chore: bump version to 2.32.0 (#933 )

chore: bump version to 2.32.0-rc1 (#928 )
feat(helm): show manifest previews/changes when installing and upgrading a helm chart [r8s-405] (#918 )
2025-07-24 09:48:45 +12:00 · 2025-07-23 12:51:47 +12:00 · 2025-07-23 10:53:03 +12:00 · 2025-07-21 21:32:05 -03:00 · 2025-07-21 15:05:04 +12:00 · 2025-07-17 12:07:20 +12:00
1227 changed files with 45955 additions and 21869 deletions
--- a/.air.toml
+++ b/.air.toml
@@ -0,0 +1,52 @@
+root = "."
+testdata_dir = "testdata"
+tmp_dir = ".tmp"
+
+[build]
+  args_bin = []
+  bin = "./dist/portainer"
+  cmd = "SKIP_GO_GET=true make build-server"
+  delay = 1000
+  exclude_dir = []
+  exclude_file = []
+  exclude_regex = ["_test.go"]
+  exclude_unchanged = false
+  follow_symlink = false
+  full_bin = "./dist/portainer --log-level=DEBUG"
+  include_dir = ["api"]
+  include_ext = ["go"]
+  include_file = []
+  kill_delay = "0s"
+  log = "build-errors.log"
+  poll = false
+  poll_interval = 0
+  post_cmd = []
+  pre_cmd = []
+  rerun = false
+  rerun_delay = 500
+  send_interrupt = false
+  stop_on_error = false
+
+[color]
+  app = ""
+  build = "yellow"
+  main = "magenta"
+  runner = "green"
+  watcher = "cyan"
+
+[log]
+  main_only = false
+  silent = false
+  time = false
+
+[misc]
+  clean_on_exit = false
+
+[proxy]
+  app_port = 0
+  enabled = false
+  proxy_port = 0
+
+[screen]
+  clear_on_rebuild = false
+  keep_scroll = true
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -2,16 +2,17 @@ name: Bug Report
 description: Create a report to help us improve.
 labels: kind/bug,bug/need-confirmation
 body:
-
  - type: markdown
    attributes:
      value: |
        # Welcome!
-        
+
        The issue tracker is for reporting bugs. If you have an [idea for a new feature](https://github.com/orgs/portainer/discussions/categories/ideas) or a [general question about Portainer](https://github.com/orgs/portainer/discussions/categories/help) please post in our [GitHub Discussions](https://github.com/orgs/portainer/discussions).
-        
+
        You can also ask for help in our [community Slack channel](https://join.slack.com/t/portainer/shared_invite/zt-txh3ljab-52QHTyjCqbe5RibC2lcjKA).
-        
+
+        Please note that we only provide support for current versions of Portainer. You can find a list of supported versions in our [lifecycle policy](https://docs.portainer.io/start/lifecycle).
+
        **DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS**.

  - type: checkboxes
@@ -43,7 +44,7 @@ body:
  - type: textarea
    attributes:
      label: Problem Description
-      description: A clear and concise description of what the bug is. 
+      description: A clear and concise description of what the bug is.
    validations:
      required: true

@@ -69,7 +70,7 @@ body:
        1. Go to '...'
        2. Click on '....'
        3. Scroll down to '....'
-        4. See error   
+        4. See error
    validations:
      required: true

@@ -90,31 +91,44 @@ body:
  - type: dropdown
    attributes:
      label: Portainer version
-      description: We only provide support for the most recent version of Portainer and the previous 3 versions. If you are on an older version of Portainer we recommend [upgrading first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
+      description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [updating first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
      multiple: false
      options:
+        - '2.31.3'
+        - '2.31.2'
+        - '2.31.1'
+        - '2.31.0'
+        - '2.30.1'
+        - '2.30.0'
+        - '2.29.2'
+        - '2.29.1'
+        - '2.29.0'
+        - '2.28.1'
+        - '2.28.0'
+        - '2.27.9'
+        - '2.27.8'
+        - '2.27.7'
+        - '2.27.6'
+        - '2.27.5'
+        - '2.27.4'
+        - '2.27.3'
+        - '2.27.2'
+        - '2.27.1'
+        - '2.27.0'
+        - '2.26.1'
+        - '2.26.0'
+        - '2.25.1'
+        - '2.25.0'
+        - '2.24.1'
+        - '2.24.0'
+        - '2.23.0'
+        - '2.22.0'
+        - '2.21.5'
+        - '2.21.4'
+        - '2.21.3'
        - '2.21.2'
        - '2.21.1'
        - '2.21.0'
-        - '2.20.3'
-        - '2.20.2'
-        - '2.20.1'
-        - '2.20.0'
-        - '2.19.5'
-        - '2.19.4'
-        - '2.19.3'
-        - '2.19.2'
-        - '2.19.1'
-        - '2.19.0'
-        - '2.18.4'
-        - '2.18.3'
-        - '2.18.2'
-        - '2.18.1'
-        - '2.17.1'
-        - '2.17.0'
-        - '2.16.2'
-        - '2.16.1'
-        - '2.16.0'
    validations:
      required: true

@@ -152,7 +166,7 @@ body:
  - type: input
    attributes:
      label: Browser
-      description: | 
+      description: |
        Enter your browser and version. Example: Google Chrome 114.0
    validations:
      required: false
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,166 +0,0 @@
-name: ci
-
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - 'develop'
-      - 'release/*'
-  pull_request:
-    branches:
-      - 'develop'
-      - 'release/*'
-      - 'feat/*'
-      - 'fix/*'
-      - 'refactor/*'
-    types:
-      - opened
-      - reopened
-      - synchronize
-      - ready_for_review
-
-env:
-  DOCKER_HUB_REPO: portainerci/portainer-ce
-  EXTENSION_HUB_REPO: portainerci/portainer-docker-extension
-  NODE_VERSION: 18.x
-
-jobs:
-  build_images:
-    strategy:
-      matrix:
-        config:
-          - { platform: linux, arch: amd64, version: "" }
-          - { platform: linux, arch: arm64, version: "" }
-          - { platform: linux, arch: arm, version: "" }
-          - { platform: linux, arch: ppc64le, version: "" }
-          - { platform: windows, arch: amd64, version: 1809 }
-          - { platform: windows, arch: amd64, version: ltsc2022 }
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
-    steps:
-      - name: '[preparation] checkout the current branch'
-        uses: actions/checkout@v4.1.1
-        with:
-          ref: ${{ github.event.inputs.branch }}
-      - name: '[preparation] set up golang'
-        uses: actions/setup-go@v5.0.0
-        with:
-          go-version-file: go.mod
-      - name: '[preparation] set up node.js'
-        uses: actions/setup-node@v4.0.1
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: 'yarn'
-      - name: '[preparation] set up qemu'
-        uses: docker/setup-qemu-action@v3.0.0
-      - name: '[preparation] set up docker context for buildx'
-        run: docker context create builders
-      - name: '[preparation] set up docker buildx'
-        uses: docker/setup-buildx-action@v3.0.0
-        with:
-          endpoint: builders
-      - name: '[preparation] docker login'
-        uses: docker/login-action@v3.0.0
-        with:
-          username: ${{ secrets.DOCKER_HUB_USERNAME }}
-          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
-      - name: '[preparation] set the container image tag'
-        run: |
-          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
-            # use the release branch name as the tag for release branches
-            # for instance, release/2.19 becomes 2.19
-            CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -d "/" -f 2)
-          elif [ "${GITHUB_EVENT_NAME}" == "pull_request" ]; then
-            # use pr${{ github.event.number }} as the tag for pull requests
-            # for instance, pr123
-            CONTAINER_IMAGE_TAG="pr${{ github.event.number }}"
-          else
-            # replace / with - in the branch name
-            # for instance, feature/1.0.0 -> feature-1.0.0
-            CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | sed 's/\//-/g')
-          fi
-          
-          echo "CONTAINER_IMAGE_TAG=${CONTAINER_IMAGE_TAG}-${{ matrix.config.platform }}${{ matrix.config.version }}-${{ matrix.config.arch }}" >> $GITHUB_ENV
-      - name: '[execution] build linux & windows portainer binaries'
-        run: |
-          export YARN_VERSION=$(yarn --version)
-          export WEBPACK_VERSION=$(yarn list webpack --depth=0 | grep webpack | awk -F@ '{print $2}')
-          export BUILDNUMBER=${GITHUB_RUN_NUMBER}
-          GIT_COMMIT_HASH_LONG=${{ github.sha }}
-          export GIT_COMMIT_HASH_SHORT={GIT_COMMIT_HASH_LONG:0:7}
-          
-          NODE_ENV="testing"
-          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
-            NODE_ENV="production"
-          fi
-          
-          make build-all PLATFORM=${{ matrix.config.platform }} ARCH=${{ matrix.config.arch }} ENV=${NODE_ENV}
-        env:
-          CONTAINER_IMAGE_TAG: ${{ env.CONTAINER_IMAGE_TAG }}
-      - name: '[execution] build and push docker images'
-        run: |
-          if [ "${{ matrix.config.platform }}" == "windows" ]; then
-            mv dist/portainer dist/portainer.exe
-            docker buildx build --output=type=registry --attest type=provenance,mode=max --attest type=sbom,disabled=false --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} --build-arg OSVERSION=${{ matrix.config.version }} -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}" -f build/${{ matrix.config.platform }}/Dockerfile .
-          else 
-            docker buildx build --output=type=registry --attest type=provenance,mode=max --attest type=sbom,disabled=false --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}" -f build/${{ matrix.config.platform }}/Dockerfile .
-            docker buildx build --output=type=registry --attest type=provenance,mode=max --attest type=sbom,disabled=false --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" -f build/${{ matrix.config.platform }}/alpine.Dockerfile .
-            
-            if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
-              docker buildx build --output=type=registry --attest type=provenance,mode=max --attest type=sbom,disabled=false --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}" -f build/${{ matrix.config.platform }}/Dockerfile .
-              docker buildx build --output=type=registry --attest type=provenance,mode=max --attest type=sbom,disabled=false --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" -f build/${{ matrix.config.platform }}/alpine.Dockerfile .
-            fi
-          fi
-        env:
-          CONTAINER_IMAGE_TAG: ${{ env.CONTAINER_IMAGE_TAG }}
-  build_manifests:
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
-    needs: [build_images]
-    steps:
-      - name: '[preparation] docker login'
-        uses: docker/login-action@v3.0.0
-        with:
-          username: ${{ secrets.DOCKER_HUB_USERNAME }}
-          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
-      - name: '[preparation] set up docker context for buildx'
-        run: docker version && docker context create builders
-      - name: '[preparation] set up docker buildx'
-        uses: docker/setup-buildx-action@v3.0.0
-        with:
-          endpoint: builders
-      - name: '[execution] build and push manifests'
-        run: |
-          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
-            # use the release branch name as the tag for release branches
-            # for instance, release/2.19 becomes 2.19
-            CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -d "/" -f 2)
-          elif [ "${GITHUB_EVENT_NAME}" == "pull_request" ]; then
-            # use pr${{ github.event.number }} as the tag for pull requests
-            # for instance, pr123
-            CONTAINER_IMAGE_TAG="pr${{ github.event.number }}"
-          else
-            # replace / with - in the branch name
-            # for instance, feature/1.0.0 -> feature-1.0.0
-            CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | sed 's/\//-/g')
-          fi
-
-          docker buildx imagetools create -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-ppc64le" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-windows1809-amd64" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-windowsltsc2022-amd64"
-          
-          docker buildx imagetools create -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64-alpine" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64-alpine" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm-alpine" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-ppc64le-alpine"
-            
-          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
-            docker buildx imagetools create -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}" \
-              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64" \
-              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64"
-          fi
--- a/.github/workflows/label-conflcts.yaml
+++ b/.github/workflows/label-conflcts.yaml
@@ -1,15 +0,0 @@
-on:
-  push:
-    branches:
-      - develop
-      - 'release/**'
-jobs:
-  triage:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: mschilde/auto-label-merge-conflicts@master
-        with:
-          CONFLICT_LABEL_NAME: 'has conflicts'
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          MAX_RETRIES: 10
-          WAIT_MS: 60000
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,55 +0,0 @@
-name: Lint
-
-on:
-  push:
-    branches:
-      - master
-      - develop
-      - release/*
-  pull_request:
-    branches:
-      - master
-      - develop
-      - release/*
-    types:
-      - opened
-      - reopened
-      - synchronize
-      - ready_for_review
-
-env:
-  GO_VERSION: 1.22.5
-  NODE_VERSION: 18.x
-
-jobs:
-  run-linters:
-    name: Run linters
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
-
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: 'yarn'
-      - uses: actions/setup-go@v4
-        with:
-          go-version: ${{ env.GO_VERSION }}
-      - run: yarn --frozen-lockfile
-      - name: Run linters
-        uses: wearerequired/lint-action@v1
-        with:
-          eslint: true
-          eslint_extensions: ts,tsx,js,jsx
-          prettier: true
-          prettier_dir: app/
-          gofmt: true
-          gofmt_dir: api/
-      - name: Typecheck
-        uses: icrawl/action-tsc@v1
-      - name: GolangCI-Lint
-        uses: golangci/golangci-lint-action@v3
-        with:
-          version: v1.59.1
-          args: --timeout=10m -c .golangci.yaml
--- a/.github/workflows/nightly-security-scan.yml
+++ b/.github/workflows/nightly-security-scan.yml
@@ -1,254 +0,0 @@
-name: Nightly Code Security Scan
-
-on:
-  schedule:
-    - cron: '0 20 * * *'
-  workflow_dispatch:
-
-env:
-  GO_VERSION: 1.22.5
-  DOCKER_HUB_REPO: portainerci/portainer-ce
-  DOCKER_HUB_IMAGE_TAG: develop
-
-jobs:
-  client-dependencies:
-    name: Client Dependency Check
-    runs-on: ubuntu-latest
-    if: >- # only run for develop branch
-      github.ref == 'refs/heads/develop'
-    outputs:
-      js: ${{ steps.set-matrix.outputs.js_result }}
-    steps:
-      - name: checkout repository
-        uses: actions/checkout@master
-
-      - name: scan vulnerabilities by Snyk
-        uses: snyk/actions/node@master
-        continue-on-error: true # To make sure that artifact upload gets called
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        with:
-          json: true
-
-      - name: upload scan result as develop artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: js-security-scan-develop-result
-          path: snyk.json
-
-      - name: develop scan report export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=table --export --export-filename="/data/js-result")
-
-      - name: upload html file as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-js-result-${{github.run_id}}
-          path: js-result.html
-
-      - name: analyse vulnerabilities
-        id: set-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=matrix)
-          echo "js_result=${result}" >> $GITHUB_OUTPUT
-
-  server-dependencies:
-    name: Server Dependency Check
-    runs-on: ubuntu-latest
-    if: >- # only run for develop branch
-      github.ref == 'refs/heads/develop'
-    outputs:
-      go: ${{ steps.set-matrix.outputs.go_result }}
-    steps:
-      - name: checkout repository
-        uses: actions/checkout@master
-
-      - name: install Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - name: download Go modules
-        run: cd ./api && go get -t -v -d ./...
-
-      - name: scan vulnerabilities by Snyk
-        continue-on-error: true # To make sure that artifact upload gets called
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        run: |
-          yarn global add snyk
-          snyk test --file=./go.mod --json-file-output=snyk.json 2>/dev/null || :
-
-      - name: upload scan result as develop artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: go-security-scan-develop-result
-          path: snyk.json
-
-      - name: develop scan report export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=table --export --export-filename="/data/go-result")
-
-      - name: upload html file as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-go-result-${{github.run_id}}
-          path: go-result.html
-
-      - name: analyse vulnerabilities
-        id: set-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=matrix)
-          echo "go_result=${result}" >> $GITHUB_OUTPUT
-
-  image-vulnerability:
-    name: Image Vulnerability Check
-    runs-on: ubuntu-latest
-    if: >-
-      github.ref == 'refs/heads/develop'
-    outputs:
-      image-trivy: ${{ steps.set-trivy-matrix.outputs.image_trivy_result }}
-      image-docker-scout: ${{ steps.set-docker-scout-matrix.outputs.image_docker_scout_result }}
-    steps:
-      - name: scan vulnerabilities by Trivy
-        uses: docker://docker.io/aquasec/trivy:latest
-        continue-on-error: true
-        with:
-          args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress ${{ env.DOCKER_HUB_REPO }}:${{ env.DOCKER_HUB_IMAGE_TAG }}
-
-      - name: upload Trivy image security scan result as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: image-security-scan-develop-result
-          path: image-trivy.json
-
-      - name: develop Trivy scan report export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=table --export --export-filename="/data/image-trivy-result")
-
-      - name: upload html file as Trivy artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-image-result-${{github.run_id}}
-          path: image-trivy-result.html
-
-      - name: analyse vulnerabilities from Trivy
-        id: set-trivy-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=matrix)
-          echo "image_trivy_result=${result}" >> $GITHUB_OUTPUT
-
-      - name: scan vulnerabilities by Docker Scout
-        uses: docker/scout-action@v1
-        continue-on-error: true
-        with:
-          command: cves
-          image: ${{ env.DOCKER_HUB_REPO }}:${{ env.DOCKER_HUB_IMAGE_TAG }}
-          sarif-file: image-docker-scout.json
-          dockerhub-user: ${{ secrets.DOCKER_HUB_USERNAME }}
-          dockerhub-password: ${{ secrets.DOCKER_HUB_PASSWORD }}
-
-      - name: upload Docker Scout image security scan result as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: image-security-scan-develop-result
-          path: image-docker-scout.json
-
-      - name: develop Docker Scout scan report export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=docker-scout --path="/data/image-docker-scout.json" --output-type=table --export --export-filename="/data/image-docker-scout-result")
-
-      - name: upload html file as Docker Scout artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-image-result-${{github.run_id}}
-          path: image-docker-scout-result.html
-
-      - name: analyse vulnerabilities from Docker Scout
-        id: set-docker-scout-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=docker-scout --path="/data/image-docker-scout.json" --output-type=matrix)
-          echo "image_docker_scout_result=${result}" >> $GITHUB_OUTPUT
-
-  result-analysis:
-    name: Analyse Scan Results
-    needs: [client-dependencies, server-dependencies, image-vulnerability]
-    runs-on: ubuntu-latest
-    if: >-
-      github.ref == 'refs/heads/develop'
-    strategy:
-      matrix:
-        js: ${{fromJson(needs.client-dependencies.outputs.js)}}
-        go: ${{fromJson(needs.server-dependencies.outputs.go)}}
-        image-trivy: ${{fromJson(needs.image-vulnerability.outputs.image-trivy)}}
-        image-docker-scout: ${{fromJson(needs.image-vulnerability.outputs.image-docker-scout)}}
-    steps:
-      - name: display the results of js, Go, and image scan
-        run: |
-          echo "${{ matrix.js.status }}"
-          echo "${{ matrix.go.status }}"
-          echo "${{ matrix.image-trivy.status }}"
-          echo "${{ matrix.image-docker-scout.status }}"
-          echo "${{ matrix.js.summary }}"
-          echo "${{ matrix.go.summary }}"
-          echo "${{ matrix.image-trivy.summary }}"
-          echo "${{ matrix.image-docker-scout.summary }}"
-
-      - name: send message to Slack
-        if: >-
-          matrix.js.status == 'failure' ||
-          matrix.go.status == 'failure' || 
-          matrix.image-trivy.status == 'failure' || 
-          matrix.image-docker-scout.status == 'failure'
-        uses: slackapi/slack-github-action@v1.23.0
-        with:
-          payload: |
-            {
-              "blocks": [
-                {
-                  "type": "section",
-                  "text": {
-                    "type": "mrkdwn",
-                    "text": "Code Scanning Result (*${{ github.repository }}*)\n*<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|GitHub Actions Workflow URL>*"
-                  }
-                }
-              ],
-              "attachments": [
-                {
-                  "color": "#FF0000",
-                  "blocks": [
-                    {
-                      "type": "section",
-                      "text": {
-                        "type": "mrkdwn",
-                        "text": "*JS dependency check*: *${{ matrix.js.status }}*\n${{ matrix.js.summary }}"
-                      }
-                    },
-                    {
-                      "type": "section",
-                      "text": {
-                        "type": "mrkdwn",
-                        "text": "*Go dependency check*: *${{ matrix.go.status }}*\n${{ matrix.go.summary }}"
-                      }
-                    },
-                    {
-                      "type": "section",
-                      "text": {
-                        "type": "mrkdwn",
-                        "text": "*Image Trivy vulnerability check*: *${{ matrix.image-trivy.status }}*\n${{ matrix.image-trivy.summary }}\n"
-                      }
-                    },
-                    {
-                      "type": "section",
-                      "text": {
-                        "type": "mrkdwn",
-                        "text": "*Image Docker Scout vulnerability check*: *${{ matrix.image-docker-scout.status }}*\n${{ matrix.image-docker-scout.summary }}\n"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SECURITY_SLACK_WEBHOOK_URL }}
-          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
--- a/.github/workflows/pr-security.yml
+++ b/.github/workflows/pr-security.yml
@@ -1,298 +0,0 @@
-name: PR Code Security Scan
-
-on:
-  pull_request_review:
-    types:
-      - submitted
-      - edited
-    paths:
-      - 'package.json'
-      - 'go.mod'
-      - 'build/linux/Dockerfile'
-      - 'build/linux/alpine.Dockerfile'
-      - 'build/windows/Dockerfile'
-      - '.github/workflows/pr-security.yml'
-
-env:
-  GO_VERSION: 1.22.5
-  NODE_VERSION: 18.x
-
-jobs:
-  client-dependencies:
-    name: Client Dependency Check
-    runs-on: ubuntu-latest
-    if: >-
-      github.event.pull_request &&
-      github.event.review.body == '/scan' &&
-      github.event.pull_request.draft == false
-    outputs:
-      jsdiff: ${{ steps.set-diff-matrix.outputs.js_diff_result }}
-    steps:
-      - name: checkout repository
-        uses: actions/checkout@master
-
-      - name: scan vulnerabilities by Snyk
-        uses: snyk/actions/node@master
-        continue-on-error: true # To make sure that artifact upload gets called
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        with:
-          json: true
-
-      - name: upload scan result as pull-request artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: js-security-scan-feat-result
-          path: snyk.json
-
-      - name: download artifacts from develop branch built by nightly scan
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          mv ./snyk.json ./js-snyk-feature.json
-          (gh run download -n js-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) || :
-          if [[ -e ./snyk.json ]]; then
-            mv ./snyk.json ./js-snyk-develop.json
-          else
-            echo "null" > ./js-snyk-develop.json
-          fi
-
-      - name: pr vs develop scan report comparison export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/js-snyk-feature.json" --compare-to="/data/js-snyk-develop.json" --output-type=table --export --export-filename="/data/js-result")
-
-      - name: upload html file as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-js-result-compare-to-develop-${{github.run_id}}
-          path: js-result.html
-
-      - name: analyse different vulnerabilities against develop branch
-        id: set-diff-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/js-snyk-feature.json" --compare-to="/data/js-snyk-develop.json" --output-type=matrix)
-          echo "js_diff_result=${result}" >> $GITHUB_OUTPUT
-
-  server-dependencies:
-    name: Server Dependency Check
-    runs-on: ubuntu-latest
-    if: >-
-      github.event.pull_request &&
-      github.event.review.body == '/scan' &&
-      github.event.pull_request.draft == false
-    outputs:
-      godiff: ${{ steps.set-diff-matrix.outputs.go_diff_result }}
-    steps:
-      - name: checkout repository
-        uses: actions/checkout@master
-
-      - name: install Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - name: download Go modules
-        run: cd ./api && go get -t -v -d ./...
-
-      - name: scan vulnerabilities by Snyk
-        continue-on-error: true # To make sure that artifact upload gets called
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        run: |
-          yarn global add snyk
-          snyk test --file=./go.mod --json-file-output=snyk.json 2>/dev/null || :
-
-      - name: upload scan result as pull-request artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: go-security-scan-feature-result
-          path: snyk.json
-
-      - name: download artifacts from develop branch built by nightly scan
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          mv ./snyk.json ./go-snyk-feature.json
-          (gh run download -n go-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) || :
-          if [[ -e ./snyk.json ]]; then
-            mv ./snyk.json ./go-snyk-develop.json
-          else
-            echo "null" > ./go-snyk-develop.json
-          fi
-
-      - name: pr vs develop scan report comparison export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/go-snyk-feature.json" --compare-to="/data/go-snyk-develop.json" --output-type=table --export --export-filename="/data/go-result")
-
-      - name: upload html file as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-go-result-compare-to-develop-${{github.run_id}}
-          path: go-result.html
-
-      - name: analyse different vulnerabilities against develop branch
-        id: set-diff-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/go-snyk-feature.json" --compare-to="/data/go-snyk-develop.json" --output-type=matrix)
-          echo "go_diff_result=${result}" >> $GITHUB_OUTPUT
-
-  image-vulnerability:
-    name: Image Vulnerability Check
-    runs-on: ubuntu-latest
-    if: >-
-      github.event.pull_request &&
-      github.event.review.body == '/scan' &&
-      github.event.pull_request.draft == false
-    outputs:
-      imagediff-trivy: ${{ steps.set-diff-trivy-matrix.outputs.image_diff_trivy_result }}
-      imagediff-docker-scout: ${{ steps.set-diff-docker-scout-matrix.outputs.image_diff_docker_scout_result }}
-    steps:
-      - name: checkout code
-        uses: actions/checkout@master
-
-      - name: install Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - name: install Node.js
-        uses: actions/setup-node@v3
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-
-      - name: Install packages
-        run: yarn --frozen-lockfile
-
-      - name: build
-        run: make build-all
-
-      - name: set up docker buildx
-        uses: docker/setup-buildx-action@v2
-
-      - name: build and compress image
-        uses: docker/build-push-action@v4
-        with:
-          context: .
-          file: build/linux/Dockerfile
-          tags: local-portainer:${{ github.sha }}
-          outputs: type=docker,dest=/tmp/local-portainer-image.tar
-
-      - name: load docker image
-        run: |
-          docker load --input /tmp/local-portainer-image.tar
-
-      - name: scan vulnerabilities by Trivy
-        uses: docker://docker.io/aquasec/trivy:latest
-        continue-on-error: true
-        with:
-          args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress local-portainer:${{ github.sha }}
-
-      - name: upload Trivy image security scan result as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: image-security-scan-feature-result
-          path: image-trivy.json
-
-      - name: download Trivy artifacts from develop branch built by nightly scan
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          mv ./image-trivy.json ./image-trivy-feature.json
-          (gh run download -n image-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) || :
-          if [[ -e ./image-trivy.json ]]; then
-            mv ./image-trivy.json ./image-trivy-develop.json
-          else
-            echo "null" > ./image-trivy-develop.json
-          fi
-
-      - name: pr vs develop Trivy scan report comparison export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=table --export --export-filename="/data/image-trivy-result")
-
-      - name: upload html file as Trivy artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-image-result-compare-to-develop-${{github.run_id}}
-          path: image-trivy-result.html
-
-      - name: analyse different vulnerabilities against develop branch by Trivy
-        id: set-diff-trivy-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=matrix)
-          echo "image_diff_trivy_result=${result}" >> $GITHUB_OUTPUT
-
-      - name: scan vulnerabilities by Docker Scout
-        uses: docker/scout-action@v1
-        continue-on-error: true
-        with:
-          command: cves
-          image: local-portainer:${{ github.sha }}
-          sarif-file: image-docker-scout.json
-          dockerhub-user: ${{ secrets.DOCKER_HUB_USERNAME }}
-          dockerhub-password: ${{ secrets.DOCKER_HUB_PASSWORD }}
-
-      - name: upload Docker Scout image security scan result as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: image-security-scan-feature-result
-          path: image-docker-scout.json
-
-      - name: download Docker Scout artifacts from develop branch built by nightly scan
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          mv ./image-docker-scout.json ./image-docker-scout-feature.json
-          (gh run download -n image-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) || :
-          if [[ -e ./image-docker-scout.json ]]; then
-            mv ./image-docker-scout.json ./image-docker-scout-develop.json
-          else
-            echo "null" > ./image-docker-scout-develop.json
-          fi
-
-      - name: pr vs develop Docker Scout scan report comparison export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=docker-scout --path="/data/image-docker-scout-feature.json" --compare-to="/data/image-docker-scout-develop.json" --output-type=table --export --export-filename="/data/image-docker-scout-result")
-
-      - name: upload html file as Docker Scout artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-image-result-compare-to-develop-${{github.run_id}}
-          path: image-docker-scout-result.html
-
-      - name: analyse different vulnerabilities against develop branch by Docker Scout
-        id: set-diff-docker-scout-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=docker-scout --path="/data/image-docker-scout-feature.json" --compare-to="/data/image-docker-scout-develop.json" --output-type=matrix)
-          echo "image_diff_docker_scout_result=${result}" >> $GITHUB_OUTPUT
-
-  result-analysis:
-    name: Analyse Scan Result Against develop Branch
-    needs: [client-dependencies, server-dependencies, image-vulnerability]
-    runs-on: ubuntu-latest
-    if: >-
-      github.event.pull_request &&
-      github.event.review.body == '/scan' &&
-      github.event.pull_request.draft == false
-    strategy:
-      matrix:
-        jsdiff: ${{fromJson(needs.client-dependencies.outputs.jsdiff)}}
-        godiff: ${{fromJson(needs.server-dependencies.outputs.godiff)}}
-        imagediff-trivy: ${{fromJson(needs.image-vulnerability.outputs.imagediff-trivy)}}
-        imagediff-docker-scout: ${{fromJson(needs.image-vulnerability.outputs.imagediff-docker-scout)}}
-    steps:
-      - name: check job status of diff result
-        if: >-
-          matrix.jsdiff.status == 'failure' ||
-          matrix.godiff.status == 'failure' ||
-          matrix.imagediff-trivy.status == 'failure' ||
-          matrix.imagediff-docker-scout.status == 'failure'
-        run: |
-          echo "${{ matrix.jsdiff.status }}"
-          echo "${{ matrix.godiff.status }}"
-          echo "${{ matrix.imagediff-trivy.status }}"
-          echo "${{ matrix.imagediff-docker-scout.status }}"
-          echo "${{ matrix.jsdiff.summary }}"
-          echo "${{ matrix.godiff.summary }}"
-          echo "${{ matrix.imagediff-trivy.summary }}"
-          echo "${{ matrix.imagediff-docker-scout.summary }}"
-          exit 1
--- a/.github/workflows/rebase.yml
+++ b/.github/workflows/rebase.yml
@@ -1,19 +0,0 @@
-name: Automatic Rebase
-on:
-  issue_comment:
-    types: [created]
-jobs:
-  rebase:
-    name: Rebase
-    if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase')
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout the latest code
-        uses: actions/checkout@v2
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          fetch-depth: 0 # otherwise, you will fail to push refs to dest repo
-      - name: Automatic Rebase
-        uses: cirrus-actions/rebase@1.4
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,28 +0,0 @@
-name: Close Stale Issues
-on:
-  schedule:
-    - cron: '0 12 * * *'
-  workflow_dispatch:
-jobs:
-  stale:
-    runs-on: ubuntu-latest
-    permissions:
-      issues: write
-
-    steps:
-    - uses: actions/stale@v8
-      with:
-        repo-token: ${{ secrets.GITHUB_TOKEN }}
-
-        # Issue Config
-        days-before-issue-stale: 60
-        days-before-issue-close: 7
-        stale-issue-label: 'status/stale'
-        exempt-all-issue-milestones: true # Do not stale issues in a milestone
-        exempt-issue-labels: kind/enhancement, kind/style, kind/workaround, kind/refactor, bug/need-confirmation, bug/confirmed, status/discuss
-        stale-issue-message: 'This issue has been marked as stale as it has not had recent activity, it will be closed if no further activity occurs in the next 7 days. If you believe that it has been incorrectly labelled as stale, leave a comment and the label will be removed.'
-        close-issue-message: 'Since no further activity has appeared on this issue it will be closed. If you believe that it has been incorrectly closed, leave a comment mentioning `portainer/support` and one of our staff will then review the issue. Note - If it is an old bug report, make sure that it is reproduceable in the latest version of Portainer as it may have already been fixed.'
-        
-        # Pull Request Config
-        days-before-pr-stale: -1 # Do not stale pull request
-        days-before-pr-close: -1 # Do not close pull request
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -1,76 +0,0 @@
-name: Test
-
-env:
-  GO_VERSION: 1.22.5
-  NODE_VERSION: 18.x
-
-on:
-  workflow_dispatch:
-  pull_request:
-    branches:
-      - master
-      - develop
-      - release/*
-    types:
-      - opened
-      - reopened
-      - synchronize
-      - ready_for_review
-  push:
-    branches:
-      - master
-      - develop
-      - release/*
-
-jobs:
-  test-client:
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
-
-    steps:
-      - name: 'checkout the current branch'
-        uses: actions/checkout@v4.1.1
-        with:
-          ref: ${{ github.event.inputs.branch }}
-
-      - name: 'set up node.js'
-        uses: actions/setup-node@v4.0.1
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: 'yarn'
-
-      - run: yarn --frozen-lockfile
-
-      - name: Run tests
-        run: make test-client ARGS="--maxWorkers=2 --minWorkers=1"
-
-  test-server:
-    strategy:
-      matrix:
-        config:
-          - { platform: linux, arch: amd64 }
-          - { platform: linux, arch: arm64 }
-          - { platform: windows, arch: amd64, version: 1809 }
-          - { platform: windows, arch: amd64, version: ltsc2022 }
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
-
-    steps:
-      - name: 'checkout the current branch'
-        uses: actions/checkout@v4.1.1
-        with:
-          ref: ${{ github.event.inputs.branch }}
-
-      - name: 'set up golang'
-        uses: actions/setup-go@v5.0.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - name: 'install dependencies'
-        run: make test-deps PLATFORM=linux ARCH=amd64
-
-      - name: 'update $PATH'
-        run: echo "$(pwd)/dist" >> $GITHUB_PATH
-
-      - name: 'run tests'
-        run: make test-server
--- a/.github/workflows/validate-openapi-spec.yaml
+++ b/.github/workflows/validate-openapi-spec.yaml
@@ -1,39 +0,0 @@
-name: Validate OpenAPI specs
-
-on:
-  pull_request:
-    branches:
-      - master
-      - develop
-      - 'release/*'
-    types:
-      - opened
-      - reopened
-      - synchronize
-      - ready_for_review
-
-env:
-  GO_VERSION: 1.22.5
-  NODE_VERSION: 18.x
-
-jobs:
-  openapi-spec:
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
-    steps:
-      - uses: actions/checkout@v3
-
-      - uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - name: Download golang modules
-        run: cd ./api && go get -t -v -d ./...
-      - uses: actions/setup-node@v3
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: 'yarn'
-      - run: yarn --frozen-lockfile
-
-      - name: Validate OpenAPI Spec
-        run: make docs-validate
--- a/.godir
+++ b/.godir
@@ -1 +0,0 @@
-portainer
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -9,6 +9,10 @@ linters:
    - gosimple
    - govet
    - errorlint
+    - copyloopvar
+    - intrange
+    - perfsprint
+    - ineffassign

 linters-settings:
  depguard:
@@ -17,8 +21,6 @@ linters-settings:
        deny:
          - pkg: 'encoding/json'
            desc: 'use github.com/segmentio/encoding/json'
-          - pkg: 'github.com/sirupsen/logrus'
-            desc: 'logging is allowed only by github.com/rs/zerolog'
          - pkg: 'golang.org/x/exp'
            desc: 'exp is not allowed'
          - pkg: 'github.com/portainer/libcrypto'
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -1,4 +1,4 @@
 #!/usr/bin/env sh
 . "$(dirname -- "$0")/_/husky.sh"

-yarn lint-staged
+cd $(dirname -- "$0") && yarn lint-staged
--- a/.vscode.example/launch.json
+++ b/.vscode.example/launch.json
@@ -1,19 +0,0 @@
-{
-  // Use IntelliSense to learn about possible attributes.
-  // Hover to view descriptions of existing attributes.
-  // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
-  "version": "0.2.0",
-  "configurations": [
-    {
-      "name": "Launch",
-      "type": "go",
-      "request": "launch",
-      "mode": "debug",
-      "program": "${workspaceRoot}/api/cmd/portainer",
-      "cwd": "${workspaceRoot}",
-      "env": {},
-      "showLog": true,
-      "args": ["--data", "${env:HOME}/portainer-data", "--assets", "${workspaceRoot}/dist"]
-    }
-  ]
-}
--- a/.vscode.example/portainer.code-snippets
+++ b/.vscode.example/portainer.code-snippets
@@ -1,191 +0,0 @@
-{
-  // Place your portainer workspace snippets here. Each snippet is defined under a snippet name and has a scope, prefix, body and
-  // description. Add comma separated ids of the languages where the snippet is applicable in the scope field. If scope
-  // is left empty or omitted, the snippet gets applied to all languages. The prefix is what is
-  // used to trigger the snippet and the body will be expanded and inserted. Possible variables are:
-  // $1, $2 for tab stops, $0 for the final cursor position, and ${1:label}, ${2:another} for placeholders.
-  // Placeholders with the same ids are connected.
-  // Example:
-  // "Print to console": {
-  // 	"scope": "javascript,typescript",
-  // 	"prefix": "log",
-  // 	"body": [
-  // 		"console.log('$1');",
-  // 		"$2"
-  // 	],
-  // 	"description": "Log output to console"
-  // }
-  "React Named Export Component": {
-    "prefix": "rnec",
-    "body": [
-      "export function $TM_FILENAME_BASE() {",
-      "  return <div>$TM_FILENAME_BASE</div>;",
-      "}"
-    ],
-    "description": "React Named Export Component"
-  },
-  "Component": {
-    "scope": "javascript",
-    "prefix": "mycomponent",
-    "description": "Dummy Angularjs Component",
-    "body": [
-      "import angular from 'angular';",
-      "import controller from './${TM_FILENAME_BASE}Controller'",
-      "",
-      "angular.module('portainer.${TM_DIRECTORY/.*\\/app\\/([^\\/]*)(\\/.*)?$/$1/}').component('$TM_FILENAME_BASE', {",
-      "  templateUrl: './$TM_FILENAME_BASE.html',",
-      "  controller,",
-      "});",
-      ""
-    ]
-  },
-  "Controller": {
-    "scope": "javascript",
-    "prefix": "mycontroller",
-    "body": [
-      "class ${TM_FILENAME_BASE/(.*)/${1:/capitalize}/} {",
-      "\t/* @ngInject */",
-      "\tconstructor($0) {",
-      "\t}",
-      "}",
-      "",
-      "export default ${TM_FILENAME_BASE/(.*)/${1:/capitalize}/};"
-    ],
-    "description": "Dummy ES6+ controller"
-  },
-  "Service": {
-    "scope": "javascript",
-    "prefix": "myservice",
-    "description": "Dummy ES6+ service",
-    "body": [
-      "import angular from 'angular';",
-      "import PortainerError from 'Portainer/error';",
-      "",
-      "class $1 {",
-      "  /* @ngInject */",
-      "  constructor(\\$async, $0) {",
-      "    this.\\$async = \\$async;",
-      "",
-      "    this.getAsync = this.getAsync.bind(this);",
-      "    this.getAllAsync = this.getAllAsync.bind(this);",
-      "    this.createAsync = this.createAsync.bind(this);",
-      "    this.updateAsync = this.updateAsync.bind(this);",
-      "    this.deleteAsync = this.deleteAsync.bind(this);",
-      "  }",
-      "",
-      "  /**",
-      "   * GET",
-      "   */",
-      "  async getAsync() {",
-      "    try {",
-      "",
-      "    } catch (err) {",
-      "      throw new PortainerError('', err);",
-      "    }",
-      "  }",
-      "",
-      "  async getAllAsync() {",
-      "    try {",
-      "",
-      "    } catch (err) {",
-      "      throw new PortainerError('', err);",
-      "    }",
-      "  }",
-      "",
-      "  get() {",
-      "    if () {",
-      "      return this.\\$async(this.getAsync);",
-      "    }",
-      "    return this.\\$async(this.getAllAsync);",
-      "  }",
-      "",
-      "  /**",
-      "   * CREATE",
-      "   */",
-      "  async createAsync() {",
-      "    try {",
-      "",
-      "    } catch (err) {",
-      "      throw new PortainerError('', err);",
-      "    }",
-      "  }",
-      "",
-      "  create() {",
-      "    return this.\\$async(this.createAsync);",
-      "  }",
-      "",
-      "  /**",
-      "   * UPDATE",
-      "   */",
-      "  async updateAsync() {",
-      "    try {",
-      "",
-      "    } catch (err) {",
-      "      throw new PortainerError('', err);",
-      "    }",
-      "  }",
-      "",
-      "  update() {",
-      "    return this.\\$async(this.updateAsync);",
-      "  }",
-      "",
-      "  /**",
-      "   * DELETE",
-      "   */",
-      "  async deleteAsync() {",
-      "    try {",
-      "",
-      "    } catch (err) {",
-      "      throw new PortainerError('', err);",
-      "    }",
-      "  }",
-      "",
-      "  delete() {",
-      "    return this.\\$async(this.deleteAsync);",
-      "  }",
-      "}",
-      "",
-      "export default $1;",
-      "angular.module('portainer.${TM_DIRECTORY/.*\\/app\\/([^\\/]*)(\\/.*)?$/$1/}').service('$1', $1);"
-    ]
-  },
-  "swagger-api-doc": {
-    "prefix": "swapi",
-    "scope": "go",
-    "description": "Snippet for a api doc",
-    "body": [
-      "// @id ",
-      "// @summary ",
-      "// @description ",
-      "// @description **Access policy**: ",
-      "// @tags ",
-      "// @security ApiKeyAuth",
-      "// @security jwt",
-      "// @accept json",
-      "// @produce json",
-      "// @param id path int true \"identifier\"",
-      "// @param body body Object true \"details\"",
-      "// @success 200 {object} portainer. \"Success\"",
-      "// @success 204 \"Success\"",
-      "// @failure 400 \"Invalid request\"",
-      "// @failure 403 \"Permission denied\"",
-      "// @failure 404 \" not found\"",
-      "// @failure 500 \"Server error\"",
-      "// @router /{id} [get]"
-    ]
-  },
-  "analytics": {
-    "prefix": "nlt",
-    "body": ["analytics-on", "analytics-category=\"$1\"", "analytics-event=\"$2\""],
-    "description": "analytics"
-  },
-  "analytics-if": {
-    "prefix": "nltf",
-    "body": ["analytics-if=\"$1\""],
-    "description": "analytics"
-  },
-  "analytics-metadata": {
-    "prefix": "nltm",
-    "body": "analytics-properties=\"{ metadata: { $1 } }\""
-  }
-}
--- a/.vscode.example/settings.json
+++ b/.vscode.example/settings.json
@@ -1,8 +0,0 @@
-{
-  "go.lintTool": "golangci-lint",
-  "go.lintFlags": ["--fast", "-E", "exportloopref"],
-  "gopls": {
-    "build.expandWorkspaceToModule": false
-  },
-  "gitlens.advanced.blame.customArguments": ["--ignore-revs-file", ".git-blame-ignore-revs"]
-}
--- a/23
+++ b/23
@@ -9,7 +9,7 @@ ENV=development
 WEBPACK_CONFIG=webpack/webpack.$(ENV).js
 TAG=local

-SWAG=go run github.com/swaggo/swag/cmd/swag@v1.16.2 
+SWAG=go run github.com/swaggo/swag/cmd/swag@v1.16.2
 GOTESTSUM=go run gotest.tools/gotestsum@latest

 # Don't change anything below this line unless you know what you're doing
@@ -17,11 +17,13 @@ GOTESTSUM=go run gotest.tools/gotestsum@latest


 ##@ Building
-.PHONY: init-dist build-storybook build build-client build-server build-image devops
+.PHONY: all init-dist build-storybook build build-client build-server build-image devops
 init-dist:
 	@mkdir -p dist

-build-all: deps build-server build-client ## Build the client, server and download external dependancies (doesn't build an image)
+all: tidy deps build-server build-client ## Build the client, server and download external dependancies (doesn't build an image)
+
+build-all: all ## Alias for the 'all' target (used by CI)

 build-client: init-dist ## Build the client
 	export NODE_ENV=$(ENV) && yarn build --config $(WEBPACK_CONFIG)
@@ -50,7 +52,7 @@ client-deps: ## Install client dependencies
 	yarn

 tidy: ## Tidy up the go.mod file
-	cd api && go mod tidy
+	@go mod tidy


 ##@ Cleanup
@@ -64,22 +66,19 @@ clean: ## Remove all build and download artifacts
 .PHONY: test test-client test-server
 test: test-server test-client ## Run all tests

-test-deps: init-dist
-	./build/download_docker_compose_binary.sh $(PLATFORM) $(ARCH) $(shell jq -r '.dockerCompose' < "./binary-version.json")
-
 test-client: ## Run client tests
-	yarn test $(ARGS)
+	yarn test $(ARGS) --coverage

 test-server:	## Run server tests
-	$(GOTESTSUM) --format pkgname-and-test-fails --format-hide-empty-pkg --hide-summary skipped -- -cover  ./...
+	$(GOTESTSUM) --format pkgname-and-test-fails --format-hide-empty-pkg --hide-summary skipped -- -cover -covermode=atomic -coverprofile=coverage.out ./...

 ##@ Dev
 .PHONY: dev dev-client dev-server
-dev: ## Run both the client and server in development mode	
+dev: ## Run both the client and server in development mode
 	make dev-server
 	make dev-client

-dev-client: ## Run the client in development mode 
+dev-client: ## Run the client in development mode
 	yarn dev

 dev-server: build-server ## Run the server in development mode
@@ -119,7 +118,7 @@ dev-extension: build-server build-client ## Run the extension in development mod
 ##@ Docs
 .PHONY: docs-build docs-validate docs-clean docs-validate-clean
 docs-build: init-dist ## Build docs
-	cd api && $(SWAG) init -o "../dist/docs" -ot "yaml" -g ./http/handler/handler.go --parseDependency --parseInternal --parseDepth 2 -p pascalcase --markdownFiles ./ 
+	cd api && $(SWAG) init -o "../dist/docs" -ot "yaml" -g ./http/handler/handler.go --parseDependency --parseInternal --parseDepth 2 -p pascalcase --markdownFiles ./

 docs-validate: docs-build ## Validate docs
 	yarn swagger2openapi --warnOnly dist/docs/swagger.yaml -o dist/docs/openapi.yaml
--- a/api/archive/targz.go
+++ b/api/archive/targz.go
@@ -15,7 +15,7 @@ import (
 // abosolutePath should be an absolute path to a directory.
 // Archive name will be <directoryName>.tar.gz and will be placed next to the directory.
 func TarGzDir(absolutePath string) (string, error) {
-	targzPath := filepath.Join(absolutePath, fmt.Sprintf("%s.tar.gz", filepath.Base(absolutePath)))
+	targzPath := filepath.Join(absolutePath, filepath.Base(absolutePath)+".tar.gz")
 	outFile, err := os.Create(targzPath)
 	if err != nil {
 		return "", err
--- a/api/archive/targz_test.go
+++ b/api/archive/targz_test.go
@@ -1,7 +1,6 @@
 package archive

 import (
-	"fmt"
 	"os"
 	"os/exec"
 	"path"
@@ -24,7 +23,7 @@ func listFiles(dir string) []string {
 	return items
 }

-func Test_shouldCreateArhive(t *testing.T) {
+func Test_shouldCreateArchive(t *testing.T) {
 	tmpdir := t.TempDir()
 	content := []byte("content")
 	os.WriteFile(path.Join(tmpdir, "outer"), content, 0600)
@@ -34,12 +33,11 @@ func Test_shouldCreateArhive(t *testing.T) {

 	gzPath, err := TarGzDir(tmpdir)
 	assert.Nil(t, err)
-	assert.Equal(t, filepath.Join(tmpdir, fmt.Sprintf("%s.tar.gz", filepath.Base(tmpdir))), gzPath)
+	assert.Equal(t, filepath.Join(tmpdir, filepath.Base(tmpdir)+".tar.gz"), gzPath)

 	extractionDir := t.TempDir()
 	cmd := exec.Command("tar", "-xzf", gzPath, "-C", extractionDir)
-	err = cmd.Run()
-	if err != nil {
+	if err := cmd.Run(); err != nil {
 		t.Fatal("Failed to extract archive: ", err)
 	}
 	extractedFiles := listFiles(extractionDir)
@@ -56,7 +54,7 @@ func Test_shouldCreateArhive(t *testing.T) {
 	wasExtracted("dir/.dotfile")
 }

-func Test_shouldCreateArhiveXXXXX(t *testing.T) {
+func Test_shouldCreateArchive2(t *testing.T) {
 	tmpdir := t.TempDir()
 	content := []byte("content")
 	os.WriteFile(path.Join(tmpdir, "outer"), content, 0600)
@@ -66,12 +64,11 @@ func Test_shouldCreateArhiveXXXXX(t *testing.T) {

 	gzPath, err := TarGzDir(tmpdir)
 	assert.Nil(t, err)
-	assert.Equal(t, filepath.Join(tmpdir, fmt.Sprintf("%s.tar.gz", filepath.Base(tmpdir))), gzPath)
+	assert.Equal(t, filepath.Join(tmpdir, filepath.Base(tmpdir)+".tar.gz"), gzPath)

 	extractionDir := t.TempDir()
 	r, _ := os.Open(gzPath)
-	ExtractTarGz(r, extractionDir)
-	if err != nil {
+	if err := ExtractTarGz(r, extractionDir); err != nil {
 		t.Fatal("Failed to extract archive: ", err)
 	}
 	extractedFiles := listFiles(extractionDir)
--- a/api/archive/zip.go
+++ b/api/archive/zip.go
@@ -2,7 +2,6 @@ package archive

 import (
 	"archive/zip"
-	"bytes"
 	"fmt"
 	"io"
 	"os"
@@ -12,50 +11,6 @@ import (
 	"github.com/pkg/errors"
 )

-// UnzipArchive will unzip an archive from bytes into the dest destination folder on disk
-func UnzipArchive(archiveData []byte, dest string) error {
-	zipReader, err := zip.NewReader(bytes.NewReader(archiveData), int64(len(archiveData)))
-	if err != nil {
-		return err
-	}
-
-	for _, zipFile := range zipReader.File {
-		err := extractFileFromArchive(zipFile, dest)
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func extractFileFromArchive(file *zip.File, dest string) error {
-	f, err := file.Open()
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-
-	data, err := io.ReadAll(f)
-	if err != nil {
-		return err
-	}
-
-	fpath := filepath.Join(dest, file.Name)
-
-	outFile, err := os.OpenFile(fpath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, file.Mode())
-	if err != nil {
-		return err
-	}
-
-	_, err = io.Copy(outFile, bytes.NewReader(data))
-	if err != nil {
-		return err
-	}
-
-	return outFile.Close()
-}
-
 // UnzipFile will decompress a zip archive, moving all files and folders
 // within the zip file (parameter 1) to an output directory (parameter 2).
 func UnzipFile(src string, dest string) error {
@@ -76,11 +31,11 @@ func UnzipFile(src string, dest string) error {
 		if f.FileInfo().IsDir() {
 			// Make Folder
 			os.MkdirAll(p, os.ModePerm)
+
 			continue
 		}

-		err = unzipFile(f, p)
-		if err != nil {
+		if err := unzipFile(f, p); err != nil {
 			return err
 		}
 	}
@@ -93,20 +48,20 @@ func unzipFile(f *zip.File, p string) error {
 	if err := os.MkdirAll(filepath.Dir(p), os.ModePerm); err != nil {
 		return errors.Wrapf(err, "unzipFile: can't make a path %s", p)
 	}
+
 	outFile, err := os.OpenFile(p, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode())
 	if err != nil {
 		return errors.Wrapf(err, "unzipFile: can't create file %s", p)
 	}
 	defer outFile.Close()
+
 	rc, err := f.Open()
 	if err != nil {
 		return errors.Wrapf(err, "unzipFile: can't open zip file %s in the archive", f.Name)
 	}
 	defer rc.Close()

-	_, err = io.Copy(outFile, rc)
-
-	if err != nil {
+	if _, err = io.Copy(outFile, rc); err != nil {
 		return errors.Wrapf(err, "unzipFile: can't copy an archived file content")
 	}

--- a/api/aws/ecr/authorization_token.go
+++ b/api/aws/ecr/authorization_token.go
@@ -3,7 +3,7 @@ package ecr
 import (
 	"context"
 	"encoding/base64"
-	"fmt"
+	"errors"
 	"strings"
 	"time"
 )
@@ -15,7 +15,7 @@ func (s *Service) GetEncodedAuthorizationToken() (token *string, expiry *time.Ti
 	}

 	if len(getAuthorizationTokenOutput.AuthorizationData) == 0 {
-		err = fmt.Errorf("AuthorizationData is empty")
+		err = errors.New("AuthorizationData is empty")
 		return
 	}

@@ -50,7 +50,7 @@ func (s *Service) ParseAuthorizationToken(token string) (username string, passwo

 	splitToken := strings.Split(token, ":")
 	if len(splitToken) < 2 {
-		err = fmt.Errorf("invalid ECR authorization token")
+		err = errors.New("invalid ECR authorization token")
 		return
 	}

--- a/api/backup/backup.go
+++ b/api/backup/backup.go
@@ -21,6 +21,7 @@ const rwxr__r__ os.FileMode = 0o744

 var filesToBackup = []string{
 	"certs",
+	"chisel",
 	"compose",
 	"config.json",
 	"custom_templates",
@@ -30,40 +31,13 @@ var filesToBackup = []string{
 	"portainer.key",
 	"portainer.pub",
 	"tls",
-	"chisel",
 }

 // Creates a tar.gz system archive and encrypts it if password is not empty. Returns a path to the archive file.
 func CreateBackupArchive(password string, gate *offlinegate.OfflineGate, datastore dataservices.DataStore, filestorePath string) (string, error) {
-	unlock := gate.Lock()
-	defer unlock()
-
-	backupDirPath := filepath.Join(filestorePath, "backup", time.Now().Format("2006-01-02_15-04-05"))
-	if err := os.MkdirAll(backupDirPath, rwxr__r__); err != nil {
-		return "", errors.Wrap(err, "Failed to create backup dir")
-	}
-
-	{
-		// new export
-		exportFilename := path.Join(backupDirPath, fmt.Sprintf("export-%d.json", time.Now().Unix()))
-
-		err := datastore.Export(exportFilename)
-		if err != nil {
-			log.Error().Err(err).Str("filename", exportFilename).Msg("failed to export")
-		} else {
-			log.Debug().Str("filename", exportFilename).Msg("file exported")
-		}
-	}
-
-	if err := backupDb(backupDirPath, datastore); err != nil {
-		return "", errors.Wrap(err, "Failed to backup database")
-	}
-
-	for _, filename := range filesToBackup {
-		err := filesystem.CopyPath(filepath.Join(filestorePath, filename), backupDirPath)
-		if err != nil {
-			return "", errors.Wrap(err, "Failed to create backup file")
-		}
+	backupDirPath, err := backupDatabaseAndFilesystem(gate, datastore, filestorePath)
+	if err != nil {
+		return "", err
 	}

 	archivePath, err := archive.TarGzDir(backupDirPath)
@@ -81,6 +55,37 @@ func CreateBackupArchive(password string, gate *offlinegate.OfflineGate, datasto
 	return archivePath, nil
 }

+func backupDatabaseAndFilesystem(gate *offlinegate.OfflineGate, datastore dataservices.DataStore, filestorePath string) (string, error) {
+	unlock := gate.Lock()
+	defer unlock()
+
+	backupDirPath := filepath.Join(filestorePath, "backup", time.Now().Format("2006-01-02_15-04-05"))
+	if err := os.MkdirAll(backupDirPath, rwxr__r__); err != nil {
+		return "", errors.Wrap(err, "Failed to create backup dir")
+	}
+
+	// new export
+	exportFilename := path.Join(backupDirPath, fmt.Sprintf("export-%d.json", time.Now().Unix()))
+
+	if err := datastore.Export(exportFilename); err != nil {
+		log.Error().Err(err).Str("filename", exportFilename).Msg("failed to export")
+	} else {
+		log.Debug().Str("filename", exportFilename).Msg("file exported")
+	}
+
+	if err := backupDb(backupDirPath, datastore); err != nil {
+		return "", errors.Wrap(err, "Failed to backup database")
+	}
+
+	for _, filename := range filesToBackup {
+		if err := filesystem.CopyPath(filepath.Join(filestorePath, filename), backupDirPath); err != nil {
+			return "", errors.Wrap(err, "Failed to create backup file")
+		}
+	}
+
+	return backupDirPath, nil
+}
+
 func backupDb(backupDirPath string, datastore dataservices.DataStore) error {
 	dbFileName := datastore.Connection().GetDatabaseFileName()
 	_, err := datastore.Backup(filepath.Join(backupDirPath, dbFileName))
@@ -94,7 +99,7 @@ func encrypt(path string, passphrase string) (string, error) {
 	}
 	defer in.Close()

-	outFileName := fmt.Sprintf("%s.encrypted", path)
+	outFileName := path + ".encrypted"
 	out, err := os.Create(outFileName)
 	if err != nil {
 		return "", err
--- a/api/build/variables.go
+++ b/api/build/variables.go
@@ -1,12 +0,0 @@
-package build
-
-import "runtime"
-
-// Variables to be set during the build time
-var BuildNumber string
-var ImageTag string
-var NodejsVersion string
-var YarnVersion string
-var WebpackVersion string
-var GoVersion string = runtime.Version()
-var GitCommit string
--- a/api/chisel/schedules.go
+++ b/api/chisel/schedules.go
@@ -1,82 +0,0 @@
-package chisel
-
-import (
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/internal/edge/cache"
-)
-
-// EdgeJobs retrieves the edge jobs for the given environment
-func (service *Service) EdgeJobs(endpointID portainer.EndpointID) []portainer.EdgeJob {
-	service.mu.RLock()
-	defer service.mu.RUnlock()
-
-	return append(
-		make([]portainer.EdgeJob, 0, len(service.edgeJobs[endpointID])),
-		service.edgeJobs[endpointID]...,
-	)
-}
-
-// AddEdgeJob register an EdgeJob inside the tunnel details associated to an environment(endpoint).
-func (service *Service) AddEdgeJob(endpoint *portainer.Endpoint, edgeJob *portainer.EdgeJob) {
-	if endpoint.Edge.AsyncMode {
-		return
-	}
-
-	service.mu.Lock()
-	defer service.mu.Unlock()
-
-	existingJobIndex := -1
-	for idx, existingJob := range service.edgeJobs[endpoint.ID] {
-		if existingJob.ID == edgeJob.ID {
-			existingJobIndex = idx
-
-			break
-		}
-	}
-
-	if existingJobIndex == -1 {
-		service.edgeJobs[endpoint.ID] = append(service.edgeJobs[endpoint.ID], *edgeJob)
-	} else {
-		service.edgeJobs[endpoint.ID][existingJobIndex] = *edgeJob
-	}
-
-	cache.Del(endpoint.ID)
-}
-
-// RemoveEdgeJob will remove the specified Edge job from each tunnel it was registered with.
-func (service *Service) RemoveEdgeJob(edgeJobID portainer.EdgeJobID) {
-	service.mu.Lock()
-
-	for endpointID := range service.edgeJobs {
-		n := 0
-		for _, edgeJob := range service.edgeJobs[endpointID] {
-			if edgeJob.ID != edgeJobID {
-				service.edgeJobs[endpointID][n] = edgeJob
-				n++
-			}
-		}
-
-		service.edgeJobs[endpointID] = service.edgeJobs[endpointID][:n]
-
-		cache.Del(endpointID)
-	}
-
-	service.mu.Unlock()
-}
-
-func (service *Service) RemoveEdgeJobFromEndpoint(endpointID portainer.EndpointID, edgeJobID portainer.EdgeJobID) {
-	service.mu.Lock()
-	defer service.mu.Unlock()
-
-	n := 0
-	for _, edgeJob := range service.edgeJobs[endpointID] {
-		if edgeJob.ID != edgeJobID {
-			service.edgeJobs[endpointID][n] = edgeJob
-			n++
-		}
-	}
-
-	service.edgeJobs[endpointID] = service.edgeJobs[endpointID][:n]
-
-	cache.Del(endpointID)
-}
--- a/api/cli/cli.go
+++ b/api/cli/cli.go
@@ -59,6 +59,10 @@ func CLIFlags() *portainer.CLIFlags {
 		SecretKeyName:             kingpin.Flag("secret-key-name", "Secret key name for encryption and will be used as /run/secrets/<secret-key-name>.").Default(defaultSecretKeyName).String(),
 		LogLevel:                  kingpin.Flag("log-level", "Set the minimum logging level to show").Default("INFO").Enum("DEBUG", "INFO", "WARN", "ERROR"),
 		LogMode:                   kingpin.Flag("log-mode", "Set the logging output mode").Default("PRETTY").Enum("NOCOLOR", "PRETTY", "JSON"),
+		KubectlShellImage:         kingpin.Flag("kubectl-shell-image", "Kubectl shell image").Envar(portainer.KubectlShellImageEnvVar).Default(portainer.DefaultKubectlShellImage).String(),
+		PullLimitCheckDisabled:    kingpin.Flag("pull-limit-check-disabled", "Pull limit check").Envar(portainer.PullLimitCheckDisabledEnvVar).Default(defaultPullLimitCheckDisabled).Bool(),
+		TrustedOrigins:            kingpin.Flag("trusted-origins", "List of trusted origins for CSRF protection. Separate multiple origins with a comma.").Envar(portainer.TrustedOriginsEnvVar).String(),
+		CSP:                       kingpin.Flag("csp", "Content Security Policy (CSP) header").Envar(portainer.CSPEnvVar).Default("true").Bool(),
 	}
 }

--- a/api/cli/confirm.go
+++ b/api/cli/confirm.go
@@ -19,7 +19,5 @@ func Confirm(message string) (bool, error) {
 	}

 	answer = strings.ReplaceAll(answer, "\n", "")
-	answer = strings.ToLower(answer)
-
-	return answer == "y" || answer == "yes", nil
+	return strings.EqualFold(answer, "y") || strings.EqualFold(answer, "yes"), nil
 }
--- a/api/cli/defaults.go
+++ b/api/cli/defaults.go
@@ -4,20 +4,21 @@
 package cli

 const (
-	defaultBindAddress         = ":9000"
-	defaultHTTPSBindAddress    = ":9443"
-	defaultTunnelServerAddress = "0.0.0.0"
-	defaultTunnelServerPort    = "8000"
-	defaultDataDirectory       = "/data"
-	defaultAssetsDirectory     = "./"
-	defaultTLS                 = "false"
-	defaultTLSSkipVerify       = "false"
-	defaultTLSCACertPath       = "/certs/ca.pem"
-	defaultTLSCertPath         = "/certs/cert.pem"
-	defaultTLSKeyPath          = "/certs/key.pem"
-	defaultHTTPDisabled        = "false"
-	defaultHTTPEnabled         = "false"
-	defaultSSL                 = "false"
-	defaultBaseURL             = "/"
-	defaultSecretKeyName       = "portainer"
+	defaultBindAddress            = ":9000"
+	defaultHTTPSBindAddress       = ":9443"
+	defaultTunnelServerAddress    = "0.0.0.0"
+	defaultTunnelServerPort       = "8000"
+	defaultDataDirectory          = "/data"
+	defaultAssetsDirectory        = "./"
+	defaultTLS                    = "false"
+	defaultTLSSkipVerify          = "false"
+	defaultTLSCACertPath          = "/certs/ca.pem"
+	defaultTLSCertPath            = "/certs/cert.pem"
+	defaultTLSKeyPath             = "/certs/key.pem"
+	defaultHTTPDisabled           = "false"
+	defaultHTTPEnabled            = "false"
+	defaultSSL                    = "false"
+	defaultBaseURL                = "/"
+	defaultSecretKeyName          = "portainer"
+	defaultPullLimitCheckDisabled = "false"
 )
--- a/api/cli/defaults_windows.go
+++ b/api/cli/defaults_windows.go
@@ -1,21 +1,22 @@
 package cli

 const (
-	defaultBindAddress         = ":9000"
-	defaultHTTPSBindAddress    = ":9443"
-	defaultTunnelServerAddress = "0.0.0.0"
-	defaultTunnelServerPort    = "8000"
-	defaultDataDirectory       = "C:\\data"
-	defaultAssetsDirectory     = "./"
-	defaultTLS                 = "false"
-	defaultTLSSkipVerify       = "false"
-	defaultTLSCACertPath       = "C:\\certs\\ca.pem"
-	defaultTLSCertPath         = "C:\\certs\\cert.pem"
-	defaultTLSKeyPath          = "C:\\certs\\key.pem"
-	defaultHTTPDisabled        = "false"
-	defaultHTTPEnabled         = "false"
-	defaultSSL                 = "false"
-	defaultSnapshotInterval    = "5m"
-	defaultBaseURL             = "/"
-	defaultSecretKeyName       = "portainer"
+	defaultBindAddress            = ":9000"
+	defaultHTTPSBindAddress       = ":9443"
+	defaultTunnelServerAddress    = "0.0.0.0"
+	defaultTunnelServerPort       = "8000"
+	defaultDataDirectory          = "C:\\data"
+	defaultAssetsDirectory        = "./"
+	defaultTLS                    = "false"
+	defaultTLSSkipVerify          = "false"
+	defaultTLSCACertPath          = "C:\\certs\\ca.pem"
+	defaultTLSCertPath            = "C:\\certs\\cert.pem"
+	defaultTLSKeyPath             = "C:\\certs\\key.pem"
+	defaultHTTPDisabled           = "false"
+	defaultHTTPEnabled            = "false"
+	defaultSSL                    = "false"
+	defaultSnapshotInterval       = "5m"
+	defaultBaseURL                = "/"
+	defaultSecretKeyName          = "portainer"
+	defaultPullLimitCheckDisabled = "false"
 )
--- a/api/cli/pairlistbool.go
+++ b/api/cli/pairlistbool.go
@@ -1,45 +0,0 @@
-package cli
-
-import (
-	"strings"
-
-	portainer "github.com/portainer/portainer/api"
-
-	"gopkg.in/alecthomas/kingpin.v2"
-)
-
-type pairListBool []portainer.Pair
-
-// Set implementation for a list of portainer.Pair
-func (l *pairListBool) Set(value string) error {
-	p := new(portainer.Pair)
-
-	// default to true.  example setting=true is equivalent to setting
-	parts := strings.SplitN(value, "=", 2)
-	if len(parts) != 2 {
-		p.Name = parts[0]
-		p.Value = "true"
-	} else {
-		p.Name = parts[0]
-		p.Value = parts[1]
-	}
-
-	*l = append(*l, *p)
-	return nil
-}
-
-// String implementation for a list of pair
-func (l *pairListBool) String() string {
-	return ""
-}
-
-// IsCumulative implementation for a list of pair
-func (l *pairListBool) IsCumulative() bool {
-	return true
-}
-
-func BoolPairs(s kingpin.Settings) (target *[]portainer.Pair) {
-	target = new([]portainer.Pair)
-	s.SetValue((*pairListBool)(target))
-	return
-}
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -10,7 +10,6 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/apikey"
-	"github.com/portainer/portainer/api/build"
 	"github.com/portainer/portainer/api/chisel"
 	"github.com/portainer/portainer/api/cli"
 	"github.com/portainer/portainer/api/crypto"
@@ -31,7 +30,6 @@ import (
 	"github.com/portainer/portainer/api/http/proxy"
 	kubeproxy "github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
 	"github.com/portainer/portainer/api/internal/authorization"
-	"github.com/portainer/portainer/api/internal/edge"
 	"github.com/portainer/portainer/api/internal/edge/edgestacks"
 	"github.com/portainer/portainer/api/internal/endpointutils"
 	"github.com/portainer/portainer/api/internal/snapshot"
@@ -41,6 +39,7 @@ import (
 	"github.com/portainer/portainer/api/kubernetes"
 	kubecli "github.com/portainer/portainer/api/kubernetes/cli"
 	"github.com/portainer/portainer/api/ldap"
+	"github.com/portainer/portainer/api/logs"
 	"github.com/portainer/portainer/api/oauth"
 	"github.com/portainer/portainer/api/pendingactions"
 	"github.com/portainer/portainer/api/pendingactions/actions"
@@ -48,10 +47,12 @@ import (
 	"github.com/portainer/portainer/api/platform"
 	"github.com/portainer/portainer/api/scheduler"
 	"github.com/portainer/portainer/api/stacks/deployments"
+	"github.com/portainer/portainer/pkg/build"
 	"github.com/portainer/portainer/pkg/featureflags"
 	"github.com/portainer/portainer/pkg/libhelm"
-	"github.com/portainer/portainer/pkg/libstack"
+	libhelmtypes "github.com/portainer/portainer/pkg/libhelm/types"
 	"github.com/portainer/portainer/pkg/libstack/compose"
+	"github.com/portainer/portainer/pkg/validate"

 	"github.com/gofrs/uuid"
 	"github.com/rs/zerolog/log"
@@ -95,7 +96,7 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 		log.Fatal().Msg("failed creating database connection: expecting a boltdb database type but a different one was received")
 	}

-	store := datastore.NewStore(*flags.Data, fileService, connection)
+	store := datastore.NewStore(flags, fileService, connection)

 	isNew, err := store.Open()
 	if err != nil {
@@ -122,7 +123,7 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 			log.Fatal().Err(err).Msg("failed generating instance id")
 		}

-		migratorInstance := migrator.NewMigrator(&migrator.MigratorParameters{})
+		migratorInstance := migrator.NewMigrator(&migrator.MigratorParameters{Flags: flags})
 		migratorCount := migratorInstance.GetMigratorCountOfCurrentAPIVersion()

 		// from MigrateData
@@ -167,32 +168,12 @@ func checkDBSchemaServerVersionMatch(dbStore dataservices.DataStore, serverVersi
 	return v.SchemaVersion == serverVersion && v.Edition == serverEdition
 }

-func initComposeStackManager(composeDeployer libstack.Deployer, proxyManager *proxy.Manager) portainer.ComposeStackManager {
-	composeWrapper, err := exec.NewComposeStackManager(composeDeployer, proxyManager)
-	if err != nil {
-		log.Fatal().Err(err).Msg("failed creating compose manager")
-	}
-
-	return composeWrapper
+func initKubernetesDeployer(kubernetesTokenCacheManager *kubeproxy.TokenCacheManager, kubernetesClientFactory *kubecli.ClientFactory, dataStore dataservices.DataStore, reverseTunnelService portainer.ReverseTunnelService, signatureService portainer.DigitalSignatureService, proxyManager *proxy.Manager) portainer.KubernetesDeployer {
+	return exec.NewKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, signatureService, proxyManager)
 }

-func initSwarmStackManager(
-	assetsPath string,
-	configPath string,
-	signatureService portainer.DigitalSignatureService,
-	fileService portainer.FileService,
-	reverseTunnelService portainer.ReverseTunnelService,
-	dataStore dataservices.DataStore,
-) (portainer.SwarmStackManager, error) {
-	return exec.NewSwarmStackManager(assetsPath, configPath, signatureService, fileService, reverseTunnelService, dataStore)
-}
-
-func initKubernetesDeployer(kubernetesTokenCacheManager *kubeproxy.TokenCacheManager, kubernetesClientFactory *kubecli.ClientFactory, dataStore dataservices.DataStore, reverseTunnelService portainer.ReverseTunnelService, signatureService portainer.DigitalSignatureService, proxyManager *proxy.Manager, assetsPath string) portainer.KubernetesDeployer {
-	return exec.NewKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, signatureService, proxyManager, assetsPath)
-}
-
-func initHelmPackageManager(assetsPath string) (libhelm.HelmPackageManager, error) {
-	return libhelm.NewHelmPackageManager(libhelm.HelmConfig{BinaryPath: assetsPath})
+func initHelmPackageManager() (libhelmtypes.HelmPackageManager, error) {
+	return libhelm.NewHelmPackageManager()
 }

 func initAPIKeyService(datastore dataservices.DataStore) apikey.APIKeyService {
@@ -260,10 +241,10 @@ func updateSettingsFromFlags(dataStore dataservices.DataStore, flags *portainer.
 		return err
 	}

-	settings.SnapshotInterval = *cmp.Or(flags.SnapshotInterval, &settings.SnapshotInterval)
-	settings.LogoURL = *cmp.Or(flags.Logo, &settings.LogoURL)
-	settings.EnableEdgeComputeFeatures = *cmp.Or(flags.EnableEdgeComputeFeatures, &settings.EnableEdgeComputeFeatures)
-	settings.TemplatesURL = *cmp.Or(flags.Templates, &settings.TemplatesURL)
+	settings.SnapshotInterval = cmp.Or(*flags.SnapshotInterval, settings.SnapshotInterval)
+	settings.LogoURL = cmp.Or(*flags.Logo, settings.LogoURL)
+	settings.EnableEdgeComputeFeatures = cmp.Or(*flags.EnableEdgeComputeFeatures, settings.EnableEdgeComputeFeatures)
+	settings.TemplatesURL = cmp.Or(*flags.Templates, settings.TemplatesURL)

 	if *flags.Labels != nil {
 		settings.BlackListedLabels = *flags.Labels
@@ -350,6 +331,18 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		featureflags.Parse(*flags.FeatureFlags, portainer.SupportedFeatureFlags)
 	}

+	trustedOrigins := []string{}
+	if *flags.TrustedOrigins != "" {
+		// validate if the trusted origins are valid urls
+		for _, origin := range strings.Split(*flags.TrustedOrigins, ",") {
+			if !validate.IsTrustedOrigin(origin) {
+				log.Fatal().Str("trusted_origin", origin).Msg("invalid url for trusted origin. Please check the trusted origins flag.")
+			}
+
+			trustedOrigins = append(trustedOrigins, origin)
+		}
+	}
+
 	fileService := initFileService(*flags.Data)
 	encryptionKey := loadEncryptionSecretKey(*flags.SecretKeyName)
 	if encryptionKey == nil {
@@ -390,7 +383,8 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {

 	gitService := git.NewService(shutdownCtx)

-	openAMTService := openamt.NewService()
+	// Setting insecureSkipVerify to true to preserve the old behaviour.
+	openAMTService := openamt.NewService(true)

 	cryptoService := &crypto.Service{}

@@ -434,19 +428,16 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {

 	dockerConfigPath := fileService.GetDockerConfigPath()

-	composeDeployer, err := compose.NewComposeDeployer(*flags.Assets, dockerConfigPath)
-	if err != nil {
-		log.Fatal().Err(err).Msg("failed initializing compose deployer")
-	}
+	composeDeployer := compose.NewComposeDeployer()

-	composeStackManager := initComposeStackManager(composeDeployer, proxyManager)
+	composeStackManager := exec.NewComposeStackManager(composeDeployer, proxyManager, dataStore)

-	swarmStackManager, err := initSwarmStackManager(*flags.Assets, dockerConfigPath, signatureService, fileService, reverseTunnelService, dataStore)
+	swarmStackManager, err := exec.NewSwarmStackManager(*flags.Assets, dockerConfigPath, signatureService, fileService, reverseTunnelService, dataStore)
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed initializing swarm stack manager")
 	}

-	kubernetesDeployer := initKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, signatureService, proxyManager, *flags.Assets)
+	kubernetesDeployer := initKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, signatureService, proxyManager)

 	pendingActionsService := pendingactions.NewService(dataStore, kubernetesClientFactory)
 	pendingActionsService.RegisterHandler(actions.CleanNAPWithOverridePolicies, handlers.NewHandlerCleanNAPWithOverridePolicies(authorizationService, dataStore))
@@ -462,15 +453,11 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {

 	proxyManager.NewProxyFactory(dataStore, signatureService, reverseTunnelService, dockerClientFactory, kubernetesClientFactory, kubernetesTokenCacheManager, gitService, snapshotService)

-	helmPackageManager, err := initHelmPackageManager(*flags.Assets)
+	helmPackageManager, err := initHelmPackageManager()
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed initializing helm package manager")
 	}

-	if err := edge.LoadEdgeJobs(dataStore, reverseTunnelService); err != nil {
-		log.Fatal().Err(err).Msg("failed loading edge jobs from database")
-	}
-
 	applicationStatus := initStatus(instanceID)

 	// channel to control when the admin user is created
@@ -572,6 +559,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		Status:                      applicationStatus,
 		BindAddress:                 *flags.Addr,
 		BindAddressHTTPS:            *flags.AddrHTTPS,
+		CSP:                         *flags.CSP,
 		HTTPEnabled:                 sslDBSettings.HTTPEnabled,
 		AssetsPath:                  *flags.Assets,
 		DataStore:                   dataStore,
@@ -604,17 +592,19 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		AdminCreationDone:           adminCreationDone,
 		PendingActionsService:       pendingActionsService,
 		PlatformService:             platformService,
+		PullLimitCheckDisabled:      *flags.PullLimitCheckDisabled,
+		TrustedOrigins:              trustedOrigins,
 	}
 }

 func main() {
-	configureLogger()
-	setLoggingMode("PRETTY")
+	logs.ConfigureLogger()
+	logs.SetLoggingMode("PRETTY")

 	flags := initCLI()

-	setLoggingLevel(*flags.LogLevel)
-	setLoggingMode(*flags.LogMode)
+	logs.SetLoggingLevel(*flags.LogLevel)
+	logs.SetLoggingMode(*flags.LogMode)

 	for {
 		server := buildServer(flags)
--- a/api/connection.go
+++ b/api/connection.go
@@ -6,8 +6,10 @@ import (

 type ReadTransaction interface {
 	GetObject(bucketName string, key []byte, object any) error
+	GetRawBytes(bucketName string, key []byte) ([]byte, error)
 	GetAll(bucketName string, obj any, append func(o any) (any, error)) error
 	GetAllWithKeyPrefix(bucketName string, keyPrefix []byte, obj any, append func(o any) (any, error)) error
+	KeyExists(bucketName string, key []byte) (bool, error)
 }

 type Transaction interface {
@@ -40,6 +42,7 @@ type Connection interface {
 	GetDatabaseFileName() string
 	GetDatabaseFilePath() string
 	GetStorePath() string
+	GetDatabaseFileSize() (int64, error)

 	IsEncryptedStore() bool
 	NeedsEncryptionMigration() (bool, error)
--- a/api/crypto/aes.go
+++ b/api/crypto/aes.go
@@ -31,8 +31,7 @@ const (

 // AesEncrypt reads from input, encrypts with AES-256 and writes to output. passphrase is used to generate an encryption key
 func AesEncrypt(input io.Reader, output io.Writer, passphrase []byte) error {
-	err := aesEncryptGCM(input, output, passphrase)
-	if err != nil {
+	if err := aesEncryptGCM(input, output, passphrase); err != nil {
 		return fmt.Errorf("error encrypting file: %w", err)
 	}

@@ -142,7 +141,7 @@ func aesDecryptGCM(input io.Reader, passphrase []byte) (io.Reader, error) {
 	}

 	if string(header) != aesGcmHeader {
-		return nil, fmt.Errorf("invalid header")
+		return nil, errors.New("invalid header")
 	}

 	// Read salt
@@ -194,8 +193,7 @@ func aesDecryptGCM(input io.Reader, passphrase []byte) (io.Reader, error) {
 			return nil, err
 		}

-		_, err = buf.Write(plaintext)
-		if err != nil {
+		if _, err := buf.Write(plaintext); err != nil {
 			return nil, err
 		}

--- a/api/database/boltdb/db.go
+++ b/api/database/boltdb/db.go
@@ -62,6 +62,15 @@ func (connection *DbConnection) GetStorePath() string {
 	return connection.Path
 }

+func (connection *DbConnection) GetDatabaseFileSize() (int64, error) {
+	file, err := os.Stat(connection.GetDatabaseFilePath())
+	if err != nil {
+		return 0, fmt.Errorf("Failed to stat database file path: %s err: %w", connection.GetDatabaseFilePath(), err)
+	}
+
+	return file.Size(), nil
+}
+
 func (connection *DbConnection) SetEncrypted(flag bool) {
 	connection.isEncrypted = flag
 }
@@ -129,6 +138,8 @@ func (connection *DbConnection) Open() error {
 	db, err := bolt.Open(databasePath, 0600, &bolt.Options{
 		Timeout:         1 * time.Second,
 		InitialMmapSize: connection.InitialMmapSize,
+		FreelistType:    bolt.FreelistMapType,
+		NoFreelistSync:  true,
 	})
 	if err != nil {
 		return err
@@ -235,6 +246,32 @@ func (connection *DbConnection) GetObject(bucketName string, key []byte, object
 	})
 }

+func (connection *DbConnection) GetRawBytes(bucketName string, key []byte) ([]byte, error) {
+	var value []byte
+
+	err := connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		value, err = tx.GetRawBytes(bucketName, key)
+
+		return err
+	})
+
+	return value, err
+}
+
+func (connection *DbConnection) KeyExists(bucketName string, key []byte) (bool, error) {
+	var exists bool
+
+	err := connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		exists, err = tx.KeyExists(bucketName, key)
+
+		return err
+	})
+
+	return exists, err
+}
+
 func (connection *DbConnection) getEncryptionKey() []byte {
 	if !connection.isEncrypted {
 		return nil
--- a/api/database/boltdb/export.go
+++ b/api/database/boltdb/export.go
@@ -49,8 +49,8 @@ func (c *DbConnection) ExportJSON(databasePath string, metadata bool) ([]byte, e
 		backup["__metadata"] = meta
 	}

-	err = connection.View(func(tx *bolt.Tx) error {
-		err = tx.ForEach(func(name []byte, bucket *bolt.Bucket) error {
+	if err := connection.View(func(tx *bolt.Tx) error {
+		return tx.ForEach(func(name []byte, bucket *bolt.Bucket) error {
 			bucketName := string(name)
 			var list []any
 			version := make(map[string]string)
@@ -84,27 +84,22 @@ func (c *DbConnection) ExportJSON(databasePath string, metadata bool) ([]byte, e
 				return nil
 			}

-			if len(list) > 0 {
-				if bucketName == "ssl" ||
-					bucketName == "settings" ||
-					bucketName == "tunnel_server" {
-					backup[bucketName] = nil
-					if len(list) > 0 {
-						backup[bucketName] = list[0]
-					}
-					return nil
+			if bucketName == "ssl" ||
+				bucketName == "settings" ||
+				bucketName == "tunnel_server" {
+				backup[bucketName] = nil
+				if len(list) > 0 {
+					backup[bucketName] = list[0]
 				}
-				backup[bucketName] = list
+
 				return nil
 			}

+			backup[bucketName] = list
+
 			return nil
 		})
-
-		return err
-	})
-
-	if err != nil {
+	}); err != nil {
 		return []byte("{}"), err
 	}

--- a/api/database/boltdb/tx.go
+++ b/api/database/boltdb/tx.go
@@ -6,6 +6,7 @@ import (

 	dserrors "github.com/portainer/portainer/api/dataservices/errors"

+	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
 	bolt "go.etcd.io/bbolt"
 )
@@ -31,6 +32,33 @@ func (tx *DbTransaction) GetObject(bucketName string, key []byte, object any) er
 	return tx.conn.UnmarshalObject(value, object)
 }

+func (tx *DbTransaction) GetRawBytes(bucketName string, key []byte) ([]byte, error) {
+	bucket := tx.tx.Bucket([]byte(bucketName))
+
+	value := bucket.Get(key)
+	if value == nil {
+		return nil, fmt.Errorf("%w (bucket=%s, key=%s)", dserrors.ErrObjectNotFound, bucketName, keyToString(key))
+	}
+
+	if tx.conn.getEncryptionKey() != nil {
+		var err error
+
+		if value, err = decrypt(value, tx.conn.getEncryptionKey()); err != nil {
+			return value, errors.Wrap(err, "Failed decrypting object")
+		}
+	}
+
+	return value, nil
+}
+
+func (tx *DbTransaction) KeyExists(bucketName string, key []byte) (bool, error) {
+	bucket := tx.tx.Bucket([]byte(bucketName))
+
+	value := bucket.Get(key)
+
+	return value != nil, nil
+}
+
 func (tx *DbTransaction) UpdateObject(bucketName string, key []byte, object any) error {
 	data, err := tx.conn.MarshalObject(object)
 	if err != nil {
--- a/api/dataservices/apikeyrepository/apikeyrepository.go
+++ b/api/dataservices/apikeyrepository/apikeyrepository.go
@@ -21,8 +21,7 @@ type Service struct {

 // NewService creates a new instance of a service.
 func NewService(connection portainer.Connection) (*Service, error) {
-	err := connection.SetServiceName(BucketName)
-	if err != nil {
+	if err := connection.SetServiceName(BucketName); err != nil {
 		return nil, err
 	}

@@ -62,7 +61,7 @@ func (service *Service) GetAPIKeysByUserID(userID portainer.UserID) ([]portainer
 // Note: there is a 1-to-1 mapping of api-key and digest
 func (service *Service) GetAPIKeyByDigest(digest string) (*portainer.APIKey, error) {
 	var k *portainer.APIKey
-	stop := fmt.Errorf("ok")
+	stop := errors.New("ok")
 	err := service.Connection.GetAll(
 		BucketName,
 		&portainer.APIKey{},
--- a/api/dataservices/base.go
+++ b/api/dataservices/base.go
@@ -9,7 +9,8 @@ import (
 type BaseCRUD[T any, I constraints.Integer] interface {
 	Create(element *T) error
 	Read(ID I) (*T, error)
-	ReadAll() ([]T, error)
+	Exists(ID I) (bool, error)
+	ReadAll(predicates ...func(T) bool) ([]T, error)
 	Update(ID I, element *T) error
 	Delete(ID I) error
 }
@@ -42,12 +43,26 @@ func (service BaseDataService[T, I]) Read(ID I) (*T, error) {
 	})
 }

-func (service BaseDataService[T, I]) ReadAll() ([]T, error) {
+func (service BaseDataService[T, I]) Exists(ID I) (bool, error) {
+	var exists bool
+
+	err := service.Connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		exists, err = service.Tx(tx).Exists(ID)
+
+		return err
+	})
+
+	return exists, err
+}
+
+// ReadAll retrieves all the elements that satisfy all the provided predicates.
+func (service BaseDataService[T, I]) ReadAll(predicates ...func(T) bool) ([]T, error) {
 	var collection = make([]T, 0)

 	return collection, service.Connection.ViewTx(func(tx portainer.Transaction) error {
 		var err error
-		collection, err = service.Tx(tx).ReadAll()
+		collection, err = service.Tx(tx).ReadAll(predicates...)

 		return err
 	})
--- a/api/dataservices/base_test.go
+++ b/api/dataservices/base_test.go
@@ -0,0 +1,92 @@
+package dataservices
+
+import (
+	"strconv"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/slicesx"
+
+	"github.com/stretchr/testify/require"
+)
+
+type testObject struct {
+	ID    int
+	Value int
+}
+
+type mockConnection struct {
+	store map[int]testObject
+
+	portainer.Connection
+}
+
+func (m mockConnection) UpdateObject(bucket string, key []byte, value interface{}) error {
+	obj := value.(*testObject)
+
+	m.store[obj.ID] = *obj
+
+	return nil
+}
+
+func (m mockConnection) GetAll(bucketName string, obj any, appendFn func(o any) (any, error)) error {
+	for _, v := range m.store {
+		if _, err := appendFn(&v); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m mockConnection) UpdateTx(fn func(portainer.Transaction) error) error {
+	return fn(m)
+}
+
+func (m mockConnection) ViewTx(fn func(portainer.Transaction) error) error {
+	return fn(m)
+}
+
+func (m mockConnection) ConvertToKey(v int) []byte {
+	return []byte(strconv.Itoa(v))
+}
+
+func TestReadAll(t *testing.T) {
+	service := BaseDataService[testObject, int]{
+		Bucket:     "testBucket",
+		Connection: mockConnection{store: make(map[int]testObject)},
+	}
+
+	data := []testObject{
+		{ID: 1, Value: 1},
+		{ID: 2, Value: 2},
+		{ID: 3, Value: 3},
+		{ID: 4, Value: 4},
+		{ID: 5, Value: 5},
+	}
+
+	for _, item := range data {
+		err := service.Update(item.ID, &item)
+		require.NoError(t, err)
+	}
+
+	// ReadAll without predicates
+	result, err := service.ReadAll()
+	require.NoError(t, err)
+
+	expected := append([]testObject{}, data...)
+
+	require.ElementsMatch(t, expected, result)
+
+	// ReadAll with predicates
+	hasLowID := func(obj testObject) bool { return obj.ID < 3 }
+	isEven := func(obj testObject) bool { return obj.Value%2 == 0 }
+
+	result, err = service.ReadAll(hasLowID, isEven)
+	require.NoError(t, err)
+
+	expected = slicesx.Filter(expected, hasLowID)
+	expected = slicesx.Filter(expected, isEven)
+
+	require.ElementsMatch(t, expected, result)
+}
--- a/api/dataservices/base_tx.go
+++ b/api/dataservices/base_tx.go
@@ -28,13 +28,38 @@ func (service BaseDataServiceTx[T, I]) Read(ID I) (*T, error) {
 	return &element, nil
 }

-func (service BaseDataServiceTx[T, I]) ReadAll() ([]T, error) {
+func (service BaseDataServiceTx[T, I]) Exists(ID I) (bool, error) {
+	identifier := service.Connection.ConvertToKey(int(ID))
+
+	return service.Tx.KeyExists(service.Bucket, identifier)
+}
+
+// ReadAll retrieves all the elements that satisfy all the provided predicates.
+func (service BaseDataServiceTx[T, I]) ReadAll(predicates ...func(T) bool) ([]T, error) {
 	var collection = make([]T, 0)

+	if len(predicates) == 0 {
+		return collection, service.Tx.GetAll(
+			service.Bucket,
+			new(T),
+			AppendFn(&collection),
+		)
+	}
+
+	filterFn := func(element T) bool {
+		for _, p := range predicates {
+			if !p(element) {
+				return false
+			}
+		}
+
+		return true
+	}
+
 	return collection, service.Tx.GetAll(
 		service.Bucket,
 		new(T),
-		AppendFn(&collection),
+		FilterFn(&collection, filterFn),
 	)
 }

--- a/api/dataservices/edgestack/edgestack.go
+++ b/api/dataservices/edgestack/edgestack.go
@@ -15,7 +15,7 @@ type Service struct {
 	connection          portainer.Connection
 	idxVersion          map[portainer.EdgeStackID]int
 	mu                  sync.RWMutex
-	cacheInvalidationFn func(portainer.EdgeStackID)
+	cacheInvalidationFn func(portainer.Transaction, portainer.EdgeStackID)
 }

 func (service *Service) BucketName() string {
@@ -23,7 +23,7 @@ func (service *Service) BucketName() string {
 }

 // NewService creates a new instance of a service.
-func NewService(connection portainer.Connection, cacheInvalidationFn func(portainer.EdgeStackID)) (*Service, error) {
+func NewService(connection portainer.Connection, cacheInvalidationFn func(portainer.Transaction, portainer.EdgeStackID)) (*Service, error) {
 	err := connection.SetServiceName(BucketName)
 	if err != nil {
 		return nil, err
@@ -36,7 +36,7 @@ func NewService(connection portainer.Connection, cacheInvalidationFn func(portai
 	}

 	if s.cacheInvalidationFn == nil {
-		s.cacheInvalidationFn = func(portainer.EdgeStackID) {}
+		s.cacheInvalidationFn = func(portainer.Transaction, portainer.EdgeStackID) {}
 	}

 	es, err := s.EdgeStacks()
@@ -106,7 +106,7 @@ func (service *Service) Create(id portainer.EdgeStackID, edgeStack *portainer.Ed

 	service.mu.Lock()
 	service.idxVersion[id] = edgeStack.Version
-	service.cacheInvalidationFn(id)
+	service.cacheInvalidationFn(service.connection, id)
 	service.mu.Unlock()

 	return nil
@@ -125,7 +125,7 @@ func (service *Service) UpdateEdgeStack(ID portainer.EdgeStackID, edgeStack *por
 	}

 	service.idxVersion[ID] = edgeStack.Version
-	service.cacheInvalidationFn(ID)
+	service.cacheInvalidationFn(service.connection, ID)

 	return nil
 }
@@ -142,7 +142,7 @@ func (service *Service) UpdateEdgeStackFunc(ID portainer.EdgeStackID, updateFunc
 		updateFunc(edgeStack)

 		service.idxVersion[ID] = edgeStack.Version
-		service.cacheInvalidationFn(ID)
+		service.cacheInvalidationFn(service.connection, ID)
 	})
 }

@@ -165,7 +165,7 @@ func (service *Service) DeleteEdgeStack(ID portainer.EdgeStackID) error {

 	delete(service.idxVersion, ID)

-	service.cacheInvalidationFn(ID)
+	service.cacheInvalidationFn(service.connection, ID)

 	return nil
 }
--- a/api/dataservices/edgestack/tx.go
+++ b/api/dataservices/edgestack/tx.go
@@ -44,8 +44,7 @@ func (service ServiceTx) EdgeStack(ID portainer.EdgeStackID) (*portainer.EdgeSta
 	var stack portainer.EdgeStack
 	identifier := service.service.connection.ConvertToKey(int(ID))

-	err := service.tx.GetObject(BucketName, identifier, &stack)
-	if err != nil {
+	if err := service.tx.GetObject(BucketName, identifier, &stack); err != nil {
 		return nil, err
 	}

@@ -65,18 +64,17 @@ func (service ServiceTx) EdgeStackVersion(ID portainer.EdgeStackID) (int, bool)
 func (service ServiceTx) Create(id portainer.EdgeStackID, edgeStack *portainer.EdgeStack) error {
 	edgeStack.ID = id

-	err := service.tx.CreateObjectWithId(
+	if err := service.tx.CreateObjectWithId(
 		BucketName,
 		int(edgeStack.ID),
 		edgeStack,
-	)
-	if err != nil {
+	); err != nil {
 		return err
 	}

 	service.service.mu.Lock()
 	service.service.idxVersion[id] = edgeStack.Version
-	service.service.cacheInvalidationFn(id)
+	service.service.cacheInvalidationFn(service.tx, id)
 	service.service.mu.Unlock()

 	return nil
@@ -89,13 +87,12 @@ func (service ServiceTx) UpdateEdgeStack(ID portainer.EdgeStackID, edgeStack *po

 	identifier := service.service.connection.ConvertToKey(int(ID))

-	err := service.tx.UpdateObject(BucketName, identifier, edgeStack)
-	if err != nil {
+	if err := service.tx.UpdateObject(BucketName, identifier, edgeStack); err != nil {
 		return err
 	}

 	service.service.idxVersion[ID] = edgeStack.Version
-	service.service.cacheInvalidationFn(ID)
+	service.service.cacheInvalidationFn(service.tx, ID)

 	return nil
 }
@@ -119,14 +116,13 @@ func (service ServiceTx) DeleteEdgeStack(ID portainer.EdgeStackID) error {

 	identifier := service.service.connection.ConvertToKey(int(ID))

-	err := service.tx.DeleteObject(BucketName, identifier)
-	if err != nil {
+	if err := service.tx.DeleteObject(BucketName, identifier); err != nil {
 		return err
 	}

 	delete(service.service.idxVersion, ID)

-	service.service.cacheInvalidationFn(ID)
+	service.service.cacheInvalidationFn(service.tx, ID)

 	return nil
 }
--- a/api/dataservices/edgestackstatus/edgestackstatus.go
+++ b/api/dataservices/edgestackstatus/edgestackstatus.go
@@ -0,0 +1,89 @@
+package edgestackstatus
+
+import (
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+)
+
+var _ dataservices.EdgeStackStatusService = &Service{}
+
+const BucketName = "edge_stack_status"
+
+type Service struct {
+	conn portainer.Connection
+}
+
+func (service *Service) BucketName() string {
+	return BucketName
+}
+
+func NewService(connection portainer.Connection) (*Service, error) {
+	if err := connection.SetServiceName(BucketName); err != nil {
+		return nil, err
+	}
+
+	return &Service{conn: connection}, nil
+}
+
+func (s *Service) Tx(tx portainer.Transaction) ServiceTx {
+	return ServiceTx{
+		service: s,
+		tx:      tx,
+	}
+}
+
+func (s *Service) Create(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID, status *portainer.EdgeStackStatusForEnv) error {
+	return s.conn.UpdateTx(func(tx portainer.Transaction) error {
+		return s.Tx(tx).Create(edgeStackID, endpointID, status)
+	})
+}
+
+func (s *Service) Read(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID) (*portainer.EdgeStackStatusForEnv, error) {
+	var element *portainer.EdgeStackStatusForEnv
+
+	return element, s.conn.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		element, err = s.Tx(tx).Read(edgeStackID, endpointID)
+
+		return err
+	})
+}
+
+func (s *Service) ReadAll(edgeStackID portainer.EdgeStackID) ([]portainer.EdgeStackStatusForEnv, error) {
+	var collection = make([]portainer.EdgeStackStatusForEnv, 0)
+
+	return collection, s.conn.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		collection, err = s.Tx(tx).ReadAll(edgeStackID)
+
+		return err
+	})
+}
+
+func (s *Service) Update(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID, status *portainer.EdgeStackStatusForEnv) error {
+	return s.conn.UpdateTx(func(tx portainer.Transaction) error {
+		return s.Tx(tx).Update(edgeStackID, endpointID, status)
+	})
+}
+
+func (s *Service) Delete(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID) error {
+	return s.conn.UpdateTx(func(tx portainer.Transaction) error {
+		return s.Tx(tx).Delete(edgeStackID, endpointID)
+	})
+}
+
+func (s *Service) DeleteAll(edgeStackID portainer.EdgeStackID) error {
+	return s.conn.UpdateTx(func(tx portainer.Transaction) error {
+		return s.Tx(tx).DeleteAll(edgeStackID)
+	})
+}
+
+func (s *Service) Clear(edgeStackID portainer.EdgeStackID, relatedEnvironmentsIDs []portainer.EndpointID) error {
+	return s.conn.UpdateTx(func(tx portainer.Transaction) error {
+		return s.Tx(tx).Clear(edgeStackID, relatedEnvironmentsIDs)
+	})
+}
+
+func (s *Service) key(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID) []byte {
+	return append(s.conn.ConvertToKey(int(edgeStackID)), s.conn.ConvertToKey(int(endpointID))...)
+}
--- a/api/dataservices/edgestackstatus/tx.go
+++ b/api/dataservices/edgestackstatus/tx.go
@@ -0,0 +1,95 @@
+package edgestackstatus
+
+import (
+	"fmt"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+)
+
+var _ dataservices.EdgeStackStatusService = &Service{}
+
+type ServiceTx struct {
+	service *Service
+	tx      portainer.Transaction
+}
+
+func (service ServiceTx) Create(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID, status *portainer.EdgeStackStatusForEnv) error {
+	identifier := service.service.key(edgeStackID, endpointID)
+	return service.tx.CreateObjectWithStringId(BucketName, identifier, status)
+}
+
+func (s ServiceTx) Read(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID) (*portainer.EdgeStackStatusForEnv, error) {
+	var status portainer.EdgeStackStatusForEnv
+	identifier := s.service.key(edgeStackID, endpointID)
+
+	if err := s.tx.GetObject(BucketName, identifier, &status); err != nil {
+		return nil, err
+	}
+
+	return &status, nil
+}
+
+func (s ServiceTx) ReadAll(edgeStackID portainer.EdgeStackID) ([]portainer.EdgeStackStatusForEnv, error) {
+	keyPrefix := s.service.conn.ConvertToKey(int(edgeStackID))
+
+	statuses := make([]portainer.EdgeStackStatusForEnv, 0)
+
+	if err := s.tx.GetAllWithKeyPrefix(BucketName, keyPrefix, &portainer.EdgeStackStatusForEnv{}, dataservices.AppendFn(&statuses)); err != nil {
+		return nil, fmt.Errorf("unable to retrieve EdgeStackStatus for EdgeStack %d: %w", edgeStackID, err)
+	}
+
+	return statuses, nil
+}
+
+func (s ServiceTx) Update(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID, status *portainer.EdgeStackStatusForEnv) error {
+	identifier := s.service.key(edgeStackID, endpointID)
+	return s.tx.UpdateObject(BucketName, identifier, status)
+}
+
+func (s ServiceTx) Delete(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID) error {
+	identifier := s.service.key(edgeStackID, endpointID)
+	return s.tx.DeleteObject(BucketName, identifier)
+}
+
+func (s ServiceTx) DeleteAll(edgeStackID portainer.EdgeStackID) error {
+	keyPrefix := s.service.conn.ConvertToKey(int(edgeStackID))
+
+	statuses := make([]portainer.EdgeStackStatusForEnv, 0)
+
+	if err := s.tx.GetAllWithKeyPrefix(BucketName, keyPrefix, &portainer.EdgeStackStatusForEnv{}, dataservices.AppendFn(&statuses)); err != nil {
+		return fmt.Errorf("unable to retrieve EdgeStackStatus for EdgeStack %d: %w", edgeStackID, err)
+	}
+
+	for _, status := range statuses {
+		if err := s.tx.DeleteObject(BucketName, s.service.key(edgeStackID, status.EndpointID)); err != nil {
+			return fmt.Errorf("unable to delete EdgeStackStatus for EdgeStack %d and Endpoint %d: %w", edgeStackID, status.EndpointID, err)
+		}
+	}
+
+	return nil
+}
+
+func (s ServiceTx) Clear(edgeStackID portainer.EdgeStackID, relatedEnvironmentsIDs []portainer.EndpointID) error {
+	for _, envID := range relatedEnvironmentsIDs {
+		existingStatus, err := s.Read(edgeStackID, envID)
+		if err != nil && !dataservices.IsErrObjectNotFound(err) {
+			return fmt.Errorf("unable to retrieve status for environment %d: %w", envID, err)
+		}
+
+		var deploymentInfo portainer.StackDeploymentInfo
+		if existingStatus != nil {
+			deploymentInfo = existingStatus.DeploymentInfo
+		}
+
+		if err := s.Update(edgeStackID, envID, &portainer.EdgeStackStatusForEnv{
+			EndpointID:     envID,
+			Status:         []portainer.EdgeStackDeploymentStatus{},
+			DeploymentInfo: deploymentInfo,
+		}); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
--- a/api/dataservices/endpointrelation/endpointrelation.go
+++ b/api/dataservices/endpointrelation/endpointrelation.go
@@ -1,6 +1,8 @@
 package endpointrelation

 import (
+	"sync"
+
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/internal/edge/cache"
@@ -13,11 +15,15 @@ const BucketName = "endpoint_relations"

 // Service represents a service for managing environment(endpoint) relation data.
 type Service struct {
-	connection      portainer.Connection
-	updateStackFn   func(ID portainer.EdgeStackID, updateFunc func(edgeStack *portainer.EdgeStack)) error
-	updateStackFnTx func(tx portainer.Transaction, ID portainer.EdgeStackID, updateFunc func(edgeStack *portainer.EdgeStack)) error
+	connection             portainer.Connection
+	updateStackFn          func(ID portainer.EdgeStackID, updateFunc func(edgeStack *portainer.EdgeStack)) error
+	updateStackFnTx        func(tx portainer.Transaction, ID portainer.EdgeStackID, updateFunc func(edgeStack *portainer.EdgeStack)) error
+	endpointRelationsCache []portainer.EndpointRelation
+	mu                     sync.Mutex
 }

+var _ dataservices.EndpointRelationService = &Service{}
+
 func (service *Service) BucketName() string {
 	return BucketName
 }
@@ -76,6 +82,10 @@ func (service *Service) Create(endpointRelation *portainer.EndpointRelation) err
 	err := service.connection.CreateObjectWithId(BucketName, int(endpointRelation.EndpointID), endpointRelation)
 	cache.Del(endpointRelation.EndpointID)

+	service.mu.Lock()
+	service.endpointRelationsCache = nil
+	service.mu.Unlock()
+
 	return err
 }

@@ -92,11 +102,27 @@ func (service *Service) UpdateEndpointRelation(endpointID portainer.EndpointID,

 	updatedRelationState, _ := service.EndpointRelation(endpointID)

+	service.mu.Lock()
+	service.endpointRelationsCache = nil
+	service.mu.Unlock()
+
 	service.updateEdgeStacksAfterRelationChange(previousRelationState, updatedRelationState)

 	return nil
 }

+func (service *Service) AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
+	return service.connection.UpdateTx(func(tx portainer.Transaction) error {
+		return service.Tx(tx).AddEndpointRelationsForEdgeStack(endpointIDs, edgeStackID)
+	})
+}
+
+func (service *Service) RemoveEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
+	return service.connection.UpdateTx(func(tx portainer.Transaction) error {
+		return service.Tx(tx).RemoveEndpointRelationsForEdgeStack(endpointIDs, edgeStackID)
+	})
+}
+
 // DeleteEndpointRelation deletes an Environment(Endpoint) relation object
 func (service *Service) DeleteEndpointRelation(endpointID portainer.EndpointID) error {
 	deletedRelation, _ := service.EndpointRelation(endpointID)
@@ -108,27 +134,15 @@ func (service *Service) DeleteEndpointRelation(endpointID portainer.EndpointID)
 		return err
 	}

+	service.mu.Lock()
+	service.endpointRelationsCache = nil
+	service.mu.Unlock()
+
 	service.updateEdgeStacksAfterRelationChange(deletedRelation, nil)

 	return nil
 }

-func (service *Service) InvalidateEdgeCacheForEdgeStack(edgeStackID portainer.EdgeStackID) {
-	rels, err := service.EndpointRelations()
-	if err != nil {
-		log.Error().Err(err).Msg("cannot retrieve endpoint relations")
-		return
-	}
-
-	for _, rel := range rels {
-		for id := range rel.EdgeStacks {
-			if edgeStackID == id {
-				cache.Del(rel.EndpointID)
-			}
-		}
-	}
-}
-
 func (service *Service) updateEdgeStacksAfterRelationChange(previousRelationState *portainer.EndpointRelation, updatedRelationState *portainer.EndpointRelation) {
 	relations, _ := service.EndpointRelations()

--- a/api/dataservices/endpointrelation/tx.go
+++ b/api/dataservices/endpointrelation/tx.go
@@ -13,6 +13,8 @@ type ServiceTx struct {
 	tx      portainer.Transaction
 }

+var _ dataservices.EndpointRelationService = &ServiceTx{}
+
 func (service ServiceTx) BucketName() string {
 	return BucketName
 }
@@ -45,6 +47,10 @@ func (service ServiceTx) Create(endpointRelation *portainer.EndpointRelation) er
 	err := service.tx.CreateObjectWithId(BucketName, int(endpointRelation.EndpointID), endpointRelation)
 	cache.Del(endpointRelation.EndpointID)

+	service.service.mu.Lock()
+	service.service.endpointRelationsCache = nil
+	service.service.mu.Unlock()
+
 	return err
 }

@@ -61,11 +67,75 @@ func (service ServiceTx) UpdateEndpointRelation(endpointID portainer.EndpointID,

 	updatedRelationState, _ := service.EndpointRelation(endpointID)

+	service.service.mu.Lock()
+	service.service.endpointRelationsCache = nil
+	service.service.mu.Unlock()
+
 	service.updateEdgeStacksAfterRelationChange(previousRelationState, updatedRelationState)

 	return nil
 }

+func (service ServiceTx) AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
+	for _, endpointID := range endpointIDs {
+		rel, err := service.EndpointRelation(endpointID)
+		if err != nil {
+			return err
+		}
+
+		rel.EdgeStacks[edgeStackID] = true
+
+		identifier := service.service.connection.ConvertToKey(int(endpointID))
+		err = service.tx.UpdateObject(BucketName, identifier, rel)
+		cache.Del(endpointID)
+		if err != nil {
+			return err
+		}
+	}
+
+	service.service.mu.Lock()
+	service.service.endpointRelationsCache = nil
+	service.service.mu.Unlock()
+
+	if err := service.service.updateStackFnTx(service.tx, edgeStackID, func(edgeStack *portainer.EdgeStack) {
+		edgeStack.NumDeployments += len(endpointIDs)
+	}); err != nil {
+		log.Error().Err(err).Msg("could not update the number of deployments")
+	}
+
+	return nil
+}
+
+func (service ServiceTx) RemoveEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
+	for _, endpointID := range endpointIDs {
+		rel, err := service.EndpointRelation(endpointID)
+		if err != nil {
+			return err
+		}
+
+		delete(rel.EdgeStacks, edgeStackID)
+
+		identifier := service.service.connection.ConvertToKey(int(endpointID))
+		err = service.tx.UpdateObject(BucketName, identifier, rel)
+		cache.Del(endpointID)
+		if err != nil {
+			return err
+		}
+	}
+
+	service.service.mu.Lock()
+	service.service.endpointRelationsCache = nil
+	service.service.mu.Unlock()
+
+	if err := service.service.updateStackFnTx(service.tx, edgeStackID, func(edgeStack *portainer.EdgeStack) {
+		edgeStack.NumDeployments -= len(endpointIDs)
+	}); err != nil {
+		log.Error().Err(err).Msg("could not update the number of deployments")
+	}
+
+	return nil
+}
+
 // DeleteEndpointRelation deletes an Environment(Endpoint) relation object
 func (service ServiceTx) DeleteEndpointRelation(endpointID portainer.EndpointID) error {
 	deletedRelation, _ := service.EndpointRelation(endpointID)
@@ -77,27 +147,44 @@ func (service ServiceTx) DeleteEndpointRelation(endpointID portainer.EndpointID)
 		return err
 	}

+	service.service.mu.Lock()
+	service.service.endpointRelationsCache = nil
+	service.service.mu.Unlock()
+
 	service.updateEdgeStacksAfterRelationChange(deletedRelation, nil)

 	return nil
 }

 func (service ServiceTx) InvalidateEdgeCacheForEdgeStack(edgeStackID portainer.EdgeStackID) {
-	rels, err := service.EndpointRelations()
+	rels, err := service.cachedEndpointRelations()
 	if err != nil {
 		log.Error().Err(err).Msg("cannot retrieve endpoint relations")
 		return
 	}

 	for _, rel := range rels {
-		for id := range rel.EdgeStacks {
-			if edgeStackID == id {
-				cache.Del(rel.EndpointID)
-			}
+		if _, ok := rel.EdgeStacks[edgeStackID]; ok {
+			cache.Del(rel.EndpointID)
 		}
 	}
 }

+func (service ServiceTx) cachedEndpointRelations() ([]portainer.EndpointRelation, error) {
+	service.service.mu.Lock()
+	defer service.service.mu.Unlock()
+
+	if service.service.endpointRelationsCache == nil {
+		var err error
+		service.service.endpointRelationsCache, err = service.EndpointRelations()
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return service.service.endpointRelationsCache, nil
+}
+
 func (service ServiceTx) updateEdgeStacksAfterRelationChange(previousRelationState *portainer.EndpointRelation, updatedRelationState *portainer.EndpointRelation) {
 	relations, _ := service.EndpointRelations()

@@ -133,6 +220,7 @@ func (service ServiceTx) updateEdgeStacksAfterRelationChange(previousRelationSta
 		}

 		numDeployments := 0
+
 		for _, r := range relations {
 			for sId, enabled := range r.EdgeStacks {
 				if enabled && sId == refStackId {
--- a/api/dataservices/interface.go
+++ b/api/dataservices/interface.go
@@ -12,6 +12,7 @@ type (
 		EdgeGroup() EdgeGroupService
 		EdgeJob() EdgeJobService
 		EdgeStack() EdgeStackService
+		EdgeStackStatus() EdgeStackStatusService
 		Endpoint() EndpointService
 		EndpointGroup() EndpointGroupService
 		EndpointRelation() EndpointRelationService
@@ -39,8 +40,8 @@ type (
 		Open() (newStore bool, err error)
 		Init() error
 		Close() error
-		UpdateTx(func(DataStoreTx) error) error
-		ViewTx(func(DataStoreTx) error) error
+		UpdateTx(func(tx DataStoreTx) error) error
+		ViewTx(func(tx DataStoreTx) error) error
 		MigrateData() error
 		Rollback(force bool) error
 		CheckCurrentEdition() error
@@ -89,6 +90,16 @@ type (
 		BucketName() string
 	}

+	EdgeStackStatusService interface {
+		Create(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID, status *portainer.EdgeStackStatusForEnv) error
+		Read(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID) (*portainer.EdgeStackStatusForEnv, error)
+		ReadAll(edgeStackID portainer.EdgeStackID) ([]portainer.EdgeStackStatusForEnv, error)
+		Update(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID, status *portainer.EdgeStackStatusForEnv) error
+		Delete(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID) error
+		DeleteAll(edgeStackID portainer.EdgeStackID) error
+		Clear(edgeStackID portainer.EdgeStackID, relatedEnvironmentsIDs []portainer.EndpointID) error
+	}
+
 	// EndpointService represents a service for managing environment(endpoint) data
 	EndpointService interface {
 		Endpoint(ID portainer.EndpointID) (*portainer.Endpoint, error)
@@ -115,6 +126,8 @@ type (
 		EndpointRelation(EndpointID portainer.EndpointID) (*portainer.EndpointRelation, error)
 		Create(endpointRelation *portainer.EndpointRelation) error
 		UpdateEndpointRelation(EndpointID portainer.EndpointID, endpointRelation *portainer.EndpointRelation) error
+		AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error
+		RemoveEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error
 		DeleteEndpointRelation(EndpointID portainer.EndpointID) error
 		BucketName() string
 	}
@@ -157,6 +170,7 @@ type (

 	SnapshotService interface {
 		BaseCRUD[portainer.Snapshot, portainer.EndpointID]
+		ReadWithoutSnapshotRaw(ID portainer.EndpointID) (*portainer.Snapshot, error)
 	}

 	// SSLSettingsService represents a service for managing application settings
--- a/api/dataservices/resourcecontrol/resourcecontrol.go
+++ b/api/dataservices/resourcecontrol/resourcecontrol.go
@@ -48,7 +48,7 @@ func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
 // if no ResourceControl was found.
 func (service *Service) ResourceControlByResourceIDAndType(resourceID string, resourceType portainer.ResourceControlType) (*portainer.ResourceControl, error) {
 	var resourceControl *portainer.ResourceControl
-	stop := fmt.Errorf("ok")
+	stop := errors.New("ok")
 	err := service.Connection.GetAll(
 		BucketName,
 		&portainer.ResourceControl{},
--- a/api/dataservices/resourcecontrol/tx.go
+++ b/api/dataservices/resourcecontrol/tx.go
@@ -19,7 +19,7 @@ type ServiceTx struct {
 // if no ResourceControl was found.
 func (service ServiceTx) ResourceControlByResourceIDAndType(resourceID string, resourceType portainer.ResourceControlType) (*portainer.ResourceControl, error) {
 	var resourceControl *portainer.ResourceControl
-	stop := fmt.Errorf("ok")
+	stop := errors.New("ok")
 	err := service.Tx.GetAll(
 		BucketName,
 		&portainer.ResourceControl{},
--- a/api/dataservices/snapshot/snapshot.go
+++ b/api/dataservices/snapshot/snapshot.go
@@ -38,3 +38,33 @@ func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
 func (service *Service) Create(snapshot *portainer.Snapshot) error {
 	return service.Connection.CreateObjectWithId(BucketName, int(snapshot.EndpointID), snapshot)
 }
+
+func (service *Service) ReadWithoutSnapshotRaw(ID portainer.EndpointID) (*portainer.Snapshot, error) {
+	var snapshot *portainer.Snapshot
+
+	err := service.Connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		snapshot, err = service.Tx(tx).ReadWithoutSnapshotRaw(ID)
+
+		return err
+	})
+
+	return snapshot, err
+}
+
+func (service *Service) ReadRawMessage(ID portainer.EndpointID) (*portainer.SnapshotRawMessage, error) {
+	var snapshot *portainer.SnapshotRawMessage
+
+	err := service.Connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		snapshot, err = service.Tx(tx).ReadRawMessage(ID)
+
+		return err
+	})
+
+	return snapshot, err
+}
+
+func (service *Service) CreateRawMessage(snapshot *portainer.SnapshotRawMessage) error {
+	return service.Connection.CreateObjectWithId(BucketName, int(snapshot.EndpointID), snapshot)
+}
--- a/api/dataservices/snapshot/tx.go
+++ b/api/dataservices/snapshot/tx.go
@@ -12,3 +12,42 @@ type ServiceTx struct {
 func (service ServiceTx) Create(snapshot *portainer.Snapshot) error {
 	return service.Tx.CreateObjectWithId(BucketName, int(snapshot.EndpointID), snapshot)
 }
+
+func (service ServiceTx) ReadWithoutSnapshotRaw(ID portainer.EndpointID) (*portainer.Snapshot, error) {
+	var snapshot struct {
+		Docker *struct {
+			X struct{} `json:"DockerSnapshotRaw"`
+			*portainer.DockerSnapshot
+		} `json:"Docker"`
+
+		portainer.Snapshot
+	}
+
+	identifier := service.Connection.ConvertToKey(int(ID))
+
+	if err := service.Tx.GetObject(service.Bucket, identifier, &snapshot); err != nil {
+		return nil, err
+	}
+
+	if snapshot.Docker != nil {
+		snapshot.Snapshot.Docker = snapshot.Docker.DockerSnapshot
+	}
+
+	return &snapshot.Snapshot, nil
+}
+
+func (service ServiceTx) ReadRawMessage(ID portainer.EndpointID) (*portainer.SnapshotRawMessage, error) {
+	var snapshot = portainer.SnapshotRawMessage{}
+
+	identifier := service.Connection.ConvertToKey(int(ID))
+
+	if err := service.Tx.GetObject(service.Bucket, identifier, &snapshot); err != nil {
+		return nil, err
+	}
+
+	return &snapshot, nil
+}
+
+func (service ServiceTx) CreateRawMessage(snapshot *portainer.SnapshotRawMessage) error {
+	return service.Tx.CreateObjectWithId(BucketName, int(snapshot.EndpointID), snapshot)
+}
--- a/api/datastore/backup_test.go
+++ b/api/datastore/backup_test.go
@@ -1,7 +1,6 @@
 package datastore

 import (
-	"fmt"
 	"testing"

 	portainer "github.com/portainer/portainer/api"
@@ -33,7 +32,7 @@ func TestStoreCreation(t *testing.T) {
 func TestBackup(t *testing.T) {
 	_, store := MustNewTestStore(t, true, true)
 	backupFileName := store.backupFilename()
-	t.Run(fmt.Sprintf("Backup should create %s", backupFileName), func(t *testing.T) {
+	t.Run("Backup should create "+backupFileName, func(t *testing.T) {
 		v := models.Version{
 			Edition:       int(portainer.PortainerCE),
 			SchemaVersion: portainer.APIVersion,
--- a/api/datastore/datastore.go
+++ b/api/datastore/datastore.go
@@ -16,8 +16,9 @@ import (
 )

 // NewStore initializes a new Store and the associated services
-func NewStore(storePath string, fileService portainer.FileService, connection portainer.Connection) *Store {
+func NewStore(cliFlags *portainer.CLIFlags, fileService portainer.FileService, connection portainer.Connection) *Store {
 	return &Store{
+		flags:       cliFlags,
 		fileService: fileService,
 		connection:  connection,
 	}
--- a/api/datastore/init.go
+++ b/api/datastore/init.go
@@ -57,7 +57,7 @@ func (store *Store) checkOrCreateDefaultSettings() error {
 			HelmRepositoryURL:        portainer.DefaultHelmRepositoryURL,
 			UserSessionTimeout:       portainer.DefaultUserSessionTimeout,
 			KubeconfigExpiry:         portainer.DefaultKubeconfigExpiry,
-			KubectlShellImage:        portainer.DefaultKubectlShellImage,
+			KubectlShellImage:        *store.flags.KubectlShellImage,

 			IsDockerDesktopExtension: isDDExtention,
 		}
--- a/api/datastore/migrate_data.go
+++ b/api/datastore/migrate_data.go
@@ -32,7 +32,7 @@ func (store *Store) MigrateData() error {
 		return errors.Wrap(err, "while migrating legacy version")
 	}

-	migratorParams := store.newMigratorParameters(version)
+	migratorParams := store.newMigratorParameters(version, store.flags)
 	migrator := migrator.NewMigrator(migratorParams)

 	if !migrator.NeedsMigration() {
@@ -40,13 +40,11 @@ func (store *Store) MigrateData() error {
 	}

 	// before we alter anything in the DB, create a backup
-	_, err = store.Backup("")
-	if err != nil {
+	if _, err := store.Backup(""); err != nil {
 		return errors.Wrap(err, "while backing up database")
 	}

-	err = store.FailSafeMigrate(migrator, version)
-	if err != nil {
+	if err := store.FailSafeMigrate(migrator, version); err != nil {
 		err = errors.Wrap(err, "failed to migrate database")

 		log.Warn().Err(err).Msg("migration failed, restoring database to previous version")
@@ -62,8 +60,9 @@ func (store *Store) MigrateData() error {
 	return nil
 }

-func (store *Store) newMigratorParameters(version *models.Version) *migrator.MigratorParameters {
+func (store *Store) newMigratorParameters(version *models.Version, flags *portainer.CLIFlags) *migrator.MigratorParameters {
 	return &migrator.MigratorParameters{
+		Flags:                   flags,
 		CurrentDBVersion:        version,
 		EndpointGroupService:    store.EndpointGroupService,
 		EndpointService:         store.EndpointService,
@@ -84,6 +83,7 @@ func (store *Store) newMigratorParameters(version *models.Version) *migrator.Mig
 		DockerhubService:        store.DockerHubService,
 		AuthorizationService:    authorization.NewService(store),
 		EdgeStackService:        store.EdgeStackService,
+		EdgeStackStatusService:  store.EdgeStackStatusService,
 		EdgeJobService:          store.EdgeJobService,
 		TunnelServerService:     store.TunnelServerService,
 		PendingActionsService:   store.PendingActionsService,
@@ -139,8 +139,7 @@ func (store *Store) connectionRollback(force bool) error {
 		}
 	}

-	err := store.Restore()
-	if err != nil {
+	if err := store.Restore(); err != nil {
 		return err
 	}

--- a/api/datastore/migrate_data_test.go
+++ b/api/datastore/migrate_data_test.go
@@ -109,7 +109,7 @@ func TestMigrateData(t *testing.T) {
 			t.FailNow()
 		}

-		migratorParams := store.newMigratorParameters(v)
+		migratorParams := store.newMigratorParameters(v, store.flags)
 		m := migrator.NewMigrator(migratorParams)
 		latestMigrations := m.LatestMigrations()

--- a/api/datastore/migrate_dbversion29_test.go
+++ b/api/datastore/migrate_dbversion29_test.go
@@ -48,6 +48,7 @@ func TestMigrateSettings(t *testing.T) {
 	}

 	m := migrator.NewMigrator(&migrator.MigratorParameters{
+		Flags:                   store.flags,
 		EndpointGroupService:    store.EndpointGroupService,
 		EndpointService:         store.EndpointService,
 		EndpointRelationService: store.EndpointRelationService,
--- a/api/datastore/migrator/migrate_2_31_0.go
+++ b/api/datastore/migrator/migrate_2_31_0.go
@@ -0,0 +1,31 @@
+package migrator
+
+import portainer "github.com/portainer/portainer/api"
+
+func (m *Migrator) migrateEdgeStacksStatuses_2_31_0() error {
+	edgeStacks, err := m.edgeStackService.EdgeStacks()
+	if err != nil {
+		return err
+	}
+
+	for _, edgeStack := range edgeStacks {
+		for envID, status := range edgeStack.Status {
+			if err := m.edgeStackStatusService.Create(edgeStack.ID, envID, &portainer.EdgeStackStatusForEnv{
+				EndpointID:       envID,
+				Status:           status.Status,
+				DeploymentInfo:   status.DeploymentInfo,
+				ReadyRePullImage: status.ReadyRePullImage,
+			}); err != nil {
+				return err
+			}
+		}
+
+		edgeStack.Status = nil
+
+		if err := m.edgeStackService.UpdateEdgeStack(edgeStack.ID, &edgeStack); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
--- a/api/datastore/migrator/migrate_2_32_0.go
+++ b/api/datastore/migrator/migrate_2_32_0.go
@@ -0,0 +1,33 @@
+package migrator
+
+import (
+	"github.com/pkg/errors"
+	portainer "github.com/portainer/portainer/api"
+	perrors "github.com/portainer/portainer/api/dataservices/errors"
+	"github.com/portainer/portainer/api/internal/endpointutils"
+)
+
+func (m *Migrator) addEndpointRelationForEdgeAgents_2_32_0() error {
+	endpoints, err := m.endpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range endpoints {
+		if endpointutils.IsEdgeEndpoint(&endpoint) {
+			_, err := m.endpointRelationService.EndpointRelation(endpoint.ID)
+			if err != nil && errors.Is(err, perrors.ErrObjectNotFound) {
+				relation := &portainer.EndpointRelation{
+					EndpointID: endpoint.ID,
+					EdgeStacks: make(map[portainer.EdgeStackID]bool),
+				}
+
+				if err := m.endpointRelationService.Create(relation); err != nil {
+					return err
+				}
+			}
+		}
+	}
+
+	return nil
+}
--- a/api/datastore/migrator/migrate_dbversion100.go
+++ b/api/datastore/migrator/migrate_dbversion100.go
@@ -94,6 +94,10 @@ func (m *Migrator) updateEdgeStackStatusForDB100() error {
 				continue
 			}

+			if environmentStatus.Details == nil {
+				continue
+			}
+
 			statusArray := []portainer.EdgeStackDeploymentStatus{}
 			if environmentStatus.Details.Pending {
 				statusArray = append(statusArray, portainer.EdgeStackDeploymentStatus{
--- a/api/datastore/migrator/migrate_dbversion20.go
+++ b/api/datastore/migrator/migrate_dbversion20.go
@@ -18,8 +18,7 @@ func (m *Migrator) updateResourceControlsToDBVersion22() error {
 	for _, resourceControl := range legacyResourceControls {
 		resourceControl.AdministratorsOnly = false

-		err := m.resourceControlService.Update(resourceControl.ID, &resourceControl)
-		if err != nil {
+		if err := m.resourceControlService.Update(resourceControl.ID, &resourceControl); err != nil {
 			return err
 		}
 	}
@@ -42,8 +41,8 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {

 	for _, user := range legacyUsers {
 		user.PortainerAuthorizations = authorization.DefaultPortainerAuthorizations()
-		err = m.userService.Update(user.ID, &user)
-		if err != nil {
+
+		if err := m.userService.Update(user.ID, &user); err != nil {
 			return err
 		}
 	}
@@ -52,38 +51,47 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
 	if err != nil {
 		return err
 	}
+
 	endpointAdministratorRole.Priority = 1
 	endpointAdministratorRole.Authorizations = authorization.DefaultEndpointAuthorizationsForEndpointAdministratorRole()

-	err = m.roleService.Update(endpointAdministratorRole.ID, endpointAdministratorRole)
+	if err := m.roleService.Update(endpointAdministratorRole.ID, endpointAdministratorRole); err != nil {
+		return err
+	}

 	helpDeskRole, err := m.roleService.Read(portainer.RoleID(2))
 	if err != nil {
 		return err
 	}
+
 	helpDeskRole.Priority = 2
 	helpDeskRole.Authorizations = authorization.DefaultEndpointAuthorizationsForHelpDeskRole(settings.AllowVolumeBrowserForRegularUsers)

-	err = m.roleService.Update(helpDeskRole.ID, helpDeskRole)
+	if err := m.roleService.Update(helpDeskRole.ID, helpDeskRole); err != nil {
+		return err
+	}

 	standardUserRole, err := m.roleService.Read(portainer.RoleID(3))
 	if err != nil {
 		return err
 	}
+
 	standardUserRole.Priority = 3
 	standardUserRole.Authorizations = authorization.DefaultEndpointAuthorizationsForStandardUserRole(settings.AllowVolumeBrowserForRegularUsers)

-	err = m.roleService.Update(standardUserRole.ID, standardUserRole)
+	if err := m.roleService.Update(standardUserRole.ID, standardUserRole); err != nil {
+		return err
+	}

 	readOnlyUserRole, err := m.roleService.Read(portainer.RoleID(4))
 	if err != nil {
 		return err
 	}
+
 	readOnlyUserRole.Priority = 4
 	readOnlyUserRole.Authorizations = authorization.DefaultEndpointAuthorizationsForReadOnlyUserRole(settings.AllowVolumeBrowserForRegularUsers)

-	err = m.roleService.Update(readOnlyUserRole.ID, readOnlyUserRole)
-	if err != nil {
+	if err := m.roleService.Update(readOnlyUserRole.ID, readOnlyUserRole); err != nil {
 		return err
 	}

--- a/api/datastore/migrator/migrate_dbversion32.go
+++ b/api/datastore/migrator/migrate_dbversion32.go
@@ -1,8 +1,6 @@
 package migrator

 import (
-	portainer "github.com/portainer/portainer/api"
-
 	"github.com/rs/zerolog/log"
 )

@@ -20,7 +18,7 @@ func (m *Migrator) migrateSettingsToDB33() error {
 	}

 	log.Info().Msg("setting default kubectl shell image")
-	settings.KubectlShellImage = portainer.DefaultKubectlShellImage
+	settings.KubectlShellImage = *m.flags.KubectlShellImage

 	return m.settingsService.UpdateSettings(settings)
 }
--- a/api/datastore/migrator/migrate_dbversion80.go
+++ b/api/datastore/migrator/migrate_dbversion80.go
@@ -75,6 +75,10 @@ func (m *Migrator) updateEdgeStackStatusForDB80() error {

 	for _, edgeStack := range edgeStacks {
 		for endpointId, status := range edgeStack.Status {
+			if status.Details == nil {
+				status.Details = &portainer.EdgeStackStatusDetails{}
+			}
+
 			switch status.Type {
 			case portainer.EdgeStackStatusPending:
 				status.Details.Pending = true
@@ -93,10 +97,10 @@ func (m *Migrator) updateEdgeStackStatusForDB80() error {
 			edgeStack.Status[endpointId] = status
 		}

-		err = m.edgeStackService.UpdateEdgeStack(edgeStack.ID, &edgeStack)
-		if err != nil {
+		if err := m.edgeStackService.UpdateEdgeStack(edgeStack.ID, &edgeStack); err != nil {
 			return err
 		}
 	}
+
 	return nil
 }
--- a/api/datastore/migrator/migrator.go
+++ b/api/datastore/migrator/migrator.go
@@ -3,12 +3,12 @@ package migrator
 import (
 	"errors"

-	"github.com/Masterminds/semver"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/models"
 	"github.com/portainer/portainer/api/dataservices/dockerhub"
 	"github.com/portainer/portainer/api/dataservices/edgejob"
 	"github.com/portainer/portainer/api/dataservices/edgestack"
+	"github.com/portainer/portainer/api/dataservices/edgestackstatus"
 	"github.com/portainer/portainer/api/dataservices/endpoint"
 	"github.com/portainer/portainer/api/dataservices/endpointgroup"
 	"github.com/portainer/portainer/api/dataservices/endpointrelation"
@@ -27,12 +27,15 @@ import (
 	"github.com/portainer/portainer/api/dataservices/user"
 	"github.com/portainer/portainer/api/dataservices/version"
 	"github.com/portainer/portainer/api/internal/authorization"
+
+	"github.com/Masterminds/semver"
 	"github.com/rs/zerolog/log"
 )

 type (
 	// Migrator defines a service to migrate data after a Portainer version update.
 	Migrator struct {
+		flags            *portainer.CLIFlags
 		currentDBVersion *models.Version
 		migrations       []Migrations

@@ -55,6 +58,7 @@ type (
 		authorizationService    *authorization.Service
 		dockerhubService        *dockerhub.Service
 		edgeStackService        *edgestack.Service
+		edgeStackStatusService  *edgestackstatus.Service
 		edgeJobService          *edgejob.Service
 		TunnelServerService     *tunnelserver.Service
 		pendingActionsService   *pendingactions.Service
@@ -62,6 +66,7 @@ type (

 	// MigratorParameters represents the required parameters to create a new Migrator instance.
 	MigratorParameters struct {
+		Flags                   *portainer.CLIFlags
 		CurrentDBVersion        *models.Version
 		EndpointGroupService    *endpointgroup.Service
 		EndpointService         *endpoint.Service
@@ -82,6 +87,7 @@ type (
 		AuthorizationService    *authorization.Service
 		DockerhubService        *dockerhub.Service
 		EdgeStackService        *edgestack.Service
+		EdgeStackStatusService  *edgestackstatus.Service
 		EdgeJobService          *edgejob.Service
 		TunnelServerService     *tunnelserver.Service
 		PendingActionsService   *pendingactions.Service
@@ -91,6 +97,7 @@ type (
 // NewMigrator creates a new Migrator.
 func NewMigrator(parameters *MigratorParameters) *Migrator {
 	migrator := &Migrator{
+		flags:                   parameters.Flags,
 		currentDBVersion:        parameters.CurrentDBVersion,
 		endpointGroupService:    parameters.EndpointGroupService,
 		endpointService:         parameters.EndpointService,
@@ -111,6 +118,7 @@ func NewMigrator(parameters *MigratorParameters) *Migrator {
 		authorizationService:    parameters.AuthorizationService,
 		dockerhubService:        parameters.DockerhubService,
 		edgeStackService:        parameters.EdgeStackService,
+		edgeStackStatusService:  parameters.EdgeStackStatusService,
 		edgeJobService:          parameters.EdgeJobService,
 		TunnelServerService:     parameters.TunnelServerService,
 		pendingActionsService:   parameters.PendingActionsService,
@@ -239,6 +247,10 @@ func (m *Migrator) initMigrations() {
 		m.migratePendingActionsDataForDB130,
 	)

+	m.addMigrations("2.31.0", m.migrateEdgeStacksStatuses_2_31_0)
+
+	m.addMigrations("2.32.0", m.addEndpointRelationForEdgeAgents_2_32_0)
+
 	// Add new migrations above...
 	// One function per migration, each versions migration funcs in the same file.
 }
--- a/api/datastore/postinit/migrate_post_init.go
+++ b/api/datastore/postinit/migrate_post_init.go
@@ -11,6 +11,7 @@ import (
 	"github.com/portainer/portainer/api/internal/endpointutils"
 	"github.com/portainer/portainer/api/kubernetes/cli"
 	"github.com/portainer/portainer/api/pendingactions/actions"
+	"github.com/portainer/portainer/pkg/endpoints"

 	"github.com/rs/zerolog/log"
 )
@@ -49,17 +50,29 @@ func (postInitMigrator *PostInitMigrator) PostInitMigrate() error {

 	for _, environment := range environments {
 		// edge environments will run after the server starts, in pending actions
-		if endpointutils.IsEdgeEndpoint(&environment) {
-			log.Info().Msgf("Adding pending action 'PostInitMigrateEnvironment' for environment %d", environment.ID)
-			err = postInitMigrator.createPostInitMigrationPendingAction(environment.ID)
-			if err != nil {
-				log.Error().Err(err).Msgf("Error creating pending action for environment %d", environment.ID)
+		if endpoints.IsEdgeEndpoint(&environment) {
+			// Skip edge environments that do not have direct connectivity
+			if !endpoints.HasDirectConnectivity(&environment) {
+				continue
+			}
+
+			log.Info().
+				Int("endpoint_id", int(environment.ID)).
+				Msg("adding pending action 'PostInitMigrateEnvironment' for environment")
+
+			if err := postInitMigrator.createPostInitMigrationPendingAction(environment.ID); err != nil {
+				log.Error().
+					Err(err).
+					Int("endpoint_id", int(environment.ID)).
+					Msg("error creating pending action for environment")
 			}
 		} else {
-			// non-edge environments will run before the server starts.
-			err = postInitMigrator.MigrateEnvironment(&environment)
-			if err != nil {
-				log.Error().Err(err).Msgf("Error running post-init migrations for non-edge environment %d", environment.ID)
+			// Non-edge environments will run before the server starts.
+			if err := postInitMigrator.MigrateEnvironment(&environment); err != nil {
+				log.Error().
+					Err(err).
+					Int("endpoint_id", int(environment.ID)).
+					Msg("error running post-init migrations for non-edge environment")
 			}
 		}

--- a/api/datastore/services.go
+++ b/api/datastore/services.go
@@ -13,6 +13,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices/edgegroup"
 	"github.com/portainer/portainer/api/dataservices/edgejob"
 	"github.com/portainer/portainer/api/dataservices/edgestack"
+	"github.com/portainer/portainer/api/dataservices/edgestackstatus"
 	"github.com/portainer/portainer/api/dataservices/endpoint"
 	"github.com/portainer/portainer/api/dataservices/endpointgroup"
 	"github.com/portainer/portainer/api/dataservices/endpointrelation"
@@ -39,9 +40,12 @@ import (
 	"github.com/segmentio/encoding/json"
 )

+var _ dataservices.DataStore = &Store{}
+
 // Store defines the implementation of portainer.DataStore using
 // BoltDB as the storage system.
 type Store struct {
+	flags      *portainer.CLIFlags
 	connection portainer.Connection

 	fileService               portainer.FileService
@@ -50,6 +54,7 @@ type Store struct {
 	EdgeGroupService          *edgegroup.Service
 	EdgeJobService            *edgejob.Service
 	EdgeStackService          *edgestack.Service
+	EdgeStackStatusService    *edgestackstatus.Service
 	EndpointGroupService      *endpointgroup.Service
 	EndpointService           *endpoint.Service
 	EndpointRelationService   *endpointrelation.Service
@@ -99,13 +104,21 @@ func (store *Store) initServices() error {
 	}
 	store.EndpointRelationService = endpointRelationService

-	edgeStackService, err := edgestack.NewService(store.connection, endpointRelationService.InvalidateEdgeCacheForEdgeStack)
+	edgeStackService, err := edgestack.NewService(store.connection, func(tx portainer.Transaction, ID portainer.EdgeStackID) {
+		endpointRelationService.Tx(tx).InvalidateEdgeCacheForEdgeStack(ID)
+	})
 	if err != nil {
 		return err
 	}
 	store.EdgeStackService = edgeStackService
 	endpointRelationService.RegisterUpdateStackFunction(edgeStackService.UpdateEdgeStackFunc, edgeStackService.UpdateEdgeStackFuncTx)

+	edgeStackStatusService, err := edgestackstatus.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.EdgeStackStatusService = edgeStackStatusService
+
 	edgeGroupService, err := edgegroup.NewService(store.connection)
 	if err != nil {
 		return err
@@ -266,6 +279,10 @@ func (store *Store) EdgeStack() dataservices.EdgeStackService {
 	return store.EdgeStackService
 }

+func (store *Store) EdgeStackStatus() dataservices.EdgeStackStatusService {
+	return store.EdgeStackStatusService
+}
+
 // Environment(Endpoint) gives access to the Environment(Endpoint) data management layer
 func (store *Store) Endpoint() dataservices.EndpointService {
 	return store.EndpointService
--- a/api/datastore/services_tx.go
+++ b/api/datastore/services_tx.go
@@ -32,6 +32,10 @@ func (tx *StoreTx) EdgeStack() dataservices.EdgeStackService {
 	return tx.store.EdgeStackService.Tx(tx.tx)
 }

+func (tx *StoreTx) EdgeStackStatus() dataservices.EdgeStackStatusService {
+	return tx.store.EdgeStackStatusService.Tx(tx.tx)
+}
+
 func (tx *StoreTx) Endpoint() dataservices.EndpointService {
 	return tx.store.EndpointService.Tx(tx.tx)
 }
--- a/api/datastore/test_data/input_24.json
+++ b/api/datastore/test_data/input_24.json
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@@ -1,10 +1,16 @@
 {
+  "api_key": null,
+  "customtemplates": null,
  "dockerhub": [
    {
      "Authentication": false,
      "Username": ""
    }
  ],
+  "edge_stack": null,
+  "edge_stack_status": null,
+  "edgegroups": null,
+  "edgejobs": null,
  "endpoint_groups": [
    {
      "AuthorizedTeams": null,
@@ -103,6 +109,9 @@
      "UserAccessPolicies": {}
    }
  ],
+  "extension": null,
+  "helm_user_repository": null,
+  "pending_actions": null,
  "registries": [
    {
      "Authentication": true,
@@ -112,6 +121,10 @@
      "Ecr": {
        "Region": ""
      },
+      "Github": {
+        "OrganisationName": "",
+        "UseOrganisation": false
+      },
      "Gitlab": {
        "InstanceURL": "",
        "ProjectId": 0,
@@ -602,7 +615,7 @@
      "RequiredPasswordLength": 12
    },
    "KubeconfigExpiry": "0",
-    "KubectlShellImage": "portainer/kubectl-shell:2.22.0",
+    "KubectlShellImage": "portainer/kubectl-shell:2.32.0",
    "LDAPSettings": {
      "AnonymousMode": true,
      "AutoCreateUsers": true,
@@ -664,19 +677,17 @@
    {
      "Docker": {
        "ContainerCount": 0,
+        "DiagnosticsData": {},
        "DockerSnapshotRaw": {
          "Containers": null,
          "Images": null,
          "Info": {
            "Architecture": "",
-            "BridgeNfIp6tables": false,
-            "BridgeNfIptables": false,
            "CDISpecDirs": null,
            "CPUSet": false,
            "CPUShares": false,
            "CgroupDriver": "",
            "ContainerdCommit": {
-              "Expected": "",
              "ID": ""
            },
            "Containers": 0,
@@ -700,7 +711,6 @@
            "IndexServerAddress": "",
            "InitBinary": "",
            "InitCommit": {
-              "Expected": "",
              "ID": ""
            },
            "Isolation": "",
@@ -729,7 +739,6 @@
            },
            "RegistryConfig": null,
            "RuncCommit": {
-              "Expected": "",
              "ID": ""
            },
            "Runtimes": null,
@@ -771,6 +780,7 @@
        "ImageCount": 9,
        "IsPodman": false,
        "NodeCount": 0,
+        "PerformanceMetrics": null,
        "RunningContainerCount": 5,
        "ServiceCount": 0,
        "StackCount": 2,
@@ -860,6 +870,8 @@
      "UpdatedBy": ""
    }
  ],
+  "tags": null,
+  "team_membership": null,
  "teams": [
    {
      "Id": 1,
@@ -932,6 +944,7 @@
    }
  ],
  "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.22.0\",\"MigratorCount\":1,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
-  }
+    "VERSION": "{\"SchemaVersion\":\"2.32.0\",\"MigratorCount\":1,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+  },
+  "webhooks": null
 }
--- a/api/datastore/teststore.go
+++ b/api/datastore/teststore.go
@@ -29,6 +29,10 @@ func MustNewTestStore(t testing.TB, init, secure bool) (bool, *Store) {
 func NewTestStore(t testing.TB, init, secure bool) (bool, *Store, func(), error) {
 	// Creates unique temp directory in a concurrency friendly manner.
 	storePath := t.TempDir()
+	defaultKubectlShellImage := portainer.DefaultKubectlShellImage
+	flags := &portainer.CLIFlags{
+		KubectlShellImage: &defaultKubectlShellImage,
+	}

 	fileService, err := filesystem.NewService(storePath, "")
 	if err != nil {
@@ -45,7 +49,7 @@ func NewTestStore(t testing.TB, init, secure bool) (bool, *Store, func(), error)
 		panic(err)
 	}

-	store := NewStore(storePath, fileService, connection)
+	store := NewStore(flags, fileService, connection)
 	newStore, err := store.Open()
 	if err != nil {
 		return newStore, nil, nil, err
--- a/api/datastore/validate/validate.go
+++ b/api/datastore/validate/validate.go
@@ -1,15 +0,0 @@
-package validate
-
-import (
-	"github.com/go-playground/validator/v10"
-	portainer "github.com/portainer/portainer/api"
-)
-
-var validate *validator.Validate
-
-func ValidateLDAPSettings(ldp *portainer.LDAPSettings) error {
-	validate = validator.New()
-	registerValidationMethods(validate)
-
-	return validate.Struct(ldp)
-}
--- a/api/datastore/validate/validate_test.go
+++ b/api/datastore/validate/validate_test.go
@@ -1,61 +0,0 @@
-package validate
-
-import (
-	"testing"
-
-	portainer "github.com/portainer/portainer/api"
-)
-
-func TestValidateLDAPSettings(t *testing.T) {
-
-	tests := []struct {
-		name    string
-		ldap    portainer.LDAPSettings
-		wantErr bool
-	}{
-		{
-			name:    "Empty LDAP Settings",
-			ldap:    portainer.LDAPSettings{},
-			wantErr: true,
-		},
-		{
-			name: "With URL",
-			ldap: portainer.LDAPSettings{
-				AnonymousMode: true,
-				URL:           "192.168.0.1:323",
-			},
-			wantErr: false,
-		},
-		{
-			name: "Validate URL and URLs",
-			ldap: portainer.LDAPSettings{
-				AnonymousMode: true,
-				URL:           "192.168.0.1:323",
-			},
-			wantErr: false,
-		},
-		{
-			name: "validate client ldap",
-			ldap: portainer.LDAPSettings{
-				AnonymousMode: false,
-				ReaderDN:      "CN=LDAP API Service Account",
-				Password:      "Qu**dfUUU**",
-				URL:           "aukdc15.pgc.co:389",
-				TLSConfig: portainer.TLSConfiguration{
-					TLS:           false,
-					TLSSkipVerify: false,
-				},
-			},
-			wantErr: false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			err := ValidateLDAPSettings(&tt.ldap)
-			if (err == nil) == tt.wantErr {
-				t.Errorf("No error expected but got %s", err)
-			}
-		})
-	}
-}
--- a/api/datastore/validate/validationMethods.go
+++ b/api/datastore/validate/validationMethods.go
@@ -1,17 +0,0 @@
-package validate
-
-import (
-	"github.com/go-playground/validator/v10"
-)
-
-func registerValidationMethods(v *validator.Validate) {
-	v.RegisterValidation("validate_bool", ValidateBool)
-}
-
-/**
- * Validation methods below are being used for custom validation
- */
-func ValidateBool(fl validator.FieldLevel) bool {
-	_, ok := fl.Field().Interface().(bool)
-	return ok
-}
--- a/api/docker/client/client.go
+++ b/api/docker/client/client.go
@@ -3,8 +3,8 @@ package client
 import (
 	"bytes"
 	"errors"
+	"fmt"
 	"io"
-	"maps"
 	"net/http"
 	"strings"
 	"time"
@@ -73,19 +73,6 @@ func createLocalClient(endpoint *portainer.Endpoint) (*client.Client, error) {
 	)
 }

-func CreateClientFromEnv() (*client.Client, error) {
-	return client.NewClientWithOpts(
-		client.FromEnv,
-		client.WithAPIVersionNegotiation(),
-	)
-}
-
-func CreateSimpleClient() (*client.Client, error) {
-	return client.NewClientWithOpts(
-		client.WithAPIVersionNegotiation(),
-	)
-}
-
 func createTCPClient(endpoint *portainer.Endpoint, timeout *time.Duration) (*client.Client, error) {
 	httpCli, err := httpClient(endpoint, timeout)
 	if err != nil {
@@ -141,7 +128,6 @@ func createAgentClient(endpoint *portainer.Endpoint, endpointURL string, signatu

 type NodeNameTransport struct {
 	*http.Transport
-	nodeNames map[string]string
 }

 func (t *NodeNameTransport) RoundTrip(req *http.Request) (*http.Response, error) {
@@ -176,18 +162,19 @@ func (t *NodeNameTransport) RoundTrip(req *http.Request) (*http.Response, error)
 		return resp, nil
 	}

-	t.nodeNames = make(map[string]string)
-	for _, r := range rs {
-		t.nodeNames[r.ID] = r.Portainer.Agent.NodeName
+	nodeNames, ok := req.Context().Value("nodeNames").(map[string]string)
+	if ok {
+		for idx, r := range rs {
+			// as there is no way to differentiate the same image available in multiple nodes only by their ID
+			// we append the index of the image in the payload response to match the node name later
+			// from the image.Summary[] list returned by docker's client.ImageList()
+			nodeNames[fmt.Sprintf("%s-%d", r.ID, idx)] = r.Portainer.Agent.NodeName
+		}
 	}

 	return resp, err
 }

-func (t *NodeNameTransport) NodeNames() map[string]string {
-	return maps.Clone(t.nodeNames)
-}
-
 func httpClient(endpoint *portainer.Endpoint, timeout *time.Duration) (*http.Client, error) {
 	transport := &NodeNameTransport{
 		Transport: &http.Transport{},
--- a/api/docker/images/digest.go
+++ b/api/docker/images/digest.go
@@ -38,10 +38,10 @@ func NewClientWithRegistry(registryClient *RegistryClient, clientFactory *docker
 func (c *DigestClient) RemoteDigest(image Image) (digest.Digest, error) {
 	ctx, cancel := c.timeoutContext()
 	defer cancel()
+
 	// Docker references with both a tag and digest are currently not supported
 	if image.Tag != "" && image.Digest != "" {
-		err := image.trimDigest()
-		if err != nil {
+		if err := image.TrimDigest(); err != nil {
 			return "", err
 		}
 	}
@@ -69,7 +69,7 @@ func (c *DigestClient) RemoteDigest(image Image) (digest.Digest, error) {
 	// Retrieve remote digest through HEAD request
 	rmDigest, err := docker.GetDigest(ctx, sysCtx, rmRef)
 	if err != nil {
-		// fallback to public registry for hub
+		// Fallback to public registry for hub
 		if image.HubLink != "" {
 			rmDigest, err = docker.GetDigest(ctx, c.sysCtx, rmRef)
 			if err == nil {
@@ -131,8 +131,7 @@ func ParseRepoDigests(repoDigests []string) []digest.Digest {
 func ParseRepoTags(repoTags []string) []*Image {
 	images := make([]*Image, 0)
 	for _, repoTag := range repoTags {
-		image := ParseRepoTag(repoTag)
-		if image != nil {
+		if image := ParseRepoTag(repoTag); image != nil {
 			images = append(images, image)
 		}
 	}
@@ -147,7 +146,7 @@ func ParseRepoDigest(repoDigest string) digest.Digest {

 	d, err := digest.Parse(strings.Split(repoDigest, "@")[1])
 	if err != nil {
-		log.Warn().Msgf("Skip invalid repo digest item: %s [error: %v]", repoDigest, err)
+		log.Warn().Err(err).Str("digest", repoDigest).Msg("skip invalid repo item")

 		return ""
 	}
--- a/api/docker/images/image.go
+++ b/api/docker/images/image.go
@@ -26,7 +26,7 @@ type Image struct {
 	Digest  digest.Digest
 	HubLink string
 	named   reference.Named
-	opts    ParseImageOptions
+	Opts    ParseImageOptions `json:"-"`
 }

 // ParseImageOptions holds image options for parsing.
@@ -43,9 +43,10 @@ func (i *Image) Name() string {
 // FullName return the real full name may include Tag or Digest of the image, Tag first.
 func (i *Image) FullName() string {
 	if i.Tag == "" {
-		return fmt.Sprintf("%s@%s", i.Name(), i.Digest)
+		return i.Name() + "@" + i.Digest.String()
 	}
-	return fmt.Sprintf("%s:%s", i.Name(), i.Tag)
+
+	return i.Name() + ":" + i.Tag
 }

 // String returns the string representation of an image, including Tag and Digest if existed.
@@ -66,22 +67,25 @@ func (i *Image) Reference() string {
 func (i *Image) WithDigest(digest digest.Digest) (err error) {
 	i.Digest = digest
 	i.named, err = reference.WithDigest(i.named, digest)
+
 	return err
 }

 func (i *Image) WithTag(tag string) (err error) {
 	i.Tag = tag
 	i.named, err = reference.WithTag(i.named, tag)
+
 	return err
 }

-func (i *Image) trimDigest() error {
+func (i *Image) TrimDigest() error {
 	i.Digest = ""
 	named, err := ParseImage(ParseImageOptions{Name: i.FullName()})
 	if err != nil {
 		return err
 	}
 	i.named = &named
+
 	return nil
 }

@@ -92,11 +96,12 @@ func ParseImage(parseOpts ParseImageOptions) (Image, error) {
 	if err != nil {
 		return Image{}, errors.Wrapf(err, "parsing image %s failed", parseOpts.Name)
 	}
+
 	// Add the latest lag if they did not provide one.
 	named = reference.TagNameOnly(named)

 	i := Image{
-		opts:   parseOpts,
+		Opts:   parseOpts,
 		named:  named,
 		Domain: reference.Domain(named),
 		Path:   reference.Path(named),
@@ -122,15 +127,16 @@ func ParseImage(parseOpts ParseImageOptions) (Image, error) {
 }

 func (i *Image) hubLink() (string, error) {
-	if i.opts.HubTpl != "" {
+	if i.Opts.HubTpl != "" {
 		var out bytes.Buffer
 		tmpl, err := template.New("tmpl").
 			Option("missingkey=error").
-			Parse(i.opts.HubTpl)
+			Parse(i.Opts.HubTpl)
 		if err != nil {
 			return "", err
 		}
 		err = tmpl.Execute(&out, i)
+
 		return out.String(), err
 	}

@@ -142,23 +148,24 @@ func (i *Image) hubLink() (string, error) {
 			prefix = "_"
 			path = strings.Replace(i.Path, "library/", "", 1)
 		}
-		return fmt.Sprintf("https://hub.docker.com/%s/%s", prefix, path), nil
+
+		return "https://hub.docker.com/" + prefix + "/" + path, nil
 	case "docker.bintray.io", "jfrog-docker-reg2.bintray.io":
-		return fmt.Sprintf("https://bintray.com/jfrog/reg2/%s", strings.ReplaceAll(i.Path, "/", "%3A")), nil
+		return "https://bintray.com/jfrog/reg2/" + strings.ReplaceAll(i.Path, "/", "%3A"), nil
 	case "docker.pkg.github.com":
-		return fmt.Sprintf("https://github.com/%s/packages", filepath.ToSlash(filepath.Dir(i.Path))), nil
+		return "https://github.com/" + filepath.ToSlash(filepath.Dir(i.Path)) + "/packages", nil
 	case "gcr.io":
-		return fmt.Sprintf("https://%s/%s", i.Domain, i.Path), nil
+		return "https://" + i.Domain + "/" + i.Path, nil
 	case "ghcr.io":
 		ref := strings.Split(i.Path, "/")
 		ghUser, ghPackage := ref[0], ref[1]
-		return fmt.Sprintf("https://github.com/users/%s/packages/container/package/%s", ghUser, ghPackage), nil
+		return "https://github.com/users/" + ghUser + "/packages/container/package/" + ghPackage, nil
 	case "quay.io":
-		return fmt.Sprintf("https://quay.io/repository/%s", i.Path), nil
+		return "https://quay.io/repository/" + i.Path, nil
 	case "registry.access.redhat.com":
-		return fmt.Sprintf("https://access.redhat.com/containers/#/registry.access.redhat.com/%s", i.Path), nil
+		return "https://access.redhat.com/containers/#/registry.access.redhat.com/" + i.Path, nil
 	case "registry.gitlab.com":
-		return fmt.Sprintf("https://gitlab.com/%s/container_registry", i.Path), nil
+		return "https://gitlab.com/" + i.Path + "/container_registry", nil
 	default:
 		return "", nil
 	}
--- a/api/docker/images/image_test.go
+++ b/api/docker/images/image_test.go
@@ -16,7 +16,7 @@ func TestImageParser(t *testing.T) {
 		})
 		is.NoError(err, "")
 		is.Equal("docker.io/portainer/portainer-ee:latest", image.FullName())
-		is.Equal("portainer/portainer-ee", image.opts.Name)
+		is.Equal("portainer/portainer-ee", image.Opts.Name)
 		is.Equal("latest", image.Tag)
 		is.Equal("portainer/portainer-ee", image.Path)
 		is.Equal("docker.io", image.Domain)
@@ -32,7 +32,7 @@ func TestImageParser(t *testing.T) {
 		})
 		is.NoError(err, "")
 		is.Equal("gcr.io/k8s-minikube/kicbase@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.FullName())
-		is.Equal("gcr.io/k8s-minikube/kicbase@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.opts.Name)
+		is.Equal("gcr.io/k8s-minikube/kicbase@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
 		is.Equal("", image.Tag)
 		is.Equal("k8s-minikube/kicbase", image.Path)
 		is.Equal("gcr.io", image.Domain)
@@ -49,7 +49,7 @@ func TestImageParser(t *testing.T) {
 		})
 		is.NoError(err, "")
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30", image.FullName())
-		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.opts.Name)
+		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
 		is.Equal("v0.0.30", image.Tag)
 		is.Equal("k8s-minikube/kicbase", image.Path)
 		is.Equal("gcr.io", image.Domain)
@@ -71,7 +71,7 @@ func TestUpdateParsedImage(t *testing.T) {
 		is.NoError(err, "")
 		_ = image.WithTag("v0.0.31")
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.31", image.FullName())
-		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.opts.Name)
+		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
 		is.Equal("v0.0.31", image.Tag)
 		is.Equal("k8s-minikube/kicbase", image.Path)
 		is.Equal("gcr.io", image.Domain)
@@ -89,7 +89,7 @@ func TestUpdateParsedImage(t *testing.T) {
 		is.NoError(err, "")
 		_ = image.WithDigest("sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b3")
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30", image.FullName())
-		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.opts.Name)
+		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
 		is.Equal("v0.0.30", image.Tag)
 		is.Equal("k8s-minikube/kicbase", image.Path)
 		is.Equal("gcr.io", image.Domain)
@@ -105,9 +105,9 @@ func TestUpdateParsedImage(t *testing.T) {
 			Name: "gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2",
 		})
 		is.NoError(err, "")
-		_ = image.trimDigest()
+		_ = image.TrimDigest()
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30", image.FullName())
-		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.opts.Name)
+		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
 		is.Equal("v0.0.30", image.Tag)
 		is.Equal("k8s-minikube/kicbase", image.Path)
 		is.Equal("gcr.io", image.Domain)
--- a/api/docker/images/puller.go
+++ b/api/docker/images/puller.go
@@ -6,7 +6,7 @@ import (

 	"github.com/portainer/portainer/api/dataservices"

-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/client"
 	"github.com/rs/zerolog/log"
 )
@@ -25,18 +25,18 @@ func NewPuller(client *client.Client, registryClient *RegistryClient, dataStore
 	}
 }

-func (puller *Puller) Pull(ctx context.Context, image Image) error {
-	log.Debug().Str("image", image.FullName()).Msg("starting to pull the image")
+func (puller *Puller) Pull(ctx context.Context, img Image) error {
+	log.Debug().Str("image", img.FullName()).Msg("starting to pull the image")

-	registryAuth, err := puller.registryClient.EncodedRegistryAuth(image)
+	registryAuth, err := puller.registryClient.EncodedRegistryAuth(img)
 	if err != nil {
 		log.Debug().
-			Str("image", image.FullName()).
+			Str("image", img.FullName()).
 			Err(err).
 			Msg("failed to get an encoded registry auth via image, try to pull image without registry auth")
 	}

-	out, err := puller.client.ImagePull(ctx, image.FullName(), types.ImagePullOptions{
+	out, err := puller.client.ImagePull(ctx, img.FullName(), image.PullOptions{
 		RegistryAuth: registryAuth,
 	})
 	if err != nil {
--- a/api/docker/images/ref.go
+++ b/api/docker/images/ref.go
@@ -1,7 +1,6 @@
 package images

 import (
-	"fmt"
 	"strings"

 	"github.com/containers/image/v5/docker"
@@ -10,7 +9,7 @@ import (

 func ParseReference(imageStr string) (types.ImageReference, error) {
 	if !strings.HasPrefix(imageStr, "//") {
-		imageStr = fmt.Sprintf("//%s", imageStr)
+		imageStr = "//" + imageStr
 	}
 	return docker.ParseReference(imageStr)
 }
--- a/api/docker/images/registry.go
+++ b/api/docker/images/registry.go
@@ -29,7 +29,7 @@ func (c *RegistryClient) RegistryAuth(image Image) (string, string, error) {
 		return "", "", err
 	}

-	registry, err := findBestMatchRegistry(image.opts.Name, registries)
+	registry, err := findBestMatchRegistry(image.Opts.Name, registries)
 	if err != nil {
 		return "", "", err
 	}
@@ -59,7 +59,7 @@ func (c *RegistryClient) EncodedRegistryAuth(image Image) (string, error) {
 		return "", err
 	}

-	registry, err := findBestMatchRegistry(image.opts.Name, registries)
+	registry, err := findBestMatchRegistry(image.Opts.Name, registries)
 	if err != nil {
 		return "", err
 	}
--- a/api/docker/snapshot.go
+++ b/api/docker/snapshot.go
@@ -1,20 +1,9 @@
 package docker

 import (
-	"context"
-	"strings"
-	"time"
-
 	portainer "github.com/portainer/portainer/api"
 	dockerclient "github.com/portainer/portainer/api/docker/client"
-	"github.com/portainer/portainer/api/docker/consts"
-
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/container"
-	_container "github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/volume"
-	"github.com/docker/docker/client"
-	"github.com/rs/zerolog/log"
+	"github.com/portainer/portainer/pkg/snapshot"
 )

 // Snapshotter represents a service used to create environment(endpoint) snapshots
@@ -37,247 +26,5 @@ func (snapshotter *Snapshotter) CreateSnapshot(endpoint *portainer.Endpoint) (*p
 	}
 	defer cli.Close()

-	return snapshot(cli, endpoint)
-}
-
-func snapshot(cli *client.Client, endpoint *portainer.Endpoint) (*portainer.DockerSnapshot, error) {
-	if _, err := cli.Ping(context.Background()); err != nil {
-		return nil, err
-	}
-
-	snapshot := &portainer.DockerSnapshot{
-		StackCount: 0,
-	}
-
-	if err := snapshotInfo(snapshot, cli); err != nil {
-		log.Warn().Str("environment", endpoint.Name).Err(err).Msg("unable to snapshot engine information")
-	}
-
-	if snapshot.Swarm {
-		if err := snapshotSwarmServices(snapshot, cli); err != nil {
-			log.Warn().Str("environment", endpoint.Name).Err(err).Msg("unable to snapshot Swarm services")
-		}
-
-		if err := snapshotNodes(snapshot, cli); err != nil {
-			log.Warn().Str("environment", endpoint.Name).Err(err).Msg("unable to snapshot Swarm nodes")
-		}
-	}
-
-	if err := snapshotContainers(snapshot, cli); err != nil {
-		log.Warn().Str("environment", endpoint.Name).Err(err).Msg("unable to snapshot containers")
-	}
-
-	if err := snapshotImages(snapshot, cli); err != nil {
-		log.Warn().Str("environment", endpoint.Name).Err(err).Msg("unable to snapshot images")
-	}
-
-	if err := snapshotVolumes(snapshot, cli); err != nil {
-		log.Warn().Str("environment", endpoint.Name).Err(err).Msg("unable to snapshot volumes")
-	}
-
-	if err := snapshotNetworks(snapshot, cli); err != nil {
-		log.Warn().Str("environment", endpoint.Name).Err(err).Msg("unable to snapshot networks")
-	}
-
-	if err := snapshotVersion(snapshot, cli); err != nil {
-		log.Warn().Str("environment", endpoint.Name).Err(err).Msg("unable to snapshot engine version")
-	}
-
-	snapshot.Time = time.Now().Unix()
-
-	return snapshot, nil
-}
-
-func snapshotInfo(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
-	info, err := cli.Info(context.Background())
-	if err != nil {
-		return err
-	}
-
-	snapshot.Swarm = info.Swarm.ControlAvailable
-	snapshot.DockerVersion = info.ServerVersion
-	snapshot.TotalCPU = info.NCPU
-	snapshot.TotalMemory = info.MemTotal
-	snapshot.SnapshotRaw.Info = info
-
-	return nil
-}
-
-func snapshotNodes(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
-	nodes, err := cli.NodeList(context.Background(), types.NodeListOptions{})
-	if err != nil {
-		return err
-	}
-
-	var nanoCpus int64
-	var totalMem int64
-
-	for _, node := range nodes {
-		nanoCpus += node.Description.Resources.NanoCPUs
-		totalMem += node.Description.Resources.MemoryBytes
-	}
-
-	snapshot.TotalCPU = int(nanoCpus / 1e9)
-	snapshot.TotalMemory = totalMem
-	snapshot.NodeCount = len(nodes)
-
-	return nil
-}
-
-func snapshotSwarmServices(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
-	stacks := make(map[string]struct{})
-
-	services, err := cli.ServiceList(context.Background(), types.ServiceListOptions{})
-	if err != nil {
-		return err
-	}
-
-	for _, service := range services {
-		for k, v := range service.Spec.Labels {
-			if k == "com.docker.stack.namespace" {
-				stacks[v] = struct{}{}
-			}
-		}
-	}
-
-	snapshot.ServiceCount = len(services)
-	snapshot.StackCount += len(stacks)
-
-	return nil
-}
-
-func snapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
-	containers, err := cli.ContainerList(context.Background(), container.ListOptions{All: true})
-	if err != nil {
-		return err
-	}
-
-	stacks := make(map[string]struct{})
-	gpuUseSet := make(map[string]struct{})
-	gpuUseAll := false
-
-	for _, container := range containers {
-		if container.State == "running" {
-			// Snapshot GPUs
-			response, err := cli.ContainerInspect(context.Background(), container.ID)
-			if err != nil {
-				// Inspect a container will fail when the container runs on a different
-				// Swarm node, so it is better to log the error instead of return error
-				// when the Swarm mode is enabled
-				if !snapshot.Swarm {
-					return err
-				} else {
-					if !strings.Contains(err.Error(), "No such container") {
-						return err
-					}
-					// It is common to have containers running on different Swarm nodes,
-					// so we just log the error in the debug level
-					log.Debug().Str("container", container.ID).Err(err).Msg("unable to inspect container in other Swarm nodes")
-				}
-			} else {
-				var gpuOptions *_container.DeviceRequest = nil
-				for _, deviceRequest := range response.HostConfig.Resources.DeviceRequests {
-					if deviceRequest.Driver == "nvidia" || deviceRequest.Capabilities[0][0] == "gpu" {
-						gpuOptions = &deviceRequest
-					}
-				}
-
-				if gpuOptions != nil {
-					if gpuOptions.Count == -1 {
-						gpuUseAll = true
-					}
-
-					for _, id := range gpuOptions.DeviceIDs {
-						gpuUseSet[id] = struct{}{}
-					}
-				}
-			}
-		}
-
-		for k, v := range container.Labels {
-			if k == consts.ComposeStackNameLabel {
-				stacks[v] = struct{}{}
-			}
-		}
-	}
-
-	gpuUseList := make([]string, 0, len(gpuUseSet))
-	for gpuUse := range gpuUseSet {
-		gpuUseList = append(gpuUseList, gpuUse)
-	}
-
-	snapshot.GpuUseAll = gpuUseAll
-	snapshot.GpuUseList = gpuUseList
-
-	stats := CalculateContainerStats(containers)
-
-	snapshot.ContainerCount = stats.Total
-	snapshot.RunningContainerCount = stats.Running
-	snapshot.StoppedContainerCount = stats.Stopped
-	snapshot.HealthyContainerCount = stats.Healthy
-	snapshot.UnhealthyContainerCount = stats.Unhealthy
-	snapshot.StackCount += len(stacks)
-
-	for _, container := range containers {
-		snapshot.SnapshotRaw.Containers = append(snapshot.SnapshotRaw.Containers, portainer.DockerContainerSnapshot{Container: container})
-	}
-
-	return nil
-}
-
-func snapshotImages(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
-	images, err := cli.ImageList(context.Background(), types.ImageListOptions{})
-	if err != nil {
-		return err
-	}
-
-	snapshot.ImageCount = len(images)
-	snapshot.SnapshotRaw.Images = images
-
-	return nil
-}
-
-func snapshotVolumes(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
-	volumes, err := cli.VolumeList(context.Background(), volume.ListOptions{})
-	if err != nil {
-		return err
-	}
-
-	snapshot.VolumeCount = len(volumes.Volumes)
-	snapshot.SnapshotRaw.Volumes = volumes
-
-	return nil
-}
-
-func snapshotNetworks(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
-	networks, err := cli.NetworkList(context.Background(), types.NetworkListOptions{})
-	if err != nil {
-		return err
-	}
-
-	snapshot.SnapshotRaw.Networks = networks
-
-	return nil
-}
-
-func snapshotVersion(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
-	version, err := cli.ServerVersion(context.Background())
-	if err != nil {
-		return err
-	}
-
-	snapshot.SnapshotRaw.Version = version
-	snapshot.IsPodman = isPodman(version)
-	return nil
-}
-
-// isPodman checks if the version is for Podman by checking if any of the components contain "podman".
-// If it's podman, a component name should be "Podman Engine"
-func isPodman(version types.Version) bool {
-	for _, component := range version.Components {
-		if strings.Contains(strings.ToLower(component.Name), "podman") {
-			return true
-		}
-	}
-	return false
+	return snapshot.CreateDockerSnapshot(cli)
 }
--- a/api/edge/edge.go
+++ b/api/edge/edge.go
@@ -31,15 +31,18 @@ type (
 		// RegistryCredentials holds the credentials for a Docker registry.
 		// Used only for EE
 		RegistryCredentials []RegistryCredentials
-		// PrePullImage is a flag indicating if the agent should pull the image before deploying the stack.
+		// PrePullImage is a flag indicating if the agent must pull the image before deploying the stack.
 		// Used only for EE
 		PrePullImage bool
-		// RePullImage is a flag indicating if the agent should pull the image if it is already present on the node.
+		// RePullImage is a flag indicating if the agent must pull the image if it is already present on the node.
 		// Used only for EE
 		RePullImage bool
-		// RetryDeploy is a flag indicating if the agent should retry to deploy the stack if it fails.
+		// RetryDeploy is a flag indicating if the agent must retry to deploy the stack if it fails.
 		// Used only for EE
 		RetryDeploy bool
+		// RetryPeriod specifies the duration, in seconds, for which the agent should continue attempting to deploy the stack after a failure
+		// Used only for EE
+		RetryPeriod int
 		// EdgeUpdateID is the ID of the edge update related to this stack.
 		// Used only for EE
 		EdgeUpdateID int
@@ -55,6 +58,20 @@ type (
 		// Used only for EE async edge agent
 		// ReadyRePullImage is a flag to indicate whether the auto update is trigger to re-pull image
 		ReadyRePullImage bool
+
+		DeployerOptionsPayload DeployerOptionsPayload
+	}
+
+	DeployerOptionsPayload struct {
+		// Prune is a flag indicating if the agent must prune the containers or not when creating/updating an edge stack
+		// This flag drives `docker compose up --remove-orphans` and `docker stack up --prune` options
+		// Used only for EE
+		Prune bool
+		// RemoveVolumes is a flag indicating if the agent must remove the named volumes declared
+		// in the compose file and anonymouse volumes attached to containers
+		// This flag drives `docker compose down --volumes` option
+		// Used only for EE
+		RemoveVolumes bool
 	}

 	// RegistryCredentials holds the credentials for a Docker registry.
--- a/api/exec/compose_stack.go
+++ b/api/exec/compose_stack.go
@@ -9,27 +9,32 @@ import (
 	"strings"

 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/http/proxy"
 	"github.com/portainer/portainer/api/http/proxy/factory"
+	"github.com/portainer/portainer/api/internal/registryutils"
 	"github.com/portainer/portainer/api/stacks/stackutils"
 	"github.com/portainer/portainer/pkg/libstack"

+	"github.com/docker/cli/cli/config/types"
 	"github.com/pkg/errors"
+	"github.com/rs/zerolog/log"
 )

 // ComposeStackManager is a wrapper for docker-compose binary
 type ComposeStackManager struct {
 	deployer     libstack.Deployer
 	proxyManager *proxy.Manager
+	dataStore    dataservices.DataStore
 }

-// NewComposeStackManager returns a docker-compose wrapper if corresponding binary present, otherwise nil
-func NewComposeStackManager(deployer libstack.Deployer, proxyManager *proxy.Manager) (*ComposeStackManager, error) {
-
+// NewComposeStackManager returns a Compose stack manager
+func NewComposeStackManager(deployer libstack.Deployer, proxyManager *proxy.Manager, dataStore dataservices.DataStore) *ComposeStackManager {
 	return &ComposeStackManager{
 		deployer:     deployer,
 		proxyManager: proxyManager,
-	}, nil
+		dataStore:    dataStore,
+	}
 }

 // ComposeSyntaxMaxVersion returns the maximum supported version of the docker compose syntax
@@ -60,6 +65,7 @@ func (manager *ComposeStackManager) Up(ctx context.Context, stack *portainer.Sta
 			EnvFilePath: envFilePath,
 			Host:        url,
 			ProjectName: stack.Name,
+			Registries:  portainerRegistriesToAuthConfigs(manager.dataStore, options.Registries),
 		},
 		ForceRecreate:        options.ForceRecreate,
 		AbortOnContainerExit: options.AbortOnContainerExit,
@@ -90,6 +96,7 @@ func (manager *ComposeStackManager) Run(ctx context.Context, stack *portainer.St
 			EnvFilePath: envFilePath,
 			Host:        url,
 			ProjectName: stack.Name,
+			Registries:  portainerRegistriesToAuthConfigs(manager.dataStore, options.Registries),
 		},
 		Remove:   options.Remove,
 		Args:     options.Args,
@@ -103,14 +110,15 @@ func (manager *ComposeStackManager) Down(ctx context.Context, stack *portainer.S
 	url, proxy, err := manager.fetchEndpointProxy(endpoint)
 	if err != nil {
 		return err
-	}
-	if proxy != nil {
+	} else if proxy != nil {
 		defer proxy.Close()
 	}

-	err = manager.deployer.Remove(ctx, stack.Name, nil, libstack.Options{
-		WorkingDir: "",
-		Host:       url,
+	err = manager.deployer.Remove(ctx, stack.Name, nil, libstack.RemoveOptions{
+		Options: libstack.Options{
+			WorkingDir: "",
+			Host:       url,
+		},
 	})

 	return errors.Wrap(err, "failed to remove a stack")
@@ -118,12 +126,11 @@ func (manager *ComposeStackManager) Down(ctx context.Context, stack *portainer.S

 // Pull an image associated with a service defined in a docker-compose.yml or docker-stack.yml file,
 // but does not start containers based on those images.
-func (manager *ComposeStackManager) Pull(ctx context.Context, stack *portainer.Stack, endpoint *portainer.Endpoint) error {
+func (manager *ComposeStackManager) Pull(ctx context.Context, stack *portainer.Stack, endpoint *portainer.Endpoint, options portainer.ComposeOptions) error {
 	url, proxy, err := manager.fetchEndpointProxy(endpoint)
 	if err != nil {
 		return err
-	}
-	if proxy != nil {
+	} else if proxy != nil {
 		defer proxy.Close()
 	}

@@ -138,6 +145,7 @@ func (manager *ComposeStackManager) Pull(ctx context.Context, stack *portainer.S
 		EnvFilePath: envFilePath,
 		Host:        url,
 		ProjectName: stack.Name,
+		Registries:  portainerRegistriesToAuthConfigs(manager.dataStore, options.Registries),
 	})
 	return errors.Wrap(err, "failed to pull images of the stack")
 }
@@ -176,16 +184,16 @@ func createEnvFile(stack *portainer.Stack) (string, error) {

 	// Copy from default .env file
 	defaultEnvPath := path.Join(stack.ProjectPath, path.Dir(stack.EntryPoint), ".env")
-	if err = copyDefaultEnvFile(envfile, defaultEnvPath); err != nil {
+	if err := copyDefaultEnvFile(envfile, defaultEnvPath); err != nil {
 		return "", err
 	}

 	// Copy from stack env vars
-	if err = copyConfigEnvVars(envfile, stack.Env); err != nil {
+	if err := copyConfigEnvVars(envfile, stack.Env); err != nil {
 		return "", err
 	}

-	return "stack.env", nil
+	return envFilePath, nil
 }

 // copyDefaultEnvFile copies the default .env file if it exists to the provided writer
@@ -217,3 +225,49 @@ func copyConfigEnvVars(w io.Writer, envs []portainer.Pair) error {
 	}
 	return nil
 }
+
+func portainerRegistriesToAuthConfigs(tx dataservices.DataStoreTx, registries []portainer.Registry) []types.AuthConfig {
+	var authConfigs []types.AuthConfig
+
+	for _, r := range registries {
+		ac := types.AuthConfig{
+			Username:      r.Username,
+			Password:      r.Password,
+			ServerAddress: r.URL,
+		}
+
+		if r.Authentication {
+			var err error
+
+			ac.Username, ac.Password, err = getEffectiveRegUsernamePassword(tx, &r)
+			if err != nil {
+				continue
+			}
+		}
+
+		authConfigs = append(authConfigs, ac)
+	}
+
+	return authConfigs
+}
+
+func getEffectiveRegUsernamePassword(tx dataservices.DataStoreTx, registry *portainer.Registry) (string, string, error) {
+	if err := registryutils.EnsureRegTokenValid(tx, registry); err != nil {
+		log.Warn().
+			Err(err).
+			Str("RegistryName", registry.Name).
+			Msg("Failed to validate registry token. Skip logging with this registry.")
+
+		return "", "", err
+	}
+
+	username, password, err := registryutils.GetRegEffectiveCredential(registry)
+	if err != nil {
+		log.Warn().
+			Err(err).
+			Str("RegistryName", registry.Name).
+			Msg("Failed to get effective credential. Skip logging with this registry.")
+	}
+
+	return username, password, err
+}
--- a/api/exec/compose_stack_integration_test.go
+++ b/api/exec/compose_stack_integration_test.go
@@ -2,7 +2,6 @@ package exec

 import (
 	"context"
-	"fmt"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -43,25 +42,17 @@ func setup(t *testing.T) (*portainer.Stack, *portainer.Endpoint) {
 }

 func Test_UpAndDown(t *testing.T) {
-
 	testhelpers.IntegrationTest(t)

 	stack, endpoint := setup(t)

-	deployer, err := compose.NewComposeDeployer("", "")
-	if err != nil {
-		t.Fatal(err)
-	}
+	deployer := compose.NewComposeDeployer()

-	w, err := NewComposeStackManager(deployer, nil)
-	if err != nil {
-		t.Fatalf("Failed creating manager: %s", err)
-	}
+	w := NewComposeStackManager(deployer, nil, nil)

 	ctx := context.TODO()

-	err = w.Up(ctx, stack, endpoint, portainer.ComposeUpOptions{})
-	if err != nil {
+	if err := w.Up(ctx, stack, endpoint, portainer.ComposeUpOptions{}); err != nil {
 		t.Fatalf("Error calling docker-compose up: %s", err)
 	}

@@ -69,8 +60,7 @@ func Test_UpAndDown(t *testing.T) {
 		t.Fatal("container should exist")
 	}

-	err = w.Down(ctx, stack, endpoint)
-	if err != nil {
+	if err := w.Down(ctx, stack, endpoint); err != nil {
 		t.Fatalf("Error calling docker-compose down: %s", err)
 	}

@@ -80,7 +70,7 @@ func Test_UpAndDown(t *testing.T) {
 }

 func containerExists(containerName string) bool {
-	cmd := exec.Command("docker", "ps", "-a", "-f", fmt.Sprintf("name=%s", containerName))
+	cmd := exec.Command("docker", "ps", "-a", "-f", "name="+containerName)

 	out, err := cmd.Output()
 	if err != nil {
--- a/api/exec/compose_stack_test.go
+++ b/api/exec/compose_stack_test.go
@@ -4,6 +4,7 @@ import (
 	"io"
 	"os"
 	"path"
+	"path/filepath"
 	"testing"

 	portainer "github.com/portainer/portainer/api"
@@ -53,7 +54,7 @@ func Test_createEnvFile(t *testing.T) {
 			result, _ := createEnvFile(tt.stack)

 			if tt.expected != "" {
-				assert.Equal(t, "stack.env", result)
+				assert.Equal(t, filepath.Join(tt.stack.ProjectPath, "stack.env"), result)

 				f, _ := os.Open(path.Join(dir, "stack.env"))
 				content, _ := io.ReadAll(f)
@@ -77,7 +78,7 @@ func Test_createEnvFile_mergesDefultAndInplaceEnvVars(t *testing.T) {
 		},
 	}
 	result, err := createEnvFile(stack)
-	assert.Equal(t, "stack.env", result)
+	assert.Equal(t, filepath.Join(stack.ProjectPath, "stack.env"), result)
 	assert.NoError(t, err)
 	assert.FileExists(t, path.Join(dir, "stack.env"))
 	f, _ := os.Open(path.Join(dir, "stack.env"))
--- a/api/exec/exectest/kubernetes_mocks.go
+++ b/api/exec/exectest/kubernetes_mocks.go
@@ -4,10 +4,12 @@ import (
 	portainer "github.com/portainer/portainer/api"
 )

-type kubernetesMockDeployer struct{}
+type kubernetesMockDeployer struct {
+	portainer.KubernetesDeployer
+}

 // NewKubernetesDeployer creates a mock kubernetes deployer
-func NewKubernetesDeployer() portainer.KubernetesDeployer {
+func NewKubernetesDeployer() *kubernetesMockDeployer {
 	return &kubernetesMockDeployer{}
 }

@@ -18,3 +20,7 @@ func (deployer *kubernetesMockDeployer) Deploy(userID portainer.UserID, endpoint
 func (deployer *kubernetesMockDeployer) Remove(userID portainer.UserID, endpoint *portainer.Endpoint, manifestFiles []string, namespace string) (string, error) {
 	return "", nil
 }
+
+func (deployer *kubernetesMockDeployer) Restart(userID portainer.UserID, endpoint *portainer.Endpoint, manifestFiles []string, namespace string) (string, error) {
+	return "", nil
+}
--- a/api/exec/kubernetes_deploy.go
+++ b/api/exec/kubernetes_deploy.go
@@ -1,13 +1,8 @@
 package exec

 import (
-	"bytes"
+	"context"
 	"fmt"
-	"os"
-	"os/exec"
-	"path"
-	"runtime"
-	"strings"

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
@@ -15,13 +10,17 @@ import (
 	"github.com/portainer/portainer/api/http/proxy/factory"
 	"github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
 	"github.com/portainer/portainer/api/kubernetes/cli"
+	"github.com/portainer/portainer/pkg/libkubectl"

 	"github.com/pkg/errors"
 )

+const (
+	defaultServerURL = "https://kubernetes.default.svc"
+)
+
 // KubernetesDeployer represents a service to deploy resources inside a Kubernetes environment(endpoint).
 type KubernetesDeployer struct {
-	binaryPath                  string
 	dataStore                   dataservices.DataStore
 	reverseTunnelService        portainer.ReverseTunnelService
 	signatureService            portainer.DigitalSignatureService
@@ -31,9 +30,8 @@ type KubernetesDeployer struct {
 }

 // NewKubernetesDeployer initializes a new KubernetesDeployer service.
-func NewKubernetesDeployer(kubernetesTokenCacheManager *kubernetes.TokenCacheManager, kubernetesClientFactory *cli.ClientFactory, datastore dataservices.DataStore, reverseTunnelService portainer.ReverseTunnelService, signatureService portainer.DigitalSignatureService, proxyManager *proxy.Manager, binaryPath string) *KubernetesDeployer {
+func NewKubernetesDeployer(kubernetesTokenCacheManager *kubernetes.TokenCacheManager, kubernetesClientFactory *cli.ClientFactory, datastore dataservices.DataStore, reverseTunnelService portainer.ReverseTunnelService, signatureService portainer.DigitalSignatureService, proxyManager *proxy.Manager) *KubernetesDeployer {
 	return &KubernetesDeployer{
-		binaryPath:                  binaryPath,
 		dataStore:                   datastore,
 		reverseTunnelService:        reverseTunnelService,
 		signatureService:            signatureService,
@@ -71,70 +69,63 @@ func (deployer *KubernetesDeployer) getToken(userID portainer.UserID, endpoint *
 	}

 	if token == "" {
-		return "", fmt.Errorf("can not get a valid user service account token")
+		return "", errors.New("can not get a valid user service account token")
 	}

 	return token, nil
 }

 // Deploy upserts Kubernetes resources defined in manifest(s)
-func (deployer *KubernetesDeployer) Deploy(userID portainer.UserID, endpoint *portainer.Endpoint, manifestFiles []string, namespace string) (string, error) {
-	return deployer.command("apply", userID, endpoint, manifestFiles, namespace)
+func (deployer *KubernetesDeployer) Deploy(userID portainer.UserID, endpoint *portainer.Endpoint, resources []string, namespace string) (string, error) {
+	return deployer.command("apply", userID, endpoint, resources, namespace)
 }

 // Remove deletes Kubernetes resources defined in manifest(s)
-func (deployer *KubernetesDeployer) Remove(userID portainer.UserID, endpoint *portainer.Endpoint, manifestFiles []string, namespace string) (string, error) {
-	return deployer.command("delete", userID, endpoint, manifestFiles, namespace)
+func (deployer *KubernetesDeployer) Remove(userID portainer.UserID, endpoint *portainer.Endpoint, resources []string, namespace string) (string, error) {
+	return deployer.command("delete", userID, endpoint, resources, namespace)
 }

-func (deployer *KubernetesDeployer) command(operation string, userID portainer.UserID, endpoint *portainer.Endpoint, manifestFiles []string, namespace string) (string, error) {
+func (deployer *KubernetesDeployer) command(operation string, userID portainer.UserID, endpoint *portainer.Endpoint, resources []string, namespace string) (string, error) {
 	token, err := deployer.getToken(userID, endpoint, endpoint.Type == portainer.KubernetesLocalEnvironment)
 	if err != nil {
 		return "", errors.Wrap(err, "failed generating a user token")
 	}

-	command := path.Join(deployer.binaryPath, "kubectl")
-	if runtime.GOOS == "windows" {
-		command = path.Join(deployer.binaryPath, "kubectl.exe")
-	}
-
-	args := []string{"--token", token}
-	if namespace != "" {
-		args = append(args, "--namespace", namespace)
-	}
-
+	serverURL := defaultServerURL
 	if endpoint.Type == portainer.AgentOnKubernetesEnvironment || endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment {
 		url, proxy, err := deployer.getAgentURL(endpoint)
 		if err != nil {
 			return "", errors.WithMessage(err, "failed generating endpoint URL")
 		}
-
 		defer proxy.Close()
-		args = append(args, "--server", url)
-		args = append(args, "--insecure-skip-tls-verify")
+
+		serverURL = url
 	}

-	if operation == "delete" {
-		args = append(args, "--ignore-not-found=true")
-	}
-
-	args = append(args, operation)
-	for _, path := range manifestFiles {
-		args = append(args, "-f", strings.TrimSpace(path))
-	}
-
-	var stderr bytes.Buffer
-	cmd := exec.Command(command, args...)
-	cmd.Env = os.Environ()
-	cmd.Env = append(cmd.Env, "POD_NAMESPACE=default")
-	cmd.Stderr = &stderr
-
-	output, err := cmd.Output()
+	client, err := libkubectl.NewClient(&libkubectl.ClientAccess{
+		Token:     token,
+		ServerUrl: serverURL,
+	}, namespace, "", true)
 	if err != nil {
-		return "", errors.Wrapf(err, "failed to execute kubectl command: %q", stderr.String())
+		return "", errors.Wrap(err, "failed to create kubectl client")
 	}

-	return string(output), nil
+	operations := map[string]func(context.Context, []string) (string, error){
+		"apply":  client.Apply,
+		"delete": client.Delete,
+	}
+
+	operationFunc, ok := operations[operation]
+	if !ok {
+		return "", errors.Errorf("unsupported operation: %s", operation)
+	}
+
+	output, err := operationFunc(context.Background(), resources)
+	if err != nil {
+		return "", errors.Wrapf(err, "failed to execute kubectl %s command", operation)
+	}
+
+	return output, nil
 }

 func (deployer *KubernetesDeployer) getAgentURL(endpoint *portainer.Endpoint) (string, *factory.ProxyServer, error) {
--- a/api/exec/kubernetes_deploy_test.go
+++ b/api/exec/kubernetes_deploy_test.go
@@ -0,0 +1,173 @@
+package exec
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+type mockKubectlClient struct {
+	applyFunc          func(ctx context.Context, files []string) error
+	deleteFunc         func(ctx context.Context, files []string) error
+	rolloutRestartFunc func(ctx context.Context, resources []string) error
+}
+
+func (m *mockKubectlClient) Apply(ctx context.Context, files []string) error {
+	if m.applyFunc != nil {
+		return m.applyFunc(ctx, files)
+	}
+	return nil
+}
+
+func (m *mockKubectlClient) Delete(ctx context.Context, files []string) error {
+	if m.deleteFunc != nil {
+		return m.deleteFunc(ctx, files)
+	}
+	return nil
+}
+
+func (m *mockKubectlClient) RolloutRestart(ctx context.Context, resources []string) error {
+	if m.rolloutRestartFunc != nil {
+		return m.rolloutRestartFunc(ctx, resources)
+	}
+	return nil
+}
+
+func testExecuteKubectlOperation(client *mockKubectlClient, operation string, manifestFiles []string) error {
+	operations := map[string]func(context.Context, []string) error{
+		"apply":           client.Apply,
+		"delete":          client.Delete,
+		"rollout-restart": client.RolloutRestart,
+	}
+
+	operationFunc, ok := operations[operation]
+	if !ok {
+		return fmt.Errorf("unsupported operation: %s", operation)
+	}
+
+	if err := operationFunc(context.Background(), manifestFiles); err != nil {
+		return fmt.Errorf("failed to execute kubectl %s command: %w", operation, err)
+	}
+
+	return nil
+}
+
+func TestExecuteKubectlOperation_Apply_Success(t *testing.T) {
+	called := false
+	mockClient := &mockKubectlClient{
+		applyFunc: func(ctx context.Context, files []string) error {
+			called = true
+			assert.Equal(t, []string{"manifest1.yaml", "manifest2.yaml"}, files)
+			return nil
+		},
+	}
+
+	manifests := []string{"manifest1.yaml", "manifest2.yaml"}
+	err := testExecuteKubectlOperation(mockClient, "apply", manifests)
+
+	assert.NoError(t, err)
+	assert.True(t, called)
+}
+
+func TestExecuteKubectlOperation_Apply_Error(t *testing.T) {
+	expectedErr := errors.New("kubectl apply failed")
+	called := false
+	mockClient := &mockKubectlClient{
+		applyFunc: func(ctx context.Context, files []string) error {
+			called = true
+			assert.Equal(t, []string{"error.yaml"}, files)
+			return expectedErr
+		},
+	}
+
+	manifests := []string{"error.yaml"}
+	err := testExecuteKubectlOperation(mockClient, "apply", manifests)
+
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), expectedErr.Error())
+	assert.True(t, called)
+}
+
+func TestExecuteKubectlOperation_Delete_Success(t *testing.T) {
+	called := false
+	mockClient := &mockKubectlClient{
+		deleteFunc: func(ctx context.Context, files []string) error {
+			called = true
+			assert.Equal(t, []string{"manifest1.yaml"}, files)
+			return nil
+		},
+	}
+
+	manifests := []string{"manifest1.yaml"}
+	err := testExecuteKubectlOperation(mockClient, "delete", manifests)
+
+	assert.NoError(t, err)
+	assert.True(t, called)
+}
+
+func TestExecuteKubectlOperation_Delete_Error(t *testing.T) {
+	expectedErr := errors.New("kubectl delete failed")
+	called := false
+	mockClient := &mockKubectlClient{
+		deleteFunc: func(ctx context.Context, files []string) error {
+			called = true
+			assert.Equal(t, []string{"error.yaml"}, files)
+			return expectedErr
+		},
+	}
+
+	manifests := []string{"error.yaml"}
+	err := testExecuteKubectlOperation(mockClient, "delete", manifests)
+
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), expectedErr.Error())
+	assert.True(t, called)
+}
+
+func TestExecuteKubectlOperation_RolloutRestart_Success(t *testing.T) {
+	called := false
+	mockClient := &mockKubectlClient{
+		rolloutRestartFunc: func(ctx context.Context, resources []string) error {
+			called = true
+			assert.Equal(t, []string{"deployment/nginx"}, resources)
+			return nil
+		},
+	}
+
+	resources := []string{"deployment/nginx"}
+	err := testExecuteKubectlOperation(mockClient, "rollout-restart", resources)
+
+	assert.NoError(t, err)
+	assert.True(t, called)
+}
+
+func TestExecuteKubectlOperation_RolloutRestart_Error(t *testing.T) {
+	expectedErr := errors.New("kubectl rollout restart failed")
+	called := false
+	mockClient := &mockKubectlClient{
+		rolloutRestartFunc: func(ctx context.Context, resources []string) error {
+			called = true
+			assert.Equal(t, []string{"deployment/error"}, resources)
+			return expectedErr
+		},
+	}
+
+	resources := []string{"deployment/error"}
+	err := testExecuteKubectlOperation(mockClient, "rollout-restart", resources)
+
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), expectedErr.Error())
+	assert.True(t, called)
+}
+
+func TestExecuteKubectlOperation_UnsupportedOperation(t *testing.T) {
+	mockClient := &mockKubectlClient{}
+
+	err := testExecuteKubectlOperation(mockClient, "unsupported", []string{})
+
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "unsupported operation")
+}
--- a/api/exec/swarm_stack.go
+++ b/api/exec/swarm_stack.go
@@ -11,7 +11,6 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/internal/registryutils"
 	"github.com/portainer/portainer/api/stacks/stackutils"

 	"github.com/rs/zerolog/log"
@@ -46,8 +45,7 @@ func NewSwarmStackManager(
 		dataStore:            datastore,
 	}

-	err := manager.updateDockerCLIConfiguration(manager.configPath)
-	if err != nil {
+	if err := manager.updateDockerCLIConfiguration(manager.configPath); err != nil {
 		return nil, err
 	}

@@ -63,33 +61,14 @@ func (manager *SwarmStackManager) Login(registries []portainer.Registry, endpoin

 	for _, registry := range registries {
 		if registry.Authentication {
-			err = registryutils.EnsureRegTokenValid(manager.dataStore, &registry)
+			username, password, err := getEffectiveRegUsernamePassword(manager.dataStore, &registry)
 			if err != nil {
-				log.
-					Warn().
-					Err(err).
-					Str("RegistryName", registry.Name).
-					Msg("Failed to validate registry token. Skip logging with this registry.")
-
-				continue
-			}
-
-			username, password, err := registryutils.GetRegEffectiveCredential(&registry)
-			if err != nil {
-				log.
-					Warn().
-					Err(err).
-					Str("RegistryName", registry.Name).
-					Msg("Failed to get effective credential. Skip logging with this registry.")
-
 				continue
 			}

 			registryArgs := append(args, "login", "--username", username, "--password", password, registry.URL)
-			err = runCommandAndCaptureStdErr(command, registryArgs, nil, "")
-			if err != nil {
-				log.
-					Warn().
+			if err := runCommandAndCaptureStdErr(command, registryArgs, nil, ""); err != nil {
+				log.Warn().
 					Err(err).
 					Str("RegistryName", registry.Name).
 					Msg("Failed to login.")
@@ -148,13 +127,14 @@ func (manager *SwarmStackManager) Remove(stack *portainer.Stack, endpoint *porta
 		return err
 	}

-	args = append(args, "stack", "rm", stack.Name)
+	args = append(args, "stack", "rm", "--detach=false", stack.Name)

 	return runCommandAndCaptureStdErr(command, args, nil, "")
 }

 func runCommandAndCaptureStdErr(command string, args []string, env []string, workingDir string) error {
 	var stderr bytes.Buffer
+
 	cmd := exec.Command(command, args...)
 	cmd.Stderr = &stderr

@@ -167,8 +147,7 @@ func runCommandAndCaptureStdErr(command string, args []string, env []string, wor
 		cmd.Env = append(cmd.Env, env...)
 	}

-	err := cmd.Run()
-	if err != nil {
+	if err := cmd.Run(); err != nil {
 		return errors.New(stderr.String())
 	}

@@ -192,6 +171,7 @@ func (manager *SwarmStackManager) prepareDockerCommandAndArgs(binaryPath, config
 		if err != nil {
 			return "", nil, err
 		}
+
 		endpointURL = "tcp://" + tunnelAddr
 	}

@@ -216,9 +196,10 @@ func (manager *SwarmStackManager) prepareDockerCommandAndArgs(binaryPath, config

 func (manager *SwarmStackManager) updateDockerCLIConfiguration(configPath string) error {
 	configFilePath := path.Join(configPath, "config.json")
+
 	config, err := manager.retrieveConfigurationFromDisk(configFilePath)
 	if err != nil {
-		return err
+		log.Warn().Err(err).Msg("unable to retrieve the Swarm configuration from disk, proceeding without it")
 	}

 	signature, err := manager.signatureService.CreateSignature(portainer.PortainerAgentSignatureMessage)
@@ -246,8 +227,7 @@ func (manager *SwarmStackManager) retrieveConfigurationFromDisk(path string) (ma
 		return make(map[string]any), nil
 	}

-	err = json.Unmarshal(raw, &config)
-	if err != nil {
+	if err := json.Unmarshal(raw, &config); err != nil {
 		return nil, err
 	}

--- a/api/filesystem/copy.go
+++ b/api/filesystem/copy.go
@@ -68,7 +68,7 @@ func copyFile(src, dst string) error {
 	defer from.Close()

 	// has to include 'execute' bit, otherwise fails. MkdirAll follows `mkdir -m` restrictions
-	if err := os.MkdirAll(filepath.Dir(dst), 0744); err != nil {
+	if err := os.MkdirAll(filepath.Dir(dst), 0755); err != nil {
 		return err
 	}
 	to, err := os.Create(dst)
--- a/api/filesystem/filesystem.go
+++ b/api/filesystem/filesystem.go
@@ -8,6 +8,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"

 	portainer "github.com/portainer/portainer/api"
@@ -357,7 +358,7 @@ func (service *Service) RollbackStackFile(stackIdentifier, fileName string) erro
 	stackStorePath := JoinPaths(ComposeStorePath, stackIdentifier)
 	composeFilePath := JoinPaths(stackStorePath, fileName)
 	path := service.wrapFileStore(composeFilePath)
-	backupPath := fmt.Sprintf("%s.bak", path)
+	backupPath := path + ".bak"

 	exists, err := service.FileExists(backupPath)
 	if err != nil {
@@ -381,12 +382,12 @@ func (service *Service) RollbackStackFile(stackIdentifier, fileName string) erro
 func (service *Service) RollbackStackFileByVersion(stackIdentifier string, version int, fileName string) error {
 	versionStr := ""
 	if version != 0 {
-		versionStr = fmt.Sprintf("v%d", version)
+		versionStr = "v" + strconv.Itoa(version)
 	}
 	stackStorePath := JoinPaths(ComposeStorePath, stackIdentifier, versionStr)
 	composeFilePath := JoinPaths(stackStorePath, fileName)
 	path := service.wrapFileStore(composeFilePath)
-	backupPath := fmt.Sprintf("%s.bak", path)
+	backupPath := path + ".bak"

 	exists, err := service.FileExists(backupPath)
 	if err != nil {
@@ -671,7 +672,7 @@ func (service *Service) createFileInStore(filePath string, r io.Reader) error {
 // createBackupFileInStore makes a copy in the file store.
 func (service *Service) createBackupFileInStore(filePath string) error {
 	path := service.wrapFileStore(filePath)
-	backupPath := fmt.Sprintf("%s.bak", path)
+	backupPath := path + ".bak"

 	return service.Copy(path, backupPath, true)
 }
@@ -679,7 +680,7 @@ func (service *Service) createBackupFileInStore(filePath string) error {
 // removeBackupFileInStore removes the copy in the file store.
 func (service *Service) removeBackupFileInStore(filePath string) error {
 	path := service.wrapFileStore(filePath)
-	backupPath := fmt.Sprintf("%s.bak", path)
+	backupPath := path + ".bak"

 	exists, err := service.FileExists(backupPath)
 	if err != nil {
@@ -799,7 +800,7 @@ func (service *Service) StoreEdgeJobTaskLogFileFromBytes(edgeJobID, taskID strin
 		return err
 	}

-	filePath := JoinPaths(edgeJobStorePath, fmt.Sprintf("logs_%s", taskID))
+	filePath := JoinPaths(edgeJobStorePath, "logs_"+taskID)
 	r := bytes.NewReader(data)
 	return service.createFileInStore(filePath, r)
 }
@@ -840,11 +841,11 @@ func (service *Service) GetDefaultSSLCertsPath() (string, string) {
 }

 func defaultMTLSCertPathUnderFileStore() (string, string, string) {
-	certPath := JoinPaths(SSLCertPath, MTLSCertFilename)
 	caCertPath := JoinPaths(SSLCertPath, MTLSCACertFilename)
+	certPath := JoinPaths(SSLCertPath, MTLSCertFilename)
 	keyPath := JoinPaths(SSLCertPath, MTLSKeyFilename)

-	return certPath, caCertPath, keyPath
+	return caCertPath, certPath, keyPath
 }

 // GetDefaultChiselPrivateKeyPath returns the chisle private key path
@@ -990,7 +991,7 @@ func MoveDirectory(originalPath, newPath string, overwriteTargetPath bool) error

 	if alreadyExists {
 		if !overwriteTargetPath {
-			return fmt.Errorf("Target path already exists")
+			return errors.New("Target path already exists")
 		}

 		if err = os.RemoveAll(newPath); err != nil {
@@ -1013,26 +1014,45 @@ func CreateFile(path string, r io.Reader) error {
 	return err
 }

-func (service *Service) StoreMTLSCertificates(cert, caCert, key []byte) (string, string, string, error) {
-	certPath, caCertPath, keyPath := defaultMTLSCertPathUnderFileStore()
+func (service *Service) StoreMTLSCertificates(caCert, cert, key []byte) (string, string, string, error) {
+	caCertPath, certPath, keyPath := defaultMTLSCertPathUnderFileStore()

-	r := bytes.NewReader(cert)
-	err := service.createFileInStore(certPath, r)
-	if err != nil {
+	r := bytes.NewReader(caCert)
+	if err := service.createFileInStore(caCertPath, r); err != nil {
 		return "", "", "", err
 	}

-	r = bytes.NewReader(caCert)
-	err = service.createFileInStore(caCertPath, r)
-	if err != nil {
+	r = bytes.NewReader(cert)
+	if err := service.createFileInStore(certPath, r); err != nil {
 		return "", "", "", err
 	}

 	r = bytes.NewReader(key)
-	err = service.createFileInStore(keyPath, r)
-	if err != nil {
+	if err := service.createFileInStore(keyPath, r); err != nil {
 		return "", "", "", err
 	}

-	return service.wrapFileStore(certPath), service.wrapFileStore(caCertPath), service.wrapFileStore(keyPath), nil
+	return service.wrapFileStore(caCertPath), service.wrapFileStore(certPath), service.wrapFileStore(keyPath), nil
+}
+
+func (service *Service) GetMTLSCertificates() (string, string, string, error) {
+	caCertPath, certPath, keyPath := defaultMTLSCertPathUnderFileStore()
+
+	caCertPath = service.wrapFileStore(caCertPath)
+	certPath = service.wrapFileStore(certPath)
+	keyPath = service.wrapFileStore(keyPath)
+
+	paths := [...]string{caCertPath, certPath, keyPath}
+	for _, path := range paths {
+		exists, err := service.FileExists(path)
+		if err != nil {
+			return "", "", "", err
+		}
+
+		if !exists {
+			return "", "", "", fmt.Errorf("file %s does not exist", path)
+		}
+	}
+
+	return caCertPath, certPath, keyPath, nil
 }
--- a/api/filesystem/serialize.go
+++ b/api/filesystem/serialize.go
@@ -51,7 +51,7 @@ func FilterDirForEntryFile(dirEntries []DirEntry, entryFile string) []DirEntry {

 // FilterDirForCompatibility returns the content of the entry file if agent version is less than 2.19.0
 func FilterDirForCompatibility(dirEntries []DirEntry, entryFilePath, agentVersion string) (string, error) {
-	if semver.Compare(fmt.Sprintf("v%s", agentVersion), "v2.19.0") == -1 {
+	if semver.Compare("v"+agentVersion, "v2.19.0") == -1 {
 		for _, dirEntry := range dirEntries {
 			if dirEntry.IsFile {
 				if dirEntry.Name == entryFilePath {
--- a/api/filesystem/serialize_per_dev_configs.go
+++ b/api/filesystem/serialize_per_dev_configs.go
@@ -15,15 +15,19 @@ type MultiFilterArgs []struct {
 }

 // MultiFilterDirForPerDevConfigs filers the given dirEntries with multiple filter args, returns the merged entries for the given device
-func MultiFilterDirForPerDevConfigs(dirEntries []DirEntry, configPath string, multiFilterArgs MultiFilterArgs) []DirEntry {
+func MultiFilterDirForPerDevConfigs(dirEntries []DirEntry, configPath string, multiFilterArgs MultiFilterArgs) ([]DirEntry, []string) {
 	var filteredDirEntries []DirEntry

+	var envFiles []string
+
 	for _, multiFilterArg := range multiFilterArgs {
-		tmp := FilterDirForPerDevConfigs(dirEntries, multiFilterArg.FilterKey, configPath, multiFilterArg.FilterType)
+		tmp, efs := FilterDirForPerDevConfigs(dirEntries, multiFilterArg.FilterKey, configPath, multiFilterArg.FilterType)
 		filteredDirEntries = append(filteredDirEntries, tmp...)
+
+		envFiles = append(envFiles, efs...)
 	}

-	return deduplicate(filteredDirEntries)
+	return deduplicate(filteredDirEntries), envFiles
 }

 func deduplicate(dirEntries []DirEntry) []DirEntry {
@@ -32,8 +36,7 @@ func deduplicate(dirEntries []DirEntry) []DirEntry {
 	marks := make(map[string]struct{})

 	for _, dirEntry := range dirEntries {
-		_, ok := marks[dirEntry.Name]
-		if !ok {
+		if _, ok := marks[dirEntry.Name]; !ok {
 			marks[dirEntry.Name] = struct{}{}
 			deduplicatedDirEntries = append(deduplicatedDirEntries, dirEntry)
 		}
@@ -44,34 +47,33 @@ func deduplicate(dirEntries []DirEntry) []DirEntry {

 // FilterDirForPerDevConfigs filers the given dirEntries, returns entries for the given device
 // For given configPath A/B/C, return entries:
-//  1. all entries outside of dir A
-//  2. dir entries A, A/B, A/B/C
-//  3. For filterType file:
+//  1. all entries outside of dir A/B/C
+//  2. For filterType file:
 //     file entries: A/B/C/<deviceName> and A/B/C/<deviceName>.*
-//  4. For filterType dir:
+//  3. For filterType dir:
 //     dir entry:   A/B/C/<deviceName>
 //     all entries: A/B/C/<deviceName>/*
-func FilterDirForPerDevConfigs(dirEntries []DirEntry, deviceName, configPath string, filterType portainer.PerDevConfigsFilterType) []DirEntry {
+func FilterDirForPerDevConfigs(dirEntries []DirEntry, deviceName, configPath string, filterType portainer.PerDevConfigsFilterType) ([]DirEntry, []string) {
 	var filteredDirEntries []DirEntry

+	var envFiles []string
+
 	for _, dirEntry := range dirEntries {
 		if shouldIncludeEntry(dirEntry, deviceName, configPath, filterType) {
 			filteredDirEntries = append(filteredDirEntries, dirEntry)
+
+			if shouldParseEnvVars(dirEntry, deviceName, configPath, filterType) {
+				envFiles = append(envFiles, dirEntry.Name)
+			}
 		}
 	}

-	return filteredDirEntries
+	return filteredDirEntries, envFiles
 }

 func shouldIncludeEntry(dirEntry DirEntry, deviceName, configPath string, filterType portainer.PerDevConfigsFilterType) bool {
-
 	// Include all entries outside of dir A
-	if !isInConfigRootDir(dirEntry, configPath) {
-		return true
-	}
-
-	// Include dir entries A, A/B, A/B/C
-	if isParentDir(dirEntry, configPath) {
+	if !isInConfigDir(dirEntry, configPath) {
 		return true
 	}

@@ -90,21 +92,9 @@ func shouldIncludeEntry(dirEntry DirEntry, deviceName, configPath string, filter
 	return false
 }

-func isInConfigRootDir(dirEntry DirEntry, configPath string) bool {
-	// get the first element of the configPath
-	rootDir := strings.Split(configPath, string(os.PathSeparator))[0]
-
-	// return true if entry name starts with "A/"
-	return strings.HasPrefix(dirEntry.Name, appendTailSeparator(rootDir))
-}
-
-func isParentDir(dirEntry DirEntry, configPath string) bool {
-	if dirEntry.IsFile {
-		return false
-	}
-
-	// return true for dir entries A, A/B, A/B/C
-	return strings.HasPrefix(appendTailSeparator(configPath), appendTailSeparator(dirEntry.Name))
+func isInConfigDir(dirEntry DirEntry, configPath string) bool {
+	// return true if entry name starts with "A/B"
+	return strings.HasPrefix(dirEntry.Name, appendTailSeparator(configPath))
 }

 func shouldIncludeFile(dirEntry DirEntry, deviceName, configPath string) bool {
@@ -116,7 +106,7 @@ func shouldIncludeFile(dirEntry DirEntry, deviceName, configPath string) bool {
 	filterEqual := filepath.Join(configPath, deviceName)

 	// example: A/B/C/<deviceName>/
-	filterPrefix := fmt.Sprintf("%s.", filterEqual)
+	filterPrefix := filterEqual + "."

 	// include file entries: A/B/C/<deviceName> or A/B/C/<deviceName>.*
 	return dirEntry.Name == filterEqual || strings.HasPrefix(dirEntry.Name, filterPrefix)
@@ -138,6 +128,15 @@ func shouldIncludeDir(dirEntry DirEntry, deviceName, configPath string) bool {
 	return strings.HasPrefix(dirEntry.Name, filterPrefix)
 }

+func shouldParseEnvVars(dirEntry DirEntry, deviceName, configPath string, filterType portainer.PerDevConfigsFilterType) bool {
+	if !dirEntry.IsFile {
+		return false
+	}
+
+	return isInConfigDir(dirEntry, configPath) &&
+		filepath.Base(dirEntry.Name) == deviceName+".env"
+}
+
 func appendTailSeparator(path string) string {
 	return fmt.Sprintf("%s%c", path, os.PathSeparator)
 }
--- a/api/filesystem/serialize_per_dev_configs_test.go
+++ b/api/filesystem/serialize_per_dev_configs_test.go
@@ -4,14 +4,17 @@ import (
 	"testing"

 	portainer "github.com/portainer/portainer/api"
+
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestMultiFilterDirForPerDevConfigs(t *testing.T) {
-	type args struct {
-		dirEntries      []DirEntry
-		configPath      string
-		multiFilterArgs MultiFilterArgs
+	f := func(dirEntries []DirEntry, configPath string, multiFilterArgs MultiFilterArgs, wantDirEntries []DirEntry) {
+		t.Helper()
+
+		dirEntries, _ = MultiFilterDirForPerDevConfigs(dirEntries, configPath, multiFilterArgs)
+		require.Equal(t, wantDirEntries, dirEntries)
 	}

 	baseDirEntries := []DirEntry{
@@ -26,67 +29,94 @@ func TestMultiFilterDirForPerDevConfigs(t *testing.T) {
 		{"configs/folder2/config2", "", true, 420},
 	}

-	tests := []struct {
-		name string
-		args args
-		want []DirEntry
-	}{
-		{
-			name: "filter file1",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{{"file1", portainer.PerDevConfigsTypeFile}},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3]},
+	// Filter file1
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{{"file1", portainer.PerDevConfigsTypeFile}},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3]},
+	)
+
+	// Filter folder1
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{{"folder1", portainer.PerDevConfigsTypeDir}},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6]},
+	)
+
+	// Filter file1 and folder1
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{{"folder1", portainer.PerDevConfigsTypeDir}},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6]},
+	)
+
+	// Filter file1 and file2
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{
+			{"file1", portainer.PerDevConfigsTypeFile},
+			{"file2", portainer.PerDevConfigsTypeFile},
 		},
-		{
-			name: "filter folder1",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{{"folder1", portainer.PerDevConfigsTypeDir}},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6]},
-		},
-		{
-			name: "filter file1 and folder1",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{{"folder1", portainer.PerDevConfigsTypeDir}},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6]},
-		},
-		{
-			name: "filter file1 and file2",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{
-					{"file1", portainer.PerDevConfigsTypeFile},
-					{"file2", portainer.PerDevConfigsTypeFile},
-				},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3], baseDirEntries[4]},
-		},
-		{
-			name: "filter folder1 and folder2",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{
-					{"folder1", portainer.PerDevConfigsTypeDir},
-					{"folder2", portainer.PerDevConfigsTypeDir},
-				},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6], baseDirEntries[7], baseDirEntries[8]},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3], baseDirEntries[4]},
+	)
+
+	// Filter folder1 and folder2
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{
+			{"folder1", portainer.PerDevConfigsTypeDir},
+			{"folder2", portainer.PerDevConfigsTypeDir},
 		},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6], baseDirEntries[7], baseDirEntries[8]},
+	)
+}
+
+func TestMultiFilterDirForPerDevConfigsEnvFiles(t *testing.T) {
+	f := func(dirEntries []DirEntry, configPath string, multiFilterArgs MultiFilterArgs, wantEnvFiles []string) {
+		t.Helper()
+
+		_, envFiles := MultiFilterDirForPerDevConfigs(dirEntries, configPath, multiFilterArgs)
+		require.Equal(t, wantEnvFiles, envFiles)
 	}

-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			assert.Equalf(t, tt.want, MultiFilterDirForPerDevConfigs(tt.args.dirEntries, tt.args.configPath, tt.args.multiFilterArgs), "MultiFilterDirForPerDevConfigs(%v, %v, %v)", tt.args.dirEntries, tt.args.configPath, tt.args.multiFilterArgs)
-		})
+	baseDirEntries := []DirEntry{
+		{".env", "", true, 420},
+		{"docker-compose.yaml", "", true, 420},
+		{"configs", "", false, 420},
+		{"configs/edge-id/edge-id.env", "", true, 420},
 	}
+
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{{"edge-id", portainer.PerDevConfigsTypeDir}},
+		[]string{"configs/edge-id/edge-id.env"},
+	)
+
+}
+
+func TestIsInConfigDir(t *testing.T) {
+	f := func(dirEntry DirEntry, configPath string, expect bool) {
+		t.Helper()
+
+		actual := isInConfigDir(dirEntry, configPath)
+		assert.Equal(t, expect, actual)
+	}
+
+	f(DirEntry{Name: "edge-configs"}, "edge-configs", false)
+	f(DirEntry{Name: "edge-configs_backup"}, "edge-configs", false)
+	f(DirEntry{Name: "edge-configs/standalone-edge-agent-standard"}, "edge-configs", true)
+	f(DirEntry{Name: "parent/edge-configs/"}, "edge-configs", false)
+	f(DirEntry{Name: "edgestacktest"}, "edgestacktest/edge-configs", false)
+	f(DirEntry{Name: "edgestacktest/edgeconfigs-test.yaml"}, "edgestacktest/edge-configs", false)
+	f(DirEntry{Name: "edgestacktest/file1.conf"}, "edgestacktest/edge-configs", false)
+	f(DirEntry{Name: "edgeconfigs-test.yaml"}, "edgestacktest/edge-configs", false)
+	f(DirEntry{Name: "edgestacktest/edge-configs"}, "edgestacktest/edge-configs", false)
+	f(DirEntry{Name: "edgestacktest/edge-configs/standalone-edge-agent-async"}, "edgestacktest/edge-configs", true)
+	f(DirEntry{Name: "edgestacktest/edge-configs/abc.txt"}, "edgestacktest/edge-configs", true)
 }
--- a/api/git/backup.go
+++ b/api/git/backup.go
@@ -1,12 +1,11 @@
 package git

 import (
-	"fmt"
-
-	"github.com/pkg/errors"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/filesystem"
 	gittypes "github.com/portainer/portainer/api/git/types"
+
+	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
 )

@@ -25,32 +24,28 @@ type CloneOptions struct {
 }

 func CloneWithBackup(gitService portainer.GitService, fileService portainer.FileService, options CloneOptions) (clean func(), err error) {
-	backupProjectPath := fmt.Sprintf("%s-old", options.ProjectPath)
+	backupProjectPath := options.ProjectPath + "-old"
 	cleanUp := false
 	cleanFn := func() {
 		if !cleanUp {
 			return
 		}

-		err = fileService.RemoveDirectory(backupProjectPath)
-		if err != nil {
+		if err := fileService.RemoveDirectory(backupProjectPath); err != nil {
 			log.Warn().Err(err).Msg("unable to remove git repository directory")
 		}
 	}

-	err = filesystem.MoveDirectory(options.ProjectPath, backupProjectPath, true)
-	if err != nil {
+	if err := filesystem.MoveDirectory(options.ProjectPath, backupProjectPath, true); err != nil {
 		return cleanFn, errors.WithMessage(err, "Unable to move git repository directory")
 	}

 	cleanUp = true

-	err = gitService.CloneRepository(options.ProjectPath, options.URL, options.ReferenceName, options.Username, options.Password, options.TLSSkipVerify)
-	if err != nil {
+	if err := gitService.CloneRepository(options.ProjectPath, options.URL, options.ReferenceName, options.Username, options.Password, options.TLSSkipVerify); err != nil {
 		cleanUp = false
-		restoreError := filesystem.MoveDirectory(backupProjectPath, options.ProjectPath, false)
-		if restoreError != nil {
-			log.Warn().Err(restoreError).Msg("failed restoring backup folder")
+		if err := filesystem.MoveDirectory(backupProjectPath, options.ProjectPath, false); err != nil {
+			log.Warn().Err(err).Msg("failed restoring backup folder")
 		}

 		if errors.Is(err, gittypes.ErrAuthenticationFailure) {
--- a/api/git/git.go
+++ b/api/git/git.go
@@ -34,6 +34,7 @@ func (c *gitClient) download(ctx context.Context, dst string, opt cloneOption) e
 		Depth:           opt.depth,
 		InsecureSkipTLS: opt.tlsSkipVerify,
 		Auth:            getAuth(opt.username, opt.password),
+		Tags:            git.NoTags,
 	}

 	if opt.referenceName != "" {
--- a/api/git/git_test.go
+++ b/api/git/git_test.go
@@ -24,8 +24,7 @@ func setup(t *testing.T) string {
 		t.Fatal(errors.Wrap(err, "failed to open an archive"))
 	}

-	err = archive.ExtractTarGz(file, dir)
-	if err != nil {
+	if err := archive.ExtractTarGz(file, dir); err != nil {
 		t.Fatal(errors.Wrapf(err, "failed to extract file from the archive to a folder %s", dir))
 	}

--- a/api/git/update/validate.go
+++ b/api/git/update/validate.go
@@ -3,9 +3,9 @@ package update
 import (
 	"time"

-	"github.com/asaskevich/govalidator"
 	portainer "github.com/portainer/portainer/api"
 	httperrors "github.com/portainer/portainer/api/http/errors"
+	"github.com/portainer/portainer/pkg/validate"
 )

 func ValidateAutoUpdateSettings(autoUpdate *portainer.AutoUpdateSettings) error {
@@ -17,7 +17,7 @@ func ValidateAutoUpdateSettings(autoUpdate *portainer.AutoUpdateSettings) error
 		return httperrors.NewInvalidPayloadError("Webhook or Interval must be provided")
 	}

-	if autoUpdate.Webhook != "" && !govalidator.IsUUID(autoUpdate.Webhook) {
+	if autoUpdate.Webhook != "" && !validate.IsUUID(autoUpdate.Webhook) {
 		return httperrors.NewInvalidPayloadError("invalid Webhook format")
 	}

--- a/api/git/validate.go
+++ b/api/git/validate.go
@@ -1,19 +1,17 @@
 package git

 import (
-	"github.com/asaskevich/govalidator"
-
 	gittypes "github.com/portainer/portainer/api/git/types"
 	httperrors "github.com/portainer/portainer/api/http/errors"
+	"github.com/portainer/portainer/pkg/validate"
 )

 func ValidateRepoConfig(repoConfig *gittypes.RepoConfig) error {
-	if len(repoConfig.URL) == 0 || !govalidator.IsURL(repoConfig.URL) {
+	if len(repoConfig.URL) == 0 || !validate.IsURL(repoConfig.URL) {
 		return httperrors.NewInvalidPayloadError("Invalid repository URL. Must correspond to a valid URL format")
 	}

 	return ValidateRepoAuthentication(repoConfig.Authentication)
-
 }

 func ValidateRepoAuthentication(auth *gittypes.GitAuthentication) error {
--- a/api/hostmanagement/openamt/configCIRA.go
+++ b/api/hostmanagement/openamt/configCIRA.go
@@ -123,7 +123,7 @@ func (service *Service) getCIRACertificate(configuration portainer.OpenAMTConfig
 	if err != nil {
 		return "", err
 	}
-	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", configuration.MPSToken))
+	req.Header.Set("Authorization", "Bearer "+configuration.MPSToken)

 	response, err := service.httpsClient.Do(req)
 	if err != nil {
--- a/Show More
+++ b/Show More