version: bump version to 2.29.2 (#691)

Co-authored-by: Cara Ryan <cara.ryan@portainer.io>
Co-authored-by: James Player <james.player@portainer.io>
Co-authored-by: stevensbkang <skan070@gmail.com>

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -2,18 +2,17 @@ name: Bug Report
 description: Create a report to help us improve.
 labels: kind/bug,bug/need-confirmation
 body:
-
   - type: markdown
     attributes:
       value: |
         # Welcome!
-        
+
         The issue tracker is for reporting bugs. If you have an [idea for a new feature](https://github.com/orgs/portainer/discussions/categories/ideas) or a [general question about Portainer](https://github.com/orgs/portainer/discussions/categories/help) please post in our [GitHub Discussions](https://github.com/orgs/portainer/discussions).
-        
+
         You can also ask for help in our [community Slack channel](https://join.slack.com/t/portainer/shared_invite/zt-txh3ljab-52QHTyjCqbe5RibC2lcjKA).
 
         Please note that we only provide support for current versions of Portainer. You can find a list of supported versions in our [lifecycle policy](https://docs.portainer.io/start/lifecycle).
-        
+
         **DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS**.
 
   - type: checkboxes
@@ -45,7 +44,7 @@ body:
   - type: textarea
     attributes:
       label: Problem Description
-      description: A clear and concise description of what the bug is. 
+      description: A clear and concise description of what the bug is.
     validations:
       required: true
 
@@ -71,7 +70,7 @@ body:
         1. Go to '...'
         2. Click on '....'
         3. Scroll down to '....'
-        4. See error   
+        4. See error
     validations:
       required: true
 
@@ -92,9 +91,13 @@ body:
   - type: dropdown
     attributes:
       label: Portainer version
-      description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [upgrading first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
+      description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [updating first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
       multiple: false
       options:
+        - '2.28.1'
+        - '2.28.0'
+        - '2.27.3'
+        - '2.27.2'
         - '2.27.1'
         - '2.27.0'
         - '2.26.1'
@@ -111,16 +114,6 @@ body:
         - '2.21.2'
         - '2.21.1'
         - '2.21.0'
-        - '2.20.3'
-        - '2.20.2'
-        - '2.20.1'
-        - '2.20.0'
-        - '2.19.5'
-        - '2.19.4'
-        - '2.19.3'
-        - '2.19.2'
-        - '2.19.1'
-        - '2.19.0'
     validations:
       required: true
 
@@ -158,7 +151,7 @@ body:
   - type: input
     attributes:
       label: Browser
-      description: | 
+      description: |
         Enter your browser and version. Example: Google Chrome 114.0
     validations:
       required: false

api/cli/cli.go

@@ -60,6 +60,7 @@ func CLIFlags() *portainer.CLIFlags {
 		LogLevel:                  kingpin.Flag("log-level", "Set the minimum logging level to show").Default("INFO").Enum("DEBUG", "INFO", "WARN", "ERROR"),
 		LogMode:                   kingpin.Flag("log-mode", "Set the logging output mode").Default("PRETTY").Enum("NOCOLOR", "PRETTY", "JSON"),
 		KubectlShellImage:         kingpin.Flag("kubectl-shell-image", "Kubectl shell image").Envar(portainer.KubectlShellImageEnvVar).Default(portainer.DefaultKubectlShellImage).String(),
+		PullLimitCheckDisabled:    kingpin.Flag("pull-limit-check-disabled", "Pull limit check").Envar(portainer.PullLimitCheckDisabledEnvVar).Default(defaultPullLimitCheckDisabled).Bool(),
 	}
 }
 

api/cli/defaults.go

@@ -4,20 +4,21 @@
 package cli
 
 const (
-	defaultBindAddress         = ":9000"
-	defaultHTTPSBindAddress    = ":9443"
-	defaultTunnelServerAddress = "0.0.0.0"
-	defaultTunnelServerPort    = "8000"
-	defaultDataDirectory       = "/data"
-	defaultAssetsDirectory     = "./"
-	defaultTLS                 = "false"
-	defaultTLSSkipVerify       = "false"
-	defaultTLSCACertPath       = "/certs/ca.pem"
-	defaultTLSCertPath         = "/certs/cert.pem"
-	defaultTLSKeyPath          = "/certs/key.pem"
-	defaultHTTPDisabled        = "false"
-	defaultHTTPEnabled         = "false"
-	defaultSSL                 = "false"
-	defaultBaseURL             = "/"
-	defaultSecretKeyName       = "portainer"
+	defaultBindAddress            = ":9000"
+	defaultHTTPSBindAddress       = ":9443"
+	defaultTunnelServerAddress    = "0.0.0.0"
+	defaultTunnelServerPort       = "8000"
+	defaultDataDirectory          = "/data"
+	defaultAssetsDirectory        = "./"
+	defaultTLS                    = "false"
+	defaultTLSSkipVerify          = "false"
+	defaultTLSCACertPath          = "/certs/ca.pem"
+	defaultTLSCertPath            = "/certs/cert.pem"
+	defaultTLSKeyPath             = "/certs/key.pem"
+	defaultHTTPDisabled           = "false"
+	defaultHTTPEnabled            = "false"
+	defaultSSL                    = "false"
+	defaultBaseURL                = "/"
+	defaultSecretKeyName          = "portainer"
+	defaultPullLimitCheckDisabled = "false"
 )

api/cli/defaults_windows.go

@@ -1,21 +1,22 @@
 package cli
 
 const (
-	defaultBindAddress         = ":9000"
-	defaultHTTPSBindAddress    = ":9443"
-	defaultTunnelServerAddress = "0.0.0.0"
-	defaultTunnelServerPort    = "8000"
-	defaultDataDirectory       = "C:\\data"
-	defaultAssetsDirectory     = "./"
-	defaultTLS                 = "false"
-	defaultTLSSkipVerify       = "false"
-	defaultTLSCACertPath       = "C:\\certs\\ca.pem"
-	defaultTLSCertPath         = "C:\\certs\\cert.pem"
-	defaultTLSKeyPath          = "C:\\certs\\key.pem"
-	defaultHTTPDisabled        = "false"
-	defaultHTTPEnabled         = "false"
-	defaultSSL                 = "false"
-	defaultSnapshotInterval    = "5m"
-	defaultBaseURL             = "/"
-	defaultSecretKeyName       = "portainer"
+	defaultBindAddress            = ":9000"
+	defaultHTTPSBindAddress       = ":9443"
+	defaultTunnelServerAddress    = "0.0.0.0"
+	defaultTunnelServerPort       = "8000"
+	defaultDataDirectory          = "C:\\data"
+	defaultAssetsDirectory        = "./"
+	defaultTLS                    = "false"
+	defaultTLSSkipVerify          = "false"
+	defaultTLSCACertPath          = "C:\\certs\\ca.pem"
+	defaultTLSCertPath            = "C:\\certs\\cert.pem"
+	defaultTLSKeyPath             = "C:\\certs\\key.pem"
+	defaultHTTPDisabled           = "false"
+	defaultHTTPEnabled            = "false"
+	defaultSSL                    = "false"
+	defaultSnapshotInterval       = "5m"
+	defaultBaseURL                = "/"
+	defaultSecretKeyName          = "portainer"
+	defaultPullLimitCheckDisabled = "false"
 )

api/cmd/portainer/main.go

@@ -49,6 +49,7 @@ import (
 	"github.com/portainer/portainer/pkg/build"
 	"github.com/portainer/portainer/pkg/featureflags"
 	"github.com/portainer/portainer/pkg/libhelm"
+	libhelmtypes "github.com/portainer/portainer/pkg/libhelm/types"
 	"github.com/portainer/portainer/pkg/libstack/compose"
 
 	"github.com/gofrs/uuid"
@@ -169,8 +170,8 @@ func initKubernetesDeployer(kubernetesTokenCacheManager *kubeproxy.TokenCacheMan
 	return exec.NewKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, signatureService, proxyManager, assetsPath)
 }
 
-func initHelmPackageManager(assetsPath string) (libhelm.HelmPackageManager, error) {
-	return libhelm.NewHelmPackageManager(libhelm.HelmConfig{BinaryPath: assetsPath})
+func initHelmPackageManager() (libhelmtypes.HelmPackageManager, error) {
+	return libhelm.NewHelmPackageManager()
 }
 
 func initAPIKeyService(datastore dataservices.DataStore) apikey.APIKeyService {
@@ -437,7 +438,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 
 	proxyManager.NewProxyFactory(dataStore, signatureService, reverseTunnelService, dockerClientFactory, kubernetesClientFactory, kubernetesTokenCacheManager, gitService, snapshotService)
 
-	helmPackageManager, err := initHelmPackageManager(*flags.Assets)
+	helmPackageManager, err := initHelmPackageManager()
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed initializing helm package manager")
 	}
@@ -575,6 +576,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		AdminCreationDone:           adminCreationDone,
 		PendingActionsService:       pendingActionsService,
 		PlatformService:             platformService,
+		PullLimitCheckDisabled:      *flags.PullLimitCheckDisabled,
 	}
 }
 

api/connection.go

@@ -6,8 +6,10 @@ import (
 
 type ReadTransaction interface {
 	GetObject(bucketName string, key []byte, object any) error
+	GetRawBytes(bucketName string, key []byte) ([]byte, error)
 	GetAll(bucketName string, obj any, append func(o any) (any, error)) error
 	GetAllWithKeyPrefix(bucketName string, keyPrefix []byte, obj any, append func(o any) (any, error)) error
+	KeyExists(bucketName string, key []byte) (bool, error)
 }
 
 type Transaction interface {

api/database/boltdb/db.go

@@ -244,6 +244,32 @@ func (connection *DbConnection) GetObject(bucketName string, key []byte, object
 	})
 }
 
+func (connection *DbConnection) GetRawBytes(bucketName string, key []byte) ([]byte, error) {
+	var value []byte
+
+	err := connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		value, err = tx.GetRawBytes(bucketName, key)
+
+		return err
+	})
+
+	return value, err
+}
+
+func (connection *DbConnection) KeyExists(bucketName string, key []byte) (bool, error) {
+	var exists bool
+
+	err := connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		exists, err = tx.KeyExists(bucketName, key)
+
+		return err
+	})
+
+	return exists, err
+}
+
 func (connection *DbConnection) getEncryptionKey() []byte {
 	if !connection.isEncrypted {
 		return nil

api/database/boltdb/json_test.go

@@ -10,7 +10,7 @@ import (
 )
 
 const (
-	jsonobject = `{"LogoURL":"","BlackListedLabels":[],"AuthenticationMethod":1,"InternalAuthSettings": {"RequiredPasswordLength": 12}"LDAPSettings":{"AnonymousMode":true,"ReaderDN":"","URL":"","TLSConfig":{"TLS":false,"TLSSkipVerify":false},"StartTLS":false,"SearchSettings":[{"BaseDN":"","Filter":"","UserNameAttribute":""}],"GroupSearchSettings":[{"GroupBaseDN":"","GroupFilter":"","GroupAttribute":""}],"AutoCreateUsers":true},"OAuthSettings":{"ClientID":"","AccessTokenURI":"","AuthorizationURI":"","ResourceURI":"","RedirectURI":"","UserIdentifier":"","Scopes":"","OAuthAutoCreateUsers":false,"DefaultTeamID":0,"SSO":true,"LogoutURI":"","KubeSecretKey":"j0zLVtY/lAWBk62ByyF0uP80SOXaitsABP0TTJX8MhI="},"OpenAMTConfiguration":{"Enabled":false,"MPSServer":"","MPSUser":"","MPSPassword":"","MPSToken":"","CertFileContent":"","CertFileName":"","CertFilePassword":"","DomainName":""},"FeatureFlagSettings":{},"SnapshotInterval":"5m","TemplatesURL":"https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json","EdgeAgentCheckinInterval":5,"EnableEdgeComputeFeatures":false,"UserSessionTimeout":"8h","KubeconfigExpiry":"0","EnableTelemetry":true,"HelmRepositoryURL":"https://kubernetes.github.io/ingress-nginx","KubectlShellImage":"portainer/kubectl-shell","DisplayDonationHeader":false,"DisplayExternalContributors":false,"EnableHostManagementFeatures":false,"AllowVolumeBrowserForRegularUsers":false,"AllowBindMountsForRegularUsers":false,"AllowPrivilegedModeForRegularUsers":false,"AllowHostNamespaceForRegularUsers":false,"AllowStackManagementForRegularUsers":false,"AllowDeviceMappingForRegularUsers":false,"AllowContainerCapabilitiesForRegularUsers":false}`
+	jsonobject = `{"LogoURL":"","BlackListedLabels":[],"AuthenticationMethod":1,"InternalAuthSettings": {"RequiredPasswordLength": 12}"LDAPSettings":{"AnonymousMode":true,"ReaderDN":"","URL":"","TLSConfig":{"TLS":false,"TLSSkipVerify":false},"StartTLS":false,"SearchSettings":[{"BaseDN":"","Filter":"","UserNameAttribute":""}],"GroupSearchSettings":[{"GroupBaseDN":"","GroupFilter":"","GroupAttribute":""}],"AutoCreateUsers":true},"OAuthSettings":{"ClientID":"","AccessTokenURI":"","AuthorizationURI":"","ResourceURI":"","RedirectURI":"","UserIdentifier":"","Scopes":"","OAuthAutoCreateUsers":false,"DefaultTeamID":0,"SSO":true,"LogoutURI":"","KubeSecretKey":"j0zLVtY/lAWBk62ByyF0uP80SOXaitsABP0TTJX8MhI="},"OpenAMTConfiguration":{"Enabled":false,"MPSServer":"","MPSUser":"","MPSPassword":"","MPSToken":"","CertFileContent":"","CertFileName":"","CertFilePassword":"","DomainName":""},"FeatureFlagSettings":{},"SnapshotInterval":"5m","TemplatesURL":"https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json","EdgeAgentCheckinInterval":5,"EnableEdgeComputeFeatures":false,"UserSessionTimeout":"8h","KubeconfigExpiry":"0","EnableTelemetry":true,"HelmRepositoryURL":"https://charts.bitnami.com/bitnami","KubectlShellImage":"portainer/kubectl-shell","DisplayDonationHeader":false,"DisplayExternalContributors":false,"EnableHostManagementFeatures":false,"AllowVolumeBrowserForRegularUsers":false,"AllowBindMountsForRegularUsers":false,"AllowPrivilegedModeForRegularUsers":false,"AllowHostNamespaceForRegularUsers":false,"AllowStackManagementForRegularUsers":false,"AllowDeviceMappingForRegularUsers":false,"AllowContainerCapabilitiesForRegularUsers":false}`
 	passphrase = "my secret key"
 )
 

api/database/boltdb/tx.go

@@ -6,6 +6,7 @@ import (
 
 	dserrors "github.com/portainer/portainer/api/dataservices/errors"
 
+	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
 	bolt "go.etcd.io/bbolt"
 )
@@ -31,6 +32,33 @@ func (tx *DbTransaction) GetObject(bucketName string, key []byte, object any) er
 	return tx.conn.UnmarshalObject(value, object)
 }
 
+func (tx *DbTransaction) GetRawBytes(bucketName string, key []byte) ([]byte, error) {
+	bucket := tx.tx.Bucket([]byte(bucketName))
+
+	value := bucket.Get(key)
+	if value == nil {
+		return nil, fmt.Errorf("%w (bucket=%s, key=%s)", dserrors.ErrObjectNotFound, bucketName, keyToString(key))
+	}
+
+	if tx.conn.getEncryptionKey() != nil {
+		var err error
+
+		if value, err = decrypt(value, tx.conn.getEncryptionKey()); err != nil {
+			return value, errors.Wrap(err, "Failed decrypting object")
+		}
+	}
+
+	return value, nil
+}
+
+func (tx *DbTransaction) KeyExists(bucketName string, key []byte) (bool, error) {
+	bucket := tx.tx.Bucket([]byte(bucketName))
+
+	value := bucket.Get(key)
+
+	return value != nil, nil
+}
+
 func (tx *DbTransaction) UpdateObject(bucketName string, key []byte, object any) error {
 	data, err := tx.conn.MarshalObject(object)
 	if err != nil {

api/dataservices/base.go

@@ -9,6 +9,7 @@ import (
 type BaseCRUD[T any, I constraints.Integer] interface {
 	Create(element *T) error
 	Read(ID I) (*T, error)
+	Exists(ID I) (bool, error)
 	ReadAll() ([]T, error)
 	Update(ID I, element *T) error
 	Delete(ID I) error
@@ -42,6 +43,19 @@ func (service BaseDataService[T, I]) Read(ID I) (*T, error) {
 	})
 }
 
+func (service BaseDataService[T, I]) Exists(ID I) (bool, error) {
+	var exists bool
+
+	err := service.Connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		exists, err = service.Tx(tx).Exists(ID)
+
+		return err
+	})
+
+	return exists, err
+}
+
 func (service BaseDataService[T, I]) ReadAll() ([]T, error) {
 	var collection = make([]T, 0)
 

api/dataservices/base_tx.go

@@ -28,6 +28,12 @@ func (service BaseDataServiceTx[T, I]) Read(ID I) (*T, error) {
 	return &element, nil
 }
 
+func (service BaseDataServiceTx[T, I]) Exists(ID I) (bool, error) {
+	identifier := service.Connection.ConvertToKey(int(ID))
+
+	return service.Tx.KeyExists(service.Bucket, identifier)
+}
+
 func (service BaseDataServiceTx[T, I]) ReadAll() ([]T, error) {
 	var collection = make([]T, 0)
 

api/dataservices/endpointrelation/tx.go

@@ -93,6 +93,10 @@ func (service ServiceTx) AddEndpointRelationsForEdgeStack(endpointIDs []portaine
 		}
 	}
 
+	service.service.mu.Lock()
+	service.service.endpointRelationsCache = nil
+	service.service.mu.Unlock()
+
 	if err := service.service.updateStackFnTx(service.tx, edgeStackID, func(edgeStack *portainer.EdgeStack) {
 		edgeStack.NumDeployments += len(endpointIDs)
 	}); err != nil {
@@ -119,6 +123,10 @@ func (service ServiceTx) RemoveEndpointRelationsForEdgeStack(endpointIDs []porta
 		}
 	}
 
+	service.service.mu.Lock()
+	service.service.endpointRelationsCache = nil
+	service.service.mu.Unlock()
+
 	if err := service.service.updateStackFnTx(service.tx, edgeStackID, func(edgeStack *portainer.EdgeStack) {
 		edgeStack.NumDeployments -= len(endpointIDs)
 	}); err != nil {

api/dataservices/interface.go

@@ -159,6 +159,7 @@ type (
 
 	SnapshotService interface {
 		BaseCRUD[portainer.Snapshot, portainer.EndpointID]
+		ReadWithoutSnapshotRaw(ID portainer.EndpointID) (*portainer.Snapshot, error)
 	}
 
 	// SSLSettingsService represents a service for managing application settings

api/dataservices/snapshot/snapshot.go

@@ -38,3 +38,16 @@ func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
 func (service *Service) Create(snapshot *portainer.Snapshot) error {
 	return service.Connection.CreateObjectWithId(BucketName, int(snapshot.EndpointID), snapshot)
 }
+
+func (service *Service) ReadWithoutSnapshotRaw(ID portainer.EndpointID) (*portainer.Snapshot, error) {
+	var snapshot *portainer.Snapshot
+
+	err := service.Connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		snapshot, err = service.Tx(tx).ReadWithoutSnapshotRaw(ID)
+
+		return err
+	})
+
+	return snapshot, err
+}

api/dataservices/snapshot/tx.go

@@ -12,3 +12,26 @@ type ServiceTx struct {
 func (service ServiceTx) Create(snapshot *portainer.Snapshot) error {
 	return service.Tx.CreateObjectWithId(BucketName, int(snapshot.EndpointID), snapshot)
 }
+
+func (service ServiceTx) ReadWithoutSnapshotRaw(ID portainer.EndpointID) (*portainer.Snapshot, error) {
+	var snapshot struct {
+		Docker *struct {
+			X struct{} `json:"DockerSnapshotRaw"`
+			*portainer.DockerSnapshot
+		} `json:"Docker"`
+
+		portainer.Snapshot
+	}
+
+	identifier := service.Connection.ConvertToKey(int(ID))
+
+	if err := service.Tx.GetObject(service.Bucket, identifier, &snapshot); err != nil {
+		return nil, err
+	}
+
+	if snapshot.Docker != nil {
+		snapshot.Snapshot.Docker = snapshot.Docker.DockerSnapshot
+	}
+
+	return &snapshot.Snapshot, nil
+}

api/datastore/migrator/migrate_dbversion100.go

@@ -94,6 +94,10 @@ func (m *Migrator) updateEdgeStackStatusForDB100() error {
 				continue
 			}
 
+			if environmentStatus.Details == nil {
+				continue
+			}
+
 			statusArray := []portainer.EdgeStackDeploymentStatus{}
 			if environmentStatus.Details.Pending {
 				statusArray = append(statusArray, portainer.EdgeStackDeploymentStatus{

api/datastore/migrator/migrate_dbversion80.go

@@ -75,6 +75,10 @@ func (m *Migrator) updateEdgeStackStatusForDB80() error {
 
 	for _, edgeStack := range edgeStacks {
 		for endpointId, status := range edgeStack.Status {
+			if status.Details == nil {
+				status.Details = &portainer.EdgeStackStatusDetails{}
+			}
+
 			switch status.Type {
 			case portainer.EdgeStackStatusPending:
 				status.Details.Pending = true
@@ -93,10 +97,10 @@ func (m *Migrator) updateEdgeStackStatusForDB80() error {
 			edgeStack.Status[endpointId] = status
 		}
 
-		err = m.edgeStackService.UpdateEdgeStack(edgeStack.ID, &edgeStack)
-		if err != nil {
+		if err := m.edgeStackService.UpdateEdgeStack(edgeStack.ID, &edgeStack); err != nil {
 			return err
 		}
 	}
+
 	return nil
 }

api/datastore/test_data/output_24_to_latest.json

@@ -605,12 +605,12 @@
     "GlobalDeploymentOptions": {
       "hideStacksFunctionality": false
     },
-    "HelmRepositoryURL": "",
+    "HelmRepositoryURL": "https://charts.bitnami.com/bitnami",
     "InternalAuthSettings": {
       "RequiredPasswordLength": 12
     },
     "KubeconfigExpiry": "0",
-    "KubectlShellImage": "portainer/kubectl-shell:2.27.1",
+    "KubectlShellImage": "portainer/kubectl-shell:2.29.2",
     "LDAPSettings": {
       "AnonymousMode": true,
       "AutoCreateUsers": true,
@@ -943,7 +943,7 @@
     }
   ],
   "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.27.1\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+    "VERSION": "{\"SchemaVersion\":\"2.29.2\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
   },
   "webhooks": null
 }

api/exec/exectest/kubernetes_mocks.go

@@ -4,17 +4,11 @@ import (
 	portainer "github.com/portainer/portainer/api"
 )
 
-type kubernetesMockDeployer struct{}
+type kubernetesMockDeployer struct {
+	portainer.KubernetesDeployer
+}
 
 // NewKubernetesDeployer creates a mock kubernetes deployer
-func NewKubernetesDeployer() portainer.KubernetesDeployer {
+func NewKubernetesDeployer() *kubernetesMockDeployer {
 	return &kubernetesMockDeployer{}
 }
-
-func (deployer *kubernetesMockDeployer) Deploy(userID portainer.UserID, endpoint *portainer.Endpoint, manifestFiles []string, namespace string) (string, error) {
-	return "", nil
-}
-
-func (deployer *kubernetesMockDeployer) Remove(userID portainer.UserID, endpoint *portainer.Endpoint, manifestFiles []string, namespace string) (string, error) {
-	return "", nil
-}

api/filesystem/copy.go

@@ -68,7 +68,7 @@ func copyFile(src, dst string) error {
 	defer from.Close()
 
 	// has to include 'execute' bit, otherwise fails. MkdirAll follows `mkdir -m` restrictions
-	if err := os.MkdirAll(filepath.Dir(dst), 0744); err != nil {
+	if err := os.MkdirAll(filepath.Dir(dst), 0755); err != nil {
 		return err
 	}
 	to, err := os.Create(dst)

api/filesystem/serialize_per_dev_configs.go

@@ -15,15 +15,19 @@ type MultiFilterArgs []struct {
 }
 
 // MultiFilterDirForPerDevConfigs filers the given dirEntries with multiple filter args, returns the merged entries for the given device
-func MultiFilterDirForPerDevConfigs(dirEntries []DirEntry, configPath string, multiFilterArgs MultiFilterArgs) []DirEntry {
+func MultiFilterDirForPerDevConfigs(dirEntries []DirEntry, configPath string, multiFilterArgs MultiFilterArgs) ([]DirEntry, []string) {
 	var filteredDirEntries []DirEntry
 
+	var envFiles []string
+
 	for _, multiFilterArg := range multiFilterArgs {
-		tmp := FilterDirForPerDevConfigs(dirEntries, multiFilterArg.FilterKey, configPath, multiFilterArg.FilterType)
+		tmp, efs := FilterDirForPerDevConfigs(dirEntries, multiFilterArg.FilterKey, configPath, multiFilterArg.FilterType)
 		filteredDirEntries = append(filteredDirEntries, tmp...)
+
+		envFiles = append(envFiles, efs...)
 	}
 
-	return deduplicate(filteredDirEntries)
+	return deduplicate(filteredDirEntries), envFiles
 }
 
 func deduplicate(dirEntries []DirEntry) []DirEntry {
@@ -32,8 +36,7 @@ func deduplicate(dirEntries []DirEntry) []DirEntry {
 	marks := make(map[string]struct{})
 
 	for _, dirEntry := range dirEntries {
-		_, ok := marks[dirEntry.Name]
-		if !ok {
+		if _, ok := marks[dirEntry.Name]; !ok {
 			marks[dirEntry.Name] = struct{}{}
 			deduplicatedDirEntries = append(deduplicatedDirEntries, dirEntry)
 		}
@@ -50,20 +53,25 @@ func deduplicate(dirEntries []DirEntry) []DirEntry {
 //  3. For filterType dir:
 //     dir entry:   A/B/C/<deviceName>
 //     all entries: A/B/C/<deviceName>/*
-func FilterDirForPerDevConfigs(dirEntries []DirEntry, deviceName, configPath string, filterType portainer.PerDevConfigsFilterType) []DirEntry {
+func FilterDirForPerDevConfigs(dirEntries []DirEntry, deviceName, configPath string, filterType portainer.PerDevConfigsFilterType) ([]DirEntry, []string) {
 	var filteredDirEntries []DirEntry
 
+	var envFiles []string
+
 	for _, dirEntry := range dirEntries {
 		if shouldIncludeEntry(dirEntry, deviceName, configPath, filterType) {
 			filteredDirEntries = append(filteredDirEntries, dirEntry)
+
+			if shouldParseEnvVars(dirEntry, deviceName, configPath, filterType) {
+				envFiles = append(envFiles, dirEntry.Name)
+			}
 		}
 	}
 
-	return filteredDirEntries
+	return filteredDirEntries, envFiles
 }
 
 func shouldIncludeEntry(dirEntry DirEntry, deviceName, configPath string, filterType portainer.PerDevConfigsFilterType) bool {
-
 	// Include all entries outside of dir A
 	if !isInConfigDir(dirEntry, configPath) {
 		return true
@@ -120,6 +128,15 @@ func shouldIncludeDir(dirEntry DirEntry, deviceName, configPath string) bool {
 	return strings.HasPrefix(dirEntry.Name, filterPrefix)
 }
 
+func shouldParseEnvVars(dirEntry DirEntry, deviceName, configPath string, filterType portainer.PerDevConfigsFilterType) bool {
+	if !dirEntry.IsFile {
+		return false
+	}
+
+	return isInConfigDir(dirEntry, configPath) &&
+		filepath.Base(dirEntry.Name) == deviceName+".env"
+}
+
 func appendTailSeparator(path string) string {
 	return fmt.Sprintf("%s%c", path, os.PathSeparator)
 }

api/filesystem/serialize_per_dev_configs_test.go

@@ -4,14 +4,17 @@ import (
 	"testing"
 
 	portainer "github.com/portainer/portainer/api"
+
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestMultiFilterDirForPerDevConfigs(t *testing.T) {
-	type args struct {
-		dirEntries      []DirEntry
-		configPath      string
-		multiFilterArgs MultiFilterArgs
+	f := func(dirEntries []DirEntry, configPath string, multiFilterArgs MultiFilterArgs, wantDirEntries []DirEntry) {
+		t.Helper()
+
+		dirEntries, _ = MultiFilterDirForPerDevConfigs(dirEntries, configPath, multiFilterArgs)
+		require.Equal(t, wantDirEntries, dirEntries)
 	}
 
 	baseDirEntries := []DirEntry{
@@ -26,69 +29,75 @@ func TestMultiFilterDirForPerDevConfigs(t *testing.T) {
 		{"configs/folder2/config2", "", true, 420},
 	}
 
-	tests := []struct {
-		name string
-		args args
-		want []DirEntry
-	}{
-		{
-			name: "filter file1",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{{"file1", portainer.PerDevConfigsTypeFile}},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3]},
+	// Filter file1
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{{"file1", portainer.PerDevConfigsTypeFile}},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3]},
+	)
+
+	// Filter folder1
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{{"folder1", portainer.PerDevConfigsTypeDir}},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6]},
+	)
+
+	// Filter file1 and folder1
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{{"folder1", portainer.PerDevConfigsTypeDir}},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6]},
+	)
+
+	// Filter file1 and file2
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{
+			{"file1", portainer.PerDevConfigsTypeFile},
+			{"file2", portainer.PerDevConfigsTypeFile},
 		},
-		{
-			name: "filter folder1",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{{"folder1", portainer.PerDevConfigsTypeDir}},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6]},
-		},
-		{
-			name: "filter file1 and folder1",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{{"folder1", portainer.PerDevConfigsTypeDir}},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6]},
-		},
-		{
-			name: "filter file1 and file2",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{
-					{"file1", portainer.PerDevConfigsTypeFile},
-					{"file2", portainer.PerDevConfigsTypeFile},
-				},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3], baseDirEntries[4]},
-		},
-		{
-			name: "filter folder1 and folder2",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{
-					{"folder1", portainer.PerDevConfigsTypeDir},
-					{"folder2", portainer.PerDevConfigsTypeDir},
-				},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6], baseDirEntries[7], baseDirEntries[8]},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3], baseDirEntries[4]},
+	)
+
+	// Filter folder1 and folder2
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{
+			{"folder1", portainer.PerDevConfigsTypeDir},
+			{"folder2", portainer.PerDevConfigsTypeDir},
 		},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6], baseDirEntries[7], baseDirEntries[8]},
+	)
+}
+
+func TestMultiFilterDirForPerDevConfigsEnvFiles(t *testing.T) {
+	f := func(dirEntries []DirEntry, configPath string, multiFilterArgs MultiFilterArgs, wantEnvFiles []string) {
+		t.Helper()
+
+		_, envFiles := MultiFilterDirForPerDevConfigs(dirEntries, configPath, multiFilterArgs)
+		require.Equal(t, wantEnvFiles, envFiles)
 	}
 
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			assert.Equalf(t, tt.want, MultiFilterDirForPerDevConfigs(tt.args.dirEntries, tt.args.configPath, tt.args.multiFilterArgs), "MultiFilterDirForPerDevConfigs(%v, %v, %v)", tt.args.dirEntries, tt.args.configPath, tt.args.multiFilterArgs)
-		})
+	baseDirEntries := []DirEntry{
+		{".env", "", true, 420},
+		{"docker-compose.yaml", "", true, 420},
+		{"configs", "", false, 420},
+		{"configs/edge-id/edge-id.env", "", true, 420},
 	}
+
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{{"edge-id", portainer.PerDevConfigsTypeDir}},
+		[]string{"configs/edge-id/edge-id.env"},
+	)
+
 }
 
 func TestIsInConfigDir(t *testing.T) {

api/http/handler/edgegroups/edgegroup_update.go

@@ -24,10 +24,6 @@ type edgeGroupUpdatePayload struct {
 }
 
 func (payload *edgeGroupUpdatePayload) Validate(r *http.Request) error {
-	if len(payload.Name) == 0 {
-		return errors.New("invalid Edge group name")
-	}
-
 	if payload.Dynamic && len(payload.TagIDs) == 0 {
 		return errors.New("tagIDs is mandatory for a dynamic Edge group")
 	}
@@ -35,7 +31,7 @@ func (payload *edgeGroupUpdatePayload) Validate(r *http.Request) error {
 	return nil
 }
 
-// @id EgeGroupUpdate
+// @id EdgeGroupUpdate
 // @summary Updates an EdgeGroup
 // @description **Access policy**: administrator
 // @tags edge_groups

api/http/handler/edgestacks/edgestack_update.go

@@ -145,11 +145,15 @@ func (handler *Handler) handleChangeEdgeGroups(tx dataservices.DataStoreTx, edge
 	relatedEnvironmentsToRemove := oldRelatedEnvironmentsSet.Difference(newRelatedEnvironmentsSet)
 
 	if len(relatedEnvironmentsToRemove) > 0 {
-		tx.EndpointRelation().RemoveEndpointRelationsForEdgeStack(relatedEnvironmentsToRemove.Keys(), edgeStackID)
+		if err := tx.EndpointRelation().RemoveEndpointRelationsForEdgeStack(relatedEnvironmentsToRemove.Keys(), edgeStackID); err != nil {
+			return nil, nil, errors.WithMessage(err, "Unable to remove edge stack relations from the database")
+		}
 	}
 
 	if len(relatedEnvironmentsToAdd) > 0 {
-		tx.EndpointRelation().AddEndpointRelationsForEdgeStack(relatedEnvironmentsToAdd.Keys(), edgeStackID)
+		if err := tx.EndpointRelation().AddEndpointRelationsForEdgeStack(relatedEnvironmentsToAdd.Keys(), edgeStackID); err != nil {
+			return nil, nil, errors.WithMessage(err, "Unable to add edge stack relations to the database")
+		}
 	}
 
 	return newRelatedEnvironmentIDs, relatedEnvironmentsToAdd, nil

api/http/handler/endpoints/endpoint_dockerhub_status.go

@@ -80,6 +80,13 @@ func (handler *Handler) endpointDockerhubStatus(w http.ResponseWriter, r *http.R
 		}
 	}
 
+	if handler.PullLimitCheckDisabled {
+		return response.JSON(w, &dockerhubStatusResponse{
+			Limit:     10,
+			Remaining: 10,
+		})
+	}
+
 	httpClient := client.NewHTTPClient()
 	token, err := getDockerHubToken(httpClient, registry)
 	if err != nil {

api/http/handler/endpoints/endpoint_inspect.go

@@ -19,6 +19,8 @@ import (
 // @security jwt
 // @produce json
 // @param id path int true "Environment(Endpoint) identifier"
+// @param excludeSnapshot query bool false "if true, the snapshot data won't be retrieved"
+// @param excludeSnapshotRaw query bool false "if true, the SnapshotRaw field won't be retrieved"
 // @success 200 {object} portainer.Endpoint "Success"
 // @failure 400 "Invalid request"
 // @failure 404 "Environment(Endpoint) not found"
@@ -37,8 +39,7 @@ func (handler *Handler) endpointInspect(w http.ResponseWriter, r *http.Request)
 		return httperror.InternalServerError("Unable to find an environment with the specified identifier inside the database", err)
 	}
 
-	err = handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint)
-	if err != nil {
+	if err := handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint); err != nil {
 		return httperror.Forbidden("Permission denied to access environment", err)
 	}
 
@@ -51,9 +52,11 @@ func (handler *Handler) endpointInspect(w http.ResponseWriter, r *http.Request)
 	endpointutils.UpdateEdgeEndpointHeartbeat(endpoint, settings)
 	endpoint.ComposeSyntaxMaxVersion = handler.ComposeStackManager.ComposeSyntaxMaxVersion()
 
-	if !excludeSnapshot(r) {
-		err = handler.SnapshotService.FillSnapshotData(endpoint)
-		if err != nil {
+	excludeSnapshot, _ := request.RetrieveBooleanQueryParameter(r, "excludeSnapshot", true)
+	excludeRaw, _ := request.RetrieveBooleanQueryParameter(r, "excludeSnapshotRaw", true)
+
+	if !excludeSnapshot {
+		if err := handler.SnapshotService.FillSnapshotData(endpoint, !excludeRaw); err != nil {
 			return httperror.InternalServerError("Unable to add snapshot data", err)
 		}
 	}
@@ -83,9 +86,3 @@ func (handler *Handler) endpointInspect(w http.ResponseWriter, r *http.Request)
 
 	return response.JSON(w, endpoint)
 }
-
-func excludeSnapshot(r *http.Request) bool {
-	excludeSnapshot, _ := request.RetrieveBooleanQueryParameter(r, "excludeSnapshot", true)
-
-	return excludeSnapshot
-}

api/http/handler/endpoints/endpoint_list.go

@@ -38,15 +38,19 @@ const (
 // @param tagIds query []int false "search environments(endpoints) with these tags (depends on tagsPartialMatch)"
 // @param tagsPartialMatch query bool false "If true, will return environment(endpoint) which has one of tagIds, if false (or missing) will return only environments(endpoints) that has all the tags"
 // @param endpointIds query []int false "will return only these environments(endpoints)"
+// @param excludeIds query []int false "will exclude these environments(endpoints)"
 // @param provisioned query bool false "If true, will return environment(endpoint) that were provisioned"
 // @param agentVersions query []string false "will return only environments with on of these agent versions"
 // @param edgeAsync query bool false "if exists true show only edge async agents, false show only standard edge agents. if missing, will show both types (relevant only for edge agents)"
 // @param edgeDeviceUntrusted query bool false "if true, show only untrusted edge agents, if false show only trusted edge agents (relevant only for edge agents)"
 // @param edgeCheckInPassedSeconds query number false "if bigger then zero, show only edge agents that checked-in in the last provided seconds (relevant only for edge agents)"
 // @param excludeSnapshots query bool false "if true, the snapshot data won't be retrieved"
+// @param excludeSnapshotRaw query bool false "if true, the SnapshotRaw field won't be retrieved"
 // @param name query string false "will return only environments(endpoints) with this name"
 // @param edgeStackId query portainer.EdgeStackID false "will return the environements of the specified edge stack"
 // @param edgeStackStatus query string false "only applied when edgeStackId exists. Filter the returned environments based on their deployment status in the stack (not the environment status!)" Enum("Pending", "Ok", "Error", "Acknowledged", "Remove", "RemoteUpdateSuccess", "ImagesPulled")
+// @param edgeGroupIds query []int false "List environments(endpoints) of these edge groups"
+// @param excludeEdgeGroupIds query []int false "Exclude environments(endpoints) of these edge groups"
 // @success 200 {array} portainer.Endpoint "Endpoints"
 // @failure 500 "Server error"
 // @router /endpoints [get]
@@ -59,6 +63,7 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht
 	limit, _ := request.RetrieveNumericQueryParameter(r, "limit", true)
 	sortField, _ := request.RetrieveQueryParameter(r, "sort", true)
 	sortOrder, _ := request.RetrieveQueryParameter(r, "order", true)
+	excludeRaw, _ := request.RetrieveBooleanQueryParameter(r, "excludeSnapshotRaw", true)
 
 	endpointGroups, err := handler.DataStore.EndpointGroup().ReadAll()
 	if err != nil {
@@ -105,14 +110,16 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht
 
 	for idx := range paginatedEndpoints {
 		hideFields(&paginatedEndpoints[idx])
+
 		paginatedEndpoints[idx].ComposeSyntaxMaxVersion = handler.ComposeStackManager.ComposeSyntaxMaxVersion()
 		if paginatedEndpoints[idx].EdgeCheckinInterval == 0 {
 			paginatedEndpoints[idx].EdgeCheckinInterval = settings.EdgeAgentCheckinInterval
 		}
+
 		endpointutils.UpdateEdgeEndpointHeartbeat(&paginatedEndpoints[idx], settings)
+
 		if !query.excludeSnapshots {
-			err = handler.SnapshotService.FillSnapshotData(&paginatedEndpoints[idx])
-			if err != nil {
+			if err := handler.SnapshotService.FillSnapshotData(&paginatedEndpoints[idx], !excludeRaw); err != nil {
 				return httperror.InternalServerError("Unable to add snapshot data", err)
 			}
 		}
@@ -120,6 +127,7 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht
 
 	w.Header().Set("X-Total-Count", strconv.Itoa(filteredEndpointCount))
 	w.Header().Set("X-Total-Available", strconv.Itoa(totalAvailableEndpoints))
+
 	return response.JSON(w, paginatedEndpoints)
 }
 
@@ -130,18 +138,8 @@ func paginateEndpoints(endpoints []portainer.Endpoint, start, limit int) []porta
 
 	endpointCount := len(endpoints)
 
-	if start < 0 {
-		start = 0
-	}
-
-	if start > endpointCount {
-		start = endpointCount
-	}
-
-	end := start + limit
-	if end > endpointCount {
-		end = endpointCount
-	}
+	start = min(max(start, 0), endpointCount)
+	end := min(start+limit, endpointCount)
 
 	return endpoints[start:end]
 }
@@ -151,8 +149,10 @@ func getEndpointGroup(groupID portainer.EndpointGroupID, groups []portainer.Endp
 	for _, group := range groups {
 		if group.ID == groupID {
 			endpointGroup = group
+
 			break
 		}
 	}
+
 	return endpointGroup
 }

api/http/handler/endpoints/endpoint_update.go

@@ -272,7 +272,7 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 		}
 	}
 
-	if err := handler.SnapshotService.FillSnapshotData(endpoint); err != nil {
+	if err := handler.SnapshotService.FillSnapshotData(endpoint, true); err != nil {
 		return httperror.InternalServerError("Unable to add snapshot data", err)
 	}
 

api/http/handler/endpoints/filter.go

@@ -37,6 +37,8 @@ type EnvironmentsQuery struct {
 	edgeStackId              portainer.EdgeStackID
 	edgeStackStatus          *portainer.EdgeStackStatusType
 	excludeIds               []portainer.EndpointID
+	edgeGroupIds             []portainer.EdgeGroupID
+	excludeEdgeGroupIds      []portainer.EdgeGroupID
 }
 
 func parseQuery(r *http.Request) (EnvironmentsQuery, error) {
@@ -77,6 +79,16 @@ func parseQuery(r *http.Request) (EnvironmentsQuery, error) {
 		return EnvironmentsQuery{}, err
 	}
 
+	edgeGroupIDs, err := getNumberArrayQueryParameter[portainer.EdgeGroupID](r, "edgeGroupIds")
+	if err != nil {
+		return EnvironmentsQuery{}, err
+	}
+
+	excludeEdgeGroupIds, err := getNumberArrayQueryParameter[portainer.EdgeGroupID](r, "excludeEdgeGroupIds")
+	if err != nil {
+		return EnvironmentsQuery{}, err
+	}
+
 	agentVersions := getArrayQueryParameter(r, "agentVersions")
 
 	name, _ := request.RetrieveQueryParameter(r, "name", true)
@@ -117,6 +129,8 @@ func parseQuery(r *http.Request) (EnvironmentsQuery, error) {
 		edgeCheckInPassedSeconds: edgeCheckInPassedSeconds,
 		edgeStackId:              portainer.EdgeStackID(edgeStackId),
 		edgeStackStatus:          edgeStackStatus,
+		edgeGroupIds:             edgeGroupIDs,
+		excludeEdgeGroupIds:      excludeEdgeGroupIds,
 	}, nil
 }
 
@@ -143,6 +157,14 @@ func (handler *Handler) filterEndpointsByQuery(
 		filteredEndpoints = filterEndpointsByGroupIDs(filteredEndpoints, query.groupIds)
 	}
 
+	if len(query.edgeGroupIds) > 0 {
+		filteredEndpoints, edgeGroups = filterEndpointsByEdgeGroupIDs(filteredEndpoints, edgeGroups, query.edgeGroupIds)
+	}
+
+	if len(query.excludeEdgeGroupIds) > 0 {
+		filteredEndpoints, edgeGroups = filterEndpointsByExcludeEdgeGroupIDs(filteredEndpoints, edgeGroups, query.excludeEdgeGroupIds)
+	}
+
 	if query.name != "" {
 		filteredEndpoints = filterEndpointsByName(filteredEndpoints, query.name)
 	}
@@ -295,6 +317,70 @@ func filterEndpointsByGroupIDs(endpoints []portainer.Endpoint, endpointGroupIDs
 	return endpoints[:n]
 }
 
+func filterEndpointsByEdgeGroupIDs(endpoints []portainer.Endpoint, edgeGroups []portainer.EdgeGroup, edgeGroupIDs []portainer.EdgeGroupID) ([]portainer.Endpoint, []portainer.EdgeGroup) {
+	edgeGroupIDFilterSet := make(map[portainer.EdgeGroupID]struct{}, len(edgeGroupIDs))
+	for _, id := range edgeGroupIDs {
+		edgeGroupIDFilterSet[id] = struct{}{}
+	}
+
+	n := 0
+	for _, edgeGroup := range edgeGroups {
+		if _, exists := edgeGroupIDFilterSet[edgeGroup.ID]; exists {
+			edgeGroups[n] = edgeGroup
+			n++
+		}
+	}
+	edgeGroups = edgeGroups[:n]
+
+	endpointIDSet := make(map[portainer.EndpointID]struct{})
+	for _, edgeGroup := range edgeGroups {
+		for _, endpointID := range edgeGroup.Endpoints {
+			endpointIDSet[endpointID] = struct{}{}
+		}
+	}
+
+	n = 0
+	for _, endpoint := range endpoints {
+		if _, exists := endpointIDSet[endpoint.ID]; exists {
+			endpoints[n] = endpoint
+			n++
+		}
+	}
+
+	return endpoints[:n], edgeGroups
+}
+
+func filterEndpointsByExcludeEdgeGroupIDs(endpoints []portainer.Endpoint, edgeGroups []portainer.EdgeGroup, excludeEdgeGroupIds []portainer.EdgeGroupID) ([]portainer.Endpoint, []portainer.EdgeGroup) {
+	excludeEdgeGroupIDSet := make(map[portainer.EdgeGroupID]struct{}, len(excludeEdgeGroupIds))
+	for _, id := range excludeEdgeGroupIds {
+		excludeEdgeGroupIDSet[id] = struct{}{}
+	}
+
+	n := 0
+	excludeEndpointIDSet := make(map[portainer.EndpointID]struct{})
+	for _, edgeGroup := range edgeGroups {
+		if _, ok := excludeEdgeGroupIDSet[edgeGroup.ID]; ok {
+			for _, endpointID := range edgeGroup.Endpoints {
+				excludeEndpointIDSet[endpointID] = struct{}{}
+			}
+		} else {
+			edgeGroups[n] = edgeGroup
+			n++
+		}
+	}
+	edgeGroups = edgeGroups[:n]
+
+	n = 0
+	for _, endpoint := range endpoints {
+		if _, ok := excludeEndpointIDSet[endpoint.ID]; !ok {
+			endpoints[n] = endpoint
+			n++
+		}
+	}
+
+	return endpoints[:n], edgeGroups
+}
+
 func filterEndpointsBySearchCriteria(
 	endpoints []portainer.Endpoint,
 	endpointGroups []portainer.EndpointGroup,

api/http/handler/endpoints/handler.go

@@ -26,19 +26,20 @@ func hideFields(endpoint *portainer.Endpoint) {
 // Handler is the HTTP handler used to handle environment(endpoint) operations.
 type Handler struct {
 	*mux.Router
-	requestBouncer        security.BouncerService
-	DataStore             dataservices.DataStore
-	FileService           portainer.FileService
-	ProxyManager          *proxy.Manager
-	ReverseTunnelService  portainer.ReverseTunnelService
-	SnapshotService       portainer.SnapshotService
-	K8sClientFactory      *cli.ClientFactory
-	ComposeStackManager   portainer.ComposeStackManager
-	AuthorizationService  *authorization.Service
-	DockerClientFactory   *dockerclient.ClientFactory
-	BindAddress           string
-	BindAddressHTTPS      string
-	PendingActionsService *pendingactions.PendingActionsService
+	requestBouncer         security.BouncerService
+	DataStore              dataservices.DataStore
+	FileService            portainer.FileService
+	ProxyManager           *proxy.Manager
+	ReverseTunnelService   portainer.ReverseTunnelService
+	SnapshotService        portainer.SnapshotService
+	K8sClientFactory       *cli.ClientFactory
+	ComposeStackManager    portainer.ComposeStackManager
+	AuthorizationService   *authorization.Service
+	DockerClientFactory    *dockerclient.ClientFactory
+	BindAddress            string
+	BindAddressHTTPS       string
+	PendingActionsService  *pendingactions.PendingActionsService
+	PullLimitCheckDisabled bool
 }
 
 // NewHandler creates a handler to manage environment(endpoint) operations.

api/http/handler/handler.go

@@ -81,7 +81,7 @@ type Handler struct {
 }
 
 // @title PortainerCE API
-// @version 2.27.1
+// @version 2.29.2
 // @description.markdown api-description.md
 // @termsOfService
 

api/http/handler/helm/handler.go

@@ -1,6 +1,7 @@
 package helm
 
 import (
+	"fmt"
 	"net/http"
 
 	portainer "github.com/portainer/portainer/api"
@@ -8,8 +9,8 @@ import (
 	"github.com/portainer/portainer/api/http/middlewares"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/kubernetes"
-	"github.com/portainer/portainer/pkg/libhelm"
 	"github.com/portainer/portainer/pkg/libhelm/options"
+	libhelmtypes "github.com/portainer/portainer/pkg/libhelm/types"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 
 	"github.com/gorilla/mux"
@@ -23,11 +24,11 @@ type Handler struct {
 	jwtService               portainer.JWTService
 	kubeClusterAccessService kubernetes.KubeClusterAccessService
 	kubernetesDeployer       portainer.KubernetesDeployer
-	helmPackageManager       libhelm.HelmPackageManager
+	helmPackageManager       libhelmtypes.HelmPackageManager
 }
 
 // NewHandler creates a handler to manage endpoint group operations.
-func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStore, jwtService portainer.JWTService, kubernetesDeployer portainer.KubernetesDeployer, helmPackageManager libhelm.HelmPackageManager, kubeClusterAccessService kubernetes.KubeClusterAccessService) *Handler {
+func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStore, jwtService portainer.JWTService, kubernetesDeployer portainer.KubernetesDeployer, helmPackageManager libhelmtypes.HelmPackageManager, kubeClusterAccessService kubernetes.KubeClusterAccessService) *Handler {
 	h := &Handler{
 		Router:                   mux.NewRouter(),
 		requestBouncer:           bouncer,
@@ -53,11 +54,19 @@ func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStor
 	h.Handle("/{id}/kubernetes/helm",
 		httperror.LoggerHandler(h.helmInstall)).Methods(http.MethodPost)
 
+	// `helm get all [RELEASE_NAME]`
+	h.Handle("/{id}/kubernetes/helm/{release}",
+		httperror.LoggerHandler(h.helmGet)).Methods(http.MethodGet)
+
+	// `helm history [RELEASE_NAME]`
+	h.Handle("/{id}/kubernetes/helm/{release}/history",
+		httperror.LoggerHandler(h.helmGetHistory)).Methods(http.MethodGet)
+
 	return h
 }
 
 // NewTemplateHandler creates a template handler to manage environment(endpoint) group operations.
-func NewTemplateHandler(bouncer security.BouncerService, helmPackageManager libhelm.HelmPackageManager) *Handler {
+func NewTemplateHandler(bouncer security.BouncerService, helmPackageManager libhelmtypes.HelmPackageManager) *Handler {
 	h := &Handler{
 		Router:             mux.NewRouter(),
 		helmPackageManager: helmPackageManager,
@@ -78,7 +87,7 @@ func NewTemplateHandler(bouncer security.BouncerService, helmPackageManager libh
 
 // getHelmClusterAccess obtains the core k8s cluster access details from request.
 // The cluster access includes the cluster server url, the user's bearer token and the tls certificate.
-// The cluster access is passed in as kube config CLI params to helm binary.
+// The cluster access is passed in as kube config CLI params to helm.
 func (handler *Handler) getHelmClusterAccess(r *http.Request) (*options.KubernetesClusterAccess, *httperror.HandlerError) {
 	endpoint, err := middlewares.FetchEndpoint(r)
 	if err != nil {
@@ -107,6 +116,9 @@ func (handler *Handler) getHelmClusterAccess(r *http.Request) (*options.Kubernet
 
 	kubeConfigInternal := handler.kubeClusterAccessService.GetClusterDetails(hostURL, endpoint.ID, true)
 	return &options.KubernetesClusterAccess{
+		ClusterName:              fmt.Sprintf("%s-%s", "portainer-cluster", endpoint.Name),
+		ContextName:              fmt.Sprintf("%s-%s", "portainer-ctx", endpoint.Name),
+		UserName:                 fmt.Sprintf("%s-%s", "portainer-sa-user", tokenData.Username),
 		ClusterServerURL:         kubeConfigInternal.ClusterServerURL,
 		CertificateAuthorityFile: kubeConfigInternal.CertificateAuthorityFile,
 		AuthToken:                bearerToken,

api/http/handler/helm/helm_delete_test.go

@@ -13,8 +13,8 @@ import (
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"
 	"github.com/portainer/portainer/api/kubernetes"
-	"github.com/portainer/portainer/pkg/libhelm/binary/test"
 	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/test"
 
 	"github.com/stretchr/testify/assert"
 )
@@ -34,7 +34,7 @@ func Test_helmDelete(t *testing.T) {
 	is.NoError(err, "Error initiating jwt service")
 
 	kubernetesDeployer := exectest.NewKubernetesDeployer()
-	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
+	helmPackageManager := test.NewMockHelmPackageManager()
 	kubeClusterAccessService := kubernetes.NewKubeClusterAccessService("", "", "")
 	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeClusterAccessService)
 
@@ -42,7 +42,7 @@ func Test_helmDelete(t *testing.T) {
 
 	// Install a single chart directly, to be deleted by the handler
 	options := options.InstallOptions{Name: "nginx-1", Chart: "nginx", Namespace: "default"}
-	h.helmPackageManager.Install(options)
+	h.helmPackageManager.Upgrade(options)
 
 	t.Run("helmDelete succeeds with admin user", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodDelete, "/1/kubernetes/helm/"+options.Name, nil)

api/http/handler/helm/helm_get.go

@@ -0,0 +1,67 @@
+package helm
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	_ "github.com/portainer/portainer/pkg/libhelm/release"
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/libhttp/response"
+)
+
+// @id HelmGet
+// @summary Get a helm release
+// @description Get details of a helm release by release name
+// @description **Access policy**: authenticated
+// @tags helm
+// @security ApiKeyAuth || jwt
+// @produce json
+// @param id path int true "Environment(Endpoint) identifier"
+// @param name path string true "Helm release name"
+// @param namespace query string false "specify an optional namespace"
+// @param showResources query boolean false "show resources of the release"
+// @param revision query int false "specify an optional revision"
+// @success 200 {object} release.Release "Success"
+// @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
+// @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
+// @failure 403 "Permission denied - the user is authenticated but does not have the necessary permissions to access the requested resource or perform the specified operation. Check your user roles and permissions."
+// @failure 404 "Unable to find an environment with the specified identifier."
+// @failure 500 "Server error occurred while attempting to retrieve the release."
+// @router /endpoints/{id}/kubernetes/helm/{name} [get]
+func (handler *Handler) helmGet(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	release, err := request.RetrieveRouteVariableValue(r, "release")
+	if err != nil {
+		return httperror.BadRequest("No release specified", err)
+	}
+
+	clusterAccess, httperr := handler.getHelmClusterAccess(r)
+	if httperr != nil {
+		return httperr
+	}
+
+	// build the get options
+	getOpts := options.GetOptions{
+		KubernetesClusterAccess: clusterAccess,
+		Name:                    release,
+	}
+	namespace, _ := request.RetrieveQueryParameter(r, "namespace", true)
+	// optional namespace.  The library defaults to "default"
+	if namespace != "" {
+		getOpts.Namespace = namespace
+	}
+	showResources, _ := request.RetrieveBooleanQueryParameter(r, "showResources", true)
+	getOpts.ShowResources = showResources
+	revision, _ := request.RetrieveNumericQueryParameter(r, "revision", true)
+	// optional revision.  The library defaults to the latest revision if not specified
+	if revision > 0 {
+		getOpts.Revision = revision
+	}
+
+	releases, err := handler.helmPackageManager.Get(getOpts)
+	if err != nil {
+		return httperror.InternalServerError("Helm returned an error", err)
+	}
+
+	return response.JSON(w, releases)
+}

api/http/handler/helm/helm_get_test.go

@@ -0,0 +1,66 @@
+package helm
+
+import (
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/exec/exectest"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/testhelpers"
+	helper "github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/jwt"
+	"github.com/portainer/portainer/api/kubernetes"
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/portainer/portainer/pkg/libhelm/test"
+
+	"github.com/segmentio/encoding/json"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_helmGet(t *testing.T) {
+	is := assert.New(t)
+
+	_, store := datastore.MustNewTestStore(t, true, true)
+
+	err := store.Endpoint().Create(&portainer.Endpoint{ID: 1})
+	is.NoError(err, "Error creating environment")
+
+	err = store.User().Create(&portainer.User{Username: "admin", Role: portainer.AdministratorRole})
+	is.NoError(err, "Error creating a user")
+
+	jwtService, err := jwt.NewService("1h", store)
+	is.NoError(err, "Error initiating jwt service")
+
+	kubernetesDeployer := exectest.NewKubernetesDeployer()
+	helmPackageManager := test.NewMockHelmPackageManager()
+	kubeClusterAccessService := kubernetes.NewKubeClusterAccessService("", "", "")
+	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeClusterAccessService)
+
+	is.NotNil(h, "Handler should not fail")
+
+	// Install a single chart, to be retrieved by the handler
+	options := options.InstallOptions{Name: "nginx-1", Chart: "nginx", Namespace: "default"}
+	h.helmPackageManager.Upgrade(options)
+
+	t.Run("helmGet sucessfuly retrieves helm release", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/1/kubernetes/helm/"+options.Name+"?namespace="+options.Namespace, nil)
+		ctx := security.StoreTokenData(req, &portainer.TokenData{ID: 1, Username: "admin", Role: 1})
+		req = req.WithContext(ctx)
+		testhelpers.AddTestSecurityCookie(req, "Bearer dummytoken")
+
+		rr := httptest.NewRecorder()
+		h.ServeHTTP(rr, req)
+
+		data := release.Release{}
+		body, err := io.ReadAll(rr.Body)
+		is.NoError(err, "ReadAll should not return error")
+		json.Unmarshal(body, &data)
+		is.Equal(http.StatusOK, rr.Code, "Status should be 200")
+		is.Equal("nginx-1", data.Name)
+	})
+}

api/http/handler/helm/helm_history.go

@@ -0,0 +1,58 @@
+package helm
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	_ "github.com/portainer/portainer/pkg/libhelm/release"
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/libhttp/response"
+)
+
+// @id HelmGetHistory
+// @summary Get a historical list of releases
+// @description Get a historical list of releases by release name
+// @description **Access policy**: authenticated
+// @tags helm
+// @security ApiKeyAuth || jwt
+// @produce json
+// @param id path int true "Environment(Endpoint) identifier"
+// @param name path string true "Helm release name"
+// @param namespace query string false "specify an optional namespace"
+// @success 200 {array} release.Release "Success"
+// @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
+// @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
+// @failure 403 "Permission denied - the user is authenticated but does not have the necessary permissions to access the requested resource or perform the specified operation. Check your user roles and permissions."
+// @failure 404 "Unable to find an environment with the specified identifier."
+// @failure 500 "Server error occurred while attempting to retrieve the historical list of releases."
+// @router /endpoints/{id}/kubernetes/helm/{release}/history [get]
+func (handler *Handler) helmGetHistory(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	release, err := request.RetrieveRouteVariableValue(r, "release")
+	if err != nil {
+		return httperror.BadRequest("No release specified", err)
+	}
+
+	clusterAccess, httperr := handler.getHelmClusterAccess(r)
+	if httperr != nil {
+		return httperr
+	}
+
+	historyOptions := options.HistoryOptions{
+		KubernetesClusterAccess: clusterAccess,
+		Name:                    release,
+	}
+
+	// optional namespace.  The library defaults to "default"
+	namespace, _ := request.RetrieveQueryParameter(r, "namespace", true)
+	if namespace != "" {
+		historyOptions.Namespace = namespace
+	}
+
+	releases, err := handler.helmPackageManager.GetHistory(historyOptions)
+	if err != nil {
+		return httperror.InternalServerError("Helm returned an error", err)
+	}
+
+	return response.JSON(w, releases)
+}

api/http/handler/helm/helm_history_test.go

@@ -0,0 +1,67 @@
+package helm
+
+import (
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/exec/exectest"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/testhelpers"
+	helper "github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/jwt"
+	"github.com/portainer/portainer/api/kubernetes"
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/portainer/portainer/pkg/libhelm/test"
+
+	"github.com/segmentio/encoding/json"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_helmGetHistory(t *testing.T) {
+	is := assert.New(t)
+
+	_, store := datastore.MustNewTestStore(t, true, true)
+
+	err := store.Endpoint().Create(&portainer.Endpoint{ID: 1})
+	is.NoError(err, "Error creating environment")
+
+	err = store.User().Create(&portainer.User{Username: "admin", Role: portainer.AdministratorRole})
+	is.NoError(err, "Error creating a user")
+
+	jwtService, err := jwt.NewService("1h", store)
+	is.NoError(err, "Error initiating jwt service")
+
+	kubernetesDeployer := exectest.NewKubernetesDeployer()
+	helmPackageManager := test.NewMockHelmPackageManager()
+	kubeClusterAccessService := kubernetes.NewKubeClusterAccessService("", "", "")
+	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeClusterAccessService)
+
+	is.NotNil(h, "Handler should not fail")
+
+	// Install a single chart, to be retrieved by the handler
+	options := options.InstallOptions{Name: "nginx-1", Chart: "nginx", Namespace: "default"}
+	h.helmPackageManager.Upgrade(options)
+
+	t.Run("helmGetHistory sucessfuly retrieves helm release history", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/1/kubernetes/helm/"+options.Name+"/history?namespace="+options.Namespace, nil)
+		ctx := security.StoreTokenData(req, &portainer.TokenData{ID: 1, Username: "admin", Role: 1})
+		req = req.WithContext(ctx)
+		testhelpers.AddTestSecurityCookie(req, "Bearer dummytoken")
+
+		rr := httptest.NewRecorder()
+		h.ServeHTTP(rr, req)
+
+		data := []release.Release{}
+		body, err := io.ReadAll(rr.Body)
+		is.NoError(err, "ReadAll should not return error")
+		json.Unmarshal(body, &data)
+		is.Equal(http.StatusOK, rr.Code, "Status should be 200")
+		is.Equal(1, len(data))
+		is.Equal("nginx-1", data[0].Name)
+	})
+}

api/http/handler/helm/helm_install.go

@@ -99,15 +99,11 @@ func (handler *Handler) installChart(r *http.Request, p installChartPayload) (*r
 	}
 
 	installOpts := options.InstallOptions{
-		Name:      p.Name,
-		Chart:     p.Chart,
-		Namespace: p.Namespace,
-		Repo:      p.Repo,
-		KubernetesClusterAccess: &options.KubernetesClusterAccess{
-			ClusterServerURL:         clusterAccess.ClusterServerURL,
-			CertificateAuthorityFile: clusterAccess.CertificateAuthorityFile,
-			AuthToken:                clusterAccess.AuthToken,
-		},
+		Name:                    p.Name,
+		Chart:                   p.Chart,
+		Namespace:               p.Namespace,
+		Repo:                    p.Repo,
+		KubernetesClusterAccess: clusterAccess,
 	}
 
 	if p.Values != "" {
@@ -129,7 +125,7 @@ func (handler *Handler) installChart(r *http.Request, p installChartPayload) (*r
 		installOpts.ValuesFile = file.Name()
 	}
 
-	release, err := handler.helmPackageManager.Install(installOpts)
+	release, err := handler.helmPackageManager.Upgrade(installOpts)
 	if err != nil {
 		return nil, err
 	}

api/http/handler/helm/helm_install_test.go

@@ -15,9 +15,9 @@ import (
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"
 	"github.com/portainer/portainer/api/kubernetes"
-	"github.com/portainer/portainer/pkg/libhelm/binary/test"
 	"github.com/portainer/portainer/pkg/libhelm/options"
 	"github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/portainer/portainer/pkg/libhelm/test"
 
 	"github.com/segmentio/encoding/json"
 	"github.com/stretchr/testify/assert"
@@ -38,14 +38,14 @@ func Test_helmInstall(t *testing.T) {
 	is.NoError(err, "Error initiating jwt service")
 
 	kubernetesDeployer := exectest.NewKubernetesDeployer()
-	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
+	helmPackageManager := test.NewMockHelmPackageManager()
 	kubeClusterAccessService := kubernetes.NewKubeClusterAccessService("", "", "")
 	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeClusterAccessService)
 
 	is.NotNil(h, "Handler should not fail")
 
 	// Install a single chart.  We expect to get these values back
-	options := options.InstallOptions{Name: "nginx-1", Chart: "nginx", Namespace: "default", Repo: "https://kubernetes.github.io/ingress-nginx"}
+	options := options.InstallOptions{Name: "nginx-1", Chart: "nginx", Namespace: "default", Repo: "https://charts.bitnami.com/bitnami"}
 	optdata, err := json.Marshal(options)
 	is.NoError(err)
 

api/http/handler/helm/helm_list_test.go

@@ -14,9 +14,9 @@ import (
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"
 	"github.com/portainer/portainer/api/kubernetes"
-	"github.com/portainer/portainer/pkg/libhelm/binary/test"
 	"github.com/portainer/portainer/pkg/libhelm/options"
 	"github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/portainer/portainer/pkg/libhelm/test"
 
 	"github.com/segmentio/encoding/json"
 	"github.com/stretchr/testify/assert"
@@ -37,13 +37,13 @@ func Test_helmList(t *testing.T) {
 	is.NoError(err, "Error initialising jwt service")
 
 	kubernetesDeployer := exectest.NewKubernetesDeployer()
-	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
+	helmPackageManager := test.NewMockHelmPackageManager()
 	kubeClusterAccessService := kubernetes.NewKubeClusterAccessService("", "", "")
 	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeClusterAccessService)
 
 	// Install a single chart.  We expect to get these values back
 	options := options.InstallOptions{Name: "nginx-1", Chart: "nginx", Namespace: "default"}
-	h.helmPackageManager.Install(options)
+	h.helmPackageManager.Upgrade(options)
 
 	t.Run("helmList", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodGet, "/1/kubernetes/helm", nil)

api/http/handler/helm/helm_repo_search_test.go

@@ -8,19 +8,19 @@ import (
 	"testing"
 
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
-	"github.com/portainer/portainer/pkg/libhelm/binary/test"
+	"github.com/portainer/portainer/pkg/libhelm/test"
 	"github.com/stretchr/testify/assert"
 )
 
 func Test_helmRepoSearch(t *testing.T) {
 	is := assert.New(t)
 
-	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
+	helmPackageManager := test.NewMockHelmPackageManager()
 	h := NewTemplateHandler(helper.NewTestRequestBouncer(), helmPackageManager)
 
 	assert.NotNil(t, h, "Handler should not fail")
 
-	repos := []string{"https://kubernetes.github.io/ingress-nginx", "https://portainer.github.io/k8s"}
+	repos := []string{"https://charts.bitnami.com/bitnami", "https://portainer.github.io/k8s"}
 
 	for _, repo := range repos {
 		t.Run(repo, func(t *testing.T) {

api/http/handler/helm/helm_show_test.go

@@ -9,14 +9,14 @@ import (
 	"testing"
 
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
-	"github.com/portainer/portainer/pkg/libhelm/binary/test"
+	"github.com/portainer/portainer/pkg/libhelm/test"
 	"github.com/stretchr/testify/assert"
 )
 
 func Test_helmShow(t *testing.T) {
 	is := assert.New(t)
 
-	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
+	helmPackageManager := test.NewMockHelmPackageManager()
 	h := NewTemplateHandler(helper.NewTestRequestBouncer(), helmPackageManager)
 
 	is.NotNil(h, "Handler should not fail")
@@ -31,7 +31,7 @@ func Test_helmShow(t *testing.T) {
 		t.Run(cmd, func(t *testing.T) {
 			is.NotNil(h, "Handler should not fail")
 
-			repoUrlEncoded := url.QueryEscape("https://kubernetes.github.io/ingress-nginx")
+			repoUrlEncoded := url.QueryEscape("https://charts.bitnami.com/bitnami")
 			chart := "nginx"
 			req := httptest.NewRequest("GET", fmt.Sprintf("/templates/helm/%s?repo=%s&chart=%s", cmd, repoUrlEncoded, chart), nil)
 			rr := httptest.NewRecorder()

api/http/handler/kubernetes/application.go

@@ -69,7 +69,6 @@ func (handler *Handler) getApplicationsResources(w http.ResponseWriter, r *http.
 // @param id path int true "Environment(Endpoint) identifier"
 // @param namespace query string true "Namespace name"
 // @param nodeName query string true "Node name"
-// @param withDependencies query boolean false "Include dependencies in the response"
 // @success 200 {array} models.K8sApplication "Success"
 // @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
 // @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
@@ -117,12 +116,6 @@ func (handler *Handler) getAllKubernetesApplications(r *http.Request) ([]models.
 		return nil, httperror.BadRequest("Unable to parse the namespace query parameter", err)
 	}
 
-	withDependencies, err := request.RetrieveBooleanQueryParameter(r, "withDependencies", true)
-	if err != nil {
-		log.Error().Err(err).Str("context", "getAllKubernetesApplications").Msg("Unable to parse the withDependencies query parameter")
-		return nil, httperror.BadRequest("Unable to parse the withDependencies query parameter", err)
-	}
-
 	nodeName, err := request.RetrieveQueryParameter(r, "nodeName", true)
 	if err != nil {
 		log.Error().Err(err).Str("context", "getAllKubernetesApplications").Msg("Unable to parse the nodeName query parameter")
@@ -135,7 +128,7 @@ func (handler *Handler) getAllKubernetesApplications(r *http.Request) ([]models.
 		return nil, httperror.InternalServerError("Unable to get a Kubernetes client for the user", httpErr)
 	}
 
-	applications, err := cli.GetApplications(namespace, nodeName, withDependencies)
+	applications, err := cli.GetApplications(namespace, nodeName)
 	if err != nil {
 		if k8serrors.IsUnauthorized(err) {
 			log.Error().Err(err).Str("context", "getAllKubernetesApplications").Str("namespace", namespace).Str("nodeName", nodeName).Msg("Unable to get the list of applications")

api/http/handler/kubernetes/config.go

@@ -1,9 +1,14 @@
 package kubernetes
 
 import (
+	"crypto/x509"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"net/http"
+	"net/url"
+	"os"
+	"strings"
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/security"
@@ -162,11 +167,48 @@ func (handler *Handler) buildConfig(r *http.Request, tokenData *portainer.TokenD
 func (handler *Handler) buildCluster(r *http.Request, endpoint portainer.Endpoint, isInternal bool) clientV1.NamedCluster {
 	kubeConfigInternal := handler.kubeClusterAccessService.GetClusterDetails(r.Host, endpoint.ID, isInternal)
 
+	if isInternal {
+		return clientV1.NamedCluster{
+			Name: buildClusterName(endpoint.Name),
+			Cluster: clientV1.Cluster{
+				Server:                kubeConfigInternal.ClusterServerURL,
+				InsecureSkipTLSVerify: true,
+			},
+		}
+	}
+
+	selfSignedCert := false
+	serverUrl, err := url.Parse(kubeConfigInternal.ClusterServerURL)
+	if err != nil {
+		log.Warn().Err(err).Msg("Failed to parse server URL")
+	}
+
+	if strings.EqualFold(serverUrl.Scheme, "https") {
+		var certPem []byte
+		var err error
+
+		if kubeConfigInternal.CertificateAuthorityData != "" {
+			certPem = []byte(kubeConfigInternal.CertificateAuthorityData)
+		} else if kubeConfigInternal.CertificateAuthorityFile != "" {
+			certPem, err = os.ReadFile(kubeConfigInternal.CertificateAuthorityFile)
+			if err != nil {
+				log.Warn().Err(err).Msg("Failed to open certificate file")
+			}
+		}
+
+		if certPem != nil {
+			selfSignedCert, err = IsSelfSignedCertificate(certPem)
+			if err != nil {
+				log.Warn().Err(err).Msg("Failed to verify if certificate is self-signed")
+			}
+		}
+	}
+
 	return clientV1.NamedCluster{
 		Name: buildClusterName(endpoint.Name),
 		Cluster: clientV1.Cluster{
 			Server:                kubeConfigInternal.ClusterServerURL,
-			InsecureSkipTLSVerify: true,
+			InsecureSkipTLSVerify: selfSignedCert,
 		},
 	}
 }
@@ -215,3 +257,38 @@ func writeFileContent(w http.ResponseWriter, r *http.Request, endpoints []portai
 	w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; %s.json", filenameBase))
 	return response.JSON(w, config)
 }
+
+func IsSelfSignedCertificate(certPem []byte) (bool, error) {
+	if certPem == nil {
+		return false, errors.New("certificate data is empty")
+	}
+
+	if !strings.Contains(string(certPem), "BEGIN CERTIFICATE") {
+		certPem = []byte(fmt.Sprintf("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----", string(certPem)))
+	}
+
+	block, _ := pem.Decode(certPem)
+	if block == nil {
+		return false, errors.New("failed to decode certificate")
+	}
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return false, err
+	}
+
+	if cert.Issuer.String() != cert.Subject.String() {
+		return false, nil
+	}
+
+	roots := x509.NewCertPool()
+	roots.AddCert(cert)
+
+	opts := x509.VerifyOptions{
+		Roots:       roots,
+		CurrentTime: cert.NotBefore,
+	}
+
+	_, err = cert.Verify(opts)
+	return err == nil, err
+}

api/http/handler/kubernetes/config_test.go

@@ -0,0 +1,186 @@
+package kubernetes
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsSelfSignedCertificate(t *testing.T) {
+
+	tc := []struct {
+		name     string
+		cert     string
+		expected bool
+	}{
+		{
+			name: "portainer self-signed",
+			cert: `-----BEGIN CERTIFICATE-----
+MIIBUTCB+KADAgECAhBB7psNiJlJd/nRCCKUPVenMAoGCCqGSM49BAMCMAAwHhcN
+MjUwMzEzMDQwODI0WhcNMzAwMzEzMDQwODI0WjAAMFkwEwYHKoZIzj0CAQYIKoZI
+zj0DAQcDQgAESdGCaXq0r1GDxF89yKjjLeCIixiPDdXAg+lw4NqAWeJq2AOo+8IH
+vcCq9bSlYlezK8RzTsbf9Z1m5jRqUEbSjqNUMFIwDgYDVR0PAQH/BAQDAgWgMBMG
+A1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0RAQH/BBMwEYIJ
+bG9jYWxob3N0hwQAAAAAMAoGCCqGSM49BAMCA0gAMEUCIApLliukFaCZHbc/2pkH
+0VDY+fBMb12jhmVpgKh1Cqg9AiEAwFrMQLUkzATUpiHuukdUg5VsUiMIkWTPLglz
+E4+1dRc=
+-----END CERTIFICATE-----
+`,
+			expected: true,
+		},
+		{
+			name:     "portainer self-signed without header",
+			cert:     `MIIBUzCB+aADAgECAhEAjsskPzuCS5BeHjXGwYqc2jAKBggqhkjOPQQDAjAAMB4XDTI1MDMxMzA0MzQyNloXDTMwMDMxMzA0MzQyNlowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABITD+dNDLYQbLYDE3UMlTzD61OYRSVkVZspdp1MvZITIG4VOxtfQUqcW3P7OHQdoi52GIQ/GM6iDgxwB1BOyi3mjVDBSMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB0GA1UdEQEB/wQTMBGCCWxvY2FsaG9zdIcEAAAAADAKBggqhkjOPQQDAgNJADBGAiEA8SmyeYLhrnrNLAFcxZp0dk6nMN70XVAfqGnbK/s8NR8CIQDgQdqhfge8QvN2TsH4gg98a9VHDv+RlcOlJ80SS+G/Ww==`,
+			expected: true,
+		},
+		{
+			name: "custom certificate generated by openssl",
+			cert: `-----BEGIN CERTIFICATE-----
+MIIB9TCCAZugAwIBAgIULTkNYfYHiqfOiX7mKOIGxRefx/YwCgYIKoZIzj0EAwIw
+SDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp
+c2NvMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0yNTAyMjgwNjI3MDBaFw0zNTAy
+MjYwNjI3MDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT3WlLvbGw7wPkQ
+3LuHFJEaNrDv3n359JMV1CkjQi3U37u0fJrjd+8o7TxPBYgt9HDD9vsURhy41DNo
+g71F2AIto4GqMIGnMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU+nMxx/VCE9fzrlHI
+FX9mF5SRPrkwHwYDVR0jBBgwFoAUOlUIToGwnBOqzZ1dBfOvdKbwNaAwKAYDVR0R
+AQH/BB4wHIIaZWRnZS4xNzIuMTcuMjIxLjIwOC5uaXAuaW8wCgYIKoZIzj0EAwID
+SAAwRQIgeYrkjY0z/ypMKXZbvbMi8qOK44qoISKkSErBUCBLuwoCIQDRaJA9r931
+utpXXnysVGecVXHHKOOl1YhWglmuPvcZhw==
+-----END CERTIFICATE-----`,
+			expected: false,
+		},
+		{
+			name: "google.com certificate",
+			cert: `-----BEGIN CERTIFICATE-----
+MIIOITCCDQmgAwIBAgIQKS0IQxknY8USDjt3IYchljANBgkqhkiG9w0BAQsFADA7
+MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNlcnZpY2VzMQww
+CgYDVQQDEwNXUjIwHhcNMjUwMjI2MTUzMjU1WhcNMjUwNTIxMTUzMjU0WjAXMRUw
+EwYDVQQDDAwqLmdvb2dsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARx
+nMOmIG3BuO7my/BbF/rGPAMH/JbxBDufbYFQHV+6l5pF5sdT/Zov3X+qsR3IYFl7
+F2a0gAUmK1Bq7//zTb3uo4IMDjCCDAowDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFN+aEjBz3PaUtelz
+3g9rVTkGRgU0MB8GA1UdIwQYMBaAFN4bHu15FdQ+NyTDIbvsNDltQrIwMFgGCCsG
+AQUFBwEBBEwwSjAhBggrBgEFBQcwAYYVaHR0cDovL28ucGtpLmdvb2cvd3IyMCUG
+CCsGAQUFBzAChhlodHRwOi8vaS5wa2kuZ29vZy93cjIuY3J0MIIJ5AYDVR0RBIIJ
+2zCCCdeCDCouZ29vZ2xlLmNvbYIWKi5hcHBlbmdpbmUuZ29vZ2xlLmNvbYIJKi5i
+ZG4uZGV2ghUqLm9yaWdpbi10ZXN0LmJkbi5kZXaCEiouY2xvdWQuZ29vZ2xlLmNv
+bYIYKi5jcm93ZHNvdXJjZS5nb29nbGUuY29tghgqLmRhdGFjb21wdXRlLmdvb2ds
+ZS5jb22CCyouZ29vZ2xlLmNhggsqLmdvb2dsZS5jbIIOKi5nb29nbGUuY28uaW6C
+DiouZ29vZ2xlLmNvLmpwgg4qLmdvb2dsZS5jby51a4IPKi5nb29nbGUuY29tLmFy
+gg8qLmdvb2dsZS5jb20uYXWCDyouZ29vZ2xlLmNvbS5icoIPKi5nb29nbGUuY29t
+LmNvgg8qLmdvb2dsZS5jb20ubXiCDyouZ29vZ2xlLmNvbS50coIPKi5nb29nbGUu
+Y29tLnZuggsqLmdvb2dsZS5kZYILKi5nb29nbGUuZXOCCyouZ29vZ2xlLmZyggsq
+Lmdvb2dsZS5odYILKi5nb29nbGUuaXSCCyouZ29vZ2xlLm5sggsqLmdvb2dsZS5w
+bIILKi5nb29nbGUucHSCDyouZ29vZ2xlYXBpcy5jboIRKi5nb29nbGV2aWRlby5j
+b22CDCouZ3N0YXRpYy5jboIQKi5nc3RhdGljLWNuLmNvbYIPZ29vZ2xlY25hcHBz
+LmNughEqLmdvb2dsZWNuYXBwcy5jboIRZ29vZ2xlYXBwcy1jbi5jb22CEyouZ29v
+Z2xlYXBwcy1jbi5jb22CDGdrZWNuYXBwcy5jboIOKi5na2VjbmFwcHMuY26CEmdv
+b2dsZWRvd25sb2Fkcy5jboIUKi5nb29nbGVkb3dubG9hZHMuY26CEHJlY2FwdGNo
+YS5uZXQuY26CEioucmVjYXB0Y2hhLm5ldC5jboIQcmVjYXB0Y2hhLWNuLm5ldIIS
+Ki5yZWNhcHRjaGEtY24ubmV0ggt3aWRldmluZS5jboINKi53aWRldmluZS5jboIR
+YW1wcHJvamVjdC5vcmcuY26CEyouYW1wcHJvamVjdC5vcmcuY26CEWFtcHByb2pl
+Y3QubmV0LmNughMqLmFtcHByb2plY3QubmV0LmNughdnb29nbGUtYW5hbHl0aWNz
+LWNuLmNvbYIZKi5nb29nbGUtYW5hbHl0aWNzLWNuLmNvbYIXZ29vZ2xlYWRzZXJ2
+aWNlcy1jbi5jb22CGSouZ29vZ2xlYWRzZXJ2aWNlcy1jbi5jb22CEWdvb2dsZXZh
+ZHMtY24uY29tghMqLmdvb2dsZXZhZHMtY24uY29tghFnb29nbGVhcGlzLWNuLmNv
+bYITKi5nb29nbGVhcGlzLWNuLmNvbYIVZ29vZ2xlb3B0aW1pemUtY24uY29tghcq
+Lmdvb2dsZW9wdGltaXplLWNuLmNvbYISZG91YmxlY2xpY2stY24ubmV0ghQqLmRv
+dWJsZWNsaWNrLWNuLm5ldIIYKi5mbHMuZG91YmxlY2xpY2stY24ubmV0ghYqLmcu
+ZG91YmxlY2xpY2stY24ubmV0gg5kb3VibGVjbGljay5jboIQKi5kb3VibGVjbGlj
+ay5jboIUKi5mbHMuZG91YmxlY2xpY2suY26CEiouZy5kb3VibGVjbGljay5jboIR
+ZGFydHNlYXJjaC1jbi5uZXSCEyouZGFydHNlYXJjaC1jbi5uZXSCHWdvb2dsZXRy
+YXZlbGFkc2VydmljZXMtY24uY29tgh8qLmdvb2dsZXRyYXZlbGFkc2VydmljZXMt
+Y24uY29tghhnb29nbGV0YWdzZXJ2aWNlcy1jbi5jb22CGiouZ29vZ2xldGFnc2Vy
+dmljZXMtY24uY29tghdnb29nbGV0YWdtYW5hZ2VyLWNuLmNvbYIZKi5nb29nbGV0
+YWdtYW5hZ2VyLWNuLmNvbYIYZ29vZ2xlc3luZGljYXRpb24tY24uY29tghoqLmdv
+b2dsZXN5bmRpY2F0aW9uLWNuLmNvbYIkKi5zYWZlZnJhbWUuZ29vZ2xlc3luZGlj
+YXRpb24tY24uY29tghZhcHAtbWVhc3VyZW1lbnQtY24uY29tghgqLmFwcC1tZWFz
+dXJlbWVudC1jbi5jb22CC2d2dDEtY24uY29tgg0qLmd2dDEtY24uY29tggtndnQy
+LWNuLmNvbYINKi5ndnQyLWNuLmNvbYILMm1kbi1jbi5uZXSCDSouMm1kbi1jbi5u
+ZXSCFGdvb2dsZWZsaWdodHMtY24ubmV0ghYqLmdvb2dsZWZsaWdodHMtY24ubmV0
+ggxhZG1vYi1jbi5jb22CDiouYWRtb2ItY24uY29tghRnb29nbGVzYW5kYm94LWNu
+LmNvbYIWKi5nb29nbGVzYW5kYm94LWNuLmNvbYIeKi5zYWZlbnVwLmdvb2dsZXNh
+bmRib3gtY24uY29tgg0qLmdzdGF0aWMuY29tghQqLm1ldHJpYy5nc3RhdGljLmNv
+bYIKKi5ndnQxLmNvbYIRKi5nY3BjZG4uZ3Z0MS5jb22CCiouZ3Z0Mi5jb22CDiou
+Z2NwLmd2dDIuY29tghAqLnVybC5nb29nbGUuY29tghYqLnlvdXR1YmUtbm9jb29r
+aWUuY29tggsqLnl0aW1nLmNvbYILYW5kcm9pZC5jb22CDSouYW5kcm9pZC5jb22C
+EyouZmxhc2guYW5kcm9pZC5jb22CBGcuY26CBiouZy5jboIEZy5jb4IGKi5nLmNv
+ggZnb28uZ2yCCnd3dy5nb28uZ2yCFGdvb2dsZS1hbmFseXRpY3MuY29tghYqLmdv
+b2dsZS1hbmFseXRpY3MuY29tggpnb29nbGUuY29tghJnb29nbGVjb21tZXJjZS5j
+b22CFCouZ29vZ2xlY29tbWVyY2UuY29tgghnZ3BodC5jboIKKi5nZ3BodC5jboIK
+dXJjaGluLmNvbYIMKi51cmNoaW4uY29tggh5b3V0dS5iZYILeW91dHViZS5jb22C
+DSoueW91dHViZS5jb22CEW11c2ljLnlvdXR1YmUuY29tghMqLm11c2ljLnlvdXR1
+YmUuY29tghR5b3V0dWJlZWR1Y2F0aW9uLmNvbYIWKi55b3V0dWJlZWR1Y2F0aW9u
+LmNvbYIPeW91dHViZWtpZHMuY29tghEqLnlvdXR1YmVraWRzLmNvbYIFeXQuYmWC
+ByoueXQuYmWCGmFuZHJvaWQuY2xpZW50cy5nb29nbGUuY29tghMqLmFuZHJvaWQu
+Z29vZ2xlLmNughIqLmNocm9tZS5nb29nbGUuY26CFiouZGV2ZWxvcGVycy5nb29n
+bGUuY26CFSouYWlzdHVkaW8uZ29vZ2xlLmNvbTATBgNVHSAEDDAKMAgGBmeBDAEC
+ATA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vYy5wa2kuZ29vZy93cjIvb0JGWVlh
+aHpnVkkuY3JsMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcAzxFW7tUufK/zh1vZ
+aS6b6RpxZ0qwF+ysAdJbd87MOwgAAAGVQxqxaQAABAMASDBGAiEAk6r74vfyJIaa
+hYTWqNRsjl/RpCWq/wyzzMi21zgGmfkCIQCZafyS/fl0tiutICL9aOSnDBRfPYqd
+CeNqKOy11EjvigB1AN6FgddQJHxrzcuvVjfF54HGTORu1hdjn480pybJ4r03AAAB
+lUMasUkAAAQDAEYwRAIgYfG2iyRnmn8MI86RFDxOQW1/IOBAjQxNfIQ8toZlZkoC
+IA1BHw7cqmlTP7Ks+ebX6hGfNlVsgTQS8iYyKL5/BSvTMA0GCSqGSIb3DQEBCwUA
+A4IBAQAYSNtoW72rqhPfjV5Ug1ENbbimfqmqiJS4JdzaEFRpftzachTuvx8relaY
++7FAz5y4YULu9LGNjpBRYW8yW9pgfWyc53CCHSkDODguUOMCRo3hdglxZ2d5pJ/8
+TQY4zRBd8OHzOAx2kH6jLEj9I0nDie3vowSYm7FCBRLjzfForRNQWmzPu+5hS3De
+QM0R2jWpmPcG3ffQ5qQwnAQnP9HCK9oEZ5cFqLvOQWfttj/rzKOz856iSEoRpf8S
+wVFRu3Uv2TXQ6UYF2cDfiWCe6/mO35CIynC6FVkunze/Q/2rtaCDttLRYZcLllj8
+PSl7nmLhtqDlO7da/S34BFiyyRjN
+-----END CERTIFICATE-----
+`,
+			expected: false,
+		},
+		{
+			name: "let's encrypt certificate",
+			cert: `-----BEGIN CERTIFICATE-----
+MIIGMjCCBRqgAwIBAgISBVHH05rEMkaCuDQvABDjiam0MA0GCSqGSIb3DQEBCwUA
+MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
+EwNSMTAwHhcNMjUwMzEzMDIyMzE2WhcNMjUwNjExMDIyMzE1WjAkMSIwIAYDVQQD
+Exlvei1kZW1vLnBvcnRhaW5lcmNsb3VkLmlvMIICIjANBgkqhkiG9w0BAQEFAAOC
+Ag8AMIICCgKCAgEAwNCcr9azSaldEwgL54bQScuWBnmw3FMHgEATxDVp2MEawQkV
+I3VScUcJWBnlHlb7TUanRC/c/vJGbzc+KDuCRTZ2/Ob2yQ9G5mZjGttBAnBSQPpV
+arEEBFCClhVBn4LhLNmIsCjCy25+m0HY/dwWbKjTMT/KxpTa3L3mdmIFa7XNs6W2
+vEZGwYM+2JPMJ9DwemVrrrvRqd5vLWTZcWvWJQ7HMfw3PoELpeqyycmxDqd9PCMz
+yMp8q3UwLDur3+KfDXGtGOoubxcOuJrpemOe8JeM5cEYEhvOy8D16zmWwWYDT19D
+ElFfUbM0GGITpJ41Qie03DvmI0hDYDqTEZfKza967VsvD7K9bFgLHmHdv7gLNutB
+FConpziNqslapWwQ5j7bKircxKjRQVkOiXH48m2IUzylqWgJPVMvHukRu0YVnvbt
+Q53xNVZQEbjvZmIuz8jqo22Y/1Jr7Plnb1lUvvDznA58MHT0KA4LSZwk9tvMJJCw
+vh7AoWB6/Jnl8QVnApOdCa6M/An128rBwgrCmp0wSvhMecTkWC8/gsah0Q5wKFL3
+ziBth728Qy8RlNghRUw88e/y4pdGHN8egjK1NpdgsvTFdRNQ8qwu0lx9pO3b6TNQ
+qDG5pirXjS/DhPYvZtJRDK6SMTHJNm+0NGdWB8qpNssFrU6u2cRl0533LtECAwEA
+AaOCAk0wggJJMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
+KwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUiQi/3pZamfPxRGPI8DTZ
+tej1494wHwYDVR0jBBgwFoAUu7zDR6XkvKnGw6RyDBCNojXhyOgwVwYIKwYBBQUH
+AQEESzBJMCIGCCsGAQUFBzABhhZodHRwOi8vcjEwLm8ubGVuY3Iub3JnMCMGCCsG
+AQUFBzAChhdodHRwOi8vcjEwLmkubGVuY3Iub3JnLzAkBgNVHREEHTAbghlvei1k
+ZW1vLnBvcnRhaW5lcmNsb3VkLmlvMBMGA1UdIAQMMAowCAYGZ4EMAQIBMC4GA1Ud
+HwQnMCUwI6AhoB+GHWh0dHA6Ly9yMTAuYy5sZW5jci5vcmcvNTMuY3JsMIIBBAYK
+KwYBBAHWeQIEAgSB9QSB8gDwAHcAzPsPaoVxCWX+lZtTzumyfCLphVwNl422qX5U
+wP5MDbAAAAGVjYW7/QAABAMASDBGAiEA8CjMOIj7wqQ60BX22A5pDkA23IxZPzwV
+1MF5+VSgdqgCIQCZhry5AK2VyZX/cIODEl6eHBCUWS4vHB+J8RxeclKCpAB1AKLj
+CuRF772tm3447Udnd1PXgluElNcrXhssxLlQpEfnAAABlY2Fu/QAAAQDAEYwRAIg
+bwjJgZJew/1LoL9yzDD1P4Xkd8ezFucxfU3AzlV1XEYCIH5RPyW1HP9GSr+aAx+I
+o3inVl1NagJFYiApAPvFmIEgMA0GCSqGSIb3DQEBCwUAA4IBAQATJWi1sJSBstO+
+hyH7DsrAtDhiQTOWzUZezBlgCn8hfmA3nX5uKsHyxPPPEQ/GFYOltRD/+34X9kFF
+YNzUjJOP0bGk45I1JbspxRRvtbDpk0+dj2VE2toM8vLRDz3+DB4YB2lFofYlex++
+16xFzOIE+ZW41qBs3G8InsyHADsaFY2CQ9re/kZvenptU/ax1U2a21JJ3TT2DmXW
+AHZYQ5/whVIowsebw1e28I12VhLl2BKn7v4MpCn3GUzBBQAEbJ6TIjHtFKWWnVfH
+FisaUX6N4hMzGZVJOsbH4QVBGuNwUshHiD8MSpbans2w+T4bCe11XayerqxFhTao
+w/pjiPVy
+-----END CERTIFICATE-----
+`,
+			expected: false,
+		},
+	}
+
+	for _, tt := range tc {
+		t.Run(tt.name, func(t *testing.T) {
+			actual, err := IsSelfSignedCertificate([]byte(tt.cert))
+			assert.NoError(t, err)
+			assert.Equal(t, tt.expected, actual)
+		})
+	}
+}

api/http/handler/kubernetes/configmaps.go

@@ -146,13 +146,11 @@ func (handler *Handler) getAllKubernetesConfigMaps(r *http.Request) ([]models.K8
 	}
 
 	if isUsed {
-		configMapsWithApplications, err := cli.CombineConfigMapsWithApplications(configMaps)
+		err = cli.SetConfigMapsIsUsed(&configMaps)
 		if err != nil {
 			log.Error().Err(err).Str("context", "getAllKubernetesConfigMaps").Msg("Unable to combine configMaps with associated applications")
 			return nil, httperror.InternalServerError("Unable to combine configMaps with associated applications", err)
 		}
-
-		return configMapsWithApplications, nil
 	}
 
 	return configMaps, nil

api/http/handler/kubernetes/describe.go

@@ -0,0 +1,73 @@
+package kubernetes
+
+import (
+	"net/http"
+
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/libhttp/response"
+	"github.com/portainer/portainer/pkg/libkubectl"
+	"github.com/rs/zerolog/log"
+)
+
+type describeResourceResponse struct {
+	Describe string `json:"describe"`
+}
+
+// @id DescribeResource
+// @summary Get a description of a kubernetes resource
+// @description Get a description of a kubernetes resource.
+// @description **Access policy**: Authenticated user.
+// @tags kubernetes
+// @security ApiKeyAuth || jwt
+// @produce json
+// @param id path int true "Environment identifier"
+// @param name query string true "Resource name"
+// @param kind query string true "Resource kind"
+// @param namespace query string false "Namespace"
+// @success 200 {object} describeResourceResponse "Success"
+// @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
+// @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
+// @failure 403 "Permission denied - the user is authenticated but does not have the necessary permissions to access the requested resource or perform the specified operation. Check your user roles and permissions."
+// @failure 404 "Unable to find an environment with the specified identifier."
+// @failure 500 "Server error occurred while attempting to retrieve resource description"
+// @router /kubernetes/{id}/describe [get]
+func (handler *Handler) describeResource(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	name, err := request.RetrieveQueryParameter(r, "name", false)
+	if err != nil {
+		log.Error().Err(err).Str("context", "describeResource").Msg("Invalid query parameter name")
+		return httperror.BadRequest("an error occurred during the describeResource operation, invalid query parameter name. Error: ", err)
+	}
+
+	kind, err := request.RetrieveQueryParameter(r, "kind", false)
+	if err != nil {
+		log.Error().Err(err).Str("context", "describeResource").Msg("Invalid query parameter kind")
+		return httperror.BadRequest("an error occurred during the describeResource operation, invalid query parameter kind. Error: ", err)
+	}
+
+	namespace, err := request.RetrieveQueryParameter(r, "namespace", true)
+	if err != nil {
+		log.Error().Err(err).Str("context", "describeResource").Msg("Invalid query parameter namespace")
+		return httperror.BadRequest("an error occurred during the describeResource operation, invalid query parameter namespace. Error: ", err)
+	}
+
+	// fetches the token and the correct server URL for the endpoint, similar to getHelmClusterAccess
+	libKubectlAccess, err := handler.getLibKubectlAccess(r)
+	if err != nil {
+		return httperror.InternalServerError("an error occurred during the describeResource operation, failed to get libKubectlAccess. Error: ", err)
+	}
+
+	client, err := libkubectl.NewClient(libKubectlAccess, namespace, "", true)
+	if err != nil {
+		log.Error().Err(err).Str("context", "describeResource").Msg("Failed to create kubernetes client")
+		return httperror.InternalServerError("an error occurred during the describeResource operation, failed to create kubernetes client. Error: ", err)
+	}
+
+	out, err := client.Describe(namespace, name, kind)
+	if err != nil {
+		log.Error().Err(err).Str("context", "describeResource").Msg("Failed to describe kubernetes resource")
+		return httperror.InternalServerError("an error occurred during the describeResource operation, failed to describe kubernetes resource. Error: ", err)
+	}
+
+	return response.JSON(w, describeResourceResponse{Describe: out})
+}

api/http/handler/kubernetes/handler.go

@@ -15,6 +15,7 @@ import (
 	"github.com/portainer/portainer/api/kubernetes/cli"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/libkubectl"
 	"github.com/rs/zerolog/log"
 
 	"github.com/gorilla/mux"
@@ -102,6 +103,7 @@ func NewHandler(bouncer security.BouncerService, authorizationService *authoriza
 	endpointRouter.Handle("/cluster_roles/delete", httperror.LoggerHandler(h.deleteClusterRoles)).Methods(http.MethodPost)
 	endpointRouter.Handle("/cluster_role_bindings", httperror.LoggerHandler(h.getAllKubernetesClusterRoleBindings)).Methods(http.MethodGet)
 	endpointRouter.Handle("/cluster_role_bindings/delete", httperror.LoggerHandler(h.deleteClusterRoleBindings)).Methods(http.MethodPost)
+	endpointRouter.Handle("/describe", httperror.LoggerHandler(h.describeResource)).Methods(http.MethodGet)
 
 	// namespaces
 	// in the future this piece of code might be in another package (or a few different packages - namespaces/namespace?)
@@ -269,3 +271,36 @@ func (handler *Handler) kubeClientMiddleware(next http.Handler) http.Handler {
 		next.ServeHTTP(w, r)
 	})
 }
+
+func (handler *Handler) getLibKubectlAccess(r *http.Request) (*libkubectl.ClientAccess, error) {
+	tokenData, err := security.RetrieveTokenData(r)
+	if err != nil {
+		return nil, httperror.InternalServerError("Unable to retrieve user authentication token", err)
+	}
+
+	bearerToken, _, err := handler.JwtService.GenerateToken(tokenData)
+	if err != nil {
+		return nil, httperror.Unauthorized("Unauthorized", err)
+	}
+
+	endpoint, err := middlewares.FetchEndpoint(r)
+	if err != nil {
+		return nil, httperror.InternalServerError("Unable to find the Kubernetes endpoint associated to the request.", err)
+	}
+
+	sslSettings, err := handler.DataStore.SSLSettings().Settings()
+	if err != nil {
+		return nil, httperror.InternalServerError("Unable to retrieve settings from the database", err)
+	}
+
+	hostURL := "localhost"
+	if !sslSettings.SelfSigned {
+		hostURL = r.Host
+	}
+
+	kubeConfigInternal := handler.kubeClusterAccessService.GetClusterDetails(hostURL, endpoint.ID, true)
+	return &libkubectl.ClientAccess{
+		Token:     bearerToken,
+		ServerUrl: kubeConfigInternal.ClusterServerURL,
+	}, nil
+}

api/http/handler/kubernetes/secrets.go

@@ -130,13 +130,11 @@ func (handler *Handler) getAllKubernetesSecrets(r *http.Request) ([]models.K8sSe
 	}
 
 	if isUsed {
-		secretsWithApplications, err := cli.CombineSecretsWithApplications(secrets)
+		err = cli.SetSecretsIsUsed(&secrets)
 		if err != nil {
 			log.Error().Err(err).Str("context", "GetAllKubernetesSecrets").Msg("Unable to combine secrets with associated applications")
 			return nil, httperror.InternalServerError("unable to combine secrets with associated applications. Error: ", err)
 		}
-
-		return secretsWithApplications, nil
 	}
 
 	return secrets, nil

api/http/handler/settings/settings_update.go

@@ -46,7 +46,7 @@ type settingsUpdatePayload struct {
 	// Whether telemetry is enabled
 	EnableTelemetry *bool `example:"false"`
 	// Helm repository URL
-	HelmRepositoryURL *string `example:"https://kubernetes.github.io/ingress-nginx"`
+	HelmRepositoryURL *string `example:"https://charts.bitnami.com/bitnami"`
 	// Kubectl Shell Image
 	KubectlShellImage *string `example:"portainer/kubectl-shell:latest"`
 	// TrustOnFirstConnect makes Portainer accepting edge agent connection by default

api/http/handler/system/nodes_count.go

@@ -33,7 +33,7 @@ func (handler *Handler) systemNodesCount(w http.ResponseWriter, r *http.Request)
 	var nodes int
 
 	for _, endpoint := range endpoints {
-		if err := snapshot.FillSnapshotData(handler.dataStore, &endpoint); err != nil {
+		if err := snapshot.FillSnapshotData(handler.dataStore, &endpoint, false); err != nil {
 			return httperror.InternalServerError("Unable to add snapshot data", err)
 		}
 

api/http/handler/teammemberships/teammembership_create.go

@@ -45,7 +45,6 @@ func (payload *teamMembershipCreatePayload) Validate(r *http.Request) error {
 // @produce json
 // @param body body teamMembershipCreatePayload true "Team membership details"
 // @success 200 {object} portainer.TeamMembership "Success"
-// @success 204 "Success"
 // @failure 400 "Invalid request"
 // @failure 403 "Permission denied to manage memberships"
 // @failure 409 "Team membership already registered"

api/http/handler/teams/team_inspect.go

@@ -21,7 +21,6 @@ import (
 // @produce json
 // @param id path int true "Team identifier"
 // @success 200 {object} portainer.Team "Success"
-// @success 204 "Success"
 // @failure 400 "Invalid request"
 // @failure 403 "Permission denied"
 // @failure 404 "Team not found"

api/http/handler/teams/team_update.go

@@ -30,7 +30,6 @@ func (payload *teamUpdatePayload) Validate(r *http.Request) error {
 // @param id path int true "Team identifier"
 // @param body body teamUpdatePayload true "Team details"
 // @success 200 {object} portainer.Team "Success"
-// @success 204 "Success"
 // @failure 400 "Invalid request"
 // @failure 403 "Permission denied"
 // @failure 404 "Team not found"

api/http/handler/users/handler.go

@@ -52,12 +52,12 @@ func NewHandler(bouncer security.BouncerService, rateLimiter *security.RateLimit
 	teamLeaderRouter := h.NewRoute().Subrouter()
 	teamLeaderRouter.Use(bouncer.TeamLeaderAccess)
 
-	restrictedRouter := h.NewRoute().Subrouter()
-	restrictedRouter.Use(bouncer.RestrictedAccess)
-
 	authenticatedRouter := h.NewRoute().Subrouter()
 	authenticatedRouter.Use(bouncer.AuthenticatedAccess)
 
+	restrictedRouter := h.NewRoute().Subrouter()
+	restrictedRouter.Use(bouncer.RestrictedAccess)
+
 	publicRouter := h.NewRoute().Subrouter()
 	publicRouter.Use(bouncer.PublicAccess)
 
@@ -65,7 +65,6 @@ func NewHandler(bouncer security.BouncerService, rateLimiter *security.RateLimit
 	restrictedRouter.Handle("/users", httperror.LoggerHandler(h.userList)).Methods(http.MethodGet)
 
 	authenticatedRouter.Handle("/users/me", httperror.LoggerHandler(h.userInspectMe)).Methods(http.MethodGet)
-	restrictedRouter.Handle("/users/me", httperror.LoggerHandler(h.userInspectMe)).Methods(http.MethodGet)
 	restrictedRouter.Handle("/users/{id}", httperror.LoggerHandler(h.userInspect)).Methods(http.MethodGet)
 	authenticatedRouter.Handle("/users/{id}", httperror.LoggerHandler(h.userUpdate)).Methods(http.MethodPut)
 	adminRouter.Handle("/users/{id}", httperror.LoggerHandler(h.userDelete)).Methods(http.MethodDelete)

api/http/handler/users/user_create_access_token.go

@@ -50,7 +50,7 @@ type accessTokenResponse struct {
 // @produce json
 // @param id path int true "User identifier"
 // @param body body userAccessTokenCreatePayload true "details"
-// @success 200 {object} accessTokenResponse "Created"
+// @success 200 {object} accessTokenResponse "Success"
 // @failure 400 "Invalid request"
 // @failure 401 "Unauthorized"
 // @failure 403 "Permission denied"
@@ -115,7 +115,7 @@ func (handler *Handler) userCreateAccessToken(w http.ResponseWriter, r *http.Req
 		return httperror.InternalServerError("Internal Server Error", err)
 	}
 
-	return response.JSONWithStatus(w, accessTokenResponse{rawAPIKey, *apiKey}, http.StatusCreated)
+	return response.JSONWithStatus(w, accessTokenResponse{rawAPIKey, *apiKey}, http.StatusOK)
 }
 
 func (handler *Handler) usesInternalAuthentication(userid portainer.UserID) (bool, error) {

api/http/handler/users/user_create_access_token_test.go

@@ -60,7 +60,7 @@ func Test_userCreateAccessToken(t *testing.T) {
 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
 
-		is.Equal(http.StatusCreated, rr.Code)
+		is.Equal(http.StatusOK, rr.Code)
 
 		body, err := io.ReadAll(rr.Body)
 		is.NoError(err, "ReadAll should not return error")

api/http/middlewares/panic_logger.go

@@ -0,0 +1,25 @@
+package middlewares
+
+import (
+	"net/http"
+	"runtime/debug"
+
+	"github.com/rs/zerolog/log"
+)
+
+func WithPanicLogger(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		defer func() {
+			if err := recover(); err != nil {
+				log.Error().
+					Any("panic", err).
+					Str("method", req.Method).
+					Str("url", req.URL.String()).
+					Str("stack", string(debug.Stack())).
+					Msg("Panic in request handler")
+			}
+		}()
+
+		next.ServeHTTP(w, req)
+	})
+}

api/http/models/kubernetes/services.go

@@ -35,8 +35,8 @@ type (
 	}
 
 	K8sServiceIngress struct {
-		IP   string `json:"IP"`
-		Host string `json:"Host"`
+		IP       string `json:"IP"`
+		Hostname string `json:"Hostname"`
 	}
 
 	// K8sServiceDeleteRequests is a mapping of namespace names to a slice of

api/http/proxy/factory/docker/volumes.go

@@ -224,7 +224,7 @@ func (transport *Transport) getDockerID() (string, error) {
 	if transport.snapshotService != nil {
 		endpoint := portainer.Endpoint{ID: transport.endpoint.ID}
 
-		if err := transport.snapshotService.FillSnapshotData(&endpoint); err == nil && len(endpoint.Snapshots) > 0 {
+		if err := transport.snapshotService.FillSnapshotData(&endpoint, true); err == nil && len(endpoint.Snapshots) > 0 {
 			if dockerID, err := snapshot.FetchDockerID(endpoint.Snapshots[0]); err == nil {
 				transport.dockerID = dockerID
 				return dockerID, nil

api/http/security/bouncer.go

@@ -243,8 +243,7 @@ func (bouncer *RequestBouncer) mwCheckPortainerAuthorizations(next http.Handler,
 			return
 		}
 
-		_, err = bouncer.dataStore.User().Read(tokenData.ID)
-		if bouncer.dataStore.IsErrObjectNotFound(err) {
+		if ok, err := bouncer.dataStore.User().Exists(tokenData.ID); !ok {
 			httperror.WriteError(w, http.StatusUnauthorized, "Unauthorized", httperrors.ErrUnauthorized)
 			return
 		} else if err != nil {
@@ -322,9 +321,8 @@ func (bouncer *RequestBouncer) mwAuthenticateFirst(tokenLookups []tokenLookup, n
 			return
 		}
 
-		user, _ := bouncer.dataStore.User().Read(token.ID)
-		if user == nil {
-			httperror.WriteError(w, http.StatusUnauthorized, "An authorization token is invalid", httperrors.ErrUnauthorized)
+		if ok, _ := bouncer.dataStore.User().Exists(token.ID); !ok {
+			httperror.WriteError(w, http.StatusUnauthorized, "The authorization token is invalid", httperrors.ErrUnauthorized)
 
 			return
 		}

api/http/server.go

@@ -67,7 +67,7 @@ import (
 	"github.com/portainer/portainer/api/platform"
 	"github.com/portainer/portainer/api/scheduler"
 	"github.com/portainer/portainer/api/stacks/deployments"
-	"github.com/portainer/portainer/pkg/libhelm"
+	libhelmtypes "github.com/portainer/portainer/pkg/libhelm/types"
 
 	"github.com/rs/zerolog/log"
 )
@@ -103,7 +103,7 @@ type Server struct {
 	DockerClientFactory         *dockerclient.ClientFactory
 	KubernetesClientFactory     *cli.ClientFactory
 	KubernetesDeployer          portainer.KubernetesDeployer
-	HelmPackageManager          libhelm.HelmPackageManager
+	HelmPackageManager          libhelmtypes.HelmPackageManager
 	Scheduler                   *scheduler.Scheduler
 	ShutdownCtx                 context.Context
 	ShutdownTrigger             context.CancelFunc
@@ -112,6 +112,7 @@ type Server struct {
 	AdminCreationDone           chan struct{}
 	PendingActionsService       *pendingactions.PendingActionsService
 	PlatformService             platform.Service
+	PullLimitCheckDisabled      bool
 }
 
 // Start starts the HTTP server
@@ -181,6 +182,7 @@ func (server *Server) Start() error {
 	endpointHandler.BindAddress = server.BindAddress
 	endpointHandler.BindAddressHTTPS = server.BindAddressHTTPS
 	endpointHandler.PendingActionsService = server.PendingActionsService
+	endpointHandler.PullLimitCheckDisabled = server.PullLimitCheckDisabled
 
 	var endpointEdgeHandler = endpointedge.NewHandler(requestBouncer, server.DataStore, server.FileService, server.ReverseTunnelService)
 
@@ -335,7 +337,7 @@ func (server *Server) Start() error {
 
 	handler := adminMonitor.WithRedirect(offlineGate.WaitingMiddleware(time.Minute, server.Handler))
 
-	handler = middlewares.WithSlowRequestsLogger(handler)
+	handler = middlewares.WithPanicLogger(middlewares.WithSlowRequestsLogger(handler))
 
 	handler, err := csrf.WithProtect(handler)
 	if err != nil {

api/internal/edge/edgegroup.go

@@ -1,6 +1,8 @@
 package edge
 
 import (
+	"slices"
+
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/internal/endpointutils"
@@ -13,21 +15,19 @@ func EdgeGroupRelatedEndpoints(edgeGroup *portainer.EdgeGroup, endpoints []porta
 		return edgeGroup.Endpoints
 	}
 
+	endpointGroupsMap := map[portainer.EndpointGroupID]*portainer.EndpointGroup{}
+	for i, group := range endpointGroups {
+		endpointGroupsMap[group.ID] = &endpointGroups[i]
+	}
+
 	endpointIDs := []portainer.EndpointID{}
 	for _, endpoint := range endpoints {
 		if !endpointutils.IsEdgeEndpoint(&endpoint) {
 			continue
 		}
 
-		var endpointGroup portainer.EndpointGroup
-		for _, group := range endpointGroups {
-			if endpoint.GroupID == group.ID {
-				endpointGroup = group
-				break
-			}
-		}
-
-		if edgeGroupRelatedToEndpoint(edgeGroup, &endpoint, &endpointGroup) {
+		endpointGroup := endpointGroupsMap[endpoint.GroupID]
+		if edgeGroupRelatedToEndpoint(edgeGroup, &endpoint, endpointGroup) {
 			endpointIDs = append(endpointIDs, endpoint.ID)
 		}
 	}
@@ -72,17 +72,11 @@ func GetEndpointsFromEdgeGroups(edgeGroupIDs []portainer.EdgeGroupID, datastore
 // edgeGroupRelatedToEndpoint returns true if edgeGroup is associated with environment(endpoint)
 func edgeGroupRelatedToEndpoint(edgeGroup *portainer.EdgeGroup, endpoint *portainer.Endpoint, endpointGroup *portainer.EndpointGroup) bool {
 	if !edgeGroup.Dynamic {
-		for _, endpointID := range edgeGroup.Endpoints {
-			if endpoint.ID == endpointID {
-				return true
-			}
-		}
-
-		return false
+		return slices.Contains(edgeGroup.Endpoints, endpoint.ID)
 	}
 
 	endpointTags := tag.Set(endpoint.TagIDs)
-	if endpointGroup.TagIDs != nil {
+	if endpointGroup != nil && endpointGroup.TagIDs != nil {
 		endpointTags = tag.Union(endpointTags, tag.Set(endpointGroup.TagIDs))
 	}
 

api/internal/snapshot/snapshot.go

@@ -170,8 +170,8 @@ func (service *Service) Create(snapshot portainer.Snapshot) error {
 	return service.dataStore.Snapshot().Create(&snapshot)
 }
 
-func (service *Service) FillSnapshotData(endpoint *portainer.Endpoint) error {
-	return FillSnapshotData(service.dataStore, endpoint)
+func (service *Service) FillSnapshotData(endpoint *portainer.Endpoint, includeRaw bool) error {
+	return FillSnapshotData(service.dataStore, endpoint, includeRaw)
 }
 
 func (service *Service) snapshotKubernetesEndpoint(endpoint *portainer.Endpoint) error {
@@ -328,8 +328,16 @@ func FetchDockerID(snapshot portainer.DockerSnapshot) (string, error) {
 	return info.Swarm.Cluster.ID, nil
 }
 
-func FillSnapshotData(tx dataservices.DataStoreTx, endpoint *portainer.Endpoint) error {
-	snapshot, err := tx.Snapshot().Read(endpoint.ID)
+func FillSnapshotData(tx dataservices.DataStoreTx, endpoint *portainer.Endpoint, includeRaw bool) error {
+	var snapshot *portainer.Snapshot
+	var err error
+
+	if includeRaw {
+		snapshot, err = tx.Snapshot().Read(endpoint.ID)
+	} else {
+		snapshot, err = tx.Snapshot().ReadWithoutSnapshotRaw(endpoint.ID)
+	}
+
 	if tx.IsErrObjectNotFound(err) {
 		endpoint.Snapshots = []portainer.DockerSnapshot{}
 		endpoint.Kubernetes.Snapshots = []portainer.KubernetesSnapshot{}

api/internal/testhelpers/datastore.go

@@ -110,9 +110,11 @@ type datastoreOption = func(d *testDatastore)
 func NewDatastore(options ...datastoreOption) *testDatastore {
 	conn, _ := database.NewDatabase("boltdb", "", nil)
 	d := testDatastore{connection: conn}
+
 	for _, o := range options {
 		o(&d)
 	}
+
 	return &d
 }
 
@@ -128,6 +130,7 @@ func (s *stubSettingsService) Settings() (*portainer.Settings, error) {
 
 func (s *stubSettingsService) UpdateSettings(settings *portainer.Settings) error {
 	s.settings = settings
+
 	return nil
 }
 
@@ -140,19 +143,16 @@ func WithSettingsService(settings *portainer.Settings) datastoreOption {
 }
 
 type stubUserService struct {
+	dataservices.UserService
+
 	users []portainer.User
 }
 
-func (s *stubUserService) BucketName() string                                      { return "users" }
-func (s *stubUserService) Read(ID portainer.UserID) (*portainer.User, error)       { return nil, nil }
-func (s *stubUserService) UserByUsername(username string) (*portainer.User, error) { return nil, nil }
-func (s *stubUserService) ReadAll() ([]portainer.User, error)                      { return s.users, nil }
+func (s *stubUserService) BucketName() string                 { return "users" }
+func (s *stubUserService) ReadAll() ([]portainer.User, error) { return s.users, nil }
 func (s *stubUserService) UsersByRole(role portainer.UserRole) ([]portainer.User, error) {
 	return s.users, nil
 }
-func (s *stubUserService) Create(user *portainer.User) error                      { return nil }
-func (s *stubUserService) Update(ID portainer.UserID, user *portainer.User) error { return nil }
-func (s *stubUserService) Delete(ID portainer.UserID) error                       { return nil }
 
 // WithUsers testDatastore option that will instruct testDatastore to return provided users
 func WithUsers(us []portainer.User) datastoreOption {
@@ -162,32 +162,13 @@ func WithUsers(us []portainer.User) datastoreOption {
 }
 
 type stubEdgeJobService struct {
+	dataservices.EdgeJobService
+
 	jobs []portainer.EdgeJob
 }
 
 func (s *stubEdgeJobService) BucketName() string                    { return "edgejobs" }
 func (s *stubEdgeJobService) ReadAll() ([]portainer.EdgeJob, error) { return s.jobs, nil }
-func (s *stubEdgeJobService) Read(ID portainer.EdgeJobID) (*portainer.EdgeJob, error) {
-	return nil, nil
-}
-
-func (s *stubEdgeJobService) Create(edgeJob *portainer.EdgeJob) error {
-	return nil
-}
-
-func (s *stubEdgeJobService) CreateWithID(ID portainer.EdgeJobID, edgeJob *portainer.EdgeJob) error {
-	return nil
-}
-
-func (s *stubEdgeJobService) Update(ID portainer.EdgeJobID, edgeJob *portainer.EdgeJob) error {
-	return nil
-}
-
-func (s *stubEdgeJobService) UpdateEdgeJobFunc(ID portainer.EdgeJobID, updateFunc func(edgeJob *portainer.EdgeJob)) error {
-	return nil
-}
-func (s *stubEdgeJobService) Delete(ID portainer.EdgeJobID) error { return nil }
-func (s *stubEdgeJobService) GetNextIdentifier() int              { return 0 }
 
 // WithEdgeJobs option will instruct testDatastore to return provided jobs
 func WithEdgeJobs(js []portainer.EdgeJob) datastoreOption {
@@ -197,6 +178,8 @@ func WithEdgeJobs(js []portainer.EdgeJob) datastoreOption {
 }
 
 type stubEndpointRelationService struct {
+	dataservices.EndpointRelationService
+
 	relations []portainer.EndpointRelation
 }
 
@@ -215,10 +198,6 @@ func (s *stubEndpointRelationService) EndpointRelation(ID portainer.EndpointID)
 	return nil, errors.ErrObjectNotFound
 }
 
-func (s *stubEndpointRelationService) Create(EndpointRelation *portainer.EndpointRelation) error {
-	return nil
-}
-
 func (s *stubEndpointRelationService) UpdateEndpointRelation(ID portainer.EndpointID, relation *portainer.EndpointRelation) error {
 	for i, r := range s.relations {
 		if r.EndpointID == ID {
@@ -253,11 +232,6 @@ func (s *stubEndpointRelationService) RemoveEndpointRelationsForEdgeStack(endpoi
 	return nil
 }
 
-func (s *stubEndpointRelationService) DeleteEndpointRelation(ID portainer.EndpointID) error {
-	return nil
-}
-func (s *stubEndpointRelationService) GetNextIdentifier() int { return 0 }
-
 // WithEndpointRelations option will instruct testDatastore to return provided jobs
 func WithEndpointRelations(relations []portainer.EndpointRelation) datastoreOption {
 	return func(d *testDatastore) {
@@ -356,6 +330,7 @@ func (s *stubEndpointService) EndpointsByTeamID(teamID portainer.TeamID) ([]port
 			}
 		}
 	}
+
 	return endpoints, nil
 }
 
@@ -367,29 +342,19 @@ func WithEndpoints(endpoints []portainer.Endpoint) datastoreOption {
 }
 
 type stubStacksService struct {
+	dataservices.StackService
 	stacks []portainer.Stack
 }
 
 func (s *stubStacksService) BucketName() string { return "stacks" }
 
-func (s *stubStacksService) Create(stack *portainer.Stack) error {
-	return nil
-}
-
-func (s *stubStacksService) Update(ID portainer.StackID, stack *portainer.Stack) error {
-	return nil
-}
-
-func (s *stubStacksService) Delete(ID portainer.StackID) error {
-	return nil
-}
-
 func (s *stubStacksService) Read(ID portainer.StackID) (*portainer.Stack, error) {
 	for _, stack := range s.stacks {
 		if stack.ID == ID {
 			return &stack, nil
 		}
 	}
+
 	return nil, errors.ErrObjectNotFound
 }
 
@@ -405,6 +370,7 @@ func (s *stubStacksService) StacksByEndpointID(endpointID portainer.EndpointID)
 			result = append(result, stack)
 		}
 	}
+
 	return result, nil
 }
 
@@ -416,6 +382,7 @@ func (s *stubStacksService) RefreshableStacks() ([]portainer.Stack, error) {
 			result = append(result, stack)
 		}
 	}
+
 	return result, nil
 }
 
@@ -425,6 +392,7 @@ func (s *stubStacksService) StackByName(name string) (*portainer.Stack, error) {
 			return &stack, nil
 		}
 	}
+
 	return nil, errors.ErrObjectNotFound
 }
 
@@ -436,6 +404,7 @@ func (s *stubStacksService) StacksByName(name string) ([]portainer.Stack, error)
 			result = append(result, stack)
 		}
 	}
+
 	return result, nil
 }
 
@@ -445,6 +414,7 @@ func (s *stubStacksService) StackByWebhookID(webhookID string) (*portainer.Stack
 			return &stack, nil
 		}
 	}
+
 	return nil, errors.ErrObjectNotFound
 }
 
@@ -452,6 +422,10 @@ func (s *stubStacksService) GetNextIdentifier() int {
 	return len(s.stacks)
 }
 
+func (s *stubStacksService) Exists(ID portainer.StackID) (bool, error) {
+	return false, nil
+}
+
 // WithStacks option will instruct testDatastore to return provided stacks
 func WithStacks(stacks []portainer.Stack) datastoreOption {
 	return func(d *testDatastore) {

api/kubernetes/cli/applications.go

@@ -12,45 +12,58 @@ import (
 	labels "k8s.io/apimachinery/pkg/labels"
 )
 
+// PortainerApplicationResources contains collections of various Kubernetes resources
+// associated with a Portainer application.
+type PortainerApplicationResources struct {
+	Pods                     []corev1.Pod
+	ReplicaSets              []appsv1.ReplicaSet
+	Deployments              []appsv1.Deployment
+	StatefulSets             []appsv1.StatefulSet
+	DaemonSets               []appsv1.DaemonSet
+	Services                 []corev1.Service
+	HorizontalPodAutoscalers []autoscalingv2.HorizontalPodAutoscaler
+}
+
 // GetAllKubernetesApplications gets a list of kubernetes workloads (or applications) across all namespaces in the cluster
 // if the user is an admin, all namespaces in the current k8s environment(endpoint) are fetched using the fetchApplications function.
 // otherwise, namespaces the non-admin user has access to will be used to filter the applications based on the allowed namespaces.
-func (kcl *KubeClient) GetApplications(namespace, nodeName string, withDependencies bool) ([]models.K8sApplication, error) {
+func (kcl *KubeClient) GetApplications(namespace, nodeName string) ([]models.K8sApplication, error) {
 	if kcl.IsKubeAdmin {
-		return kcl.fetchApplications(namespace, nodeName, withDependencies)
+		return kcl.fetchApplications(namespace, nodeName)
 	}
 
-	return kcl.fetchApplicationsForNonAdmin(namespace, nodeName, withDependencies)
+	return kcl.fetchApplicationsForNonAdmin(namespace, nodeName)
 }
 
 // fetchApplications fetches the applications in the namespaces the user has access to.
 // This function is called when the user is an admin.
-func (kcl *KubeClient) fetchApplications(namespace, nodeName string, withDependencies bool) ([]models.K8sApplication, error) {
+func (kcl *KubeClient) fetchApplications(namespace, nodeName string) ([]models.K8sApplication, error) {
 	podListOptions := metav1.ListOptions{}
 	if nodeName != "" {
 		podListOptions.FieldSelector = "spec.nodeName=" + nodeName
 	}
-	if !withDependencies {
-		// TODO: make sure not to fetch services in fetchAllApplicationsListResources from this call
-		pods, replicaSets, deployments, statefulSets, daemonSets, _, _, err := kcl.fetchAllApplicationsListResources(namespace, podListOptions)
-		if err != nil {
-			return nil, err
-		}
 
-		return kcl.convertPodsToApplications(pods, replicaSets, deployments, statefulSets, daemonSets, nil, nil)
-	}
-
-	pods, replicaSets, deployments, statefulSets, daemonSets, services, hpas, err := kcl.fetchAllApplicationsListResources(namespace, podListOptions)
+	portainerApplicationResources, err := kcl.fetchAllApplicationsListResources(namespace, podListOptions)
 	if err != nil {
 		return nil, err
 	}
 
-	return kcl.convertPodsToApplications(pods, replicaSets, deployments, statefulSets, daemonSets, services, hpas)
+	applications, err := kcl.convertPodsToApplications(portainerApplicationResources)
+	if err != nil {
+		return nil, err
+	}
+
+	unhealthyApplications, err := fetchUnhealthyApplications(portainerApplicationResources)
+	if err != nil {
+		return nil, err
+	}
+
+	return append(applications, unhealthyApplications...), nil
 }
 
 // fetchApplicationsForNonAdmin fetches the applications in the namespaces the user has access to.
 // This function is called when the user is not an admin.
-func (kcl *KubeClient) fetchApplicationsForNonAdmin(namespace, nodeName string, withDependencies bool) ([]models.K8sApplication, error) {
+func (kcl *KubeClient) fetchApplicationsForNonAdmin(namespace, nodeName string) ([]models.K8sApplication, error) {
 	log.Debug().Msgf("Fetching applications for non-admin user: %v", kcl.NonAdminNamespaces)
 
 	if len(kcl.NonAdminNamespaces) == 0 {
@@ -62,28 +75,24 @@ func (kcl *KubeClient) fetchApplicationsForNonAdmin(namespace, nodeName string,
 		podListOptions.FieldSelector = "spec.nodeName=" + nodeName
 	}
 
-	if !withDependencies {
-		pods, replicaSets, _, _, _, _, _, err := kcl.fetchAllPodsAndReplicaSets(namespace, podListOptions)
-		if err != nil {
-			return nil, err
-		}
-
-		return kcl.convertPodsToApplications(pods, replicaSets, nil, nil, nil, nil, nil)
-	}
-
-	pods, replicaSets, deployments, statefulSets, daemonSets, services, hpas, err := kcl.fetchAllApplicationsListResources(namespace, podListOptions)
+	portainerApplicationResources, err := kcl.fetchAllApplicationsListResources(namespace, podListOptions)
 	if err != nil {
 		return nil, err
 	}
 
-	applications, err := kcl.convertPodsToApplications(pods, replicaSets, deployments, statefulSets, daemonSets, services, hpas)
+	applications, err := kcl.convertPodsToApplications(portainerApplicationResources)
+	if err != nil {
+		return nil, err
+	}
+
+	unhealthyApplications, err := fetchUnhealthyApplications(portainerApplicationResources)
 	if err != nil {
 		return nil, err
 	}
 
 	nonAdminNamespaceSet := kcl.buildNonAdminNamespacesMap()
 	results := make([]models.K8sApplication, 0)
-	for _, application := range applications {
+	for _, application := range append(applications, unhealthyApplications...) {
 		if _, ok := nonAdminNamespaceSet[application.ResourcePool]; ok {
 			results = append(results, application)
 		}
@@ -93,11 +102,11 @@ func (kcl *KubeClient) fetchApplicationsForNonAdmin(namespace, nodeName string,
 }
 
 // convertPodsToApplications processes pods and converts them to applications, ensuring uniqueness by owner reference.
-func (kcl *KubeClient) convertPodsToApplications(pods []corev1.Pod, replicaSets []appsv1.ReplicaSet, deployments []appsv1.Deployment, statefulSets []appsv1.StatefulSet, daemonSets []appsv1.DaemonSet, services []corev1.Service, hpas []autoscalingv2.HorizontalPodAutoscaler) ([]models.K8sApplication, error) {
+func (kcl *KubeClient) convertPodsToApplications(portainerApplicationResources PortainerApplicationResources) ([]models.K8sApplication, error) {
 	applications := []models.K8sApplication{}
 	processedOwners := make(map[string]struct{})
 
-	for _, pod := range pods {
+	for _, pod := range portainerApplicationResources.Pods {
 		if len(pod.OwnerReferences) > 0 {
 			ownerUID := string(pod.OwnerReferences[0].UID)
 			if _, exists := processedOwners[ownerUID]; exists {
@@ -106,7 +115,7 @@ func (kcl *KubeClient) convertPodsToApplications(pods []corev1.Pod, replicaSets
 			processedOwners[ownerUID] = struct{}{}
 		}
 
-		application, err := kcl.ConvertPodToApplication(pod, replicaSets, deployments, statefulSets, daemonSets, services, hpas, true)
+		application, err := kcl.ConvertPodToApplication(pod, portainerApplicationResources, true)
 		if err != nil {
 			return nil, err
 		}
@@ -144,49 +153,13 @@ func (kcl *KubeClient) GetApplicationsResource(namespace, node string) (models.K
 	return resource, nil
 }
 
-// GetApplicationsFromConfigMap gets a list of applications that use a specific ConfigMap
-// by checking all pods in the same namespace as the ConfigMap
-func (kcl *KubeClient) GetApplicationNamesFromConfigMap(configMap models.K8sConfigMap, pods []corev1.Pod, replicaSets []appsv1.ReplicaSet) ([]string, error) {
-	applications := []string{}
-	for _, pod := range pods {
-		if pod.Namespace == configMap.Namespace {
-			if isPodUsingConfigMap(&pod, configMap.Name) {
-				application, err := kcl.ConvertPodToApplication(pod, replicaSets, nil, nil, nil, nil, nil, false)
-				if err != nil {
-					return nil, err
-				}
-				applications = append(applications, application.Name)
-			}
-		}
-	}
-
-	return applications, nil
-}
-
-func (kcl *KubeClient) GetApplicationNamesFromSecret(secret models.K8sSecret, pods []corev1.Pod, replicaSets []appsv1.ReplicaSet) ([]string, error) {
-	applications := []string{}
-	for _, pod := range pods {
-		if pod.Namespace == secret.Namespace {
-			if isPodUsingSecret(&pod, secret.Name) {
-				application, err := kcl.ConvertPodToApplication(pod, replicaSets, nil, nil, nil, nil, nil, false)
-				if err != nil {
-					return nil, err
-				}
-				applications = append(applications, application.Name)
-			}
-		}
-	}
-
-	return applications, nil
-}
-
 // ConvertPodToApplication converts a pod to an application, updating owner references if necessary
-func (kcl *KubeClient) ConvertPodToApplication(pod corev1.Pod, replicaSets []appsv1.ReplicaSet, deployments []appsv1.Deployment, statefulSets []appsv1.StatefulSet, daemonSets []appsv1.DaemonSet, services []corev1.Service, hpas []autoscalingv2.HorizontalPodAutoscaler, withResource bool) (*models.K8sApplication, error) {
+func (kcl *KubeClient) ConvertPodToApplication(pod corev1.Pod, portainerApplicationResources PortainerApplicationResources, withResource bool) (*models.K8sApplication, error) {
 	if isReplicaSetOwner(pod) {
-		updateOwnerReferenceToDeployment(&pod, replicaSets)
+		updateOwnerReferenceToDeployment(&pod, portainerApplicationResources.ReplicaSets)
 	}
 
-	application := createApplication(&pod, deployments, statefulSets, daemonSets, services, hpas)
+	application := createApplicationFromPod(&pod, portainerApplicationResources)
 	if application.ID == "" && application.Name == "" {
 		return nil, nil
 	}
@@ -203,9 +176,9 @@ func (kcl *KubeClient) ConvertPodToApplication(pod corev1.Pod, replicaSets []app
 	return &application, nil
 }
 
-// createApplication creates a K8sApplication object from a pod
+// createApplicationFromPod creates a K8sApplication object from a pod
 // it sets the application name, namespace, kind, image, stack id, stack name, and labels
-func createApplication(pod *corev1.Pod, deployments []appsv1.Deployment, statefulSets []appsv1.StatefulSet, daemonSets []appsv1.DaemonSet, services []corev1.Service, hpas []autoscalingv2.HorizontalPodAutoscaler) models.K8sApplication {
+func createApplicationFromPod(pod *corev1.Pod, portainerApplicationResources PortainerApplicationResources) models.K8sApplication {
 	kind := "Pod"
 	name := pod.Name
 
@@ -221,120 +194,172 @@ func createApplication(pod *corev1.Pod, deployments []appsv1.Deployment, statefu
 
 	switch kind {
 	case "Deployment":
-		for _, deployment := range deployments {
+		for _, deployment := range portainerApplicationResources.Deployments {
 			if deployment.Name == name && deployment.Namespace == pod.Namespace {
-				application.ApplicationType = "Deployment"
-				application.Kind = "Deployment"
-				application.ID = string(deployment.UID)
-				application.ResourcePool = deployment.Namespace
-				application.Name = name
-				application.Image = deployment.Spec.Template.Spec.Containers[0].Image
-				application.ApplicationOwner = deployment.Labels["io.portainer.kubernetes.application.owner"]
-				application.StackID = deployment.Labels["io.portainer.kubernetes.application.stackid"]
-				application.StackName = deployment.Labels["io.portainer.kubernetes.application.stack"]
-				application.Labels = deployment.Labels
-				application.MatchLabels = deployment.Spec.Selector.MatchLabels
-				application.CreationDate = deployment.CreationTimestamp.Time
-				application.TotalPodsCount = int(deployment.Status.Replicas)
-				application.RunningPodsCount = int(deployment.Status.ReadyReplicas)
-				application.DeploymentType = "Replicated"
-				application.Metadata = &models.Metadata{
-					Labels: deployment.Labels,
-				}
-
+				populateApplicationFromDeployment(&application, deployment)
 				break
 			}
 		}
-
 	case "StatefulSet":
-		for _, statefulSet := range statefulSets {
+		for _, statefulSet := range portainerApplicationResources.StatefulSets {
 			if statefulSet.Name == name && statefulSet.Namespace == pod.Namespace {
-				application.Kind = "StatefulSet"
-				application.ApplicationType = "StatefulSet"
-				application.ID = string(statefulSet.UID)
-				application.ResourcePool = statefulSet.Namespace
-				application.Name = name
-				application.Image = statefulSet.Spec.Template.Spec.Containers[0].Image
-				application.ApplicationOwner = statefulSet.Labels["io.portainer.kubernetes.application.owner"]
-				application.StackID = statefulSet.Labels["io.portainer.kubernetes.application.stackid"]
-				application.StackName = statefulSet.Labels["io.portainer.kubernetes.application.stack"]
-				application.Labels = statefulSet.Labels
-				application.MatchLabels = statefulSet.Spec.Selector.MatchLabels
-				application.CreationDate = statefulSet.CreationTimestamp.Time
-				application.TotalPodsCount = int(statefulSet.Status.Replicas)
-				application.RunningPodsCount = int(statefulSet.Status.ReadyReplicas)
-				application.DeploymentType = "Replicated"
-				application.Metadata = &models.Metadata{
-					Labels: statefulSet.Labels,
-				}
-
+				populateApplicationFromStatefulSet(&application, statefulSet)
 				break
 			}
 		}
-
 	case "DaemonSet":
-		for _, daemonSet := range daemonSets {
+		for _, daemonSet := range portainerApplicationResources.DaemonSets {
 			if daemonSet.Name == name && daemonSet.Namespace == pod.Namespace {
-				application.Kind = "DaemonSet"
-				application.ApplicationType = "DaemonSet"
-				application.ID = string(daemonSet.UID)
-				application.ResourcePool = daemonSet.Namespace
-				application.Name = name
-				application.Image = daemonSet.Spec.Template.Spec.Containers[0].Image
-				application.ApplicationOwner = daemonSet.Labels["io.portainer.kubernetes.application.owner"]
-				application.StackID = daemonSet.Labels["io.portainer.kubernetes.application.stackid"]
-				application.StackName = daemonSet.Labels["io.portainer.kubernetes.application.stack"]
-				application.Labels = daemonSet.Labels
-				application.MatchLabels = daemonSet.Spec.Selector.MatchLabels
-				application.CreationDate = daemonSet.CreationTimestamp.Time
-				application.TotalPodsCount = int(daemonSet.Status.DesiredNumberScheduled)
-				application.RunningPodsCount = int(daemonSet.Status.NumberReady)
-				application.DeploymentType = "Global"
-				application.Metadata = &models.Metadata{
-					Labels: daemonSet.Labels,
-				}
-
+				populateApplicationFromDaemonSet(&application, daemonSet)
 				break
 			}
 		}
-
 	case "Pod":
-		runningPodsCount := 1
-		if pod.Status.Phase != corev1.PodRunning {
-			runningPodsCount = 0
-		}
-
-		application.ApplicationType = "Pod"
-		application.Kind = "Pod"
-		application.ID = string(pod.UID)
-		application.ResourcePool = pod.Namespace
-		application.Name = pod.Name
-		application.Image = pod.Spec.Containers[0].Image
-		application.ApplicationOwner = pod.Labels["io.portainer.kubernetes.application.owner"]
-		application.StackID = pod.Labels["io.portainer.kubernetes.application.stackid"]
-		application.StackName = pod.Labels["io.portainer.kubernetes.application.stack"]
-		application.Labels = pod.Labels
-		application.MatchLabels = pod.Labels
-		application.CreationDate = pod.CreationTimestamp.Time
-		application.TotalPodsCount = 1
-		application.RunningPodsCount = runningPodsCount
-		application.DeploymentType = string(pod.Status.Phase)
-		application.Metadata = &models.Metadata{
-			Labels: pod.Labels,
-		}
+		populateApplicationFromPod(&application, *pod)
 	}
 
-	if application.ID != "" && application.Name != "" && len(services) > 0 {
-		updateApplicationWithService(&application, services)
+	if application.ID != "" && application.Name != "" && len(portainerApplicationResources.Services) > 0 {
+		updateApplicationWithService(&application, portainerApplicationResources.Services)
 	}
 
-	if application.ID != "" && application.Name != "" && len(hpas) > 0 {
-		updateApplicationWithHorizontalPodAutoscaler(&application, hpas)
+	if application.ID != "" && application.Name != "" && len(portainerApplicationResources.HorizontalPodAutoscalers) > 0 {
+		updateApplicationWithHorizontalPodAutoscaler(&application, portainerApplicationResources.HorizontalPodAutoscalers)
 	}
 
 	return application
 }
 
+// createApplicationFromDeployment creates a K8sApplication from a Deployment
+func createApplicationFromDeployment(deployment appsv1.Deployment) models.K8sApplication {
+	var app models.K8sApplication
+	populateApplicationFromDeployment(&app, deployment)
+	return app
+}
+
+// createApplicationFromStatefulSet creates a K8sApplication from a StatefulSet
+func createApplicationFromStatefulSet(statefulSet appsv1.StatefulSet) models.K8sApplication {
+	var app models.K8sApplication
+	populateApplicationFromStatefulSet(&app, statefulSet)
+	return app
+}
+
+// createApplicationFromDaemonSet creates a K8sApplication from a DaemonSet
+func createApplicationFromDaemonSet(daemonSet appsv1.DaemonSet) models.K8sApplication {
+	var app models.K8sApplication
+	populateApplicationFromDaemonSet(&app, daemonSet)
+	return app
+}
+
+func populateApplicationFromDeployment(application *models.K8sApplication, deployment appsv1.Deployment) {
+	application.ApplicationType = "Deployment"
+	application.Kind = "Deployment"
+	application.ID = string(deployment.UID)
+	application.ResourcePool = deployment.Namespace
+	application.Name = deployment.Name
+	application.ApplicationOwner = deployment.Labels["io.portainer.kubernetes.application.owner"]
+	application.StackID = deployment.Labels["io.portainer.kubernetes.application.stackid"]
+	application.StackName = deployment.Labels["io.portainer.kubernetes.application.stack"]
+	application.Labels = deployment.Labels
+	application.MatchLabels = deployment.Spec.Selector.MatchLabels
+	application.CreationDate = deployment.CreationTimestamp.Time
+	application.TotalPodsCount = 0
+	if deployment.Spec.Replicas != nil {
+		application.TotalPodsCount = int(*deployment.Spec.Replicas)
+	}
+	application.RunningPodsCount = int(deployment.Status.ReadyReplicas)
+	application.DeploymentType = "Replicated"
+	application.Metadata = &models.Metadata{
+		Labels: deployment.Labels,
+	}
+
+	// If the deployment has containers, use the first container's image
+	if len(deployment.Spec.Template.Spec.Containers) > 0 {
+		application.Image = deployment.Spec.Template.Spec.Containers[0].Image
+	}
+}
+
+func populateApplicationFromStatefulSet(application *models.K8sApplication, statefulSet appsv1.StatefulSet) {
+	application.Kind = "StatefulSet"
+	application.ApplicationType = "StatefulSet"
+	application.ID = string(statefulSet.UID)
+	application.ResourcePool = statefulSet.Namespace
+	application.Name = statefulSet.Name
+	application.ApplicationOwner = statefulSet.Labels["io.portainer.kubernetes.application.owner"]
+	application.StackID = statefulSet.Labels["io.portainer.kubernetes.application.stackid"]
+	application.StackName = statefulSet.Labels["io.portainer.kubernetes.application.stack"]
+	application.Labels = statefulSet.Labels
+	application.MatchLabels = statefulSet.Spec.Selector.MatchLabels
+	application.CreationDate = statefulSet.CreationTimestamp.Time
+	application.TotalPodsCount = 0
+	if statefulSet.Spec.Replicas != nil {
+		application.TotalPodsCount = int(*statefulSet.Spec.Replicas)
+	}
+	application.RunningPodsCount = int(statefulSet.Status.ReadyReplicas)
+	application.DeploymentType = "Replicated"
+	application.Metadata = &models.Metadata{
+		Labels: statefulSet.Labels,
+	}
+
+	// If the statefulSet has containers, use the first container's image
+	if len(statefulSet.Spec.Template.Spec.Containers) > 0 {
+		application.Image = statefulSet.Spec.Template.Spec.Containers[0].Image
+	}
+}
+
+func populateApplicationFromDaemonSet(application *models.K8sApplication, daemonSet appsv1.DaemonSet) {
+	application.Kind = "DaemonSet"
+	application.ApplicationType = "DaemonSet"
+	application.ID = string(daemonSet.UID)
+	application.ResourcePool = daemonSet.Namespace
+	application.Name = daemonSet.Name
+	application.ApplicationOwner = daemonSet.Labels["io.portainer.kubernetes.application.owner"]
+	application.StackID = daemonSet.Labels["io.portainer.kubernetes.application.stackid"]
+	application.StackName = daemonSet.Labels["io.portainer.kubernetes.application.stack"]
+	application.Labels = daemonSet.Labels
+	application.MatchLabels = daemonSet.Spec.Selector.MatchLabels
+	application.CreationDate = daemonSet.CreationTimestamp.Time
+	application.TotalPodsCount = int(daemonSet.Status.DesiredNumberScheduled)
+	application.RunningPodsCount = int(daemonSet.Status.NumberReady)
+	application.DeploymentType = "Global"
+	application.Metadata = &models.Metadata{
+		Labels: daemonSet.Labels,
+	}
+
+	if len(daemonSet.Spec.Template.Spec.Containers) > 0 {
+		application.Image = daemonSet.Spec.Template.Spec.Containers[0].Image
+	}
+}
+
+func populateApplicationFromPod(application *models.K8sApplication, pod corev1.Pod) {
+	runningPodsCount := 1
+	if pod.Status.Phase != corev1.PodRunning {
+		runningPodsCount = 0
+	}
+
+	application.ApplicationType = "Pod"
+	application.Kind = "Pod"
+	application.ID = string(pod.UID)
+	application.ResourcePool = pod.Namespace
+	application.Name = pod.Name
+	application.ApplicationOwner = pod.Labels["io.portainer.kubernetes.application.owner"]
+	application.StackID = pod.Labels["io.portainer.kubernetes.application.stackid"]
+	application.StackName = pod.Labels["io.portainer.kubernetes.application.stack"]
+	application.Labels = pod.Labels
+	application.MatchLabels = pod.Labels
+	application.CreationDate = pod.CreationTimestamp.Time
+	application.TotalPodsCount = 1
+	application.RunningPodsCount = runningPodsCount
+	application.DeploymentType = string(pod.Status.Phase)
+	application.Metadata = &models.Metadata{
+		Labels: pod.Labels,
+	}
+
+	// If the pod has containers, use the first container's image
+	if len(pod.Spec.Containers) > 0 {
+		application.Image = pod.Spec.Containers[0].Image
+	}
+}
+
 // updateApplicationWithService updates the application with the services that match the application's selector match labels
 // and are in the same namespace as the application
 func updateApplicationWithService(application *models.K8sApplication, services []corev1.Service) {
@@ -408,21 +433,23 @@ func (kcl *KubeClient) GetApplicationFromServiceSelector(pods []corev1.Pod, serv
 func (kcl *KubeClient) GetApplicationConfigurationOwnersFromConfigMap(configMap models.K8sConfigMap, pods []corev1.Pod, replicaSets []appsv1.ReplicaSet) ([]models.K8sConfigurationOwnerResource, error) {
 	configurationOwners := []models.K8sConfigurationOwnerResource{}
 	for _, pod := range pods {
-		if pod.Namespace == configMap.Namespace {
-			if isPodUsingConfigMap(&pod, configMap.Name) {
-				application, err := kcl.ConvertPodToApplication(pod, replicaSets, nil, nil, nil, nil, nil, false)
-				if err != nil {
-					return nil, err
-				}
+		if isPodUsingConfigMap(&pod, configMap) {
+			kind := "Pod"
+			name := pod.Name
 
-				if application != nil {
-					configurationOwners = append(configurationOwners, models.K8sConfigurationOwnerResource{
-						Name:         application.Name,
-						ResourceKind: application.Kind,
-						Id:           application.UID,
-					})
-				}
+			if len(pod.OwnerReferences) > 0 {
+				kind = pod.OwnerReferences[0].Kind
+				name = pod.OwnerReferences[0].Name
 			}
+
+			if isReplicaSetOwner(pod) {
+				updateOwnerReferenceToDeployment(&pod, replicaSets)
+			}
+
+			configurationOwners = append(configurationOwners, models.K8sConfigurationOwnerResource{
+				Name:         name,
+				ResourceKind: kind,
+			})
 		}
 	}
 
@@ -434,23 +461,106 @@ func (kcl *KubeClient) GetApplicationConfigurationOwnersFromConfigMap(configMap
 func (kcl *KubeClient) GetApplicationConfigurationOwnersFromSecret(secret models.K8sSecret, pods []corev1.Pod, replicaSets []appsv1.ReplicaSet) ([]models.K8sConfigurationOwnerResource, error) {
 	configurationOwners := []models.K8sConfigurationOwnerResource{}
 	for _, pod := range pods {
-		if pod.Namespace == secret.Namespace {
-			if isPodUsingSecret(&pod, secret.Name) {
-				application, err := kcl.ConvertPodToApplication(pod, replicaSets, nil, nil, nil, nil, nil, false)
-				if err != nil {
-					return nil, err
-				}
+		if isPodUsingSecret(&pod, secret) {
+			kind := "Pod"
+			name := pod.Name
 
-				if application != nil {
-					configurationOwners = append(configurationOwners, models.K8sConfigurationOwnerResource{
-						Name:         application.Name,
-						ResourceKind: application.Kind,
-						Id:           application.UID,
-					})
-				}
+			if len(pod.OwnerReferences) > 0 {
+				kind = pod.OwnerReferences[0].Kind
+				name = pod.OwnerReferences[0].Name
 			}
+
+			if isReplicaSetOwner(pod) {
+				updateOwnerReferenceToDeployment(&pod, replicaSets)
+			}
+
+			configurationOwners = append(configurationOwners, models.K8sConfigurationOwnerResource{
+				Name:         name,
+				ResourceKind: kind,
+			})
 		}
 	}
 
 	return configurationOwners, nil
 }
+
+// fetchUnhealthyApplications fetches applications that failed to schedule any pods
+// due to issues like missing resource limits or other scheduling constraints
+func fetchUnhealthyApplications(resources PortainerApplicationResources) ([]models.K8sApplication, error) {
+	var unhealthyApplications []models.K8sApplication
+
+	// Process Deployments
+	for _, deployment := range resources.Deployments {
+		if hasNoScheduledPods(deployment) {
+			app := createApplicationFromDeployment(deployment)
+			addRelatedResourcesToApplication(&app, resources)
+			unhealthyApplications = append(unhealthyApplications, app)
+		}
+	}
+
+	// Process StatefulSets
+	for _, statefulSet := range resources.StatefulSets {
+		if hasNoScheduledPods(statefulSet) {
+			app := createApplicationFromStatefulSet(statefulSet)
+			addRelatedResourcesToApplication(&app, resources)
+			unhealthyApplications = append(unhealthyApplications, app)
+		}
+	}
+
+	// Process DaemonSets
+	for _, daemonSet := range resources.DaemonSets {
+		if hasNoScheduledPods(daemonSet) {
+			app := createApplicationFromDaemonSet(daemonSet)
+			addRelatedResourcesToApplication(&app, resources)
+			unhealthyApplications = append(unhealthyApplications, app)
+		}
+	}
+
+	return unhealthyApplications, nil
+}
+
+// addRelatedResourcesToApplication adds Services and HPA information to the application
+func addRelatedResourcesToApplication(app *models.K8sApplication, resources PortainerApplicationResources) {
+	if app.ID == "" || app.Name == "" {
+		return
+	}
+
+	if len(resources.Services) > 0 {
+		updateApplicationWithService(app, resources.Services)
+	}
+
+	if len(resources.HorizontalPodAutoscalers) > 0 {
+		updateApplicationWithHorizontalPodAutoscaler(app, resources.HorizontalPodAutoscalers)
+	}
+}
+
+// hasNoScheduledPods checks if a workload has completely failed to schedule any pods
+// it checks for no replicas desired, i.e. nothing to schedule and see if any pods are running
+// if any pods exist at all (even if not ready), it returns false
+func hasNoScheduledPods(obj interface{}) bool {
+	switch resource := obj.(type) {
+	case appsv1.Deployment:
+		if resource.Status.Replicas > 0 {
+			return false
+		}
+
+		return resource.Status.ReadyReplicas == 0 && resource.Status.AvailableReplicas == 0
+
+	case appsv1.StatefulSet:
+		if resource.Status.Replicas > 0 {
+			return false
+		}
+
+		return resource.Status.ReadyReplicas == 0 && resource.Status.CurrentReplicas == 0
+
+	case appsv1.DaemonSet:
+		if resource.Status.CurrentNumberScheduled > 0 || resource.Status.NumberMisscheduled > 0 {
+			return false
+		}
+
+		return resource.Status.NumberReady == 0 && resource.Status.DesiredNumberScheduled > 0
+
+	default:
+		return false
+	}
+}

api/kubernetes/cli/applications_test.go

@@ -0,0 +1,461 @@
+package cli
+
+import (
+	"context"
+	"testing"
+
+	models "github.com/portainer/portainer/api/http/models/kubernetes"
+	"github.com/stretchr/testify/assert"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/kubernetes/fake"
+)
+
+// Helper functions to create test resources
+func createTestDeployment(name, namespace string, replicas int32) *appsv1.Deployment {
+	return &appsv1.Deployment{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+			UID:       types.UID("deploy-" + name),
+			Labels: map[string]string{
+				"app": name,
+			},
+		},
+		Spec: appsv1.DeploymentSpec{
+			Replicas: &replicas,
+			Selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"app": name,
+				},
+			},
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{
+						"app": name,
+					},
+				},
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name:  name,
+							Image: "nginx:latest",
+							Resources: corev1.ResourceRequirements{
+								Limits:   corev1.ResourceList{},
+								Requests: corev1.ResourceList{},
+							},
+						},
+					},
+				},
+			},
+		},
+		Status: appsv1.DeploymentStatus{
+			Replicas:      replicas,
+			ReadyReplicas: replicas,
+		},
+	}
+}
+
+func createTestReplicaSet(name, namespace, deploymentName string) *appsv1.ReplicaSet {
+	return &appsv1.ReplicaSet{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+			UID:       types.UID("rs-" + name),
+			OwnerReferences: []metav1.OwnerReference{
+				{
+					Kind: "Deployment",
+					Name: deploymentName,
+					UID:  types.UID("deploy-" + deploymentName),
+				},
+			},
+		},
+		Spec: appsv1.ReplicaSetSpec{
+			Selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"app": deploymentName,
+				},
+			},
+		},
+	}
+}
+
+func createTestStatefulSet(name, namespace string, replicas int32) *appsv1.StatefulSet {
+	return &appsv1.StatefulSet{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+			UID:       types.UID("sts-" + name),
+			Labels: map[string]string{
+				"app": name,
+			},
+		},
+		Spec: appsv1.StatefulSetSpec{
+			Replicas: &replicas,
+			Selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"app": name,
+				},
+			},
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{
+						"app": name,
+					},
+				},
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name:  name,
+							Image: "redis:latest",
+							Resources: corev1.ResourceRequirements{
+								Limits:   corev1.ResourceList{},
+								Requests: corev1.ResourceList{},
+							},
+						},
+					},
+				},
+			},
+		},
+		Status: appsv1.StatefulSetStatus{
+			Replicas:      replicas,
+			ReadyReplicas: replicas,
+		},
+	}
+}
+
+func createTestDaemonSet(name, namespace string) *appsv1.DaemonSet {
+	return &appsv1.DaemonSet{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+			UID:       types.UID("ds-" + name),
+			Labels: map[string]string{
+				"app": name,
+			},
+		},
+		Spec: appsv1.DaemonSetSpec{
+			Selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"app": name,
+				},
+			},
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{
+						"app": name,
+					},
+				},
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name:  name,
+							Image: "fluentd:latest",
+							Resources: corev1.ResourceRequirements{
+								Limits:   corev1.ResourceList{},
+								Requests: corev1.ResourceList{},
+							},
+						},
+					},
+				},
+			},
+		},
+		Status: appsv1.DaemonSetStatus{
+			DesiredNumberScheduled: 2,
+			NumberReady:            2,
+		},
+	}
+}
+
+func createTestPod(name, namespace, ownerKind, ownerName string, isRunning bool) *corev1.Pod {
+	phase := corev1.PodPending
+	if isRunning {
+		phase = corev1.PodRunning
+	}
+
+	var ownerReferences []metav1.OwnerReference
+	if ownerKind != "" && ownerName != "" {
+		ownerReferences = []metav1.OwnerReference{
+			{
+				Kind: ownerKind,
+				Name: ownerName,
+				UID:  types.UID(ownerKind + "-" + ownerName),
+			},
+		}
+	}
+
+	return &corev1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:            name,
+			Namespace:       namespace,
+			UID:             types.UID("pod-" + name),
+			OwnerReferences: ownerReferences,
+			Labels: map[string]string{
+				"app": ownerName,
+			},
+		},
+		Spec: corev1.PodSpec{
+			Containers: []corev1.Container{
+				{
+					Name:  "container-" + name,
+					Image: "busybox:latest",
+					Resources: corev1.ResourceRequirements{
+						Limits:   corev1.ResourceList{},
+						Requests: corev1.ResourceList{},
+					},
+				},
+			},
+		},
+		Status: corev1.PodStatus{
+			Phase: phase,
+		},
+	}
+}
+
+func createTestService(name, namespace string, selector map[string]string) *corev1.Service {
+	return &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+			UID:       types.UID("svc-" + name),
+		},
+		Spec: corev1.ServiceSpec{
+			Selector: selector,
+			Type:     corev1.ServiceTypeClusterIP,
+		},
+	}
+}
+
+func TestGetApplications(t *testing.T) {
+	t.Run("Admin user - Mix of deployments, statefulsets and daemonsets with and without pods", func(t *testing.T) {
+		// Create a fake K8s client
+		fakeClient := fake.NewSimpleClientset()
+
+		// Setup the test namespace
+		namespace := "test-namespace"
+		defaultNamespace := "default"
+
+		// Create resources in the test namespace
+		// 1. Deployment with pods
+		deployWithPods := createTestDeployment("deploy-with-pods", namespace, 2)
+		_, err := fakeClient.AppsV1().Deployments(namespace).Create(context.TODO(), deployWithPods, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		replicaSet := createTestReplicaSet("rs-deploy-with-pods", namespace, "deploy-with-pods")
+		_, err = fakeClient.AppsV1().ReplicaSets(namespace).Create(context.TODO(), replicaSet, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		pod1 := createTestPod("pod1-deploy", namespace, "ReplicaSet", "rs-deploy-with-pods", true)
+		_, err = fakeClient.CoreV1().Pods(namespace).Create(context.TODO(), pod1, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		pod2 := createTestPod("pod2-deploy", namespace, "ReplicaSet", "rs-deploy-with-pods", true)
+		_, err = fakeClient.CoreV1().Pods(namespace).Create(context.TODO(), pod2, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// 2. Deployment without pods (scaled to 0)
+		deployNoPods := createTestDeployment("deploy-no-pods", namespace, 0)
+		_, err = fakeClient.AppsV1().Deployments(namespace).Create(context.TODO(), deployNoPods, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// 3. StatefulSet with pods
+		stsWithPods := createTestStatefulSet("sts-with-pods", namespace, 1)
+		_, err = fakeClient.AppsV1().StatefulSets(namespace).Create(context.TODO(), stsWithPods, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		pod3 := createTestPod("pod1-sts", namespace, "StatefulSet", "sts-with-pods", true)
+		_, err = fakeClient.CoreV1().Pods(namespace).Create(context.TODO(), pod3, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// 4. StatefulSet without pods
+		stsNoPods := createTestStatefulSet("sts-no-pods", namespace, 0)
+		_, err = fakeClient.AppsV1().StatefulSets(namespace).Create(context.TODO(), stsNoPods, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// 5. DaemonSet with pods
+		dsWithPods := createTestDaemonSet("ds-with-pods", namespace)
+		_, err = fakeClient.AppsV1().DaemonSets(namespace).Create(context.TODO(), dsWithPods, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		pod4 := createTestPod("pod1-ds", namespace, "DaemonSet", "ds-with-pods", true)
+		_, err = fakeClient.CoreV1().Pods(namespace).Create(context.TODO(), pod4, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		pod5 := createTestPod("pod2-ds", namespace, "DaemonSet", "ds-with-pods", true)
+		_, err = fakeClient.CoreV1().Pods(namespace).Create(context.TODO(), pod5, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// 6. Naked Pod (no owner reference)
+		nakedPod := createTestPod("naked-pod", namespace, "", "", true)
+		_, err = fakeClient.CoreV1().Pods(namespace).Create(context.TODO(), nakedPod, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// 7. Resources in another namespace
+		deployOtherNs := createTestDeployment("deploy-other-ns", defaultNamespace, 1)
+		_, err = fakeClient.AppsV1().Deployments(defaultNamespace).Create(context.TODO(), deployOtherNs, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		podOtherNs := createTestPod("pod-other-ns", defaultNamespace, "Deployment", "deploy-other-ns", true)
+		_, err = fakeClient.CoreV1().Pods(defaultNamespace).Create(context.TODO(), podOtherNs, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// 8. Add a service (dependency)
+		service := createTestService("svc-deploy", namespace, map[string]string{"app": "deploy-with-pods"})
+		_, err = fakeClient.CoreV1().Services(namespace).Create(context.TODO(), service, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// Create the KubeClient with admin privileges
+		kubeClient := &KubeClient{
+			cli:         fakeClient,
+			instanceID:  "test-instance",
+			IsKubeAdmin: true,
+		}
+
+		// Test cases
+
+		// 1. All resources, no filtering
+		t.Run("All resources with dependencies", func(t *testing.T) {
+			apps, err := kubeClient.GetApplications("", "")
+			assert.NoError(t, err)
+
+			// We expect 7 resources: 2 deployments + 2 statefulsets + 1 daemonset + 1 naked pod + 1 deployment in other namespace
+			// Note: Each controller with pods should count once, not per pod
+			assert.Equal(t, 7, len(apps))
+
+			// Verify one of the deployments has services attached
+			appsWithServices := []models.K8sApplication{}
+			for _, app := range apps {
+				if len(app.Services) > 0 {
+					appsWithServices = append(appsWithServices, app)
+				}
+			}
+			assert.Equal(t, 1, len(appsWithServices))
+			assert.Equal(t, "deploy-with-pods", appsWithServices[0].Name)
+		})
+
+		// 2. Filter by namespace
+		t.Run("Filter by namespace", func(t *testing.T) {
+			apps, err := kubeClient.GetApplications(namespace, "")
+			assert.NoError(t, err)
+
+			// We expect 6 resources in the test namespace
+			assert.Equal(t, 6, len(apps))
+
+			// Verify resources from other namespaces are not included
+			for _, app := range apps {
+				assert.Equal(t, namespace, app.ResourcePool)
+			}
+		})
+	})
+
+	t.Run("Non-admin user - Resources filtered by accessible namespaces", func(t *testing.T) {
+		// Create a fake K8s client
+		fakeClient := fake.NewSimpleClientset()
+
+		// Setup the test namespaces
+		namespace1 := "allowed-ns"
+		namespace2 := "restricted-ns"
+
+		// Create resources in the allowed namespace
+		sts1 := createTestStatefulSet("sts-allowed", namespace1, 1)
+		_, err := fakeClient.AppsV1().StatefulSets(namespace1).Create(context.TODO(), sts1, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		pod1 := createTestPod("pod-allowed", namespace1, "StatefulSet", "sts-allowed", true)
+		_, err = fakeClient.CoreV1().Pods(namespace1).Create(context.TODO(), pod1, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// Add a StatefulSet without pods in the allowed namespace
+		stsNoPods := createTestStatefulSet("sts-no-pods-allowed", namespace1, 0)
+		_, err = fakeClient.AppsV1().StatefulSets(namespace1).Create(context.TODO(), stsNoPods, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// Create resources in the restricted namespace
+		sts2 := createTestStatefulSet("sts-restricted", namespace2, 1)
+		_, err = fakeClient.AppsV1().StatefulSets(namespace2).Create(context.TODO(), sts2, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		pod2 := createTestPod("pod-restricted", namespace2, "StatefulSet", "sts-restricted", true)
+		_, err = fakeClient.CoreV1().Pods(namespace2).Create(context.TODO(), pod2, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// Create the KubeClient with non-admin privileges (only allowed namespace1)
+		kubeClient := &KubeClient{
+			cli:                fakeClient,
+			instanceID:         "test-instance",
+			IsKubeAdmin:        false,
+			NonAdminNamespaces: []string{namespace1},
+		}
+
+		// Test that only resources from allowed namespace are returned
+		apps, err := kubeClient.GetApplications("", "")
+		assert.NoError(t, err)
+
+		// We expect 2 resources from the allowed namespace (1 sts with pod + 1 sts without pod)
+		assert.Equal(t, 2, len(apps))
+
+		// Verify resources are from the allowed namespace
+		for _, app := range apps {
+			assert.Equal(t, namespace1, app.ResourcePool)
+			assert.Equal(t, "StatefulSet", app.Kind)
+		}
+
+		// Verify names of returned resources
+		stsNames := make(map[string]bool)
+		for _, app := range apps {
+			stsNames[app.Name] = true
+		}
+
+		assert.True(t, stsNames["sts-allowed"], "Expected StatefulSet 'sts-allowed' was not found")
+		assert.True(t, stsNames["sts-no-pods-allowed"], "Expected StatefulSet 'sts-no-pods-allowed' was not found")
+	})
+
+	t.Run("Filter by node name", func(t *testing.T) {
+		// Create a fake K8s client
+		fakeClient := fake.NewSimpleClientset()
+
+		// Setup test namespace
+		namespace := "node-filter-ns"
+		nodeName := "worker-node-1"
+
+		// Create a deployment with pods on specific node
+		deploy := createTestDeployment("node-deploy", namespace, 2)
+		_, err := fakeClient.AppsV1().Deployments(namespace).Create(context.TODO(), deploy, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// Create ReplicaSet for the deployment
+		rs := createTestReplicaSet("rs-node-deploy", namespace, "node-deploy")
+		_, err = fakeClient.AppsV1().ReplicaSets(namespace).Create(context.TODO(), rs, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// Create 2 pods, one on the specified node, one on a different node
+		pod1 := createTestPod("pod-on-node", namespace, "ReplicaSet", "rs-node-deploy", true)
+		pod1.Spec.NodeName = nodeName
+		_, err = fakeClient.CoreV1().Pods(namespace).Create(context.TODO(), pod1, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		pod2 := createTestPod("pod-other-node", namespace, "ReplicaSet", "rs-node-deploy", true)
+		pod2.Spec.NodeName = "worker-node-2"
+		_, err = fakeClient.CoreV1().Pods(namespace).Create(context.TODO(), pod2, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// Create the KubeClient
+		kubeClient := &KubeClient{
+			cli:         fakeClient,
+			instanceID:  "test-instance",
+			IsKubeAdmin: true,
+		}
+
+		// Test filtering by node name
+		apps, err := kubeClient.GetApplications(namespace, nodeName)
+		assert.NoError(t, err)
+
+		// We expect to find only the pod on the specified node
+		assert.Equal(t, 1, len(apps))
+		if len(apps) > 0 {
+			assert.Equal(t, "node-deploy", apps[0].Name)
+		}
+	})
+}

api/kubernetes/cli/configmap.go

@@ -7,6 +7,7 @@ import (
 
 	models "github.com/portainer/portainer/api/http/models/kubernetes"
 	"github.com/rs/zerolog/log"
+	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -24,7 +25,7 @@ func (kcl *KubeClient) GetConfigMaps(namespace string) ([]models.K8sConfigMap, e
 // fetchConfigMapsForNonAdmin fetches the configMaps in the namespaces the user has access to.
 // This function is called when the user is not an admin.
 func (kcl *KubeClient) fetchConfigMapsForNonAdmin(namespace string) ([]models.K8sConfigMap, error) {
-	log.Debug().Msgf("Fetching volumes for non-admin user: %v", kcl.NonAdminNamespaces)
+	log.Debug().Msgf("Fetching configMaps for non-admin user: %v", kcl.NonAdminNamespaces)
 
 	if len(kcl.NonAdminNamespaces) == 0 {
 		return nil, nil
@@ -95,35 +96,28 @@ func parseConfigMap(configMap *corev1.ConfigMap, withData bool) models.K8sConfig
 	return result
 }
 
-// CombineConfigMapsWithApplications combines the config maps with the applications that use them.
+// SetConfigMapsIsUsed combines the config maps with the applications that use them.
 // the function fetches all the pods and replica sets in the cluster and checks if the config map is used by any of the pods.
 // if the config map is used by a pod, the application that uses the pod is added to the config map.
 // otherwise, the config map is returned as is.
-func (kcl *KubeClient) CombineConfigMapsWithApplications(configMaps []models.K8sConfigMap) ([]models.K8sConfigMap, error) {
-	updatedConfigMaps := make([]models.K8sConfigMap, len(configMaps))
-
-	pods, replicaSets, _, _, _, _, _, err := kcl.fetchAllPodsAndReplicaSets("", metav1.ListOptions{})
+func (kcl *KubeClient) SetConfigMapsIsUsed(configMaps *[]models.K8sConfigMap) error {
+	portainerApplicationResources, err := kcl.fetchAllApplicationsListResources("", metav1.ListOptions{})
 	if err != nil {
-		return nil, fmt.Errorf("an error occurred during the CombineConfigMapsWithApplications operation, unable to fetch pods and replica sets. Error: %w", err)
+		return fmt.Errorf("an error occurred during the SetConfigMapsIsUsed operation, unable to fetch Portainer application resources. Error: %w", err)
 	}
 
-	for index, configMap := range configMaps {
-		updatedConfigMap := configMap
+	for i := range *configMaps {
+		configMap := &(*configMaps)[i]
 
-		applicationConfigurationOwners, err := kcl.GetApplicationConfigurationOwnersFromConfigMap(configMap, pods, replicaSets)
-		if err != nil {
-			return nil, fmt.Errorf("an error occurred during the CombineConfigMapsWithApplications operation, unable to get applications from config map. Error: %w", err)
+		for _, pod := range portainerApplicationResources.Pods {
+			if isPodUsingConfigMap(&pod, *configMap) {
+				configMap.IsUsed = true
+				break
+			}
 		}
-
-		if len(applicationConfigurationOwners) > 0 {
-			updatedConfigMap.ConfigurationOwnerResources = applicationConfigurationOwners
-			updatedConfigMap.IsUsed = true
-		}
-
-		updatedConfigMaps[index] = updatedConfigMap
 	}
 
-	return updatedConfigMaps, nil
+	return nil
 }
 
 // CombineConfigMapWithApplications combines the config map with the applications that use it.
@@ -141,20 +135,22 @@ func (kcl *KubeClient) CombineConfigMapWithApplications(configMap models.K8sConf
 		break
 	}
 
+	var replicaSets *appsv1.ReplicaSetList
 	if containsReplicaSetOwner {
-		replicaSets, err := kcl.cli.AppsV1().ReplicaSets(configMap.Namespace).List(context.Background(), metav1.ListOptions{})
+		replicaSets, err = kcl.cli.AppsV1().ReplicaSets(configMap.Namespace).List(context.Background(), metav1.ListOptions{})
 		if err != nil {
 			return models.K8sConfigMap{}, fmt.Errorf("an error occurred during the CombineConfigMapWithApplications operation, unable to get replica sets. Error: %w", err)
 		}
+	}
 
-		applicationConfigurationOwners, err := kcl.GetApplicationConfigurationOwnersFromConfigMap(configMap, pods.Items, replicaSets.Items)
-		if err != nil {
-			return models.K8sConfigMap{}, fmt.Errorf("an error occurred during the CombineConfigMapWithApplications operation, unable to get applications from config map. Error: %w", err)
-		}
+	applicationConfigurationOwners, err := kcl.GetApplicationConfigurationOwnersFromConfigMap(configMap, pods.Items, replicaSets.Items)
+	if err != nil {
+		return models.K8sConfigMap{}, fmt.Errorf("an error occurred during the CombineConfigMapWithApplications operation, unable to get applications from config map. Error: %w", err)
+	}
 
-		if len(applicationConfigurationOwners) > 0 {
-			configMap.ConfigurationOwnerResources = applicationConfigurationOwners
-		}
+	if len(applicationConfigurationOwners) > 0 {
+		configMap.ConfigurationOwnerResources = applicationConfigurationOwners
+		configMap.IsUsed = true
 	}
 
 	return configMap, nil

api/kubernetes/cli/namespace.go

@@ -265,9 +265,12 @@ func isSystemNamespace(namespace *corev1.Namespace) bool {
 		return systemLabelValue == "true"
 	}
 
-	systemNamespaces := defaultSystemNamespaces()
+	return isSystemDefaultNamespace(namespace.Name)
+}
 
-	_, isSystem := systemNamespaces[namespace.Name]
+func isSystemDefaultNamespace(namespace string) bool {
+	systemNamespaces := defaultSystemNamespaces()
+	_, isSystem := systemNamespaces[namespace]
 	return isSystem
 }
 
@@ -390,7 +393,9 @@ func (kcl *KubeClient) CombineNamespaceWithResourceQuota(namespace portainer.K8s
 func (kcl *KubeClient) buildNonAdminNamespacesMap() map[string]struct{} {
 	nonAdminNamespaceSet := make(map[string]struct{}, len(kcl.NonAdminNamespaces))
 	for _, namespace := range kcl.NonAdminNamespaces {
-		nonAdminNamespaceSet[namespace] = struct{}{}
+		if !isSystemDefaultNamespace(namespace) {
+			nonAdminNamespaceSet[namespace] = struct{}{}
+		}
 	}
 
 	return nonAdminNamespaceSet

api/kubernetes/cli/pod.go

@@ -7,11 +7,11 @@ import (
 	"time"
 
 	portainer "github.com/portainer/portainer/api"
+	models "github.com/portainer/portainer/api/http/models/kubernetes"
 
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
 	appsv1 "k8s.io/api/apps/v1"
-	autoscalingv2 "k8s.io/api/autoscaling/v2"
 	corev1 "k8s.io/api/core/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -110,7 +110,7 @@ func (kcl *KubeClient) CreateUserShellPod(ctx context.Context, serviceAccountNam
 		},
 	}
 
-	shellPod, err := kcl.cli.CoreV1().Pods(portainerNamespace).Create(ctx, podSpec, metav1.CreateOptions{})
+	shellPod, err := kcl.cli.CoreV1().Pods(portainerNamespace).Create(context.TODO(), podSpec, metav1.CreateOptions{})
 	if err != nil {
 		return nil, errors.Wrap(err, "error creating shell pod")
 	}
@@ -158,7 +158,7 @@ func (kcl *KubeClient) waitForPodStatus(ctx context.Context, phase corev1.PodPha
 		case <-ctx.Done():
 			return ctx.Err()
 		default:
-			pod, err := kcl.cli.CoreV1().Pods(pod.Namespace).Get(ctx, pod.Name, metav1.GetOptions{})
+			pod, err := kcl.cli.CoreV1().Pods(pod.Namespace).Get(context.TODO(), pod.Name, metav1.GetOptions{})
 			if err != nil {
 				return err
 			}
@@ -172,83 +172,84 @@ func (kcl *KubeClient) waitForPodStatus(ctx context.Context, phase corev1.PodPha
 	}
 }
 
-// fetchAllPodsAndReplicaSets fetches all pods and replica sets across the cluster, i.e. all namespaces
-func (kcl *KubeClient) fetchAllPodsAndReplicaSets(namespace string, podListOptions metav1.ListOptions) ([]corev1.Pod, []appsv1.ReplicaSet, []appsv1.Deployment, []appsv1.StatefulSet, []appsv1.DaemonSet, []corev1.Service, []autoscalingv2.HorizontalPodAutoscaler, error) {
-	return kcl.fetchResourcesWithOwnerReferences(namespace, podListOptions, false, false)
-}
-
 // fetchAllApplicationsListResources fetches all pods, replica sets, stateful sets, and daemon sets across the cluster, i.e. all namespaces
 // this is required for the applications list view
-func (kcl *KubeClient) fetchAllApplicationsListResources(namespace string, podListOptions metav1.ListOptions) ([]corev1.Pod, []appsv1.ReplicaSet, []appsv1.Deployment, []appsv1.StatefulSet, []appsv1.DaemonSet, []corev1.Service, []autoscalingv2.HorizontalPodAutoscaler, error) {
+func (kcl *KubeClient) fetchAllApplicationsListResources(namespace string, podListOptions metav1.ListOptions) (PortainerApplicationResources, error) {
 	return kcl.fetchResourcesWithOwnerReferences(namespace, podListOptions, true, true)
 }
 
 // fetchResourcesWithOwnerReferences fetches pods and other resources based on owner references
-func (kcl *KubeClient) fetchResourcesWithOwnerReferences(namespace string, podListOptions metav1.ListOptions, includeStatefulSets, includeDaemonSets bool) ([]corev1.Pod, []appsv1.ReplicaSet, []appsv1.Deployment, []appsv1.StatefulSet, []appsv1.DaemonSet, []corev1.Service, []autoscalingv2.HorizontalPodAutoscaler, error) {
+func (kcl *KubeClient) fetchResourcesWithOwnerReferences(namespace string, podListOptions metav1.ListOptions, includeStatefulSets, includeDaemonSets bool) (PortainerApplicationResources, error) {
 	pods, err := kcl.cli.CoreV1().Pods(namespace).List(context.Background(), podListOptions)
 	if err != nil {
 		if k8serrors.IsNotFound(err) {
-			return nil, nil, nil, nil, nil, nil, nil, nil
+			return PortainerApplicationResources{}, nil
 		}
-		return nil, nil, nil, nil, nil, nil, nil, fmt.Errorf("unable to list pods across the cluster: %w", err)
+		return PortainerApplicationResources{}, fmt.Errorf("unable to list pods across the cluster: %w", err)
 	}
 
-	// if replicaSet owner reference exists, fetch the replica sets
-	// this also means that the deployments will be fetched because deployments own replica sets
-	replicaSets := &appsv1.ReplicaSetList{}
-	deployments := &appsv1.DeploymentList{}
-	if containsReplicaSetOwnerReference(pods) {
-		replicaSets, err = kcl.cli.AppsV1().ReplicaSets(namespace).List(context.Background(), metav1.ListOptions{})
-		if err != nil && !k8serrors.IsNotFound(err) {
-			return nil, nil, nil, nil, nil, nil, nil, fmt.Errorf("unable to list replica sets across the cluster: %w", err)
-		}
-
-		deployments, err = kcl.cli.AppsV1().Deployments(namespace).List(context.Background(), metav1.ListOptions{})
-		if err != nil && !k8serrors.IsNotFound(err) {
-			return nil, nil, nil, nil, nil, nil, nil, fmt.Errorf("unable to list deployments across the cluster: %w", err)
-		}
+	portainerApplicationResources := PortainerApplicationResources{
+		Pods: pods.Items,
 	}
 
-	statefulSets := &appsv1.StatefulSetList{}
-	if includeStatefulSets && containsStatefulSetOwnerReference(pods) {
-		statefulSets, err = kcl.cli.AppsV1().StatefulSets(namespace).List(context.Background(), metav1.ListOptions{})
+	replicaSets, err := kcl.cli.AppsV1().ReplicaSets(namespace).List(context.Background(), metav1.ListOptions{})
+	if err != nil && !k8serrors.IsNotFound(err) {
+		return PortainerApplicationResources{}, fmt.Errorf("unable to list replica sets across the cluster: %w", err)
+	}
+	portainerApplicationResources.ReplicaSets = replicaSets.Items
+
+	deployments, err := kcl.cli.AppsV1().Deployments(namespace).List(context.Background(), metav1.ListOptions{})
+	if err != nil && !k8serrors.IsNotFound(err) {
+		return PortainerApplicationResources{}, fmt.Errorf("unable to list deployments across the cluster: %w", err)
+	}
+	portainerApplicationResources.Deployments = deployments.Items
+
+	if includeStatefulSets {
+		statefulSets, err := kcl.cli.AppsV1().StatefulSets(namespace).List(context.Background(), metav1.ListOptions{})
 		if err != nil && !k8serrors.IsNotFound(err) {
-			return nil, nil, nil, nil, nil, nil, nil, fmt.Errorf("unable to list stateful sets across the cluster: %w", err)
+			return PortainerApplicationResources{}, fmt.Errorf("unable to list stateful sets across the cluster: %w", err)
 		}
+		portainerApplicationResources.StatefulSets = statefulSets.Items
 	}
 
-	daemonSets := &appsv1.DaemonSetList{}
-	if includeDaemonSets && containsDaemonSetOwnerReference(pods) {
-		daemonSets, err = kcl.cli.AppsV1().DaemonSets(namespace).List(context.Background(), metav1.ListOptions{})
+	if includeDaemonSets {
+		daemonSets, err := kcl.cli.AppsV1().DaemonSets(namespace).List(context.Background(), metav1.ListOptions{})
 		if err != nil && !k8serrors.IsNotFound(err) {
-			return nil, nil, nil, nil, nil, nil, nil, fmt.Errorf("unable to list daemon sets across the cluster: %w", err)
+			return PortainerApplicationResources{}, fmt.Errorf("unable to list daemon sets across the cluster: %w", err)
 		}
+		portainerApplicationResources.DaemonSets = daemonSets.Items
 	}
 
 	services, err := kcl.cli.CoreV1().Services(namespace).List(context.Background(), metav1.ListOptions{})
 	if err != nil && !k8serrors.IsNotFound(err) {
-		return nil, nil, nil, nil, nil, nil, nil, fmt.Errorf("unable to list services across the cluster: %w", err)
+		return PortainerApplicationResources{}, fmt.Errorf("unable to list services across the cluster: %w", err)
 	}
+	portainerApplicationResources.Services = services.Items
 
 	hpas, err := kcl.cli.AutoscalingV2().HorizontalPodAutoscalers(namespace).List(context.Background(), metav1.ListOptions{})
 	if err != nil && !k8serrors.IsNotFound(err) {
-		return nil, nil, nil, nil, nil, nil, nil, fmt.Errorf("unable to list horizontal pod autoscalers across the cluster: %w", err)
+		return PortainerApplicationResources{}, fmt.Errorf("unable to list horizontal pod autoscalers across the cluster: %w", err)
 	}
+	portainerApplicationResources.HorizontalPodAutoscalers = hpas.Items
 
-	return pods.Items, replicaSets.Items, deployments.Items, statefulSets.Items, daemonSets.Items, services.Items, hpas.Items, nil
+	return portainerApplicationResources, nil
 }
 
 // isPodUsingConfigMap checks if a pod is using a specific ConfigMap
-func isPodUsingConfigMap(pod *corev1.Pod, configMapName string) bool {
+func isPodUsingConfigMap(pod *corev1.Pod, configMap models.K8sConfigMap) bool {
+	if pod.Namespace != configMap.Namespace {
+		return false
+	}
+
 	for _, volume := range pod.Spec.Volumes {
-		if volume.ConfigMap != nil && volume.ConfigMap.Name == configMapName {
+		if volume.ConfigMap != nil && volume.ConfigMap.Name == configMap.Name {
 			return true
 		}
 	}
 
 	for _, container := range pod.Spec.Containers {
 		for _, env := range container.Env {
-			if env.ValueFrom != nil && env.ValueFrom.ConfigMapKeyRef != nil && env.ValueFrom.ConfigMapKeyRef.Name == configMapName {
+			if env.ValueFrom != nil && env.ValueFrom.ConfigMapKeyRef != nil && env.ValueFrom.ConfigMapKeyRef.Name == configMap.Name {
 				return true
 			}
 		}
@@ -258,16 +259,20 @@ func isPodUsingConfigMap(pod *corev1.Pod, configMapName string) bool {
 }
 
 // isPodUsingSecret checks if a pod is using a specific Secret
-func isPodUsingSecret(pod *corev1.Pod, secretName string) bool {
+func isPodUsingSecret(pod *corev1.Pod, secret models.K8sSecret) bool {
+	if pod.Namespace != secret.Namespace {
+		return false
+	}
+
 	for _, volume := range pod.Spec.Volumes {
-		if volume.Secret != nil && volume.Secret.SecretName == secretName {
+		if volume.Secret != nil && volume.Secret.SecretName == secret.Name {
 			return true
 		}
 	}
 
 	for _, container := range pod.Spec.Containers {
 		for _, env := range container.Env {
-			if env.ValueFrom != nil && env.ValueFrom.SecretKeyRef != nil && env.ValueFrom.SecretKeyRef.Name == secretName {
+			if env.ValueFrom != nil && env.ValueFrom.SecretKeyRef != nil && env.ValueFrom.SecretKeyRef.Name == secret.Name {
 				return true
 			}
 		}

api/kubernetes/cli/role.go

@@ -10,7 +10,6 @@ import (
 	rbacv1 "k8s.io/api/rbac/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 // GetRoles gets all the roles for either at the cluster level or a given namespace in a k8s endpoint.
@@ -137,7 +136,7 @@ func (kcl *KubeClient) DeleteRoles(reqs models.K8sRoleDeleteRequests) error {
 		for _, name := range reqs[namespace] {
 			client := kcl.cli.RbacV1().Roles(namespace)
 
-			role, err := client.Get(context.Background(), name, v1.GetOptions{})
+			role, err := client.Get(context.Background(), name, metav1.GetOptions{})
 			if err != nil {
 				if k8serrors.IsNotFound(err) {
 					continue

api/kubernetes/cli/role_binding.go

@@ -7,11 +7,9 @@ import (
 	models "github.com/portainer/portainer/api/http/models/kubernetes"
 	"github.com/portainer/portainer/api/internal/errorlist"
 	"github.com/rs/zerolog/log"
-	corev1 "k8s.io/api/rbac/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 // GetRoleBindings gets all the roleBindings for either at the cluster level or a given namespace in a k8s endpoint.
@@ -98,7 +96,7 @@ func (kcl *KubeClient) isSystemRoleBinding(rb *rbacv1.RoleBinding) bool {
 	return false
 }
 
-func (kcl *KubeClient) getRole(namespace, name string) (*corev1.Role, error) {
+func (kcl *KubeClient) getRole(namespace, name string) (*rbacv1.Role, error) {
 	client := kcl.cli.RbacV1().Roles(namespace)
 	return client.Get(context.Background(), name, metav1.GetOptions{})
 }
@@ -111,7 +109,7 @@ func (kcl *KubeClient) DeleteRoleBindings(reqs models.K8sRoleBindingDeleteReques
 		for _, name := range reqs[namespace] {
 			client := kcl.cli.RbacV1().RoleBindings(namespace)
 
-			roleBinding, err := client.Get(context.Background(), name, v1.GetOptions{})
+			roleBinding, err := client.Get(context.Background(), name, metav1.GetOptions{})
 			if err != nil {
 				if k8serrors.IsNotFound(err) {
 					continue
@@ -125,7 +123,7 @@ func (kcl *KubeClient) DeleteRoleBindings(reqs models.K8sRoleBindingDeleteReques
 				log.Error().Str("role_name", name).Msg("ignoring delete of 'system' role binding, not allowed")
 			}
 
-			if err := client.Delete(context.Background(), name, v1.DeleteOptions{}); err != nil {
+			if err := client.Delete(context.Background(), name, metav1.DeleteOptions{}); err != nil {
 				errors = append(errors, err)
 			}
 		}

api/kubernetes/cli/secret.go

@@ -8,6 +8,7 @@ import (
 
 	models "github.com/portainer/portainer/api/http/models/kubernetes"
 	"github.com/rs/zerolog/log"
+	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -31,7 +32,7 @@ func (kcl *KubeClient) GetSecrets(namespace string) ([]models.K8sSecret, error)
 // getSecretsForNonAdmin fetches the secrets in the namespaces the user has access to.
 // This function is called when the user is not an admin.
 func (kcl *KubeClient) getSecretsForNonAdmin(namespace string) ([]models.K8sSecret, error) {
-	log.Debug().Msgf("Fetching volumes for non-admin user: %v", kcl.NonAdminNamespaces)
+	log.Debug().Msgf("Fetching secrets for non-admin user: %v", kcl.NonAdminNamespaces)
 
 	if len(kcl.NonAdminNamespaces) == 0 {
 		return nil, nil
@@ -111,34 +112,28 @@ func parseSecret(secret *corev1.Secret, withData bool) models.K8sSecret {
 	return result
 }
 
-// CombineSecretsWithApplications combines the secrets with the applications that use them.
+// SetSecretsIsUsed combines the secrets with the applications that use them.
 // the function fetches all the pods and replica sets in the cluster and checks if the secret is used by any of the pods.
 // if the secret is used by a pod, the application that uses the pod is added to the secret.
 // otherwise, the secret is returned as is.
-func (kcl *KubeClient) CombineSecretsWithApplications(secrets []models.K8sSecret) ([]models.K8sSecret, error) {
-	updatedSecrets := make([]models.K8sSecret, len(secrets))
-
-	pods, replicaSets, _, _, _, _, _, err := kcl.fetchAllPodsAndReplicaSets("", metav1.ListOptions{})
+func (kcl *KubeClient) SetSecretsIsUsed(secrets *[]models.K8sSecret) error {
+	portainerApplicationResources, err := kcl.fetchAllApplicationsListResources("", metav1.ListOptions{})
 	if err != nil {
-		return nil, fmt.Errorf("an error occurred during the CombineSecretsWithApplications operation, unable to fetch pods and replica sets. Error: %w", err)
+		return fmt.Errorf("an error occurred during the SetSecretsIsUsed operation, unable to fetch Portainer application resources. Error: %w", err)
 	}
 
-	for index, secret := range secrets {
-		updatedSecret := secret
+	for i := range *secrets {
+		secret := &(*secrets)[i]
 
-		applicationConfigurationOwners, err := kcl.GetApplicationConfigurationOwnersFromSecret(secret, pods, replicaSets)
-		if err != nil {
-			return nil, fmt.Errorf("an error occurred during the CombineSecretsWithApplications operation, unable to get applications from secret. Error: %w", err)
+		for _, pod := range portainerApplicationResources.Pods {
+			if isPodUsingSecret(&pod, *secret) {
+				secret.IsUsed = true
+				break
+			}
 		}
-
-		if len(applicationConfigurationOwners) > 0 {
-			updatedSecret.ConfigurationOwnerResources = applicationConfigurationOwners
-		}
-
-		updatedSecrets[index] = updatedSecret
 	}
 
-	return updatedSecrets, nil
+	return nil
 }
 
 // CombineSecretWithApplications combines the secret with the applications that use it.
@@ -156,20 +151,22 @@ func (kcl *KubeClient) CombineSecretWithApplications(secret models.K8sSecret) (m
 		break
 	}
 
+	var replicaSets *appsv1.ReplicaSetList
 	if containsReplicaSetOwner {
-		replicaSets, err := kcl.cli.AppsV1().ReplicaSets(secret.Namespace).List(context.Background(), metav1.ListOptions{})
+		replicaSets, err = kcl.cli.AppsV1().ReplicaSets(secret.Namespace).List(context.Background(), metav1.ListOptions{})
 		if err != nil {
 			return models.K8sSecret{}, fmt.Errorf("an error occurred during the CombineSecretWithApplications operation, unable to get replica sets. Error: %w", err)
 		}
+	}
 
-		applicationConfigurationOwners, err := kcl.GetApplicationConfigurationOwnersFromSecret(secret, pods.Items, replicaSets.Items)
-		if err != nil {
-			return models.K8sSecret{}, fmt.Errorf("an error occurred during the CombineSecretWithApplications operation, unable to get applications from secret. Error: %w", err)
-		}
+	applicationConfigurationOwners, err := kcl.GetApplicationConfigurationOwnersFromSecret(secret, pods.Items, replicaSets.Items)
+	if err != nil {
+		return models.K8sSecret{}, fmt.Errorf("an error occurred during the CombineSecretWithApplications operation, unable to get applications from secret. Error: %w", err)
+	}
 
-		if len(applicationConfigurationOwners) > 0 {
-			secret.ConfigurationOwnerResources = applicationConfigurationOwners
-		}
+	if len(applicationConfigurationOwners) > 0 {
+		secret.ConfigurationOwnerResources = applicationConfigurationOwners
+		secret.IsUsed = true
 	}
 
 	return secret, nil

api/kubernetes/cli/service.go

@@ -81,8 +81,8 @@ func parseService(service corev1.Service) models.K8sServiceInfo {
 	ingressStatus := make([]models.K8sServiceIngress, 0)
 	for _, status := range service.Status.LoadBalancer.Ingress {
 		ingressStatus = append(ingressStatus, models.K8sServiceIngress{
-			IP:   status.IP,
-			Host: status.Hostname,
+			IP:       status.IP,
+			Hostname: status.Hostname,
 		})
 	}
 
@@ -130,7 +130,7 @@ func (kcl *KubeClient) convertToK8sService(info models.K8sServiceInfo) corev1.Se
 	for _, i := range info.IngressStatus {
 		service.Status.LoadBalancer.Ingress = append(
 			service.Status.LoadBalancer.Ingress,
-			corev1.LoadBalancerIngress{IP: i.IP, Hostname: i.Host},
+			corev1.LoadBalancerIngress{IP: i.IP, Hostname: i.Hostname},
 		)
 	}
 
@@ -174,7 +174,7 @@ func (kcl *KubeClient) UpdateService(namespace string, info models.K8sServiceInf
 func (kcl *KubeClient) CombineServicesWithApplications(services []models.K8sServiceInfo) ([]models.K8sServiceInfo, error) {
 	if containsServiceWithSelector(services) {
 		updatedServices := make([]models.K8sServiceInfo, len(services))
-		pods, replicaSets, _, _, _, _, _, err := kcl.fetchAllPodsAndReplicaSets("", metav1.ListOptions{})
+		portainerApplicationResources, err := kcl.fetchAllApplicationsListResources("", metav1.ListOptions{})
 		if err != nil {
 			return nil, fmt.Errorf("an error occurred during the CombineServicesWithApplications operation, unable to fetch pods and replica sets. Error: %w", err)
 		}
@@ -182,7 +182,7 @@ func (kcl *KubeClient) CombineServicesWithApplications(services []models.K8sServ
 		for index, service := range services {
 			updatedService := service
 
-			application, err := kcl.GetApplicationFromServiceSelector(pods, service, replicaSets)
+			application, err := kcl.GetApplicationFromServiceSelector(portainerApplicationResources.Pods, service, portainerApplicationResources.ReplicaSets)
 			if err != nil {
 				return services, fmt.Errorf("an error occurred during the CombineServicesWithApplications operation, unable to get application from service. Error: %w", err)
 			}

api/kubernetes/cli/service_account.go

@@ -5,7 +5,6 @@ import (
 	"fmt"
 
 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/models/kubernetes"
 	models "github.com/portainer/portainer/api/http/models/kubernetes"
 	"github.com/portainer/portainer/api/internal/errorlist"
 	corev1 "k8s.io/api/core/v1"
@@ -92,7 +91,7 @@ func (kcl *KubeClient) isSystemServiceAccount(namespace string) bool {
 
 // DeleteServices processes a K8sServiceDeleteRequest by deleting each service
 // in its given namespace.
-func (kcl *KubeClient) DeleteServiceAccounts(reqs kubernetes.K8sServiceAccountDeleteRequests) error {
+func (kcl *KubeClient) DeleteServiceAccounts(reqs models.K8sServiceAccountDeleteRequests) error {
 	var errors []error
 	for namespace := range reqs {
 		for _, serviceName := range reqs[namespace] {

api/kubernetes/cli/volumes.go

@@ -7,7 +7,6 @@ import (
 	models "github.com/portainer/portainer/api/http/models/kubernetes"
 	"github.com/rs/zerolog/log"
 	appsv1 "k8s.io/api/apps/v1"
-	autoscalingv2 "k8s.io/api/autoscaling/v2"
 	corev1 "k8s.io/api/core/v1"
 	storagev1 "k8s.io/api/storage/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
@@ -265,7 +264,12 @@ func (kcl *KubeClient) updateVolumesWithOwningApplications(volumes *[]models.K8s
 			if pod.Spec.Volumes != nil {
 				for _, podVolume := range pod.Spec.Volumes {
 					if podVolume.VolumeSource.PersistentVolumeClaim != nil && podVolume.VolumeSource.PersistentVolumeClaim.ClaimName == volume.PersistentVolumeClaim.Name && pod.Namespace == volume.PersistentVolumeClaim.Namespace {
-						application, err := kcl.ConvertPodToApplication(pod, replicaSetItems, deploymentItems, statefulSetItems, daemonSetItems, []corev1.Service{}, []autoscalingv2.HorizontalPodAutoscaler{}, false)
+						application, err := kcl.ConvertPodToApplication(pod, PortainerApplicationResources{
+							ReplicaSets:  replicaSetItems,
+							Deployments:  deploymentItems,
+							StatefulSets: statefulSetItems,
+							DaemonSets:   daemonSetItems,
+						}, false)
 						if err != nil {
 							log.Error().Err(err).Msg("Failed to convert pod to application")
 							return nil, fmt.Errorf("an error occurred during the CombineServicesWithApplications operation, unable to convert pod to application. Error: %w", err)

api/kubernetes/kubeclusteraccess_service.go

@@ -109,6 +109,7 @@ func (service *kubeClusterAccessService) GetClusterDetails(hostURL string, endpo
 		Str("host_URL", hostURL).
 		Str("HTTPS_bind_address", service.httpsBindAddr).
 		Str("base_URL", baseURL).
+		Bool("is_internal", isInternal).
 		Msg("kubeconfig")
 
 	clusterServerURL, err := url.JoinPath("https://", hostURL, baseURL, "/api/endpoints/", strconv.Itoa(int(endpointID)), "/kubernetes")

api/portainer.go

@@ -134,6 +134,7 @@ type (
 		LogLevel                  *string
 		LogMode                   *string
 		KubectlShellImage         *string
+		PullLimitCheckDisabled    *bool
 	}
 
 	// CustomTemplateVariableDefinition
@@ -309,7 +310,7 @@ type (
 		// FileVersion is the version of the stack file, used to detect changes
 		FileVersion int `json:"FileVersion"`
 		// ConfigHash is the commit hash of the git repository used for deploying the stack
-		ConfigHash string `json:"ConfigHash"`
+		ConfigHash string `json:"ConfigHash,omitempty"`
 	}
 
 	// EdgeStack represents an edge stack
@@ -353,24 +354,24 @@ type (
 		// EE only feature
 		DeploymentInfo StackDeploymentInfo
 		// ReadyRePullImage is a flag to indicate whether the auto update is trigger to re-pull image
-		ReadyRePullImage bool
+		ReadyRePullImage bool `json:"ReadyRePullImage,omitempty"`
 
 		// Deprecated
-		Details EdgeStackStatusDetails
+		Details *EdgeStackStatusDetails `json:"Details,omitempty"`
 		// Deprecated
-		Error string
+		Error string `json:"Error,omitempty"`
 		// Deprecated
-		Type EdgeStackStatusType `json:"Type"`
+		Type EdgeStackStatusType `json:"Type,omitempty"`
 	}
 
 	// EdgeStackDeploymentStatus represents an edge stack deployment status
 	EdgeStackDeploymentStatus struct {
 		Time  int64
 		Type  EdgeStackStatusType
-		Error string
+		Error string `json:"Error,omitempty"`
 		// EE only feature
-		RollbackTo *int
-		Version    int `json:"Version,omitempty"`
+		RollbackTo *int `json:"RollbackTo,omitempty"`
+		Version    int  `json:"Version,omitempty"`
 	}
 
 	// EdgeStackStatusType represents an edge stack status type
@@ -588,7 +589,7 @@ type (
 		// User identifier
 		UserID UserID `json:"UserId" example:"1"`
 		// Helm repository URL
-		URL string `json:"URL" example:"https://kubernetes.github.io/ingress-nginx"`
+		URL string `json:"URL" example:"https://charts.bitnami.com/bitnami"`
 	}
 
 	// QuayRegistryData represents data required for Quay registry to work
@@ -984,8 +985,8 @@ type (
 		KubeconfigExpiry string `json:"KubeconfigExpiry" example:"24h"`
 		// Whether telemetry is enabled
 		EnableTelemetry bool `json:"EnableTelemetry" example:"false"`
-		// Helm repository URL, defaults to ""
-		HelmRepositoryURL string `json:"HelmRepositoryURL"`
+		// Helm repository URL, defaults to "https://charts.bitnami.com/bitnami"
+		HelmRepositoryURL string `json:"HelmRepositoryURL" example:"https://charts.bitnami.com/bitnami"`
 		// KubectlImage, defaults to portainer/kubectl-shell
 		KubectlShellImage string `json:"KubectlShellImage" example:"portainer/kubectl-shell"`
 		// TrustOnFirstConnect makes Portainer accepting edge agent connection by default
@@ -1544,7 +1545,7 @@ type (
 		GetConfigMaps(namespace string) ([]models.K8sConfigMap, error)
 		GetSecrets(namespace string) ([]models.K8sSecret, error)
 		GetIngressControllers() (models.K8sIngressControllers, error)
-		GetApplications(namespace, nodename string, withDependencies bool) ([]models.K8sApplication, error)
+		GetApplications(namespace, nodename string) ([]models.K8sApplication, error)
 		GetMetrics() (models.K8sMetrics, error)
 		GetStorage() ([]KubernetesStorageClassConfig, error)
 		CreateIngress(namespace string, info models.K8sIngressInfo, owner string) error
@@ -1622,7 +1623,7 @@ type (
 		Start()
 		SetSnapshotInterval(snapshotInterval string) error
 		SnapshotEndpoint(endpoint *Endpoint) error
-		FillSnapshotData(endpoint *Endpoint) error
+		FillSnapshotData(endpoint *Endpoint, includeRaw bool) error
 	}
 
 	// SwarmStackManager represents a service to manage Swarm stacks
@@ -1637,9 +1638,9 @@ type (
 
 const (
 	// APIVersion is the version number of the Portainer API
-	APIVersion = "2.27.1"
+	APIVersion = "2.29.2"
 	// Support annotation for the API version ("STS" for Short-Term Support or "LTS" for Long-Term Support)
-	APIVersionSupport = "LTS"
+	APIVersionSupport = "STS"
 	// Edition is what this edition of Portainer is called
 	Edition = PortainerCE
 	// ComposeSyntaxMaxVersion is a maximum supported version of the docker compose syntax
@@ -1673,8 +1674,8 @@ const (
 	DefaultEdgeAgentCheckinIntervalInSeconds = 5
 	// DefaultTemplatesURL represents the URL to the official templates supported by Portainer
 	DefaultTemplatesURL = "https://raw.githubusercontent.com/portainer/templates/v3/templates.json"
-	// DefaultHelmrepositoryURL set to empty string until oci support is added
-	DefaultHelmRepositoryURL = ""
+	// DefaultHelmrepositoryURL represents the URL to the official templates supported by Bitnami
+	DefaultHelmRepositoryURL = "https://charts.bitnami.com/bitnami"
 	// DefaultUserSessionTimeout represents the default timeout after which the user session is cleared
 	DefaultUserSessionTimeout = "8h"
 	// DefaultUserSessionTimeout represents the default timeout after which the user session is cleared
@@ -1689,6 +1690,8 @@ const (
 	PortainerCacheHeader = "X-Portainer-Cache"
 	// KubectlShellImageEnvVar is the environment variable used to override the default kubectl shell image
 	KubectlShellImageEnvVar = "KUBECTL_SHELL_IMAGE"
+	// PullLimitCheckDisabledEnvVar is the environment variable used to disable the pull limit check
+	PullLimitCheckDisabledEnvVar = "PULL_LIMIT_CHECK_DISABLED"
 )
 
 // List of supported features

app/docker/views/docker-features-configuration/docker-features-configuration.html

@@ -67,7 +67,7 @@
               <por-switch-field
                 checked="$ctrl.formValues.disableBindMountsForRegularUsers"
                 name="'disableBindMountsForRegularUsers'"
-                label="'Disable bind mounts for non-administrators'"
+                label="'Hide bind mounts for non-administrators'"
                 tooltip="'When enabled, regular users will not be able to use bind mounts when creating containers.'"
                 label-class="'col-sm-7 col-lg-4'"
                 on-change="($ctrl.onChangeDisableBindMountsForRegularUsers)"
@@ -79,7 +79,7 @@
               <por-switch-field
                 checked="$ctrl.formValues.disablePrivilegedModeForRegularUsers"
                 name="'disablePrivilegedModeForRegularUsers'"
-                label="'Disable privileged mode for non-administrators'"
+                label="'Hide privileged mode for non-administrators'"
                 tooltip="'When enabled, regular users will not be able to use privileged mode when creating containers.'"
                 label-class="'col-sm-7 col-lg-4'"
                 on-change="($ctrl.onChangeDisablePrivilegedModeForRegularUsers)"
@@ -91,7 +91,7 @@
               <por-switch-field
                 checked="$ctrl.formValues.disableHostNamespaceForRegularUsers"
                 name="'disableHostNamespaceForRegularUsers'"
-                label="'Disable the use of host PID 1 for non-administrators'"
+                label="'Hide the use of host PID 1 for non-administrators'"
                 tooltip="'Prevent users from accessing the host filesystem through the host PID namespace.'"
                 label-class="'col-sm-7 col-lg-4'"
                 on-change="($ctrl.onChangeDisableHostNamespaceForRegularUsers)"
@@ -103,7 +103,7 @@
               <por-switch-field
                 checked="$ctrl.formValues.disableStackManagementForRegularUsers"
                 name="'disableStackManagementForRegularUsers'"
-                label="'Disable the use of Stacks for non-administrators'"
+                label="'Hide the use of Stacks for non-administrators'"
                 label-class="'col-sm-7 col-lg-4'"
                 on-change="($ctrl.onChangeDisableStackManagementForRegularUsers)"
               ></por-switch-field>
@@ -114,7 +114,7 @@
               <por-switch-field
                 checked="$ctrl.formValues.disableDeviceMappingForRegularUsers"
                 name="'disableDeviceMappingForRegularUsers'"
-                label="'Disable device mappings for non-administrators'"
+                label="'Hide device mappings for non-administrators'"
                 label-class="'col-sm-7 col-lg-4'"
                 on-change="($ctrl.onChangeDisableDeviceMappingForRegularUsers)"
               ></por-switch-field>
@@ -125,7 +125,7 @@
               <por-switch-field
                 checked="$ctrl.formValues.disableContainerCapabilitiesForRegularUsers"
                 name="'disableContainerCapabilitiesForRegularUsers'"
-                label="'Disable container capabilities for non-administrators'"
+                label="'Hide container capabilities for non-administrators'"
                 label-class="'col-sm-7 col-lg-4'"
                 on-change="($ctrl.onChangeDisableContainerCapabilitiesForRegularUsers)"
               ></por-switch-field>
@@ -136,7 +136,7 @@
               <por-switch-field
                 checked="$ctrl.formValues.disableSysctlSettingForRegularUsers"
                 name="'disableSysctlSettingForRegularUsers'"
-                label="'Disable sysctl settings for non-administrators'"
+                label="'Hide sysctl settings for non-administrators'"
                 label-class="'col-sm-7 col-lg-4'"
                 on-change="($ctrl.onChangeDisableSysctlSettingForRegularUsers)"
               ></por-switch-field>
@@ -146,7 +146,7 @@
           <div class="form-group" ng-if="$ctrl.isContainerEditDisabled()">
             <span class="col-sm-12 text-muted small">
               <pr-icon icon="'info'" mode="'primary'" class-name="'mr-0.5'"></pr-icon>
-              Note: The recreate/duplicate/edit feature is currently disabled (for non-admin users) by one or more security settings.
+              Note: The recreate/duplicate/edit feature is currently hidden (for non-admin users) by one or more security settings.
             </span>
           </div>
           <!-- !security -->

app/edge/react/components/index.ts

@@ -8,6 +8,7 @@ import { EdgeAsyncIntervalsForm } from '@/react/edge/components/EdgeAsyncInterva
 import { EdgeCheckinIntervalField } from '@/react/edge/components/EdgeCheckInIntervalField';
 import { EdgeScriptForm } from '@/react/edge/components/EdgeScriptForm';
 import { EdgeGroupsSelector } from '@/react/edge/edge-stacks/components/EdgeGroupsSelector';
+import { AssociatedEdgeGroupEnvironmentsSelector } from '@/react/edge/components/AssociatedEdgeGroupEnvironmentsSelector';
 
 const ngModule = angular
   .module('portainer.edge.react.components', [])
@@ -61,6 +62,15 @@ const ngModule = angular
       'value',
       'error',
     ])
+  )
+  .component(
+    'associatedEdgeGroupEnvironmentsSelector',
+    r2a(withReactQuery(AssociatedEdgeGroupEnvironmentsSelector), [
+      'onChange',
+      'value',
+      'error',
+      'edgeGroupId',
+    ])
   );
 
 export const componentsModule = ngModule.name;

app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list-item/helm-templates-list-item.css

@@ -1,9 +0,0 @@
-.helm-template-item-details {
-  display: flex;
-  justify-content: space-between;
-  flex-wrap: wrap;
-}
-
-.helm-template-item-details .helm-template-item-details-sub {
-  width: 100%;
-}

app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list-item/helm-templates-list-item.html

@@ -1,40 +0,0 @@
-<!-- helm chart -->
-<div ng-class="{ 'blocklist-item--selected': $ctrl.model.Selected }" class="blocklist-item template-item mx-0" ng-click="$ctrl.onSelect($ctrl.model)" role="listitem">
-  <div class="blocklist-item-box">
-    <!-- helmchart-image -->
-    <span class="shrink-0">
-      <fallback-image src="$ctrl.model.icon" fallback-icon="$ctrl.fallbackIcon" class-name="'blocklist-item-logo h-16 w-auto'" size="'3xl'"></fallback-image>
-    </span>
-    <!-- helmchart-details -->
-    <div class="col-sm-12 helm-template-item-details">
-      <!-- blocklist-item-line1 -->
-      <div class="blocklist-item-line">
-        <span>
-          <span class="blocklist-item-title">
-            {{ $ctrl.model.name }}
-          </span>
-          <span class="space-left blocklist-item-subtitle">
-            <span class="vertical-center">
-              <pr-icon icon="'svg-helm'" mode="'primary'"></pr-icon>
-            </span>
-            <span> Helm </span>
-          </span>
-        </span>
-      </div>
-      <!-- !blocklist-item-line1 -->
-      <span class="blocklist-item-actions" ng-transclude="actions"></span>
-      <!-- blocklist-item-line2 -->
-      <div class="blocklist-item-line helm-template-item-details-sub">
-        <span class="blocklist-item-desc">
-          {{ $ctrl.model.description }}
-        </span>
-        <span class="small text-muted" ng-if="$ctrl.model.annotations.category">
-          {{ $ctrl.model.annotations.category }}
-        </span>
-      </div>
-      <!-- !blocklist-item-line2 -->
-    </div>
-    <!-- !helmchart-details -->
-  </div>
-  <!-- !helm chart -->
-</div>

app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list-item/helm-templates-list-item.js

@@ -1,17 +0,0 @@
-import angular from 'angular';
-import './helm-templates-list-item.css';
-import { HelmIcon } from '../../HelmIcon';
-
-angular.module('portainer.kubernetes').component('helmTemplatesListItem', {
-  templateUrl: './helm-templates-list-item.html',
-  bindings: {
-    model: '<',
-    onSelect: '<',
-  },
-  transclude: {
-    actions: '?templateItemActions',
-  },
-  controller() {
-    this.fallbackIcon = HelmIcon;
-  },
-});

app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list.controller.js

@@ -1,43 +0,0 @@
-export default class HelmTemplatesListController {
-  /* @ngInject */
-  constructor($async, $scope, HelmService, Notifications) {
-    this.$async = $async;
-    this.$scope = $scope;
-    this.HelmService = HelmService;
-    this.Notifications = Notifications;
-
-    this.state = {
-      textFilter: '',
-      selectedCategory: '',
-      categories: [],
-    };
-
-    this.updateCategories = this.updateCategories.bind(this);
-    this.onCategoryChange = this.onCategoryChange.bind(this);
-  }
-
-  async updateCategories() {
-    try {
-      const annotationCategories = this.charts
-        .map((t) => t.annotations) // get annotations
-        .filter((a) => a) // filter out undefined/nulls
-        .map((c) => c.category); // get annotation category
-      const availableCategories = [...new Set(annotationCategories)].sort(); // unique and sort
-      this.state.categories = availableCategories.map((cat) => ({ label: cat, value: cat }));
-    } catch (err) {
-      this.Notifications.error('Failure', err, 'Unable to retrieve helm charts categories');
-    }
-  }
-
-  onCategoryChange(value) {
-    return this.$scope.$evalAsync(() => {
-      this.state.selectedCategory = value || '';
-    });
-  }
-
-  $onChanges() {
-    if (this.charts.length > 0) {
-      this.updateCategories();
-    }
-  }
-}

app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list.html

@@ -1,79 +0,0 @@
-<section class="datatable" aria-label="Helm charts">
-  <div class="toolBar vertical-center relative w-full flex-wrap !gap-x-5 !gap-y-1 !px-0">
-    <div class="toolBarTitle vertical-center"> {{ $ctrl.titleText }} </div>
-
-    <div class="searchBar vertical-center !mr-0">
-      <pr-icon icon="'search'" class="searchIcon"></pr-icon>
-      <input
-        type="text"
-        data-cy="helm-templates-search"
-        class="searchInput"
-        ng-model="$ctrl.state.textFilter"
-        placeholder="Search..."
-        auto-focus
-        ng-model-options="{ debounce: 300 }"
-        aria-label="Search input"
-      />
-    </div>
-    <div class="w-1/5">
-      <por-select
-        placeholder="'Select a category'"
-        value="$ctrl.state.selectedCategory"
-        options="$ctrl.state.categories"
-        on-change="($ctrl.onCategoryChange)"
-        is-clearable="true"
-        bind-to-body="true"
-      ></por-select>
-    </div>
-  </div>
-  <div class="w-full">
-    <div class="small text-muted mb-2"
-      >Select the Helm chart to use. Bring further Helm charts into your selection list via
-      <a ui-sref="portainer.account({'#': 'helm-repositories'})">User settings - Helm repositories</a>.</div
-    >
-    <div class="relative flex w-fit gap-1 rounded-lg bg-gray-modern-3 p-4 text-sm th-highcontrast:bg-legacy-grey-3 th-dark:bg-legacy-grey-3 mt-2">
-      <div class="mt-0.5 shrink-0">
-        <svg
-          xmlns="http://www.w3.org/2000/svg"
-          width="24"
-          height="24"
-          viewBox="0 0 24 24"
-          fill="none"
-          stroke="currentColor"
-          stroke-width="2"
-          stroke-linecap="round"
-          stroke-linejoin="round"
-          class="lucide lucide-lightbulb h-4 text-warning-7 th-highcontrast:text-warning-6 th-dark:text-warning-6"
-        >
-          <path d="M15 14c.2-1 .7-1.7 1.5-2.5 1-.9 1.5-2.2 1.5-3.5A6 6 0 0 0 6 8c0 1 .2 2.2 1.5 3.5.7.7 1.3 1.5 1.5 2.5"></path>
-          <path d="M9 18h6"></path>
-          <path d="M10 22h4"></path>
-        </svg>
-      </div>
-      <div>
-        <p class="align-middle text-[0.9em] font-medium pr-10 mb-2">Disclaimer</p>
-        <div class="small">
-          At present Portainer does not support OCI format Helm charts. Support for OCI charts will be available in a future release.<br />
-          If you would like to provide feedback on OCI support or get access to early releases to test this functionality,
-          <a href="https://bit.ly/3WVkayl" target="_blank" rel="noopener noreferrer">please get in touch</a>.
-        </div>
-      </div>
-    </div>
-  </div>
-
-  <div class="blocklist !px-0" role="list">
-    <helm-templates-list-item
-      ng-repeat="chart in allCharts = ($ctrl.charts | filter:$ctrl.state.textFilter | filter: $ctrl.state.selectedCategory)"
-      model="chart"
-      type-label="helm"
-      on-select="($ctrl.selectAction)"
-    >
-    </helm-templates-list-item>
-    <div ng-if="!$ctrl.loading && !allCharts.length && $ctrl.charts.length !== 0" class="text-muted small mt-4"> No Helm charts found </div>
-    <div ng-if="$ctrl.loading" class="text-muted text-center">
-      Loading...
-      <div class="text-muted text-center"> Initial download of Helm charts can take a few minutes </div>
-    </div>
-    <div ng-if="!$ctrl.loading && $ctrl.charts.length === 0" class="text-muted text-center"> No helm charts available. </div>
-  </div>
-</section>

app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list.js

@@ -1,14 +0,0 @@
-import angular from 'angular';
-import controller from './helm-templates-list.controller';
-
-angular.module('portainer.kubernetes').component('helmTemplatesList', {
-  templateUrl: './helm-templates-list.html',
-  controller,
-  bindings: {
-    loading: '<',
-    titleText: '@',
-    charts: '<',
-    tableKey: '@',
-    selectAction: '<',
-  },
-});

app/kubernetes/components/helm/helm-templates/helm-templates.controller.js

@@ -1,207 +0,0 @@
-import _ from 'lodash-es';
-import KubernetesNamespaceHelper from 'Kubernetes/helpers/namespaceHelper';
-import { confirmWebEditorDiscard } from '@@/modals/confirm';
-import { HelmIcon } from './HelmIcon';
-export default class HelmTemplatesController {
-  /* @ngInject */
-  constructor($analytics, $async, $state, $window, $anchorScroll, Authentication, HelmService, KubernetesResourcePoolService, Notifications) {
-    this.$analytics = $analytics;
-    this.$async = $async;
-    this.$window = $window;
-    this.$state = $state;
-    this.$anchorScroll = $anchorScroll;
-    this.Authentication = Authentication;
-    this.HelmService = HelmService;
-    this.KubernetesResourcePoolService = KubernetesResourcePoolService;
-    this.Notifications = Notifications;
-
-    this.fallbackIcon = HelmIcon;
-
-    this.editorUpdate = this.editorUpdate.bind(this);
-    this.uiCanExit = this.uiCanExit.bind(this);
-    this.installHelmchart = this.installHelmchart.bind(this);
-    this.getHelmValues = this.getHelmValues.bind(this);
-    this.selectHelmChart = this.selectHelmChart.bind(this);
-    this.getHelmRepoURLs = this.getHelmRepoURLs.bind(this);
-    this.getLatestCharts = this.getLatestCharts.bind(this);
-    this.getResourcePools = this.getResourcePools.bind(this);
-    this.clearHelmChart = this.clearHelmChart.bind(this);
-
-    $window.onbeforeunload = () => {
-      if (this.state.isEditorDirty) {
-        return '';
-      }
-    };
-  }
-
-  clearHelmChart() {
-    this.state.chart = null;
-    this.onSelectHelmChart('');
-  }
-
-  editorUpdate(contentvalues) {
-    if (this.state.originalvalues === contentvalues) {
-      this.state.isEditorDirty = false;
-    } else {
-      this.state.values = contentvalues;
-      this.state.isEditorDirty = true;
-    }
-  }
-
-  async uiCanExit() {
-    if (this.state.isEditorDirty) {
-      return confirmWebEditorDiscard();
-    }
-  }
-
-  async installHelmchart() {
-    this.state.actionInProgress = true;
-    try {
-      const payload = {
-        Name: this.name,
-        Repo: this.state.chart.repo,
-        Chart: this.state.chart.name,
-        Values: this.state.values,
-        Namespace: this.namespace,
-      };
-      await this.HelmService.install(this.endpoint.Id, payload);
-      this.Notifications.success('Success', 'Helm chart successfully installed');
-      this.$analytics.eventTrack('kubernetes-helm-install', { category: 'kubernetes', metadata: { 'chart-name': this.state.chart.name } });
-      this.state.isEditorDirty = false;
-      this.$state.go('kubernetes.applications');
-    } catch (err) {
-      this.Notifications.error('Installation error', err);
-    } finally {
-      this.state.actionInProgress = false;
-    }
-  }
-
-  async getHelmValues() {
-    this.state.loadingValues = true;
-    try {
-      const { values } = await this.HelmService.values(this.state.chart.repo, this.state.chart.name);
-      this.state.values = values;
-      this.state.originalvalues = values;
-    } catch (err) {
-      this.Notifications.error('Failure', err, 'Unable to retrieve helm chart values.');
-    } finally {
-      this.state.loadingValues = false;
-    }
-  }
-
-  async selectHelmChart(chart) {
-    window.scrollTo(0, 0);
-    this.state.showCustomValues = false;
-    this.state.chart = chart;
-    this.onSelectHelmChart(chart.name);
-    await this.getHelmValues();
-  }
-
-  /**
-   * @description This function is used to get the helm repo urls for the endpoint and user
-   * @returns {Promise<string[]>} list of helm repo urls
-   */
-  async getHelmRepoURLs() {
-    this.state.reposLoading = true;
-    try {
-      // fetch globally set helm repo and user helm repos (parallel)
-      const { GlobalRepository, UserRepositories } = await this.HelmService.getHelmRepositories(this.user.ID);
-      this.state.globalRepository = GlobalRepository;
-      const userHelmReposUrls = UserRepositories.map((repo) => repo.URL);
-      const uniqueHelmRepos = [...new Set([GlobalRepository, ...userHelmReposUrls])].map((url) => url.toLowerCase()).filter((url) => url); // remove duplicates and blank, to lowercase
-      this.state.repos = uniqueHelmRepos;
-      return uniqueHelmRepos;
-    } catch (err) {
-      this.Notifications.error('Failure', err, 'Unable to retrieve helm repo urls.');
-    } finally {
-      this.state.reposLoading = false;
-    }
-  }
-
-  /**
-   * @description This function is used to fetch the respective index.yaml files for the provided helm repo urls
-   * @param {string[]} helmRepos list of helm repositories
-   * @param {bool} append append charts returned from repo to existing list of helm charts
-   */
-  async getLatestCharts(helmRepos) {
-    this.state.chartsLoading = true;
-    try {
-      const promiseList = helmRepos.map((repo) => this.HelmService.search(repo));
-      // fetch helm charts from all the provided helm repositories (parallel)
-      // Promise.allSettled is used to account for promise failure(s) - in cases the  user has provided invalid helm repo
-      const chartPromises = await Promise.allSettled(promiseList);
-      const latestCharts = chartPromises
-        .filter((tp) => tp.status === 'fulfilled') // remove failed promises
-        .map((tp) => ({ entries: tp.value.entries, repo: helmRepos[chartPromises.indexOf(tp)] })) // extract chart entries with respective repo data
-        .flatMap(
-          ({ entries, repo }) => Object.values(entries).map((charts) => ({ ...charts[0], repo })) // flatten chart entries to single array with respective repo
-        );
-
-      this.state.charts = latestCharts;
-    } catch (err) {
-      this.Notifications.error('Failure', err, 'Unable to retrieve helm repo charts.');
-    } finally {
-      this.state.chartsLoading = false;
-    }
-  }
-
-  async getResourcePools() {
-    this.state.resourcePoolsLoading = true;
-    try {
-      const resourcePools = await this.KubernetesResourcePoolService.get();
-
-      const nonSystemNamespaces = resourcePools.filter(
-        (resourcePool) => !KubernetesNamespaceHelper.isSystemNamespace(resourcePool.Namespace.Name) && resourcePool.Namespace.Status === 'Active'
-      );
-      this.state.resourcePools = _.sortBy(nonSystemNamespaces, ({ Namespace }) => (Namespace.Name === 'default' ? 0 : 1));
-      this.state.resourcePool = this.state.resourcePools[0];
-    } catch (err) {
-      this.Notifications.error('Failure', err, 'Unable to retrieve initial helm data.');
-    } finally {
-      this.state.resourcePoolsLoading = false;
-    }
-  }
-
-  $onInit() {
-    return this.$async(async () => {
-      this.user = this.Authentication.getUserDetails();
-
-      this.state = {
-        appName: '',
-        chart: null,
-        showCustomValues: false,
-        actionInProgress: false,
-        resourcePools: [],
-        resourcePool: '',
-        values: null,
-        originalvalues: null,
-        repos: [],
-        charts: [],
-        loadingValues: false,
-        isEditorDirty: false,
-        chartsLoading: false,
-        resourcePoolsLoading: false,
-        viewReady: false,
-        isAdmin: this.Authentication.isAdmin(),
-        globalRepository: undefined,
-      };
-
-      const helmRepos = await this.getHelmRepoURLs();
-      if (helmRepos) {
-        await Promise.all([this.getLatestCharts(helmRepos), this.getResourcePools()]);
-      }
-      if (this.state.charts.length > 0 && this.$state.params.chartName) {
-        const chart = this.state.charts.find((chart) => chart.name === this.$state.params.chartName);
-        if (chart) {
-          this.selectHelmChart(chart);
-        }
-      }
-
-      this.state.viewReady = true;
-    });
-  }
-
-  $onDestroy() {
-    this.state.isEditorDirty = false;
-  }
-}

app/kubernetes/components/helm/helm-templates/helm-templates.html

@@ -1,113 +0,0 @@
-<div class="row">
-  <!-- helmchart-form -->
-  <div class="col-sm-12 p-0" ng-if="$ctrl.state.chart">
-    <rd-widget>
-      <div class="flex">
-        <div class="basis-3/4 rounded-[8px] m-2 bg-gray-4 th-highcontrast:bg-black th-highcontrast:text-white th-dark:bg-gray-iron-10 th-dark:text-white">
-          <div class="vertical-center p-5">
-            <fallback-image src="$ctrl.state.chart.icon" fallback-icon="$ctrl.fallbackIcon" class-name="'h-16 w-16'" size="'lg'"></fallback-image>
-            <div class="font-medium ml-4">
-              <div class="toolBarTitle text-[24px] mb-2">
-                {{ $ctrl.state.chart.name }}
-                <span class="space-left text-[14px] vertical-center font-normal">
-                  <pr-icon icon="'svg-helm'" mode="'primary'"></pr-icon>
-                  Helm
-                </span>
-              </div>
-              <div class="text-muted text-xs" ng-bind-html="$ctrl.state.chart.description"></div>
-            </div>
-          </div>
-        </div>
-        <div class="basis-1/4">
-          <div class="h-full w-full vertical-center justify-end pr-5">
-            <button type="button" class="btn btn-sm btn-link !text-gray-8 hover:no-underline th-highcontrast:!text-white th-dark:!text-white" ng-click="$ctrl.clearHelmChart()">
-              Clear selection
-              <pr-icon icon="'x'" class="ml-1"></pr-icon>
-            </button>
-          </div>
-        </div>
-      </div>
-    </rd-widget>
-
-    <form class="form-horizontal" name="$ctrl.helmTemplateCreationForm">
-      <div class="form-group mt-4">
-        <div class="col-sm-12">
-          <button
-            ng-if="!$ctrl.state.showCustomValues && !$ctrl.state.loadingValues"
-            class="btn btn-xs btn-default vertical-center !ml-0 mr-2"
-            ng-click="$ctrl.state.showCustomValues = true;"
-          >
-            <pr-icon icon="'plus'" class="vertical-center"></pr-icon>
-            Show custom values
-          </button>
-          <span class="small interactive vertical-center" ng-if="$ctrl.state.loadingValues" role="status">
-            <inline-loader children="'Loading values.yaml...'" />
-          </span>
-          <button ng-if="$ctrl.state.showCustomValues" class="btn btn-xs btn-default vertical-center !ml-0 mr-2" ng-click="$ctrl.state.showCustomValues = false;">
-            <pr-icon icon="'minus'" class="vertical-center"></pr-icon>
-            Hide custom values
-          </button>
-        </div>
-      </div>
-      <!-- values override -->
-      <div ng-if="$ctrl.state.showCustomValues">
-        <!-- web-editor -->
-        <div class="form-group">
-          <div class="col-sm-12">
-            <web-editor-form
-              identifier="helm-app-creation-editor"
-              value="$ctrl.state.values"
-              on-change="($ctrl.editorUpdate)"
-              yml="true"
-              placeholder="Define or paste the content of your values yaml file here"
-            >
-              <editor-description class="vertical-center">
-                <pr-icon icon="'info'" mode="'primary'"></pr-icon>
-                <span>
-                  You can get more information about Helm values file format in the
-                  <a href="https://helm.sh/docs/chart_template_guide/values_files/" target="_blank" class="hyperlink">official documentation</a>.
-                </span>
-              </editor-description>
-            </web-editor-form>
-          </div>
-        </div>
-        <!-- !web-editor -->
-      </div>
-      <!-- !values override -->
-      <!-- helm actions -->
-      <div class="col-sm-12 form-section-title"> Actions </div>
-      <div class="form-group">
-        <div class="col-sm-12">
-          <button
-            type="button"
-            class="btn btn-primary btn-sm !ml-0"
-            ng-disabled="!$ctrl.state.resourcePool || $ctrl.state.loadingValues || $ctrl.state.actionInProgress || !$ctrl.name"
-            ng-click="$ctrl.installHelmchart()"
-            button-spinner="$ctrl.state.actionInProgress"
-            data-cy="helm-install"
-          >
-            <span ng-hide="$ctrl.state.actionInProgress">Install</span>
-            <span ng-hide="!$ctrl.state.actionInProgress">Installing Helm chart</span>
-          </button>
-        </div>
-      </div>
-      <!-- !helm actions -->
-    </form>
-  </div>
-  <!-- helmchart-form -->
-</div>
-
-<!-- Helm Charts Component -->
-<div class="row" ng-if="!$ctrl.state.chart">
-  <div class="col-sm-12 p-0">
-    <helm-templates-list
-      title-text="Helm chart"
-      charts="$ctrl.state.charts"
-      table-key="$ctrl.state.charts"
-      select-action="$ctrl.selectHelmChart"
-      loading="$ctrl.state.chartsLoading || $ctrl.state.resourcePoolsLoading"
-    >
-    </helm-templates-list>
-  </div>
-</div>
-<!-- !Helm Charts Component -->

app/kubernetes/components/helm/helm-templates/helm-templates.js

@@ -1,14 +0,0 @@
-import angular from 'angular';
-import controller from './helm-templates.controller';
-
-angular.module('portainer.kubernetes').component('helmTemplatesView', {
-  templateUrl: './helm-templates.html',
-  controller,
-  bindings: {
-    endpoint: '<',
-    namespace: '<',
-    stackName: '<',
-    onSelectHelmChart: '<',
-    name: '<',
-  },
-});

app/kubernetes/react/components/index.ts

@@ -58,6 +58,7 @@ import { AppDeploymentTypeFormSection } from '@/react/kubernetes/applications/co
 import { EnvironmentVariablesFormSection } from '@/react/kubernetes/applications/components/EnvironmentVariablesFormSection/EnvironmentVariablesFormSection';
 import { kubeEnvVarValidationSchema } from '@/react/kubernetes/applications/components/EnvironmentVariablesFormSection/kubeEnvVarValidationSchema';
 import { IntegratedAppsDatatable } from '@/react/kubernetes/components/IntegratedAppsDatatable/IntegratedAppsDatatable';
+import { HelmTemplates } from '@/react/kubernetes/helm/HelmTemplates/HelmTemplates';
 
 import { namespacesModule } from './namespaces';
 import { clusterManagementModule } from './clusterManagement';
@@ -205,6 +206,14 @@ export const ngModule = angular
       'tableTitle',
       'dataCy',
     ])
+  )
+  .component(
+    'helmTemplatesView',
+    r2a(withUIRouter(withCurrentUser(HelmTemplates)), [
+      'onSelectHelmChart',
+      'namespace',
+      'name',
+    ])
   );
 
 export const componentsModule = ngModule.name;

app/kubernetes/services/resourcePoolService.js

@@ -3,6 +3,7 @@ import _ from 'lodash-es';
 import angular from 'angular';
 import KubernetesResourcePoolConverter from 'Kubernetes/converters/resourcePool';
 import KubernetesResourceQuotaHelper from 'Kubernetes/helpers/resourceQuotaHelper';
+import { getNamespaces } from '@/react/kubernetes/namespaces/queries/useNamespacesQuery';
 
 /* @ngInject */
 export function KubernetesResourcePoolService(
@@ -11,7 +12,8 @@ export function KubernetesResourcePoolService(
   KubernetesNamespaceService,
   KubernetesResourceQuotaService,
   KubernetesIngressService,
-  KubernetesPortainerNamespaces
+  KubernetesPortainerNamespaces,
+  EndpointProvider
 ) {
   return {
     get,
@@ -37,9 +39,14 @@ export function KubernetesResourcePoolService(
 
   // getting the quota for all namespaces is costly by default, so disable getting it by default
   async function getAll({ getQuota = false }) {
-    const namespaces = await KubernetesNamespaceService.get();
+    const namespaces = await getNamespaces(EndpointProvider.endpointID());
+    // there is a lot of downstream logic using the angular namespace type with a '.Status' field (not '.Status.phase'), so format the status here to match this logic
+    const namespacesFormattedStatus = namespaces.map((namespace) => ({
+      ...namespace,
+      Status: namespace.Status.phase,
+    }));
     const pools = await Promise.all(
-      _.map(namespaces, async (namespace) => {
+      _.map(namespacesFormattedStatus, async (namespace) => {
         const name = namespace.Name;
         const pool = KubernetesResourcePoolConverter.apiToResourcePool(namespace);
         if (getQuota) {

app/kubernetes/views/deploy/deploy.html

@@ -187,13 +187,7 @@
                 <!-- Helm -->
                 <div ng-show="ctrl.state.BuildMethod === ctrl.BuildMethods.HELM">
                   <div class="col-sm-12 form-section-title" ng-if="ctrl.state.selectedHelmChart">Selected Helm chart</div>
-                  <helm-templates-view
-                    on-select-helm-chart="(ctrl.onSelectHelmChart)"
-                    endpoint="ctrl.endpoint"
-                    namespace="ctrl.formValues.Namespace"
-                    stack-name="ctrl.formValues.StackName"
-                    name="ctrl.formValues.Name"
-                  ></helm-templates-view>
+                  <helm-templates-view on-select-helm-chart="(ctrl.onSelectHelmChart)" namespace="ctrl.formValues.Namespace" name="ctrl.formValues.Name" />
                 </div>
                 <!-- !Helm -->
 

app/kubernetes/views/deploy/deployController.js

@@ -6,17 +6,18 @@ import PortainerError from '@/portainer/error';
 import { KubernetesDeployManifestTypes, KubernetesDeployBuildMethods, KubernetesDeployRequestMethods, RepositoryMechanismTypes } from 'Kubernetes/models/deploy';
 import { isTemplateVariablesEnabled, renderTemplate } from '@/react/portainer/custom-templates/components/utils';
 import { getDeploymentOptions } from '@/react/portainer/environments/environment.service';
-import { kubernetes } from '@@/BoxSelector/common-options/deployment-methods';
-import { editor, git, customTemplate, url, helm } from '@@/BoxSelector/common-options/build-methods';
 import { parseAutoUpdateResponse, transformAutoUpdateViewModel } from '@/react/portainer/gitops/AutoUpdateFieldset/utils';
 import { baseStackWebhookUrl, createWebhookId } from '@/portainer/helpers/webhookHelper';
-import { confirmWebEditorDiscard } from '@@/modals/confirm';
 import { getVariablesFieldDefaultValues } from '@/react/portainer/custom-templates/components/CustomTemplatesVariablesField';
 import { KUBE_STACK_NAME_VALIDATION_REGEX } from '@/react/kubernetes/DeployView/StackName/constants';
+import { confirmWebEditorDiscard } from '@@/modals/confirm';
+import { editor, git, customTemplate, url, helm } from '@@/BoxSelector/common-options/build-methods';
+import { kubernetes } from '@@/BoxSelector/common-options/deployment-methods';
 
 class KubernetesDeployController {
   /* @ngInject */
-  constructor($async, $state, $window, Authentication, Notifications, KubernetesResourcePoolService, StackService, CustomTemplateService, KubernetesApplicationService) {
+  constructor($scope, $async, $state, $window, Authentication, Notifications, KubernetesResourcePoolService, StackService, CustomTemplateService, KubernetesApplicationService) {
+    this.$scope = $scope;
     this.$async = $async;
     this.$state = $state;
     this.$window = $window;
@@ -110,6 +111,9 @@ class KubernetesDeployController {
 
   onSelectHelmChart(chart) {
     this.state.selectedHelmChart = chart;
+
+    // Force a digest cycle to ensure the change is reflected in the UI
+    this.$scope.$apply();
   }
 
   onChangeTemplateVariables(value) {

app/portainer/components/code-editor/code-editor.html

@@ -6,4 +6,5 @@
   on-change="($ctrl.handleChange)"
   value="$ctrl.value"
   height="$ctrl.height || undefined"
+  schema="$ctrl.schema"
 ></react-code-editor>

app/portainer/components/code-editor/code-editor.js

@@ -13,5 +13,6 @@ angular.module('portainer.app').component('codeEditor', {
     onChange: '<',
     value: '<',
     height: '@',
+    schema: '<',
   },
 });

app/portainer/components/form-components/web-editor-form/index.js

@@ -13,6 +13,7 @@ export const webEditorForm = {
     onChange: '<',
     hideTitle: '<',
     height: '@',
+    schema: '<',
   },
 
   transclude: {

app/portainer/components/form-components/web-editor-form/web-editor-form.html

@@ -48,6 +48,7 @@
           value="$ctrl.value"
           on-change="($ctrl.onChange)"
           height="{{ $ctrl.height }}"
+          schema="$ctrl.schema"
         ></code-editor>
       </div>
     </div>

app/portainer/components/forms/git-form/index.ts

@@ -7,7 +7,7 @@ import { gitFormRefField } from './git-form-ref-field';
 
 export const gitFormModule = angular
   .module('portainer.app.components.git-form', [])
-  .component('gitForm', gitForm)
+  .component('gitForm', gitForm) // kube deploy + docker stack create
   .component('gitFormAuthFieldset', gitFormAuthFieldset)
   .component('gitFormAutoUpdateFieldset', gitFormAutoUpdate)
   .component('gitFormRefField', gitFormRefField).name;

app/portainer/react/components/git-form.ts

@@ -29,6 +29,7 @@ export const gitFormModule = angular
       'webhookId',
       'webhooksDocs',
       'createdFromCustomTemplateId',
+      'isAutoUpdateVisible',
     ])
   )
   .component(

app/portainer/react/components/index.ts

@@ -232,6 +232,7 @@ export const ngModule = angular
       'data-cy',
       'versions',
       'onVersionChange',
+      'schema',
     ])
   )
   .component(