chore: version bump 2.33.1 (#188)

adjusting workflow permissions - pull-requests: write

.github/workflows/on-push-lint-charts.yml

@@ -4,22 +4,27 @@ on:
   push:
     paths:
       - 'charts/**' 
-      - '.github/**'            
+      - '.github/**'
+  pull_request:
+    branches:
+      - master
   workflow_dispatch:
 
 env:
   KUBE_SCORE_VERSION: 1.10.0
-  HELM_VERSION: v3.4.1
+  HELM_VERSION: v3.10.1
 
 jobs:
   lint-test:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v1
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
           
       - name: Set up Helm
-        uses: azure/setup-helm@v1
+        uses: azure/setup-helm@v4.2.0
         with:
           version: ${{ env.HELM_VERSION }}
 
@@ -40,12 +45,14 @@ jobs:
               --enable-optional-test container-security-context-privileged
 
       # python is a requirement for the chart-testing action below (supports yamllint among other tests)
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v5.3.0
         with:
-          python-version: 3.7
+          python-version: 3.13.1
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.0.1
+        uses: helm/chart-testing-action@v2.6.1
+        with:
+          version: v3.10.1
 
       - name: Run chart-testing (list-changed)
         id: list-changed
@@ -59,32 +66,42 @@ jobs:
         run: ct lint --config .ci/ct-config.yaml
 
       # Refer to https://github.com/kubernetes-sigs/kind/releases when updating the node_images
-      - name: Create 1.20 kind cluster
-        uses: helm/kind-action@v1.1.0
+      - name: Create 1.29 kind cluster
+        uses: helm/kind-action@v1.12.0
         with:
-          node_image: kindest/node:v1.20.2@sha256:8f7ea6e7642c0da54f04a7ee10431549c0257315b3a634f6ef2fecaaedb19bab
-          cluster_name: kubernetes-1.20
+          node_image: kindest/node:v1.29.14@sha256:8703bd94ee24e51b778d5556ae310c6c0fa67d761fae6379c8e0bb480e6fea29
+          cluster_name: kubernetes-1.29
         if: steps.list-changed.outputs.changed == 'true'
 
-      - name: Run chart-testing (install) against 1.20
+      - name: Run chart-testing (install) against 1.29
         run: ct install --config .ci/ct-config.yaml
 
-      - name: Create 1.19 kind cluster
-        uses: helm/kind-action@v1.1.0
+      - name: Create 1.30 kind cluster
+        uses: helm/kind-action@v1.12.0
         with:
-          node_image: kindest/node:v1.19.7@sha256:a70639454e97a4b733f9d9b67e12c01f6b0297449d5b9cbbef87473458e26dca
-          cluster_name: kubernetes-1.19
+          node_image: kindest/node:v1.30.10@sha256:4de75d0e82481ea846c0ed1de86328d821c1e6a6a91ac37bf804e5313670e507
+          cluster_name: kubernetes-1.30
         if: steps.list-changed.outputs.changed == 'true'
 
-      - name: Run chart-testing (install) against 1.19
+      - name: Run chart-testing (install) against 1.30
         run: ct install --config .ci/ct-config.yaml
 
-      - name: Create 1.18 kind cluster
-        uses: helm/kind-action@v1.1.0
+      - name: Create 1.31 kind cluster
+        uses: helm/kind-action@v1.12.0
         with:
-          node_image: kindest/node:v1.18.15@sha256:5c1b980c4d0e0e8e7eb9f36f7df525d079a96169c8a8f20d8bd108c0d0889cc4
-          cluster_name: kubernetes-1.18
+          node_image: kindest/node:v1.31.6@sha256:28b7cbb993dfe093c76641a0c95807637213c9109b761f1d422c2400e22b8e87
+          cluster_name: kubernetes-1.31
         if: steps.list-changed.outputs.changed == 'true'
 
-      - name: Run chart-testing (install) against 1.18
+      - name: Run chart-testing (install) against 1.31
         run: ct install --config .ci/ct-config.yaml
+
+      - name: Create 1.32 kind cluster
+        uses: helm/kind-action@v1.12.0
+        with:
+          node_image: kindest/node:v1.32.2@sha256:f226345927d7e348497136874b6d207e0b32cc52154ad8323129352923a3142f
+          cluster_name: kubernetes-1.32
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Run chart-testing (install) against 1.32
+        run: ct install --config .ci/ct-config.yaml

.github/workflows/on-push-master-publish-chart.yml

@@ -11,9 +11,11 @@ on:
       
 jobs:
   build:
-
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: write
+      pages: write
+      pull-requests: write
     steps:
     - uses: actions/checkout@v2
 
@@ -35,4 +37,4 @@ jobs:
       with:
         destination_branch: "gh-pages"
         github_token: "${{ secrets.GITHUB_TOKEN }}"
-        pr_allow_empty: false        
+        pr_allow_empty: false

charts/portainer/Chart.yaml

@@ -16,16 +16,16 @@ type: application
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 1.0.10
 
+version: 2.33.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: ce-latest-ee-2.0.0
+appVersion: ce-latest-ee-2.33.1
 
 sources:
     - https://github.com/portainer/k8s
 
 maintainers:
-    - name: funkypenguin
-      email: davidy@funkypenguin.co.nz
-      url: https://www.funkypenguin.co.nz
+    - name: Portainer
+      email: platform-team@portainer.io
+      url: https://www.portainer.io

charts/portainer/README.md

@@ -64,25 +64,30 @@ The following table lists the configurable parameters of the Portainer chart and
 | `nodeSelector` | Used to apply a nodeSelector to the deployment | `{}` |
 | `serviceAccount.annotations` | Annotations to add to the service account | `null` |
 | `serviceAccount.name` | The name of the service account to use | `portainer-sa-clusteradmin` |
+| `localMgmt` | Enables or disables the creation of SA, Roles in local cluster where Portainer runs, only change when you don't need to manage the local cluster through this Portainer instance  | `true` |
 | `service.type` | Service Type for the main Portainer Service; ClusterIP, NodePort and LoadBalancer | `LoadBalancer` |
 | `service.httpPort` | HTTP port for accessing Portainer Web | `9000` |
 | `service.httpNodePort` | Static NodePort for accessing Portainer Web. Specify only if the type is NodePort | `30777` |
 | `service.edgePort` | TCP port for accessing Portainer Edge | `8000` |
 | `service.edgeNodePort` | Static NodePort for accessing Portainer Edge. Specify only if the type is NodePort | `30776` |
 | `service.annotations` | Annotations to add to the service | `{}` |
+| `feature.flags` | Enable one or more features separated by spaces. For instance, `--feat=open-amt` | `nil` |
 | `ingress.enabled` | Create an ingress for Portainer | `false` |
+| `ingress.ingressClassName` | For Kubernetes >= 1.18 you should specify the ingress-controller via the field `ingressClassName`. For instance, `nginx` | `nil` |
 | `ingress.annotations` | Annotations to add to the ingress. For instane, `kubernetes.io/ingress.class: nginx` | `{}` |
 | `ingress.hosts.host` | URL for Portainer Web. For instance, `portainer.example.io` | `nil` |
 | `ingress.hosts.paths.path` | Path for the Portainer Web. | `/` |
 | `ingress.hosts.paths.port` | Port for the Portainer Web. | `9000` |
 | `ingress.tls` | TLS support on ingress. Must create a secret with TLS certificates in advance | `[]` |
 | `resources` | Portainer resource requests and limits | `{}` |
+| `tls.force` | Force Portainer to be configured to use TLS only | `false` |
+| `tls.existingSecret` | Mount the existing TLS secret into the pod | `""` |
+| `mtls.enable` | Option to specicy mtls Certs to be used by Portainer | `false` |
+| `mtls.existingSecret` | Mount the existing mtls secret into the pod | `""` |
 | `persistence.enabled` | Whether to enable data persistence | `true` |
 | `persistence.existingClaim` | Name of an existing PVC to use for data persistence | `nil` |
 | `persistence.size` | Size of the PVC used for persistence | `10Gi` |
 | `persistence.annotations` | Annotations to apply to PVC used for persistence | `{}` |
 | `persistence.storageClass` | StorageClass to apply to PVC used for persistence | `default` |
 | `persistence.accessMode` | AccessMode for persistence | `ReadWriteOnce` |
-| `persistence.selector` | Selector for persistence | `nil` |
-
-
+| `persistence.selector` | Selector for persistence | `nil` |

charts/portainer/templates/NOTES.txt

@@ -1,21 +1,27 @@
-1. Get the application URL by running these commands:
 {{- if .Values.ingress.enabled }}
 {{- range $host := .Values.ingress.hosts }}
   {{- range .paths }}
-  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ if .port }}:{{ .port }}{{ else }}:9000{{ end }}{{.path}}
+  Use the URL below to access the application
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ if .port }}:{{ .port }}{{ else }}{{ end }}{{.path}}
   {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "portainer.fullname" . }})
+  Get the application URL by running these commands:
+  {{- if .Values.tls.force }}
+    export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "portainer.fullname" . }})
+  {{- else }}
+    export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[1].nodePort}" services {{ include "portainer.fullname" . }})  
+  {{- end}}
   export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-  echo http://$NODE_IP:$NODE_PORT
+  echo https://$NODE_IP:$NODE_PORT
 {{- else if contains "LoadBalancer" .Values.service.type }}
+  Get the application URL by running these commands:
      NOTE: It may take a few minutes for the LoadBalancer IP to be available.
            You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "portainer.fullname" . }}'
   export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "portainer.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
-  echo http://$SERVICE_IP:{{ .Values.service.httpPort }}
+  echo https://$SERVICE_IP:{{ .Values.service.httpsPort }}
 {{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "portainer.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  echo "Visit http://127.0.0.1:9000 to use your application"
-  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9000:9000
+  Get the application URL by running these commands:
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "portainer.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].me$  echo "Visit http://127.0.0.1:9443 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9443:9443
 {{- end }}

charts/portainer/templates/_helpers.tpl

@@ -71,4 +71,17 @@ Provide a pre-defined claim or a claim based on the Release
 {{- else -}}
 {{- template "portainer.fullname" . }}
 {{- end -}}
+{{- end -}}
+
+{{/*
+Generate a right Ingress apiVersion
+*/}}
+{{- define "ingress.apiVersion" -}}
+{{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.GitVersion -}}
+networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+networking.k8s.io/v1beta1
+{{- else -}}
+extensions/v1
+{{- end }}
 {{- end -}}

charts/portainer/templates/deployment.yaml

@@ -18,16 +18,31 @@ spec:
       labels:
         {{- include "portainer.selectorLabels" . | nindent 8 }}
     spec:
-      nodeSelector: {{- toYaml .Values.nodeSelector | nindent 8 -}}      
-    {{- with .Values.imagePullSecrets }}
+      nodeSelector: {{- toYaml .Values.nodeSelector | nindent 8 }}
+      tolerations: {{- toYaml .Values.tolerations | nindent 8 -}}
+      {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
+      {{- if .Values.localMgmt }}
       serviceAccountName: {{ include "portainer.serviceAccountName" . }}
+      {{- end }}
       volumes:
-         - name: "data"
-           persistentVolumeClaim:
-             claimName: {{ template "portainer.pvcName" . }}      
+        {{- if .Values.persistence.enabled }}
+        - name: "data"
+          persistentVolumeClaim:
+            claimName: {{ template "portainer.pvcName" . }}
+        {{- end }}
+        {{- if .Values.tls.existingSecret }}
+        - name: certs
+          secret:
+            secretName: {{ .Values.tls.existingSecret }}
+        {{- end }}
+        {{- if .Values.mtls.existingSecret }}
+        - name: mtlscerts
+          secret:
+            secretName: {{ .Values.mtls.existingSecret }}
+        {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           {{- if .Values.enterpriseEdition.enabled }}
@@ -37,26 +52,150 @@ spec:
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           {{- end }}
-      {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.edgeNodePort))) }}
-          args:  [ '--tunnel-port','{{ .Values.service.edgeNodePort }}' ]
-      {{- end }}          
+          args: 
+          {{- if .Values.tls.force }}
+          - --http-disabled
+          {{- end }}
+          {{- if .Values.tls.existingSecret }}
+          - --sslcert=/certs/tls.crt
+          - --sslkey=/certs/tls.key
+          {{- end }}
+          {{- if .Values.mtls.existingSecret }}
+          - --mtlscacert=/certs/mtls/mtlsca.crt
+          - --mtlscert=/certs/mtls/mtlscert.crt
+          - --mtlskey=/certs/mtls/mtlskey.key
+          {{- end }}          
+          {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.edgeNodePort))) }}
+          - '--tunnel-port={{ .Values.service.edgeNodePort }}'
+          {{- end }}
+          {{- if and .Values.trusted_origins.enabled (not (empty .Values.trusted_origins.domains)) }}
+          - '--trusted-origins={{ .Values.trusted_origins.domains | trim | quote }}'
+          {{- end }}
+          {{- range .Values.feature.flags }}
+          - {{ . | squote }}
+          {{- end }}
           volumeMounts:
+            {{- if .Values.persistence.enabled }}
             - name: data
               mountPath: /data
+            {{- end }}
+            {{- if .Values.tls.existingSecret }}
+            - name: certs
+              mountPath: /certs
+              readOnly: true
+            {{- end }}
+            {{- if .Values.mtls.existingSecret }}
+            - name: mtlscerts
+              mountPath: /certs/mtls
+              readOnly: true
+            {{- end }}
           ports:
+            {{- if not .Values.tls.force }}
             - name: http
               containerPort: 9000
               protocol: TCP
+            {{- end }}
+            - name: https
+              containerPort: 9443
+              protocol: TCP
             - name: tcp-edge
               containerPort: 8000
-              protocol: TCP              
+              protocol: TCP
           livenessProbe:
+            failureThreshold: 5
+            initialDelaySeconds: 45
+            periodSeconds: 30
             httpGet:
               path: /
+              {{- if .Values.tls.force }}
+              port: 9443
+              scheme: HTTPS
+              {{- else }}
+                {{- if .Values.enterpriseEdition.enabled }}
+                  {{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+$" .Values.enterpriseEdition.image.tag }}
+                    {{- if eq (semver .Values.enterpriseEdition.image.tag | (semver "2.7.0").Compare) -1 }}
+              port: 9443
+              scheme: HTTPS
+                    {{- else }}
               port: 9000
+              scheme: HTTP
+                    {{- end }}
+                  {{- else }}
+                    {{- if eq .Values.enterpriseEdition.image.tag "latest" }}
+              port: 9443
+              scheme: HTTPS
+                    {{- else }}
+              port: 9000
+              scheme: HTTP
+                    {{- end }}
+                  {{- end}}
+                {{- else }}
+                  {{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+$" .Values.image.tag }}
+                    {{- if eq (semver .Values.image.tag | (semver "2.6.0").Compare) -1 }}
+              port: 9443
+              scheme: HTTPS
+                    {{- else }}
+              port: 9000
+              scheme: HTTP
+                    {{- end}}
+                  {{- else }}
+                    {{- if eq .Values.image.tag "latest" }}
+              port: 9443
+              scheme: HTTPS
+                    {{- else }}
+              port: 9000
+              scheme: HTTP
+                    {{- end }}
+                  {{- end }}
+                {{- end }}
+              {{- end }}
           readinessProbe:
+            failureThreshold: 5
+            initialDelaySeconds: 45
+            periodSeconds: 30
             httpGet:
               path: /
+              {{- if .Values.tls.force }}
+              port: 9443
+              scheme: HTTPS
+              {{- else }}
+                {{- if .Values.enterpriseEdition.enabled }}
+                  {{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+$" .Values.enterpriseEdition.image.tag }}
+                    {{- if eq (semver .Values.enterpriseEdition.image.tag | (semver "2.7.0").Compare) -1 }}
+              port: 9443
+              scheme: HTTPS
+                    {{- else }}
               port: 9000
+              scheme: HTTP
+                    {{- end }}
+                  {{- else }}
+                    {{- if eq .Values.enterpriseEdition.image.tag "latest" }}
+              port: 9443
+              scheme: HTTPS
+                    {{- else }}
+              port: 9000
+              scheme: HTTP
+                    {{- end }}
+                  {{- end}}
+                {{- else }}
+                  {{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+$" .Values.image.tag }}
+                    {{- if eq (semver .Values.image.tag | (semver "2.6.0").Compare) -1 }}
+              port: 9443
+              scheme: HTTPS
+                    {{- else }}
+              port: 9000
+              scheme: HTTP
+                    {{- end}}
+                  {{- else }}
+                    {{- if eq .Values.image.tag "latest" }}
+              port: 9443
+              scheme: HTTPS
+                    {{- else }}
+              port: 9000
+              scheme: HTTP
+                    {{- end }}
+                  {{- end }}
+                {{- end }}
+              {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}

charts/portainer/templates/ingress.yaml

@@ -1,10 +1,8 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "portainer.fullname" . -}}
-{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1beta1
-{{- else -}}
-apiVersion: extensions/v1beta1
-{{- end }}
+{{- $tlsforced := .Values.tls.force -}}
+{{- $apiVersion := include "ingress.apiVersion" . -}}
+apiVersion: {{ $apiVersion }}
 kind: Ingress
 metadata:
   name: {{ $fullName }}
@@ -16,6 +14,9 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
+{{- with .Values.ingress.ingressClassName }}
+  ingressClassName: {{ . }}
+{{- end }}
 {{- if .Values.ingress.tls }}
   tls:
   {{- range .Values.ingress.tls }}
@@ -33,9 +34,27 @@ spec:
         paths:
         {{- range .paths }}
           - path: {{ .path | default "/" }}
+            {{- if eq $apiVersion "networking.k8s.io/v1" }}
+            pathType: Prefix
+            {{- end }}
             backend:
+            {{- if eq $apiVersion "networking.k8s.io/v1" }}
+              service:
+                name: {{ $fullName }}
+                port:
+                {{- if $tlsforced }}
+                  number: {{ .port | default 9443 }}
+                {{- else }}
+                  number: {{ .port | default 9000 }}
+                {{- end }}
+            {{- else }}
               serviceName: {{ $fullName }}
+              {{- if $tlsforced }}
+              servicePort: {{ .port | default 9443 }}
+              {{- else }}
               servicePort: {{ .port | default 9000 }}
+              {{- end }}
+            {{- end }}
         {{- end }}
   {{- end }}
-{{- end }}
+{{- end }}

charts/portainer/templates/namespace.yaml

@@ -3,4 +3,6 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: portainer
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
 {{ end }}

charts/portainer/templates/pvc.yaml

@@ -1,30 +1,30 @@
+{{- if .Values.persistence.enabled -}}
 {{- if not .Values.persistence.existingClaim -}}
 ---
 kind: "PersistentVolumeClaim"
 apiVersion: "v1"
 metadata:
   name: {{ template "portainer.fullname" . }}
-  namespace: {{ .Release.Namespace }}  
+  namespace: {{ .Release.Namespace }}
   annotations:
-  {{- if .Values.persistence.storageClass }}
-    volume.beta.kubernetes.io/storage-class: {{ .Values.persistence.storageClass | quote }}
-  {{- else }}
-    volume.alpha.kubernetes.io/storage-class: "generic"
-  {{- end }}
   {{- if .Values.persistence.annotations }}
   {{ toYaml .Values.persistence.annotations | indent 2 }}  
   {{ end }}
   labels:
     io.portainer.kubernetes.application.stack: portainer
-    {{- include "portainer.labels" . | nindent 4 }}  
+    {{- include "portainer.labels" . | nindent 4 }}
 spec:
   accessModes:
     - {{ default "ReadWriteOnce" .Values.persistence.accessMode | quote }}
   resources:
     requests:
       storage: {{ .Values.persistence.size | quote }}
+  {{- if .Values.persistence.storageClass }}
+  storageClassName: {{ .Values.persistence.storageClass | quote }}
+  {{ end }}
   {{- if .Values.persistence.selector }}
   selector:
 {{ toYaml .Values.persistence.selector | indent 4 }}
   {{ end }}
 {{- end }}
+{{- end }}

charts/portainer/templates/rbac.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.localMgmt }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -11,4 +12,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   namespace: {{ .Release.Namespace }}
-  name: {{ include "portainer.serviceAccountName" . }}
+  name: {{ include "portainer.serviceAccountName" . }}
+{{- end }}

charts/portainer/templates/service.yaml

@@ -15,6 +15,7 @@ metadata:
 spec:
   type: {{ .Values.service.type }}
   ports:
+    {{- if not .Values.tls.force }}
     - port: {{ .Values.service.httpPort }}
       targetPort: 9000
       protocol: TCP
@@ -22,7 +23,15 @@ spec:
       {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.httpNodePort))) }}
       nodePort: {{ .Values.service.httpNodePort}}
       {{- end }}
-      {{- if (eq .Values.service.type "NodePort") }}
+    {{- end }}
+    - port: {{ .Values.service.httpsPort }}
+      targetPort: 9443
+      protocol: TCP
+      name: https
+      {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.httpsNodePort))) }}
+      nodePort: {{ .Values.service.httpsNodePort}}
+      {{- end }}
+    {{- if (eq .Values.service.type "NodePort") }}
     - port: {{ .Values.service.edgeNodePort }}
       targetPort: {{ .Values.service.edgeNodePort }}
       {{- else }}
@@ -33,6 +42,6 @@ spec:
       name: edge
       {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.edgeNodePort))) }}
       nodePort: {{ .Values.service.edgeNodePort }}
-      {{- end }}
+    {{- end }}
   selector:
     {{- include "portainer.selectorLabels" . | nindent 4 }}

charts/portainer/templates/serviceaccount.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.localMgmt }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -9,3 +10,4 @@ metadata:
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+{{- end }}

charts/portainer/values.yaml

@@ -9,44 +9,81 @@ enterpriseEdition:
   enabled: false
   image:
     repository: portainer/portainer-ee
-    tag: 2.0.0
+    tag: 2.33.1
     pullPolicy: Always
 
 image:
   repository: portainer/portainer-ce
-  tag: latest
+  tag: 2.33.1
   pullPolicy: Always
 
 imagePullSecrets: []
 
 nodeSelector: {}
+tolerations: []
 
 serviceAccount:
   annotations: {}
   name: portainer-sa-clusteradmin
 
+# This flag provides the ability to enable or disable RBAC-related resources during the deployment of the Portainer application
+# If you are using Portainer to manage the K8s cluster it is deployed to, this flag must be set to true 
+localMgmt: true
+
 service:
   # Set the httpNodePort and edgeNodePort only if the type is NodePort
   # For Ingress, set the type to be ClusterIP and set ingress.enabled to true
   # For Cloud Providers, set the type to be LoadBalancer
   type: NodePort
   httpPort: 9000
+  httpsPort: 9443
   httpNodePort: 30777
+  httpsNodePort: 30779
   edgePort: 8000
   edgeNodePort: 30776
   annotations: {}
 
+tls:
+  # If set, Portainer will be configured to use TLS only
+  force: false
+  # If set, will mount the existing secret into the pod
+  existingSecret: ""
+
+trusted_origins:
+  # If set, Portainer will be configured to trust the domains specified in domains
+    enabled: false
+      # specify (in a comma-separated list) the domain(s) used to access Portainer when it is behind a reverse proxy
+        # example: portainer.mydomain.com,portainer.example.com
+    domains: ""
+
+mtls:
+  # If set, Portainer will be configured to use mTLS only
+  enable: false
+  # If set, will mount the existing secret into the pod
+  existingSecret: ""
+
+feature:
+  flags: []
+
 ingress:
   enabled: false
+  ingressClassName: ""
   annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # Only use below if tls.force=true
+    # nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+  # Note: Hosts and paths are of type array
   hosts:
     - host:
       paths: []
+      # - path: "/"
   tls: []
 
 resources: {}
 
 persistence:
+  enabled: true
   size: "10Gi"
   annotations: {}
   storageClass:
+  existingClaim:

deploy/manifests/agent/ee/agent-stack-ee20-windows.yml

@@ -0,0 +1,25 @@
+version: '3.3'
+services:
+  agent:
+    image: portainer/agent:2.0.0
+    ports:
+      - target: 9001
+        published: 9001
+        protocol: tcp
+    volumes:
+      - type: npipe
+        source: \\.\pipe\docker_engine
+        target: \\.\pipe\docker_engine
+      - type: bind
+        source: C:\ProgramData\docker\volumes
+        target: C:\ProgramData\docker\volumes
+    networks:
+      - agent_network
+    deploy:
+      mode: global
+      placement:
+        constraints: [node.platform.os == windows]
+
+networks:
+  agent_network:
+    driver: overlay

deploy/manifests/agent/ee/agent-stack-ee20.yml

@@ -0,0 +1,24 @@
+version: '3.2'
+
+services:
+  agent:
+    image: portainer/agent:2.0.0
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/lib/docker/volumes:/var/lib/docker/volumes
+    ports:
+      - target: 9001
+        published: 9001
+        protocol: tcp
+        mode: host
+    networks:
+      - portainer_agent
+    deploy:
+      mode: global
+      placement:
+        constraints: [node.platform.os == linux]
+
+networks:
+  portainer_agent:
+    driver: overlay
+    attachable: true

deploy/manifests/agent/ee/agent-stack-ee24-windows.yml

@@ -0,0 +1,25 @@
+version: '3.3'
+services:
+  agent:
+    image: portainer/agent:2.4.0
+    ports:
+      - target: 9001
+        published: 9001
+        protocol: tcp
+    volumes:
+      - type: npipe
+        source: \\.\pipe\docker_engine
+        target: \\.\pipe\docker_engine
+      - type: bind
+        source: C:\ProgramData\docker\volumes
+        target: C:\ProgramData\docker\volumes
+    networks:
+      - agent_network
+    deploy:
+      mode: global
+      placement:
+        constraints: [node.platform.os == windows]
+
+networks:
+  agent_network:
+    driver: overlay

deploy/manifests/agent/ee/agent-stack-ee24.yml

@@ -0,0 +1,24 @@
+version: '3.2'
+
+services:
+  agent:
+    image: portainer/agent:2.4.0
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/lib/docker/volumes:/var/lib/docker/volumes
+    ports:
+      - target: 9001
+        published: 9001
+        protocol: tcp
+        mode: host
+    networks:
+      - portainer_agent
+    deploy:
+      mode: global
+      placement:
+        constraints: [node.platform.os == linux]
+
+networks:
+  portainer_agent:
+    driver: overlay
+    attachable: true

deploy/manifests/agent/ee/agent-stack-windows.yml

@@ -0,0 +1,25 @@
+version: '3.3'
+services:
+  agent:
+    image: portainer/agent:2.33.1
+    ports:
+      - target: 9001
+        published: 9001
+        protocol: tcp
+    volumes:
+      - type: npipe
+        source: \\.\pipe\docker_engine
+        target: \\.\pipe\docker_engine
+      - type: bind
+        source: C:\ProgramData\docker\volumes
+        target: C:\ProgramData\docker\volumes
+    networks:
+      - agent_network
+    deploy:
+      mode: global
+      placement:
+        constraints: [node.platform.os == windows]
+
+networks:
+  agent_network:
+    driver: overlay

deploy/manifests/agent/ee/agent-stack.yml

@@ -0,0 +1,24 @@
+version: '3.2'
+
+services:
+  agent:
+    image: portainer/agent:2.33.1
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/lib/docker/volumes:/var/lib/docker/volumes
+    ports:
+      - target: 9001
+        published: 9001
+        protocol: tcp
+        mode: host
+    networks:
+      - portainer_agent
+    deploy:
+      mode: global
+      placement:
+        constraints: [node.platform.os == linux]
+
+networks:
+  portainer_agent:
+    driver: overlay
+    attachable: true

deploy/manifests/agent/ee/portainer-agent-edge-k8s.yaml

@@ -65,7 +65,7 @@ spec:
       serviceAccountName: portainer-sa-clusteradmin
       containers:
       - name: portainer-agent
-        image: portainer/agent:2.0.0
+        image: portainer/agent:2.33.1
         imagePullPolicy: Always
         env:
         - name: LOG_LEVEL

deploy/manifests/agent/ee/portainer-agent-ee20-edge-k8s.yaml

@@ -0,0 +1,95 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: portainer
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: portainer-sa-clusteradmin
+  namespace: portainer
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: portainer-crb-clusteradmin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: portainer-sa-clusteradmin
+  namespace: portainer
+# Optional: can be added to expose the agent port 80 to associate an Edge key.
+# ---
+# apiVersion: v1
+# kind: Service
+# metadata:
+#   name: portainer-agent
+#   namespace: portainer
+# spec:
+#   type: LoadBalancer
+#   selector:
+#     app: portainer-agent
+#   ports:
+#     - name: http
+#       protocol: TCP
+#       port: 80
+#       targetPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: portainer-agent
+  namespace: portainer
+spec:
+  clusterIP: None
+  selector:
+    app: portainer-agent
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: portainer-agent
+  namespace: portainer
+spec:
+  selector:
+    matchLabels:
+      app: portainer-agent
+  template:
+    metadata:
+      labels:
+        app: portainer-agent
+    spec:
+      serviceAccountName: portainer-sa-clusteradmin
+      containers:
+      - name: portainer-agent
+        image: portainer/agent:2.0.0
+        imagePullPolicy: Always
+        env:
+        - name: LOG_LEVEL
+          value: INFO
+        - name: KUBERNETES_POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: EDGE
+          value: "1"
+        - name: AGENT_CLUSTER_ADDR
+          value: "portainer-agent"
+        - name: EDGE_ID
+          valueFrom:
+            configMapKeyRef:
+              name: portainer-agent-edge-id
+              key: edge.id
+        - name: EDGE_KEY
+          valueFrom:
+            secretKeyRef:
+              name: portainer-agent-edge-key
+              key: edge.key
+        ports:
+        - containerPort: 9001
+          protocol: TCP
+        - containerPort: 80
+          protocol: TCP

deploy/manifests/agent/ee/portainer-agent-ee20-k8s-lb.yaml

@@ -0,0 +1,80 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: portainer
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: portainer-sa-clusteradmin
+  namespace: portainer
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: portainer-crb-clusteradmin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: portainer-sa-clusteradmin
+  namespace: portainer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: portainer-agent
+  namespace: portainer
+spec:
+  type: LoadBalancer
+  selector:
+    app: portainer-agent
+  ports:
+    - name: http
+      protocol: TCP
+      port: 9001
+      targetPort: 9001
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: portainer-agent-headless
+  namespace: portainer
+spec:
+  clusterIP: None
+  selector:
+    app: portainer-agent
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: portainer-agent
+  namespace: portainer
+spec:
+  selector:
+    matchLabels:
+      app: portainer-agent
+  template:
+    metadata:
+      labels:
+        app: portainer-agent
+    spec:
+      serviceAccountName: portainer-sa-clusteradmin
+      containers:
+      - name: portainer-agent
+        image: portainer/agent:2.0.0
+        imagePullPolicy: Always
+        env:
+        - name: LOG_LEVEL
+          value: DEBUG
+        - name: AGENT_CLUSTER_ADDR
+          value: "portainer-agent-headless"
+        - name: KUBERNETES_POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        ports:
+        - containerPort: 9001
+          protocol: TCP

deploy/manifests/agent/ee/portainer-agent-ee20-k8s-nodeport.yaml

@@ -0,0 +1,81 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: portainer
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: portainer-sa-clusteradmin
+  namespace: portainer
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: portainer-crb-clusteradmin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: portainer-sa-clusteradmin
+  namespace: portainer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: portainer-agent
+  namespace: portainer
+spec:
+  type: NodePort
+  selector:
+    app: portainer-agent
+  ports:
+    - name: http
+      protocol: TCP
+      port: 9001
+      targetPort: 9001
+      nodePort: 30778
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: portainer-agent-headless
+  namespace: portainer
+spec:
+  clusterIP: None
+  selector:
+    app: portainer-agent
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: portainer-agent
+  namespace: portainer
+spec:
+  selector:
+    matchLabels:
+      app: portainer-agent
+  template:
+    metadata:
+      labels:
+        app: portainer-agent
+    spec:
+      serviceAccountName: portainer-sa-clusteradmin
+      containers:
+      - name: portainer-agent
+        image: portainer/agent:2.0.0
+        imagePullPolicy: Always
+        env:
+        - name: LOG_LEVEL
+          value: DEBUG
+        - name: AGENT_CLUSTER_ADDR
+          value: "portainer-agent-headless"
+        - name: KUBERNETES_POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        ports:
+        - containerPort: 9001
+          protocol: TCP

deploy/manifests/agent/ee/portainer-agent-ee210-edge-k8s.yaml

@@ -0,0 +1,100 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: portainer
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: portainer-sa-clusteradmin
+  namespace: portainer
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: portainer-crb-clusteradmin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: portainer-sa-clusteradmin
+    namespace: portainer
+# Optional: can be added to expose the agent port 80 to associate an Edge key.
+# ---
+# apiVersion: v1
+# kind: Service
+# metadata:
+#   name: portainer-agent
+#   namespace: portainer
+# spec:
+#   type: LoadBalancer
+#   selector:
+#     app: portainer-agent
+#   ports:
+#     - name: http
+#       protocol: TCP
+#       port: 80
+#       targetPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: portainer-agent
+  namespace: portainer
+spec:
+  clusterIP: None
+  selector:
+    app: portainer-agent
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: portainer-agent
+  namespace: portainer
+spec:
+  selector:
+    matchLabels:
+      app: portainer-agent
+  template:
+    metadata:
+      labels:
+        app: portainer-agent
+    spec:
+      serviceAccountName: portainer-sa-clusteradmin
+      containers:
+        - name: portainer-agent
+          image: portainer/agent:2.10.0
+          imagePullPolicy: Always
+          env:
+            - name: LOG_LEVEL
+              value: INFO
+            - name: KUBERNETES_POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: EDGE
+              value: "1"
+            - name: AGENT_CLUSTER_ADDR
+              value: "portainer-agent"
+            - name: EDGE_ID
+              valueFrom:
+                configMapKeyRef:
+                  name: portainer-agent-edge
+                  key: edge.id
+            - name: EDGE_INSECURE_POLL
+              valueFrom:
+                configMapKeyRef:
+                  name: portainer-agent-edge
+                  key: edge.insecure_poll
+            - name: EDGE_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: portainer-agent-edge-key
+                  key: edge.key
+          ports:
+            - containerPort: 9001
+              protocol: TCP
+            - containerPort: 80
+              protocol: TCP

deploy/manifests/agent/ee/portainer-agent-ee210-k8s-lb.yaml

@@ -0,0 +1,80 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: portainer
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: portainer-sa-clusteradmin
+  namespace: portainer
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: portainer-crb-clusteradmin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: portainer-sa-clusteradmin
+  namespace: portainer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: portainer-agent
+  namespace: portainer
+spec:
+  type: LoadBalancer
+  selector:
+    app: portainer-agent
+  ports:
+    - name: http
+      protocol: TCP
+      port: 9001
+      targetPort: 9001
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: portainer-agent-headless
+  namespace: portainer
+spec:
+  clusterIP: None
+  selector:
+    app: portainer-agent
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: portainer-agent
+  namespace: portainer
+spec:
+  selector:
+    matchLabels:
+      app: portainer-agent
+  template:
+    metadata:
+      labels:
+        app: portainer-agent
+    spec:
+      serviceAccountName: portainer-sa-clusteradmin
+      containers:
+      - name: portainer-agent
+        image: portainer/agent:2.10.0
+        imagePullPolicy: Always
+        env:
+        - name: LOG_LEVEL
+          value: INFO
+        - name: AGENT_CLUSTER_ADDR
+          value: "portainer-agent-headless"
+        - name: KUBERNETES_POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        ports:
+        - containerPort: 9001
+          protocol: TCP

deploy/manifests/agent/ee/portainer-agent-ee210-k8s-nodeport.yaml

@@ -0,0 +1,81 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: portainer
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: portainer-sa-clusteradmin
+  namespace: portainer
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: portainer-crb-clusteradmin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: portainer-sa-clusteradmin
+  namespace: portainer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: portainer-agent
+  namespace: portainer
+spec:
+  type: NodePort
+  selector:
+    app: portainer-agent
+  ports:
+    - name: http
+      protocol: TCP
+      port: 9001
+      targetPort: 9001
+      nodePort: 30778
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: portainer-agent-headless
+  namespace: portainer
+spec:
+  clusterIP: None
+  selector:
+    app: portainer-agent
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: portainer-agent
+  namespace: portainer
+spec:
+  selector:
+    matchLabels:
+      app: portainer-agent
+  template:
+    metadata:
+      labels:
+        app: portainer-agent
+    spec:
+      serviceAccountName: portainer-sa-clusteradmin
+      containers:
+      - name: portainer-agent
+        image: portainer/agent:2.4.0
+        imagePullPolicy: Always
+        env:
+        - name: LOG_LEVEL
+          value: INFO
+        - name: AGENT_CLUSTER_ADDR
+          value: "portainer-agent-headless"
+        - name: KUBERNETES_POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        ports:
+        - containerPort: 9001
+          protocol: TCP

deploy/manifests/agent/ee/portainer-agent-ee24-edge-k8s.yaml

@@ -0,0 +1,95 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: portainer
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: portainer-sa-clusteradmin
+  namespace: portainer
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: portainer-crb-clusteradmin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: portainer-sa-clusteradmin
+  namespace: portainer
+# Optional: can be added to expose the agent port 80 to associate an Edge key.
+# ---
+# apiVersion: v1
+# kind: Service
+# metadata:
+#   name: portainer-agent
+#   namespace: portainer
+# spec:
+#   type: LoadBalancer
+#   selector:
+#     app: portainer-agent
+#   ports:
+#     - name: http
+#       protocol: TCP
+#       port: 80
+#       targetPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: portainer-agent
+  namespace: portainer
+spec:
+  clusterIP: None
+  selector:
+    app: portainer-agent
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: portainer-agent
+  namespace: portainer
+spec:
+  selector:
+    matchLabels:
+      app: portainer-agent
+  template:
+    metadata:
+      labels:
+        app: portainer-agent
+    spec:
+      serviceAccountName: portainer-sa-clusteradmin
+      containers:
+      - name: portainer-agent
+        image: portainer/agent:2.4.0
+        imagePullPolicy: Always
+        env:
+        - name: LOG_LEVEL
+          value: INFO
+        - name: KUBERNETES_POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: EDGE
+          value: "1"
+        - name: AGENT_CLUSTER_ADDR
+          value: "portainer-agent"
+        - name: EDGE_ID
+          valueFrom:
+            configMapKeyRef:
+              name: portainer-agent-edge-id
+              key: edge.id
+        - name: EDGE_KEY
+          valueFrom:
+            secretKeyRef:
+              name: portainer-agent-edge-key
+              key: edge.key
+        ports:
+        - containerPort: 9001
+          protocol: TCP
+        - containerPort: 80
+          protocol: TCP

deploy/manifests/agent/ee/portainer-agent-ee24-k8s-lb.yaml

@@ -0,0 +1,80 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: portainer
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: portainer-sa-clusteradmin
+  namespace: portainer
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: portainer-crb-clusteradmin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: portainer-sa-clusteradmin
+  namespace: portainer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: portainer-agent
+  namespace: portainer
+spec:
+  type: LoadBalancer
+  selector:
+    app: portainer-agent
+  ports:
+    - name: http
+      protocol: TCP
+      port: 9001
+      targetPort: 9001
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: portainer-agent-headless
+  namespace: portainer
+spec:
+  clusterIP: None
+  selector:
+    app: portainer-agent
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: portainer-agent
+  namespace: portainer
+spec:
+  selector:
+    matchLabels:
+      app: portainer-agent
+  template:
+    metadata:
+      labels:
+        app: portainer-agent
+    spec:
+      serviceAccountName: portainer-sa-clusteradmin
+      containers:
+      - name: portainer-agent
+        image: portainer/agent:2.4.0
+        imagePullPolicy: Always
+        env:
+        - name: LOG_LEVEL
+          value: INFO
+        - name: AGENT_CLUSTER_ADDR
+          value: "portainer-agent-headless"
+        - name: KUBERNETES_POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        ports:
+        - containerPort: 9001
+          protocol: TCP

deploy/manifests/agent/ee/portainer-agent-ee24-k8s-nodeport.yaml

@@ -0,0 +1,81 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: portainer
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: portainer-sa-clusteradmin
+  namespace: portainer
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: portainer-crb-clusteradmin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: portainer-sa-clusteradmin
+  namespace: portainer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: portainer-agent
+  namespace: portainer
+spec:
+  type: NodePort
+  selector:
+    app: portainer-agent
+  ports:
+    - name: http
+      protocol: TCP
+      port: 9001
+      targetPort: 9001
+      nodePort: 30778
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: portainer-agent-headless
+  namespace: portainer
+spec:
+  clusterIP: None
+  selector:
+    app: portainer-agent
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: portainer-agent
+  namespace: portainer
+spec:
+  selector:
+    matchLabels:
+      app: portainer-agent
+  template:
+    metadata:
+      labels:
+        app: portainer-agent
+    spec:
+      serviceAccountName: portainer-sa-clusteradmin
+      containers:
+      - name: portainer-agent
+        image: portainer/agent:2.4.0
+        imagePullPolicy: Always
+        env:
+        - name: LOG_LEVEL
+          value: INFO
+        - name: AGENT_CLUSTER_ADDR
+          value: "portainer-agent-headless"
+        - name: KUBERNETES_POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        ports:
+        - containerPort: 9001
+          protocol: TCP

deploy/manifests/agent/ee/portainer-agent-k8s-lb.yaml

@@ -64,7 +64,7 @@ spec:
       serviceAccountName: portainer-sa-clusteradmin
       containers:
       - name: portainer-agent
-        image: portainer/agent:2.0.0
+        image: portainer/agent:2.33.1
         imagePullPolicy: Always
         env:
         - name: LOG_LEVEL

deploy/manifests/agent/ee/portainer-agent-k8s-nodeport.yaml

@@ -65,7 +65,7 @@ spec:
       serviceAccountName: portainer-sa-clusteradmin
       containers:
       - name: portainer-agent
-        image: portainer/agent:2.0.0
+        image: portainer/agent:2.33.1
         imagePullPolicy: Always
         env:
         - name: LOG_LEVEL

deploy/manifests/agent/ee/portainer-ee20-edge-agent-setup.sh

@@ -55,7 +55,7 @@ main() {
   [[ "$(command -v kubectl)" ]] || errorAndExit "Unable to find kubectl binary. Please ensure kubectl is installed before running this script."
 
   info "Downloading agent manifest..."
-  curl -L https://portainer.github.io/k8s/deploy/manifests/agent/portainer-agent-edge-k8s.yaml -o portainer-agent-edge-k8s.yaml || errorAndExit "Unable to download agent manifest"
+  curl -L https://portainer.github.io/k8s/deploy/manifests/agent/ee/portainer-agent-ee20-edge-k8s.yaml -o portainer-agent-edge-k8s.yaml || errorAndExit "Unable to download agent manifest"
 
   info "Creating Portainer namespace..."
   kubectl create namespace portainer

deploy/manifests/agent/ee/portainer-ee210-edge-agent-setup.sh

@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+
+# Script used to deploy the Portainer Edge agent inside a Kubernetes cluster.
+
+# Requires:
+# curl
+# kubectl
+
+### COLOR OUTPUT ###
+
+ESeq="\x1b["
+RCol="$ESeq"'0m'    # Text Reset
+
+# Regular               Bold                    Underline               High Intensity          BoldHigh Intens         Background              High Intensity Backgrounds
+Bla="$ESeq"'0;30m';     BBla="$ESeq"'1;30m';    UBla="$ESeq"'4;30m';    IBla="$ESeq"'0;90m';    BIBla="$ESeq"'1;90m';   On_Bla="$ESeq"'40m';    On_IBla="$ESeq"'0;100m';
+Red="$ESeq"'0;31m';     BRed="$ESeq"'1;31m';    URed="$ESeq"'4;31m';    IRed="$ESeq"'0;91m';    BIRed="$ESeq"'1;91m';   On_Red="$ESeq"'41m';    On_IRed="$ESeq"'0;101m';
+Gre="$ESeq"'0;32m';     BGre="$ESeq"'1;32m';    UGre="$ESeq"'4;32m';    IGre="$ESeq"'0;92m';    BIGre="$ESeq"'1;92m';   On_Gre="$ESeq"'42m';    On_IGre="$ESeq"'0;102m';
+Yel="$ESeq"'0;33m';     BYel="$ESeq"'1;33m';    UYel="$ESeq"'4;33m';    IYel="$ESeq"'0;93m';    BIYel="$ESeq"'1;93m';   On_Yel="$ESeq"'43m';    On_IYel="$ESeq"'0;103m';
+Blu="$ESeq"'0;34m';     BBlu="$ESeq"'1;34m';    UBlu="$ESeq"'4;34m';    IBlu="$ESeq"'0;94m';    BIBlu="$ESeq"'1;94m';   On_Blu="$ESeq"'44m';    On_IBlu="$ESeq"'0;104m';
+Pur="$ESeq"'0;35m';     BPur="$ESeq"'1;35m';    UPur="$ESeq"'4;35m';    IPur="$ESeq"'0;95m';    BIPur="$ESeq"'1;95m';   On_Pur="$ESeq"'45m';    On_IPur="$ESeq"'0;105m';
+Cya="$ESeq"'0;36m';     BCya="$ESeq"'1;36m';    UCya="$ESeq"'4;36m';    ICya="$ESeq"'0;96m';    BICya="$ESeq"'1;96m';   On_Cya="$ESeq"'46m';    On_ICya="$ESeq"'0;106m';
+Whi="$ESeq"'0;37m';     BWhi="$ESeq"'1;37m';    UWhi="$ESeq"'4;37m';    IWhi="$ESeq"'0;97m';    BIWhi="$ESeq"'1;97m';   On_Whi="$ESeq"'47m';    On_IWhi="$ESeq"'0;107m';
+
+printSection() {
+  echo -e "${BIYel}>>>> ${BIWhi}${1}${RCol}"
+}
+
+info() {
+  echo -e "${BIWhi}${1}${RCol}"
+}
+
+success() {
+  echo -e "${BIGre}${1}${RCol}"
+}
+
+error() {
+  echo -e "${BIRed}${1}${RCol}"
+}
+
+errorAndExit() {
+  echo -e "${BIRed}${1}${RCol}"
+  exit 1
+}
+
+### !COLOR OUTPUT ###
+
+main() {
+  if [[ $# -lt 2 ]]; then
+    error "Not enough arguments"
+    error "Usage: ${0} <EDGE_ID> <EDGE_KEY> <EDGE_INSECURE_POLL:optional>"
+    exit 1
+  fi
+
+  local EDGE_ID="$1"
+  local EDGE_KEY="$2"
+  local EDGE_INSECURE_POLL="$3"
+
+  [[ "$(command -v curl)" ]] || errorAndExit "Unable to find curl binary. Please ensure curl is installed before running this script."
+  [[ "$(command -v kubectl)" ]] || errorAndExit "Unable to find kubectl binary. Please ensure kubectl is installed before running this script."
+
+  info "Downloading agent manifest..."
+  curl -L https://portainer.github.io/k8s/deploy/manifests/agent/ee/portainer-agent-ee210-edge-k8s.yaml -o portainer-agent-edge-k8s.yaml || errorAndExit "Unable to download agent manifest"
+
+  info "Creating Portainer namespace..."
+  kubectl create namespace portainer
+
+  info "Creating agent configuration..."
+  kubectl create configmap portainer-agent-edge --from-literal="edge.id=$EDGE_ID" --from-literal="edge.insecure_poll=$EDGE_INSECURE_POLL"  -n portainer
+
+  info "Creating agent secret..."
+  kubectl create secret generic portainer-agent-edge-key "--from-literal=edge.key=$EDGE_KEY" -n portainer
+
+  info "Deploying agent..."
+  kubectl apply -f portainer-agent-edge-k8s.yaml || errorAndExit "Unable to deploy agent manifest"
+
+  success "Portainer Edge agent successfully deployed"
+  exit 0
+}
+
+main "$@"

deploy/manifests/agent/ee/portainer-ee24-edge-agent-setup.sh

@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+
+# Script used to deploy the Portainer Edge agent inside a Kubernetes cluster.
+
+# Requires:
+# curl
+# kubectl
+
+### COLOR OUTPUT ###
+
+ESeq="\x1b["
+RCol="$ESeq"'0m'    # Text Reset
+
+# Regular               Bold                    Underline               High Intensity          BoldHigh Intens         Background              High Intensity Backgrounds
+Bla="$ESeq"'0;30m';     BBla="$ESeq"'1;30m';    UBla="$ESeq"'4;30m';    IBla="$ESeq"'0;90m';    BIBla="$ESeq"'1;90m';   On_Bla="$ESeq"'40m';    On_IBla="$ESeq"'0;100m';
+Red="$ESeq"'0;31m';     BRed="$ESeq"'1;31m';    URed="$ESeq"'4;31m';    IRed="$ESeq"'0;91m';    BIRed="$ESeq"'1;91m';   On_Red="$ESeq"'41m';    On_IRed="$ESeq"'0;101m';
+Gre="$ESeq"'0;32m';     BGre="$ESeq"'1;32m';    UGre="$ESeq"'4;32m';    IGre="$ESeq"'0;92m';    BIGre="$ESeq"'1;92m';   On_Gre="$ESeq"'42m';    On_IGre="$ESeq"'0;102m';
+Yel="$ESeq"'0;33m';     BYel="$ESeq"'1;33m';    UYel="$ESeq"'4;33m';    IYel="$ESeq"'0;93m';    BIYel="$ESeq"'1;93m';   On_Yel="$ESeq"'43m';    On_IYel="$ESeq"'0;103m';
+Blu="$ESeq"'0;34m';     BBlu="$ESeq"'1;34m';    UBlu="$ESeq"'4;34m';    IBlu="$ESeq"'0;94m';    BIBlu="$ESeq"'1;94m';   On_Blu="$ESeq"'44m';    On_IBlu="$ESeq"'0;104m';
+Pur="$ESeq"'0;35m';     BPur="$ESeq"'1;35m';    UPur="$ESeq"'4;35m';    IPur="$ESeq"'0;95m';    BIPur="$ESeq"'1;95m';   On_Pur="$ESeq"'45m';    On_IPur="$ESeq"'0;105m';
+Cya="$ESeq"'0;36m';     BCya="$ESeq"'1;36m';    UCya="$ESeq"'4;36m';    ICya="$ESeq"'0;96m';    BICya="$ESeq"'1;96m';   On_Cya="$ESeq"'46m';    On_ICya="$ESeq"'0;106m';
+Whi="$ESeq"'0;37m';     BWhi="$ESeq"'1;37m';    UWhi="$ESeq"'4;37m';    IWhi="$ESeq"'0;97m';    BIWhi="$ESeq"'1;97m';   On_Whi="$ESeq"'47m';    On_IWhi="$ESeq"'0;107m';
+
+printSection() {
+  echo -e "${BIYel}>>>> ${BIWhi}${1}${RCol}"
+}
+
+info() {
+  echo -e "${BIWhi}${1}${RCol}"
+}
+
+success() {
+  echo -e "${BIGre}${1}${RCol}"
+}
+
+error() {
+  echo -e "${BIRed}${1}${RCol}"
+}
+
+errorAndExit() {
+  echo -e "${BIRed}${1}${RCol}"
+  exit 1
+}
+
+### !COLOR OUTPUT ###
+
+main() {
+  if [[ $# -ne 2 ]]; then
+    error "Not enough arguments"
+    error "Usage: ${0} <EDGE_ID> <EDGE_KEY>"
+    exit 1
+  fi
+
+  [[ "$(command -v curl)" ]] || errorAndExit "Unable to find curl binary. Please ensure curl is installed before running this script."
+  [[ "$(command -v kubectl)" ]] || errorAndExit "Unable to find kubectl binary. Please ensure kubectl is installed before running this script."
+
+  info "Downloading agent manifest..."
+  curl -L https://portainer.github.io/k8s/deploy/manifests/agent/ee/portainer-agent-ee24-edge-k8s.yaml -o portainer-agent-edge-k8s.yaml || errorAndExit "Unable to download agent manifest"
+
+  info "Creating Portainer namespace..."
+  kubectl create namespace portainer
+
+  info "Creating agent configuration..."
+  kubectl create configmap portainer-agent-edge-id "--from-literal=edge.id=$1" -n portainer
+
+  info "Creating agent secret..."
+  kubectl create secret generic portainer-agent-edge-key "--from-literal=edge.key=$2" -n portainer
+
+  info "Deploying agent..."
+  kubectl apply -f portainer-agent-edge-k8s.yaml || errorAndExit "Unable to deploy agent manifest"
+
+  success "Portainer Edge agent successfully deployed"
+  exit 0
+}
+
+main "$@"

deploy/manifests/agent/portainer-agent-edge-k8s.yaml

@@ -65,7 +65,7 @@ spec:
       serviceAccountName: portainer-sa-clusteradmin
       containers:
       - name: portainer-agent
-        image: portainer/agent:2.0.0
+        image: portainer/agent:2.33.1
         imagePullPolicy: Always
         env:
         - name: LOG_LEVEL

deploy/manifests/agent/portainer-agent-k8s-lb.yaml

@@ -64,7 +64,7 @@ spec:
       serviceAccountName: portainer-sa-clusteradmin
       containers:
       - name: portainer-agent
-        image: portainer/agent:2.0.0
+        image: portainer/agent:2.33.1
         imagePullPolicy: Always
         env:
         - name: LOG_LEVEL

deploy/manifests/agent/portainer-agent-k8s-nodeport.yaml

@@ -65,7 +65,7 @@ spec:
       serviceAccountName: portainer-sa-clusteradmin
       containers:
       - name: portainer-agent
-        image: portainer/agent:2.0.0
+        image: portainer/agent:2.33.1
         imagePullPolicy: Always
         env:
         - name: LOG_LEVEL

deploy/manifests/portainer/portainer-ee.yaml

@@ -14,21 +14,21 @@ metadata:
   labels:
     app.kubernetes.io/name: portainer
     app.kubernetes.io/instance: portainer
-    app.kubernetes.io/version: "ce-latest-ee-2.0.0"
+    app.kubernetes.io/version: "ce-latest-ee-2.33.1"
 ---
 # Source: portainer/templates/pvc.yaml
 kind: "PersistentVolumeClaim"
 apiVersion: "v1"
 metadata:
   name: portainer
-  namespace: portainer  
+  namespace: portainer
   annotations:
     volume.alpha.kubernetes.io/storage-class: "generic"
   labels:
     io.portainer.kubernetes.application.stack: portainer
     app.kubernetes.io/name: portainer
     app.kubernetes.io/instance: portainer
-    app.kubernetes.io/version: "ce-latest-ee-2.0.0"
+    app.kubernetes.io/version: "ce-latest-ee-2.33.1"
 spec:
   accessModes:
     - "ReadWriteOnce"
@@ -44,15 +44,15 @@ metadata:
   labels:
     app.kubernetes.io/name: portainer
     app.kubernetes.io/instance: portainer
-    app.kubernetes.io/version: "ce-latest-ee-2.0.0"
+    app.kubernetes.io/version: "ce-latest-ee-2.33.1"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cluster-admin
 subjects:
-- kind: ServiceAccount
-  namespace: portainer
-  name: portainer-sa-clusteradmin
+  - kind: ServiceAccount
+    namespace: portainer
+    name: portainer-sa-clusteradmin
 ---
 # Source: portainer/templates/service.yaml
 apiVersion: v1
@@ -64,7 +64,7 @@ metadata:
     io.portainer.kubernetes.application.stack: portainer
     app.kubernetes.io/name: portainer
     app.kubernetes.io/instance: portainer
-    app.kubernetes.io/version: "ce-latest-ee-2.0.0"
+    app.kubernetes.io/version: "ce-latest-ee-2.33.1"
 spec:
   type: NodePort
   ports:
@@ -73,6 +73,11 @@ spec:
       protocol: TCP
       name: http
       nodePort: 30777
+    - port: 9443
+      targetPort: 9443
+      protocol: TCP
+      name: https
+      nodePort: 30779
     - port: 30776
       targetPort: 30776
       protocol: TCP
@@ -92,7 +97,7 @@ metadata:
     io.portainer.kubernetes.application.stack: portainer
     app.kubernetes.io/name: portainer
     app.kubernetes.io/instance: portainer
-    app.kubernetes.io/version: "ce-latest-ee-2.0.0"
+    app.kubernetes.io/version: "ce-latest-ee-2.33.1"
 spec:
   replicas: 1
   strategy:
@@ -111,14 +116,15 @@ spec:
         {}
       serviceAccountName: portainer-sa-clusteradmin
       volumes:
-         - name: "data"
-           persistentVolumeClaim:
-             claimName: portainer      
+        - name: "data"
+          persistentVolumeClaim:
+            claimName: portainer
       containers:
         - name: portainer
-          image: "portainer/portainer-ee:2.0.0"
+          image: "portainer/portainer-ee:2.33.1"
           imagePullPolicy: Always
-          args:  [ '--tunnel-port','30776' ]          
+          args:
+            - '--tunnel-port=30776'
           volumeMounts:
             - name: data
               mountPath: /data
@@ -126,17 +132,21 @@ spec:
             - name: http
               containerPort: 9000
               protocol: TCP
+            - name: https
+              containerPort: 9443
+              protocol: TCP
             - name: tcp-edge
               containerPort: 8000
-              protocol: TCP              
+              protocol: TCP
           livenessProbe:
             httpGet:
               path: /
-              port: 9000
+              port: 9443
+              scheme: HTTPS
           readinessProbe:
             httpGet:
               path: /
-              port: 9000
+              port: 9443
+              scheme: HTTPS
           resources:
             {}
-

deploy/manifests/portainer/portainer-lb-ee.yaml

@@ -14,21 +14,21 @@ metadata:
   labels:
     app.kubernetes.io/name: portainer
     app.kubernetes.io/instance: portainer
-    app.kubernetes.io/version: "ce-latest-ee-2.0.0"
+    app.kubernetes.io/version: "ce-latest-ee-2.33.1"
 ---
 # Source: portainer/templates/pvc.yaml
 kind: "PersistentVolumeClaim"
 apiVersion: "v1"
 metadata:
   name: portainer
-  namespace: portainer  
+  namespace: portainer
   annotations:
     volume.alpha.kubernetes.io/storage-class: "generic"
   labels:
     io.portainer.kubernetes.application.stack: portainer
     app.kubernetes.io/name: portainer
     app.kubernetes.io/instance: portainer
-    app.kubernetes.io/version: "ce-latest-ee-2.0.0"
+    app.kubernetes.io/version: "ce-latest-ee-2.33.1"
 spec:
   accessModes:
     - "ReadWriteOnce"
@@ -44,15 +44,15 @@ metadata:
   labels:
     app.kubernetes.io/name: portainer
     app.kubernetes.io/instance: portainer
-    app.kubernetes.io/version: "ce-latest-ee-2.0.0"
+    app.kubernetes.io/version: "ce-latest-ee-2.33.1"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cluster-admin
 subjects:
-- kind: ServiceAccount
-  namespace: portainer
-  name: portainer-sa-clusteradmin
+  - kind: ServiceAccount
+    namespace: portainer
+    name: portainer-sa-clusteradmin
 ---
 # Source: portainer/templates/service.yaml
 apiVersion: v1
@@ -64,7 +64,7 @@ metadata:
     io.portainer.kubernetes.application.stack: portainer
     app.kubernetes.io/name: portainer
     app.kubernetes.io/instance: portainer
-    app.kubernetes.io/version: "ce-latest-ee-2.0.0"
+    app.kubernetes.io/version: "ce-latest-ee-2.33.1"
 spec:
   type: LoadBalancer
   ports:
@@ -72,6 +72,10 @@ spec:
       targetPort: 9000
       protocol: TCP
       name: http
+    - port: 9443
+      targetPort: 9443
+      protocol: TCP
+      name: https
     - port: 8000
       targetPort: 8000
       protocol: TCP
@@ -90,7 +94,7 @@ metadata:
     io.portainer.kubernetes.application.stack: portainer
     app.kubernetes.io/name: portainer
     app.kubernetes.io/instance: portainer
-    app.kubernetes.io/version: "ce-latest-ee-2.0.0"
+    app.kubernetes.io/version: "ce-latest-ee-2.33.1"
 spec:
   replicas: 1
   strategy:
@@ -109,13 +113,14 @@ spec:
         {}
       serviceAccountName: portainer-sa-clusteradmin
       volumes:
-         - name: "data"
-           persistentVolumeClaim:
-             claimName: portainer      
+        - name: "data"
+          persistentVolumeClaim:
+            claimName: portainer
       containers:
         - name: portainer
-          image: "portainer/portainer-ee:2.0.0"
-          imagePullPolicy: Always          
+          image: "portainer/portainer-ee:2.33.1"
+          imagePullPolicy: Always
+          args:
           volumeMounts:
             - name: data
               mountPath: /data
@@ -123,17 +128,21 @@ spec:
             - name: http
               containerPort: 9000
               protocol: TCP
+            - name: https
+              containerPort: 9443
+              protocol: TCP
             - name: tcp-edge
               containerPort: 8000
-              protocol: TCP              
+              protocol: TCP
           livenessProbe:
             httpGet:
               path: /
-              port: 9000
+              port: 9443
+              scheme: HTTPS
           readinessProbe:
             httpGet:
               path: /
-              port: 9000
+              port: 9443
+              scheme: HTTPS
           resources:
             {}
-

deploy/manifests/portainer/portainer-lb.yaml

@@ -14,21 +14,21 @@ metadata:
   labels:
     app.kubernetes.io/name: portainer
     app.kubernetes.io/instance: portainer
-    app.kubernetes.io/version: "ce-latest-ee-2.0.0"
+    app.kubernetes.io/version: "ce-latest-ee-2.33.1"
 ---
 # Source: portainer/templates/pvc.yaml
 kind: "PersistentVolumeClaim"
 apiVersion: "v1"
 metadata:
   name: portainer
-  namespace: portainer  
+  namespace: portainer
   annotations:
     volume.alpha.kubernetes.io/storage-class: "generic"
   labels:
     io.portainer.kubernetes.application.stack: portainer
     app.kubernetes.io/name: portainer
     app.kubernetes.io/instance: portainer
-    app.kubernetes.io/version: "ce-latest-ee-2.0.0"
+    app.kubernetes.io/version: "ce-latest-ee-2.33.1"
 spec:
   accessModes:
     - "ReadWriteOnce"
@@ -44,15 +44,15 @@ metadata:
   labels:
     app.kubernetes.io/name: portainer
     app.kubernetes.io/instance: portainer
-    app.kubernetes.io/version: "ce-latest-ee-2.0.0"
+    app.kubernetes.io/version: "ce-latest-ee-2.33.1"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cluster-admin
 subjects:
-- kind: ServiceAccount
-  namespace: portainer
-  name: portainer-sa-clusteradmin
+  - kind: ServiceAccount
+    namespace: portainer
+    name: portainer-sa-clusteradmin
 ---
 # Source: portainer/templates/service.yaml
 apiVersion: v1
@@ -64,7 +64,7 @@ metadata:
     io.portainer.kubernetes.application.stack: portainer
     app.kubernetes.io/name: portainer
     app.kubernetes.io/instance: portainer
-    app.kubernetes.io/version: "ce-latest-ee-2.0.0"
+    app.kubernetes.io/version: "ce-latest-ee-2.33.1"
 spec:
   type: LoadBalancer
   ports:
@@ -72,6 +72,10 @@ spec:
       targetPort: 9000
       protocol: TCP
       name: http
+    - port: 9443
+      targetPort: 9443
+      protocol: TCP
+      name: https
     - port: 8000
       targetPort: 8000
       protocol: TCP
@@ -90,7 +94,7 @@ metadata:
     io.portainer.kubernetes.application.stack: portainer
     app.kubernetes.io/name: portainer
     app.kubernetes.io/instance: portainer
-    app.kubernetes.io/version: "ce-latest-ee-2.0.0"
+    app.kubernetes.io/version: "ce-latest-ee-2.33.1"
 spec:
   replicas: 1
   strategy:
@@ -109,13 +113,14 @@ spec:
         {}
       serviceAccountName: portainer-sa-clusteradmin
       volumes:
-         - name: "data"
-           persistentVolumeClaim:
-             claimName: portainer      
+        - name: "data"
+          persistentVolumeClaim:
+            claimName: portainer
       containers:
         - name: portainer
-          image: "portainer/portainer-ce:latest"
-          imagePullPolicy: Always          
+          image: "portainer/portainer-ce:2.33.1"
+          imagePullPolicy: Always
+          args:
           volumeMounts:
             - name: data
               mountPath: /data
@@ -123,17 +128,21 @@ spec:
             - name: http
               containerPort: 9000
               protocol: TCP
+            - name: https
+              containerPort: 9443
+              protocol: TCP
             - name: tcp-edge
               containerPort: 8000
-              protocol: TCP              
+              protocol: TCP
           livenessProbe:
             httpGet:
               path: /
-              port: 9000
+              port: 9443
+              scheme: HTTPS
           readinessProbe:
             httpGet:
               path: /
-              port: 9000
+              port: 9443
+              scheme: HTTPS
           resources:
             {}
-

deploy/manifests/portainer/portainer.yaml

@@ -14,21 +14,21 @@ metadata:
   labels:
     app.kubernetes.io/name: portainer
     app.kubernetes.io/instance: portainer
-    app.kubernetes.io/version: "ce-latest-ee-2.0.0"
+    app.kubernetes.io/version: "ce-latest-ee-2.33.1"
 ---
 # Source: portainer/templates/pvc.yaml
 kind: "PersistentVolumeClaim"
 apiVersion: "v1"
 metadata:
   name: portainer
-  namespace: portainer  
+  namespace: portainer
   annotations:
     volume.alpha.kubernetes.io/storage-class: "generic"
   labels:
     io.portainer.kubernetes.application.stack: portainer
     app.kubernetes.io/name: portainer
     app.kubernetes.io/instance: portainer
-    app.kubernetes.io/version: "ce-latest-ee-2.0.0"
+    app.kubernetes.io/version: "ce-latest-ee-2.33.1"
 spec:
   accessModes:
     - "ReadWriteOnce"
@@ -44,15 +44,15 @@ metadata:
   labels:
     app.kubernetes.io/name: portainer
     app.kubernetes.io/instance: portainer
-    app.kubernetes.io/version: "ce-latest-ee-2.0.0"
+    app.kubernetes.io/version: "ce-latest-ee-2.33.1"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cluster-admin
 subjects:
-- kind: ServiceAccount
-  namespace: portainer
-  name: portainer-sa-clusteradmin
+  - kind: ServiceAccount
+    namespace: portainer
+    name: portainer-sa-clusteradmin
 ---
 # Source: portainer/templates/service.yaml
 apiVersion: v1
@@ -64,7 +64,7 @@ metadata:
     io.portainer.kubernetes.application.stack: portainer
     app.kubernetes.io/name: portainer
     app.kubernetes.io/instance: portainer
-    app.kubernetes.io/version: "ce-latest-ee-2.0.0"
+    app.kubernetes.io/version: "ce-latest-ee-2.33.1"
 spec:
   type: NodePort
   ports:
@@ -73,6 +73,11 @@ spec:
       protocol: TCP
       name: http
       nodePort: 30777
+    - port: 9443
+      targetPort: 9443
+      protocol: TCP
+      name: https
+      nodePort: 30779
     - port: 30776
       targetPort: 30776
       protocol: TCP
@@ -92,7 +97,7 @@ metadata:
     io.portainer.kubernetes.application.stack: portainer
     app.kubernetes.io/name: portainer
     app.kubernetes.io/instance: portainer
-    app.kubernetes.io/version: "ce-latest-ee-2.0.0"
+    app.kubernetes.io/version: "ce-latest-ee-2.33.1"
 spec:
   replicas: 1
   strategy:
@@ -111,14 +116,15 @@ spec:
         {}
       serviceAccountName: portainer-sa-clusteradmin
       volumes:
-         - name: "data"
-           persistentVolumeClaim:
-             claimName: portainer      
+        - name: "data"
+          persistentVolumeClaim:
+            claimName: portainer
       containers:
         - name: portainer
-          image: "portainer/portainer-ce:latest"
+          image: "portainer/portainer-ce:2.33.1"
           imagePullPolicy: Always
-          args:  [ '--tunnel-port','30776' ]          
+          args:
+            - '--tunnel-port=30776'
           volumeMounts:
             - name: data
               mountPath: /data
@@ -126,17 +132,21 @@ spec:
             - name: http
               containerPort: 9000
               protocol: TCP
+            - name: https
+              containerPort: 9443
+              protocol: TCP
             - name: tcp-edge
               containerPort: 8000
-              protocol: TCP              
+              protocol: TCP
           livenessProbe:
             httpGet:
               path: /
-              port: 9000
+              port: 9443
+              scheme: HTTPS
           readinessProbe:
             httpGet:
               path: /
-              port: 9000
+              port: 9443
+              scheme: HTTPS
           resources:
             {}
-