataservices.AppendFn(&endpoints),
@@ -107,8 +107,7 @@ func (service ServiceTx) UpdateHeartbeat(endpointID portainer.EndpointID) {

 // CreateEndpoint assign an ID to a new environment(endpoint) and saves it.
 func (service ServiceTx) Create(endpoint *portainer.Endpoint) error {
-	err := service.tx.CreateObjectWithId(BucketName, int(endpoint.ID), endpoint)
-	if err != nil {
+	if err := service.tx.CreateObjectWithId(BucketName, int(endpoint.ID), endpoint); err != nil {
 		return err
 	}

@@ -116,6 +115,7 @@ func (service ServiceTx) Create(endpoint *portainer.Endpoint) error {
 	if len(endpoint.EdgeID) > 0 {
 		service.service.idxEdgeID[endpoint.EdgeID] = endpoint.ID
 	}
+
 	service.service.heartbeats.Store(endpoint.ID, endpoint.LastCheckInDate)
 	service.service.mu.Unlock()

@@ -134,6 +134,7 @@ func (service ServiceTx) EndpointsByTeamID(teamID portainer.TeamID) ([]portainer
 					return true
 				}
 			}
+
 			return false
 		}),
 	)
--- a/api/dataservices/endpointgroup/endpointgroup.go
+++ b/api/dataservices/endpointgroup/endpointgroup.go
@@ -41,7 +41,7 @@ func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
 func (service *Service) Create(endpointGroup *portainer.EndpointGroup) error {
 	return service.Connection.CreateObject(
 		BucketName,
-		func(id uint64) (int, interface{}) {
+		func(id uint64) (int, any) {
 			endpointGroup.ID = portainer.EndpointGroupID(id)
 			return int(endpointGroup.ID), endpointGroup
 		},
--- a/api/dataservices/endpointgroup/tx.go
+++ b/api/dataservices/endpointgroup/tx.go
@@ -13,7 +13,7 @@ type ServiceTx struct {
 func (service ServiceTx) Create(endpointGroup *portainer.EndpointGroup) error {
 	return service.Tx.CreateObject(
 		BucketName,
-		func(id uint64) (int, interface{}) {
+		func(id uint64) (int, any) {
 			endpointGroup.ID = portainer.EndpointGroupID(id)
 			return int(endpointGroup.ID), endpointGroup
 		},
--- a/api/dataservices/endpointrelation/endpointrelation.go
+++ b/api/dataservices/endpointrelation/endpointrelation.go
@@ -1,6 +1,8 @@
 package endpointrelation

 import (
+	"sync"
+
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/internal/edge/cache"
@@ -13,11 +15,15 @@ const BucketName = "endpoint_relations"

 // Service represents a service for managing environment(endpoint) relation data.
 type Service struct {
-	connection      portainer.Connection
-	updateStackFn   func(ID portainer.EdgeStackID, updateFunc func(edgeStack *portainer.EdgeStack)) error
-	updateStackFnTx func(tx portainer.Transaction, ID portainer.EdgeStackID, updateFunc func(edgeStack *portainer.EdgeStack)) error
+	connection             portainer.Connection
+	updateStackFn          func(ID portainer.EdgeStackID, updateFunc func(edgeStack *portainer.EdgeStack)) error
+	updateStackFnTx        func(tx portainer.Transaction, ID portainer.EdgeStackID, updateFunc func(edgeStack *portainer.EdgeStack)) error
+	endpointRelationsCache []portainer.EndpointRelation
+	mu                     sync.Mutex
 }

+var _ dataservices.EndpointRelationService = &Service{}
+
 func (service *Service) BucketName() string {
 	return BucketName
 }
@@ -32,8 +38,7 @@ func (service *Service) RegisterUpdateStackFunction(

 // NewService creates a new instance of a service.
 func NewService(connection portainer.Connection) (*Service, error) {
-	err := connection.SetServiceName(BucketName)
-	if err != nil {
+	if err := connection.SetServiceName(BucketName); err != nil {
 		return nil, err
 	}

@@ -65,8 +70,7 @@ func (service *Service) EndpointRelation(endpointID portainer.EndpointID) (*port
 	var endpointRelation portainer.EndpointRelation
 	identifier := service.connection.ConvertToKey(int(endpointID))

-	err := service.connection.GetObject(BucketName, identifier, &endpointRelation)
-	if err != nil {
+	if err := service.connection.GetObject(BucketName, identifier, &endpointRelation); err != nil {
 		return nil, err
 	}

@@ -78,6 +82,10 @@ func (service *Service) Create(endpointRelation *portainer.EndpointRelation) err
 	err := service.connection.CreateObjectWithId(BucketName, int(endpointRelation.EndpointID), endpointRelation)
 	cache.Del(endpointRelation.EndpointID)

+	service.mu.Lock()
+	service.endpointRelationsCache = nil
+	service.mu.Unlock()
+
 	return err
 }

@@ -94,11 +102,27 @@ func (service *Service) UpdateEndpointRelation(endpointID portainer.EndpointID,

 	updatedRelationState, _ := service.EndpointRelation(endpointID)

+	service.mu.Lock()
+	service.endpointRelationsCache = nil
+	service.mu.Unlock()
+
 	service.updateEdgeStacksAfterRelationChange(previousRelationState, updatedRelationState)

 	return nil
 }

+func (service *Service) AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
+	return service.connection.ViewTx(func(tx portainer.Transaction) error {
+		return service.Tx(tx).AddEndpointRelationsForEdgeStack(endpointIDs, edgeStackID)
+	})
+}
+
+func (service *Service) RemoveEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
+	return service.connection.ViewTx(func(tx portainer.Transaction) error {
+		return service.Tx(tx).RemoveEndpointRelationsForEdgeStack(endpointIDs, edgeStackID)
+	})
+}
+
 // DeleteEndpointRelation deletes an Environment(Endpoint) relation object
 func (service *Service) DeleteEndpointRelation(endpointID portainer.EndpointID) error {
 	deletedRelation, _ := service.EndpointRelation(endpointID)
@@ -110,27 +134,15 @@ func (service *Service) DeleteEndpointRelation(endpointID portainer.EndpointID)
 		return err
 	}

+	service.mu.Lock()
+	service.endpointRelationsCache = nil
+	service.mu.Unlock()
+
 	service.updateEdgeStacksAfterRelationChange(deletedRelation, nil)

 	return nil
 }

-func (service *Service) InvalidateEdgeCacheForEdgeStack(edgeStackID portainer.EdgeStackID) {
-	rels, err := service.EndpointRelations()
-	if err != nil {
-		log.Error().Err(err).Msg("cannot retrieve endpoint relations")
-		return
-	}
-
-	for _, rel := range rels {
-		for id := range rel.EdgeStacks {
-			if edgeStackID == id {
-				cache.Del(rel.EndpointID)
-			}
-		}
-	}
-}
-
 func (service *Service) updateEdgeStacksAfterRelationChange(previousRelationState *portainer.EndpointRelation, updatedRelationState *portainer.EndpointRelation) {
 	relations, _ := service.EndpointRelations()

@@ -161,19 +173,24 @@ func (service *Service) updateEdgeStacksAfterRelationChange(previousRelationStat
 	// list how many time this stack is referenced in all relations
 	// in order to update the stack deployments count
 	for refStackId, refStackEnabled := range stacksToUpdate {
-		if refStackEnabled {
-			numDeployments := 0
-			for _, r := range relations {
-				for sId, enabled := range r.EdgeStacks {
-					if enabled && sId == refStackId {
-						numDeployments += 1
-					}
+		if !refStackEnabled {
+			continue
+		}
+
+		numDeployments := 0
+
+		for _, r := range relations {
+			for sId, enabled := range r.EdgeStacks {
+				if enabled && sId == refStackId {
+					numDeployments += 1
 				}
 			}
+		}

-			service.updateStackFn(refStackId, func(edgeStack *portainer.EdgeStack) {
-				edgeStack.NumDeployments = numDeployments
-			})
+		if err := service.updateStackFn(refStackId, func(edgeStack *portainer.EdgeStack) {
+			edgeStack.NumDeployments = numDeployments
+		}); err != nil {
+			log.Error().Err(err).Msg("could not update the number of deployments")
 		}
 	}
 }
--- a/api/dataservices/endpointrelation/tx.go
+++ b/api/dataservices/endpointrelation/tx.go
@@ -13,6 +13,8 @@ type ServiceTx struct {
 	tx      portainer.Transaction
 }

+var _ dataservices.EndpointRelationService = &ServiceTx{}
+
 func (service ServiceTx) BucketName() string {
 	return BucketName
 }
@@ -33,8 +35,7 @@ func (service ServiceTx) EndpointRelation(endpointID portainer.EndpointID) (*por
 	var endpointRelation portainer.EndpointRelation
 	identifier := service.service.connection.ConvertToKey(int(endpointID))

-	err := service.tx.GetObject(BucketName, identifier, &endpointRelation)
-	if err != nil {
+	if err := service.tx.GetObject(BucketName, identifier, &endpointRelation); err != nil {
 		return nil, err
 	}

@@ -46,6 +47,10 @@ func (service ServiceTx) Create(endpointRelation *portainer.EndpointRelation) er
 	err := service.tx.CreateObjectWithId(BucketName, int(endpointRelation.EndpointID), endpointRelation)
 	cache.Del(endpointRelation.EndpointID)

+	service.service.mu.Lock()
+	service.service.endpointRelationsCache = nil
+	service.service.mu.Unlock()
+
 	return err
 }

@@ -62,11 +67,75 @@ func (service ServiceTx) UpdateEndpointRelation(endpointID portainer.EndpointID,

 	updatedRelationState, _ := service.EndpointRelation(endpointID)

+	service.service.mu.Lock()
+	service.service.endpointRelationsCache = nil
+	service.service.mu.Unlock()
+
 	service.updateEdgeStacksAfterRelationChange(previousRelationState, updatedRelationState)

 	return nil
 }

+func (service ServiceTx) AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
+	for _, endpointID := range endpointIDs {
+		rel, err := service.EndpointRelation(endpointID)
+		if err != nil {
+			return err
+		}
+
+		rel.EdgeStacks[edgeStackID] = true
+
+		identifier := service.service.connection.ConvertToKey(int(endpointID))
+		err = service.tx.UpdateObject(BucketName, identifier, rel)
+		cache.Del(endpointID)
+		if err != nil {
+			return err
+		}
+	}
+
+	service.service.mu.Lock()
+	service.service.endpointRelationsCache = nil
+	service.service.mu.Unlock()
+
+	if err := service.service.updateStackFnTx(service.tx, edgeStackID, func(edgeStack *portainer.EdgeStack) {
+		edgeStack.NumDeployments += len(endpointIDs)
+	}); err != nil {
+		log.Error().Err(err).Msg("could not update the number of deployments")
+	}
+
+	return nil
+}
+
+func (service ServiceTx) RemoveEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
+	for _, endpointID := range endpointIDs {
+		rel, err := service.EndpointRelation(endpointID)
+		if err != nil {
+			return err
+		}
+
+		delete(rel.EdgeStacks, edgeStackID)
+
+		identifier := service.service.connection.ConvertToKey(int(endpointID))
+		err = service.tx.UpdateObject(BucketName, identifier, rel)
+		cache.Del(endpointID)
+		if err != nil {
+			return err
+		}
+	}
+
+	service.service.mu.Lock()
+	service.service.endpointRelationsCache = nil
+	service.service.mu.Unlock()
+
+	if err := service.service.updateStackFnTx(service.tx, edgeStackID, func(edgeStack *portainer.EdgeStack) {
+		edgeStack.NumDeployments -= len(endpointIDs)
+	}); err != nil {
+		log.Error().Err(err).Msg("could not update the number of deployments")
+	}
+
+	return nil
+}
+
 // DeleteEndpointRelation deletes an Environment(Endpoint) relation object
 func (service ServiceTx) DeleteEndpointRelation(endpointID portainer.EndpointID) error {
 	deletedRelation, _ := service.EndpointRelation(endpointID)
@@ -78,27 +147,44 @@ func (service ServiceTx) DeleteEndpointRelation(endpointID portainer.EndpointID)
 		return err
 	}

+	service.service.mu.Lock()
+	service.service.endpointRelationsCache = nil
+	service.service.mu.Unlock()
+
 	service.updateEdgeStacksAfterRelationChange(deletedRelation, nil)

 	return nil
 }

 func (service ServiceTx) InvalidateEdgeCacheForEdgeStack(edgeStackID portainer.EdgeStackID) {
-	rels, err := service.EndpointRelations()
+	rels, err := service.cachedEndpointRelations()
 	if err != nil {
 		log.Error().Err(err).Msg("cannot retrieve endpoint relations")
 		return
 	}

 	for _, rel := range rels {
-		for id := range rel.EdgeStacks {
-			if edgeStackID == id {
-				cache.Del(rel.EndpointID)
-			}
+		if _, ok := rel.EdgeStacks[edgeStackID]; ok {
+			cache.Del(rel.EndpointID)
 		}
 	}
 }

+func (service ServiceTx) cachedEndpointRelations() ([]portainer.EndpointRelation, error) {
+	service.service.mu.Lock()
+	defer service.service.mu.Unlock()
+
+	if service.service.endpointRelationsCache == nil {
+		var err error
+		service.service.endpointRelationsCache, err = service.EndpointRelations()
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return service.service.endpointRelationsCache, nil
+}
+
 func (service ServiceTx) updateEdgeStacksAfterRelationChange(previousRelationState *portainer.EndpointRelation, updatedRelationState *portainer.EndpointRelation) {
 	relations, _ := service.EndpointRelations()

@@ -129,19 +215,24 @@ func (service ServiceTx) updateEdgeStacksAfterRelationChange(previousRelationSta
 	// list how many time this stack is referenced in all relations
 	// in order to update the stack deployments count
 	for refStackId, refStackEnabled := range stacksToUpdate {
-		if refStackEnabled {
-			numDeployments := 0
-			for _, r := range relations {
-				for sId, enabled := range r.EdgeStacks {
-					if enabled && sId == refStackId {
-						numDeployments += 1
-					}
+		if !refStackEnabled {
+			continue
+		}
+
+		numDeployments := 0
+
+		for _, r := range relations {
+			for sId, enabled := range r.EdgeStacks {
+				if enabled && sId == refStackId {
+					numDeployments += 1
 				}
 			}
+		}

-			service.service.updateStackFnTx(service.tx, refStackId, func(edgeStack *portainer.EdgeStack) {
-				edgeStack.NumDeployments = numDeployments
-			})
+		if err := service.service.updateStackFnTx(service.tx, refStackId, func(edgeStack *portainer.EdgeStack) {
+			edgeStack.NumDeployments = numDeployments
+		}); err != nil {
+			log.Error().Err(err).Msg("could not update the number of deployments")
 		}
 	}
 }
--- a/api/dataservices/fdoprofile/fdoprofile.go
+++ b/api/dataservices/fdoprofile/fdoprofile.go
@@ -1,43 +0,0 @@
-package fdoprofile
-
-import (
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/dataservices"
-)
-
-// BucketName represents the name of the bucket where this service stores data.
-const BucketName = "fdo_profiles"
-
-// Service represents a service for managingFDO Profiles data.
-type Service struct {
-	dataservices.BaseDataService[portainer.FDOProfile, portainer.FDOProfileID]
-}
-
-// NewService creates a new instance of a service.
-func NewService(connection portainer.Connection) (*Service, error) {
-	err := connection.SetServiceName(BucketName)
-	if err != nil {
-		return nil, err
-	}
-
-	return &Service{
-		BaseDataService: dataservices.BaseDataService[portainer.FDOProfile, portainer.FDOProfileID]{
-			Bucket:     BucketName,
-			Connection: connection,
-		},
-	}, nil
-}
-
-// Create assign an ID to a new FDO Profile and saves it.
-func (service *Service) Create(FDOProfile *portainer.FDOProfile) error {
-	return service.Connection.CreateObjectWithId(
-		BucketName,
-		int(FDOProfile.ID),
-		FDOProfile,
-	)
-}
-
-// GetNextIdentifier returns the next identifier for a FDO Profile.
-func (service *Service) GetNextIdentifier() int {
-	return service.Connection.GetNextIdentifier(BucketName)
-}
--- a/api/dataservices/helmuserrepository/helmuserrepository.go
+++ b/api/dataservices/helmuserrepository/helmuserrepository.go
@@ -45,7 +45,7 @@ func (service *Service) HelmUserRepositoryByUserID(userID portainer.UserID) ([]p
 func (service *Service) Create(record *portainer.HelmUserRepository) error {
 	return service.Connection.CreateObject(
 		BucketName,
-		func(id uint64) (int, interface{}) {
+		func(id uint64) (int, any) {
 			record.ID = portainer.HelmUserRepositoryID(id)
 			return int(record.ID), record
 		},
--- a/api/dataservices/helpers.go
+++ b/api/dataservices/helpers.go
@@ -17,8 +17,8 @@ func IsErrObjectNotFound(e error) bool {
 }

 // AppendFn appends elements to the given collection slice
-func AppendFn[T any](collection *[]T) func(obj interface{}) (interface{}, error) {
-	return func(obj interface{}) (interface{}, error) {
+func AppendFn[T any](collection *[]T) func(obj any) (any, error) {
+	return func(obj any) (any, error) {
 		element, ok := obj.(*T)
 		if !ok {
 			log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("type assertion failed")
@@ -32,8 +32,8 @@ func AppendFn[T any](collection *[]T) func(obj interface{}) (interface{}, error)
 }

 // FilterFn appends elements to the given collection when the predicate is true
-func FilterFn[T any](collection *[]T, predicate func(T) bool) func(obj interface{}) (interface{}, error) {
-	return func(obj interface{}) (interface{}, error) {
+func FilterFn[T any](collection *[]T, predicate func(T) bool) func(obj any) (any, error) {
+	return func(obj any) (any, error) {
 		element, ok := obj.(*T)
 		if !ok {
 			log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("type assertion failed")
@@ -50,8 +50,8 @@ func FilterFn[T any](collection *[]T, predicate func(T) bool) func(obj interface

 // FirstFn sets the element to the first one that satisfies the predicate and stops the computation, returns ErrStop on
 // success
-func FirstFn[T any](element *T, predicate func(T) bool) func(obj interface{}) (interface{}, error) {
-	return func(obj interface{}) (interface{}, error) {
+func FirstFn[T any](element *T, predicate func(T) bool) func(obj any) (any, error) {
+	return func(obj any) (any, error) {
 		e, ok := obj.(*T)
 		if !ok {
 			log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("type assertion failed")
--- a/api/dataservices/interface.go
+++ b/api/dataservices/interface.go
@@ -15,7 +15,6 @@ type (
 		Endpoint() EndpointService
 		EndpointGroup() EndpointGroupService
 		EndpointRelation() EndpointRelationService
-		FDOProfile() FDOProfileService
 		HelmUserRepository() HelmUserRepositoryService
 		Registry() RegistryService
 		ResourceControl() ResourceControlService
@@ -116,16 +115,12 @@ type (
 		EndpointRelation(EndpointID portainer.EndpointID) (*portainer.EndpointRelation, error)
 		Create(endpointRelation *portainer.EndpointRelation) error
 		UpdateEndpointRelation(EndpointID portainer.EndpointID, endpointRelation *portainer.EndpointRelation) error
+		AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error
+		RemoveEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error
 		DeleteEndpointRelation(EndpointID portainer.EndpointID) error
 		BucketName() string
 	}

-	// FDOProfileService represents a service to manage FDO Profiles
-	FDOProfileService interface {
-		BaseCRUD[portainer.FDOProfile, portainer.FDOProfileID]
-		GetNextIdentifier() int
-	}
-
 	// HelmUserRepositoryService represents a service to manage HelmUserRepositories
 	HelmUserRepositoryService interface {
 		BaseCRUD[portainer.HelmUserRepository, portainer.HelmUserRepositoryID]
@@ -164,6 +159,7 @@ type (

 	SnapshotService interface {
 		BaseCRUD[portainer.Snapshot, portainer.EndpointID]
+		ReadWithoutSnapshotRaw(ID portainer.EndpointID) (*portainer.Snapshot, error)
 	}

 	// SSLSettingsService represents a service for managing application settings
--- a/api/dataservices/pendingactions/pendingactions.go
+++ b/api/dataservices/pendingactions/pendingactions.go
@@ -64,7 +64,7 @@ func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
 }

 func (s ServiceTx) Create(config *portainer.PendingAction) error {
-	return s.Tx.CreateObject(BucketName, func(id uint64) (int, interface{}) {
+	return s.Tx.CreateObject(BucketName, func(id uint64) (int, any) {
 		config.ID = portainer.PendingActionID(id)
 		config.CreatedAt = time.Now().Unix()

--- a/api/dataservices/registry/registry.go
+++ b/api/dataservices/registry/registry.go
@@ -42,7 +42,7 @@ func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
 func (service *Service) Create(registry *portainer.Registry) error {
 	return service.Connection.CreateObject(
 		BucketName,
-		func(id uint64) (int, interface{}) {
+		func(id uint64) (int, any) {
 			registry.ID = portainer.RegistryID(id)
 			return int(registry.ID), registry
 		},
--- a/api/dataservices/registry/tx.go
+++ b/api/dataservices/registry/tx.go
@@ -13,7 +13,7 @@ type ServiceTx struct {
 func (service ServiceTx) Create(registry *portainer.Registry) error {
 	return service.Tx.CreateObject(
 		BucketName,
-		func(id uint64) (int, interface{}) {
+		func(id uint64) (int, any) {
 			registry.ID = portainer.RegistryID(id)
 			return int(registry.ID), registry
 		},
--- a/api/dataservices/resourcecontrol/resourcecontrol.go
+++ b/api/dataservices/resourcecontrol/resourcecontrol.go
@@ -48,11 +48,11 @@ func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
 // if no ResourceControl was found.
 func (service *Service) ResourceControlByResourceIDAndType(resourceID string, resourceType portainer.ResourceControlType) (*portainer.ResourceControl, error) {
 	var resourceControl *portainer.ResourceControl
-	stop := fmt.Errorf("ok")
+	stop := errors.New("ok")
 	err := service.Connection.GetAll(
 		BucketName,
 		&portainer.ResourceControl{},
-		func(obj interface{}) (interface{}, error) {
+		func(obj any) (any, error) {
 			rc, ok := obj.(*portainer.ResourceControl)
 			if !ok {
 				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to ResourceControl object")
@@ -84,7 +84,7 @@ func (service *Service) ResourceControlByResourceIDAndType(resourceID string, re
 func (service *Service) Create(resourceControl *portainer.ResourceControl) error {
 	return service.Connection.CreateObject(
 		BucketName,
-		func(id uint64) (int, interface{}) {
+		func(id uint64) (int, any) {
 			resourceControl.ID = portainer.ResourceControlID(id)
 			return int(resourceControl.ID), resourceControl
 		},
--- a/api/dataservices/resourcecontrol/tx.go
+++ b/api/dataservices/resourcecontrol/tx.go
@@ -19,11 +19,11 @@ type ServiceTx struct {
 // if no ResourceControl was found.
 func (service ServiceTx) ResourceControlByResourceIDAndType(resourceID string, resourceType portainer.ResourceControlType) (*portainer.ResourceControl, error) {
 	var resourceControl *portainer.ResourceControl
-	stop := fmt.Errorf("ok")
+	stop := errors.New("ok")
 	err := service.Tx.GetAll(
 		BucketName,
 		&portainer.ResourceControl{},
-		func(obj interface{}) (interface{}, error) {
+		func(obj any) (any, error) {
 			rc, ok := obj.(*portainer.ResourceControl)
 			if !ok {
 				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to ResourceControl object")
@@ -55,7 +55,7 @@ func (service ServiceTx) ResourceControlByResourceIDAndType(resourceID string, r
 func (service ServiceTx) Create(resourceControl *portainer.ResourceControl) error {
 	return service.Tx.CreateObject(
 		BucketName,
-		func(id uint64) (int, interface{}) {
+		func(id uint64) (int, any) {
 			resourceControl.ID = portainer.ResourceControlID(id)
 			return int(resourceControl.ID), resourceControl
 		},
--- a/api/dataservices/role/role.go
+++ b/api/dataservices/role/role.go
@@ -42,7 +42,7 @@ func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
 func (service *Service) Create(role *portainer.Role) error {
 	return service.Connection.CreateObject(
 		BucketName,
-		func(id uint64) (int, interface{}) {
+		func(id uint64) (int, any) {
 			role.ID = portainer.RoleID(id)
 			return int(role.ID), role
 		},
--- a/api/dataservices/role/tx.go
+++ b/api/dataservices/role/tx.go
@@ -13,7 +13,7 @@ type ServiceTx struct {
 func (service ServiceTx) Create(role *portainer.Role) error {
 	return service.Tx.CreateObject(
 		BucketName,
-		func(id uint64) (int, interface{}) {
+		func(id uint64) (int, any) {
 			role.ID = portainer.RoleID(id)
 			return int(role.ID), role
 		},
--- a/api/dataservices/snapshot/snapshot.go
+++ b/api/dataservices/snapshot/snapshot.go
@@ -38,3 +38,16 @@ func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
 func (service *Service) Create(snapshot *portainer.Snapshot) error {
 	return service.Connection.CreateObjectWithId(BucketName, int(snapshot.EndpointID), snapshot)
 }
+
+func (service *Service) ReadWithoutSnapshotRaw(ID portainer.EndpointID) (*portainer.Snapshot, error) {
+	var snapshot *portainer.Snapshot
+
+	err := service.Connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		snapshot, err = service.Tx(tx).ReadWithoutSnapshotRaw(ID)
+
+		return err
+	})
+
+	return snapshot, err
+}
--- a/api/dataservices/snapshot/tx.go
+++ b/api/dataservices/snapshot/tx.go
@@ -12,3 +12,26 @@ type ServiceTx struct {
 func (service ServiceTx) Create(snapshot *portainer.Snapshot) error {
 	return service.Tx.CreateObjectWithId(BucketName, int(snapshot.EndpointID), snapshot)
 }
+
+func (service ServiceTx) ReadWithoutSnapshotRaw(ID portainer.EndpointID) (*portainer.Snapshot, error) {
+	var snapshot struct {
+		Docker *struct {
+			X struct{} `json:"DockerSnapshotRaw"`
+			*portainer.DockerSnapshot
+		} `json:"Docker"`
+
+		portainer.Snapshot
+	}
+
+	identifier := service.Connection.ConvertToKey(int(ID))
+
+	if err := service.Tx.GetObject(service.Bucket, identifier, &snapshot); err != nil {
+		return nil, err
+	}
+
+	if snapshot.Docker != nil {
+		snapshot.Snapshot.Docker = snapshot.Docker.DockerSnapshot
+	}
+
+	return &snapshot.Snapshot, nil
+}
--- a/api/dataservices/stack/tests/stack_test.go
+++ b/api/dataservices/stack/tests/stack_test.go
@@ -33,7 +33,7 @@ func TestService_StackByWebhookID(t *testing.T) {

 	b := stackBuilder{t: t, store: store}
 	b.createNewStack(newGuidString(t))
-	for i := 0; i < 10; i++ {
+	for range 10 {
 		b.createNewStack("")
 	}
 	webhookID := newGuidString(t)
--- a/api/dataservices/tag/tag.go
+++ b/api/dataservices/tag/tag.go
@@ -42,7 +42,7 @@ func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
 func (service *Service) Create(tag *portainer.Tag) error {
 	return service.Connection.CreateObject(
 		BucketName,
-		func(id uint64) (int, interface{}) {
+		func(id uint64) (int, any) {
 			tag.ID = portainer.TagID(id)
 			return int(tag.ID), tag
 		},
--- a/api/dataservices/tag/tx.go
+++ b/api/dataservices/tag/tx.go
@@ -15,7 +15,7 @@ type ServiceTx struct {
 func (service ServiceTx) Create(tag *portainer.Tag) error {
 	return service.Tx.CreateObject(
 		BucketName,
-		func(id uint64) (int, interface{}) {
+		func(id uint64) (int, any) {
 			tag.ID = portainer.TagID(id)
 			return int(tag.ID), tag
 		},
--- a/api/dataservices/team/team.go
+++ b/api/dataservices/team/team.go
@@ -19,8 +19,7 @@ type Service struct {

 // NewService creates a new instance of a service.
 func NewService(connection portainer.Connection) (*Service, error) {
-	err := connection.SetServiceName(BucketName)
-	if err != nil {
+	if err := connection.SetServiceName(BucketName); err != nil {
 		return nil, err
 	}

@@ -32,6 +31,16 @@ func NewService(connection portainer.Connection) (*Service, error) {
 	}, nil
 }

+func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
+	return ServiceTx{
+		BaseDataServiceTx: dataservices.BaseDataServiceTx[portainer.Team, portainer.TeamID]{
+			Bucket:     BucketName,
+			Connection: service.Connection,
+			Tx:         tx,
+		},
+	}
+}
+
 // TeamByName returns a team by name.
 func (service *Service) TeamByName(name string) (*portainer.Team, error) {
 	var t portainer.Team
@@ -59,7 +68,7 @@ func (service *Service) TeamByName(name string) (*portainer.Team, error) {
 func (service *Service) Create(team *portainer.Team) error {
 	return service.Connection.CreateObject(
 		BucketName,
-		func(id uint64) (int, interface{}) {
+		func(id uint64) (int, any) {
 			team.ID = portainer.TeamID(id)
 			return int(team.ID), team
 		},
--- a/api/dataservices/team/tx.go
+++ b/api/dataservices/team/tx.go
@@ -0,0 +1,48 @@
+package team
+
+import (
+	"errors"
+	"strings"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+	dserrors "github.com/portainer/portainer/api/dataservices/errors"
+)
+
+type ServiceTx struct {
+	dataservices.BaseDataServiceTx[portainer.Team, portainer.TeamID]
+}
+
+// TeamByName returns a team by name.
+func (service ServiceTx) TeamByName(name string) (*portainer.Team, error) {
+	var t portainer.Team
+
+	err := service.Tx.GetAll(
+		BucketName,
+		&portainer.Team{},
+		dataservices.FirstFn(&t, func(e portainer.Team) bool {
+			return strings.EqualFold(e.Name, name)
+		}),
+	)
+
+	if errors.Is(err, dataservices.ErrStop) {
+		return &t, nil
+	}
+
+	if err == nil {
+		return nil, dserrors.ErrObjectNotFound
+	}
+
+	return nil, err
+}
+
+// CreateTeam creates a new Team.
+func (service ServiceTx) Create(team *portainer.Team) error {
+	return service.Tx.CreateObject(
+		BucketName,
+		func(id uint64) (int, any) {
+			team.ID = portainer.TeamID(id)
+			return int(team.ID), team
+		},
+	)
+}
--- a/api/dataservices/teammembership/teammembership.go
+++ b/api/dataservices/teammembership/teammembership.go
@@ -72,7 +72,7 @@ func (service *Service) TeamMembershipsByTeamID(teamID portainer.TeamID) ([]port
 func (service *Service) Create(membership *portainer.TeamMembership) error {
 	return service.Connection.CreateObject(
 		BucketName,
-		func(id uint64) (int, interface{}) {
+		func(id uint64) (int, any) {
 			membership.ID = portainer.TeamMembershipID(id)
 			return int(membership.ID), membership
 		},
@@ -84,8 +84,8 @@ func (service *Service) DeleteTeamMembershipByUserID(userID portainer.UserID) er
 	return service.Connection.DeleteAllObjects(
 		BucketName,
 		&portainer.TeamMembership{},
-		func(obj interface{}) (id int, ok bool) {
-			membership, ok := obj.(portainer.TeamMembership)
+		func(obj any) (id int, ok bool) {
+			membership, ok := obj.(*portainer.TeamMembership)
 			if !ok {
 				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to TeamMembership object")
 				//return fmt.Errorf("Failed to convert to TeamMembership object: %s", obj)
@@ -105,8 +105,8 @@ func (service *Service) DeleteTeamMembershipByTeamID(teamID portainer.TeamID) er
 	return service.Connection.DeleteAllObjects(
 		BucketName,
 		&portainer.TeamMembership{},
-		func(obj interface{}) (id int, ok bool) {
-			membership, ok := obj.(portainer.TeamMembership)
+		func(obj any) (id int, ok bool) {
+			membership, ok := obj.(*portainer.TeamMembership)
 			if !ok {
 				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to TeamMembership object")
 				//return fmt.Errorf("Failed to convert to TeamMembership object: %s", obj)
@@ -125,8 +125,8 @@ func (service *Service) DeleteTeamMembershipByTeamIDAndUserID(teamID portainer.T
 	return service.Connection.DeleteAllObjects(
 		BucketName,
 		&portainer.TeamMembership{},
-		func(obj interface{}) (id int, ok bool) {
-			membership, ok := obj.(portainer.TeamMembership)
+		func(obj any) (id int, ok bool) {
+			membership, ok := obj.(*portainer.TeamMembership)
 			if !ok {
 				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to TeamMembership object")
 				//return fmt.Errorf("Failed to convert to TeamMembership object: %s", obj)
--- a/api/dataservices/teammembership/tx.go
+++ b/api/dataservices/teammembership/tx.go
@@ -43,7 +43,7 @@ func (service ServiceTx) TeamMembershipsByTeamID(teamID portainer.TeamID) ([]por
 func (service ServiceTx) Create(membership *portainer.TeamMembership) error {
 	return service.Tx.CreateObject(
 		BucketName,
-		func(id uint64) (int, interface{}) {
+		func(id uint64) (int, any) {
 			membership.ID = portainer.TeamMembershipID(id)
 			return int(membership.ID), membership
 		},
@@ -55,7 +55,7 @@ func (service ServiceTx) DeleteTeamMembershipByUserID(userID portainer.UserID) e
 	return service.Tx.DeleteAllObjects(
 		BucketName,
 		&portainer.TeamMembership{},
-		func(obj interface{}) (id int, ok bool) {
+		func(obj any) (id int, ok bool) {
 			membership, ok := obj.(portainer.TeamMembership)
 			if !ok {
 				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to TeamMembership object")
@@ -76,7 +76,7 @@ func (service ServiceTx) DeleteTeamMembershipByTeamID(teamID portainer.TeamID) e
 	return service.Tx.DeleteAllObjects(
 		BucketName,
 		&portainer.TeamMembership{},
-		func(obj interface{}) (id int, ok bool) {
+		func(obj any) (id int, ok bool) {
 			membership, ok := obj.(portainer.TeamMembership)
 			if !ok {
 				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to TeamMembership object")
@@ -96,7 +96,7 @@ func (service ServiceTx) DeleteTeamMembershipByTeamIDAndUserID(teamID portainer.
 	return service.Tx.DeleteAllObjects(
 		BucketName,
 		&portainer.TeamMembership{},
-		func(obj interface{}) (id int, ok bool) {
+		func(obj any) (id int, ok bool) {
 			membership, ok := obj.(portainer.TeamMembership)
 			if !ok {
 				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to TeamMembership object")
--- a/api/dataservices/user/tx.go
+++ b/api/dataservices/user/tx.go
@@ -53,7 +53,7 @@ func (service ServiceTx) UsersByRole(role portainer.UserRole) ([]portainer.User,
 func (service ServiceTx) Create(user *portainer.User) error {
 	return service.Tx.CreateObject(
 		BucketName,
-		func(id uint64) (int, interface{}) {
+		func(id uint64) (int, any) {
 			user.ID = portainer.UserID(id)
 			user.Username = strings.ToLower(user.Username)

--- a/api/dataservices/user/user.go
+++ b/api/dataservices/user/user.go
@@ -82,7 +82,7 @@ func (service *Service) UsersByRole(role portainer.UserRole) ([]portainer.User,
 func (service *Service) Create(user *portainer.User) error {
 	return service.Connection.CreateObject(
 		BucketName,
-		func(id uint64) (int, interface{}) {
+		func(id uint64) (int, any) {
 			user.ID = portainer.UserID(id)
 			user.Username = strings.ToLower(user.Username)

--- a/api/dataservices/webhook/webhook.go
+++ b/api/dataservices/webhook/webhook.go
@@ -81,7 +81,7 @@ func (service *Service) WebhookByToken(token string) (*portainer.Webhook, error)
 func (service *Service) Create(webhook *portainer.Webhook) error {
 	return service.Connection.CreateObject(
 		BucketName,
-		func(id uint64) (int, interface{}) {
+		func(id uint64) (int, any) {
 			webhook.ID = portainer.WebhookID(id)
 			return int(webhook.ID), webhook
 		},
--- a/api/datastore/backup_test.go
+++ b/api/datastore/backup_test.go
@@ -1,7 +1,6 @@
 package datastore

 import (
-	"fmt"
 	"testing"

 	portainer "github.com/portainer/portainer/api"
@@ -33,7 +32,7 @@ func TestStoreCreation(t *testing.T) {
 func TestBackup(t *testing.T) {
 	_, store := MustNewTestStore(t, true, true)
 	backupFileName := store.backupFilename()
-	t.Run(fmt.Sprintf("Backup should create %s", backupFileName), func(t *testing.T) {
+	t.Run("Backup should create "+backupFileName, func(t *testing.T) {
 		v := models.Version{
 			Edition:       int(portainer.PortainerCE),
 			SchemaVersion: portainer.APIVersion,
--- a/api/datastore/datastore.go
+++ b/api/datastore/datastore.go
@@ -16,8 +16,9 @@ import (
 )

 // NewStore initializes a new Store and the associated services
-func NewStore(storePath string, fileService portainer.FileService, connection portainer.Connection) *Store {
+func NewStore(cliFlags *portainer.CLIFlags, fileService portainer.FileService, connection portainer.Connection) *Store {
 	return &Store{
+		flags:       cliFlags,
 		fileService: fileService,
 		connection:  connection,
 	}
--- a/api/datastore/init.go
+++ b/api/datastore/init.go
@@ -57,7 +57,7 @@ func (store *Store) checkOrCreateDefaultSettings() error {
 			HelmRepositoryURL:        portainer.DefaultHelmRepositoryURL,
 			UserSessionTimeout:       portainer.DefaultUserSessionTimeout,
 			KubeconfigExpiry:         portainer.DefaultKubeconfigExpiry,
-			KubectlShellImage:        portainer.DefaultKubectlShellImage,
+			KubectlShellImage:        *store.flags.KubectlShellImage,

 			IsDockerDesktopExtension: isDDExtention,
 		}
--- a/api/datastore/migrate_data.go
+++ b/api/datastore/migrate_data.go
@@ -32,7 +32,7 @@ func (store *Store) MigrateData() error {
 		return errors.Wrap(err, "while migrating legacy version")
 	}

-	migratorParams := store.newMigratorParameters(version)
+	migratorParams := store.newMigratorParameters(version, store.flags)
 	migrator := migrator.NewMigrator(migratorParams)

 	if !migrator.NeedsMigration() {
@@ -62,8 +62,9 @@ func (store *Store) MigrateData() error {
 	return nil
 }

-func (store *Store) newMigratorParameters(version *models.Version) *migrator.MigratorParameters {
+func (store *Store) newMigratorParameters(version *models.Version, flags *portainer.CLIFlags) *migrator.MigratorParameters {
 	return &migrator.MigratorParameters{
+		Flags:                   flags,
 		CurrentDBVersion:        version,
 		EndpointGroupService:    store.EndpointGroupService,
 		EndpointService:         store.EndpointService,
--- a/api/datastore/migrate_data_test.go
+++ b/api/datastore/migrate_data_test.go
@@ -109,7 +109,7 @@ func TestMigrateData(t *testing.T) {
 			t.FailNow()
 		}

-		migratorParams := store.newMigratorParameters(v)
+		migratorParams := store.newMigratorParameters(v, store.flags)
 		m := migrator.NewMigrator(migratorParams)
 		latestMigrations := m.LatestMigrations()

@@ -321,7 +321,7 @@ func migrateDBTestHelper(t *testing.T, srcPath, wantPath string, overrideInstanc
 // importJSON reads input JSON and commits it to a portainer datastore.Store.
 // Errors are logged with the testing package.
 func importJSON(t *testing.T, r io.Reader, store *Store) error {
-	objects := make(map[string]interface{})
+	objects := make(map[string]any)

 	// Parse json into map of objects.
 	d := json.NewDecoder(r)
@@ -337,9 +337,9 @@ func importJSON(t *testing.T, r io.Reader, store *Store) error {
 	for k, v := range objects {
 		switch k {
 		case "version":
-			versions, ok := v.(map[string]interface{})
+			versions, ok := v.(map[string]any)
 			if !ok {
-				t.Logf("failed casting %s to map[string]interface{}", k)
+				t.Logf("failed casting %s to map[string]any", k)
 			}

 			// New format db
@@ -404,9 +404,9 @@ func importJSON(t *testing.T, r io.Reader, store *Store) error {
 			}

 		case "dockerhub":
-			obj, ok := v.([]interface{})
+			obj, ok := v.([]any)
 			if !ok {
-				t.Logf("failed to cast %s to []interface{}", k)
+				t.Logf("failed to cast %s to []any", k)
 			}
 			err := con.CreateObjectWithStringId(
 				k,
@@ -418,9 +418,9 @@ func importJSON(t *testing.T, r io.Reader, store *Store) error {
 			}

 		case "ssl":
-			obj, ok := v.(map[string]interface{})
+			obj, ok := v.(map[string]any)
 			if !ok {
-				t.Logf("failed to case %s to map[string]interface{}", k)
+				t.Logf("failed to case %s to map[string]any", k)
 			}
 			err := con.CreateObjectWithStringId(
 				k,
@@ -432,9 +432,9 @@ func importJSON(t *testing.T, r io.Reader, store *Store) error {
 			}

 		case "settings":
-			obj, ok := v.(map[string]interface{})
+			obj, ok := v.(map[string]any)
 			if !ok {
-				t.Logf("failed to case %s to map[string]interface{}", k)
+				t.Logf("failed to case %s to map[string]any", k)
 			}
 			err := con.CreateObjectWithStringId(
 				k,
@@ -446,9 +446,9 @@ func importJSON(t *testing.T, r io.Reader, store *Store) error {
 			}

 		case "tunnel_server":
-			obj, ok := v.(map[string]interface{})
+			obj, ok := v.(map[string]any)
 			if !ok {
-				t.Logf("failed to case %s to map[string]interface{}", k)
+				t.Logf("failed to case %s to map[string]any", k)
 			}
 			err := con.CreateObjectWithStringId(
 				k,
@@ -462,18 +462,18 @@ func importJSON(t *testing.T, r io.Reader, store *Store) error {
 			continue

 		default:
-			objlist, ok := v.([]interface{})
+			objlist, ok := v.([]any)
 			if !ok {
-				t.Logf("failed to cast %s to []interface{}", k)
+				t.Logf("failed to cast %s to []any", k)
 			}

 			for _, obj := range objlist {
-				value, ok := obj.(map[string]interface{})
+				value, ok := obj.(map[string]any)
 				if !ok {
-					t.Logf("failed to cast %v to map[string]interface{}", obj)
+					t.Logf("failed to cast %v to map[string]any", obj)
 				} else {
 					var ok bool
-					var id interface{}
+					var id any
 					switch k {
 					case "endpoint_relations":
 						// TODO: need to make into an int, then do that weird
--- a/api/datastore/migrate_dbversion29_test.go
+++ b/api/datastore/migrate_dbversion29_test.go
@@ -12,13 +12,13 @@ const dummyLogoURL = "example.com"

 // initTestingDBConn creates a settings service with raw database DB connection
 // for unit testing usage only since using NewStore will cause cycle import inside migrator pkg
-func initTestingSettingsService(dbConn portainer.Connection, preSetObj map[string]interface{}) error {
+func initTestingSettingsService(dbConn portainer.Connection, preSetObj map[string]any) error {
 	//insert a obj
 	return dbConn.UpdateObject("settings", []byte("SETTINGS"), preSetObj)
 }

 func setup(store *Store) error {
-	dummySettingsObj := map[string]interface{}{
+	dummySettingsObj := map[string]any{
 		"LogoURL": dummyLogoURL,
 	}

@@ -48,6 +48,7 @@ func TestMigrateSettings(t *testing.T) {
 	}

 	m := migrator.NewMigrator(&migrator.MigratorParameters{
+		Flags:                   store.flags,
 		EndpointGroupService:    store.EndpointGroupService,
 		EndpointService:         store.EndpointService,
 		EndpointRelationService: store.EndpointRelationService,
--- a/api/datastore/migrate_legacyversion.go
+++ b/api/datastore/migrate_legacyversion.go
@@ -111,5 +111,6 @@ func (store *Store) finishMigrateLegacyVersion(versionToWrite *models.Version) e
 	store.connection.DeleteObject(bucketName, []byte(legacyDBVersionKey))
 	store.connection.DeleteObject(bucketName, []byte(legacyEditionKey))
 	store.connection.DeleteObject(bucketName, []byte(legacyInstanceKey))
+
 	return err
 }
--- a/api/datastore/migrator/migrate_ce.go
+++ b/api/datastore/migrator/migrate_ce.go
@@ -15,7 +15,7 @@ func migrationError(err error, context string) error {
 	return errors.Wrap(err, "failed in "+context)
 }

-func GetFunctionName(i interface{}) string {
+func GetFunctionName(i any) string {
 	return runtime.FuncForPC(reflect.ValueOf(i).Pointer()).Name()
 }

@@ -39,20 +39,19 @@ func (m *Migrator) Migrate() error {
 		latestMigrations := m.LatestMigrations()
 		if latestMigrations.Version.Equal(schemaVersion) &&
 			version.MigratorCount != len(latestMigrations.MigrationFuncs) {
-			err := runMigrations(latestMigrations.MigrationFuncs)
-			if err != nil {
+			if err := runMigrations(latestMigrations.MigrationFuncs); err != nil {
 				return err
 			}
+
 			newMigratorCount = len(latestMigrations.MigrationFuncs)
 		}
 	} else {
 		// regular path when major/minor/patch versions differ
 		for _, migration := range m.migrations {
 			if schemaVersion.LessThan(migration.Version) {
-
 				log.Info().Msgf("migrating data to %s", migration.Version.String())
-				err := runMigrations(migration.MigrationFuncs)
-				if err != nil {
+
+				if err := runMigrations(migration.MigrationFuncs); err != nil {
 					return err
 				}
 			}
@@ -63,16 +62,14 @@ func (m *Migrator) Migrate() error {
 		}
 	}

-	err = m.Always()
-	if err != nil {
+	if err := m.Always(); err != nil {
 		return migrationError(err, "Always migrations returned error")
 	}

 	version.SchemaVersion = portainer.APIVersion
 	version.MigratorCount = newMigratorCount

-	err = m.versionService.UpdateVersion(version)
-	if err != nil {
+	if err := m.versionService.UpdateVersion(version); err != nil {
 		return migrationError(err, "StoreDBVersion")
 	}

@@ -99,6 +96,7 @@ func (m *Migrator) NeedsMigration() bool {
 	// In this particular instance we should log a fatal error
 	if m.CurrentDBEdition() != portainer.PortainerCE {
 		log.Fatal().Msg("the Portainer database is set for Portainer Business Edition, please follow the instructions in our documentation to downgrade it: https://documentation.portainer.io/v2.0-be/downgrade/be-to-ce/")
+
 		return false
 	}

--- a/api/datastore/migrator/migrate_dbversion100.go
+++ b/api/datastore/migrator/migrate_dbversion100.go
@@ -7,6 +7,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/chisel/crypto"
 	"github.com/portainer/portainer/api/dataservices"
+
 	"github.com/rs/zerolog/log"
 )

@@ -37,9 +38,11 @@ func (m *Migrator) convertSeedToPrivateKeyForDB100() error {
 			log.Info().Msg("ServerInfo object not found")
 			return nil
 		}
+
 		log.Error().
 			Err(err).
 			Msg("Failed to read ServerInfo from DB")
+
 		return err
 	}

@@ -49,14 +52,15 @@ func (m *Migrator) convertSeedToPrivateKeyForDB100() error {
 			log.Error().
 				Err(err).
 				Msg("Failed to read ServerInfo from DB")
+
 			return err
 		}

-		err = m.fileService.StoreChiselPrivateKey(key)
-		if err != nil {
+		if err := m.fileService.StoreChiselPrivateKey(key); err != nil {
 			log.Error().
 				Err(err).
 				Msg("Failed to save Chisel private key to disk")
+
 			return err
 		}
 	} else {
@@ -64,14 +68,14 @@ func (m *Migrator) convertSeedToPrivateKeyForDB100() error {
 	}

 	serverInfo.PrivateKeySeed = ""
-	err = m.TunnelServerService.UpdateInfo(serverInfo)
-	if err != nil {
+	if err := m.TunnelServerService.UpdateInfo(serverInfo); err != nil {
 		log.Error().
 			Err(err).
 			Msg("Failed to clean private key seed in DB")
 	} else {
 		log.Info().Msg("Success to migrate private key seed to private key file")
 	}
+
 	return err
 }

@@ -84,13 +88,16 @@ func (m *Migrator) updateEdgeStackStatusForDB100() error {
 	}

 	for _, edgeStack := range edgeStacks {
-
 		for environmentID, environmentStatus := range edgeStack.Status {
-			// skip if status is already updated
+			// Skip if status is already updated
 			if len(environmentStatus.Status) > 0 {
 				continue
 			}

+			if environmentStatus.Details == nil {
+				continue
+			}
+
 			statusArray := []portainer.EdgeStackDeploymentStatus{}
 			if environmentStatus.Details.Pending {
 				statusArray = append(statusArray, portainer.EdgeStackDeploymentStatus{
@@ -146,8 +153,7 @@ func (m *Migrator) updateEdgeStackStatusForDB100() error {
 			edgeStack.Status[environmentID] = environmentStatus
 		}

-		err = m.edgeStackService.UpdateEdgeStack(edgeStack.ID, &edgeStack)
-		if err != nil {
+		if err := m.edgeStackService.UpdateEdgeStack(edgeStack.ID, &edgeStack); err != nil {
 			return err
 		}
 	}
--- a/api/datastore/migrator/migrate_dbversion20.go
+++ b/api/datastore/migrator/migrate_dbversion20.go
@@ -18,8 +18,7 @@ func (m *Migrator) updateResourceControlsToDBVersion22() error {
 	for _, resourceControl := range legacyResourceControls {
 		resourceControl.AdministratorsOnly = false

-		err := m.resourceControlService.Update(resourceControl.ID, &resourceControl)
-		if err != nil {
+		if err := m.resourceControlService.Update(resourceControl.ID, &resourceControl); err != nil {
 			return err
 		}
 	}
@@ -42,8 +41,8 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {

 	for _, user := range legacyUsers {
 		user.PortainerAuthorizations = authorization.DefaultPortainerAuthorizations()
-		err = m.userService.Update(user.ID, &user)
-		if err != nil {
+
+		if err := m.userService.Update(user.ID, &user); err != nil {
 			return err
 		}
 	}
@@ -52,38 +51,47 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
 	if err != nil {
 		return err
 	}
+
 	endpointAdministratorRole.Priority = 1
 	endpointAdministratorRole.Authorizations = authorization.DefaultEndpointAuthorizationsForEndpointAdministratorRole()

-	err = m.roleService.Update(endpointAdministratorRole.ID, endpointAdministratorRole)
+	if err := m.roleService.Update(endpointAdministratorRole.ID, endpointAdministratorRole); err != nil {
+		return err
+	}

 	helpDeskRole, err := m.roleService.Read(portainer.RoleID(2))
 	if err != nil {
 		return err
 	}
+
 	helpDeskRole.Priority = 2
 	helpDeskRole.Authorizations = authorization.DefaultEndpointAuthorizationsForHelpDeskRole(settings.AllowVolumeBrowserForRegularUsers)

-	err = m.roleService.Update(helpDeskRole.ID, helpDeskRole)
+	if err := m.roleService.Update(helpDeskRole.ID, helpDeskRole); err != nil {
+		return err
+	}

 	standardUserRole, err := m.roleService.Read(portainer.RoleID(3))
 	if err != nil {
 		return err
 	}
+
 	standardUserRole.Priority = 3
 	standardUserRole.Authorizations = authorization.DefaultEndpointAuthorizationsForStandardUserRole(settings.AllowVolumeBrowserForRegularUsers)

-	err = m.roleService.Update(standardUserRole.ID, standardUserRole)
+	if err := m.roleService.Update(standardUserRole.ID, standardUserRole); err != nil {
+		return err
+	}

 	readOnlyUserRole, err := m.roleService.Read(portainer.RoleID(4))
 	if err != nil {
 		return err
 	}
+
 	readOnlyUserRole.Priority = 4
 	readOnlyUserRole.Authorizations = authorization.DefaultEndpointAuthorizationsForReadOnlyUserRole(settings.AllowVolumeBrowserForRegularUsers)

-	err = m.roleService.Update(readOnlyUserRole.ID, readOnlyUserRole)
-	if err != nil {
+	if err := m.roleService.Update(readOnlyUserRole.ID, readOnlyUserRole); err != nil {
 		return err
 	}

--- a/api/datastore/migrator/migrate_dbversion23.go
+++ b/api/datastore/migrator/migrate_dbversion23.go
@@ -32,8 +32,8 @@ func (m *Migrator) updateStacksToDB24() error {
 	for idx := range stacks {
 		stack := &stacks[idx]
 		stack.Status = portainer.StackStatusActive
-		err := m.stackService.Update(stack.ID, stack)
-		if err != nil {
+
+		if err := m.stackService.Update(stack.ID, stack); err != nil {
 			return err
 		}
 	}
--- a/api/datastore/migrator/migrate_dbversion32.go
+++ b/api/datastore/migrator/migrate_dbversion32.go
@@ -1,8 +1,6 @@
 package migrator

 import (
-	portainer "github.com/portainer/portainer/api"
-
 	"github.com/rs/zerolog/log"
 )

@@ -20,7 +18,7 @@ func (m *Migrator) migrateSettingsToDB33() error {
 	}

 	log.Info().Msg("setting default kubectl shell image")
-	settings.KubectlShellImage = portainer.DefaultKubectlShellImage
+	settings.KubectlShellImage = *m.flags.KubectlShellImage

 	return m.settingsService.UpdateSettings(settings)
 }
--- a/api/datastore/migrator/migrate_dbversion80.go
+++ b/api/datastore/migrator/migrate_dbversion80.go
@@ -75,6 +75,10 @@ func (m *Migrator) updateEdgeStackStatusForDB80() error {

 	for _, edgeStack := range edgeStacks {
 		for endpointId, status := range edgeStack.Status {
+			if status.Details == nil {
+				status.Details = &portainer.EdgeStackStatusDetails{}
+			}
+
 			switch status.Type {
 			case portainer.EdgeStackStatusPending:
 				status.Details.Pending = true
@@ -93,10 +97,10 @@ func (m *Migrator) updateEdgeStackStatusForDB80() error {
 			edgeStack.Status[endpointId] = status
 		}

-		err = m.edgeStackService.UpdateEdgeStack(edgeStack.ID, &edgeStack)
-		if err != nil {
+		if err := m.edgeStackService.UpdateEdgeStack(edgeStack.ID, &edgeStack); err != nil {
 			return err
 		}
 	}
+
 	return nil
 }
--- a/api/datastore/migrator/migrator.go
+++ b/api/datastore/migrator/migrator.go
@@ -13,7 +13,6 @@ import (
 	"github.com/portainer/portainer/api/dataservices/endpointgroup"
 	"github.com/portainer/portainer/api/dataservices/endpointrelation"
 	"github.com/portainer/portainer/api/dataservices/extension"
-	"github.com/portainer/portainer/api/dataservices/fdoprofile"
 	"github.com/portainer/portainer/api/dataservices/pendingactions"
 	"github.com/portainer/portainer/api/dataservices/registry"
 	"github.com/portainer/portainer/api/dataservices/resourcecontrol"
@@ -34,6 +33,7 @@ import (
 type (
 	// Migrator defines a service to migrate data after a Portainer version update.
 	Migrator struct {
+		flags            *portainer.CLIFlags
 		currentDBVersion *models.Version
 		migrations       []Migrations

@@ -41,7 +41,6 @@ type (
 		endpointService         *endpoint.Service
 		endpointRelationService *endpointrelation.Service
 		extensionService        *extension.Service
-		fdoProfilesService      *fdoprofile.Service
 		registryService         *registry.Service
 		resourceControlService  *resourcecontrol.Service
 		roleService             *role.Service
@@ -64,12 +63,12 @@ type (

 	// MigratorParameters represents the required parameters to create a new Migrator instance.
 	MigratorParameters struct {
+		Flags                   *portainer.CLIFlags
 		CurrentDBVersion        *models.Version
 		EndpointGroupService    *endpointgroup.Service
 		EndpointService         *endpoint.Service
 		EndpointRelationService *endpointrelation.Service
 		ExtensionService        *extension.Service
-		FDOProfilesService      *fdoprofile.Service
 		RegistryService         *registry.Service
 		ResourceControlService  *resourcecontrol.Service
 		RoleService             *role.Service
@@ -94,12 +93,12 @@ type (
 // NewMigrator creates a new Migrator.
 func NewMigrator(parameters *MigratorParameters) *Migrator {
 	migrator := &Migrator{
+		flags:                   parameters.Flags,
 		currentDBVersion:        parameters.CurrentDBVersion,
 		endpointGroupService:    parameters.EndpointGroupService,
 		endpointService:         parameters.EndpointService,
 		endpointRelationService: parameters.EndpointRelationService,
 		extensionService:        parameters.ExtensionService,
-		fdoProfilesService:      parameters.FDOProfilesService,
 		registryService:         parameters.RegistryService,
 		resourceControlService:  parameters.ResourceControlService,
 		roleService:             parameters.RoleService,
--- a/api/datastore/postinit/migrate_post_init.go
+++ b/api/datastore/postinit/migrate_post_init.go
@@ -11,6 +11,7 @@ import (
 	"github.com/portainer/portainer/api/internal/endpointutils"
 	"github.com/portainer/portainer/api/kubernetes/cli"
 	"github.com/portainer/portainer/api/pendingactions/actions"
+	"github.com/portainer/portainer/pkg/endpoints"

 	"github.com/rs/zerolog/log"
 )
@@ -49,17 +50,29 @@ func (postInitMigrator *PostInitMigrator) PostInitMigrate() error {

 	for _, environment := range environments {
 		// edge environments will run after the server starts, in pending actions
-		if endpointutils.IsEdgeEndpoint(&environment) {
-			log.Info().Msgf("Adding pending action 'PostInitMigrateEnvironment' for environment %d", environment.ID)
-			err = postInitMigrator.createPostInitMigrationPendingAction(environment.ID)
-			if err != nil {
-				log.Error().Err(err).Msgf("Error creating pending action for environment %d", environment.ID)
+		if endpoints.IsEdgeEndpoint(&environment) {
+			// Skip edge environments that do not have direct connectivity
+			if !endpoints.HasDirectConnectivity(&environment) {
+				continue
+			}
+
+			log.Info().
+				Int("endpoint_id", int(environment.ID)).
+				Msg("adding pending action 'PostInitMigrateEnvironment' for environment")
+
+			if err := postInitMigrator.createPostInitMigrationPendingAction(environment.ID); err != nil {
+				log.Error().
+					Err(err).
+					Int("endpoint_id", int(environment.ID)).
+					Msg("error creating pending action for environment")
 			}
 		} else {
-			// non-edge environments will run before the server starts.
-			err = postInitMigrator.MigrateEnvironment(&environment)
-			if err != nil {
-				log.Error().Err(err).Msgf("Error running post-init migrations for non-edge environment %d", environment.ID)
+			// Non-edge environments will run before the server starts.
+			if err := postInitMigrator.MigrateEnvironment(&environment); err != nil {
+				log.Error().
+					Err(err).
+					Int("endpoint_id", int(environment.ID)).
+					Msg("error running post-init migrations for non-edge environment")
 			}
 		}

@@ -90,7 +103,7 @@ func (migrator *PostInitMigrator) MigrateEnvironment(environment *portainer.Endp
 	switch {
 	case endpointutils.IsKubernetesEndpoint(environment):
 		// get the kubeclient for the environment, and skip all kube migrations if there's an error
-		kubeclient, err := migrator.kubeFactory.GetKubeClient(environment)
+		kubeclient, err := migrator.kubeFactory.GetPrivilegedKubeClient(environment)
 		if err != nil {
 			log.Error().Err(err).Msgf("Error creating kubeclient for environment: %d", environment.ID)
 			return err
--- a/api/datastore/services.go
+++ b/api/datastore/services.go
@@ -17,7 +17,6 @@ import (
 	"github.com/portainer/portainer/api/dataservices/endpointgroup"
 	"github.com/portainer/portainer/api/dataservices/endpointrelation"
 	"github.com/portainer/portainer/api/dataservices/extension"
-	"github.com/portainer/portainer/api/dataservices/fdoprofile"
 	"github.com/portainer/portainer/api/dataservices/helmuserrepository"
 	"github.com/portainer/portainer/api/dataservices/pendingactions"
 	"github.com/portainer/portainer/api/dataservices/registry"
@@ -43,6 +42,7 @@ import (
 // Store defines the implementation of portainer.DataStore using
 // BoltDB as the storage system.
 type Store struct {
+	flags      *portainer.CLIFlags
 	connection portainer.Connection

 	fileService               portainer.FileService
@@ -55,7 +55,6 @@ type Store struct {
 	EndpointService           *endpoint.Service
 	EndpointRelationService   *endpointrelation.Service
 	ExtensionService          *extension.Service
-	FDOProfilesService        *fdoprofile.Service
 	HelmUserRepositoryService *helmuserrepository.Service
 	RegistryService           *registry.Service
 	ResourceControlService    *resourcecontrol.Service
@@ -101,7 +100,9 @@ func (store *Store) initServices() error {
 	}
 	store.EndpointRelationService = endpointRelationService

-	edgeStackService, err := edgestack.NewService(store.connection, endpointRelationService.InvalidateEdgeCacheForEdgeStack)
+	edgeStackService, err := edgestack.NewService(store.connection, func(tx portainer.Transaction, ID portainer.EdgeStackID) {
+		endpointRelationService.Tx(tx).InvalidateEdgeCacheForEdgeStack(ID)
+	})
 	if err != nil {
 		return err
 	}
@@ -138,12 +139,6 @@ func (store *Store) initServices() error {
 	}
 	store.ExtensionService = extensionService

-	fdoProfilesService, err := fdoprofile.NewService(store.connection)
-	if err != nil {
-		return err
-	}
-	store.FDOProfilesService = fdoProfilesService
-
 	helmUserRepositoryService, err := helmuserrepository.NewService(store.connection)
 	if err != nil {
 		return err
@@ -289,11 +284,6 @@ func (store *Store) EndpointRelation() dataservices.EndpointRelationService {
 	return store.EndpointRelationService
 }

-// FDOProfile gives access to the FDOProfile data management layer
-func (store *Store) FDOProfile() dataservices.FDOProfileService {
-	return store.FDOProfilesService
-}
-
 // HelmUserRepository access the helm user repository settings
 func (store *Store) HelmUserRepository() dataservices.HelmUserRepositoryService {
 	return store.HelmUserRepositoryService
@@ -398,11 +388,10 @@ type storeExport struct {
 	User               []portainer.User               `json:"users,omitempty"`
 	Version            models.Version                 `json:"version,omitempty"`
 	Webhook            []portainer.Webhook            `json:"webhooks,omitempty"`
-	Metadata           map[string]interface{}         `json:"metadata,omitempty"`
+	Metadata           map[string]any                 `json:"metadata,omitempty"`
 }

 func (store *Store) Export(filename string) (err error) {
-
 	backup := storeExport{}

 	if c, err := store.CustomTemplate().ReadAll(); err != nil {
@@ -606,6 +595,7 @@ func (store *Store) Export(filename string) (err error) {
 	if err != nil {
 		return err
 	}
+
 	return os.WriteFile(filename, b, 0600)
 }

--- a/api/datastore/services_tx.go
+++ b/api/datastore/services_tx.go
@@ -44,7 +44,6 @@ func (tx *StoreTx) EndpointRelation() dataservices.EndpointRelationService {
 	return tx.store.EndpointRelationService.Tx(tx.tx)
 }

-func (tx *StoreTx) FDOProfile() dataservices.FDOProfileService                 { return nil }
 func (tx *StoreTx) HelmUserRepository() dataservices.HelmUserRepositoryService { return nil }

 func (tx *StoreTx) Registry() dataservices.RegistryService {
@@ -83,7 +82,9 @@ func (tx *StoreTx) TeamMembership() dataservices.TeamMembershipService {
 	return tx.store.TeamMembershipService.Tx(tx.tx)
 }

-func (tx *StoreTx) Team() dataservices.TeamService { return nil }
+func (tx *StoreTx) Team() dataservices.TeamService {
+	return tx.store.TeamService.Tx(tx.tx)
+}

 func (tx *StoreTx) TunnelServer() dataservices.TunnelServerService { return nil }

--- a/api/datastore/test_data/input_24.json
+++ b/api/datastore/test_data/input_24.json
--- a/Show More
+++ b/Show More