Merge branch 'release/2.5'

Merge branch 'release/2.1'
2021-05-24 08:50:46 +12:00 · 2021-05-17 13:59:38 +12:00 · 2021-05-17 13:43:48 +12:00 · 2021-02-04 18:08:27 +13:00 · 2021-02-04 18:04:18 +13:00 · 2021-02-04 17:28:23 +13:00
1369 changed files with 16424 additions and 63759 deletions
--- a/.babelrc
+++ b/.babelrc
@@ -0,0 +1,13 @@
+{
+  "plugins": ["lodash", "angularjs-annotate"],
+  "presets": [
+    [
+      "@babel/preset-env",
+      {
+        "modules": false,
+        "useBuiltIns": "entry",
+        "corejs": "2"
+      }
+    ]
+  ]
+}
--- a/.eslintrc.yml
+++ b/.eslintrc.yml
@@ -17,76 +17,12 @@ plugins:
 parserOptions:
  ecmaVersion: 2018
  sourceType: module
-  project: './tsconfig.json'
  ecmaFeatures:
    modules: true

 rules:
-  no-control-regex: 'off'
+  no-control-regex: off
  no-empty: warn
  no-empty-function: warn
-  no-useless-escape: 'off'
-  import/order:
-    [
-      'error',
-      {
-        pathGroups: [{ pattern: '@/**', group: 'internal' }, { pattern: '{Kubernetes,Portainer,Agent,Azure,Docker}/**', group: 'internal' }],
-        groups: ['builtin', 'external', 'internal', 'parent', 'sibling', 'index'],
-        pathGroupsExcludedImportTypes: ['internal'],
-      },
-    ]
-
-settings:
-  'import/resolver':
-    alias:
-      map:
-        - ['@', './app']
-      extensions: ['.js', '.ts', '.tsx']
-
-overrides:
-  - files:
-      - app/**/*.ts{,x}
-    parserOptions:
-      project: './tsconfig.json'
-    parser: '@typescript-eslint/parser'
-    plugins:
-      - '@typescript-eslint'
-    extends:
-      - airbnb
-      - airbnb-typescript
-      - 'plugin:eslint-comments/recommended'
-      - 'plugin:react-hooks/recommended'
-      - 'plugin:react/jsx-runtime'
-      - 'plugin:@typescript-eslint/recommended'
-      - 'plugin:@typescript-eslint/eslint-recommended'
-      - 'plugin:promise/recommended'
-      - prettier # should be last
-    settings:
-      react:
-        version: 'detect'
-    rules:
-      import/order:
-        ['error', { pathGroups: [{ pattern: '@/**', group: 'internal' }], groups: ['builtin', 'external', 'internal', 'parent', 'sibling', 'index'], 'newlines-between': 'always' }]
-      func-style: [error, 'declaration']
-      import/prefer-default-export: off
-      no-use-before-define: ['error', { functions: false }]
-      '@typescript-eslint/no-use-before-define': ['error', { functions: false }]
-      no-shadow: 'off'
-      '@typescript-eslint/no-shadow': off
-      jsx-a11y/no-autofocus: warn
-      react/forbid-prop-types: off
-      react/require-default-props: off
-      react/no-array-index-key: off
-      react/jsx-filename-extension: [0]
-      import/no-extraneous-dependencies: ['error', { devDependencies: true }]
-      '@typescript-eslint/explicit-module-boundary-types': off
-      '@typescript-eslint/no-unused-vars': 'error'
-      '@typescript-eslint/no-explicit-any': 'error'
-      'jsx-a11y/label-has-associated-control': ['error', { 'assert': 'either' }]
-  - files:
-      - app/**/*.test.*
-    extends:
-      - 'plugin:jest/recommended'
-      - 'plugin:jest/style'
-    env:
-      'jest/globals': true
+  no-useless-escape: off
+  import/order: error
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -28,15 +28,17 @@ Briefly describe the problem you are having in a few paragraphs.

 **Steps to reproduce the issue:**

-1. 2. 3.
+1.
+2.
+3.

 Any other info e.g. Why do you consider this to be a bug? What did you expect to happen instead?

 **Technical details:**

- Portainer version:
- Target Docker version (the host/cluster you manage):
- Platform (windows/linux):
- Command used to start Portainer (`docker run -p 9443:9443 portainer/portainer`):
- Target Swarm version (if applicable):
- Browser:
+* Portainer version:
+* Target Docker version (the host/cluster you manage):
+* Platform (windows/linux):
+* Command used to start Portainer (`docker run -p 9000:9000 portainer/portainer`):
+* Target Swarm version (if applicable):
+* Browser:
--- a/.github/ISSUE_TEMPLATE/Bug_report.md
+++ b/.github/ISSUE_TEMPLATE/Bug_report.md
@@ -30,7 +30,7 @@ A clear and concise description of what you expected to happen.

 **Portainer Logs**
 Provide the logs of your Portainer container or Service.
-You can see how [here](https://documentation.portainer.io/r/portainer-logs)
+You can see how [here](https://documentation.portainer.io/archive/1.23.2/faq/#how-do-i-get-the-logs-from-portainer)

 **Steps to reproduce the issue:**

@@ -45,7 +45,7 @@ You can see how [here](https://documentation.portainer.io/r/portainer-logs)
 - Docker version (managed by Portainer):
 - Kubernetes version (managed by Portainer):
 - Platform (windows/linux):
- Command used to start Portainer (`docker run -p 9443:9443 portainer/portainer`):
+- Command used to start Portainer (`docker run -p 9000:9000 portainer/portainer`):
 - Browser:
 - Use Case (delete as appropriate): Using Portainer at Home, Using Portainer in a Commerical setup.
 - Have you reviewed our technical documentation and knowledge base? Yes/No
--- a/.github/ISSUE_TEMPLATE/Custom.md
+++ b/.github/ISSUE_TEMPLATE/Custom.md
@@ -4,8 +4,8 @@ about: Ask us a question about Portainer usage or deployment
 title: ''
 labels: ''
 assignees: ''
-
 ---
+
 Before you start, we need a little bit more information from you:

 Use Case (delete as appropriate): Using Portainer at Home, Using Portainer in a Commerical setup.
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,5 +0,0 @@
-blank_issues_enabled: false
-contact_links:
-  - name: Portainer Business Edition - Get 5 nodes free
-    url: https://portainer.io/pricing/take5 
-    about: Portainer Business Edition has more features, more support and you can now get 5 nodes free for as long as you want.
--- a/.github/stale.yml
+++ b/.github/stale.yml
@@ -0,0 +1,54 @@
+# Config for Stalebot, limited to only `issues`
+only: issues
+
+# Issues config
+issues:
+  daysUntilStale: 60
+  daysUntilClose: 7
+
+  # Limit the number of actions per hour, from 1-30. Default is 30
+  limitPerRun: 30
+
+  # Issues with these labels will never be considered stale
+  exemptLabels:
+    - kind/enhancement
+    - kind/question
+    - kind/style
+    - kind/workaround
+    - kind/refactor
+    - bug/need-confirmation
+    - bug/confirmed
+    - status/discuss
+
+  # Only issues with all of these labels are checked if stale. Defaults to `[]` (disabled)
+  onlyLabels: []
+
+  # Set to true to ignore issues in a project (defaults to false)
+  exemptProjects: true
+  # Set to true to ignore issues in a milestone (defaults to false)
+  exemptMilestones: true
+  # Set to true to ignore issues with an assignee (defaults to false)
+  exemptAssignees: true
+
+  # Label to use when marking an issue as stale
+  staleLabel: status/stale
+
+  # Comment to post when marking an issue as stale. Set to `false` to disable
+  markComment: >
+    This issue has been marked as stale as it has not had recent activity,
+    it will be closed if no further activity occurs in the next 7 days.
+    If you believe that it has been incorrectly labelled as stale,
+    leave a comment and the label will be removed.
+
+  # Comment to post when removing the stale label.
+  # unmarkComment: >
+  #   Your comment here.
+
+  # Comment to post when closing a stale issue. Set to `false` to disable
+  closeComment: >
+    Since no further activity has appeared on this issue it will be closed.
+    If you believe that it has been incorrectly closed, leave a comment
+    mentioning `ametdoohan`, `balasu` or `keverv` and one of our staff will then review the issue.
+
+    Note - If it is an old bug report, make sure that it is reproduceable in the
+    latest version of Portainer as it may have already been fixed.
--- a/.github/workflows/label-conflcts.yaml
+++ b/.github/workflows/label-conflcts.yaml
@@ -1,15 +0,0 @@
-on:
-  push:
-    branches:
-      - develop
-      - 'release/**'
-jobs:
-  triage:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: mschilde/auto-label-merge-conflicts@master
-        with:
-          CONFLICT_LABEL_NAME: 'has conflicts'
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          MAX_RETRIES: 5
-          WAIT_MS: 5000
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,27 +0,0 @@
-name: Close Stale Issues
-on:
-  schedule:
-  - cron: '0 12 * * *'
-jobs:
-  stale:
-    runs-on: ubuntu-latest
-    permissions:
-      issues: write
-
-    steps:
-    - uses: actions/stale@v4.0.0
-      with:
-        repo-token: ${{ secrets.GITHUB_TOKEN }}
-
-        # Issue Config
-        days-before-issue-stale: 60
-        days-before-issue-close: 7
-        stale-issue-label: 'status/stale'
-        exempt-all-issue-milestones: true # Do not stale issues in a milestone
-        exempt-issue-labels: kind/enhancement, kind/style, kind/workaround, kind/refactor, bug/need-confirmation, bug/confirmed, status/discuss
-        stale-issue-message: 'This issue has been marked as stale as it has not had recent activity, it will be closed if no further activity occurs in the next 7 days. If you believe that it has been incorrectly labelled as stale, leave a comment and the label will be removed.'
-        close-issue-message: 'Since no further activity has appeared on this issue it will be closed. If you believe that it has been incorrectly closed, leave a comment mentioning `portainer/support` and one of our staff will then review the issue. Note - If it is an old bug report, make sure that it is reproduceable in the latest version of Portainer as it may have already been fixed.'
-        
-        # Pull Request Config
-        days-before-pr-stale: -1 # Do not stale pull request
-        days-before-pr-close: -1 # Do not close pull request
--- a/.github/workflows/validate-openapi-spec.yml
+++ b/.github/workflows/validate-openapi-spec.yml
@@ -1,53 +0,0 @@
-name: Validate
-
-on:
-  pull_request:
-    branches:
-      - master
-      - develop
-      - 'release/*'
-
-jobs:
-  openapi-spec:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout Code
-      uses: actions/checkout@v2
-    - name: Setup Node v14
-      uses: actions/setup-node@v2
-      with:
-        node-version: 14
-
-    # https://github.com/actions/cache/blob/main/examples.md#node---yarn
-    - name: Get yarn cache directory path
-      id: yarn-cache-dir-path
-      run: echo "::set-output name=dir::$(yarn cache dir)"
-
-    - uses: actions/cache@v2
-      id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
-      with:
-        path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
-        key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
-        restore-keys: |
-          ${{ runner.os }}-yarn-
-
-    - name: Setup Go v1.17.3
-      uses: actions/setup-go@v2
-      with:
-        go-version: '^1.17.3'
-
-    - name: Prebuild docs
-      run: yarn prebuild:docs
-
-    - name: Build OpenAPI 2.0 Spec
-      run: yarn build:docs
-
-    # Install dependencies globally to bypass installing all frontend deps
-    - name: Install swagger2openapi and swagger-cli
-      run: yarn global add swagger2openapi @apidevtools/swagger-cli
-
-    # OpenAPI2.0 does not support multiple body params (which we utilise in some of our handlers).
-    # OAS3.0 however does support multiple body params - hence its best to convert the generated OAS 2.0
-    # to OAS 3.0 and validate the output of generated OAS 3.0 instead.
-    - name: Convert OpenAPI 2.0 to OpenAPI 3.0 and validate spec
-      run: yarn validate:docs
--- a/.gitignore
+++ b/.gitignore
@@ -3,15 +3,11 @@ bower_components
 dist
 portainer-checksum.txt
 api/cmd/portainer/portainer*
-storybook-static
 .tmp
 **/.vscode/settings.json
 **/.vscode/tasks.json
-*.DS_Store

 .eslintcache
 __debug_bin

 api/docs
-.idea
-.env
--- a/.prettierignore
+++ b/.prettierignore
@@ -1 +0,0 @@
-dist
--- a/.prettierrc
+++ b/.prettierrc
@@ -4,20 +4,10 @@
  "htmlWhitespaceSensitivity": "strict",
  "overrides": [
    {
-      "files": [
-        "*.html"
-      ],
+      "files": ["*.html"],
      "options": {
        "parser": "angular"
      }
-    },
-    {
-      "files": [
-        "*.{j,t}sx"
-      ],
-      "options": {
-        "printWidth": 80,
-      }
    }
  ]
-}
+}
--- a/.storybook/main.js
+++ b/.storybook/main.js
@@ -1,31 +0,0 @@
-const TsconfigPathsPlugin = require('tsconfig-paths-webpack-plugin');
-
-module.exports = {
-  stories: ['../app/**/*.stories.mdx', '../app/**/*.stories.@(ts|tsx)'],
-  addons: [
-    '@storybook/addon-links',
-    '@storybook/addon-essentials',
-    {
-      name: '@storybook/addon-postcss',
-      options: {
-        cssLoaderOptions: {
-          importLoaders: 1,
-          modules: {
-            localIdentName: '[path][name]__[local]',
-            auto: true,
-            exportLocalsConvention: 'camelCaseOnly',
-          },
-        },
-      },
-    },
-  ],
-  webpackFinal: (config) => {
-    config.resolve.plugins = [
-      ...(config.resolve.plugins || []),
-      new TsconfigPathsPlugin({
-        extensions: config.resolve.extensions,
-      }),
-    ];
-    return config;
-  },
-};
--- a/.storybook/preview.js
+++ b/.storybook/preview.js
@@ -1,11 +0,0 @@
-import '../app/assets/css';
-
-export const parameters = {
-  actions: { argTypesRegex: '^on[A-Z].*' },
-  controls: {
-    matchers: {
-      color: /(background|color)$/i,
-      date: /Date$/,
-    },
-  },
-};
--- a/.vscode.example/portainer.code-snippets
+++ b/.vscode.example/portainer.code-snippets
@@ -150,7 +150,6 @@
      "// @description ",
      "// @description **Access policy**: ",
      "// @tags ",
-      "// @security ApiKeyAuth",
      "// @security jwt",
      "// @accept json",
      "// @produce json",
@@ -164,19 +163,5 @@
      "// @failure 500 \"Server error\"",
      "// @router /{id} [get]"
    ]
-  },
-  "analytics": {
-    "prefix": "nlt",
-    "body": ["analytics-on", "analytics-category=\"$1\"", "analytics-event=\"$2\""],
-    "description": "analytics"
-  },
-  "analytics-if": {
-    "prefix": "nltf",
-    "body": ["analytics-if=\"$1\""],
-    "description": "analytics"
-  },
-  "analytics-metadata": {
-    "prefix": "nltm",
-    "body": "analytics-properties=\"{ metadata: { $1 } }\""
  }
 }
--- a/.vscode.example/settings.json
+++ b/.vscode.example/settings.json
@@ -1,4 +0,0 @@
-{
-  "go.lintTool": "golangci-lint",
-  "go.lintFlags": ["--fast", "-E", "exportloopref"]
-}
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -75,7 +75,7 @@ The feature request process is similar to the bug report process but has an extr

 ![portainer_featurerequest_workflow](https://user-images.githubusercontent.com/5485061/45727229-5ad39f00-bbf5-11e8-9550-16ba66c50615.png)

-## Build and run Portainer locally
+## Build Portainer locally

 Ensure you have Docker, Node.js, yarn, and Golang installed in the correct versions.

@@ -85,24 +85,16 @@ Install dependencies with yarn:
 $ yarn
 ```

-Then build and run the project in a Docker container:
+Then build and run the project:

 ```sh
 $ yarn start
 ```

-Portainer can now be accessed at <https://localhost:9443>.
+Portainer can now be accessed at <http://localhost:9000>.

 Find more detailed steps at <https://documentation.portainer.io/contributing/instructions/>.

-### Build customisation
-
-You can customise the following settings:
-
- `PORTAINER_DATA`: The host dir or volume name used by portainer (default is `/tmp/portainer`, which won't persist over reboots).
- `PORTAINER_PROJECT`: The root dir of the repository - `${portainerRoot}/dist/` is imported into the container to get the build artifacts and external tools (defaults to `your current dir`).
- `PORTAINER_FLAGS`: a list of flags to be used on the portainer commandline, in the form `--admin-password=<pwd hash> --feat fdo=false --feat open-amt` (default: `""`).
-
 ## Adding api docs

 When adding a new resource (or a route handler), we should add a new tag to api/http/handler/handler.go#L136 like this:
@@ -120,7 +112,6 @@ When adding a new route to an existing handler use the following as a template (
 // @description
 // @description **Access policy**:
 // @tags
-// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json
--- a/README.md
+++ b/README.md
@@ -1,16 +1,16 @@
 <p align="center">
-  <img title="portainer" src='https://github.com/portainer/portainer/blob/develop/app/assets/images/portainer-github-banner.png?raw=true' />
+  <img title="portainer" src='https://github.com/portainer/portainer/blob/develop/app/assets/images/logo_alt.png?raw=true' />
 </p>

-**Portainer Community Edition** is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. It is designed to be as simple to deploy as it is to use. The application allows you to manage all your orchestrator resources (containers, images, volumes, networks and more) through a ‘smart’ GUI and/or an extensive API.
+[![Docker Pulls](https://img.shields.io/docker/pulls/portainer/portainer.svg)](https://hub.docker.com/r/portainer/portainer/)
+[![Microbadger](https://images.microbadger.com/badges/image/portainer/portainer.svg)](http://microbadger.com/images/portainer/portainer 'Image size')
+[![Build Status](https://portainer.visualstudio.com/Portainer%20CI/_apis/build/status/Portainer%20CI?branchName=develop)](https://portainer.visualstudio.com/Portainer%20CI/_build/latest?definitionId=3&branchName=develop)
+[![Code Climate](https://codeclimate.com/github/portainer/portainer/badges/gpa.svg)](https://codeclimate.com/github/portainer/portainer)
+[![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=YHXZJQNJQ36H6)

-Portainer consists of a single container that can run on any cluster. It can be deployed as a Linux container or a Windows native container.
-
-**Portainer Business Edition** builds on the open-source base and includes a range of advanced features and functions (like RBAC and Support) that are specific to the needs of business users.
-
- [Compare Portainer CE and Compare Portainer BE](https://portainer.io/products)
- [Take5 – get 5 free nodes of Portainer Business for as long as you want them](https://portainer.io/pricing/take5)
- [Portainer BE install guide](https://install.portainer.io)
+**_Portainer_** is a lightweight management UI which allows you to **easily** manage your different Docker environments (Docker hosts or Swarm clusters).
+**_Portainer_** is meant to be as **simple** to deploy as it is to use. It consists of a single container that can run on any Docker engine (can be deployed as Linux container or a Windows native container, supports other platforms too).
+**_Portainer_** allows you to manage all your Docker resources (containers, images, volumes, networks and more!) It is compatible with the _standalone Docker_ engine and with _Docker Swarm mode_.

 ## Demo

@@ -18,50 +18,39 @@ You can try out the public demo instance: http://demo.portainer.io/ (login with

 Please note that the public demo cluster is **reset every 15min**.

-## Latest Version
+Alternatively, you can deploy a copy of the demo stack inside a [play-with-docker (PWD)](https://labs.play-with-docker.com) playground:

-Portainer CE is updated regularly. We aim to do an update release every couple of months.
+- Browse [PWD/?stack=portainer-demo/play-with-docker/docker-stack.yml](http://play-with-docker.com/?stack=https://raw.githubusercontent.com/portainer/portainer-demo/master/play-with-docker/docker-stack.yml)
+- Sign in with your [Docker ID](https://docs.docker.com/docker-id)
+- Follow [these](https://github.com/portainer/portainer-demo/blob/master/play-with-docker/docker-stack.yml#L5-L8) steps.

-**The latest version of Portainer is 2.9.x**. Portainer is on version 2, the second number denotes the month of release.
+Unlike the public demo, the playground sessions are deleted after 4 hours. Apart from that, all the settings are the same, including default credentials.

 ## Getting started

- [Deploy Portainer](https://docs.portainer.io/v/ce-2.9/start/install)
+- [Deploy Portainer](https://documentation.portainer.io/quickstart/)
 - [Documentation](https://documentation.portainer.io)
- [Contribute to the project](https://documentation.portainer.io/contributing/instructions/)
-
-## Features & Functions
-
-View [this](https://www.portainer.io/products) table to see all of the Portainer CE functionality and compare to Portainer Business.
-
- [Portainer CE for Docker / Docker Swarm](https://www.portainer.io/solutions/docker)
- [Portainer CE for Kubernetes](https://www.portainer.io/solutions/kubernetes-ui)
- [Portainer CE for Azure ACI](https://www.portainer.io/solutions/serverless-containers)
+- [Building Portainer](https://documentation.portainer.io/contributing/instructions/)

 ## Getting help

-Portainer CE is an open source project and is supported by the community. You can buy a supported version of Portainer at portainer.io
+For FORMAL Support, please purchase a support subscription from here: https://www.portainer.io/products/portainer-business

-Learn more about Portainers community support channels [here.](https://www.portainer.io/community_help)
+For community support: You can find more information about Portainer's community support framework policy here: https://www.portainer.io/products/community-edition/customer-success

 - Issues: https://github.com/portainer/portainer/issues
- Slack (chat): [https://portainer.slack.com/](https://join.slack.com/t/portainer/shared_invite/zt-txh3ljab-52QHTyjCqbe5RibC2lcjKA)
-
-You can join the Portainer Community by visiting community.portainer.io. This will give you advance notice of events, content and other related Portainer content.
+- FAQ: https://documentation.portainer.io
+- Slack (chat): https://portainer.io/slack/

 ## Reporting bugs and contributing

 - Want to report a bug or request a feature? Please open [an issue](https://github.com/portainer/portainer/issues/new).
- Want to help us build **_portainer_**? Follow our [contribution guidelines](https://documentation.portainer.io/contributing/instructions/) to build it locally and make a pull request.
+- Want to help us build **_portainer_**? Follow our [contribution guidelines](https://documentation.portainer.io/contributing/instructions/) to build it locally and make a pull request. We need all the help we can get!

 ## Security

 - Here at Portainer, we believe in [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) of security issues. If you have found a security issue, please report it to <security@portainer.io>.

-## Work for us
-
-If you are a developer, and our code in this repo makes sense to you, we would love to hear from you. We are always on the hunt for awesome devs, either freelance or employed. Drop us a line to info@portainer.io with your details and/or visit our [careers page](https://portainer.io/careers).
-
 ## Privacy

 **To make sure we focus our development effort in the right places we need to know which features get used most often. To give us this information we use [Matomo Analytics](https://matomo.org/), which is hosted in Germany and is fully GDPR compliant.**
--- a/api/api-description.md
+++ b/api/api-description.md
@@ -1,10 +1,10 @@
 Portainer API is an HTTP API served by Portainer. It is used by the Portainer UI and everything you can do with the UI can be done using the HTTP API.
-Examples are available at https://documentation.portainer.io/api/api-examples/
+Examples are available at https://gist.github.com/deviantony/77026d402366b4b43fa5918d41bc42f8
 You can find out more about Portainer at [http://portainer.io](http://portainer.io) and get some support on [Slack](http://portainer.io/slack/).

 # Authentication

-Most of the API environments(endpoints) require to be authenticated as well as some level of authorization to be used.
+Most of the API endpoints require to be authenticated as well as some level of authorization to be used.
 Portainer API uses JSON Web Token to manage authentication and thus requires you to provide a token in the **Authorization** header of each request
 with the **Bearer** authentication mechanism.

@@ -16,7 +16,7 @@ Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIs

 # Security

-Each API environment(endpoint) has an associated access policy, it is documented in the description of each environment(endpoint).
+Each API endpoint has an associated access policy, it is documented in the description of each endpoint.

 Different access policies are available:

@@ -27,27 +27,27 @@ Different access policies are available:

 ### Public access

-No authentication is required to access the environments(endpoints) with this access policy.
+No authentication is required to access the endpoints with this access policy.

 ### Authenticated access

-Authentication is required to access the environments(endpoints) with this access policy.
+Authentication is required to access the endpoints with this access policy.

 ### Restricted access

-Authentication is required to access the environments(endpoints) with this access policy.
+Authentication is required to access the endpoints with this access policy.
 Extra-checks might be added to ensure access to the resource is granted. Returned data might also be filtered.

 ### Administrator access

-Authentication as well as an administrator role are required to access the environments(endpoints) with this access policy.
+Authentication as well as an administrator role are required to access the endpoints with this access policy.

 # Execute Docker requests

-Portainer **DO NOT** expose specific environments(endpoints) to manage your Docker resources (create a container, remove a volume, etc...).
+Portainer **DO NOT** expose specific endpoints to manage your Docker resources (create a container, remove a volume, etc...).

 Instead, it acts as a reverse-proxy to the Docker HTTP API. This means that you can execute Docker requests **via** the Portainer HTTP API.

-To do so, you can use the `/endpoints/{id}/docker` Portainer API environment(endpoint) (which is not documented below due to Swagger limitations). This environment(endpoint) has a restricted access policy so you still need to be authenticated to be able to query this environment(endpoint). Any query on this environment(endpoint) will be proxied to the Docker API of the associated environment(endpoint) (requests and responses objects are the same as documented in the Docker API).
+To do so, you can use the `/endpoints/{id}/docker` Portainer API endpoint (which is not documented below due to Swagger limitations). This endpoint has a restricted access policy so you still need to be authenticated to be able to query this endpoint. Any query on this endpoint will be proxied to the Docker API of the associated endpoint (requests and responses objects are the same as documented in the Docker API).

-**NOTE**: You can find more information on how to query the Docker API in the [Docker official documentation](https://docs.docker.com/engine/api/v1.30/) as well as in [this Portainer example](https://documentation.portainer.io/api/api-examples/).
+**NOTE**: You can find more information on how to query the Docker API in the [Docker official documentation](https://docs.docker.com/engine/api/v1.30/) as well as in [this Portainer example](https://gist.github.com/deviantony/77026d402366b4b43fa5918d41bc42f8).
--- a/api/apikey/apikey.go
+++ b/api/apikey/apikey.go
@@ -1,30 +0,0 @@
-package apikey
-
-import (
-	"crypto/rand"
-	"io"
-
-	portainer "github.com/portainer/portainer/api"
-)
-
-// APIKeyService represents a service for managing API keys.
-type APIKeyService interface {
-	HashRaw(rawKey string) []byte
-	GenerateApiKey(user portainer.User, description string) (string, *portainer.APIKey, error)
-	GetAPIKey(apiKeyID portainer.APIKeyID) (*portainer.APIKey, error)
-	GetAPIKeys(userID portainer.UserID) ([]portainer.APIKey, error)
-	GetDigestUserAndKey(digest []byte) (portainer.User, portainer.APIKey, error)
-	UpdateAPIKey(apiKey *portainer.APIKey) error
-	DeleteAPIKey(apiKeyID portainer.APIKeyID) error
-	InvalidateUserKeyCache(userId portainer.UserID) bool
-}
-
-// generateRandomKey generates a random key of specified length
-// source: https://github.com/gorilla/securecookie/blob/master/securecookie.go#L515
-func generateRandomKey(length int) []byte {
-	k := make([]byte, length)
-	if _, err := io.ReadFull(rand.Reader, k); err != nil {
-		return nil
-	}
-	return k
-}
--- a/api/apikey/apikey_test.go
+++ b/api/apikey/apikey_test.go
@@ -1,50 +0,0 @@
-package apikey
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func Test_generateRandomKey(t *testing.T) {
-	is := assert.New(t)
-
-	tests := []struct {
-		name      string
-		wantLenth int
-	}{
-		{
-			name:      "Generate a random key of length 16",
-			wantLenth: 16,
-		},
-		{
-			name:      "Generate a random key of length 32",
-			wantLenth: 32,
-		},
-		{
-			name:      "Generate a random key of length 64",
-			wantLenth: 64,
-		},
-		{
-			name:      "Generate a random key of length 128",
-			wantLenth: 128,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got := generateRandomKey(tt.wantLenth)
-			is.Equal(tt.wantLenth, len(got))
-		})
-	}
-
-	t.Run("Generated keys are unique", func(t *testing.T) {
-		keys := make(map[string]bool)
-		for i := 0; i < 100; i++ {
-			key := generateRandomKey(8)
-			_, ok := keys[string(key)]
-			is.False(ok)
-			keys[string(key)] = true
-		}
-	})
-}
--- a/api/apikey/cache.go
+++ b/api/apikey/cache.go
@@ -1,69 +0,0 @@
-package apikey
-
-import (
-	lru "github.com/hashicorp/golang-lru"
-	portainer "github.com/portainer/portainer/api"
-)
-
-const defaultAPIKeyCacheSize = 1024
-
-// entry is a tuple containing the user and API key associated to an API key digest
-type entry struct {
-	user   portainer.User
-	apiKey portainer.APIKey
-}
-
-// apiKeyCache is a concurrency-safe, in-memory cache which primarily exists for to reduce database roundtrips.
-// We store the api-key digest (keys) and the associated user and key-data (values) in the cache.
-// This is required because HTTP requests will contain only the api-key digest in the x-api-key request header;
-// digest value must be mapped to a portainer user (and respective key data) for validation.
-// This cache is used to avoid multiple database queries to retrieve these user/key associated to the digest.
-type apiKeyCache struct {
-	// cache type [string]entry cache (key: string(digest), value: user/key entry)
-	// note: []byte keys are not supported by golang-lru Cache
-	cache *lru.Cache
-}
-
-// NewAPIKeyCache creates a new cache for API keys
-func NewAPIKeyCache(cacheSize int) *apiKeyCache {
-	cache, _ := lru.New(cacheSize)
-	return &apiKeyCache{cache: cache}
-}
-
-// Get returns the user/key associated to an api-key's digest
-// This is required because HTTP requests will contain the digest of the API key in header,
-// the digest value must be mapped to a portainer user.
-func (c *apiKeyCache) Get(digest []byte) (portainer.User, portainer.APIKey, bool) {
-	val, ok := c.cache.Get(string(digest))
-	if !ok {
-		return portainer.User{}, portainer.APIKey{}, false
-	}
-	tuple := val.(entry)
-
-	return tuple.user, tuple.apiKey, true
-}
-
-// Set persists a user/key entry to the cache
-func (c *apiKeyCache) Set(digest []byte, user portainer.User, apiKey portainer.APIKey) {
-	c.cache.Add(string(digest), entry{
-		user:   user,
-		apiKey: apiKey,
-	})
-}
-
-// Delete evicts a digest's user/key entry key from the cache
-func (c *apiKeyCache) Delete(digest []byte) {
-	c.cache.Remove(string(digest))
-}
-
-// InvalidateUserKeyCache loops through all the api-keys associated to a user and removes them from the cache
-func (c *apiKeyCache) InvalidateUserKeyCache(userId portainer.UserID) bool {
-	present := false
-	for _, k := range c.cache.Keys() {
-		user, _, _ := c.Get([]byte(k.(string)))
-		if user.ID == userId {
-			present = c.cache.Remove(k)
-		}
-	}
-	return present
-}
--- a/api/apikey/cache_test.go
+++ b/api/apikey/cache_test.go
@@ -1,181 +0,0 @@
-package apikey
-
-import (
-	"testing"
-
-	portainer "github.com/portainer/portainer/api"
-	"github.com/stretchr/testify/assert"
-)
-
-func Test_apiKeyCacheGet(t *testing.T) {
-	is := assert.New(t)
-
-	keyCache := NewAPIKeyCache(10)
-
-	// pre-populate cache
-	keyCache.cache.Add(string("foo"), entry{user: portainer.User{}, apiKey: portainer.APIKey{}})
-	keyCache.cache.Add(string(""), entry{user: portainer.User{}, apiKey: portainer.APIKey{}})
-
-	tests := []struct {
-		digest []byte
-		found  bool
-	}{
-		{
-			digest: []byte("foo"),
-			found:  true,
-		},
-		{
-			digest: []byte(""),
-			found:  true,
-		},
-		{
-			digest: []byte("bar"),
-			found:  false,
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(string(test.digest), func(t *testing.T) {
-			_, _, found := keyCache.Get(test.digest)
-			is.Equal(test.found, found)
-		})
-	}
-}
-
-func Test_apiKeyCacheSet(t *testing.T) {
-	is := assert.New(t)
-
-	keyCache := NewAPIKeyCache(10)
-
-	// pre-populate cache
-	keyCache.Set([]byte("bar"), portainer.User{ID: 2}, portainer.APIKey{})
-	keyCache.Set([]byte("foo"), portainer.User{ID: 1}, portainer.APIKey{})
-
-	// overwrite existing entry
-	keyCache.Set([]byte("foo"), portainer.User{ID: 3}, portainer.APIKey{})
-
-	val, ok := keyCache.cache.Get(string("bar"))
-	is.True(ok)
-
-	tuple := val.(entry)
-	is.Equal(portainer.User{ID: 2}, tuple.user)
-
-	val, ok = keyCache.cache.Get(string("foo"))
-	is.True(ok)
-
-	tuple = val.(entry)
-	is.Equal(portainer.User{ID: 3}, tuple.user)
-}
-
-func Test_apiKeyCacheDelete(t *testing.T) {
-	is := assert.New(t)
-
-	keyCache := NewAPIKeyCache(10)
-
-	t.Run("Delete an existing entry", func(t *testing.T) {
-		keyCache.cache.Add(string("foo"), entry{user: portainer.User{ID: 1}, apiKey: portainer.APIKey{}})
-		keyCache.Delete([]byte("foo"))
-
-		_, ok := keyCache.cache.Get(string("foo"))
-		is.False(ok)
-	})
-
-	t.Run("Delete a non-existing entry", func(t *testing.T) {
-		nonPanicFunc := func() { keyCache.Delete([]byte("non-existent-key")) }
-		is.NotPanics(nonPanicFunc)
-	})
-}
-
-func Test_apiKeyCacheLRU(t *testing.T) {
-	is := assert.New(t)
-
-	tests := []struct {
-		name        string
-		cacheLen    int
-		key         []string
-		foundKeys   []string
-		evictedKeys []string
-	}{
-		{
-			name:        "Cache length is 1, add 2 keys",
-			cacheLen:    1,
-			key:         []string{"foo", "bar"},
-			foundKeys:   []string{"bar"},
-			evictedKeys: []string{"foo"},
-		},
-		{
-			name:        "Cache length is 1, add 3 keys",
-			cacheLen:    1,
-			key:         []string{"foo", "bar", "baz"},
-			foundKeys:   []string{"baz"},
-			evictedKeys: []string{"foo", "bar"},
-		},
-		{
-			name:        "Cache length is 2, add 3 keys",
-			cacheLen:    2,
-			key:         []string{"foo", "bar", "baz"},
-			foundKeys:   []string{"bar", "baz"},
-			evictedKeys: []string{"foo"},
-		},
-		{
-			name:        "Cache length is 2, add 4 keys",
-			cacheLen:    2,
-			key:         []string{"foo", "bar", "baz", "qux"},
-			foundKeys:   []string{"baz", "qux"},
-			evictedKeys: []string{"foo", "bar"},
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			keyCache := NewAPIKeyCache(test.cacheLen)
-
-			for _, key := range test.key {
-				keyCache.Set([]byte(key), portainer.User{ID: 1}, portainer.APIKey{})
-			}
-
-			for _, key := range test.foundKeys {
-				_, _, found := keyCache.Get([]byte(key))
-				is.True(found, "Key %s not found", key)
-			}
-
-			for _, key := range test.evictedKeys {
-				_, _, found := keyCache.Get([]byte(key))
-				is.False(found, "key %s should have been evicted", key)
-			}
-		})
-	}
-}
-
-func Test_apiKeyCacheInvalidateUserKeyCache(t *testing.T) {
-	is := assert.New(t)
-
-	keyCache := NewAPIKeyCache(10)
-
-	t.Run("Removes users keys from cache", func(t *testing.T) {
-		keyCache.cache.Add(string("foo"), entry{user: portainer.User{ID: 1}, apiKey: portainer.APIKey{}})
-
-		ok := keyCache.InvalidateUserKeyCache(1)
-		is.True(ok)
-
-		_, ok = keyCache.cache.Get(string("foo"))
-		is.False(ok)
-	})
-
-	t.Run("Does not affect other keys", func(t *testing.T) {
-		keyCache.cache.Add(string("foo"), entry{user: portainer.User{ID: 1}, apiKey: portainer.APIKey{}})
-		keyCache.cache.Add(string("bar"), entry{user: portainer.User{ID: 2}, apiKey: portainer.APIKey{}})
-
-		ok := keyCache.InvalidateUserKeyCache(1)
-		is.True(ok)
-
-		ok = keyCache.InvalidateUserKeyCache(1)
-		is.False(ok)
-
-		_, ok = keyCache.cache.Get(string("foo"))
-		is.False(ok)
-
-		_, ok = keyCache.cache.Get(string("bar"))
-		is.True(ok)
-	})
-}
--- a/api/apikey/service.go
+++ b/api/apikey/service.go
@@ -1,126 +0,0 @@
-package apikey
-
-import (
-	"crypto/sha256"
-	"encoding/base64"
-	"fmt"
-	"time"
-
-	"github.com/pkg/errors"
-
-	portainer "github.com/portainer/portainer/api"
-)
-
-const portainerAPIKeyPrefix = "ptr_"
-
-var ErrInvalidAPIKey = errors.New("Invalid API key")
-
-type apiKeyService struct {
-	apiKeyRepository portainer.APIKeyRepository
-	userRepository   portainer.UserService
-	cache            *apiKeyCache
-}
-
-func NewAPIKeyService(apiKeyRepository portainer.APIKeyRepository, userRepository portainer.UserService) *apiKeyService {
-	return &apiKeyService{
-		apiKeyRepository: apiKeyRepository,
-		userRepository:   userRepository,
-		cache:            NewAPIKeyCache(defaultAPIKeyCacheSize),
-	}
-}
-
-// HashRaw computes a hash digest of provided raw API key.
-func (a *apiKeyService) HashRaw(rawKey string) []byte {
-	hashDigest := sha256.Sum256([]byte(rawKey))
-	return hashDigest[:]
-}
-
-// GenerateApiKey generates a raw API key for a user (for one-time display).
-// The generated API key is stored in the cache and database.
-func (a *apiKeyService) GenerateApiKey(user portainer.User, description string) (string, *portainer.APIKey, error) {
-	randKey := generateRandomKey(32)
-	encodedRawAPIKey := base64.StdEncoding.EncodeToString(randKey)
-	prefixedAPIKey := portainerAPIKeyPrefix + encodedRawAPIKey
-
-	hashDigest := a.HashRaw(prefixedAPIKey)
-
-	apiKey := &portainer.APIKey{
-		UserID:      user.ID,
-		Description: description,
-		Prefix:      prefixedAPIKey[:7],
-		DateCreated: time.Now().Unix(),
-		Digest:      hashDigest,
-	}
-
-	err := a.apiKeyRepository.CreateAPIKey(apiKey)
-	if err != nil {
-		return "", nil, errors.Wrap(err, "Unable to create API key")
-	}
-
-	// persist api-key to cache
-	a.cache.Set(apiKey.Digest, user, *apiKey)
-
-	return prefixedAPIKey, apiKey, nil
-}
-
-// GetAPIKey returns an API key by its ID.
-func (a *apiKeyService) GetAPIKey(apiKeyID portainer.APIKeyID) (*portainer.APIKey, error) {
-	return a.apiKeyRepository.GetAPIKey(apiKeyID)
-}
-
-// GetAPIKeys returns all the API keys associated to a user.
-func (a *apiKeyService) GetAPIKeys(userID portainer.UserID) ([]portainer.APIKey, error) {
-	return a.apiKeyRepository.GetAPIKeysByUserID(userID)
-}
-
-// GetDigestUserAndKey returns the user and api-key associated to a specified hash digest.
-// A cache lookup is performed first; if the user/api-key is not found in the cache, respective database lookups are performed.
-func (a *apiKeyService) GetDigestUserAndKey(digest []byte) (portainer.User, portainer.APIKey, error) {
-	// get api key from cache if possible
-	cachedUser, cachedKey, ok := a.cache.Get(digest)
-	if ok {
-		return cachedUser, cachedKey, nil
-	}
-
-	apiKey, err := a.apiKeyRepository.GetAPIKeyByDigest(digest)
-	if err != nil {
-		return portainer.User{}, portainer.APIKey{}, errors.Wrap(err, "Unable to retrieve API key")
-	}
-
-	user, err := a.userRepository.User(apiKey.UserID)
-	if err != nil {
-		return portainer.User{}, portainer.APIKey{}, errors.Wrap(err, "Unable to retrieve digest user")
-	}
-
-	// persist api-key to cache - for quicker future lookups
-	a.cache.Set(apiKey.Digest, *user, *apiKey)
-
-	return *user, *apiKey, nil
-}
-
-// UpdateAPIKey updates an API key and in cache and database.
-func (a *apiKeyService) UpdateAPIKey(apiKey *portainer.APIKey) error {
-	user, _, err := a.GetDigestUserAndKey(apiKey.Digest)
-	if err != nil {
-		return errors.Wrap(err, "Unable to retrieve API key")
-	}
-	a.cache.Set(apiKey.Digest, user, *apiKey)
-	return a.apiKeyRepository.UpdateAPIKey(apiKey)
-}
-
-// DeleteAPIKey deletes an API key and removes the digest/api-key entry from the cache.
-func (a *apiKeyService) DeleteAPIKey(apiKeyID portainer.APIKeyID) error {
-	// get api-key digest to remove from cache
-	apiKey, err := a.apiKeyRepository.GetAPIKey(apiKeyID)
-	if err != nil {
-		return errors.Wrap(err, fmt.Sprintf("Unable to retrieve API key: %d", apiKeyID))
-	}
-
-	// delete the user/api-key from cache
-	a.cache.Delete(apiKey.Digest)
-	return a.apiKeyRepository.DeleteAPIKey(apiKeyID)
-}
-
-func (a *apiKeyService) InvalidateUserKeyCache(userId portainer.UserID) bool {
-	return a.cache.InvalidateUserKeyCache(userId)
-}
--- a/api/apikey/service_test.go
+++ b/api/apikey/service_test.go
@@ -1,309 +0,0 @@
-package apikey
-
-import (
-	"crypto/sha256"
-	"log"
-	"strings"
-	"testing"
-	"time"
-
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt"
-	"github.com/stretchr/testify/assert"
-)
-
-func Test_SatisfiesAPIKeyServiceInterface(t *testing.T) {
-	is := assert.New(t)
-	is.Implements((*APIKeyService)(nil), NewAPIKeyService(nil, nil))
-}
-
-func Test_GenerateApiKey(t *testing.T) {
-	is := assert.New(t)
-
-	store, teardown := bolt.MustNewTestStore(true)
-	defer teardown()
-
-	service := NewAPIKeyService(store.APIKeyRepository(), store.User())
-
-	t.Run("Successfully generates API key", func(t *testing.T) {
-		desc := "test-1"
-		rawKey, apiKey, err := service.GenerateApiKey(portainer.User{ID: 1}, desc)
-		is.NoError(err)
-		is.NotEmpty(rawKey)
-		is.NotEmpty(apiKey)
-		is.Equal(desc, apiKey.Description)
-	})
-
-	t.Run("Api key prefix is 7 chars", func(t *testing.T) {
-		rawKey, apiKey, err := service.GenerateApiKey(portainer.User{ID: 1}, "test-2")
-		is.NoError(err)
-
-		is.Equal(rawKey[:7], apiKey.Prefix)
-		is.Len(apiKey.Prefix, 7)
-	})
-
-	t.Run("Api key has 'ptr_' as prefix", func(t *testing.T) {
-		rawKey, _, err := service.GenerateApiKey(portainer.User{ID: 1}, "test-x")
-		is.NoError(err)
-
-		is.Equal(portainerAPIKeyPrefix, "ptr_")
-		is.True(strings.HasPrefix(rawKey, "ptr_"))
-	})
-
-	t.Run("Successfully caches API key", func(t *testing.T) {
-		user := portainer.User{ID: 1}
-		_, apiKey, err := service.GenerateApiKey(user, "test-3")
-		is.NoError(err)
-
-		userFromCache, apiKeyFromCache, ok := service.cache.Get(apiKey.Digest)
-		is.True(ok)
-		is.Equal(user, userFromCache)
-		is.Equal(apiKey, &apiKeyFromCache)
-	})
-
-	t.Run("Decoded raw api-key digest matches generated digest", func(t *testing.T) {
-		rawKey, apiKey, err := service.GenerateApiKey(portainer.User{ID: 1}, "test-4")
-		is.NoError(err)
-
-		generatedDigest := sha256.Sum256([]byte(rawKey))
-
-		is.Equal(apiKey.Digest, generatedDigest[:])
-	})
-}
-
-func Test_GetAPIKey(t *testing.T) {
-	is := assert.New(t)
-
-	store, teardown := bolt.MustNewTestStore(true)
-	defer teardown()
-
-	service := NewAPIKeyService(store.APIKeyRepository(), store.User())
-
-	t.Run("Successfully returns all API keys", func(t *testing.T) {
-		user := portainer.User{ID: 1}
-		_, apiKey, err := service.GenerateApiKey(user, "test-1")
-		is.NoError(err)
-
-		apiKeyGot, err := service.GetAPIKey(apiKey.ID)
-		is.NoError(err)
-
-		is.Equal(apiKey, apiKeyGot)
-	})
-}
-
-func Test_GetAPIKeys(t *testing.T) {
-	is := assert.New(t)
-
-	store, teardown := bolt.MustNewTestStore(true)
-	defer teardown()
-
-	service := NewAPIKeyService(store.APIKeyRepository(), store.User())
-
-	t.Run("Successfully returns all API keys", func(t *testing.T) {
-		user := portainer.User{ID: 1}
-		_, _, err := service.GenerateApiKey(user, "test-1")
-		is.NoError(err)
-		_, _, err = service.GenerateApiKey(user, "test-2")
-		is.NoError(err)
-
-		keys, err := service.GetAPIKeys(user.ID)
-		is.NoError(err)
-		is.Len(keys, 2)
-	})
-}
-
-func Test_GetDigestUserAndKey(t *testing.T) {
-	is := assert.New(t)
-
-	store, teardown := bolt.MustNewTestStore(true)
-	defer teardown()
-
-	service := NewAPIKeyService(store.APIKeyRepository(), store.User())
-
-	t.Run("Successfully returns user and api key associated to digest", func(t *testing.T) {
-		user := portainer.User{ID: 1}
-		_, apiKey, err := service.GenerateApiKey(user, "test-1")
-		is.NoError(err)
-
-		userGot, apiKeyGot, err := service.GetDigestUserAndKey(apiKey.Digest)
-		is.NoError(err)
-		is.Equal(user, userGot)
-		is.Equal(*apiKey, apiKeyGot)
-	})
-
-	t.Run("Successfully caches user and api key associated to digest", func(t *testing.T) {
-		user := portainer.User{ID: 1}
-		_, apiKey, err := service.GenerateApiKey(user, "test-1")
-		is.NoError(err)
-
-		userGot, apiKeyGot, err := service.GetDigestUserAndKey(apiKey.Digest)
-		is.NoError(err)
-		is.Equal(user, userGot)
-		is.Equal(*apiKey, apiKeyGot)
-
-		userFromCache, apiKeyFromCache, ok := service.cache.Get(apiKey.Digest)
-		is.True(ok)
-		is.Equal(userGot, userFromCache)
-		is.Equal(apiKeyGot, apiKeyFromCache)
-	})
-}
-
-func Test_UpdateAPIKey(t *testing.T) {
-	is := assert.New(t)
-
-	store, teardown := bolt.MustNewTestStore(true)
-	defer teardown()
-
-	service := NewAPIKeyService(store.APIKeyRepository(), store.User())
-
-	t.Run("Successfully updates the api-key LastUsed time", func(t *testing.T) {
-		user := portainer.User{ID: 1}
-		store.User().CreateUser(&user)
-		_, apiKey, err := service.GenerateApiKey(user, "test-x")
-		is.NoError(err)
-
-		apiKey.LastUsed = time.Now().UTC().Unix()
-		err = service.UpdateAPIKey(apiKey)
-		is.NoError(err)
-
-		_, apiKeyGot, err := service.GetDigestUserAndKey(apiKey.Digest)
-		is.NoError(err)
-
-		log.Println(apiKey)
-		log.Println(apiKeyGot)
-
-		is.Equal(apiKey.LastUsed, apiKeyGot.LastUsed)
-
-	})
-
-	t.Run("Successfully updates api-key in cache upon api-key update", func(t *testing.T) {
-		_, apiKey, err := service.GenerateApiKey(portainer.User{ID: 1}, "test-x2")
-		is.NoError(err)
-
-		_, apiKeyFromCache, ok := service.cache.Get(apiKey.Digest)
-		is.True(ok)
-		is.Equal(*apiKey, apiKeyFromCache)
-
-		apiKey.LastUsed = time.Now().UTC().Unix()
-		is.NotEqual(*apiKey, apiKeyFromCache)
-
-		err = service.UpdateAPIKey(apiKey)
-		is.NoError(err)
-
-		_, updatedAPIKeyFromCache, ok := service.cache.Get(apiKey.Digest)
-		is.True(ok)
-		is.Equal(*apiKey, updatedAPIKeyFromCache)
-	})
-}
-
-func Test_DeleteAPIKey(t *testing.T) {
-	is := assert.New(t)
-
-	store, teardown := bolt.MustNewTestStore(true)
-	defer teardown()
-
-	service := NewAPIKeyService(store.APIKeyRepository(), store.User())
-
-	t.Run("Successfully updates the api-key", func(t *testing.T) {
-		user := portainer.User{ID: 1}
-		_, apiKey, err := service.GenerateApiKey(user, "test-1")
-		is.NoError(err)
-
-		_, apiKeyGot, err := service.GetDigestUserAndKey(apiKey.Digest)
-		is.NoError(err)
-		is.Equal(*apiKey, apiKeyGot)
-
-		err = service.DeleteAPIKey(apiKey.ID)
-		is.NoError(err)
-
-		_, _, err = service.GetDigestUserAndKey(apiKey.Digest)
-		is.Error(err)
-	})
-
-	t.Run("Successfully removes api-key from cache upon deletion", func(t *testing.T) {
-		user := portainer.User{ID: 1}
-		_, apiKey, err := service.GenerateApiKey(user, "test-1")
-		is.NoError(err)
-
-		_, apiKeyFromCache, ok := service.cache.Get(apiKey.Digest)
-		is.True(ok)
-		is.Equal(*apiKey, apiKeyFromCache)
-
-		err = service.DeleteAPIKey(apiKey.ID)
-		is.NoError(err)
-
-		_, _, ok = service.cache.Get(apiKey.Digest)
-		is.False(ok)
-	})
-}
-
-func Test_InvalidateUserKeyCache(t *testing.T) {
-	is := assert.New(t)
-
-	store, teardown := bolt.MustNewTestStore(true)
-	defer teardown()
-
-	service := NewAPIKeyService(store.APIKeyRepository(), store.User())
-
-	t.Run("Successfully updates evicts keys from cache", func(t *testing.T) {
-		// generate api keys
-		user := portainer.User{ID: 1}
-		_, apiKey1, err := service.GenerateApiKey(user, "test-1")
-		is.NoError(err)
-
-		_, apiKey2, err := service.GenerateApiKey(user, "test-2")
-		is.NoError(err)
-
-		// verify api keys are present in cache
-		_, apiKeyFromCache, ok := service.cache.Get(apiKey1.Digest)
-		is.True(ok)
-		is.Equal(*apiKey1, apiKeyFromCache)
-
-		_, apiKeyFromCache, ok = service.cache.Get(apiKey2.Digest)
-		is.True(ok)
-		is.Equal(*apiKey2, apiKeyFromCache)
-
-		// evict cache
-		ok = service.InvalidateUserKeyCache(user.ID)
-		is.True(ok)
-
-		// verify users keys have been flushed from cache
-		_, _, ok = service.cache.Get(apiKey1.Digest)
-		is.False(ok)
-
-		_, _, ok = service.cache.Get(apiKey2.Digest)
-		is.False(ok)
-	})
-
-	t.Run("User key eviction does not affect other users keys", func(t *testing.T) {
-		// generate keys for 2 users
-		user1 := portainer.User{ID: 1}
-		_, apiKey1, err := service.GenerateApiKey(user1, "test-1")
-		is.NoError(err)
-
-		user2 := portainer.User{ID: 2}
-		_, apiKey2, err := service.GenerateApiKey(user2, "test-2")
-		is.NoError(err)
-
-		// verify keys in cache
-		_, apiKeyFromCache, ok := service.cache.Get(apiKey1.Digest)
-		is.True(ok)
-		is.Equal(*apiKey1, apiKeyFromCache)
-
-		_, apiKeyFromCache, ok = service.cache.Get(apiKey2.Digest)
-		is.True(ok)
-		is.Equal(*apiKey2, apiKeyFromCache)
-
-		// evict key of single user from cache
-		ok = service.cache.InvalidateUserKeyCache(user1.ID)
-		is.True(ok)
-
-		// verify user1 key has been flushed from cache
-		_, _, ok = service.cache.Get(apiKey1.Digest)
-		is.False(ok)
-
-		// verify user2 key is still in cache
-		_, _, ok = service.cache.Get(apiKey2.Digest)
-		is.True(ok)
-	})
-}
--- a/api/archive/testdata/sample_archive.zip
+++ b/api/archive/testdata/sample_archive.zip
--- a/api/archive/zip.go
+++ b/api/archive/zip.go
@@ -3,13 +3,10 @@ package archive
 import (
 	"archive/zip"
 	"bytes"
-	"fmt"
-	"github.com/pkg/errors"
 	"io"
 	"io/ioutil"
 	"os"
 	"path/filepath"
-	"strings"
 )

 // UnzipArchive will unzip an archive from bytes into the dest destination folder on disk
@@ -55,60 +52,3 @@ func extractFileFromArchive(file *zip.File, dest string) error {

 	return outFile.Close()
 }
-
-// UnzipFile will decompress a zip archive, moving all files and folders
-// within the zip file (parameter 1) to an output directory (parameter 2).
-func UnzipFile(src string, dest string) error {
-	r, err := zip.OpenReader(src)
-	if err != nil {
-		return err
-	}
-	defer r.Close()
-
-	for _, f := range r.File {
-		p := filepath.Join(dest, f.Name)
-
-		// Check for ZipSlip. More Info: http://bit.ly/2MsjAWE
-		if !strings.HasPrefix(p, filepath.Clean(dest)+string(os.PathSeparator)) {
-			return fmt.Errorf("%s: illegal file path", p)
-		}
-
-		if f.FileInfo().IsDir() {
-			// Make Folder
-			os.MkdirAll(p, os.ModePerm)
-			continue
-		}
-
-		err = unzipFile(f, p)
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func unzipFile(f *zip.File, p string) error {
-	// Make File
-	if err := os.MkdirAll(filepath.Dir(p), os.ModePerm); err != nil {
-		return errors.Wrapf(err, "unzipFile: can't make a path %s", p)
-	}
-	outFile, err := os.OpenFile(p, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode())
-	if err != nil {
-		return errors.Wrapf(err, "unzipFile: can't create file %s", p)
-	}
-	defer outFile.Close()
-	rc, err := f.Open()
-	if err != nil {
-		return errors.Wrapf(err, "unzipFile: can't open zip file %s in the archive", f.Name)
-	}
-	defer rc.Close()
-
-	_, err = io.Copy(outFile, rc)
-
-	if err != nil {
-		return errors.Wrapf(err, "unzipFile: can't copy an archived file content")
-	}
-
-	return nil
-}
--- a/api/archive/zip_test.go
+++ b/api/archive/zip_test.go
@@ -1,32 +0,0 @@
-package archive
-
-import (
-	"github.com/stretchr/testify/assert"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"testing"
-)
-
-func TestUnzipFile(t *testing.T) {
-	dir, err := ioutil.TempDir("", "unzip-test-")
-	assert.NoError(t, err)
-	defer os.RemoveAll(dir)
-	/*
-		Archive structure.
-		├── 0
-		│	├── 1
-		│	│	└── 2.txt
-		│	└── 1.txt
-		└── 0.txt
-	*/
-
-	err = UnzipFile("./testdata/sample_archive.zip", dir)
-
-	assert.NoError(t, err)
-	archiveDir := dir + "/sample_archive"
-	assert.FileExists(t, filepath.Join(archiveDir, "0.txt"))
-	assert.FileExists(t, filepath.Join(archiveDir, "0", "1.txt"))
-	assert.FileExists(t, filepath.Join(archiveDir, "0", "1", "2.txt"))
-
-}
--- a/api/aws/ecr/authorization_token.go
+++ b/api/aws/ecr/authorization_token.go
@@ -1,61 +0,0 @@
-package ecr
-
-import (
-	"context"
-	"encoding/base64"
-	"fmt"
-	"strings"
-	"time"
-)
-
-func (s *Service) GetEncodedAuthorizationToken() (token *string, expiry *time.Time, err error) {
-	getAuthorizationTokenOutput, err := s.client.GetAuthorizationToken(context.TODO(), nil)
-	if err != nil {
-		return
-	}
-
-	if len(getAuthorizationTokenOutput.AuthorizationData) == 0 {
-		err = fmt.Errorf("AuthorizationData is empty")
-		return
-	}
-
-	authData := getAuthorizationTokenOutput.AuthorizationData[0]
-
-	token = authData.AuthorizationToken
-	expiry = authData.ExpiresAt
-
-	return
-}
-
-func (s *Service) GetAuthorizationToken() (token *string, expiry *time.Time, err error) {
-	tokenEncodedStr, expiry, err := s.GetEncodedAuthorizationToken()
-	if err != nil {
-		return
-	}
-
-	tokenByte, err := base64.StdEncoding.DecodeString(*tokenEncodedStr)
-	if err != nil {
-		return
-	}
-	tokenStr := string(tokenByte)
-	token = &tokenStr
-
-	return
-}
-
-func (s *Service) ParseAuthorizationToken(token string) (username string, password string, err error) {
-	if len(token) == 0 {
-		return
-	}
-
-	splitToken := strings.Split(token, ":")
-	if len(splitToken) < 2 {
-		err = fmt.Errorf("invalid ECR authorization token")
-		return
-	}
-
-	username = splitToken[0]
-	password = splitToken[1]
-
-	return
-}
--- a/api/aws/ecr/ecr.go
+++ b/api/aws/ecr/ecr.go
@@ -1,32 +0,0 @@
-package ecr
-
-import (
-	"github.com/aws/aws-sdk-go-v2/aws"
-	"github.com/aws/aws-sdk-go-v2/credentials"
-	"github.com/aws/aws-sdk-go-v2/service/ecr"
-)
-
-type (
-	Service struct {
-		accessKey string
-		secretKey string
-		region    string
-		client    *ecr.Client
-	}
-)
-
-func NewService(accessKey, secretKey, region string) *Service {
-	options := ecr.Options{
-		Region:      region,
-		Credentials: aws.NewCredentialsCache(credentials.NewStaticCredentialsProvider(accessKey, secretKey, "")),
-	}
-
-	client := ecr.New(options)
-
-	return &Service{
-		accessKey: accessKey,
-		secretKey: secretKey,
-		region:    region,
-		client:    client,
-	}
-}
--- a/api/backup/backup.go
+++ b/api/backup/backup.go
@@ -10,24 +10,12 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/archive"
 	"github.com/portainer/portainer/api/crypto"
-	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/http/offlinegate"
 )

 const rwxr__r__ os.FileMode = 0744

-var filesToBackup = []string{
-	"certs",
-	"compose",
-	"config.json",
-	"custom_templates",
-	"edge_jobs",
-	"edge_stacks",
-	"extensions",
-	"portainer.key",
-	"portainer.pub",
-	"tls",
-}
+var filesToBackup = []string{"compose", "config.json", "custom_templates", "edge_jobs", "edge_stacks", "extensions", "portainer.key", "portainer.pub", "tls"}

 // Creates a tar.gz system archive and encrypts it if password is not empty. Returns a path to the archive file.
 func CreateBackupArchive(password string, gate *offlinegate.OfflineGate, datastore portainer.DataStore, filestorePath string) (string, error) {
@@ -44,7 +32,7 @@ func CreateBackupArchive(password string, gate *offlinegate.OfflineGate, datasto
 	}

 	for _, filename := range filesToBackup {
-		err := filesystem.CopyPath(filepath.Join(filestorePath, filename), backupDirPath)
+		err := copyPath(filepath.Join(filestorePath, filename), backupDirPath)
 		if err != nil {
 			return "", errors.Wrap(err, "Failed to create backup file")
 		}
--- a/api/filesystem/copy.go
+++ b/api/filesystem/copy.go
@@ -1,4 +1,4 @@
-package filesystem
+package backup

 import (
 	"errors"
@@ -8,8 +8,7 @@ import (
 	"strings"
 )

-// CopyPath copies file or directory defined by the path to the toDir path
-func CopyPath(path string, toDir string) error {
+func copyPath(path string, toDir string) error {
 	info, err := os.Stat(path)
 	if err != nil && errors.Is(err, os.ErrNotExist) {
 		// skip copy if file does not exist
@@ -21,30 +20,17 @@ func CopyPath(path string, toDir string) error {
 		return copyFile(path, destination)
 	}

-	return CopyDir(path, toDir, true)
+	return copyDir(path, toDir)
 }

-// CopyDir copies contents of fromDir to toDir.
-// When keepParent is true, contents will be copied with their immediate parent dir,
-// i.e. given /from/dirA and /to/dirB with keepParent == true, result will be /to/dirB/dirA/<children>
-func CopyDir(fromDir, toDir string, keepParent bool) error {
+func copyDir(fromDir, toDir string) error {
 	cleanedSourcePath := filepath.Clean(fromDir)
 	parentDirectory := filepath.Dir(cleanedSourcePath)
 	err := filepath.Walk(cleanedSourcePath, func(path string, info os.FileInfo, err error) error {
 		if err != nil {
 			return err
 		}
-		var destination string
-		if keepParent {
-			destination = filepath.Join(toDir, strings.TrimPrefix(path, parentDirectory))
-		} else {
-			destination = filepath.Join(toDir, strings.TrimPrefix(path, cleanedSourcePath))
-		}
-
-		if destination == "" {
-			return nil
-		}
-
+		destination := filepath.Join(toDir, strings.TrimPrefix(path, parentDirectory))
 		if info.IsDir() {
 			return nil // skip directory creations
 		}
--- a/api/backup/copy_test.go
+++ b/api/backup/copy_test.go
@@ -0,0 +1,105 @@
+package backup
+
+import (
+	"io/ioutil"
+	"os"
+	"path"
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/stretchr/testify/assert"
+)
+
+func listFiles(dir string) []string {
+	items := make([]string, 0)
+	filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
+		if path == dir {
+			return nil
+		}
+		items = append(items, path)
+		return nil
+	})
+
+	return items
+}
+
+func contains(t *testing.T, list []string, path string) {
+	assert.Contains(t, list, path)
+	copyContent, _ := ioutil.ReadFile(path)
+	assert.Equal(t, "content\n", string(copyContent))
+}
+
+func Test_copyFile_returnsError_whenSourceDoesNotExist(t *testing.T) {
+	tmpdir, _ := ioutils.TempDir("", "backup")
+	defer os.RemoveAll(tmpdir)
+
+	err := copyFile("does-not-exist", tmpdir)
+	assert.NotNil(t, err)
+}
+
+func Test_copyFile_shouldMakeAbackup(t *testing.T) {
+	tmpdir, _ := ioutils.TempDir("", "backup")
+	defer os.RemoveAll(tmpdir)
+
+	content := []byte("content")
+	ioutil.WriteFile(path.Join(tmpdir, "origin"), content, 0600)
+
+	err := copyFile(path.Join(tmpdir, "origin"), path.Join(tmpdir, "copy"))
+	assert.Nil(t, err)
+
+	copyContent, _ := ioutil.ReadFile(path.Join(tmpdir, "copy"))
+	assert.Equal(t, content, copyContent)
+}
+
+func Test_copyDir_shouldCopyAllFilesAndDirectories(t *testing.T) {
+	destination, _ := ioutils.TempDir("", "destination")
+	defer os.RemoveAll(destination)
+	err := copyDir("./test_assets/copy_test", destination)
+	assert.Nil(t, err)
+
+	createdFiles := listFiles(destination)
+
+	contains(t, createdFiles, filepath.Join(destination, "copy_test", "outer"))
+	contains(t, createdFiles, filepath.Join(destination, "copy_test", "dir", ".dotfile"))
+	contains(t, createdFiles, filepath.Join(destination, "copy_test", "dir", "inner"))
+}
+
+func Test_backupPath_shouldSkipWhenNotExist(t *testing.T) {
+	tmpdir, _ := ioutils.TempDir("", "backup")
+	defer os.RemoveAll(tmpdir)
+
+	err := copyPath("does-not-exists", tmpdir)
+	assert.Nil(t, err)
+
+	assert.Empty(t, listFiles(tmpdir))
+}
+
+func Test_backupPath_shouldCopyFile(t *testing.T) {
+	tmpdir, _ := ioutils.TempDir("", "backup")
+	defer os.RemoveAll(tmpdir)
+
+	content := []byte("content")
+	ioutil.WriteFile(path.Join(tmpdir, "file"), content, 0600)
+
+	os.MkdirAll(path.Join(tmpdir, "backup"), 0700)
+	err := copyPath(path.Join(tmpdir, "file"), path.Join(tmpdir, "backup"))
+	assert.Nil(t, err)
+
+	copyContent, err := ioutil.ReadFile(path.Join(tmpdir, "backup", "file"))
+	assert.Nil(t, err)
+	assert.Equal(t, content, copyContent)
+}
+
+func Test_backupPath_shouldCopyDir(t *testing.T) {
+	destination, _ := ioutils.TempDir("", "destination")
+	defer os.RemoveAll(destination)
+	err := copyPath("./test_assets/copy_test", destination)
+	assert.Nil(t, err)
+
+	createdFiles := listFiles(destination)
+
+	contains(t, createdFiles, filepath.Join(destination, "copy_test", "outer"))
+	contains(t, createdFiles, filepath.Join(destination, "copy_test", "dir", ".dotfile"))
+	contains(t, createdFiles, filepath.Join(destination, "copy_test", "dir", "inner"))
+}
--- a/api/backup/restore.go
+++ b/api/backup/restore.go
@@ -11,7 +11,6 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/archive"
 	"github.com/portainer/portainer/api/crypto"
-	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/http/offlinegate"
 )

@@ -60,7 +59,7 @@ func extractArchive(r io.Reader, destinationDirPath string) error {

 func restoreFiles(srcDir string, destinationDir string) error {
 	for _, filename := range filesToRestore {
-		err := filesystem.CopyPath(filepath.Join(srcDir, filename), destinationDir)
+		err := copyPath(filepath.Join(srcDir, filename), destinationDir)
 		if err != nil {
 			return err
 		}
--- a/api/filesystem/testdata/copy_test/dir/.dotfile
+++ b/api/filesystem/testdata/copy_test/dir/.dotfile
--- a/api/filesystem/testdata/copy_test/dir/inner
+++ b/api/filesystem/testdata/copy_test/dir/inner
--- a/api/filesystem/testdata/copy_test/outer
+++ b/api/filesystem/testdata/copy_test/outer
--- a/api/bolt/apikeyrepository/apikeyrepository.go
+++ b/api/bolt/apikeyrepository/apikeyrepository.go
@@ -1,137 +0,0 @@
-package apikeyrepository
-
-import (
-	"bytes"
-
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/errors"
-	"github.com/portainer/portainer/api/bolt/internal"
-
-	"github.com/boltdb/bolt"
-)
-
-const (
-	// BucketName represents the name of the bucket where this service stores data.
-	BucketName = "api_key"
-)
-
-// Service represents a service for managing api-key data.
-type Service struct {
-	connection *internal.DbConnection
-}
-
-// NewService creates a new instance of a service.
-func NewService(connection *internal.DbConnection) (*Service, error) {
-	err := internal.CreateBucket(connection, BucketName)
-	if err != nil {
-		return nil, err
-	}
-
-	return &Service{
-		connection: connection,
-	}, nil
-}
-
-// GetAPIKeysByUserID returns a slice containing all the APIKeys a user has access to.
-func (service *Service) GetAPIKeysByUserID(userID portainer.UserID) ([]portainer.APIKey, error) {
-	var result = make([]portainer.APIKey, 0)
-
-	err := service.connection.View(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(BucketName))
-
-		cursor := bucket.Cursor()
-		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
-			var record portainer.APIKey
-			err := internal.UnmarshalObject(v, &record)
-			if err != nil {
-				return err
-			}
-
-			if record.UserID == userID {
-				result = append(result, record)
-			}
-		}
-		return nil
-	})
-
-	return result, err
-}
-
-// GetAPIKeyByDigest returns the API key for the associated digest.
-// Note: there is a 1-to-1 mapping of api-key and digest
-func (service *Service) GetAPIKeyByDigest(digest []byte) (*portainer.APIKey, error) {
-	var result portainer.APIKey
-
-	err := service.connection.View(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(BucketName))
-
-		cursor := bucket.Cursor()
-		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
-			var record portainer.APIKey
-			err := internal.UnmarshalObject(v, &record)
-			if err != nil {
-				return err
-			}
-
-			if bytes.Equal(record.Digest, digest) {
-				result = record
-				return nil
-			}
-		}
-		return nil
-	})
-
-	return &result, err
-}
-
-// CreateAPIKey creates a new APIKey object.
-func (service *Service) CreateAPIKey(record *portainer.APIKey) error {
-	return service.connection.Update(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(BucketName))
-
-		id, _ := bucket.NextSequence()
-		record.ID = portainer.APIKeyID(id)
-
-		data, err := internal.MarshalObject(record)
-		if err != nil {
-			return err
-		}
-
-		return bucket.Put(internal.Itob(int(record.ID)), data)
-	})
-}
-
-// GetAPIKey retrieves an existing APIKey object by api key ID.
-func (service *Service) GetAPIKey(keyID portainer.APIKeyID) (*portainer.APIKey, error) {
-	var apiKey *portainer.APIKey
-
-	err := service.connection.View(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(BucketName))
-		item := bucket.Get(internal.Itob(int(keyID)))
-		if item == nil {
-			return errors.ErrObjectNotFound
-		}
-
-		err := internal.UnmarshalObject(item, &apiKey)
-		if err != nil {
-			return err
-		}
-
-		return nil
-	})
-
-	return apiKey, err
-}
-
-func (service *Service) UpdateAPIKey(key *portainer.APIKey) error {
-	identifier := internal.Itob(int(key.ID))
-	return internal.UpdateObject(service.connection, BucketName, identifier, key)
-}
-
-func (service *Service) DeleteAPIKey(ID portainer.APIKeyID) error {
-	return service.connection.Update(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(BucketName))
-
-		return bucket.Delete(internal.Itob(int(ID)))
-	})
-}
--- a/api/bolt/backup.go
+++ b/api/bolt/backup.go
@@ -1,142 +0,0 @@
-package bolt
-
-import (
-	"fmt"
-	"os"
-	"path"
-	"time"
-
-	plog "github.com/portainer/portainer/api/bolt/log"
-)
-
-var backupDefaults = struct {
-	backupDir        string
-	commonDir        string
-	databaseFileName string
-}{
-	"backups",
-	"common",
-	databaseFileName,
-}
-
-var backupLog = plog.NewScopedLog("bolt, backup")
-
-//
-// Backup Helpers
-//
-
-// createBackupFolders create initial folders for backups
-func (store *Store) createBackupFolders() {
-	// create common dir
-	commonDir := store.commonBackupDir()
-	if exists, _ := store.fileService.FileExists(commonDir); !exists {
-		if err := os.MkdirAll(commonDir, 0700); err != nil {
-			backupLog.Error("Error while creating common backup folder", err)
-		}
-	}
-}
-
-func (store *Store) databasePath() string {
-	return path.Join(store.path, databaseFileName)
-}
-
-func (store *Store) commonBackupDir() string {
-	return path.Join(store.path, backupDefaults.backupDir, backupDefaults.commonDir)
-}
-
-func (store *Store) copyDBFile(from string, to string) error {
-	backupLog.Info(fmt.Sprintf("Copying db file from %s to %s", from, to))
-	err := store.fileService.Copy(from, to, true)
-	if err != nil {
-		backupLog.Error("Failed", err)
-	}
-	return err
-}
-
-// BackupOptions provide a helper to inject backup options
-type BackupOptions struct {
-	Version        int
-	BackupDir      string
-	BackupFileName string
-	BackupPath     string
-}
-
-func (store *Store) setupOptions(options *BackupOptions) *BackupOptions {
-	if options == nil {
-		options = &BackupOptions{}
-	}
-	if options.Version == 0 {
-		options.Version, _ = store.version()
-	}
-	if options.BackupDir == "" {
-		options.BackupDir = store.commonBackupDir()
-	}
-	if options.BackupFileName == "" {
-		options.BackupFileName = fmt.Sprintf("%s.%s.%s", backupDefaults.databaseFileName, fmt.Sprintf("%03d", options.Version), time.Now().Format("20060102150405"))
-	}
-	if options.BackupPath == "" {
-		options.BackupPath = path.Join(options.BackupDir, options.BackupFileName)
-	}
-	return options
-}
-
-// BackupWithOptions backup current database with options
-func (store *Store) BackupWithOptions(options *BackupOptions) (string, error) {
-	backupLog.Info("creating db backup")
-	store.createBackupFolders()
-
-	options = store.setupOptions(options)
-
-	return options.BackupPath, store.copyDBFile(store.databasePath(), options.BackupPath)
-}
-
-// RestoreWithOptions previously saved backup for the current Edition  with options
-// Restore strategies:
-// - default: restore latest from current edition
-// - restore a specific
-func (store *Store) RestoreWithOptions(options *BackupOptions) error {
-	options = store.setupOptions(options)
-
-	// Check if backup file exist before restoring
-	_, err := os.Stat(options.BackupPath)
-	if os.IsNotExist(err) {
-		backupLog.Error(fmt.Sprintf("Backup file to restore does not exist %s", options.BackupPath), err)
-		return err
-	}
-
-	err = store.Close()
-	if err != nil {
-		backupLog.Error("Error while closing store before restore", err)
-		return err
-	}
-
-	backupLog.Info("Restoring db backup")
-	err = store.copyDBFile(options.BackupPath, store.databasePath())
-	if err != nil {
-		return err
-	}
-
-	return store.Open()
-}
-
-// RemoveWithOptions removes backup database based on supplied options
-func (store *Store) RemoveWithOptions(options *BackupOptions) error {
-	backupLog.Info("Removing db backup")
-
-	options = store.setupOptions(options)
-	_, err := os.Stat(options.BackupPath)
-
-	if os.IsNotExist(err) {
-		backupLog.Error(fmt.Sprintf("Backup file to remove does not exist %s", options.BackupPath), err)
-		return err
-	}
-
-	backupLog.Info(fmt.Sprintf("Removing db file at %s", options.BackupPath))
-	err = os.Remove(options.BackupPath)
-	if err != nil {
-		backupLog.Error("Failed", err)
-		return err
-	}
-
-	return nil
-}
--- a/api/bolt/backup_test.go
+++ b/api/bolt/backup_test.go
@@ -1,116 +0,0 @@
-package bolt
-
-import (
-	"fmt"
-	"os"
-	"path"
-	"path/filepath"
-	"testing"
-
-	portainer "github.com/portainer/portainer/api"
-)
-
-// isFileExist is helper function to check for file existence
-func isFileExist(path string) bool {
-	matches, err := filepath.Glob(path)
-	if err != nil {
-		return false
-	}
-	return len(matches) > 0
-}
-
-func TestCreateBackupFolders(t *testing.T) {
-	store, teardown := MustNewTestStore(false)
-	defer teardown()
-
-	backupPath := path.Join(store.path, backupDefaults.backupDir)
-
-	if isFileExist(backupPath) {
-		t.Error("Expect backups folder to not exist")
-	}
-
-	store.createBackupFolders()
-	if !isFileExist(backupPath) {
-		t.Error("Expect backups folder to exist")
-	}
-}
-
-func TestStoreCreation(t *testing.T) {
-	store, teardown := MustNewTestStore(true)
-	defer teardown()
-
-	if store == nil {
-		t.Error("Expect to create a store")
-	}
-
-	if store.edition() != portainer.PortainerCE {
-		t.Error("Expect to get CE Edition")
-	}
-}
-
-func TestBackup(t *testing.T) {
-	store, teardown := MustNewTestStore(true)
-	defer teardown()
-
-	t.Run("Backup should create default db backup", func(t *testing.T) {
-		store.VersionService.StoreDBVersion(portainer.DBVersion)
-		store.BackupWithOptions(nil)
-
-		backupFileName := path.Join(store.path, "backups", "common", fmt.Sprintf("portainer.db.%03d.*", portainer.DBVersion))
-		if !isFileExist(backupFileName) {
-			t.Errorf("Expect backup file to be created %s", backupFileName)
-		}
-	})
-
-	t.Run("BackupWithOption should create a name specific backup at common path", func(t *testing.T) {
-		store.BackupWithOptions(&BackupOptions{
-			BackupFileName: beforePortainerVersionUpgradeBackup,
-			BackupDir:      store.commonBackupDir(),
-		})
-		backupFileName := path.Join(store.path, "backups", "common", beforePortainerVersionUpgradeBackup)
-		if !isFileExist(backupFileName) {
-			t.Errorf("Expect backup file to be created %s", backupFileName)
-		}
-	})
-}
-
-func TestRemoveWithOptions(t *testing.T) {
-	store, teardown := MustNewTestStore(true)
-	defer teardown()
-
-	t.Run("successfully removes file if existent", func(t *testing.T) {
-		store.createBackupFolders()
-		options := &BackupOptions{
-			BackupDir:      store.commonBackupDir(),
-			BackupFileName: "test.txt",
-		}
-
-		filePath := path.Join(options.BackupDir, options.BackupFileName)
-		f, err := os.Create(filePath)
-		if err != nil {
-			t.Fatalf("file should be created; err=%s", err)
-		}
-		f.Close()
-
-		err = store.RemoveWithOptions(options)
-		if err != nil {
-			t.Errorf("RemoveWithOptions should successfully remove file; err=%w", err)
-		}
-
-		if isFileExist(f.Name()) {
-			t.Errorf("RemoveWithOptions should successfully remove file; file=%s", f.Name())
-		}
-	})
-
-	t.Run("fails to removes file if non-existent", func(t *testing.T) {
-		options := &BackupOptions{
-			BackupDir:      store.commonBackupDir(),
-			BackupFileName: "test.txt",
-		}
-
-		err := store.RemoveWithOptions(options)
-		if err == nil {
-			t.Error("RemoveWithOptions should fail for non-existent file")
-		}
-	})
-}
--- a/api/bolt/datastore.go
+++ b/api/bolt/datastore.go
@@ -2,12 +2,10 @@ package bolt

 import (
 	"io"
+	"log"
 	"path"
 	"time"

-	"github.com/portainer/portainer/api/bolt/apikeyrepository"
-	"github.com/portainer/portainer/api/bolt/helmuserrepository"
-
 	"github.com/boltdb/bolt"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/customtemplate"
@@ -21,12 +19,12 @@ import (
 	"github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/bolt/extension"
 	"github.com/portainer/portainer/api/bolt/internal"
+	"github.com/portainer/portainer/api/bolt/migrator"
 	"github.com/portainer/portainer/api/bolt/registry"
 	"github.com/portainer/portainer/api/bolt/resourcecontrol"
 	"github.com/portainer/portainer/api/bolt/role"
 	"github.com/portainer/portainer/api/bolt/schedule"
 	"github.com/portainer/portainer/api/bolt/settings"
-	"github.com/portainer/portainer/api/bolt/ssl"
 	"github.com/portainer/portainer/api/bolt/stack"
 	"github.com/portainer/portainer/api/bolt/tag"
 	"github.com/portainer/portainer/api/bolt/team"
@@ -35,6 +33,7 @@ import (
 	"github.com/portainer/portainer/api/bolt/user"
 	"github.com/portainer/portainer/api/bolt/version"
 	"github.com/portainer/portainer/api/bolt/webhook"
+	"github.com/portainer/portainer/api/internal/authorization"
 )

 const (
@@ -44,43 +43,32 @@ const (
 // Store defines the implementation of portainer.DataStore using
 // BoltDB as the storage system.
 type Store struct {
-	path                      string
-	connection                *internal.DbConnection
-	isNew                     bool
-	fileService               portainer.FileService
-	CustomTemplateService     *customtemplate.Service
-	DockerHubService          *dockerhub.Service
-	EdgeGroupService          *edgegroup.Service
-	EdgeJobService            *edgejob.Service
-	EdgeStackService          *edgestack.Service
-	EndpointGroupService      *endpointgroup.Service
-	EndpointService           *endpoint.Service
-	EndpointRelationService   *endpointrelation.Service
-	ExtensionService          *extension.Service
-	HelmUserRepositoryService *helmuserrepository.Service
-	RegistryService           *registry.Service
-	ResourceControlService    *resourcecontrol.Service
-	RoleService               *role.Service
-	APIKeyRepositoryService   *apikeyrepository.Service
-	ScheduleService           *schedule.Service
-	SettingsService           *settings.Service
-	SSLSettingsService        *ssl.Service
-	StackService              *stack.Service
-	TagService                *tag.Service
-	TeamMembershipService     *teammembership.Service
-	TeamService               *team.Service
-	TunnelServerService       *tunnelserver.Service
-	UserService               *user.Service
-	VersionService            *version.Service
-	WebhookService            *webhook.Service
-}
-
-func (store *Store) version() (int, error) {
-	version, err := store.VersionService.DBVersion()
-	if err == errors.ErrObjectNotFound {
-		version = 0
-	}
-	return version, err
+	path                    string
+	connection              *internal.DbConnection
+	isNew                   bool
+	fileService             portainer.FileService
+	CustomTemplateService   *customtemplate.Service
+	DockerHubService        *dockerhub.Service
+	EdgeGroupService        *edgegroup.Service
+	EdgeJobService          *edgejob.Service
+	EdgeStackService        *edgestack.Service
+	EndpointGroupService    *endpointgroup.Service
+	EndpointService         *endpoint.Service
+	EndpointRelationService *endpointrelation.Service
+	ExtensionService        *extension.Service
+	RegistryService         *registry.Service
+	ResourceControlService  *resourcecontrol.Service
+	RoleService             *role.Service
+	ScheduleService         *schedule.Service
+	SettingsService         *settings.Service
+	StackService            *stack.Service
+	TagService              *tag.Service
+	TeamMembershipService   *teammembership.Service
+	TeamService             *team.Service
+	TunnelServerService     *tunnelserver.Service
+	UserService             *user.Service
+	VersionService          *version.Service
+	WebhookService          *webhook.Service
 }

 func (store *Store) edition() portainer.SoftwareEdition {
@@ -92,13 +80,25 @@ func (store *Store) edition() portainer.SoftwareEdition {
 }

 // NewStore initializes a new Store and the associated services
-func NewStore(storePath string, fileService portainer.FileService) *Store {
-	return &Store{
+func NewStore(storePath string, fileService portainer.FileService) (*Store, error) {
+	store := &Store{
 		path:        storePath,
 		fileService: fileService,
 		isNew:       true,
 		connection:  &internal.DbConnection{},
 	}
+
+	databasePath := path.Join(storePath, databaseFileName)
+	databaseFileExists, err := fileService.FileExists(databasePath)
+	if err != nil {
+		return nil, err
+	}
+
+	if databaseFileExists {
+		store.isNew = false
+	}
+
+	return store, nil
 }

 // Open opens and initializes the BoltDB database.
@@ -110,21 +110,10 @@ func (store *Store) Open() error {
 	}
 	store.connection.DB = db

-	err = store.initServices()
-	if err != nil {
-		return err
-	}
-
-	// if we have DBVersion in the database then ensure we flag this as NOT a new store
-	if _, err := store.VersionService.DBVersion(); err == nil {
-		store.isNew = false
-	}
-
-	return nil
+	return store.initServices()
 }

 // Close closes the BoltDB database.
-// Safe to being called multiple times.
 func (store *Store) Close() error {
 	if store.connection.DB != nil {
 		return store.connection.Close()
@@ -138,6 +127,63 @@ func (store *Store) IsNew() bool {
 	return store.isNew
 }

+// CheckCurrentEdition checks if current edition is community edition
+func (store *Store) CheckCurrentEdition() error {
+	if store.edition() != portainer.PortainerCE {
+		return errors.ErrWrongDBEdition
+	}
+	return nil
+}
+
+// MigrateData automatically migrate the data based on the DBVersion.
+// This process is only triggered on an existing database, not if the database was just created.
+// if force is true, then migrate regardless.
+func (store *Store) MigrateData(force bool) error {
+	if store.isNew && !force {
+		return store.VersionService.StoreDBVersion(portainer.DBVersion)
+	}
+
+	version, err := store.VersionService.DBVersion()
+	if err == errors.ErrObjectNotFound {
+		version = 0
+	} else if err != nil {
+		return err
+	}
+
+	if version < portainer.DBVersion {
+		migratorParams := &migrator.Parameters{
+			DB:                      store.connection.DB,
+			DatabaseVersion:         version,
+			EndpointGroupService:    store.EndpointGroupService,
+			EndpointService:         store.EndpointService,
+			EndpointRelationService: store.EndpointRelationService,
+			ExtensionService:        store.ExtensionService,
+			RegistryService:         store.RegistryService,
+			ResourceControlService:  store.ResourceControlService,
+			RoleService:             store.RoleService,
+			ScheduleService:         store.ScheduleService,
+			SettingsService:         store.SettingsService,
+			StackService:            store.StackService,
+			TagService:              store.TagService,
+			TeamMembershipService:   store.TeamMembershipService,
+			UserService:             store.UserService,
+			VersionService:          store.VersionService,
+			FileService:             store.fileService,
+			AuthorizationService:    authorization.NewService(store),
+		}
+		migrator := migrator.NewMigrator(migratorParams)
+
+		log.Printf("Migrating database from version %v to %v.\n", version, portainer.DBVersion)
+		err = migrator.Migrate()
+		if err != nil {
+			log.Printf("An error occurred during database migration: %s\n", err)
+			return err
+		}
+	}
+
+	return nil
+}
+
 // BackupTo backs up db to a provided writer.
 // It does hot backup and doesn't block other database reads and writes
 func (store *Store) BackupTo(w io.Writer) error {
@@ -146,11 +192,3 @@ func (store *Store) BackupTo(w io.Writer) error {
 		return err
 	})
 }
-
-// CheckCurrentEdition checks if current edition is community edition
-func (store *Store) CheckCurrentEdition() error {
-	if store.edition() != portainer.PortainerCE {
-		return errors.ErrWrongDBEdition
-	}
-	return nil
-}
--- a/api/bolt/edgejob/edgejob.go
+++ b/api/bolt/edgejob/edgejob.go
@@ -95,7 +95,7 @@ func (service *Service) DeleteEdgeJob(ID portainer.EdgeJobID) error {
 	return internal.DeleteObject(service.connection, BucketName, identifier)
 }

-// GetNextIdentifier returns the next identifier for an environment(endpoint).
+// GetNextIdentifier returns the next identifier for an endpoint.
 func (service *Service) GetNextIdentifier() int {
 	return internal.GetNextIdentifier(service.connection, BucketName)
 }
--- a/api/bolt/edgestack/edgestack.go
+++ b/api/bolt/edgestack/edgestack.go
@@ -95,7 +95,7 @@ func (service *Service) DeleteEdgeStack(ID portainer.EdgeStackID) error {
 	return internal.DeleteObject(service.connection, BucketName, identifier)
 }

-// GetNextIdentifier returns the next identifier for an environment(endpoint).
+// GetNextIdentifier returns the next identifier for an endpoint.
 func (service *Service) GetNextIdentifier() int {
 	return internal.GetNextIdentifier(service.connection, BucketName)
 }
--- a/api/bolt/endpoint/endpoint.go
+++ b/api/bolt/endpoint/endpoint.go
@@ -11,7 +11,7 @@ const (
 	BucketName = "endpoints"
 )

-// Service represents a service for managing environment(endpoint) data.
+// Service represents a service for managing endpoint data.
 type Service struct {
 	connection *internal.DbConnection
 }
@@ -28,7 +28,7 @@ func NewService(connection *internal.DbConnection) (*Service, error) {
 	}, nil
 }

-// Endpoint returns an environment(endpoint) by ID.
+// Endpoint returns an endpoint by ID.
 func (service *Service) Endpoint(ID portainer.EndpointID) (*portainer.Endpoint, error) {
 	var endpoint portainer.Endpoint
 	identifier := internal.Itob(int(ID))
@@ -41,19 +41,19 @@ func (service *Service) Endpoint(ID portainer.EndpointID) (*portainer.Endpoint,
 	return &endpoint, nil
 }

-// UpdateEndpoint updates an environment(endpoint).
+// UpdateEndpoint updates an endpoint.
 func (service *Service) UpdateEndpoint(ID portainer.EndpointID, endpoint *portainer.Endpoint) error {
 	identifier := internal.Itob(int(ID))
 	return internal.UpdateObject(service.connection, BucketName, identifier, endpoint)
 }

-// DeleteEndpoint deletes an environment(endpoint).
+// DeleteEndpoint deletes an endpoint.
 func (service *Service) DeleteEndpoint(ID portainer.EndpointID) error {
 	identifier := internal.Itob(int(ID))
 	return internal.DeleteObject(service.connection, BucketName, identifier)
 }

-// Endpoints return an array containing all the environments(endpoints).
+// Endpoints return an array containing all the endpoints.
 func (service *Service) Endpoints() ([]portainer.Endpoint, error) {
 	var endpoints = make([]portainer.Endpoint, 0)

@@ -76,12 +76,12 @@ func (service *Service) Endpoints() ([]portainer.Endpoint, error) {
 	return endpoints, err
 }

-// CreateEndpoint assign an ID to a new environment(endpoint) and saves it.
+// CreateEndpoint assign an ID to a new endpoint and saves it.
 func (service *Service) CreateEndpoint(endpoint *portainer.Endpoint) error {
 	return service.connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))

-		// We manually manage sequences for environments(endpoints)
+		// We manually manage sequences for endpoints
 		err := bucket.SetSequence(uint64(endpoint.ID))
 		if err != nil {
 			return err
@@ -96,12 +96,12 @@ func (service *Service) CreateEndpoint(endpoint *portainer.Endpoint) error {
 	})
 }

-// GetNextIdentifier returns the next identifier for an environment(endpoint).
+// GetNextIdentifier returns the next identifier for an endpoint.
 func (service *Service) GetNextIdentifier() int {
 	return internal.GetNextIdentifier(service.connection, BucketName)
 }

-// Synchronize creates, updates and deletes environments(endpoints) inside a single transaction.
+// Synchronize creates, updates and deletes endpoints inside a single transaction.
 func (service *Service) Synchronize(toCreate, toUpdate, toDelete []*portainer.Endpoint) error {
 	return service.connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
--- a/api/bolt/endpointgroup/endpointgroup.go
+++ b/api/bolt/endpointgroup/endpointgroup.go
@@ -12,7 +12,7 @@ const (
 	BucketName = "endpoint_groups"
 )

-// Service represents a service for managing environment(endpoint) data.
+// Service represents a service for managing endpoint data.
 type Service struct {
 	connection *internal.DbConnection
 }
@@ -29,7 +29,7 @@ func NewService(connection *internal.DbConnection) (*Service, error) {
 	}, nil
 }

-// EndpointGroup returns an environment(endpoint) group by ID.
+// EndpointGroup returns an endpoint group by ID.
 func (service *Service) EndpointGroup(ID portainer.EndpointGroupID) (*portainer.EndpointGroup, error) {
 	var endpointGroup portainer.EndpointGroup
 	identifier := internal.Itob(int(ID))
@@ -42,19 +42,19 @@ func (service *Service) EndpointGroup(ID portainer.EndpointGroupID) (*portainer.
 	return &endpointGroup, nil
 }

-// UpdateEndpointGroup updates an environment(endpoint) group.
+// UpdateEndpointGroup updates an endpoint group.
 func (service *Service) UpdateEndpointGroup(ID portainer.EndpointGroupID, endpointGroup *portainer.EndpointGroup) error {
 	identifier := internal.Itob(int(ID))
 	return internal.UpdateObject(service.connection, BucketName, identifier, endpointGroup)
 }

-// DeleteEndpointGroup deletes an environment(endpoint) group.
+// DeleteEndpointGroup deletes an endpoint group.
 func (service *Service) DeleteEndpointGroup(ID portainer.EndpointGroupID) error {
 	identifier := internal.Itob(int(ID))
 	return internal.DeleteObject(service.connection, BucketName, identifier)
 }

-// EndpointGroups return an array containing all the environment(endpoint) groups.
+// EndpointGroups return an array containing all the endpoint groups.
 func (service *Service) EndpointGroups() ([]portainer.EndpointGroup, error) {
 	var endpointGroups = make([]portainer.EndpointGroup, 0)

@@ -77,7 +77,7 @@ func (service *Service) EndpointGroups() ([]portainer.EndpointGroup, error) {
 	return endpointGroups, err
 }

-// CreateEndpointGroup assign an ID to a new environment(endpoint) group and saves it.
+// CreateEndpointGroup assign an ID to a new endpoint group and saves it.
 func (service *Service) CreateEndpointGroup(endpointGroup *portainer.EndpointGroup) error {
 	return service.connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
--- a/api/bolt/endpointrelation/endpointrelation.go
+++ b/api/bolt/endpointrelation/endpointrelation.go
@@ -11,7 +11,7 @@ const (
 	BucketName = "endpoint_relations"
 )

-// Service represents a service for managing environment(endpoint) relation data.
+// Service represents a service for managing endpoint relation data.
 type Service struct {
 	connection *internal.DbConnection
 }
@@ -28,7 +28,7 @@ func NewService(connection *internal.DbConnection) (*Service, error) {
 	}, nil
 }

-// EndpointRelation returns a Environment(Endpoint) relation object by EndpointID
+// EndpointRelation returns a Endpoint relation object by EndpointID
 func (service *Service) EndpointRelation(endpointID portainer.EndpointID) (*portainer.EndpointRelation, error) {
 	var endpointRelation portainer.EndpointRelation
 	identifier := internal.Itob(int(endpointID))
@@ -55,13 +55,13 @@ func (service *Service) CreateEndpointRelation(endpointRelation *portainer.Endpo
 	})
 }

-// UpdateEndpointRelation updates an Environment(Endpoint) relation object
+// UpdateEndpointRelation updates an Endpoint relation object
 func (service *Service) UpdateEndpointRelation(EndpointID portainer.EndpointID, endpointRelation *portainer.EndpointRelation) error {
 	identifier := internal.Itob(int(EndpointID))
 	return internal.UpdateObject(service.connection, BucketName, identifier, endpointRelation)
 }

-// DeleteEndpointRelation deletes an Environment(Endpoint) relation object
+// DeleteEndpointRelation deletes an Endpoint relation object
 func (service *Service) DeleteEndpointRelation(EndpointID portainer.EndpointID) error {
 	identifier := internal.Itob(int(EndpointID))
 	return internal.DeleteObject(service.connection, BucketName, identifier)
--- a/api/bolt/errors/errors.go
+++ b/api/bolt/errors/errors.go
@@ -4,5 +4,5 @@ import "errors"

 var (
 	ErrObjectNotFound = errors.New("Object not found inside the database")
-	ErrWrongDBEdition = errors.New("The Portainer database is set for Portainer Business Edition, please follow the instructions in our documentation to downgrade it: https://documentation.portainer.io/v2.0-be/downgrade/be-to-ce/")
+	ErrWrongDBEdition = errors.New("The Portainer database is set for Portainer Business Edition, please follow the instructions in our documention to downgrade it: https://documentation.portainer.io/v2.0-be/downgrade/be-to-ce/")
 )
--- a/api/bolt/extension/extension.go
+++ b/api/bolt/extension/extension.go
@@ -12,7 +12,7 @@ const (
 	BucketName = "extension"
 )

-// Service represents a service for managing environment(endpoint) data.
+// Service represents a service for managing endpoint data.
 type Service struct {
 	connection *internal.DbConnection
 }
--- a/api/bolt/helmuserrepository/helmuserrepository.go
+++ b/api/bolt/helmuserrepository/helmuserrepository.go
@@ -1,73 +0,0 @@
-package helmuserrepository
-
-import (
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/internal"
-
-	"github.com/boltdb/bolt"
-)
-
-const (
-	// BucketName represents the name of the bucket where this service stores data.
-	BucketName = "helm_user_repository"
-)
-
-// Service represents a service for managing environment(endpoint) data.
-type Service struct {
-	connection *internal.DbConnection
-}
-
-// NewService creates a new instance of a service.
-func NewService(connection *internal.DbConnection) (*Service, error) {
-	err := internal.CreateBucket(connection, BucketName)
-	if err != nil {
-		return nil, err
-	}
-
-	return &Service{
-		connection: connection,
-	}, nil
-}
-
-// HelmUserRepositoryByUserID return an array containing all the HelmUserRepository objects where the specified userID is present.
-func (service *Service) HelmUserRepositoryByUserID(userID portainer.UserID) ([]portainer.HelmUserRepository, error) {
-	var result = make([]portainer.HelmUserRepository, 0)
-
-	err := service.connection.View(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(BucketName))
-
-		cursor := bucket.Cursor()
-		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
-			var record portainer.HelmUserRepository
-			err := internal.UnmarshalObject(v, &record)
-			if err != nil {
-				return err
-			}
-
-			if record.UserID == userID {
-				result = append(result, record)
-			}
-		}
-
-		return nil
-	})
-
-	return result, err
-}
-
-// CreateHelmUserRepository creates a new HelmUserRepository object.
-func (service *Service) CreateHelmUserRepository(record *portainer.HelmUserRepository) error {
-	return service.connection.Update(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(BucketName))
-
-		id, _ := bucket.NextSequence()
-		record.ID = portainer.HelmUserRepositoryID(id)
-
-		data, err := internal.MarshalObject(record)
-		if err != nil {
-			return err
-		}
-
-		return bucket.Put(internal.Itob(int(record.ID)), data)
-	})
-}
--- a/api/bolt/init.go
+++ b/api/bolt/init.go
@@ -44,10 +44,7 @@ func (store *Store) Init() error {

 			EdgeAgentCheckinInterval: portainer.DefaultEdgeAgentCheckinIntervalInSeconds,
 			TemplatesURL:             portainer.DefaultTemplatesURL,
-			HelmRepositoryURL:        portainer.DefaultHelmRepositoryURL,
 			UserSessionTimeout:       portainer.DefaultUserSessionTimeout,
-			KubeconfigExpiry:         portainer.DefaultKubeconfigExpiry,
-			KubectlShellImage:        portainer.DefaultKubectlShellImage,
 		}

 		err = store.SettingsService.UpdateSettings(defaultSettings)
@@ -58,20 +55,20 @@ func (store *Store) Init() error {
 		return err
 	}

-	_, err = store.SSLSettings().Settings()
-	if err != nil {
-		if err != errors.ErrObjectNotFound {
-			return err
+	_, err = store.DockerHubService.DockerHub()
+	if err == errors.ErrObjectNotFound {
+		defaultDockerHub := &portainer.DockerHub{
+			Authentication: false,
+			Username:       "",
+			Password:       "",
 		}

-		defaultSSLSettings := &portainer.SSLSettings{
-			HTTPEnabled: true,
-		}
-
-		err = store.SSLSettings().UpdateSettings(defaultSSLSettings)
+		err := store.DockerHubService.UpdateDockerHub(defaultDockerHub)
 		if err != nil {
 			return err
 		}
+	} else if err != nil {
+		return err
 	}

 	groups, err := store.EndpointGroupService.EndpointGroups()
@@ -82,7 +79,7 @@ func (store *Store) Init() error {
 	if len(groups) == 0 {
 		unassignedGroup := &portainer.EndpointGroup{
 			Name:               "Unassigned",
-			Description:        "Unassigned environments",
+			Description:        "Unassigned endpoints",
 			Labels:             []portainer.Pair{},
 			UserAccessPolicies: portainer.UserAccessPolicies{},
 			TeamAccessPolicies: portainer.TeamAccessPolicies{},
--- a/api/bolt/internal/json.go
+++ b/api/bolt/internal/json.go
@@ -17,7 +17,7 @@ func UnmarshalObject(data []byte, object interface{}) error {
 }

 // UnmarshalObjectWithJsoniter decodes an object from binary data
-// using the jsoniter library. It is mainly used to accelerate environment(endpoint)
+// using the jsoniter library. It is mainly used to accelerate endpoint
 // decoding at the moment.
 func UnmarshalObjectWithJsoniter(data []byte, object interface{}) error {
 	var jsoni = jsoniter.ConfigCompatibleWithStandardLibrary
--- a/api/bolt/log/log.go
+++ b/api/bolt/log/log.go
@@ -1,41 +0,0 @@
-package log
-
-import (
-	"fmt"
-	"log"
-)
-
-const (
-	INFO  = "INFO"
-	ERROR = "ERROR"
-	DEBUG = "DEBUG"
-	FATAL = "FATAL"
-)
-
-type ScopedLog struct {
-	scope string
-}
-
-func NewScopedLog(scope string) *ScopedLog {
-	return &ScopedLog{scope: scope}
-}
-
-func (slog *ScopedLog) print(kind string, message string) {
-	log.Printf("[%s] [%s] %s", kind, slog.scope, message)
-}
-
-func (slog *ScopedLog) Debug(message string) {
-	slog.print(DEBUG, fmt.Sprintf("[message: %s]", message))
-}
-
-func (slog *ScopedLog) Info(message string) {
-	slog.print(INFO, fmt.Sprintf("[message: %s]", message))
-}
-
-func (slog *ScopedLog) Error(message string, err error) {
-	slog.print(ERROR, fmt.Sprintf("[message: %s] [error: %s]", message, err))
-}
-
-func (slog *ScopedLog) NotImplemented(method string) {
-	log.Fatalf("[%s] [%s] [%s]", FATAL, slog.scope, fmt.Sprintf("%s is not yet implemented", method))
-}
--- a/api/bolt/log/log.test.go
+++ b/api/bolt/log/log.test.go
@@ -1 +0,0 @@
-package log
--- a/api/bolt/migrate_data.go
+++ b/api/bolt/migrate_data.go
@@ -1,151 +0,0 @@
-package bolt
-
-import (
-	"fmt"
-	"runtime/debug"
-
-	"github.com/portainer/portainer/api/cli"
-
-	werrors "github.com/pkg/errors"
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/errors"
-	plog "github.com/portainer/portainer/api/bolt/log"
-	"github.com/portainer/portainer/api/bolt/migrator"
-	"github.com/portainer/portainer/api/internal/authorization"
-)
-
-const beforePortainerVersionUpgradeBackup = "portainer.db.bak"
-
-var migrateLog = plog.NewScopedLog("bolt, migrate")
-
-// FailSafeMigrate backup and restore DB if migration fail
-func (store *Store) FailSafeMigrate(migrator *migrator.Migrator) (err error) {
-	defer func() {
-		if e := recover(); e != nil {
-			store.Rollback(true)
-			// return error with cause and stacktrace (recover() doesn't include a stacktrace)
-			err = fmt.Errorf("%v %s", e, string(debug.Stack()))
-		}
-	}()
-
-	// !Important: we must use a named return value in the function definition and not a local
-	// !variable referenced from the closure or else the return value will be incorrectly set
-	return migrator.Migrate()
-}
-
-// MigrateData automatically migrate the data based on the DBVersion.
-// This process is only triggered on an existing database, not if the database was just created.
-// if force is true, then migrate regardless.
-func (store *Store) MigrateData(force bool) error {
-	if store.isNew && !force {
-		return store.VersionService.StoreDBVersion(portainer.DBVersion)
-	}
-
-	migrator, err := store.newMigrator()
-	if err != nil {
-		return err
-	}
-
-	// backup db file before upgrading DB to support rollback
-	isUpdating, err := store.VersionService.IsUpdating()
-	if err != nil && err != errors.ErrObjectNotFound {
-		return err
-	}
-
-	if !isUpdating && migrator.Version() != portainer.DBVersion {
-		err = store.backupVersion(migrator)
-		if err != nil {
-			return werrors.Wrapf(err, "failed to backup database")
-		}
-	}
-
-	if migrator.Version() < portainer.DBVersion {
-		migrateLog.Info(fmt.Sprintf("Migrating database from version %v to %v.\n", migrator.Version(), portainer.DBVersion))
-		err = store.FailSafeMigrate(migrator)
-		if err != nil {
-			migrateLog.Error("An error occurred during database migration", err)
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (store *Store) newMigrator() (*migrator.Migrator, error) {
-	version, err := store.version()
-	if err != nil {
-		return nil, err
-	}
-
-	migratorParams := &migrator.Parameters{
-		DB:                      store.connection.DB,
-		DatabaseVersion:         version,
-		EndpointGroupService:    store.EndpointGroupService,
-		EndpointService:         store.EndpointService,
-		EndpointRelationService: store.EndpointRelationService,
-		ExtensionService:        store.ExtensionService,
-		RegistryService:         store.RegistryService,
-		ResourceControlService:  store.ResourceControlService,
-		RoleService:             store.RoleService,
-		ScheduleService:         store.ScheduleService,
-		SettingsService:         store.SettingsService,
-		StackService:            store.StackService,
-		TagService:              store.TagService,
-		TeamMembershipService:   store.TeamMembershipService,
-		UserService:             store.UserService,
-		VersionService:          store.VersionService,
-		FileService:             store.fileService,
-		DockerhubService:        store.DockerHubService,
-		AuthorizationService:    authorization.NewService(store),
-	}
-	return migrator.NewMigrator(migratorParams), nil
-}
-
-// getBackupRestoreOptions returns options to store db at common backup dir location; used by:
-// - db backup prior to version upgrade
-// - db rollback
-func getBackupRestoreOptions(store *Store) *BackupOptions {
-	return &BackupOptions{
-		BackupDir:      store.commonBackupDir(),
-		BackupFileName: beforePortainerVersionUpgradeBackup,
-	}
-}
-
-// backupVersion will backup the database or panic if any errors occur
-func (store *Store) backupVersion(migrator *migrator.Migrator) error {
-	migrateLog.Info("Backing up database prior to version upgrade...")
-
-	options := getBackupRestoreOptions(store)
-
-	_, err := store.BackupWithOptions(options)
-	if err != nil {
-		migrateLog.Error("An error occurred during database backup", err)
-		removalErr := store.RemoveWithOptions(options)
-		if removalErr != nil {
-			migrateLog.Error("An error occurred during store removal prior to backup", err)
-		}
-		return err
-	}
-
-	return nil
-}
-
-// Rollback to a pre-upgrade backup copy/snapshot of portainer.db
-func (store *Store) Rollback(force bool) error {
-
-	if !force {
-		confirmed, err := cli.Confirm("Are you sure you want to rollback your database to the previous backup?")
-		if err != nil || !confirmed {
-			return err
-		}
-	}
-
-	options := getBackupRestoreOptions(store)
-
-	err := store.RestoreWithOptions(options)
-	if err != nil {
-		return err
-	}
-
-	return store.Close()
-}
--- a/api/bolt/migrate_data_test.go
+++ b/api/bolt/migrate_data_test.go
@@ -1,172 +0,0 @@
-package bolt
-
-import (
-	"fmt"
-	"log"
-	"strings"
-	"testing"
-
-	portainer "github.com/portainer/portainer/api"
-)
-
-// testVersion is a helper which tests current store version against wanted version
-func testVersion(store *Store, versionWant int, t *testing.T) {
-	if v, _ := store.version(); v != versionWant {
-		t.Errorf("Expect store version to be %d but was %d", versionWant, v)
-	}
-}
-
-func TestMigrateData(t *testing.T) {
-	t.Run("MigrateData for New Store & Re-Open Check", func(t *testing.T) {
-		store, teardown := MustNewTestStore(false)
-		defer teardown()
-
-		if !store.IsNew() {
-			t.Error("Expect a new DB")
-		}
-
-		store.MigrateData(false)
-
-		testVersion(store, portainer.DBVersion, t)
-		store.Close()
-
-		store.Open()
-		if store.IsNew() {
-			t.Error("Expect store to NOT be new DB")
-		}
-	})
-
-	tests := []struct {
-		version         int
-		expectedVersion int
-	}{
-		{version: 2, expectedVersion: portainer.DBVersion},
-		{version: 21, expectedVersion: portainer.DBVersion},
-	}
-	for _, tc := range tests {
-		store, teardown := MustNewTestStore(true)
-		defer teardown()
-
-		// Setup data
-		store.VersionService.StoreDBVersion(tc.version)
-
-		// Required roles by migrations 22.2
-		store.RoleService.CreateRole(&portainer.Role{ID: 1})
-		store.RoleService.CreateRole(&portainer.Role{ID: 2})
-		store.RoleService.CreateRole(&portainer.Role{ID: 3})
-		store.RoleService.CreateRole(&portainer.Role{ID: 4})
-
-		t.Run(fmt.Sprintf("MigrateData for version %d", tc.version), func(t *testing.T) {
-			store.MigrateData(true)
-			testVersion(store, tc.expectedVersion, t)
-		})
-
-		t.Run(fmt.Sprintf("Restoring DB after migrateData for version %d", tc.version), func(t *testing.T) {
-			store.Rollback(true)
-			store.Open()
-			testVersion(store, tc.version, t)
-		})
-	}
-
-	t.Run("Error in MigrateData should restore backup before MigrateData", func(t *testing.T) {
-		store, teardown := MustNewTestStore(false)
-		defer teardown()
-
-		version := 2
-		store.VersionService.StoreDBVersion(version)
-
-		store.MigrateData(true)
-
-		testVersion(store, version, t)
-	})
-
-	t.Run("MigrateData should create backup file upon update", func(t *testing.T) {
-		store, teardown := MustNewTestStore(false)
-		defer teardown()
-		store.VersionService.StoreDBVersion(0)
-
-		store.MigrateData(true)
-
-		options := store.setupOptions(getBackupRestoreOptions(store))
-
-		if !isFileExist(options.BackupPath) {
-			t.Errorf("Backup file should exist; file=%s", options.BackupPath)
-		}
-	})
-
-	t.Run("MigrateData should fail to create backup if database file is set to updating", func(t *testing.T) {
-		store, teardown := MustNewTestStore(false)
-		defer teardown()
-
-		store.VersionService.StoreIsUpdating(true)
-
-		store.MigrateData(true)
-
-		options := store.setupOptions(getBackupRestoreOptions(store))
-
-		if isFileExist(options.BackupPath) {
-			t.Errorf("Backup file should not exist for dirty database; file=%s", options.BackupPath)
-		}
-	})
-
-	t.Run("MigrateData should not create backup on startup if portainer version matches db", func(t *testing.T) {
-		store, teardown := MustNewTestStore(false)
-		defer teardown()
-
-		store.MigrateData(true)
-
-		options := store.setupOptions(getBackupRestoreOptions(store))
-
-		if isFileExist(options.BackupPath) {
-			t.Errorf("Backup file should not exist for dirty database; file=%s", options.BackupPath)
-		}
-	})
-
-}
-
-func Test_getBackupRestoreOptions(t *testing.T) {
-	store, teardown := MustNewTestStore(false)
-	defer teardown()
-
-	options := getBackupRestoreOptions(store)
-
-	wantDir := store.commonBackupDir()
-	if !strings.HasSuffix(options.BackupDir, wantDir) {
-		log.Fatalf("incorrect backup dir; got=%s, want=%s", options.BackupDir, wantDir)
-	}
-
-	wantFilename := "portainer.db.bak"
-	if options.BackupFileName != wantFilename {
-		log.Fatalf("incorrect backup file; got=%s, want=%s", options.BackupFileName, wantFilename)
-	}
-}
-
-func TestRollback(t *testing.T) {
-	t.Run("Rollback should restore upgrade after backup", func(t *testing.T) {
-		version := 21
-		store, teardown := MustNewTestStore(false)
-		defer teardown()
-		store.VersionService.StoreDBVersion(version)
-
-		_, err := store.BackupWithOptions(getBackupRestoreOptions(store))
-		if err != nil {
-			log.Fatal(err)
-		}
-
-		// Change the current edition
-		err = store.VersionService.StoreDBVersion(version + 10)
-		if err != nil {
-			log.Fatal(err)
-		}
-
-		err = store.Rollback(true)
-		if err != nil {
-			t.Logf("Rollback failed: %s", err)
-			t.Fail()
-			return
-		}
-
-		store.Open()
-		testVersion(store, version, t)
-	})
-}
--- a/api/bolt/migrator/migrate_ce.go
+++ b/api/bolt/migrator/migrate_ce.go
@@ -1,343 +0,0 @@
-package migrator
-
-import (
-	"fmt"
-
-	werrors "github.com/pkg/errors"
-	portainer "github.com/portainer/portainer/api"
-)
-
-func migrationError(err error, context string) error {
-	return werrors.Wrap(err, "failed in "+context)
-}
-
-// Migrate checks the database version and migrate the existing data to the most recent data model.
-func (m *Migrator) Migrate() error {
-	// set DB to updating status
-	err := m.versionService.StoreIsUpdating(true)
-	if err != nil {
-		return migrationError(err, "StoreIsUpdating")
-	}
-
-	// Portainer < 1.12
-	if m.currentDBVersion < 1 {
-		err := m.updateAdminUserToDBVersion1()
-		if err != nil {
-			return migrationError(err, "updateAdminUserToDBVersion1")
-		}
-	}
-
-	// Portainer 1.12.x
-	if m.currentDBVersion < 2 {
-		err := m.updateResourceControlsToDBVersion2()
-		if err != nil {
-			return migrationError(err, "updateResourceControlsToDBVersion2")
-		}
-		err = m.updateEndpointsToDBVersion2()
-		if err != nil {
-			return migrationError(err, "updateEndpointsToDBVersion2")
-		}
-	}
-
-	// Portainer 1.13.x
-	if m.currentDBVersion < 3 {
-		err := m.updateSettingsToDBVersion3()
-		if err != nil {
-			return migrationError(err, "updateSettingsToDBVersion3")
-		}
-	}
-
-	// Portainer 1.14.0
-	if m.currentDBVersion < 4 {
-		err := m.updateEndpointsToDBVersion4()
-		if err != nil {
-			return migrationError(err, "updateEndpointsToDBVersion4")
-		}
-	}
-
-	// https://github.com/portainer/portainer/issues/1235
-	if m.currentDBVersion < 5 {
-		err := m.updateSettingsToVersion5()
-		if err != nil {
-			return migrationError(err, "updateSettingsToVersion5")
-		}
-	}
-
-	// https://github.com/portainer/portainer/issues/1236
-	if m.currentDBVersion < 6 {
-		err := m.updateSettingsToVersion6()
-		if err != nil {
-			return migrationError(err, "updateSettingsToVersion6")
-		}
-	}
-
-	// https://github.com/portainer/portainer/issues/1449
-	if m.currentDBVersion < 7 {
-		err := m.updateSettingsToVersion7()
-		if err != nil {
-			return migrationError(err, "updateSettingsToVersion7")
-		}
-	}
-
-	if m.currentDBVersion < 8 {
-		err := m.updateEndpointsToVersion8()
-		if err != nil {
-			return migrationError(err, "updateEndpointsToVersion8")
-		}
-	}
-
-	// https: //github.com/portainer/portainer/issues/1396
-	if m.currentDBVersion < 9 {
-		err := m.updateEndpointsToVersion9()
-		if err != nil {
-			return migrationError(err, "updateEndpointsToVersion9")
-		}
-	}
-
-	// https://github.com/portainer/portainer/issues/461
-	if m.currentDBVersion < 10 {
-		err := m.updateEndpointsToVersion10()
-		if err != nil {
-			return migrationError(err, "updateEndpointsToVersion10")
-		}
-	}
-
-	// https://github.com/portainer/portainer/issues/1906
-	if m.currentDBVersion < 11 {
-		err := m.updateEndpointsToVersion11()
-		if err != nil {
-			return migrationError(err, "updateEndpointsToVersion11")
-		}
-	}
-
-	// Portainer 1.18.0
-	if m.currentDBVersion < 12 {
-		err := m.updateEndpointsToVersion12()
-		if err != nil {
-			return migrationError(err, "updateEndpointsToVersion12")
-		}
-
-		err = m.updateEndpointGroupsToVersion12()
-		if err != nil {
-			return migrationError(err, "updateEndpointGroupsToVersion12")
-		}
-
-		err = m.updateStacksToVersion12()
-		if err != nil {
-			return migrationError(err, "updateStacksToVersion12")
-		}
-	}
-
-	// Portainer 1.19.0
-	if m.currentDBVersion < 13 {
-		err := m.updateSettingsToVersion13()
-		if err != nil {
-			return migrationError(err, "updateSettingsToVersion13")
-		}
-	}
-
-	// Portainer 1.19.2
-	if m.currentDBVersion < 14 {
-		err := m.updateResourceControlsToDBVersion14()
-		if err != nil {
-			return migrationError(err, "updateResourceControlsToDBVersion14")
-		}
-	}
-
-	// Portainer 1.20.0
-	if m.currentDBVersion < 15 {
-		err := m.updateSettingsToDBVersion15()
-		if err != nil {
-			return migrationError(err, "updateSettingsToDBVersion15")
-		}
-
-		err = m.updateTemplatesToVersion15()
-		if err != nil {
-			return migrationError(err, "updateTemplatesToVersion15")
-		}
-	}
-
-	if m.currentDBVersion < 16 {
-		err := m.updateSettingsToDBVersion16()
-		if err != nil {
-			return migrationError(err, "updateSettingsToDBVersion16")
-		}
-	}
-
-	// Portainer 1.20.1
-	if m.currentDBVersion < 17 {
-		err := m.updateExtensionsToDBVersion17()
-		if err != nil {
-			return migrationError(err, "updateExtensionsToDBVersion17")
-		}
-	}
-
-	// Portainer 1.21.0
-	if m.currentDBVersion < 18 {
-		err := m.updateUsersToDBVersion18()
-		if err != nil {
-			return migrationError(err, "updateUsersToDBVersion18")
-		}
-
-		err = m.updateEndpointsToDBVersion18()
-		if err != nil {
-			return migrationError(err, "updateEndpointsToDBVersion18")
-		}
-
-		err = m.updateEndpointGroupsToDBVersion18()
-		if err != nil {
-			return migrationError(err, "updateEndpointGroupsToDBVersion18")
-		}
-
-		err = m.updateRegistriesToDBVersion18()
-		if err != nil {
-			return migrationError(err, "updateRegistriesToDBVersion18")
-		}
-	}
-
-	// Portainer 1.22.0
-	if m.currentDBVersion < 19 {
-		err := m.updateSettingsToDBVersion19()
-		if err != nil {
-			return migrationError(err, "updateSettingsToDBVersion19")
-		}
-	}
-
-	// Portainer 1.22.1
-	if m.currentDBVersion < 20 {
-		err := m.updateUsersToDBVersion20()
-		if err != nil {
-			return migrationError(err, "updateUsersToDBVersion20")
-		}
-
-		err = m.updateSettingsToDBVersion20()
-		if err != nil {
-			return migrationError(err, "updateSettingsToDBVersion20")
-		}
-
-		err = m.updateSchedulesToDBVersion20()
-		if err != nil {
-			return migrationError(err, "updateSchedulesToDBVersion20")
-		}
-	}
-
-	// Portainer 1.23.0
-	// DBVersion 21 is missing as it was shipped as via hotfix 1.22.2
-	if m.currentDBVersion < 22 {
-		err := m.updateResourceControlsToDBVersion22()
-		if err != nil {
-			return migrationError(err, "updateResourceControlsToDBVersion22")
-		}
-
-		err = m.updateUsersAndRolesToDBVersion22()
-		if err != nil {
-			return migrationError(err, "updateUsersAndRolesToDBVersion22")
-		}
-	}
-
-	// Portainer 1.24.0
-	if m.currentDBVersion < 23 {
-		migrateLog.Info("Migrating to DB 23")
-		err := m.updateTagsToDBVersion23()
-		if err != nil {
-			return migrationError(err, "updateTagsToDBVersion23")
-		}
-
-		err = m.updateEndpointsAndEndpointGroupsToDBVersion23()
-		if err != nil {
-			return migrationError(err, "updateEndpointsAndEndpointGroupsToDBVersion23")
-		}
-	}
-
-	// Portainer 1.24.1
-	if m.currentDBVersion < 24 {
-		migrateLog.Info("Migrating to DB 24")
-		err := m.updateSettingsToDB24()
-		if err != nil {
-			return migrationError(err, "updateSettingsToDB24")
-		}
-	}
-
-	// Portainer 2.0.0
-	if m.currentDBVersion < 25 {
-		migrateLog.Info("Migrating to DB 25")
-		err := m.updateSettingsToDB25()
-		if err != nil {
-			return migrationError(err, "updateSettingsToDB25")
-		}
-
-		err = m.updateStacksToDB24()
-		if err != nil {
-			return migrationError(err, "updateStacksToDB24")
-		}
-	}
-
-	// Portainer 2.1.0
-	if m.currentDBVersion < 26 {
-		migrateLog.Info("Migrating to DB 26")
-		err := m.updateEndpointSettingsToDB25()
-		if err != nil {
-			return migrationError(err, "updateEndpointSettingsToDB25")
-		}
-	}
-
-	// Portainer 2.2.0
-	if m.currentDBVersion < 27 {
-		migrateLog.Info("Migrating to DB 27")
-		err := m.updateStackResourceControlToDB27()
-		if err != nil {
-			return migrationError(err, "updateStackResourceControlToDB27")
-		}
-	}
-
-	// Portainer 2.6.0
-	if m.currentDBVersion < 30 {
-		migrateLog.Info("Migrating to DB 30")
-		err := m.migrateDBVersionToDB30()
-		if err != nil {
-			return migrationError(err, "migrateDBVersionToDB30")
-		}
-	}
-
-	// Portainer 2.9.0
-	if m.currentDBVersion < 32 {
-		err := m.migrateDBVersionToDB32()
-		if err != nil {
-			return migrationError(err, "migrateDBVersionToDB32")
-		}
-	}
-
-	// Portainer 2.9.1, 2.9.2
-	if m.currentDBVersion < 33 {
-		migrateLog.Info("Migrating to DB 33")
-		err := m.migrateDBVersionToDB33()
-		if err != nil {
-			return migrationError(err, "migrateDBVersionToDB33")
-		}
-	}
-
-	// Portainer 2.10
-	if m.currentDBVersion < 34 {
-		migrateLog.Info("Migrating to DB 34")
-		if err := m.migrateDBVersionToDB34(); err != nil {
-			return migrationError(err, "migrateDBVersionToDB34")
-		}
-	}
-
-	// Portainer 2.9.3 (yep out of order, but 2.10 is EE only)
-	if m.currentDBVersion < 35 {
-		migrateLog.Info("Migrating to DB 35")
-		if err := m.migrateDBVersionToDB35(); err != nil {
-			return migrationError(err, "migrateDBVersionToDB35")
-		}
-	}
-
-	err = m.versionService.StoreDBVersion(portainer.DBVersion)
-	if err != nil {
-		return migrationError(err, "StoreDBVersion")
-	}
-	migrateLog.Info(fmt.Sprintf("Updated DB version to %d", portainer.DBVersion))
-
-	// reset DB updating status
-	return m.versionService.StoreIsUpdating(false)
-}
--- a/api/bolt/migrator/migrate_dbversion22.go
+++ b/api/bolt/migrator/migrate_dbversion22.go
@@ -1,9 +1,8 @@
 package migrator

-import portainer "github.com/portainer/portainer/api"
+import "github.com/portainer/portainer/api"

 func (m *Migrator) updateTagsToDBVersion23() error {
-	migrateLog.Info("Updating tags")
 	tags, err := m.tagService.Tags()
 	if err != nil {
 		return err
@@ -21,7 +20,6 @@ func (m *Migrator) updateTagsToDBVersion23() error {
 }

 func (m *Migrator) updateEndpointsAndEndpointGroupsToDBVersion23() error {
-	migrateLog.Info("Updating endpoints and endpoint groups")
 	tags, err := m.tagService.Tags()
 	if err != nil {
 		return err
--- a/api/bolt/migrator/migrate_dbversion23.go
+++ b/api/bolt/migrator/migrate_dbversion23.go
@@ -3,8 +3,6 @@ package migrator
 import portainer "github.com/portainer/portainer/api"

 func (m *Migrator) updateSettingsToDB24() error {
-	migrateLog.Info("Updating Settings")
-
 	legacySettings, err := m.settingsService.Settings()
 	if err != nil {
 		return err
@@ -18,7 +16,6 @@ func (m *Migrator) updateSettingsToDB24() error {
 }

 func (m *Migrator) updateStacksToDB24() error {
-	migrateLog.Info("Updating stacks")
 	stacks, err := m.stackService.Stacks()
 	if err != nil {
 		return err
--- a/api/bolt/migrator/migrate_dbversion24.go
+++ b/api/bolt/migrator/migrate_dbversion24.go
@@ -1,12 +1,10 @@
 package migrator

 import (
-	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api"
 )

 func (m *Migrator) updateSettingsToDB25() error {
-	migrateLog.Info("Updating settings")
-
 	legacySettings, err := m.settingsService.Settings()
 	if err != nil {
 		return err
--- a/api/bolt/migrator/migrate_dbversion25.go
+++ b/api/bolt/migrator/migrate_dbversion25.go
@@ -5,7 +5,6 @@ import (
 )

 func (m *Migrator) updateEndpointSettingsToDB25() error {
-	migrateLog.Info("Updating endpoint settings")
 	settings, err := m.settingsService.Settings()
 	if err != nil {
 		return err
--- a/api/bolt/migrator/migrate_dbversion26.go
+++ b/api/bolt/migrator/migrate_dbversion26.go
@@ -7,7 +7,6 @@ import (
 )

 func (m *Migrator) updateStackResourceControlToDB27() error {
-	migrateLog.Info("Updating stack resource controls")
 	resourceControls, err := m.resourceControlService.ResourceControls()
 	if err != nil {
 		return err
--- a/api/bolt/migrator/migrate_dbversion29.go
+++ b/api/bolt/migrator/migrate_dbversion29.go
@@ -1,21 +0,0 @@
-package migrator
-
-func (m *Migrator) migrateDBVersionToDB30() error {
-	migrateLog.Info("Updating legacy settings")
-	if err := m.migrateSettingsToDB30(); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (m *Migrator) migrateSettingsToDB30() error {
-	legacySettings, err := m.settingsService.Settings()
-	if err != nil {
-		return err
-	}
-
-	legacySettings.OAuthSettings.SSO = false
-	legacySettings.OAuthSettings.LogoutURI = ""
-	return m.settingsService.UpdateSettings(legacySettings)
-}
--- a/api/bolt/migrator/migrate_dbversion29_test.go
+++ b/api/bolt/migrator/migrate_dbversion29_test.go
@@ -1,95 +0,0 @@
-package migrator
-
-import (
-	"os"
-	"path"
-	"testing"
-	"time"
-
-	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer/api/bolt/internal"
-	"github.com/portainer/portainer/api/bolt/settings"
-)
-
-var (
-	testingDBStorePath string
-	testingDBFileName  string
-	dummyLogoURL       string
-	dbConn             *bolt.DB
-	settingsService    *settings.Service
-)
-
-// initTestingDBConn creates a raw bolt DB connection
-// for unit testing usage only since using NewStore will cause cycle import inside migrator pkg
-func initTestingDBConn(storePath, fileName string) (*bolt.DB, error) {
-	databasePath := path.Join(storePath, fileName)
-	dbConn, err := bolt.Open(databasePath, 0600, &bolt.Options{Timeout: 1 * time.Second})
-	if err != nil {
-		return nil, err
-	}
-	return dbConn, nil
-}
-
-// initTestingDBConn creates a settings service with raw bolt DB connection
-// for unit testing usage only since using NewStore will cause cycle import inside migrator pkg
-func initTestingSettingsService(dbConn *bolt.DB, preSetObj map[string]interface{}) (*settings.Service, error) {
-	internalDBConn := &internal.DbConnection{
-		DB: dbConn,
-	}
-	settingsService, err := settings.NewService(internalDBConn)
-	if err != nil {
-		return nil, err
-	}
-	//insert a obj
-	if err := internal.UpdateObject(internalDBConn, "settings", []byte("SETTINGS"), preSetObj); err != nil {
-		return nil, err
-	}
-	return settingsService, nil
-}
-
-func setup() error {
-	testingDBStorePath, _ = os.Getwd()
-	testingDBFileName = "portainer-ee-mig-30.db"
-	dummyLogoURL = "example.com"
-	var err error
-	dbConn, err = initTestingDBConn(testingDBStorePath, testingDBFileName)
-	if err != nil {
-		return err
-	}
-	dummySettingsObj := map[string]interface{}{
-		"LogoURL": dummyLogoURL,
-	}
-	settingsService, err = initTestingSettingsService(dbConn, dummySettingsObj)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func TestMigrateSettings(t *testing.T) {
-	if err := setup(); err != nil {
-		t.Errorf("failed to complete testing setups, err: %v", err)
-	}
-	defer dbConn.Close()
-	defer os.Remove(testingDBFileName)
-	m := &Migrator{
-		db:              dbConn,
-		settingsService: settingsService,
-	}
-	if err := m.migrateSettingsToDB30(); err != nil {
-		t.Errorf("failed to update settings: %v", err)
-	}
-	updatedSettings, err := m.settingsService.Settings()
-	if err != nil {
-		t.Errorf("failed to retrieve the updated settings: %v", err)
-	}
-	if updatedSettings.LogoURL != dummyLogoURL {
-		t.Errorf("unexpected value changes in the updated settings, want LogoURL value: %s, got LogoURL value: %s", dummyLogoURL, updatedSettings.LogoURL)
-	}
-	if updatedSettings.OAuthSettings.SSO != false {
-		t.Errorf("unexpected default OAuth SSO setting, want: false, got: %t", updatedSettings.OAuthSettings.SSO)
-	}
-	if updatedSettings.OAuthSettings.LogoutURI != "" {
-		t.Errorf("unexpected default OAuth HideInternalAuth setting, want:, got: %s", updatedSettings.OAuthSettings.LogoutURI)
-	}
-}
--- a/api/bolt/migrator/migrate_dbversion31.go
+++ b/api/bolt/migrator/migrate_dbversion31.go
@@ -1,282 +0,0 @@
-package migrator
-
-import (
-	"fmt"
-	"log"
-
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/errors"
-	"github.com/portainer/portainer/api/internal/endpointutils"
-	snapshotutils "github.com/portainer/portainer/api/internal/snapshot"
-)
-
-func (m *Migrator) migrateDBVersionToDB32() error {
-	migrateLog.Info("Updating registries")
-	err := m.updateRegistriesToDB32()
-	if err != nil {
-		return err
-	}
-
-	migrateLog.Info("Updating dockerhub")
-	err = m.updateDockerhubToDB32()
-	if err != nil {
-		return err
-	}
-
-	migrateLog.Info("Updating resource controls")
-	if err := m.updateVolumeResourceControlToDB32(); err != nil {
-		return err
-	}
-
-	migrateLog.Info("Updating kubeconfig expiry")
-	if err := m.kubeconfigExpiryToDB32(); err != nil {
-		return err
-	}
-
-	migrateLog.Info("Setting default helm repository url")
-	if err := m.helmRepositoryURLToDB32(); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (m *Migrator) updateRegistriesToDB32() error {
-	registries, err := m.registryService.Registries()
-	if err != nil {
-		return err
-	}
-
-	endpoints, err := m.endpointService.Endpoints()
-	if err != nil {
-		return err
-	}
-
-	for _, registry := range registries {
-
-		registry.RegistryAccesses = portainer.RegistryAccesses{}
-
-		for _, endpoint := range endpoints {
-
-			filteredUserAccessPolicies := portainer.UserAccessPolicies{}
-			for userId, registryPolicy := range registry.UserAccessPolicies {
-				if _, found := endpoint.UserAccessPolicies[userId]; found {
-					filteredUserAccessPolicies[userId] = registryPolicy
-				}
-			}
-
-			filteredTeamAccessPolicies := portainer.TeamAccessPolicies{}
-			for teamId, registryPolicy := range registry.TeamAccessPolicies {
-				if _, found := endpoint.TeamAccessPolicies[teamId]; found {
-					filteredTeamAccessPolicies[teamId] = registryPolicy
-				}
-			}
-
-			registry.RegistryAccesses[endpoint.ID] = portainer.RegistryAccessPolicies{
-				UserAccessPolicies: filteredUserAccessPolicies,
-				TeamAccessPolicies: filteredTeamAccessPolicies,
-				Namespaces:         []string{},
-			}
-		}
-		m.registryService.UpdateRegistry(registry.ID, &registry)
-	}
-	return nil
-}
-
-func (m *Migrator) updateDockerhubToDB32() error {
-	dockerhub, err := m.dockerhubService.DockerHub()
-	if err == errors.ErrObjectNotFound {
-		return nil
-	} else if err != nil {
-		return err
-	}
-
-	if !dockerhub.Authentication {
-		return nil
-	}
-
-	registry := &portainer.Registry{
-		Type:             portainer.DockerHubRegistry,
-		Name:             "Dockerhub (authenticated - migrated)",
-		URL:              "docker.io",
-		Authentication:   true,
-		Username:         dockerhub.Username,
-		Password:         dockerhub.Password,
-		RegistryAccesses: portainer.RegistryAccesses{},
-	}
-
-	// The following code will make this function idempotent.
-	// i.e. if run again, it will not change the data.  It will ensure that
-	// we only have one migrated registry entry. Duplicates will be removed
-	// if they exist and which has been happening due to earlier migration bugs
-	migrated := false
-	registries, _ := m.registryService.Registries()
-	for _, r := range registries {
-		if r.Type == registry.Type &&
-			r.Name == registry.Name &&
-			r.URL == registry.URL &&
-			r.Authentication == registry.Authentication {
-
-			if !migrated {
-				// keep this one entry
-				migrated = true
-			} else {
-				// delete subsequent duplicates
-				m.registryService.DeleteRegistry(portainer.RegistryID(r.ID))
-			}
-		}
-	}
-
-	if migrated {
-		return nil
-	}
-
-	endpoints, err := m.endpointService.Endpoints()
-	if err != nil {
-		return err
-	}
-
-	for _, endpoint := range endpoints {
-
-		if endpoint.Type != portainer.KubernetesLocalEnvironment &&
-			endpoint.Type != portainer.AgentOnKubernetesEnvironment &&
-			endpoint.Type != portainer.EdgeAgentOnKubernetesEnvironment {
-
-			userAccessPolicies := portainer.UserAccessPolicies{}
-			for userId := range endpoint.UserAccessPolicies {
-				if _, found := endpoint.UserAccessPolicies[userId]; found {
-					userAccessPolicies[userId] = portainer.AccessPolicy{
-						RoleID: 0,
-					}
-				}
-			}
-
-			teamAccessPolicies := portainer.TeamAccessPolicies{}
-			for teamId := range endpoint.TeamAccessPolicies {
-				if _, found := endpoint.TeamAccessPolicies[teamId]; found {
-					teamAccessPolicies[teamId] = portainer.AccessPolicy{
-						RoleID: 0,
-					}
-				}
-			}
-
-			registry.RegistryAccesses[endpoint.ID] = portainer.RegistryAccessPolicies{
-				UserAccessPolicies: userAccessPolicies,
-				TeamAccessPolicies: teamAccessPolicies,
-				Namespaces:         []string{},
-			}
-		}
-	}
-
-	return m.registryService.CreateRegistry(registry)
-}
-
-func (m *Migrator) updateVolumeResourceControlToDB32() error {
-	endpoints, err := m.endpointService.Endpoints()
-	if err != nil {
-		return fmt.Errorf("failed fetching environments: %w", err)
-	}
-
-	resourceControls, err := m.resourceControlService.ResourceControls()
-	if err != nil {
-		return fmt.Errorf("failed fetching resource controls: %w", err)
-	}
-
-	toUpdate := map[portainer.ResourceControlID]string{}
-	volumeResourceControls := map[string]*portainer.ResourceControl{}
-
-	for i := range resourceControls {
-		resourceControl := resourceControls[i]
-		if resourceControl.Type == portainer.VolumeResourceControl {
-			volumeResourceControls[resourceControl.ResourceID] = &resourceControl
-		}
-	}
-
-	for _, endpoint := range endpoints {
-		if !endpointutils.IsDockerEndpoint(&endpoint) {
-			continue
-		}
-
-		totalSnapshots := len(endpoint.Snapshots)
-		if totalSnapshots == 0 {
-			log.Println("[DEBUG] [volume migration] [message: no snapshot found]")
-			continue
-		}
-
-		snapshot := endpoint.Snapshots[totalSnapshots-1]
-
-		endpointDockerID, err := snapshotutils.FetchDockerID(snapshot)
-		if err != nil {
-			log.Printf("[WARN] [bolt,migrator,v31] [message: failed fetching environment docker id] [err: %s]", err)
-			continue
-		}
-
-		if volumesData, done := snapshot.SnapshotRaw.Volumes.(map[string]interface{}); done {
-			if volumesData["Volumes"] == nil {
-				log.Println("[DEBUG] [volume migration] [message: no volume data found]")
-				continue
-			}
-
-			findResourcesToUpdateForDB32(endpointDockerID, volumesData, toUpdate, volumeResourceControls)
-		}
-	}
-
-	for _, resourceControl := range volumeResourceControls {
-		if newResourceID, ok := toUpdate[resourceControl.ID]; ok {
-			resourceControl.ResourceID = newResourceID
-			err := m.resourceControlService.UpdateResourceControl(resourceControl.ID, resourceControl)
-			if err != nil {
-				return fmt.Errorf("failed updating resource control %d: %w", resourceControl.ID, err)
-			}
-
-		} else {
-			err := m.resourceControlService.DeleteResourceControl(resourceControl.ID)
-			if err != nil {
-				return fmt.Errorf("failed deleting resource control %d: %w", resourceControl.ID, err)
-			}
-			log.Printf("[DEBUG] [volume migration] [message: legacy resource control(%s) has been deleted]", resourceControl.ResourceID)
-		}
-	}
-
-	return nil
-}
-
-func findResourcesToUpdateForDB32(dockerID string, volumesData map[string]interface{}, toUpdate map[portainer.ResourceControlID]string, volumeResourceControls map[string]*portainer.ResourceControl) {
-	volumes := volumesData["Volumes"].([]interface{})
-	for _, volumeMeta := range volumes {
-		volume := volumeMeta.(map[string]interface{})
-		volumeName, nameExist := volume["Name"].(string)
-		if !nameExist {
-			continue
-		}
-		createTime, createTimeExist := volume["CreatedAt"].(string)
-		if !createTimeExist {
-			continue
-		}
-
-		oldResourceID := fmt.Sprintf("%s%s", volumeName, createTime)
-		resourceControl, ok := volumeResourceControls[oldResourceID]
-
-		if ok {
-			toUpdate[resourceControl.ID] = fmt.Sprintf("%s_%s", volumeName, dockerID)
-		}
-	}
-}
-
-func (m *Migrator) kubeconfigExpiryToDB32() error {
-	settings, err := m.settingsService.Settings()
-	if err != nil {
-		return err
-	}
-	settings.KubeconfigExpiry = portainer.DefaultKubeconfigExpiry
-	return m.settingsService.UpdateSettings(settings)
-}
-
-func (m *Migrator) helmRepositoryURLToDB32() error {
-	settings, err := m.settingsService.Settings()
-	if err != nil {
-		return err
-	}
-	settings.HelmRepositoryURL = portainer.DefaultHelmRepositoryURL
-	return m.settingsService.UpdateSettings(settings)
-}
--- a/api/bolt/migrator/migrate_dbversion32.go
+++ b/api/bolt/migrator/migrate_dbversion32.go
@@ -1,22 +0,0 @@
-package migrator
-
-import portainer "github.com/portainer/portainer/api"
-
-func (m *Migrator) migrateDBVersionToDB33() error {
-	if err := m.migrateSettingsToDB33(); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (m *Migrator) migrateSettingsToDB33() error {
-	settings, err := m.settingsService.Settings()
-	if err != nil {
-		return err
-	}
-
-	migrateLog.Info("Setting default kubectl shell image")
-	settings.KubectlShellImage = portainer.DefaultKubectlShellImage
-	return m.settingsService.UpdateSettings(settings)
-}
--- a/api/bolt/migrator/migrate_dbversion33.go
+++ b/api/bolt/migrator/migrate_dbversion33.go
@@ -1,33 +0,0 @@
-package migrator
-
-import (
-	portainer "github.com/portainer/portainer/api"
-)
-
-func (m *Migrator) migrateDBVersionToDB34() error {
-	migrateLog.Info("Migrating stacks")
-	err := migrateStackEntryPoint(m.stackService)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func migrateStackEntryPoint(stackService portainer.StackService) error {
-	stacks, err := stackService.Stacks()
-	if err != nil {
-		return err
-	}
-	for i := range stacks {
-		stack := &stacks[i]
-		if stack.GitConfig == nil {
-			continue
-		}
-		stack.GitConfig.ConfigFilePath = stack.EntryPoint
-		if err := stackService.UpdateStack(stack.ID, stack); err != nil {
-			return err
-		}
-	}
-	return nil
-}
--- a/api/bolt/migrator/migrate_dbversion33_test.go
+++ b/api/bolt/migrator/migrate_dbversion33_test.go
@@ -1,51 +0,0 @@
-package migrator
-
-import (
-	"path"
-	"testing"
-	"time"
-
-	"github.com/boltdb/bolt"
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/internal"
-	"github.com/portainer/portainer/api/bolt/stack"
-	gittypes "github.com/portainer/portainer/api/git/types"
-	"github.com/stretchr/testify/assert"
-)
-
-func TestMigrateStackEntryPoint(t *testing.T) {
-	dbConn, err := bolt.Open(path.Join(t.TempDir(), "portainer-ee-mig-34.db"), 0600, &bolt.Options{Timeout: 1 * time.Second})
-	assert.NoError(t, err, "failed to init testing DB connection")
-	defer dbConn.Close()
-
-	stackService, err := stack.NewService(&internal.DbConnection{DB: dbConn})
-	assert.NoError(t, err, "failed to init testing Stack service")
-
-	stacks := []*portainer.Stack{
-		{
-			ID:         1,
-			EntryPoint: "dir/sub/compose.yml",
-		},
-		{
-			ID:         2,
-			EntryPoint: "dir/sub/compose.yml",
-			GitConfig:  &gittypes.RepoConfig{},
-		},
-	}
-
-	for _, s := range stacks {
-		err := stackService.CreateStack(s)
-		assert.NoError(t, err, "failed to create stack")
-	}
-
-	err = migrateStackEntryPoint(stackService)
-	assert.NoError(t, err, "failed to migrate entry point to Git ConfigFilePath")
-
-	s, err := stackService.Stack(1)
-	assert.NoError(t, err)
-	assert.Nil(t, s.GitConfig, "first stack should not have git config")
-
-	s, err = stackService.Stack(2)
-	assert.NoError(t, err)
-	assert.Equal(t, "dir/sub/compose.yml", s.GitConfig.ConfigFilePath, "second stack should have config file path migrated")
-}
--- a/api/bolt/migrator/migrate_dbversion34.go
+++ b/api/bolt/migrator/migrate_dbversion34.go
@@ -1,12 +0,0 @@
-package migrator
-
-func (m *Migrator) migrateDBVersionToDB35() error {
-	// These should have been migrated already, but due to an earlier bug and a bunch of duplicates,
-	// calling it again will now fix the issue as the function has been repaired.
-	migrateLog.Info("Updating dockerhub registries")
-	err := m.updateDockerhubToDB32()
-	if err != nil {
-		return err
-	}
-	return nil
-}
--- a/api/bolt/migrator/migrate_dbversion34_test.go
+++ b/api/bolt/migrator/migrate_dbversion34_test.go
@@ -1,108 +0,0 @@
-package migrator
-
-import (
-	"os"
-	"path"
-	"testing"
-	"time"
-
-	"github.com/boltdb/bolt"
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/dockerhub"
-	"github.com/portainer/portainer/api/bolt/endpoint"
-	"github.com/portainer/portainer/api/bolt/internal"
-	"github.com/portainer/portainer/api/bolt/registry"
-	"github.com/stretchr/testify/assert"
-)
-
-const (
-	db35TestFile = "portainer-mig-35.db"
-	username     = "portainer"
-	password     = "password"
-)
-
-func setupDB35Test(t *testing.T) *Migrator {
-	is := assert.New(t)
-	dbConn, err := bolt.Open(path.Join(t.TempDir(), db35TestFile), 0600, &bolt.Options{Timeout: 1 * time.Second})
-	is.NoError(err, "failed to init testing DB connection")
-
-	// Create an old style dockerhub authenticated account
-	dockerhubService, err := dockerhub.NewService(&internal.DbConnection{DB: dbConn})
-	is.NoError(err, "failed to init testing registry service")
-	err = dockerhubService.UpdateDockerHub(&portainer.DockerHub{true, username, password})
-	is.NoError(err, "failed to create dockerhub account")
-
-	registryService, err := registry.NewService(&internal.DbConnection{DB: dbConn})
-	is.NoError(err, "failed to init testing registry service")
-
-	endpointService, err := endpoint.NewService(&internal.DbConnection{DB: dbConn})
-	is.NoError(err, "failed to init endpoint service")
-
-	m := &Migrator{
-		db:               dbConn,
-		dockerhubService: dockerhubService,
-		registryService:  registryService,
-		endpointService:  endpointService,
-	}
-
-	return m
-}
-
-// TestUpdateDockerhubToDB32 tests a normal upgrade
-func TestUpdateDockerhubToDB32(t *testing.T) {
-	is := assert.New(t)
-	m := setupDB35Test(t)
-	defer m.db.Close()
-	defer os.Remove(db35TestFile)
-
-	if err := m.updateDockerhubToDB32(); err != nil {
-		t.Errorf("failed to update settings: %v", err)
-	}
-
-	// Verify we have a single registry were created
-	registries, err := m.registryService.Registries()
-	is.NoError(err, "failed to read registries from the RegistryService")
-	is.Equal(len(registries), 1, "only one migrated registry expected")
-}
-
-// TestUpdateDockerhubToDB32_with_duplicate_migrations tests an upgrade where in earlier versions a broken migration
-// created a large number of duplicate "dockerhub migrated" registry entries.
-func TestUpdateDockerhubToDB32_with_duplicate_migrations(t *testing.T) {
-	is := assert.New(t)
-	m := setupDB35Test(t)
-	defer m.db.Close()
-	defer os.Remove(db35TestFile)
-
-	// Create lots of duplicate entries...
-	registry := &portainer.Registry{
-		Type:             portainer.DockerHubRegistry,
-		Name:             "Dockerhub (authenticated - migrated)",
-		URL:              "docker.io",
-		Authentication:   true,
-		Username:         "portainer",
-		Password:         "password",
-		RegistryAccesses: portainer.RegistryAccesses{},
-	}
-
-	for i := 1; i < 150; i++ {
-		err := m.registryService.CreateRegistry(registry)
-		assert.NoError(t, err, "create registry failed")
-	}
-
-	// Verify they were created
-	registries, err := m.registryService.Registries()
-	is.NoError(err, "failed to read registries from the RegistryService")
-	is.Condition(func() bool {
-		return len(registries) > 1
-	}, "expected multiple duplicate registry entries")
-
-	// Now run the migrator
-	if err := m.updateDockerhubToDB32(); err != nil {
-		t.Errorf("failed to update settings: %v", err)
-	}
-
-	// Verify we have a single registry were created
-	registries, err = m.registryService.Registries()
-	is.NoError(err, "failed to read registries from the RegistryService")
-	is.Equal(len(registries), 1, "only one migrated registry expected")
-}
--- a/api/bolt/migrator/migrator.go
+++ b/api/bolt/migrator/migrator.go
@@ -3,12 +3,10 @@ package migrator
 import (
 	"github.com/boltdb/bolt"
 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/dockerhub"
 	"github.com/portainer/portainer/api/bolt/endpoint"
 	"github.com/portainer/portainer/api/bolt/endpointgroup"
 	"github.com/portainer/portainer/api/bolt/endpointrelation"
 	"github.com/portainer/portainer/api/bolt/extension"
-	plog "github.com/portainer/portainer/api/bolt/log"
 	"github.com/portainer/portainer/api/bolt/registry"
 	"github.com/portainer/portainer/api/bolt/resourcecontrol"
 	"github.com/portainer/portainer/api/bolt/role"
@@ -22,14 +20,11 @@ import (
 	"github.com/portainer/portainer/api/internal/authorization"
 )

-var migrateLog = plog.NewScopedLog("bolt, migrate")
-
 type (
 	// Migrator defines a service to migrate data after a Portainer version update.
 	Migrator struct {
-		db               *bolt.DB
-		currentDBVersion int
-
+		currentDBVersion        int
+		db                      *bolt.DB
 		endpointGroupService    *endpointgroup.Service
 		endpointService         *endpoint.Service
 		endpointRelationService *endpointrelation.Service
@@ -46,7 +41,6 @@ type (
 		versionService          *version.Service
 		fileService             portainer.FileService
 		authorizationService    *authorization.Service
-		dockerhubService        *dockerhub.Service
 	}

 	// Parameters represents the required parameters to create a new Migrator instance.
@@ -69,7 +63,6 @@ type (
 		VersionService          *version.Service
 		FileService             portainer.FileService
 		AuthorizationService    *authorization.Service
-		DockerhubService        *dockerhub.Service
 	}
 )

@@ -94,11 +87,276 @@ func NewMigrator(parameters *Parameters) *Migrator {
 		versionService:          parameters.VersionService,
 		fileService:             parameters.FileService,
 		authorizationService:    parameters.AuthorizationService,
-		dockerhubService:        parameters.DockerhubService,
 	}
 }

-// Version exposes version of database
-func (migrator *Migrator) Version() int {
-	return migrator.currentDBVersion
+// Migrate checks the database version and migrate the existing data to the most recent data model.
+func (m *Migrator) Migrate() error {
+	// Portainer < 1.12
+	if m.currentDBVersion < 1 {
+		err := m.updateAdminUserToDBVersion1()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.12.x
+	if m.currentDBVersion < 2 {
+		err := m.updateResourceControlsToDBVersion2()
+		if err != nil {
+			return err
+		}
+		err = m.updateEndpointsToDBVersion2()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.13.x
+	if m.currentDBVersion < 3 {
+		err := m.updateSettingsToDBVersion3()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.14.0
+	if m.currentDBVersion < 4 {
+		err := m.updateEndpointsToDBVersion4()
+		if err != nil {
+			return err
+		}
+	}
+
+	// https://github.com/portainer/portainer/issues/1235
+	if m.currentDBVersion < 5 {
+		err := m.updateSettingsToVersion5()
+		if err != nil {
+			return err
+		}
+	}
+
+	// https://github.com/portainer/portainer/issues/1236
+	if m.currentDBVersion < 6 {
+		err := m.updateSettingsToVersion6()
+		if err != nil {
+			return err
+		}
+	}
+
+	// https://github.com/portainer/portainer/issues/1449
+	if m.currentDBVersion < 7 {
+		err := m.updateSettingsToVersion7()
+		if err != nil {
+			return err
+		}
+	}
+
+	if m.currentDBVersion < 8 {
+		err := m.updateEndpointsToVersion8()
+		if err != nil {
+			return err
+		}
+	}
+
+	// https: //github.com/portainer/portainer/issues/1396
+	if m.currentDBVersion < 9 {
+		err := m.updateEndpointsToVersion9()
+		if err != nil {
+			return err
+		}
+	}
+
+	// https://github.com/portainer/portainer/issues/461
+	if m.currentDBVersion < 10 {
+		err := m.updateEndpointsToVersion10()
+		if err != nil {
+			return err
+		}
+	}
+
+	// https://github.com/portainer/portainer/issues/1906
+	if m.currentDBVersion < 11 {
+		err := m.updateEndpointsToVersion11()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.18.0
+	if m.currentDBVersion < 12 {
+		err := m.updateEndpointsToVersion12()
+		if err != nil {
+			return err
+		}
+
+		err = m.updateEndpointGroupsToVersion12()
+		if err != nil {
+			return err
+		}
+
+		err = m.updateStacksToVersion12()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.19.0
+	if m.currentDBVersion < 13 {
+		err := m.updateSettingsToVersion13()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.19.2
+	if m.currentDBVersion < 14 {
+		err := m.updateResourceControlsToDBVersion14()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.20.0
+	if m.currentDBVersion < 15 {
+		err := m.updateSettingsToDBVersion15()
+		if err != nil {
+			return err
+		}
+
+		err = m.updateTemplatesToVersion15()
+		if err != nil {
+			return err
+		}
+	}
+
+	if m.currentDBVersion < 16 {
+		err := m.updateSettingsToDBVersion16()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.20.1
+	if m.currentDBVersion < 17 {
+		err := m.updateExtensionsToDBVersion17()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.21.0
+	if m.currentDBVersion < 18 {
+		err := m.updateUsersToDBVersion18()
+		if err != nil {
+			return err
+		}
+
+		err = m.updateEndpointsToDBVersion18()
+		if err != nil {
+			return err
+		}
+
+		err = m.updateEndpointGroupsToDBVersion18()
+		if err != nil {
+			return err
+		}
+
+		err = m.updateRegistriesToDBVersion18()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.22.0
+	if m.currentDBVersion < 19 {
+		err := m.updateSettingsToDBVersion19()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.22.1
+	if m.currentDBVersion < 20 {
+		err := m.updateUsersToDBVersion20()
+		if err != nil {
+			return err
+		}
+
+		err = m.updateSettingsToDBVersion20()
+		if err != nil {
+			return err
+		}
+
+		err = m.updateSchedulesToDBVersion20()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.23.0
+	// DBVersion 21 is missing as it was shipped as via hotfix 1.22.2
+	if m.currentDBVersion < 22 {
+		err := m.updateResourceControlsToDBVersion22()
+		if err != nil {
+			return err
+		}
+
+		err = m.updateUsersAndRolesToDBVersion22()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.24.0
+	if m.currentDBVersion < 23 {
+		err := m.updateTagsToDBVersion23()
+		if err != nil {
+			return err
+		}
+
+		err = m.updateEndpointsAndEndpointGroupsToDBVersion23()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.24.1
+	if m.currentDBVersion < 24 {
+		err := m.updateSettingsToDB24()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 2.0.0
+	if m.currentDBVersion < 25 {
+		err := m.updateSettingsToDB25()
+		if err != nil {
+			return err
+		}
+
+		err = m.updateStacksToDB24()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 2.1.0
+	if m.currentDBVersion < 26 {
+		err := m.updateEndpointSettingsToDB25()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 2.2.0
+	if m.currentDBVersion < 27 {
+		err := m.updateStackResourceControlToDB27()
+		if err != nil {
+			return err
+		}
+	}
+
+	return m.versionService.StoreDBVersion(portainer.DBVersion)
 }
--- a/api/bolt/registry/registry.go
+++ b/api/bolt/registry/registry.go
@@ -12,7 +12,7 @@ const (
 	BucketName = "registries"
 )

-// Service represents a service for managing environment(endpoint) data.
+// Service represents a service for managing endpoint data.
 type Service struct {
 	connection *internal.DbConnection
 }
--- a/api/bolt/resourcecontrol/resourcecontrol.go
+++ b/api/bolt/resourcecontrol/resourcecontrol.go
@@ -12,7 +12,7 @@ const (
 	BucketName = "resource_control"
 )

-// Service represents a service for managing environment(endpoint) data.
+// Service represents a service for managing endpoint data.
 type Service struct {
 	connection *internal.DbConnection
 }
--- a/api/bolt/role/role.go
+++ b/api/bolt/role/role.go
@@ -12,7 +12,7 @@ const (
 	BucketName = "roles"
 )

-// Service represents a service for managing environment(endpoint) data.
+// Service represents a service for managing endpoint data.
 type Service struct {
 	connection *internal.DbConnection
 }
--- a/api/bolt/services.go
+++ b/api/bolt/services.go
@@ -2,7 +2,6 @@ package bolt

 import (
 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/apikeyrepository"
 	"github.com/portainer/portainer/api/bolt/customtemplate"
 	"github.com/portainer/portainer/api/bolt/dockerhub"
 	"github.com/portainer/portainer/api/bolt/edgegroup"
@@ -12,13 +11,11 @@ import (
 	"github.com/portainer/portainer/api/bolt/endpointgroup"
 	"github.com/portainer/portainer/api/bolt/endpointrelation"
 	"github.com/portainer/portainer/api/bolt/extension"
-	"github.com/portainer/portainer/api/bolt/helmuserrepository"
 	"github.com/portainer/portainer/api/bolt/registry"
 	"github.com/portainer/portainer/api/bolt/resourcecontrol"
 	"github.com/portainer/portainer/api/bolt/role"
 	"github.com/portainer/portainer/api/bolt/schedule"
 	"github.com/portainer/portainer/api/bolt/settings"
-	"github.com/portainer/portainer/api/bolt/ssl"
 	"github.com/portainer/portainer/api/bolt/stack"
 	"github.com/portainer/portainer/api/bolt/tag"
 	"github.com/portainer/portainer/api/bolt/team"
@@ -90,12 +87,6 @@ func (store *Store) initServices() error {
 	}
 	store.ExtensionService = extensionService

-	helmUserRepositoryService, err := helmuserrepository.NewService(store.connection)
-	if err != nil {
-		return err
-	}
-	store.HelmUserRepositoryService = helmUserRepositoryService
-
 	registryService, err := registry.NewService(store.connection)
 	if err != nil {
 		return err
@@ -114,12 +105,6 @@ func (store *Store) initServices() error {
 	}
 	store.SettingsService = settingsService

-	sslSettingsService, err := ssl.NewService(store.connection)
-	if err != nil {
-		return err
-	}
-	store.SSLSettingsService = sslSettingsService
-
 	stackService, err := stack.NewService(store.connection)
 	if err != nil {
 		return err
@@ -156,12 +141,6 @@ func (store *Store) initServices() error {
 	}
 	store.UserService = userService

-	apiKeyService, err := apikeyrepository.NewService(store.connection)
-	if err != nil {
-		return err
-	}
-	store.APIKeyRepositoryService = apiKeyService
-
 	versionService, err := version.NewService(store.connection)
 	if err != nil {
 		return err
@@ -188,6 +167,11 @@ func (store *Store) CustomTemplate() portainer.CustomTemplateService {
 	return store.CustomTemplateService
 }

+// DockerHub gives access to the DockerHub data management layer
+func (store *Store) DockerHub() portainer.DockerHubService {
+	return store.DockerHubService
+}
+
 // EdgeGroup gives access to the EdgeGroup data management layer
 func (store *Store) EdgeGroup() portainer.EdgeGroupService {
 	return store.EdgeGroupService
@@ -203,7 +187,7 @@ func (store *Store) EdgeStack() portainer.EdgeStackService {
 	return store.EdgeStackService
 }

-// Environment(Endpoint) gives access to the Environment(Endpoint) data management layer
+// Endpoint gives access to the Endpoint data management layer
 func (store *Store) Endpoint() portainer.EndpointService {
 	return store.EndpointService
 }
@@ -218,11 +202,6 @@ func (store *Store) EndpointRelation() portainer.EndpointRelationService {
 	return store.EndpointRelationService
 }

-// HelmUserRepository access the helm user repository settings
-func (store *Store) HelmUserRepository() portainer.HelmUserRepositoryService {
-	return store.HelmUserRepositoryService
-}
-
 // Registry gives access to the Registry data management layer
 func (store *Store) Registry() portainer.RegistryService {
 	return store.RegistryService
@@ -238,21 +217,11 @@ func (store *Store) Role() portainer.RoleService {
 	return store.RoleService
 }

-// APIKeyRepository gives access to the api-key data management layer
-func (store *Store) APIKeyRepository() portainer.APIKeyRepository {
-	return store.APIKeyRepositoryService
-}
-
 // Settings gives access to the Settings data management layer
 func (store *Store) Settings() portainer.SettingsService {
 	return store.SettingsService
 }

-// SSLSettings gives access to the SSL Settings data management layer
-func (store *Store) SSLSettings() portainer.SSLSettingsService {
-	return store.SSLSettingsService
-}
-
 // Stack gives access to the Stack data management layer
 func (store *Store) Stack() portainer.StackService {
 	return store.StackService
--- a/api/bolt/settings/settings.go
+++ b/api/bolt/settings/settings.go
@@ -11,7 +11,7 @@ const (
 	settingsKey = "SETTINGS"
 )

-// Service represents a service for managing environment(endpoint) data.
+// Service represents a service for managing endpoint data.
 type Service struct {
 	connection *internal.DbConnection
 }
@@ -44,17 +44,3 @@ func (service *Service) Settings() (*portainer.Settings, error) {
 func (service *Service) UpdateSettings(settings *portainer.Settings) error {
 	return internal.UpdateObject(service.connection, BucketName, []byte(settingsKey), settings)
 }
-
-func (service *Service) IsFeatureFlagEnabled(feature portainer.Feature) bool {
-	settings, err := service.Settings()
-	if err != nil {
-		return false
-	}
-
-	featureFlagSetting, ok := settings.FeatureFlagSettings[feature]
-	if ok {
-		return featureFlagSetting
-	}
-
-	return false
-}
--- a/api/bolt/ssl/ssl.go
+++ b/api/bolt/ssl/ssl.go
@@ -1,46 +0,0 @@
-package ssl
-
-import (
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/internal"
-)
-
-const (
-	// BucketName represents the name of the bucket where this service stores data.
-	BucketName = "ssl"
-	key        = "SSL"
-)
-
-// Service represents a service for managing ssl data.
-type Service struct {
-	connection *internal.DbConnection
-}
-
-// NewService creates a new instance of a service.
-func NewService(connection *internal.DbConnection) (*Service, error) {
-	err := internal.CreateBucket(connection, BucketName)
-	if err != nil {
-		return nil, err
-	}
-
-	return &Service{
-		connection: connection,
-	}, nil
-}
-
-// Settings retrieve the ssl settings object.
-func (service *Service) Settings() (*portainer.SSLSettings, error) {
-	var settings portainer.SSLSettings
-
-	err := internal.GetObject(service.connection, BucketName, []byte(key), &settings)
-	if err != nil {
-		return nil, err
-	}
-
-	return &settings, nil
-}
-
-// UpdateSettings persists a SSLSettings object.
-func (service *Service) UpdateSettings(settings *portainer.SSLSettings) error {
-	return internal.UpdateObject(service.connection, BucketName, []byte(key), settings)
-}
--- a/api/bolt/stack/stack.go
+++ b/api/bolt/stack/stack.go
@@ -1,14 +1,11 @@
 package stack

 import (
-	"strings"
-
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/bolt/internal"

 	"github.com/boltdb/bolt"
-	pkgerrors "github.com/pkg/errors"
 )

 const (
@@ -16,7 +13,7 @@ const (
 	BucketName = "stacks"
 )

-// Service represents a service for managing environment(endpoint) data.
+// Service represents a service for managing endpoint data.
 type Service struct {
 	connection *internal.DbConnection
 }
@@ -77,31 +74,6 @@ func (service *Service) StackByName(name string) (*portainer.Stack, error) {
 	return stack, err
 }

-// Stacks returns an array containing all the stacks with same name
-func (service *Service) StacksByName(name string) ([]portainer.Stack, error) {
-	var stacks = make([]portainer.Stack, 0)
-
-	err := service.connection.View(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(BucketName))
-		cursor := bucket.Cursor()
-		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
-			var t portainer.Stack
-			err := internal.UnmarshalObject(v, &t)
-			if err != nil {
-				return err
-			}
-
-			if t.Name == name {
-				stacks = append(stacks, t)
-			}
-		}
-
-		return nil
-	})
-
-	return stacks, err
-}
-
 // Stacks returns an array containing all the stacks.
 func (service *Service) Stacks() ([]portainer.Stack, error) {
 	var stacks = make([]portainer.Stack, 0)
@@ -161,76 +133,3 @@ func (service *Service) DeleteStack(ID portainer.StackID) error {
 	identifier := internal.Itob(int(ID))
 	return internal.DeleteObject(service.connection, BucketName, identifier)
 }
-
-// StackByWebhookID returns a pointer to a stack object by webhook ID.
-// It returns nil, errors.ErrObjectNotFound if there's no stack associated with the webhook ID.
-func (service *Service) StackByWebhookID(id string) (*portainer.Stack, error) {
-	if id == "" {
-		return nil, pkgerrors.New("webhook ID can't be empty string")
-	}
-	var stack portainer.Stack
-	found := false
-
-	err := service.connection.View(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(BucketName))
-		cursor := bucket.Cursor()
-
-		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
-			var t struct {
-				AutoUpdate *struct {
-					WebhookID string `json:"Webhook"`
-				} `json:"AutoUpdate"`
-			}
-
-			err := internal.UnmarshalObject(v, &t)
-			if err != nil {
-				return err
-			}
-
-			if t.AutoUpdate != nil && strings.EqualFold(t.AutoUpdate.WebhookID, id) {
-				found = true
-				err := internal.UnmarshalObject(v, &stack)
-				if err != nil {
-					return err
-				}
-				break
-			}
-		}
-
-		return nil
-	})
-
-	if err != nil {
-		return nil, err
-	}
-	if !found {
-		return nil, errors.ErrObjectNotFound
-	}
-
-	return &stack, nil
-}
-
-// RefreshableStacks returns stacks that are configured for a periodic update
-func (service *Service) RefreshableStacks() ([]portainer.Stack, error) {
-	stacks := make([]portainer.Stack, 0)
-	err := service.connection.View(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(BucketName))
-		cursor := bucket.Cursor()
-
-		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
-			stack := portainer.Stack{}
-			err := internal.UnmarshalObject(v, &stack)
-			if err != nil {
-				return err
-			}
-
-			if stack.AutoUpdate != nil && stack.AutoUpdate.Interval != "" {
-				stacks = append(stacks, stack)
-			}
-		}
-
-		return nil
-	})
-
-	return stacks, err
-}
--- a/api/bolt/stack/tests/stack_test.go
+++ b/api/bolt/stack/tests/stack_test.go
@@ -1,105 +0,0 @@
-package tests
-
-import (
-	"testing"
-	"time"
-
-	"github.com/gofrs/uuid"
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt"
-	bolterrors "github.com/portainer/portainer/api/bolt/errors"
-	"github.com/portainer/portainer/api/filesystem"
-	"github.com/stretchr/testify/assert"
-)
-
-func newGuidString(t *testing.T) string {
-	uuid, err := uuid.NewV4()
-	assert.NoError(t, err)
-
-	return uuid.String()
-}
-
-type stackBuilder struct {
-	t     *testing.T
-	count int
-	store *bolt.Store
-}
-
-func TestService_StackByWebhookID(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping test in short mode. Normally takes ~1s to run.")
-	}
-	store, teardown := bolt.MustNewTestStore(true)
-	defer teardown()
-
-	b := stackBuilder{t: t, store: store}
-	b.createNewStack(newGuidString(t))
-	for i := 0; i < 10; i++ {
-		b.createNewStack("")
-	}
-	webhookID := newGuidString(t)
-	stack := b.createNewStack(webhookID)
-
-	// can find a stack by webhook ID
-	got, err := store.StackService.StackByWebhookID(webhookID)
-	assert.NoError(t, err)
-	assert.Equal(t, stack, *got)
-
-	// returns nil and object not found error if there's no stack associated with the webhook
-	got, err = store.StackService.StackByWebhookID(newGuidString(t))
-	assert.Nil(t, got)
-	assert.ErrorIs(t, err, bolterrors.ErrObjectNotFound)
-}
-
-func (b *stackBuilder) createNewStack(webhookID string) portainer.Stack {
-	b.count++
-	stack := portainer.Stack{
-		ID:           portainer.StackID(b.count),
-		Name:         "Name",
-		Type:         portainer.DockerComposeStack,
-		EndpointID:   2,
-		EntryPoint:   filesystem.ComposeFileDefaultName,
-		Env:          []portainer.Pair{{"Name1", "Value1"}},
-		Status:       portainer.StackStatusActive,
-		CreationDate: time.Now().Unix(),
-		ProjectPath:  "/tmp/project",
-		CreatedBy:    "test",
-	}
-
-	if webhookID == "" {
-		if b.count%2 == 0 {
-			stack.AutoUpdate = &portainer.StackAutoUpdate{
-				Interval: "",
-				Webhook:  "",
-			}
-		} // else keep AutoUpdate nil
-	} else {
-		stack.AutoUpdate = &portainer.StackAutoUpdate{Webhook: webhookID}
-	}
-
-	err := b.store.StackService.CreateStack(&stack)
-	assert.NoError(b.t, err)
-
-	return stack
-}
-
-func Test_RefreshableStacks(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping test in short mode. Normally takes ~1s to run.")
-	}
-	store, teardown := bolt.MustNewTestStore(true)
-	defer teardown()
-
-	staticStack := portainer.Stack{ID: 1}
-	stackWithWebhook := portainer.Stack{ID: 2, AutoUpdate: &portainer.StackAutoUpdate{Webhook: "webhook"}}
-	refreshableStack := portainer.Stack{ID: 3, AutoUpdate: &portainer.StackAutoUpdate{Interval: "1m"}}
-
-	for _, stack := range []*portainer.Stack{&staticStack, &stackWithWebhook, &refreshableStack} {
-		err := store.Stack().CreateStack(stack)
-		assert.NoError(t, err)
-	}
-
-	stacks, err := store.Stack().RefreshableStacks()
-	assert.NoError(t, err)
-	assert.ElementsMatch(t, []portainer.Stack{refreshableStack}, stacks)
-}
--- a/api/bolt/tag/tag.go
+++ b/api/bolt/tag/tag.go
@@ -12,7 +12,7 @@ const (
 	BucketName = "tags"
 )

-// Service represents a service for managing environment(endpoint) data.
+// Service represents a service for managing endpoint data.
 type Service struct {
 	connection *internal.DbConnection
 }
--- a/api/bolt/team/team.go
+++ b/api/bolt/team/team.go
@@ -15,7 +15,7 @@ const (
 	BucketName = "teams"
 )

-// Service represents a service for managing environment(endpoint) data.
+// Service represents a service for managing endpoint data.
 type Service struct {
 	connection *internal.DbConnection
 }
--- a/api/bolt/teammembership/teammembership.go
+++ b/api/bolt/teammembership/teammembership.go
@@ -12,7 +12,7 @@ const (
 	BucketName = "team_membership"
 )

-// Service represents a service for managing environment(endpoint) data.
+// Service represents a service for managing endpoint data.
 type Service struct {
 	connection *internal.DbConnection
 }
--- a/api/bolt/teststore.go
+++ b/api/bolt/teststore.go
@@ -1,68 +0,0 @@
-package bolt
-
-import (
-	"io/ioutil"
-	"log"
-	"os"
-
-	"github.com/pkg/errors"
-	"github.com/portainer/portainer/api/filesystem"
-)
-
-var errTempDir = errors.New("can't create a temp dir")
-
-func MustNewTestStore(init bool) (*Store, func()) {
-	store, teardown, err := NewTestStore(init)
-	if err != nil {
-		if !errors.Is(err, errTempDir) {
-			teardown()
-		}
-		log.Fatal(err)
-	}
-
-	return store, teardown
-}
-
-func NewTestStore(init bool) (*Store, func(), error) {
-	// Creates unique temp directory in a concurrency friendly manner.
-	dataStorePath, err := ioutil.TempDir("", "boltdb")
-	if err != nil {
-		return nil, nil, errors.Wrap(errTempDir, err.Error())
-	}
-
-	fileService, err := filesystem.NewService(dataStorePath, "")
-	if err != nil {
-		return nil, nil, err
-	}
-
-	store := NewStore(dataStorePath, fileService)
-	err = store.Open()
-	if err != nil {
-		return nil, nil, err
-	}
-
-	if init {
-		err = store.Init()
-		if err != nil {
-			return nil, nil, err
-		}
-	}
-
-	teardown := func() {
-		teardown(store, dataStorePath)
-	}
-
-	return store, teardown, nil
-}
-
-func teardown(store *Store, dataStorePath string) {
-	err := store.Close()
-	if err != nil {
-		log.Fatalln(err)
-	}
-
-	err = os.RemoveAll(dataStorePath)
-	if err != nil {
-		log.Fatalln(err)
-	}
-}
--- a/api/bolt/tunnelserver/tunnelserver.go
+++ b/api/bolt/tunnelserver/tunnelserver.go
@@ -11,7 +11,7 @@ const (
 	infoKey    = "INFO"
 )

-// Service represents a service for managing environment(endpoint) data.
+// Service represents a service for managing endpoint data.
 type Service struct {
 	connection *internal.DbConnection
 }
--- a/api/bolt/user/user.go
+++ b/api/bolt/user/user.go
@@ -15,7 +15,7 @@ const (
 	BucketName = "users"
 )

-// Service represents a service for managing environment(endpoint) data.
+// Service represents a service for managing endpoint data.
 type Service struct {
 	connection *internal.DbConnection
 }
--- a/api/bolt/version/version.go
+++ b/api/bolt/version/version.go
@@ -15,7 +15,6 @@ const (
 	versionKey  = "DB_VERSION"
 	instanceKey = "INSTANCE_ID"
 	editionKey  = "EDITION"
-	updatingKey = "DB_UPDATING"
 )

 // Service represents a service to manage stored versions.
@@ -84,21 +83,6 @@ func (service *Service) StoreDBVersion(version int) error {
 	})
 }

-// IsUpdating retrieves the database updating status.
-func (service *Service) IsUpdating() (bool, error) {
-	isUpdating, err := service.getKey(updatingKey)
-	if err != nil {
-		return false, err
-	}
-
-	return strconv.ParseBool(string(isUpdating))
-}
-
-// StoreIsUpdating store the database updating status.
-func (service *Service) StoreIsUpdating(isUpdating bool) error {
-	return service.setKey(updatingKey, strconv.FormatBool(isUpdating))
-}
-
 // InstanceID retrieves the stored instance ID.
 func (service *Service) InstanceID() (string, error) {
 	var data []byte
--- a/api/bolt/webhook/webhook.go
+++ b/api/bolt/webhook/webhook.go
@@ -150,9 +150,3 @@ func (service *Service) CreateWebhook(webhook *portainer.Webhook) error {
 		return bucket.Put(internal.Itob(int(webhook.ID)), data)
 	})
 }
-
-// UpdateWebhook update a webhook.
-func (service *Service) UpdateWebhook(ID portainer.WebhookID, webhook *portainer.Webhook) error {
-	identifier := internal.Itob(int(ID))
-	return internal.UpdateObject(service.connection, BucketName, identifier, webhook)
-}
--- a/api/chisel/schedules.go
+++ b/api/chisel/schedules.go
@@ -6,7 +6,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 )

-// AddEdgeJob register an EdgeJob inside the tunnel details associated to an environment(endpoint).
+// AddEdgeJob register an EdgeJob inside the tunnel details associated to an endpoint.
 func (service *Service) AddEdgeJob(endpointID portainer.EndpointID, edgeJob *portainer.EdgeJob) {
 	tunnel := service.GetTunnelDetails(endpointID)

--- a/api/chisel/service.go
+++ b/api/chisel/service.go
@@ -3,9 +3,7 @@ package chisel
 import (
 	"context"
 	"fmt"
-	"github.com/portainer/portainer/api/http/proxy"
 	"log"
-	"net/http"
 	"strconv"
 	"time"

@@ -33,7 +31,6 @@ type Service struct {
 	snapshotService   portainer.SnapshotService
 	chiselServer      *chserver.Server
 	shutdownCtx       context.Context
-	ProxyManager      *proxy.Manager
 }

 // NewService returns a pointer to a new instance of Service
@@ -45,55 +42,6 @@ func NewService(dataStore portainer.DataStore, shutdownCtx context.Context) *Ser
 	}
 }

-// pingAgent ping the given agent so that the agent can keep the tunnel alive
-func (service *Service) pingAgent(endpointID portainer.EndpointID) error{
-	tunnel := service.GetTunnelDetails(endpointID)
-	requestURL := fmt.Sprintf("http://127.0.0.1:%d/ping", tunnel.Port)
-	req, err := http.NewRequest(http.MethodHead, requestURL, nil)
-	if err != nil {
-		return err
-	}
-
-	httpClient := &http.Client{
-		Timeout: 3 * time.Second,
-	}
-	_, err = httpClient.Do(req)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// KeepTunnelAlive keeps the tunnel of the given environment for maxAlive duration, or until ctx is done
-func (service *Service) KeepTunnelAlive(endpointID portainer.EndpointID, ctx context.Context, maxAlive time.Duration) {
-	go func() {
-		log.Printf("[DEBUG] [chisel,KeepTunnelAlive] [endpoint_id: %d] [message: start for %.0f minutes]\n", endpointID, maxAlive.Minutes())
-		maxAliveTicker := time.NewTicker(maxAlive)
-		defer maxAliveTicker.Stop()
-		pingTicker := time.NewTicker(tunnelCleanupInterval)
-		defer pingTicker.Stop()
-
-		for {
-			select {
-			case <-pingTicker.C:
-				service.SetTunnelStatusToActive(endpointID)
-				err := service.pingAgent(endpointID)
-				if err != nil {
-					log.Printf("[DEBUG] [chisel,KeepTunnelAlive] [endpoint_id: %d] [warning: ping agent err=%s]\n", endpointID, err)
-				}
-			case <-maxAliveTicker.C:
-				log.Printf("[DEBUG] [chisel,KeepTunnelAlive] [endpoint_id: %d] [message: stop as %.0f minutes timeout]\n", endpointID, maxAlive.Minutes())
-				return
-			case <-ctx.Done():
-				err := ctx.Err()
-				log.Printf("[DEBUG] [chisel,KeepTunnelAlive] [endpoint_id: %d] [message: stop as err=%s]\n", endpointID, err)
-				return
-			}
-		}
-	}()
-}
-
 // StartTunnelServer starts a tunnel server on the specified addr and port.
 // It uses a seed to generate a new private/public key pair. If the seed cannot
 // be found inside the database, it will generate a new one randomly and persist it.
@@ -193,7 +141,7 @@ func (service *Service) checkTunnels() {
 		}

 		elapsed := time.Since(tunnel.LastActivity)
-		log.Printf("[DEBUG] [chisel,monitoring] [endpoint_id: %s] [status: %s] [status_time_seconds: %f] [message: environment tunnel monitoring]", item.Key, tunnel.Status, elapsed.Seconds())
+		log.Printf("[DEBUG] [chisel,monitoring] [endpoint_id: %s] [status: %s] [status_time_seconds: %f] [message: endpoint tunnel monitoring]", item.Key, tunnel.Status, elapsed.Seconds())

 		if tunnel.Status == portainer.EdgeAgentManagementRequired && elapsed.Seconds() < requiredTimeout.Seconds() {
 			continue
@@ -208,22 +156,27 @@ func (service *Service) checkTunnels() {

 			endpointID, err := strconv.Atoi(item.Key)
 			if err != nil {
-				log.Printf("[ERROR] [chisel,snapshot,conversion] Invalid environment identifier (id: %s): %s", item.Key, err)
+				log.Printf("[ERROR] [chisel,snapshot,conversion] Invalid endpoint identifier (id: %s): %s", item.Key, err)
 			}

 			err = service.snapshotEnvironment(portainer.EndpointID(endpointID), tunnel.Port)
 			if err != nil {
-				log.Printf("[ERROR] [snapshot] Unable to snapshot Edge environment (id: %s): %s", item.Key, err)
+				log.Printf("[ERROR] [snapshot] Unable to snapshot Edge endpoint (id: %s): %s", item.Key, err)
 			}
 		}

-		endpointID, err := strconv.Atoi(item.Key)
-		if err != nil {
-			log.Printf("[ERROR] [chisel,conversion] Invalid environment identifier (id: %s): %s", item.Key, err)
-			continue
+		if len(tunnel.Jobs) > 0 {
+			endpointID, err := strconv.Atoi(item.Key)
+			if err != nil {
+				log.Printf("[ERROR] [chisel,conversion] Invalid endpoint identifier (id: %s): %s", item.Key, err)
+				continue
+			}
+
+			service.SetTunnelStatusToIdle(portainer.EndpointID(endpointID))
+		} else {
+			service.tunnelDetailsMap.Remove(item.Key)
 		}

-		service.SetTunnelStatusToIdle(portainer.EndpointID(endpointID))
 	}
 }

--- a/api/chisel/tunnel.go
+++ b/api/chisel/tunnel.go
@@ -38,7 +38,7 @@ func randomInt(min, max int) int {
 	return min + rand.Intn(max-min)
 }

-// GetTunnelDetails returns information about the tunnel associated to an environment(endpoint).
+// GetTunnelDetails returns information about the tunnel associated to an endpoint.
 func (service *Service) GetTunnelDetails(endpointID portainer.EndpointID) *portainer.TunnelDetails {
 	key := strconv.Itoa(int(endpointID))

@@ -56,39 +56,7 @@ func (service *Service) GetTunnelDetails(endpointID portainer.EndpointID) *porta
 	}
 }

-// GetActiveTunnel retrieves an active tunnel which allows communicating with edge agent
-func (service *Service) GetActiveTunnel(endpoint *portainer.Endpoint) (*portainer.TunnelDetails, error) {
-	tunnel := service.GetTunnelDetails(endpoint.ID)
-
-	if tunnel.Status == portainer.EdgeAgentActive {
-		// update the LastActivity
-		service.SetTunnelStatusToActive(endpoint.ID)
-	}
-
-	if tunnel.Status == portainer.EdgeAgentIdle || tunnel.Status == portainer.EdgeAgentManagementRequired {
-		err := service.SetTunnelStatusToRequired(endpoint.ID)
-		if err != nil {
-			return nil, fmt.Errorf("failed opening tunnel to endpoint: %w", err)
-		}
-
-		if endpoint.EdgeCheckinInterval == 0 {
-			settings, err := service.dataStore.Settings().Settings()
-			if err != nil {
-				return nil, fmt.Errorf("failed fetching settings from db: %w", err)
-			}
-
-			endpoint.EdgeCheckinInterval = settings.EdgeAgentCheckinInterval
-		}
-
-		time.Sleep(2 * time.Duration(endpoint.EdgeCheckinInterval) * time.Second)
-	}
-
-	tunnel = service.GetTunnelDetails(endpoint.ID)
-
-	return tunnel, nil
-}
-
-// SetTunnelStatusToActive update the status of the tunnel associated to the specified environment(endpoint).
+// SetTunnelStatusToActive update the status of the tunnel associated to the specified endpoint.
 // It sets the status to ACTIVE.
 func (service *Service) SetTunnelStatusToActive(endpointID portainer.EndpointID) {
 	tunnel := service.GetTunnelDetails(endpointID)
@@ -100,7 +68,7 @@ func (service *Service) SetTunnelStatusToActive(endpointID portainer.EndpointID)
 	service.tunnelDetailsMap.Set(key, tunnel)
 }

-// SetTunnelStatusToIdle update the status of the tunnel associated to the specified environment(endpoint).
+// SetTunnelStatusToIdle update the status of the tunnel associated to the specified endpoint.
 // It sets the status to IDLE.
 // It removes any existing credentials associated to the tunnel.
 func (service *Service) SetTunnelStatusToIdle(endpointID portainer.EndpointID) {
@@ -118,15 +86,13 @@ func (service *Service) SetTunnelStatusToIdle(endpointID portainer.EndpointID) {

 	key := strconv.Itoa(int(endpointID))
 	service.tunnelDetailsMap.Set(key, tunnel)
-
-	service.ProxyManager.DeleteEndpointProxy(endpointID)
 }

-// SetTunnelStatusToRequired update the status of the tunnel associated to the specified environment(endpoint).
+// SetTunnelStatusToRequired update the status of the tunnel associated to the specified endpoint.
 // It sets the status to REQUIRED.
 // If no port is currently associated to the tunnel, it will associate a random unused port to the tunnel
 // and generate temporary credentials that can be used to establish a reverse tunnel on that port.
-// Credentials are encrypted using the Edge ID associated to the environment(endpoint).
+// Credentials are encrypted using the Edge ID associated to the endpoint.
 func (service *Service) SetTunnelStatusToRequired(endpointID portainer.EndpointID) error {
 	tunnel := service.GetTunnelDetails(endpointID)

--- a/api/cli/cli.go
+++ b/api/cli/cli.go
@@ -5,7 +5,7 @@ import (
 	"log"
 	"time"

-	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api"

 	"os"
 	"path/filepath"
@@ -18,7 +18,7 @@ import (
 type Service struct{}

 var (
-	errInvalidEndpointProtocol       = errors.New("Invalid environment protocol: Portainer only supports unix://, npipe:// or tcp://")
+	errInvalidEndpointProtocol       = errors.New("Invalid endpoint protocol: Portainer only supports unix://, npipe:// or tcp://")
 	errSocketOrNamedPipeNotFound     = errors.New("Unable to locate Unix socket or named pipe")
 	errInvalidSnapshotInterval       = errors.New("Invalid snapshot interval")
 	errAdminPassExcludeAdminPassFile = errors.New("Cannot use --admin-password with --admin-password-file")
@@ -30,13 +30,11 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {

 	flags := &portainer.CLIFlags{
 		Addr:                      kingpin.Flag("bind", "Address and port to serve Portainer").Default(defaultBindAddress).Short('p').String(),
-		AddrHTTPS:                 kingpin.Flag("bind-https", "Address and port to serve Portainer via https").Default(defaultHTTPSBindAddress).String(),
 		TunnelAddr:                kingpin.Flag("tunnel-addr", "Address to serve the tunnel server").Default(defaultTunnelServerAddress).String(),
 		TunnelPort:                kingpin.Flag("tunnel-port", "Port to serve the tunnel server").Default(defaultTunnelServerPort).String(),
 		Assets:                    kingpin.Flag("assets", "Path to the assets").Default(defaultAssetsDirectory).Short('a').String(),
 		Data:                      kingpin.Flag("data", "Path to the folder where the data is stored").Default(defaultDataDirectory).Short('d').String(),
-		EndpointURL:               kingpin.Flag("host", "Environment URL").Short('H').String(),
-		FeatureFlags:              BoolPairs(kingpin.Flag("feat", "List of feature flags").Hidden()),
+		EndpointURL:               kingpin.Flag("host", "Endpoint URL").Short('H').String(),
 		EnableEdgeComputeFeatures: kingpin.Flag("edge-compute", "Enable Edge Compute features").Bool(),
 		NoAnalytics:               kingpin.Flag("no-analytics", "Disable Analytics in app (deprecated)").Bool(),
 		TLS:                       kingpin.Flag("tlsverify", "TLS support").Default(defaultTLS).Bool(),
@@ -44,18 +42,15 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 		TLSCacert:                 kingpin.Flag("tlscacert", "Path to the CA").Default(defaultTLSCACertPath).String(),
 		TLSCert:                   kingpin.Flag("tlscert", "Path to the TLS certificate file").Default(defaultTLSCertPath).String(),
 		TLSKey:                    kingpin.Flag("tlskey", "Path to the TLS key").Default(defaultTLSKeyPath).String(),
-		HTTPDisabled:              kingpin.Flag("http-disabled", "Serve portainer only on https").Default(defaultHTTPDisabled).Bool(),
-		SSL:                       kingpin.Flag("ssl", "Secure Portainer instance using SSL (deprecated)").Default(defaultSSL).Bool(),
-		SSLCert:                   kingpin.Flag("sslcert", "Path to the SSL certificate used to secure the Portainer instance").String(),
-		SSLKey:                    kingpin.Flag("sslkey", "Path to the SSL key used to secure the Portainer instance").String(),
-		Rollback:                  kingpin.Flag("rollback", "Rollback the database store to the previous version").Bool(),
-		SnapshotInterval:          kingpin.Flag("snapshot-interval", "Duration between each environment snapshot job").Default(defaultSnapshotInterval).String(),
+		SSL:                       kingpin.Flag("ssl", "Secure Portainer instance using SSL").Default(defaultSSL).Bool(),
+		SSLCert:                   kingpin.Flag("sslcert", "Path to the SSL certificate used to secure the Portainer instance").Default(defaultSSLCertPath).String(),
+		SSLKey:                    kingpin.Flag("sslkey", "Path to the SSL key used to secure the Portainer instance").Default(defaultSSLKeyPath).String(),
+		SnapshotInterval:          kingpin.Flag("snapshot-interval", "Duration between each endpoint snapshot job").Default(defaultSnapshotInterval).String(),
 		AdminPassword:             kingpin.Flag("admin-password", "Hashed admin password").String(),
 		AdminPasswordFile:         kingpin.Flag("admin-password-file", "Path to the file containing the password for the admin user").String(),
 		Labels:                    pairs(kingpin.Flag("hide-label", "Hide containers with a specific label in the UI").Short('l')),
 		Logo:                      kingpin.Flag("logo", "URL for the logo displayed in the UI").String(),
 		Templates:                 kingpin.Flag("templates", "URL to the templates definitions.").Short('t').String(),
-		BaseURL:                   kingpin.Flag("base-url", "Base URL parameter such as portainer if running portainer as http://yourdomain.com/portainer/.").Short('b').Default(defaultBaseURL).String(),
 	}

 	kingpin.Parse()
@@ -97,10 +92,6 @@ func displayDeprecationWarnings(flags *portainer.CLIFlags) {
 	if *flags.NoAnalytics {
 		log.Println("Warning: The --no-analytics flag has been kept to allow migration of instances running a previous version of Portainer with this flag enabled, to version 2.0 where enabling this flag will have no effect.")
 	}
-
-	if *flags.SSL {
-		log.Println("Warning: SSL is enabled by default and there is no need for the --ssl flag. It has been kept to allow migration of instances running a previous version of Portainer with this flag enabled")
-	}
 }

 func validateEndpointURL(endpointURL string) error {
--- a/api/cli/confirm.go
+++ b/api/cli/confirm.go
@@ -1,24 +0,0 @@
-package cli
-
-import (
-	"bufio"
-	"log"
-	"os"
-	"strings"
-)
-
-// Confirm starts a rollback db cli application
-func Confirm(message string) (bool, error) {
-	log.Printf("%s [y/N]", message)
-
-	reader := bufio.NewReader(os.Stdin)
-	answer, err := reader.ReadString('\n')
-	if err != nil {
-		return false, err
-	}
-	answer = strings.Replace(answer, "\n", "", -1)
-	answer = strings.ToLower(answer)
-
-	return answer == "y" || answer == "yes", nil
-
-}
--- a/api/cli/defaults.go
+++ b/api/cli/defaults.go
@@ -4,7 +4,6 @@ package cli

 const (
 	defaultBindAddress         = ":9000"
-	defaultHTTPSBindAddress    = ":9443"
 	defaultTunnelServerAddress = "0.0.0.0"
 	defaultTunnelServerPort    = "8000"
 	defaultDataDirectory       = "/data"
@@ -14,10 +13,8 @@ const (
 	defaultTLSCACertPath       = "/certs/ca.pem"
 	defaultTLSCertPath         = "/certs/cert.pem"
 	defaultTLSKeyPath          = "/certs/key.pem"
-	defaultHTTPDisabled        = "false"
 	defaultSSL                 = "false"
 	defaultSSLCertPath         = "/certs/portainer.crt"
 	defaultSSLKeyPath          = "/certs/portainer.key"
 	defaultSnapshotInterval    = "5m"
-	defaultBaseURL             = "/"
 )
--- a/api/cli/defaults_windows.go
+++ b/api/cli/defaults_windows.go
@@ -2,7 +2,6 @@ package cli

 const (
 	defaultBindAddress         = ":9000"
-	defaultHTTPSBindAddress    = ":9443"
 	defaultTunnelServerAddress = "0.0.0.0"
 	defaultTunnelServerPort    = "8000"
 	defaultDataDirectory       = "C:\\data"
@@ -12,10 +11,8 @@ const (
 	defaultTLSCACertPath       = "C:\\certs\\ca.pem"
 	defaultTLSCertPath         = "C:\\certs\\cert.pem"
 	defaultTLSKeyPath          = "C:\\certs\\key.pem"
-	defaultHTTPDisabled        = "false"
 	defaultSSL                 = "false"
 	defaultSSLCertPath         = "C:\\certs\\portainer.crt"
 	defaultSSLKeyPath          = "C:\\certs\\portainer.key"
 	defaultSnapshotInterval    = "5m"
-	defaultBaseURL             = "/"
 )
--- a/api/cli/pairlist.go
+++ b/api/cli/pairlist.go
@@ -1,12 +1,11 @@
 package cli

 import (
-	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api"

 	"fmt"
-	"strings"
-
 	"gopkg.in/alecthomas/kingpin.v2"
+	"strings"
 )

 type pairList []portainer.Pair
--- a/api/cli/pairlistbool.go
+++ b/api/cli/pairlistbool.go
@@ -1,45 +0,0 @@
-package cli
-
-import (
-	portainer "github.com/portainer/portainer/api"
-
-	"strings"
-
-	"gopkg.in/alecthomas/kingpin.v2"
-)
-
-type pairListBool []portainer.Pair
-
-// Set implementation for a list of portainer.Pair
-func (l *pairListBool) Set(value string) error {
-	p := new(portainer.Pair)
-
-	// default to true.  example setting=true is equivalent to setting
-	parts := strings.SplitN(value, "=", 2)
-	if len(parts) != 2 {
-		p.Name = parts[0]
-		p.Value = "true"
-	} else {
-		p.Name = parts[0]
-		p.Value = parts[1]
-	}
-
-	*l = append(*l, *p)
-	return nil
-}
-
-// String implementation for a list of pair
-func (l *pairListBool) String() string {
-	return ""
-}
-
-// IsCumulative implementation for a list of pair
-func (l *pairListBool) IsCumulative() bool {
-	return true
-}
-
-func BoolPairs(s kingpin.Settings) (target *[]portainer.Pair) {
-	target = new([]portainer.Pair)
-	s.SetValue((*pairListBool)(target))
-	return
-}
--- a/api/cmd/portainer/log.go
+++ b/api/cmd/portainer/log.go
@@ -1,19 +0,0 @@
-package main
-
-import (
-	"log"
-
-	"github.com/sirupsen/logrus"
-)
-
-func configureLogger() {
-	logger := logrus.New() // logger is to implicitly substitute stdlib's log
-	log.SetOutput(logger.Writer())
-
-	formatter := &logrus.TextFormatter{DisableTimestamp: true, DisableLevelTruncation: true}
-	logger.SetFormatter(formatter)
-	logrus.SetFormatter(formatter)
-
-	logger.SetLevel(logrus.DebugLevel)
-	logrus.SetLevel(logrus.DebugLevel)
-}
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -2,39 +2,32 @@ package main

 import (
 	"context"
-	"fmt"
 	"log"
 	"os"
-	"strconv"
 	"strings"

-	"github.com/portainer/libhelm"
 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/apikey"
 	"github.com/portainer/portainer/api/bolt"
 	"github.com/portainer/portainer/api/chisel"
 	"github.com/portainer/portainer/api/cli"
 	"github.com/portainer/portainer/api/crypto"
 	"github.com/portainer/portainer/api/docker"
+
 	"github.com/portainer/portainer/api/exec"
 	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/git"
-	"github.com/portainer/portainer/api/hostmanagement/openamt"
 	"github.com/portainer/portainer/api/http"
 	"github.com/portainer/portainer/api/http/client"
 	"github.com/portainer/portainer/api/http/proxy"
 	kubeproxy "github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
-	"github.com/portainer/portainer/api/internal/authorization"
 	"github.com/portainer/portainer/api/internal/edge"
 	"github.com/portainer/portainer/api/internal/snapshot"
-	"github.com/portainer/portainer/api/internal/ssl"
 	"github.com/portainer/portainer/api/jwt"
 	"github.com/portainer/portainer/api/kubernetes"
 	kubecli "github.com/portainer/portainer/api/kubernetes/cli"
 	"github.com/portainer/portainer/api/ldap"
+	"github.com/portainer/portainer/api/libcompose"
 	"github.com/portainer/portainer/api/oauth"
-	"github.com/portainer/portainer/api/scheduler"
-	"github.com/portainer/portainer/api/stacks"
 )

 func initCLI() *portainer.CLIFlags {
@@ -59,22 +52,15 @@ func initFileService(dataStorePath string) portainer.FileService {
 	return fileService
 }

-func initDataStore(dataStorePath string, rollback bool, fileService portainer.FileService, shutdownCtx context.Context) portainer.DataStore {
-	store := bolt.NewStore(dataStorePath, fileService)
-	err := store.Open()
+func initDataStore(dataStorePath string, fileService portainer.FileService) portainer.DataStore {
+	store, err := bolt.NewStore(dataStorePath, fileService)
 	if err != nil {
-		log.Fatalf("failed opening store: %v", err)
+		log.Fatalf("failed creating data store: %v", err)
 	}

-	if rollback {
-		err := store.Rollback(false)
-		if err != nil {
-			log.Fatalf("failed rolling back: %s", err)
-		}
-
-		log.Println("Exiting rollback")
-		os.Exit(0)
-		return nil
+	err = store.Open()
+	if err != nil {
+		log.Fatalf("failed opening store: %v", err)
 	}

 	err = store.Init()
@@ -86,46 +72,24 @@ func initDataStore(dataStorePath string, rollback bool, fileService portainer.Fi
 	if err != nil {
 		log.Fatalf("failed migration: %v", err)
 	}
-
-	go shutdownDatastore(shutdownCtx, store)
 	return store
 }

-func shutdownDatastore(shutdownCtx context.Context, datastore portainer.DataStore) {
-	<-shutdownCtx.Done()
-	datastore.Close()
-}
-
-func initComposeStackManager(assetsPath string, configPath string, reverseTunnelService portainer.ReverseTunnelService, proxyManager *proxy.Manager) portainer.ComposeStackManager {
-	composeWrapper, err := exec.NewComposeStackManager(assetsPath, configPath, proxyManager)
-	if err != nil {
-		log.Fatalf("failed creating compose manager: %s", err)
+func initComposeStackManager(assetsPath string, dataStorePath string, reverseTunnelService portainer.ReverseTunnelService, proxyManager *proxy.Manager) portainer.ComposeStackManager {
+	composeWrapper := exec.NewComposeWrapper(assetsPath, dataStorePath, proxyManager)
+	if composeWrapper != nil {
+		return composeWrapper
 	}

-	return composeWrapper
+	return libcompose.NewComposeStackManager(dataStorePath, reverseTunnelService)
 }

-func initSwarmStackManager(
-	assetsPath string,
-	configPath string,
-	signatureService portainer.DigitalSignatureService,
-	fileService portainer.FileService,
-	reverseTunnelService portainer.ReverseTunnelService,
-	dataStore portainer.DataStore,
-) (portainer.SwarmStackManager, error) {
-	return exec.NewSwarmStackManager(assetsPath, configPath, signatureService, fileService, reverseTunnelService, dataStore)
+func initSwarmStackManager(assetsPath string, dataStorePath string, signatureService portainer.DigitalSignatureService, fileService portainer.FileService, reverseTunnelService portainer.ReverseTunnelService) (portainer.SwarmStackManager, error) {
+	return exec.NewSwarmStackManager(assetsPath, dataStorePath, signatureService, fileService, reverseTunnelService)
 }

-func initKubernetesDeployer(kubernetesTokenCacheManager *kubeproxy.TokenCacheManager, kubernetesClientFactory *kubecli.ClientFactory, dataStore portainer.DataStore, reverseTunnelService portainer.ReverseTunnelService, signatureService portainer.DigitalSignatureService, proxyManager *proxy.Manager, assetsPath string) portainer.KubernetesDeployer {
-	return exec.NewKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, signatureService, proxyManager, assetsPath)
-}
-
-func initHelmPackageManager(assetsPath string) (libhelm.HelmPackageManager, error) {
-	return libhelm.NewHelmPackageManager(libhelm.HelmConfig{BinaryPath: assetsPath})
-}
-
-func initAPIKeyService(datastore portainer.DataStore) apikey.APIKeyService {
-	return apikey.NewAPIKeyService(datastore.APIKeyRepository(), datastore.User())
+func initKubernetesDeployer(assetsPath string) portainer.KubernetesDeployer {
+	return exec.NewKubernetesDeployer(assetsPath)
 }

 func initJWTService(dataStore portainer.DataStore) (portainer.JWTService, error) {
@@ -138,7 +102,7 @@ func initJWTService(dataStore portainer.DataStore) (portainer.JWTService, error)
 		settings.UserSessionTimeout = portainer.DefaultUserSessionTimeout
 		dataStore.Settings().UpdateSettings(settings)
 	}
-	jwtService, err := jwt.NewService(settings.UserSessionTimeout, dataStore)
+	jwtService, err := jwt.NewService(settings.UserSessionTimeout)
 	if err != nil {
 		return nil, err
 	}
@@ -165,29 +129,12 @@ func initGitService() portainer.GitService {
 	return git.NewService()
 }

-func initSSLService(addr, dataPath, certPath, keyPath string, fileService portainer.FileService, dataStore portainer.DataStore, shutdownTrigger context.CancelFunc) (*ssl.Service, error) {
-	slices := strings.Split(addr, ":")
-	host := slices[0]
-	if host == "" {
-		host = "0.0.0.0"
-	}
-
-	sslService := ssl.NewService(fileService, dataStore, shutdownTrigger)
-
-	err := sslService.Init(host, certPath, keyPath)
-	if err != nil {
-		return nil, err
-	}
-
-	return sslService, nil
-}
-
 func initDockerClientFactory(signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService) *docker.ClientFactory {
 	return docker.NewClientFactory(signatureService, reverseTunnelService)
 }

-func initKubernetesClientFactory(signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService, instanceID string, dataStore portainer.DataStore) *kubecli.ClientFactory {
-	return kubecli.NewClientFactory(signatureService, reverseTunnelService, instanceID, dataStore)
+func initKubernetesClientFactory(signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService, instanceID string) *kubecli.ClientFactory {
+	return kubecli.NewClientFactory(signatureService, reverseTunnelService, instanceID)
 }

 func initSnapshotService(snapshotInterval string, dataStore portainer.DataStore, dockerClientFactory *docker.ClientFactory, kubernetesClientFactory *kubecli.ClientFactory, shutdownCtx context.Context) (portainer.SnapshotService, error) {
@@ -202,10 +149,9 @@ func initSnapshotService(snapshotInterval string, dataStore portainer.DataStore,
 	return snapshotService, nil
 }

-func initStatus(instanceID string) *portainer.Status {
+func initStatus(flags *portainer.CLIFlags) *portainer.Status {
 	return &portainer.Status{
-		Version:    portainer.APIVersion,
-		InstanceID: instanceID,
+		Version: portainer.APIVersion,
 	}
 }

@@ -219,7 +165,6 @@ func updateSettingsFromFlags(dataStore portainer.DataStore, flags *portainer.CLI
 	settings.SnapshotInterval = *flags.SnapshotInterval
 	settings.EnableEdgeComputeFeatures = *flags.EnableEdgeComputeFeatures
 	settings.EnableTelemetry = true
-	settings.OAuthSettings.SSO = true

 	if *flags.Templates != "" {
 		settings.TemplatesURL = *flags.Templates
@@ -229,68 +174,6 @@ func updateSettingsFromFlags(dataStore portainer.DataStore, flags *portainer.CLI
 		settings.BlackListedLabels = *flags.Labels
 	}

-	err = dataStore.Settings().UpdateSettings(settings)
-	if err != nil {
-		return err
-	}
-
-	httpEnabled := !*flags.HTTPDisabled
-
-	sslSettings, err := dataStore.SSLSettings().Settings()
-	if err != nil {
-		return err
-	}
-
-	sslSettings.HTTPEnabled = httpEnabled
-
-	err = dataStore.SSLSettings().UpdateSettings(sslSettings)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// enableFeaturesFromFlags turns on or off feature flags
-// e.g.  portainer --feat open-amt --feat fdo=true ... (defaults to true)
-// note, settings are persisted to the DB. To turn off `--feat open-amt=false`
-func enableFeaturesFromFlags(dataStore portainer.DataStore, flags *portainer.CLIFlags) error {
-	settings, err := dataStore.Settings().Settings()
-	if err != nil {
-		return err
-	}
-
-	if settings.FeatureFlagSettings == nil {
-		settings.FeatureFlagSettings = make(map[portainer.Feature]bool)
-	}
-
-	// loop through feature flags to check if they are supported
-	for _, feat := range *flags.FeatureFlags {
-		var correspondingFeature *portainer.Feature
-		for i, supportedFeat := range portainer.SupportedFeatureFlags {
-			if strings.EqualFold(feat.Name, string(supportedFeat)) {
-				correspondingFeature = &portainer.SupportedFeatureFlags[i]
-			}
-		}
-
-		if correspondingFeature == nil {
-			return fmt.Errorf("unknown feature flag '%s'", feat.Name)
-		}
-
-		featureState, err := strconv.ParseBool(feat.Value)
-		if err != nil {
-			return fmt.Errorf("feature flag's '%s' value should be true or false", feat.Name)
-		}
-
-		if featureState {
-			log.Printf("Feature %v : on", *correspondingFeature)
-		} else {
-			log.Printf("Feature %v : off", *correspondingFeature)
-		}
-
-		settings.FeatureFlagSettings[*correspondingFeature] = featureState
-	}
-
 	return dataStore.Settings().UpdateSettings(settings)
 }

@@ -357,7 +240,6 @@ func createTLSSecuredEndpoint(flags *portainer.CLIFlags, dataStore portainer.Dat
 			AllowVolumeBrowserForRegularUsers: false,
 			EnableHostManagementFeatures:      false,

-			AllowSysctlSettingForRegularUsers:         true,
 			AllowBindMountsForRegularUsers:            true,
 			AllowPrivilegedModeForRegularUsers:        true,
 			AllowHostNamespaceForRegularUsers:         true,
@@ -385,7 +267,7 @@ func createTLSSecuredEndpoint(flags *portainer.CLIFlags, dataStore portainer.Dat

 	err := snapshotService.SnapshotEndpoint(endpoint)
 	if err != nil {
-		log.Printf("http error: environment snapshot error (environment=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
+		log.Printf("http error: endpoint snapshot error (endpoint=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
 	}

 	return dataStore.Endpoint().CreateEndpoint(endpoint)
@@ -419,7 +301,6 @@ func createUnsecuredEndpoint(endpointURL string, dataStore portainer.DataStore,
 			AllowVolumeBrowserForRegularUsers: false,
 			EnableHostManagementFeatures:      false,

-			AllowSysctlSettingForRegularUsers:         true,
 			AllowBindMountsForRegularUsers:            true,
 			AllowPrivilegedModeForRegularUsers:        true,
 			AllowHostNamespaceForRegularUsers:         true,
@@ -431,7 +312,7 @@ func createUnsecuredEndpoint(endpointURL string, dataStore portainer.DataStore,

 	err := snapshotService.SnapshotEndpoint(endpoint)
 	if err != nil {
-		log.Printf("http error: environment snapshot error (environment=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
+		log.Printf("http error: endpoint snapshot error (endpoint=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
 	}

 	return dataStore.Endpoint().CreateEndpoint(endpoint)
@@ -448,7 +329,7 @@ func initEndpoint(flags *portainer.CLIFlags, dataStore portainer.DataStore, snap
 	}

 	if len(endpoints) > 0 {
-		log.Println("Instance already has defined environments. Skipping the environment defined via CLI.")
+		log.Println("Instance already has defined endpoints. Skipping the endpoint defined via CLI.")
 		return nil
 	}

@@ -463,46 +344,27 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {

 	fileService := initFileService(*flags.Data)

-	dataStore := initDataStore(*flags.Data, *flags.Rollback, fileService, shutdownCtx)
+	dataStore := initDataStore(*flags.Data, fileService)

 	if err := dataStore.CheckCurrentEdition(); err != nil {
 		log.Fatal(err)
 	}

-	apiKeyService := initAPIKeyService(dataStore)
-
 	jwtService, err := initJWTService(dataStore)
 	if err != nil {
 		log.Fatalf("failed initializing JWT service: %v", err)
 	}

-	err = enableFeaturesFromFlags(dataStore, flags)
-	if err != nil {
-		log.Fatalf("failed enabling feature flag: %v", err)
-	}
-
 	ldapService := initLDAPService()

 	oauthService := initOAuthService()

 	gitService := initGitService()

-	openAMTService := openamt.NewService(dataStore)
-
 	cryptoService := initCryptoService()

 	digitalSignatureService := initDigitalSignatureService()

-	sslService, err := initSSLService(*flags.AddrHTTPS, *flags.Data, *flags.SSLCert, *flags.SSLKey, fileService, dataStore, shutdownTrigger)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	sslSettings, err := sslService.GetSSLSettings()
-	if err != nil {
-		log.Fatalf("failed to get ssl settings: %s", err)
-	}
-
 	err = initKeyPair(fileService, digitalSignatureService)
 	if err != nil {
 		log.Fatalf("failed initializing key pai: %v", err)
@@ -516,7 +378,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 	}

 	dockerClientFactory := initDockerClientFactory(digitalSignatureService, reverseTunnelService)
-	kubernetesClientFactory := initKubernetesClientFactory(digitalSignatureService, reverseTunnelService, instanceID, dataStore)
+	kubernetesClientFactory := initKubernetesClientFactory(digitalSignatureService, reverseTunnelService, instanceID)

 	snapshotService, err := initSnapshotService(*flags.SnapshotInterval, dataStore, dockerClientFactory, kubernetesClientFactory, shutdownCtx)
 	if err != nil {
@@ -524,32 +386,16 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 	}
 	snapshotService.Start()

-	authorizationService := authorization.NewService(dataStore)
-	authorizationService.K8sClientFactory = kubernetesClientFactory
-
+	swarmStackManager, err := initSwarmStackManager(*flags.Assets, *flags.Data, digitalSignatureService, fileService, reverseTunnelService)
+	if err != nil {
+		log.Fatalf("failed initializing swarm stack manager: %v", err)
+	}
 	kubernetesTokenCacheManager := kubeproxy.NewTokenCacheManager()
-
-	kubeConfigService := kubernetes.NewKubeConfigCAService(*flags.AddrHTTPS, sslSettings.CertPath)
-
 	proxyManager := proxy.NewManager(dataStore, digitalSignatureService, reverseTunnelService, dockerClientFactory, kubernetesClientFactory, kubernetesTokenCacheManager)

-	reverseTunnelService.ProxyManager = proxyManager
+	composeStackManager := initComposeStackManager(*flags.Assets, *flags.Data, reverseTunnelService, proxyManager)

-	dockerConfigPath := fileService.GetDockerConfigPath()
-
-	composeStackManager := initComposeStackManager(*flags.Assets, dockerConfigPath, reverseTunnelService, proxyManager)
-
-	swarmStackManager, err := initSwarmStackManager(*flags.Assets, dockerConfigPath, digitalSignatureService, fileService, reverseTunnelService, dataStore)
-	if err != nil {
-		log.Fatalf("failed initializing swarm stack manager: %s", err)
-	}
-
-	kubernetesDeployer := initKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, digitalSignatureService, proxyManager, *flags.Assets)
-
-	helmPackageManager, err := initHelmPackageManager(*flags.Assets)
-	if err != nil {
-		log.Fatalf("failed initializing helm package manager: %s", err)
-	}
+	kubernetesDeployer := initKubernetesDeployer(*flags.Assets)

 	if dataStore.IsNew() {
 		err = updateSettingsFromFlags(dataStore, flags)
@@ -563,16 +409,16 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		log.Fatalf("failed loading edge jobs from database: %v", err)
 	}

-	applicationStatus := initStatus(instanceID)
+	applicationStatus := initStatus(flags)

 	err = initEndpoint(flags, dataStore, snapshotService)
 	if err != nil {
-		log.Fatalf("failed initializing environment: %v", err)
+		log.Fatalf("failed initializing endpoint: %v", err)
 	}

 	adminPasswordHash := ""
 	if *flags.AdminPasswordFile != "" {
-		content, err := fileService.GetFileContent(*flags.AdminPasswordFile, "")
+		content, err := fileService.GetFileContent(*flags.AdminPasswordFile)
 		if err != nil {
 			log.Fatalf("failed getting admin password file: %v", err)
 		}
@@ -608,64 +454,45 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {

 	err = reverseTunnelService.StartTunnelServer(*flags.TunnelAddr, *flags.TunnelPort, snapshotService)
 	if err != nil {
-		log.Fatalf("failed starting tunnel server: %s", err)
+		log.Fatalf("failed starting license service: %s", err)
 	}

-	sslDBSettings, err := dataStore.SSLSettings().Settings()
-	if err != nil {
-		log.Fatalf("failed to fetch ssl settings from DB")
-	}
-
-	scheduler := scheduler.NewScheduler(shutdownCtx)
-	stackDeployer := stacks.NewStackDeployer(swarmStackManager, composeStackManager, kubernetesDeployer)
-	stacks.StartStackSchedules(scheduler, stackDeployer, dataStore, gitService)
-
 	return &http.Server{
-		AuthorizationService:        authorizationService,
 		ReverseTunnelService:        reverseTunnelService,
 		Status:                      applicationStatus,
 		BindAddress:                 *flags.Addr,
-		BindAddressHTTPS:            *flags.AddrHTTPS,
-		HTTPEnabled:                 sslDBSettings.HTTPEnabled,
 		AssetsPath:                  *flags.Assets,
 		DataStore:                   dataStore,
 		SwarmStackManager:           swarmStackManager,
 		ComposeStackManager:         composeStackManager,
 		KubernetesDeployer:          kubernetesDeployer,
-		HelmPackageManager:          helmPackageManager,
 		CryptoService:               cryptoService,
-		APIKeyService:               apiKeyService,
 		JWTService:                  jwtService,
 		FileService:                 fileService,
 		LDAPService:                 ldapService,
 		OAuthService:                oauthService,
 		GitService:                  gitService,
-		OpenAMTService:              openAMTService,
 		ProxyManager:                proxyManager,
 		KubernetesTokenCacheManager: kubernetesTokenCacheManager,
-		KubeConfigService:           kubeConfigService,
 		SignatureService:            digitalSignatureService,
 		SnapshotService:             snapshotService,
-		SSLService:                  sslService,
+		SSL:                         *flags.SSL,
+		SSLCert:                     *flags.SSLCert,
+		SSLKey:                      *flags.SSLKey,
 		DockerClientFactory:         dockerClientFactory,
 		KubernetesClientFactory:     kubernetesClientFactory,
-		Scheduler:                   scheduler,
 		ShutdownCtx:                 shutdownCtx,
 		ShutdownTrigger:             shutdownTrigger,
-		StackDeployer:               stackDeployer,
-		BaseURL:                     *flags.BaseURL,
 	}
 }

 func main() {
 	flags := initCLI()

-	configureLogger()
-
 	for {
 		server := buildServer(flags)
-		log.Printf("[INFO] [cmd,main] Starting Portainer version %s\n", portainer.APIVersion)
+		log.Printf("Starting Portainer %s on %s\n", portainer.APIVersion, *flags.Addr)
 		err := server.Start()
-		log.Printf("[INFO] [cmd,main] Http server exited: %s\n", err)
+		log.Printf("Http server exited: %s\n", err)
 	}
 }
--- a/api/cmd/portainer/main_test.go
+++ b/api/cmd/portainer/main_test.go
@@ -1,114 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"testing"
-
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt"
-	"github.com/portainer/portainer/api/cli"
-	"github.com/stretchr/testify/assert"
-	"gopkg.in/alecthomas/kingpin.v2"
-)
-
-type mockKingpinSetting string
-
-func (m mockKingpinSetting) SetValue(value kingpin.Value) {
-	value.Set(string(m))
-}
-
-func Test_enableFeaturesFromFlags(t *testing.T) {
-	is := assert.New(t)
-
-	store, teardown := bolt.MustNewTestStore(true)
-	defer teardown()
-
-	tests := []struct {
-		featureFlag string
-		isSupported bool
-	}{
-		{"test", false},
-		{"openamt", false},
-		{"open-amt", true},
-		{"oPeN-amT", true},
-		{"fdo", true},
-		{"FDO", true},
-	}
-	for _, test := range tests {
-		t.Run(fmt.Sprintf("%s succeeds:%v", test.featureFlag, test.isSupported), func(t *testing.T) {
-			mockKingpinSetting := mockKingpinSetting(test.featureFlag)
-			flags := &portainer.CLIFlags{FeatureFlags: cli.BoolPairs(mockKingpinSetting)}
-			err := enableFeaturesFromFlags(store, flags)
-			if test.isSupported {
-				is.NoError(err)
-			} else {
-				is.Error(err)
-			}
-		})
-	}
-
-	t.Run("passes for all supported feature flags", func(t *testing.T) {
-		for _, flag := range portainer.SupportedFeatureFlags {
-			mockKingpinSetting := mockKingpinSetting(flag)
-			flags := &portainer.CLIFlags{FeatureFlags: cli.BoolPairs(mockKingpinSetting)}
-			err := enableFeaturesFromFlags(store, flags)
-			is.NoError(err)
-		}
-	})
-}
-
-const FeatTest portainer.Feature = "optional-test"
-
-func optionalFunc(dataStore portainer.DataStore) string {
-
-	// TODO: this is a code smell - finding out if a feature flag is enabled should not require having access to the store, and asking for a settings obj.
-	//       ideally, the `if` should look more like:
-	//       if featureflags.FlagEnabled(FeatTest) {}
-	settings, err := dataStore.Settings().Settings()
-	if err != nil {
-		return err.Error()
-	}
-
-	if settings.FeatureFlagSettings[FeatTest] {
-		return "enabled"
-	}
-	return "disabled"
-}
-
-func Test_optionalFeature(t *testing.T) {
-	portainer.SupportedFeatureFlags = append(portainer.SupportedFeatureFlags, FeatTest)
-
-	is := assert.New(t)
-
-	store, teardown := bolt.MustNewTestStore(true)
-	defer teardown()
-
-	// Enable the test feature
-	t.Run(fmt.Sprintf("%s succeeds:%v", FeatTest, true), func(t *testing.T) {
-		mockKingpinSetting := mockKingpinSetting(FeatTest)
-		flags := &portainer.CLIFlags{FeatureFlags: cli.BoolPairs(mockKingpinSetting)}
-		err := enableFeaturesFromFlags(store, flags)
-		is.NoError(err)
-		is.Equal("enabled", optionalFunc(store))
-	})
-
-	// Same store, so the feature flag should still be enabled
-	t.Run(fmt.Sprintf("%s succeeds:%v", FeatTest, true), func(t *testing.T) {
-		is.Equal("enabled", optionalFunc(store))
-	})
-
-	// disable the test feature
-	t.Run(fmt.Sprintf("%s succeeds:%v", FeatTest, true), func(t *testing.T) {
-		mockKingpinSetting := mockKingpinSetting(FeatTest + "=false")
-		flags := &portainer.CLIFlags{FeatureFlags: cli.BoolPairs(mockKingpinSetting)}
-		err := enableFeaturesFromFlags(store, flags)
-		is.NoError(err)
-		is.Equal("disabled", optionalFunc(store))
-	})
-
-	// Same store, so feature flag should still be disabled
-	t.Run(fmt.Sprintf("%s succeeds:%v", FeatTest, true), func(t *testing.T) {
-		is.Equal("disabled", optionalFunc(store))
-	})
-
-}
--- a/api/crypto/ecdsa.go
+++ b/api/crypto/ecdsa.go
@@ -22,7 +22,7 @@ const (
 )

 // ECDSAService is a service used to create digital signatures when communicating with
-// an agent based environment(endpoint). It will automatically generates a key pair using ECDSA or
+// an agent based environment. It will automatically generates a key pair using ECDSA or
 // can also reuse an existing ECDSA key pair.
 type ECDSAService struct {
 	privateKey    *ecdsa.PrivateKey
--- a/Show More
+++ b/Show More