chore: bump version to 2.30.0 (#735 )

feat(helm): make the atomic flag optional [r8s-314] (#733 )
feat(helm): helm actions [r8s-259] (#715 )
2025-05-15 09:06:22 +12:00 · 2025-05-14 16:31:42 +12:00 · 2025-05-13 22:15:04 +12:00 · 2025-05-13 16:33:14 +12:00 · 2025-05-13 14:28:42 +12:00 · 2025-05-13 11:35:44 +12:00
565 changed files with 20359 additions and 10987 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -2,18 +2,17 @@ name: Bug Report
 description: Create a report to help us improve.
 labels: kind/bug,bug/need-confirmation
 body:
-
  - type: markdown
    attributes:
      value: |
        # Welcome!
-        
+
        The issue tracker is for reporting bugs. If you have an [idea for a new feature](https://github.com/orgs/portainer/discussions/categories/ideas) or a [general question about Portainer](https://github.com/orgs/portainer/discussions/categories/help) please post in our [GitHub Discussions](https://github.com/orgs/portainer/discussions).
-        
+
        You can also ask for help in our [community Slack channel](https://join.slack.com/t/portainer/shared_invite/zt-txh3ljab-52QHTyjCqbe5RibC2lcjKA).

        Please note that we only provide support for current versions of Portainer. You can find a list of supported versions in our [lifecycle policy](https://docs.portainer.io/start/lifecycle).
-        
+
        **DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS**.

  - type: checkboxes
@@ -45,7 +44,7 @@ body:
  - type: textarea
    attributes:
      label: Problem Description
-      description: A clear and concise description of what the bug is. 
+      description: A clear and concise description of what the bug is.
    validations:
      required: true

@@ -71,7 +70,7 @@ body:
        1. Go to '...'
        2. Click on '....'
        3. Scroll down to '....'
-        4. See error   
+        4. See error
    validations:
      required: true

@@ -92,9 +91,23 @@ body:
  - type: dropdown
    attributes:
      label: Portainer version
-      description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [upgrading first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
+      description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [updating first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
      multiple: false
      options:
+        - '2.29.2'
+        - '2.29.1'
+        - '2.29.0'
+        - '2.28.1'
+        - '2.28.0'
+        - '2.27.6'
+        - '2.27.5'
+        - '2.27.4'
+        - '2.27.3'
+        - '2.27.2'
+        - '2.27.1'
+        - '2.27.0'
+        - '2.26.1'
+        - '2.26.0'
        - '2.25.1'
        - '2.25.0'
        - '2.24.1'
@@ -107,20 +120,6 @@ body:
        - '2.21.2'
        - '2.21.1'
        - '2.21.0'
-        - '2.20.3'
-        - '2.20.2'
-        - '2.20.1'
-        - '2.20.0'
-        - '2.19.5'
-        - '2.19.4'
-        - '2.19.3'
-        - '2.19.2'
-        - '2.19.1'
-        - '2.19.0'
-        - '2.18.4'
-        - '2.18.3'
-        - '2.18.2'
-        - '2.18.1'
    validations:
      required: true

@@ -158,7 +157,7 @@ body:
  - type: input
    attributes:
      label: Browser
-      description: | 
+      description: |
        Enter your browser and version. Example: Google Chrome 114.0
    validations:
      required: false
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -12,6 +12,7 @@ linters:
    - copyloopvar
    - intrange
    - perfsprint
+    - ineffassign

 linters-settings:
  depguard:
--- a/api/archive/zip.go
+++ b/api/archive/zip.go
@@ -2,7 +2,6 @@ package archive

 import (
 	"archive/zip"
-	"bytes"
 	"fmt"
 	"io"
 	"os"
@@ -12,50 +11,6 @@ import (
 	"github.com/pkg/errors"
 )

-// UnzipArchive will unzip an archive from bytes into the dest destination folder on disk
-func UnzipArchive(archiveData []byte, dest string) error {
-	zipReader, err := zip.NewReader(bytes.NewReader(archiveData), int64(len(archiveData)))
-	if err != nil {
-		return err
-	}
-
-	for _, zipFile := range zipReader.File {
-		err := extractFileFromArchive(zipFile, dest)
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func extractFileFromArchive(file *zip.File, dest string) error {
-	f, err := file.Open()
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-
-	data, err := io.ReadAll(f)
-	if err != nil {
-		return err
-	}
-
-	fpath := filepath.Join(dest, file.Name)
-
-	outFile, err := os.OpenFile(fpath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, file.Mode())
-	if err != nil {
-		return err
-	}
-
-	_, err = io.Copy(outFile, bytes.NewReader(data))
-	if err != nil {
-		return err
-	}
-
-	return outFile.Close()
-}
-
 // UnzipFile will decompress a zip archive, moving all files and folders
 // within the zip file (parameter 1) to an output directory (parameter 2).
 func UnzipFile(src string, dest string) error {
@@ -76,11 +31,11 @@ func UnzipFile(src string, dest string) error {
 		if f.FileInfo().IsDir() {
 			// Make Folder
 			os.MkdirAll(p, os.ModePerm)
+
 			continue
 		}

-		err = unzipFile(f, p)
-		if err != nil {
+		if err := unzipFile(f, p); err != nil {
 			return err
 		}
 	}
@@ -93,20 +48,20 @@ func unzipFile(f *zip.File, p string) error {
 	if err := os.MkdirAll(filepath.Dir(p), os.ModePerm); err != nil {
 		return errors.Wrapf(err, "unzipFile: can't make a path %s", p)
 	}
+
 	outFile, err := os.OpenFile(p, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode())
 	if err != nil {
 		return errors.Wrapf(err, "unzipFile: can't create file %s", p)
 	}
 	defer outFile.Close()
+
 	rc, err := f.Open()
 	if err != nil {
 		return errors.Wrapf(err, "unzipFile: can't open zip file %s in the archive", f.Name)
 	}
 	defer rc.Close()

-	_, err = io.Copy(outFile, rc)
-
-	if err != nil {
+	if _, err = io.Copy(outFile, rc); err != nil {
 		return errors.Wrapf(err, "unzipFile: can't copy an archived file content")
 	}

--- a/api/cli/cli.go
+++ b/api/cli/cli.go
@@ -60,6 +60,7 @@ func CLIFlags() *portainer.CLIFlags {
 		LogLevel:                  kingpin.Flag("log-level", "Set the minimum logging level to show").Default("INFO").Enum("DEBUG", "INFO", "WARN", "ERROR"),
 		LogMode:                   kingpin.Flag("log-mode", "Set the logging output mode").Default("PRETTY").Enum("NOCOLOR", "PRETTY", "JSON"),
 		KubectlShellImage:         kingpin.Flag("kubectl-shell-image", "Kubectl shell image").Envar(portainer.KubectlShellImageEnvVar).Default(portainer.DefaultKubectlShellImage).String(),
+		PullLimitCheckDisabled:    kingpin.Flag("pull-limit-check-disabled", "Pull limit check").Envar(portainer.PullLimitCheckDisabledEnvVar).Default(defaultPullLimitCheckDisabled).Bool(),
 	}
 }

--- a/api/cli/defaults.go
+++ b/api/cli/defaults.go
@@ -4,20 +4,21 @@
 package cli

 const (
-	defaultBindAddress         = ":9000"
-	defaultHTTPSBindAddress    = ":9443"
-	defaultTunnelServerAddress = "0.0.0.0"
-	defaultTunnelServerPort    = "8000"
-	defaultDataDirectory       = "/data"
-	defaultAssetsDirectory     = "./"
-	defaultTLS                 = "false"
-	defaultTLSSkipVerify       = "false"
-	defaultTLSCACertPath       = "/certs/ca.pem"
-	defaultTLSCertPath         = "/certs/cert.pem"
-	defaultTLSKeyPath          = "/certs/key.pem"
-	defaultHTTPDisabled        = "false"
-	defaultHTTPEnabled         = "false"
-	defaultSSL                 = "false"
-	defaultBaseURL             = "/"
-	defaultSecretKeyName       = "portainer"
+	defaultBindAddress            = ":9000"
+	defaultHTTPSBindAddress       = ":9443"
+	defaultTunnelServerAddress    = "0.0.0.0"
+	defaultTunnelServerPort       = "8000"
+	defaultDataDirectory          = "/data"
+	defaultAssetsDirectory        = "./"
+	defaultTLS                    = "false"
+	defaultTLSSkipVerify          = "false"
+	defaultTLSCACertPath          = "/certs/ca.pem"
+	defaultTLSCertPath            = "/certs/cert.pem"
+	defaultTLSKeyPath             = "/certs/key.pem"
+	defaultHTTPDisabled           = "false"
+	defaultHTTPEnabled            = "false"
+	defaultSSL                    = "false"
+	defaultBaseURL                = "/"
+	defaultSecretKeyName          = "portainer"
+	defaultPullLimitCheckDisabled = "false"
 )
--- a/api/cli/defaults_windows.go
+++ b/api/cli/defaults_windows.go
@@ -1,21 +1,22 @@
 package cli

 const (
-	defaultBindAddress         = ":9000"
-	defaultHTTPSBindAddress    = ":9443"
-	defaultTunnelServerAddress = "0.0.0.0"
-	defaultTunnelServerPort    = "8000"
-	defaultDataDirectory       = "C:\\data"
-	defaultAssetsDirectory     = "./"
-	defaultTLS                 = "false"
-	defaultTLSSkipVerify       = "false"
-	defaultTLSCACertPath       = "C:\\certs\\ca.pem"
-	defaultTLSCertPath         = "C:\\certs\\cert.pem"
-	defaultTLSKeyPath          = "C:\\certs\\key.pem"
-	defaultHTTPDisabled        = "false"
-	defaultHTTPEnabled         = "false"
-	defaultSSL                 = "false"
-	defaultSnapshotInterval    = "5m"
-	defaultBaseURL             = "/"
-	defaultSecretKeyName       = "portainer"
+	defaultBindAddress            = ":9000"
+	defaultHTTPSBindAddress       = ":9443"
+	defaultTunnelServerAddress    = "0.0.0.0"
+	defaultTunnelServerPort       = "8000"
+	defaultDataDirectory          = "C:\\data"
+	defaultAssetsDirectory        = "./"
+	defaultTLS                    = "false"
+	defaultTLSSkipVerify          = "false"
+	defaultTLSCACertPath          = "C:\\certs\\ca.pem"
+	defaultTLSCertPath            = "C:\\certs\\cert.pem"
+	defaultTLSKeyPath             = "C:\\certs\\key.pem"
+	defaultHTTPDisabled           = "false"
+	defaultHTTPEnabled            = "false"
+	defaultSSL                    = "false"
+	defaultSnapshotInterval       = "5m"
+	defaultBaseURL                = "/"
+	defaultSecretKeyName          = "portainer"
+	defaultPullLimitCheckDisabled = "false"
 )
--- a/api/cli/pairlistbool.go
+++ b/api/cli/pairlistbool.go
@@ -1,45 +0,0 @@
-package cli
-
-import (
-	"strings"
-
-	portainer "github.com/portainer/portainer/api"
-
-	"gopkg.in/alecthomas/kingpin.v2"
-)
-
-type pairListBool []portainer.Pair
-
-// Set implementation for a list of portainer.Pair
-func (l *pairListBool) Set(value string) error {
-	p := new(portainer.Pair)
-
-	// default to true.  example setting=true is equivalent to setting
-	parts := strings.SplitN(value, "=", 2)
-	if len(parts) != 2 {
-		p.Name = parts[0]
-		p.Value = "true"
-	} else {
-		p.Name = parts[0]
-		p.Value = parts[1]
-	}
-
-	*l = append(*l, *p)
-	return nil
-}
-
-// String implementation for a list of pair
-func (l *pairListBool) String() string {
-	return ""
-}
-
-// IsCumulative implementation for a list of pair
-func (l *pairListBool) IsCumulative() bool {
-	return true
-}
-
-func BoolPairs(s kingpin.Settings) (target *[]portainer.Pair) {
-	target = new([]portainer.Pair)
-	s.SetValue((*pairListBool)(target))
-	return
-}
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -39,6 +39,7 @@ import (
 	"github.com/portainer/portainer/api/kubernetes"
 	kubecli "github.com/portainer/portainer/api/kubernetes/cli"
 	"github.com/portainer/portainer/api/ldap"
+	"github.com/portainer/portainer/api/logs"
 	"github.com/portainer/portainer/api/oauth"
 	"github.com/portainer/portainer/api/pendingactions"
 	"github.com/portainer/portainer/api/pendingactions/actions"
@@ -49,6 +50,7 @@ import (
 	"github.com/portainer/portainer/pkg/build"
 	"github.com/portainer/portainer/pkg/featureflags"
 	"github.com/portainer/portainer/pkg/libhelm"
+	libhelmtypes "github.com/portainer/portainer/pkg/libhelm/types"
 	"github.com/portainer/portainer/pkg/libstack/compose"

 	"github.com/gofrs/uuid"
@@ -165,12 +167,12 @@ func checkDBSchemaServerVersionMatch(dbStore dataservices.DataStore, serverVersi
 	return v.SchemaVersion == serverVersion && v.Edition == serverEdition
 }

-func initKubernetesDeployer(kubernetesTokenCacheManager *kubeproxy.TokenCacheManager, kubernetesClientFactory *kubecli.ClientFactory, dataStore dataservices.DataStore, reverseTunnelService portainer.ReverseTunnelService, signatureService portainer.DigitalSignatureService, proxyManager *proxy.Manager, assetsPath string) portainer.KubernetesDeployer {
-	return exec.NewKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, signatureService, proxyManager, assetsPath)
+func initKubernetesDeployer(kubernetesTokenCacheManager *kubeproxy.TokenCacheManager, kubernetesClientFactory *kubecli.ClientFactory, dataStore dataservices.DataStore, reverseTunnelService portainer.ReverseTunnelService, signatureService portainer.DigitalSignatureService, proxyManager *proxy.Manager) portainer.KubernetesDeployer {
+	return exec.NewKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, signatureService, proxyManager)
 }

-func initHelmPackageManager(assetsPath string) (libhelm.HelmPackageManager, error) {
-	return libhelm.NewHelmPackageManager(libhelm.HelmConfig{BinaryPath: assetsPath})
+func initHelmPackageManager() (libhelmtypes.HelmPackageManager, error) {
+	return libhelm.NewHelmPackageManager()
 }

 func initAPIKeyService(datastore dataservices.DataStore) apikey.APIKeyService {
@@ -238,10 +240,10 @@ func updateSettingsFromFlags(dataStore dataservices.DataStore, flags *portainer.
 		return err
 	}

-	settings.SnapshotInterval = *cmp.Or(flags.SnapshotInterval, &settings.SnapshotInterval)
-	settings.LogoURL = *cmp.Or(flags.Logo, &settings.LogoURL)
-	settings.EnableEdgeComputeFeatures = *cmp.Or(flags.EnableEdgeComputeFeatures, &settings.EnableEdgeComputeFeatures)
-	settings.TemplatesURL = *cmp.Or(flags.Templates, &settings.TemplatesURL)
+	settings.SnapshotInterval = cmp.Or(*flags.SnapshotInterval, settings.SnapshotInterval)
+	settings.LogoURL = cmp.Or(*flags.Logo, settings.LogoURL)
+	settings.EnableEdgeComputeFeatures = cmp.Or(*flags.EnableEdgeComputeFeatures, settings.EnableEdgeComputeFeatures)
+	settings.TemplatesURL = cmp.Or(*flags.Templates, settings.TemplatesURL)

 	if *flags.Labels != nil {
 		settings.BlackListedLabels = *flags.Labels
@@ -421,7 +423,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		log.Fatal().Err(err).Msg("failed initializing swarm stack manager")
 	}

-	kubernetesDeployer := initKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, signatureService, proxyManager, *flags.Assets)
+	kubernetesDeployer := initKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, signatureService, proxyManager)

 	pendingActionsService := pendingactions.NewService(dataStore, kubernetesClientFactory)
 	pendingActionsService.RegisterHandler(actions.CleanNAPWithOverridePolicies, handlers.NewHandlerCleanNAPWithOverridePolicies(authorizationService, dataStore))
@@ -437,7 +439,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {

 	proxyManager.NewProxyFactory(dataStore, signatureService, reverseTunnelService, dockerClientFactory, kubernetesClientFactory, kubernetesTokenCacheManager, gitService, snapshotService)

-	helmPackageManager, err := initHelmPackageManager(*flags.Assets)
+	helmPackageManager, err := initHelmPackageManager()
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed initializing helm package manager")
 	}
@@ -575,17 +577,18 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		AdminCreationDone:           adminCreationDone,
 		PendingActionsService:       pendingActionsService,
 		PlatformService:             platformService,
+		PullLimitCheckDisabled:      *flags.PullLimitCheckDisabled,
 	}
 }

 func main() {
-	configureLogger()
-	setLoggingMode("PRETTY")
+	logs.ConfigureLogger()
+	logs.SetLoggingMode("PRETTY")

 	flags := initCLI()

-	setLoggingLevel(*flags.LogLevel)
-	setLoggingMode(*flags.LogMode)
+	logs.SetLoggingLevel(*flags.LogLevel)
+	logs.SetLoggingMode(*flags.LogMode)

 	for {
 		server := buildServer(flags)
--- a/api/connection.go
+++ b/api/connection.go
@@ -6,8 +6,10 @@ import (

 type ReadTransaction interface {
 	GetObject(bucketName string, key []byte, object any) error
+	GetRawBytes(bucketName string, key []byte) ([]byte, error)
 	GetAll(bucketName string, obj any, append func(o any) (any, error)) error
 	GetAllWithKeyPrefix(bucketName string, keyPrefix []byte, obj any, append func(o any) (any, error)) error
+	KeyExists(bucketName string, key []byte) (bool, error)
 }

 type Transaction interface {
--- a/api/database/boltdb/db.go
+++ b/api/database/boltdb/db.go
@@ -244,6 +244,32 @@ func (connection *DbConnection) GetObject(bucketName string, key []byte, object
 	})
 }

+func (connection *DbConnection) GetRawBytes(bucketName string, key []byte) ([]byte, error) {
+	var value []byte
+
+	err := connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		value, err = tx.GetRawBytes(bucketName, key)
+
+		return err
+	})
+
+	return value, err
+}
+
+func (connection *DbConnection) KeyExists(bucketName string, key []byte) (bool, error) {
+	var exists bool
+
+	err := connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		exists, err = tx.KeyExists(bucketName, key)
+
+		return err
+	})
+
+	return exists, err
+}
+
 func (connection *DbConnection) getEncryptionKey() []byte {
 	if !connection.isEncrypted {
 		return nil
--- a/api/database/boltdb/tx.go
+++ b/api/database/boltdb/tx.go
@@ -6,6 +6,7 @@ import (

 	dserrors "github.com/portainer/portainer/api/dataservices/errors"

+	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
 	bolt "go.etcd.io/bbolt"
 )
@@ -31,6 +32,33 @@ func (tx *DbTransaction) GetObject(bucketName string, key []byte, object any) er
 	return tx.conn.UnmarshalObject(value, object)
 }

+func (tx *DbTransaction) GetRawBytes(bucketName string, key []byte) ([]byte, error) {
+	bucket := tx.tx.Bucket([]byte(bucketName))
+
+	value := bucket.Get(key)
+	if value == nil {
+		return nil, fmt.Errorf("%w (bucket=%s, key=%s)", dserrors.ErrObjectNotFound, bucketName, keyToString(key))
+	}
+
+	if tx.conn.getEncryptionKey() != nil {
+		var err error
+
+		if value, err = decrypt(value, tx.conn.getEncryptionKey()); err != nil {
+			return value, errors.Wrap(err, "Failed decrypting object")
+		}
+	}
+
+	return value, nil
+}
+
+func (tx *DbTransaction) KeyExists(bucketName string, key []byte) (bool, error) {
+	bucket := tx.tx.Bucket([]byte(bucketName))
+
+	value := bucket.Get(key)
+
+	return value != nil, nil
+}
+
 func (tx *DbTransaction) UpdateObject(bucketName string, key []byte, object any) error {
 	data, err := tx.conn.MarshalObject(object)
 	if err != nil {
--- a/api/dataservices/base.go
+++ b/api/dataservices/base.go
@@ -9,6 +9,7 @@ import (
 type BaseCRUD[T any, I constraints.Integer] interface {
 	Create(element *T) error
 	Read(ID I) (*T, error)
+	Exists(ID I) (bool, error)
 	ReadAll() ([]T, error)
 	Update(ID I, element *T) error
 	Delete(ID I) error
@@ -42,6 +43,19 @@ func (service BaseDataService[T, I]) Read(ID I) (*T, error) {
 	})
 }

+func (service BaseDataService[T, I]) Exists(ID I) (bool, error) {
+	var exists bool
+
+	err := service.Connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		exists, err = service.Tx(tx).Exists(ID)
+
+		return err
+	})
+
+	return exists, err
+}
+
 func (service BaseDataService[T, I]) ReadAll() ([]T, error) {
 	var collection = make([]T, 0)

--- a/api/dataservices/base_tx.go
+++ b/api/dataservices/base_tx.go
@@ -28,6 +28,12 @@ func (service BaseDataServiceTx[T, I]) Read(ID I) (*T, error) {
 	return &element, nil
 }

+func (service BaseDataServiceTx[T, I]) Exists(ID I) (bool, error) {
+	identifier := service.Connection.ConvertToKey(int(ID))
+
+	return service.Tx.KeyExists(service.Bucket, identifier)
+}
+
 func (service BaseDataServiceTx[T, I]) ReadAll() ([]T, error) {
 	var collection = make([]T, 0)

--- a/api/dataservices/endpointrelation/endpointrelation.go
+++ b/api/dataservices/endpointrelation/endpointrelation.go
@@ -22,6 +22,8 @@ type Service struct {
 	mu                     sync.Mutex
 }

+var _ dataservices.EndpointRelationService = &Service{}
+
 func (service *Service) BucketName() string {
 	return BucketName
 }
@@ -109,6 +111,18 @@ func (service *Service) UpdateEndpointRelation(endpointID portainer.EndpointID,
 	return nil
 }

+func (service *Service) AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
+	return service.connection.ViewTx(func(tx portainer.Transaction) error {
+		return service.Tx(tx).AddEndpointRelationsForEdgeStack(endpointIDs, edgeStackID)
+	})
+}
+
+func (service *Service) RemoveEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
+	return service.connection.ViewTx(func(tx portainer.Transaction) error {
+		return service.Tx(tx).RemoveEndpointRelationsForEdgeStack(endpointIDs, edgeStackID)
+	})
+}
+
 // DeleteEndpointRelation deletes an Environment(Endpoint) relation object
 func (service *Service) DeleteEndpointRelation(endpointID portainer.EndpointID) error {
 	deletedRelation, _ := service.EndpointRelation(endpointID)
--- a/api/dataservices/endpointrelation/tx.go
+++ b/api/dataservices/endpointrelation/tx.go
@@ -13,6 +13,8 @@ type ServiceTx struct {
 	tx      portainer.Transaction
 }

+var _ dataservices.EndpointRelationService = &ServiceTx{}
+
 func (service ServiceTx) BucketName() string {
 	return BucketName
 }
@@ -74,6 +76,66 @@ func (service ServiceTx) UpdateEndpointRelation(endpointID portainer.EndpointID,
 	return nil
 }

+func (service ServiceTx) AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
+	for _, endpointID := range endpointIDs {
+		rel, err := service.EndpointRelation(endpointID)
+		if err != nil {
+			return err
+		}
+
+		rel.EdgeStacks[edgeStackID] = true
+
+		identifier := service.service.connection.ConvertToKey(int(endpointID))
+		err = service.tx.UpdateObject(BucketName, identifier, rel)
+		cache.Del(endpointID)
+		if err != nil {
+			return err
+		}
+	}
+
+	service.service.mu.Lock()
+	service.service.endpointRelationsCache = nil
+	service.service.mu.Unlock()
+
+	if err := service.service.updateStackFnTx(service.tx, edgeStackID, func(edgeStack *portainer.EdgeStack) {
+		edgeStack.NumDeployments += len(endpointIDs)
+	}); err != nil {
+		log.Error().Err(err).Msg("could not update the number of deployments")
+	}
+
+	return nil
+}
+
+func (service ServiceTx) RemoveEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
+	for _, endpointID := range endpointIDs {
+		rel, err := service.EndpointRelation(endpointID)
+		if err != nil {
+			return err
+		}
+
+		delete(rel.EdgeStacks, edgeStackID)
+
+		identifier := service.service.connection.ConvertToKey(int(endpointID))
+		err = service.tx.UpdateObject(BucketName, identifier, rel)
+		cache.Del(endpointID)
+		if err != nil {
+			return err
+		}
+	}
+
+	service.service.mu.Lock()
+	service.service.endpointRelationsCache = nil
+	service.service.mu.Unlock()
+
+	if err := service.service.updateStackFnTx(service.tx, edgeStackID, func(edgeStack *portainer.EdgeStack) {
+		edgeStack.NumDeployments -= len(endpointIDs)
+	}); err != nil {
+		log.Error().Err(err).Msg("could not update the number of deployments")
+	}
+
+	return nil
+}
+
 // DeleteEndpointRelation deletes an Environment(Endpoint) relation object
 func (service ServiceTx) DeleteEndpointRelation(endpointID portainer.EndpointID) error {
 	deletedRelation, _ := service.EndpointRelation(endpointID)
--- a/api/dataservices/interface.go
+++ b/api/dataservices/interface.go
@@ -115,6 +115,8 @@ type (
 		EndpointRelation(EndpointID portainer.EndpointID) (*portainer.EndpointRelation, error)
 		Create(endpointRelation *portainer.EndpointRelation) error
 		UpdateEndpointRelation(EndpointID portainer.EndpointID, endpointRelation *portainer.EndpointRelation) error
+		AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error
+		RemoveEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error
 		DeleteEndpointRelation(EndpointID portainer.EndpointID) error
 		BucketName() string
 	}
@@ -157,6 +159,7 @@ type (

 	SnapshotService interface {
 		BaseCRUD[portainer.Snapshot, portainer.EndpointID]
+		ReadWithoutSnapshotRaw(ID portainer.EndpointID) (*portainer.Snapshot, error)
 	}

 	// SSLSettingsService represents a service for managing application settings
--- a/api/dataservices/snapshot/snapshot.go
+++ b/api/dataservices/snapshot/snapshot.go
@@ -38,3 +38,16 @@ func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
 func (service *Service) Create(snapshot *portainer.Snapshot) error {
 	return service.Connection.CreateObjectWithId(BucketName, int(snapshot.EndpointID), snapshot)
 }
+
+func (service *Service) ReadWithoutSnapshotRaw(ID portainer.EndpointID) (*portainer.Snapshot, error) {
+	var snapshot *portainer.Snapshot
+
+	err := service.Connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		snapshot, err = service.Tx(tx).ReadWithoutSnapshotRaw(ID)
+
+		return err
+	})
+
+	return snapshot, err
+}
--- a/api/dataservices/snapshot/tx.go
+++ b/api/dataservices/snapshot/tx.go
@@ -12,3 +12,26 @@ type ServiceTx struct {
 func (service ServiceTx) Create(snapshot *portainer.Snapshot) error {
 	return service.Tx.CreateObjectWithId(BucketName, int(snapshot.EndpointID), snapshot)
 }
+
+func (service ServiceTx) ReadWithoutSnapshotRaw(ID portainer.EndpointID) (*portainer.Snapshot, error) {
+	var snapshot struct {
+		Docker *struct {
+			X struct{} `json:"DockerSnapshotRaw"`
+			*portainer.DockerSnapshot
+		} `json:"Docker"`
+
+		portainer.Snapshot
+	}
+
+	identifier := service.Connection.ConvertToKey(int(ID))
+
+	if err := service.Tx.GetObject(service.Bucket, identifier, &snapshot); err != nil {
+		return nil, err
+	}
+
+	if snapshot.Docker != nil {
+		snapshot.Snapshot.Docker = snapshot.Docker.DockerSnapshot
+	}
+
+	return &snapshot.Snapshot, nil
+}
--- a/api/datastore/migrator/migrate_dbversion100.go
+++ b/api/datastore/migrator/migrate_dbversion100.go
@@ -94,6 +94,10 @@ func (m *Migrator) updateEdgeStackStatusForDB100() error {
 				continue
 			}

+			if environmentStatus.Details == nil {
+				continue
+			}
+
 			statusArray := []portainer.EdgeStackDeploymentStatus{}
 			if environmentStatus.Details.Pending {
 				statusArray = append(statusArray, portainer.EdgeStackDeploymentStatus{
--- a/api/datastore/migrator/migrate_dbversion20.go
+++ b/api/datastore/migrator/migrate_dbversion20.go
@@ -18,8 +18,7 @@ func (m *Migrator) updateResourceControlsToDBVersion22() error {
 	for _, resourceControl := range legacyResourceControls {
 		resourceControl.AdministratorsOnly = false

-		err := m.resourceControlService.Update(resourceControl.ID, &resourceControl)
-		if err != nil {
+		if err := m.resourceControlService.Update(resourceControl.ID, &resourceControl); err != nil {
 			return err
 		}
 	}
@@ -42,8 +41,8 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {

 	for _, user := range legacyUsers {
 		user.PortainerAuthorizations = authorization.DefaultPortainerAuthorizations()
-		err = m.userService.Update(user.ID, &user)
-		if err != nil {
+
+		if err := m.userService.Update(user.ID, &user); err != nil {
 			return err
 		}
 	}
@@ -52,38 +51,47 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
 	if err != nil {
 		return err
 	}
+
 	endpointAdministratorRole.Priority = 1
 	endpointAdministratorRole.Authorizations = authorization.DefaultEndpointAuthorizationsForEndpointAdministratorRole()

-	err = m.roleService.Update(endpointAdministratorRole.ID, endpointAdministratorRole)
+	if err := m.roleService.Update(endpointAdministratorRole.ID, endpointAdministratorRole); err != nil {
+		return err
+	}

 	helpDeskRole, err := m.roleService.Read(portainer.RoleID(2))
 	if err != nil {
 		return err
 	}
+
 	helpDeskRole.Priority = 2
 	helpDeskRole.Authorizations = authorization.DefaultEndpointAuthorizationsForHelpDeskRole(settings.AllowVolumeBrowserForRegularUsers)

-	err = m.roleService.Update(helpDeskRole.ID, helpDeskRole)
+	if err := m.roleService.Update(helpDeskRole.ID, helpDeskRole); err != nil {
+		return err
+	}

 	standardUserRole, err := m.roleService.Read(portainer.RoleID(3))
 	if err != nil {
 		return err
 	}
+
 	standardUserRole.Priority = 3
 	standardUserRole.Authorizations = authorization.DefaultEndpointAuthorizationsForStandardUserRole(settings.AllowVolumeBrowserForRegularUsers)

-	err = m.roleService.Update(standardUserRole.ID, standardUserRole)
+	if err := m.roleService.Update(standardUserRole.ID, standardUserRole); err != nil {
+		return err
+	}

 	readOnlyUserRole, err := m.roleService.Read(portainer.RoleID(4))
 	if err != nil {
 		return err
 	}
+
 	readOnlyUserRole.Priority = 4
 	readOnlyUserRole.Authorizations = authorization.DefaultEndpointAuthorizationsForReadOnlyUserRole(settings.AllowVolumeBrowserForRegularUsers)

-	err = m.roleService.Update(readOnlyUserRole.ID, readOnlyUserRole)
-	if err != nil {
+	if err := m.roleService.Update(readOnlyUserRole.ID, readOnlyUserRole); err != nil {
 		return err
 	}

--- a/api/datastore/migrator/migrate_dbversion80.go
+++ b/api/datastore/migrator/migrate_dbversion80.go
@@ -75,6 +75,10 @@ func (m *Migrator) updateEdgeStackStatusForDB80() error {

 	for _, edgeStack := range edgeStacks {
 		for endpointId, status := range edgeStack.Status {
+			if status.Details == nil {
+				status.Details = &portainer.EdgeStackStatusDetails{}
+			}
+
 			switch status.Type {
 			case portainer.EdgeStackStatusPending:
 				status.Details.Pending = true
@@ -93,10 +97,10 @@ func (m *Migrator) updateEdgeStackStatusForDB80() error {
 			edgeStack.Status[endpointId] = status
 		}

-		err = m.edgeStackService.UpdateEdgeStack(edgeStack.ID, &edgeStack)
-		if err != nil {
+		if err := m.edgeStackService.UpdateEdgeStack(edgeStack.ID, &edgeStack); err != nil {
 			return err
 		}
 	}
+
 	return nil
 }
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@@ -610,7 +610,7 @@
      "RequiredPasswordLength": 12
    },
    "KubeconfigExpiry": "0",
-    "KubectlShellImage": "portainer/kubectl-shell:2.25.0",
+    "KubectlShellImage": "portainer/kubectl-shell:2.30.0",
    "LDAPSettings": {
      "AnonymousMode": true,
      "AutoCreateUsers": true,
@@ -943,7 +943,7 @@
    }
  ],
  "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.25.0\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+    "VERSION": "{\"SchemaVersion\":\"2.30.0\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
  },
  "webhooks": null
 }
--- a/api/datastore/validate/validate.go
+++ b/api/datastore/validate/validate.go
@@ -1,15 +0,0 @@
-package validate
-
-import (
-	"github.com/go-playground/validator/v10"
-	portainer "github.com/portainer/portainer/api"
-)
-
-var validate *validator.Validate
-
-func ValidateLDAPSettings(ldp *portainer.LDAPSettings) error {
-	validate = validator.New()
-	registerValidationMethods(validate)
-
-	return validate.Struct(ldp)
-}
--- a/api/datastore/validate/validate_test.go
+++ b/api/datastore/validate/validate_test.go
@@ -1,61 +0,0 @@
-package validate
-
-import (
-	"testing"
-
-	portainer "github.com/portainer/portainer/api"
-)
-
-func TestValidateLDAPSettings(t *testing.T) {
-
-	tests := []struct {
-		name    string
-		ldap    portainer.LDAPSettings
-		wantErr bool
-	}{
-		{
-			name:    "Empty LDAP Settings",
-			ldap:    portainer.LDAPSettings{},
-			wantErr: true,
-		},
-		{
-			name: "With URL",
-			ldap: portainer.LDAPSettings{
-				AnonymousMode: true,
-				URL:           "192.168.0.1:323",
-			},
-			wantErr: false,
-		},
-		{
-			name: "Validate URL and URLs",
-			ldap: portainer.LDAPSettings{
-				AnonymousMode: true,
-				URL:           "192.168.0.1:323",
-			},
-			wantErr: false,
-		},
-		{
-			name: "validate client ldap",
-			ldap: portainer.LDAPSettings{
-				AnonymousMode: false,
-				ReaderDN:      "CN=LDAP API Service Account",
-				Password:      "Qu**dfUUU**",
-				URL:           "aukdc15.pgc.co:389",
-				TLSConfig: portainer.TLSConfiguration{
-					TLS:           false,
-					TLSSkipVerify: false,
-				},
-			},
-			wantErr: false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			err := ValidateLDAPSettings(&tt.ldap)
-			if (err == nil) == tt.wantErr {
-				t.Errorf("No error expected but got %s", err)
-			}
-		})
-	}
-}
--- a/api/datastore/validate/validationMethods.go
+++ b/api/datastore/validate/validationMethods.go
@@ -1,17 +0,0 @@
-package validate
-
-import (
-	"github.com/go-playground/validator/v10"
-)
-
-func registerValidationMethods(v *validator.Validate) {
-	v.RegisterValidation("validate_bool", ValidateBool)
-}
-
-/**
- * Validation methods below are being used for custom validation
- */
-func ValidateBool(fl validator.FieldLevel) bool {
-	_, ok := fl.Field().Interface().(bool)
-	return ok
-}
--- a/api/docker/client/client.go
+++ b/api/docker/client/client.go
@@ -3,8 +3,8 @@ package client
 import (
 	"bytes"
 	"errors"
+	"fmt"
 	"io"
-	"maps"
 	"net/http"
 	"strings"
 	"time"
@@ -73,19 +73,6 @@ func createLocalClient(endpoint *portainer.Endpoint) (*client.Client, error) {
 	)
 }

-func CreateClientFromEnv() (*client.Client, error) {
-	return client.NewClientWithOpts(
-		client.FromEnv,
-		client.WithAPIVersionNegotiation(),
-	)
-}
-
-func CreateSimpleClient() (*client.Client, error) {
-	return client.NewClientWithOpts(
-		client.WithAPIVersionNegotiation(),
-	)
-}
-
 func createTCPClient(endpoint *portainer.Endpoint, timeout *time.Duration) (*client.Client, error) {
 	httpCli, err := httpClient(endpoint, timeout)
 	if err != nil {
@@ -141,7 +128,6 @@ func createAgentClient(endpoint *portainer.Endpoint, endpointURL string, signatu

 type NodeNameTransport struct {
 	*http.Transport
-	nodeNames map[string]string
 }

 func (t *NodeNameTransport) RoundTrip(req *http.Request) (*http.Response, error) {
@@ -176,18 +162,19 @@ func (t *NodeNameTransport) RoundTrip(req *http.Request) (*http.Response, error)
 		return resp, nil
 	}

-	t.nodeNames = make(map[string]string)
-	for _, r := range rs {
-		t.nodeNames[r.ID] = r.Portainer.Agent.NodeName
+	nodeNames, ok := req.Context().Value("nodeNames").(map[string]string)
+	if ok {
+		for idx, r := range rs {
+			// as there is no way to differentiate the same image available in multiple nodes only by their ID
+			// we append the index of the image in the payload response to match the node name later
+			// from the image.Summary[] list returned by docker's client.ImageList()
+			nodeNames[fmt.Sprintf("%s-%d", r.ID, idx)] = r.Portainer.Agent.NodeName
+		}
 	}

 	return resp, err
 }

-func (t *NodeNameTransport) NodeNames() map[string]string {
-	return maps.Clone(t.nodeNames)
-}
-
 func httpClient(endpoint *portainer.Endpoint, timeout *time.Duration) (*http.Client, error) {
 	transport := &NodeNameTransport{
 		Transport: &http.Transport{},
--- a/api/docker/images/digest.go
+++ b/api/docker/images/digest.go
@@ -38,10 +38,10 @@ func NewClientWithRegistry(registryClient *RegistryClient, clientFactory *docker
 func (c *DigestClient) RemoteDigest(image Image) (digest.Digest, error) {
 	ctx, cancel := c.timeoutContext()
 	defer cancel()
+
 	// Docker references with both a tag and digest are currently not supported
 	if image.Tag != "" && image.Digest != "" {
-		err := image.trimDigest()
-		if err != nil {
+		if err := image.TrimDigest(); err != nil {
 			return "", err
 		}
 	}
@@ -69,7 +69,7 @@ func (c *DigestClient) RemoteDigest(image Image) (digest.Digest, error) {
 	// Retrieve remote digest through HEAD request
 	rmDigest, err := docker.GetDigest(ctx, sysCtx, rmRef)
 	if err != nil {
-		// fallback to public registry for hub
+		// Fallback to public registry for hub
 		if image.HubLink != "" {
 			rmDigest, err = docker.GetDigest(ctx, c.sysCtx, rmRef)
 			if err == nil {
@@ -131,8 +131,7 @@ func ParseRepoDigests(repoDigests []string) []digest.Digest {
 func ParseRepoTags(repoTags []string) []*Image {
 	images := make([]*Image, 0)
 	for _, repoTag := range repoTags {
-		image := ParseRepoTag(repoTag)
-		if image != nil {
+		if image := ParseRepoTag(repoTag); image != nil {
 			images = append(images, image)
 		}
 	}
@@ -147,7 +146,7 @@ func ParseRepoDigest(repoDigest string) digest.Digest {

 	d, err := digest.Parse(strings.Split(repoDigest, "@")[1])
 	if err != nil {
-		log.Warn().Msgf("Skip invalid repo digest item: %s [error: %v]", repoDigest, err)
+		log.Warn().Err(err).Str("digest", repoDigest).Msg("skip invalid repo item")

 		return ""
 	}
--- a/api/docker/images/image.go
+++ b/api/docker/images/image.go
@@ -26,7 +26,7 @@ type Image struct {
 	Digest  digest.Digest
 	HubLink string
 	named   reference.Named
-	opts    ParseImageOptions
+	Opts    ParseImageOptions `json:"-"`
 }

 // ParseImageOptions holds image options for parsing.
@@ -43,9 +43,10 @@ func (i *Image) Name() string {
 // FullName return the real full name may include Tag or Digest of the image, Tag first.
 func (i *Image) FullName() string {
 	if i.Tag == "" {
-		return fmt.Sprintf("%s@%s", i.Name(), i.Digest)
+		return i.Name() + "@" + i.Digest.String()
 	}
-	return fmt.Sprintf("%s:%s", i.Name(), i.Tag)
+
+	return i.Name() + ":" + i.Tag
 }

 // String returns the string representation of an image, including Tag and Digest if existed.
@@ -66,22 +67,25 @@ func (i *Image) Reference() string {
 func (i *Image) WithDigest(digest digest.Digest) (err error) {
 	i.Digest = digest
 	i.named, err = reference.WithDigest(i.named, digest)
+
 	return err
 }

 func (i *Image) WithTag(tag string) (err error) {
 	i.Tag = tag
 	i.named, err = reference.WithTag(i.named, tag)
+
 	return err
 }

-func (i *Image) trimDigest() error {
+func (i *Image) TrimDigest() error {
 	i.Digest = ""
 	named, err := ParseImage(ParseImageOptions{Name: i.FullName()})
 	if err != nil {
 		return err
 	}
 	i.named = &named
+
 	return nil
 }

@@ -92,11 +96,12 @@ func ParseImage(parseOpts ParseImageOptions) (Image, error) {
 	if err != nil {
 		return Image{}, errors.Wrapf(err, "parsing image %s failed", parseOpts.Name)
 	}
+
 	// Add the latest lag if they did not provide one.
 	named = reference.TagNameOnly(named)

 	i := Image{
-		opts:   parseOpts,
+		Opts:   parseOpts,
 		named:  named,
 		Domain: reference.Domain(named),
 		Path:   reference.Path(named),
@@ -122,15 +127,16 @@ func ParseImage(parseOpts ParseImageOptions) (Image, error) {
 }

 func (i *Image) hubLink() (string, error) {
-	if i.opts.HubTpl != "" {
+	if i.Opts.HubTpl != "" {
 		var out bytes.Buffer
 		tmpl, err := template.New("tmpl").
 			Option("missingkey=error").
-			Parse(i.opts.HubTpl)
+			Parse(i.Opts.HubTpl)
 		if err != nil {
 			return "", err
 		}
 		err = tmpl.Execute(&out, i)
+
 		return out.String(), err
 	}

@@ -142,6 +148,7 @@ func (i *Image) hubLink() (string, error) {
 			prefix = "_"
 			path = strings.Replace(i.Path, "library/", "", 1)
 		}
+
 		return "https://hub.docker.com/" + prefix + "/" + path, nil
 	case "docker.bintray.io", "jfrog-docker-reg2.bintray.io":
 		return "https://bintray.com/jfrog/reg2/" + strings.ReplaceAll(i.Path, "/", "%3A"), nil
--- a/api/docker/images/image_test.go
+++ b/api/docker/images/image_test.go
@@ -16,7 +16,7 @@ func TestImageParser(t *testing.T) {
 		})
 		is.NoError(err, "")
 		is.Equal("docker.io/portainer/portainer-ee:latest", image.FullName())
-		is.Equal("portainer/portainer-ee", image.opts.Name)
+		is.Equal("portainer/portainer-ee", image.Opts.Name)
 		is.Equal("latest", image.Tag)
 		is.Equal("portainer/portainer-ee", image.Path)
 		is.Equal("docker.io", image.Domain)
@@ -32,7 +32,7 @@ func TestImageParser(t *testing.T) {
 		})
 		is.NoError(err, "")
 		is.Equal("gcr.io/k8s-minikube/kicbase@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.FullName())
-		is.Equal("gcr.io/k8s-minikube/kicbase@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.opts.Name)
+		is.Equal("gcr.io/k8s-minikube/kicbase@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
 		is.Equal("", image.Tag)
 		is.Equal("k8s-minikube/kicbase", image.Path)
 		is.Equal("gcr.io", image.Domain)
@@ -49,7 +49,7 @@ func TestImageParser(t *testing.T) {
 		})
 		is.NoError(err, "")
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30", image.FullName())
-		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.opts.Name)
+		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
 		is.Equal("v0.0.30", image.Tag)
 		is.Equal("k8s-minikube/kicbase", image.Path)
 		is.Equal("gcr.io", image.Domain)
@@ -71,7 +71,7 @@ func TestUpdateParsedImage(t *testing.T) {
 		is.NoError(err, "")
 		_ = image.WithTag("v0.0.31")
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.31", image.FullName())
-		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.opts.Name)
+		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
 		is.Equal("v0.0.31", image.Tag)
 		is.Equal("k8s-minikube/kicbase", image.Path)
 		is.Equal("gcr.io", image.Domain)
@@ -89,7 +89,7 @@ func TestUpdateParsedImage(t *testing.T) {
 		is.NoError(err, "")
 		_ = image.WithDigest("sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b3")
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30", image.FullName())
-		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.opts.Name)
+		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
 		is.Equal("v0.0.30", image.Tag)
 		is.Equal("k8s-minikube/kicbase", image.Path)
 		is.Equal("gcr.io", image.Domain)
@@ -105,9 +105,9 @@ func TestUpdateParsedImage(t *testing.T) {
 			Name: "gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2",
 		})
 		is.NoError(err, "")
-		_ = image.trimDigest()
+		_ = image.TrimDigest()
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30", image.FullName())
-		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.opts.Name)
+		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
 		is.Equal("v0.0.30", image.Tag)
 		is.Equal("k8s-minikube/kicbase", image.Path)
 		is.Equal("gcr.io", image.Domain)
--- a/api/docker/images/registry.go
+++ b/api/docker/images/registry.go
@@ -29,7 +29,7 @@ func (c *RegistryClient) RegistryAuth(image Image) (string, string, error) {
 		return "", "", err
 	}

-	registry, err := findBestMatchRegistry(image.opts.Name, registries)
+	registry, err := findBestMatchRegistry(image.Opts.Name, registries)
 	if err != nil {
 		return "", "", err
 	}
@@ -59,7 +59,7 @@ func (c *RegistryClient) EncodedRegistryAuth(image Image) (string, error) {
 		return "", err
 	}

-	registry, err := findBestMatchRegistry(image.opts.Name, registries)
+	registry, err := findBestMatchRegistry(image.Opts.Name, registries)
 	if err != nil {
 		return "", err
 	}
--- a/api/exec/exectest/kubernetes_mocks.go
+++ b/api/exec/exectest/kubernetes_mocks.go
@@ -4,10 +4,12 @@ import (
 	portainer "github.com/portainer/portainer/api"
 )

-type kubernetesMockDeployer struct{}
+type kubernetesMockDeployer struct {
+	portainer.KubernetesDeployer
+}

 // NewKubernetesDeployer creates a mock kubernetes deployer
-func NewKubernetesDeployer() portainer.KubernetesDeployer {
+func NewKubernetesDeployer() *kubernetesMockDeployer {
 	return &kubernetesMockDeployer{}
 }

@@ -18,3 +20,7 @@ func (deployer *kubernetesMockDeployer) Deploy(userID portainer.UserID, endpoint
 func (deployer *kubernetesMockDeployer) Remove(userID portainer.UserID, endpoint *portainer.Endpoint, manifestFiles []string, namespace string) (string, error) {
 	return "", nil
 }
+
+func (deployer *kubernetesMockDeployer) Restart(userID portainer.UserID, endpoint *portainer.Endpoint, manifestFiles []string, namespace string) (string, error) {
+	return "", nil
+}
--- a/api/exec/kubernetes_deploy.go
+++ b/api/exec/kubernetes_deploy.go
@@ -1,13 +1,8 @@
 package exec

 import (
-	"bytes"
+	"context"
 	"fmt"
-	"os"
-	"os/exec"
-	"path"
-	"runtime"
-	"strings"

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
@@ -15,13 +10,17 @@ import (
 	"github.com/portainer/portainer/api/http/proxy/factory"
 	"github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
 	"github.com/portainer/portainer/api/kubernetes/cli"
+	"github.com/portainer/portainer/pkg/libkubectl"

 	"github.com/pkg/errors"
 )

+const (
+	defaultServerURL = "https://kubernetes.default.svc"
+)
+
 // KubernetesDeployer represents a service to deploy resources inside a Kubernetes environment(endpoint).
 type KubernetesDeployer struct {
-	binaryPath                  string
 	dataStore                   dataservices.DataStore
 	reverseTunnelService        portainer.ReverseTunnelService
 	signatureService            portainer.DigitalSignatureService
@@ -31,9 +30,8 @@ type KubernetesDeployer struct {
 }

 // NewKubernetesDeployer initializes a new KubernetesDeployer service.
-func NewKubernetesDeployer(kubernetesTokenCacheManager *kubernetes.TokenCacheManager, kubernetesClientFactory *cli.ClientFactory, datastore dataservices.DataStore, reverseTunnelService portainer.ReverseTunnelService, signatureService portainer.DigitalSignatureService, proxyManager *proxy.Manager, binaryPath string) *KubernetesDeployer {
+func NewKubernetesDeployer(kubernetesTokenCacheManager *kubernetes.TokenCacheManager, kubernetesClientFactory *cli.ClientFactory, datastore dataservices.DataStore, reverseTunnelService portainer.ReverseTunnelService, signatureService portainer.DigitalSignatureService, proxyManager *proxy.Manager) *KubernetesDeployer {
 	return &KubernetesDeployer{
-		binaryPath:                  binaryPath,
 		dataStore:                   datastore,
 		reverseTunnelService:        reverseTunnelService,
 		signatureService:            signatureService,
@@ -78,63 +76,56 @@ func (deployer *KubernetesDeployer) getToken(userID portainer.UserID, endpoint *
 }

 // Deploy upserts Kubernetes resources defined in manifest(s)
-func (deployer *KubernetesDeployer) Deploy(userID portainer.UserID, endpoint *portainer.Endpoint, manifestFiles []string, namespace string) (string, error) {
-	return deployer.command("apply", userID, endpoint, manifestFiles, namespace)
+func (deployer *KubernetesDeployer) Deploy(userID portainer.UserID, endpoint *portainer.Endpoint, resources []string, namespace string) (string, error) {
+	return deployer.command("apply", userID, endpoint, resources, namespace)
 }

 // Remove deletes Kubernetes resources defined in manifest(s)
-func (deployer *KubernetesDeployer) Remove(userID portainer.UserID, endpoint *portainer.Endpoint, manifestFiles []string, namespace string) (string, error) {
-	return deployer.command("delete", userID, endpoint, manifestFiles, namespace)
+func (deployer *KubernetesDeployer) Remove(userID portainer.UserID, endpoint *portainer.Endpoint, resources []string, namespace string) (string, error) {
+	return deployer.command("delete", userID, endpoint, resources, namespace)
 }

-func (deployer *KubernetesDeployer) command(operation string, userID portainer.UserID, endpoint *portainer.Endpoint, manifestFiles []string, namespace string) (string, error) {
+func (deployer *KubernetesDeployer) command(operation string, userID portainer.UserID, endpoint *portainer.Endpoint, resources []string, namespace string) (string, error) {
 	token, err := deployer.getToken(userID, endpoint, endpoint.Type == portainer.KubernetesLocalEnvironment)
 	if err != nil {
 		return "", errors.Wrap(err, "failed generating a user token")
 	}

-	command := path.Join(deployer.binaryPath, "kubectl")
-	if runtime.GOOS == "windows" {
-		command = path.Join(deployer.binaryPath, "kubectl.exe")
-	}
-
-	args := []string{"--token", token}
-	if namespace != "" {
-		args = append(args, "--namespace", namespace)
-	}
-
+	serverURL := defaultServerURL
 	if endpoint.Type == portainer.AgentOnKubernetesEnvironment || endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment {
 		url, proxy, err := deployer.getAgentURL(endpoint)
 		if err != nil {
 			return "", errors.WithMessage(err, "failed generating endpoint URL")
 		}
-
 		defer proxy.Close()
-		args = append(args, "--server", url)
-		args = append(args, "--insecure-skip-tls-verify")
+
+		serverURL = url
 	}

-	if operation == "delete" {
-		args = append(args, "--ignore-not-found=true")
-	}
-
-	args = append(args, operation)
-	for _, path := range manifestFiles {
-		args = append(args, "-f", strings.TrimSpace(path))
-	}
-
-	var stderr bytes.Buffer
-	cmd := exec.Command(command, args...)
-	cmd.Env = os.Environ()
-	cmd.Env = append(cmd.Env, "POD_NAMESPACE=default")
-	cmd.Stderr = &stderr
-
-	output, err := cmd.Output()
+	client, err := libkubectl.NewClient(&libkubectl.ClientAccess{
+		Token:     token,
+		ServerUrl: serverURL,
+	}, namespace, "", true)
 	if err != nil {
-		return "", errors.Wrapf(err, "failed to execute kubectl command: %q", stderr.String())
+		return "", errors.Wrap(err, "failed to create kubectl client")
 	}

-	return string(output), nil
+	operations := map[string]func(context.Context, []string) (string, error){
+		"apply":  client.Apply,
+		"delete": client.Delete,
+	}
+
+	operationFunc, ok := operations[operation]
+	if !ok {
+		return "", errors.Errorf("unsupported operation: %s", operation)
+	}
+
+	output, err := operationFunc(context.Background(), resources)
+	if err != nil {
+		return "", errors.Wrapf(err, "failed to execute kubectl %s command", operation)
+	}
+
+	return output, nil
 }

 func (deployer *KubernetesDeployer) getAgentURL(endpoint *portainer.Endpoint) (string, *factory.ProxyServer, error) {
--- a/api/exec/kubernetes_deploy_test.go
+++ b/api/exec/kubernetes_deploy_test.go
@@ -0,0 +1,173 @@
+package exec
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+type mockKubectlClient struct {
+	applyFunc          func(ctx context.Context, files []string) error
+	deleteFunc         func(ctx context.Context, files []string) error
+	rolloutRestartFunc func(ctx context.Context, resources []string) error
+}
+
+func (m *mockKubectlClient) Apply(ctx context.Context, files []string) error {
+	if m.applyFunc != nil {
+		return m.applyFunc(ctx, files)
+	}
+	return nil
+}
+
+func (m *mockKubectlClient) Delete(ctx context.Context, files []string) error {
+	if m.deleteFunc != nil {
+		return m.deleteFunc(ctx, files)
+	}
+	return nil
+}
+
+func (m *mockKubectlClient) RolloutRestart(ctx context.Context, resources []string) error {
+	if m.rolloutRestartFunc != nil {
+		return m.rolloutRestartFunc(ctx, resources)
+	}
+	return nil
+}
+
+func testExecuteKubectlOperation(client *mockKubectlClient, operation string, manifestFiles []string) error {
+	operations := map[string]func(context.Context, []string) error{
+		"apply":           client.Apply,
+		"delete":          client.Delete,
+		"rollout-restart": client.RolloutRestart,
+	}
+
+	operationFunc, ok := operations[operation]
+	if !ok {
+		return fmt.Errorf("unsupported operation: %s", operation)
+	}
+
+	if err := operationFunc(context.Background(), manifestFiles); err != nil {
+		return fmt.Errorf("failed to execute kubectl %s command: %w", operation, err)
+	}
+
+	return nil
+}
+
+func TestExecuteKubectlOperation_Apply_Success(t *testing.T) {
+	called := false
+	mockClient := &mockKubectlClient{
+		applyFunc: func(ctx context.Context, files []string) error {
+			called = true
+			assert.Equal(t, []string{"manifest1.yaml", "manifest2.yaml"}, files)
+			return nil
+		},
+	}
+
+	manifests := []string{"manifest1.yaml", "manifest2.yaml"}
+	err := testExecuteKubectlOperation(mockClient, "apply", manifests)
+
+	assert.NoError(t, err)
+	assert.True(t, called)
+}
+
+func TestExecuteKubectlOperation_Apply_Error(t *testing.T) {
+	expectedErr := errors.New("kubectl apply failed")
+	called := false
+	mockClient := &mockKubectlClient{
+		applyFunc: func(ctx context.Context, files []string) error {
+			called = true
+			assert.Equal(t, []string{"error.yaml"}, files)
+			return expectedErr
+		},
+	}
+
+	manifests := []string{"error.yaml"}
+	err := testExecuteKubectlOperation(mockClient, "apply", manifests)
+
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), expectedErr.Error())
+	assert.True(t, called)
+}
+
+func TestExecuteKubectlOperation_Delete_Success(t *testing.T) {
+	called := false
+	mockClient := &mockKubectlClient{
+		deleteFunc: func(ctx context.Context, files []string) error {
+			called = true
+			assert.Equal(t, []string{"manifest1.yaml"}, files)
+			return nil
+		},
+	}
+
+	manifests := []string{"manifest1.yaml"}
+	err := testExecuteKubectlOperation(mockClient, "delete", manifests)
+
+	assert.NoError(t, err)
+	assert.True(t, called)
+}
+
+func TestExecuteKubectlOperation_Delete_Error(t *testing.T) {
+	expectedErr := errors.New("kubectl delete failed")
+	called := false
+	mockClient := &mockKubectlClient{
+		deleteFunc: func(ctx context.Context, files []string) error {
+			called = true
+			assert.Equal(t, []string{"error.yaml"}, files)
+			return expectedErr
+		},
+	}
+
+	manifests := []string{"error.yaml"}
+	err := testExecuteKubectlOperation(mockClient, "delete", manifests)
+
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), expectedErr.Error())
+	assert.True(t, called)
+}
+
+func TestExecuteKubectlOperation_RolloutRestart_Success(t *testing.T) {
+	called := false
+	mockClient := &mockKubectlClient{
+		rolloutRestartFunc: func(ctx context.Context, resources []string) error {
+			called = true
+			assert.Equal(t, []string{"deployment/nginx"}, resources)
+			return nil
+		},
+	}
+
+	resources := []string{"deployment/nginx"}
+	err := testExecuteKubectlOperation(mockClient, "rollout-restart", resources)
+
+	assert.NoError(t, err)
+	assert.True(t, called)
+}
+
+func TestExecuteKubectlOperation_RolloutRestart_Error(t *testing.T) {
+	expectedErr := errors.New("kubectl rollout restart failed")
+	called := false
+	mockClient := &mockKubectlClient{
+		rolloutRestartFunc: func(ctx context.Context, resources []string) error {
+			called = true
+			assert.Equal(t, []string{"deployment/error"}, resources)
+			return expectedErr
+		},
+	}
+
+	resources := []string{"deployment/error"}
+	err := testExecuteKubectlOperation(mockClient, "rollout-restart", resources)
+
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), expectedErr.Error())
+	assert.True(t, called)
+}
+
+func TestExecuteKubectlOperation_UnsupportedOperation(t *testing.T) {
+	mockClient := &mockKubectlClient{}
+
+	err := testExecuteKubectlOperation(mockClient, "unsupported", []string{})
+
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "unsupported operation")
+}
--- a/api/exec/swarm_stack.go
+++ b/api/exec/swarm_stack.go
@@ -127,7 +127,7 @@ func (manager *SwarmStackManager) Remove(stack *portainer.Stack, endpoint *porta
 		return err
 	}

-	args = append(args, "stack", "rm", stack.Name)
+	args = append(args, "stack", "rm", "--detach=false", stack.Name)

 	return runCommandAndCaptureStdErr(command, args, nil, "")
 }
--- a/api/filesystem/copy.go
+++ b/api/filesystem/copy.go
@@ -68,7 +68,7 @@ func copyFile(src, dst string) error {
 	defer from.Close()

 	// has to include 'execute' bit, otherwise fails. MkdirAll follows `mkdir -m` restrictions
-	if err := os.MkdirAll(filepath.Dir(dst), 0744); err != nil {
+	if err := os.MkdirAll(filepath.Dir(dst), 0755); err != nil {
 		return err
 	}
 	to, err := os.Create(dst)
--- a/api/filesystem/filesystem.go
+++ b/api/filesystem/filesystem.go
@@ -841,11 +841,11 @@ func (service *Service) GetDefaultSSLCertsPath() (string, string) {
 }

 func defaultMTLSCertPathUnderFileStore() (string, string, string) {
-	certPath := JoinPaths(SSLCertPath, MTLSCertFilename)
 	caCertPath := JoinPaths(SSLCertPath, MTLSCACertFilename)
+	certPath := JoinPaths(SSLCertPath, MTLSCertFilename)
 	keyPath := JoinPaths(SSLCertPath, MTLSKeyFilename)

-	return certPath, caCertPath, keyPath
+	return caCertPath, certPath, keyPath
 }

 // GetDefaultChiselPrivateKeyPath returns the chisle private key path
@@ -1014,26 +1014,45 @@ func CreateFile(path string, r io.Reader) error {
 	return err
 }

-func (service *Service) StoreMTLSCertificates(cert, caCert, key []byte) (string, string, string, error) {
-	certPath, caCertPath, keyPath := defaultMTLSCertPathUnderFileStore()
+func (service *Service) StoreMTLSCertificates(caCert, cert, key []byte) (string, string, string, error) {
+	caCertPath, certPath, keyPath := defaultMTLSCertPathUnderFileStore()

-	r := bytes.NewReader(cert)
-	err := service.createFileInStore(certPath, r)
-	if err != nil {
+	r := bytes.NewReader(caCert)
+	if err := service.createFileInStore(caCertPath, r); err != nil {
 		return "", "", "", err
 	}

-	r = bytes.NewReader(caCert)
-	err = service.createFileInStore(caCertPath, r)
-	if err != nil {
+	r = bytes.NewReader(cert)
+	if err := service.createFileInStore(certPath, r); err != nil {
 		return "", "", "", err
 	}

 	r = bytes.NewReader(key)
-	err = service.createFileInStore(keyPath, r)
-	if err != nil {
+	if err := service.createFileInStore(keyPath, r); err != nil {
 		return "", "", "", err
 	}

-	return service.wrapFileStore(certPath), service.wrapFileStore(caCertPath), service.wrapFileStore(keyPath), nil
+	return service.wrapFileStore(caCertPath), service.wrapFileStore(certPath), service.wrapFileStore(keyPath), nil
+}
+
+func (service *Service) GetMTLSCertificates() (string, string, string, error) {
+	caCertPath, certPath, keyPath := defaultMTLSCertPathUnderFileStore()
+
+	caCertPath = service.wrapFileStore(caCertPath)
+	certPath = service.wrapFileStore(certPath)
+	keyPath = service.wrapFileStore(keyPath)
+
+	paths := [...]string{caCertPath, certPath, keyPath}
+	for _, path := range paths {
+		exists, err := service.FileExists(path)
+		if err != nil {
+			return "", "", "", err
+		}
+
+		if !exists {
+			return "", "", "", fmt.Errorf("file %s does not exist", path)
+		}
+	}
+
+	return caCertPath, certPath, keyPath, nil
 }
--- a/api/filesystem/serialize_per_dev_configs.go
+++ b/api/filesystem/serialize_per_dev_configs.go
@@ -15,15 +15,19 @@ type MultiFilterArgs []struct {
 }

 // MultiFilterDirForPerDevConfigs filers the given dirEntries with multiple filter args, returns the merged entries for the given device
-func MultiFilterDirForPerDevConfigs(dirEntries []DirEntry, configPath string, multiFilterArgs MultiFilterArgs) []DirEntry {
+func MultiFilterDirForPerDevConfigs(dirEntries []DirEntry, configPath string, multiFilterArgs MultiFilterArgs) ([]DirEntry, []string) {
 	var filteredDirEntries []DirEntry

+	var envFiles []string
+
 	for _, multiFilterArg := range multiFilterArgs {
-		tmp := FilterDirForPerDevConfigs(dirEntries, multiFilterArg.FilterKey, configPath, multiFilterArg.FilterType)
+		tmp, efs := FilterDirForPerDevConfigs(dirEntries, multiFilterArg.FilterKey, configPath, multiFilterArg.FilterType)
 		filteredDirEntries = append(filteredDirEntries, tmp...)
+
+		envFiles = append(envFiles, efs...)
 	}

-	return deduplicate(filteredDirEntries)
+	return deduplicate(filteredDirEntries), envFiles
 }

 func deduplicate(dirEntries []DirEntry) []DirEntry {
@@ -32,8 +36,7 @@ func deduplicate(dirEntries []DirEntry) []DirEntry {
 	marks := make(map[string]struct{})

 	for _, dirEntry := range dirEntries {
-		_, ok := marks[dirEntry.Name]
-		if !ok {
+		if _, ok := marks[dirEntry.Name]; !ok {
 			marks[dirEntry.Name] = struct{}{}
 			deduplicatedDirEntries = append(deduplicatedDirEntries, dirEntry)
 		}
@@ -44,34 +47,33 @@ func deduplicate(dirEntries []DirEntry) []DirEntry {

 // FilterDirForPerDevConfigs filers the given dirEntries, returns entries for the given device
 // For given configPath A/B/C, return entries:
-//  1. all entries outside of dir A
-//  2. dir entries A, A/B, A/B/C
-//  3. For filterType file:
+//  1. all entries outside of dir A/B/C
+//  2. For filterType file:
 //     file entries: A/B/C/<deviceName> and A/B/C/<deviceName>.*
-//  4. For filterType dir:
+//  3. For filterType dir:
 //     dir entry:   A/B/C/<deviceName>
 //     all entries: A/B/C/<deviceName>/*
-func FilterDirForPerDevConfigs(dirEntries []DirEntry, deviceName, configPath string, filterType portainer.PerDevConfigsFilterType) []DirEntry {
+func FilterDirForPerDevConfigs(dirEntries []DirEntry, deviceName, configPath string, filterType portainer.PerDevConfigsFilterType) ([]DirEntry, []string) {
 	var filteredDirEntries []DirEntry

+	var envFiles []string
+
 	for _, dirEntry := range dirEntries {
 		if shouldIncludeEntry(dirEntry, deviceName, configPath, filterType) {
 			filteredDirEntries = append(filteredDirEntries, dirEntry)
+
+			if shouldParseEnvVars(dirEntry, deviceName, configPath, filterType) {
+				envFiles = append(envFiles, dirEntry.Name)
+			}
 		}
 	}

-	return filteredDirEntries
+	return filteredDirEntries, envFiles
 }

 func shouldIncludeEntry(dirEntry DirEntry, deviceName, configPath string, filterType portainer.PerDevConfigsFilterType) bool {
-
 	// Include all entries outside of dir A
-	if !isInConfigRootDir(dirEntry, configPath) {
-		return true
-	}
-
-	// Include dir entries A, A/B, A/B/C
-	if isParentDir(dirEntry, configPath) {
+	if !isInConfigDir(dirEntry, configPath) {
 		return true
 	}

@@ -90,21 +92,9 @@ func shouldIncludeEntry(dirEntry DirEntry, deviceName, configPath string, filter
 	return false
 }

-func isInConfigRootDir(dirEntry DirEntry, configPath string) bool {
-	// get the first element of the configPath
-	rootDir := strings.Split(configPath, string(os.PathSeparator))[0]
-
-	// return true if entry name starts with "A/"
-	return strings.HasPrefix(dirEntry.Name, appendTailSeparator(rootDir))
-}
-
-func isParentDir(dirEntry DirEntry, configPath string) bool {
-	if dirEntry.IsFile {
-		return false
-	}
-
-	// return true for dir entries A, A/B, A/B/C
-	return strings.HasPrefix(appendTailSeparator(configPath), appendTailSeparator(dirEntry.Name))
+func isInConfigDir(dirEntry DirEntry, configPath string) bool {
+	// return true if entry name starts with "A/B"
+	return strings.HasPrefix(dirEntry.Name, appendTailSeparator(configPath))
 }

 func shouldIncludeFile(dirEntry DirEntry, deviceName, configPath string) bool {
@@ -138,6 +128,15 @@ func shouldIncludeDir(dirEntry DirEntry, deviceName, configPath string) bool {
 	return strings.HasPrefix(dirEntry.Name, filterPrefix)
 }

+func shouldParseEnvVars(dirEntry DirEntry, deviceName, configPath string, filterType portainer.PerDevConfigsFilterType) bool {
+	if !dirEntry.IsFile {
+		return false
+	}
+
+	return isInConfigDir(dirEntry, configPath) &&
+		filepath.Base(dirEntry.Name) == deviceName+".env"
+}
+
 func appendTailSeparator(path string) string {
 	return fmt.Sprintf("%s%c", path, os.PathSeparator)
 }
--- a/api/filesystem/serialize_per_dev_configs_test.go
+++ b/api/filesystem/serialize_per_dev_configs_test.go
@@ -4,14 +4,17 @@ import (
 	"testing"

 	portainer "github.com/portainer/portainer/api"
+
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestMultiFilterDirForPerDevConfigs(t *testing.T) {
-	type args struct {
-		dirEntries      []DirEntry
-		configPath      string
-		multiFilterArgs MultiFilterArgs
+	f := func(dirEntries []DirEntry, configPath string, multiFilterArgs MultiFilterArgs, wantDirEntries []DirEntry) {
+		t.Helper()
+
+		dirEntries, _ = MultiFilterDirForPerDevConfigs(dirEntries, configPath, multiFilterArgs)
+		require.Equal(t, wantDirEntries, dirEntries)
 	}

 	baseDirEntries := []DirEntry{
@@ -26,67 +29,94 @@ func TestMultiFilterDirForPerDevConfigs(t *testing.T) {
 		{"configs/folder2/config2", "", true, 420},
 	}

-	tests := []struct {
-		name string
-		args args
-		want []DirEntry
-	}{
-		{
-			name: "filter file1",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{{"file1", portainer.PerDevConfigsTypeFile}},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3]},
+	// Filter file1
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{{"file1", portainer.PerDevConfigsTypeFile}},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3]},
+	)
+
+	// Filter folder1
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{{"folder1", portainer.PerDevConfigsTypeDir}},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6]},
+	)
+
+	// Filter file1 and folder1
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{{"folder1", portainer.PerDevConfigsTypeDir}},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6]},
+	)
+
+	// Filter file1 and file2
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{
+			{"file1", portainer.PerDevConfigsTypeFile},
+			{"file2", portainer.PerDevConfigsTypeFile},
 		},
-		{
-			name: "filter folder1",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{{"folder1", portainer.PerDevConfigsTypeDir}},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6]},
-		},
-		{
-			name: "filter file1 and folder1",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{{"folder1", portainer.PerDevConfigsTypeDir}},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6]},
-		},
-		{
-			name: "filter file1 and file2",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{
-					{"file1", portainer.PerDevConfigsTypeFile},
-					{"file2", portainer.PerDevConfigsTypeFile},
-				},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3], baseDirEntries[4]},
-		},
-		{
-			name: "filter folder1 and folder2",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{
-					{"folder1", portainer.PerDevConfigsTypeDir},
-					{"folder2", portainer.PerDevConfigsTypeDir},
-				},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6], baseDirEntries[7], baseDirEntries[8]},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3], baseDirEntries[4]},
+	)
+
+	// Filter folder1 and folder2
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{
+			{"folder1", portainer.PerDevConfigsTypeDir},
+			{"folder2", portainer.PerDevConfigsTypeDir},
 		},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6], baseDirEntries[7], baseDirEntries[8]},
+	)
+}
+
+func TestMultiFilterDirForPerDevConfigsEnvFiles(t *testing.T) {
+	f := func(dirEntries []DirEntry, configPath string, multiFilterArgs MultiFilterArgs, wantEnvFiles []string) {
+		t.Helper()
+
+		_, envFiles := MultiFilterDirForPerDevConfigs(dirEntries, configPath, multiFilterArgs)
+		require.Equal(t, wantEnvFiles, envFiles)
 	}

-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			assert.Equalf(t, tt.want, MultiFilterDirForPerDevConfigs(tt.args.dirEntries, tt.args.configPath, tt.args.multiFilterArgs), "MultiFilterDirForPerDevConfigs(%v, %v, %v)", tt.args.dirEntries, tt.args.configPath, tt.args.multiFilterArgs)
-		})
+	baseDirEntries := []DirEntry{
+		{".env", "", true, 420},
+		{"docker-compose.yaml", "", true, 420},
+		{"configs", "", false, 420},
+		{"configs/edge-id/edge-id.env", "", true, 420},
 	}
+
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{{"edge-id", portainer.PerDevConfigsTypeDir}},
+		[]string{"configs/edge-id/edge-id.env"},
+	)
+
+}
+
+func TestIsInConfigDir(t *testing.T) {
+	f := func(dirEntry DirEntry, configPath string, expect bool) {
+		t.Helper()
+
+		actual := isInConfigDir(dirEntry, configPath)
+		assert.Equal(t, expect, actual)
+	}
+
+	f(DirEntry{Name: "edge-configs"}, "edge-configs", false)
+	f(DirEntry{Name: "edge-configs_backup"}, "edge-configs", false)
+	f(DirEntry{Name: "edge-configs/standalone-edge-agent-standard"}, "edge-configs", true)
+	f(DirEntry{Name: "parent/edge-configs/"}, "edge-configs", false)
+	f(DirEntry{Name: "edgestacktest"}, "edgestacktest/edge-configs", false)
+	f(DirEntry{Name: "edgestacktest/edgeconfigs-test.yaml"}, "edgestacktest/edge-configs", false)
+	f(DirEntry{Name: "edgestacktest/file1.conf"}, "edgestacktest/edge-configs", false)
+	f(DirEntry{Name: "edgeconfigs-test.yaml"}, "edgestacktest/edge-configs", false)
+	f(DirEntry{Name: "edgestacktest/edge-configs"}, "edgestacktest/edge-configs", false)
+	f(DirEntry{Name: "edgestacktest/edge-configs/standalone-edge-agent-async"}, "edgestacktest/edge-configs", true)
+	f(DirEntry{Name: "edgestacktest/edge-configs/abc.txt"}, "edgestacktest/edge-configs", true)
 }
--- a/api/git/update/validate.go
+++ b/api/git/update/validate.go
@@ -3,9 +3,9 @@ package update
 import (
 	"time"

-	"github.com/asaskevich/govalidator"
 	portainer "github.com/portainer/portainer/api"
 	httperrors "github.com/portainer/portainer/api/http/errors"
+	"github.com/portainer/portainer/pkg/validate"
 )

 func ValidateAutoUpdateSettings(autoUpdate *portainer.AutoUpdateSettings) error {
@@ -17,7 +17,7 @@ func ValidateAutoUpdateSettings(autoUpdate *portainer.AutoUpdateSettings) error
 		return httperrors.NewInvalidPayloadError("Webhook or Interval must be provided")
 	}

-	if autoUpdate.Webhook != "" && !govalidator.IsUUID(autoUpdate.Webhook) {
+	if autoUpdate.Webhook != "" && !validate.IsUUID(autoUpdate.Webhook) {
 		return httperrors.NewInvalidPayloadError("invalid Webhook format")
 	}

--- a/api/git/validate.go
+++ b/api/git/validate.go
@@ -1,19 +1,17 @@
 package git

 import (
-	"github.com/asaskevich/govalidator"
-
 	gittypes "github.com/portainer/portainer/api/git/types"
 	httperrors "github.com/portainer/portainer/api/http/errors"
+	"github.com/portainer/portainer/pkg/validate"
 )

 func ValidateRepoConfig(repoConfig *gittypes.RepoConfig) error {
-	if len(repoConfig.URL) == 0 || !govalidator.IsURL(repoConfig.URL) {
+	if len(repoConfig.URL) == 0 || !validate.IsURL(repoConfig.URL) {
 		return httperrors.NewInvalidPayloadError("Invalid repository URL. Must correspond to a valid URL format")
 	}

 	return ValidateRepoAuthentication(repoConfig.Authentication)
-
 }

 func ValidateRepoAuthentication(auth *gittypes.GitAuthentication) error {
--- a/api/http/handler/customtemplates/customtemplate_create.go
+++ b/api/http/handler/customtemplates/customtemplate_create.go
@@ -16,8 +16,8 @@ import (
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
+	"github.com/portainer/portainer/pkg/validate"

-	"github.com/asaskevich/govalidator"
 	"github.com/rs/zerolog/log"
 	"github.com/segmentio/encoding/json"
 )
@@ -228,7 +228,7 @@ func (payload *customTemplateFromGitRepositoryPayload) Validate(r *http.Request)
 	if len(payload.Description) == 0 {
 		return errors.New("Invalid custom template description")
 	}
-	if len(payload.RepositoryURL) == 0 || !govalidator.IsURL(payload.RepositoryURL) {
+	if len(payload.RepositoryURL) == 0 || !validate.IsURL(payload.RepositoryURL) {
 		return errors.New("Invalid repository URL. Must correspond to a valid URL format")
 	}
 	if payload.RepositoryAuthentication && (len(payload.RepositoryUsername) == 0 || len(payload.RepositoryPassword) == 0) {
@@ -482,28 +482,3 @@ func (handler *Handler) createCustomTemplateFromFileUpload(r *http.Request) (*po

 	return customTemplate, nil
 }
-
-// @id CustomTemplateCreate
-// @summary Create a custom template
-// @description Create a custom template.
-// @description **Access policy**: authenticated
-// @tags custom_templates
-// @security ApiKeyAuth
-// @security jwt
-// @accept json,multipart/form-data
-// @produce json
-// @param method query string true "method for creating template" Enums(string, file, repository)
-// @param body body object true "for body documentation see the relevant /custom_templates/{method} endpoint"
-// @success 200 {object} portainer.CustomTemplate
-// @failure 400 "Invalid request"
-// @failure 500 "Server error"
-// @deprecated
-// @router /custom_templates [post]
-func deprecatedCustomTemplateCreateUrlParser(w http.ResponseWriter, r *http.Request) (string, *httperror.HandlerError) {
-	method, err := request.RetrieveQueryParameter(r, "method", false)
-	if err != nil {
-		return "", httperror.BadRequest("Invalid query parameter: method", err)
-	}
-
-	return "/custom_templates/create/" + method, nil
-}
--- a/api/http/handler/customtemplates/customtemplate_update.go
+++ b/api/http/handler/customtemplates/customtemplate_update.go
@@ -15,8 +15,7 @@ import (
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
-
-	"github.com/asaskevich/govalidator"
+	"github.com/portainer/portainer/pkg/validate"
 )

 type customTemplateUpdatePayload struct {
@@ -170,7 +169,7 @@ func (handler *Handler) customTemplateUpdate(w http.ResponseWriter, r *http.Requ
 	customTemplate.EdgeTemplate = payload.EdgeTemplate

 	if payload.RepositoryURL != "" {
-		if !govalidator.IsURL(payload.RepositoryURL) {
+		if !validate.IsURL(payload.RepositoryURL) {
 			return httperror.BadRequest("Invalid repository URL. Must correspond to a valid URL format", err)
 		}

--- a/api/http/handler/customtemplates/handler.go
+++ b/api/http/handler/customtemplates/handler.go
@@ -7,7 +7,6 @@ import (
 	"github.com/gorilla/mux"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/http/middlewares"
 	"github.com/portainer/portainer/api/http/security"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 )
@@ -33,7 +32,6 @@ func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStor

 	h.Handle("/custom_templates/create/{method}",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.customTemplateCreate))).Methods(http.MethodPost)
-	h.Handle("/custom_templates", middlewares.Deprecated(h, deprecatedCustomTemplateCreateUrlParser)).Methods(http.MethodPost) // Deprecated
 	h.Handle("/custom_templates",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.customTemplateList))).Methods(http.MethodGet)
 	h.Handle("/custom_templates/{id}",
--- a/api/http/handler/docker/images/images_list.go
+++ b/api/http/handler/docker/images/images_list.go
@@ -1,10 +1,11 @@
 package images

 import (
+	"context"
+	"fmt"
 	"net/http"
 	"strings"

-	"github.com/portainer/portainer/api/docker/client"
 	"github.com/portainer/portainer/api/http/handler/docker/utils"
 	"github.com/portainer/portainer/api/set"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
@@ -46,17 +47,16 @@ func (handler *Handler) imagesList(w http.ResponseWriter, r *http.Request) *http
 		return httpErr
 	}

-	images, err := cli.ImageList(r.Context(), image.ListOptions{})
+	nodeNames := make(map[string]string)
+
+	// Pass the node names map to the context so the custom NodeNameTransport can use it
+	ctx := context.WithValue(r.Context(), "nodeNames", nodeNames)
+
+	images, err := cli.ImageList(ctx, image.ListOptions{})
 	if err != nil {
 		return httperror.InternalServerError("Unable to retrieve Docker images", err)
 	}

-	// Extract the node name from the custom transport
-	nodeNames := make(map[string]string)
-	if t, ok := cli.HTTPClient().Transport.(*client.NodeNameTransport); ok {
-		nodeNames = t.NodeNames()
-	}
-
 	withUsage, err := request.RetrieveBooleanQueryParameter(r, "withUsage", true)
 	if err != nil {
 		return httperror.BadRequest("Invalid query parameter: withUsage", err)
@@ -85,8 +85,12 @@ func (handler *Handler) imagesList(w http.ResponseWriter, r *http.Request) *http
 		}

 		imagesList[i] = ImageResponse{
-			Created:  image.Created,
-			NodeName: nodeNames[image.ID],
+			Created: image.Created,
+			// Only works if the order of `images` is not changed between unmarshaling the agent's response
+			// in NodeNameTransport.RoundTrip()  (api/docker/client/client.go)
+			// and docker's cli.ImageList()
+			// As both functions unmarshal the same response body, the resulting array will be ordered the same way.
+			NodeName: nodeNames[fmt.Sprintf("%s-%d", image.ID, i)],
 			ID:       image.ID,
 			Size:     image.Size,
 			Tags:     image.RepoTags,
--- a/api/http/handler/edgegroups/edgegroup_update.go
+++ b/api/http/handler/edgegroups/edgegroup_update.go
@@ -24,10 +24,6 @@ type edgeGroupUpdatePayload struct {
 }

 func (payload *edgeGroupUpdatePayload) Validate(r *http.Request) error {
-	if len(payload.Name) == 0 {
-		return errors.New("invalid Edge group name")
-	}
-
 	if payload.Dynamic && len(payload.TagIDs) == 0 {
 		return errors.New("tagIDs is mandatory for a dynamic Edge group")
 	}
@@ -35,7 +31,7 @@ func (payload *edgeGroupUpdatePayload) Validate(r *http.Request) error {
 	return nil
 }

-// @id EgeGroupUpdate
+// @id EdgeGroupUpdate
 // @summary Updates an EdgeGroup
 // @description **Access policy**: administrator
 // @tags edge_groups
@@ -167,7 +163,7 @@ func (handler *Handler) edgeGroupUpdate(w http.ResponseWriter, r *http.Request)

 func (handler *Handler) updateEndpointStacks(tx dataservices.DataStoreTx, endpoint *portainer.Endpoint, edgeGroups []portainer.EdgeGroup, edgeStacks []portainer.EdgeStack) error {
 	relation, err := tx.EndpointRelation().EndpointRelation(endpoint.ID)
-	if err != nil {
+	if err != nil && !handler.DataStore.IsErrObjectNotFound(err) {
 		return err
 	}

@@ -183,6 +179,12 @@ func (handler *Handler) updateEndpointStacks(tx dataservices.DataStoreTx, endpoi
 		edgeStackSet[edgeStackID] = true
 	}

+	if relation == nil {
+		relation = &portainer.EndpointRelation{
+			EndpointID: endpoint.ID,
+			EdgeStacks: make(map[portainer.EdgeStackID]bool),
+		}
+	}
 	relation.EdgeStacks = edgeStackSet

 	return tx.EndpointRelation().UpdateEndpointRelation(endpoint.ID, relation)
--- a/api/http/handler/edgejobs/edgejob_create.go
+++ b/api/http/handler/edgejobs/edgejob_create.go
@@ -15,8 +15,7 @@ import (
 	"github.com/portainer/portainer/api/internal/endpointutils"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
-
-	"github.com/asaskevich/govalidator"
+	"github.com/portainer/portainer/pkg/validate"
 )

 type edgeJobBasePayload struct {
@@ -53,7 +52,7 @@ func (payload *edgeJobCreateFromFileContentPayload) Validate(r *http.Request) er
 		return errors.New("invalid Edge job name")
 	}

-	if !govalidator.Matches(payload.Name, `^[a-zA-Z0-9][a-zA-Z0-9_.-]*$`) {
+	if !validate.Matches(payload.Name, `^[a-zA-Z0-9][a-zA-Z0-9_.-]*$`) {
 		return errors.New("invalid Edge job name format. Allowed characters are: [a-zA-Z0-9_.-]")
 	}

@@ -136,7 +135,7 @@ func (payload *edgeJobCreateFromFilePayload) Validate(r *http.Request) error {
 		return errors.New("invalid Edge job name")
 	}

-	if !govalidator.Matches(name, `^[a-zA-Z0-9][a-zA-Z0-9_.-]+$`) {
+	if !validate.Matches(name, `^[a-zA-Z0-9][a-zA-Z0-9_.-]+$`) {
 		return errors.New("invalid Edge job name format. Allowed characters are: [a-zA-Z0-9_.-]")
 	}
 	payload.Name = name
@@ -271,26 +270,3 @@ func (handler *Handler) addAndPersistEdgeJob(tx dataservices.DataStoreTx, edgeJo

 	return tx.EdgeJob().CreateWithID(edgeJob.ID, edgeJob)
 }
-
-// @id EdgeJobCreate
-// @summary Create an EdgeJob
-// @description **Access policy**: administrator
-// @tags edge_jobs
-// @security ApiKeyAuth
-// @security jwt
-// @produce json
-// @param method query string true "Creation Method" Enums(file, string)
-// @param body body object true "for body documentation see the relevant /edge_jobs/create/{method} endpoint"
-// @success 200 {object} portainer.EdgeGroup
-// @failure 503 "Edge compute features are disabled"
-// @failure 500
-// @deprecated
-// @router /edge_jobs [post]
-func deprecatedEdgeJobCreateUrlParser(w http.ResponseWriter, r *http.Request) (string, *httperror.HandlerError) {
-	method, err := request.RetrieveQueryParameter(r, "method", false)
-	if err != nil {
-		return "", httperror.BadRequest("Invalid query parameter: method. Valid values are: file or string", err)
-	}
-
-	return "/edge_jobs/create/" + method, nil
-}
--- a/api/http/handler/edgejobs/edgejob_update.go
+++ b/api/http/handler/edgejobs/edgejob_update.go
@@ -14,8 +14,7 @@ import (
 	"github.com/portainer/portainer/api/internal/endpointutils"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
-
-	"github.com/asaskevich/govalidator"
+	"github.com/portainer/portainer/pkg/validate"
 )

 type edgeJobUpdatePayload struct {
@@ -28,7 +27,7 @@ type edgeJobUpdatePayload struct {
 }

 func (payload *edgeJobUpdatePayload) Validate(r *http.Request) error {
-	if payload.Name != nil && !govalidator.Matches(*payload.Name, `^[a-zA-Z0-9][a-zA-Z0-9_.-]+$`) {
+	if payload.Name != nil && !validate.Matches(*payload.Name, `^[a-zA-Z0-9][a-zA-Z0-9_.-]+$`) {
 		return errors.New("invalid Edge job name format. Allowed characters are: [a-zA-Z0-9_.-]")
 	}

--- a/api/http/handler/edgejobs/handler.go
+++ b/api/http/handler/edgejobs/handler.go
@@ -6,7 +6,6 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/http/middlewares"
 	"github.com/portainer/portainer/api/http/security"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/response"
@@ -30,8 +29,6 @@ func NewHandler(bouncer security.BouncerService) *Handler {

 	h.Handle("/edge_jobs",
 		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeJobList)))).Methods(http.MethodGet)
-	h.Handle("/edge_jobs",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(middlewares.Deprecated(h, deprecatedEdgeJobCreateUrlParser)))).Methods(http.MethodPost)
 	h.Handle("/edge_jobs/create/{method}",
 		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeJobCreate)))).Methods(http.MethodPost)
 	h.Handle("/edge_jobs/{id}",
--- a/api/http/handler/edgestacks/edgestack_create.go
+++ b/api/http/handler/edgestacks/edgestack_create.go
@@ -55,26 +55,3 @@ func (handler *Handler) createSwarmStack(tx dataservices.DataStoreTx, method str

 	return nil, httperrors.NewInvalidPayloadError("Invalid value for query parameter: method. Value must be one of: string, repository or file")
 }
-
-// @id EdgeStackCreate
-// @summary Create an EdgeStack
-// @description **Access policy**: administrator
-// @tags edge_stacks
-// @security ApiKeyAuth
-// @security jwt
-// @produce json
-// @param method query string true "Creation Method" Enums(file,string,repository)
-// @param body body object true "for body documentation see the relevant /edge_stacks/create/{method} endpoint"
-// @success 200 {object} portainer.EdgeStack
-// @failure 500
-// @failure 503 "Edge compute features are disabled"
-// @deprecated
-// @router /edge_stacks [post]
-func deprecatedEdgeStackCreateUrlParser(w http.ResponseWriter, r *http.Request) (string, *httperror.HandlerError) {
-	method, err := request.RetrieveQueryParameter(r, "method", false)
-	if err != nil {
-		return "", httperror.BadRequest("Invalid query parameter: method. Valid values are: file or string", err)
-	}
-
-	return "/edge_stacks/create/" + method, nil
-}
--- a/api/http/handler/edgestacks/edgestack_create_git.go
+++ b/api/http/handler/edgestacks/edgestack_create_git.go
@@ -11,8 +11,8 @@ import (
 	httperrors "github.com/portainer/portainer/api/http/errors"
 	"github.com/portainer/portainer/pkg/edge"
 	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/validate"

-	"github.com/asaskevich/govalidator"
 	"github.com/pkg/errors"
 )

@@ -59,7 +59,7 @@ func (payload *edgeStackFromGitRepositoryPayload) Validate(r *http.Request) erro
 		return httperrors.NewInvalidPayloadError("Invalid stack name. Stack name must only consist of lowercase alpha characters, numbers, hyphens, or underscores as well as start with a lowercase character or number")
 	}

-	if len(payload.RepositoryURL) == 0 || !govalidator.IsURL(payload.RepositoryURL) {
+	if len(payload.RepositoryURL) == 0 || !validate.IsURL(payload.RepositoryURL) {
 		return httperrors.NewInvalidPayloadError("Invalid repository URL. Must correspond to a valid URL format")
 	}

--- a/api/http/handler/edgestacks/edgestack_delete.go
+++ b/api/http/handler/edgestacks/edgestack_delete.go
@@ -3,6 +3,7 @@ package edgestacks
 import (
 	"errors"
 	"net/http"
+	"strconv"

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
@@ -52,10 +53,14 @@ func (handler *Handler) deleteEdgeStack(tx dataservices.DataStoreTx, edgeStackID
 		return httperror.InternalServerError("Unable to find an edge stack with the specified identifier inside the database", err)
 	}

-	err = handler.edgeStacksService.DeleteEdgeStack(tx, edgeStack.ID, edgeStack.EdgeGroups)
-	if err != nil {
+	if err := handler.edgeStacksService.DeleteEdgeStack(tx, edgeStack.ID, edgeStack.EdgeGroups); err != nil {
 		return httperror.InternalServerError("Unable to delete edge stack", err)
 	}

+	stackFolder := handler.FileService.GetEdgeStackProjectPath(strconv.Itoa(int(edgeStack.ID)))
+	if err := handler.FileService.RemoveDirectory(stackFolder); err != nil {
+		return httperror.InternalServerError("Unable to remove edge stack project folder", err)
+	}
+
 	return nil
 }
--- a/api/http/handler/edgestacks/edgestack_delete_test.go
+++ b/api/http/handler/edgestacks/edgestack_delete_test.go
@@ -1,12 +1,14 @@
 package edgestacks

 import (
+	"bytes"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"testing"

 	portainer "github.com/portainer/portainer/api"
+	"github.com/stretchr/testify/assert"

 	"github.com/segmentio/encoding/json"
 )
@@ -101,3 +103,52 @@ func TestDeleteInvalidEdgeStack(t *testing.T) {
 		})
 	}
 }
+
+func TestDeleteEdgeStack_RemoveProjectFolder(t *testing.T) {
+	handler, rawAPIKey := setupHandler(t)
+
+	edgeGroup := createEdgeGroup(t, handler.DataStore)
+
+	payload := edgeStackFromStringPayload{
+		Name:             "test-stack",
+		DeploymentType:   portainer.EdgeStackDeploymentCompose,
+		EdgeGroups:       []portainer.EdgeGroupID{edgeGroup.ID},
+		StackFileContent: "version: '3.7'\nservices:\n  test:\n    image: test",
+	}
+
+	var buf bytes.Buffer
+	if err := json.NewEncoder(&buf).Encode(payload); err != nil {
+		t.Fatal("error encoding payload:", err)
+	}
+
+	// Create
+	req, err := http.NewRequest(http.MethodPost, "/edge_stacks/create/string", &buf)
+	if err != nil {
+		t.Fatal("request error:", err)
+	}
+
+	req.Header.Add("x-api-key", rawAPIKey)
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("expected a %d response, found: %d", http.StatusNoContent, rec.Code)
+	}
+
+	assert.DirExists(t, handler.FileService.GetEdgeStackProjectPath("1"))
+
+	// Delete
+	if req, err = http.NewRequest(http.MethodDelete, "/edge_stacks/1", nil); err != nil {
+		t.Fatal("request error:", err)
+	}
+
+	req.Header.Add("x-api-key", rawAPIKey)
+	rec = httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusNoContent {
+		t.Fatalf("expected a %d response, found: %d", http.StatusNoContent, rec.Code)
+	}
+
+	assert.NoDirExists(t, handler.FileService.GetEdgeStackProjectPath("1"))
+}
--- a/api/http/handler/edgestacks/edgestack_file.go
+++ b/api/http/handler/edgestacks/edgestack_file.go
@@ -34,7 +34,7 @@ func (handler *Handler) edgeStackFile(w http.ResponseWriter, r *http.Request) *h

 	stack, err := handler.DataStore.EdgeStack().EdgeStack(portainer.EdgeStackID(stackID))
 	if err != nil {
-		return handler.handlerDBErr(err, "Unable to find an edge stack with the specified identifier inside the database")
+		return handlerDBErr(err, "Unable to find an edge stack with the specified identifier inside the database")
 	}

 	fileName := stack.EntryPoint
--- a/api/http/handler/edgestacks/edgestack_inspect.go
+++ b/api/http/handler/edgestacks/edgestack_inspect.go
@@ -30,7 +30,7 @@ func (handler *Handler) edgeStackInspect(w http.ResponseWriter, r *http.Request)

 	edgeStack, err := handler.DataStore.EdgeStack().EdgeStack(portainer.EdgeStackID(edgeStackID))
 	if err != nil {
-		return handler.handlerDBErr(err, "Unable to find an edge stack with the specified identifier inside the database")
+		return handlerDBErr(err, "Unable to find an edge stack with the specified identifier inside the database")
 	}

 	return response.JSON(w, edgeStack)
--- a/api/http/handler/edgestacks/edgestack_status_delete.go
+++ b/api/http/handler/edgestacks/edgestack_status_delete.go
@@ -1,87 +0,0 @@
-package edgestacks
-
-import (
-	"errors"
-	"net/http"
-	"time"
-
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/http/middlewares"
-	httperror "github.com/portainer/portainer/pkg/libhttp/error"
-	"github.com/portainer/portainer/pkg/libhttp/request"
-	"github.com/portainer/portainer/pkg/libhttp/response"
-)
-
-// @id EdgeStackStatusDelete
-// @summary Delete an EdgeStack status
-// @description Authorized only if the request is done by an Edge Environment(Endpoint)
-// @tags edge_stacks
-// @produce json
-// @param id path int true "EdgeStack Id"
-// @param environmentId path int true "Environment identifier"
-// @success 200 {object} portainer.EdgeStack
-// @failure 500
-// @failure 400
-// @failure 404
-// @failure 403
-// @deprecated
-// @router /edge_stacks/{id}/status/{environmentId} [delete]
-func (handler *Handler) edgeStackStatusDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	stackID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return httperror.BadRequest("Invalid stack identifier route variable", err)
-	}
-
-	endpoint, err := middlewares.FetchEndpoint(r)
-	if err != nil {
-		return httperror.InternalServerError("Unable to retrieve a valid endpoint from the handler context", err)
-	}
-
-	err = handler.requestBouncer.AuthorizedEdgeEndpointOperation(r, endpoint)
-	if err != nil {
-		return httperror.Forbidden("Permission denied to access environment", err)
-	}
-
-	var stack *portainer.EdgeStack
-	err = handler.DataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
-		stack, err = handler.deleteEdgeStackStatus(tx, portainer.EdgeStackID(stackID), endpoint)
-		return err
-	})
-	if err != nil {
-		var httpErr *httperror.HandlerError
-		if errors.As(err, &httpErr) {
-			return httpErr
-		}
-
-		return httperror.InternalServerError("Unexpected error", err)
-	}
-
-	return response.JSON(w, stack)
-}
-
-func (handler *Handler) deleteEdgeStackStatus(tx dataservices.DataStoreTx, stackID portainer.EdgeStackID, endpoint *portainer.Endpoint) (*portainer.EdgeStack, error) {
-	stack, err := tx.EdgeStack().EdgeStack(stackID)
-	if err != nil {
-		return nil, handler.handlerDBErr(err, "Unable to find a stack with the specified identifier inside the database")
-	}
-
-	environmentStatus, ok := stack.Status[endpoint.ID]
-	if !ok {
-		environmentStatus = portainer.EdgeStackStatus{}
-	}
-
-	environmentStatus.Status = append(environmentStatus.Status, portainer.EdgeStackDeploymentStatus{
-		Time: time.Now().Unix(),
-		Type: portainer.EdgeStackStatusRemoved,
-	})
-
-	stack.Status[endpoint.ID] = environmentStatus
-
-	err = tx.EdgeStack().UpdateEdgeStack(stack.ID, stack)
-	if err != nil {
-		return nil, httperror.InternalServerError("Unable to persist the stack changes inside the database", err)
-	}
-
-	return stack, nil
-}
--- a/api/http/handler/edgestacks/edgestack_status_delete_test.go
+++ b/api/http/handler/edgestacks/edgestack_status_delete_test.go
@@ -1,30 +0,0 @@
-package edgestacks
-
-import (
-	"fmt"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	portainer "github.com/portainer/portainer/api"
-)
-
-func TestDeleteStatus(t *testing.T) {
-	handler, _ := setupHandler(t)
-
-	endpoint := createEndpoint(t, handler.DataStore)
-	edgeStack := createEdgeStack(t, handler.DataStore, endpoint.ID)
-
-	req, err := http.NewRequest(http.MethodDelete, fmt.Sprintf("/edge_stacks/%d/status/%d", edgeStack.ID, endpoint.ID), nil)
-	if err != nil {
-		t.Fatal("request error:", err)
-	}
-
-	req.Header.Set(portainer.PortainerAgentEdgeIDHeader, endpoint.EdgeID)
-	rec := httptest.NewRecorder()
-	handler.ServeHTTP(rec, req)
-
-	if rec.Code != http.StatusOK {
-		t.Fatalf("expected a %d response, found: %d", http.StatusOK, rec.Code)
-	}
-}
--- a/api/http/handler/edgestacks/edgestack_status_update.go
+++ b/api/http/handler/edgestacks/edgestack_status_update.go
@@ -4,11 +4,11 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"slices"
 	"strconv"
 	"time"

 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/dataservices"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
@@ -69,15 +69,21 @@ func (handler *Handler) edgeStackStatusUpdate(w http.ResponseWriter, r *http.Req
 		return httperror.BadRequest("Invalid request payload", fmt.Errorf("edge polling error: %w. Environment ID: %d", err, payload.EndpointID))
 	}

-	var stack *portainer.EdgeStack
-	if err := handler.DataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
-		if r.Context().Err() != nil {
-			return err
-		}
+	endpoint, err := handler.DataStore.Endpoint().Endpoint(payload.EndpointID)
+	if err != nil {
+		return handlerDBErr(fmt.Errorf("unable to find the environment from the database: %w. Environment ID: %d", err, payload.EndpointID), "unable to find the environment")
+	}

-		stack, err = handler.updateEdgeStackStatus(tx, r, portainer.EdgeStackID(stackID), payload)
-		return err
-	}); err != nil {
+	if err := handler.requestBouncer.AuthorizedEdgeEndpointOperation(r, endpoint); err != nil {
+		return httperror.Forbidden("Permission denied to access environment", fmt.Errorf("unauthorized edge endpoint operation: %w. Environment name: %s", err, endpoint.Name))
+	}
+
+	updateFn := func(stack *portainer.EdgeStack) (*portainer.EdgeStack, error) {
+		return handler.updateEdgeStackStatus(stack, stack.ID, payload)
+	}
+
+	stack, err := handler.stackCoordinator.UpdateStatus(r, portainer.EdgeStackID(stackID), updateFn)
+	if err != nil {
 		var httpErr *httperror.HandlerError
 		if errors.As(err, &httpErr) {
 			return httpErr
@@ -93,36 +99,11 @@ func (handler *Handler) edgeStackStatusUpdate(w http.ResponseWriter, r *http.Req
 	return response.JSON(w, stack)
 }

-func (handler *Handler) updateEdgeStackStatus(tx dataservices.DataStoreTx, r *http.Request, stackID portainer.EdgeStackID, payload updateStatusPayload) (*portainer.EdgeStack, error) {
-	stack, err := tx.EdgeStack().EdgeStack(stackID)
-	if err != nil {
-		if dataservices.IsErrObjectNotFound(err) {
-			// Skip error because agent tries to report on deleted stack
-			log.Debug().
-				Err(err).
-				Int("stackID", int(stackID)).
-				Int("status", int(*payload.Status)).
-				Msg("Unable to find a stack inside the database, skipping error")
-
-			return nil, nil
-		}
-
-		return nil, fmt.Errorf("unable to retrieve Edge stack from the database: %w. Environment ID: %d", err, payload.EndpointID)
-	}
-
+func (handler *Handler) updateEdgeStackStatus(stack *portainer.EdgeStack, stackID portainer.EdgeStackID, payload updateStatusPayload) (*portainer.EdgeStack, error) {
 	if payload.Version > 0 && payload.Version < stack.Version {
 		return stack, nil
 	}

-	endpoint, err := tx.Endpoint().Endpoint(payload.EndpointID)
-	if err != nil {
-		return nil, handler.handlerDBErr(fmt.Errorf("unable to find the environment from the database: %w. Environment ID: %d", err, payload.EndpointID), "unable to find the environment")
-	}
-
-	if err := handler.requestBouncer.AuthorizedEdgeEndpointOperation(r, endpoint); err != nil {
-		return nil, httperror.Forbidden("Permission denied to access environment", fmt.Errorf("unauthorized edge endpoint operation: %w. Environment name: %s", err, endpoint.Name))
-	}
-
 	status := *payload.Status

 	log.Debug().
@@ -138,10 +119,6 @@ func (handler *Handler) updateEdgeStackStatus(tx dataservices.DataStoreTx, r *ht

 	updateEnvStatus(payload.EndpointID, stack, deploymentStatus)

-	if err := tx.EdgeStack().UpdateEdgeStack(stackID, stack); err != nil {
-		return nil, handler.handlerDBErr(fmt.Errorf("unable to update Edge stack to the database: %w. Environment name: %s", err, endpoint.Name), "unable to update Edge stack")
-	}
-
 	return stack, nil
 }

@@ -160,7 +137,11 @@ func updateEnvStatus(environmentId portainer.EndpointID, stack *portainer.EdgeSt
 		}
 	}

-	environmentStatus.Status = append(environmentStatus.Status, deploymentStatus)
+	if containsStatus := slices.ContainsFunc(environmentStatus.Status, func(e portainer.EdgeStackDeploymentStatus) bool {
+		return e.Type == deploymentStatus.Type
+	}); !containsStatus {
+		environmentStatus.Status = append(environmentStatus.Status, deploymentStatus)
+	}

 	stack.Status[environmentId] = environmentStatus
 }
--- a/api/http/handler/edgestacks/edgestack_status_update_coordinator.go
+++ b/api/http/handler/edgestacks/edgestack_status_update_coordinator.go
@@ -0,0 +1,155 @@
+package edgestacks
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+
+	"github.com/rs/zerolog/log"
+)
+
+type statusRequest struct {
+	respCh   chan statusResponse
+	stackID  portainer.EdgeStackID
+	updateFn statusUpdateFn
+}
+
+type statusResponse struct {
+	Stack *portainer.EdgeStack
+	Error error
+}
+
+type statusUpdateFn func(*portainer.EdgeStack) (*portainer.EdgeStack, error)
+
+type EdgeStackStatusUpdateCoordinator struct {
+	updateCh  chan statusRequest
+	dataStore dataservices.DataStore
+}
+
+var errAnotherStackUpdateInProgress = errors.New("another stack update is in progress")
+
+func NewEdgeStackStatusUpdateCoordinator(dataStore dataservices.DataStore) *EdgeStackStatusUpdateCoordinator {
+	return &EdgeStackStatusUpdateCoordinator{
+		updateCh:  make(chan statusRequest),
+		dataStore: dataStore,
+	}
+}
+
+func (c *EdgeStackStatusUpdateCoordinator) Start() {
+	for {
+		c.loop()
+	}
+}
+
+func (c *EdgeStackStatusUpdateCoordinator) loop() {
+	u := <-c.updateCh
+
+	respChs := []chan statusResponse{u.respCh}
+
+	var stack *portainer.EdgeStack
+
+	err := c.dataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		// 1. Load the edge stack
+		var err error
+
+		stack, err = loadEdgeStack(tx, u.stackID)
+		if err != nil {
+			return err
+		}
+
+		// Return early when the agent tries to update the status on a deleted stack
+		if stack == nil {
+			return nil
+		}
+
+		// 2. Mutate the edge stack opportunistically until there are no more pending updates
+		for {
+			stack, err = u.updateFn(stack)
+			if err != nil {
+				return err
+			}
+
+			if m, ok := c.getNextUpdate(stack.ID); ok {
+				u = m
+			} else {
+				break
+			}
+
+			respChs = append(respChs, u.respCh)
+		}
+
+		// 3. Save the changes back to the database
+		if err := tx.EdgeStack().UpdateEdgeStack(stack.ID, stack); err != nil {
+			return handlerDBErr(fmt.Errorf("unable to update Edge stack: %w.", err), "Unable to persist the stack changes inside the database")
+		}
+
+		return nil
+	})
+
+	// 4. Send back the responses
+	for _, ch := range respChs {
+		ch <- statusResponse{Stack: stack, Error: err}
+	}
+}
+
+func loadEdgeStack(tx dataservices.DataStoreTx, stackID portainer.EdgeStackID) (*portainer.EdgeStack, error) {
+	stack, err := tx.EdgeStack().EdgeStack(stackID)
+	if err != nil {
+		if dataservices.IsErrObjectNotFound(err) {
+			// Skip the error when the agent tries to update the status on a deleted stack
+			log.Debug().
+				Err(err).
+				Int("stackID", int(stackID)).
+				Msg("Unable to find a stack inside the database, skipping error")
+
+			return nil, nil
+		}
+
+		return nil, fmt.Errorf("unable to retrieve Edge stack from the database: %w.", err)
+	}
+
+	return stack, nil
+}
+
+func (c *EdgeStackStatusUpdateCoordinator) getNextUpdate(stackID portainer.EdgeStackID) (statusRequest, bool) {
+	for {
+		select {
+		case u := <-c.updateCh:
+			// Discard the update and let the agent retry
+			if u.stackID != stackID {
+				u.respCh <- statusResponse{Error: errAnotherStackUpdateInProgress}
+
+				continue
+			}
+
+			return u, true
+
+		default:
+			return statusRequest{}, false
+		}
+	}
+}
+
+func (c *EdgeStackStatusUpdateCoordinator) UpdateStatus(r *http.Request, stackID portainer.EdgeStackID, updateFn statusUpdateFn) (*portainer.EdgeStack, error) {
+	respCh := make(chan statusResponse)
+	defer close(respCh)
+
+	msg := statusRequest{
+		respCh:   respCh,
+		stackID:  stackID,
+		updateFn: updateFn,
+	}
+
+	select {
+	case c.updateCh <- msg:
+		r := <-respCh
+
+		return r.Stack, r.Error
+
+	case <-r.Context().Done():
+		return nil, r.Context().Err()
+	}
+}
--- a/api/http/handler/edgestacks/edgestack_test.go
+++ b/api/http/handler/edgestacks/edgestack_test.go
@@ -51,10 +51,14 @@ func setupHandler(t *testing.T) (*Handler, string) {
 		t.Fatal(err)
 	}

+	coord := NewEdgeStackStatusUpdateCoordinator(store)
+	go coord.Start()
+
 	handler := NewHandler(
 		security.NewRequestBouncer(store, jwtService, apiKeyService),
 		store,
 		edgestacks.NewService(store),
+		coord,
 	)

 	handler.FileService = fs
@@ -144,3 +148,15 @@ func createEdgeStack(t *testing.T, store dataservices.DataStore, endpointID port

 	return edgeStack
 }
+
+func createEdgeGroup(t *testing.T, store dataservices.DataStore) portainer.EdgeGroup {
+	edgeGroup := portainer.EdgeGroup{
+		ID:   1,
+		Name: "EdgeGroup 1",
+	}
+
+	if err := store.EdgeGroup().Create(&edgeGroup); err != nil {
+		t.Fatal(err)
+	}
+	return edgeGroup
+}
--- a/api/http/handler/edgestacks/edgestack_update.go
+++ b/api/http/handler/edgestacks/edgestack_update.go
@@ -80,7 +80,7 @@ func (handler *Handler) edgeStackUpdate(w http.ResponseWriter, r *http.Request)
 func (handler *Handler) updateEdgeStack(tx dataservices.DataStoreTx, stackID portainer.EdgeStackID, payload updateEdgeStackPayload) (*portainer.EdgeStack, error) {
 	stack, err := tx.EdgeStack().EdgeStack(stackID)
 	if err != nil {
-		return nil, handler.handlerDBErr(err, "Unable to find a stack with the specified identifier inside the database")
+		return nil, handlerDBErr(err, "Unable to find a stack with the specified identifier inside the database")
 	}

 	relationConfig, err := edge.FetchEndpointRelationsConfig(tx)
@@ -107,7 +107,7 @@ func (handler *Handler) updateEdgeStack(tx dataservices.DataStoreTx, stackID por

 	hasWrongType, err := hasWrongEnvironmentType(tx.Endpoint(), relatedEndpointIds, payload.DeploymentType)
 	if err != nil {
-		return nil, httperror.BadRequest("unable to check for existence of non fitting environments: %w", err)
+		return nil, httperror.InternalServerError("unable to check for existence of non fitting environments: %w", err)
 	}
 	if hasWrongType {
 		return nil, httperror.BadRequest("edge stack with config do not match the environment type", nil)
@@ -138,48 +138,23 @@ func (handler *Handler) handleChangeEdgeGroups(tx dataservices.DataStoreTx, edge
 		return nil, nil, errors.WithMessage(err, "Unable to retrieve edge stack related environments from database")
 	}

-	oldRelatedSet := set.ToSet(oldRelatedEnvironmentIDs)
-	newRelatedSet := set.ToSet(newRelatedEnvironmentIDs)
+	oldRelatedEnvironmentsSet := set.ToSet(oldRelatedEnvironmentIDs)
+	newRelatedEnvironmentsSet := set.ToSet(newRelatedEnvironmentIDs)

-	endpointsToRemove := set.Set[portainer.EndpointID]{}
-	for endpointID := range oldRelatedSet {
-		if !newRelatedSet[endpointID] {
-			endpointsToRemove[endpointID] = true
+	relatedEnvironmentsToAdd := newRelatedEnvironmentsSet.Difference(oldRelatedEnvironmentsSet)
+	relatedEnvironmentsToRemove := oldRelatedEnvironmentsSet.Difference(newRelatedEnvironmentsSet)
+
+	if len(relatedEnvironmentsToRemove) > 0 {
+		if err := tx.EndpointRelation().RemoveEndpointRelationsForEdgeStack(relatedEnvironmentsToRemove.Keys(), edgeStackID); err != nil {
+			return nil, nil, errors.WithMessage(err, "Unable to remove edge stack relations from the database")
 		}
 	}

-	for endpointID := range endpointsToRemove {
-		relation, err := tx.EndpointRelation().EndpointRelation(endpointID)
-		if err != nil {
-			return nil, nil, errors.WithMessage(err, "Unable to find environment relation in database")
-		}
-
-		delete(relation.EdgeStacks, edgeStackID)
-
-		if err := tx.EndpointRelation().UpdateEndpointRelation(endpointID, relation); err != nil {
-			return nil, nil, errors.WithMessage(err, "Unable to persist environment relation in database")
+	if len(relatedEnvironmentsToAdd) > 0 {
+		if err := tx.EndpointRelation().AddEndpointRelationsForEdgeStack(relatedEnvironmentsToAdd.Keys(), edgeStackID); err != nil {
+			return nil, nil, errors.WithMessage(err, "Unable to add edge stack relations to the database")
 		}
 	}

-	endpointsToAdd := set.Set[portainer.EndpointID]{}
-	for endpointID := range newRelatedSet {
-		if !oldRelatedSet[endpointID] {
-			endpointsToAdd[endpointID] = true
-		}
-	}
-
-	for endpointID := range endpointsToAdd {
-		relation, err := tx.EndpointRelation().EndpointRelation(endpointID)
-		if err != nil {
-			return nil, nil, errors.WithMessage(err, "Unable to find environment relation in database")
-		}
-
-		relation.EdgeStacks[edgeStackID] = true
-
-		if err := tx.EndpointRelation().UpdateEndpointRelation(endpointID, relation); err != nil {
-			return nil, nil, errors.WithMessage(err, "Unable to persist environment relation in database")
-		}
-	}
-
-	return newRelatedEnvironmentIDs, endpointsToAdd, nil
+	return newRelatedEnvironmentIDs, relatedEnvironmentsToAdd, nil
 }
--- a/api/http/handler/edgestacks/handler.go
+++ b/api/http/handler/edgestacks/handler.go
@@ -22,21 +22,21 @@ type Handler struct {
 	GitService         portainer.GitService
 	edgeStacksService  *edgestackservice.Service
 	KubernetesDeployer portainer.KubernetesDeployer
+	stackCoordinator   *EdgeStackStatusUpdateCoordinator
 }

 // NewHandler creates a handler to manage environment(endpoint) group operations.
-func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStore, edgeStacksService *edgestackservice.Service) *Handler {
+func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStore, edgeStacksService *edgestackservice.Service, stackCoordinator *EdgeStackStatusUpdateCoordinator) *Handler {
 	h := &Handler{
 		Router:            mux.NewRouter(),
 		requestBouncer:    bouncer,
 		DataStore:         dataStore,
 		edgeStacksService: edgeStacksService,
+		stackCoordinator:  stackCoordinator,
 	}

 	h.Handle("/edge_stacks/create/{method}",
 		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeStackCreate)))).Methods(http.MethodPost)
-	h.Handle("/edge_stacks",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(middlewares.Deprecated(h, deprecatedEdgeStackCreateUrlParser)))).Methods(http.MethodPost) // Deprecated
 	h.Handle("/edge_stacks",
 		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeStackList)))).Methods(http.MethodGet)
 	h.Handle("/edge_stacks/{id}",
@@ -53,15 +53,13 @@ func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStor
 	edgeStackStatusRouter := h.NewRoute().Subrouter()
 	edgeStackStatusRouter.Use(middlewares.WithEndpoint(h.DataStore.Endpoint(), "endpoint_id"))

-	edgeStackStatusRouter.PathPrefix("/edge_stacks/{id}/status/{endpoint_id}").Handler(bouncer.PublicAccess(httperror.LoggerHandler(h.edgeStackStatusDelete))).Methods(http.MethodDelete)
-
 	return h
 }

-func (handler *Handler) handlerDBErr(err error, msg string) *httperror.HandlerError {
+func handlerDBErr(err error, msg string) *httperror.HandlerError {
 	httpErr := httperror.InternalServerError(msg, err)

-	if handler.DataStore.IsErrObjectNotFound(err) {
+	if dataservices.IsErrObjectNotFound(err) {
 		httpErr.StatusCode = http.StatusNotFound
 	}

--- a/api/http/handler/edgetemplates/edgetemplate_list.go
+++ b/api/http/handler/edgetemplates/edgetemplate_list.go
@@ -1,71 +0,0 @@
-package edgetemplates
-
-import (
-	"net/http"
-	"slices"
-
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/client"
-	httperror "github.com/portainer/portainer/pkg/libhttp/error"
-	"github.com/portainer/portainer/pkg/libhttp/response"
-
-	"github.com/segmentio/encoding/json"
-)
-
-type templateFileFormat struct {
-	Version   string               `json:"version"`
-	Templates []portainer.Template `json:"templates"`
-}
-
-// @id EdgeTemplateList
-// @deprecated
-// @summary Fetches the list of Edge Templates
-// @description **Access policy**: administrator
-// @tags edge_templates
-// @security ApiKeyAuth
-// @security jwt
-// @accept json
-// @produce json
-// @success 200 {array} portainer.Template
-// @failure 500
-// @router /edge_templates [get]
-func (handler *Handler) edgeTemplateList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	settings, err := handler.DataStore.Settings().Settings()
-	if err != nil {
-		return httperror.InternalServerError("Unable to retrieve settings from the database", err)
-	}
-
-	url := portainer.DefaultTemplatesURL
-	if settings.TemplatesURL != "" {
-		url = settings.TemplatesURL
-	}
-
-	var templateData []byte
-	templateData, err = client.Get(url, 10)
-	if err != nil {
-		return httperror.InternalServerError("Unable to retrieve external templates", err)
-	}
-
-	var templateFile templateFileFormat
-
-	err = json.Unmarshal(templateData, &templateFile)
-	if err != nil {
-		return httperror.InternalServerError("Unable to parse template file", err)
-	}
-
-	// We only support version 3 of the template format
-	// this is only a temporary fix until we have custom edge templates
-	if templateFile.Version != "3" {
-		return httperror.InternalServerError("Unsupported template version", nil)
-	}
-
-	filteredTemplates := make([]portainer.Template, 0)
-
-	for _, template := range templateFile.Templates {
-		if slices.Contains(template.Categories, "edge") && slices.Contains([]portainer.TemplateType{portainer.ComposeStackTemplate, portainer.SwarmStackTemplate}, template.Type) {
-			filteredTemplates = append(filteredTemplates, template)
-		}
-	}
-
-	return response.JSON(w, filteredTemplates)
-}
--- a/api/http/handler/edgetemplates/handler.go
+++ b/api/http/handler/edgetemplates/handler.go
@@ -1,32 +0,0 @@
-package edgetemplates
-
-import (
-	"net/http"
-
-	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/http/middlewares"
-	"github.com/portainer/portainer/api/http/security"
-	httperror "github.com/portainer/portainer/pkg/libhttp/error"
-
-	"github.com/gorilla/mux"
-)
-
-// Handler is the HTTP handler used to handle edge environment(endpoint) operations.
-type Handler struct {
-	*mux.Router
-	requestBouncer security.BouncerService
-	DataStore      dataservices.DataStore
-}
-
-// NewHandler creates a handler to manage environment(endpoint) operations.
-func NewHandler(bouncer security.BouncerService) *Handler {
-	h := &Handler{
-		Router:         mux.NewRouter(),
-		requestBouncer: bouncer,
-	}
-
-	h.Handle("/edge_templates",
-		bouncer.AdminAccess(middlewares.Deprecated(httperror.LoggerHandler(h.edgeTemplateList), func(w http.ResponseWriter, r *http.Request) (string, *httperror.HandlerError) { return "", nil }))).Methods(http.MethodGet)
-
-	return h
-}
--- a/api/http/handler/endpointedge/endpointedge_status_inspect.go
+++ b/api/http/handler/endpointedge/endpointedge_status_inspect.go
@@ -264,6 +264,9 @@ func (handler *Handler) buildSchedules(tx dataservices.DataStoreTx, endpointID p
 func (handler *Handler) buildEdgeStacks(tx dataservices.DataStoreTx, endpointID portainer.EndpointID) ([]stackStatusResponse, *httperror.HandlerError) {
 	relation, err := tx.EndpointRelation().EndpointRelation(endpointID)
 	if err != nil {
+		if tx.IsErrObjectNotFound(err) {
+			return nil, nil
+		}
 		return nil, httperror.InternalServerError("Unable to retrieve relation object from the database", err)
 	}

--- a/api/http/handler/endpointgroups/endpoints.go
+++ b/api/http/handler/endpointgroups/endpoints.go
@@ -21,10 +21,17 @@ func (handler *Handler) updateEndpointRelations(tx dataservices.DataStoreTx, end
 	}

 	endpointRelation, err := tx.EndpointRelation().EndpointRelation(endpoint.ID)
-	if err != nil {
+	if err != nil && !tx.IsErrObjectNotFound(err) {
 		return err
 	}

+	if endpointRelation == nil {
+		endpointRelation = &portainer.EndpointRelation{
+			EndpointID: endpoint.ID,
+			EdgeStacks: make(map[portainer.EdgeStackID]bool),
+		}
+	}
+
 	edgeGroups, err := tx.EdgeGroup().ReadAll()
 	if err != nil {
 		return err
@@ -32,6 +39,9 @@ func (handler *Handler) updateEndpointRelations(tx dataservices.DataStoreTx, end

 	edgeStacks, err := tx.EdgeStack().EdgeStacks()
 	if err != nil {
+		if tx.IsErrObjectNotFound(err) {
+			return nil
+		}
 		return err
 	}

--- a/api/http/handler/endpoints/endpoint_delete.go
+++ b/api/http/handler/endpoints/endpoint_delete.go
@@ -91,7 +91,7 @@ func (handler *Handler) endpointDelete(w http.ResponseWriter, r *http.Request) *
 // @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
 // @failure 403 "Unauthorized access or operation not allowed."
 // @failure 500 "Server error occurred while attempting to delete the specified environments."
-// @router /endpoints [delete]
+// @router /endpoints/delete [post]
 func (handler *Handler) endpointDeleteBatch(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	var p endpointDeleteBatchPayload
 	if err := request.DecodeAndValidateJSONPayload(r, &p); err != nil {
@@ -127,6 +127,27 @@ func (handler *Handler) endpointDeleteBatch(w http.ResponseWriter, r *http.Reque
 	return response.Empty(w)
 }

+// @id EndpointDeleteBatchDeprecated
+// @summary Remove multiple environments
+// @deprecated
+// @description Deprecated: use the `POST` endpoint instead.
+// @description Remove multiple environments and optionally clean-up associated resources.
+// @description **Access policy**: Administrator only.
+// @tags endpoints
+// @security ApiKeyAuth || jwt
+// @accept json
+// @produce json
+// @param body body endpointDeleteBatchPayload true "List of environments to delete, with optional deleteCluster flag to clean-up associated resources (cloud environments only)"
+// @success 204 "Environment(s) successfully deleted."
+// @failure 207 {object} endpointDeleteBatchPartialResponse "Partial success. Some environments were deleted successfully, while others failed."
+// @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
+// @failure 403 "Unauthorized access or operation not allowed."
+// @failure 500 "Server error occurred while attempting to delete the specified environments."
+// @router /endpoints [delete]
+func (handler *Handler) endpointDeleteBatchDeprecated(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	return handler.endpointDeleteBatch(w, r)
+}
+
 func (handler *Handler) deleteEndpoint(tx dataservices.DataStoreTx, endpointID portainer.EndpointID, deleteCluster bool) error {
 	endpoint, err := tx.Endpoint().Endpoint(endpointID)
 	if tx.IsErrObjectNotFound(err) {
--- a/api/http/handler/endpoints/endpoint_dockerhub_status.go
+++ b/api/http/handler/endpoints/endpoint_dockerhub_status.go
@@ -80,6 +80,13 @@ func (handler *Handler) endpointDockerhubStatus(w http.ResponseWriter, r *http.R
 		}
 	}

+	if handler.PullLimitCheckDisabled {
+		return response.JSON(w, &dockerhubStatusResponse{
+			Limit:     10,
+			Remaining: 10,
+		})
+	}
+
 	httpClient := client.NewHTTPClient()
 	token, err := getDockerHubToken(httpClient, registry)
 	if err != nil {
--- a/api/http/handler/endpoints/endpoint_inspect.go
+++ b/api/http/handler/endpoints/endpoint_inspect.go
@@ -19,6 +19,8 @@ import (
 // @security jwt
 // @produce json
 // @param id path int true "Environment(Endpoint) identifier"
+// @param excludeSnapshot query bool false "if true, the snapshot data won't be retrieved"
+// @param excludeSnapshotRaw query bool false "if true, the SnapshotRaw field won't be retrieved"
 // @success 200 {object} portainer.Endpoint "Success"
 // @failure 400 "Invalid request"
 // @failure 404 "Environment(Endpoint) not found"
@@ -37,8 +39,7 @@ func (handler *Handler) endpointInspect(w http.ResponseWriter, r *http.Request)
 		return httperror.InternalServerError("Unable to find an environment with the specified identifier inside the database", err)
 	}

-	err = handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint)
-	if err != nil {
+	if err := handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint); err != nil {
 		return httperror.Forbidden("Permission denied to access environment", err)
 	}

@@ -51,9 +52,11 @@ func (handler *Handler) endpointInspect(w http.ResponseWriter, r *http.Request)
 	endpointutils.UpdateEdgeEndpointHeartbeat(endpoint, settings)
 	endpoint.ComposeSyntaxMaxVersion = handler.ComposeStackManager.ComposeSyntaxMaxVersion()

-	if !excludeSnapshot(r) {
-		err = handler.SnapshotService.FillSnapshotData(endpoint)
-		if err != nil {
+	excludeSnapshot, _ := request.RetrieveBooleanQueryParameter(r, "excludeSnapshot", true)
+	excludeRaw, _ := request.RetrieveBooleanQueryParameter(r, "excludeSnapshotRaw", true)
+
+	if !excludeSnapshot {
+		if err := handler.SnapshotService.FillSnapshotData(endpoint, !excludeRaw); err != nil {
 			return httperror.InternalServerError("Unable to add snapshot data", err)
 		}
 	}
@@ -83,9 +86,3 @@ func (handler *Handler) endpointInspect(w http.ResponseWriter, r *http.Request)

 	return response.JSON(w, endpoint)
 }
-
-func excludeSnapshot(r *http.Request) bool {
-	excludeSnapshot, _ := request.RetrieveBooleanQueryParameter(r, "excludeSnapshot", true)
-
-	return excludeSnapshot
-}
--- a/api/http/handler/endpoints/endpoint_list.go
+++ b/api/http/handler/endpoints/endpoint_list.go
@@ -38,15 +38,19 @@ const (
 // @param tagIds query []int false "search environments(endpoints) with these tags (depends on tagsPartialMatch)"
 // @param tagsPartialMatch query bool false "If true, will return environment(endpoint) which has one of tagIds, if false (or missing) will return only environments(endpoints) that has all the tags"
 // @param endpointIds query []int false "will return only these environments(endpoints)"
+// @param excludeIds query []int false "will exclude these environments(endpoints)"
 // @param provisioned query bool false "If true, will return environment(endpoint) that were provisioned"
 // @param agentVersions query []string false "will return only environments with on of these agent versions"
 // @param edgeAsync query bool false "if exists true show only edge async agents, false show only standard edge agents. if missing, will show both types (relevant only for edge agents)"
 // @param edgeDeviceUntrusted query bool false "if true, show only untrusted edge agents, if false show only trusted edge agents (relevant only for edge agents)"
 // @param edgeCheckInPassedSeconds query number false "if bigger then zero, show only edge agents that checked-in in the last provided seconds (relevant only for edge agents)"
 // @param excludeSnapshots query bool false "if true, the snapshot data won't be retrieved"
+// @param excludeSnapshotRaw query bool false "if true, the SnapshotRaw field won't be retrieved"
 // @param name query string false "will return only environments(endpoints) with this name"
 // @param edgeStackId query portainer.EdgeStackID false "will return the environements of the specified edge stack"
 // @param edgeStackStatus query string false "only applied when edgeStackId exists. Filter the returned environments based on their deployment status in the stack (not the environment status!)" Enum("Pending", "Ok", "Error", "Acknowledged", "Remove", "RemoteUpdateSuccess", "ImagesPulled")
+// @param edgeGroupIds query []int false "List environments(endpoints) of these edge groups"
+// @param excludeEdgeGroupIds query []int false "Exclude environments(endpoints) of these edge groups"
 // @success 200 {array} portainer.Endpoint "Endpoints"
 // @failure 500 "Server error"
 // @router /endpoints [get]
@@ -59,6 +63,7 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht
 	limit, _ := request.RetrieveNumericQueryParameter(r, "limit", true)
 	sortField, _ := request.RetrieveQueryParameter(r, "sort", true)
 	sortOrder, _ := request.RetrieveQueryParameter(r, "order", true)
+	excludeRaw, _ := request.RetrieveBooleanQueryParameter(r, "excludeSnapshotRaw", true)

 	endpointGroups, err := handler.DataStore.EndpointGroup().ReadAll()
 	if err != nil {
@@ -105,14 +110,16 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht

 	for idx := range paginatedEndpoints {
 		hideFields(&paginatedEndpoints[idx])
+
 		paginatedEndpoints[idx].ComposeSyntaxMaxVersion = handler.ComposeStackManager.ComposeSyntaxMaxVersion()
 		if paginatedEndpoints[idx].EdgeCheckinInterval == 0 {
 			paginatedEndpoints[idx].EdgeCheckinInterval = settings.EdgeAgentCheckinInterval
 		}
+
 		endpointutils.UpdateEdgeEndpointHeartbeat(&paginatedEndpoints[idx], settings)
+
 		if !query.excludeSnapshots {
-			err = handler.SnapshotService.FillSnapshotData(&paginatedEndpoints[idx])
-			if err != nil {
+			if err := handler.SnapshotService.FillSnapshotData(&paginatedEndpoints[idx], !excludeRaw); err != nil {
 				return httperror.InternalServerError("Unable to add snapshot data", err)
 			}
 		}
@@ -120,6 +127,7 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht

 	w.Header().Set("X-Total-Count", strconv.Itoa(filteredEndpointCount))
 	w.Header().Set("X-Total-Available", strconv.Itoa(totalAvailableEndpoints))
+
 	return response.JSON(w, paginatedEndpoints)
 }

@@ -130,18 +138,8 @@ func paginateEndpoints(endpoints []portainer.Endpoint, start, limit int) []porta

 	endpointCount := len(endpoints)

-	if start < 0 {
-		start = 0
-	}
-
-	if start > endpointCount {
-		start = endpointCount
-	}
-
-	end := start + limit
-	if end > endpointCount {
-		end = endpointCount
-	}
+	start = min(max(start, 0), endpointCount)
+	end := min(start+limit, endpointCount)

 	return endpoints[start:end]
 }
@@ -151,8 +149,10 @@ func getEndpointGroup(groupID portainer.EndpointGroupID, groups []portainer.Endp
 	for _, group := range groups {
 		if group.ID == groupID {
 			endpointGroup = group
+
 			break
 		}
 	}
+
 	return endpointGroup
 }
--- a/api/http/handler/endpoints/endpoint_update.go
+++ b/api/http/handler/endpoints/endpoint_update.go
@@ -272,7 +272,7 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 		}
 	}

-	if err := handler.SnapshotService.FillSnapshotData(endpoint); err != nil {
+	if err := handler.SnapshotService.FillSnapshotData(endpoint, true); err != nil {
 		return httperror.InternalServerError("Unable to add snapshot data", err)
 	}

--- a/api/http/handler/endpoints/filter.go
+++ b/api/http/handler/endpoints/filter.go
@@ -37,6 +37,8 @@ type EnvironmentsQuery struct {
 	edgeStackId              portainer.EdgeStackID
 	edgeStackStatus          *portainer.EdgeStackStatusType
 	excludeIds               []portainer.EndpointID
+	edgeGroupIds             []portainer.EdgeGroupID
+	excludeEdgeGroupIds      []portainer.EdgeGroupID
 }

 func parseQuery(r *http.Request) (EnvironmentsQuery, error) {
@@ -77,6 +79,16 @@ func parseQuery(r *http.Request) (EnvironmentsQuery, error) {
 		return EnvironmentsQuery{}, err
 	}

+	edgeGroupIDs, err := getNumberArrayQueryParameter[portainer.EdgeGroupID](r, "edgeGroupIds")
+	if err != nil {
+		return EnvironmentsQuery{}, err
+	}
+
+	excludeEdgeGroupIds, err := getNumberArrayQueryParameter[portainer.EdgeGroupID](r, "excludeEdgeGroupIds")
+	if err != nil {
+		return EnvironmentsQuery{}, err
+	}
+
 	agentVersions := getArrayQueryParameter(r, "agentVersions")

 	name, _ := request.RetrieveQueryParameter(r, "name", true)
@@ -117,6 +129,8 @@ func parseQuery(r *http.Request) (EnvironmentsQuery, error) {
 		edgeCheckInPassedSeconds: edgeCheckInPassedSeconds,
 		edgeStackId:              portainer.EdgeStackID(edgeStackId),
 		edgeStackStatus:          edgeStackStatus,
+		edgeGroupIds:             edgeGroupIDs,
+		excludeEdgeGroupIds:      excludeEdgeGroupIds,
 	}, nil
 }

@@ -143,6 +157,14 @@ func (handler *Handler) filterEndpointsByQuery(
 		filteredEndpoints = filterEndpointsByGroupIDs(filteredEndpoints, query.groupIds)
 	}

+	if len(query.edgeGroupIds) > 0 {
+		filteredEndpoints, edgeGroups = filterEndpointsByEdgeGroupIDs(filteredEndpoints, edgeGroups, query.edgeGroupIds)
+	}
+
+	if len(query.excludeEdgeGroupIds) > 0 {
+		filteredEndpoints, edgeGroups = filterEndpointsByExcludeEdgeGroupIDs(filteredEndpoints, edgeGroups, query.excludeEdgeGroupIds)
+	}
+
 	if query.name != "" {
 		filteredEndpoints = filterEndpointsByName(filteredEndpoints, query.name)
 	}
@@ -295,6 +317,70 @@ func filterEndpointsByGroupIDs(endpoints []portainer.Endpoint, endpointGroupIDs
 	return endpoints[:n]
 }

+func filterEndpointsByEdgeGroupIDs(endpoints []portainer.Endpoint, edgeGroups []portainer.EdgeGroup, edgeGroupIDs []portainer.EdgeGroupID) ([]portainer.Endpoint, []portainer.EdgeGroup) {
+	edgeGroupIDFilterSet := make(map[portainer.EdgeGroupID]struct{}, len(edgeGroupIDs))
+	for _, id := range edgeGroupIDs {
+		edgeGroupIDFilterSet[id] = struct{}{}
+	}
+
+	n := 0
+	for _, edgeGroup := range edgeGroups {
+		if _, exists := edgeGroupIDFilterSet[edgeGroup.ID]; exists {
+			edgeGroups[n] = edgeGroup
+			n++
+		}
+	}
+	edgeGroups = edgeGroups[:n]
+
+	endpointIDSet := make(map[portainer.EndpointID]struct{})
+	for _, edgeGroup := range edgeGroups {
+		for _, endpointID := range edgeGroup.Endpoints {
+			endpointIDSet[endpointID] = struct{}{}
+		}
+	}
+
+	n = 0
+	for _, endpoint := range endpoints {
+		if _, exists := endpointIDSet[endpoint.ID]; exists {
+			endpoints[n] = endpoint
+			n++
+		}
+	}
+
+	return endpoints[:n], edgeGroups
+}
+
+func filterEndpointsByExcludeEdgeGroupIDs(endpoints []portainer.Endpoint, edgeGroups []portainer.EdgeGroup, excludeEdgeGroupIds []portainer.EdgeGroupID) ([]portainer.Endpoint, []portainer.EdgeGroup) {
+	excludeEdgeGroupIDSet := make(map[portainer.EdgeGroupID]struct{}, len(excludeEdgeGroupIds))
+	for _, id := range excludeEdgeGroupIds {
+		excludeEdgeGroupIDSet[id] = struct{}{}
+	}
+
+	n := 0
+	excludeEndpointIDSet := make(map[portainer.EndpointID]struct{})
+	for _, edgeGroup := range edgeGroups {
+		if _, ok := excludeEdgeGroupIDSet[edgeGroup.ID]; ok {
+			for _, endpointID := range edgeGroup.Endpoints {
+				excludeEndpointIDSet[endpointID] = struct{}{}
+			}
+		} else {
+			edgeGroups[n] = edgeGroup
+			n++
+		}
+	}
+	edgeGroups = edgeGroups[:n]
+
+	n = 0
+	for _, endpoint := range endpoints {
+		if _, ok := excludeEndpointIDSet[endpoint.ID]; !ok {
+			endpoints[n] = endpoint
+			n++
+		}
+	}
+
+	return endpoints[:n], edgeGroups
+}
+
 func filterEndpointsBySearchCriteria(
 	endpoints []portainer.Endpoint,
 	endpointGroups []portainer.EndpointGroup,
--- a/api/http/handler/endpoints/handler.go
+++ b/api/http/handler/endpoints/handler.go
@@ -26,19 +26,20 @@ func hideFields(endpoint *portainer.Endpoint) {
 // Handler is the HTTP handler used to handle environment(endpoint) operations.
 type Handler struct {
 	*mux.Router
-	requestBouncer        security.BouncerService
-	DataStore             dataservices.DataStore
-	FileService           portainer.FileService
-	ProxyManager          *proxy.Manager
-	ReverseTunnelService  portainer.ReverseTunnelService
-	SnapshotService       portainer.SnapshotService
-	K8sClientFactory      *cli.ClientFactory
-	ComposeStackManager   portainer.ComposeStackManager
-	AuthorizationService  *authorization.Service
-	DockerClientFactory   *dockerclient.ClientFactory
-	BindAddress           string
-	BindAddressHTTPS      string
-	PendingActionsService *pendingactions.PendingActionsService
+	requestBouncer         security.BouncerService
+	DataStore              dataservices.DataStore
+	FileService            portainer.FileService
+	ProxyManager           *proxy.Manager
+	ReverseTunnelService   portainer.ReverseTunnelService
+	SnapshotService        portainer.SnapshotService
+	K8sClientFactory       *cli.ClientFactory
+	ComposeStackManager    portainer.ComposeStackManager
+	AuthorizationService   *authorization.Service
+	DockerClientFactory    *dockerclient.ClientFactory
+	BindAddress            string
+	BindAddressHTTPS       string
+	PendingActionsService  *pendingactions.PendingActionsService
+	PullLimitCheckDisabled bool
 }

 // NewHandler creates a handler to manage environment(endpoint) operations.
@@ -68,8 +69,8 @@ func NewHandler(bouncer security.BouncerService) *Handler {
 		bouncer.AdminAccess(httperror.LoggerHandler(h.endpointUpdate))).Methods(http.MethodPut)
 	h.Handle("/endpoints/{id}",
 		bouncer.AdminAccess(httperror.LoggerHandler(h.endpointDelete))).Methods(http.MethodDelete)
-	h.Handle("/endpoints",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.endpointDeleteBatch))).Methods(http.MethodDelete)
+	h.Handle("/endpoints/delete",
+		bouncer.AdminAccess(httperror.LoggerHandler(h.endpointDeleteBatch))).Methods(http.MethodPost)
 	h.Handle("/endpoints/{id}/dockerhub/{registryId}",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.endpointDockerhubStatus))).Methods(http.MethodGet)
 	h.Handle("/endpoints/{id}/snapshot",
@@ -85,6 +86,7 @@ func NewHandler(bouncer security.BouncerService) *Handler {

 	// DEPRECATED
 	h.Handle("/endpoints/{id}/status", bouncer.PublicAccess(httperror.LoggerHandler(h.endpointStatusInspect))).Methods(http.MethodGet)
+	h.Handle("/endpoints", bouncer.AdminAccess(httperror.LoggerHandler(h.endpointDeleteBatchDeprecated))).Methods(http.MethodDelete)

 	return h
 }
--- a/api/http/handler/endpoints/update_edge_relations.go
+++ b/api/http/handler/endpoints/update_edge_relations.go
@@ -23,6 +23,7 @@ func (handler *Handler) updateEdgeRelations(tx dataservices.DataStoreTx, endpoin

 		relation = &portainer.EndpointRelation{
 			EndpointID: endpoint.ID,
+			EdgeStacks: map[portainer.EdgeStackID]bool{},
 		}
 		if err := tx.EndpointRelation().Create(relation); err != nil {
 			return errors.WithMessage(err, "Unable to create environment relation inside the database")
--- a/api/http/handler/gitops/git_repo_file_preview.go
+++ b/api/http/handler/gitops/git_repo_file_preview.go
@@ -9,8 +9,7 @@ import (
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
-
-	"github.com/asaskevich/govalidator"
+	"github.com/portainer/portainer/pkg/validate"
 )

 type fileResponse struct {
@@ -29,7 +28,7 @@ type repositoryFilePreviewPayload struct {
 }

 func (payload *repositoryFilePreviewPayload) Validate(r *http.Request) error {
-	if len(payload.Repository) == 0 || !govalidator.IsURL(payload.Repository) {
+	if len(payload.Repository) == 0 || !validate.IsURL(payload.Repository) {
 		return errors.New("invalid repository URL. Must correspond to a valid URL format")
 	}

--- a/api/http/handler/handler.go
+++ b/api/http/handler/handler.go
@@ -11,7 +11,6 @@ import (
 	"github.com/portainer/portainer/api/http/handler/edgegroups"
 	"github.com/portainer/portainer/api/http/handler/edgejobs"
 	"github.com/portainer/portainer/api/http/handler/edgestacks"
-	"github.com/portainer/portainer/api/http/handler/edgetemplates"
 	"github.com/portainer/portainer/api/http/handler/endpointedge"
 	"github.com/portainer/portainer/api/http/handler/endpointgroups"
 	"github.com/portainer/portainer/api/http/handler/endpointproxy"
@@ -50,7 +49,6 @@ type Handler struct {
 	EdgeGroupsHandler      *edgegroups.Handler
 	EdgeJobsHandler        *edgejobs.Handler
 	EdgeStacksHandler      *edgestacks.Handler
-	EdgeTemplatesHandler   *edgetemplates.Handler
 	EndpointEdgeHandler    *endpointedge.Handler
 	EndpointGroupHandler   *endpointgroups.Handler
 	EndpointHandler        *endpoints.Handler
@@ -83,7 +81,7 @@ type Handler struct {
 }

 // @title PortainerCE API
-// @version 2.25.0
+// @version 2.30.0
 // @description.markdown api-description.md
 // @termsOfService

@@ -190,8 +188,6 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.StripPrefix("/api", h.EdgeGroupsHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/edge_jobs"):
 		http.StripPrefix("/api", h.EdgeJobsHandler).ServeHTTP(w, r)
-	case strings.HasPrefix(r.URL.Path, "/api/edge_templates"):
-		http.StripPrefix("/api", h.EdgeTemplatesHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/endpoint_groups"):
 		http.StripPrefix("/api", h.EndpointGroupHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/kubernetes"):
--- a/api/http/handler/helm/handler.go
+++ b/api/http/handler/helm/handler.go
@@ -1,6 +1,7 @@
 package helm

 import (
+	"fmt"
 	"net/http"

 	portainer "github.com/portainer/portainer/api"
@@ -8,8 +9,8 @@ import (
 	"github.com/portainer/portainer/api/http/middlewares"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/kubernetes"
-	"github.com/portainer/portainer/pkg/libhelm"
 	"github.com/portainer/portainer/pkg/libhelm/options"
+	libhelmtypes "github.com/portainer/portainer/pkg/libhelm/types"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"

 	"github.com/gorilla/mux"
@@ -23,11 +24,11 @@ type Handler struct {
 	jwtService               portainer.JWTService
 	kubeClusterAccessService kubernetes.KubeClusterAccessService
 	kubernetesDeployer       portainer.KubernetesDeployer
-	helmPackageManager       libhelm.HelmPackageManager
+	helmPackageManager       libhelmtypes.HelmPackageManager
 }

 // NewHandler creates a handler to manage endpoint group operations.
-func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStore, jwtService portainer.JWTService, kubernetesDeployer portainer.KubernetesDeployer, helmPackageManager libhelm.HelmPackageManager, kubeClusterAccessService kubernetes.KubeClusterAccessService) *Handler {
+func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStore, jwtService portainer.JWTService, kubernetesDeployer portainer.KubernetesDeployer, helmPackageManager libhelmtypes.HelmPackageManager, kubeClusterAccessService kubernetes.KubeClusterAccessService) *Handler {
 	h := &Handler{
 		Router:                   mux.NewRouter(),
 		requestBouncer:           bouncer,
@@ -53,17 +54,23 @@ func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStor
 	h.Handle("/{id}/kubernetes/helm",
 		httperror.LoggerHandler(h.helmInstall)).Methods(http.MethodPost)

-	// Deprecated
-	h.Handle("/{id}/kubernetes/helm/repositories",
-		httperror.LoggerHandler(h.userGetHelmRepos)).Methods(http.MethodGet)
-	h.Handle("/{id}/kubernetes/helm/repositories",
-		httperror.LoggerHandler(h.userCreateHelmRepo)).Methods(http.MethodPost)
+	// `helm get all [RELEASE_NAME]`
+	h.Handle("/{id}/kubernetes/helm/{release}",
+		httperror.LoggerHandler(h.helmGet)).Methods(http.MethodGet)
+
+	// `helm history [RELEASE_NAME]`
+	h.Handle("/{id}/kubernetes/helm/{release}/history",
+		httperror.LoggerHandler(h.helmGetHistory)).Methods(http.MethodGet)
+
+	// `helm rollback [RELEASE_NAME] [REVISION]`
+	h.Handle("/{id}/kubernetes/helm/{release}/rollback",
+		httperror.LoggerHandler(h.helmRollback)).Methods(http.MethodPost)

 	return h
 }

 // NewTemplateHandler creates a template handler to manage environment(endpoint) group operations.
-func NewTemplateHandler(bouncer security.BouncerService, helmPackageManager libhelm.HelmPackageManager) *Handler {
+func NewTemplateHandler(bouncer security.BouncerService, helmPackageManager libhelmtypes.HelmPackageManager) *Handler {
 	h := &Handler{
 		Router:             mux.NewRouter(),
 		helmPackageManager: helmPackageManager,
@@ -84,7 +91,7 @@ func NewTemplateHandler(bouncer security.BouncerService, helmPackageManager libh

 // getHelmClusterAccess obtains the core k8s cluster access details from request.
 // The cluster access includes the cluster server url, the user's bearer token and the tls certificate.
-// The cluster access is passed in as kube config CLI params to helm binary.
+// The cluster access is passed in as kube config CLI params to helm.
 func (handler *Handler) getHelmClusterAccess(r *http.Request) (*options.KubernetesClusterAccess, *httperror.HandlerError) {
 	endpoint, err := middlewares.FetchEndpoint(r)
 	if err != nil {
@@ -113,6 +120,9 @@ func (handler *Handler) getHelmClusterAccess(r *http.Request) (*options.Kubernet

 	kubeConfigInternal := handler.kubeClusterAccessService.GetClusterDetails(hostURL, endpoint.ID, true)
 	return &options.KubernetesClusterAccess{
+		ClusterName:              fmt.Sprintf("%s-%s", "portainer-cluster", endpoint.Name),
+		ContextName:              fmt.Sprintf("%s-%s", "portainer-ctx", endpoint.Name),
+		UserName:                 fmt.Sprintf("%s-%s", "portainer-sa-user", tokenData.Username),
 		ClusterServerURL:         kubeConfigInternal.ClusterServerURL,
 		CertificateAuthorityFile: kubeConfigInternal.CertificateAuthorityFile,
 		AuthToken:                bearerToken,
--- a/api/http/handler/helm/helm_delete_test.go
+++ b/api/http/handler/helm/helm_delete_test.go
@@ -13,8 +13,8 @@ import (
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"
 	"github.com/portainer/portainer/api/kubernetes"
-	"github.com/portainer/portainer/pkg/libhelm/binary/test"
 	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/test"

 	"github.com/stretchr/testify/assert"
 )
@@ -34,7 +34,7 @@ func Test_helmDelete(t *testing.T) {
 	is.NoError(err, "Error initiating jwt service")

 	kubernetesDeployer := exectest.NewKubernetesDeployer()
-	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
+	helmPackageManager := test.NewMockHelmPackageManager()
 	kubeClusterAccessService := kubernetes.NewKubeClusterAccessService("", "", "")
 	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeClusterAccessService)

@@ -42,7 +42,7 @@ func Test_helmDelete(t *testing.T) {

 	// Install a single chart directly, to be deleted by the handler
 	options := options.InstallOptions{Name: "nginx-1", Chart: "nginx", Namespace: "default"}
-	h.helmPackageManager.Install(options)
+	h.helmPackageManager.Upgrade(options)

 	t.Run("helmDelete succeeds with admin user", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodDelete, "/1/kubernetes/helm/"+options.Name, nil)
--- a/api/http/handler/helm/helm_get.go
+++ b/api/http/handler/helm/helm_get.go
@@ -0,0 +1,67 @@
+package helm
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	_ "github.com/portainer/portainer/pkg/libhelm/release"
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/libhttp/response"
+)
+
+// @id HelmGet
+// @summary Get a helm release
+// @description Get details of a helm release by release name
+// @description **Access policy**: authenticated
+// @tags helm
+// @security ApiKeyAuth || jwt
+// @produce json
+// @param id path int true "Environment(Endpoint) identifier"
+// @param name path string true "Helm release name"
+// @param namespace query string false "specify an optional namespace"
+// @param showResources query boolean false "show resources of the release"
+// @param revision query int false "specify an optional revision"
+// @success 200 {object} release.Release "Success"
+// @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
+// @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
+// @failure 403 "Permission denied - the user is authenticated but does not have the necessary permissions to access the requested resource or perform the specified operation. Check your user roles and permissions."
+// @failure 404 "Unable to find an environment with the specified identifier."
+// @failure 500 "Server error occurred while attempting to retrieve the release."
+// @router /endpoints/{id}/kubernetes/helm/{name} [get]
+func (handler *Handler) helmGet(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	release, err := request.RetrieveRouteVariableValue(r, "release")
+	if err != nil {
+		return httperror.BadRequest("No release specified", err)
+	}
+
+	clusterAccess, httperr := handler.getHelmClusterAccess(r)
+	if httperr != nil {
+		return httperr
+	}
+
+	// build the get options
+	getOpts := options.GetOptions{
+		KubernetesClusterAccess: clusterAccess,
+		Name:                    release,
+	}
+	namespace, _ := request.RetrieveQueryParameter(r, "namespace", true)
+	// optional namespace.  The library defaults to "default"
+	if namespace != "" {
+		getOpts.Namespace = namespace
+	}
+	showResources, _ := request.RetrieveBooleanQueryParameter(r, "showResources", true)
+	getOpts.ShowResources = showResources
+	revision, _ := request.RetrieveNumericQueryParameter(r, "revision", true)
+	// optional revision.  The library defaults to the latest revision if not specified
+	if revision > 0 {
+		getOpts.Revision = revision
+	}
+
+	releases, err := handler.helmPackageManager.Get(getOpts)
+	if err != nil {
+		return httperror.InternalServerError("Helm returned an error", err)
+	}
+
+	return response.JSON(w, releases)
+}
--- a/api/http/handler/helm/helm_get_test.go
+++ b/api/http/handler/helm/helm_get_test.go
@@ -0,0 +1,66 @@
+package helm
+
+import (
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/exec/exectest"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/testhelpers"
+	helper "github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/jwt"
+	"github.com/portainer/portainer/api/kubernetes"
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/portainer/portainer/pkg/libhelm/test"
+
+	"github.com/segmentio/encoding/json"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_helmGet(t *testing.T) {
+	is := assert.New(t)
+
+	_, store := datastore.MustNewTestStore(t, true, true)
+
+	err := store.Endpoint().Create(&portainer.Endpoint{ID: 1})
+	is.NoError(err, "Error creating environment")
+
+	err = store.User().Create(&portainer.User{Username: "admin", Role: portainer.AdministratorRole})
+	is.NoError(err, "Error creating a user")
+
+	jwtService, err := jwt.NewService("1h", store)
+	is.NoError(err, "Error initiating jwt service")
+
+	kubernetesDeployer := exectest.NewKubernetesDeployer()
+	helmPackageManager := test.NewMockHelmPackageManager()
+	kubeClusterAccessService := kubernetes.NewKubeClusterAccessService("", "", "")
+	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeClusterAccessService)
+
+	is.NotNil(h, "Handler should not fail")
+
+	// Install a single chart, to be retrieved by the handler
+	options := options.InstallOptions{Name: "nginx-1", Chart: "nginx", Namespace: "default"}
+	h.helmPackageManager.Upgrade(options)
+
+	t.Run("helmGet sucessfuly retrieves helm release", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/1/kubernetes/helm/"+options.Name+"?namespace="+options.Namespace, nil)
+		ctx := security.StoreTokenData(req, &portainer.TokenData{ID: 1, Username: "admin", Role: 1})
+		req = req.WithContext(ctx)
+		testhelpers.AddTestSecurityCookie(req, "Bearer dummytoken")
+
+		rr := httptest.NewRecorder()
+		h.ServeHTTP(rr, req)
+
+		data := release.Release{}
+		body, err := io.ReadAll(rr.Body)
+		is.NoError(err, "ReadAll should not return error")
+		json.Unmarshal(body, &data)
+		is.Equal(http.StatusOK, rr.Code, "Status should be 200")
+		is.Equal("nginx-1", data.Name)
+	})
+}
--- a/api/http/handler/helm/helm_history.go
+++ b/api/http/handler/helm/helm_history.go
@@ -0,0 +1,58 @@
+package helm
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	_ "github.com/portainer/portainer/pkg/libhelm/release"
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/libhttp/response"
+)
+
+// @id HelmGetHistory
+// @summary Get a historical list of releases
+// @description Get a historical list of releases by release name
+// @description **Access policy**: authenticated
+// @tags helm
+// @security ApiKeyAuth || jwt
+// @produce json
+// @param id path int true "Environment(Endpoint) identifier"
+// @param name path string true "Helm release name"
+// @param namespace query string false "specify an optional namespace"
+// @success 200 {array} release.Release "Success"
+// @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
+// @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
+// @failure 403 "Permission denied - the user is authenticated but does not have the necessary permissions to access the requested resource or perform the specified operation. Check your user roles and permissions."
+// @failure 404 "Unable to find an environment with the specified identifier."
+// @failure 500 "Server error occurred while attempting to retrieve the historical list of releases."
+// @router /endpoints/{id}/kubernetes/helm/{release}/history [get]
+func (handler *Handler) helmGetHistory(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	release, err := request.RetrieveRouteVariableValue(r, "release")
+	if err != nil {
+		return httperror.BadRequest("No release specified", err)
+	}
+
+	clusterAccess, httperr := handler.getHelmClusterAccess(r)
+	if httperr != nil {
+		return httperr
+	}
+
+	historyOptions := options.HistoryOptions{
+		KubernetesClusterAccess: clusterAccess,
+		Name:                    release,
+	}
+
+	// optional namespace.  The library defaults to "default"
+	namespace, _ := request.RetrieveQueryParameter(r, "namespace", true)
+	if namespace != "" {
+		historyOptions.Namespace = namespace
+	}
+
+	releases, err := handler.helmPackageManager.GetHistory(historyOptions)
+	if err != nil {
+		return httperror.InternalServerError("Helm returned an error", err)
+	}
+
+	return response.JSON(w, releases)
+}
--- a/api/http/handler/helm/helm_history_test.go
+++ b/api/http/handler/helm/helm_history_test.go
@@ -0,0 +1,67 @@
+package helm
+
+import (
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/exec/exectest"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/testhelpers"
+	helper "github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/jwt"
+	"github.com/portainer/portainer/api/kubernetes"
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/portainer/portainer/pkg/libhelm/test"
+
+	"github.com/segmentio/encoding/json"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_helmGetHistory(t *testing.T) {
+	is := assert.New(t)
+
+	_, store := datastore.MustNewTestStore(t, true, true)
+
+	err := store.Endpoint().Create(&portainer.Endpoint{ID: 1})
+	is.NoError(err, "Error creating environment")
+
+	err = store.User().Create(&portainer.User{Username: "admin", Role: portainer.AdministratorRole})
+	is.NoError(err, "Error creating a user")
+
+	jwtService, err := jwt.NewService("1h", store)
+	is.NoError(err, "Error initiating jwt service")
+
+	kubernetesDeployer := exectest.NewKubernetesDeployer()
+	helmPackageManager := test.NewMockHelmPackageManager()
+	kubeClusterAccessService := kubernetes.NewKubeClusterAccessService("", "", "")
+	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeClusterAccessService)
+
+	is.NotNil(h, "Handler should not fail")
+
+	// Install a single chart, to be retrieved by the handler
+	options := options.InstallOptions{Name: "nginx-1", Chart: "nginx", Namespace: "default"}
+	h.helmPackageManager.Upgrade(options)
+
+	t.Run("helmGetHistory sucessfuly retrieves helm release history", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/1/kubernetes/helm/"+options.Name+"/history?namespace="+options.Namespace, nil)
+		ctx := security.StoreTokenData(req, &portainer.TokenData{ID: 1, Username: "admin", Role: 1})
+		req = req.WithContext(ctx)
+		testhelpers.AddTestSecurityCookie(req, "Bearer dummytoken")
+
+		rr := httptest.NewRecorder()
+		h.ServeHTTP(rr, req)
+
+		data := []release.Release{}
+		body, err := io.ReadAll(rr.Body)
+		is.NoError(err, "ReadAll should not return error")
+		json.Unmarshal(body, &data)
+		is.Equal(http.StatusOK, rr.Code, "Status should be 200")
+		is.Equal(1, len(data))
+		is.Equal("nginx-1", data[0].Name)
+	})
+}
--- a/api/http/handler/helm/helm_install.go
+++ b/api/http/handler/helm/helm_install.go
@@ -26,6 +26,8 @@ type installChartPayload struct {
 	Chart     string `json:"chart"`
 	Repo      string `json:"repo"`
 	Values    string `json:"values"`
+	Version   string `json:"version"`
+	Atomic    bool   `json:"atomic"`
 }

 var errChartNameInvalid = errors.New("invalid chart name. " +
@@ -99,15 +101,13 @@ func (handler *Handler) installChart(r *http.Request, p installChartPayload) (*r
 	}

 	installOpts := options.InstallOptions{
-		Name:      p.Name,
-		Chart:     p.Chart,
-		Namespace: p.Namespace,
-		Repo:      p.Repo,
-		KubernetesClusterAccess: &options.KubernetesClusterAccess{
-			ClusterServerURL:         clusterAccess.ClusterServerURL,
-			CertificateAuthorityFile: clusterAccess.CertificateAuthorityFile,
-			AuthToken:                clusterAccess.AuthToken,
-		},
+		Name:                    p.Name,
+		Chart:                   p.Chart,
+		Version:                 p.Version,
+		Namespace:               p.Namespace,
+		Repo:                    p.Repo,
+		Atomic:                  p.Atomic,
+		KubernetesClusterAccess: clusterAccess,
 	}

 	if p.Values != "" {
@@ -129,7 +129,7 @@ func (handler *Handler) installChart(r *http.Request, p installChartPayload) (*r
 		installOpts.ValuesFile = file.Name()
 	}

-	release, err := handler.helmPackageManager.Install(installOpts)
+	release, err := handler.helmPackageManager.Upgrade(installOpts)
 	if err != nil {
 		return nil, err
 	}
@@ -196,7 +196,7 @@ func (handler *Handler) updateHelmAppManifest(r *http.Request, manifest []byte,
 	g := new(errgroup.Group)
 	for _, resource := range yamlResources {
 		g.Go(func() error {
-			tmpfile, err := os.CreateTemp("", "helm-manifest-*")
+			tmpfile, err := os.CreateTemp("", "helm-manifest-*.yaml")
 			if err != nil {
 				return errors.Wrap(err, "failed to create a tmp helm manifest file")
 			}
--- a/api/http/handler/helm/helm_install_test.go
+++ b/api/http/handler/helm/helm_install_test.go
@@ -15,9 +15,9 @@ import (
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"
 	"github.com/portainer/portainer/api/kubernetes"
-	"github.com/portainer/portainer/pkg/libhelm/binary/test"
 	"github.com/portainer/portainer/pkg/libhelm/options"
 	"github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/portainer/portainer/pkg/libhelm/test"

 	"github.com/segmentio/encoding/json"
 	"github.com/stretchr/testify/assert"
@@ -38,7 +38,7 @@ func Test_helmInstall(t *testing.T) {
 	is.NoError(err, "Error initiating jwt service")

 	kubernetesDeployer := exectest.NewKubernetesDeployer()
-	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
+	helmPackageManager := test.NewMockHelmPackageManager()
 	kubeClusterAccessService := kubernetes.NewKubeClusterAccessService("", "", "")
 	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeClusterAccessService)

--- a/api/http/handler/helm/helm_list_test.go
+++ b/api/http/handler/helm/helm_list_test.go
@@ -14,9 +14,9 @@ import (
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"
 	"github.com/portainer/portainer/api/kubernetes"
-	"github.com/portainer/portainer/pkg/libhelm/binary/test"
 	"github.com/portainer/portainer/pkg/libhelm/options"
 	"github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/portainer/portainer/pkg/libhelm/test"

 	"github.com/segmentio/encoding/json"
 	"github.com/stretchr/testify/assert"
@@ -37,13 +37,13 @@ func Test_helmList(t *testing.T) {
 	is.NoError(err, "Error initialising jwt service")

 	kubernetesDeployer := exectest.NewKubernetesDeployer()
-	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
+	helmPackageManager := test.NewMockHelmPackageManager()
 	kubeClusterAccessService := kubernetes.NewKubeClusterAccessService("", "", "")
 	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeClusterAccessService)

 	// Install a single chart.  We expect to get these values back
 	options := options.InstallOptions{Name: "nginx-1", Chart: "nginx", Namespace: "default"}
-	h.helmPackageManager.Install(options)
+	h.helmPackageManager.Upgrade(options)

 	t.Run("helmList", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodGet, "/1/kubernetes/helm", nil)
--- a/api/http/handler/helm/helm_repo_search_test.go
+++ b/api/http/handler/helm/helm_repo_search_test.go
@@ -8,14 +8,14 @@ import (
 	"testing"

 	helper "github.com/portainer/portainer/api/internal/testhelpers"
-	"github.com/portainer/portainer/pkg/libhelm/binary/test"
+	"github.com/portainer/portainer/pkg/libhelm/test"
 	"github.com/stretchr/testify/assert"
 )

 func Test_helmRepoSearch(t *testing.T) {
 	is := assert.New(t)

-	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
+	helmPackageManager := test.NewMockHelmPackageManager()
 	h := NewTemplateHandler(helper.NewTestRequestBouncer(), helmPackageManager)

 	assert.NotNil(t, h, "Handler should not fail")
--- a/api/http/handler/helm/helm_rollback.go
+++ b/api/http/handler/helm/helm_rollback.go
@@ -0,0 +1,105 @@
+package helm
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	_ "github.com/portainer/portainer/pkg/libhelm/release"
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/libhttp/response"
+)
+
+// @id HelmRollback
+// @summary Rollback a helm release
+// @description Rollback a helm release to a previous revision
+// @description **Access policy**: authenticated
+// @tags helm
+// @security ApiKeyAuth || jwt
+// @produce json
+// @param id path int true "Environment(Endpoint) identifier"
+// @param release path string true "Helm release name"
+// @param namespace query string false "specify an optional namespace"
+// @param revision query int false "specify the revision to rollback to (defaults to previous revision if not specified)"
+// @param wait query boolean false "wait for resources to be ready (default: false)"
+// @param waitForJobs query boolean false "wait for jobs to complete before marking the release as successful (default: false)"
+// @param recreate query boolean false "performs pods restart for the resource if applicable (default: true)"
+// @param force query boolean false "force resource update through delete/recreate if needed (default: false)"
+// @param timeout query int false "time to wait for any individual Kubernetes operation in seconds (default: 300)"
+// @success 200 {object} release.Release "Success"
+// @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
+// @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
+// @failure 403 "Permission denied - the user is authenticated but does not have the necessary permissions to access the requested resource or perform the specified operation. Check your user roles and permissions."
+// @failure 404 "Unable to find an environment with the specified identifier or release name."
+// @failure 500 "Server error occurred while attempting to rollback the release."
+// @router /endpoints/{id}/kubernetes/helm/{release}/rollback [post]
+func (handler *Handler) helmRollback(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	release, err := request.RetrieveRouteVariableValue(r, "release")
+	if err != nil {
+		return httperror.BadRequest("No release specified", err)
+	}
+
+	clusterAccess, httperr := handler.getHelmClusterAccess(r)
+	if httperr != nil {
+		return httperr
+	}
+
+	// build the rollback options
+	rollbackOpts := options.RollbackOptions{
+		KubernetesClusterAccess: clusterAccess,
+		Name:                    release,
+		// Set default values
+		Recreate: true,            // Default to recreate pods (restart)
+		Timeout:  5 * time.Minute, // Default timeout of 5 minutes
+	}
+
+	namespace, _ := request.RetrieveQueryParameter(r, "namespace", true)
+	// optional namespace. The library defaults to "default"
+	if namespace != "" {
+		rollbackOpts.Namespace = namespace
+	}
+
+	revision, _ := request.RetrieveNumericQueryParameter(r, "revision", true)
+	// optional revision. If not specified, it will rollback to the previous revision
+	if revision > 0 {
+		rollbackOpts.Version = revision
+	}
+
+	// Default for wait is false, only set to true if explicitly requested
+	wait, err := request.RetrieveBooleanQueryParameter(r, "wait", true)
+	if err == nil {
+		rollbackOpts.Wait = wait
+	}
+
+	// Default for waitForJobs is false, only set to true if explicitly requested
+	waitForJobs, err := request.RetrieveBooleanQueryParameter(r, "waitForJobs", true)
+	if err == nil {
+		rollbackOpts.WaitForJobs = waitForJobs
+	}
+
+	// Default for recreate is true (set above), override if specified
+	recreate, err := request.RetrieveBooleanQueryParameter(r, "recreate", true)
+	if err == nil {
+		rollbackOpts.Recreate = recreate
+	}
+
+	// Default for force is false, only set to true if explicitly requested
+	force, err := request.RetrieveBooleanQueryParameter(r, "force", true)
+	if err == nil {
+		rollbackOpts.Force = force
+	}
+
+	timeout, _ := request.RetrieveNumericQueryParameter(r, "timeout", true)
+	// Override default timeout if specified
+	if timeout > 0 {
+		rollbackOpts.Timeout = time.Duration(timeout) * time.Second
+	}
+
+	releaseInfo, err := handler.helmPackageManager.Rollback(rollbackOpts)
+	if err != nil {
+		return httperror.InternalServerError("Failed to rollback helm release", err)
+	}
+
+	return response.JSON(w, releaseInfo)
+}
--- a/api/http/handler/helm/helm_show_test.go
+++ b/api/http/handler/helm/helm_show_test.go
@@ -9,14 +9,14 @@ import (
 	"testing"

 	helper "github.com/portainer/portainer/api/internal/testhelpers"
-	"github.com/portainer/portainer/pkg/libhelm/binary/test"
+	"github.com/portainer/portainer/pkg/libhelm/test"
 	"github.com/stretchr/testify/assert"
 )

 func Test_helmShow(t *testing.T) {
 	is := assert.New(t)

-	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
+	helmPackageManager := test.NewMockHelmPackageManager()
 	h := NewTemplateHandler(helper.NewTestRequestBouncer(), helmPackageManager)

 	is.NotNil(h, "Handler should not fail")
--- a/api/http/handler/helm/user_helm_repos.go
+++ b/api/http/handler/helm/user_helm_repos.go
@@ -1,127 +0,0 @@
-package helm
-
-import (
-	"net/http"
-	"strings"
-
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/security"
-	"github.com/portainer/portainer/pkg/libhelm"
-	httperror "github.com/portainer/portainer/pkg/libhttp/error"
-	"github.com/portainer/portainer/pkg/libhttp/request"
-	"github.com/portainer/portainer/pkg/libhttp/response"
-
-	"github.com/pkg/errors"
-)
-
-type helmUserRepositoryResponse struct {
-	GlobalRepository string                         `json:"GlobalRepository"`
-	UserRepositories []portainer.HelmUserRepository `json:"UserRepositories"`
-}
-
-type addHelmRepoUrlPayload struct {
-	URL string `json:"url"`
-}
-
-func (p *addHelmRepoUrlPayload) Validate(_ *http.Request) error {
-	return libhelm.ValidateHelmRepositoryURL(p.URL, nil)
-}
-
-// @id HelmUserRepositoryCreateDeprecated
-// @summary Create a user helm repository
-// @description Create a user helm repository.
-// @description **Access policy**: authenticated
-// @tags helm
-// @security ApiKeyAuth
-// @security jwt
-// @accept json
-// @produce json
-// @param id path int true "Environment(Endpoint) identifier"
-// @param payload body addHelmRepoUrlPayload true "Helm Repository"
-// @success 200 {object} portainer.HelmUserRepository "Success"
-// @failure 400 "Invalid request"
-// @failure 403 "Permission denied"
-// @failure 500 "Server error"
-// @deprecated
-// @router /endpoints/{id}/kubernetes/helm/repositories [post]
-func (handler *Handler) userCreateHelmRepo(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	tokenData, err := security.RetrieveTokenData(r)
-	if err != nil {
-		return httperror.InternalServerError("Unable to retrieve user authentication token", err)
-	}
-	userID := tokenData.ID
-
-	p := new(addHelmRepoUrlPayload)
-	err = request.DecodeAndValidateJSONPayload(r, p)
-	if err != nil {
-		return httperror.BadRequest("Invalid Helm repository URL", err)
-	}
-
-	// lowercase, remove trailing slash
-	p.URL = strings.TrimSuffix(strings.ToLower(p.URL), "/")
-
-	records, err := handler.dataStore.HelmUserRepository().HelmUserRepositoryByUserID(userID)
-	if err != nil {
-		return httperror.InternalServerError("Unable to access the DataStore", err)
-	}
-
-	// check if repo already exists - by doing case insensitive comparison
-	for _, record := range records {
-		if strings.EqualFold(record.URL, p.URL) {
-			errMsg := "Helm repo already registered for user"
-			return httperror.BadRequest(errMsg, errors.New(errMsg))
-		}
-	}
-
-	record := portainer.HelmUserRepository{
-		UserID: userID,
-		URL:    p.URL,
-	}
-
-	err = handler.dataStore.HelmUserRepository().Create(&record)
-	if err != nil {
-		return httperror.InternalServerError("Unable to save a user Helm repository URL", err)
-	}
-
-	return response.JSON(w, record)
-}
-
-// @id HelmUserRepositoriesListDeprecated
-// @summary List a users helm repositories
-// @description Inspect a user helm repositories.
-// @description **Access policy**: authenticated
-// @tags helm
-// @security ApiKeyAuth
-// @security jwt
-// @produce json
-// @param id path int true "User identifier"
-// @success 200 {object} helmUserRepositoryResponse "Success"
-// @failure 400 "Invalid request"
-// @failure 403 "Permission denied"
-// @failure 500 "Server error"
-// @deprecated
-// @router /endpoints/{id}/kubernetes/helm/repositories [get]
-func (handler *Handler) userGetHelmRepos(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	tokenData, err := security.RetrieveTokenData(r)
-	if err != nil {
-		return httperror.InternalServerError("Unable to retrieve user authentication token", err)
-	}
-	userID := tokenData.ID
-
-	settings, err := handler.dataStore.Settings().Settings()
-	if err != nil {
-		return httperror.InternalServerError("Unable to retrieve settings from the database", err)
-	}
-
-	userRepos, err := handler.dataStore.HelmUserRepository().HelmUserRepositoryByUserID(userID)
-	if err != nil {
-		return httperror.InternalServerError("Unable to get user Helm repositories", err)
-	}
-
-	resp := helmUserRepositoryResponse{
-		GlobalRepository: settings.HelmRepositoryURL,
-		UserRepositories: userRepos,
-	}
-
-	return response.JSON(w, resp)
-}
--- a/api/http/handler/kubernetes/application.go
+++ b/api/http/handler/kubernetes/application.go
@@ -69,7 +69,6 @@ func (handler *Handler) getApplicationsResources(w http.ResponseWriter, r *http.
 // @param id path int true "Environment(Endpoint) identifier"
 // @param namespace query string true "Namespace name"
 // @param nodeName query string true "Node name"
-// @param withDependencies query boolean false "Include dependencies in the response"
 // @success 200 {array} models.K8sApplication "Success"
 // @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
 // @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
@@ -117,12 +116,6 @@ func (handler *Handler) getAllKubernetesApplications(r *http.Request) ([]models.
 		return nil, httperror.BadRequest("Unable to parse the namespace query parameter", err)
 	}

-	withDependencies, err := request.RetrieveBooleanQueryParameter(r, "withDependencies", true)
-	if err != nil {
-		log.Error().Err(err).Str("context", "getAllKubernetesApplications").Msg("Unable to parse the withDependencies query parameter")
-		return nil, httperror.BadRequest("Unable to parse the withDependencies query parameter", err)
-	}
-
 	nodeName, err := request.RetrieveQueryParameter(r, "nodeName", true)
 	if err != nil {
 		log.Error().Err(err).Str("context", "getAllKubernetesApplications").Msg("Unable to parse the nodeName query parameter")
@@ -135,7 +128,7 @@ func (handler *Handler) getAllKubernetesApplications(r *http.Request) ([]models.
 		return nil, httperror.InternalServerError("Unable to get a Kubernetes client for the user", httpErr)
 	}

-	applications, err := cli.GetApplications(namespace, nodeName, withDependencies)
+	applications, err := cli.GetApplications(namespace, nodeName)
 	if err != nil {
 		if k8serrors.IsUnauthorized(err) {
 			log.Error().Err(err).Str("context", "getAllKubernetesApplications").Str("namespace", namespace).Str("nodeName", nodeName).Msg("Unable to get the list of applications")
--- a/api/http/handler/kubernetes/config.go
+++ b/api/http/handler/kubernetes/config.go
@@ -1,9 +1,14 @@
 package kubernetes

 import (
+	"crypto/x509"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"net/http"
+	"net/url"
+	"os"
+	"strings"

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/security"
@@ -162,11 +167,48 @@ func (handler *Handler) buildConfig(r *http.Request, tokenData *portainer.TokenD
 func (handler *Handler) buildCluster(r *http.Request, endpoint portainer.Endpoint, isInternal bool) clientV1.NamedCluster {
 	kubeConfigInternal := handler.kubeClusterAccessService.GetClusterDetails(r.Host, endpoint.ID, isInternal)

+	if isInternal {
+		return clientV1.NamedCluster{
+			Name: buildClusterName(endpoint.Name),
+			Cluster: clientV1.Cluster{
+				Server:                kubeConfigInternal.ClusterServerURL,
+				InsecureSkipTLSVerify: true,
+			},
+		}
+	}
+
+	selfSignedCert := false
+	serverUrl, err := url.Parse(kubeConfigInternal.ClusterServerURL)
+	if err != nil {
+		log.Warn().Err(err).Msg("Failed to parse server URL")
+	}
+
+	if strings.EqualFold(serverUrl.Scheme, "https") {
+		var certPem []byte
+		var err error
+
+		if kubeConfigInternal.CertificateAuthorityData != "" {
+			certPem = []byte(kubeConfigInternal.CertificateAuthorityData)
+		} else if kubeConfigInternal.CertificateAuthorityFile != "" {
+			certPem, err = os.ReadFile(kubeConfigInternal.CertificateAuthorityFile)
+			if err != nil {
+				log.Warn().Err(err).Msg("Failed to open certificate file")
+			}
+		}
+
+		if certPem != nil {
+			selfSignedCert, err = IsSelfSignedCertificate(certPem)
+			if err != nil {
+				log.Warn().Err(err).Msg("Failed to verify if certificate is self-signed")
+			}
+		}
+	}
+
 	return clientV1.NamedCluster{
 		Name: buildClusterName(endpoint.Name),
 		Cluster: clientV1.Cluster{
 			Server:                kubeConfigInternal.ClusterServerURL,
-			InsecureSkipTLSVerify: true,
+			InsecureSkipTLSVerify: selfSignedCert,
 		},
 	}
 }
@@ -215,3 +257,38 @@ func writeFileContent(w http.ResponseWriter, r *http.Request, endpoints []portai
 	w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; %s.json", filenameBase))
 	return response.JSON(w, config)
 }
+
+func IsSelfSignedCertificate(certPem []byte) (bool, error) {
+	if certPem == nil {
+		return false, errors.New("certificate data is empty")
+	}
+
+	if !strings.Contains(string(certPem), "BEGIN CERTIFICATE") {
+		certPem = []byte(fmt.Sprintf("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----", string(certPem)))
+	}
+
+	block, _ := pem.Decode(certPem)
+	if block == nil {
+		return false, errors.New("failed to decode certificate")
+	}
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return false, err
+	}
+
+	if cert.Issuer.String() != cert.Subject.String() {
+		return false, nil
+	}
+
+	roots := x509.NewCertPool()
+	roots.AddCert(cert)
+
+	opts := x509.VerifyOptions{
+		Roots:       roots,
+		CurrentTime: cert.NotBefore,
+	}
+
+	_, err = cert.Verify(opts)
+	return err == nil, err
+}
--- a/api/http/handler/kubernetes/config_test.go
+++ b/api/http/handler/kubernetes/config_test.go
@@ -0,0 +1,186 @@
+package kubernetes
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsSelfSignedCertificate(t *testing.T) {
+
+	tc := []struct {
+		name     string
+		cert     string
+		expected bool
+	}{
+		{
+			name: "portainer self-signed",
+			cert: `-----BEGIN CERTIFICATE-----
+MIIBUTCB+KADAgECAhBB7psNiJlJd/nRCCKUPVenMAoGCCqGSM49BAMCMAAwHhcN
+MjUwMzEzMDQwODI0WhcNMzAwMzEzMDQwODI0WjAAMFkwEwYHKoZIzj0CAQYIKoZI
+zj0DAQcDQgAESdGCaXq0r1GDxF89yKjjLeCIixiPDdXAg+lw4NqAWeJq2AOo+8IH
+vcCq9bSlYlezK8RzTsbf9Z1m5jRqUEbSjqNUMFIwDgYDVR0PAQH/BAQDAgWgMBMG
+A1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0RAQH/BBMwEYIJ
+bG9jYWxob3N0hwQAAAAAMAoGCCqGSM49BAMCA0gAMEUCIApLliukFaCZHbc/2pkH
+0VDY+fBMb12jhmVpgKh1Cqg9AiEAwFrMQLUkzATUpiHuukdUg5VsUiMIkWTPLglz
+E4+1dRc=
+-----END CERTIFICATE-----
+`,
+			expected: true,
+		},
+		{
+			name:     "portainer self-signed without header",
+			cert:     `MIIBUzCB+aADAgECAhEAjsskPzuCS5BeHjXGwYqc2jAKBggqhkjOPQQDAjAAMB4XDTI1MDMxMzA0MzQyNloXDTMwMDMxMzA0MzQyNlowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABITD+dNDLYQbLYDE3UMlTzD61OYRSVkVZspdp1MvZITIG4VOxtfQUqcW3P7OHQdoi52GIQ/GM6iDgxwB1BOyi3mjVDBSMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB0GA1UdEQEB/wQTMBGCCWxvY2FsaG9zdIcEAAAAADAKBggqhkjOPQQDAgNJADBGAiEA8SmyeYLhrnrNLAFcxZp0dk6nMN70XVAfqGnbK/s8NR8CIQDgQdqhfge8QvN2TsH4gg98a9VHDv+RlcOlJ80SS+G/Ww==`,
+			expected: true,
+		},
+		{
+			name: "custom certificate generated by openssl",
+			cert: `-----BEGIN CERTIFICATE-----
+MIIB9TCCAZugAwIBAgIULTkNYfYHiqfOiX7mKOIGxRefx/YwCgYIKoZIzj0EAwIw
+SDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp
+c2NvMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0yNTAyMjgwNjI3MDBaFw0zNTAy
+MjYwNjI3MDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT3WlLvbGw7wPkQ
+3LuHFJEaNrDv3n359JMV1CkjQi3U37u0fJrjd+8o7TxPBYgt9HDD9vsURhy41DNo
+g71F2AIto4GqMIGnMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU+nMxx/VCE9fzrlHI
+FX9mF5SRPrkwHwYDVR0jBBgwFoAUOlUIToGwnBOqzZ1dBfOvdKbwNaAwKAYDVR0R
+AQH/BB4wHIIaZWRnZS4xNzIuMTcuMjIxLjIwOC5uaXAuaW8wCgYIKoZIzj0EAwID
+SAAwRQIgeYrkjY0z/ypMKXZbvbMi8qOK44qoISKkSErBUCBLuwoCIQDRaJA9r931
+utpXXnysVGecVXHHKOOl1YhWglmuPvcZhw==
+-----END CERTIFICATE-----`,
+			expected: false,
+		},
+		{
+			name: "google.com certificate",
+			cert: `-----BEGIN CERTIFICATE-----
+MIIOITCCDQmgAwIBAgIQKS0IQxknY8USDjt3IYchljANBgkqhkiG9w0BAQsFADA7
+MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNlcnZpY2VzMQww
+CgYDVQQDEwNXUjIwHhcNMjUwMjI2MTUzMjU1WhcNMjUwNTIxMTUzMjU0WjAXMRUw
+EwYDVQQDDAwqLmdvb2dsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARx
+nMOmIG3BuO7my/BbF/rGPAMH/JbxBDufbYFQHV+6l5pF5sdT/Zov3X+qsR3IYFl7
+F2a0gAUmK1Bq7//zTb3uo4IMDjCCDAowDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFN+aEjBz3PaUtelz
+3g9rVTkGRgU0MB8GA1UdIwQYMBaAFN4bHu15FdQ+NyTDIbvsNDltQrIwMFgGCCsG
+AQUFBwEBBEwwSjAhBggrBgEFBQcwAYYVaHR0cDovL28ucGtpLmdvb2cvd3IyMCUG
+CCsGAQUFBzAChhlodHRwOi8vaS5wa2kuZ29vZy93cjIuY3J0MIIJ5AYDVR0RBIIJ
+2zCCCdeCDCouZ29vZ2xlLmNvbYIWKi5hcHBlbmdpbmUuZ29vZ2xlLmNvbYIJKi5i
+ZG4uZGV2ghUqLm9yaWdpbi10ZXN0LmJkbi5kZXaCEiouY2xvdWQuZ29vZ2xlLmNv
+bYIYKi5jcm93ZHNvdXJjZS5nb29nbGUuY29tghgqLmRhdGFjb21wdXRlLmdvb2ds
+ZS5jb22CCyouZ29vZ2xlLmNhggsqLmdvb2dsZS5jbIIOKi5nb29nbGUuY28uaW6C
+DiouZ29vZ2xlLmNvLmpwgg4qLmdvb2dsZS5jby51a4IPKi5nb29nbGUuY29tLmFy
+gg8qLmdvb2dsZS5jb20uYXWCDyouZ29vZ2xlLmNvbS5icoIPKi5nb29nbGUuY29t
+LmNvgg8qLmdvb2dsZS5jb20ubXiCDyouZ29vZ2xlLmNvbS50coIPKi5nb29nbGUu
+Y29tLnZuggsqLmdvb2dsZS5kZYILKi5nb29nbGUuZXOCCyouZ29vZ2xlLmZyggsq
+Lmdvb2dsZS5odYILKi5nb29nbGUuaXSCCyouZ29vZ2xlLm5sggsqLmdvb2dsZS5w
+bIILKi5nb29nbGUucHSCDyouZ29vZ2xlYXBpcy5jboIRKi5nb29nbGV2aWRlby5j
+b22CDCouZ3N0YXRpYy5jboIQKi5nc3RhdGljLWNuLmNvbYIPZ29vZ2xlY25hcHBz
+LmNughEqLmdvb2dsZWNuYXBwcy5jboIRZ29vZ2xlYXBwcy1jbi5jb22CEyouZ29v
+Z2xlYXBwcy1jbi5jb22CDGdrZWNuYXBwcy5jboIOKi5na2VjbmFwcHMuY26CEmdv
+b2dsZWRvd25sb2Fkcy5jboIUKi5nb29nbGVkb3dubG9hZHMuY26CEHJlY2FwdGNo
+YS5uZXQuY26CEioucmVjYXB0Y2hhLm5ldC5jboIQcmVjYXB0Y2hhLWNuLm5ldIIS
+Ki5yZWNhcHRjaGEtY24ubmV0ggt3aWRldmluZS5jboINKi53aWRldmluZS5jboIR
+YW1wcHJvamVjdC5vcmcuY26CEyouYW1wcHJvamVjdC5vcmcuY26CEWFtcHByb2pl
+Y3QubmV0LmNughMqLmFtcHByb2plY3QubmV0LmNughdnb29nbGUtYW5hbHl0aWNz
+LWNuLmNvbYIZKi5nb29nbGUtYW5hbHl0aWNzLWNuLmNvbYIXZ29vZ2xlYWRzZXJ2
+aWNlcy1jbi5jb22CGSouZ29vZ2xlYWRzZXJ2aWNlcy1jbi5jb22CEWdvb2dsZXZh
+ZHMtY24uY29tghMqLmdvb2dsZXZhZHMtY24uY29tghFnb29nbGVhcGlzLWNuLmNv
+bYITKi5nb29nbGVhcGlzLWNuLmNvbYIVZ29vZ2xlb3B0aW1pemUtY24uY29tghcq
+Lmdvb2dsZW9wdGltaXplLWNuLmNvbYISZG91YmxlY2xpY2stY24ubmV0ghQqLmRv
+dWJsZWNsaWNrLWNuLm5ldIIYKi5mbHMuZG91YmxlY2xpY2stY24ubmV0ghYqLmcu
+ZG91YmxlY2xpY2stY24ubmV0gg5kb3VibGVjbGljay5jboIQKi5kb3VibGVjbGlj
+ay5jboIUKi5mbHMuZG91YmxlY2xpY2suY26CEiouZy5kb3VibGVjbGljay5jboIR
+ZGFydHNlYXJjaC1jbi5uZXSCEyouZGFydHNlYXJjaC1jbi5uZXSCHWdvb2dsZXRy
+YXZlbGFkc2VydmljZXMtY24uY29tgh8qLmdvb2dsZXRyYXZlbGFkc2VydmljZXMt
+Y24uY29tghhnb29nbGV0YWdzZXJ2aWNlcy1jbi5jb22CGiouZ29vZ2xldGFnc2Vy
+dmljZXMtY24uY29tghdnb29nbGV0YWdtYW5hZ2VyLWNuLmNvbYIZKi5nb29nbGV0
+YWdtYW5hZ2VyLWNuLmNvbYIYZ29vZ2xlc3luZGljYXRpb24tY24uY29tghoqLmdv
+b2dsZXN5bmRpY2F0aW9uLWNuLmNvbYIkKi5zYWZlZnJhbWUuZ29vZ2xlc3luZGlj
+YXRpb24tY24uY29tghZhcHAtbWVhc3VyZW1lbnQtY24uY29tghgqLmFwcC1tZWFz
+dXJlbWVudC1jbi5jb22CC2d2dDEtY24uY29tgg0qLmd2dDEtY24uY29tggtndnQy
+LWNuLmNvbYINKi5ndnQyLWNuLmNvbYILMm1kbi1jbi5uZXSCDSouMm1kbi1jbi5u
+ZXSCFGdvb2dsZWZsaWdodHMtY24ubmV0ghYqLmdvb2dsZWZsaWdodHMtY24ubmV0
+ggxhZG1vYi1jbi5jb22CDiouYWRtb2ItY24uY29tghRnb29nbGVzYW5kYm94LWNu
+LmNvbYIWKi5nb29nbGVzYW5kYm94LWNuLmNvbYIeKi5zYWZlbnVwLmdvb2dsZXNh
+bmRib3gtY24uY29tgg0qLmdzdGF0aWMuY29tghQqLm1ldHJpYy5nc3RhdGljLmNv
+bYIKKi5ndnQxLmNvbYIRKi5nY3BjZG4uZ3Z0MS5jb22CCiouZ3Z0Mi5jb22CDiou
+Z2NwLmd2dDIuY29tghAqLnVybC5nb29nbGUuY29tghYqLnlvdXR1YmUtbm9jb29r
+aWUuY29tggsqLnl0aW1nLmNvbYILYW5kcm9pZC5jb22CDSouYW5kcm9pZC5jb22C
+EyouZmxhc2guYW5kcm9pZC5jb22CBGcuY26CBiouZy5jboIEZy5jb4IGKi5nLmNv
+ggZnb28uZ2yCCnd3dy5nb28uZ2yCFGdvb2dsZS1hbmFseXRpY3MuY29tghYqLmdv
+b2dsZS1hbmFseXRpY3MuY29tggpnb29nbGUuY29tghJnb29nbGVjb21tZXJjZS5j
+b22CFCouZ29vZ2xlY29tbWVyY2UuY29tgghnZ3BodC5jboIKKi5nZ3BodC5jboIK
+dXJjaGluLmNvbYIMKi51cmNoaW4uY29tggh5b3V0dS5iZYILeW91dHViZS5jb22C
+DSoueW91dHViZS5jb22CEW11c2ljLnlvdXR1YmUuY29tghMqLm11c2ljLnlvdXR1
+YmUuY29tghR5b3V0dWJlZWR1Y2F0aW9uLmNvbYIWKi55b3V0dWJlZWR1Y2F0aW9u
+LmNvbYIPeW91dHViZWtpZHMuY29tghEqLnlvdXR1YmVraWRzLmNvbYIFeXQuYmWC
+ByoueXQuYmWCGmFuZHJvaWQuY2xpZW50cy5nb29nbGUuY29tghMqLmFuZHJvaWQu
+Z29vZ2xlLmNughIqLmNocm9tZS5nb29nbGUuY26CFiouZGV2ZWxvcGVycy5nb29n
+bGUuY26CFSouYWlzdHVkaW8uZ29vZ2xlLmNvbTATBgNVHSAEDDAKMAgGBmeBDAEC
+ATA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vYy5wa2kuZ29vZy93cjIvb0JGWVlh
+aHpnVkkuY3JsMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcAzxFW7tUufK/zh1vZ
+aS6b6RpxZ0qwF+ysAdJbd87MOwgAAAGVQxqxaQAABAMASDBGAiEAk6r74vfyJIaa
+hYTWqNRsjl/RpCWq/wyzzMi21zgGmfkCIQCZafyS/fl0tiutICL9aOSnDBRfPYqd
+CeNqKOy11EjvigB1AN6FgddQJHxrzcuvVjfF54HGTORu1hdjn480pybJ4r03AAAB
+lUMasUkAAAQDAEYwRAIgYfG2iyRnmn8MI86RFDxOQW1/IOBAjQxNfIQ8toZlZkoC
+IA1BHw7cqmlTP7Ks+ebX6hGfNlVsgTQS8iYyKL5/BSvTMA0GCSqGSIb3DQEBCwUA
+A4IBAQAYSNtoW72rqhPfjV5Ug1ENbbimfqmqiJS4JdzaEFRpftzachTuvx8relaY
+7FAz5y4YULu9LGNjpBRYW8yW9pgfWyc53CCHSkDODguUOMCRo3hdglxZ2d5pJ/8
+TQY4zRBd8OHzOAx2kH6jLEj9I0nDie3vowSYm7FCBRLjzfForRNQWmzPu+5hS3De
+QM0R2jWpmPcG3ffQ5qQwnAQnP9HCK9oEZ5cFqLvOQWfttj/rzKOz856iSEoRpf8S
+wVFRu3Uv2TXQ6UYF2cDfiWCe6/mO35CIynC6FVkunze/Q/2rtaCDttLRYZcLllj8
+PSl7nmLhtqDlO7da/S34BFiyyRjN
+-----END CERTIFICATE-----
+`,
+			expected: false,
+		},
+		{
+			name: "let's encrypt certificate",
+			cert: `-----BEGIN CERTIFICATE-----
+MIIGMjCCBRqgAwIBAgISBVHH05rEMkaCuDQvABDjiam0MA0GCSqGSIb3DQEBCwUA
+MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
+EwNSMTAwHhcNMjUwMzEzMDIyMzE2WhcNMjUwNjExMDIyMzE1WjAkMSIwIAYDVQQD
+Exlvei1kZW1vLnBvcnRhaW5lcmNsb3VkLmlvMIICIjANBgkqhkiG9w0BAQEFAAOC
+Ag8AMIICCgKCAgEAwNCcr9azSaldEwgL54bQScuWBnmw3FMHgEATxDVp2MEawQkV
+I3VScUcJWBnlHlb7TUanRC/c/vJGbzc+KDuCRTZ2/Ob2yQ9G5mZjGttBAnBSQPpV
+arEEBFCClhVBn4LhLNmIsCjCy25+m0HY/dwWbKjTMT/KxpTa3L3mdmIFa7XNs6W2
+vEZGwYM+2JPMJ9DwemVrrrvRqd5vLWTZcWvWJQ7HMfw3PoELpeqyycmxDqd9PCMz
+yMp8q3UwLDur3+KfDXGtGOoubxcOuJrpemOe8JeM5cEYEhvOy8D16zmWwWYDT19D
+ElFfUbM0GGITpJ41Qie03DvmI0hDYDqTEZfKza967VsvD7K9bFgLHmHdv7gLNutB
+FConpziNqslapWwQ5j7bKircxKjRQVkOiXH48m2IUzylqWgJPVMvHukRu0YVnvbt
+Q53xNVZQEbjvZmIuz8jqo22Y/1Jr7Plnb1lUvvDznA58MHT0KA4LSZwk9tvMJJCw
+vh7AoWB6/Jnl8QVnApOdCa6M/An128rBwgrCmp0wSvhMecTkWC8/gsah0Q5wKFL3
+ziBth728Qy8RlNghRUw88e/y4pdGHN8egjK1NpdgsvTFdRNQ8qwu0lx9pO3b6TNQ
+qDG5pirXjS/DhPYvZtJRDK6SMTHJNm+0NGdWB8qpNssFrU6u2cRl0533LtECAwEA
+AaOCAk0wggJJMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
+KwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUiQi/3pZamfPxRGPI8DTZ
+tej1494wHwYDVR0jBBgwFoAUu7zDR6XkvKnGw6RyDBCNojXhyOgwVwYIKwYBBQUH
+AQEESzBJMCIGCCsGAQUFBzABhhZodHRwOi8vcjEwLm8ubGVuY3Iub3JnMCMGCCsG
+AQUFBzAChhdodHRwOi8vcjEwLmkubGVuY3Iub3JnLzAkBgNVHREEHTAbghlvei1k
+ZW1vLnBvcnRhaW5lcmNsb3VkLmlvMBMGA1UdIAQMMAowCAYGZ4EMAQIBMC4GA1Ud
+HwQnMCUwI6AhoB+GHWh0dHA6Ly9yMTAuYy5sZW5jci5vcmcvNTMuY3JsMIIBBAYK
+KwYBBAHWeQIEAgSB9QSB8gDwAHcAzPsPaoVxCWX+lZtTzumyfCLphVwNl422qX5U
+wP5MDbAAAAGVjYW7/QAABAMASDBGAiEA8CjMOIj7wqQ60BX22A5pDkA23IxZPzwV
+1MF5+VSgdqgCIQCZhry5AK2VyZX/cIODEl6eHBCUWS4vHB+J8RxeclKCpAB1AKLj
+CuRF772tm3447Udnd1PXgluElNcrXhssxLlQpEfnAAABlY2Fu/QAAAQDAEYwRAIg
+bwjJgZJew/1LoL9yzDD1P4Xkd8ezFucxfU3AzlV1XEYCIH5RPyW1HP9GSr+aAx+I
+o3inVl1NagJFYiApAPvFmIEgMA0GCSqGSIb3DQEBCwUAA4IBAQATJWi1sJSBstO+
+hyH7DsrAtDhiQTOWzUZezBlgCn8hfmA3nX5uKsHyxPPPEQ/GFYOltRD/+34X9kFF
+YNzUjJOP0bGk45I1JbspxRRvtbDpk0+dj2VE2toM8vLRDz3+DB4YB2lFofYlex++
+16xFzOIE+ZW41qBs3G8InsyHADsaFY2CQ9re/kZvenptU/ax1U2a21JJ3TT2DmXW
+AHZYQ5/whVIowsebw1e28I12VhLl2BKn7v4MpCn3GUzBBQAEbJ6TIjHtFKWWnVfH
+FisaUX6N4hMzGZVJOsbH4QVBGuNwUshHiD8MSpbans2w+T4bCe11XayerqxFhTao
+w/pjiPVy
+-----END CERTIFICATE-----
+`,
+			expected: false,
+		},
+	}
+
+	for _, tt := range tc {
+		t.Run(tt.name, func(t *testing.T) {
+			actual, err := IsSelfSignedCertificate([]byte(tt.cert))
+			assert.NoError(t, err)
+			assert.Equal(t, tt.expected, actual)
+		})
+	}
+}
--- a/api/http/handler/kubernetes/configmaps.go
+++ b/api/http/handler/kubernetes/configmaps.go
@@ -146,13 +146,11 @@ func (handler *Handler) getAllKubernetesConfigMaps(r *http.Request) ([]models.K8
 	}

 	if isUsed {
-		configMapsWithApplications, err := cli.CombineConfigMapsWithApplications(configMaps)
+		err = cli.SetConfigMapsIsUsed(&configMaps)
 		if err != nil {
 			log.Error().Err(err).Str("context", "getAllKubernetesConfigMaps").Msg("Unable to combine configMaps with associated applications")
 			return nil, httperror.InternalServerError("Unable to combine configMaps with associated applications", err)
 		}
-
-		return configMapsWithApplications, nil
 	}

 	return configMaps, nil
--- a/api/http/handler/kubernetes/deprecated_routes.go
+++ b/api/http/handler/kubernetes/deprecated_routes.go
@@ -36,11 +36,14 @@ func deprecatedNamespaceParser(w http.ResponseWriter, r *http.Request) (string,

 	// Restore the original body for further use
 	bodyBytes, err := io.ReadAll(r.Body)
+	if err != nil {
+		return "", httperror.InternalServerError("Unable to read request body", err)
+	}
+
 	r.Body = io.NopCloser(bytes.NewBuffer(bodyBytes))

 	payload := models.K8sNamespaceDetails{}
-	err = request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
+	if err := request.DecodeAndValidateJSONPayload(r, &payload); err != nil {
 		return "", httperror.BadRequest("Invalid request. Unable to parse namespace payload", err)
 	}
 	namespaceName := payload.Name
--- a/api/http/handler/kubernetes/describe.go
+++ b/api/http/handler/kubernetes/describe.go
@@ -0,0 +1,73 @@
+package kubernetes
+
+import (
+	"net/http"
+
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/libhttp/response"
+	"github.com/portainer/portainer/pkg/libkubectl"
+	"github.com/rs/zerolog/log"
+)
+
+type describeResourceResponse struct {
+	Describe string `json:"describe"`
+}
+
+// @id DescribeResource
+// @summary Get a description of a kubernetes resource
+// @description Get a description of a kubernetes resource.
+// @description **Access policy**: Authenticated user.
+// @tags kubernetes
+// @security ApiKeyAuth || jwt
+// @produce json
+// @param id path int true "Environment identifier"
+// @param name query string true "Resource name"
+// @param kind query string true "Resource kind"
+// @param namespace query string false "Namespace"
+// @success 200 {object} describeResourceResponse "Success"
+// @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
+// @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
+// @failure 403 "Permission denied - the user is authenticated but does not have the necessary permissions to access the requested resource or perform the specified operation. Check your user roles and permissions."
+// @failure 404 "Unable to find an environment with the specified identifier."
+// @failure 500 "Server error occurred while attempting to retrieve resource description"
+// @router /kubernetes/{id}/describe [get]
+func (handler *Handler) describeResource(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	name, err := request.RetrieveQueryParameter(r, "name", false)
+	if err != nil {
+		log.Error().Err(err).Str("context", "describeResource").Msg("Invalid query parameter name")
+		return httperror.BadRequest("an error occurred during the describeResource operation, invalid query parameter name. Error: ", err)
+	}
+
+	kind, err := request.RetrieveQueryParameter(r, "kind", false)
+	if err != nil {
+		log.Error().Err(err).Str("context", "describeResource").Msg("Invalid query parameter kind")
+		return httperror.BadRequest("an error occurred during the describeResource operation, invalid query parameter kind. Error: ", err)
+	}
+
+	namespace, err := request.RetrieveQueryParameter(r, "namespace", true)
+	if err != nil {
+		log.Error().Err(err).Str("context", "describeResource").Msg("Invalid query parameter namespace")
+		return httperror.BadRequest("an error occurred during the describeResource operation, invalid query parameter namespace. Error: ", err)
+	}
+
+	// fetches the token and the correct server URL for the endpoint, similar to getHelmClusterAccess
+	libKubectlAccess, err := handler.getLibKubectlAccess(r)
+	if err != nil {
+		return httperror.InternalServerError("an error occurred during the describeResource operation, failed to get libKubectlAccess. Error: ", err)
+	}
+
+	client, err := libkubectl.NewClient(libKubectlAccess, namespace, "", true)
+	if err != nil {
+		log.Error().Err(err).Str("context", "describeResource").Msg("Failed to create kubernetes client")
+		return httperror.InternalServerError("an error occurred during the describeResource operation, failed to create kubernetes client. Error: ", err)
+	}
+
+	out, err := client.Describe(namespace, name, kind)
+	if err != nil {
+		log.Error().Err(err).Str("context", "describeResource").Msg("Failed to describe kubernetes resource")
+		return httperror.InternalServerError("an error occurred during the describeResource operation, failed to describe kubernetes resource. Error: ", err)
+	}
+
+	return response.JSON(w, describeResourceResponse{Describe: out})
+}
--- a/api/http/handler/kubernetes/handler.go
+++ b/api/http/handler/kubernetes/handler.go
@@ -15,6 +15,7 @@ import (
 	"github.com/portainer/portainer/api/kubernetes/cli"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/libkubectl"
 	"github.com/rs/zerolog/log"

 	"github.com/gorilla/mux"
@@ -102,6 +103,7 @@ func NewHandler(bouncer security.BouncerService, authorizationService *authoriza
 	endpointRouter.Handle("/cluster_roles/delete", httperror.LoggerHandler(h.deleteClusterRoles)).Methods(http.MethodPost)
 	endpointRouter.Handle("/cluster_role_bindings", httperror.LoggerHandler(h.getAllKubernetesClusterRoleBindings)).Methods(http.MethodGet)
 	endpointRouter.Handle("/cluster_role_bindings/delete", httperror.LoggerHandler(h.deleteClusterRoleBindings)).Methods(http.MethodPost)
+	endpointRouter.Handle("/describe", httperror.LoggerHandler(h.describeResource)).Methods(http.MethodGet)

 	// namespaces
 	// in the future this piece of code might be in another package (or a few different packages - namespaces/namespace?)
@@ -269,3 +271,36 @@ func (handler *Handler) kubeClientMiddleware(next http.Handler) http.Handler {
 		next.ServeHTTP(w, r)
 	})
 }
+
+func (handler *Handler) getLibKubectlAccess(r *http.Request) (*libkubectl.ClientAccess, error) {
+	tokenData, err := security.RetrieveTokenData(r)
+	if err != nil {
+		return nil, httperror.InternalServerError("Unable to retrieve user authentication token", err)
+	}
+
+	bearerToken, _, err := handler.JwtService.GenerateToken(tokenData)
+	if err != nil {
+		return nil, httperror.Unauthorized("Unauthorized", err)
+	}
+
+	endpoint, err := middlewares.FetchEndpoint(r)
+	if err != nil {
+		return nil, httperror.InternalServerError("Unable to find the Kubernetes endpoint associated to the request.", err)
+	}
+
+	sslSettings, err := handler.DataStore.SSLSettings().Settings()
+	if err != nil {
+		return nil, httperror.InternalServerError("Unable to retrieve settings from the database", err)
+	}
+
+	hostURL := "localhost"
+	if !sslSettings.SelfSigned {
+		hostURL = r.Host
+	}
+
+	kubeConfigInternal := handler.kubeClusterAccessService.GetClusterDetails(hostURL, endpoint.ID, true)
+	return &libkubectl.ClientAccess{
+		Token:     bearerToken,
+		ServerUrl: kubeConfigInternal.ClusterServerURL,
+	}, nil
+}
--- a/api/http/handler/kubernetes/secrets.go
+++ b/api/http/handler/kubernetes/secrets.go
@@ -130,13 +130,11 @@ func (handler *Handler) getAllKubernetesSecrets(r *http.Request) ([]models.K8sSe
 	}

 	if isUsed {
-		secretsWithApplications, err := cli.CombineSecretsWithApplications(secrets)
+		err = cli.SetSecretsIsUsed(&secrets)
 		if err != nil {
 			log.Error().Err(err).Str("context", "GetAllKubernetesSecrets").Msg("Unable to combine secrets with associated applications")
 			return nil, httperror.InternalServerError("unable to combine secrets with associated applications. Error: ", err)
 		}
-
-		return secretsWithApplications, nil
 	}

 	return secrets, nil
--- a/api/http/handler/registries/registry_list.go
+++ b/api/http/handler/registries/registry_list.go
@@ -36,5 +36,9 @@ func (handler *Handler) registryList(w http.ResponseWriter, r *http.Request) *ht
 		return httperror.InternalServerError("Unable to retrieve registries from the database", err)
 	}

+	for idx := range registries {
+		hideFields(&registries[idx], false)
+	}
+
 	return response.JSON(w, registries)
 }
--- a/api/http/handler/settings/settings_update.go
+++ b/api/http/handler/settings/settings_update.go
@@ -14,8 +14,8 @@ import (
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
+	"github.com/portainer/portainer/pkg/validate"

-	"github.com/asaskevich/govalidator"
 	"github.com/pkg/errors"
 	"golang.org/x/oauth2"
 )
@@ -62,15 +62,15 @@ func (payload *settingsUpdatePayload) Validate(r *http.Request) error {
 		return errors.New("Invalid authentication method value. Value must be one of: 1 (internal), 2 (LDAP/AD) or 3 (OAuth)")
 	}

-	if payload.LogoURL != nil && *payload.LogoURL != "" && !govalidator.IsURL(*payload.LogoURL) {
+	if payload.LogoURL != nil && *payload.LogoURL != "" && !validate.IsURL(*payload.LogoURL) {
 		return errors.New("Invalid logo URL. Must correspond to a valid URL format")
 	}

-	if payload.TemplatesURL != nil && *payload.TemplatesURL != "" && !govalidator.IsURL(*payload.TemplatesURL) {
+	if payload.TemplatesURL != nil && *payload.TemplatesURL != "" && !validate.IsURL(*payload.TemplatesURL) {
 		return errors.New("Invalid external templates URL. Must correspond to a valid URL format")
 	}

-	if payload.HelmRepositoryURL != nil && *payload.HelmRepositoryURL != "" && !govalidator.IsURL(*payload.HelmRepositoryURL) {
+	if payload.HelmRepositoryURL != nil && *payload.HelmRepositoryURL != "" && !validate.IsURL(*payload.HelmRepositoryURL) {
 		return errors.New("Invalid Helm repository URL. Must correspond to a valid URL format")
 	}

--- a/api/http/handler/stacks/create_compose_stack.go
+++ b/api/http/handler/stacks/create_compose_stack.go
@@ -14,8 +14,8 @@ import (
 	"github.com/portainer/portainer/api/stacks/stackutils"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/validate"

-	"github.com/asaskevich/govalidator"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
 )
@@ -205,7 +205,7 @@ func (payload *composeStackFromGitRepositoryPayload) Validate(r *http.Request) e
 	if len(payload.Name) == 0 {
 		return errors.New("Invalid stack name")
 	}
-	if len(payload.RepositoryURL) == 0 || !govalidator.IsURL(payload.RepositoryURL) {
+	if len(payload.RepositoryURL) == 0 || !validate.IsURL(payload.RepositoryURL) {
 		return errors.New("Invalid repository URL. Must correspond to a valid URL format")
 	}
 	if payload.RepositoryAuthentication && len(payload.RepositoryPassword) == 0 {
--- a/api/http/handler/stacks/create_kubernetes_stack.go
+++ b/api/http/handler/stacks/create_kubernetes_stack.go
@@ -15,8 +15,8 @@ import (
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
+	"github.com/portainer/portainer/pkg/validate"

-	"github.com/asaskevich/govalidator"
 	"github.com/pkg/errors"
 )

@@ -96,7 +96,7 @@ func (payload *kubernetesStringDeploymentPayload) Validate(r *http.Request) erro
 }

 func (payload *kubernetesGitDeploymentPayload) Validate(r *http.Request) error {
-	if len(payload.RepositoryURL) == 0 || !govalidator.IsURL(payload.RepositoryURL) {
+	if len(payload.RepositoryURL) == 0 || !validate.IsURL(payload.RepositoryURL) {
 		return errors.New("Invalid repository URL. Must correspond to a valid URL format")
 	}

@@ -112,7 +112,7 @@ func (payload *kubernetesGitDeploymentPayload) Validate(r *http.Request) error {
 }

 func (payload *kubernetesManifestURLDeploymentPayload) Validate(r *http.Request) error {
-	if len(payload.ManifestURL) == 0 || !govalidator.IsURL(payload.ManifestURL) {
+	if len(payload.ManifestURL) == 0 || !validate.IsURL(payload.ManifestURL) {
 		return errors.New("Invalid manifest URL")
 	}

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Ali	f60e13adbb	chore: bump version to 2.30.0 (#735 )	2025-05-15 09:06:22 +12:00
Ali	d49fcd8f3e	feat(helm): make the atomic flag optional [r8s-314] (#733 )	2025-05-14 16:31:42 +12:00
Ali	4ee349bd6b	feat(helm): helm actions [r8s-259] (#715 ) Co-authored-by: James Player <james.player@portainer.io> Co-authored-by: Cara Ryan <cara.ryan@portainer.io> Co-authored-by: stevensbkang <skan070@gmail.com>	2025-05-13 22:15:04 +12:00
Steven Kang	dfa32b6755	chore: add KaaS deprecation notice (#727 ) Co-authored-by: testA113 <aliharriss1995@gmail.com>	2025-05-13 16:33:14 +12:00
Ali	0b69729173	chrore(microk8s): add deprecation notice [r8s-320] (#728 )	2025-05-13 14:28:42 +12:00
Steven Kang	3b313b9308	fix(kubectl): rollout restart [r8s-322] (#729 )	2025-05-13 11:35:44 +12:00
Devon Steenberg	1abdf42f99	feat(libstack): expose env vars with PORTAINER_ prefix [BE-11661] (#687 )	2025-05-12 11:18:04 +12:00
andres-portainer	9fdc535d6b	fix(csrf): skip the trusted origins check for plain-text HTTP requests BE-11832 (#710 ) Co-authored-by: andres-portainer <andres-portainer@users.noreply.github.com> Co-authored-by: oscarzhou <oscar.zhou@portainer.io>	2025-05-09 14:39:29 +12:00
James Carppe	b9b734ceda	Update bug report template for 2.27.6 (#721 )	2025-05-09 14:39:15 +12:00
Viktor Pettersson	3b05505527	fix(update-schedules): display enriched error logs for agent updates [BE-11756] (#693 )	2025-05-08 10:24:20 +02:00
Steven Kang	bc29419c17	refactor: replace the `kubectl` binary with the upstream sdk (#524 )	2025-05-07 20:40:38 +12:00
James Carppe	4d4360b86b	Update bug report template for 2.27.5 (#705 )	2025-05-02 13:14:39 +12:00
James Carppe	8cc28761d7	Update bug report template for 2.29.2 (#692 )	2025-04-24 16:47:31 +12:00
Viktor Pettersson	24b3499c70	fix(dependencies): downgrade gorilla/csrf to v1.7.2 (#684 )	2025-04-24 12:13:45 +12:00
Devon Steenberg	4e4fd5a4b4	fix(validate): refactor validate functions [BE-11574] (#683 )	2025-04-24 08:59:44 +12:00
Devon Steenberg	1a3df54c04	fix(govalidator): replace govalidator dependency [BE-11574] (#673 )	2025-04-23 13:59:51 +12:00
James Carppe	3edacee59b	Update bug report template for 2.29.1 (#682 )	2025-04-23 13:35:20 +12:00
andres-portainer	f25d31b92b	fix(code): remove dead code and reduce duplication BE-11826 (#680 )	2025-04-22 18:09:36 -03:00
Ali	c91c8a6467	feat(helm): rollback helm chart [r8s-287] (#660 )	2025-04-23 08:58:34 +12:00
Ali	61d6ac035d	feat(helm): auto refresh helm resources [r8s-298] (#672 )	2025-04-23 08:58:21 +12:00
Oscar Zhou	9a9373dd0f	fix: cve-2025-22871 [BE-11825] (#678 )	2025-04-22 21:29:39 +12:00
andres-portainer	e319a7a5ae	fix(linter): enable ineffassign BE-10204 (#669 )	2025-04-21 19:27:14 -03:00
andres-portainer	342549b546	fix(validate): remove dead code BE-11824 (#671 )	2025-04-21 18:59:51 -03:00
Ali	bbe94f55b6	feat(helm): uninstall helm app from details view [r8s-285] (#648 )	2025-04-22 09:52:52 +12:00
andres-portainer	6fcf1893d3	fix(code): remove duplicated code BE-11821 (#667 )	2025-04-18 17:34:34 -03:00
Ali	01afe34df7	fix(namespaces): fix service not found error [r8s-296] (#664 )	2025-04-17 12:29:37 +12:00
Devon Steenberg	be3e8e3332	fix(proxy): don't forward sensitive headers [BE-11819] (#654 )	2025-04-16 15:30:56 +12:00
James Carppe	cf31700903	Update bug report template for 2.29.0 (#655 )	2025-04-16 13:34:38 +12:00
andres-portainer	66dee6fd06	fix(codemirror): optimize the autocompletion performance R8S-294 (#650 ) Co-authored-by: andres-portainer <andres-portainer@users.noreply.github.com>	2025-04-16 12:27:30 +12:00
andres-portainer	bfa55f8c67	fix(logs): remove duplicated code BE-11821 (#653 )	2025-04-15 17:16:04 -03:00
James Carppe	5a2318d01f	Update bug report template for 2.27.4 (#646 )	2025-04-15 13:50:14 +12:00
Steven Kang	7de037029f	security: cve-2025-30204 and other low ones - develop [BE-11781] (#638 )	2025-04-15 09:58:55 +12:00
andres-portainer	730c1115ce	fix(proxy): remove code duplication BE-11627 (#644 )	2025-04-14 17:46:40 -03:00
Oscar Zhou	2c37f32fa6	version: bump version to 2.29.0 (#637 )	2025-04-14 13:13:38 +12:00
LP B	7aa9f8b1c3	Revert "feat(app): 1s staleTime to avoid sending repeated requests" (#639 )	2025-04-14 11:12:11 +12:00
LP B	c331ada086	feat(app): 1s staleTime to avoid sending repeated requests (#607 )	2025-04-14 09:05:48 +12:00
Oscar Zhou	ebc25e45d3	fix(edge): redeploy edge stack doesn't apply to std agents [BE-11766] (#633 )	2025-04-12 10:24:23 +12:00
andres-portainer	f82921d2a1	fix(edgestacks): fix edge stack update when using Git BE-11766 (#629 )	2025-04-10 20:12:27 -03:00
Ali	d68fe42918	fix(apps): better align sub tables [r8s-255] (#617 )	2025-04-11 08:39:39 +12:00
Oscar Zhou	823f2a7991	fix(edge): missing env var in async agent docker snapshot [BE-11709] (#625 )	2025-04-11 08:26:11 +12:00
Ali	0ca9321db1	feat(helm): update helm view [r8s-256] (#582 ) Co-authored-by: Cara Ryan <cara.ryan@portainer.io> Co-authored-by: James Player <james.player@portainer.io> Co-authored-by: stevensbkang <skan070@gmail.com>	2025-04-10 16:08:24 +12:00
James Player	46eddbe7b9	fix(UI): Make sure localStorage.getUserId actually returns user id R8S-290 (#623 )	2025-04-09 09:09:07 +12:00
James Player	64c796a8c3	fix(kubernetes): Config maps and secrets show as unused BE-11684 (#596 ) Co-authored-by: stevensbkang <skan070@gmail.com>	2025-04-08 12:52:21 +12:00
James Player	264ff5457b	chore(kubernetes): Migrate Helm Templates View to React R8S-239 (#587 )	2025-04-08 12:51:36 +12:00
LP B	ad89df4d0d	refactor(app): reword docker security features (#608 )	2025-04-07 17:14:51 +02:00
Anthony Lapenna	0f10b8ba2b	api: update TeamInspect doc (#618 )	2025-04-07 11:25:23 +12:00
Oscar Zhou	940bf990f9	fix(edgeconfig): add edge config file interpolation info message on edge stack page [BE-11741] (#606 )	2025-04-04 11:56:42 +13:00
Devon Steenberg	1b8fbbe7d7	fix(libstack): compose project working directory [BE-11751] (#600 )	2025-04-04 09:07:35 +13:00
James Player	f6f07f4690	improvement(kubernetes): right align tags in datatables R8S-250 (#601 ) Co-authored-by: testA113 <aliharriss1995@gmail.com>	2025-04-03 14:18:31 +13:00
Anthony Lapenna	3800249921	api: use response code 200 (#604 )	2025-04-03 11:12:24 +13:00
Oscar Zhou	a5d857d5e7	feat(docker): add --pull-limit-check-disabled cli flag [BE-11739] (#581 )	2025-04-03 09:13:01 +13:00
Devon Steenberg	4c1e80ff58	fix(axios): correctly encode urls [BE-11648] (#517 ) fix(edgegroup): nil pointer defer	2025-04-02 08:51:58 +13:00
Oscar Zhou	7e5db1f55e	refactor(edgegroup): optimize edge group search performance [BE-11716] (#579 )	2025-04-01 14:05:56 +13:00
Anthony Lapenna	1edc56c0ce	api: remove name from edgegroupupdate payload validation (#588 )	2025-04-01 13:25:09 +13:00
Anthony Lapenna	4066a70ea5	api: fix typo in operation name (#585 )	2025-04-01 13:24:55 +13:00
andres-portainer	a0d36cf87a	fix(server): add panic logging middleware BE-11750 (#599 )	2025-03-31 18:58:20 -03:00
Viktor Pettersson	1d12011eb5	fix(edge groups): make large edge groups editable [BE-11720] (#558 )	2025-03-28 15:16:05 +01:00
Steven Kang	7c01f84a5c	fix: improve the node view for detecting roles - develop (#354 )	2025-03-28 10:52:59 +13:00
Ali	81c5f4acc3	feat(editor): provide yaml validation for docker compose in the portainer web editor [BE-11697] (#526 )	2025-03-27 17:11:55 +13:00
Ali	0ebfe047d1	feat(helm): use helm upgrade for install [r8s-258] (#568 )	2025-03-26 11:32:26 +13:00
samdulam	e68bd53e30	Update bug_report template with 2.27.3 (#572 )	2025-03-25 08:40:15 +05:30
andres-portainer	cdd9851f72	fix(stubs): clean up the stubs and mocks BE-11722 (#557 )	2025-03-24 19:56:08 -03:00
andres-portainer	995c3ef81b	feat(snapshots): avoid parsing raw snapshots when possible BE-11724 (#560 )	2025-03-24 19:33:05 -03:00
James Player	0dfde1374d	fix(kubernetes): Cluster reservation CPU not showing R8S-268 (#569 )	2025-03-25 10:59:28 +13:00
Devon Steenberg	34235199dd	fix(libstack): correctly load COMPOSE_* env vars [BE-11474] (#536 )	2025-03-25 08:57:23 +13:00
Anthony Lapenna	5d1cd670e9	docs: review TeamMembershipCreate API operation (#565 )	2025-03-24 09:55:33 +13:00
Anthony Lapenna	1d8ea7b0ee	docs: review TeamUpdate API operation (#564 )	2025-03-21 16:45:43 +13:00
Oscar Zhou	4b218553c3	fix(libstack): data loss for stack with relative path [FR-437] (#548 )	2025-03-21 09:19:25 +13:00
Viktor Pettersson	a61c1004d3	fix(agent-updates): fix remote agent updates cannot be scheduled properly for large edge groups [BE-11691] (#528 )	2025-03-20 10:05:15 +01:00
James Carppe	5d1b42b314	Update bug report template for 2.28.1 (#549 )	2025-03-20 15:54:53 +13:00
Oscar Zhou	4b992c6f3e	fix(k8s/config): force insecure-skip-tls-verify option for internal use [BE-11706] (#537 )	2025-03-20 08:49:27 +13:00
Viktor Pettersson	38562f9560	fix(api): remove duplicated /users/me route [BE-11689] (#516 )	2025-03-19 13:08:03 +01:00
James Carppe	c01f0271fe	Update bug report template for 2.27.2 (#539 )	2025-03-19 17:41:36 +13:00
andres-portainer	0296998fae	fix(users): optimize the /users/me API endpoint BE-11688 (#515 ) Co-authored-by: andres-portainer <andres-portainer@users.noreply.github.com> Co-authored-by: LP B <xAt0mZ@users.noreply.github.com> Co-authored-by: JamesPlayer <james.player@portainer.io>	2025-03-18 17:55:53 -03:00
James Player	a67b917bdd	Bump version to 2.28.0 (#523 )	2025-03-17 16:00:33 +13:00
Steven Kang	2791bd123c	fix: cve-2025-22869 develop (#511 )	2025-03-17 12:24:39 +13:00
andres-portainer	e1f9b69cd5	feat(edgestack): improve the structure to make JSON operations faster BE-11668 (#475 )	2025-03-15 10:10:17 -03:00
andres-portainer	2c05496962	feat(edgeconfigs): parse .env config files for interpolation BE-11673 (#514 )	2025-03-15 10:09:22 -03:00
Oscar Zhou	66bcf9223a	fix(k8s/config): avoid hardcoded "insecure-skip-tls-verify" in kubeconfig [BE-11651] (#500 )	2025-03-14 11:20:41 +13:00
James Player	993f69db37	chore(app): Migrate helm templates list to react (#492 )	2025-03-14 10:37:14 +13:00
Ali	58317edb6d	fix(namespaces): only show namespaces with access [r8s-251] (#501 )	2025-03-14 07:57:06 +13:00
Steven Kang	417891675d	fix: ensure no non-admin users have access to system namespaces (#499 )	2025-03-13 16:43:56 +13:00
Steven Kang	8b7aef883a	fix: display unscheduled applications (#496 ) Co-authored-by: JamesPlayer <james.player@portainer.io>	2025-03-13 14:13:18 +13:00
Ali	b5961d79f8	refactor(helm): helm binary to sdk refactor [r8s-229] (#463 ) Co-authored-by: stevensbkang <skan070@gmail.com>	2025-03-13 12:20:16 +13:00
LP B	0d25f3f430	fix(app): restore gitops update options (#419 )	2025-03-12 14:00:31 +01:00
Steven Kang	798fa2396a	feat: kubernets service - display external hostname (#486 )	2025-03-12 22:34:00 +13:00
James Player	28b222fffa	fix(app): Make sure empty tables don't have select all rows checkbox checked (#489 )	2025-03-12 10:34:07 +13:00
James Player	b57855f20d	fix(app): datatable global checkbox doesn't reflect the selected state (#470 )	2025-03-10 09:21:20 +13:00
Cara Ryan	438b1f9815	fix(helm): Remove duplicate helm instructions in CE [BE-11670] (#482 )	2025-03-06 09:35:31 +13:00
LP B	2bccb3589e	fix(app/images): nodeName on images list links (#484 )	2025-03-05 16:04:16 +01:00
James Player	52bb06eb7b	chore(helm): Convert helm details view to react (#476 )	2025-03-03 11:29:58 +13:00
Malcolm Lockyer	8e6d0e7d42	perf(endpointrelation): Part 2 of fixing endpointrelation perf [be-11616] (#471 )	2025-02-28 14:41:54 +13:00
Steven Kang	5526fd8296	chore: bump 2.27.1 - develop (#468 )	2025-02-27 11:02:25 +13:00
Anthony Lapenna	a554a8c49f	api: remove server-ce swagger.json (#467 )	2025-02-26 16:10:02 +13:00
James Player	7759d762ab	chore(react): Convert cluster details to react CE (#466 )	2025-02-26 14:13:50 +13:00
Oscar Zhou	dd98097897	fix(libstack): miss to read default .env file [BE-11638] (#458 )	2025-02-26 13:00:25 +13:00
Steven Kang	cc73b7831f	fix: cve-2024-50338 - develop (#461 )	2025-02-25 12:55:44 +13:00
James Carppe	9c243cc8dd	Update bug report template for 2.27.0 (#450 )	2025-02-20 13:38:26 +13:00
Oscar Zhou	5d568a3f32	fix(edge): edge stack pending when yaml file is under same root folder of edge configs [BE-11620] (#447 )	2025-02-20 12:09:26 +13:00
Steven Kang	1b83542d41	chore: bump version to 2.27.0 - develop (#445 )	2025-02-20 09:42:52 +13:00
LP B	cf95d91db3	fix(swarm): keep swarm stack stop command attached (#444 )	2025-02-19 19:25:28 +01:00
Viktor Pettersson	41c1d88615	fix(edge): configure persisted mTLS certificates on start-up [BE-11622] (#437 ) Co-authored-by: andres-portainer <andres-portainer@users.noreply.github.com> Co-authored-by: oscarzhou <oscar.zhou@portainer.io> Co-authored-by: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>	2025-02-19 14:46:39 +13:00
Steven Kang	df8673ba40	version: bump version to 2.27.0-rc3 - develop (#426 )	2025-02-14 08:39:02 +13:00
andres-portainer	96b1869a0c	fix(swarm): fix the Host field when listing images BE-10827 (#352 ) Co-authored-by: andres-portainer <andres-portainer@users.noreply.github.com> Co-authored-by: LP B <xAt0mZ@users.noreply.github.com>	2025-02-12 00:47:45 +01:00
Oscar Zhou	e45b852c09	fix(platform): remove error log when local env is not found [BE-11353] (#364 )	2025-02-12 09:23:52 +13:00
Steven Kang	2d3e5c3499	workaround: leave the globally set helm repo to empty and add disclaimer - develop (#409 )	2025-02-11 15:36:29 +13:00
Oscar Zhou	b25bf1e341	fix(podman): missing filter in homepage [BE-11502] (#404 )	2025-02-10 21:08:27 +13:00
Oscar Zhou	4bb80d3e3a	fix(setting): failed to persist edge computer setting [BE-11403] (#395 )	2025-02-10 21:05:15 +13:00
Steven Kang	03575186a7	remove deprecated api endpoints - develop [BE-11510] (#399 )	2025-02-10 10:46:36 +13:00
Steven Kang	935c7dd496	feat: improve diagnostics stability - develop (#355 )	2025-02-10 10:45:47 +13:00
Steven Kang	1b2dc6a133	version: bump version to 2.27.0-rc2 - develop (#402 )	2025-02-07 14:47:49 +13:00
Steven Kang	d4e2b2188e	chore: bump go version to 1.23.5 develop (#392 )	2025-02-07 08:48:19 +13:00
viktigpetterr	9658f757c2	fix(endpoints): use the post method for batch delete API operations [BE-11573] (#394 )	2025-02-06 18:14:43 +01:00
Ali	371e84d9a5	fix(podman): create new image from a container in podman [r8s-90] (#347 )	2025-02-05 20:22:33 +13:00
Steven Kang	5423a2f1b9	security: cve-2025-21613 develop (#390 )	2025-02-05 15:56:30 +13:00
Oscar Zhou	7001f8e088	fix(edge): check all endpoint_relation db query logic [BE-11602] (#378 )	2025-02-05 15:20:20 +13:00
Steven Kang	678cd54553	security: cve-2024-45338 develop (#386 )	2025-02-05 15:03:39 +13:00
Oscar Zhou	bc19d6592f	fix(libstack): cannot open std edge stack log page [BE-11603] (#384 )	2025-02-05 12:17:51 +13:00
James Player	5af0859f67	fix(datatables): "Select all" should select only elements of the current page (#376 )	2025-02-04 15:34:33 +13:00
Oscar Zhou	379711951c	fix(edgegroup): failed to associate env to static edge group [BE-11599] (#368 )	2025-02-04 09:41:24 +13:00
LP B	a50a9c5617	fix(app/edge): edge stacks webhooks cannot be disabled once created (#372 )	2025-02-03 20:50:24 +01:00
LP B	c0d30a455f	fix(api/edge): backend panic on edge stack removal (#371 )	2025-02-03 20:25:25 +01:00
LP B	9a3f6b21d2	feat(app/service-details): hide view while loading data (#348 )	2025-02-03 14:20:35 +01:00
Steven Kang	9ea41f68bc	version: bump version to 2.27.0-rc1 (#363 ) Co-authored-by: steven <steven@stevens-Mini.hub>	2025-02-03 11:38:38 +13:00
James Player	e943aa8f03	feat(documentation): change docs to use LTS/STS instead of version number (#357 )	2025-02-03 11:17:36 +13:00
James Player	17a4750d8e	fix(kubernetes): Resource reservation wasn't displaying properly in business edition and remove leader status (#362 )	2025-02-03 11:02:23 +13:00
Malcolm Lockyer	7d18c22aa1	fix(ui): bring back k8s applications page row expand published urls [r8s-145] (#356 )	2025-01-31 13:16:18 +13:00
Ali	c80cc6e268	chore(automation): give unique selectors [r8s-168] (#345 ) Co-authored-by: JamesPlayer <james.player@portainer.io>	2025-01-30 15:42:32 +13:00
andres-portainer	b30a1b5250	fix(edgestacks): avoid repeated statuses BE-11561 (#351 )	2025-01-27 16:00:05 -03:00
LP B	b753371700	fix(app/edge-stack): edge stack create form validation (#343 )	2025-01-24 17:02:52 +01:00
andres-portainer	3ca5ab180f	fix(system): optimize the memory usage when counting nodes BE-11575 (#342 )	2025-01-23 20:41:09 -03:00
Ali	4971f5510c	fix(app): edit app with configmap [r8s-95] (#341 )	2025-01-24 11:35:47 +13:00
andres-portainer	20fa7e508d	fix(edgestacks): decouple the EdgeStackStatusUpdateCoordinator so it can be used by other packages BE-11572 (#340 )	2025-01-23 17:10:46 -03:00
James Player	ebffc340d9	fix(k8s): Changed 'Deploy from file' button text to 'Deploy from code' (#338 )	2025-01-23 16:47:52 +13:00
andres-portainer	9a86737caa	fix(edgestacks): add a status update coordinator to increase performance BE-11572 (#337 )	2025-01-22 20:24:54 -03:00
Steven Kang	d35d8a7307	feat(oauth): fix mapping (#330 )	2025-01-23 09:03:51 +13:00
andres-portainer	701ff5d6bc	refactor(edgestacks): move handlerDBErr() out of the handler BE-11572 (#336 )	2025-01-22 16:35:06 -03:00
LP B	9044b25a23	fix(app): remove passwords from registries list response (#334 )	2025-01-22 17:40:21 +01:00
Ali	7f089fab86	fix(apps): use replicas from application spec [r8s-142] (#335 )	2025-01-22 12:31:27 +13:00
James Carppe	a259c28678	Update bug report template for 2.26.1 (#329 )	2025-01-21 16:19:03 +13:00
LP B	db48da185a	fix(app/editor): reduce editor slowness by debouncing onChange calls (#326 )	2025-01-17 22:41:06 +01:00
LP B	cab667c23b	fix(app/edge-stack): UI notification on creation error (#325 )	2025-01-17 20:33:01 +01:00
andres-portainer	154ca9f1b1	fix(edge): return proper error from context BE-11564 (#323 )	2025-01-16 20:18:51 -03:00
Oscar Zhou	2abe40b786	fix(edgestack): remove project folder after deleting edgestack [BE-11559] (#320 )	2025-01-16 09:16:09 +13:00
James Carppe	6be2420b32	Update bug report template for 2.26.0 (#319 )	2025-01-15 14:38:59 +13:00
Ali	9405cc0e04	chore(portainer): bump version to 2.26.0 (#302 )	2025-01-14 07:20:11 +13:00