fix: cve-2025-22871 [BE-11825] (#678)

Co-authored-by: andres-portainer <andres-portainer@users.noreply.github.com>

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -2,18 +2,17 @@ name: Bug Report
 description: Create a report to help us improve.
 labels: kind/bug,bug/need-confirmation
 body:
-
   - type: markdown
     attributes:
       value: |
         # Welcome!
-        
+
         The issue tracker is for reporting bugs. If you have an [idea for a new feature](https://github.com/orgs/portainer/discussions/categories/ideas) or a [general question about Portainer](https://github.com/orgs/portainer/discussions/categories/help) please post in our [GitHub Discussions](https://github.com/orgs/portainer/discussions).
-        
+
         You can also ask for help in our [community Slack channel](https://join.slack.com/t/portainer/shared_invite/zt-txh3ljab-52QHTyjCqbe5RibC2lcjKA).
 
         Please note that we only provide support for current versions of Portainer. You can find a list of supported versions in our [lifecycle policy](https://docs.portainer.io/start/lifecycle).
-        
+
         **DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS**.
 
   - type: checkboxes
@@ -45,7 +44,7 @@ body:
   - type: textarea
     attributes:
       label: Problem Description
-      description: A clear and concise description of what the bug is. 
+      description: A clear and concise description of what the bug is.
     validations:
       required: true
 
@@ -71,7 +70,7 @@ body:
         1. Go to '...'
         2. Click on '....'
         3. Scroll down to '....'
-        4. See error   
+        4. See error
     validations:
       required: true
 
@@ -92,9 +91,17 @@ body:
   - type: dropdown
     attributes:
       label: Portainer version
-      description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [upgrading first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
+      description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [updating first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
       multiple: false
       options:
+        - '2.29.0'
+        - '2.28.1'
+        - '2.28.0'
+        - '2.27.4'
+        - '2.27.3'
+        - '2.27.2'
+        - '2.27.1'
+        - '2.27.0'
         - '2.26.1'
         - '2.26.0'
         - '2.25.1'
@@ -109,20 +116,6 @@ body:
         - '2.21.2'
         - '2.21.1'
         - '2.21.0'
-        - '2.20.3'
-        - '2.20.2'
-        - '2.20.1'
-        - '2.20.0'
-        - '2.19.5'
-        - '2.19.4'
-        - '2.19.3'
-        - '2.19.2'
-        - '2.19.1'
-        - '2.19.0'
-        - '2.18.4'
-        - '2.18.3'
-        - '2.18.2'
-        - '2.18.1'
     validations:
       required: true
 
@@ -160,7 +153,7 @@ body:
   - type: input
     attributes:
       label: Browser
-      description: | 
+      description: |
         Enter your browser and version. Example: Google Chrome 114.0
     validations:
       required: false

.golangci.yaml

@@ -12,6 +12,7 @@ linters:
     - copyloopvar
     - intrange
     - perfsprint
+    - ineffassign
 
 linters-settings:
   depguard:

api/cli/cli.go

@@ -60,6 +60,7 @@ func CLIFlags() *portainer.CLIFlags {
 		LogLevel:                  kingpin.Flag("log-level", "Set the minimum logging level to show").Default("INFO").Enum("DEBUG", "INFO", "WARN", "ERROR"),
 		LogMode:                   kingpin.Flag("log-mode", "Set the logging output mode").Default("PRETTY").Enum("NOCOLOR", "PRETTY", "JSON"),
 		KubectlShellImage:         kingpin.Flag("kubectl-shell-image", "Kubectl shell image").Envar(portainer.KubectlShellImageEnvVar).Default(portainer.DefaultKubectlShellImage).String(),
+		PullLimitCheckDisabled:    kingpin.Flag("pull-limit-check-disabled", "Pull limit check").Envar(portainer.PullLimitCheckDisabledEnvVar).Default(defaultPullLimitCheckDisabled).Bool(),
 	}
 }
 

api/cli/defaults.go

@@ -4,20 +4,21 @@
 package cli
 
 const (
-	defaultBindAddress         = ":9000"
-	defaultHTTPSBindAddress    = ":9443"
-	defaultTunnelServerAddress = "0.0.0.0"
-	defaultTunnelServerPort    = "8000"
-	defaultDataDirectory       = "/data"
-	defaultAssetsDirectory     = "./"
-	defaultTLS                 = "false"
-	defaultTLSSkipVerify       = "false"
-	defaultTLSCACertPath       = "/certs/ca.pem"
-	defaultTLSCertPath         = "/certs/cert.pem"
-	defaultTLSKeyPath          = "/certs/key.pem"
-	defaultHTTPDisabled        = "false"
-	defaultHTTPEnabled         = "false"
-	defaultSSL                 = "false"
-	defaultBaseURL             = "/"
-	defaultSecretKeyName       = "portainer"
+	defaultBindAddress            = ":9000"
+	defaultHTTPSBindAddress       = ":9443"
+	defaultTunnelServerAddress    = "0.0.0.0"
+	defaultTunnelServerPort       = "8000"
+	defaultDataDirectory          = "/data"
+	defaultAssetsDirectory        = "./"
+	defaultTLS                    = "false"
+	defaultTLSSkipVerify          = "false"
+	defaultTLSCACertPath          = "/certs/ca.pem"
+	defaultTLSCertPath            = "/certs/cert.pem"
+	defaultTLSKeyPath             = "/certs/key.pem"
+	defaultHTTPDisabled           = "false"
+	defaultHTTPEnabled            = "false"
+	defaultSSL                    = "false"
+	defaultBaseURL                = "/"
+	defaultSecretKeyName          = "portainer"
+	defaultPullLimitCheckDisabled = "false"
 )

api/cli/defaults_windows.go

@@ -1,21 +1,22 @@
 package cli
 
 const (
-	defaultBindAddress         = ":9000"
-	defaultHTTPSBindAddress    = ":9443"
-	defaultTunnelServerAddress = "0.0.0.0"
-	defaultTunnelServerPort    = "8000"
-	defaultDataDirectory       = "C:\\data"
-	defaultAssetsDirectory     = "./"
-	defaultTLS                 = "false"
-	defaultTLSSkipVerify       = "false"
-	defaultTLSCACertPath       = "C:\\certs\\ca.pem"
-	defaultTLSCertPath         = "C:\\certs\\cert.pem"
-	defaultTLSKeyPath          = "C:\\certs\\key.pem"
-	defaultHTTPDisabled        = "false"
-	defaultHTTPEnabled         = "false"
-	defaultSSL                 = "false"
-	defaultSnapshotInterval    = "5m"
-	defaultBaseURL             = "/"
-	defaultSecretKeyName       = "portainer"
+	defaultBindAddress            = ":9000"
+	defaultHTTPSBindAddress       = ":9443"
+	defaultTunnelServerAddress    = "0.0.0.0"
+	defaultTunnelServerPort       = "8000"
+	defaultDataDirectory          = "C:\\data"
+	defaultAssetsDirectory        = "./"
+	defaultTLS                    = "false"
+	defaultTLSSkipVerify          = "false"
+	defaultTLSCACertPath          = "C:\\certs\\ca.pem"
+	defaultTLSCertPath            = "C:\\certs\\cert.pem"
+	defaultTLSKeyPath             = "C:\\certs\\key.pem"
+	defaultHTTPDisabled           = "false"
+	defaultHTTPEnabled            = "false"
+	defaultSSL                    = "false"
+	defaultSnapshotInterval       = "5m"
+	defaultBaseURL                = "/"
+	defaultSecretKeyName          = "portainer"
+	defaultPullLimitCheckDisabled = "false"
 )

api/cmd/portainer/main.go

@@ -39,6 +39,7 @@ import (
 	"github.com/portainer/portainer/api/kubernetes"
 	kubecli "github.com/portainer/portainer/api/kubernetes/cli"
 	"github.com/portainer/portainer/api/ldap"
+	"github.com/portainer/portainer/api/logs"
 	"github.com/portainer/portainer/api/oauth"
 	"github.com/portainer/portainer/api/pendingactions"
 	"github.com/portainer/portainer/api/pendingactions/actions"
@@ -49,6 +50,7 @@ import (
 	"github.com/portainer/portainer/pkg/build"
 	"github.com/portainer/portainer/pkg/featureflags"
 	"github.com/portainer/portainer/pkg/libhelm"
+	libhelmtypes "github.com/portainer/portainer/pkg/libhelm/types"
 	"github.com/portainer/portainer/pkg/libstack/compose"
 
 	"github.com/gofrs/uuid"
@@ -169,8 +171,8 @@ func initKubernetesDeployer(kubernetesTokenCacheManager *kubeproxy.TokenCacheMan
 	return exec.NewKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, signatureService, proxyManager, assetsPath)
 }
 
-func initHelmPackageManager(assetsPath string) (libhelm.HelmPackageManager, error) {
-	return libhelm.NewHelmPackageManager(libhelm.HelmConfig{BinaryPath: assetsPath})
+func initHelmPackageManager() (libhelmtypes.HelmPackageManager, error) {
+	return libhelm.NewHelmPackageManager()
 }
 
 func initAPIKeyService(datastore dataservices.DataStore) apikey.APIKeyService {
@@ -238,10 +240,10 @@ func updateSettingsFromFlags(dataStore dataservices.DataStore, flags *portainer.
 		return err
 	}
 
-	settings.SnapshotInterval = *cmp.Or(flags.SnapshotInterval, &settings.SnapshotInterval)
-	settings.LogoURL = *cmp.Or(flags.Logo, &settings.LogoURL)
-	settings.EnableEdgeComputeFeatures = *cmp.Or(flags.EnableEdgeComputeFeatures, &settings.EnableEdgeComputeFeatures)
-	settings.TemplatesURL = *cmp.Or(flags.Templates, &settings.TemplatesURL)
+	settings.SnapshotInterval = cmp.Or(*flags.SnapshotInterval, settings.SnapshotInterval)
+	settings.LogoURL = cmp.Or(*flags.Logo, settings.LogoURL)
+	settings.EnableEdgeComputeFeatures = cmp.Or(*flags.EnableEdgeComputeFeatures, settings.EnableEdgeComputeFeatures)
+	settings.TemplatesURL = cmp.Or(*flags.Templates, settings.TemplatesURL)
 
 	if *flags.Labels != nil {
 		settings.BlackListedLabels = *flags.Labels
@@ -437,7 +439,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 
 	proxyManager.NewProxyFactory(dataStore, signatureService, reverseTunnelService, dockerClientFactory, kubernetesClientFactory, kubernetesTokenCacheManager, gitService, snapshotService)
 
-	helmPackageManager, err := initHelmPackageManager(*flags.Assets)
+	helmPackageManager, err := initHelmPackageManager()
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed initializing helm package manager")
 	}
@@ -575,17 +577,18 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		AdminCreationDone:           adminCreationDone,
 		PendingActionsService:       pendingActionsService,
 		PlatformService:             platformService,
+		PullLimitCheckDisabled:      *flags.PullLimitCheckDisabled,
 	}
 }
 
 func main() {
-	configureLogger()
-	setLoggingMode("PRETTY")
+	logs.ConfigureLogger()
+	logs.SetLoggingMode("PRETTY")
 
 	flags := initCLI()
 
-	setLoggingLevel(*flags.LogLevel)
-	setLoggingMode(*flags.LogMode)
+	logs.SetLoggingLevel(*flags.LogLevel)
+	logs.SetLoggingMode(*flags.LogMode)
 
 	for {
 		server := buildServer(flags)

api/connection.go

@@ -6,8 +6,10 @@ import (
 
 type ReadTransaction interface {
 	GetObject(bucketName string, key []byte, object any) error
+	GetRawBytes(bucketName string, key []byte) ([]byte, error)
 	GetAll(bucketName string, obj any, append func(o any) (any, error)) error
 	GetAllWithKeyPrefix(bucketName string, keyPrefix []byte, obj any, append func(o any) (any, error)) error
+	KeyExists(bucketName string, key []byte) (bool, error)
 }
 
 type Transaction interface {

api/database/boltdb/db.go

@@ -244,6 +244,32 @@ func (connection *DbConnection) GetObject(bucketName string, key []byte, object
 	})
 }
 
+func (connection *DbConnection) GetRawBytes(bucketName string, key []byte) ([]byte, error) {
+	var value []byte
+
+	err := connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		value, err = tx.GetRawBytes(bucketName, key)
+
+		return err
+	})
+
+	return value, err
+}
+
+func (connection *DbConnection) KeyExists(bucketName string, key []byte) (bool, error) {
+	var exists bool
+
+	err := connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		exists, err = tx.KeyExists(bucketName, key)
+
+		return err
+	})
+
+	return exists, err
+}
+
 func (connection *DbConnection) getEncryptionKey() []byte {
 	if !connection.isEncrypted {
 		return nil

api/database/boltdb/tx.go

@@ -6,6 +6,7 @@ import (
 
 	dserrors "github.com/portainer/portainer/api/dataservices/errors"
 
+	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
 	bolt "go.etcd.io/bbolt"
 )
@@ -31,6 +32,33 @@ func (tx *DbTransaction) GetObject(bucketName string, key []byte, object any) er
 	return tx.conn.UnmarshalObject(value, object)
 }
 
+func (tx *DbTransaction) GetRawBytes(bucketName string, key []byte) ([]byte, error) {
+	bucket := tx.tx.Bucket([]byte(bucketName))
+
+	value := bucket.Get(key)
+	if value == nil {
+		return nil, fmt.Errorf("%w (bucket=%s, key=%s)", dserrors.ErrObjectNotFound, bucketName, keyToString(key))
+	}
+
+	if tx.conn.getEncryptionKey() != nil {
+		var err error
+
+		if value, err = decrypt(value, tx.conn.getEncryptionKey()); err != nil {
+			return value, errors.Wrap(err, "Failed decrypting object")
+		}
+	}
+
+	return value, nil
+}
+
+func (tx *DbTransaction) KeyExists(bucketName string, key []byte) (bool, error) {
+	bucket := tx.tx.Bucket([]byte(bucketName))
+
+	value := bucket.Get(key)
+
+	return value != nil, nil
+}
+
 func (tx *DbTransaction) UpdateObject(bucketName string, key []byte, object any) error {
 	data, err := tx.conn.MarshalObject(object)
 	if err != nil {

api/dataservices/base.go

@@ -9,6 +9,7 @@ import (
 type BaseCRUD[T any, I constraints.Integer] interface {
 	Create(element *T) error
 	Read(ID I) (*T, error)
+	Exists(ID I) (bool, error)
 	ReadAll() ([]T, error)
 	Update(ID I, element *T) error
 	Delete(ID I) error
@@ -42,6 +43,19 @@ func (service BaseDataService[T, I]) Read(ID I) (*T, error) {
 	})
 }
 
+func (service BaseDataService[T, I]) Exists(ID I) (bool, error) {
+	var exists bool
+
+	err := service.Connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		exists, err = service.Tx(tx).Exists(ID)
+
+		return err
+	})
+
+	return exists, err
+}
+
 func (service BaseDataService[T, I]) ReadAll() ([]T, error) {
 	var collection = make([]T, 0)
 

api/dataservices/base_tx.go

@@ -28,6 +28,12 @@ func (service BaseDataServiceTx[T, I]) Read(ID I) (*T, error) {
 	return &element, nil
 }
 
+func (service BaseDataServiceTx[T, I]) Exists(ID I) (bool, error) {
+	identifier := service.Connection.ConvertToKey(int(ID))
+
+	return service.Tx.KeyExists(service.Bucket, identifier)
+}
+
 func (service BaseDataServiceTx[T, I]) ReadAll() ([]T, error) {
 	var collection = make([]T, 0)
 

api/dataservices/endpointrelation/endpointrelation.go

@@ -22,6 +22,8 @@ type Service struct {
 	mu                     sync.Mutex
 }
 
+var _ dataservices.EndpointRelationService = &Service{}
+
 func (service *Service) BucketName() string {
 	return BucketName
 }
@@ -109,6 +111,18 @@ func (service *Service) UpdateEndpointRelation(endpointID portainer.EndpointID,
 	return nil
 }
 
+func (service *Service) AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
+	return service.connection.ViewTx(func(tx portainer.Transaction) error {
+		return service.Tx(tx).AddEndpointRelationsForEdgeStack(endpointIDs, edgeStackID)
+	})
+}
+
+func (service *Service) RemoveEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
+	return service.connection.ViewTx(func(tx portainer.Transaction) error {
+		return service.Tx(tx).RemoveEndpointRelationsForEdgeStack(endpointIDs, edgeStackID)
+	})
+}
+
 // DeleteEndpointRelation deletes an Environment(Endpoint) relation object
 func (service *Service) DeleteEndpointRelation(endpointID portainer.EndpointID) error {
 	deletedRelation, _ := service.EndpointRelation(endpointID)

api/dataservices/endpointrelation/tx.go

@@ -13,6 +13,8 @@ type ServiceTx struct {
 	tx      portainer.Transaction
 }
 
+var _ dataservices.EndpointRelationService = &ServiceTx{}
+
 func (service ServiceTx) BucketName() string {
 	return BucketName
 }
@@ -74,6 +76,66 @@ func (service ServiceTx) UpdateEndpointRelation(endpointID portainer.EndpointID,
 	return nil
 }
 
+func (service ServiceTx) AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
+	for _, endpointID := range endpointIDs {
+		rel, err := service.EndpointRelation(endpointID)
+		if err != nil {
+			return err
+		}
+
+		rel.EdgeStacks[edgeStackID] = true
+
+		identifier := service.service.connection.ConvertToKey(int(endpointID))
+		err = service.tx.UpdateObject(BucketName, identifier, rel)
+		cache.Del(endpointID)
+		if err != nil {
+			return err
+		}
+	}
+
+	service.service.mu.Lock()
+	service.service.endpointRelationsCache = nil
+	service.service.mu.Unlock()
+
+	if err := service.service.updateStackFnTx(service.tx, edgeStackID, func(edgeStack *portainer.EdgeStack) {
+		edgeStack.NumDeployments += len(endpointIDs)
+	}); err != nil {
+		log.Error().Err(err).Msg("could not update the number of deployments")
+	}
+
+	return nil
+}
+
+func (service ServiceTx) RemoveEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
+	for _, endpointID := range endpointIDs {
+		rel, err := service.EndpointRelation(endpointID)
+		if err != nil {
+			return err
+		}
+
+		delete(rel.EdgeStacks, edgeStackID)
+
+		identifier := service.service.connection.ConvertToKey(int(endpointID))
+		err = service.tx.UpdateObject(BucketName, identifier, rel)
+		cache.Del(endpointID)
+		if err != nil {
+			return err
+		}
+	}
+
+	service.service.mu.Lock()
+	service.service.endpointRelationsCache = nil
+	service.service.mu.Unlock()
+
+	if err := service.service.updateStackFnTx(service.tx, edgeStackID, func(edgeStack *portainer.EdgeStack) {
+		edgeStack.NumDeployments -= len(endpointIDs)
+	}); err != nil {
+		log.Error().Err(err).Msg("could not update the number of deployments")
+	}
+
+	return nil
+}
+
 // DeleteEndpointRelation deletes an Environment(Endpoint) relation object
 func (service ServiceTx) DeleteEndpointRelation(endpointID portainer.EndpointID) error {
 	deletedRelation, _ := service.EndpointRelation(endpointID)

api/dataservices/interface.go

@@ -115,6 +115,8 @@ type (
 		EndpointRelation(EndpointID portainer.EndpointID) (*portainer.EndpointRelation, error)
 		Create(endpointRelation *portainer.EndpointRelation) error
 		UpdateEndpointRelation(EndpointID portainer.EndpointID, endpointRelation *portainer.EndpointRelation) error
+		AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error
+		RemoveEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error
 		DeleteEndpointRelation(EndpointID portainer.EndpointID) error
 		BucketName() string
 	}
@@ -157,6 +159,7 @@ type (
 
 	SnapshotService interface {
 		BaseCRUD[portainer.Snapshot, portainer.EndpointID]
+		ReadWithoutSnapshotRaw(ID portainer.EndpointID) (*portainer.Snapshot, error)
 	}
 
 	// SSLSettingsService represents a service for managing application settings

api/dataservices/snapshot/snapshot.go

@@ -38,3 +38,16 @@ func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
 func (service *Service) Create(snapshot *portainer.Snapshot) error {
 	return service.Connection.CreateObjectWithId(BucketName, int(snapshot.EndpointID), snapshot)
 }
+
+func (service *Service) ReadWithoutSnapshotRaw(ID portainer.EndpointID) (*portainer.Snapshot, error) {
+	var snapshot *portainer.Snapshot
+
+	err := service.Connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		snapshot, err = service.Tx(tx).ReadWithoutSnapshotRaw(ID)
+
+		return err
+	})
+
+	return snapshot, err
+}

api/dataservices/snapshot/tx.go

@@ -12,3 +12,26 @@ type ServiceTx struct {
 func (service ServiceTx) Create(snapshot *portainer.Snapshot) error {
 	return service.Tx.CreateObjectWithId(BucketName, int(snapshot.EndpointID), snapshot)
 }
+
+func (service ServiceTx) ReadWithoutSnapshotRaw(ID portainer.EndpointID) (*portainer.Snapshot, error) {
+	var snapshot struct {
+		Docker *struct {
+			X struct{} `json:"DockerSnapshotRaw"`
+			*portainer.DockerSnapshot
+		} `json:"Docker"`
+
+		portainer.Snapshot
+	}
+
+	identifier := service.Connection.ConvertToKey(int(ID))
+
+	if err := service.Tx.GetObject(service.Bucket, identifier, &snapshot); err != nil {
+		return nil, err
+	}
+
+	if snapshot.Docker != nil {
+		snapshot.Snapshot.Docker = snapshot.Docker.DockerSnapshot
+	}
+
+	return &snapshot.Snapshot, nil
+}

api/datastore/migrator/migrate_dbversion100.go

@@ -94,6 +94,10 @@ func (m *Migrator) updateEdgeStackStatusForDB100() error {
 				continue
 			}
 
+			if environmentStatus.Details == nil {
+				continue
+			}
+
 			statusArray := []portainer.EdgeStackDeploymentStatus{}
 			if environmentStatus.Details.Pending {
 				statusArray = append(statusArray, portainer.EdgeStackDeploymentStatus{

api/datastore/migrator/migrate_dbversion20.go

@@ -18,8 +18,7 @@ func (m *Migrator) updateResourceControlsToDBVersion22() error {
 	for _, resourceControl := range legacyResourceControls {
 		resourceControl.AdministratorsOnly = false
 
-		err := m.resourceControlService.Update(resourceControl.ID, &resourceControl)
-		if err != nil {
+		if err := m.resourceControlService.Update(resourceControl.ID, &resourceControl); err != nil {
 			return err
 		}
 	}
@@ -42,8 +41,8 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
 
 	for _, user := range legacyUsers {
 		user.PortainerAuthorizations = authorization.DefaultPortainerAuthorizations()
-		err = m.userService.Update(user.ID, &user)
-		if err != nil {
+
+		if err := m.userService.Update(user.ID, &user); err != nil {
 			return err
 		}
 	}
@@ -52,38 +51,47 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
 	if err != nil {
 		return err
 	}
+
 	endpointAdministratorRole.Priority = 1
 	endpointAdministratorRole.Authorizations = authorization.DefaultEndpointAuthorizationsForEndpointAdministratorRole()
 
-	err = m.roleService.Update(endpointAdministratorRole.ID, endpointAdministratorRole)
+	if err := m.roleService.Update(endpointAdministratorRole.ID, endpointAdministratorRole); err != nil {
+		return err
+	}
 
 	helpDeskRole, err := m.roleService.Read(portainer.RoleID(2))
 	if err != nil {
 		return err
 	}
+
 	helpDeskRole.Priority = 2
 	helpDeskRole.Authorizations = authorization.DefaultEndpointAuthorizationsForHelpDeskRole(settings.AllowVolumeBrowserForRegularUsers)
 
-	err = m.roleService.Update(helpDeskRole.ID, helpDeskRole)
+	if err := m.roleService.Update(helpDeskRole.ID, helpDeskRole); err != nil {
+		return err
+	}
 
 	standardUserRole, err := m.roleService.Read(portainer.RoleID(3))
 	if err != nil {
 		return err
 	}
+
 	standardUserRole.Priority = 3
 	standardUserRole.Authorizations = authorization.DefaultEndpointAuthorizationsForStandardUserRole(settings.AllowVolumeBrowserForRegularUsers)
 
-	err = m.roleService.Update(standardUserRole.ID, standardUserRole)
+	if err := m.roleService.Update(standardUserRole.ID, standardUserRole); err != nil {
+		return err
+	}
 
 	readOnlyUserRole, err := m.roleService.Read(portainer.RoleID(4))
 	if err != nil {
 		return err
 	}
+
 	readOnlyUserRole.Priority = 4
 	readOnlyUserRole.Authorizations = authorization.DefaultEndpointAuthorizationsForReadOnlyUserRole(settings.AllowVolumeBrowserForRegularUsers)
 
-	err = m.roleService.Update(readOnlyUserRole.ID, readOnlyUserRole)
-	if err != nil {
+	if err := m.roleService.Update(readOnlyUserRole.ID, readOnlyUserRole); err != nil {
 		return err
 	}
 

api/datastore/migrator/migrate_dbversion80.go

@@ -75,6 +75,10 @@ func (m *Migrator) updateEdgeStackStatusForDB80() error {
 
 	for _, edgeStack := range edgeStacks {
 		for endpointId, status := range edgeStack.Status {
+			if status.Details == nil {
+				status.Details = &portainer.EdgeStackStatusDetails{}
+			}
+
 			switch status.Type {
 			case portainer.EdgeStackStatusPending:
 				status.Details.Pending = true
@@ -93,10 +97,10 @@ func (m *Migrator) updateEdgeStackStatusForDB80() error {
 			edgeStack.Status[endpointId] = status
 		}
 
-		err = m.edgeStackService.UpdateEdgeStack(edgeStack.ID, &edgeStack)
-		if err != nil {
+		if err := m.edgeStackService.UpdateEdgeStack(edgeStack.ID, &edgeStack); err != nil {
 			return err
 		}
 	}
+
 	return nil
 }

api/datastore/test_data/output_24_to_latest.json

@@ -610,7 +610,7 @@
       "RequiredPasswordLength": 12
     },
     "KubeconfigExpiry": "0",
-    "KubectlShellImage": "portainer/kubectl-shell:2.27.0-rc1",
+    "KubectlShellImage": "portainer/kubectl-shell:2.29.0",
     "LDAPSettings": {
       "AnonymousMode": true,
       "AutoCreateUsers": true,
@@ -943,7 +943,7 @@
     }
   ],
   "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.27.0-rc1\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+    "VERSION": "{\"SchemaVersion\":\"2.29.0\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
   },
   "webhooks": null
 }

api/datastore/validate/validate.go

@@ -1,15 +0,0 @@
-package validate
-
-import (
-	"github.com/go-playground/validator/v10"
-	portainer "github.com/portainer/portainer/api"
-)
-
-var validate *validator.Validate
-
-func ValidateLDAPSettings(ldp *portainer.LDAPSettings) error {
-	validate = validator.New()
-	registerValidationMethods(validate)
-
-	return validate.Struct(ldp)
-}

api/datastore/validate/validate_test.go

@@ -1,61 +0,0 @@
-package validate
-
-import (
-	"testing"
-
-	portainer "github.com/portainer/portainer/api"
-)
-
-func TestValidateLDAPSettings(t *testing.T) {
-
-	tests := []struct {
-		name    string
-		ldap    portainer.LDAPSettings
-		wantErr bool
-	}{
-		{
-			name:    "Empty LDAP Settings",
-			ldap:    portainer.LDAPSettings{},
-			wantErr: true,
-		},
-		{
-			name: "With URL",
-			ldap: portainer.LDAPSettings{
-				AnonymousMode: true,
-				URL:           "192.168.0.1:323",
-			},
-			wantErr: false,
-		},
-		{
-			name: "Validate URL and URLs",
-			ldap: portainer.LDAPSettings{
-				AnonymousMode: true,
-				URL:           "192.168.0.1:323",
-			},
-			wantErr: false,
-		},
-		{
-			name: "validate client ldap",
-			ldap: portainer.LDAPSettings{
-				AnonymousMode: false,
-				ReaderDN:      "CN=LDAP API Service Account",
-				Password:      "Qu**dfUUU**",
-				URL:           "aukdc15.pgc.co:389",
-				TLSConfig: portainer.TLSConfiguration{
-					TLS:           false,
-					TLSSkipVerify: false,
-				},
-			},
-			wantErr: false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			err := ValidateLDAPSettings(&tt.ldap)
-			if (err == nil) == tt.wantErr {
-				t.Errorf("No error expected but got %s", err)
-			}
-		})
-	}
-}

api/datastore/validate/validationMethods.go

@@ -1,17 +0,0 @@
-package validate
-
-import (
-	"github.com/go-playground/validator/v10"
-)
-
-func registerValidationMethods(v *validator.Validate) {
-	v.RegisterValidation("validate_bool", ValidateBool)
-}
-
-/**
- * Validation methods below are being used for custom validation
- */
-func ValidateBool(fl validator.FieldLevel) bool {
-	_, ok := fl.Field().Interface().(bool)
-	return ok
-}

api/docker/client/client.go

@@ -3,8 +3,8 @@ package client
 import (
 	"bytes"
 	"errors"
+	"fmt"
 	"io"
-	"maps"
 	"net/http"
 	"strings"
 	"time"
@@ -141,7 +141,6 @@ func createAgentClient(endpoint *portainer.Endpoint, endpointURL string, signatu
 
 type NodeNameTransport struct {
 	*http.Transport
-	nodeNames map[string]string
 }
 
 func (t *NodeNameTransport) RoundTrip(req *http.Request) (*http.Response, error) {
@@ -176,18 +175,19 @@ func (t *NodeNameTransport) RoundTrip(req *http.Request) (*http.Response, error)
 		return resp, nil
 	}
 
-	t.nodeNames = make(map[string]string)
-	for _, r := range rs {
-		t.nodeNames[r.ID] = r.Portainer.Agent.NodeName
+	nodeNames, ok := req.Context().Value("nodeNames").(map[string]string)
+	if ok {
+		for idx, r := range rs {
+			// as there is no way to differentiate the same image available in multiple nodes only by their ID
+			// we append the index of the image in the payload response to match the node name later
+			// from the image.Summary[] list returned by docker's client.ImageList()
+			nodeNames[fmt.Sprintf("%s-%d", r.ID, idx)] = r.Portainer.Agent.NodeName
+		}
 	}
 
 	return resp, err
 }
 
-func (t *NodeNameTransport) NodeNames() map[string]string {
-	return maps.Clone(t.nodeNames)
-}
-
 func httpClient(endpoint *portainer.Endpoint, timeout *time.Duration) (*http.Client, error) {
 	transport := &NodeNameTransport{
 		Transport: &http.Transport{},

api/exec/exectest/kubernetes_mocks.go

@@ -4,17 +4,11 @@ import (
 	portainer "github.com/portainer/portainer/api"
 )
 
-type kubernetesMockDeployer struct{}
+type kubernetesMockDeployer struct {
+	portainer.KubernetesDeployer
+}
 
 // NewKubernetesDeployer creates a mock kubernetes deployer
-func NewKubernetesDeployer() portainer.KubernetesDeployer {
+func NewKubernetesDeployer() *kubernetesMockDeployer {
 	return &kubernetesMockDeployer{}
 }
-
-func (deployer *kubernetesMockDeployer) Deploy(userID portainer.UserID, endpoint *portainer.Endpoint, manifestFiles []string, namespace string) (string, error) {
-	return "", nil
-}
-
-func (deployer *kubernetesMockDeployer) Remove(userID portainer.UserID, endpoint *portainer.Endpoint, manifestFiles []string, namespace string) (string, error) {
-	return "", nil
-}

api/exec/swarm_stack.go

@@ -127,7 +127,7 @@ func (manager *SwarmStackManager) Remove(stack *portainer.Stack, endpoint *porta
 		return err
 	}
 
-	args = append(args, "stack", "rm", stack.Name)
+	args = append(args, "stack", "rm", "--detach=false", stack.Name)
 
 	return runCommandAndCaptureStdErr(command, args, nil, "")
 }

api/filesystem/copy.go

@@ -68,7 +68,7 @@ func copyFile(src, dst string) error {
 	defer from.Close()
 
 	// has to include 'execute' bit, otherwise fails. MkdirAll follows `mkdir -m` restrictions
-	if err := os.MkdirAll(filepath.Dir(dst), 0744); err != nil {
+	if err := os.MkdirAll(filepath.Dir(dst), 0755); err != nil {
 		return err
 	}
 	to, err := os.Create(dst)

api/filesystem/filesystem.go

@@ -841,11 +841,11 @@ func (service *Service) GetDefaultSSLCertsPath() (string, string) {
 }
 
 func defaultMTLSCertPathUnderFileStore() (string, string, string) {
-	certPath := JoinPaths(SSLCertPath, MTLSCertFilename)
 	caCertPath := JoinPaths(SSLCertPath, MTLSCACertFilename)
+	certPath := JoinPaths(SSLCertPath, MTLSCertFilename)
 	keyPath := JoinPaths(SSLCertPath, MTLSKeyFilename)
 
-	return certPath, caCertPath, keyPath
+	return caCertPath, certPath, keyPath
 }
 
 // GetDefaultChiselPrivateKeyPath returns the chisle private key path
@@ -1014,26 +1014,45 @@ func CreateFile(path string, r io.Reader) error {
 	return err
 }
 
-func (service *Service) StoreMTLSCertificates(cert, caCert, key []byte) (string, string, string, error) {
-	certPath, caCertPath, keyPath := defaultMTLSCertPathUnderFileStore()
+func (service *Service) StoreMTLSCertificates(caCert, cert, key []byte) (string, string, string, error) {
+	caCertPath, certPath, keyPath := defaultMTLSCertPathUnderFileStore()
 
-	r := bytes.NewReader(cert)
-	err := service.createFileInStore(certPath, r)
-	if err != nil {
+	r := bytes.NewReader(caCert)
+	if err := service.createFileInStore(caCertPath, r); err != nil {
 		return "", "", "", err
 	}
 
-	r = bytes.NewReader(caCert)
-	err = service.createFileInStore(caCertPath, r)
-	if err != nil {
+	r = bytes.NewReader(cert)
+	if err := service.createFileInStore(certPath, r); err != nil {
 		return "", "", "", err
 	}
 
 	r = bytes.NewReader(key)
-	err = service.createFileInStore(keyPath, r)
-	if err != nil {
+	if err := service.createFileInStore(keyPath, r); err != nil {
 		return "", "", "", err
 	}
 
-	return service.wrapFileStore(certPath), service.wrapFileStore(caCertPath), service.wrapFileStore(keyPath), nil
+	return service.wrapFileStore(caCertPath), service.wrapFileStore(certPath), service.wrapFileStore(keyPath), nil
+}
+
+func (service *Service) GetMTLSCertificates() (string, string, string, error) {
+	caCertPath, certPath, keyPath := defaultMTLSCertPathUnderFileStore()
+
+	caCertPath = service.wrapFileStore(caCertPath)
+	certPath = service.wrapFileStore(certPath)
+	keyPath = service.wrapFileStore(keyPath)
+
+	paths := [...]string{caCertPath, certPath, keyPath}
+	for _, path := range paths {
+		exists, err := service.FileExists(path)
+		if err != nil {
+			return "", "", "", err
+		}
+
+		if !exists {
+			return "", "", "", fmt.Errorf("file %s does not exist", path)
+		}
+	}
+
+	return caCertPath, certPath, keyPath, nil
 }

api/filesystem/serialize_per_dev_configs.go

@@ -15,15 +15,19 @@ type MultiFilterArgs []struct {
 }
 
 // MultiFilterDirForPerDevConfigs filers the given dirEntries with multiple filter args, returns the merged entries for the given device
-func MultiFilterDirForPerDevConfigs(dirEntries []DirEntry, configPath string, multiFilterArgs MultiFilterArgs) []DirEntry {
+func MultiFilterDirForPerDevConfigs(dirEntries []DirEntry, configPath string, multiFilterArgs MultiFilterArgs) ([]DirEntry, []string) {
 	var filteredDirEntries []DirEntry
 
+	var envFiles []string
+
 	for _, multiFilterArg := range multiFilterArgs {
-		tmp := FilterDirForPerDevConfigs(dirEntries, multiFilterArg.FilterKey, configPath, multiFilterArg.FilterType)
+		tmp, efs := FilterDirForPerDevConfigs(dirEntries, multiFilterArg.FilterKey, configPath, multiFilterArg.FilterType)
 		filteredDirEntries = append(filteredDirEntries, tmp...)
+
+		envFiles = append(envFiles, efs...)
 	}
 
-	return deduplicate(filteredDirEntries)
+	return deduplicate(filteredDirEntries), envFiles
 }
 
 func deduplicate(dirEntries []DirEntry) []DirEntry {
@@ -32,8 +36,7 @@ func deduplicate(dirEntries []DirEntry) []DirEntry {
 	marks := make(map[string]struct{})
 
 	for _, dirEntry := range dirEntries {
-		_, ok := marks[dirEntry.Name]
-		if !ok {
+		if _, ok := marks[dirEntry.Name]; !ok {
 			marks[dirEntry.Name] = struct{}{}
 			deduplicatedDirEntries = append(deduplicatedDirEntries, dirEntry)
 		}
@@ -44,34 +47,33 @@ func deduplicate(dirEntries []DirEntry) []DirEntry {
 
 // FilterDirForPerDevConfigs filers the given dirEntries, returns entries for the given device
 // For given configPath A/B/C, return entries:
-//  1. all entries outside of dir A
-//  2. dir entries A, A/B, A/B/C
-//  3. For filterType file:
+//  1. all entries outside of dir A/B/C
+//  2. For filterType file:
 //     file entries: A/B/C/<deviceName> and A/B/C/<deviceName>.*
-//  4. For filterType dir:
+//  3. For filterType dir:
 //     dir entry:   A/B/C/<deviceName>
 //     all entries: A/B/C/<deviceName>/*
-func FilterDirForPerDevConfigs(dirEntries []DirEntry, deviceName, configPath string, filterType portainer.PerDevConfigsFilterType) []DirEntry {
+func FilterDirForPerDevConfigs(dirEntries []DirEntry, deviceName, configPath string, filterType portainer.PerDevConfigsFilterType) ([]DirEntry, []string) {
 	var filteredDirEntries []DirEntry
 
+	var envFiles []string
+
 	for _, dirEntry := range dirEntries {
 		if shouldIncludeEntry(dirEntry, deviceName, configPath, filterType) {
 			filteredDirEntries = append(filteredDirEntries, dirEntry)
+
+			if shouldParseEnvVars(dirEntry, deviceName, configPath, filterType) {
+				envFiles = append(envFiles, dirEntry.Name)
+			}
 		}
 	}
 
-	return filteredDirEntries
+	return filteredDirEntries, envFiles
 }
 
 func shouldIncludeEntry(dirEntry DirEntry, deviceName, configPath string, filterType portainer.PerDevConfigsFilterType) bool {
-
 	// Include all entries outside of dir A
-	if !isInConfigRootDir(dirEntry, configPath) {
-		return true
-	}
-
-	// Include dir entries A, A/B, A/B/C
-	if isParentDir(dirEntry, configPath) {
+	if !isInConfigDir(dirEntry, configPath) {
 		return true
 	}
 
@@ -90,21 +92,9 @@ func shouldIncludeEntry(dirEntry DirEntry, deviceName, configPath string, filter
 	return false
 }
 
-func isInConfigRootDir(dirEntry DirEntry, configPath string) bool {
-	// get the first element of the configPath
-	rootDir := strings.Split(configPath, string(os.PathSeparator))[0]
-
-	// return true if entry name starts with "A/"
-	return strings.HasPrefix(dirEntry.Name, appendTailSeparator(rootDir))
-}
-
-func isParentDir(dirEntry DirEntry, configPath string) bool {
-	if dirEntry.IsFile {
-		return false
-	}
-
-	// return true for dir entries A, A/B, A/B/C
-	return strings.HasPrefix(appendTailSeparator(configPath), appendTailSeparator(dirEntry.Name))
+func isInConfigDir(dirEntry DirEntry, configPath string) bool {
+	// return true if entry name starts with "A/B"
+	return strings.HasPrefix(dirEntry.Name, appendTailSeparator(configPath))
 }
 
 func shouldIncludeFile(dirEntry DirEntry, deviceName, configPath string) bool {
@@ -138,6 +128,15 @@ func shouldIncludeDir(dirEntry DirEntry, deviceName, configPath string) bool {
 	return strings.HasPrefix(dirEntry.Name, filterPrefix)
 }
 
+func shouldParseEnvVars(dirEntry DirEntry, deviceName, configPath string, filterType portainer.PerDevConfigsFilterType) bool {
+	if !dirEntry.IsFile {
+		return false
+	}
+
+	return isInConfigDir(dirEntry, configPath) &&
+		filepath.Base(dirEntry.Name) == deviceName+".env"
+}
+
 func appendTailSeparator(path string) string {
 	return fmt.Sprintf("%s%c", path, os.PathSeparator)
 }

api/filesystem/serialize_per_dev_configs_test.go

@@ -4,14 +4,17 @@ import (
 	"testing"
 
 	portainer "github.com/portainer/portainer/api"
+
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestMultiFilterDirForPerDevConfigs(t *testing.T) {
-	type args struct {
-		dirEntries      []DirEntry
-		configPath      string
-		multiFilterArgs MultiFilterArgs
+	f := func(dirEntries []DirEntry, configPath string, multiFilterArgs MultiFilterArgs, wantDirEntries []DirEntry) {
+		t.Helper()
+
+		dirEntries, _ = MultiFilterDirForPerDevConfigs(dirEntries, configPath, multiFilterArgs)
+		require.Equal(t, wantDirEntries, dirEntries)
 	}
 
 	baseDirEntries := []DirEntry{
@@ -26,67 +29,94 @@ func TestMultiFilterDirForPerDevConfigs(t *testing.T) {
 		{"configs/folder2/config2", "", true, 420},
 	}
 
-	tests := []struct {
-		name string
-		args args
-		want []DirEntry
-	}{
-		{
-			name: "filter file1",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{{"file1", portainer.PerDevConfigsTypeFile}},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3]},
+	// Filter file1
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{{"file1", portainer.PerDevConfigsTypeFile}},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3]},
+	)
+
+	// Filter folder1
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{{"folder1", portainer.PerDevConfigsTypeDir}},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6]},
+	)
+
+	// Filter file1 and folder1
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{{"folder1", portainer.PerDevConfigsTypeDir}},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6]},
+	)
+
+	// Filter file1 and file2
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{
+			{"file1", portainer.PerDevConfigsTypeFile},
+			{"file2", portainer.PerDevConfigsTypeFile},
 		},
-		{
-			name: "filter folder1",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{{"folder1", portainer.PerDevConfigsTypeDir}},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6]},
-		},
-		{
-			name: "filter file1 and folder1",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{{"folder1", portainer.PerDevConfigsTypeDir}},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6]},
-		},
-		{
-			name: "filter file1 and file2",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{
-					{"file1", portainer.PerDevConfigsTypeFile},
-					{"file2", portainer.PerDevConfigsTypeFile},
-				},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3], baseDirEntries[4]},
-		},
-		{
-			name: "filter folder1 and folder2",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{
-					{"folder1", portainer.PerDevConfigsTypeDir},
-					{"folder2", portainer.PerDevConfigsTypeDir},
-				},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6], baseDirEntries[7], baseDirEntries[8]},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3], baseDirEntries[4]},
+	)
+
+	// Filter folder1 and folder2
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{
+			{"folder1", portainer.PerDevConfigsTypeDir},
+			{"folder2", portainer.PerDevConfigsTypeDir},
 		},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6], baseDirEntries[7], baseDirEntries[8]},
+	)
+}
+
+func TestMultiFilterDirForPerDevConfigsEnvFiles(t *testing.T) {
+	f := func(dirEntries []DirEntry, configPath string, multiFilterArgs MultiFilterArgs, wantEnvFiles []string) {
+		t.Helper()
+
+		_, envFiles := MultiFilterDirForPerDevConfigs(dirEntries, configPath, multiFilterArgs)
+		require.Equal(t, wantEnvFiles, envFiles)
 	}
 
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			assert.Equalf(t, tt.want, MultiFilterDirForPerDevConfigs(tt.args.dirEntries, tt.args.configPath, tt.args.multiFilterArgs), "MultiFilterDirForPerDevConfigs(%v, %v, %v)", tt.args.dirEntries, tt.args.configPath, tt.args.multiFilterArgs)
-		})
+	baseDirEntries := []DirEntry{
+		{".env", "", true, 420},
+		{"docker-compose.yaml", "", true, 420},
+		{"configs", "", false, 420},
+		{"configs/edge-id/edge-id.env", "", true, 420},
 	}
+
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{{"edge-id", portainer.PerDevConfigsTypeDir}},
+		[]string{"configs/edge-id/edge-id.env"},
+	)
+
+}
+
+func TestIsInConfigDir(t *testing.T) {
+	f := func(dirEntry DirEntry, configPath string, expect bool) {
+		t.Helper()
+
+		actual := isInConfigDir(dirEntry, configPath)
+		assert.Equal(t, expect, actual)
+	}
+
+	f(DirEntry{Name: "edge-configs"}, "edge-configs", false)
+	f(DirEntry{Name: "edge-configs_backup"}, "edge-configs", false)
+	f(DirEntry{Name: "edge-configs/standalone-edge-agent-standard"}, "edge-configs", true)
+	f(DirEntry{Name: "parent/edge-configs/"}, "edge-configs", false)
+	f(DirEntry{Name: "edgestacktest"}, "edgestacktest/edge-configs", false)
+	f(DirEntry{Name: "edgestacktest/edgeconfigs-test.yaml"}, "edgestacktest/edge-configs", false)
+	f(DirEntry{Name: "edgestacktest/file1.conf"}, "edgestacktest/edge-configs", false)
+	f(DirEntry{Name: "edgeconfigs-test.yaml"}, "edgestacktest/edge-configs", false)
+	f(DirEntry{Name: "edgestacktest/edge-configs"}, "edgestacktest/edge-configs", false)
+	f(DirEntry{Name: "edgestacktest/edge-configs/standalone-edge-agent-async"}, "edgestacktest/edge-configs", true)
+	f(DirEntry{Name: "edgestacktest/edge-configs/abc.txt"}, "edgestacktest/edge-configs", true)
 }

api/http/handler/customtemplates/customtemplate_create.go

@@ -482,28 +482,3 @@ func (handler *Handler) createCustomTemplateFromFileUpload(r *http.Request) (*po
 
 	return customTemplate, nil
 }
-
-// @id CustomTemplateCreate
-// @summary Create a custom template
-// @description Create a custom template.
-// @description **Access policy**: authenticated
-// @tags custom_templates
-// @security ApiKeyAuth
-// @security jwt
-// @accept json,multipart/form-data
-// @produce json
-// @param method query string true "method for creating template" Enums(string, file, repository)
-// @param body body object true "for body documentation see the relevant /custom_templates/{method} endpoint"
-// @success 200 {object} portainer.CustomTemplate
-// @failure 400 "Invalid request"
-// @failure 500 "Server error"
-// @deprecated
-// @router /custom_templates [post]
-func deprecatedCustomTemplateCreateUrlParser(w http.ResponseWriter, r *http.Request) (string, *httperror.HandlerError) {
-	method, err := request.RetrieveQueryParameter(r, "method", false)
-	if err != nil {
-		return "", httperror.BadRequest("Invalid query parameter: method", err)
-	}
-
-	return "/custom_templates/create/" + method, nil
-}

api/http/handler/customtemplates/handler.go

@@ -7,7 +7,6 @@ import (
 	"github.com/gorilla/mux"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/http/middlewares"
 	"github.com/portainer/portainer/api/http/security"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 )
@@ -33,7 +32,6 @@ func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStor
 
 	h.Handle("/custom_templates/create/{method}",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.customTemplateCreate))).Methods(http.MethodPost)
-	h.Handle("/custom_templates", middlewares.Deprecated(h, deprecatedCustomTemplateCreateUrlParser)).Methods(http.MethodPost) // Deprecated
 	h.Handle("/custom_templates",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.customTemplateList))).Methods(http.MethodGet)
 	h.Handle("/custom_templates/{id}",

api/http/handler/docker/images/images_list.go

@@ -1,10 +1,11 @@
 package images
 
 import (
+	"context"
+	"fmt"
 	"net/http"
 	"strings"
 
-	"github.com/portainer/portainer/api/docker/client"
 	"github.com/portainer/portainer/api/http/handler/docker/utils"
 	"github.com/portainer/portainer/api/set"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
@@ -46,17 +47,16 @@ func (handler *Handler) imagesList(w http.ResponseWriter, r *http.Request) *http
 		return httpErr
 	}
 
-	images, err := cli.ImageList(r.Context(), image.ListOptions{})
+	nodeNames := make(map[string]string)
+
+	// Pass the node names map to the context so the custom NodeNameTransport can use it
+	ctx := context.WithValue(r.Context(), "nodeNames", nodeNames)
+
+	images, err := cli.ImageList(ctx, image.ListOptions{})
 	if err != nil {
 		return httperror.InternalServerError("Unable to retrieve Docker images", err)
 	}
 
-	// Extract the node name from the custom transport
-	nodeNames := make(map[string]string)
-	if t, ok := cli.HTTPClient().Transport.(*client.NodeNameTransport); ok {
-		nodeNames = t.NodeNames()
-	}
-
 	withUsage, err := request.RetrieveBooleanQueryParameter(r, "withUsage", true)
 	if err != nil {
 		return httperror.BadRequest("Invalid query parameter: withUsage", err)
@@ -85,8 +85,12 @@ func (handler *Handler) imagesList(w http.ResponseWriter, r *http.Request) *http
 		}
 
 		imagesList[i] = ImageResponse{
-			Created:  image.Created,
-			NodeName: nodeNames[image.ID],
+			Created: image.Created,
+			// Only works if the order of `images` is not changed between unmarshaling the agent's response
+			// in NodeNameTransport.RoundTrip()  (api/docker/client/client.go)
+			// and docker's cli.ImageList()
+			// As both functions unmarshal the same response body, the resulting array will be ordered the same way.
+			NodeName: nodeNames[fmt.Sprintf("%s-%d", image.ID, i)],
 			ID:       image.ID,
 			Size:     image.Size,
 			Tags:     image.RepoTags,

api/http/handler/edgegroups/edgegroup_update.go

@@ -24,10 +24,6 @@ type edgeGroupUpdatePayload struct {
 }
 
 func (payload *edgeGroupUpdatePayload) Validate(r *http.Request) error {
-	if len(payload.Name) == 0 {
-		return errors.New("invalid Edge group name")
-	}
-
 	if payload.Dynamic && len(payload.TagIDs) == 0 {
 		return errors.New("tagIDs is mandatory for a dynamic Edge group")
 	}
@@ -35,7 +31,7 @@ func (payload *edgeGroupUpdatePayload) Validate(r *http.Request) error {
 	return nil
 }
 
-// @id EgeGroupUpdate
+// @id EdgeGroupUpdate
 // @summary Updates an EdgeGroup
 // @description **Access policy**: administrator
 // @tags edge_groups
@@ -167,7 +163,7 @@ func (handler *Handler) edgeGroupUpdate(w http.ResponseWriter, r *http.Request)
 
 func (handler *Handler) updateEndpointStacks(tx dataservices.DataStoreTx, endpoint *portainer.Endpoint, edgeGroups []portainer.EdgeGroup, edgeStacks []portainer.EdgeStack) error {
 	relation, err := tx.EndpointRelation().EndpointRelation(endpoint.ID)
-	if err != nil {
+	if err != nil && !handler.DataStore.IsErrObjectNotFound(err) {
 		return err
 	}
 
@@ -183,6 +179,12 @@ func (handler *Handler) updateEndpointStacks(tx dataservices.DataStoreTx, endpoi
 		edgeStackSet[edgeStackID] = true
 	}
 
+	if relation == nil {
+		relation = &portainer.EndpointRelation{
+			EndpointID: endpoint.ID,
+			EdgeStacks: make(map[portainer.EdgeStackID]bool),
+		}
+	}
 	relation.EdgeStacks = edgeStackSet
 
 	return tx.EndpointRelation().UpdateEndpointRelation(endpoint.ID, relation)

api/http/handler/edgejobs/edgejob_create.go

@@ -271,26 +271,3 @@ func (handler *Handler) addAndPersistEdgeJob(tx dataservices.DataStoreTx, edgeJo
 
 	return tx.EdgeJob().CreateWithID(edgeJob.ID, edgeJob)
 }
-
-// @id EdgeJobCreate
-// @summary Create an EdgeJob
-// @description **Access policy**: administrator
-// @tags edge_jobs
-// @security ApiKeyAuth
-// @security jwt
-// @produce json
-// @param method query string true "Creation Method" Enums(file, string)
-// @param body body object true "for body documentation see the relevant /edge_jobs/create/{method} endpoint"
-// @success 200 {object} portainer.EdgeGroup
-// @failure 503 "Edge compute features are disabled"
-// @failure 500
-// @deprecated
-// @router /edge_jobs [post]
-func deprecatedEdgeJobCreateUrlParser(w http.ResponseWriter, r *http.Request) (string, *httperror.HandlerError) {
-	method, err := request.RetrieveQueryParameter(r, "method", false)
-	if err != nil {
-		return "", httperror.BadRequest("Invalid query parameter: method. Valid values are: file or string", err)
-	}
-
-	return "/edge_jobs/create/" + method, nil
-}

api/http/handler/edgejobs/handler.go

@@ -6,7 +6,6 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/http/middlewares"
 	"github.com/portainer/portainer/api/http/security"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/response"
@@ -30,8 +29,6 @@ func NewHandler(bouncer security.BouncerService) *Handler {
 
 	h.Handle("/edge_jobs",
 		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeJobList)))).Methods(http.MethodGet)
-	h.Handle("/edge_jobs",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(middlewares.Deprecated(h, deprecatedEdgeJobCreateUrlParser)))).Methods(http.MethodPost)
 	h.Handle("/edge_jobs/create/{method}",
 		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeJobCreate)))).Methods(http.MethodPost)
 	h.Handle("/edge_jobs/{id}",

api/http/handler/edgestacks/edgestack_create.go

@@ -55,26 +55,3 @@ func (handler *Handler) createSwarmStack(tx dataservices.DataStoreTx, method str
 
 	return nil, httperrors.NewInvalidPayloadError("Invalid value for query parameter: method. Value must be one of: string, repository or file")
 }
-
-// @id EdgeStackCreate
-// @summary Create an EdgeStack
-// @description **Access policy**: administrator
-// @tags edge_stacks
-// @security ApiKeyAuth
-// @security jwt
-// @produce json
-// @param method query string true "Creation Method" Enums(file,string,repository)
-// @param body body object true "for body documentation see the relevant /edge_stacks/create/{method} endpoint"
-// @success 200 {object} portainer.EdgeStack
-// @failure 500
-// @failure 503 "Edge compute features are disabled"
-// @deprecated
-// @router /edge_stacks [post]
-func deprecatedEdgeStackCreateUrlParser(w http.ResponseWriter, r *http.Request) (string, *httperror.HandlerError) {
-	method, err := request.RetrieveQueryParameter(r, "method", false)
-	if err != nil {
-		return "", httperror.BadRequest("Invalid query parameter: method. Valid values are: file or string", err)
-	}
-
-	return "/edge_stacks/create/" + method, nil
-}

api/http/handler/edgestacks/edgestack_status_delete.go

@@ -1,87 +0,0 @@
-package edgestacks
-
-import (
-	"errors"
-	"net/http"
-	"time"
-
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/http/middlewares"
-	httperror "github.com/portainer/portainer/pkg/libhttp/error"
-	"github.com/portainer/portainer/pkg/libhttp/request"
-	"github.com/portainer/portainer/pkg/libhttp/response"
-)
-
-// @id EdgeStackStatusDelete
-// @summary Delete an EdgeStack status
-// @description Authorized only if the request is done by an Edge Environment(Endpoint)
-// @tags edge_stacks
-// @produce json
-// @param id path int true "EdgeStack Id"
-// @param environmentId path int true "Environment identifier"
-// @success 200 {object} portainer.EdgeStack
-// @failure 500
-// @failure 400
-// @failure 404
-// @failure 403
-// @deprecated
-// @router /edge_stacks/{id}/status/{environmentId} [delete]
-func (handler *Handler) edgeStackStatusDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	stackID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return httperror.BadRequest("Invalid stack identifier route variable", err)
-	}
-
-	endpoint, err := middlewares.FetchEndpoint(r)
-	if err != nil {
-		return httperror.InternalServerError("Unable to retrieve a valid endpoint from the handler context", err)
-	}
-
-	err = handler.requestBouncer.AuthorizedEdgeEndpointOperation(r, endpoint)
-	if err != nil {
-		return httperror.Forbidden("Permission denied to access environment", err)
-	}
-
-	var stack *portainer.EdgeStack
-	err = handler.DataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
-		stack, err = handler.deleteEdgeStackStatus(tx, portainer.EdgeStackID(stackID), endpoint)
-		return err
-	})
-	if err != nil {
-		var httpErr *httperror.HandlerError
-		if errors.As(err, &httpErr) {
-			return httpErr
-		}
-
-		return httperror.InternalServerError("Unexpected error", err)
-	}
-
-	return response.JSON(w, stack)
-}
-
-func (handler *Handler) deleteEdgeStackStatus(tx dataservices.DataStoreTx, stackID portainer.EdgeStackID, endpoint *portainer.Endpoint) (*portainer.EdgeStack, error) {
-	stack, err := tx.EdgeStack().EdgeStack(stackID)
-	if err != nil {
-		return nil, handlerDBErr(err, "Unable to find a stack with the specified identifier inside the database")
-	}
-
-	environmentStatus, ok := stack.Status[endpoint.ID]
-	if !ok {
-		environmentStatus = portainer.EdgeStackStatus{}
-	}
-
-	environmentStatus.Status = append(environmentStatus.Status, portainer.EdgeStackDeploymentStatus{
-		Time: time.Now().Unix(),
-		Type: portainer.EdgeStackStatusRemoved,
-	})
-
-	stack.Status[endpoint.ID] = environmentStatus
-
-	err = tx.EdgeStack().UpdateEdgeStack(stack.ID, stack)
-	if err != nil {
-		return nil, httperror.InternalServerError("Unable to persist the stack changes inside the database", err)
-	}
-
-	return stack, nil
-}

api/http/handler/edgestacks/edgestack_status_delete_test.go

@@ -1,30 +0,0 @@
-package edgestacks
-
-import (
-	"fmt"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	portainer "github.com/portainer/portainer/api"
-)
-
-func TestDeleteStatus(t *testing.T) {
-	handler, _ := setupHandler(t)
-
-	endpoint := createEndpoint(t, handler.DataStore)
-	edgeStack := createEdgeStack(t, handler.DataStore, endpoint.ID)
-
-	req, err := http.NewRequest(http.MethodDelete, fmt.Sprintf("/edge_stacks/%d/status/%d", edgeStack.ID, endpoint.ID), nil)
-	if err != nil {
-		t.Fatal("request error:", err)
-	}
-
-	req.Header.Set(portainer.PortainerAgentEdgeIDHeader, endpoint.EdgeID)
-	rec := httptest.NewRecorder()
-	handler.ServeHTTP(rec, req)
-
-	if rec.Code != http.StatusOK {
-		t.Fatalf("expected a %d response, found: %d", http.StatusOK, rec.Code)
-	}
-}

api/http/handler/edgestacks/edgestack_status_update.go

@@ -79,7 +79,7 @@ func (handler *Handler) edgeStackStatusUpdate(w http.ResponseWriter, r *http.Req
 	}
 
 	updateFn := func(stack *portainer.EdgeStack) (*portainer.EdgeStack, error) {
-		return handler.updateEdgeStackStatus(stack, endpoint, r, stack.ID, payload)
+		return handler.updateEdgeStackStatus(stack, stack.ID, payload)
 	}
 
 	stack, err := handler.stackCoordinator.UpdateStatus(r, portainer.EdgeStackID(stackID), updateFn)
@@ -99,7 +99,7 @@ func (handler *Handler) edgeStackStatusUpdate(w http.ResponseWriter, r *http.Req
 	return response.JSON(w, stack)
 }
 
-func (handler *Handler) updateEdgeStackStatus(stack *portainer.EdgeStack, endpoint *portainer.Endpoint, r *http.Request, stackID portainer.EdgeStackID, payload updateStatusPayload) (*portainer.EdgeStack, error) {
+func (handler *Handler) updateEdgeStackStatus(stack *portainer.EdgeStack, stackID portainer.EdgeStackID, payload updateStatusPayload) (*portainer.EdgeStack, error) {
 	if payload.Version > 0 && payload.Version < stack.Version {
 		return stack, nil
 	}

api/http/handler/edgestacks/edgestack_status_update_coordinator.go

@@ -60,6 +60,11 @@ func (c *EdgeStackStatusUpdateCoordinator) loop() {
 			return err
 		}
 
+		// Return early when the agent tries to update the status on a deleted stack
+		if stack == nil {
+			return nil
+		}
+
 		// 2. Mutate the edge stack opportunistically until there are no more pending updates
 		for {
 			stack, err = u.updateFn(stack)

api/http/handler/edgestacks/edgestack_update.go

@@ -107,7 +107,7 @@ func (handler *Handler) updateEdgeStack(tx dataservices.DataStoreTx, stackID por
 
 	hasWrongType, err := hasWrongEnvironmentType(tx.Endpoint(), relatedEndpointIds, payload.DeploymentType)
 	if err != nil {
-		return nil, httperror.BadRequest("unable to check for existence of non fitting environments: %w", err)
+		return nil, httperror.InternalServerError("unable to check for existence of non fitting environments: %w", err)
 	}
 	if hasWrongType {
 		return nil, httperror.BadRequest("edge stack with config do not match the environment type", nil)
@@ -138,48 +138,23 @@ func (handler *Handler) handleChangeEdgeGroups(tx dataservices.DataStoreTx, edge
 		return nil, nil, errors.WithMessage(err, "Unable to retrieve edge stack related environments from database")
 	}
 
-	oldRelatedSet := set.ToSet(oldRelatedEnvironmentIDs)
-	newRelatedSet := set.ToSet(newRelatedEnvironmentIDs)
+	oldRelatedEnvironmentsSet := set.ToSet(oldRelatedEnvironmentIDs)
+	newRelatedEnvironmentsSet := set.ToSet(newRelatedEnvironmentIDs)
 
-	endpointsToRemove := set.Set[portainer.EndpointID]{}
-	for endpointID := range oldRelatedSet {
-		if !newRelatedSet[endpointID] {
-			endpointsToRemove[endpointID] = true
+	relatedEnvironmentsToAdd := newRelatedEnvironmentsSet.Difference(oldRelatedEnvironmentsSet)
+	relatedEnvironmentsToRemove := oldRelatedEnvironmentsSet.Difference(newRelatedEnvironmentsSet)
+
+	if len(relatedEnvironmentsToRemove) > 0 {
+		if err := tx.EndpointRelation().RemoveEndpointRelationsForEdgeStack(relatedEnvironmentsToRemove.Keys(), edgeStackID); err != nil {
+			return nil, nil, errors.WithMessage(err, "Unable to remove edge stack relations from the database")
 		}
 	}
 
-	for endpointID := range endpointsToRemove {
-		relation, err := tx.EndpointRelation().EndpointRelation(endpointID)
-		if err != nil {
-			return nil, nil, errors.WithMessage(err, "Unable to find environment relation in database")
-		}
-
-		delete(relation.EdgeStacks, edgeStackID)
-
-		if err := tx.EndpointRelation().UpdateEndpointRelation(endpointID, relation); err != nil {
-			return nil, nil, errors.WithMessage(err, "Unable to persist environment relation in database")
+	if len(relatedEnvironmentsToAdd) > 0 {
+		if err := tx.EndpointRelation().AddEndpointRelationsForEdgeStack(relatedEnvironmentsToAdd.Keys(), edgeStackID); err != nil {
+			return nil, nil, errors.WithMessage(err, "Unable to add edge stack relations to the database")
 		}
 	}
 
-	endpointsToAdd := set.Set[portainer.EndpointID]{}
-	for endpointID := range newRelatedSet {
-		if !oldRelatedSet[endpointID] {
-			endpointsToAdd[endpointID] = true
-		}
-	}
-
-	for endpointID := range endpointsToAdd {
-		relation, err := tx.EndpointRelation().EndpointRelation(endpointID)
-		if err != nil {
-			return nil, nil, errors.WithMessage(err, "Unable to find environment relation in database")
-		}
-
-		relation.EdgeStacks[edgeStackID] = true
-
-		if err := tx.EndpointRelation().UpdateEndpointRelation(endpointID, relation); err != nil {
-			return nil, nil, errors.WithMessage(err, "Unable to persist environment relation in database")
-		}
-	}
-
-	return newRelatedEnvironmentIDs, endpointsToAdd, nil
+	return newRelatedEnvironmentIDs, relatedEnvironmentsToAdd, nil
 }

api/http/handler/edgestacks/handler.go

@@ -37,8 +37,6 @@ func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStor
 
 	h.Handle("/edge_stacks/create/{method}",
 		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeStackCreate)))).Methods(http.MethodPost)
-	h.Handle("/edge_stacks",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(middlewares.Deprecated(h, deprecatedEdgeStackCreateUrlParser)))).Methods(http.MethodPost) // Deprecated
 	h.Handle("/edge_stacks",
 		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeStackList)))).Methods(http.MethodGet)
 	h.Handle("/edge_stacks/{id}",
@@ -55,8 +53,6 @@ func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStor
 	edgeStackStatusRouter := h.NewRoute().Subrouter()
 	edgeStackStatusRouter.Use(middlewares.WithEndpoint(h.DataStore.Endpoint(), "endpoint_id"))
 
-	edgeStackStatusRouter.PathPrefix("/edge_stacks/{id}/status/{endpoint_id}").Handler(bouncer.PublicAccess(httperror.LoggerHandler(h.edgeStackStatusDelete))).Methods(http.MethodDelete)
-
 	return h
 }
 

api/http/handler/edgetemplates/edgetemplate_list.go

@@ -1,71 +0,0 @@
-package edgetemplates
-
-import (
-	"net/http"
-	"slices"
-
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/client"
-	httperror "github.com/portainer/portainer/pkg/libhttp/error"
-	"github.com/portainer/portainer/pkg/libhttp/response"
-
-	"github.com/segmentio/encoding/json"
-)
-
-type templateFileFormat struct {
-	Version   string               `json:"version"`
-	Templates []portainer.Template `json:"templates"`
-}
-
-// @id EdgeTemplateList
-// @deprecated
-// @summary Fetches the list of Edge Templates
-// @description **Access policy**: administrator
-// @tags edge_templates
-// @security ApiKeyAuth
-// @security jwt
-// @accept json
-// @produce json
-// @success 200 {array} portainer.Template
-// @failure 500
-// @router /edge_templates [get]
-func (handler *Handler) edgeTemplateList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	settings, err := handler.DataStore.Settings().Settings()
-	if err != nil {
-		return httperror.InternalServerError("Unable to retrieve settings from the database", err)
-	}
-
-	url := portainer.DefaultTemplatesURL
-	if settings.TemplatesURL != "" {
-		url = settings.TemplatesURL
-	}
-
-	var templateData []byte
-	templateData, err = client.Get(url, 10)
-	if err != nil {
-		return httperror.InternalServerError("Unable to retrieve external templates", err)
-	}
-
-	var templateFile templateFileFormat
-
-	err = json.Unmarshal(templateData, &templateFile)
-	if err != nil {
-		return httperror.InternalServerError("Unable to parse template file", err)
-	}
-
-	// We only support version 3 of the template format
-	// this is only a temporary fix until we have custom edge templates
-	if templateFile.Version != "3" {
-		return httperror.InternalServerError("Unsupported template version", nil)
-	}
-
-	filteredTemplates := make([]portainer.Template, 0)
-
-	for _, template := range templateFile.Templates {
-		if slices.Contains(template.Categories, "edge") && slices.Contains([]portainer.TemplateType{portainer.ComposeStackTemplate, portainer.SwarmStackTemplate}, template.Type) {
-			filteredTemplates = append(filteredTemplates, template)
-		}
-	}
-
-	return response.JSON(w, filteredTemplates)
-}

api/http/handler/edgetemplates/handler.go

@@ -1,32 +0,0 @@
-package edgetemplates
-
-import (
-	"net/http"
-
-	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/http/middlewares"
-	"github.com/portainer/portainer/api/http/security"
-	httperror "github.com/portainer/portainer/pkg/libhttp/error"
-
-	"github.com/gorilla/mux"
-)
-
-// Handler is the HTTP handler used to handle edge environment(endpoint) operations.
-type Handler struct {
-	*mux.Router
-	requestBouncer security.BouncerService
-	DataStore      dataservices.DataStore
-}
-
-// NewHandler creates a handler to manage environment(endpoint) operations.
-func NewHandler(bouncer security.BouncerService) *Handler {
-	h := &Handler{
-		Router:         mux.NewRouter(),
-		requestBouncer: bouncer,
-	}
-
-	h.Handle("/edge_templates",
-		bouncer.AdminAccess(middlewares.Deprecated(httperror.LoggerHandler(h.edgeTemplateList), func(w http.ResponseWriter, r *http.Request) (string, *httperror.HandlerError) { return "", nil }))).Methods(http.MethodGet)
-
-	return h
-}

api/http/handler/endpointedge/endpointedge_status_inspect.go

@@ -264,6 +264,9 @@ func (handler *Handler) buildSchedules(tx dataservices.DataStoreTx, endpointID p
 func (handler *Handler) buildEdgeStacks(tx dataservices.DataStoreTx, endpointID portainer.EndpointID) ([]stackStatusResponse, *httperror.HandlerError) {
 	relation, err := tx.EndpointRelation().EndpointRelation(endpointID)
 	if err != nil {
+		if tx.IsErrObjectNotFound(err) {
+			return nil, nil
+		}
 		return nil, httperror.InternalServerError("Unable to retrieve relation object from the database", err)
 	}
 

api/http/handler/endpointgroups/endpoints.go

@@ -21,10 +21,17 @@ func (handler *Handler) updateEndpointRelations(tx dataservices.DataStoreTx, end
 	}
 
 	endpointRelation, err := tx.EndpointRelation().EndpointRelation(endpoint.ID)
-	if err != nil {
+	if err != nil && !tx.IsErrObjectNotFound(err) {
 		return err
 	}
 
+	if endpointRelation == nil {
+		endpointRelation = &portainer.EndpointRelation{
+			EndpointID: endpoint.ID,
+			EdgeStacks: make(map[portainer.EdgeStackID]bool),
+		}
+	}
+
 	edgeGroups, err := tx.EdgeGroup().ReadAll()
 	if err != nil {
 		return err
@@ -32,6 +39,9 @@ func (handler *Handler) updateEndpointRelations(tx dataservices.DataStoreTx, end
 
 	edgeStacks, err := tx.EdgeStack().EdgeStacks()
 	if err != nil {
+		if tx.IsErrObjectNotFound(err) {
+			return nil
+		}
 		return err
 	}
 

api/http/handler/endpoints/endpoint_delete.go

@@ -91,7 +91,7 @@ func (handler *Handler) endpointDelete(w http.ResponseWriter, r *http.Request) *
 // @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
 // @failure 403 "Unauthorized access or operation not allowed."
 // @failure 500 "Server error occurred while attempting to delete the specified environments."
-// @router /endpoints [delete]
+// @router /endpoints/delete [post]
 func (handler *Handler) endpointDeleteBatch(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	var p endpointDeleteBatchPayload
 	if err := request.DecodeAndValidateJSONPayload(r, &p); err != nil {
@@ -127,6 +127,27 @@ func (handler *Handler) endpointDeleteBatch(w http.ResponseWriter, r *http.Reque
 	return response.Empty(w)
 }
 
+// @id EndpointDeleteBatchDeprecated
+// @summary Remove multiple environments
+// @deprecated
+// @description Deprecated: use the `POST` endpoint instead.
+// @description Remove multiple environments and optionally clean-up associated resources.
+// @description **Access policy**: Administrator only.
+// @tags endpoints
+// @security ApiKeyAuth || jwt
+// @accept json
+// @produce json
+// @param body body endpointDeleteBatchPayload true "List of environments to delete, with optional deleteCluster flag to clean-up associated resources (cloud environments only)"
+// @success 204 "Environment(s) successfully deleted."
+// @failure 207 {object} endpointDeleteBatchPartialResponse "Partial success. Some environments were deleted successfully, while others failed."
+// @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
+// @failure 403 "Unauthorized access or operation not allowed."
+// @failure 500 "Server error occurred while attempting to delete the specified environments."
+// @router /endpoints [delete]
+func (handler *Handler) endpointDeleteBatchDeprecated(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	return handler.endpointDeleteBatch(w, r)
+}
+
 func (handler *Handler) deleteEndpoint(tx dataservices.DataStoreTx, endpointID portainer.EndpointID, deleteCluster bool) error {
 	endpoint, err := tx.Endpoint().Endpoint(endpointID)
 	if tx.IsErrObjectNotFound(err) {

api/http/handler/endpoints/endpoint_dockerhub_status.go

@@ -80,6 +80,13 @@ func (handler *Handler) endpointDockerhubStatus(w http.ResponseWriter, r *http.R
 		}
 	}
 
+	if handler.PullLimitCheckDisabled {
+		return response.JSON(w, &dockerhubStatusResponse{
+			Limit:     10,
+			Remaining: 10,
+		})
+	}
+
 	httpClient := client.NewHTTPClient()
 	token, err := getDockerHubToken(httpClient, registry)
 	if err != nil {

api/http/handler/endpoints/endpoint_inspect.go

@@ -19,6 +19,8 @@ import (
 // @security jwt
 // @produce json
 // @param id path int true "Environment(Endpoint) identifier"
+// @param excludeSnapshot query bool false "if true, the snapshot data won't be retrieved"
+// @param excludeSnapshotRaw query bool false "if true, the SnapshotRaw field won't be retrieved"
 // @success 200 {object} portainer.Endpoint "Success"
 // @failure 400 "Invalid request"
 // @failure 404 "Environment(Endpoint) not found"
@@ -37,8 +39,7 @@ func (handler *Handler) endpointInspect(w http.ResponseWriter, r *http.Request)
 		return httperror.InternalServerError("Unable to find an environment with the specified identifier inside the database", err)
 	}
 
-	err = handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint)
-	if err != nil {
+	if err := handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint); err != nil {
 		return httperror.Forbidden("Permission denied to access environment", err)
 	}
 
@@ -51,9 +52,11 @@ func (handler *Handler) endpointInspect(w http.ResponseWriter, r *http.Request)
 	endpointutils.UpdateEdgeEndpointHeartbeat(endpoint, settings)
 	endpoint.ComposeSyntaxMaxVersion = handler.ComposeStackManager.ComposeSyntaxMaxVersion()
 
-	if !excludeSnapshot(r) {
-		err = handler.SnapshotService.FillSnapshotData(endpoint)
-		if err != nil {
+	excludeSnapshot, _ := request.RetrieveBooleanQueryParameter(r, "excludeSnapshot", true)
+	excludeRaw, _ := request.RetrieveBooleanQueryParameter(r, "excludeSnapshotRaw", true)
+
+	if !excludeSnapshot {
+		if err := handler.SnapshotService.FillSnapshotData(endpoint, !excludeRaw); err != nil {
 			return httperror.InternalServerError("Unable to add snapshot data", err)
 		}
 	}
@@ -83,9 +86,3 @@ func (handler *Handler) endpointInspect(w http.ResponseWriter, r *http.Request)
 
 	return response.JSON(w, endpoint)
 }
-
-func excludeSnapshot(r *http.Request) bool {
-	excludeSnapshot, _ := request.RetrieveBooleanQueryParameter(r, "excludeSnapshot", true)
-
-	return excludeSnapshot
-}

api/http/handler/endpoints/endpoint_list.go

@@ -38,15 +38,19 @@ const (
 // @param tagIds query []int false "search environments(endpoints) with these tags (depends on tagsPartialMatch)"
 // @param tagsPartialMatch query bool false "If true, will return environment(endpoint) which has one of tagIds, if false (or missing) will return only environments(endpoints) that has all the tags"
 // @param endpointIds query []int false "will return only these environments(endpoints)"
+// @param excludeIds query []int false "will exclude these environments(endpoints)"
 // @param provisioned query bool false "If true, will return environment(endpoint) that were provisioned"
 // @param agentVersions query []string false "will return only environments with on of these agent versions"
 // @param edgeAsync query bool false "if exists true show only edge async agents, false show only standard edge agents. if missing, will show both types (relevant only for edge agents)"
 // @param edgeDeviceUntrusted query bool false "if true, show only untrusted edge agents, if false show only trusted edge agents (relevant only for edge agents)"
 // @param edgeCheckInPassedSeconds query number false "if bigger then zero, show only edge agents that checked-in in the last provided seconds (relevant only for edge agents)"
 // @param excludeSnapshots query bool false "if true, the snapshot data won't be retrieved"
+// @param excludeSnapshotRaw query bool false "if true, the SnapshotRaw field won't be retrieved"
 // @param name query string false "will return only environments(endpoints) with this name"
 // @param edgeStackId query portainer.EdgeStackID false "will return the environements of the specified edge stack"
 // @param edgeStackStatus query string false "only applied when edgeStackId exists. Filter the returned environments based on their deployment status in the stack (not the environment status!)" Enum("Pending", "Ok", "Error", "Acknowledged", "Remove", "RemoteUpdateSuccess", "ImagesPulled")
+// @param edgeGroupIds query []int false "List environments(endpoints) of these edge groups"
+// @param excludeEdgeGroupIds query []int false "Exclude environments(endpoints) of these edge groups"
 // @success 200 {array} portainer.Endpoint "Endpoints"
 // @failure 500 "Server error"
 // @router /endpoints [get]
@@ -59,6 +63,7 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht
 	limit, _ := request.RetrieveNumericQueryParameter(r, "limit", true)
 	sortField, _ := request.RetrieveQueryParameter(r, "sort", true)
 	sortOrder, _ := request.RetrieveQueryParameter(r, "order", true)
+	excludeRaw, _ := request.RetrieveBooleanQueryParameter(r, "excludeSnapshotRaw", true)
 
 	endpointGroups, err := handler.DataStore.EndpointGroup().ReadAll()
 	if err != nil {
@@ -105,14 +110,16 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht
 
 	for idx := range paginatedEndpoints {
 		hideFields(&paginatedEndpoints[idx])
+
 		paginatedEndpoints[idx].ComposeSyntaxMaxVersion = handler.ComposeStackManager.ComposeSyntaxMaxVersion()
 		if paginatedEndpoints[idx].EdgeCheckinInterval == 0 {
 			paginatedEndpoints[idx].EdgeCheckinInterval = settings.EdgeAgentCheckinInterval
 		}
+
 		endpointutils.UpdateEdgeEndpointHeartbeat(&paginatedEndpoints[idx], settings)
+
 		if !query.excludeSnapshots {
-			err = handler.SnapshotService.FillSnapshotData(&paginatedEndpoints[idx])
-			if err != nil {
+			if err := handler.SnapshotService.FillSnapshotData(&paginatedEndpoints[idx], !excludeRaw); err != nil {
 				return httperror.InternalServerError("Unable to add snapshot data", err)
 			}
 		}
@@ -120,6 +127,7 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht
 
 	w.Header().Set("X-Total-Count", strconv.Itoa(filteredEndpointCount))
 	w.Header().Set("X-Total-Available", strconv.Itoa(totalAvailableEndpoints))
+
 	return response.JSON(w, paginatedEndpoints)
 }
 
@@ -130,18 +138,8 @@ func paginateEndpoints(endpoints []portainer.Endpoint, start, limit int) []porta
 
 	endpointCount := len(endpoints)
 
-	if start < 0 {
-		start = 0
-	}
-
-	if start > endpointCount {
-		start = endpointCount
-	}
-
-	end := start + limit
-	if end > endpointCount {
-		end = endpointCount
-	}
+	start = min(max(start, 0), endpointCount)
+	end := min(start+limit, endpointCount)
 
 	return endpoints[start:end]
 }
@@ -151,8 +149,10 @@ func getEndpointGroup(groupID portainer.EndpointGroupID, groups []portainer.Endp
 	for _, group := range groups {
 		if group.ID == groupID {
 			endpointGroup = group
+
 			break
 		}
 	}
+
 	return endpointGroup
 }

api/http/handler/endpoints/endpoint_update.go

@@ -272,7 +272,7 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 		}
 	}
 
-	if err := handler.SnapshotService.FillSnapshotData(endpoint); err != nil {
+	if err := handler.SnapshotService.FillSnapshotData(endpoint, true); err != nil {
 		return httperror.InternalServerError("Unable to add snapshot data", err)
 	}
 

api/http/handler/endpoints/filter.go

@@ -37,6 +37,8 @@ type EnvironmentsQuery struct {
 	edgeStackId              portainer.EdgeStackID
 	edgeStackStatus          *portainer.EdgeStackStatusType
 	excludeIds               []portainer.EndpointID
+	edgeGroupIds             []portainer.EdgeGroupID
+	excludeEdgeGroupIds      []portainer.EdgeGroupID
 }
 
 func parseQuery(r *http.Request) (EnvironmentsQuery, error) {
@@ -77,6 +79,16 @@ func parseQuery(r *http.Request) (EnvironmentsQuery, error) {
 		return EnvironmentsQuery{}, err
 	}
 
+	edgeGroupIDs, err := getNumberArrayQueryParameter[portainer.EdgeGroupID](r, "edgeGroupIds")
+	if err != nil {
+		return EnvironmentsQuery{}, err
+	}
+
+	excludeEdgeGroupIds, err := getNumberArrayQueryParameter[portainer.EdgeGroupID](r, "excludeEdgeGroupIds")
+	if err != nil {
+		return EnvironmentsQuery{}, err
+	}
+
 	agentVersions := getArrayQueryParameter(r, "agentVersions")
 
 	name, _ := request.RetrieveQueryParameter(r, "name", true)
@@ -117,6 +129,8 @@ func parseQuery(r *http.Request) (EnvironmentsQuery, error) {
 		edgeCheckInPassedSeconds: edgeCheckInPassedSeconds,
 		edgeStackId:              portainer.EdgeStackID(edgeStackId),
 		edgeStackStatus:          edgeStackStatus,
+		edgeGroupIds:             edgeGroupIDs,
+		excludeEdgeGroupIds:      excludeEdgeGroupIds,
 	}, nil
 }
 
@@ -143,6 +157,14 @@ func (handler *Handler) filterEndpointsByQuery(
 		filteredEndpoints = filterEndpointsByGroupIDs(filteredEndpoints, query.groupIds)
 	}
 
+	if len(query.edgeGroupIds) > 0 {
+		filteredEndpoints, edgeGroups = filterEndpointsByEdgeGroupIDs(filteredEndpoints, edgeGroups, query.edgeGroupIds)
+	}
+
+	if len(query.excludeEdgeGroupIds) > 0 {
+		filteredEndpoints, edgeGroups = filterEndpointsByExcludeEdgeGroupIDs(filteredEndpoints, edgeGroups, query.excludeEdgeGroupIds)
+	}
+
 	if query.name != "" {
 		filteredEndpoints = filterEndpointsByName(filteredEndpoints, query.name)
 	}
@@ -295,6 +317,70 @@ func filterEndpointsByGroupIDs(endpoints []portainer.Endpoint, endpointGroupIDs
 	return endpoints[:n]
 }
 
+func filterEndpointsByEdgeGroupIDs(endpoints []portainer.Endpoint, edgeGroups []portainer.EdgeGroup, edgeGroupIDs []portainer.EdgeGroupID) ([]portainer.Endpoint, []portainer.EdgeGroup) {
+	edgeGroupIDFilterSet := make(map[portainer.EdgeGroupID]struct{}, len(edgeGroupIDs))
+	for _, id := range edgeGroupIDs {
+		edgeGroupIDFilterSet[id] = struct{}{}
+	}
+
+	n := 0
+	for _, edgeGroup := range edgeGroups {
+		if _, exists := edgeGroupIDFilterSet[edgeGroup.ID]; exists {
+			edgeGroups[n] = edgeGroup
+			n++
+		}
+	}
+	edgeGroups = edgeGroups[:n]
+
+	endpointIDSet := make(map[portainer.EndpointID]struct{})
+	for _, edgeGroup := range edgeGroups {
+		for _, endpointID := range edgeGroup.Endpoints {
+			endpointIDSet[endpointID] = struct{}{}
+		}
+	}
+
+	n = 0
+	for _, endpoint := range endpoints {
+		if _, exists := endpointIDSet[endpoint.ID]; exists {
+			endpoints[n] = endpoint
+			n++
+		}
+	}
+
+	return endpoints[:n], edgeGroups
+}
+
+func filterEndpointsByExcludeEdgeGroupIDs(endpoints []portainer.Endpoint, edgeGroups []portainer.EdgeGroup, excludeEdgeGroupIds []portainer.EdgeGroupID) ([]portainer.Endpoint, []portainer.EdgeGroup) {
+	excludeEdgeGroupIDSet := make(map[portainer.EdgeGroupID]struct{}, len(excludeEdgeGroupIds))
+	for _, id := range excludeEdgeGroupIds {
+		excludeEdgeGroupIDSet[id] = struct{}{}
+	}
+
+	n := 0
+	excludeEndpointIDSet := make(map[portainer.EndpointID]struct{})
+	for _, edgeGroup := range edgeGroups {
+		if _, ok := excludeEdgeGroupIDSet[edgeGroup.ID]; ok {
+			for _, endpointID := range edgeGroup.Endpoints {
+				excludeEndpointIDSet[endpointID] = struct{}{}
+			}
+		} else {
+			edgeGroups[n] = edgeGroup
+			n++
+		}
+	}
+	edgeGroups = edgeGroups[:n]
+
+	n = 0
+	for _, endpoint := range endpoints {
+		if _, ok := excludeEndpointIDSet[endpoint.ID]; !ok {
+			endpoints[n] = endpoint
+			n++
+		}
+	}
+
+	return endpoints[:n], edgeGroups
+}
+
 func filterEndpointsBySearchCriteria(
 	endpoints []portainer.Endpoint,
 	endpointGroups []portainer.EndpointGroup,

api/http/handler/endpoints/handler.go

@@ -26,19 +26,20 @@ func hideFields(endpoint *portainer.Endpoint) {
 // Handler is the HTTP handler used to handle environment(endpoint) operations.
 type Handler struct {
 	*mux.Router
-	requestBouncer        security.BouncerService
-	DataStore             dataservices.DataStore
-	FileService           portainer.FileService
-	ProxyManager          *proxy.Manager
-	ReverseTunnelService  portainer.ReverseTunnelService
-	SnapshotService       portainer.SnapshotService
-	K8sClientFactory      *cli.ClientFactory
-	ComposeStackManager   portainer.ComposeStackManager
-	AuthorizationService  *authorization.Service
-	DockerClientFactory   *dockerclient.ClientFactory
-	BindAddress           string
-	BindAddressHTTPS      string
-	PendingActionsService *pendingactions.PendingActionsService
+	requestBouncer         security.BouncerService
+	DataStore              dataservices.DataStore
+	FileService            portainer.FileService
+	ProxyManager           *proxy.Manager
+	ReverseTunnelService   portainer.ReverseTunnelService
+	SnapshotService        portainer.SnapshotService
+	K8sClientFactory       *cli.ClientFactory
+	ComposeStackManager    portainer.ComposeStackManager
+	AuthorizationService   *authorization.Service
+	DockerClientFactory    *dockerclient.ClientFactory
+	BindAddress            string
+	BindAddressHTTPS       string
+	PendingActionsService  *pendingactions.PendingActionsService
+	PullLimitCheckDisabled bool
 }
 
 // NewHandler creates a handler to manage environment(endpoint) operations.
@@ -68,8 +69,8 @@ func NewHandler(bouncer security.BouncerService) *Handler {
 		bouncer.AdminAccess(httperror.LoggerHandler(h.endpointUpdate))).Methods(http.MethodPut)
 	h.Handle("/endpoints/{id}",
 		bouncer.AdminAccess(httperror.LoggerHandler(h.endpointDelete))).Methods(http.MethodDelete)
-	h.Handle("/endpoints",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.endpointDeleteBatch))).Methods(http.MethodDelete)
+	h.Handle("/endpoints/delete",
+		bouncer.AdminAccess(httperror.LoggerHandler(h.endpointDeleteBatch))).Methods(http.MethodPost)
 	h.Handle("/endpoints/{id}/dockerhub/{registryId}",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.endpointDockerhubStatus))).Methods(http.MethodGet)
 	h.Handle("/endpoints/{id}/snapshot",
@@ -85,6 +86,7 @@ func NewHandler(bouncer security.BouncerService) *Handler {
 
 	// DEPRECATED
 	h.Handle("/endpoints/{id}/status", bouncer.PublicAccess(httperror.LoggerHandler(h.endpointStatusInspect))).Methods(http.MethodGet)
+	h.Handle("/endpoints", bouncer.AdminAccess(httperror.LoggerHandler(h.endpointDeleteBatchDeprecated))).Methods(http.MethodDelete)
 
 	return h
 }

api/http/handler/endpoints/update_edge_relations.go

@@ -23,6 +23,7 @@ func (handler *Handler) updateEdgeRelations(tx dataservices.DataStoreTx, endpoin
 
 		relation = &portainer.EndpointRelation{
 			EndpointID: endpoint.ID,
+			EdgeStacks: map[portainer.EdgeStackID]bool{},
 		}
 		if err := tx.EndpointRelation().Create(relation); err != nil {
 			return errors.WithMessage(err, "Unable to create environment relation inside the database")

api/http/handler/handler.go

@@ -11,7 +11,6 @@ import (
 	"github.com/portainer/portainer/api/http/handler/edgegroups"
 	"github.com/portainer/portainer/api/http/handler/edgejobs"
 	"github.com/portainer/portainer/api/http/handler/edgestacks"
-	"github.com/portainer/portainer/api/http/handler/edgetemplates"
 	"github.com/portainer/portainer/api/http/handler/endpointedge"
 	"github.com/portainer/portainer/api/http/handler/endpointgroups"
 	"github.com/portainer/portainer/api/http/handler/endpointproxy"
@@ -50,7 +49,6 @@ type Handler struct {
 	EdgeGroupsHandler      *edgegroups.Handler
 	EdgeJobsHandler        *edgejobs.Handler
 	EdgeStacksHandler      *edgestacks.Handler
-	EdgeTemplatesHandler   *edgetemplates.Handler
 	EndpointEdgeHandler    *endpointedge.Handler
 	EndpointGroupHandler   *endpointgroups.Handler
 	EndpointHandler        *endpoints.Handler
@@ -83,7 +81,7 @@ type Handler struct {
 }
 
 // @title PortainerCE API
-// @version 2.26.0
+// @version 2.29.0
 // @description.markdown api-description.md
 // @termsOfService
 
@@ -190,8 +188,6 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.StripPrefix("/api", h.EdgeGroupsHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/edge_jobs"):
 		http.StripPrefix("/api", h.EdgeJobsHandler).ServeHTTP(w, r)
-	case strings.HasPrefix(r.URL.Path, "/api/edge_templates"):
-		http.StripPrefix("/api", h.EdgeTemplatesHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/endpoint_groups"):
 		http.StripPrefix("/api", h.EndpointGroupHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/kubernetes"):

api/http/handler/helm/handler.go

@@ -1,6 +1,7 @@
 package helm
 
 import (
+	"fmt"
 	"net/http"
 
 	portainer "github.com/portainer/portainer/api"
@@ -8,8 +9,8 @@ import (
 	"github.com/portainer/portainer/api/http/middlewares"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/kubernetes"
-	"github.com/portainer/portainer/pkg/libhelm"
 	"github.com/portainer/portainer/pkg/libhelm/options"
+	libhelmtypes "github.com/portainer/portainer/pkg/libhelm/types"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 
 	"github.com/gorilla/mux"
@@ -23,11 +24,11 @@ type Handler struct {
 	jwtService               portainer.JWTService
 	kubeClusterAccessService kubernetes.KubeClusterAccessService
 	kubernetesDeployer       portainer.KubernetesDeployer
-	helmPackageManager       libhelm.HelmPackageManager
+	helmPackageManager       libhelmtypes.HelmPackageManager
 }
 
 // NewHandler creates a handler to manage endpoint group operations.
-func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStore, jwtService portainer.JWTService, kubernetesDeployer portainer.KubernetesDeployer, helmPackageManager libhelm.HelmPackageManager, kubeClusterAccessService kubernetes.KubeClusterAccessService) *Handler {
+func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStore, jwtService portainer.JWTService, kubernetesDeployer portainer.KubernetesDeployer, helmPackageManager libhelmtypes.HelmPackageManager, kubeClusterAccessService kubernetes.KubeClusterAccessService) *Handler {
 	h := &Handler{
 		Router:                   mux.NewRouter(),
 		requestBouncer:           bouncer,
@@ -53,17 +54,19 @@ func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStor
 	h.Handle("/{id}/kubernetes/helm",
 		httperror.LoggerHandler(h.helmInstall)).Methods(http.MethodPost)
 
-	// Deprecated
-	h.Handle("/{id}/kubernetes/helm/repositories",
-		httperror.LoggerHandler(h.userGetHelmRepos)).Methods(http.MethodGet)
-	h.Handle("/{id}/kubernetes/helm/repositories",
-		httperror.LoggerHandler(h.userCreateHelmRepo)).Methods(http.MethodPost)
+	// `helm get all [RELEASE_NAME]`
+	h.Handle("/{id}/kubernetes/helm/{release}",
+		httperror.LoggerHandler(h.helmGet)).Methods(http.MethodGet)
+
+	// `helm history [RELEASE_NAME]`
+	h.Handle("/{id}/kubernetes/helm/{release}/history",
+		httperror.LoggerHandler(h.helmGetHistory)).Methods(http.MethodGet)
 
 	return h
 }
 
 // NewTemplateHandler creates a template handler to manage environment(endpoint) group operations.
-func NewTemplateHandler(bouncer security.BouncerService, helmPackageManager libhelm.HelmPackageManager) *Handler {
+func NewTemplateHandler(bouncer security.BouncerService, helmPackageManager libhelmtypes.HelmPackageManager) *Handler {
 	h := &Handler{
 		Router:             mux.NewRouter(),
 		helmPackageManager: helmPackageManager,
@@ -84,7 +87,7 @@ func NewTemplateHandler(bouncer security.BouncerService, helmPackageManager libh
 
 // getHelmClusterAccess obtains the core k8s cluster access details from request.
 // The cluster access includes the cluster server url, the user's bearer token and the tls certificate.
-// The cluster access is passed in as kube config CLI params to helm binary.
+// The cluster access is passed in as kube config CLI params to helm.
 func (handler *Handler) getHelmClusterAccess(r *http.Request) (*options.KubernetesClusterAccess, *httperror.HandlerError) {
 	endpoint, err := middlewares.FetchEndpoint(r)
 	if err != nil {
@@ -113,6 +116,9 @@ func (handler *Handler) getHelmClusterAccess(r *http.Request) (*options.Kubernet
 
 	kubeConfigInternal := handler.kubeClusterAccessService.GetClusterDetails(hostURL, endpoint.ID, true)
 	return &options.KubernetesClusterAccess{
+		ClusterName:              fmt.Sprintf("%s-%s", "portainer-cluster", endpoint.Name),
+		ContextName:              fmt.Sprintf("%s-%s", "portainer-ctx", endpoint.Name),
+		UserName:                 fmt.Sprintf("%s-%s", "portainer-sa-user", tokenData.Username),
 		ClusterServerURL:         kubeConfigInternal.ClusterServerURL,
 		CertificateAuthorityFile: kubeConfigInternal.CertificateAuthorityFile,
 		AuthToken:                bearerToken,

api/http/handler/helm/helm_delete_test.go

@@ -13,8 +13,8 @@ import (
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"
 	"github.com/portainer/portainer/api/kubernetes"
-	"github.com/portainer/portainer/pkg/libhelm/binary/test"
 	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/test"
 
 	"github.com/stretchr/testify/assert"
 )
@@ -34,7 +34,7 @@ func Test_helmDelete(t *testing.T) {
 	is.NoError(err, "Error initiating jwt service")
 
 	kubernetesDeployer := exectest.NewKubernetesDeployer()
-	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
+	helmPackageManager := test.NewMockHelmPackageManager()
 	kubeClusterAccessService := kubernetes.NewKubeClusterAccessService("", "", "")
 	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeClusterAccessService)
 
@@ -42,7 +42,7 @@ func Test_helmDelete(t *testing.T) {
 
 	// Install a single chart directly, to be deleted by the handler
 	options := options.InstallOptions{Name: "nginx-1", Chart: "nginx", Namespace: "default"}
-	h.helmPackageManager.Install(options)
+	h.helmPackageManager.Upgrade(options)
 
 	t.Run("helmDelete succeeds with admin user", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodDelete, "/1/kubernetes/helm/"+options.Name, nil)

api/http/handler/helm/helm_get.go

@@ -0,0 +1,67 @@
+package helm
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	_ "github.com/portainer/portainer/pkg/libhelm/release"
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/libhttp/response"
+)
+
+// @id HelmGet
+// @summary Get a helm release
+// @description Get details of a helm release by release name
+// @description **Access policy**: authenticated
+// @tags helm
+// @security ApiKeyAuth || jwt
+// @produce json
+// @param id path int true "Environment(Endpoint) identifier"
+// @param name path string true "Helm release name"
+// @param namespace query string false "specify an optional namespace"
+// @param showResources query boolean false "show resources of the release"
+// @param revision query int false "specify an optional revision"
+// @success 200 {object} release.Release "Success"
+// @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
+// @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
+// @failure 403 "Permission denied - the user is authenticated but does not have the necessary permissions to access the requested resource or perform the specified operation. Check your user roles and permissions."
+// @failure 404 "Unable to find an environment with the specified identifier."
+// @failure 500 "Server error occurred while attempting to retrieve the release."
+// @router /endpoints/{id}/kubernetes/helm/{name} [get]
+func (handler *Handler) helmGet(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	release, err := request.RetrieveRouteVariableValue(r, "release")
+	if err != nil {
+		return httperror.BadRequest("No release specified", err)
+	}
+
+	clusterAccess, httperr := handler.getHelmClusterAccess(r)
+	if httperr != nil {
+		return httperr
+	}
+
+	// build the get options
+	getOpts := options.GetOptions{
+		KubernetesClusterAccess: clusterAccess,
+		Name:                    release,
+	}
+	namespace, _ := request.RetrieveQueryParameter(r, "namespace", true)
+	// optional namespace.  The library defaults to "default"
+	if namespace != "" {
+		getOpts.Namespace = namespace
+	}
+	showResources, _ := request.RetrieveBooleanQueryParameter(r, "showResources", true)
+	getOpts.ShowResources = showResources
+	revision, _ := request.RetrieveNumericQueryParameter(r, "revision", true)
+	// optional revision.  The library defaults to the latest revision if not specified
+	if revision > 0 {
+		getOpts.Revision = revision
+	}
+
+	releases, err := handler.helmPackageManager.Get(getOpts)
+	if err != nil {
+		return httperror.InternalServerError("Helm returned an error", err)
+	}
+
+	return response.JSON(w, releases)
+}

api/http/handler/helm/helm_get_test.go

@@ -0,0 +1,66 @@
+package helm
+
+import (
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/exec/exectest"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/testhelpers"
+	helper "github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/jwt"
+	"github.com/portainer/portainer/api/kubernetes"
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/portainer/portainer/pkg/libhelm/test"
+
+	"github.com/segmentio/encoding/json"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_helmGet(t *testing.T) {
+	is := assert.New(t)
+
+	_, store := datastore.MustNewTestStore(t, true, true)
+
+	err := store.Endpoint().Create(&portainer.Endpoint{ID: 1})
+	is.NoError(err, "Error creating environment")
+
+	err = store.User().Create(&portainer.User{Username: "admin", Role: portainer.AdministratorRole})
+	is.NoError(err, "Error creating a user")
+
+	jwtService, err := jwt.NewService("1h", store)
+	is.NoError(err, "Error initiating jwt service")
+
+	kubernetesDeployer := exectest.NewKubernetesDeployer()
+	helmPackageManager := test.NewMockHelmPackageManager()
+	kubeClusterAccessService := kubernetes.NewKubeClusterAccessService("", "", "")
+	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeClusterAccessService)
+
+	is.NotNil(h, "Handler should not fail")
+
+	// Install a single chart, to be retrieved by the handler
+	options := options.InstallOptions{Name: "nginx-1", Chart: "nginx", Namespace: "default"}
+	h.helmPackageManager.Upgrade(options)
+
+	t.Run("helmGet sucessfuly retrieves helm release", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/1/kubernetes/helm/"+options.Name+"?namespace="+options.Namespace, nil)
+		ctx := security.StoreTokenData(req, &portainer.TokenData{ID: 1, Username: "admin", Role: 1})
+		req = req.WithContext(ctx)
+		testhelpers.AddTestSecurityCookie(req, "Bearer dummytoken")
+
+		rr := httptest.NewRecorder()
+		h.ServeHTTP(rr, req)
+
+		data := release.Release{}
+		body, err := io.ReadAll(rr.Body)
+		is.NoError(err, "ReadAll should not return error")
+		json.Unmarshal(body, &data)
+		is.Equal(http.StatusOK, rr.Code, "Status should be 200")
+		is.Equal("nginx-1", data.Name)
+	})
+}

api/http/handler/helm/helm_history.go

@@ -0,0 +1,58 @@
+package helm
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	_ "github.com/portainer/portainer/pkg/libhelm/release"
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/libhttp/response"
+)
+
+// @id HelmGetHistory
+// @summary Get a historical list of releases
+// @description Get a historical list of releases by release name
+// @description **Access policy**: authenticated
+// @tags helm
+// @security ApiKeyAuth || jwt
+// @produce json
+// @param id path int true "Environment(Endpoint) identifier"
+// @param name path string true "Helm release name"
+// @param namespace query string false "specify an optional namespace"
+// @success 200 {array} release.Release "Success"
+// @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
+// @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
+// @failure 403 "Permission denied - the user is authenticated but does not have the necessary permissions to access the requested resource or perform the specified operation. Check your user roles and permissions."
+// @failure 404 "Unable to find an environment with the specified identifier."
+// @failure 500 "Server error occurred while attempting to retrieve the historical list of releases."
+// @router /endpoints/{id}/kubernetes/helm/{release}/history [get]
+func (handler *Handler) helmGetHistory(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	release, err := request.RetrieveRouteVariableValue(r, "release")
+	if err != nil {
+		return httperror.BadRequest("No release specified", err)
+	}
+
+	clusterAccess, httperr := handler.getHelmClusterAccess(r)
+	if httperr != nil {
+		return httperr
+	}
+
+	historyOptions := options.HistoryOptions{
+		KubernetesClusterAccess: clusterAccess,
+		Name:                    release,
+	}
+
+	// optional namespace.  The library defaults to "default"
+	namespace, _ := request.RetrieveQueryParameter(r, "namespace", true)
+	if namespace != "" {
+		historyOptions.Namespace = namespace
+	}
+
+	releases, err := handler.helmPackageManager.GetHistory(historyOptions)
+	if err != nil {
+		return httperror.InternalServerError("Helm returned an error", err)
+	}
+
+	return response.JSON(w, releases)
+}

api/http/handler/helm/helm_history_test.go

@@ -0,0 +1,67 @@
+package helm
+
+import (
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/exec/exectest"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/testhelpers"
+	helper "github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/jwt"
+	"github.com/portainer/portainer/api/kubernetes"
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/portainer/portainer/pkg/libhelm/test"
+
+	"github.com/segmentio/encoding/json"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_helmGetHistory(t *testing.T) {
+	is := assert.New(t)
+
+	_, store := datastore.MustNewTestStore(t, true, true)
+
+	err := store.Endpoint().Create(&portainer.Endpoint{ID: 1})
+	is.NoError(err, "Error creating environment")
+
+	err = store.User().Create(&portainer.User{Username: "admin", Role: portainer.AdministratorRole})
+	is.NoError(err, "Error creating a user")
+
+	jwtService, err := jwt.NewService("1h", store)
+	is.NoError(err, "Error initiating jwt service")
+
+	kubernetesDeployer := exectest.NewKubernetesDeployer()
+	helmPackageManager := test.NewMockHelmPackageManager()
+	kubeClusterAccessService := kubernetes.NewKubeClusterAccessService("", "", "")
+	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeClusterAccessService)
+
+	is.NotNil(h, "Handler should not fail")
+
+	// Install a single chart, to be retrieved by the handler
+	options := options.InstallOptions{Name: "nginx-1", Chart: "nginx", Namespace: "default"}
+	h.helmPackageManager.Upgrade(options)
+
+	t.Run("helmGetHistory sucessfuly retrieves helm release history", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/1/kubernetes/helm/"+options.Name+"/history?namespace="+options.Namespace, nil)
+		ctx := security.StoreTokenData(req, &portainer.TokenData{ID: 1, Username: "admin", Role: 1})
+		req = req.WithContext(ctx)
+		testhelpers.AddTestSecurityCookie(req, "Bearer dummytoken")
+
+		rr := httptest.NewRecorder()
+		h.ServeHTTP(rr, req)
+
+		data := []release.Release{}
+		body, err := io.ReadAll(rr.Body)
+		is.NoError(err, "ReadAll should not return error")
+		json.Unmarshal(body, &data)
+		is.Equal(http.StatusOK, rr.Code, "Status should be 200")
+		is.Equal(1, len(data))
+		is.Equal("nginx-1", data[0].Name)
+	})
+}

api/http/handler/helm/helm_install.go

@@ -99,15 +99,11 @@ func (handler *Handler) installChart(r *http.Request, p installChartPayload) (*r
 	}
 
 	installOpts := options.InstallOptions{
-		Name:      p.Name,
-		Chart:     p.Chart,
-		Namespace: p.Namespace,
-		Repo:      p.Repo,
-		KubernetesClusterAccess: &options.KubernetesClusterAccess{
-			ClusterServerURL:         clusterAccess.ClusterServerURL,
-			CertificateAuthorityFile: clusterAccess.CertificateAuthorityFile,
-			AuthToken:                clusterAccess.AuthToken,
-		},
+		Name:                    p.Name,
+		Chart:                   p.Chart,
+		Namespace:               p.Namespace,
+		Repo:                    p.Repo,
+		KubernetesClusterAccess: clusterAccess,
 	}
 
 	if p.Values != "" {
@@ -129,7 +125,7 @@ func (handler *Handler) installChart(r *http.Request, p installChartPayload) (*r
 		installOpts.ValuesFile = file.Name()
 	}
 
-	release, err := handler.helmPackageManager.Install(installOpts)
+	release, err := handler.helmPackageManager.Upgrade(installOpts)
 	if err != nil {
 		return nil, err
 	}

api/http/handler/helm/helm_install_test.go

@@ -15,9 +15,9 @@ import (
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"
 	"github.com/portainer/portainer/api/kubernetes"
-	"github.com/portainer/portainer/pkg/libhelm/binary/test"
 	"github.com/portainer/portainer/pkg/libhelm/options"
 	"github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/portainer/portainer/pkg/libhelm/test"
 
 	"github.com/segmentio/encoding/json"
 	"github.com/stretchr/testify/assert"
@@ -38,7 +38,7 @@ func Test_helmInstall(t *testing.T) {
 	is.NoError(err, "Error initiating jwt service")
 
 	kubernetesDeployer := exectest.NewKubernetesDeployer()
-	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
+	helmPackageManager := test.NewMockHelmPackageManager()
 	kubeClusterAccessService := kubernetes.NewKubeClusterAccessService("", "", "")
 	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeClusterAccessService)
 

api/http/handler/helm/helm_list_test.go

@@ -14,9 +14,9 @@ import (
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"
 	"github.com/portainer/portainer/api/kubernetes"
-	"github.com/portainer/portainer/pkg/libhelm/binary/test"
 	"github.com/portainer/portainer/pkg/libhelm/options"
 	"github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/portainer/portainer/pkg/libhelm/test"
 
 	"github.com/segmentio/encoding/json"
 	"github.com/stretchr/testify/assert"
@@ -37,13 +37,13 @@ func Test_helmList(t *testing.T) {
 	is.NoError(err, "Error initialising jwt service")
 
 	kubernetesDeployer := exectest.NewKubernetesDeployer()
-	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
+	helmPackageManager := test.NewMockHelmPackageManager()
 	kubeClusterAccessService := kubernetes.NewKubeClusterAccessService("", "", "")
 	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeClusterAccessService)
 
 	// Install a single chart.  We expect to get these values back
 	options := options.InstallOptions{Name: "nginx-1", Chart: "nginx", Namespace: "default"}
-	h.helmPackageManager.Install(options)
+	h.helmPackageManager.Upgrade(options)
 
 	t.Run("helmList", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodGet, "/1/kubernetes/helm", nil)

api/http/handler/helm/helm_repo_search_test.go

@@ -8,14 +8,14 @@ import (
 	"testing"
 
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
-	"github.com/portainer/portainer/pkg/libhelm/binary/test"
+	"github.com/portainer/portainer/pkg/libhelm/test"
 	"github.com/stretchr/testify/assert"
 )
 
 func Test_helmRepoSearch(t *testing.T) {
 	is := assert.New(t)
 
-	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
+	helmPackageManager := test.NewMockHelmPackageManager()
 	h := NewTemplateHandler(helper.NewTestRequestBouncer(), helmPackageManager)
 
 	assert.NotNil(t, h, "Handler should not fail")

api/http/handler/helm/helm_show_test.go

@@ -9,14 +9,14 @@ import (
 	"testing"
 
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
-	"github.com/portainer/portainer/pkg/libhelm/binary/test"
+	"github.com/portainer/portainer/pkg/libhelm/test"
 	"github.com/stretchr/testify/assert"
 )
 
 func Test_helmShow(t *testing.T) {
 	is := assert.New(t)
 
-	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
+	helmPackageManager := test.NewMockHelmPackageManager()
 	h := NewTemplateHandler(helper.NewTestRequestBouncer(), helmPackageManager)
 
 	is.NotNil(h, "Handler should not fail")

api/http/handler/helm/user_helm_repos.go

@@ -1,127 +0,0 @@
-package helm
-
-import (
-	"net/http"
-	"strings"
-
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/security"
-	"github.com/portainer/portainer/pkg/libhelm"
-	httperror "github.com/portainer/portainer/pkg/libhttp/error"
-	"github.com/portainer/portainer/pkg/libhttp/request"
-	"github.com/portainer/portainer/pkg/libhttp/response"
-
-	"github.com/pkg/errors"
-)
-
-type helmUserRepositoryResponse struct {
-	GlobalRepository string                         `json:"GlobalRepository"`
-	UserRepositories []portainer.HelmUserRepository `json:"UserRepositories"`
-}
-
-type addHelmRepoUrlPayload struct {
-	URL string `json:"url"`
-}
-
-func (p *addHelmRepoUrlPayload) Validate(_ *http.Request) error {
-	return libhelm.ValidateHelmRepositoryURL(p.URL, nil)
-}
-
-// @id HelmUserRepositoryCreateDeprecated
-// @summary Create a user helm repository
-// @description Create a user helm repository.
-// @description **Access policy**: authenticated
-// @tags helm
-// @security ApiKeyAuth
-// @security jwt
-// @accept json
-// @produce json
-// @param id path int true "Environment(Endpoint) identifier"
-// @param payload body addHelmRepoUrlPayload true "Helm Repository"
-// @success 200 {object} portainer.HelmUserRepository "Success"
-// @failure 400 "Invalid request"
-// @failure 403 "Permission denied"
-// @failure 500 "Server error"
-// @deprecated
-// @router /endpoints/{id}/kubernetes/helm/repositories [post]
-func (handler *Handler) userCreateHelmRepo(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	tokenData, err := security.RetrieveTokenData(r)
-	if err != nil {
-		return httperror.InternalServerError("Unable to retrieve user authentication token", err)
-	}
-	userID := tokenData.ID
-
-	p := new(addHelmRepoUrlPayload)
-	err = request.DecodeAndValidateJSONPayload(r, p)
-	if err != nil {
-		return httperror.BadRequest("Invalid Helm repository URL", err)
-	}
-
-	// lowercase, remove trailing slash
-	p.URL = strings.TrimSuffix(strings.ToLower(p.URL), "/")
-
-	records, err := handler.dataStore.HelmUserRepository().HelmUserRepositoryByUserID(userID)
-	if err != nil {
-		return httperror.InternalServerError("Unable to access the DataStore", err)
-	}
-
-	// check if repo already exists - by doing case insensitive comparison
-	for _, record := range records {
-		if strings.EqualFold(record.URL, p.URL) {
-			errMsg := "Helm repo already registered for user"
-			return httperror.BadRequest(errMsg, errors.New(errMsg))
-		}
-	}
-
-	record := portainer.HelmUserRepository{
-		UserID: userID,
-		URL:    p.URL,
-	}
-
-	err = handler.dataStore.HelmUserRepository().Create(&record)
-	if err != nil {
-		return httperror.InternalServerError("Unable to save a user Helm repository URL", err)
-	}
-
-	return response.JSON(w, record)
-}
-
-// @id HelmUserRepositoriesListDeprecated
-// @summary List a users helm repositories
-// @description Inspect a user helm repositories.
-// @description **Access policy**: authenticated
-// @tags helm
-// @security ApiKeyAuth
-// @security jwt
-// @produce json
-// @param id path int true "User identifier"
-// @success 200 {object} helmUserRepositoryResponse "Success"
-// @failure 400 "Invalid request"
-// @failure 403 "Permission denied"
-// @failure 500 "Server error"
-// @deprecated
-// @router /endpoints/{id}/kubernetes/helm/repositories [get]
-func (handler *Handler) userGetHelmRepos(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	tokenData, err := security.RetrieveTokenData(r)
-	if err != nil {
-		return httperror.InternalServerError("Unable to retrieve user authentication token", err)
-	}
-	userID := tokenData.ID
-
-	settings, err := handler.dataStore.Settings().Settings()
-	if err != nil {
-		return httperror.InternalServerError("Unable to retrieve settings from the database", err)
-	}
-
-	userRepos, err := handler.dataStore.HelmUserRepository().HelmUserRepositoryByUserID(userID)
-	if err != nil {
-		return httperror.InternalServerError("Unable to get user Helm repositories", err)
-	}
-
-	resp := helmUserRepositoryResponse{
-		GlobalRepository: settings.HelmRepositoryURL,
-		UserRepositories: userRepos,
-	}
-
-	return response.JSON(w, resp)
-}

api/http/handler/kubernetes/application.go

@@ -69,7 +69,6 @@ func (handler *Handler) getApplicationsResources(w http.ResponseWriter, r *http.
 // @param id path int true "Environment(Endpoint) identifier"
 // @param namespace query string true "Namespace name"
 // @param nodeName query string true "Node name"
-// @param withDependencies query boolean false "Include dependencies in the response"
 // @success 200 {array} models.K8sApplication "Success"
 // @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
 // @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
@@ -117,12 +116,6 @@ func (handler *Handler) getAllKubernetesApplications(r *http.Request) ([]models.
 		return nil, httperror.BadRequest("Unable to parse the namespace query parameter", err)
 	}
 
-	withDependencies, err := request.RetrieveBooleanQueryParameter(r, "withDependencies", true)
-	if err != nil {
-		log.Error().Err(err).Str("context", "getAllKubernetesApplications").Msg("Unable to parse the withDependencies query parameter")
-		return nil, httperror.BadRequest("Unable to parse the withDependencies query parameter", err)
-	}
-
 	nodeName, err := request.RetrieveQueryParameter(r, "nodeName", true)
 	if err != nil {
 		log.Error().Err(err).Str("context", "getAllKubernetesApplications").Msg("Unable to parse the nodeName query parameter")
@@ -135,7 +128,7 @@ func (handler *Handler) getAllKubernetesApplications(r *http.Request) ([]models.
 		return nil, httperror.InternalServerError("Unable to get a Kubernetes client for the user", httpErr)
 	}
 
-	applications, err := cli.GetApplications(namespace, nodeName, withDependencies)
+	applications, err := cli.GetApplications(namespace, nodeName)
 	if err != nil {
 		if k8serrors.IsUnauthorized(err) {
 			log.Error().Err(err).Str("context", "getAllKubernetesApplications").Str("namespace", namespace).Str("nodeName", nodeName).Msg("Unable to get the list of applications")

api/http/handler/kubernetes/config.go

@@ -1,9 +1,14 @@
 package kubernetes
 
 import (
+	"crypto/x509"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"net/http"
+	"net/url"
+	"os"
+	"strings"
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/security"
@@ -162,11 +167,48 @@ func (handler *Handler) buildConfig(r *http.Request, tokenData *portainer.TokenD
 func (handler *Handler) buildCluster(r *http.Request, endpoint portainer.Endpoint, isInternal bool) clientV1.NamedCluster {
 	kubeConfigInternal := handler.kubeClusterAccessService.GetClusterDetails(r.Host, endpoint.ID, isInternal)
 
+	if isInternal {
+		return clientV1.NamedCluster{
+			Name: buildClusterName(endpoint.Name),
+			Cluster: clientV1.Cluster{
+				Server:                kubeConfigInternal.ClusterServerURL,
+				InsecureSkipTLSVerify: true,
+			},
+		}
+	}
+
+	selfSignedCert := false
+	serverUrl, err := url.Parse(kubeConfigInternal.ClusterServerURL)
+	if err != nil {
+		log.Warn().Err(err).Msg("Failed to parse server URL")
+	}
+
+	if strings.EqualFold(serverUrl.Scheme, "https") {
+		var certPem []byte
+		var err error
+
+		if kubeConfigInternal.CertificateAuthorityData != "" {
+			certPem = []byte(kubeConfigInternal.CertificateAuthorityData)
+		} else if kubeConfigInternal.CertificateAuthorityFile != "" {
+			certPem, err = os.ReadFile(kubeConfigInternal.CertificateAuthorityFile)
+			if err != nil {
+				log.Warn().Err(err).Msg("Failed to open certificate file")
+			}
+		}
+
+		if certPem != nil {
+			selfSignedCert, err = IsSelfSignedCertificate(certPem)
+			if err != nil {
+				log.Warn().Err(err).Msg("Failed to verify if certificate is self-signed")
+			}
+		}
+	}
+
 	return clientV1.NamedCluster{
 		Name: buildClusterName(endpoint.Name),
 		Cluster: clientV1.Cluster{
 			Server:                kubeConfigInternal.ClusterServerURL,
-			InsecureSkipTLSVerify: true,
+			InsecureSkipTLSVerify: selfSignedCert,
 		},
 	}
 }
@@ -215,3 +257,38 @@ func writeFileContent(w http.ResponseWriter, r *http.Request, endpoints []portai
 	w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; %s.json", filenameBase))
 	return response.JSON(w, config)
 }
+
+func IsSelfSignedCertificate(certPem []byte) (bool, error) {
+	if certPem == nil {
+		return false, errors.New("certificate data is empty")
+	}
+
+	if !strings.Contains(string(certPem), "BEGIN CERTIFICATE") {
+		certPem = []byte(fmt.Sprintf("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----", string(certPem)))
+	}
+
+	block, _ := pem.Decode(certPem)
+	if block == nil {
+		return false, errors.New("failed to decode certificate")
+	}
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return false, err
+	}
+
+	if cert.Issuer.String() != cert.Subject.String() {
+		return false, nil
+	}
+
+	roots := x509.NewCertPool()
+	roots.AddCert(cert)
+
+	opts := x509.VerifyOptions{
+		Roots:       roots,
+		CurrentTime: cert.NotBefore,
+	}
+
+	_, err = cert.Verify(opts)
+	return err == nil, err
+}

api/http/handler/kubernetes/config_test.go

@@ -0,0 +1,186 @@
+package kubernetes
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsSelfSignedCertificate(t *testing.T) {
+
+	tc := []struct {
+		name     string
+		cert     string
+		expected bool
+	}{
+		{
+			name: "portainer self-signed",
+			cert: `-----BEGIN CERTIFICATE-----
+MIIBUTCB+KADAgECAhBB7psNiJlJd/nRCCKUPVenMAoGCCqGSM49BAMCMAAwHhcN
+MjUwMzEzMDQwODI0WhcNMzAwMzEzMDQwODI0WjAAMFkwEwYHKoZIzj0CAQYIKoZI
+zj0DAQcDQgAESdGCaXq0r1GDxF89yKjjLeCIixiPDdXAg+lw4NqAWeJq2AOo+8IH
+vcCq9bSlYlezK8RzTsbf9Z1m5jRqUEbSjqNUMFIwDgYDVR0PAQH/BAQDAgWgMBMG
+A1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0RAQH/BBMwEYIJ
+bG9jYWxob3N0hwQAAAAAMAoGCCqGSM49BAMCA0gAMEUCIApLliukFaCZHbc/2pkH
+0VDY+fBMb12jhmVpgKh1Cqg9AiEAwFrMQLUkzATUpiHuukdUg5VsUiMIkWTPLglz
+E4+1dRc=
+-----END CERTIFICATE-----
+`,
+			expected: true,
+		},
+		{
+			name:     "portainer self-signed without header",
+			cert:     `MIIBUzCB+aADAgECAhEAjsskPzuCS5BeHjXGwYqc2jAKBggqhkjOPQQDAjAAMB4XDTI1MDMxMzA0MzQyNloXDTMwMDMxMzA0MzQyNlowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABITD+dNDLYQbLYDE3UMlTzD61OYRSVkVZspdp1MvZITIG4VOxtfQUqcW3P7OHQdoi52GIQ/GM6iDgxwB1BOyi3mjVDBSMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB0GA1UdEQEB/wQTMBGCCWxvY2FsaG9zdIcEAAAAADAKBggqhkjOPQQDAgNJADBGAiEA8SmyeYLhrnrNLAFcxZp0dk6nMN70XVAfqGnbK/s8NR8CIQDgQdqhfge8QvN2TsH4gg98a9VHDv+RlcOlJ80SS+G/Ww==`,
+			expected: true,
+		},
+		{
+			name: "custom certificate generated by openssl",
+			cert: `-----BEGIN CERTIFICATE-----
+MIIB9TCCAZugAwIBAgIULTkNYfYHiqfOiX7mKOIGxRefx/YwCgYIKoZIzj0EAwIw
+SDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp
+c2NvMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0yNTAyMjgwNjI3MDBaFw0zNTAy
+MjYwNjI3MDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT3WlLvbGw7wPkQ
+3LuHFJEaNrDv3n359JMV1CkjQi3U37u0fJrjd+8o7TxPBYgt9HDD9vsURhy41DNo
+g71F2AIto4GqMIGnMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU+nMxx/VCE9fzrlHI
+FX9mF5SRPrkwHwYDVR0jBBgwFoAUOlUIToGwnBOqzZ1dBfOvdKbwNaAwKAYDVR0R
+AQH/BB4wHIIaZWRnZS4xNzIuMTcuMjIxLjIwOC5uaXAuaW8wCgYIKoZIzj0EAwID
+SAAwRQIgeYrkjY0z/ypMKXZbvbMi8qOK44qoISKkSErBUCBLuwoCIQDRaJA9r931
+utpXXnysVGecVXHHKOOl1YhWglmuPvcZhw==
+-----END CERTIFICATE-----`,
+			expected: false,
+		},
+		{
+			name: "google.com certificate",
+			cert: `-----BEGIN CERTIFICATE-----
+MIIOITCCDQmgAwIBAgIQKS0IQxknY8USDjt3IYchljANBgkqhkiG9w0BAQsFADA7
+MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNlcnZpY2VzMQww
+CgYDVQQDEwNXUjIwHhcNMjUwMjI2MTUzMjU1WhcNMjUwNTIxMTUzMjU0WjAXMRUw
+EwYDVQQDDAwqLmdvb2dsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARx
+nMOmIG3BuO7my/BbF/rGPAMH/JbxBDufbYFQHV+6l5pF5sdT/Zov3X+qsR3IYFl7
+F2a0gAUmK1Bq7//zTb3uo4IMDjCCDAowDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFN+aEjBz3PaUtelz
+3g9rVTkGRgU0MB8GA1UdIwQYMBaAFN4bHu15FdQ+NyTDIbvsNDltQrIwMFgGCCsG
+AQUFBwEBBEwwSjAhBggrBgEFBQcwAYYVaHR0cDovL28ucGtpLmdvb2cvd3IyMCUG
+CCsGAQUFBzAChhlodHRwOi8vaS5wa2kuZ29vZy93cjIuY3J0MIIJ5AYDVR0RBIIJ
+2zCCCdeCDCouZ29vZ2xlLmNvbYIWKi5hcHBlbmdpbmUuZ29vZ2xlLmNvbYIJKi5i
+ZG4uZGV2ghUqLm9yaWdpbi10ZXN0LmJkbi5kZXaCEiouY2xvdWQuZ29vZ2xlLmNv
+bYIYKi5jcm93ZHNvdXJjZS5nb29nbGUuY29tghgqLmRhdGFjb21wdXRlLmdvb2ds
+ZS5jb22CCyouZ29vZ2xlLmNhggsqLmdvb2dsZS5jbIIOKi5nb29nbGUuY28uaW6C
+DiouZ29vZ2xlLmNvLmpwgg4qLmdvb2dsZS5jby51a4IPKi5nb29nbGUuY29tLmFy
+gg8qLmdvb2dsZS5jb20uYXWCDyouZ29vZ2xlLmNvbS5icoIPKi5nb29nbGUuY29t
+LmNvgg8qLmdvb2dsZS5jb20ubXiCDyouZ29vZ2xlLmNvbS50coIPKi5nb29nbGUu
+Y29tLnZuggsqLmdvb2dsZS5kZYILKi5nb29nbGUuZXOCCyouZ29vZ2xlLmZyggsq
+Lmdvb2dsZS5odYILKi5nb29nbGUuaXSCCyouZ29vZ2xlLm5sggsqLmdvb2dsZS5w
+bIILKi5nb29nbGUucHSCDyouZ29vZ2xlYXBpcy5jboIRKi5nb29nbGV2aWRlby5j
+b22CDCouZ3N0YXRpYy5jboIQKi5nc3RhdGljLWNuLmNvbYIPZ29vZ2xlY25hcHBz
+LmNughEqLmdvb2dsZWNuYXBwcy5jboIRZ29vZ2xlYXBwcy1jbi5jb22CEyouZ29v
+Z2xlYXBwcy1jbi5jb22CDGdrZWNuYXBwcy5jboIOKi5na2VjbmFwcHMuY26CEmdv
+b2dsZWRvd25sb2Fkcy5jboIUKi5nb29nbGVkb3dubG9hZHMuY26CEHJlY2FwdGNo
+YS5uZXQuY26CEioucmVjYXB0Y2hhLm5ldC5jboIQcmVjYXB0Y2hhLWNuLm5ldIIS
+Ki5yZWNhcHRjaGEtY24ubmV0ggt3aWRldmluZS5jboINKi53aWRldmluZS5jboIR
+YW1wcHJvamVjdC5vcmcuY26CEyouYW1wcHJvamVjdC5vcmcuY26CEWFtcHByb2pl
+Y3QubmV0LmNughMqLmFtcHByb2plY3QubmV0LmNughdnb29nbGUtYW5hbHl0aWNz
+LWNuLmNvbYIZKi5nb29nbGUtYW5hbHl0aWNzLWNuLmNvbYIXZ29vZ2xlYWRzZXJ2
+aWNlcy1jbi5jb22CGSouZ29vZ2xlYWRzZXJ2aWNlcy1jbi5jb22CEWdvb2dsZXZh
+ZHMtY24uY29tghMqLmdvb2dsZXZhZHMtY24uY29tghFnb29nbGVhcGlzLWNuLmNv
+bYITKi5nb29nbGVhcGlzLWNuLmNvbYIVZ29vZ2xlb3B0aW1pemUtY24uY29tghcq
+Lmdvb2dsZW9wdGltaXplLWNuLmNvbYISZG91YmxlY2xpY2stY24ubmV0ghQqLmRv
+dWJsZWNsaWNrLWNuLm5ldIIYKi5mbHMuZG91YmxlY2xpY2stY24ubmV0ghYqLmcu
+ZG91YmxlY2xpY2stY24ubmV0gg5kb3VibGVjbGljay5jboIQKi5kb3VibGVjbGlj
+ay5jboIUKi5mbHMuZG91YmxlY2xpY2suY26CEiouZy5kb3VibGVjbGljay5jboIR
+ZGFydHNlYXJjaC1jbi5uZXSCEyouZGFydHNlYXJjaC1jbi5uZXSCHWdvb2dsZXRy
+YXZlbGFkc2VydmljZXMtY24uY29tgh8qLmdvb2dsZXRyYXZlbGFkc2VydmljZXMt
+Y24uY29tghhnb29nbGV0YWdzZXJ2aWNlcy1jbi5jb22CGiouZ29vZ2xldGFnc2Vy
+dmljZXMtY24uY29tghdnb29nbGV0YWdtYW5hZ2VyLWNuLmNvbYIZKi5nb29nbGV0
+YWdtYW5hZ2VyLWNuLmNvbYIYZ29vZ2xlc3luZGljYXRpb24tY24uY29tghoqLmdv
+b2dsZXN5bmRpY2F0aW9uLWNuLmNvbYIkKi5zYWZlZnJhbWUuZ29vZ2xlc3luZGlj
+YXRpb24tY24uY29tghZhcHAtbWVhc3VyZW1lbnQtY24uY29tghgqLmFwcC1tZWFz
+dXJlbWVudC1jbi5jb22CC2d2dDEtY24uY29tgg0qLmd2dDEtY24uY29tggtndnQy
+LWNuLmNvbYINKi5ndnQyLWNuLmNvbYILMm1kbi1jbi5uZXSCDSouMm1kbi1jbi5u
+ZXSCFGdvb2dsZWZsaWdodHMtY24ubmV0ghYqLmdvb2dsZWZsaWdodHMtY24ubmV0
+ggxhZG1vYi1jbi5jb22CDiouYWRtb2ItY24uY29tghRnb29nbGVzYW5kYm94LWNu
+LmNvbYIWKi5nb29nbGVzYW5kYm94LWNuLmNvbYIeKi5zYWZlbnVwLmdvb2dsZXNh
+bmRib3gtY24uY29tgg0qLmdzdGF0aWMuY29tghQqLm1ldHJpYy5nc3RhdGljLmNv
+bYIKKi5ndnQxLmNvbYIRKi5nY3BjZG4uZ3Z0MS5jb22CCiouZ3Z0Mi5jb22CDiou
+Z2NwLmd2dDIuY29tghAqLnVybC5nb29nbGUuY29tghYqLnlvdXR1YmUtbm9jb29r
+aWUuY29tggsqLnl0aW1nLmNvbYILYW5kcm9pZC5jb22CDSouYW5kcm9pZC5jb22C
+EyouZmxhc2guYW5kcm9pZC5jb22CBGcuY26CBiouZy5jboIEZy5jb4IGKi5nLmNv
+ggZnb28uZ2yCCnd3dy5nb28uZ2yCFGdvb2dsZS1hbmFseXRpY3MuY29tghYqLmdv
+b2dsZS1hbmFseXRpY3MuY29tggpnb29nbGUuY29tghJnb29nbGVjb21tZXJjZS5j
+b22CFCouZ29vZ2xlY29tbWVyY2UuY29tgghnZ3BodC5jboIKKi5nZ3BodC5jboIK
+dXJjaGluLmNvbYIMKi51cmNoaW4uY29tggh5b3V0dS5iZYILeW91dHViZS5jb22C
+DSoueW91dHViZS5jb22CEW11c2ljLnlvdXR1YmUuY29tghMqLm11c2ljLnlvdXR1
+YmUuY29tghR5b3V0dWJlZWR1Y2F0aW9uLmNvbYIWKi55b3V0dWJlZWR1Y2F0aW9u
+LmNvbYIPeW91dHViZWtpZHMuY29tghEqLnlvdXR1YmVraWRzLmNvbYIFeXQuYmWC
+ByoueXQuYmWCGmFuZHJvaWQuY2xpZW50cy5nb29nbGUuY29tghMqLmFuZHJvaWQu
+Z29vZ2xlLmNughIqLmNocm9tZS5nb29nbGUuY26CFiouZGV2ZWxvcGVycy5nb29n
+bGUuY26CFSouYWlzdHVkaW8uZ29vZ2xlLmNvbTATBgNVHSAEDDAKMAgGBmeBDAEC
+ATA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vYy5wa2kuZ29vZy93cjIvb0JGWVlh
+aHpnVkkuY3JsMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcAzxFW7tUufK/zh1vZ
+aS6b6RpxZ0qwF+ysAdJbd87MOwgAAAGVQxqxaQAABAMASDBGAiEAk6r74vfyJIaa
+hYTWqNRsjl/RpCWq/wyzzMi21zgGmfkCIQCZafyS/fl0tiutICL9aOSnDBRfPYqd
+CeNqKOy11EjvigB1AN6FgddQJHxrzcuvVjfF54HGTORu1hdjn480pybJ4r03AAAB
+lUMasUkAAAQDAEYwRAIgYfG2iyRnmn8MI86RFDxOQW1/IOBAjQxNfIQ8toZlZkoC
+IA1BHw7cqmlTP7Ks+ebX6hGfNlVsgTQS8iYyKL5/BSvTMA0GCSqGSIb3DQEBCwUA
+A4IBAQAYSNtoW72rqhPfjV5Ug1ENbbimfqmqiJS4JdzaEFRpftzachTuvx8relaY
++7FAz5y4YULu9LGNjpBRYW8yW9pgfWyc53CCHSkDODguUOMCRo3hdglxZ2d5pJ/8
+TQY4zRBd8OHzOAx2kH6jLEj9I0nDie3vowSYm7FCBRLjzfForRNQWmzPu+5hS3De
+QM0R2jWpmPcG3ffQ5qQwnAQnP9HCK9oEZ5cFqLvOQWfttj/rzKOz856iSEoRpf8S
+wVFRu3Uv2TXQ6UYF2cDfiWCe6/mO35CIynC6FVkunze/Q/2rtaCDttLRYZcLllj8
+PSl7nmLhtqDlO7da/S34BFiyyRjN
+-----END CERTIFICATE-----
+`,
+			expected: false,
+		},
+		{
+			name: "let's encrypt certificate",
+			cert: `-----BEGIN CERTIFICATE-----
+MIIGMjCCBRqgAwIBAgISBVHH05rEMkaCuDQvABDjiam0MA0GCSqGSIb3DQEBCwUA
+MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
+EwNSMTAwHhcNMjUwMzEzMDIyMzE2WhcNMjUwNjExMDIyMzE1WjAkMSIwIAYDVQQD
+Exlvei1kZW1vLnBvcnRhaW5lcmNsb3VkLmlvMIICIjANBgkqhkiG9w0BAQEFAAOC
+Ag8AMIICCgKCAgEAwNCcr9azSaldEwgL54bQScuWBnmw3FMHgEATxDVp2MEawQkV
+I3VScUcJWBnlHlb7TUanRC/c/vJGbzc+KDuCRTZ2/Ob2yQ9G5mZjGttBAnBSQPpV
+arEEBFCClhVBn4LhLNmIsCjCy25+m0HY/dwWbKjTMT/KxpTa3L3mdmIFa7XNs6W2
+vEZGwYM+2JPMJ9DwemVrrrvRqd5vLWTZcWvWJQ7HMfw3PoELpeqyycmxDqd9PCMz
+yMp8q3UwLDur3+KfDXGtGOoubxcOuJrpemOe8JeM5cEYEhvOy8D16zmWwWYDT19D
+ElFfUbM0GGITpJ41Qie03DvmI0hDYDqTEZfKza967VsvD7K9bFgLHmHdv7gLNutB
+FConpziNqslapWwQ5j7bKircxKjRQVkOiXH48m2IUzylqWgJPVMvHukRu0YVnvbt
+Q53xNVZQEbjvZmIuz8jqo22Y/1Jr7Plnb1lUvvDznA58MHT0KA4LSZwk9tvMJJCw
+vh7AoWB6/Jnl8QVnApOdCa6M/An128rBwgrCmp0wSvhMecTkWC8/gsah0Q5wKFL3
+ziBth728Qy8RlNghRUw88e/y4pdGHN8egjK1NpdgsvTFdRNQ8qwu0lx9pO3b6TNQ
+qDG5pirXjS/DhPYvZtJRDK6SMTHJNm+0NGdWB8qpNssFrU6u2cRl0533LtECAwEA
+AaOCAk0wggJJMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
+KwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUiQi/3pZamfPxRGPI8DTZ
+tej1494wHwYDVR0jBBgwFoAUu7zDR6XkvKnGw6RyDBCNojXhyOgwVwYIKwYBBQUH
+AQEESzBJMCIGCCsGAQUFBzABhhZodHRwOi8vcjEwLm8ubGVuY3Iub3JnMCMGCCsG
+AQUFBzAChhdodHRwOi8vcjEwLmkubGVuY3Iub3JnLzAkBgNVHREEHTAbghlvei1k
+ZW1vLnBvcnRhaW5lcmNsb3VkLmlvMBMGA1UdIAQMMAowCAYGZ4EMAQIBMC4GA1Ud
+HwQnMCUwI6AhoB+GHWh0dHA6Ly9yMTAuYy5sZW5jci5vcmcvNTMuY3JsMIIBBAYK
+KwYBBAHWeQIEAgSB9QSB8gDwAHcAzPsPaoVxCWX+lZtTzumyfCLphVwNl422qX5U
+wP5MDbAAAAGVjYW7/QAABAMASDBGAiEA8CjMOIj7wqQ60BX22A5pDkA23IxZPzwV
+1MF5+VSgdqgCIQCZhry5AK2VyZX/cIODEl6eHBCUWS4vHB+J8RxeclKCpAB1AKLj
+CuRF772tm3447Udnd1PXgluElNcrXhssxLlQpEfnAAABlY2Fu/QAAAQDAEYwRAIg
+bwjJgZJew/1LoL9yzDD1P4Xkd8ezFucxfU3AzlV1XEYCIH5RPyW1HP9GSr+aAx+I
+o3inVl1NagJFYiApAPvFmIEgMA0GCSqGSIb3DQEBCwUAA4IBAQATJWi1sJSBstO+
+hyH7DsrAtDhiQTOWzUZezBlgCn8hfmA3nX5uKsHyxPPPEQ/GFYOltRD/+34X9kFF
+YNzUjJOP0bGk45I1JbspxRRvtbDpk0+dj2VE2toM8vLRDz3+DB4YB2lFofYlex++
+16xFzOIE+ZW41qBs3G8InsyHADsaFY2CQ9re/kZvenptU/ax1U2a21JJ3TT2DmXW
+AHZYQ5/whVIowsebw1e28I12VhLl2BKn7v4MpCn3GUzBBQAEbJ6TIjHtFKWWnVfH
+FisaUX6N4hMzGZVJOsbH4QVBGuNwUshHiD8MSpbans2w+T4bCe11XayerqxFhTao
+w/pjiPVy
+-----END CERTIFICATE-----
+`,
+			expected: false,
+		},
+	}
+
+	for _, tt := range tc {
+		t.Run(tt.name, func(t *testing.T) {
+			actual, err := IsSelfSignedCertificate([]byte(tt.cert))
+			assert.NoError(t, err)
+			assert.Equal(t, tt.expected, actual)
+		})
+	}
+}

api/http/handler/kubernetes/configmaps.go

@@ -146,13 +146,11 @@ func (handler *Handler) getAllKubernetesConfigMaps(r *http.Request) ([]models.K8
 	}
 
 	if isUsed {
-		configMapsWithApplications, err := cli.CombineConfigMapsWithApplications(configMaps)
+		err = cli.SetConfigMapsIsUsed(&configMaps)
 		if err != nil {
 			log.Error().Err(err).Str("context", "getAllKubernetesConfigMaps").Msg("Unable to combine configMaps with associated applications")
 			return nil, httperror.InternalServerError("Unable to combine configMaps with associated applications", err)
 		}
-
-		return configMapsWithApplications, nil
 	}
 
 	return configMaps, nil

api/http/handler/kubernetes/deprecated_routes.go

@@ -36,11 +36,14 @@ func deprecatedNamespaceParser(w http.ResponseWriter, r *http.Request) (string,
 
 	// Restore the original body for further use
 	bodyBytes, err := io.ReadAll(r.Body)
+	if err != nil {
+		return "", httperror.InternalServerError("Unable to read request body", err)
+	}
+
 	r.Body = io.NopCloser(bytes.NewBuffer(bodyBytes))
 
 	payload := models.K8sNamespaceDetails{}
-	err = request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
+	if err := request.DecodeAndValidateJSONPayload(r, &payload); err != nil {
 		return "", httperror.BadRequest("Invalid request. Unable to parse namespace payload", err)
 	}
 	namespaceName := payload.Name

api/http/handler/kubernetes/describe.go

@@ -0,0 +1,73 @@
+package kubernetes
+
+import (
+	"net/http"
+
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/libhttp/response"
+	"github.com/portainer/portainer/pkg/libkubectl"
+	"github.com/rs/zerolog/log"
+)
+
+type describeResourceResponse struct {
+	Describe string `json:"describe"`
+}
+
+// @id DescribeResource
+// @summary Get a description of a kubernetes resource
+// @description Get a description of a kubernetes resource.
+// @description **Access policy**: Authenticated user.
+// @tags kubernetes
+// @security ApiKeyAuth || jwt
+// @produce json
+// @param id path int true "Environment identifier"
+// @param name query string true "Resource name"
+// @param kind query string true "Resource kind"
+// @param namespace query string false "Namespace"
+// @success 200 {object} describeResourceResponse "Success"
+// @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
+// @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
+// @failure 403 "Permission denied - the user is authenticated but does not have the necessary permissions to access the requested resource or perform the specified operation. Check your user roles and permissions."
+// @failure 404 "Unable to find an environment with the specified identifier."
+// @failure 500 "Server error occurred while attempting to retrieve resource description"
+// @router /kubernetes/{id}/describe [get]
+func (handler *Handler) describeResource(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	name, err := request.RetrieveQueryParameter(r, "name", false)
+	if err != nil {
+		log.Error().Err(err).Str("context", "describeResource").Msg("Invalid query parameter name")
+		return httperror.BadRequest("an error occurred during the describeResource operation, invalid query parameter name. Error: ", err)
+	}
+
+	kind, err := request.RetrieveQueryParameter(r, "kind", false)
+	if err != nil {
+		log.Error().Err(err).Str("context", "describeResource").Msg("Invalid query parameter kind")
+		return httperror.BadRequest("an error occurred during the describeResource operation, invalid query parameter kind. Error: ", err)
+	}
+
+	namespace, err := request.RetrieveQueryParameter(r, "namespace", true)
+	if err != nil {
+		log.Error().Err(err).Str("context", "describeResource").Msg("Invalid query parameter namespace")
+		return httperror.BadRequest("an error occurred during the describeResource operation, invalid query parameter namespace. Error: ", err)
+	}
+
+	// fetches the token and the correct server URL for the endpoint, similar to getHelmClusterAccess
+	libKubectlAccess, err := handler.getLibKubectlAccess(r)
+	if err != nil {
+		return httperror.InternalServerError("an error occurred during the describeResource operation, failed to get libKubectlAccess. Error: ", err)
+	}
+
+	client, err := libkubectl.NewClient(libKubectlAccess, namespace, "", true)
+	if err != nil {
+		log.Error().Err(err).Str("context", "describeResource").Msg("Failed to create kubernetes client")
+		return httperror.InternalServerError("an error occurred during the describeResource operation, failed to create kubernetes client. Error: ", err)
+	}
+
+	out, err := client.Describe(namespace, name, kind)
+	if err != nil {
+		log.Error().Err(err).Str("context", "describeResource").Msg("Failed to describe kubernetes resource")
+		return httperror.InternalServerError("an error occurred during the describeResource operation, failed to describe kubernetes resource. Error: ", err)
+	}
+
+	return response.JSON(w, describeResourceResponse{Describe: out})
+}

api/http/handler/kubernetes/handler.go

@@ -15,6 +15,7 @@ import (
 	"github.com/portainer/portainer/api/kubernetes/cli"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/libkubectl"
 	"github.com/rs/zerolog/log"
 
 	"github.com/gorilla/mux"
@@ -102,6 +103,7 @@ func NewHandler(bouncer security.BouncerService, authorizationService *authoriza
 	endpointRouter.Handle("/cluster_roles/delete", httperror.LoggerHandler(h.deleteClusterRoles)).Methods(http.MethodPost)
 	endpointRouter.Handle("/cluster_role_bindings", httperror.LoggerHandler(h.getAllKubernetesClusterRoleBindings)).Methods(http.MethodGet)
 	endpointRouter.Handle("/cluster_role_bindings/delete", httperror.LoggerHandler(h.deleteClusterRoleBindings)).Methods(http.MethodPost)
+	endpointRouter.Handle("/describe", httperror.LoggerHandler(h.describeResource)).Methods(http.MethodGet)
 
 	// namespaces
 	// in the future this piece of code might be in another package (or a few different packages - namespaces/namespace?)
@@ -269,3 +271,36 @@ func (handler *Handler) kubeClientMiddleware(next http.Handler) http.Handler {
 		next.ServeHTTP(w, r)
 	})
 }
+
+func (handler *Handler) getLibKubectlAccess(r *http.Request) (*libkubectl.ClientAccess, error) {
+	tokenData, err := security.RetrieveTokenData(r)
+	if err != nil {
+		return nil, httperror.InternalServerError("Unable to retrieve user authentication token", err)
+	}
+
+	bearerToken, _, err := handler.JwtService.GenerateToken(tokenData)
+	if err != nil {
+		return nil, httperror.Unauthorized("Unauthorized", err)
+	}
+
+	endpoint, err := middlewares.FetchEndpoint(r)
+	if err != nil {
+		return nil, httperror.InternalServerError("Unable to find the Kubernetes endpoint associated to the request.", err)
+	}
+
+	sslSettings, err := handler.DataStore.SSLSettings().Settings()
+	if err != nil {
+		return nil, httperror.InternalServerError("Unable to retrieve settings from the database", err)
+	}
+
+	hostURL := "localhost"
+	if !sslSettings.SelfSigned {
+		hostURL = r.Host
+	}
+
+	kubeConfigInternal := handler.kubeClusterAccessService.GetClusterDetails(hostURL, endpoint.ID, true)
+	return &libkubectl.ClientAccess{
+		Token:     bearerToken,
+		ServerUrl: kubeConfigInternal.ClusterServerURL,
+	}, nil
+}

api/http/handler/kubernetes/secrets.go

@@ -130,13 +130,11 @@ func (handler *Handler) getAllKubernetesSecrets(r *http.Request) ([]models.K8sSe
 	}
 
 	if isUsed {
-		secretsWithApplications, err := cli.CombineSecretsWithApplications(secrets)
+		err = cli.SetSecretsIsUsed(&secrets)
 		if err != nil {
 			log.Error().Err(err).Str("context", "GetAllKubernetesSecrets").Msg("Unable to combine secrets with associated applications")
 			return nil, httperror.InternalServerError("unable to combine secrets with associated applications. Error: ", err)
 		}
-
-		return secretsWithApplications, nil
 	}
 
 	return secrets, nil

api/http/handler/stacks/handler.go

@@ -11,7 +11,6 @@ import (
 	"github.com/portainer/portainer/api/dataservices"
 	dockerclient "github.com/portainer/portainer/api/docker/client"
 	"github.com/portainer/portainer/api/docker/consts"
-	"github.com/portainer/portainer/api/http/middlewares"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
 	"github.com/portainer/portainer/api/internal/endpointutils"
@@ -62,8 +61,6 @@ func NewHandler(bouncer security.BouncerService) *Handler {
 
 	h.Handle("/stacks/create/{type}/{method}",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackCreate))).Methods(http.MethodPost)
-	h.Handle("/stacks",
-		bouncer.AuthenticatedAccess(middlewares.Deprecated(h, deprecatedStackCreateUrlParser))).Methods(http.MethodPost) // Deprecated
 	h.Handle("/stacks",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackList))).Methods(http.MethodGet)
 	h.Handle("/stacks/{id}",

api/http/handler/stacks/stack_create.go

@@ -1,7 +1,6 @@
 package stacks
 
 import (
-	"fmt"
 	"net/http"
 
 	portainer "github.com/portainer/portainer/api"
@@ -141,53 +140,3 @@ func (handler *Handler) decorateStackResponse(w http.ResponseWriter, stack *port
 
 	return response.JSON(w, stack)
 }
-
-func getStackTypeFromQueryParameter(r *http.Request) (string, error) {
-	stackType, err := request.RetrieveNumericQueryParameter(r, "type", false)
-	if err != nil {
-		return "", err
-	}
-
-	switch stackType {
-	case 1:
-		return "swarm", nil
-	case 2:
-		return "standalone", nil
-	case 3:
-		return "kubernetes", nil
-	}
-
-	return "", errors.New(request.ErrInvalidQueryParameter)
-}
-
-// @id StackCreate
-// @summary Deploy a new stack
-// @description Deploy a new stack into a Docker environment(endpoint) specified via the environment(endpoint) identifier.
-// @description **Access policy**: authenticated
-// @tags stacks
-// @security ApiKeyAuth
-// @security jwt
-// @accept json,multipart/form-data
-// @produce json
-// @param type query int true "Stack deployment type. Possible values: 1 (Swarm stack), 2 (Compose stack) or 3 (Kubernetes stack)." Enums(1,2,3)
-// @param method query string true "Stack deployment method. Possible values: file, string, repository or url." Enums(string, file, repository, url)
-// @param endpointId query int true "Identifier of the environment(endpoint) that will be used to deploy the stack"
-// @param body body object true "for body documentation see the relevant /stacks/create/{type}/{method} endpoint"
-// @success 200 {object} portainer.Stack
-// @failure 400 "Invalid request"
-// @failure 500 "Server error"
-// @deprecated
-// @router /stacks [post]
-func deprecatedStackCreateUrlParser(w http.ResponseWriter, r *http.Request) (string, *httperror.HandlerError) {
-	method, err := request.RetrieveQueryParameter(r, "method", false)
-	if err != nil {
-		return "", httperror.BadRequest("Invalid query parameter: method. Valid values are: file or string", err)
-	}
-
-	stackType, err := getStackTypeFromQueryParameter(r)
-	if err != nil {
-		return "", httperror.BadRequest("Invalid query parameter: type", err)
-	}
-
-	return fmt.Sprintf("/stacks/create/%s/%s", stackType, method), nil
-}

api/http/handler/system/handler.go

@@ -59,10 +59,6 @@ func NewHandler(bouncer security.BouncerService,
 	// Deprecated /status endpoint, will be removed in the future.
 	h.Handle("/status",
 		bouncer.PublicAccess(httperror.LoggerHandler(h.statusInspectDeprecated))).Methods(http.MethodGet)
-	h.Handle("/status/version",
-		bouncer.AuthenticatedAccess(http.HandlerFunc(h.versionDeprecated))).Methods(http.MethodGet)
-	h.Handle("/status/nodes",
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.statusNodesCountDeprecated))).Methods(http.MethodGet)
 
 	return h
 }

api/http/handler/system/nodes_count.go

@@ -8,8 +8,6 @@ import (
 	"github.com/portainer/portainer/api/internal/snapshot"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/response"
-
-	"github.com/rs/zerolog/log"
 )
 
 type nodesCountResponse struct {
@@ -35,7 +33,7 @@ func (handler *Handler) systemNodesCount(w http.ResponseWriter, r *http.Request)
 	var nodes int
 
 	for _, endpoint := range endpoints {
-		if err := snapshot.FillSnapshotData(handler.dataStore, &endpoint); err != nil {
+		if err := snapshot.FillSnapshotData(handler.dataStore, &endpoint, false); err != nil {
 			return httperror.InternalServerError("Unable to add snapshot data", err)
 		}
 
@@ -44,21 +42,3 @@ func (handler *Handler) systemNodesCount(w http.ResponseWriter, r *http.Request)
 
 	return response.JSON(w, &nodesCountResponse{Nodes: nodes})
 }
-
-// @id statusNodesCount
-// @summary Retrieve the count of nodes
-// @deprecated
-// @description Deprecated: use the `/system/nodes` endpoint instead.
-// @description **Access policy**: authenticated
-// @security ApiKeyAuth
-// @security jwt
-// @tags status
-// @produce json
-// @success 200 {object} nodesCountResponse "Success"
-// @failure 500 "Server error"
-// @router /status/nodes [get]
-func (handler *Handler) statusNodesCountDeprecated(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	log.Warn().Msg("The /status/nodes endpoint is deprecated, please use the /system/nodes endpoint instead")
-
-	return handler.systemNodesCount(w, r)
-}

api/http/handler/system/system_info.go

@@ -3,6 +3,7 @@ package system
 import (
 	"net/http"
 
+	"github.com/pkg/errors"
 	"github.com/portainer/portainer/api/internal/endpointutils"
 	plf "github.com/portainer/portainer/api/platform"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
@@ -46,7 +47,12 @@ func (handler *Handler) systemInfo(w http.ResponseWriter, r *http.Request) *http
 
 	platform, err := handler.platformService.GetPlatform()
 	if err != nil {
-		return httperror.InternalServerError("Failed to get platform", err)
+		if !errors.Is(err, plf.ErrNoLocalEnvironment) {
+			return httperror.InternalServerError("Failed to get platform", err)
+		}
+		// If no local environment is detected, we assume the platform is Docker
+		// UI will stop showing the upgrade banner
+		platform = plf.PlatformDocker
 	}
 
 	return response.JSON(w, &systemInfoResponse{

api/http/handler/system/system_upgrade.go

@@ -4,6 +4,7 @@ import (
 	"net/http"
 	"regexp"
 
+	ceplf "github.com/portainer/portainer/api/platform"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
@@ -45,6 +46,9 @@ func (handler *Handler) systemUpgrade(w http.ResponseWriter, r *http.Request) *h
 
 	environment, err := handler.platformService.GetLocalEnvironment()
 	if err != nil {
+		if errors.Is(err, ceplf.ErrNoLocalEnvironment) {
+			return httperror.NotFound("The system upgrade feature is disabled because no local environment was detected.", err)
+		}
 		return httperror.InternalServerError("Failed to get local environment", err)
 	}
 
@@ -53,8 +57,7 @@ func (handler *Handler) systemUpgrade(w http.ResponseWriter, r *http.Request) *h
 		return httperror.InternalServerError("Failed to get platform", err)
 	}
 
-	err = handler.upgradeService.Upgrade(platform, environment, payload.License)
-	if err != nil {
+	if err := handler.upgradeService.Upgrade(platform, environment, payload.License); err != nil {
 		return httperror.InternalServerError("Failed to upgrade Portainer", err)
 	}
 

api/http/handler/system/version.go

@@ -106,21 +106,3 @@ func HasNewerVersion(currentVersion, latestVersion string) bool {
 
 	return currentVersionSemver.LessThan(*latestVersionSemver)
 }
-
-// @id Version
-// @summary Check for portainer updates
-// @deprecated
-// @description Deprecated: use the `/system/version` endpoint instead.
-// @description Check if portainer has an update available
-// @description **Access policy**: authenticated
-// @security ApiKeyAuth
-// @security jwt
-// @tags status
-// @produce json
-// @success 200 {object} versionResponse "Success"
-// @router /status/version [get]
-func (handler *Handler) versionDeprecated(w http.ResponseWriter, r *http.Request) {
-	log.Warn().Msg("The /status/version endpoint is deprecated, please use the /system/version endpoint instead")
-
-	handler.version(w, r)
-}

api/http/handler/tags/tag_delete.go

@@ -133,10 +133,17 @@ func deleteTag(tx dataservices.DataStoreTx, tagID portainer.TagID) error {
 
 func updateEndpointRelations(tx dataservices.DataStoreTx, endpoint portainer.Endpoint, edgeGroups []portainer.EdgeGroup, edgeStacks []portainer.EdgeStack) error {
 	endpointRelation, err := tx.EndpointRelation().EndpointRelation(endpoint.ID)
-	if err != nil {
+	if err != nil && !tx.IsErrObjectNotFound(err) {
 		return err
 	}
 
+	if endpointRelation == nil {
+		endpointRelation = &portainer.EndpointRelation{
+			EndpointID: endpoint.ID,
+			EdgeStacks: make(map[portainer.EdgeStackID]bool),
+		}
+	}
+
 	endpointGroup, err := tx.EndpointGroup().Read(endpoint.GroupID)
 	if err != nil {
 		return err
@@ -147,6 +154,7 @@ func updateEndpointRelations(tx dataservices.DataStoreTx, endpoint portainer.End
 	for _, edgeStackID := range endpointStacks {
 		stacksSet[edgeStackID] = true
 	}
+
 	endpointRelation.EdgeStacks = stacksSet
 
 	return tx.EndpointRelation().UpdateEndpointRelation(endpoint.ID, endpointRelation)

api/http/handler/teammemberships/teammembership_create.go

@@ -45,7 +45,6 @@ func (payload *teamMembershipCreatePayload) Validate(r *http.Request) error {
 // @produce json
 // @param body body teamMembershipCreatePayload true "Team membership details"
 // @success 200 {object} portainer.TeamMembership "Success"
-// @success 204 "Success"
 // @failure 400 "Invalid request"
 // @failure 403 "Permission denied to manage memberships"
 // @failure 409 "Team membership already registered"

api/http/handler/teams/team_inspect.go

@@ -21,7 +21,6 @@ import (
 // @produce json
 // @param id path int true "Team identifier"
 // @success 200 {object} portainer.Team "Success"
-// @success 204 "Success"
 // @failure 400 "Invalid request"
 // @failure 403 "Permission denied"
 // @failure 404 "Team not found"

api/http/handler/teams/team_update.go

@@ -30,7 +30,6 @@ func (payload *teamUpdatePayload) Validate(r *http.Request) error {
 // @param id path int true "Team identifier"
 // @param body body teamUpdatePayload true "Team details"
 // @success 200 {object} portainer.Team "Success"
-// @success 204 "Success"
 // @failure 400 "Invalid request"
 // @failure 403 "Permission denied"
 // @failure 404 "Team not found"

api/http/handler/templates/handler.go

@@ -29,7 +29,5 @@ func NewHandler(bouncer security.BouncerService) *Handler {
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.templateList))).Methods(http.MethodGet)
 	h.Handle("/templates/{id}/file",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.templateFile))).Methods(http.MethodPost)
-	h.Handle("/templates/file",
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.templateFileOld))).Methods(http.MethodPost)
 	return h
 }

api/http/handler/templates/template_file_old.go

@@ -1,93 +0,0 @@
-package templates
-
-import (
-	"errors"
-	"net/http"
-
-	httperror "github.com/portainer/portainer/pkg/libhttp/error"
-	"github.com/portainer/portainer/pkg/libhttp/request"
-	"github.com/portainer/portainer/pkg/libhttp/response"
-	"github.com/rs/zerolog/log"
-)
-
-type filePayload struct {
-	// URL of a git repository where the file is stored
-	RepositoryURL string `example:"https://github.com/portainer/portainer-compose" validate:"required"`
-	// Path to the file inside the git repository
-	ComposeFilePathInRepository string `example:"./subfolder/docker-compose.yml" validate:"required"`
-}
-
-func (payload *filePayload) Validate(r *http.Request) error {
-	if len(payload.RepositoryURL) == 0 {
-		return errors.New("Invalid repository url")
-	}
-
-	if len(payload.ComposeFilePathInRepository) == 0 {
-		return errors.New("Invalid file path")
-	}
-
-	return nil
-}
-
-func (handler *Handler) ifRequestedTemplateExists(payload *filePayload) *httperror.HandlerError {
-	response, httpErr := handler.fetchTemplates()
-	if httpErr != nil {
-		return httpErr
-	}
-
-	for _, t := range response.Templates {
-		if t.Repository.URL == payload.RepositoryURL && t.Repository.StackFile == payload.ComposeFilePathInRepository {
-			return nil
-		}
-	}
-	return httperror.InternalServerError("Invalid template", errors.New("requested template does not exist"))
-}
-
-// @id TemplateFileOld
-// @summary Get a template's file
-// @deprecated
-// @description Get a template's file
-// @description **Access policy**: authenticated
-// @tags templates
-// @security ApiKeyAuth
-// @security jwt
-// @accept json
-// @produce json
-// @param body body filePayload true "File details"
-// @success 200 {object} fileResponse "Success"
-// @failure 400 "Invalid request"
-// @failure 500 "Server error"
-// @router /templates/file [post]
-func (handler *Handler) templateFileOld(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	log.Warn().Msg("This api is deprecated. Please use /templates/{id}/file instead")
-
-	var payload filePayload
-	err := request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
-		return httperror.BadRequest("Invalid request payload", err)
-	}
-
-	if err := handler.ifRequestedTemplateExists(&payload); err != nil {
-		return err
-	}
-
-	projectPath, err := handler.FileService.GetTemporaryPath()
-	if err != nil {
-		return httperror.InternalServerError("Unable to create temporary folder", err)
-	}
-
-	defer handler.cleanUp(projectPath)
-
-	err = handler.GitService.CloneRepository(projectPath, payload.RepositoryURL, "", "", "", false)
-	if err != nil {
-		return httperror.InternalServerError("Unable to clone git repository", err)
-	}
-
-	fileContent, err := handler.FileService.GetFileContent(projectPath, payload.ComposeFilePathInRepository)
-	if err != nil {
-		return httperror.InternalServerError("Failed loading file content", err)
-	}
-
-	return response.JSON(w, fileResponse{FileContent: string(fileContent)})
-
-}

api/http/handler/users/handler.go

@@ -52,12 +52,12 @@ func NewHandler(bouncer security.BouncerService, rateLimiter *security.RateLimit
 	teamLeaderRouter := h.NewRoute().Subrouter()
 	teamLeaderRouter.Use(bouncer.TeamLeaderAccess)
 
-	restrictedRouter := h.NewRoute().Subrouter()
-	restrictedRouter.Use(bouncer.RestrictedAccess)
-
 	authenticatedRouter := h.NewRoute().Subrouter()
 	authenticatedRouter.Use(bouncer.AuthenticatedAccess)
 
+	restrictedRouter := h.NewRoute().Subrouter()
+	restrictedRouter.Use(bouncer.RestrictedAccess)
+
 	publicRouter := h.NewRoute().Subrouter()
 	publicRouter.Use(bouncer.PublicAccess)
 
@@ -65,7 +65,6 @@ func NewHandler(bouncer security.BouncerService, rateLimiter *security.RateLimit
 	restrictedRouter.Handle("/users", httperror.LoggerHandler(h.userList)).Methods(http.MethodGet)
 
 	authenticatedRouter.Handle("/users/me", httperror.LoggerHandler(h.userInspectMe)).Methods(http.MethodGet)
-	restrictedRouter.Handle("/users/me", httperror.LoggerHandler(h.userInspectMe)).Methods(http.MethodGet)
 	restrictedRouter.Handle("/users/{id}", httperror.LoggerHandler(h.userInspect)).Methods(http.MethodGet)
 	authenticatedRouter.Handle("/users/{id}", httperror.LoggerHandler(h.userUpdate)).Methods(http.MethodPut)
 	adminRouter.Handle("/users/{id}", httperror.LoggerHandler(h.userDelete)).Methods(http.MethodDelete)

api/http/handler/users/user_create_access_token.go

@@ -50,7 +50,7 @@ type accessTokenResponse struct {
 // @produce json
 // @param id path int true "User identifier"
 // @param body body userAccessTokenCreatePayload true "details"
-// @success 200 {object} accessTokenResponse "Created"
+// @success 200 {object} accessTokenResponse "Success"
 // @failure 400 "Invalid request"
 // @failure 401 "Unauthorized"
 // @failure 403 "Permission denied"
@@ -115,7 +115,7 @@ func (handler *Handler) userCreateAccessToken(w http.ResponseWriter, r *http.Req
 		return httperror.InternalServerError("Internal Server Error", err)
 	}
 
-	return response.JSONWithStatus(w, accessTokenResponse{rawAPIKey, *apiKey}, http.StatusCreated)
+	return response.JSONWithStatus(w, accessTokenResponse{rawAPIKey, *apiKey}, http.StatusOK)
 }
 
 func (handler *Handler) usesInternalAuthentication(userid portainer.UserID) (bool, error) {

api/http/handler/users/user_create_access_token_test.go

@@ -60,7 +60,7 @@ func Test_userCreateAccessToken(t *testing.T) {
 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
 
-		is.Equal(http.StatusCreated, rr.Code)
+		is.Equal(http.StatusOK, rr.Code)
 
 		body, err := io.ReadAll(rr.Body)
 		is.NoError(err, "ReadAll should not return error")

api/http/middlewares/panic_logger.go

@@ -0,0 +1,25 @@
+package middlewares
+
+import (
+	"net/http"
+	"runtime/debug"
+
+	"github.com/rs/zerolog/log"
+)
+
+func WithPanicLogger(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		defer func() {
+			if err := recover(); err != nil {
+				log.Error().
+					Any("panic", err).
+					Str("method", req.Method).
+					Str("url", req.URL.String()).
+					Str("stack", string(debug.Stack())).
+					Msg("Panic in request handler")
+			}
+		}()
+
+		next.ServeHTTP(w, req)
+	})
+}

api/http/middlewares/withitem.go

@@ -45,7 +45,7 @@ func WithItem[TId ~int, TObject any](getter ItemGetter[TId, TObject], idParam st
 	}
 }
 
-func FetchItem[T any](request *http.Request, contextKey string) (*T, error) {
+func FetchItem[T any](request *http.Request, contextKey ItemContextKey) (*T, error) {
 	contextData := request.Context().Value(contextKey)
 	if contextData == nil {
 		return nil, errors.New("unable to find item in request context")

api/http/models/kubernetes/services.go

@@ -35,8 +35,8 @@ type (
 	}
 
 	K8sServiceIngress struct {
-		IP   string `json:"IP"`
-		Host string `json:"Host"`
+		IP       string `json:"IP"`
+		Hostname string `json:"Hostname"`
 	}
 
 	// K8sServiceDeleteRequests is a mapping of namespace names to a slice of

api/http/proxy/factory/agent.go

@@ -52,7 +52,7 @@ func (factory *ProxyFactory) NewAgentProxy(endpoint *portainer.Endpoint) (*Proxy
 		endpointURL.Scheme = "https"
 	}
 
-	proxy := newSingleHostReverseProxyWithHostHeader(endpointURL)
+	proxy := NewSingleHostReverseProxyWithHostHeader(endpointURL)
 
 	proxy.Transport = agent.NewTransport(factory.signatureService, httpTransport)
 
@@ -63,8 +63,7 @@ func (factory *ProxyFactory) NewAgentProxy(endpoint *portainer.Endpoint) (*Proxy
 		Port: 0,
 	}
 
-	err = proxyServer.start()
-	if err != nil {
+	if err := proxyServer.start(); err != nil {
 		return nil, errors.Wrap(err, "failed starting proxy server")
 	}
 

api/http/proxy/factory/azure.go

@@ -15,7 +15,7 @@ func newAzureProxy(endpoint *portainer.Endpoint, dataStore dataservices.DataStor
 		return nil, err
 	}
 
-	proxy := newSingleHostReverseProxyWithHostHeader(remoteURL)
+	proxy := NewSingleHostReverseProxyWithHostHeader(remoteURL)
 	proxy.Transport = azure.NewTransport(&endpoint.AzureCredentials, dataStore, endpoint)
 	return proxy, nil
 }

api/http/proxy/factory/docker.go

@@ -72,7 +72,7 @@ func (factory *ProxyFactory) newDockerHTTPProxy(endpoint *portainer.Endpoint) (h
 		return nil, err
 	}
 
-	proxy := newSingleHostReverseProxyWithHostHeader(endpointURL)
+	proxy := NewSingleHostReverseProxyWithHostHeader(endpointURL)
 	proxy.Transport = dockerTransport
 	return proxy, nil
 }

api/http/proxy/factory/docker/volumes.go

@@ -224,7 +224,7 @@ func (transport *Transport) getDockerID() (string, error) {
 	if transport.snapshotService != nil {
 		endpoint := portainer.Endpoint{ID: transport.endpoint.ID}
 
-		if err := transport.snapshotService.FillSnapshotData(&endpoint); err == nil && len(endpoint.Snapshots) > 0 {
+		if err := transport.snapshotService.FillSnapshotData(&endpoint, true); err == nil && len(endpoint.Snapshots) > 0 {
 			if dockerID, err := snapshot.FetchDockerID(endpoint.Snapshots[0]); err == nil {
 				transport.dockerID = dockerID
 				return dockerID, nil

api/http/proxy/factory/gitlab.go

@@ -13,7 +13,7 @@ func newGitlabProxy(uri string) (http.Handler, error) {
 		return nil, err
 	}
 
-	proxy := newSingleHostReverseProxyWithHostHeader(url)
+	proxy := NewSingleHostReverseProxyWithHostHeader(url)
 	proxy.Transport = gitlab.NewTransport()
 	return proxy, nil
 }