fix(auth): prevent user enumeration attack [EE-6832] (#11591 )

Revert multiple commits to set it back to tag 2.19 (#10946 )
* Revert "docs(dashboard): update link for swarm node [EE-6318] (#10770)" This reverts commit 30356d2c15. * Revert "docs(api): default to pascal case for property name [EE-6471] (#10861)" This reverts commit 392819576c. * Revert "fix(edge/jobs): clear logs [EE-5923] (#10819)" This reverts commit e01386f63d. * Revert "disable html5 validation (#10843)" This reverts commit 4b0f08e92a. * Revert "fix(edgestack): allow to set retry deployment toggle EE-6167 (#10676) (#10805)" This reverts commit eee632b22d. * Revert "fix(stack): edit git stack validation (#10812)" This reverts commit d3b150b29c. * Revert "Revert "Revert "fix(rollback): reversed rollback code from 2.19.4 [EE-6435] (#10811)" (#10832)" This reverts commit 32e05bb705. * Revert "fix(setting/ssl): cert files are optional to upload [EE-6139] (#10779)" This reverts commit 7408668dbb. * Revert "fix(endpoint): delete the endpoint proxy when updating an endpoint address [EE-5577] (#10824)" This reverts commit 4b5ea01456. * Revert "fix(swagger): custom template create docs EE-6428 (#10806)" This reverts commit 0d55cb3e08. * Revert "fix(images): sort by tags [EE-6410] (#10755)" This reverts commit 7f51c727a0. * Revert "fix(stacks): sort by date [EE-5766] (#10758)" This reverts commit 57b80cd9ac. * Revert "fix(UI): remember backup settings tab [EE-6347] (#10764)" This reverts commit c20452492d. * Revert "fix(backup ui): minor typo on backup page EE-6348 (#10717)" This reverts commit d58046eb68. * Revert "fix(app): shift external to the top [EE-6392] (#10753) (#10802)" This reverts commit 4795e85d18. * Revert "fix(app): update sliders when limits are known [EE-5933] (#10769) (#10801)" This reverts commit d090b0043a. * Revert "fix(gitops): correct commit hash link [EE-6346] (#10800)" This reverts commit 0e59cf76ec. * Revert "fix toast error (#10804)" This reverts commit 9978b88ed4. * Revert "fix(kube): configmaps and secrets from envFrom in the app detail screen [EE-6282] (#10741) (#10798)" This reverts commit c1a01558d0. * Revert "fix(stacks): allow editing custom templates before stack deployment EE-6380 (#10713)" This reverts commit f0aa0554f8. * Reapply "fix(rollback): reversed rollback code from 2.19.4 [EE-6435] (#10811) This reverts commit c58fa274e7.
2024-04-17 16:09:05 +12:00 · 2024-01-25 12:50:56 +13:00 · 2024-01-08 08:24:52 +13:00 · 2024-01-04 17:02:41 +07:00 · 2024-01-02 13:28:42 +07:00 · 2023-12-25 11:19:49 +07:00
250 changed files with 4027 additions and 2051 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,176 @@
+name: ci
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'develop'
+      - 'release/*'
+  pull_request:
+    branches:
+      - 'develop'
+      - 'release/*'
+      - 'feat/*'
+      - 'fix/*'
+      - 'refactor/*'
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+
+env:
+  DOCKER_HUB_REPO: portainerci/portainer-ce
+  EXTENSION_HUB_REPO: portainerci/portainer-docker-extension
+  GO_VERSION: 1.21.6
+  NODE_VERSION: 18.x
+
+jobs:
+  build_images:
+    strategy:
+      matrix:
+        config:
+          - { platform: linux, arch: amd64, version: "" }
+          - { platform: linux, arch: arm64, version: "" }
+          - { platform: linux, arch: arm, version: "" }
+          - { platform: linux, arch: ppc64le, version: "" }
+          - { platform: linux, arch: s390x, version: "" }
+          - { platform: windows, arch: amd64, version: 1809 }
+          - { platform: windows, arch: amd64, version: ltsc2022 }
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false
+    steps:
+      - name: '[preparation] checkout the current branch'
+        uses: actions/checkout@v4.1.1
+        with:
+          ref: ${{ github.event.inputs.branch }}
+      - name: '[preparation] set up golang'
+        uses: actions/setup-go@v5.0.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+      - name: '[preparation] set up node.js'
+        uses: actions/setup-node@v4.0.1
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'yarn'
+      - name: '[preparation] set up qemu'
+        uses: docker/setup-qemu-action@v3.0.0
+      - name: '[preparation] set up docker context for buildx'
+        run: docker context create builders
+      - name: '[preparation] set up docker buildx'
+        uses: docker/setup-buildx-action@v3.0.0
+        with:
+          endpoint: builders
+      - name: '[preparation] docker login'
+        uses: docker/login-action@v3.0.0
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+      - name: '[preparation] set the container image tag'
+        run: |
+          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
+            # use the release branch name as the tag for release branches
+            # for instance, release/2.19 becomes 2.19
+            CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -d "/" -f 2)
+          elif [ "${GITHUB_EVENT_NAME}" == "pull_request" ]; then
+            # use pr${{ github.event.number }} as the tag for pull requests
+            # for instance, pr123
+            CONTAINER_IMAGE_TAG="pr${{ github.event.number }}"
+          else
+            # replace / with - in the branch name
+            # for instance, feature/1.0.0 -> feature-1.0.0
+            CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | sed 's/\//-/g')
+          fi
+          
+          echo "CONTAINER_IMAGE_TAG=${CONTAINER_IMAGE_TAG}-${{ matrix.config.platform }}${{ matrix.config.version }}-${{ matrix.config.arch }}" >> $GITHUB_ENV
+      - name: '[execution] build linux & windows portainer binaries'
+        run: |
+          export YARN_VERSION=$(yarn --version)
+          export WEBPACK_VERSION=$(yarn list webpack --depth=0 | grep webpack | awk -F@ '{print $2}')
+          export BUILDNUMBER=${GITHUB_RUN_NUMBER}
+          GIT_COMMIT_HASH_LONG=${{ github.sha }}
+          export GIT_COMMIT_HASH_SHORT={GIT_COMMIT_HASH_LONG:0:7}
+          
+          NODE_ENV="testing"
+          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
+            NODE_ENV="production"
+          fi
+          
+          make build-all PLATFORM=${{ matrix.config.platform }} ARCH=${{ matrix.config.arch }} ENV=${NODE_ENV}
+        env:
+          CONTAINER_IMAGE_TAG: ${{ env.CONTAINER_IMAGE_TAG }}
+      - name: '[execution] build and push docker images'
+        run: |
+          if [ "${{ matrix.config.platform }}" == "windows" ]; then
+            mv dist/portainer dist/portainer.exe
+            docker buildx build --output=type=registry --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} --build-arg OSVERSION=${{ matrix.config.version }} -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}" -f build/${{ matrix.config.platform }}/Dockerfile .
+          else 
+            docker buildx build --output=type=registry --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}" -f build/${{ matrix.config.platform }}/Dockerfile .
+            docker buildx build --output=type=registry --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" -f build/${{ matrix.config.platform }}/alpine.Dockerfile .
+            
+            if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
+              docker buildx build --output=type=registry --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}" -f build/${{ matrix.config.platform }}/Dockerfile .
+              docker buildx build --output=type=registry --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" -f build/${{ matrix.config.platform }}/alpine.Dockerfile .
+            fi
+          fi
+        env:
+          CONTAINER_IMAGE_TAG: ${{ env.CONTAINER_IMAGE_TAG }}
+  build_manifests:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false
+    needs: [build_images]
+    steps:
+      - name: '[preparation] docker login'
+        uses: docker/login-action@v3.0.0
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+      - name: '[preparation] set up docker context for buildx'
+        run: docker version && docker context create builders
+      - name: '[preparation] set up docker buildx'
+        uses: docker/setup-buildx-action@v3.0.0
+        with:
+          endpoint: builders
+      - name: '[execution] build and push manifests'
+        run: |
+          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
+            # use the release branch name as the tag for release branches
+            # for instance, release/2.19 becomes 2.19
+            CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -d "/" -f 2)
+          elif [ "${GITHUB_EVENT_NAME}" == "pull_request" ]; then
+            # use pr${{ github.event.number }} as the tag for pull requests
+            # for instance, pr123
+            CONTAINER_IMAGE_TAG="pr${{ github.event.number }}"
+          else
+            # replace / with - in the branch name
+            # for instance, feature/1.0.0 -> feature-1.0.0
+            CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | sed 's/\//-/g')
+          fi
+
+          docker buildx imagetools create -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}" \
+            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64" \
+            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64" \
+            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm" \
+            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-ppc64le" \
+            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-s390x" \
+            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-windows1809-amd64" \
+            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-windowsltsc2022-amd64"
+          
+          docker buildx imagetools create -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" \
+            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64-alpine" \
+            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64-alpine" \
+            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm-alpine"
+            
+          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
+            docker buildx imagetools create -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}" \
+              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64" \
+              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64" \
+              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm" \
+              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-ppc64le" \
+              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-s390x"
+            
+            docker buildx imagetools create -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" \
+              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64-alpine" \
+              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64-alpine" \
+              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm-alpine"
+          fi
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -11,21 +11,31 @@ on:
      - master
      - develop
      - release/*
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+
+env:
+  GO_VERSION: 1.21.6
+  NODE_VERSION: 18.x

 jobs:
  run-linters:
    name: Run linters
    runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false

    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
-          node-version: '18'
+          node-version: ${{ env.NODE_VERSION }}
          cache: 'yarn'
      - uses: actions/setup-go@v4
        with:
-          go-version: 1.19.5
+          go-version: ${{ env.GO_VERSION }}
      - run: yarn --frozen-lockfile
      - name: Run linters
        uses: wearerequired/lint-action@v1
@@ -41,6 +51,5 @@ jobs:
      - name: GolangCI-Lint
        uses: golangci/golangci-lint-action@v3
        with:
-          version: v1.52.2
-          working-directory: api
+          version: v1.55.2
          args: --timeout=10m -c .golangci.yaml
--- a/.github/workflows/nightly-security-scan.yml
+++ b/.github/workflows/nightly-security-scan.yml
@@ -5,6 +5,9 @@ on:
    - cron: '0 20 * * *'
  workflow_dispatch:

+env:
+  GO_VERSION: 1.21.6
+
 jobs:
  client-dependencies:
    name: Client Dependency Check
@@ -25,7 +28,7 @@ jobs:
        with:
          json: true

-      - name: upload scan result as develop artifact 
+      - name: upload scan result as develop artifact
        uses: actions/upload-artifact@v3
        with:
          name: js-security-scan-develop-result
@@ -41,7 +44,7 @@ jobs:
          name: html-js-result-${{github.run_id}}
          path: js-result.html

-      - name: analyse vulnerabilities 
+      - name: analyse vulnerabilities
        id: set-matrix
        run: |
          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=matrix)
@@ -58,10 +61,10 @@ jobs:
      - name: checkout repository
        uses: actions/checkout@master

-      - name: install Go 
+      - name: install Go
        uses: actions/setup-go@v3
        with:
-          go-version: '1.19.5'
+          go-version: ${{ env.GO_VERSION }}

      - name: download Go modules
        run: cd ./api && go get -t -v -d ./...
@@ -72,9 +75,9 @@ jobs:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          yarn global add snyk
-          snyk test --file=./api/go.mod --json-file-output=snyk.json 2>/dev/null || :
+          snyk test --file=./go.mod --json-file-output=snyk.json 2>/dev/null || :

-      - name: upload scan result as develop artifact 
+      - name: upload scan result as develop artifact
        uses: actions/upload-artifact@v3
        with:
          name: go-security-scan-develop-result
@@ -102,35 +105,68 @@ jobs:
    if: >-
      github.ref == 'refs/heads/develop'
    outputs:
-      image: ${{ steps.set-matrix.outputs.image_result }}
+      image-trivy: ${{ steps.set-trivy-matrix.outputs.image_trivy_result }}
+      image-docker-scout: ${{ steps.set-docker-scout-matrix.outputs.image_docker_scout_result }}
    steps:
-      - name: scan vulnerabilities by Trivy 
+      - name: scan vulnerabilities by Trivy
        uses: docker://docker.io/aquasec/trivy:latest
        continue-on-error: true
        with:
          args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress portainerci/portainer:develop

-      - name: upload image security scan result as artifact
+      - name: upload Trivy image security scan result as artifact
        uses: actions/upload-artifact@v3
        with:
          name: image-security-scan-develop-result
          path: image-trivy.json

-      - name: develop scan report export to html
+      - name: develop Trivy scan report export to html
        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=table --export --export-filename="/data/image-result")
+          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=table --export --export-filename="/data/image-trivy-result")

-      - name: upload html file as artifact
+      - name: upload html file as Trivy artifact
        uses: actions/upload-artifact@v3
        with:
          name: html-image-result-${{github.run_id}}
-          path: image-result.html
+          path: image-trivy-result.html

-      - name: analyse vulnerabilities
-        id: set-matrix
+      - name: analyse vulnerabilities from Trivy
+        id: set-trivy-matrix
        run: |
          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=matrix)
-          echo "image_result=${result}" >> $GITHUB_OUTPUT
+          echo "image_trivy_result=${result}" >> $GITHUB_OUTPUT
+
+      - name: scan vulnerabilities by Docker Scout
+        uses: docker/scout-action@v1
+        continue-on-error: true
+        with:
+          command: cves
+          image: portainerci/portainer:develop
+          sarif-file: image-docker-scout.json
+          dockerhub-user: ${{ secrets.DOCKER_HUB_USERNAME }}
+          dockerhub-password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+
+      - name: upload Docker Scout image security scan result as artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: image-security-scan-develop-result
+          path: image-docker-scout.json
+
+      - name: develop Docker Scout scan report export to html
+        run: |
+          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=docker-scout --path="/data/image-docker-scout.json" --output-type=table --export --export-filename="/data/image-docker-scout-result")
+
+      - name: upload html file as Docker Scout artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: html-image-result-${{github.run_id}}
+          path: image-docker-scout-result.html
+
+      - name: analyse vulnerabilities from Docker Scout
+        id: set-docker-scout-matrix
+        run: |
+          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=docker-scout --path="/data/image-docker-scout.json" --output-type=matrix)
+          echo "image_docker_scout_result=${result}" >> $GITHUB_OUTPUT

  result-analysis:
    name: Analyse Scan Results
@@ -142,22 +178,26 @@ jobs:
      matrix:
        js: ${{fromJson(needs.client-dependencies.outputs.js)}}
        go: ${{fromJson(needs.server-dependencies.outputs.go)}}
-        image: ${{fromJson(needs.image-vulnerability.outputs.image)}}
+        image-trivy: ${{fromJson(needs.image-vulnerability.outputs.image-trivy)}}
+        image-docker-scout: ${{fromJson(needs.image-vulnerability.outputs.image-docker-scout)}}
    steps:
      - name: display the results of js, Go, and image scan
        run: |
          echo "${{ matrix.js.status }}"
          echo "${{ matrix.go.status }}"
-          echo "${{ matrix.image.status }}"
+          echo "${{ matrix.image-trivy.status }}"
+          echo "${{ matrix.image-docker-scout.status }}"
          echo "${{ matrix.js.summary }}"
          echo "${{ matrix.go.summary }}"
-          echo "${{ matrix.image.summary }}"
+          echo "${{ matrix.image-trivy.summary }}"
+          echo "${{ matrix.image-docker-scout.summary }}"

-      - name: send message to Slack 
-        if: >- 
+      - name: send message to Slack
+        if: >-
          matrix.js.status == 'failure' ||
          matrix.go.status == 'failure' || 
-          matrix.image.status == 'failure'
+          matrix.image-trivy.status == 'failure' || 
+          matrix.image-docker-scout.status == 'failure'
        uses: slackapi/slack-github-action@v1.23.0
        with:
          payload: |
@@ -193,7 +233,14 @@ jobs:
                      "type": "section",
                      "text": {
                        "type": "mrkdwn",
-                        "text": "*Image vulnerability check*: *${{ matrix.image.status }}*\n${{ matrix.image.summary }}\n"
+                        "text": "*Image Trivy vulnerability check*: *${{ matrix.image-trivy.status }}*\n${{ matrix.image-trivy.summary }}\n"
+                      }
+                    },
+                    {
+                      "type": "section",
+                      "text": {
+                        "type": "mrkdwn",
+                        "text": "*Image Docker Scout vulnerability check*: *${{ matrix.image-docker-scout.status }}*\n${{ matrix.image-docker-scout.summary }}\n"
                      }
                    }
                  ]
--- a/.github/workflows/pr-security.yml
+++ b/.github/workflows/pr-security.yml
@@ -7,20 +7,24 @@ on:
      - edited
    paths:
      - 'package.json'
-      - 'api/go.mod'
-      - 'gruntfile.js'
+      - 'go.mod'
      - 'build/linux/Dockerfile'
      - 'build/linux/alpine.Dockerfile'
      - 'build/windows/Dockerfile'
      - '.github/workflows/pr-security.yml'

+env:
+  GO_VERSION: 1.21.6
+  NODE_VERSION: 18.x
+
 jobs:
  client-dependencies:
    name: Client Dependency Check
    runs-on: ubuntu-latest
    if: >-
      github.event.pull_request &&
-      github.event.review.body == '/scan'
+      github.event.review.body == '/scan' &&
+      github.event.pull_request.draft == false
    outputs:
      jsdiff: ${{ steps.set-diff-matrix.outputs.js_diff_result }}
    steps:
@@ -74,7 +78,8 @@ jobs:
    runs-on: ubuntu-latest
    if: >-
      github.event.pull_request &&
-      github.event.review.body == '/scan'
+      github.event.review.body == '/scan' &&
+      github.event.pull_request.draft == false
    outputs:
      godiff: ${{ steps.set-diff-matrix.outputs.go_diff_result }}
    steps:
@@ -84,7 +89,7 @@ jobs:
      - name: install Go
        uses: actions/setup-go@v3
        with:
-          go-version: '1.19.5'
+          go-version: ${{ env.GO_VERSION }}

      - name: download Go modules
        run: cd ./api && go get -t -v -d ./...
@@ -95,7 +100,7 @@ jobs:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          yarn global add snyk
-          snyk test --file=./api/go.mod --json-file-output=snyk.json 2>/dev/null || :
+          snyk test --file=./go.mod --json-file-output=snyk.json 2>/dev/null || :

      - name: upload scan result as pull-request artifact
        uses: actions/upload-artifact@v3
@@ -136,22 +141,24 @@ jobs:
    runs-on: ubuntu-latest
    if: >-
      github.event.pull_request &&
-      github.event.review.body == '/scan'
+      github.event.review.body == '/scan' &&
+      github.event.pull_request.draft == false
    outputs:
-      imagediff: ${{ steps.set-diff-matrix.outputs.image_diff_result }}
+      imagediff-trivy: ${{ steps.set-diff-trivy-matrix.outputs.image_diff_trivy_result }}
+      imagediff-docker-scout: ${{ steps.set-diff-docker-scout-matrix.outputs.image_diff_docker_scout_result }}
    steps:
      - name: checkout code
        uses: actions/checkout@master

-      - name: install Go 1.19.5
+      - name: install Go
        uses: actions/setup-go@v3
        with:
-          go-version: '1.19.5'
+          go-version: ${{ env.GO_VERSION }}

-      - name: install Node.js 18.x
+      - name: install Node.js
        uses: actions/setup-node@v3
        with:
-          node-version: 18.x
+          node-version: ${{ env.NODE_VERSION }}

      - name: Install packages
        run: yarn --frozen-lockfile
@@ -167,26 +174,26 @@ jobs:
        with:
          context: .
          file: build/linux/Dockerfile
-          tags: trivy-portainer:${{ github.sha }}
-          outputs: type=docker,dest=/tmp/trivy-portainer-image.tar
+          tags: local-portainer:${{ github.sha }}
+          outputs: type=docker,dest=/tmp/local-portainer-image.tar

      - name: load docker image
        run: |
-          docker load --input /tmp/trivy-portainer-image.tar
+          docker load --input /tmp/local-portainer-image.tar

      - name: scan vulnerabilities by Trivy
        uses: docker://docker.io/aquasec/trivy:latest
        continue-on-error: true
        with:
-          args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress trivy-portainer:${{ github.sha }}
+          args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress local-portainer:${{ github.sha }}

-      - name: upload image security scan result as artifact
+      - name: upload Trivy image security scan result as artifact
        uses: actions/upload-artifact@v3
        with:
          name: image-security-scan-feature-result
          path: image-trivy.json

-      - name: download artifacts from develop branch built by nightly scan
+      - name: download Trivy artifacts from develop branch built by nightly scan
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
@@ -198,21 +205,65 @@ jobs:
            echo "null" > ./image-trivy-develop.json
          fi

-      - name: pr vs develop scan report comparison export to html
+      - name: pr vs develop Trivy scan report comparison export to html
        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=table --export --export-filename="/data/image-result")
+          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=table --export --export-filename="/data/image-trivy-result")

-      - name: upload html file as artifact
+      - name: upload html file as Trivy artifact
        uses: actions/upload-artifact@v3
        with:
          name: html-image-result-compare-to-develop-${{github.run_id}}
-          path: image-result.html
+          path: image-trivy-result.html

-      - name: analyse different vulnerabilities against develop branch
-        id: set-diff-matrix
+      - name: analyse different vulnerabilities against develop branch by Trivy
+        id: set-diff-trivy-matrix
        run: |
          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=matrix)
-          echo "image_diff_result=${result}" >> $GITHUB_OUTPUT
+          echo "image_diff_trivy_result=${result}" >> $GITHUB_OUTPUT
+
+      - name: scan vulnerabilities by Docker Scout
+        uses: docker/scout-action@v1
+        continue-on-error: true
+        with:
+          command: cves
+          image: local-portainer:${{ github.sha }}
+          sarif-file: image-docker-scout.json
+          dockerhub-user: ${{ secrets.DOCKER_HUB_USERNAME }}
+          dockerhub-password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+
+      - name: upload Docker Scout image security scan result as artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: image-security-scan-feature-result
+          path: image-docker-scout.json
+
+      - name: download Docker Scout artifacts from develop branch built by nightly scan
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          mv ./image-docker-scout.json ./image-docker-scout-feature.json
+          (gh run download -n image-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) || :
+          if [[ -e ./image-docker-scout.json ]]; then
+            mv ./image-docker-scout.json ./image-docker-scout-develop.json
+          else
+            echo "null" > ./image-docker-scout-develop.json
+          fi
+
+      - name: pr vs develop Docker Scout scan report comparison export to html
+        run: |
+          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=docker-scout --path="/data/image-docker-scout-feature.json" --compare-to="/data/image-docker-scout-develop.json" --output-type=table --export --export-filename="/data/image-docker-scout-result")
+
+      - name: upload html file as Docker Scout artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: html-image-result-compare-to-develop-${{github.run_id}}
+          path: image-docker-scout-result.html
+
+      - name: analyse different vulnerabilities against develop branch by Docker Scout
+        id: set-diff-docker-scout-matrix
+        run: |
+          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=docker-scout --path="/data/image-docker-scout-feature.json" --compare-to="/data/image-docker-scout-develop.json" --output-type=matrix)
+          echo "image_diff_docker_scout_result=${result}" >> $GITHUB_OUTPUT

  result-analysis:
    name: Analyse Scan Result Against develop Branch
@@ -220,23 +271,28 @@ jobs:
    runs-on: ubuntu-latest
    if: >-
      github.event.pull_request &&
-      github.event.review.body == '/scan'
+      github.event.review.body == '/scan' &&
+      github.event.pull_request.draft == false
    strategy:
      matrix:
        jsdiff: ${{fromJson(needs.client-dependencies.outputs.jsdiff)}}
        godiff: ${{fromJson(needs.server-dependencies.outputs.godiff)}}
-        imagediff: ${{fromJson(needs.image-vulnerability.outputs.imagediff)}}
+        imagediff-trivy: ${{fromJson(needs.image-vulnerability.outputs.imagediff-trivy)}}
+        imagediff-docker-scout: ${{fromJson(needs.image-vulnerability.outputs.imagediff-docker-scout)}}
    steps:
      - name: check job status of diff result
        if: >-
          matrix.jsdiff.status == 'failure' ||
          matrix.godiff.status == 'failure' ||
-          matrix.imagediff.status == 'failure'
+          matrix.imagediff-trivy.status == 'failure' ||
+          matrix.imagediff-docker-scout.status == 'failure'
        run: |
          echo "${{ matrix.jsdiff.status }}"
          echo "${{ matrix.godiff.status }}"
-          echo "${{ matrix.imagediff.status }}"
+          echo "${{ matrix.imagediff-trivy.status }}"
+          echo "${{ matrix.imagediff-docker-scout.status }}"
          echo "${{ matrix.jsdiff.summary }}"
          echo "${{ matrix.godiff.summary }}"
-          echo "${{ matrix.imagediff.summary }}"
+          echo "${{ matrix.imagediff-trivy.summary }}"
+          echo "${{ matrix.imagediff-docker-scout.summary }}"
          exit 1
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,7 +1,8 @@
 name: Close Stale Issues
 on:
  schedule:
-  - cron: '0 12 * * *'
+    - cron: '0 12 * * *'
+  workflow_dispatch:
 jobs:
  stale:
    runs-on: ubuntu-latest
@@ -9,7 +10,7 @@ jobs:
      issues: write

    steps:
-    - uses: actions/stale@v4.0.0
+    - uses: actions/stale@v8
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}

--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -1,25 +1,56 @@
 name: Test
-on: push
+
+env:
+  GO_VERSION: 1.21.6
+  NODE_VERSION: 18.x
+
+on:
+  pull_request:
+    branches:
+      - master
+      - develop
+      - release/*
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+  push:
+    branches:
+      - master
+      - develop
+      - release/*
+
 jobs:
  test-client:
    runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false

    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
-          node-version: '18'
+          node-version: ${{ env.NODE_VERSION }}
          cache: 'yarn'
      - run: yarn --frozen-lockfile

      - name: Run tests
-        run: yarn jest --maxWorkers=2
+        run: make test-client ARGS="--maxWorkers=2 --minWorkers=1"
  test-server:
+    strategy:
+      matrix:
+        config:
+          - { platform: linux, arch: amd64 }
+          - { platform: linux, arch: arm64 }
+          - { platform: windows, arch: amd64, version: 1809 }
+          - { platform: windows, arch: amd64, version: ltsc2022 }
    runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false
+
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v3
        with:
-          go-version: 1.19.5
+          go-version: ${{ env.GO_VERSION }}
      - name: Run tests
        run: make test-server
--- a/.github/workflows/validate-openapi-spec.yaml
+++ b/.github/workflows/validate-openapi-spec.yaml
@@ -6,22 +6,32 @@ on:
      - master
      - develop
      - 'release/*'
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+
+env:
+  GO_VERSION: 1.21.6
+  NODE_VERSION: 18.x

 jobs:
  openapi-spec:
    runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-go@v3
        with:
-          go-version: '1.18'
+          go-version: ${{ env.GO_VERSION }}

      - name: Download golang modules
        run: cd ./api && go get -t -v -d ./...
      - uses: actions/setup-node@v3
        with:
-          node-version: '18'
+          node-version: ${{ env.NODE_VERSION }}
          cache: 'yarn'
      - run: yarn --frozen-lockfile

--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -0,0 +1,32 @@
+linters:
+  # Disable all linters, the defaults don't pass on our code yet
+  disable-all: true
+
+  # Enable these for now
+  enable:
+    - depguard
+    - govet
+    - errorlint
+    - exportloopref
+
+linters-settings:
+  depguard:
+    rules:
+      main:
+        deny:
+          - pkg: 'github.com/sirupsen/logrus'
+            desc: 'logging is allowed only by github.com/rs/zerolog'
+          - pkg: 'golang.org/x/exp'
+            desc: 'exp is not allowed'
+        files:
+          - '!**/*_test.go'
+          - '!**/base.go'
+          - '!**/base_tx.go'
+
+# errorlint is causing a typecheck error for some reason. The go compiler will report these
+# anyway, so ignore them from the linter
+issues:
+  exclude-rules:
+    - path: ./
+      linters:
+        - typecheck
--- a/4
+++ b/4
@@ -102,8 +102,7 @@ lint-client: ## Lint client code
 	yarn lint

 lint-server: ## Lint server code
-	cd api && go vet ./...
-
+	 golangci-lint run --timeout=10m -c .golangci.yaml

 ##@ Extension
 .PHONY: dev-extension
@@ -124,3 +123,4 @@ docs-validate: docs-build ## Validate docs
 .PHONY: help
 help:  ## Display this help
 	@awk 'BEGIN {FS = ":.*##"; printf "Usage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+
--- a/api/.golangci.yaml
+++ b/api/.golangci.yaml
@@ -10,17 +10,17 @@ linters:
    - exportloopref
 linters-settings:
  depguard:
-    list-type: denylist
-    include-go-root: true
-    packages:
-      - github.com/sirupsen/logrus
-      - golang.org/x/exp
-    packages-with-error-message:
-      - github.com/sirupsen/logrus: 'logging is allowed only by github.com/rs/zerolog'
-    ignore-file-rules:
-      - '**/*_test.go'
-      - '**/base.go'
-      - '**/base_tx.go'
+    rules:
+      main:
+        deny:
+          - pkg: 'github.com/sirupsen/logrus'
+            desc: 'logging is allowed only by github.com/rs/zerolog'
+          - pkg: 'golang.org/x/exp'
+            desc: 'exp is not allowed'
+        files:
+          - '!**/*_test.go'
+          - '!**/base.go'
+          - '!**/base_tx.go'

 # errorlint is causing a typecheck error for some reason. The go compiler will report these
 # anyway, so ignore them from the linter
--- a/api/apikey/apikey.go
+++ b/api/apikey/apikey.go
@@ -1,9 +1,6 @@
 package apikey

 import (
-	"crypto/rand"
-	"io"
-
 	portainer "github.com/portainer/portainer/api"
 )

@@ -18,13 +15,3 @@ type APIKeyService interface {
 	DeleteAPIKey(apiKeyID portainer.APIKeyID) error
 	InvalidateUserKeyCache(userId portainer.UserID) bool
 }
-
-// generateRandomKey generates a random key of specified length
-// source: https://github.com/gorilla/securecookie/blob/master/securecookie.go#L515
-func generateRandomKey(length int) []byte {
-	k := make([]byte, length)
-	if _, err := io.ReadFull(rand.Reader, k); err != nil {
-		return nil
-	}
-	return k
-}
--- a/api/apikey/apikey_test.go
+++ b/api/apikey/apikey_test.go
@@ -3,6 +3,7 @@ package apikey
 import (
 	"testing"

+	"github.com/portainer/portainer/api/internal/securecookie"
 	"github.com/stretchr/testify/assert"
 )

@@ -33,7 +34,7 @@ func Test_generateRandomKey(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got := generateRandomKey(tt.wantLenth)
+			got := securecookie.GenerateRandomKey(tt.wantLenth)
 			is.Equal(tt.wantLenth, len(got))
 		})
 	}
@@ -41,7 +42,7 @@ func Test_generateRandomKey(t *testing.T) {
 	t.Run("Generated keys are unique", func(t *testing.T) {
 		keys := make(map[string]bool)
 		for i := 0; i < 100; i++ {
-			key := generateRandomKey(8)
+			key := securecookie.GenerateRandomKey(8)
 			_, ok := keys[string(key)]
 			is.False(ok)
 			keys[string(key)] = true
--- a/api/apikey/service.go
+++ b/api/apikey/service.go
@@ -8,6 +8,7 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/internal/securecookie"

 	"github.com/pkg/errors"
 )
@@ -39,7 +40,7 @@ func (a *apiKeyService) HashRaw(rawKey string) []byte {
 // GenerateApiKey generates a raw API key for a user (for one-time display).
 // The generated API key is stored in the cache and database.
 func (a *apiKeyService) GenerateApiKey(user portainer.User, description string) (string, *portainer.APIKey, error) {
-	randKey := generateRandomKey(32)
+	randKey := securecookie.GenerateRandomKey(32)
 	encodedRawAPIKey := base64.StdEncoding.EncodeToString(randKey)
 	prefixedAPIKey := portainerAPIKeyPrefix + encodedRawAPIKey

--- a/api/backup/backup.go
+++ b/api/backup/backup.go
@@ -30,6 +30,7 @@ var filesToBackup = []string{
 	"portainer.key",
 	"portainer.pub",
 	"tls",
+	"chisel",
 }

 // Creates a tar.gz system archive and encrypts it if password is not empty. Returns a path to the archive file.
--- a/api/chisel/service.go
+++ b/api/chisel/service.go
@@ -75,10 +75,11 @@ func (service *Service) KeepTunnelAlive(endpointID portainer.EndpointID, ctx con
 		log.Debug().
 			Int("endpoint_id", int(endpointID)).
 			Float64("max_alive_minutes", maxAlive.Minutes()).
-			Msg("start")
+			Msg("KeepTunnelAlive: start")

 		maxAliveTicker := time.NewTicker(maxAlive)
 		defer maxAliveTicker.Stop()
+
 		pingTicker := time.NewTicker(tunnelCleanupInterval)
 		defer pingTicker.Stop()

@@ -91,13 +92,13 @@ func (service *Service) KeepTunnelAlive(endpointID portainer.EndpointID, ctx con
 					log.Debug().
 						Int("endpoint_id", int(endpointID)).
 						Err(err).
-						Msg("ping agent")
+						Msg("KeepTunnelAlive: ping agent")
 				}
 			case <-maxAliveTicker.C:
 				log.Debug().
 					Int("endpoint_id", int(endpointID)).
 					Float64("timeout_minutes", maxAlive.Minutes()).
-					Msg("tunnel keep alive timeout")
+					Msg("KeepTunnelAlive: tunnel keep alive timeout")

 				return
 			case <-ctx.Done():
@@ -105,7 +106,7 @@ func (service *Service) KeepTunnelAlive(endpointID portainer.EndpointID, ctx con
 				log.Debug().
 					Int("endpoint_id", int(endpointID)).
 					Err(err).
-					Msg("tunnel stop")
+					Msg("KeepTunnelAlive: tunnel stop")

 				return
 			}
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -20,6 +20,7 @@ import (
 	"github.com/portainer/portainer/api/database/models"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/datastore/migrator"
 	"github.com/portainer/portainer/api/demo"
 	"github.com/portainer/portainer/api/docker"
 	dockerclient "github.com/portainer/portainer/api/docker/client"
@@ -119,11 +120,15 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 			log.Fatal().Err(err).Msg("failed generating instance id")
 		}

+		migratorInstance := migrator.NewMigrator(&migrator.MigratorParameters{})
+		migratorCount := migratorInstance.GetMigratorCountOfCurrentAPIVersion()
+
 		// from MigrateData
 		v := models.Version{
 			SchemaVersion: portainer.APIVersion,
 			Edition:       int(portainer.PortainerCE),
 			InstanceID:    instanceId.String(),
+			MigratorCount: migratorCount,
 		}
 		store.VersionService.UpdateVersion(&v)

@@ -152,6 +157,16 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 	return store
 }

+// checkDBSchemaServerVersionMatch checks if the server version matches the db scehma version
+func checkDBSchemaServerVersionMatch(dbStore dataservices.DataStore, serverVersion string, serverEdition int) bool {
+	v, err := dbStore.Version().Version()
+	if err != nil {
+		return false
+	}
+
+	return v.SchemaVersion == serverVersion && v.Edition == serverEdition
+}
+
 func initComposeStackManager(composeDeployer libstack.Deployer, proxyManager *proxy.Manager) portainer.ComposeStackManager {
 	composeWrapper, err := exec.NewComposeStackManager(composeDeployer, proxyManager)
 	if err != nil {
@@ -383,6 +398,11 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		log.Fatal().Err(err).Msg("")
 	}

+	// check if the db schema version matches with server version
+	if !checkDBSchemaServerVersionMatch(dataStore, portainer.APIVersion, int(portainer.Edition)) {
+		log.Fatal().Msg("The database schema version does not align with the server version. Please consider reverting to the previous server version or addressing the database migration issue.")
+	}
+
 	instanceID, err := dataStore.Version().InstanceID()
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed getting instance id")
--- a/api/dataservices/endpoint/endpoint.go
+++ b/api/dataservices/endpoint/endpoint.go
@@ -5,6 +5,7 @@ import (
 	"time"

 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
 )

 // BucketName represents the name of the bucket where this service stores data.
@@ -144,6 +145,23 @@ func (service *Service) Create(endpoint *portainer.Endpoint) error {
 	})
 }

+func (service *Service) EndpointsByTeamID(teamID portainer.TeamID) ([]portainer.Endpoint, error) {
+	var endpoints = make([]portainer.Endpoint, 0)
+
+	return endpoints, service.connection.GetAll(
+		BucketName,
+		&portainer.Endpoint{},
+		dataservices.FilterFn(&endpoints, func(e portainer.Endpoint) bool {
+			for t := range e.TeamAccessPolicies {
+				if t == teamID {
+					return true
+				}
+			}
+			return false
+		}),
+	)
+}
+
 // GetNextIdentifier returns the next identifier for an environment(endpoint).
 func (service *Service) GetNextIdentifier() int {
 	var identifier int
--- a/api/dataservices/endpoint/tx.go
+++ b/api/dataservices/endpoint/tx.go
@@ -122,6 +122,23 @@ func (service ServiceTx) Create(endpoint *portainer.Endpoint) error {
 	return nil
 }

+func (service ServiceTx) EndpointsByTeamID(teamID portainer.TeamID) ([]portainer.Endpoint, error) {
+	var endpoints = make([]portainer.Endpoint, 0)
+
+	return endpoints, service.tx.GetAll(
+		BucketName,
+		&portainer.Endpoint{},
+		dataservices.FilterFn(&endpoints, func(e portainer.Endpoint) bool {
+			for t := range e.TeamAccessPolicies {
+				if t == teamID {
+					return true
+				}
+			}
+			return false
+		}),
+	)
+}
+
 // GetNextIdentifier returns the next identifier for an environment(endpoint).
 func (service ServiceTx) GetNextIdentifier() int {
 	return service.tx.GetNextIdentifier(BucketName)
--- a/api/dataservices/interface.go
+++ b/api/dataservices/interface.go
@@ -89,6 +89,7 @@ type (
 	EndpointService interface {
 		Endpoint(ID portainer.EndpointID) (*portainer.Endpoint, error)
 		EndpointIDByEdgeID(edgeID string) (portainer.EndpointID, bool)
+		EndpointsByTeamID(teamID portainer.TeamID) ([]portainer.Endpoint, error)
 		Heartbeat(endpointID portainer.EndpointID) (int64, bool)
 		UpdateHeartbeat(endpointID portainer.EndpointID)
 		Endpoints() ([]portainer.Endpoint, error)
--- a/api/datastore/migrate_data.go
+++ b/api/datastore/migrate_data.go
@@ -50,10 +50,10 @@ func (store *Store) MigrateData() error {
 	if err != nil {
 		err = errors.Wrap(err, "failed to migrate database")

-		log.Warn().Msg("migration failed, restoring database to previous version")
-		err = store.restoreWithOptions(&BackupOptions{BackupPath: backupPath})
-		if err != nil {
-			return errors.Wrap(err, "failed to restore database")
+		log.Warn().Err(err).Msg("migration failed, restoring database to previous version")
+		restorErr := store.restoreWithOptions(&BackupOptions{BackupPath: backupPath})
+		if restorErr != nil {
+			return errors.Wrap(restorErr, "failed to restore database")
 		}

 		log.Info().Msg("database restored to previous version")
--- a/api/datastore/migrate_legacyversion.go
+++ b/api/datastore/migrate_legacyversion.go
@@ -1,7 +1,7 @@
 package datastore

 import (
-	portaineree "github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/models"
 	"github.com/portainer/portainer/api/dataservices"
 )
@@ -72,7 +72,7 @@ func dbVersionToSemanticVersion(dbVersion int) string {
 func (store *Store) getOrMigrateLegacyVersion() (*models.Version, error) {
 	// Very old versions of portainer did not have a version bucket, lets set some defaults
 	dbVersion := 24
-	edition := int(portaineree.PortainerCE)
+	edition := int(portainer.PortainerCE)
 	instanceId := ""

 	// If we already have a version key, we don't need to migrate
--- a/api/datastore/migrator/migrate_dbversion100.go
+++ b/api/datastore/migrator/migrate_dbversion100.go
@@ -115,10 +115,16 @@ func (m *Migrator) updateEdgeStackStatusForDB100() error {
 			}

 			if environmentStatus.Details.Ok {
-				statusArray = append(statusArray, portainer.EdgeStackDeploymentStatus{
-					Type: portainer.EdgeStackStatusRunning,
-					Time: time.Now().Unix(),
-				})
+				statusArray = append(statusArray,
+					portainer.EdgeStackDeploymentStatus{
+						Type: portainer.EdgeStackStatusDeploymentReceived,
+						Time: time.Now().Unix(),
+					},
+					portainer.EdgeStackDeploymentStatus{
+						Type: portainer.EdgeStackStatusRunning,
+						Time: time.Now().Unix(),
+					},
+				)
 			}

 			if environmentStatus.Details.ImagesPulled {
--- a/api/datastore/migrator/migrator.go
+++ b/api/datastore/migrator/migrator.go
@@ -148,6 +148,17 @@ func (m *Migrator) LatestMigrations() Migrations {
 	return m.migrations[len(m.migrations)-1]
 }

+func (m *Migrator) GetMigratorCountOfCurrentAPIVersion() int {
+	migratorCount := 0
+	latestMigrations := m.LatestMigrations()
+
+	if latestMigrations.Version.Equal(semver.MustParse(portainer.APIVersion)) {
+		migratorCount = len(latestMigrations.MigrationFuncs)
+	}
+
+	return migratorCount
+}
+
 // !NOTE: Migration funtions should ideally be idempotent.
 // !      Which simply means the function can run over the same data many times but only transform it once.
 // !      In practice this really just means an extra check or two to ensure we're not destroying valid data.
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@@ -944,6 +944,6 @@
    }
  ],
  "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.19.0\",\"MigratorCount\":3,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+    "VERSION": "{\"SchemaVersion\":\"2.19.5\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
  }
 }
--- a/api/docker/client/client.go
+++ b/api/docker/client/client.go
@@ -57,20 +57,20 @@ func (factory *ClientFactory) CreateClient(endpoint *portainer.Endpoint, nodeNam
 func createLocalClient(endpoint *portainer.Endpoint) (*client.Client, error) {
 	return client.NewClientWithOpts(
 		client.WithHost(endpoint.URL),
-		client.WithVersion(dockerClientVersion),
+		client.WithAPIVersionNegotiation(),
 	)
 }

 func CreateClientFromEnv() (*client.Client, error) {
 	return client.NewClientWithOpts(
 		client.FromEnv,
-		client.WithVersion(dockerClientVersion),
+		client.WithAPIVersionNegotiation(),
 	)
 }

 func CreateSimpleClient() (*client.Client, error) {
 	return client.NewClientWithOpts(
-		client.WithVersion(dockerClientVersion),
+		client.WithAPIVersionNegotiation(),
 	)
 }

@@ -82,7 +82,7 @@ func createTCPClient(endpoint *portainer.Endpoint, timeout *time.Duration) (*cli

 	return client.NewClientWithOpts(
 		client.WithHost(endpoint.URL),
-		client.WithVersion(dockerClientVersion),
+		client.WithAPIVersionNegotiation(),
 		client.WithHTTPClient(httpCli),
 	)
 }
@@ -116,7 +116,7 @@ func createEdgeClient(endpoint *portainer.Endpoint, signatureService portainer.D

 	return client.NewClientWithOpts(
 		client.WithHost(endpointURL),
-		client.WithVersion(dockerClientVersion),
+		client.WithAPIVersionNegotiation(),
 		client.WithHTTPClient(httpCli),
 		client.WithHTTPHeaders(headers),
 	)
@@ -144,7 +144,7 @@ func createAgentClient(endpoint *portainer.Endpoint, signatureService portainer.

 	return client.NewClientWithOpts(
 		client.WithHost(endpoint.URL),
-		client.WithVersion(dockerClientVersion),
+		client.WithAPIVersionNegotiation(),
 		client.WithHTTPClient(httpCli),
 		client.WithHTTPHeaders(headers),
 	)
--- a/api/exec/swarm_stack.go
+++ b/api/exec/swarm_stack.go
@@ -15,6 +15,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/internal/registryutils"
 	"github.com/portainer/portainer/api/stacks/stackutils"
+	"github.com/rs/zerolog/log"
 )

 // SwarmStackManager represents a service for managing stacks.
@@ -64,16 +65,35 @@ func (manager *SwarmStackManager) Login(registries []portainer.Registry, endpoin
 		if registry.Authentication {
 			err = registryutils.EnsureRegTokenValid(manager.dataStore, &registry)
 			if err != nil {
-				return err
+				log.
+					Warn().
+					Err(err).
+					Str("RegistryName", registry.Name).
+					Msg("Failed to validate registry token. Skip logging with this registry.")
+
+				continue
 			}

 			username, password, err := registryutils.GetRegEffectiveCredential(&registry)
 			if err != nil {
-				return err
+				log.
+					Warn().
+					Err(err).
+					Str("RegistryName", registry.Name).
+					Msg("Failed to get effective credential. Skip logging with this registry.")
+
+				continue
 			}

 			registryArgs := append(args, "login", "--username", username, "--password", password, registry.URL)
-			runCommandAndCaptureStdErr(command, registryArgs, nil, "")
+			err = runCommandAndCaptureStdErr(command, registryArgs, nil, "")
+			if err != nil {
+				log.
+					Warn().
+					Err(err).
+					Str("RegistryName", registry.Name).
+					Msg("Failed to login.")
+			}
 		}
 	}

--- a/api/filesystem/filesystem.go
+++ b/api/filesystem/filesystem.go
@@ -302,6 +302,38 @@ func (service *Service) UpdateStoreStackFileFromBytes(stackIdentifier, fileName
 	return service.wrapFileStore(stackStorePath), nil
 }

+// UpdateStoreStackFileFromBytesByVersion makes stack file backup and updates a new file from bytes.
+// It returns the path to the folder where the file is stored.
+func (service *Service) UpdateStoreStackFileFromBytesByVersion(stackIdentifier, fileName string, version int, commitHash string, data []byte) (string, error) {
+	stackStorePath := JoinPaths(ComposeStorePath, stackIdentifier)
+
+	versionStr := ""
+	if version != 0 {
+		versionStr = fmt.Sprintf("v%d", version)
+	}
+	if commitHash != "" {
+		versionStr = commitHash
+	}
+
+	if versionStr != "" {
+		stackStorePath = JoinPaths(stackStorePath, versionStr)
+	}
+
+	composeFilePath := JoinPaths(stackStorePath, fileName)
+	err := service.createBackupFileInStore(composeFilePath)
+	if err != nil {
+		return "", err
+	}
+
+	r := bytes.NewReader(data)
+	err = service.createFileInStore(composeFilePath, r)
+	if err != nil {
+		return "", err
+	}
+
+	return service.wrapFileStore(stackStorePath), nil
+}
+
 // RemoveStackFileBackup removes the stack file backup in the ComposeStorePath.
 func (service *Service) RemoveStackFileBackup(stackIdentifier, fileName string) error {
 	stackStorePath := JoinPaths(ComposeStorePath, stackIdentifier)
--- a/api/http/handler/auth/authenticate.go
+++ b/api/http/handler/auth/authenticate.go
@@ -74,7 +74,12 @@ func (handler *Handler) authenticate(rw http.ResponseWriter, r *http.Request) *h
 		if settings.AuthenticationMethod == portainer.AuthenticationInternal ||
 			settings.AuthenticationMethod == portainer.AuthenticationOAuth ||
 			(settings.AuthenticationMethod == portainer.AuthenticationLDAP && !settings.LDAPSettings.AutoCreateUsers) {
-			return &httperror.HandlerError{StatusCode: http.StatusUnprocessableEntity, Message: "Invalid credentials", Err: httperrors.ErrUnauthorized}
+			// avoid username enumeration timing attack by creating a fake user
+			// https://en.wikipedia.org/wiki/Timing_attack
+			user = &portainer.User{
+				Username: "portainer-fake-username",
+				Password: "$2a$10$abcdefghijklmnopqrstuvwx..ABCDEFGHIJKLMNOPQRSTUVWXYZ12", // fake but valid format bcrypt hash
+			}
 		}
 	}

@@ -111,7 +116,11 @@ func (handler *Handler) authenticateInternal(w http.ResponseWriter, user *portai
 func (handler *Handler) authenticateLDAP(w http.ResponseWriter, user *portainer.User, username, password string, ldapSettings *portainer.LDAPSettings) *httperror.HandlerError {
 	err := handler.LDAPService.AuthenticateUser(username, password, ldapSettings)
 	if err != nil {
-		return httperror.Forbidden("Only initial admin is allowed to login without oauth", err)
+		if errors.Is(err, httperrors.ErrUnauthorized) {
+			return httperror.NewError(http.StatusUnprocessableEntity, "Invalid credentials", httperrors.ErrUnauthorized)
+		}
+
+		return httperror.InternalServerError("Unable to authenticate user against LDAP", err)
 	}

 	if user == nil {
--- a/api/http/handler/auth/handler.go
+++ b/api/http/handler/auth/handler.go
@@ -24,6 +24,7 @@ type Handler struct {
 	ProxyManager                *proxy.Manager
 	KubernetesTokenCacheManager *kubernetes.TokenCacheManager
 	passwordStrengthChecker     security.PasswordStrengthChecker
+	bouncer                     security.BouncerService
 }

 // NewHandler creates a handler to manage authentication operations.
@@ -31,6 +32,7 @@ func NewHandler(bouncer security.BouncerService, rateLimiter *security.RateLimit
 	h := &Handler{
 		Router:                  mux.NewRouter(),
 		passwordStrengthChecker: passwordStrengthChecker,
+		bouncer:                 bouncer,
 	}

 	h.Handle("/auth/oauth/validate",
@@ -38,7 +40,6 @@ func NewHandler(bouncer security.BouncerService, rateLimiter *security.RateLimit
 	h.Handle("/auth",
 		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.authenticate)))).Methods(http.MethodPost)
 	h.Handle("/auth/logout",
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.logout))).Methods(http.MethodPost)
-
+		bouncer.PublicAccess(httperror.LoggerHandler(h.logout))).Methods(http.MethodPost)
 	return h
 }
--- a/api/http/handler/auth/logout.go
+++ b/api/http/handler/auth/logout.go
@@ -5,12 +5,12 @@ import (

 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/logoutcontext"
 )

 // @id Logout
 // @summary Logout
-// @description **Access policy**: authenticated
+// @description **Access policy**: public
 // @security ApiKeyAuth
 // @security jwt
 // @tags auth
@@ -18,12 +18,12 @@ import (
 // @failure 500 "Server error"
 // @router /auth/logout [post]
 func (handler *Handler) logout(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	tokenData, err := security.RetrieveTokenData(r)
-	if err != nil {
-		return httperror.InternalServerError("Unable to retrieve user details from authentication token", err)
-	}
+	tokenData := handler.bouncer.JWTAuthLookup(r)

-	handler.KubernetesTokenCacheManager.RemoveUserFromCache(tokenData.ID)
+	if tokenData != nil {
+		handler.KubernetesTokenCacheManager.RemoveUserFromCache(tokenData.ID)
+		logoutcontext.Cancel(tokenData.Token)
+	}

 	return response.Empty(w)
 }
--- a/api/http/handler/customtemplates/customtemplate_create.go
+++ b/api/http/handler/customtemplates/customtemplate_create.go
@@ -3,6 +3,7 @@ package customtemplates
 import (
 	"encoding/json"
 	"errors"
+	"fmt"
 	"net/http"
 	"os"
 	"regexp"
@@ -472,3 +473,29 @@ func (handler *Handler) createCustomTemplateFromFileUpload(r *http.Request) (*po

 	return customTemplate, nil
 }
+
+// @id CustomTemplateCreate
+// @summary Create a custom template
+// @description Create a custom template.
+// @description **Access policy**: authenticated
+// @tags custom_templates
+// @security ApiKeyAuth
+// @security jwt
+// @accept json,multipart/form-data
+// @produce json
+// @param method query string true "method for creating template" Enums(string, file, repository)
+// @param body body object true "for body documentation see the relevant /custom_templates/{method} endpoint"
+// @success 200 {object} portainer.CustomTemplate
+// @failure 400 "Invalid request"
+// @failure 500 "Server error"
+// @deprecated
+// @router /custom_templates [post]
+func deprecatedCustomTemplateCreateUrlParser(w http.ResponseWriter, r *http.Request) (string, *httperror.HandlerError) {
+	method, err := request.RetrieveQueryParameter(r, "method", false)
+	if err != nil {
+		return "", httperror.BadRequest("Invalid query parameter: method", err)
+	}
+
+	url := fmt.Sprintf("/custom_templates/create/%s", method)
+	return url, nil
+}
--- a/api/http/handler/customtemplates/handler.go
+++ b/api/http/handler/customtemplates/handler.go
@@ -8,6 +8,7 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/http/middlewares"
 	"github.com/portainer/portainer/api/http/security"
 )

@@ -32,6 +33,7 @@ func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStor

 	h.Handle("/custom_templates/create/{method}",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.customTemplateCreate))).Methods(http.MethodPost)
+	h.Handle("/custom_templates", middlewares.Deprecated(h, deprecatedCustomTemplateCreateUrlParser)).Methods(http.MethodPost) // Deprecated
 	h.Handle("/custom_templates",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.customTemplateList))).Methods(http.MethodGet)
 	h.Handle("/custom_templates/{id}",
--- a/api/http/handler/edgejobs/edgejob_create.go
+++ b/api/http/handler/edgejobs/edgejob_create.go
@@ -2,6 +2,7 @@ package edgejobs

 import (
 	"errors"
+	"fmt"
 	"net/http"
 	"strconv"
 	"strings"
@@ -287,3 +288,26 @@ func (handler *Handler) addAndPersistEdgeJob(tx dataservices.DataStoreTx, edgeJo

 	return tx.EdgeJob().CreateWithID(edgeJob.ID, edgeJob)
 }
+
+// @id EdgeJobCreate
+// @summary Create an EdgeJob
+// @description **Access policy**: administrator
+// @tags edge_jobs
+// @security ApiKeyAuth
+// @security jwt
+// @produce json
+// @param method query string true "Creation Method" Enums(file, string)
+// @param body body object true "for body documentation see the relevant /edge_jobs/create/{method} endpoint"
+// @success 200 {object} portainer.EdgeGroup
+// @failure 503 "Edge compute features are disabled"
+// @failure 500
+// @deprecated
+// @router /edge_jobs [post]
+func deprecatedEdgeJobCreateUrlParser(w http.ResponseWriter, r *http.Request) (string, *httperror.HandlerError) {
+	method, err := request.RetrieveQueryParameter(r, "method", false)
+	if err != nil {
+		return "", httperror.BadRequest("Invalid query parameter: method. Valid values are: file or string", err)
+	}
+
+	return fmt.Sprintf("/edge_jobs/create/%s", method), nil
+}
--- a/api/http/handler/edgejobs/handler.go
+++ b/api/http/handler/edgejobs/handler.go
@@ -8,6 +8,7 @@ import (
 	"github.com/portainer/libhttp/response"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/http/middlewares"
 	"github.com/portainer/portainer/api/http/security"

 	"github.com/gorilla/mux"
@@ -29,6 +30,8 @@ func NewHandler(bouncer security.BouncerService) *Handler {

 	h.Handle("/edge_jobs",
 		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeJobList)))).Methods(http.MethodGet)
+	h.Handle("/edge_jobs",
+		bouncer.AdminAccess(bouncer.EdgeComputeOperation(middlewares.Deprecated(h, deprecatedEdgeJobCreateUrlParser)))).Methods(http.MethodPost)
 	h.Handle("/edge_jobs/create/{method}",
 		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeJobCreate)))).Methods(http.MethodPost)
 	h.Handle("/edge_jobs/{id}",
--- a/api/http/handler/edgestacks/edgestack_create.go
+++ b/api/http/handler/edgestacks/edgestack_create.go
@@ -1,6 +1,7 @@
 package edgestacks

 import (
+	"fmt"
 	"net/http"

 	httperror "github.com/portainer/libhttp/error"
@@ -18,6 +19,7 @@ func (handler *Handler) edgeStackCreate(w http.ResponseWriter, r *http.Request)
 	if err != nil {
 		return httperror.BadRequest("Invalid query parameter: method", err)
 	}
+
 	dryrun, _ := request.RetrieveBooleanQueryParameter(r, "dryrun", true)

 	tokenData, err := security.RetrieveTokenData(r)
@@ -60,3 +62,26 @@ func (handler *Handler) createSwarmStack(tx dataservices.DataStoreTx, method str

 	return nil, httperrors.NewInvalidPayloadError("Invalid value for query parameter: method. Value must be one of: string, repository or file")
 }
+
+// @id EdgeStackCreate
+// @summary Create an EdgeStack
+// @description **Access policy**: administrator
+// @tags edge_stacks
+// @security ApiKeyAuth
+// @security jwt
+// @produce json
+// @param method query string true "Creation Method" Enums(file,string,repository)
+// @param body body object true "for body documentation see the relevant /edge_stacks/create/{method} endpoint"
+// @success 200 {object} portainer.EdgeStack
+// @failure 500
+// @failure 503 "Edge compute features are disabled"
+// @deprecated
+// @router /edge_stacks [post]
+func deprecatedEdgeStackCreateUrlParser(w http.ResponseWriter, r *http.Request) (string, *httperror.HandlerError) {
+	method, err := request.RetrieveQueryParameter(r, "method", false)
+	if err != nil {
+		return "", httperror.BadRequest("Invalid query parameter: method. Valid values are: file or string", err)
+	}
+
+	return fmt.Sprintf("/edge_stacks/create/%s", method), nil
+}
--- a/api/http/handler/edgestacks/handler.go
+++ b/api/http/handler/edgestacks/handler.go
@@ -38,6 +38,8 @@ func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStor

 	h.Handle("/edge_stacks/create/{method}",
 		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeStackCreate)))).Methods(http.MethodPost)
+	h.Handle("/edge_stacks",
+		bouncer.AdminAccess(bouncer.EdgeComputeOperation(middlewares.Deprecated(h, deprecatedEdgeStackCreateUrlParser)))).Methods(http.MethodPost) // Deprecated
 	h.Handle("/edge_stacks",
 		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeStackList)))).Methods(http.MethodGet)
 	h.Handle("/edge_stacks/{id}",
--- a/api/http/handler/edgestacks/utils_update_stack_version.go
+++ b/api/http/handler/edgestacks/utils_update_stack_version.go
@@ -50,7 +50,7 @@ func (handler *Handler) storeStackFile(stack *portainer.EdgeStack, deploymentTyp
 		entryPoint = stack.ManifestPath
 	}

-	_, err := handler.FileService.StoreEdgeStackFileFromBytesByVersion(stackFolder, entryPoint, stack.Version, config)
+	_, err := handler.FileService.StoreEdgeStackFileFromBytes(stackFolder, entryPoint, config)
 	if err != nil {
 		return fmt.Errorf("unable to persist updated Compose file with version on disk: %w", err)
 	}
--- a/api/http/handler/endpoints/endpoint_update.go
+++ b/api/http/handler/endpoints/endpoint_update.go
@@ -294,7 +294,7 @@ func shouldReloadTLSConfiguration(endpoint *portainer.Endpoint, payload *endpoin
 	// When updating Docker API environment, as long as TLS is true and TLSSkipVerify is false,
 	// we assume that new TLS files have been uploaded and we need to reload the TLS configuration.
 	if endpoint.Type != portainer.DockerEnvironment ||
-		!strings.HasPrefix(*payload.URL, "tcp://") ||
+		(payload.URL != nil && !strings.HasPrefix(*payload.URL, "tcp://")) ||
 		payload.TLS == nil || !*payload.TLS {
 		return false
 	}
--- a/api/http/handler/endpoints/filter.go
+++ b/api/http/handler/endpoints/filter.go
@@ -34,6 +34,7 @@ type EnvironmentsQuery struct {
 	edgeCheckInPassedSeconds int
 	edgeStackId              portainer.EdgeStackID
 	edgeStackStatus          *portainer.EdgeStackStatusType
+	excludeIds               []portainer.EndpointID
 }

 func parseQuery(r *http.Request) (EnvironmentsQuery, error) {
@@ -69,6 +70,11 @@ func parseQuery(r *http.Request) (EnvironmentsQuery, error) {
 		return EnvironmentsQuery{}, err
 	}

+	excludeIDs, err := getNumberArrayQueryParameter[portainer.EndpointID](r, "excludeIds")
+	if err != nil {
+		return EnvironmentsQuery{}, err
+	}
+
 	agentVersions := getArrayQueryParameter(r, "agentVersions")

 	name, _ := request.RetrieveQueryParameter(r, "name", true)
@@ -97,6 +103,7 @@ func parseQuery(r *http.Request) (EnvironmentsQuery, error) {
 		types:                    endpointTypes,
 		tagIds:                   tagIDs,
 		endpointIds:              endpointIDs,
+		excludeIds:               excludeIDs,
 		tagsPartialMatch:         tagsPartialMatch,
 		groupIds:                 groupIDs,
 		status:                   status,
@@ -118,6 +125,12 @@ func (handler *Handler) filterEndpointsByQuery(filteredEndpoints []portainer.End
 		filteredEndpoints = filteredEndpointsByIds(filteredEndpoints, query.endpointIds)
 	}

+	if len(query.excludeIds) > 0 {
+		filteredEndpoints = filter(filteredEndpoints, func(endpoint portainer.Endpoint) bool {
+			return !slices.Contains(query.excludeIds, endpoint.ID)
+		})
+	}
+
 	if len(query.groupIds) > 0 {
 		filteredEndpoints = filterEndpointsByGroupIDs(filteredEndpoints, query.groupIds)
 	}
@@ -208,9 +221,12 @@ func endpointStatusInStackMatchesFilter(edgeStackStatus map[portainer.EndpointID
 	status, ok := edgeStackStatus[envId]

 	// consider that if the env has no status in the stack it is in Pending state
-	// workaround because Stack.Status[EnvId].Details.Pending is never set to True in the codebase
-	if !ok && statusFilter == portainer.EdgeStackStatusPending {
-		return true
+	if statusFilter == portainer.EdgeStackStatusPending {
+		return !ok || len(status.Status) == 0
+	}
+
+	if !ok {
+		return false
 	}

 	return slices.ContainsFunc(status.Status, func(s portainer.EdgeStackDeploymentStatus) bool {
--- a/api/http/handler/endpoints/filter_test.go
+++ b/api/http/handler/endpoints/filter_test.go
@@ -5,6 +5,7 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/internal/slices"
 	"github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/stretchr/testify/assert"
 )
@@ -124,6 +125,28 @@ func Test_Filter_edgeFilter(t *testing.T) {
 	runTests(tests, t, handler, endpoints)
 }

+func Test_Filter_excludeIDs(t *testing.T) {
+	ids := []portainer.EndpointID{1, 2, 3, 4, 5, 6, 7, 8, 9}
+
+	environments := slices.Map(ids, func(id portainer.EndpointID) portainer.Endpoint {
+		return portainer.Endpoint{ID: id, GroupID: 1, Type: portainer.DockerEnvironment}
+	})
+
+	handler := setupFilterTest(t, environments)
+
+	tests := []filterTest{
+		{
+			title:    "should exclude IDs 2,5,8",
+			expected: []portainer.EndpointID{1, 3, 4, 6, 7, 9},
+			query: EnvironmentsQuery{
+				excludeIds: []portainer.EndpointID{2, 5, 8},
+			},
+		},
+	}
+
+	runTests(tests, t, handler, environments)
+}
+
 func runTests(tests []filterTest, t *testing.T, handler *Handler, endpoints []portainer.Endpoint) {
 	for _, test := range tests {
 		t.Run(test.title, func(t *testing.T) {
--- a/api/http/handler/handler.go
+++ b/api/http/handler/handler.go
@@ -84,7 +84,7 @@ type Handler struct {
 }

 // @title PortainerCE API
-// @version 2.19.0
+// @version 2.19.5
 // @description.markdown api-description.md
 // @termsOfService

--- a/api/http/handler/stacks/create_kubernetes_stack.go
+++ b/api/http/handler/stacks/create_kubernetes_stack.go
@@ -13,6 +13,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/git/update"
 	"github.com/portainer/portainer/api/internal/endpointutils"
+	"github.com/portainer/portainer/api/internal/registryutils"
 	k "github.com/portainer/portainer/api/kubernetes"
 	"github.com/portainer/portainer/api/stacks/deployments"
 	"github.com/portainer/portainer/api/stacks/stackbuilders"
@@ -176,6 +177,14 @@ func (handler *Handler) createKubernetesStackFromFileContent(w http.ResponseWrit
 		handler.KubernetesDeployer,
 		user)

+	// Refresh ECR registry secret if needed
+	// RefreshEcrSecret method checks if the namespace has any ECR registry
+	// otherwise return nil
+	cli, err := handler.KubernetesClientFactory.GetKubeClient(endpoint)
+	if err == nil {
+		registryutils.RefreshEcrSecret(cli, endpoint, handler.DataStore, payload.Namespace)
+	}
+
 	stackBuilderDirector := stackbuilders.NewStackBuilderDirector(k8sStackBuilder)
 	_, httpErr := stackBuilderDirector.Build(&stackPayload, endpoint)
 	if httpErr != nil {
--- a/api/http/handler/stacks/handler.go
+++ b/api/http/handler/stacks/handler.go
@@ -14,6 +14,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	dockerclient "github.com/portainer/portainer/api/docker/client"
+	"github.com/portainer/portainer/api/http/middlewares"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
 	"github.com/portainer/portainer/api/internal/endpointutils"
@@ -58,6 +59,8 @@ func NewHandler(bouncer security.BouncerService) *Handler {

 	h.Handle("/stacks/create/{type}/{method}",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackCreate))).Methods(http.MethodPost)
+	h.Handle("/stacks",
+		bouncer.AuthenticatedAccess(middlewares.Deprecated(h, deprecatedStackCreateUrlParser))).Methods(http.MethodPost) // Deprecated
 	h.Handle("/stacks",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackList))).Methods(http.MethodGet)
 	h.Handle("/stacks/{id}",
--- a/api/http/handler/stacks/stack_create.go
+++ b/api/http/handler/stacks/stack_create.go
@@ -1,6 +1,7 @@
 package stacks

 import (
+	"fmt"
 	"net/http"

 	"github.com/pkg/errors"
@@ -139,3 +140,53 @@ func (handler *Handler) decorateStackResponse(w http.ResponseWriter, stack *port

 	return response.JSON(w, stack)
 }
+
+func getStackTypeFromQueryParameter(r *http.Request) (string, error) {
+	stackType, err := request.RetrieveNumericQueryParameter(r, "type", false)
+	if err != nil {
+		return "", err
+	}
+
+	switch stackType {
+	case 1:
+		return "swarm", nil
+	case 2:
+		return "standalone", nil
+	case 3:
+		return "kubernetes", nil
+	}
+
+	return "", errors.New(request.ErrInvalidQueryParameter)
+}
+
+// @id StackCreate
+// @summary Deploy a new stack
+// @description Deploy a new stack into a Docker environment(endpoint) specified via the environment(endpoint) identifier.
+// @description **Access policy**: authenticated
+// @tags stacks
+// @security ApiKeyAuth
+// @security jwt
+// @accept json,multipart/form-data
+// @produce json
+// @param type query int true "Stack deployment type. Possible values: 1 (Swarm stack), 2 (Compose stack) or 3 (Kubernetes stack)." Enums(1,2,3)
+// @param method query string true "Stack deployment method. Possible values: file, string, repository or url." Enums(string, file, repository, url)
+// @param endpointId query int true "Identifier of the environment(endpoint) that will be used to deploy the stack"
+// @param body body object true "for body documentation see the relevant /stacks/create/{type}/{method} endpoint"
+// @success 200 {object} portainer.Stack
+// @failure 400 "Invalid request"
+// @failure 500 "Server error"
+// @deprecated
+// @router /stacks [post]
+func deprecatedStackCreateUrlParser(w http.ResponseWriter, r *http.Request) (string, *httperror.HandlerError) {
+	method, err := request.RetrieveQueryParameter(r, "method", false)
+	if err != nil {
+		return "", httperror.BadRequest("Invalid query parameter: method. Valid values are: file or string", err)
+	}
+
+	stackType, err := getStackTypeFromQueryParameter(r)
+	if err != nil {
+		return "", httperror.BadRequest("Invalid query parameter: type", err)
+	}
+
+	return fmt.Sprintf("/stacks/create/%s/%s", stackType, method), nil
+}
--- a/api/http/handler/stacks/stack_delete.go
+++ b/api/http/handler/stacks/stack_delete.go
@@ -190,7 +190,7 @@ func (handler *Handler) deleteStack(userID portainer.UserID, stack *portainer.St
 	if stack.Type == portainer.DockerSwarmStack {
 		stack.Name = handler.SwarmStackManager.NormalizeStackName(stack.Name)

-		if stackutils.IsGitStack(stack) {
+		if stackutils.IsRelativePathStack(stack) {
 			return handler.StackDeployer.UndeployRemoteSwarmStack(stack, endpoint)
 		}

@@ -200,7 +200,7 @@ func (handler *Handler) deleteStack(userID portainer.UserID, stack *portainer.St
 	if stack.Type == portainer.DockerComposeStack {
 		stack.Name = handler.ComposeStackManager.NormalizeStackName(stack.Name)

-		if stackutils.IsGitStack(stack) {
+		if stackutils.IsRelativePathStack(stack) {
 			return handler.StackDeployer.UndeployRemoteComposeStack(stack, endpoint)
 		}

--- a/api/http/handler/stacks/stack_start.go
+++ b/api/http/handler/stacks/stack_start.go
@@ -117,7 +117,7 @@ func (handler *Handler) stackStart(w http.ResponseWriter, r *http.Request) *http
 		stack.AutoUpdate.JobID = jobID
 	}

-	err = handler.startStack(stack, endpoint)
+	err = handler.startStack(stack, endpoint, securityContext)
 	if err != nil {
 		return httperror.InternalServerError("Unable to start stack", err)
 	}
@@ -136,12 +136,16 @@ func (handler *Handler) stackStart(w http.ResponseWriter, r *http.Request) *http
 	return response.JSON(w, stack)
 }

-func (handler *Handler) startStack(stack *portainer.Stack, endpoint *portainer.Endpoint) error {
+func (handler *Handler) startStack(
+	stack *portainer.Stack,
+	endpoint *portainer.Endpoint,
+	securityContext *security.RestrictedRequestContext,
+) error {
 	switch stack.Type {
 	case portainer.DockerComposeStack:
 		stack.Name = handler.ComposeStackManager.NormalizeStackName(stack.Name)

-		if stackutils.IsGitStack(stack) {
+		if stackutils.IsRelativePathStack(stack) {
 			return handler.StackDeployer.StartRemoteComposeStack(stack, endpoint)
 		}

@@ -149,11 +153,23 @@ func (handler *Handler) startStack(stack *portainer.Stack, endpoint *portainer.E
 	case portainer.DockerSwarmStack:
 		stack.Name = handler.SwarmStackManager.NormalizeStackName(stack.Name)

-		if stackutils.IsGitStack(stack) {
+		if stackutils.IsRelativePathStack(stack) {
 			return handler.StackDeployer.StartRemoteSwarmStack(stack, endpoint)
 		}

-		return handler.SwarmStackManager.Deploy(stack, true, true, endpoint)
+		user, err := handler.DataStore.User().Read(securityContext.UserID)
+		if err != nil {
+			return fmt.Errorf("unable to load user information from the database: %w", err)
+		}
+
+		registries, err := handler.DataStore.Registry().ReadAll()
+		if err != nil {
+			return fmt.Errorf("unable to retrieve registries from the database: %w", err)
+		}
+
+		filteredRegistries := security.FilterRegistries(registries, user, securityContext.UserMemberships, endpoint.ID)
+
+		return handler.StackDeployer.DeploySwarmStack(stack, endpoint, filteredRegistries, true, true)
 	}

 	return nil
--- a/api/http/handler/stacks/stack_stop.go
+++ b/api/http/handler/stacks/stack_stop.go
@@ -125,7 +125,7 @@ func (handler *Handler) stopStack(stack *portainer.Stack, endpoint *portainer.En
 	case portainer.DockerComposeStack:
 		stack.Name = handler.ComposeStackManager.NormalizeStackName(stack.Name)

-		if stackutils.IsGitStack(stack) {
+		if stackutils.IsRelativePathStack(stack) {
 			return handler.StackDeployer.StopRemoteComposeStack(stack, endpoint)
 		}

@@ -133,7 +133,7 @@ func (handler *Handler) stopStack(stack *portainer.Stack, endpoint *portainer.En
 	case portainer.DockerSwarmStack:
 		stack.Name = handler.SwarmStackManager.NormalizeStackName(stack.Name)

-		if stackutils.IsGitStack(stack) {
+		if stackutils.IsRelativePathStack(stack) {
 			return handler.StackDeployer.StopRemoteSwarmStack(stack, endpoint)
 		}

--- a/api/http/handler/stacks/stack_update.go
+++ b/api/http/handler/stacks/stack_update.go
@@ -198,6 +198,11 @@ func (handler *Handler) updateComposeStack(r *http.Request, stack *portainer.Sta

 	stack.Env = payload.Env

+	if stack.GitConfig != nil {
+		// detach from git
+		stack.GitConfig = nil
+	}
+
 	stackFolder := strconv.Itoa(int(stack.ID))
 	_, err = handler.FileService.UpdateStoreStackFileFromBytes(stackFolder, stack.EntryPoint, []byte(payload.StackFileContent))
 	if err != nil {
@@ -263,6 +268,11 @@ func (handler *Handler) updateSwarmStack(r *http.Request, stack *portainer.Stack

 	stack.Env = payload.Env

+	if stack.GitConfig != nil {
+		// detach from git
+		stack.GitConfig = nil
+	}
+
 	stackFolder := strconv.Itoa(int(stack.ID))
 	_, err = handler.FileService.UpdateStoreStackFileFromBytes(stackFolder, stack.EntryPoint, []byte(payload.StackFileContent))
 	if err != nil {
--- a/api/http/handler/stacks/update_kubernetes_stack.go
+++ b/api/http/handler/stacks/update_kubernetes_stack.go
@@ -13,6 +13,7 @@ import (
 	gittypes "github.com/portainer/portainer/api/git/types"
 	"github.com/portainer/portainer/api/git/update"
 	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/registryutils"
 	k "github.com/portainer/portainer/api/kubernetes"
 	"github.com/portainer/portainer/api/stacks/deployments"

@@ -113,6 +114,14 @@ func (handler *Handler) updateKubernetesStack(r *http.Request, stack *portainer.
 		return httperror.InternalServerError("Failed to persist deployment file in a temp directory", err)
 	}

+	// Refresh ECR registry secret if needed
+	// RefreshEcrSecret method checks if the namespace has any ECR registry
+	// otherwise return nil
+	cli, err := handler.KubernetesClientFactory.GetKubeClient(endpoint)
+	if err == nil {
+		registryutils.RefreshEcrSecret(cli, endpoint, handler.DataStore, stack.Namespace)
+	}
+
 	//use temp dir as the stack project path for deployment
 	//so if the deployment failed, the original file won't be over-written
 	stack.ProjectPath = tempFileDir
--- a/api/http/handler/teammemberships/handler.go
+++ b/api/http/handler/teammemberships/handler.go
@@ -4,8 +4,12 @@ import (
 	"net/http"

 	httperror "github.com/portainer/libhttp/error"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/endpointutils"
+	"github.com/portainer/portainer/api/kubernetes/cli"
+	"github.com/rs/zerolog/log"

 	"github.com/gorilla/mux"
 )
@@ -13,7 +17,8 @@ import (
 // Handler is the HTTP handler used to handle team membership operations.
 type Handler struct {
 	*mux.Router
-	DataStore dataservices.DataStore
+	DataStore        dataservices.DataStore
+	K8sClientFactory *cli.ClientFactory
 }

 // NewHandler creates a handler to manage team membership operations.
@@ -31,3 +36,27 @@ func NewHandler(bouncer security.BouncerService) *Handler {

 	return h
 }
+
+func (handler *Handler) updateUserServiceAccounts(membership *portainer.TeamMembership) {
+	endpoints, err := handler.DataStore.Endpoint().EndpointsByTeamID(membership.TeamID)
+	if err != nil {
+		log.Error().Err(err).Msgf("failed fetching environments for team %d", membership.TeamID)
+		return
+	}
+	for _, endpoint := range endpoints {
+		restrictDefaultNamespace := endpoint.Kubernetes.Configuration.RestrictDefaultNamespace
+		// update kubernenets service accounts if the team is associated with a kubernetes environment
+		if endpointutils.IsKubernetesEndpoint(&endpoint) {
+			kubecli, err := handler.K8sClientFactory.GetKubeClient(&endpoint)
+			if err != nil {
+				log.Error().Err(err).Msgf("failed getting kube client for environment %d", endpoint.ID)
+				continue
+			}
+			teamIDs := []int{int(membership.TeamID)}
+			err = kubecli.SetupUserServiceAccount(int(membership.UserID), teamIDs, restrictDefaultNamespace)
+			if err != nil {
+				log.Error().Err(err).Msgf("failed setting-up service account for user %d", membership.UserID)
+			}
+		}
+	}
+}
--- a/api/http/handler/teammemberships/teammembership_create.go
+++ b/api/http/handler/teammemberships/teammembership_create.go
@@ -91,5 +91,7 @@ func (handler *Handler) teamMembershipCreate(w http.ResponseWriter, r *http.Requ
 		return httperror.InternalServerError("Unable to persist team memberships inside the database", err)
 	}

+	defer handler.updateUserServiceAccounts(membership)
+
 	return response.JSON(w, membership)
 }
--- a/api/http/handler/teammemberships/teammembership_delete.go
+++ b/api/http/handler/teammemberships/teammembership_delete.go
@@ -52,5 +52,7 @@ func (handler *Handler) teamMembershipDelete(w http.ResponseWriter, r *http.Requ
 		return httperror.InternalServerError("Unable to remove the team membership from the database", err)
 	}

+	defer handler.updateUserServiceAccounts(membership)
+
 	return response.Empty(w)
 }
--- a/api/http/handler/teammemberships/teammembership_update.go
+++ b/api/http/handler/teammemberships/teammembership_update.go
@@ -90,5 +90,7 @@ func (handler *Handler) teamMembershipUpdate(w http.ResponseWriter, r *http.Requ
 		return httperror.InternalServerError("Unable to persist membership changes inside the database", err)
 	}

+	defer handler.updateUserServiceAccounts(membership)
+
 	return response.JSON(w, membership)
 }
--- a/api/http/handler/users/handler.go
+++ b/api/http/handler/users/handler.go
@@ -22,6 +22,7 @@ var (
 	errAdminCannotRemoveSelf      = errors.New("Cannot remove your own user account. Contact another administrator")
 	errCannotRemoveLastLocalAdmin = errors.New("Cannot remove the last local administrator account")
 	errCryptoHashFailure          = errors.New("Unable to hash data")
+	errWrongPassword              = errors.New("Wrong password")
 )

 func hideFields(user *portainer.User) {
--- a/api/http/handler/users/user_list.go
+++ b/api/http/handler/users/user_list.go
@@ -10,6 +10,13 @@ import (
 	"github.com/portainer/portainer/api/http/security"
 )

+type User struct {
+	ID       portainer.UserID `json:"Id" example:"1"`
+	Username string           `json:"Username" example:"bob"`
+	// User role (1 for administrator account and 2 for regular account)
+	Role portainer.UserRole `json:"Role" example:"1"`
+}
+
 // @id UserList
 // @summary List users
 // @description List Portainer users.
@@ -26,24 +33,25 @@ import (
 // @failure 500 "Server error"
 // @router /users [get]
 func (handler *Handler) userList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	users, err := handler.DataStore.User().ReadAll()
-	if err != nil {
-		return httperror.InternalServerError("Unable to retrieve users from the database", err)
-	}
-
 	securityContext, err := security.RetrieveRestrictedRequestContext(r)
 	if err != nil {
 		return httperror.InternalServerError("Unable to retrieve info from request context", err)
 	}

-	availableUsers := security.FilterUsers(users, securityContext)
-	for i := range availableUsers {
-		hideFields(&availableUsers[i])
+	if !securityContext.IsAdmin && !securityContext.IsTeamLeader {
+		return httperror.Forbidden("Permission denied to access users list", err)
 	}

+	users, err := handler.DataStore.User().ReadAll()
+	if err != nil {
+		return httperror.InternalServerError("Unable to retrieve users from the database", err)
+	}
+
+	availableUsers := security.FilterUsers(users, securityContext)
+
 	endpointID, _ := request.RetrieveNumericQueryParameter(r, "environmentId", true)
 	if endpointID == 0 {
-		return response.JSON(w, availableUsers)
+		return response.JSON(w, sanitizeUsers(availableUsers))
 	}

 	// filter out users who do not have access to the specific endpoint
@@ -57,11 +65,11 @@ func (handler *Handler) userList(w http.ResponseWriter, r *http.Request) *httper
 		return httperror.InternalServerError("Unable to retrieve environment groups from the database", err)
 	}

-	canAccessEndpoint := make([]portainer.User, 0)
+	canAccessEndpoint := make([]User, 0)
 	for _, user := range availableUsers {
 		// the users who have the endpoint authorization
 		if _, ok := user.EndpointAuthorizations[endpoint.ID]; ok {
-			canAccessEndpoint = append(canAccessEndpoint, user)
+			canAccessEndpoint = append(canAccessEndpoint, sanitizeUser(user))
 			continue
 		}

@@ -72,9 +80,25 @@ func (handler *Handler) userList(w http.ResponseWriter, r *http.Request) *httper
 		}

 		if security.AuthorizedEndpointAccess(endpoint, endpointGroup, user.ID, teamMemberships) {
-			canAccessEndpoint = append(canAccessEndpoint, user)
+			canAccessEndpoint = append(canAccessEndpoint, sanitizeUser(user))
 		}
 	}

 	return response.JSON(w, canAccessEndpoint)
 }
+
+func sanitizeUser(user portainer.User) User {
+	return User{
+		ID:       user.ID,
+		Username: user.Username,
+		Role:     user.Role,
+	}
+}
+
+func sanitizeUsers(users []portainer.User) []User {
+	u := make([]User, len(users))
+	for i := range users {
+		u[i] = sanitizeUser(users[i])
+	}
+	return u
+}
--- a/api/http/handler/users/user_list_test.go
+++ b/api/http/handler/users/user_list_test.go
@@ -111,28 +111,14 @@ func Test_userList(t *testing.T) {
 		}
 	})

-	t.Run("standard user cannot list amdin users", func(t *testing.T) {
+	t.Run("standard user cannot list users", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodGet, "/users", nil)
 		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", jwt))

 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)

-		is.Equal(http.StatusOK, rr.Code)
-
-		body, err := io.ReadAll(rr.Body)
-		is.NoError(err, "ReadAll should not return error")
-
-		var resp []portainer.User
-		err = json.Unmarshal(body, &resp)
-		is.NoError(err, "response should be list json")
-
-		is.Len(resp, 2)
-		if len(resp) > 0 {
-			for _, user := range resp {
-				is.NotEqual(portainer.AdministratorRole, user.Role)
-			}
-		}
+		is.Equal(http.StatusForbidden, rr.Code)
 	})

 	// Case 2: the user is under an environment group and the environment group has endpoint access.
--- a/api/http/handler/users/user_update.go
+++ b/api/http/handler/users/user_update.go
@@ -21,9 +21,10 @@ type themePayload struct {
 }

 type userUpdatePayload struct {
-	Username string `validate:"required" example:"bob"`
-	Password string `validate:"required" example:"cg9Wgky3"`
-	Theme    *themePayload
+	Username    string `validate:"required" example:"bob"`
+	Password    string `validate:"required" example:"cg9Wgky3"`
+	NewPassword string `validate:"required" example:"asfj2emv"`
+	Theme       *themePayload

 	// User role (1 for administrator account and 2 for regular account)
 	Role int `validate:"required" enums:"1,2" example:"2"`
@@ -37,12 +38,14 @@ func (payload *userUpdatePayload) Validate(r *http.Request) error {
 	if payload.Role != 0 && payload.Role != 1 && payload.Role != 2 {
 		return errors.New("invalid role value. Value must be one of: 1 (administrator) or 2 (regular user)")
 	}
+
 	return nil
 }

 // @id UserUpdate
 // @summary Update a user
 // @description Update user details. A regular user account can only update his details.
+// @description A regular user account cannot change their username or role.
 // @description **Access policy**: authenticated
 // @tags users
 // @security ApiKeyAuth
@@ -95,6 +98,10 @@ func (handler *Handler) userUpdate(w http.ResponseWriter, r *http.Request) *http
 	}

 	if payload.Username != "" && payload.Username != user.Username {
+		if tokenData.Role != portainer.AdministratorRole {
+			return httperror.Forbidden("Permission denied. Unable to update username", httperrors.ErrResourceAccessDenied)
+		}
+
 		sameNameUser, err := handler.DataStore.User().UserByUsername(payload.Username)
 		if err != nil && !handler.DataStore.IsErrObjectNotFound(err) {
 			return httperror.InternalServerError("Unable to retrieve users from the database", err)
@@ -106,8 +113,28 @@ func (handler *Handler) userUpdate(w http.ResponseWriter, r *http.Request) *http
 		user.Username = payload.Username
 	}

-	if payload.Password != "" {
-		user.Password, err = handler.CryptoService.Hash(payload.Password)
+	if payload.Password != "" && payload.NewPassword == "" {
+		if tokenData.Role == portainer.AdministratorRole {
+			return httperror.BadRequest("Existing password field specified without new password field.", errors.New("To change the password as an admin, you only need 'newPassword' in your request"))
+		}
+
+		return httperror.BadRequest("Existing password field specified without new password field.", errors.New("To change the password, you must include both 'password' and 'newPassword' in your request"))
+	}
+
+	if payload.NewPassword != "" {
+		// Non-admins need to supply the previous password
+		if tokenData.Role != portainer.AdministratorRole {
+			err := handler.CryptoService.CompareHashAndData(user.Password, payload.Password)
+			if err != nil {
+				return httperror.Forbidden("Current password doesn't match. Password left unchanged", errors.New("Current password does not match the password provided. Please try again"))
+			}
+		}
+
+		if !handler.passwordStrengthChecker.Check(payload.NewPassword) {
+			return httperror.BadRequest("Password does not meet the minimum strength requirements", nil)
+		}
+
+		user.Password, err = handler.CryptoService.Hash(payload.NewPassword)
 		if err != nil {
 			return httperror.InternalServerError("Unable to hash user password", errCryptoHashFailure)
 		}
--- a/api/http/handler/users/user_update_password.go
+++ b/api/http/handler/users/user_update_password.go
@@ -87,7 +87,7 @@ func (handler *Handler) userUpdatePassword(w http.ResponseWriter, r *http.Reques
 	}

 	if !handler.passwordStrengthChecker.Check(payload.NewPassword) {
-		return httperror.BadRequest("Password does not meet the requirements", nil)
+		return httperror.BadRequest("Password does not meet the minimum strength requirements", nil)
 	}

 	user.Password, err = handler.CryptoService.Hash(payload.NewPassword)
--- a/api/http/handler/websocket/attach.go
+++ b/api/http/handler/websocket/attach.go
@@ -9,9 +9,11 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/http/security"

 	"github.com/asaskevich/govalidator"
 	"github.com/gorilla/websocket"
+	"github.com/rs/zerolog/log"
 )

 // @summary Attach a websocket
@@ -74,6 +76,13 @@ func (handler *Handler) websocketAttach(w http.ResponseWriter, r *http.Request)
 }

 func (handler *Handler) handleAttachRequest(w http.ResponseWriter, r *http.Request, params *webSocketRequestParams) error {
+	tokenData, err := security.RetrieveTokenData(r)
+	if err != nil {
+		log.Warn().
+			Err(err).
+			Msg("unable to retrieve user details from authentication token")
+		return err
+	}

 	r.Header.Del("Origin")

@@ -89,10 +98,15 @@ func (handler *Handler) handleAttachRequest(w http.ResponseWriter, r *http.Reque
 	}
 	defer websocketConn.Close()

-	return hijackAttachStartOperation(websocketConn, params.endpoint, params.ID)
+	return hijackAttachStartOperation(websocketConn, params.endpoint, params.ID, tokenData.Token)
 }

-func hijackAttachStartOperation(websocketConn *websocket.Conn, endpoint *portainer.Endpoint, attachID string) error {
+func hijackAttachStartOperation(
+	websocketConn *websocket.Conn,
+	endpoint *portainer.Endpoint,
+	attachID string,
+	token string,
+) error {
 	dial, err := initDial(endpoint)
 	if err != nil {
 		return err
@@ -116,7 +130,7 @@ func hijackAttachStartOperation(websocketConn *websocket.Conn, endpoint *portain
 		return err
 	}

-	return hijackRequest(websocketConn, httpConn, attachStartRequest)
+	return hijackRequest(websocketConn, httpConn, attachStartRequest, token)
 }

 func createAttachStartRequest(attachID string) (*http.Request, error) {
--- a/api/http/handler/websocket/exec.go
+++ b/api/http/handler/websocket/exec.go
@@ -11,9 +11,11 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/http/security"

 	"github.com/asaskevich/govalidator"
 	"github.com/gorilla/websocket"
+	"github.com/rs/zerolog/log"
 )

 type execStartOperationPayload struct {
@@ -80,6 +82,14 @@ func (handler *Handler) websocketExec(w http.ResponseWriter, r *http.Request) *h
 }

 func (handler *Handler) handleExecRequest(w http.ResponseWriter, r *http.Request, params *webSocketRequestParams) error {
+	tokenData, err := security.RetrieveTokenData(r)
+	if err != nil {
+		log.Warn().
+			Err(err).
+			Msg("unable to retrieve user details from authentication token")
+		return err
+	}
+
 	r.Header.Del("Origin")

 	if params.endpoint.Type == portainer.AgentOnDockerEnvironment {
@@ -94,10 +104,15 @@ func (handler *Handler) handleExecRequest(w http.ResponseWriter, r *http.Request
 	}
 	defer websocketConn.Close()

-	return hijackExecStartOperation(websocketConn, params.endpoint, params.ID)
+	return hijackExecStartOperation(websocketConn, params.endpoint, params.ID, tokenData.Token)
 }

-func hijackExecStartOperation(websocketConn *websocket.Conn, endpoint *portainer.Endpoint, execID string) error {
+func hijackExecStartOperation(
+	websocketConn *websocket.Conn,
+	endpoint *portainer.Endpoint,
+	execID string,
+	token string,
+) error {
 	dial, err := initDial(endpoint)
 	if err != nil {
 		return err
@@ -121,7 +136,7 @@ func hijackExecStartOperation(websocketConn *websocket.Conn, endpoint *portainer
 		return err
 	}

-	return hijackRequest(websocketConn, httpConn, execStartRequest)
+	return hijackRequest(websocketConn, httpConn, execStartRequest, token)
 }

 func createExecStartRequest(execID string) (*http.Request, error) {
--- a/api/http/handler/websocket/hijack.go
+++ b/api/http/handler/websocket/hijack.go
@@ -7,9 +7,15 @@ import (
 	"net/http/httputil"

 	"github.com/gorilla/websocket"
+	"github.com/portainer/portainer/api/internal/logoutcontext"
 )

-func hijackRequest(websocketConn *websocket.Conn, httpConn *httputil.ClientConn, request *http.Request) error {
+func hijackRequest(
+	websocketConn *websocket.Conn,
+	httpConn *httputil.ClientConn,
+	request *http.Request,
+	token string,
+) error {
 	// Server hijacks the connection, error 'connection closed' expected
 	resp, err := httpConn.Do(request)
 	if !errors.Is(err, httputil.ErrPersistEOF) {
@@ -29,9 +35,15 @@ func hijackRequest(websocketConn *websocket.Conn, httpConn *httputil.ClientConn,
 	go streamFromReaderToWebsocket(websocketConn, brw, errorChan)
 	go streamFromWebsocketToWriter(websocketConn, tcpConn, errorChan)

-	err = <-errorChan
-	if websocket.IsUnexpectedCloseError(err, websocket.CloseGoingAway, websocket.CloseNoStatusReceived) {
-		return err
+	logoutCtx := logoutcontext.GetContext(token)
+
+	select {
+	case <-logoutCtx.Done():
+		return fmt.Errorf("Your session has been logged out.")
+	case err = <-errorChan:
+		if websocket.IsUnexpectedCloseError(err, websocket.CloseGoingAway, websocket.CloseNoStatusReceived) {
+			return err
+		}
 	}

 	return nil
--- a/api/http/handler/websocket/proxy.go
+++ b/api/http/handler/websocket/proxy.go
@@ -1,15 +1,20 @@
 package websocket

 import (
+	"context"
 	"fmt"
+	"net"
 	"net/http"
 	"net/url"

 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/crypto"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/logoutcontext"

 	"github.com/gorilla/websocket"
 	"github.com/koding/websocketproxy"
+	"github.com/portainer/portainer/api/crypto"
+	"github.com/rs/zerolog/log"
 )

 func (handler *Handler) proxyEdgeAgentWebsocketRequest(w http.ResponseWriter, r *http.Request, params *webSocketRequestParams) error {
@@ -18,33 +23,12 @@ func (handler *Handler) proxyEdgeAgentWebsocketRequest(w http.ResponseWriter, r
 		return err
 	}

-	endpointURL, err := url.Parse(fmt.Sprintf("http://127.0.0.1:%d", tunnel.Port))
+	agentURL, err := url.Parse(fmt.Sprintf("http://127.0.0.1:%d", tunnel.Port))
 	if err != nil {
 		return err
 	}

-	endpointURL.Scheme = "ws"
-	proxy := websocketproxy.NewProxy(endpointURL)
-
-	signature, err := handler.SignatureService.CreateSignature(portainer.PortainerAgentSignatureMessage)
-	if err != nil {
-		return err
-	}
-
-	proxy.Director = func(incoming *http.Request, out http.Header) {
-		out.Set(portainer.PortainerAgentPublicKeyHeader, handler.SignatureService.EncodedPublicKey())
-		out.Set(portainer.PortainerAgentSignatureHeader, signature)
-		out.Set(portainer.PortainerAgentTargetHeader, params.nodeName)
-		out.Set(portainer.PortainerAgentKubernetesSATokenHeader, params.token)
-	}
-
-	handler.ReverseTunnelService.SetTunnelStatusToActive(params.endpoint.ID)
-
-	handler.ReverseTunnelService.KeepTunnelAlive(params.endpoint.ID, r.Context(), portainer.WebSocketKeepAlive)
-
-	proxy.ServeHTTP(w, r)
-
-	return nil
+	return handler.doProxyWebsocketRequest(w, r, params, agentURL, true)
 }

 func (handler *Handler) proxyAgentWebsocketRequest(w http.ResponseWriter, r *http.Request, params *webSocketRequestParams) error {
@@ -59,17 +43,41 @@ func (handler *Handler) proxyAgentWebsocketRequest(w http.ResponseWriter, r *htt
 	}

 	agentURL.Scheme = "ws"
-	proxy := websocketproxy.NewProxy(agentURL)
+	return handler.doProxyWebsocketRequest(w, r, params, agentURL, false)
+}

-	if params.endpoint.TLSConfig.TLS || params.endpoint.TLSConfig.TLSSkipVerify {
+func (handler *Handler) doProxyWebsocketRequest(
+	w http.ResponseWriter,
+	r *http.Request,
+	params *webSocketRequestParams,
+	agentURL *url.URL,
+	isEdge bool,
+) error {
+	tokenData, err := security.RetrieveTokenData(r)
+	if err != nil {
+		log.
+			Warn().
+			Err(err).
+			Msg("unable to retrieve user details from authentication token")
+		return err
+	}
+
+	enableTLS := !isEdge && (params.endpoint.TLSConfig.TLS || params.endpoint.TLSConfig.TLSSkipVerify)
+
+	agentURL.Scheme = "ws"
+	if enableTLS {
 		agentURL.Scheme = "wss"
+	}

+	proxy := websocketproxy.NewProxy(agentURL)
+	proxyDialer := *websocket.DefaultDialer
+	proxy.Dialer = &proxyDialer
+
+	if enableTLS {
 		tlsConfig := crypto.CreateTLSConfiguration()
 		tlsConfig.InsecureSkipVerify = params.endpoint.TLSConfig.TLSSkipVerify

-		proxy.Dialer = &websocket.Dialer{
-			TLSClientConfig: tlsConfig,
-		}
+		proxyDialer.TLSClientConfig = tlsConfig
 	}

 	signature, err := handler.SignatureService.CreateSignature(portainer.PortainerAgentSignatureMessage)
@@ -84,7 +92,46 @@ func (handler *Handler) proxyAgentWebsocketRequest(w http.ResponseWriter, r *htt
 		out.Set(portainer.PortainerAgentKubernetesSATokenHeader, params.token)
 	}

+	if isEdge {
+		handler.ReverseTunnelService.SetTunnelStatusToActive(params.endpoint.ID)
+		handler.ReverseTunnelService.KeepTunnelAlive(params.endpoint.ID, r.Context(), portainer.WebSocketKeepAlive)
+	}
+
+	abortProxyOnLogout(r.Context(), proxy, tokenData.Token)
+
 	proxy.ServeHTTP(w, r)

 	return nil
 }
+
+func abortProxyOnLogout(ctx context.Context, proxy *websocketproxy.WebsocketProxy, token string) {
+	var wsConn net.Conn
+
+	proxy.Dialer.NetDial = func(network, addr string) (net.Conn, error) {
+		netDialer := &net.Dialer{}
+
+		conn, err := netDialer.DialContext(context.Background(), network, addr)
+		wsConn = conn
+
+		return conn, err
+	}
+
+	logoutCtx := logoutcontext.GetContext(token)
+
+	go func() {
+		log.Debug().
+			Msg("logout watcher for websocket proxy started")
+
+		select {
+		case <-logoutCtx.Done():
+			log.Debug().
+				Msg("logout watcher for websocket proxy stopped as user logged out")
+			if wsConn != nil {
+				wsConn.Close()
+			}
+		case <-ctx.Done():
+			log.Debug().
+				Msg("logout watcher for websocket proxy stopped as the ws connection closed")
+		}
+	}()
+}
--- a/api/http/middlewares/deprecated.go
+++ b/api/http/middlewares/deprecated.go
@@ -0,0 +1,25 @@
+package middlewares
+
+import (
+	"net/http"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/rs/zerolog/log"
+)
+
+// deprecate api route
+func Deprecated(router http.Handler, urlBuilder func(w http.ResponseWriter, r *http.Request) (string, *httperror.HandlerError)) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		newUrl, err := urlBuilder(w, r)
+		if err != nil {
+			httperror.WriteError(w, err.StatusCode, err.Error(), err)
+			return
+		}
+
+		log.Warn().Msgf("This api is deprecated. Use %s instead", newUrl)
+
+		redirectedRequest := r.Clone(r.Context())
+		redirectedRequest.URL.Path = newUrl
+		router.ServeHTTP(w, redirectedRequest)
+	})
+}
--- a/api/http/proxy/factory/kubernetes/deployments.go
+++ b/api/http/proxy/factory/kubernetes/deployments.go
@@ -6,7 +6,7 @@ import (

 func (transport *baseTransport) proxyDeploymentsRequest(request *http.Request, namespace, requestPath string) (*http.Response, error) {
 	switch request.Method {
-	case http.MethodPost, http.MethodPatch:
+	case http.MethodPost, http.MethodPatch, http.MethodPut:
 		transport.refreshRegistry(request, namespace)
 	}

--- a/api/http/proxy/factory/kubernetes/token.go
+++ b/api/http/proxy/factory/kubernetes/token.go
@@ -1,10 +1,12 @@
 package kubernetes

 import (
+	"fmt"
 	"os"

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	"github.com/rs/zerolog/log"
 )

 const defaultServiceAccountTokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"
@@ -43,28 +45,62 @@ func (manager *tokenManager) GetAdminServiceAccountToken() string {
 	return manager.adminToken
 }

+func (manager *tokenManager) setupUserServiceAccounts(userID portainer.UserID, endpoint *portainer.Endpoint) error {
+	memberships, err := manager.dataStore.TeamMembership().TeamMembershipsByUserID(userID)
+	if err != nil {
+		return err
+	}
+
+	teamIds := make([]int, 0, len(memberships))
+	for _, membership := range memberships {
+		teamIds = append(teamIds, int(membership.TeamID))
+	}
+
+	restrictDefaultNamespace := endpoint.Kubernetes.Configuration.RestrictDefaultNamespace
+	err = manager.kubecli.SetupUserServiceAccount(int(userID), teamIds, restrictDefaultNamespace)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (manager *tokenManager) UpdateUserServiceAccountsForEndpoint(endpointID portainer.EndpointID) {
+	endpoint, err := manager.dataStore.Endpoint().Endpoint(endpointID)
+	if err != nil {
+		log.Error().Err(err).Msgf("failed fetching environments %d", endpointID)
+		return
+	}
+
+	userIDs := make([]portainer.UserID, 0)
+	for u := range endpoint.UserAccessPolicies {
+		userIDs = append(userIDs, u)
+	}
+	for t := range endpoint.TeamAccessPolicies {
+		memberships, _ := manager.dataStore.TeamMembership().TeamMembershipsByTeamID(portainer.TeamID(t))
+		for _, membership := range memberships {
+			userIDs = append(userIDs, membership.UserID)
+		}
+	}
+
+	for _, userID := range userIDs {
+		if err := manager.setupUserServiceAccounts(userID, endpoint); err != nil {
+			log.Error().Err(err).Msgf("failed setting-up service account for user %d", userID)
+		}
+	}
+}
+
 // GetUserServiceAccountToken setup a user's service account if it does not exist, then retrieve its token
 func (manager *tokenManager) GetUserServiceAccountToken(userID int, endpointID portainer.EndpointID) (string, error) {
 	tokenFunc := func() (string, error) {
-		memberships, err := manager.dataStore.TeamMembership().TeamMembershipsByUserID(portainer.UserID(userID))
-		if err != nil {
-			return "", err
-		}
-
-		teamIds := make([]int, 0, len(memberships))
-		for _, membership := range memberships {
-			teamIds = append(teamIds, int(membership.TeamID))
-		}
-
 		endpoint, err := manager.dataStore.Endpoint().Endpoint(endpointID)
 		if err != nil {
+			log.Error().Err(err).Msgf("failed fetching environment %d", endpointID)
 			return "", err
 		}

-		restrictDefaultNamespace := endpoint.Kubernetes.Configuration.RestrictDefaultNamespace
-		err = manager.kubecli.SetupUserServiceAccount(userID, teamIds, restrictDefaultNamespace)
-		if err != nil {
-			return "", err
+		if err := manager.setupUserServiceAccounts(portainer.UserID(userID), endpoint); err != nil {
+			return "", fmt.Errorf("failed setting-up service account for user %d: %w", userID, err)
 		}

 		return manager.kubecli.GetServiceAccountBearerToken(userID)
--- a/api/http/proxy/factory/kubernetes/transport.go
+++ b/api/http/proxy/factory/kubernetes/transport.go
@@ -49,7 +49,17 @@ func (transport *baseTransport) proxyKubernetesRequest(request *http.Request) (*
 	apiVersionRe := regexp.MustCompile(`^(/kubernetes)?/(api|apis/apps)/v[0-9](\.[0-9])?`)
 	requestPath := apiVersionRe.ReplaceAllString(request.URL.Path, "")

+	endpointRe := regexp.MustCompile(`([0-9]+)`)
+	endpointIDMatch := endpointRe.FindAllString(request.RequestURI, 1)
+	endpointID := 0
+	if len(endpointIDMatch) > 0 {
+		endpointID, _ = strconv.Atoi(endpointIDMatch[0])
+	}
+
 	switch {
+	case strings.EqualFold(requestPath, "/namespaces/portainer/configmaps/portainer-config") && (request.Method == "PUT" || request.Method == "POST"):
+		defer transport.tokenManager.UpdateUserServiceAccountsForEndpoint(portainer.EndpointID(endpointID))
+		return transport.executeKubernetesRequest(request)
 	case strings.EqualFold(requestPath, "/namespaces"):
 		return transport.executeKubernetesRequest(request)
 	case strings.HasPrefix(requestPath, "/namespaces"):
--- a/api/http/security/bouncer.go
+++ b/api/http/security/bouncer.go
@@ -60,15 +60,15 @@ func NewRequestBouncer(dataStore dataservices.DataStore, jwtService dataservices
 	}
 }

-// PublicAccess defines a security check for public API environments(endpoints).
-// No authentication is required to access these environments(endpoints).
+// PublicAccess defines a security check for public API endpoints.
+// No authentication is required to access these endpoints.
 func (bouncer *RequestBouncer) PublicAccess(h http.Handler) http.Handler {
 	return mwSecureHeaders(h)
 }

-// AdminAccess defines a security check for API environments(endpoints) that require an authorization check.
-// Authentication is required to access these environments(endpoints).
-// The administrator role is required to use these environments(endpoints).
+// AdminAccess defines a security check for API endpoints that require an authorization check.
+// Authentication is required to access these endpoints.
+// The administrator role is required to use these endpoints.
 // The request context will be enhanced with a RestrictedRequestContext object
 // that might be used later to inside the API operation for extra authorization validation
 // and resource filtering.
@@ -79,8 +79,8 @@ func (bouncer *RequestBouncer) AdminAccess(h http.Handler) http.Handler {
 	return h
 }

-// RestrictedAccess defines a security check for restricted API environments(endpoints).
-// Authentication is required to access these environments(endpoints).
+// RestrictedAccess defines a security check for restricted API endpoints.
+// Authentication is required to access these endpoints.
 // The request context will be enhanced with a RestrictedRequestContext object
 // that might be used later to inside the API operation for extra authorization validation
 // and resource filtering.
@@ -104,8 +104,8 @@ func (bouncer *RequestBouncer) TeamLeaderAccess(h http.Handler) http.Handler {
 	return h
 }

-// AuthenticatedAccess defines a security check for restricted API environments(endpoints).
-// Authentication is required to access these environments(endpoints).
+// AuthenticatedAccess defines a security check for restricted API endpoints.
+// Authentication is required to access these endpoints.
 // The request context will be enhanced with a RestrictedRequestContext object
 // that might be used later to inside the API operation for extra authorization validation
 // and resource filtering.
--- a/api/http/security/filter.go
+++ b/api/http/security/filter.go
@@ -100,6 +100,7 @@ func FilterEndpoints(endpoints []portainer.Endpoint, groups []portainer.Endpoint
 		endpointGroup := getAssociatedGroup(&endpoint, groups)

 		if AuthorizedEndpointAccess(&endpoint, endpointGroup, context.UserID, context.UserMemberships) {
+			endpoint.UserAccessPolicies = nil
 			endpoints[n] = endpoint
 			n++
 		}
--- a/api/http/server.go
+++ b/api/http/server.go
@@ -259,6 +259,7 @@ func (server *Server) Start() error {

 	var teamMembershipHandler = teammemberships.NewHandler(requestBouncer)
 	teamMembershipHandler.DataStore = server.DataStore
+	teamMembershipHandler.K8sClientFactory = server.KubernetesClientFactory

 	var systemHandler = system.NewHandler(requestBouncer,
 		server.Status,
--- a/api/internal/logoutcontext/logout_context.go
+++ b/api/internal/logoutcontext/logout_context.go
@@ -0,0 +1,20 @@
+package logoutcontext
+
+import (
+	"context"
+)
+
+const LogoutPrefix = "logout-"
+
+func GetContext(token string) context.Context {
+	return GetService(logoutToken(token)).GetLogoutCtx()
+}
+
+func Cancel(token string) {
+	GetService(logoutToken(token)).Cancel()
+	RemoveService(logoutToken(token))
+}
+
+func logoutToken(token string) string {
+	return LogoutPrefix + token
+}
--- a/api/internal/logoutcontext/service.go
+++ b/api/internal/logoutcontext/service.go
@@ -0,0 +1,28 @@
+package logoutcontext
+
+import (
+	"context"
+)
+
+type (
+	Service struct {
+		ctx    context.Context
+		cancel context.CancelFunc
+	}
+)
+
+func NewService() *Service {
+	ctx, cancel := context.WithCancel(context.Background())
+	return &Service{
+		ctx:    ctx,
+		cancel: cancel,
+	}
+}
+
+func (s *Service) Cancel() {
+	s.cancel()
+}
+
+func (s *Service) GetLogoutCtx() context.Context {
+	return s.ctx
+}
--- a/api/internal/logoutcontext/service_factory.go
+++ b/api/internal/logoutcontext/service_factory.go
@@ -0,0 +1,34 @@
+package logoutcontext
+
+import "sync"
+
+type (
+	ServiceFactory struct {
+		mu       sync.Mutex
+		services map[string]*Service
+	}
+)
+
+var serviceFactory = ServiceFactory{
+	services: make(map[string]*Service),
+}
+
+func GetService(token string) *Service {
+	serviceFactory.mu.Lock()
+	defer serviceFactory.mu.Unlock()
+
+	service, ok := serviceFactory.services[token]
+	if !ok {
+		service = NewService()
+		serviceFactory.services[token] = service
+	}
+
+	return service
+}
+
+func RemoveService(token string) {
+	serviceFactory.mu.Lock()
+	defer serviceFactory.mu.Unlock()
+
+	delete(serviceFactory.services, token)
+}
--- a/api/internal/securecookie/securecookie.go
+++ b/api/internal/securecookie/securecookie.go
@@ -0,0 +1,16 @@
+package securecookie
+
+import (
+	"crypto/rand"
+	"io"
+)
+
+// GenerateRandomKey generates a random key of specified length
+// source: https://github.com/gorilla/securecookie/blob/master/securecookie.go#L515
+func GenerateRandomKey(length int) []byte {
+	k := make([]byte, length)
+	if _, err := io.ReadFull(rand.Reader, k); err != nil {
+		return nil
+	}
+	return k
+}
--- a/api/internal/slices/slices.go
+++ b/api/internal/slices/slices.go
@@ -63,3 +63,12 @@ func RemoveIndex[T any](s []T, index int) []T {
 	s[index] = s[len(s)-1]
 	return s[:len(s)-1]
 }
+
+// Map applies the given function to each element of the slice and returns a new slice with the results
+func Map[T, U any](s []T, f func(T) U) []U {
+	result := make([]U, len(s))
+	for i, v := range s {
+		result[i] = f(v)
+	}
+	return result
+}
--- a/api/internal/testhelpers/datastore.go
+++ b/api/internal/testhelpers/datastore.go
@@ -301,6 +301,19 @@ func (s *stubEndpointService) GetNextIdentifier() int {
 	return len(s.endpoints)
 }

+func (s *stubEndpointService) EndpointsByTeamID(teamID portainer.TeamID) ([]portainer.Endpoint, error) {
+	var endpoints = make([]portainer.Endpoint, 0)
+
+	for _, e := range s.endpoints {
+		for t := range e.TeamAccessPolicies {
+			if t == teamID {
+				endpoints = append(endpoints, e)
+			}
+		}
+	}
+	return endpoints, nil
+}
+
 // WithEndpoints option will instruct testDatastore to return provided environments(endpoints)
 func WithEndpoints(endpoints []portainer.Endpoint) datastoreOption {
 	return func(d *testDatastore) {
--- a/api/internal/upgrade/upgrade_docker.go
+++ b/api/internal/upgrade/upgrade_docker.go
@@ -90,7 +90,10 @@ func (service *service) upgradeDocker(licenseKey, version, envType string) error
 }

 func (service *service) checkImageForDocker(ctx context.Context, image string, skipPullImage bool) error {
-	cli, err := client.NewClientWithOpts(client.FromEnv)
+	cli, err := client.NewClientWithOpts(
+		client.FromEnv,
+		client.WithAPIVersionNegotiation(),
+	)
 	if err != nil {
 		return errors.Wrap(err, "failed to create docker client")
 	}
--- a/api/jwt/jwt.go
+++ b/api/jwt/jwt.go
@@ -9,7 +9,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices"

 	"github.com/golang-jwt/jwt/v4"
-	"github.com/gorilla/securecookie"
+	"github.com/portainer/portainer/api/internal/securecookie"
 	"github.com/rs/zerolog/log"
 )

@@ -137,6 +137,7 @@ func (service *Service) ParseAndVerifyToken(token string) (*portainer.TokenData,
 				ID:       portainer.UserID(cl.UserID),
 				Username: cl.Username,
 				Role:     portainer.UserRole(cl.Role),
+				Token:    token,
 			}, nil
 		}
 	}
--- a/api/kubernetes/cli/client.go
+++ b/api/kubernetes/cli/client.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"net/http"
 	"strconv"
+	"strings"
 	"sync"
 	"time"

@@ -154,17 +155,29 @@ func (factory *ClientFactory) createCachedAdminKubeClient(endpoint *portainer.En
 	}, nil
 }

-// CreateClient returns a pointer to a new Clientset instance
+// CreateClient returns a pointer to a new Clientset instance.
 func (factory *ClientFactory) CreateClient(endpoint *portainer.Endpoint) (*kubernetes.Clientset, error) {
 	switch endpoint.Type {
-	case portainer.KubernetesLocalEnvironment:
-		return buildLocalClient()
-	case portainer.AgentOnKubernetesEnvironment:
-		return factory.buildAgentClient(endpoint)
-	case portainer.EdgeAgentOnKubernetesEnvironment:
-		return factory.buildEdgeClient(endpoint)
+	case portainer.KubernetesLocalEnvironment, portainer.AgentOnKubernetesEnvironment, portainer.EdgeAgentOnKubernetesEnvironment:
+		c, err := factory.CreateConfig(endpoint)
+		if err != nil {
+			return nil, err
+		}
+		return kubernetes.NewForConfig(c)
 	}
+	return nil, errors.New("unsupported environment type")
+}

+// CreateConfig returns a pointer to a new kubeconfig ready to create a client.
+func (factory *ClientFactory) CreateConfig(endpoint *portainer.Endpoint) (*rest.Config, error) {
+	switch endpoint.Type {
+	case portainer.KubernetesLocalEnvironment:
+		return buildLocalConfig()
+	case portainer.AgentOnKubernetesEnvironment:
+		return factory.buildAgentConfig(endpoint)
+	case portainer.EdgeAgentOnKubernetesEnvironment:
+		return factory.buildEdgeConfig(endpoint)
+	}
 	return nil, errors.New("unsupported environment type")
 }

@@ -184,20 +197,64 @@ func (rt *agentHeaderRoundTripper) RoundTrip(req *http.Request) (*http.Response,
 	return rt.roundTripper.RoundTrip(req)
 }

-func (factory *ClientFactory) buildAgentClient(endpoint *portainer.Endpoint) (*kubernetes.Clientset, error) {
-	endpointURL := fmt.Sprintf("https://%s/kubernetes", endpoint.URL)
+func (factory *ClientFactory) buildAgentConfig(endpoint *portainer.Endpoint) (*rest.Config, error) {
+	var clientURL strings.Builder
+	if !strings.HasPrefix(endpoint.URL, "http") {
+		clientURL.WriteString("https://")
+	}
+	clientURL.WriteString(endpoint.URL)
+	clientURL.WriteString("/kubernetes")

-	return factory.createRemoteClient(endpointURL)
+	signature, err := factory.signatureService.CreateSignature(portainer.PortainerAgentSignatureMessage)
+	if err != nil {
+		return nil, err
+	}
+
+	config, err := clientcmd.BuildConfigFromFlags(clientURL.String(), "")
+	if err != nil {
+		return nil, err
+	}
+
+	config.Insecure = true
+	config.QPS = DefaultKubeClientQPS
+	config.Burst = DefaultKubeClientBurst
+
+	config.Wrap(func(rt http.RoundTripper) http.RoundTripper {
+		return &agentHeaderRoundTripper{
+			signatureHeader: signature,
+			publicKeyHeader: factory.signatureService.EncodedPublicKey(),
+			roundTripper:    rt,
+		}
+	})
+	return config, nil
 }

-func (factory *ClientFactory) buildEdgeClient(endpoint *portainer.Endpoint) (*kubernetes.Clientset, error) {
+func (factory *ClientFactory) buildEdgeConfig(endpoint *portainer.Endpoint) (*rest.Config, error) {
 	tunnel, err := factory.reverseTunnelService.GetActiveTunnel(endpoint)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed activating tunnel")
 	}
 	endpointURL := fmt.Sprintf("http://127.0.0.1:%d/kubernetes", tunnel.Port)

-	return factory.createRemoteClient(endpointURL)
+	config, err := clientcmd.BuildConfigFromFlags(endpointURL, "")
+	if err != nil {
+		return nil, err
+	}
+
+	signature, err := factory.signatureService.CreateSignature(portainer.PortainerAgentSignatureMessage)
+	config.Insecure = true
+	config.QPS = DefaultKubeClientQPS
+	config.Burst = DefaultKubeClientBurst
+
+	config.Wrap(func(rt http.RoundTripper) http.RoundTripper {
+		return &agentHeaderRoundTripper{
+			signatureHeader: signature,
+			publicKeyHeader: factory.signatureService.EncodedPublicKey(),
+			roundTripper:    rt,
+		}
+	})
+
+	return config, nil
 }

 func (factory *ClientFactory) createRemoteClient(endpointURL string) (*kubernetes.Clientset, error) {
@@ -227,34 +284,14 @@ func (factory *ClientFactory) createRemoteClient(endpointURL string) (*kubernete
 }

 func (factory *ClientFactory) CreateRemoteMetricsClient(endpoint *portainer.Endpoint) (*metricsv.Clientset, error) {
-	endpointURL := fmt.Sprintf("https://%s/kubernetes", endpoint.URL)
-
-	signature, err := factory.signatureService.CreateSignature(portainer.PortainerAgentSignatureMessage)
+	config, err := factory.CreateConfig(endpoint)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to create metrics KubeConfig")
 	}
-
-	config, err := clientcmd.BuildConfigFromFlags(endpointURL, "")
-	if err != nil {
-		return nil, err
-	}
-
-	config.Insecure = true
-	config.QPS = DefaultKubeClientQPS
-	config.Burst = DefaultKubeClientBurst
-
-	config.Wrap(func(rt http.RoundTripper) http.RoundTripper {
-		return &agentHeaderRoundTripper{
-			signatureHeader: signature,
-			publicKeyHeader: factory.signatureService.EncodedPublicKey(),
-			roundTripper:    rt,
-		}
-	})
-
 	return metricsv.NewForConfig(config)
 }

-func buildLocalClient() (*kubernetes.Clientset, error) {
+func buildLocalConfig() (*rest.Config, error) {
 	config, err := rest.InClusterConfig()
 	if err != nil {
 		return nil, err
@@ -263,7 +300,7 @@ func buildLocalClient() (*kubernetes.Clientset, error) {
 	config.QPS = DefaultKubeClientQPS
 	config.Burst = DefaultKubeClientBurst

-	return kubernetes.NewForConfig(config)
+	return config, nil
 }

 func (factory *ClientFactory) MigrateEndpointIngresses(e *portainer.Endpoint) error {
--- a/api/ldap/ldap.go
+++ b/api/ldap/ldap.go
@@ -75,7 +75,14 @@ func (*Service) AuthenticateUser(username, password string, settings *portainer.

 	userDN, err := searchUser(username, connection, settings.SearchSettings)
 	if err != nil {
-		return err
+		if errors.Is(err, errUserNotFound) {
+			// prevent user enumeration timing attack by attempting the bind with a fake user
+			// and whatever password was provided should definately fail
+			// https://en.wikipedia.org/wiki/Timing_attack
+			userDN = "portainer-fake-ldap-username"
+		} else {
+			return err
+		}
 	}

 	err = connection.Bind(userDN, password)
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -301,6 +301,8 @@ type (

 	// StackDeploymentInfo records the information of a deployed stack
 	StackDeploymentInfo struct {
+		// Version is the version of the stack and also is the deployed version in edge agent
+		Version int `json:"Version"`
 		// FileVersion is the version of the stack file, used to detect changes
 		FileVersion int `json:"FileVersion"`
 		// ConfigHash is the commit hash of the git repository used for deploying the stack
@@ -1267,6 +1269,7 @@ type (
 		Username            string
 		Role                UserRole
 		ForceChangePassword bool
+		Token               string
 	}

 	// TunnelDetails represents information associated to a tunnel
@@ -1401,6 +1404,7 @@ type (
 		StoreStackFileFromBytes(stackIdentifier, fileName string, data []byte) (string, error)
 		StoreStackFileFromBytesByVersion(stackIdentifier, fileName string, version int, data []byte) (string, error)
 		UpdateStoreStackFileFromBytes(stackIdentifier, fileName string, data []byte) (string, error)
+		UpdateStoreStackFileFromBytesByVersion(stackIdentifier, fileName string, version int, commitHash string, data []byte) (string, error)
 		RemoveStackFileBackup(stackIdentifier, fileName string) error
 		RemoveStackFileBackupByVersion(stackIdentifier string, version int, fileName string) error
 		RollbackStackFile(stackIdentifier, fileName string) error
@@ -1557,7 +1561,7 @@ type (

 const (
 	// APIVersion is the version number of the Portainer API
-	APIVersion = "2.19.0"
+	APIVersion = "2.19.5"
 	// Edition is what this edition of Portainer is called
 	Edition = PortainerCE
 	// ComposeSyntaxMaxVersion is a maximum supported version of the docker compose syntax
@@ -1678,6 +1682,12 @@ const (
 	EdgeStackStatusDeploying
 	// EdgeStackStatusRemoving represents an Edge stack which is being removed
 	EdgeStackStatusRemoving
+	// EdgeStackStatusPausedDeploying represents a paused Edge stack
+	EdgeStackStatusPausedDeploying
+	// EdgeStackStatusRollingBack represents an Edge stack which is being rolled back
+	EdgeStackStatusRollingBack
+	// EdgeStackStatusRolledBack represents an Edge stack which has rolled back
+	EdgeStackStatusRolledBack
 )

 const (
--- a/api/scheduler/scheduler.go
+++ b/api/scheduler/scheduler.go
@@ -17,6 +17,18 @@ type Scheduler struct {
 	mu         sync.Mutex
 }

+type PermanentError struct {
+	err error
+}
+
+func NewPermanentError(err error) *PermanentError {
+	return &PermanentError{err: err}
+}
+
+func (e *PermanentError) Error() string {
+	return e.err.Error()
+}
+
 func NewScheduler(ctx context.Context) *Scheduler {
 	crontab := cron.New(cron.WithChain(cron.Recover(cron.DefaultLogger)))
 	crontab.Start()
@@ -84,14 +96,24 @@ func (s *Scheduler) StopJob(jobID string) error {
 func (s *Scheduler) StartJobEvery(duration time.Duration, job func() error) string {
 	ctx, cancel := context.WithCancel(context.Background())

-	j := cron.FuncJob(func() {
-		if err := job(); err != nil {
-			log.Debug().Msg("job returned an error")
-			cancel()
+	jobFn := cron.FuncJob(func() {
+		err := job()
+		if err == nil {
+			return
 		}
+
+		var permErr *PermanentError
+		if errors.As(err, &permErr) {
+			log.Error().Err(permErr).Msg("job returned a permanent error, it will be stopped")
+			cancel()
+
+			return
+		}
+
+		log.Error().Err(err).Msg("job returned an error, it will be rescheduled")
 	})

-	entryID := s.crontab.Schedule(cron.Every(duration), j)
+	entryID := s.crontab.Schedule(cron.Every(duration), jobFn)

 	s.mu.Lock()
 	s.activeJobs[entryID] = cancel
--- a/api/scheduler/scheduler_test.go
+++ b/api/scheduler/scheduler_test.go
@@ -49,7 +49,7 @@ func Test_JobCanBeStopped(t *testing.T) {
 	assert.False(t, workDone, "job shouldn't had a chance to run")
 }

-func Test_JobShouldStop_UponError(t *testing.T) {
+func Test_JobShouldStop_UponPermError(t *testing.T) {
 	s := NewScheduler(context.Background())
 	defer s.Shutdown()

@@ -58,7 +58,7 @@ func Test_JobShouldStop_UponError(t *testing.T) {
 	s.StartJobEvery(jobInterval, func() error {
 		acc++
 		close(ch)
-		return fmt.Errorf("failed")
+		return NewPermanentError(fmt.Errorf("failed"))
 	})

 	<-time.After(3 * jobInterval)
@@ -66,6 +66,28 @@ func Test_JobShouldStop_UponError(t *testing.T) {
 	assert.Equal(t, 1, acc, "job stop after the first run because it returns an error")
 }

+func Test_JobShouldNotStop_UponError(t *testing.T) {
+	s := NewScheduler(context.Background())
+	defer s.Shutdown()
+
+	var acc int
+	ch := make(chan struct{})
+	s.StartJobEvery(jobInterval, func() error {
+		acc++
+
+		if acc == 2 {
+			close(ch)
+			return NewPermanentError(fmt.Errorf("failed"))
+		}
+
+		return errors.New("non-permanent error")
+	})
+
+	<-time.After(3 * jobInterval)
+	<-ch
+	assert.Equal(t, 2, acc)
+}
+
 func Test_CanTerminateAllJobs_ByShuttingDownScheduler(t *testing.T) {
 	s := NewScheduler(context.Background())

--- a/api/stacks/deployments/deploy.go
+++ b/api/stacks/deployments/deploy.go
@@ -1,13 +1,17 @@
 package deployments

 import (
+	"crypto/tls"
 	"fmt"
 	"time"

 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/agent"
+	"github.com/portainer/portainer/api/crypto"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/git/update"
 	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/scheduler"
 	"github.com/portainer/portainer/api/stacks/stackutils"

 	"github.com/pkg/errors"
@@ -29,7 +33,9 @@ func RedeployWhenChanged(stackID portainer.StackID, deployer StackDeployer, data
 	log.Debug().Int("stack_id", int(stackID)).Msg("redeploying stack")

 	stack, err := datastore.Stack().Read(stackID)
-	if err != nil {
+	if dataservices.IsErrObjectNotFound(err) {
+		return scheduler.NewPermanentError(errors.WithMessagef(err, "failed to get the stack %v", stackID))
+	} else if err != nil {
 		return errors.WithMessagef(err, "failed to get the stack %v", stackID)
 	}

@@ -38,7 +44,15 @@ func RedeployWhenChanged(stackID portainer.StackID, deployer StackDeployer, data
 	}

 	endpoint, err := datastore.Endpoint().Endpoint(stack.EndpointID)
-	if err != nil {
+	if dataservices.IsErrObjectNotFound(err) {
+		return scheduler.NewPermanentError(
+			errors.WithMessagef(err,
+				"failed to find the environment %v associated to the stack %v",
+				stack.EndpointID,
+				stack.ID,
+			),
+		)
+	} else if err != nil {
 		return errors.WithMessagef(err, "failed to find the environment %v associated to the stack %v", stack.EndpointID, stack.ID)
 	}

@@ -59,6 +73,10 @@ func RedeployWhenChanged(stackID portainer.StackID, deployer StackDeployer, data
 		return &StackAuthorMissingErr{int(stack.ID), author}
 	}

+	if !isEnvironmentOnline(endpoint) {
+		return nil
+	}
+
 	var gitCommitChangedOrForceUpdate bool
 	if !stack.FromAppTemplate {
 		updated, newHash, err := update.UpdateGitObject(gitService, fmt.Sprintf("stack:%d", stackID), stack.GitConfig, false, false, stack.ProjectPath)
@@ -78,14 +96,16 @@ func RedeployWhenChanged(stackID portainer.StackID, deployer StackDeployer, data
 	}

 	registries, err := getUserRegistries(datastore, user, endpoint.ID)
-	if err != nil {
+	if dataservices.IsErrObjectNotFound(err) {
+		return scheduler.NewPermanentError(err)
+	} else if err != nil {
 		return err
 	}

 	switch stack.Type {
 	case portainer.DockerComposeStack:

-		if stackutils.IsGitStack(stack) {
+		if stackutils.IsRelativePathStack(stack) {
 			err = deployer.DeployRemoteComposeStack(stack, endpoint, registries, true, false)
 		} else {
 			err = deployer.DeployComposeStack(stack, endpoint, registries, true, false)
@@ -95,7 +115,7 @@ func RedeployWhenChanged(stackID portainer.StackID, deployer StackDeployer, data
 			return errors.WithMessagef(err, "failed to deploy a docker compose stack %v", stackID)
 		}
 	case portainer.DockerSwarmStack:
-		if stackutils.IsGitStack(stack) {
+		if stackutils.IsRelativePathStack(stack) {
 			err = deployer.DeployRemoteSwarmStack(stack, endpoint, registries, true, true)
 		} else {
 			err = deployer.DeploySwarmStack(stack, endpoint, registries, true, true)
@@ -116,6 +136,8 @@ func RedeployWhenChanged(stackID portainer.StackID, deployer StackDeployer, data
 		return errors.Errorf("cannot update stack, type %v is unsupported", stack.Type)
 	}

+	stack.Status = portainer.StackStatusActive
+
 	if err := datastore.Stack().Update(stack.ID, stack); err != nil {
 		return errors.WithMessagef(err, "failed to update the stack %v", stack.ID)
 	}
@@ -147,3 +169,22 @@ func getUserRegistries(datastore dataservices.DataStore, user *portainer.User, e

 	return filteredRegistries, nil
 }
+
+func isEnvironmentOnline(endpoint *portainer.Endpoint) bool {
+	if endpoint.Type != portainer.AgentOnDockerEnvironment &&
+		endpoint.Type != portainer.AgentOnKubernetesEnvironment {
+		return true
+	}
+
+	var err error
+	var tlsConfig *tls.Config
+	if endpoint.TLSConfig.TLS {
+		tlsConfig, err = crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig.TLSCACertPath, endpoint.TLSConfig.TLSCertPath, endpoint.TLSConfig.TLSKeyPath, endpoint.TLSConfig.TLSSkipVerify)
+		if err != nil {
+			return false
+		}
+	}
+
+	_, _, err = agent.GetAgentVersionAndPlatform(endpoint.URL, tlsConfig)
+	return err == nil
+}
--- a/api/stacks/deployments/deploy_test.go
+++ b/api/stacks/deployments/deploy_test.go
@@ -1,18 +1,78 @@
 package deployments

 import (
+	"context"
+	"crypto/tls"
 	"errors"
+	"net/http"
+	"strconv"
 	"strings"
 	"testing"

+	"github.com/portainer/libhttp/response"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/datastore"
 	gittypes "github.com/portainer/portainer/api/git/types"
 	"github.com/portainer/portainer/api/internal/testhelpers"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

+const localhostCert = `-----BEGIN CERTIFICATE-----
+MIIEOjCCAiKgAwIBAgIRALg8rJET2/9LjKSxHj0dQhYwDQYJKoZIhvcNAQELBQAw
+FzEVMBMGA1UEAxMMUG9ydGFpbmVyIENBMB4XDTIzMTAxMTE5NDcxMVoXDTI1MDQx
+MTE5NTM0MVowFDESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAx4nNGiwcCqUCxZyVLIHqvjTy20ZtZDVCedssTv1W5tmz
+YqOIYGaW3CqzlRn6vBHu9bMHXef4+XfS0igKBn76MAKn5IcTccIWIal+5jq48pI3
+c2FzQ3qNujX2zqZPjAjhJnVeVCP3kJu4wUtuubswLPBVLdktGa6EkL+8nu6o0Phw
+6scV6s3gUmQk5/lpH4FIff8M7NAdTOxiFImQ1M0vplKtaEeiCnskpgyI8CbZl7X0
+38Pu178W3+LqB7N4iMy2gKnBwjsXzw/+1dfUGkKjYdDBD+kNEKrQ4dwkjkrkQVdt
+Z+GN26NvXHoeeyX/MLnVgdLbiIjvsf0DDIhabKqTcwIDAQABo4GDMIGAMA4GA1Ud
+DwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0O
+BBYEFPCefmK5Szzlfs8FRCa5+kRCIEWuMB8GA1UdIwQYMBaAFKZZ074SR/ajD3zE
+gxpLGRvFT3XAMA8GA1UdEQQIMAaHBH8AAAEwDQYJKoZIhvcNAQELBQADggIBABcQ
+/WPSUpuQvrcVBsmIlOMz74cDZYuIDls/mAcB/yP3mm+oWlO0qvH/F/BMs1P/bkgj
+fByQZq8Zmi6/TEZNlGvW7KGx077VxDKi8jd1jL3gLDPmkFjYuGeIWQusgxBu1y3m
+0WoTTqnkoism1mzV/dgNwrm3YQIV4H/fi9EEdQSm0UFRTKSAGBkwS7N2pmNb5yQO
+U8glFpyznCv4evDJbs/JUUXKYExgFFhWUd25P7iBRLXg/BFfqdSTiUGUj/Msz0pO
+Evqmq78eIiXjyyKSxzve6/mEIeq6AE3AC9zH+fwTd6Mhp+T2P/S/iO4EU19IMR4m
+sbNBd6h/3GvRekO1KbqQ42awuMnxvWT0NVclSxiU1lMpAmRmk/w9z7wB3r4n7oh4
+iiOTl5VSw1UBkcLDOJw+HB/FU2PdVFfIJKRfjLCZOGrcJX9vEcz7dYGpB5HrdqOc
+/8q5j1g6f/pGE+20HITrtz6ChguETzqw5dLNeKeolC6bVH8yEtmpnP2n8VPnT9Di
+V+hnONcJ+wd/dkBqabGr7LPG24Kj1F2Zp3CDDvJA94FaEsgaLfSg3JD+43uRCOWM
+RuqU8bGuhQRqilR2dSIOrFaW2+MeUHsb24cUn/pkHqKpSg+RBEnf6QfGDlIgqYEl
+19f/HFVBc/a8lM/D81lMyDbjQ9zH4LDYj4ipBbkL
+-----END CERTIFICATE-----`
+
+const localhostKey = `-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAx4nNGiwcCqUCxZyVLIHqvjTy20ZtZDVCedssTv1W5tmzYqOI
+YGaW3CqzlRn6vBHu9bMHXef4+XfS0igKBn76MAKn5IcTccIWIal+5jq48pI3c2Fz
+Q3qNujX2zqZPjAjhJnVeVCP3kJu4wUtuubswLPBVLdktGa6EkL+8nu6o0Phw6scV
+6s3gUmQk5/lpH4FIff8M7NAdTOxiFImQ1M0vplKtaEeiCnskpgyI8CbZl7X038Pu
+178W3+LqB7N4iMy2gKnBwjsXzw/+1dfUGkKjYdDBD+kNEKrQ4dwkjkrkQVdtZ+GN
+26NvXHoeeyX/MLnVgdLbiIjvsf0DDIhabKqTcwIDAQABAoIBAQCqSP6BPG195A52
+iEeCISksw9ERsou+fflKNvIcQvV7swP0xOyooERUhhiVwQMKpx9QDUXXLRV8CHch
+JExR+OEYQdv4GhJM/b6XYafLYQfe80thKyQLzTXQWSdUeffe4OEMShODKOKoRUyp
+oO9Qj9/wKfX3V6S2iwnU4dxdofztv+YP9rYQyjnhKbv/9OfeCp2Pb9eFKKRsA+QQ
+xneDz1+wr8ToTuiTn8HBPNSeSAKvhzXuzyluI7VAetRloNgCtumrA9kpVbW2cDgE
+Gk0q3RY125ejFELQO/cOJFuBsqoJlvPxzg8/vHyfyF9hFMqbqvcUw2e1eqHpnJd5
+dP4+ZGYZAoGBAOOFuPXMLBts0rN9mfNbVfx36H+aOCL77SafZvWm0D+rH69QN3/q
+/ZSWQEjwH5Tzn1e+NVcl/Um2vL/dIyEGBklXQ7yAyJo25gpEOD/rt1U94HKzMOwy
+yKtsKghRAOx0piie7ORS6MGbEOQxU3/1Eg1uvd0qoSnALqJ/le75QpFXAoGBAOCD
+aZQTszzDddr1cFPzLyqjIGJWfPcDYSONXVcCeQmhvC7mkfw9SWdIfku7JbdNgFYq
+ZAAU0klsLX0lEe8f4A12FnHNylKoxmTWdE3wWPptejdA1KUgzt/2kNljgOMFuY0Q
+rlCEW/Jabrg5aFMwVVG8bHLZR0xalfniDvXLvnFFAoGACdztJLKiIto31BIYz2Th
+OF2WVZnA3ztej3MPioydsHThnb7zePcd4QgWZ1MJe3KIMMyNEWcTMNPcINEcSb0y
+HpHK3OwURiMlG8LTUWoNe4OALFi6QTL+YfgBZnTkflucLFyfVlKFxobLV6kPvpdI
+Hg7z6heD/wRWwTKYtFBX42cCgYBIeoQJ9rYlRqB0eEm0AEzYweLBfFRJVgD0/j0E
+ytqSPnFG3s6AFLTur9t9zUPmwhFNP9Aaqp4cb9zbiq0YejzVe6rRQHMxbiTmBslz
+I8VFyzPqRHahfE7sxGeMlm/UWlPFc34ipigcvA8EUBwaxv60LVUBWp2Gy7OhANZ9
+iTHI1QKBgQCdHFj9dnbpaEHA426CoaPsyj5cv2nBLRf8p1cs71sq+qQOGlGJfajm
+L9x22ol5c5rToZa1qKSnSdSDCud298MyRujMUy2UcUKHeNs3MK9AT41sDv266I7b
+vJUUCFYm8+9p6gTVOcoMit+eGSwa81PCPEs1TnU1PV/PaDFeUhn/mg==
+-----END RSA PRIVATE KEY-----`
+
 type noopDeployer struct{}

 // without unpacker
@@ -54,6 +114,42 @@ func (s *noopDeployer) StopRemoteSwarmStack(stack *portainer.Stack, endpoint *po
 	return nil
 }

+func agentServer(t *testing.T) string {
+	h := http.NewServeMux()
+
+	h.HandleFunc("/ping", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set(portainer.PortainerAgentHeader, "v2.19.0")
+		w.Header().Set(portainer.HTTPResponseAgentPlatform, strconv.Itoa(int(portainer.AgentPlatformDocker)))
+
+		response.Empty(w)
+	})
+
+	cert, err := tls.X509KeyPair([]byte(localhostCert), []byte(localhostKey))
+	require.NoError(t, err)
+
+	tlsConfig := &tls.Config{
+		Certificates: []tls.Certificate{cert},
+	}
+
+	l, err := tls.Listen("tcp", "127.0.0.1:0", tlsConfig)
+	require.NoError(t, err)
+
+	s := &http.Server{
+		Handler: h,
+	}
+
+	go func() {
+		err := s.Serve(l)
+		require.ErrorIs(t, err, http.ErrServerClosed)
+	}()
+
+	t.Cleanup(func() {
+		s.Shutdown(context.Background())
+	})
+
+	return "http://" + l.Addr().String()
+}
+
 func Test_redeployWhenChanged_FailsWhenCannotFindStack(t *testing.T) {
 	_, store := datastore.MustNewTestStore(t, true, true)

@@ -114,7 +210,12 @@ func Test_redeployWhenChanged_FailsWhenCannotClone(t *testing.T) {
 	assert.NoError(t, err, "error creating an admin")

 	err = store.Endpoint().Create(&portainer.Endpoint{
-		ID: 0,
+		ID:  0,
+		URL: agentServer(t),
+		TLSConfig: portainer.TLSConfiguration{
+			TLS:           true,
+			TLSSkipVerify: true,
+		},
 	})
 	assert.NoError(t, err, "error creating environment")

--- a/api/stacks/deployments/deployer_remote.go
+++ b/api/stacks/deployments/deployer_remote.go
@@ -1,7 +1,9 @@
 package deployments

 import (
+	"bytes"
 	"context"
+	"encoding/json"
 	"fmt"
 	"io"
 	"math/rand"
@@ -12,6 +14,7 @@ import (
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/pkg/stdcopy"
 	"github.com/pkg/errors"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/filesystem"
@@ -184,16 +187,18 @@ func (d *stackDeployer) remoteStack(stack *portainer.Stack, endpoint *portainer.
 	case <-statusCh:
 	}

+	stdErr := &bytes.Buffer{}
+
 	out, err := cli.ContainerLogs(ctx, unpackerContainer.ID, types.ContainerLogsOptions{ShowStdout: true, ShowStderr: true})
 	if err != nil {
 		log.Error().Err(err).Msg("unable to get logs from unpacker container")
 	} else {
-		outputBytes, err := io.ReadAll(out)
+		_, err = stdcopy.StdCopy(io.Discard, stdErr, out)
 		if err != nil {
-			log.Error().Err(err).Msg("unable to parse logs from unpacker container")
+			log.Warn().Err(err).Msg("unable to parse logs from unpacker container")
 		} else {
 			log.Info().
-				Str("output", string(outputBytes)).
+				Str("output", stdErr.String()).
 				Msg("Stack deployment output")
 		}
 	}
@@ -204,6 +209,26 @@ func (d *stackDeployer) remoteStack(stack *portainer.Stack, endpoint *portainer.
 	}

 	if status.State.ExitCode != 0 {
+		dec := json.NewDecoder(stdErr)
+		for {
+			errorStruct := struct {
+				Level string
+				Error string
+			}{}
+
+			if err := dec.Decode(&errorStruct); errors.Is(err, io.EOF) {
+				break
+			} else if err != nil {
+				log.Warn().Err(err).Msg("unable to parse logs from unpacker container")
+
+				continue
+			}
+
+			if errorStruct.Level == "error" {
+				return fmt.Errorf("an error occurred while running unpacker container with exit code %d: %s", status.State.ExitCode, errorStruct.Error)
+			}
+		}
+
 		return fmt.Errorf("an error occurred while running unpacker container with exit code %d", status.State.ExitCode)
 	}

--- a/api/stacks/deployments/deployment_compose_config.go
+++ b/api/stacks/deployments/deployment_compose_config.go
@@ -84,7 +84,7 @@ func (config *ComposeStackDeploymentConfig) Deploy() error {
 			return err
 		}
 	}
-	if stackutils.IsGitStack(config.stack) {
+	if stackutils.IsRelativePathStack(config.stack) {
 		return config.StackDeployer.DeployRemoteComposeStack(config.stack, config.endpoint, config.registries, config.forcePullImage, config.ForceCreate)
 	}

--- a/api/stacks/deployments/deployment_swarm_config.go
+++ b/api/stacks/deployments/deployment_swarm_config.go
@@ -78,7 +78,7 @@ func (config *SwarmStackDeploymentConfig) Deploy() error {
 		}
 	}

-	if stackutils.IsGitStack(config.stack) {
+	if stackutils.IsRelativePathStack(config.stack) {
 		return config.StackDeployer.DeployRemoteSwarmStack(config.stack, config.endpoint, config.registries, config.prune, config.pullImage)
 	}

--- a/api/stacks/stackutils/util.go
+++ b/api/stacks/stackutils/util.go
@@ -47,3 +47,10 @@ func SanitizeLabel(value string) string {
 func IsGitStack(stack *portainer.Stack) bool {
 	return stack.GitConfig != nil && len(stack.GitConfig.URL) != 0
 }
+
+// IsRelativePathStack checks if the stack is a git stack or not
+func IsRelativePathStack(stack *portainer.Stack) bool {
+	// Always return false in CE
+	// This function is only for code consistency with EE
+	return false
+}
--- a/app/assets/css/theme.css
+++ b/app/assets/css/theme.css
@@ -87,7 +87,7 @@

  --orange-1: #e86925;

-  --BE-only: var(--ui-warning-7);
+  --BE-only: var(--ui-gray-6);

  --text-log-viewer-color-json-grey: var(--text-log-viewer-color);
  --text-log-viewer-color-json-magenta: var(--text-log-viewer-color);
@@ -259,8 +259,7 @@

 /* Dark Theme */
 [theme='dark'] {
-  --BE-only: var(--ui-blue-8);
-  --bg-BE-only: rgba(225, 223, 223, 0.08);
+  --BE-only: var(--ui-gray-6);

  --text-log-viewer-color-json-grey: var(--text-log-viewer-color);
  --text-log-viewer-color-json-magenta: var(--text-log-viewer-color);
@@ -434,6 +433,7 @@

 /* High Contrast Theme */
 [theme='highcontrast'] {
+  --BE-only: var(--ui-gray-6);
  --text-log-viewer-color-json-grey: var(--text-log-viewer-color);
  --text-log-viewer-color-json-magenta: var(--text-log-viewer-color);
  --text-log-viewer-color-json-yellow: var(--text-log-viewer-color);
--- a/app/docker/helpers/configHelper.js
+++ b/app/docker/helpers/configHelper.js
@@ -7,10 +7,8 @@ angular.module('portainer.docker').factory('ConfigHelper', [
          return {
            Id: config.ConfigID,
            Name: config.ConfigName,
-            FileName: config.File.Name,
-            Uid: config.File.UID,
-            Gid: config.File.GID,
-            Mode: config.File.Mode,
+            ...(config.File ? { FileName: config.File.Name, Uid: config.File.UID, Gid: config.File.GID, Mode: config.File.Mode } : {}),
+            credSpec: !!config.Runtime,
          };
        }
        return {};
@@ -20,12 +18,15 @@ angular.module('portainer.docker').factory('ConfigHelper', [
          return {
            ConfigID: config.Id,
            ConfigName: config.Name,
-            File: {
-              Name: config.FileName || config.Name,
-              UID: config.Uid || '0',
-              GID: config.Gid || '0',
-              Mode: config.Mode || 292,
-            },
+            File: config.credSpec
+              ? null
+              : {
+                  Name: config.FileName || config.Name,
+                  UID: config.Uid || '0',
+                  GID: config.Gid || '0',
+                  Mode: config.Mode || 292,
+                },
+            Runtime: config.credSpec ? {} : null,
          };
        }
        return {};
--- a/app/docker/views/containers/console/containerConsoleController.js
+++ b/app/docker/views/containers/console/containerConsoleController.js
@@ -66,7 +66,6 @@ angular.module('portainer.docker').controller('ContainerConsoleController', [
          }

          const params = {
-            token: LocalStorage.getJWT(),
            endpointId: $state.params.endpointId,
            id: attachId,
          };
@@ -107,7 +106,6 @@ angular.module('portainer.docker').controller('ContainerConsoleController', [
      ContainerService.createExec(execConfig)
        .then(function success(data) {
          const params = {
-            token: LocalStorage.getJWT(),
            endpointId: $state.params.endpointId,
            id: data.Id,
          };
@@ -166,6 +164,9 @@ angular.module('portainer.docker').controller('ContainerConsoleController', [
      if ($transition$.params().nodeName) {
        url += '&nodeName=' + $transition$.params().nodeName;
      }
+
+      url += '&token=' + LocalStorage.getJWT();
+
      if (url.indexOf('https') > -1) {
        url = url.replace('https://', 'wss://');
      } else {
--- a/app/docker/views/images/edit/imageController.js
+++ b/app/docker/views/images/edit/imageController.js
@@ -1,6 +1,7 @@
 import _ from 'lodash-es';
 import { PorImageRegistryModel } from 'Docker/models/porImageRegistry';
 import { confirmImageExport } from '@/react/docker/images/common/ConfirmExportModal';
+import { confirmDelete } from '@@/modals/confirm';

 angular.module('portainer.docker').controller('ImageController', [
  '$async',
@@ -120,30 +121,42 @@ angular.module('portainer.docker').controller('ImageController', [
    }

    $scope.removeTag = function (repository) {
-      ImageService.deleteImage(repository, false)
-        .then(function success() {
-          if ($scope.image.RepoTags.length === 1) {
-            Notifications.success('Image successfully deleted', repository);
-            $state.go('docker.images', {}, { reload: true });
-          } else {
-            Notifications.success('Tag successfully deleted', repository);
-            $state.go('docker.images.image', { id: $transition$.params().id }, { reload: true });
-          }
-        })
-        .catch(function error(err) {
-          Notifications.error('Failure', err, 'Unable to remove image');
-        });
+      return $async(async () => {
+        if (!(await confirmDelete('Are you sure you want to delete this tag?'))) {
+          return;
+        }
+
+        ImageService.deleteImage(repository, false)
+          .then(function success() {
+            if ($scope.image.RepoTags.length === 1) {
+              Notifications.success('Image successfully deleted', repository);
+              $state.go('docker.images', {}, { reload: true });
+            } else {
+              Notifications.success('Tag successfully deleted', repository);
+              $state.go('docker.images.image', { id: $transition$.params().id }, { reload: true });
+            }
+          })
+          .catch(function error(err) {
+            Notifications.error('Failure', err, 'Unable to remove image');
+          });
+      });
    };

    $scope.removeImage = function (id) {
-      ImageService.deleteImage(id, false)
-        .then(function success() {
-          Notifications.success('Image successfully deleted', id);
-          $state.go('docker.images', {}, { reload: true });
-        })
-        .catch(function error(err) {
-          Notifications.error('Failure', err, 'Unable to remove image');
-        });
+      return $async(async () => {
+        if (!(await confirmDelete('Deleting this image will also delete all associated tags. Are you sure you want to delete this image?'))) {
+          return;
+        }
+
+        ImageService.deleteImage(id, false)
+          .then(function success() {
+            Notifications.success('Image successfully deleted', id);
+            $state.go('docker.images', {}, { reload: true });
+          })
+          .catch(function error(err) {
+            Notifications.error('Failure', err, 'Unable to remove image');
+          });
+      });
    };

    function exportImage(image) {
--- a/app/docker/views/images/imagesController.js
+++ b/app/docker/views/images/imagesController.js
@@ -57,7 +57,8 @@ angular.module('portainer.docker').controller('ImagesController', [
    function confirmImageForceRemoval() {
      return confirmDestructive({
        title: 'Are you sure?',
-        message: 'Forcing the removal of the image will remove the image even if it has multiple tags or if it is used by stopped containers.',
+        message:
+          "Forcing removal of an image will remove it even if it's used by stopped containers, and delete all associated tags. Are you sure you want to remove the selected image(s)?",
        confirmButton: buildConfirmButton('Remove the image', 'danger'),
      });
    }
@@ -65,7 +66,7 @@ angular.module('portainer.docker').controller('ImagesController', [
    function confirmRegularRemove() {
      return confirmDestructive({
        title: 'Are you sure?',
-        message: 'Removing the image will remove all tags associated to that image. Are you sure you want to remove the image?',
+        message: 'Removing an image will also delete all associated tags. Are you sure you want to remove the selected image(s)?',
        confirmButton: buildConfirmButton('Remove the image', 'danger'),
      });
    }
--- a/app/docker/views/services/edit/includes/configs.html
+++ b/app/docker/views/services/edit/includes/configs.html
@@ -4,7 +4,7 @@
    <rd-widget-body classes="no-padding">
      <div class="form-inline" style="padding: 10px" authorization="DockerServiceUpdate">
        Add a config:
-        <select class="form-control !h-[30px] !text-[13px]" ng-options="config.Name for config in configs | orderBy: 'Name'" ng-model="newConfig">
+        <select class="form-control !h-[30px] !text-[13px]" ng-options="config.Name for config in filterConfigs(configs) | orderBy: 'Name'" ng-model="newConfig">
          <option selected disabled hidden value="">Select a config</option>
        </select>
        <a class="btn btn-default btn-sm" ng-click="addConfig(service, newConfig)"> <pr-icon icon="'plus'"></pr-icon> add config </a>
@@ -22,10 +22,10 @@
        </thead>
        <tbody>
          <tr ng-repeat="config in service.ServiceConfigs">
-            <td
-              ><a ui-sref="docker.configs.config({id: config.Id})">{{ config.Name }}</a></td
-            >
            <td>
+              <a ui-sref="docker.configs.config({id: config.Id})">{{ config.Name }}</a>
+            </td>
+            <td ng-if="!config.credSpec">
              <input
                class="form-control"
                ng-model="config.FileName"
@@ -33,11 +33,13 @@
                placeholder="e.g. /path/in/container"
                required
                disable-authorization="DockerServiceUpdate"
+                ng-disabled="config.credSpec"
              />
            </td>
-            <td>{{ config.Uid }}</td>
-            <td>{{ config.Gid }}</td>
-            <td>{{ config.Mode }}</td>
+            <td ng-if="!config.credSpec">{{ config.Uid }}</td>
+            <td ng-if="!config.credSpec">{{ config.Gid }}</td>
+            <td ng-if="!config.credSpec">{{ config.Mode }}</td>
+            <td ng-if="config.credSpec" colspan="4">Credential Spec</td>
            <td authorization="DockerServiceUpdate">
              <button class="btn btn-dangerlight pull-right" type="button" ng-click="removeConfig(service, $index)" ng-disabled="isUpdating">
                <pr-icon icon="'trash-2'" size="'md'"></pr-icon>
--- a/app/docker/views/services/edit/serviceController.js
+++ b/app/docker/views/services/edit/serviceController.js
@@ -91,6 +91,7 @@ angular.module('portainer.docker').controller('ServiceController', [
    endpoint
  ) {
    $scope.resourceType = ResourceControlType.Service;
+    $scope.WebhookExists = false;

    $scope.onUpdateResourceControlSuccess = function () {
      $state.reload();
@@ -462,6 +463,27 @@ angular.module('portainer.docker').controller('ServiceController', [

      config.TaskTemplate.ContainerSpec.Secrets = service.ServiceSecrets ? service.ServiceSecrets.map(SecretHelper.secretConfig) : [];
      config.TaskTemplate.ContainerSpec.Configs = service.ServiceConfigs ? service.ServiceConfigs.map(ConfigHelper.configConfig) : [];
+
+      // support removal and (future) editing of credential specs
+      const credSpec = service.ServiceConfigs.find((config) => config.credSpec);
+      const credSpecId = credSpec ? credSpec.Id : '';
+      const oldCredSpecId =
+        (config.TaskTemplate.ContainerSpec.Privileges &&
+          config.TaskTemplate.ContainerSpec.Privileges.CredentialSpec &&
+          config.TaskTemplate.ContainerSpec.Privileges.CredentialSpec.Config) ||
+        '';
+      if (oldCredSpecId && !credSpecId) {
+        delete config.TaskTemplate.ContainerSpec.Privileges.CredentialSpec;
+      } else if (credSpec && oldCredSpecId !== credSpec) {
+        config.TaskTemplate.ContainerSpec.Privileges = {
+          ...(config.TaskTemplate.ContainerSpec.Privileges || {}),
+          CredentialSpec: {
+            ...((config.TaskTemplate.ContainerSpec.Privileges && config.TaskTemplate.ContainerSpec.Privileges.CredentialSpec) || {}),
+            Config: credSpec,
+          },
+        };
+      }
+
      config.TaskTemplate.ContainerSpec.Hosts = service.Hosts ? ServiceHelper.translateHostnameIPToHostsEntries(service.Hosts) : [];

      if (service.Mode === 'replicated') {
@@ -582,8 +604,7 @@ angular.module('portainer.docker').controller('ServiceController', [
    }

    $scope.updateService = function updateService(service) {
-      let config = {};
-      service, (config = buildChanges(service));
+      const config = buildChanges(service);
      ServiceService.update(service, config).then(
        function (data) {
          if (data.message && data.message.match(/^rpc error:/)) {
@@ -735,7 +756,6 @@ angular.module('portainer.docker').controller('ServiceController', [
          $scope.isAdmin = Authentication.isAdmin();
          $scope.availableNetworks = data.availableNetworks;
          $scope.swarmNetworks = _.filter($scope.availableNetworks, (network) => network.Scope === 'swarm');
-          $scope.WebhookExists = false;

          const serviceNetworks = _.uniqBy(_.concat($scope.service.Model.Spec.Networks || [], $scope.service.Model.Spec.TaskTemplate.Networks || []), 'Target');
          const networks = _.filter(
@@ -832,6 +852,15 @@ angular.module('portainer.docker').controller('ServiceController', [
      return networks.filter((network) => !network.Ingress && (network.Id === current.Id || $scope.service.Networks.every((serviceNetwork) => network.Id !== serviceNetwork.Id)));
    }

+    $scope.filterConfigs = filterConfigs;
+    function filterConfigs(configs) {
+      if (!configs) {
+        return [];
+      }
+
+      return configs.filter((config) => $scope.service.ServiceConfigs.every((serviceConfig) => config.Id !== serviceConfig.Id));
+    }
+
    function updateServiceArray(service, name) {
      previousServiceValues.push(name);
      service.hasChanges = true;
--- a/app/edge/__module.js
+++ b/app/edge/__module.js
@@ -72,6 +72,11 @@ angular
          component: 'editEdgeStackView',
        },
      },
+      params: {
+        status: {
+          dynamic: true,
+        },
+      },
    };

    const edgeJobs = {
--- a/app/edge/react/components/index.ts
+++ b/app/edge/react/components/index.ts
@@ -92,7 +92,6 @@ export const componentsModule = angular
      'query',
      'title',
      'data-cy',
-      'hideEnvironmentIds',
    ])
  )
  .component(
--- a/app/edge/views/edge-groups/edgeGroupsView/edgeGroupsViewController.js
+++ b/app/edge/views/edge-groups/edgeGroupsView/edgeGroupsViewController.js
@@ -1,4 +1,5 @@
 import _ from 'lodash-es';
+import { confirmDelete } from '@@/modals/confirm';

 export class EdgeGroupsController {
  /* @ngInject */
@@ -26,6 +27,10 @@ export class EdgeGroupsController {
  }

  async removeActionAsync(selectedItems) {
+    if (!(await confirmDelete('Do you want to remove the selected Edge Group(s)?'))) {
+      return;
+    }
+
    for (let item of selectedItems) {
      try {
        await this.EdgeGroupService.remove(item.Id);
--- a/app/edge/views/edge-jobs/edgeJobsView/edgeJobsViewController.js
+++ b/app/edge/views/edge-jobs/edgeJobsView/edgeJobsViewController.js
@@ -15,7 +15,7 @@ export class EdgeJobsViewController {
  }

  removeAction(selectedItems) {
-    confirmDelete('Do you want to remove the selected edge job(s)?').then((confirmed) => {
+    confirmDelete('Do you want to remove the selected Edge job(s)?').then((confirmed) => {
      if (!confirmed) {
        return;
      }
--- a/app/kubernetes/components/kubernetes-configuration-data/kubernetesConfigurationData.html
+++ b/app/kubernetes/components/kubernetes-configuration-data/kubernetesConfigurationData.html
@@ -14,9 +14,13 @@
      <pr-icon icon="'info'" mode="'primary'"></pr-icon>
      Switch to advanced mode to copy and paste multiple key/values
    </div>
-    <div class="col-sm-12 small text-muted vertical-center" ng-if="!$ctrl.formValues.IsSimple">
+    <div class="col-sm-12 small text-muted vertical-center" ng-if="!$ctrl.formValues.IsSimple && $ctrl.type === 'configmap'">
      <pr-icon icon="'info'" mode="'primary'"></pr-icon>
-      Generate a configuration entry per line, use YAML format
+      Generate a ConfigMap entry per line, use YAML format
+    </div>
+    <div class="col-sm-12 small text-muted vertical-center" ng-if="!$ctrl.formValues.IsSimple && $ctrl.type === 'secret'">
+      <pr-icon icon="'info'" mode="'primary'"></pr-icon>
+      Generate a Secret entry per line, use YAML format
    </div>
  </div>

--- a/Show More
+++ b/Show More