Fix: delete context when patch outputs in trait (#3854)

* Fix: delete context when patch outputs in trait

Signed-off-by: FogDong <dongtianxin.tx@alibaba-inc.com>

* use patchOutputs instead of outputs in patch

Signed-off-by: FogDong <dongtianxin.tx@alibaba-inc.com>

* fix typo

Signed-off-by: FogDong <dongtianxin.tx@alibaba-inc.com>

.github/PULL_REQUEST_TEMPLATE.md

@@ -13,8 +13,8 @@ Fixes #
 
 I have:
 
-- [ ] Read and followed KubeVela's [contribution process](https://github.com/oam-dev/kubevela/blob/master/contribute/create-pull-request.md).
-- [ ] [Related Docs](https://github.com/oam-dev/kubevela.io) updated properly. In a new feature or configuration option, an update to the documentation is necessary. 
+- [ ] Read and followed KubeVela's [contribution process](https://github.com/kubevela/kubevela/blob/master/contribute/create-pull-request.md).
+- [ ] [Related Docs](https://github.com/kubevela/kubevela.io) updated properly. In a new feature or configuration option, an update to the documentation is necessary. 
 - [ ] Run `make reviewable` to ensure this PR is ready for review.
 - [ ] Added `backport release-x.y` labels to auto-backport this PR if necessary.
 

.github/bot.md

@@ -1,9 +1,9 @@
 ### GitHub & kubevela automation
 
-The bot is configured via [issue-commands.json](https://github.com/oam-dev/kubevela/blob/master/.github/workflows/issue-commands.json) 
-and some other GitHub [workflows](https://github.com/oam-dev/kubevela/blob/master/.github/workflows).
+The bot is configured via [issue-commands.json](https://github.com/kubevela/kubevela/blob/master/.github/workflows/issue-commands.json) 
+and some other GitHub [workflows](https://github.com/kubevela/kubevela/blob/master/.github/workflows).
 By default, users with write access to the repo is allowed to use the comments, 
-the [userlist](https://github.com/oam-dev/kubevela/blob/master/.github/comment.userlist) 
+the [userlist](https://github.com/kubevela/kubevela/blob/master/.github/comment.userlist) 
 file is for adding additional members who do not have access and want to contribute to the issue triage.
 
 Comment commands:
@@ -14,7 +14,7 @@ Comment commands:
 * Write the word `/area/*` in a comment, and the bot will add the corresponding label `/area/*`.
 * Write the word `/priority/*` in a comment, and the bot will add the corresponding label `/priority/*`.
 
-The `*` mention above represent a specific word. Please read the details about label category in [ISSUE_TRIAGE.md](https://github.com/oam-dev/kubevela/blob/master/ISSUE_TRIAGE.md)  
+The `*` mention above represent a specific word. Please read the details about label category in [ISSUE_TRIAGE.md](https://github.com/kubevela/kubevela/blob/master/ISSUE_TRIAGE.md)  
 
 Label commands:
 

.github/workflows/apiserver-test.yaml

@@ -6,7 +6,9 @@ on:
       - master
       - release-*
       - apiserver
-  workflow_dispatch: {}
+    tags:
+      - v*
+  workflow_dispatch: { }
   pull_request:
     branches:
       - master
@@ -18,6 +20,8 @@ env:
   GO_VERSION: '1.17'
   GOLANGCI_VERSION: 'v1.38'
   KIND_VERSION: 'v0.7.0'
+  KIND_IMAGE_VERSION: '[\"v1.20.7\"]'
+  KIND_IMAGE_VERSIONS: '[\"v1.18.20\",\"v1.20.7\",\"v1.22.7\"]'
 
 jobs:
 
@@ -35,10 +39,28 @@ jobs:
           do_not_skip: '["workflow_dispatch", "schedule", "push"]'
           concurrent_skipping: false
 
+  set-k8s-matrix:
+    runs-on: ubuntu-20.04
+    outputs:
+      matrix: ${{ steps.set-k8s-matrix.outputs.matrix }}
+    steps:
+      - id: set-k8s-matrix
+        run: |
+          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
+            echo "pushing tag: ${{ github.ref_name }}"
+            echo "::set-output name=matrix::${{ env.KIND_IMAGE_VERSIONS }}"
+          else
+            echo "::set-output name=matrix::${{ env.KIND_IMAGE_VERSION }}"
+          fi
+
+
   apiserver-unit-tests:
     runs-on: aliyun
-    needs: detect-noop
+    needs: [ detect-noop,set-k8s-matrix ]
     if: needs.detect-noop.outputs.noop != 'true'
+    strategy:
+      matrix:
+        k8s-version: ${{ fromJson(needs.set-k8s-matrix.outputs.matrix) }}
 
     steps:
       - name: Set up Go
@@ -65,7 +87,7 @@ jobs:
       - name: Setup Kind Cluster (Worker)
         run: |
           kind delete cluster --name worker
-          kind create cluster --image kindest/node:v1.20.7@sha256:688fba5ce6b825be62a7c7fe1415b35da2bdfbb5a69227c499ea4cc0008661ca --name worker
+          kind create cluster --image kindest/node:${{ matrix.k8s-version }} --name worker
           kubectl version
           kubectl cluster-info
           kind get kubeconfig --name worker --internal > /tmp/worker.kubeconfig
@@ -74,7 +96,7 @@ jobs:
       - name: Setup Kind Cluster (Hub)
         run: |
           kind delete cluster
-          kind create cluster --image kindest/node:v1.20.7@sha256:688fba5ce6b825be62a7c7fe1415b35da2bdfbb5a69227c499ea4cc0008661ca
+          kind create cluster --image kindest/node:${{ matrix.k8s-version }}
           kubectl version
           kubectl cluster-info
 

.github/workflows/codeql-analysis.yml

@@ -5,30 +5,6 @@ on:
     branches: [ master, release-* ]
 
 jobs:
-  images:
-    name: Image Scan
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Build Vela Core image from Dockerfile
-        run: |
-          docker build --build-arg GOPROXY=https://proxy.golang.org -t docker.io/oamdev/vela-core:${{ github.sha }} .
-
-      - name: Run Trivy vulnerability scanner for vela core
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: 'docker.io/oamdev/vela-core:${{ github.sha }}'
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v1
-        if: always()
-        with:
-          sarif_file: 'trivy-results.sarif'
-
   analyze:
     name: Analyze
     runs-on: ubuntu-latest

.github/workflows/e2e-multicluster-test.yml

@@ -5,6 +5,8 @@ on:
     branches:
       - master
       - release-*
+    tags:
+      - v*
   workflow_dispatch: {}
   pull_request:
     branches:
@@ -16,6 +18,8 @@ env:
   GO_VERSION: '1.17'
   GOLANGCI_VERSION: 'v1.38'
   KIND_VERSION: 'v0.7.0'
+  KIND_IMAGE_VERSION: '[\"v1.20.7\"]'
+  KIND_IMAGE_VERSIONS: '[\"v1.18.20\",\"v1.20.7\",\"v1.22.7\"]'
 
 jobs:
 
@@ -33,10 +37,29 @@ jobs:
           do_not_skip: '["workflow_dispatch", "schedule", "push"]'
           concurrent_skipping: false
 
+  set-k8s-matrix:
+    runs-on: ubuntu-20.04
+    outputs:
+      matrix: ${{ steps.set-k8s-matrix.outputs.matrix }}
+    steps:
+      - id: set-k8s-matrix
+        run: |
+          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
+            echo "pushing tag: ${{ github.ref_name }}"
+            echo "::set-output name=matrix::${{ env.KIND_IMAGE_VERSIONS }}"
+          else
+            echo "::set-output name=matrix::${{ env.KIND_IMAGE_VERSION }}"
+          fi
+
+
   e2e-multi-cluster-tests:
     runs-on: aliyun
-    needs: detect-noop
+    needs: [ detect-noop,set-k8s-matrix ]
     if: needs.detect-noop.outputs.noop != 'true'
+    strategy:
+      matrix:
+        k8s-version: ${{ fromJson(needs.set-k8s-matrix.outputs.matrix) }}
+
 
     steps:
       - name: Check out code into the Go module directory
@@ -60,7 +83,7 @@ jobs:
       - name: Setup Kind Cluster (Worker)
         run: |
           kind delete cluster --name worker
-          kind create cluster --image kindest/node:v1.20.7@sha256:688fba5ce6b825be62a7c7fe1415b35da2bdfbb5a69227c499ea4cc0008661ca --name worker
+          kind create cluster --image kindest/node:${{ matrix.k8s-version }} --name worker
           kubectl version
           kubectl cluster-info
           kind get kubeconfig --name worker --internal > /tmp/worker.kubeconfig
@@ -69,7 +92,7 @@ jobs:
       - name: Setup Kind Cluster (Hub)
         run: |
           kind delete cluster
-          kind create cluster --image kindest/node:v1.20.7@sha256:688fba5ce6b825be62a7c7fe1415b35da2bdfbb5a69227c499ea4cc0008661ca
+          kind create cluster --image kindest/node:${{ matrix.k8s-version }}
           kubectl version
           kubectl cluster-info
 
@@ -96,7 +119,7 @@ jobs:
         uses: codecov/codecov-action@v1
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
-          files: /tmp/e2e-profile.out
+          files: /tmp/e2e-profile.out,/tmp/e2e_multicluster_test.out
           flags: e2e-multicluster-test
           name: codecov-umbrella
 

.github/workflows/e2e-rollout-test.yml

@@ -5,6 +5,8 @@ on:
     branches:
       - master
       - release-*
+    tags:
+      - v*
   workflow_dispatch: {}
   pull_request:
     branches:
@@ -16,6 +18,8 @@ env:
   GO_VERSION: '1.17'
   GOLANGCI_VERSION: 'v1.38'
   KIND_VERSION: 'v0.7.0'
+  KIND_IMAGE_VERSION: '[\"v1.20.7\"]'
+  KIND_IMAGE_VERSIONS: '[\"v1.18.20\",\"v1.20.7\",\"v1.22.7\"]'
 
 jobs:
 
@@ -33,10 +37,27 @@ jobs:
           do_not_skip: '["workflow_dispatch", "schedule", "push"]'
           concurrent_skipping: false
 
+  set-k8s-matrix:
+    runs-on: ubuntu-20.04
+    outputs:
+      matrix: ${{ steps.set-k8s-matrix.outputs.matrix }}
+    steps:
+      - id: set-k8s-matrix
+        run: |
+          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
+            echo "pushing tag: ${{ github.ref_name }}"
+            echo "::set-output name=matrix::${{ env.KIND_IMAGE_VERSIONS }}"
+          else
+            echo "::set-output name=matrix::${{ env.KIND_IMAGE_VERSION }}"
+          fi
+
   e2e-rollout-tests:
     runs-on: aliyun
-    needs: detect-noop
+    needs: [ detect-noop,set-k8s-matrix ]
     if: needs.detect-noop.outputs.noop != 'true'
+    strategy:
+      matrix:
+        k8s-version: ${{ fromJson(needs.set-k8s-matrix.outputs.matrix) }}
 
     steps:
       - name: Check out code into the Go module directory
@@ -60,7 +81,7 @@ jobs:
       - name: Setup Kind Cluster
         run: |
           kind delete cluster
-          kind create cluster --image kindest/node:v1.20.7@sha256:688fba5ce6b825be62a7c7fe1415b35da2bdfbb5a69227c499ea4cc0008661ca
+          kind create cluster --image kindest/node:${{ matrix.k8s-version }}
           kubectl version
           kubectl cluster-info
 

.github/workflows/e2e-test.yml

@@ -5,6 +5,8 @@ on:
     branches:
       - master
       - release-*
+    tags:
+      - v*
   workflow_dispatch: {}
   pull_request:
     branches:
@@ -16,6 +18,8 @@ env:
   GO_VERSION: '1.17'
   GOLANGCI_VERSION: 'v1.38'
   KIND_VERSION: 'v0.7.0'
+  KIND_IMAGE_VERSION: '[\"v1.20.7\"]'
+  KIND_IMAGE_VERSIONS: '[\"v1.18.20\",\"v1.20.7\",\"v1.22.7\"]'
 
 jobs:
 
@@ -33,10 +37,27 @@ jobs:
           do_not_skip: '["workflow_dispatch", "schedule", "push"]'
           concurrent_skipping: false
 
+  set-k8s-matrix:
+    runs-on: ubuntu-20.04
+    outputs:
+      matrix: ${{ steps.set-k8s-matrix.outputs.matrix }}
+    steps:
+      - id: set-k8s-matrix
+        run: |
+          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
+            echo "pushing tag: ${{ github.ref_name }}"
+            echo "::set-output name=matrix::${{ env.KIND_IMAGE_VERSIONS }}"
+          else
+            echo "::set-output name=matrix::${{ env.KIND_IMAGE_VERSION }}"
+          fi
+
   e2e-tests:
     runs-on: aliyun
-    needs: detect-noop
+    needs: [ detect-noop,set-k8s-matrix ]
     if: needs.detect-noop.outputs.noop != 'true'
+    strategy:
+      matrix:
+        k8s-version: ${{ fromJson(needs.set-k8s-matrix.outputs.matrix) }}
 
     steps:
       - name: Check out code into the Go module directory
@@ -60,7 +81,7 @@ jobs:
       - name: Setup Kind Cluster
         run: |
           kind delete cluster
-          kind create cluster --image kindest/node:v1.20.7@sha256:688fba5ce6b825be62a7c7fe1415b35da2bdfbb5a69227c499ea4cc0008661ca
+          kind create cluster --image kindest/node:${{ matrix.k8s-version }}
           kubectl version
           kubectl cluster-info
 

.github/workflows/go.yml

@@ -57,7 +57,7 @@ jobs:
           restore-keys: ${{ runner.os }}-pkg-
 
       - name: Install StaticCheck
-        run: GO111MODULE=off go get honnef.co/go/tools/cmd/staticcheck
+        run: GO111MODULE=on go get honnef.co/go/tools/cmd/staticcheck@v0.3.0
 
       - name: Static Check
         run: staticcheck ./...

.github/workflows/release.yml

@@ -8,6 +8,10 @@ on:
 
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  BUCKET: ${{ secrets.CLI_OSS_BUCKET }}
+  ENDPOINT: ${{ secrets.CLI_OSS_ENDPOINT }}
+  ACCESS_KEY: ${{ secrets.CLI_OSS_ACCESS_KEY }}
+  ACCESS_KEY_SECRET: ${{ secrets.CLI_OSS_ACCESS_KEY_SECRET }}
 
 jobs:
   build:
@@ -104,6 +108,23 @@ jobs:
           name: sha256sums
           path: ./_bin/sha256-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.txt
           retention-days: 1
+      - name: clear the asset
+        run: |
+          rm -rf ./_bin/vela/${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}
+          mv ./_bin/vela/vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz ./_bin/vela/vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz
+          mv ./_bin/vela/vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip ./_bin/vela/vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip
+      - name: Install ossutil
+        run: wget http://gosspublic.alicdn.com/ossutil/1.7.0/ossutil64 && chmod +x ossutil64 && mv ossutil64 ossutil
+      - name: Configure Alibaba Cloud OSSUTIL
+        run: ./ossutil --config-file .ossutilconfig config -i ${ACCESS_KEY} -k ${ACCESS_KEY_SECRET} -e ${ENDPOINT} -c .ossutilconfig
+      - name: sync local to cloud
+        run: ./ossutil --config-file .ossutilconfig sync ./_bin/vela oss://$BUCKET/binary/vela/${{ env.VELA_VERSION }}
+      
+      - name: sync the latest version file
+        run: |
+          echo ${{ env.VELA_VERSION }} > ./latest_version
+          ./ossutil --config-file .ossutilconfig cp -u ./latest_version oss://$BUCKET/binary/vela/latest_version
+
 
   upload-plugin-homebrew:
     needs: build

.github/workflows/trivy-scan.yml

@@ -0,0 +1,30 @@
+name: "Trivy Scan"
+
+on:
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  images:
+    name: Image Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Build Vela Core image from Dockerfile
+        run: |
+          docker build --build-arg GOPROXY=https://proxy.golang.org -t docker.io/oamdev/vela-core:${{ github.sha }} .
+
+      - name: Run Trivy vulnerability scanner for vela core
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/oamdev/vela-core:${{ github.sha }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/unit-test.yml

@@ -58,7 +58,7 @@ jobs:
           restore-keys: ${{ runner.os }}-pkg-
 
       - name: Install ginkgo
-        run:  |
+        run: |
           sudo apt-get install -y golang-ginkgo-dev
 
       - name: Setup Kind Cluster
@@ -72,7 +72,7 @@ jobs:
           version: 3.1.0
           kubebuilderOnly: false
           kubernetesVersion: v1.21.2
-      
+
       - name: Run Make test
         run: make test
 

CHANGELOG/CHANGELOG-1.0.md

@@ -30,7 +30,7 @@ This is a minor fix for release-1.0, please refer to release-1.1.x for the lates
 **Please update Application CRD to upgrade from v1.0.3 to this release**
 
 ```
-kubectl apply -f https://raw.githubusercontent.com/oam-dev/kubevela/master/charts/vela-core/crds/core.oam.dev_applications.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubevela/kubevela/master/charts/vela-core/crds/core.oam.dev_applications.yaml
 ```
 
 **Check the upgrade docs to upgrade from other release: https://kubevela.io/docs/advanced-install#upgrade**

CONTRIBUTING.md

@@ -2,7 +2,7 @@
 
 ## About KubeVela
 
-KubeVela project is initialized and maintained by the cloud native community since day 0 with [bootstrapping contributors from 8+ different organizations](https://github.com/oam-dev/kubevela/graphs/contributors).
+KubeVela project is initialized and maintained by the cloud native community since day 0 with [bootstrapping contributors from 8+ different organizations](https://github.com/kubevela/kubevela/graphs/contributors).
 We intend for KubeVela to have an open governance since the very beginning and donate the project to neutral foundation as soon as it's released.
 To help us create a safe and positive community experience for all, we require all participants to adhere to the [Code of Conduct](./CODE_OF_CONDUCT.md).
 
@@ -13,7 +13,7 @@ This document is a guide to help you through the process of contributing to Kube
 You can contribute to KubeVela in several ways. Here are some examples:
 
 * Contribute to the KubeVela codebase.
-* Contribute to the [KubeVela docs](https://github.com/oam-dev/kubevela.io).
+* Contribute to the [KubeVela docs](https://github.com/kubevela/kubevela.io).
 * Report and triage bugs.
 * Develop community CRD operators as workload or trait and contribute to [catalog](https://github.com/oam-dev/catalog).
 * Write technical documentation and blog posts, for users and contributors.
@@ -26,20 +26,20 @@ For more ways to contribute, check out the [Open Source Guides](https://opensour
 ### Report bugs
 
 Before submitting a new issue, try to make sure someone hasn't already reported the problem.
-Look through the [existing issues](https://github.com/oam-dev/kubevela/issues) for similar issues.
+Look through the [existing issues](https://github.com/kubevela/kubevela/issues) for similar issues.
 
-Report a bug by submitting a [bug report](https://github.com/oam-dev/kubevela/issues/new?assignees=&labels=kind%2Fbug&template=bug_report.md&title=).
+Report a bug by submitting a [bug report](https://github.com/kubevela/kubevela/issues/new?assignees=&labels=kind%2Fbug&template=bug_report.md&title=).
 Make sure that you provide as much information as possible on how to reproduce the bug.
 
 Follow the issue template and add additional information that will help us replicate the problem.
 
 #### Security issues
 
-If you believe you've found a security vulnerability, please read our [security policy](https://github.com/oam-dev/kubevela/blob/master/SECURITY.md) for more details.
+If you believe you've found a security vulnerability, please read our [security policy](https://github.com/kubevela/kubevela/blob/master/SECURITY.md) for more details.
 
 ### Suggest enhancements
 
-If you have an idea to improve KubeVela, submit an [feature request](https://github.com/oam-dev/kubevela/issues/new?assignees=&labels=kind%2Ffeature&template=feature_request.md&title=%5BFeature%5D).
+If you have an idea to improve KubeVela, submit an [feature request](https://github.com/kubevela/kubevela/issues/new?assignees=&labels=kind%2Ffeature&template=feature_request.md&title=%5BFeature%5D).
 
 ### Triage issues
 
@@ -50,16 +50,16 @@ Read more about the ways you can [Triage issues](/contribute/triage-issues.md).
 ### Answering questions
 
 If you have a question and you can't find the answer in the [documentation](https://kubevela.io/docs/),
-the next step is to ask it on the [github discussion](https://github.com/oam-dev/kubevela/discussions).
+the next step is to ask it on the [github discussion](https://github.com/kubevela/kubevela/discussions).
 
-It's important to us to help these users, and we'd love your help. You can help other KubeVela users by answering [their questions](https://github.com/oam-dev/kubevela/discussions).
+It's important to us to help these users, and we'd love your help. You can help other KubeVela users by answering [their questions](https://github.com/kubevela/kubevela/discussions).
 
 ### Your first contribution
 
 Unsure where to begin contributing to KubeVela? Start by browsing issues labeled `good first issue` or `help wanted`.
 
-- [Good first issue](https://github.com/oam-dev/kubevela/labels/good%20first%20issue) issues are generally straightforward to complete.
-- [Help wanted](https://github.com/oam-dev/kubevela/labels/help%20wanted) issues are problems we would like the community to help us with regardless of complexity.
+- [Good first issue](https://github.com/kubevela/kubevela/labels/good%20first%20issue) issues are generally straightforward to complete.
+- [Help wanted](https://github.com/kubevela/kubevela/labels/help%20wanted) issues are problems we would like the community to help us with regardless of complexity.
 
 If you're looking to make a code change, see how to set up your environment for [local development](contribute/developer-guide.md).
 

GOVERNANCE.md

@@ -0,0 +1,16 @@
+# Governance
+
+[Project maintainers](https://github.com/kubevela/community/blob/main/OWNERS.md#maintainers) are responsible for activities around maintaining and updating KubeVela.
+Final decisions on the project reside with the project maintainers.
+
+Maintainers **MUST** remain active. If they are unresponsive for >6 months,
+they will be automatically removed unless a [super-majority](https://en.wikipedia.org/wiki/Supermajority#Two-thirds_vote) of the other project maintainers agrees to extend the period to be greater than 6 months.
+
+New maintainers can be added to the project by a [super-majority](https://en.wikipedia.org/wiki/Supermajority#Two-thirds_vote) vote of the existing maintainers.
+A potential maintainer may be nominated by an existing maintainer.
+A vote is conducted in private between the current maintainers over the course of a one week voting period.
+At the end of the week, votes are counted and a pull request is made on the repo adding the new maintainer to the [CODEOWNERS](https://github.com/kubevela/kubevela/blob/master/.github/CODEOWNERS) file.
+
+A maintainer may step down by submitting an [issue](https://github.com/kubevela/kubevela/issues/new/choose) stating their intent.
+
+Changes to this governance document require a pull request with approval from a [super-majority](https://en.wikipedia.org/wiki/Supermajority#Two-thirds_vote) of the current maintainers.

ISSUE_TRIAGE.md

@@ -71,7 +71,7 @@ To get started with issue triage and finding issues that haven't been triaged yo
 ### Browse unlabeled issues
 
 The easiest and straight forward way of getting started and finding issues that haven't been triaged is to browse
-[unlabeled issues](https://github.com/oam-dev/kubevela/issues?q=is%3Aopen+is%3Aissue+no%3Alabel) and starting from
+[unlabeled issues](https://github.com/kubevela/kubevela/issues?q=is%3Aopen+is%3Aissue+no%3Alabel) and starting from
 the bottom and working yourself to the top.
 
 ### Subscribe to all notifications
@@ -95,7 +95,7 @@ to guide contributors to provide standard information that must be included for
 
 ### Standard issue information that must be included
 
-Given a certain [issue template]([template](https://github.com/oam-dev/kubevela/issues/new/choose)) have been used
+Given a certain [issue template]([template](https://github.com/kubevela/kubevela/issues/new/choose)) have been used
 by the issue author or depending how the issue is perceived by the issue triage responsible, the following should
 help you understand what standard issue information that must be included.
 
@@ -219,7 +219,7 @@ There's a minor typo/error/lack of information that adds a lot of confusion for
 
 ### Support requests and questions
 
-1. Kindly and politely direct the issue author to the [github discussion](https://github.com/oam-dev/kubevela/discussions)
+1. Kindly and politely direct the issue author to the [github discussion](https://github.com/kubevela/kubevela/discussions)
    and explain that issue is mainly used for tracking bugs and feature requests.
    If possible, it's usually a good idea to add some pointers to the issue author's question.
 2. Close the issue and label it with `type/question`.

OWNERS

@@ -1,12 +0,0 @@
-approvers:
-- kubevela-controller
-- kubevela-devex
-- kubevela-dashboard-approver
-
-reviewers:
-- kubevela-controller
-- oam-spec
-- kubevela-dashboard-reviewer
-
-members:
-- community-collaborators

OWNERS_ALIASES

@@ -1,60 +1 @@
-Reviewers:
-- Ghostbaby
-- StevenLeiZhang
-- chwetion
-- yue9944882
-- zxbyoyoyo
-- reetasingh
-- wangwang
-- evanli18
-- devholic
-- fourierr
-- JooKS-me
-
-Approvers:
-- Somefive (Multi-Cluster)
-- chivalryq (Vela CLI)
-- sunny0826 (kubevela.io)
-- hanxie-crypto (VelaUX)
-- FogDong (Workflow)
-- wangyikewxgm (Addon)
-- yangsoon (VelaQL）
-
-Maintainers:
-- wonderflow
-- hongchaodeng
-- captainroy-hy
-- resouer
-- barnettZQG
-- leejanee
-- zzxwill
-- BinaryHB0916
-- dhiguero
-
-Emeritus Members:
-- ryanzhang-oss
-- Fei-Guo
-- szihai
-- xiaoyuaiheshui
-- wenxinnnnn
-- silenceper
-- erdun
-- mosesyou
-- artursouza
-- woshilanren11
-
-bootstrap-contributors:     # thank you for bootstrapping KubeVela at the very early stage!
-- xiaoyuaiheshui
-- Ghostbaby
-- wenxinnnnn
-- silenceper
-- erdun
-- sunny0826
-- mosesyou
-- artursouza
-- wonderflow
-- hongchaodeng
-- ryanzhang-oss
-- woshilanren11
-- hanxie-crypto
-- zzxwill
+The owner file has been migrated to the community repo, please refer to https://github.com/kubevela/community/blob/main/OWNERS.md

README.md

@@ -1,18 +1,18 @@
 <div style="text-align: center">
   <p align="center">
-    <img src="https://raw.githubusercontent.com/oam-dev/kubevela.io/main/docs/resources/KubeVela-03.png">
+    <img src="https://raw.githubusercontent.com/kubevela/kubevela.io/main/docs/resources/KubeVela-03.png">
     <br><br>
     <i>Make shipping applications more enjoyable.</i>
   </p>
 </div>
 
-![Build status](https://github.com/oam-dev/kubevela/workflows/E2E/badge.svg)
-[![Go Report Card](https://goreportcard.com/badge/github.com/oam-dev/kubevela)](https://goreportcard.com/report/github.com/oam-dev/kubevela)
+![Build status](https://github.com/kubevela/kubevela/workflows/E2E/badge.svg)
+[![Go Report Card](https://goreportcard.com/badge/github.com/kubevela/kubevela)](https://goreportcard.com/report/github.com/kubevela/kubevela)
 ![Docker Pulls](https://img.shields.io/docker/pulls/oamdev/vela-core)
-[![codecov](https://codecov.io/gh/oam-dev/kubevela/branch/master/graph/badge.svg)](https://codecov.io/gh/oam-dev/kubevela)
-[![LICENSE](https://img.shields.io/github/license/oam-dev/kubevela.svg?style=flat-square)](/LICENSE)
-[![Releases](https://img.shields.io/github/release/oam-dev/kubevela/all.svg?style=flat-square)](https://github.com/oam-dev/kubevela/releases)
-[![TODOs](https://img.shields.io/endpoint?url=https://api.tickgit.com/badge?repo=github.com/oam-dev/kubevela)](https://www.tickgit.com/browse?repo=github.com/oam-dev/kubevela)
+[![codecov](https://codecov.io/gh/kubevela/kubevela/branch/master/graph/badge.svg)](https://codecov.io/gh/kubevela/kubevela)
+[![LICENSE](https://img.shields.io/github/license/kubevela/kubevela.svg?style=flat-square)](/LICENSE)
+[![Releases](https://img.shields.io/github/release/kubevela/kubevela/all.svg?style=flat-square)](https://github.com/kubevela/kubevela/releases)
+[![TODOs](https://img.shields.io/endpoint?url=https://api.tickgit.com/badge?repo=github.com/kubevela/kubevela)](https://www.tickgit.com/browse?repo=github.com/kubevela/kubevela)
 [![Twitter](https://img.shields.io/twitter/url?style=social&url=https%3A%2F%2Ftwitter.com%2Foam_dev)](https://twitter.com/oam_dev)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/kubevela)](https://artifacthub.io/packages/search?repo=kubevela)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4602/badge)](https://bestpractices.coreinfrastructure.org/projects/4602)
@@ -43,16 +43,35 @@ KubeVela practices the "render, orchestrate, deploy" workflow with below highlig
 
 Full documentation is available on the [KubeVela website](https://kubevela.io/).
 
+## Blog
+
+Official blog is available on [KubeVela blog](https://kubevela.io/blog).
+
 ## Community
 
-- Slack:  [CNCF Slack](https://slack.cncf.io/) #kubevela channel (*English*)
-- Gitter: [oam-dev](https://gitter.im/oam-dev/community) (*English*)
+We want your contributions and suggestions! 
+One of the easiest ways to contribute is to participate in discussions on the Github Issues/Discussion, chat on IM or the bi-weekly community calls.
+For more information on the community engagement, developer and contributing guidelines and more, head over to the [KubeVela community repo](https://github.com/kubevela/community).
+
+### Contact Us
+
+Reach out with any questions you may have and we'll make sure to answer them as soon as possible!
+
+- Slack:  [CNCF Slack kubevela channel](https://cloud-native.slack.com/archives/C01BLQ3HTJA) (*English*)
 - [DingTalk Group](https://page.dingtalk.com/wow/dingtalk/act/en-home): `23310022` (*Chinese*)
 - Wechat Group (*Chinese*): Broker wechat to add you into the user group.
  
   <img src="https://static.kubevela.net/images/barnett-wechat.jpg" width="200" />
-- Bi-weekly Community Call: [Meeting Notes](https://docs.google.com/document/d/1nqdFEyULekyksFHtFvgvFAYE-0AMHKoS3RMnaKsarjs).
-- Bi-weekly Chinese Community Call: [Video Records](https://space.bilibili.com/180074935/channel/seriesdetail?sid=1842207).
+
+### Community Call
+
+Every two weeks we host a community call to showcase new features, review upcoming milestones, and engage in a Q&A. All are welcome!
+
+- Bi-weekly Community Call:
+  - [Meeting Notes](https://docs.google.com/document/d/1nqdFEyULekyksFHtFvgvFAYE-0AMHKoS3RMnaKsarjs).
+  - [Video Records](https://kubevela.io/videos/meetings/en/meetings).
+- Bi-weekly Chinese Community Call:
+  - [Video Records](https://kubevela.io/videos/meetings/cn/v1.3).
 
 ## Talks and Conferences
 
@@ -62,7 +81,10 @@ Full documentation is available on the [KubeVela website](https://kubevela.io/).
 | 🌎 KubeCon | - [ [NA 2020] Standardizing Cloud Native Application Delivery Across Different Clouds](https://www.youtube.com/watch?v=0yhVuBIbHcI) <br> - [ [EU 2021] Zero Pain Microservice Development and Deployment with Dapr and KubeVela](https://sched.co/iE4S) |
 | 📺 Conferences | - [Dapr, Rudr, OAM: Mark Russinovich presents next gen app development & deployment](https://www.youtube.com/watch?v=eJCu6a-x9uo) <br> - [Mark Russinovich presents "The Future of Cloud Native Applications with OAM and Dapr"](https://myignite.techcommunity.microsoft.com/sessions/82059)|
 
+For more talks, please checkout [KubeVela Talks](https://kubevela.io/videos/talks/en/standardizing-app).
+
 ## Contributing
+
 Check out [CONTRIBUTING](./CONTRIBUTING.md) to see how to develop with KubeVela.
 
 ## Report Vulnerability
@@ -70,4 +92,5 @@ Check out [CONTRIBUTING](./CONTRIBUTING.md) to see how to develop with KubeVela.
 Security is a first priority thing for us at KubeVela. If you come across a related issue, please send email to security@mail.kubevela.io .
 
 ## Code of Conduct
+
 KubeVela adopts [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).

apis/core.oam.dev/common/register.go

@@ -0,0 +1,22 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package common
+
+const (
+	// Group api group name
+	Group = "core.oam.dev"
+)

apis/core.oam.dev/common/types.go

@@ -345,6 +345,8 @@ type WorkflowStatus struct {
 	Mode        WorkflowMode `json:"mode"`
 	Message     string       `json:"message,omitempty"`
 
+	SuspendState string `json:"suspendState,omitempty"`
+
 	Suspend    bool `json:"suspend"`
 	Terminated bool `json:"terminated"`
 	Finished   bool `json:"finished"`
@@ -496,6 +498,8 @@ const (
 	PolicyResourceCreator ResourceCreatorRole = "policy"
 	// WorkflowResourceCreator create the resource in workflow.
 	WorkflowResourceCreator ResourceCreatorRole = "workflow"
+	// DebugResourceCreator create the debug resource.
+	DebugResourceCreator ResourceCreatorRole = "debug"
 )
 
 // OAMObjectReference defines the object reference for an oam resource

apis/core.oam.dev/v1alpha1/garbagecollect_types.go

@@ -33,11 +33,22 @@ type GarbageCollectPolicySpec struct {
 	// outdated resources will be kept until resourcetracker be deleted manually
 	KeepLegacyResource bool `json:"keepLegacyResource,omitempty"`
 
+	// Order defines the order of garbage collect
+	Order GarbageCollectOrder `json:"order,omitempty"`
+
 	// Rules defines list of rules to control gc strategy at resource level
 	// if one resource is controlled by multiple rules, first rule will be used
 	Rules []GarbageCollectPolicyRule `json:"rules,omitempty"`
 }
 
+// GarbageCollectOrder is the order of garbage collect
+type GarbageCollectOrder string
+
+const (
+	// OrderDependency is the order of dependency
+	OrderDependency GarbageCollectOrder = "dependency"
+)
+
 // GarbageCollectPolicyRule defines a single garbage-collect policy rule
 type GarbageCollectPolicyRule struct {
 	Selector GarbageCollectPolicyRuleSelector `json:"selector"`
@@ -45,12 +56,13 @@ type GarbageCollectPolicyRule struct {
 }
 
 // GarbageCollectPolicyRuleSelector select the targets of the rule
-// if both traitTypes and componentTypes are specified, combination logic is OR
+// if both traitTypes, oamTypes and componentTypes are specified, combination logic is OR
 // if one resource is specified with conflict strategies, strategy as component go first.
 type GarbageCollectPolicyRuleSelector struct {
-	CompNames  []string `json:"componentNames"`
-	CompTypes  []string `json:"componentTypes"`
-	TraitTypes []string `json:"traitTypes"`
+	CompNames        []string `json:"componentNames"`
+	CompTypes        []string `json:"componentTypes"`
+	OAMResourceTypes []string `json:"oamTypes"`
+	TraitTypes       []string `json:"traitTypes"`
 }
 
 // GarbageCollectStrategy the strategy for target resource to recycle
@@ -69,10 +81,11 @@ const (
 // FindStrategy find gc strategy for target resource
 func (in GarbageCollectPolicySpec) FindStrategy(manifest *unstructured.Unstructured) *GarbageCollectStrategy {
 	for _, rule := range in.Rules {
-		var compName, compType, traitType string
+		var compName, compType, oamType, traitType string
 		if labels := manifest.GetLabels(); labels != nil {
 			compName = labels[oam.LabelAppComponent]
 			compType = labels[oam.WorkloadTypeLabel]
+			oamType = labels[oam.LabelOAMResourceType]
 			traitType = labels[oam.TraitTypeLabel]
 		}
 		match := func(src []string, val string) (found bool) {
@@ -83,6 +96,7 @@ func (in GarbageCollectPolicySpec) FindStrategy(manifest *unstructured.Unstructu
 		}
 		if match(rule.Selector.CompNames, compName) ||
 			match(rule.Selector.CompTypes, compType) ||
+			match(rule.Selector.OAMResourceTypes, oamType) ||
 			match(rule.Selector.TraitTypes, traitType) {
 			return &rule.Strategy
 		}

apis/core.oam.dev/v1alpha1/garbagecollect_types_test.go

@@ -109,6 +109,18 @@ func TestGarbageCollectPolicySpec_FindStrategy(t *testing.T) {
 			}},
 			expectStrategy: GarbageCollectStrategyNever,
 		},
+		"resource type rule match": {
+			rules: []GarbageCollectPolicyRule{{
+				Selector: GarbageCollectPolicyRuleSelector{OAMResourceTypes: []string{"TRAIT"}},
+				Strategy: GarbageCollectStrategyNever,
+			}},
+			input: &unstructured.Unstructured{Object: map[string]interface{}{
+				"metadata": map[string]interface{}{
+					"labels": map[string]interface{}{oam.LabelOAMResourceType: "TRAIT"},
+				},
+			}},
+			expectStrategy: GarbageCollectStrategyNever,
+		},
 	}
 	for name, tc := range testCases {
 		t.Run(name, func(t *testing.T) {

apis/core.oam.dev/v1alpha1/policy_types.go

@@ -21,6 +21,8 @@ const (
 	TopologyPolicyType = "topology"
 	// OverridePolicyType refers to the type of override policy
 	OverridePolicyType = "override"
+	// DebugPolicyType refers to the type of debug policy
+	DebugPolicyType = "debug"
 )
 
 // TopologyPolicySpec defines the spec of topology policy

apis/core.oam.dev/v1alpha1/register.go

@@ -19,11 +19,13 @@ package v1alpha1
 import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"sigs.k8s.io/controller-runtime/pkg/scheme"
+
+	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 )
 
 // Package type metadata.
 const (
-	Group   = "core.oam.dev"
+	Group   = common.Group
 	Version = "v1alpha1"
 )
 

apis/core.oam.dev/v1alpha1/zz_generated.deepcopy.go

@@ -291,6 +291,11 @@ func (in *GarbageCollectPolicyRuleSelector) DeepCopyInto(out *GarbageCollectPoli
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.OAMResourceTypes != nil {
+		in, out := &in.OAMResourceTypes, &out.OAMResourceTypes
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	if in.TraitTypes != nil {
 		in, out := &in.TraitTypes, &out.TraitTypes
 		*out = make([]string, len(*in))

apis/core.oam.dev/v1alpha2/application_types.go

@@ -87,7 +87,7 @@ type ApplicationSpec struct {
 
 // Application is the Schema for the applications API
 // +kubebuilder:object:root=true
-// +kubebuilder:resource:categories={oam},shortName=app
+// +kubebuilder:resource:categories={oam},shortName={app,velaapp}
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="COMPONENT",type=string,JSONPath=`.spec.components[*].name`
 // +kubebuilder:printcolumn:name="TYPE",type=string,JSONPath=`.spec.components[*].type`

apis/core.oam.dev/v1alpha2/register.go

@@ -21,11 +21,13 @@ import (
 
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"sigs.k8s.io/controller-runtime/pkg/scheme"
+
+	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 )
 
 // Package type metadata.
 const (
-	Group   = "core.oam.dev"
+	Group   = common.Group
 	Version = "v1alpha2"
 )
 

apis/core.oam.dev/v1beta1/application_types.go

@@ -82,7 +82,7 @@ type ApplicationSpec struct {
 // Application is the Schema for the applications API
 // +kubebuilder:storageversion
 // +kubebuilder:subresource:status
-// +kubebuilder:resource:categories={oam},shortName=app
+// +kubebuilder:resource:categories={oam},shortName={app,velaapp}
 // +kubebuilder:printcolumn:name="COMPONENT",type=string,JSONPath=`.spec.components[*].name`
 // +kubebuilder:printcolumn:name="TYPE",type=string,JSONPath=`.spec.components[*].type`
 // +kubebuilder:printcolumn:name="PHASE",type=string,JSONPath=`.status.status`

apis/core.oam.dev/v1beta1/core_types.go

@@ -157,6 +157,9 @@ type TraitDefinitionSpec struct {
 	// SkipRevisionAffect defines the update this trait will not generate a new application Revision
 	// +optional
 	SkipRevisionAffect bool `json:"skipRevisionAffect,omitempty"`
+	// ControlPlaneOnly defines which cluster is dispatched to
+	// +optional
+	ControlPlaneOnly bool `json:"controlPlaneOnly,omitempty"`
 }
 
 // TraitDefinitionStatus is the status of TraitDefinition

apis/core.oam.dev/v1beta1/policy_definition.go

@@ -43,6 +43,9 @@ type PolicyDefinitionStatus struct {
 	// ConditionedStatus reflects the observed status of a resource
 	condition.ConditionedStatus `json:",inline"`
 
+	// ConfigMapRef refer to a ConfigMap which contains OpenAPI V3 JSON schema of Component parameters.
+	ConfigMapRef string `json:"configMapRef,omitempty"`
+
 	// LatestRevision of the component definition
 	// +optional
 	LatestRevision *common.Revision `json:"latestRevision,omitempty"`

apis/core.oam.dev/v1beta1/register.go

@@ -21,11 +21,13 @@ import (
 
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"sigs.k8s.io/controller-runtime/pkg/scheme"
+
+	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 )
 
 // Package type metadata.
 const (
-	Group   = "core.oam.dev"
+	Group   = common.Group
 	Version = "v1beta1"
 )
 

apis/core.oam.dev/v1beta1/resourcetracker_types.go

@@ -31,6 +31,7 @@ import (
 
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/apis/interfaces"
+	velatypes "github.com/oam-dev/kubevela/apis/types"
 	"github.com/oam-dev/kubevela/pkg/oam"
 	"github.com/oam-dev/kubevela/pkg/utils/errors"
 )
@@ -121,7 +122,11 @@ func (in ManagedResource) NamespacedName() types.NamespacedName {
 // ResourceKey computes the key for managed resource, resources with the same key points to the same resource
 func (in ManagedResource) ResourceKey() string {
 	gv, kind := in.GroupVersionKind().ToAPIVersionAndKind()
-	return strings.Join([]string{gv, kind, in.Cluster, in.Namespace, in.Name}, "/")
+	cluster := in.Cluster
+	if cluster == "" {
+		cluster = velatypes.ClusterLocalName
+	}
+	return strings.Join([]string{gv, kind, cluster, in.Namespace, in.Name}, "/")
 }
 
 // ComponentKey computes the key for the component which managed resource belongs to
@@ -186,10 +191,9 @@ func (in *ResourceTracker) findMangedResourceIndex(mr ManagedResource) int {
 	return -1
 }
 
-// AddManagedResource add object to managed resources, if exists, update
-func (in *ResourceTracker) AddManagedResource(rsc client.Object, metaOnly bool) (updated bool) {
+func newManagedResourceFromResource(rsc client.Object) ManagedResource {
 	gvk := rsc.GetObjectKind().GroupVersionKind()
-	mr := ManagedResource{
+	return ManagedResource{
 		ClusterObjectReference: common.ClusterObjectReference{
 			ObjectReference: v1.ObjectReference{
 				APIVersion: gvk.GroupVersion().String(),
@@ -202,9 +206,23 @@ func (in *ResourceTracker) AddManagedResource(rsc client.Object, metaOnly bool)
 		OAMObjectReference: common.NewOAMObjectReferenceFromObject(rsc),
 		Deleted:            false,
 	}
+}
+
+// ContainsManagedResource check if resource exists in ResourceTracker
+func (in *ResourceTracker) ContainsManagedResource(rsc client.Object) bool {
+	mr := newManagedResourceFromResource(rsc)
+	return in.findMangedResourceIndex(mr) >= 0
+}
+
+// AddManagedResource add object to managed resources, if exists, update
+func (in *ResourceTracker) AddManagedResource(rsc client.Object, metaOnly bool, creator common.ResourceCreatorRole) (updated bool) {
+	mr := newManagedResourceFromResource(rsc)
 	if !metaOnly {
 		mr.Data = &runtime.RawExtension{Object: rsc}
 	}
+	if creator != "" {
+		mr.ClusterObjectReference.Creator = creator
+	}
 	if idx := in.findMangedResourceIndex(mr); idx >= 0 {
 		if reflect.DeepEqual(in.Spec.ManagedResources[idx], mr) {
 			return false

apis/core.oam.dev/v1beta1/resourcetracker_types_test.go

@@ -156,16 +156,16 @@ func TestResourceTracker_ManagedResource(t *testing.T) {
 	r := require.New(t)
 	input := &ResourceTracker{}
 	deploy1 := v12.Deployment{ObjectMeta: v13.ObjectMeta{Name: "deploy1"}}
-	input.AddManagedResource(&deploy1, true)
+	input.AddManagedResource(&deploy1, true, "")
 	r.Equal(1, len(input.Spec.ManagedResources))
 	cm2 := v1.ConfigMap{ObjectMeta: v13.ObjectMeta{Name: "cm2"}}
-	input.AddManagedResource(&cm2, false)
+	input.AddManagedResource(&cm2, false, "")
 	r.Equal(2, len(input.Spec.ManagedResources))
 	pod3 := v1.Pod{ObjectMeta: v13.ObjectMeta{Name: "pod3"}}
-	input.AddManagedResource(&pod3, false)
+	input.AddManagedResource(&pod3, false, "")
 	r.Equal(3, len(input.Spec.ManagedResources))
 	deploy1.Spec.Replicas = pointer.Int32(5)
-	input.AddManagedResource(&deploy1, false)
+	input.AddManagedResource(&deploy1, false, "")
 	r.Equal(3, len(input.Spec.ManagedResources))
 	input.DeleteManagedResource(&cm2, false)
 	r.Equal(3, len(input.Spec.ManagedResources))

apis/types/multicluster.go

@@ -16,9 +16,15 @@ limitations under the License.
 
 package types
 
-import "github.com/oam-dev/cluster-gateway/pkg/apis/cluster/v1alpha1"
+import (
+	"github.com/oam-dev/cluster-gateway/pkg/apis/cluster/v1alpha1"
+	"github.com/oam-dev/cluster-gateway/pkg/config"
+)
 
 const (
+	// ClusterLocalName the name for the hub cluster
+	ClusterLocalName = "local"
+
 	// CredentialTypeInternal identifies the virtual cluster from internal kubevela system
 	CredentialTypeInternal v1alpha1.CredentialType = "Internal"
 	// CredentialTypeOCMManagedCluster identifies the virtual cluster from ocm
@@ -29,3 +35,8 @@ const (
 	// ClustersArg indicates the argument for specific clusters to install addon
 	ClustersArg = "clusters"
 )
+
+var (
+	// AnnotationClusterAlias the annotation key for cluster alias
+	AnnotationClusterAlias = config.MetaApiGroupName + "/cluster-alias"
+)

apis/types/types.go

@@ -18,6 +18,13 @@ package types
 
 import "github.com/oam-dev/kubevela/pkg/oam"
 
+const (
+	// KubeVelaName name of kubevela
+	KubeVelaName = "kubevela"
+	// VelaCoreName name of vela-core
+	VelaCoreName = "vela-core"
+)
+
 const (
 	// DefaultKubeVelaReleaseName defines the default name of KubeVela Release
 	DefaultKubeVelaReleaseName = "kubevela"
@@ -41,6 +48,8 @@ var DefaultKubeVelaNS = "vela-system"
 const (
 	// AnnoDefinitionDescription is the annotation which describe what is the capability used for in a WorkloadDefinition/TraitDefinition Object
 	AnnoDefinitionDescription = "definition.oam.dev/description"
+	// AnnoDefinitionAlias is the annotation for definition alias
+	AnnoDefinitionAlias = "definition.oam.dev/alias"
 	// AnnoDefinitionIcon is the annotation which describe the icon url
 	AnnoDefinitionIcon = "definition.oam.dev/icon"
 	// AnnoDefinitionAppliedWorkloads is the annotation which describe what is the workloads used for in a TraitDefinition Object
@@ -71,6 +80,10 @@ const (
 	LabelConfigProject = "config.oam.dev/project"
 	// LabelConfigSyncToMultiCluster is the label to decide whether a config will be synchronized to multi-cluster
 	LabelConfigSyncToMultiCluster = "config.oam.dev/multi-cluster"
+	// LabelConfigIdentifier is the label for config identifier
+	LabelConfigIdentifier = "config.oam.dev/identifier"
+	// AnnotationConfigDescription is the annotation for config description
+	AnnotationConfigDescription = "config.oam.dev/description"
 	// AnnotationConfigAlias is the annotation for config alias
 	AnnotationConfigAlias = "config.oam.dev/alias"
 )
@@ -139,4 +152,25 @@ const (
 	TerraformProvider = "terraform-provider"
 	// DexConnector is the config type for dex connector
 	DexConnector = "config-dex-connector"
+	// ImageRegistry is the config type for image registry
+	ImageRegistry = "config-image-registry"
+	// HelmRepository is the config type for Helm chart repository
+	HelmRepository = "config-helm-repository"
+)
+
+const (
+	// TerraformComponentPrefix is the prefix of component type of terraform-xxx
+	TerraformComponentPrefix = "terraform-"
+
+	// ProviderAppPrefix is the prefix of the application to create a Terraform Provider
+	ProviderAppPrefix = "config-terraform-provider"
+	// ProviderNamespace is the namespace of Terraform Cloud Provider
+	ProviderNamespace = "default"
+	// VelaCoreConfig is to mark application, config and its secret or Terraform provider lelong to a KubeVela config
+	VelaCoreConfig = "velacore-config"
+)
+
+const (
+	// ClusterGatewayAccessorGroup the group to impersonate which allows the access to the cluster-gateway
+	ClusterGatewayAccessorGroup = "cluster-gateway-accessor"
 )

charts/oam-runtime/crds/core.oam.dev_traitdefinitions.yaml

@@ -372,6 +372,10 @@ spec:
                 items:
                   type: string
                 type: array
+              controlPlaneOnly:
+                description: ControlPlaneOnly defines which cluster is dispatched
+                  to
+                type: boolean
               definitionRef:
                 description: Reference to the CustomResourceDefinition that defines
                   this trait kind.

charts/vela-core/README.md

@@ -1,18 +1,18 @@
 <div style="text-align: center">
   <p align="center">
-    <img src="https://raw.githubusercontent.com/oam-dev/kubevela.io/main/docs/resources/KubeVela-03.png">
+    <img src="https://raw.githubusercontent.com/kubevela/kubevela.io/main/docs/resources/KubeVela-03.png">
     <br><br>
     <i>Make shipping applications more enjoyable.</i>
   </p>
 </div>
 
-![Build status](https://github.com/oam-dev/kubevela/workflows/E2E/badge.svg)
-[![Go Report Card](https://goreportcard.com/badge/github.com/oam-dev/kubevela)](https://goreportcard.com/report/github.com/oam-dev/kubevela)
+![Build status](https://github.com/kubevela/kubevela/workflows/E2E/badge.svg)
+[![Go Report Card](https://goreportcard.com/badge/github.com/kubevela/kubevela)](https://goreportcard.com/report/github.com/kubevela/kubevela)
 ![Docker Pulls](https://img.shields.io/docker/pulls/oamdev/vela-core)
-[![codecov](https://codecov.io/gh/oam-dev/kubevela/branch/master/graph/badge.svg)](https://codecov.io/gh/oam-dev/kubevela)
-[![LICENSE](https://img.shields.io/github/license/oam-dev/kubevela.svg?style=flat-square)](/LICENSE)
-[![Releases](https://img.shields.io/github/release/oam-dev/kubevela/all.svg?style=flat-square)](https://github.com/oam-dev/kubevela/releases)
-[![TODOs](https://img.shields.io/endpoint?url=https://api.tickgit.com/badge?repo=github.com/oam-dev/kubevela)](https://www.tickgit.com/browse?repo=github.com/oam-dev/kubevela)
+[![codecov](https://codecov.io/gh/kubevela/kubevela/branch/master/graph/badge.svg)](https://codecov.io/gh/kubevela/kubevela)
+[![LICENSE](https://img.shields.io/github/license/kubevela/kubevela.svg?style=flat-square)](/LICENSE)
+[![Releases](https://img.shields.io/github/release/kubevela/kubevela/all.svg?style=flat-square)](https://github.com/kubevela/kubevela/releases)
+[![TODOs](https://img.shields.io/endpoint?url=https://api.tickgit.com/badge?repo=github.com/kubevela/kubevela)](https://www.tickgit.com/browse?repo=github.com/oam-dev/kubevela)
 [![Twitter](https://img.shields.io/twitter/url?style=social&url=https%3A%2F%2Ftwitter.com%2Foam_dev)](https://twitter.com/oam_dev)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/kubevela)](https://artifacthub.io/packages/search?repo=kubevela)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4602/badge)](https://bestpractices.coreinfrastructure.org/projects/4602)
@@ -78,20 +78,38 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 | `healthCheck.port`          | KubeVela health check port           | `9440`             |
 
 
+### KubeVela controller optimization parameters
+
+| Name                                              | Description                                                                                                                                       | Value   |
+| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `optimize.cachedGvks`                             | Optimize types of resources to be cached.                                                                                                         | `""`    |
+| `optimize.resourceTrackerListOp`                  | Optimize ResourceTracker List Op by adding index.                                                                                                 | `true`  |
+| `optimize.controllerReconcileLoopReduction`       | Optimize ApplicationController reconcile by reducing the number of loops to reconcile application.                                                | `false` |
+| `optimize.markWithProb`                           | Optimize ResourceTracker GC by only run mark with probability. Side effect: outdated ResourceTracker might not be able to be removed immediately. | `0.1`   |
+| `optimize.disableComponentRevision`               | Optimize componentRevision by disabling the creation and gc                                                                                       | `false` |
+| `optimize.disableApplicationRevision`             | Optimize ApplicationRevision by disabling the creation and gc.                                                                                    | `false` |
+| `optimize.disableWorkflowRecorder`                | Optimize workflow recorder by disabling the creation and gc.                                                                                      | `false` |
+| `optimize.enableInMemoryWorkflowContext`          | Optimize workflow by use in-memory context.                                                                                                       | `false` |
+| `optimize.disableResourceApplyDoubleCheck`        | Optimize workflow by ignoring resource double check after apply.                                                                                  | `false` |
+| `optimize.enableResourceTrackerDeleteOnlyTrigger` | Optimize resourcetracker by only trigger reconcile when resourcetracker is deleted.                                                               | `true`  |
+
+
 ### MultiCluster parameters
 
-| Name                                                  | Description                      | Value                            |
-| ----------------------------------------------------- | -------------------------------- | -------------------------------- |
-| `multicluster.enabled`                                | Whether to enable multi-cluster  | `true`                           |
-| `multicluster.clusterGateway.replicaCount`            | ClusterGateway replica count     | `1`                              |
-| `multicluster.clusterGateway.port`                    | ClusterGateway port              | `9443`                           |
-| `multicluster.clusterGateway.image.repository`        | ClusterGateway image repository  | `oamdev/cluster-gateway`         |
-| `multicluster.clusterGateway.image.tag`               | ClusterGateway image tag         | `v1.3.0`                         |
-| `multicluster.clusterGateway.image.pullPolicy`        | ClusterGateway image pull policy | `IfNotPresent`                   |
-| `multicluster.clusterGateway.resources.limits.cpu`    | ClusterGateway cpu limit         | `100m`                           |
-| `multicluster.clusterGateway.resources.limits.memory` | ClusterGateway memory limit      | `200Mi`                          |
-| `multicluster.clusterGateway.secureTLS.enabled`       | Whether to enable secure TLS     | `true`                           |
-| `multicluster.clusterGateway.secureTLS.certPath`      | Path to the certificate file     | `/etc/k8s-cluster-gateway-certs` |
+| Name                                                        | Description                                     | Value                            |
+| ----------------------------------------------------------- | ----------------------------------------------- | -------------------------------- |
+| `multicluster.enabled`                                      | Whether to enable multi-cluster                 | `true`                           |
+| `multicluster.metrics.enabled`                              | Whether to enable multi-cluster metrics collect | `false`                          |
+| `multicluster.clusterGateway.replicaCount`                  | ClusterGateway replica count                    | `1`                              |
+| `multicluster.clusterGateway.port`                          | ClusterGateway port                             | `9443`                           |
+| `multicluster.clusterGateway.image.repository`              | ClusterGateway image repository                 | `oamdev/cluster-gateway`         |
+| `multicluster.clusterGateway.image.tag`                     | ClusterGateway image tag                        | `v1.3.2`                         |
+| `multicluster.clusterGateway.image.pullPolicy`              | ClusterGateway image pull policy                | `IfNotPresent`                   |
+| `multicluster.clusterGateway.resources.limits.cpu`          | ClusterGateway cpu limit                        | `100m`                           |
+| `multicluster.clusterGateway.resources.limits.memory`       | ClusterGateway memory limit                     | `200Mi`                          |
+| `multicluster.clusterGateway.secureTLS.enabled`             | Whether to enable secure TLS                    | `true`                           |
+| `multicluster.clusterGateway.secureTLS.certPath`            | Path to the certificate file                    | `/etc/k8s-cluster-gateway-certs` |
+| `multicluster.clusterGateway.secureTLS.certManager.enabled` | Whether to enable cert-manager                  | `false`                          |
 
 
 ### Test parameters
@@ -106,23 +124,27 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 
 ### Common parameters
 
-| Name                         | Description                                                                                                                | Value   |
-| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `imagePullSecrets`           | Image pull secrets                                                                                                         | `[]`    |
-| `nameOverride`               | Override name                                                                                                              | `""`    |
-| `fullnameOverride`           | Fullname override                                                                                                          | `""`    |
-| `serviceAccount.create`      | Specifies whether a service account should be created                                                                      | `true`  |
-| `serviceAccount.annotations` | Annotations to add to the service account                                                                                  | `{}`    |
-| `serviceAccount.name`        | The name of the service account to use. If not set and create is true, a name is generated using the fullname template     | `nil`   |
-| `nodeSelector`               | Node selector                                                                                                              | `{}`    |
-| `tolerations`                | Tolerations                                                                                                                | `[]`    |
-| `affinity`                   | Affinity                                                                                                                   | `{}`    |
-| `rbac.create`                | Specifies whether a RBAC role should be created                                                                            | `true`  |
-| `logDebug`                   | Enable debug logs for development purpose                                                                                  | `false` |
-| `logFilePath`                | If non-empty, write log files in this path                                                                                 | `""`    |
-| `logFileMaxSize`             | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. | `1024`  |
-| `kubeClient.qps`             | The qps for reconcile clients, default is 50                                                                               | `50`    |
-| `kubeClient.burst`           | The burst for reconcile clients, default is 100                                                                            | `100`   |
+| Name                          | Description                                                                                                                | Value                |
+| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------- | -------------------- |
+| `imagePullSecrets`            | Image pull secrets                                                                                                         | `[]`                 |
+| `nameOverride`                | Override name                                                                                                              | `""`                 |
+| `fullnameOverride`            | Fullname override                                                                                                          | `""`                 |
+| `serviceAccount.create`       | Specifies whether a service account should be created                                                                      | `true`               |
+| `serviceAccount.annotations`  | Annotations to add to the service account                                                                                  | `{}`                 |
+| `serviceAccount.name`         | The name of the service account to use. If not set and create is true, a name is generated using the fullname template     | `nil`                |
+| `nodeSelector`                | Node selector                                                                                                              | `{}`                 |
+| `tolerations`                 | Tolerations                                                                                                                | `[]`                 |
+| `affinity`                    | Affinity                                                                                                                   | `{}`                 |
+| `rbac.create`                 | Specifies whether a RBAC role should be created                                                                            | `true`               |
+| `logDebug`                    | Enable debug logs for development purpose                                                                                  | `false`              |
+| `logFilePath`                 | If non-empty, write log files in this path                                                                                 | `""`                 |
+| `logFileMaxSize`              | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. | `1024`               |
+| `kubeClient.qps`              | The qps for reconcile clients, default is 50                                                                               | `50`                 |
+| `kubeClient.burst`            | The burst for reconcile clients, default is 100                                                                            | `100`                |
+| `authentication.enabled`      | Enable authentication for application                                                                                      | `false`              |
+| `authentication.withUser`     | Application authentication will impersonate as the request User                                                            | `false`              |
+| `authentication.defaultUser`  | Application authentication will impersonate as the User if no user provided in Application                                 | `kubevela:vela-core` |
+| `authentication.groupPattern` | Application authentication will impersonate as the request Group that matches the pattern                                  | `kubevela:*`         |
 
 
 ## Uninstallation
@@ -164,10 +186,4 @@ To uninstall the KubeVela helm release:
 $ helm uninstall -n vela-system kubevela
 ```
 
-Finally, this command will remove all the Kubernetes resources associated with KubeVela and remove this chart release.
-
-
-
-
-
-
+Finally, this command will remove all the Kubernetes resources associated with KubeVela and remove this chart release.

charts/vela-core/crds/core.oam.dev_applicationrevisions.yaml

@@ -934,6 +934,8 @@ spec:
                             type: array
                           suspend:
                             type: boolean
+                          suspendState:
+                            type: string
                           terminated:
                             type: boolean
                         required:
@@ -2743,6 +2745,8 @@ spec:
                             type: array
                           suspend:
                             type: boolean
+                          suspendState:
+                            type: string
                           terminated:
                             type: boolean
                         required:
@@ -3386,6 +3390,10 @@ spec:
                             - type
                             type: object
                           type: array
+                        configMapRef:
+                          description: ConfigMapRef refer to a ConfigMap which contains
+                            OpenAPI V3 JSON schema of Component parameters.
+                          type: string
                         latestRevision:
                           description: LatestRevision of the component definition
                           properties:
@@ -3499,7 +3507,7 @@ spec:
               scopeGVK:
                 additionalProperties:
                   description: GroupVersionKind unambiguously identifies a kind.  It
-                    doesn't anonymously include GroupVersion to avoid automatic coersion.  It
+                    doesn't anonymously include GroupVersion to avoid automatic coercion.  It
                     doesn't use a GroupVersion to avoid custom marshalling
                   properties:
                     group:
@@ -3577,6 +3585,10 @@ spec:
                           items:
                             type: string
                           type: array
+                        controlPlaneOnly:
+                          description: ControlPlaneOnly defines which cluster is dispatched
+                            to
+                          type: boolean
                         definitionRef:
                           description: Reference to the CustomResourceDefinition that
                             defines this trait kind.
@@ -4682,6 +4694,8 @@ spec:
                     type: array
                   suspend:
                     type: boolean
+                  suspendState:
+                    type: string
                   terminated:
                     type: boolean
                 required:

charts/vela-core/crds/core.oam.dev_definitionrevisions.yaml

@@ -636,6 +636,10 @@ spec:
                           - type
                           type: object
                         type: array
+                      configMapRef:
+                        description: ConfigMapRef refer to a ConfigMap which contains
+                          OpenAPI V3 JSON schema of Component parameters.
+                        type: string
                       latestRevision:
                         description: LatestRevision of the component definition
                         properties:
@@ -720,6 +724,10 @@ spec:
                         items:
                           type: string
                         type: array
+                      controlPlaneOnly:
+                        description: ControlPlaneOnly defines which cluster is dispatched
+                          to
+                        type: boolean
                       definitionRef:
                         description: Reference to the CustomResourceDefinition that
                           defines this trait kind.

charts/vela-core/crds/core.oam.dev_policydefinitions.yaml

@@ -244,6 +244,10 @@ spec:
                   - type
                   type: object
                 type: array
+              configMapRef:
+                description: ConfigMapRef refer to a ConfigMap which contains OpenAPI
+                  V3 JSON schema of Component parameters.
+                type: string
               latestRevision:
                 description: LatestRevision of the component definition
                 properties:

charts/vela-core/crds/core.oam.dev_traitdefinitions.yaml

@@ -372,6 +372,10 @@ spec:
                 items:
                   type: string
                 type: array
+              controlPlaneOnly:
+                description: ControlPlaneOnly defines which cluster is dispatched
+                  to
+                type: boolean
               definitionRef:
                 description: Reference to the CustomResourceDefinition that defines
                   this trait kind.

charts/vela-core/templates/admission-webhooks/certmanager.yaml

@@ -23,7 +23,7 @@ spec:
     name: {{ template "kubevela.fullname" . }}-self-signed-issuer
   commonName: "ca.webhook.kubevela"
   isCA: true
-  
+
 ---
 # Create an Issuer that uses the above generated CA certificate to issue certs
 apiVersion: cert-manager.io/v1

charts/vela-core/templates/admission-webhooks/mutatingWebhookConfiguration.yaml

@@ -120,6 +120,32 @@ webhooks:
           - UPDATE
         resources:
           - podspecworkloads
+  - clientConfig:
+      caBundle: Cg==
+      service:
+        name: {{ template "kubevela.name" . }}-webhook
+        namespace: {{ .Release.Namespace }}
+        path: /mutating-core-oam-dev-v1beta1-applications
+    {{- if .Values.admissionWebhooks.patch.enabled }}
+    failurePolicy: Ignore
+    {{- else }}
+    failurePolicy: Fail
+    {{- end }}
+    name: mutating.core.oam.dev.v1beta1.applications
+    admissionReviewVersions:
+      - v1beta1
+      - v1
+    sideEffects: None
+    rules:
+      - apiGroups:
+          - core.oam.dev
+        apiVersions:
+          - v1beta1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - applications
   - clientConfig:
       caBundle: Cg==
       service:

charts/vela-core/templates/cluster-gateway.yaml

@@ -1,277 +0,0 @@
-{{ if .Values.multicluster.enabled }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ .Release.Name }}-cluster-gateway
-  namespace: {{ .Release.Namespace }}
-  labels:
-  {{- include "kubevela.labels" . | nindent 4 }}
-spec:
-  replicas: {{ .Values.multicluster.clusterGateway.replicaCount }}
-  selector:
-    matchLabels:
-    {{- include "kubevela-cluster-gateway.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      labels:
-      {{- include "kubevela-cluster-gateway.selectorLabels" . | nindent 8 }}
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "kubevela.serviceAccountName" . }}
-      securityContext:
-      {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      containers:
-        - name: {{ include "kubevela.fullname" . }}-cluster-gateway
-          securityContext:
-          {{- toYaml .Values.securityContext | nindent 12 }}
-          args:
-            - "apiserver"
-            - "--secure-port={{ .Values.multicluster.clusterGateway.port }}"
-            - "--secret-namespace={{ .Release.Namespace }}"
-            - "--feature-gates=APIPriorityAndFairness=false"
-            {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
-            - "--cert-dir={{ .Values.multicluster.clusterGateway.secureTLS.certPath }}"
-            {{ end }}
-          image: {{ .Values.imageRegistry }}{{ .Values.multicluster.clusterGateway.image.repository }}:{{ .Values.multicluster.clusterGateway.image.tag }}
-          imagePullPolicy: {{ .Values.multicluster.clusterGateway.image.pullPolicy }}
-          resources:
-          {{- toYaml .Values.multicluster.clusterGateway.resources | nindent 12 }}
-          ports:
-            - containerPort: {{ .Values.multicluster.clusterGateway.port }}
-          {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
-          volumeMounts:
-            - mountPath: {{ .Values.multicluster.clusterGateway.secureTLS.certPath }}
-              name: tls-cert-vol
-              readOnly: true
-          {{- end }}
-      {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
-      volumes:
-        - name: tls-cert-vol
-          secret:
-            defaultMode: 420
-            secretName: {{ template "kubevela.fullname" . }}-cluster-gateway-tls
-      {{ end }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
-  strategy:
-    type: RollingUpdate
-    rollingUpdate:
-      maxSurge: 1
-      maxUnavailable: 1
-{{ end }}
----
-{{ if .Values.multicluster.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ .Release.Name }}-cluster-gateway-service
-  namespace: {{ .Release.Namespace }}
-spec:
-  selector:
-  {{- include "kubevela-cluster-gateway.selectorLabels" . | nindent 4 }}
-  ports:
-    - protocol: TCP
-      port: {{ .Values.multicluster.clusterGateway.port }}
-      targetPort: {{ .Values.multicluster.clusterGateway.port }}
-{{ end }}
----
-{{ if .Values.multicluster.enabled }}
-# 1.  Check whether APIService ""v1alpha1.cluster.core.oam.dev" is already present in the cluster
-# 2.a If the APIService doesn't exist, create it.
-# 2.b If the APIService exists without helm-chart related annotation, skip creating it to the
-#     cluster because the APIService can be managed by an external controller.
-# 2.c If the APIService exists with valid helm-chart annotations, which means that the APIService
-#     is previously managed by helm commands, hence update the APIService consistently.
-{{ $apiSvc := (lookup "apiregistration.k8s.io/v1" "APIService" "" "v1alpha1.cluster.core.oam.dev") }}
-{{ $shouldAdopt := (not $apiSvc) }}
-{{ if not $shouldAdopt }}
-  {{ if $apiSvc.metadata.annotations }}
-    {{ $shouldAdopt = (index ($apiSvc).metadata.annotations "meta.helm.sh/release-name") }}
-  {{ end }}
-{{ end }}
-{{ if $shouldAdopt }}
-apiVersion: apiregistration.k8s.io/v1
-kind: APIService
-metadata:
-  name: v1alpha1.cluster.core.oam.dev
-  labels:
-    api: cluster-extension-apiserver
-    apiserver: "true"
-spec:
-  version: v1alpha1
-  group: cluster.core.oam.dev
-  groupPriorityMinimum: 2000
-  service:
-    name: {{ .Release.Name }}-cluster-gateway-service
-    namespace: {{ .Release.Namespace }}
-    port: {{ .Values.multicluster.clusterGateway.port }}
-  versionPriority: 10
-  insecureSkipTLSVerify: {{ not .Values.multicluster.clusterGateway.secureTLS.enabled }}
-  {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
-  caBundle: Cg==
-  {{ end }}
-{{ end }}
-{{ end }}
----
-{{ if and .Values.multicluster.enabled .Values.multicluster.clusterGateway.secureTLS.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ template "kubevela.fullname" . }}-cluster-gateway-admission
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-  labels:
-    app: {{ template "kubevela.name" . }}-cluster-gateway-admission
-    {{- include "kubevela.labels" . | nindent 4 }}
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    verbs:
-      - get
-      - create
-{{- end }}
----
-{{ if and .Values.multicluster.enabled .Values.multicluster.clusterGateway.secureTLS.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ template "kubevela.fullname" . }}-cluster-gateway-admission
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-  labels:
-    app: {{ template "kubevela.name" . }}-cluster-gateway-admission
-    {{- include "kubevela.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ template "kubevela.fullname" . }}-cluster-gateway-admission
-subjects:
-  - kind: ServiceAccount
-    name: {{ template "kubevela.fullname" . }}-cluster-gateway-admission
-    namespace: {{ .Release.Namespace }}
-{{- end }}
----
-{{ if and .Values.multicluster.enabled .Values.multicluster.clusterGateway.secureTLS.enabled }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ template "kubevela.fullname" . }}-cluster-gateway-admission
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-  labels:
-    app: {{ template "kubevela.name" . }}-cluster-gateway-admission
-    {{- include "kubevela.labels" . | nindent 4 }}
-{{- end }}
----
-{{ if and .Values.multicluster.enabled .Values.multicluster.clusterGateway.secureTLS.enabled }}
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-secret-create
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-  labels:
-    app: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-secret-create
-    {{- include "kubevela.labels" . | nindent 4 }}
-spec:
-  {{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
-  # Alpha feature since k8s 1.12
-  ttlSecondsAfterFinished: 0
-  {{- end }}
-  template:
-    metadata:
-      name: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-secret-create
-      labels:
-        app: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-secret-create
-        {{- include "kubevela.labels" . | nindent 8 }}
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
-      containers:
-      - name: create
-        image: {{ .Values.imageRegistry }}{{ .Values.admissionWebhooks.patch.image.repository }}:{{ .Values.admissionWebhooks.patch.image.tag }}
-        imagePullPolicy: {{ .Values.admissionWebhooks.patch.image.pullPolicy }}
-        args:
-          - create
-          - --host={{ .Release.Name }}-cluster-gateway-service,{{ .Release.Name }}-cluster-gateway-service.{{ .Release.Namespace }}.svc
-          - --namespace={{ .Release.Namespace }}
-          - --secret-name={{ template "kubevela.fullname" . }}-cluster-gateway-tls
-          - --key-name=apiserver.key
-          - --cert-name=apiserver.crt
-      restartPolicy: OnFailure
-      serviceAccountName: {{ template "kubevela.fullname" . }}-cluster-gateway-admission
-      securityContext:
-        runAsGroup: 2000
-        runAsNonRoot: true
-        runAsUser: 2000
-{{ end }}
----
-{{ if and .Values.multicluster.enabled .Values.multicluster.clusterGateway.secureTLS.enabled }}
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-secret-patch
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    "helm.sh/hook": post-install,post-upgrade
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-  labels:
-    app: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-secret-patch
-    {{- include "kubevela.labels" . | nindent 4 }}
-spec:
-  {{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
-  # Alpha feature since k8s 1.12
-  ttlSecondsAfterFinished: 0
-  {{- end }}
-  template:
-    metadata:
-      name: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-secret-patch
-      labels:
-        app: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-secret-patch
-        {{- include "kubevela.labels" . | nindent 8 }}
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
-      containers:
-      - name: patch
-        image: {{ .Values.imageRegistry }}{{ .Values.multicluster.clusterGateway.image.repository }}:{{ .Values.multicluster.clusterGateway.image.tag }}
-        imagePullPolicy: {{ .Values.multicluster.clusterGateway.image.pullPolicy }}
-        command:
-          - /patch
-        args:
-          - --secret-namespace={{ .Release.Namespace }}
-          - --secret-name={{ template "kubevela.fullname" . }}-cluster-gateway-tls
-      restartPolicy: OnFailure
-      serviceAccountName: {{ include "kubevela.serviceAccountName" . }}
-      securityContext:
-        runAsGroup: 2000
-        runAsNonRoot: true
-        runAsUser: 2000
-{{ end }}

charts/vela-core/templates/cluster-gateway/certmanager.yaml

@@ -0,0 +1,24 @@
+{{- if and .Values.multicluster.enabled .Values.multicluster.clusterGateway.secureTLS.enabled .Values.multicluster.clusterGateway.secureTLS.certManager.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ template "kubevela.fullname" . }}-cluster-gateway-issuer
+  namespace: {{ .Release.Namespace }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "kubevela.fullname" . }}-cluster-gateway-tls
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretName: {{ template "kubevela.fullname" . }}-cluster-gateway-tls
+  duration: 8760h # 1y
+  issuerRef:
+    name: {{ template "kubevela.fullname" . }}-cluster-gateway-issuer
+  dnsNames:
+    - {{ .Release.Name }}-cluster-gateway-service
+    - {{ .Release.Name }}-cluster-gateway-service.{{ .Release.Namespace }}.svc
+    - {{ .Release.Name }}-cluster-gateway-service.{{ .Release.Namespace }}.svc.cluster.local
+{{- end }}

charts/vela-core/templates/cluster-gateway/cluster-gateway.yaml

@@ -0,0 +1,150 @@
+{{ if .Values.multicluster.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}-cluster-gateway
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- include "kubevela.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.multicluster.clusterGateway.replicaCount }}
+  selector:
+    matchLabels:
+    {{- include "kubevela-cluster-gateway.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+      {{- include "kubevela-cluster-gateway.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "kubevela.serviceAccountName" . }}
+      securityContext:
+      {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ include "kubevela.fullname" . }}-cluster-gateway
+          securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}
+          args:
+            - "apiserver"
+            - "--secure-port={{ .Values.multicluster.clusterGateway.port }}"
+            - "--secret-namespace={{ .Release.Namespace }}"
+            - "--feature-gates=APIPriorityAndFairness=false"
+            {{- if .Values.multicluster.clusterGateway.secureTLS.enabled }}
+            - "--tls-cert-file={{ .Values.multicluster.clusterGateway.secureTLS.certPath }}/tls.crt"
+            - "--tls-private-key-file={{ .Values.multicluster.clusterGateway.secureTLS.certPath }}/tls.key"
+            {{- end }}
+          image: {{ .Values.imageRegistry }}{{ .Values.multicluster.clusterGateway.image.repository }}:{{ .Values.multicluster.clusterGateway.image.tag }}
+          imagePullPolicy: {{ .Values.multicluster.clusterGateway.image.pullPolicy }}
+          resources:
+          {{- toYaml .Values.multicluster.clusterGateway.resources | nindent 12 }}
+          ports:
+            - containerPort: {{ .Values.multicluster.clusterGateway.port }}
+          {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
+          volumeMounts:
+            - mountPath: {{ .Values.multicluster.clusterGateway.secureTLS.certPath }}
+              name: tls-cert-vol
+              readOnly: true
+          {{- end }}
+      {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
+      volumes:
+        - name: tls-cert-vol
+          secret:
+            defaultMode: 420
+            secretName: {{ template "kubevela.fullname" . }}-cluster-gateway-tls
+      {{ end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 1
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}-cluster-gateway-service
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+  {{- include "kubevela-cluster-gateway.selectorLabels" . | nindent 4 }}
+  ports:
+    - protocol: TCP
+      port: {{ .Values.multicluster.clusterGateway.port }}
+      targetPort: {{ .Values.multicluster.clusterGateway.port }}
+---
+# 1.  Check whether APIService ""v1alpha1.cluster.core.oam.dev" is already present in the cluster
+# 2.a If the APIService doesn't exist, create it.
+# 2.b If the APIService exists without helm-chart related annotation, skip creating it to the
+#     cluster because the APIService can be managed by an external controller.
+# 2.c If the APIService exists with valid helm-chart annotations, which means that the APIService
+#     is previously managed by helm commands, hence update the APIService consistently.
+{{ $apiSvc := (lookup "apiregistration.k8s.io/v1" "APIService" "" "v1alpha1.cluster.core.oam.dev") }}
+{{ $shouldAdopt := (not $apiSvc) }}
+{{ if not $shouldAdopt }}
+  {{ if $apiSvc.metadata.annotations }}
+    {{ $shouldAdopt = (index ($apiSvc).metadata.annotations "meta.helm.sh/release-name") }}
+  {{ end }}
+{{ end }}
+{{ if $shouldAdopt }}
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: v1alpha1.cluster.core.oam.dev
+  annotations:
+    {{- if and .Values.multicluster.clusterGateway.secureTLS.enabled .Values.multicluster.clusterGateway.secureTLS.certManager.enabled }}
+    cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ template "kubevela.fullname" . }}-cluster-gateway-tls"
+    {{- end }}
+  labels:
+    api: cluster-extension-apiserver
+    apiserver: "true"
+spec:
+  version: v1alpha1
+  group: cluster.core.oam.dev
+  groupPriorityMinimum: 2000
+  service:
+    name: {{ .Release.Name }}-cluster-gateway-service
+    namespace: {{ .Release.Namespace }}
+    port: {{ .Values.multicluster.clusterGateway.port }}
+  versionPriority: 10
+  insecureSkipTLSVerify: {{ not .Values.multicluster.clusterGateway.secureTLS.enabled }}
+  {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
+  caBundle: Cg==
+  {{ end }}
+{{ end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-role
+rules:
+  - apiGroups: [ "cluster.core.oam.dev" ]
+    resources: [ "clustergateways/proxy" ]
+    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-role
+subjects:
+  - kind: Group
+    name: cluster-gateway-accessor
+    apiGroup: rbac.authorization.k8s.io
+{{ end }}

charts/vela-core/templates/cluster-gateway/job-patch.yaml

@@ -0,0 +1,141 @@
+{{- if and .Values.multicluster.enabled .Values.multicluster.clusterGateway.secureTLS.enabled (not .Values.multicluster.clusterGateway.secureTLS.certManager.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "kubevela.fullname" . }}-cluster-gateway-admission
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    app: {{ template "kubevela.name" . }}-cluster-gateway-admission
+    {{- include "kubevela.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "kubevela.fullname" . }}-cluster-gateway-admission
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    app: {{ template "kubevela.name" . }}-cluster-gateway-admission
+    {{- include "kubevela.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "kubevela.fullname" . }}-cluster-gateway-admission
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "kubevela.fullname" . }}-cluster-gateway-admission
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "kubevela.fullname" . }}-cluster-gateway-admission
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    app: {{ template "kubevela.name" . }}-cluster-gateway-admission
+    {{- include "kubevela.labels" . | nindent 4 }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-secret-create
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    app: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-secret-create
+    {{- include "kubevela.labels" . | nindent 4 }}
+spec:
+  {{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
+  # Alpha feature since k8s 1.12
+  ttlSecondsAfterFinished: 0
+  {{- end }}
+  template:
+    metadata:
+      name: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-secret-create
+      labels:
+        app: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-secret-create
+        {{- include "kubevela.labels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+      - name: create
+        image: {{ .Values.imageRegistry }}{{ .Values.admissionWebhooks.patch.image.repository }}:{{ .Values.admissionWebhooks.patch.image.tag }}
+        imagePullPolicy: {{ .Values.admissionWebhooks.patch.image.pullPolicy }}
+        args:
+          - create
+          - --host={{ .Release.Name }}-cluster-gateway-service,{{ .Release.Name }}-cluster-gateway-service.{{ .Release.Namespace }}.svc
+          - --namespace={{ .Release.Namespace }}
+          - --secret-name={{ template "kubevela.fullname" . }}-cluster-gateway-tls
+          - --cert-name=tls.crt
+          - --key-name=tls.key
+      restartPolicy: OnFailure
+      serviceAccountName: {{ template "kubevela.fullname" . }}-cluster-gateway-admission
+      securityContext:
+        runAsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-secret-patch
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    app: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-secret-patch
+    {{- include "kubevela.labels" . | nindent 4 }}
+spec:
+  {{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
+  # Alpha feature since k8s 1.12
+  ttlSecondsAfterFinished: 0
+  {{- end }}
+  template:
+    metadata:
+      name: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-secret-patch
+      labels:
+        app: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-secret-patch
+        {{- include "kubevela.labels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+      - name: patch
+        image: {{ .Values.imageRegistry }}{{ .Values.multicluster.clusterGateway.image.repository }}:{{ .Values.multicluster.clusterGateway.image.tag }}
+        imagePullPolicy: {{ .Values.multicluster.clusterGateway.image.pullPolicy }}
+        command:
+          - /patch
+        args:
+          - --secret-namespace={{ .Release.Namespace }}
+          - --secret-name={{ template "kubevela.fullname" . }}-cluster-gateway-tls
+      restartPolicy: OnFailure
+      serviceAccountName: {{ include "kubevela.serviceAccountName" . }}
+      securityContext:
+        runAsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+{{ end }}

charts/vela-core/templates/defwithtemplate/config-image-registry.yaml

@@ -0,0 +1,73 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/config-image-registry.cue
+apiVersion: core.oam.dev/v1beta1
+kind: ComponentDefinition
+metadata:
+  annotations:
+    custom.definition.oam.dev/alias.config.oam.dev: Image Registry
+    definition.oam.dev/description: Config information to authenticate image registry
+  labels:
+    custom.definition.oam.dev/catalog.config.oam.dev: velacore-config
+    custom.definition.oam.dev/multi-cluster.config.oam.dev: "true"
+    custom.definition.oam.dev/type.config.oam.dev: image-registry
+    custom.definition.oam.dev/ui-hidden: "true"
+  name: config-image-registry
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"encoding/base64"
+        	"encoding/json"
+        )
+
+        output: {
+        	apiVersion: "v1"
+        	kind:       "Secret"
+        	metadata: {
+        		name:      context.name
+        		namespace: context.namespace
+        		labels: {
+        			"config.oam.dev/catalog":       "velacore-config"
+        			"config.oam.dev/type":          "image-registry"
+        			"config.oam.dev/multi-cluster": "true"
+        			"config.oam.dev/identifier":    parameter.registry
+        			"config.oam.dev/sub-type":      "auth"
+        		}
+        	}
+        	if parameter.auth != _|_ {
+        		type: "kubernetes.io/dockerconfigjson"
+        	}
+        	if parameter.auth == _|_ {
+        		type: "Opaque"
+        	}
+        	if parameter.auth != _|_ {
+        		stringData: ".dockerconfigjson": json.Marshal({
+        			auths: "\(parameter.registry)": {
+        				username: parameter.auth.username
+        				password: parameter.auth.password
+        				if parameter.auth.email != _|_ {
+        					email: parameter.auth.email
+        				}
+        				auth: base64.Encode(null, (parameter.auth.username + ":" + parameter.auth.password))
+        			}
+        		})
+        	}
+        }
+        parameter: {
+        	// +usage=Image registry FQDN
+        	registry: string
+        	// +usage=Authenticate the image registry
+        	auth?: {
+        		// +usage=Private Image registry username
+        		username: string
+        		// +usage=Private Image registry password
+        		password: string
+        		// +usage=Private Image registry email
+        		email?: string
+        	}
+        }
+  workload:
+    type: autodetects.core.oam.dev
+

charts/vela-core/templates/defwithtemplate/cron-task.yaml

@@ -24,11 +24,17 @@ spec:
         			startingDeadlineSeconds: parameter.startingDeadlineSeconds
         		}
         		jobTemplate: {
-        			if parameter.labels != _|_ {
-        				metadata: labels: parameter.labels
-        			}
-        			if parameter.annotations != _|_ {
-        				metadata: annotations: parameter.annotations
+        			metadata: {
+        				labels: {
+        					if parameter.labels != _|_ {
+        						parameter.labels
+        					}
+        					"app.oam.dev/name":      context.appName
+        					"app.oam.dev/component": context.name
+        				}
+        				if parameter.annotations != _|_ {
+        					annotations: parameter.annotations
+        				}
         			}
         			spec: {
         				parallelism: parameter.count
@@ -41,11 +47,17 @@ spec:
         				}
         				backoffLimit: parameter.backoffLimit
         				template: {
-        					if parameter.labels != _|_ {
-        						metadata: labels: parameter.labels
-        					}
-        					if parameter.annotations != _|_ {
-        						metadata: annotations: parameter.annotations
+        					metadata: {
+        						labels: {
+        							if parameter.labels != _|_ {
+        								parameter.labels
+        							}
+        							"app.oam.dev/name":      context.appName
+        							"app.oam.dev/component": context.name
+        						}
+        						if parameter.annotations != _|_ {
+        							annotations: parameter.annotations
+        						}
         					}
         					spec: {
         						restartPolicy: parameter.restart

charts/vela-core/templates/defwithtemplate/deploy.yaml

@@ -15,41 +15,9 @@ spec:
         	"vela/op"
         )
 
-        deploy: op.#Steps & {
-        	load: op.#Load @step(1)
-        	_components: [ for k, v in load.value {v}]
-        	loadPoliciesInOrder: op.#LoadPoliciesInOrder & {
-        		if parameter.policies != _|_ {
-        					input: parameter.policies
-        				}
-        	}                     @step(2)
-        	_policies:            loadPoliciesInOrder.output
-        	handleDeployPolicies: op.#HandleDeployPolicies & {
-        		inputs: {
-        			components: _components
-        			policies:   _policies
-        		}
-        	}                   @step(3)
-        	_decisions:         handleDeployPolicies.outputs.decisions
-        	_patchedComponents: handleDeployPolicies.outputs.components
-        	deploy:             op.#ApplyComponents & {
-        		parallelism: parameter.parallelism
-        		components: {
-        			for decision in _decisions {
-        				for key, comp in _patchedComponents {
-        					"\(decision.cluster)-\(decision.namespace)-\(key)": {
-        						value: comp
-        						if decision.cluster != _|_ {
-        							cluster: decision.cluster
-        						}
-        						if decision.namespace != _|_ {
-        							namespace: decision.namespace
-        						}
-        					}
-        				}
-        			}
-        		}
-        	} @step(4)
+        deploy: op.#Deploy & {
+        	policies:    parameter.policies
+        	parallelism: parameter.parallelism
         }
         parameter: {
         	auto: *true | bool

charts/vela-core/templates/defwithtemplate/env.yaml

@@ -46,7 +46,7 @@ spec:
         			}]
         		}
         		if _baseEnv != _|_ {
-        			_baseEnvMap: {for envVar in _baseEnv {"\(envVar.name)": envVar.value}}
+        			_baseEnvMap: {for envVar in _baseEnv {"\(envVar.name)": envVar}}
         			// +patchStrategy=replace
         			env: [ for envVar in _baseEnv if _delKeys[envVar.name] == _|_ && !_params.replace {
         				name: envVar.name
@@ -54,11 +54,15 @@ spec:
         					value: _params.env[envVar.name]
         				}
         				if _params.env[envVar.name] == _|_ {
-        					value: envVar.value
+        					if envVar.value != _|_ {
+        						value: envVar.value
+        					}
+        					if envVar.valueFrom != _|_ {
+        						valueFrom: envVar.valueFrom
+        					}
         				}
         			}] + [ for k, v in _params.env if _delKeys[k] == _|_ && (_params.replace || _baseEnvMap[k] == _|_) {
-        				name:  k
-        				value: v
+        				v
         			}]
         		}
         	}

charts/vela-core/templates/defwithtemplate/init-container.yaml

@@ -35,6 +35,9 @@ spec:
         		if parameter.args != _|_ {
         			args: parameter.args
         		}
+        		if parameter["env"] != _|_ {
+        			env: parameter.env
+        		}
 
         		// +patchKey=name
         		volumeMounts: [{
@@ -61,6 +64,31 @@ spec:
         	// +usage=Specify the args run in the init container
         	args?: [...string]
 
+        	// +usage=Specify the env run in the init container
+        	env?: [...{
+        		// +usage=Environment variable name
+        		name: string
+        		// +usage=The value of the environment variable
+        		value?: string
+        		// +usage=Specifies a source the value of this var should come from
+        		valueFrom?: {
+        			// +usage=Selects a key of a secret in the pod's namespace
+        			secretKeyRef?: {
+        				// +usage=The name of the secret in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the secret to select from. Must be a valid secret key
+        				key: string
+        			}
+        			// +usage=Selects a key of a config map in the pod's namespace
+        			configMapKeyRef?: {
+        				// +usage=The name of the config map in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the config map to select from. Must be a valid secret key
+        				key: string
+        			}
+        		}
+        	}]
+
         	// +usage=Specify the mount name of shared volume
         	mountName: *"workdir" | string
 

charts/vela-core/templates/defwithtemplate/sidecar.yaml

@@ -27,6 +27,9 @@ spec:
         		if parameter.args != _|_ {
         			args: parameter.args
         		}
+        		if parameter["env"] != _|_ {
+        			env: parameter.env
+        		}
         		if parameter["volumes"] != _|_ {
         			volumeMounts: [ for v in parameter.volumes {
         				{
@@ -35,6 +38,13 @@ spec:
         				}
         			}]
         		}
+        		if parameter["livenessProbe"] != _|_ {
+        			livenessProbe: parameter.livenessProbe
+        		}
+
+        		if parameter["readinessProbe"] != _|_ {
+        			readinessProbe: parameter.readinessProbe
+        		}
         	}]
         }
         parameter: {
@@ -50,10 +60,82 @@ spec:
         	// +usage=Specify the args in the sidecar
         	args?: [...string]
 
+        	// +usage=Specify the env in the sidecar
+        	env?: [...{
+        		// +usage=Environment variable name
+        		name: string
+        		// +usage=The value of the environment variable
+        		value?: string
+        		// +usage=Specifies a source the value of this var should come from
+        		valueFrom?: {
+        			// +usage=Selects a key of a secret in the pod's namespace
+        			secretKeyRef?: {
+        				// +usage=The name of the secret in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the secret to select from. Must be a valid secret key
+        				key: string
+        			}
+        			// +usage=Selects a key of a config map in the pod's namespace
+        			configMapKeyRef?: {
+        				// +usage=The name of the config map in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the config map to select from. Must be a valid secret key
+        				key: string
+        			}
+        		}
+        	}]
+
         	// +usage=Specify the shared volume path
         	volumes?: [...{
         		name: string
         		path: string
         	}]
+
+        	// +usage=Instructions for assessing whether the container is alive.
+        	livenessProbe?: #HealthProbe
+
+        	// +usage=Instructions for assessing whether the container is in a suitable state to serve traffic.
+        	readinessProbe?: #HealthProbe
+        }
+        #HealthProbe: {
+
+        	// +usage=Instructions for assessing container health by executing a command. Either this attribute or the httpGet attribute or the tcpSocket attribute MUST be specified. This attribute is mutually exclusive with both the httpGet attribute and the tcpSocket attribute.
+        	exec?: {
+        		// +usage=A command to be executed inside the container to assess its health. Each space delimited token of the command is a separate array element. Commands exiting 0 are considered to be successful probes, whilst all other exit codes are considered failures.
+        		command: [...string]
+        	}
+
+        	// +usage=Instructions for assessing container health by executing an HTTP GET request. Either this attribute or the exec attribute or the tcpSocket attribute MUST be specified. This attribute is mutually exclusive with both the exec attribute and the tcpSocket attribute.
+        	httpGet?: {
+        		// +usage=The endpoint, relative to the port, to which the HTTP GET request should be directed.
+        		path: string
+        		// +usage=The TCP socket within the container to which the HTTP GET request should be directed.
+        		port: int
+        		httpHeaders?: [...{
+        			name:  string
+        			value: string
+        		}]
+        	}
+
+        	// +usage=Instructions for assessing container health by probing a TCP socket. Either this attribute or the exec attribute or the httpGet attribute MUST be specified. This attribute is mutually exclusive with both the exec attribute and the httpGet attribute.
+        	tcpSocket?: {
+        		// +usage=The TCP socket within the container that should be probed to assess container health.
+        		port: int
+        	}
+
+        	// +usage=Number of seconds after the container is started before the first probe is initiated.
+        	initialDelaySeconds: *0 | int
+
+        	// +usage=How often, in seconds, to execute the probe.
+        	periodSeconds: *10 | int
+
+        	// +usage=Number of seconds after which the probe times out.
+        	timeoutSeconds: *1 | int
+
+        	// +usage=Minimum consecutive successes for the probe to be considered successful after having failed.
+        	successThreshold: *1 | int
+
+        	// +usage=Number of consecutive failures required to determine the container is not alive (liveness probe) or not ready (readiness probe).
+        	failureThreshold: *3 | int
         }
 

charts/vela-core/templates/defwithtemplate/storage.yaml

@@ -87,6 +87,17 @@ spec:
         		}
         	},
         ] | []
+        configMountToEnvsList: *[
+        			for v in parameter.configMap if v.mountToEnvs != _|_ for k in v.mountToEnvs {
+        		{
+        			name: k.envName
+        			valueFrom: configMapKeyRef: {
+        				name: v.name
+        				key:  k.configMapKey
+        			}
+        		}
+        	},
+        ] | []
         secretVolumeMountsList: *[
         			for v in parameter.secret if v.mountPath != _|_ {
         		{
@@ -106,6 +117,17 @@ spec:
         		}
         	},
         ] | []
+        secretMountToEnvsList: *[
+        			for v in parameter.secret if v.mountToEnvs != _|_ for k in v.mountToEnvs {
+        		{
+        			name: k.envName
+        			valueFrom: secretKeyRef: {
+        				name: v.name
+        				key:  k.secretKey
+        			}
+        		}
+        	},
+        ] | []
         emptyDirVolumeMountsList: *[
         				for v in parameter.emptyDir {
         		{
@@ -128,7 +150,7 @@ spec:
 
         	containers: [{
         		// +patchKey=name
-        		env: configMapEnvMountsList + secretEnvMountsList
+        		env: configMapEnvMountsList + secretEnvMountsList + configMountToEnvsList + secretMountToEnvsList
         		// +patchKey=name
         		volumeDevices: volumeDevicesList
         		// +patchKey=name
@@ -248,6 +270,10 @@ spec:
         			envName:      string
         			configMapKey: string
         		}
+        		mountToEnvs?: [...{
+        			envName:      string
+        			configMapKey: string
+        		}]
         		mountPath?:  string
         		defaultMode: *420 | int
         		readOnly:    *false | bool
@@ -267,6 +293,10 @@ spec:
         			envName:   string
         			secretKey: string
         		}
+        		mountToEnvs?: [...{
+        			envName:   string
+        			secretKey: string
+        		}]
         		mountPath?:  string
         		defaultMode: *420 | int
         		readOnly:    *false | bool

charts/vela-core/templates/defwithtemplate/suspend.yaml

@@ -11,6 +11,8 @@ spec:
   schematic:
     cue:
       template: |
-        // no parameters
-        parameter: {}
+        parameter: {
+        	// +usage=Specify the wait duration time to resume workflow such as "30s", "1min" or "2m15s"
+        	duration?: string
+        }
 

charts/vela-core/templates/defwithtemplate/task.yaml

@@ -18,11 +18,17 @@ spec:
         		parallelism: parameter.count
         		completions: parameter.count
         		template: {
-        			if parameter.labels != _|_ {
-        				metadata: labels: parameter.labels
-        			}
-        			if parameter.annotations != _|_ {
-        				metadata: annotations: parameter.annotations
+        			metadata: {
+        				labels: {
+        					if parameter.labels != _|_ {
+        						parameter.labels
+        					}
+        					"app.oam.dev/name":      context.appName
+        					"app.oam.dev/component": context.name
+        				}
+        				if parameter.annotations != _|_ {
+        					annotations: parameter.annotations
+        				}
         			}
         			spec: {
         				restartPolicy: parameter.restart

charts/vela-core/templates/defwithtemplate/webservice.yaml

@@ -132,10 +132,10 @@ spec:
         						parameter.labels
         					}
         					if parameter.addRevisionLabel {
-        						"app.oam.dev/appRevision": context.appRevision
+        						"app.oam.dev/revision": context.revision
         					}
+        					"app.oam.dev/name":      context.appName
         					"app.oam.dev/component": context.name
-        					"app.oam.dev/revision":  context.revision
         				}
         				if parameter.annotations != _|_ {
         					annotations: parameter.annotations
@@ -333,7 +333,7 @@ spec:
         	exposeType: *"ClusterIP" | "NodePort" | "LoadBalancer" | "ExternalName"
 
         	// +ignore
-        	// +usage=If addRevisionLabel is true, the appRevision label will be added to the underlying pods
+        	// +usage=If addRevisionLabel is true, the revision label will be added to the underlying pods
         	addRevisionLabel: *false | bool
 
         	// +usage=Commands to run in the container
@@ -455,7 +455,7 @@ spec:
         	readinessProbe?: #HealthProbe
 
         	// +usage=Specify the hostAliases to add
-        	hostAliases: [...{
+        	hostAliases?: [...{
         		ip: string
         		hostnames: [...string]
         	}]

charts/vela-core/templates/defwithtemplate/worker.yaml

@@ -124,7 +124,10 @@ spec:
         		selector: matchLabels: "app.oam.dev/component": context.name
 
         		template: {
-        			metadata: labels: "app.oam.dev/component": context.name
+        			metadata: labels: {
+        				"app.oam.dev/name":      context.appName
+        				"app.oam.dev/component": context.name
+        			}
 
         			spec: {
         				containers: [{

charts/vela-core/templates/kubevela-controller.yaml

@@ -25,6 +25,9 @@ subjects:
   - kind: ServiceAccount
     name: {{ include "kubevela.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
+  - kind: Group
+    name: core.oam.dev
+    apiGroup: rbac.authorization.k8s.io
 
 ---
 # permissions to do leader election.
@@ -121,6 +124,36 @@ spec:
             - "--webhook-port={{ .Values.webhookService.port }}"
             - "--webhook-cert-dir={{ .Values.admissionWebhooks.certificate.mountPath }}"
             {{ end }}
+            {{ if ne .Values.optimize.cachedGvks "" }}
+            - "--optimize-cached-gvks={{ .Values.optimize.cachedGvks }}"
+            {{ end }}
+            {{ if not .Values.optimize.resourceTrackerListOp }}
+            - "--optimize-resource-tracker-list-op=false"
+            {{ end }}
+            {{ if .Values.optimize.controllerReconcileLoopReduction }}
+            - "--optimize-controller-reconcile-loop-reduction"
+            {{ end }}
+            {{ if .Values.optimize.markWithProb }}
+            - "--optimize-mark-with-prob={{ .Values.optimize.markWithProb }}"
+            {{ end }}
+            {{ if .Values.optimize.disableComponentRevision }}
+            - "--optimize-disable-component-revision"
+            {{ end }}
+            {{ if .Values.optimize.disableApplicationRevision }}
+            - "--optimize-disable-application-revision"
+            {{ end }}
+            {{ if .Values.optimize.disableWorkflowRecorder }}
+            - "--optimize-disable-workflow-recorder"
+            {{ end }}
+            {{ if .Values.optimize.enableInMemoryWorkflowContext }}
+            - "--optimize-enable-in-memory-workflow-context"
+            {{ end }}
+            {{ if .Values.optimize.disableResourceApplyDoubleCheck }}
+            - "--optimize-disable-resource-apply-double-check"
+            {{ end }}
+            {{ if not .Values.optimize.enableResourceTrackerDeleteOnlyTrigger }}
+            - "--optimize-enable-resource-tracker-delete-only-trigger=false"
+            {{ end }}
             - "--health-addr=:{{ .Values.healthCheck.port }}"
             {{ if ne .Values.disableCaps "" }}
             - "--disable-caps={{ .Values.disableCaps }}"
@@ -132,6 +165,9 @@ spec:
             {{ if .Values.multicluster.enabled }}
             - "--enable-cluster-gateway"
             {{ end }}
+            {{ if .Values.multicluster.metrics.enabled }}
+            - "--enable-cluster-metrics"
+            {{ end }}
             - "--application-re-sync-period={{ .Values.controllerArgs.reSyncPeriod }}"
             - "--concurrent-reconciles={{ .Values.concurrentReconciles }}"
             - "--kube-api-qps={{ .Values.kubeClient.qps }}"
@@ -139,6 +175,14 @@ spec:
             - "--max-workflow-wait-backoff-time={{ .Values.workflow.backoff.maxTime.waitState }}"
             - "--max-workflow-failed-backoff-time={{ .Values.workflow.backoff.maxTime.failedState }}"
             - "--max-workflow-step-error-retry-times={{ .Values.workflow.step.errorRetryTimes }}"
+            - "--feature-gates=AuthenticateApplication={{- .Values.authentication.enabled | toString -}}"
+            {{ if .Values.authentication.enabled }}
+            {{ if .Values.authentication.withUser }}
+            - "--authentication-with-user"
+            {{ end }}
+            - "--authentication-default-user={{ .Values.authentication.defaultUser }}"
+            - "--authentication-group-pattern={{ .Values.authentication.groupPattern }}"
+            {{ end }}
           image: {{ .Values.imageRegistry }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
           imagePullPolicy: {{ quote .Values.image.pullPolicy }}
           resources:
@@ -186,4 +230,4 @@ spec:
       {{- with .Values.tolerations }}
       tolerations:
     {{- toYaml . | nindent 8 }}
-  {{- end }}
+  {{- end }}

charts/vela-core/values.yaml

@@ -84,10 +84,33 @@ webhookService:
 healthCheck:
   port: 9440
 
+## @section KubeVela controller optimization parameters
+##@param optimize.cachedGvks Optimize types of resources to be cached.
+##@param optimize.resourceTrackerListOp Optimize ResourceTracker List Op by adding index.
+##@param optimize.controllerReconcileLoopReduction Optimize ApplicationController reconcile by reducing the number of loops to reconcile application.
+##@param optimize.markWithProb Optimize ResourceTracker GC by only run mark with probability. Side effect: outdated ResourceTracker might not be able to be removed immediately.
+##@param optimize.disableComponentRevision Optimize componentRevision by disabling the creation and gc
+##@param optimize.disableApplicationRevision Optimize ApplicationRevision by disabling the creation and gc.
+##@param optimize.disableWorkflowRecorder Optimize workflow recorder by disabling the creation and gc.
+##@param optimize.enableInMemoryWorkflowContext Optimize workflow by use in-memory context.
+##@param optimize.disableResourceApplyDoubleCheck Optimize workflow by ignoring resource double check after apply.
+##@param optimize.enableResourceTrackerDeleteOnlyTrigger Optimize resourcetracker by only trigger reconcile when resourcetracker is deleted.
+optimize:
+  cachedGvks: ""
+  resourceTrackerListOp: true
+  controllerReconcileLoopReduction: false
+  markWithProb: 0.1
+  disableComponentRevision: false
+  disableApplicationRevision: false
+  disableWorkflowRecorder: false
+  enableInMemoryWorkflowContext: false
+  disableResourceApplyDoubleCheck: false
+  enableResourceTrackerDeleteOnlyTrigger: true
 
 ## @section MultiCluster parameters
 
 ## @param multicluster.enabled Whether to enable multi-cluster
+## @param multicluster.metrics.enabled Whether to enable multi-cluster metrics collect
 ## @param multicluster.clusterGateway.replicaCount ClusterGateway replica count
 ## @param multicluster.clusterGateway.port ClusterGateway port
 ## @param multicluster.clusterGateway.image.repository ClusterGateway image repository
@@ -97,14 +120,17 @@ healthCheck:
 ## @param multicluster.clusterGateway.resources.limits.memory ClusterGateway memory limit
 ## @param multicluster.clusterGateway.secureTLS.enabled Whether to enable secure TLS
 ## @param multicluster.clusterGateway.secureTLS.certPath Path to the certificate file
+## @param multicluster.clusterGateway.secureTLS.certManager.enabled Whether to enable cert-manager
 multicluster:
   enabled: true
+  metrics:
+    enabled: false
   clusterGateway:
     replicaCount: 1
     port: 9443
     image:
       repository: oamdev/cluster-gateway
-      tag: v1.3.0
+      tag: v1.3.2
       pullPolicy: IfNotPresent
     resources:
       limits:
@@ -112,6 +138,8 @@ multicluster:
         memory: 200Mi
     secureTLS:
       enabled: true
+      certManager:
+        enabled: false
       certPath: /etc/k8s-cluster-gateway-certs
 
 
@@ -210,3 +238,13 @@ admissionWebhooks:
 kubeClient:
   qps: 50
   burst: 100
+
+## @param authentication.enabled Enable authentication for application
+## @param authentication.withUser Application authentication will impersonate as the request User
+## @param authentication.defaultUser Application authentication will impersonate as the User if no user provided in Application
+## @param authentication.groupPattern Application authentication will impersonate as the request Group that matches the pattern
+authentication:
+  enabled: false
+  withUser: false
+  defaultUser: kubevela:vela-core
+  groupPattern: kubevela:*

charts/vela-minimal/README.md

@@ -1,18 +1,18 @@
 <div style="text-align: center">
   <p align="center">
-    <img src="https://raw.githubusercontent.com/oam-dev/kubevela.io/main/docs/resources/KubeVela-03.png">
+    <img src="https://raw.githubusercontent.com/kubevela/kubevela.io/main/docs/resources/KubeVela-03.png">
     <br><br>
     <i>Make shipping applications more enjoyable.</i>
   </p>
 </div>
 
-![Build status](https://github.com/oam-dev/kubevela/workflows/E2E/badge.svg)
-[![Go Report Card](https://goreportcard.com/badge/github.com/oam-dev/kubevela)](https://goreportcard.com/report/github.com/oam-dev/kubevela)
+![Build status](https://github.com/kubevela/kubevela/workflows/E2E/badge.svg)
+[![Go Report Card](https://goreportcard.com/badge/github.com/kubevela/kubevela)](https://goreportcard.com/report/github.com/kubevela/kubevela)
 ![Docker Pulls](https://img.shields.io/docker/pulls/oamdev/vela-core)
-[![codecov](https://codecov.io/gh/oam-dev/kubevela/branch/master/graph/badge.svg)](https://codecov.io/gh/oam-dev/kubevela)
-[![LICENSE](https://img.shields.io/github/license/oam-dev/kubevela.svg?style=flat-square)](/LICENSE)
-[![Releases](https://img.shields.io/github/release/oam-dev/kubevela/all.svg?style=flat-square)](https://github.com/oam-dev/kubevela/releases)
-[![TODOs](https://img.shields.io/endpoint?url=https://api.tickgit.com/badge?repo=github.com/oam-dev/kubevela)](https://www.tickgit.com/browse?repo=github.com/oam-dev/kubevela)
+[![codecov](https://codecov.io/gh/kubevela/kubevela/branch/master/graph/badge.svg)](https://codecov.io/gh/kubevela/kubevela)
+[![LICENSE](https://img.shields.io/github/license/kubevela/kubevela.svg?style=flat-square)](/LICENSE)
+[![Releases](https://img.shields.io/github/release/kubevela/kubevela/all.svg?style=flat-square)](https://github.com/kubevela/kubevela/releases)
+[![TODOs](https://img.shields.io/endpoint?url=https://api.tickgit.com/badge?repo=github.com/kubevela/kubevela)](https://www.tickgit.com/browse?repo=github.com/oam-dev/kubevela)
 [![Twitter](https://img.shields.io/twitter/url?style=social&url=https%3A%2F%2Ftwitter.com%2Foam_dev)](https://twitter.com/oam_dev)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/kubevela)](https://artifacthub.io/packages/search?repo=kubevela)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4602/badge)](https://bestpractices.coreinfrastructure.org/projects/4602)
@@ -56,18 +56,18 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-minimal --
 
 ### KubeVela core parameters
 
-| Name                          | Description                                                                                   | Value                                                        |
-| ----------------------------- | --------------------------------------------------------------------------------------------- | ------------------------------------------------------------ |
-| `systemDefinitionNamespace`   | System definition namespace, if unspecified, will use built-in variable `.Release.Namespace`. | `nil`                                                        |
-| `applicationRevisionLimit`    | Application revision limit                                                                    | `10`                                                         |
-| `definitionRevisionLimit`     | Definition revision limit                                                                     | `20`                                                         |
-| `concurrentReconciles`        | concurrentReconciles is the concurrent reconcile number of the controller                     | `4`                                                          |
-| `controllerArgs.reSyncPeriod` | The period for resync the applications                                                        | `5m`                                                         |
-| `OAMSpecVer`                  | OAMSpecVer is the oam spec version controller want to setup                                   | `minimal`                                                    |
-| `disableCaps`                 | Disable capability                                                                            | `manualscalertrait,containerizedwokrload,envbinding,rollout` |
-| `applyOnceOnly`               | Valid applyOnceOnly values: true/false/on/off/force                                           | `off`                                                        |
-| `enableFluxcdAddon`           | Whether to enable fluxcd addon                                                                | `false`                                                      |
-| `dependCheckWait`             | dependCheckWait is the time to wait for ApplicationConfiguration's dependent-resource ready   | `30s`                                                        |
+| Name                          | Description                                                                                   | Value                                  |
+| ----------------------------- | --------------------------------------------------------------------------------------------- | -------------------------------------- |
+| `systemDefinitionNamespace`   | System definition namespace, if unspecified, will use built-in variable `.Release.Namespace`. | `nil`                                  |
+| `applicationRevisionLimit`    | Application revision limit                                                                    | `10`                                   |
+| `definitionRevisionLimit`     | Definition revision limit                                                                     | `20`                                   |
+| `concurrentReconciles`        | concurrentReconciles is the concurrent reconcile number of the controller                     | `4`                                    |
+| `controllerArgs.reSyncPeriod` | The period for resync the applications                                                        | `5m`                                   |
+| `OAMSpecVer`                  | OAMSpecVer is the oam spec version controller want to setup                                   | `minimal`                              |
+| `disableCaps`                 | Disable capability                                                                            | `manualscalertrait,envbinding,rollout` |
+| `applyOnceOnly`               | Valid applyOnceOnly values: true/false/on/off/force                                           | `off`                                  |
+| `enableFluxcdAddon`           | Whether to enable fluxcd addon                                                                | `false`                                |
+| `dependCheckWait`             | dependCheckWait is the time to wait for ApplicationConfiguration's dependent-resource ready   | `30s`                                  |
 
 
 ### KubeVela workflow parameters
@@ -105,7 +105,7 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-minimal --
 | `multicluster.clusterGateway.replicaCount`            | ClusterGateway replica count     | `1`                              |
 | `multicluster.clusterGateway.port`                    | ClusterGateway port              | `9443`                           |
 | `multicluster.clusterGateway.image.repository`        | ClusterGateway image repository  | `oamdev/cluster-gateway`         |
-| `multicluster.clusterGateway.image.tag`               | ClusterGateway image tag         | `v1.3.0`                         |
+| `multicluster.clusterGateway.image.tag`               | ClusterGateway image tag         | `v1.3.2`                         |
 | `multicluster.clusterGateway.image.pullPolicy`        | ClusterGateway image pull policy | `IfNotPresent`                   |
 | `multicluster.clusterGateway.resources.limits.cpu`    | ClusterGateway cpu limit         | `100m`                           |
 | `multicluster.clusterGateway.resources.limits.memory` | ClusterGateway memory limit      | `200Mi`                          |
@@ -125,22 +125,26 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-minimal --
 
 ### Common parameters
 
-| Name                         | Description                                                                                                                | Value   |
-| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `imagePullSecrets`           | Image pull secrets                                                                                                         | `[]`    |
-| `nameOverride`               | Override name                                                                                                              | `""`    |
-| `fullnameOverride`           | Fullname override                                                                                                          | `""`    |
-| `serviceAccount.create`      | Specifies whether a service account should be created                                                                      | `true`  |
-| `serviceAccount.annotations` | Annotations to add to the service account                                                                                  | `{}`    |
-| `serviceAccount.name`        | The name of the service account to use. If not set and create is true, a name is generated using the fullname template     | `nil`   |
-| `nodeSelector`               | Node selector                                                                                                              | `{}`    |
-| `tolerations`                | Tolerations                                                                                                                | `[]`    |
-| `affinity`                   | Affinity                                                                                                                   | `{}`    |
-| `rbac.create`                | Specifies whether a RBAC role should be created                                                                            | `true`  |
-| `logDebug`                   | Enable debug logs for development purpose                                                                                  | `false` |
-| `logFilePath`                | If non-empty, write log files in this path                                                                                 | `""`    |
-| `logFileMaxSize`             | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. | `1024`  |
-| `kubeClient.qps`             | The qps for reconcile clients, default is 50                                                                               | `50`    |
-| `kubeClient.burst`           | The burst for reconcile clients, default is 100                                                                            | `100`   |
+| Name                          | Description                                                                                                                | Value                |
+| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------- | -------------------- |
+| `imagePullSecrets`            | Image pull secrets                                                                                                         | `[]`                 |
+| `nameOverride`                | Override name                                                                                                              | `""`                 |
+| `fullnameOverride`            | Fullname override                                                                                                          | `""`                 |
+| `serviceAccount.create`       | Specifies whether a service account should be created                                                                      | `true`               |
+| `serviceAccount.annotations`  | Annotations to add to the service account                                                                                  | `{}`                 |
+| `serviceAccount.name`         | The name of the service account to use. If not set and create is true, a name is generated using the fullname template     | `nil`                |
+| `nodeSelector`                | Node selector                                                                                                              | `{}`                 |
+| `tolerations`                 | Tolerations                                                                                                                | `[]`                 |
+| `affinity`                    | Affinity                                                                                                                   | `{}`                 |
+| `rbac.create`                 | Specifies whether a RBAC role should be created                                                                            | `true`               |
+| `logDebug`                    | Enable debug logs for development purpose                                                                                  | `false`              |
+| `logFilePath`                 | If non-empty, write log files in this path                                                                                 | `""`                 |
+| `logFileMaxSize`              | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. | `1024`               |
+| `kubeClient.qps`              | The qps for reconcile clients, default is 50                                                                               | `50`                 |
+| `kubeClient.burst`            | The burst for reconcile clients, default is 100                                                                            | `100`                |
+| `authentication.enabled`      | Enable authentication for application                                                                                      | `false`              |
+| `authentication.withUser`     | Application authentication will impersonate as the request User                                                            | `false`              |
+| `authentication.defaultUser`  | Application authentication will impersonate as the User if no user provided in Application                                 | `kubevela:vela-core` |
+| `authentication.groupPattern` | Application authentication will impersonate as the request Group that matches the pattern                                  | `kubevela:*`         |
 
 

charts/vela-minimal/crds/core.oam.dev_applicationrevisions.yaml

@@ -934,6 +934,8 @@ spec:
                             type: array
                           suspend:
                             type: boolean
+                          suspendState:
+                            type: string
                           terminated:
                             type: boolean
                         required:
@@ -2743,6 +2745,8 @@ spec:
                             type: array
                           suspend:
                             type: boolean
+                          suspendState:
+                            type: string
                           terminated:
                             type: boolean
                         required:
@@ -3386,6 +3390,10 @@ spec:
                             - type
                             type: object
                           type: array
+                        configMapRef:
+                          description: ConfigMapRef refer to a ConfigMap which contains
+                            OpenAPI V3 JSON schema of Component parameters.
+                          type: string
                         latestRevision:
                           description: LatestRevision of the component definition
                           properties:
@@ -3499,7 +3507,7 @@ spec:
               scopeGVK:
                 additionalProperties:
                   description: GroupVersionKind unambiguously identifies a kind.  It
-                    doesn't anonymously include GroupVersion to avoid automatic coersion.  It
+                    doesn't anonymously include GroupVersion to avoid automatic coercion.  It
                     doesn't use a GroupVersion to avoid custom marshalling
                   properties:
                     group:
@@ -3577,6 +3585,10 @@ spec:
                           items:
                             type: string
                           type: array
+                        controlPlaneOnly:
+                          description: ControlPlaneOnly defines which cluster is dispatched
+                            to
+                          type: boolean
                         definitionRef:
                           description: Reference to the CustomResourceDefinition that
                             defines this trait kind.
@@ -4682,6 +4694,8 @@ spec:
                     type: array
                   suspend:
                     type: boolean
+                  suspendState:
+                    type: string
                   terminated:
                     type: boolean
                 required:

charts/vela-minimal/crds/core.oam.dev_definitionrevisions.yaml

@@ -636,6 +636,10 @@ spec:
                           - type
                           type: object
                         type: array
+                      configMapRef:
+                        description: ConfigMapRef refer to a ConfigMap which contains
+                          OpenAPI V3 JSON schema of Component parameters.
+                        type: string
                       latestRevision:
                         description: LatestRevision of the component definition
                         properties:
@@ -720,6 +724,10 @@ spec:
                         items:
                           type: string
                         type: array
+                      controlPlaneOnly:
+                        description: ControlPlaneOnly defines which cluster is dispatched
+                          to
+                        type: boolean
                       definitionRef:
                         description: Reference to the CustomResourceDefinition that
                           defines this trait kind.

charts/vela-minimal/crds/core.oam.dev_policydefinitions.yaml

@@ -244,6 +244,10 @@ spec:
                   - type
                   type: object
                 type: array
+              configMapRef:
+                description: ConfigMapRef refer to a ConfigMap which contains OpenAPI
+                  V3 JSON schema of Component parameters.
+                type: string
               latestRevision:
                 description: LatestRevision of the component definition
                 properties:

charts/vela-minimal/crds/core.oam.dev_traitdefinitions.yaml

@@ -372,6 +372,10 @@ spec:
                 items:
                   type: string
                 type: array
+              controlPlaneOnly:
+                description: ControlPlaneOnly defines which cluster is dispatched
+                  to
+                type: boolean
               definitionRef:
                 description: Reference to the CustomResourceDefinition that defines
                   this trait kind.

charts/vela-minimal/templates/admission-webhooks/mutatingWebhookConfiguration.yaml

@@ -92,6 +92,32 @@ webhooks:
           - UPDATE
         resources:
           - podspecworkloads
+  - clientConfig:
+      caBundle: Cg==
+      service:
+        name: {{ template "kubevela.name" . }}-webhook
+        namespace: {{ .Release.Namespace }}
+        path: /mutating-core-oam-dev-v1beta1-applications
+    {{- if .Values.admissionWebhooks.patch.enabled }}
+    failurePolicy: Ignore
+    {{- else }}
+    failurePolicy: Fail
+    {{- end }}
+    name: mutating.core.oam.dev.v1beta1.applications
+    admissionReviewVersions:
+      - v1beta1
+      - v1
+    sideEffects: None
+    rules:
+      - apiGroups:
+          - core.oam.dev
+        apiVersions:
+          - v1beta1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - applications
   - clientConfig:
       caBundle: Cg==
       service:

charts/vela-minimal/templates/cluster-gateway.yaml

@@ -188,4 +188,30 @@ spec:
         runAsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
-  {{ end }}
+  {{ end }}
+---
+{{ if and .Values.multicluster.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-role
+rules:
+  - apiGroups: [ "cluster.core.oam.dev" ]
+    resources: [ "clustergateways/proxy" ]
+    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+{{ end }}
+---
+{{ if and .Values.multicluster.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-role
+subjects:
+  - kind: Group
+    name: cluster-gateway-accessor
+    apiGroup: rbac.authorization.k8s.io
+{{ end }}

charts/vela-minimal/templates/defwithtemplate/config-image-registry.yaml

@@ -0,0 +1,73 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/config-image-registry.cue
+apiVersion: core.oam.dev/v1beta1
+kind: ComponentDefinition
+metadata:
+  annotations:
+    custom.definition.oam.dev/alias.config.oam.dev: Image Registry
+    definition.oam.dev/description: Config information to authenticate image registry
+  labels:
+    custom.definition.oam.dev/catalog.config.oam.dev: velacore-config
+    custom.definition.oam.dev/multi-cluster.config.oam.dev: "true"
+    custom.definition.oam.dev/type.config.oam.dev: image-registry
+    custom.definition.oam.dev/ui-hidden: "true"
+  name: config-image-registry
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"encoding/base64"
+        	"encoding/json"
+        )
+
+        output: {
+        	apiVersion: "v1"
+        	kind:       "Secret"
+        	metadata: {
+        		name:      context.name
+        		namespace: context.namespace
+        		labels: {
+        			"config.oam.dev/catalog":       "velacore-config"
+        			"config.oam.dev/type":          "image-registry"
+        			"config.oam.dev/multi-cluster": "true"
+        			"config.oam.dev/identifier":    parameter.registry
+        			"config.oam.dev/sub-type":      "auth"
+        		}
+        	}
+        	if parameter.auth != _|_ {
+        		type: "kubernetes.io/dockerconfigjson"
+        	}
+        	if parameter.auth == _|_ {
+        		type: "Opaque"
+        	}
+        	if parameter.auth != _|_ {
+        		stringData: ".dockerconfigjson": json.Marshal({
+        			auths: "\(parameter.registry)": {
+        				username: parameter.auth.username
+        				password: parameter.auth.password
+        				if parameter.auth.email != _|_ {
+        					email: parameter.auth.email
+        				}
+        				auth: base64.Encode(null, (parameter.auth.username + ":" + parameter.auth.password))
+        			}
+        		})
+        	}
+        }
+        parameter: {
+        	// +usage=Image registry FQDN
+        	registry: string
+        	// +usage=Authenticate the image registry
+        	auth?: {
+        		// +usage=Private Image registry username
+        		username: string
+        		// +usage=Private Image registry password
+        		password: string
+        		// +usage=Private Image registry email
+        		email?: string
+        	}
+        }
+  workload:
+    type: autodetects.core.oam.dev
+

charts/vela-minimal/templates/defwithtemplate/cron-task.yaml

@@ -24,11 +24,17 @@ spec:
         			startingDeadlineSeconds: parameter.startingDeadlineSeconds
         		}
         		jobTemplate: {
-        			if parameter.labels != _|_ {
-        				metadata: labels: parameter.labels
-        			}
-        			if parameter.annotations != _|_ {
-        				metadata: annotations: parameter.annotations
+        			metadata: {
+        				labels: {
+        					if parameter.labels != _|_ {
+        						parameter.labels
+        					}
+        					"app.oam.dev/name":      context.appName
+        					"app.oam.dev/component": context.name
+        				}
+        				if parameter.annotations != _|_ {
+        					annotations: parameter.annotations
+        				}
         			}
         			spec: {
         				parallelism: parameter.count
@@ -41,11 +47,17 @@ spec:
         				}
         				backoffLimit: parameter.backoffLimit
         				template: {
-        					if parameter.labels != _|_ {
-        						metadata: labels: parameter.labels
-        					}
-        					if parameter.annotations != _|_ {
-        						metadata: annotations: parameter.annotations
+        					metadata: {
+        						labels: {
+        							if parameter.labels != _|_ {
+        								parameter.labels
+        							}
+        							"app.oam.dev/name":      context.appName
+        							"app.oam.dev/component": context.name
+        						}
+        						if parameter.annotations != _|_ {
+        							annotations: parameter.annotations
+        						}
         					}
         					spec: {
         						restartPolicy: parameter.restart

charts/vela-minimal/templates/defwithtemplate/deploy.yaml

@@ -15,41 +15,9 @@ spec:
         	"vela/op"
         )
 
-        deploy: op.#Steps & {
-        	load: op.#Load @step(1)
-        	_components: [ for k, v in load.value {v}]
-        	loadPoliciesInOrder: op.#LoadPoliciesInOrder & {
-        		if parameter.policies != _|_ {
-        					input: parameter.policies
-        				}
-        	}                     @step(2)
-        	_policies:            loadPoliciesInOrder.output
-        	handleDeployPolicies: op.#HandleDeployPolicies & {
-        		inputs: {
-        			components: _components
-        			policies:   _policies
-        		}
-        	}                   @step(3)
-        	_decisions:         handleDeployPolicies.outputs.decisions
-        	_patchedComponents: handleDeployPolicies.outputs.components
-        	deploy:             op.#ApplyComponents & {
-        		parallelism: parameter.parallelism
-        		components: {
-        			for decision in _decisions {
-        				for key, comp in _patchedComponents {
-        					"\(decision.cluster)-\(decision.namespace)-\(key)": {
-        						value: comp
-        						if decision.cluster != _|_ {
-        							cluster: decision.cluster
-        						}
-        						if decision.namespace != _|_ {
-        							namespace: decision.namespace
-        						}
-        					}
-        				}
-        			}
-        		}
-        	} @step(4)
+        deploy: op.#Deploy & {
+        	policies:    parameter.policies
+        	parallelism: parameter.parallelism
         }
         parameter: {
         	auto: *true | bool

charts/vela-minimal/templates/defwithtemplate/env.yaml

@@ -46,7 +46,7 @@ spec:
         			}]
         		}
         		if _baseEnv != _|_ {
-        			_baseEnvMap: {for envVar in _baseEnv {"\(envVar.name)": envVar.value}}
+        			_baseEnvMap: {for envVar in _baseEnv {"\(envVar.name)": envVar}}
         			// +patchStrategy=replace
         			env: [ for envVar in _baseEnv if _delKeys[envVar.name] == _|_ && !_params.replace {
         				name: envVar.name
@@ -54,11 +54,15 @@ spec:
         					value: _params.env[envVar.name]
         				}
         				if _params.env[envVar.name] == _|_ {
-        					value: envVar.value
+        					if envVar.value != _|_ {
+        						value: envVar.value
+        					}
+        					if envVar.valueFrom != _|_ {
+        						valueFrom: envVar.valueFrom
+        					}
         				}
         			}] + [ for k, v in _params.env if _delKeys[k] == _|_ && (_params.replace || _baseEnvMap[k] == _|_) {
-        				name:  k
-        				value: v
+        				v
         			}]
         		}
         	}

charts/vela-minimal/templates/defwithtemplate/init-container.yaml

@@ -35,6 +35,9 @@ spec:
         		if parameter.args != _|_ {
         			args: parameter.args
         		}
+        		if parameter["env"] != _|_ {
+        			env: parameter.env
+        		}
 
         		// +patchKey=name
         		volumeMounts: [{
@@ -61,6 +64,31 @@ spec:
         	// +usage=Specify the args run in the init container
         	args?: [...string]
 
+        	// +usage=Specify the env run in the init container
+        	env?: [...{
+        		// +usage=Environment variable name
+        		name: string
+        		// +usage=The value of the environment variable
+        		value?: string
+        		// +usage=Specifies a source the value of this var should come from
+        		valueFrom?: {
+        			// +usage=Selects a key of a secret in the pod's namespace
+        			secretKeyRef?: {
+        				// +usage=The name of the secret in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the secret to select from. Must be a valid secret key
+        				key: string
+        			}
+        			// +usage=Selects a key of a config map in the pod's namespace
+        			configMapKeyRef?: {
+        				// +usage=The name of the config map in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the config map to select from. Must be a valid secret key
+        				key: string
+        			}
+        		}
+        	}]
+
         	// +usage=Specify the mount name of shared volume
         	mountName: *"workdir" | string
 

charts/vela-minimal/templates/defwithtemplate/sidecar.yaml

@@ -27,6 +27,9 @@ spec:
         		if parameter.args != _|_ {
         			args: parameter.args
         		}
+        		if parameter["env"] != _|_ {
+        			env: parameter.env
+        		}
         		if parameter["volumes"] != _|_ {
         			volumeMounts: [ for v in parameter.volumes {
         				{
@@ -35,6 +38,13 @@ spec:
         				}
         			}]
         		}
+        		if parameter["livenessProbe"] != _|_ {
+        			livenessProbe: parameter.livenessProbe
+        		}
+
+        		if parameter["readinessProbe"] != _|_ {
+        			readinessProbe: parameter.readinessProbe
+        		}
         	}]
         }
         parameter: {
@@ -50,10 +60,82 @@ spec:
         	// +usage=Specify the args in the sidecar
         	args?: [...string]
 
+        	// +usage=Specify the env in the sidecar
+        	env?: [...{
+        		// +usage=Environment variable name
+        		name: string
+        		// +usage=The value of the environment variable
+        		value?: string
+        		// +usage=Specifies a source the value of this var should come from
+        		valueFrom?: {
+        			// +usage=Selects a key of a secret in the pod's namespace
+        			secretKeyRef?: {
+        				// +usage=The name of the secret in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the secret to select from. Must be a valid secret key
+        				key: string
+        			}
+        			// +usage=Selects a key of a config map in the pod's namespace
+        			configMapKeyRef?: {
+        				// +usage=The name of the config map in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the config map to select from. Must be a valid secret key
+        				key: string
+        			}
+        		}
+        	}]
+
         	// +usage=Specify the shared volume path
         	volumes?: [...{
         		name: string
         		path: string
         	}]
+
+        	// +usage=Instructions for assessing whether the container is alive.
+        	livenessProbe?: #HealthProbe
+
+        	// +usage=Instructions for assessing whether the container is in a suitable state to serve traffic.
+        	readinessProbe?: #HealthProbe
+        }
+        #HealthProbe: {
+
+        	// +usage=Instructions for assessing container health by executing a command. Either this attribute or the httpGet attribute or the tcpSocket attribute MUST be specified. This attribute is mutually exclusive with both the httpGet attribute and the tcpSocket attribute.
+        	exec?: {
+        		// +usage=A command to be executed inside the container to assess its health. Each space delimited token of the command is a separate array element. Commands exiting 0 are considered to be successful probes, whilst all other exit codes are considered failures.
+        		command: [...string]
+        	}
+
+        	// +usage=Instructions for assessing container health by executing an HTTP GET request. Either this attribute or the exec attribute or the tcpSocket attribute MUST be specified. This attribute is mutually exclusive with both the exec attribute and the tcpSocket attribute.
+        	httpGet?: {
+        		// +usage=The endpoint, relative to the port, to which the HTTP GET request should be directed.
+        		path: string
+        		// +usage=The TCP socket within the container to which the HTTP GET request should be directed.
+        		port: int
+        		httpHeaders?: [...{
+        			name:  string
+        			value: string
+        		}]
+        	}
+
+        	// +usage=Instructions for assessing container health by probing a TCP socket. Either this attribute or the exec attribute or the httpGet attribute MUST be specified. This attribute is mutually exclusive with both the exec attribute and the httpGet attribute.
+        	tcpSocket?: {
+        		// +usage=The TCP socket within the container that should be probed to assess container health.
+        		port: int
+        	}
+
+        	// +usage=Number of seconds after the container is started before the first probe is initiated.
+        	initialDelaySeconds: *0 | int
+
+        	// +usage=How often, in seconds, to execute the probe.
+        	periodSeconds: *10 | int
+
+        	// +usage=Number of seconds after which the probe times out.
+        	timeoutSeconds: *1 | int
+
+        	// +usage=Minimum consecutive successes for the probe to be considered successful after having failed.
+        	successThreshold: *1 | int
+
+        	// +usage=Number of consecutive failures required to determine the container is not alive (liveness probe) or not ready (readiness probe).
+        	failureThreshold: *3 | int
         }
 

charts/vela-minimal/templates/defwithtemplate/storage.yaml

@@ -87,6 +87,17 @@ spec:
         		}
         	},
         ] | []
+        configMountToEnvsList: *[
+        			for v in parameter.configMap if v.mountToEnvs != _|_ for k in v.mountToEnvs {
+        		{
+        			name: k.envName
+        			valueFrom: configMapKeyRef: {
+        				name: v.name
+        				key:  k.configMapKey
+        			}
+        		}
+        	},
+        ] | []
         secretVolumeMountsList: *[
         			for v in parameter.secret if v.mountPath != _|_ {
         		{
@@ -106,6 +117,17 @@ spec:
         		}
         	},
         ] | []
+        secretMountToEnvsList: *[
+        			for v in parameter.secret if v.mountToEnvs != _|_ for k in v.mountToEnvs {
+        		{
+        			name: k.envName
+        			valueFrom: secretKeyRef: {
+        				name: v.name
+        				key:  k.secretKey
+        			}
+        		}
+        	},
+        ] | []
         emptyDirVolumeMountsList: *[
         				for v in parameter.emptyDir {
         		{
@@ -128,7 +150,7 @@ spec:
 
         	containers: [{
         		// +patchKey=name
-        		env: configMapEnvMountsList + secretEnvMountsList
+        		env: configMapEnvMountsList + secretEnvMountsList + configMountToEnvsList + secretMountToEnvsList
         		// +patchKey=name
         		volumeDevices: volumeDevicesList
         		// +patchKey=name
@@ -248,6 +270,10 @@ spec:
         			envName:      string
         			configMapKey: string
         		}
+        		mountToEnvs?: [...{
+        			envName:      string
+        			configMapKey: string
+        		}]
         		mountPath?:  string
         		defaultMode: *420 | int
         		readOnly:    *false | bool
@@ -267,6 +293,10 @@ spec:
         			envName:   string
         			secretKey: string
         		}
+        		mountToEnvs?: [...{
+        			envName:   string
+        			secretKey: string
+        		}]
         		mountPath?:  string
         		defaultMode: *420 | int
         		readOnly:    *false | bool

charts/vela-minimal/templates/defwithtemplate/suspend.yaml

@@ -11,6 +11,8 @@ spec:
   schematic:
     cue:
       template: |
-        // no parameters
-        parameter: {}
+        parameter: {
+        	// +usage=Specify the wait duration time to resume workflow such as "30s", "1min" or "2m15s"
+        	duration?: string
+        }
 

charts/vela-minimal/templates/defwithtemplate/task.yaml

@@ -18,11 +18,17 @@ spec:
         		parallelism: parameter.count
         		completions: parameter.count
         		template: {
-        			if parameter.labels != _|_ {
-        				metadata: labels: parameter.labels
-        			}
-        			if parameter.annotations != _|_ {
-        				metadata: annotations: parameter.annotations
+        			metadata: {
+        				labels: {
+        					if parameter.labels != _|_ {
+        						parameter.labels
+        					}
+        					"app.oam.dev/name":      context.appName
+        					"app.oam.dev/component": context.name
+        				}
+        				if parameter.annotations != _|_ {
+        					annotations: parameter.annotations
+        				}
         			}
         			spec: {
         				restartPolicy: parameter.restart

charts/vela-minimal/templates/defwithtemplate/webservice.yaml

@@ -132,10 +132,10 @@ spec:
         						parameter.labels
         					}
         					if parameter.addRevisionLabel {
-        						"app.oam.dev/appRevision": context.appRevision
+        						"app.oam.dev/revision": context.revision
         					}
+        					"app.oam.dev/name":      context.appName
         					"app.oam.dev/component": context.name
-        					"app.oam.dev/revision":  context.revision
         				}
         				if parameter.annotations != _|_ {
         					annotations: parameter.annotations
@@ -333,7 +333,7 @@ spec:
         	exposeType: *"ClusterIP" | "NodePort" | "LoadBalancer" | "ExternalName"
 
         	// +ignore
-        	// +usage=If addRevisionLabel is true, the appRevision label will be added to the underlying pods
+        	// +usage=If addRevisionLabel is true, the revision label will be added to the underlying pods
         	addRevisionLabel: *false | bool
 
         	// +usage=Commands to run in the container
@@ -455,7 +455,7 @@ spec:
         	readinessProbe?: #HealthProbe
 
         	// +usage=Specify the hostAliases to add
-        	hostAliases: [...{
+        	hostAliases?: [...{
         		ip: string
         		hostnames: [...string]
         	}]

charts/vela-minimal/templates/defwithtemplate/worker.yaml

@@ -124,7 +124,10 @@ spec:
         		selector: matchLabels: "app.oam.dev/component": context.name
 
         		template: {
-        			metadata: labels: "app.oam.dev/component": context.name
+        			metadata: labels: {
+        				"app.oam.dev/name":      context.appName
+        				"app.oam.dev/component": context.name
+        			}
 
         			spec: {
         				containers: [{

charts/vela-minimal/templates/kubevela-controller.yaml

@@ -27,6 +27,9 @@ subjects:
   - kind: ServiceAccount
     name: {{ include "kubevela.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
+  - kind: Group
+    name: core.oam.dev
+    apiGroup: rbac.authorization.k8s.io
 
 ---
 # permissions to do leader election.
@@ -142,6 +145,14 @@ spec:
             - "--max-workflow-wait-backoff-time={{ .Values.workflow.backoff.maxTime.waitState }}"
             - "--max-workflow-failed-backoff-time={{ .Values.workflow.backoff.maxTime.failedState }}"
             - "--max-workflow-step-error-retry-times={{ .Values.workflow.step.errorRetryTimes }}"
+            - "--feature-gates=AuthenticateApplication={{- .Values.authentication.enabled | toString -}}"
+            {{ if .Values.authentication.enabled }}
+            {{ if .Values.authentication.withUser }}
+            - "--authentication-with-user"
+            {{ end }}
+            - "--authentication-default-user={{ .Values.authentication.defaultUser }}"
+            - "--authentication-group-pattern={{ .Values.authentication.groupPattern }}"
+            {{ end }}
           image: {{ .Values.imageRegistry }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
           imagePullPolicy: {{ quote .Values.image.pullPolicy }}
           resources:

charts/vela-minimal/values.yaml

@@ -24,7 +24,7 @@ controllerArgs:
 OAMSpecVer: "minimal"
 
 ## @param disableCaps Disable capability
-disableCaps: "manualscalertrait,containerizedwokrload,envbinding,rollout"
+disableCaps: "manualscalertrait,envbinding,rollout"
 
 ## @param applyOnceOnly Valid applyOnceOnly values: true/false/on/off/force
 applyOnceOnly: "off"
@@ -107,7 +107,7 @@ multicluster:
     port: 9443
     image:
       repository: oamdev/cluster-gateway
-      tag: v1.3.0
+      tag: v1.3.2
       pullPolicy: IfNotPresent
     resources:
       limits:
@@ -215,3 +215,13 @@ admissionWebhooks:
 kubeClient:
   qps: 50
   burst: 100
+
+## @param authentication.enabled Enable authentication for application
+## @param authentication.withUser Application authentication will impersonate as the request User
+## @param authentication.defaultUser Application authentication will impersonate as the User if no user provided in Application
+## @param authentication.groupPattern Application authentication will impersonate as the request Group that matches the pattern
+authentication:
+  enabled: false
+  withUser: false
+  defaultUser: kubevela:vela-core
+  groupPattern: kubevela:*

cmd/apiserver/main.go

@@ -46,6 +46,7 @@ func main() {
 	flag.StringVar(&s.restCfg.LeaderConfig.LockName, "lock-name", "apiserver-lock", "the lease lock resource name")
 	flag.DurationVar(&s.restCfg.LeaderConfig.Duration, "duration", time.Second*5, "the lease lock resource name")
 	flag.DurationVar(&s.restCfg.AddonCacheTime, "addon-cache-duration", time.Minute*10, "how long between two addon cache operation")
+	flag.BoolVar(&s.restCfg.DisableStatisticCronJob, "disable-statistic-cronJob", false, "close the system statistic info calculating cronJob")
 	flag.Parse()
 
 	if len(os.Args) > 2 && os.Args[1] == "build-swagger" {

cmd/core/main.go

@@ -36,6 +36,8 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 
+	apicommon "github.com/oam-dev/kubevela/apis/core.oam.dev/common"
+	"github.com/oam-dev/kubevela/apis/types"
 	"github.com/oam-dev/kubevela/pkg/auth"
 	ctrlClient "github.com/oam-dev/kubevela/pkg/client"
 	standardcontroller "github.com/oam-dev/kubevela/pkg/controller"
@@ -50,6 +52,7 @@ import (
 	"github.com/oam-dev/kubevela/pkg/oam"
 	"github.com/oam-dev/kubevela/pkg/oam/discoverymapper"
 	"github.com/oam-dev/kubevela/pkg/resourcekeeper"
+	pkgutils "github.com/oam-dev/kubevela/pkg/utils"
 	"github.com/oam-dev/kubevela/pkg/utils/common"
 	"github.com/oam-dev/kubevela/pkg/utils/system"
 	"github.com/oam-dev/kubevela/pkg/utils/util"
@@ -59,10 +62,6 @@ import (
 	"github.com/oam-dev/kubevela/version"
 )
 
-const (
-	kubevelaName = "kubevela"
-)
-
 var (
 	scheme             = common.Scheme
 	waitSecretTimeout  = 90 * time.Second
@@ -202,10 +201,22 @@ func main() {
 	klog.InfoS("Vela-Core init", "definition namespace", oam.SystemDefinitonNamespace)
 
 	restConfig := ctrl.GetConfigOrDie()
-	restConfig.UserAgent = kubevelaName + "/" + version.GitRevision
+	restConfig.UserAgent = types.KubeVelaName + "/" + version.GitRevision
 	restConfig.QPS = float32(qps)
 	restConfig.Burst = burst
 	restConfig.Wrap(auth.NewImpersonatingRoundTripper)
+	restConfig.Impersonate.UserName = types.VelaCoreName
+	if sub := pkgutils.GetServiceAccountSubjectFromConfig(restConfig); sub != "" {
+		restConfig.Impersonate.UserName = sub
+	}
+	restConfig.Impersonate.Groups = []string{apicommon.Group}
+	klog.InfoS("Kubernetes Config Loaded",
+		"UserAgent", restConfig.UserAgent,
+		"QPS", restConfig.QPS,
+		"Burst", restConfig.Burst,
+		"Impersonate-User", restConfig.Impersonate.UserName,
+		"Impersonate-Group", strings.Join(restConfig.Impersonate.Groups, ","),
+	)
 
 	// wrapper the round tripper by multi cluster rewriter
 	if enableClusterGateway {
@@ -225,7 +236,7 @@ func main() {
 	}
 	ctrl.SetLogger(klogr.New())
 
-	leaderElectionID := util.GenerateLeaderElectionID(kubevelaName, controllerArgs.IgnoreAppWithoutControllerRequirement)
+	leaderElectionID := util.GenerateLeaderElectionID(types.KubeVelaName, controllerArgs.IgnoreAppWithoutControllerRequirement)
 	mgr, err := ctrl.NewManager(restConfig, ctrl.Options{
 		Scheme:                     scheme,
 		MetricsBindAddress:         metricsAddr,

codecov.yml

@@ -7,4 +7,5 @@ coverage:
       default:
         target: 70%
 ignore:
-  - "**/zz_generated.deepcopy.go"
+  - "**/zz_generated.deepcopy.go"
+  - "references/"

community.md

@@ -1,7 +1,3 @@
 # Community
 
-All contributors should be welcomed to the community by existing members, helped with PR workflow, and directed to relevant documentation and communication channels.
-
-Please check [community-membership.md](https://github.com/oam-dev/community/blob/main/community-membership.md) to start engaging with the community.
-
-Enjoy coding and collaboration in OSS world!
+Please refer to the [community repo](https://github.com/kubevela/community) for details.

contribute/coding-conventions.md

@@ -142,7 +142,7 @@ klog.InfoS("Reconcile application", "application", klog.KRef(req.Namespace, req.
 
 ### Logging Level
 
-[This file](https://github.com/oam-dev/kubevela/blob/master/pkg/controller/common/logs.go) contains KubeVela's log level,
+[This file](https://github.com/kubevela/kubevela/blob/master/pkg/controller/common/logs.go) contains KubeVela's log level,
 you can set the log level by `klog.V(level)`.
 
 ```golang

design/vela-core/apply-workload-and-trait.md

@@ -2,7 +2,7 @@
 
 - Owner: Yue Wang(@captainroy-hy), Jianbo Sun(@wonderflow)
 - Date: 01/21/2021
-- Status: [Implemented](https://github.com/oam-dev/kubevela/pull/857)
+- Status: [Implemented](https://github.com/kubevela/kubevela/pull/857)
 
 
 ## Intro

docs/README.md

@@ -2,5 +2,5 @@
 
 Documentation website： https://kubevela.io/
 
-All docs of KubeVela are managed in [oam-dev/kubevela.io](https://github.com/oam-dev/kubevela.io) repo. Please refer
+All docs of KubeVela are managed in [kubevela/kubevela.io](https://github.com/kubevela/kubevela.io) repo. Please refer
 to that repo for contributions.

docs/examples/app-with-policy/gc-policy/persist-resources.md

@@ -2,6 +2,8 @@
 
 By leveraging the garbage-collect policy, users can persist some resources, which skip the normal garbage-collect process when application is updated.
 
+### traitTypes
+
 Take the following app as an example, in the garbage-collect policy, a rule is added which marks all the resources created by the `expose` trait to use the `onAppDelete` strategy. This will keep those services until application is deleted.
 ```shell
 $ cat <<EOF | kubectl apply -f -
@@ -78,6 +80,8 @@ hello-world       ClusterIP   10.96.160.208   <none>        8000/TCP   5m56s
 hello-world-new   ClusterIP   10.96.20.4      <none>        8000/TCP   13s
 ```
 
+### componentTypes
+
 Users can also keep component if they are deploying job-like components. Resources dispatched by `job-like-component` type component will be kept after application is deleted.
 
 ```yaml
@@ -100,6 +104,8 @@ spec:
             strategy: never
 ```
 
+### componentNames
+
 A more straightforward way is to specify `compNames` to match specified components.
 ```yaml
 apiVersion: core.oam.dev/v1beta1
@@ -124,3 +130,74 @@ spec:
                 - example-addon-namespace
             strategy: never
 ```
+
+### oamTypes
+
+Users can also persist resources using `oamTypes`, where the values of `oamTypes` can be `TRAIT` and `WORKLOAD`.
+
+```shell
+$ cat <<EOF | kubectl apply -f -
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: garbage-collect-app
+spec:
+  components:
+    - name: hello-world
+      type: webservice
+      properties:
+        image: crccheck/hello-world
+      traits:
+        - type: expose
+          properties:
+            port: [8000]
+  policies:
+    - name: garbage-collect
+      type: garbage-collect
+      properties:
+        rules:
+          - selector:
+              oamTypes:
+                - TRAIT
+            strategy: onAppDelete
+EOF
+```
+
+And then, let's modify the component name.
+
+```shell
+$ cat <<EOF | kubectl apply -f -
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: garbage-collect-app
+spec:
+  components:
+    - name: hello-world-new
+      type: webservice
+      properties:
+        image: crccheck/hello-world
+      traits:
+        - type: expose
+          properties:
+            port: [8000]
+  policies:
+    - name: garbage-collect
+      type: garbage-collect
+      properties:
+        rules:
+          - selector:
+              oamTypes:
+                - TRAIT
+            strategy: onAppDelete
+EOF
+```
+
+List the service in cluster, you will find:
+
+```shell
+$ kubectl get service
+NAME              TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
+hello-world       ClusterIP   10.96.31.209   <none>        8000/TCP   31s
+hello-world-new   ClusterIP   10.96.17.103   <none>        8000/TCP   5s
+```

docs/examples/app-with-policy/gc-policy/reverse-dependency.md

@@ -0,0 +1,50 @@
+# How to garbage collect resources in the order of dependency
+
+If you want to garbage collect resources in the order of dependency, you can add `order: dependency` in the `garbage-collect` policy.
+
+> Notice that this order policy is only valid for the resources that are created in the components.
+
+In the following example, component `test1` depends on `test2`, and `test2` need the output from `test3`.
+
+So the order of deployment is: `test3 -> test2 -> test1`.
+
+When we add `order: dependency` in `garbage-collect` policy and delete the application, the order of garbage collect is: `test3 -> test2 -> test1`.
+
+```yaml
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: gc-dependency
+  namespace: default
+spec:
+  components:
+  - name: test1
+    type: webservice
+    properties:
+      image: crccheck/hello-world
+      port: 8000
+    dependsOn:
+      - "test2"
+  - name: test2
+    type: webservice
+    properties:
+      image: crccheck/hello-world
+      port: 8000
+    inputs:
+      - from: test3-output
+        parameterKey: test
+  - name: test3
+    type: webservice
+    properties:
+      image: crccheck/hello-world
+      port: 8000
+    outputs:
+      - name: test3-output
+        valueFrom: output.metadata.name
+  
+  policies:
+    - name: gc-dependency
+      type: garbage-collect
+      properties:
+        order: dependency
+```

docs/examples/core-definitions/trait/storage.yaml

@@ -32,6 +32,9 @@ spec:
                 mountToEnv:
                   envName: TEST_ENV
                   configMapKey: key1
+                mountToEnvs:
+                  - envName: TEST_CM_ENV
+                    configMapKey: key2
                 data:
                   key1: value1
                   key2: value2
@@ -49,9 +52,15 @@ spec:
                 mountToEnv:
                   envName: TEST_SECRET
                   secretKey: key1
+                mountToEnvs:
+                  - envName: TEST_SECRET_ENV_2
+                    secretKey: key2
+                  - envName: TEST_SECRET_ENV_3
+                    secretKey: key3
                 data:
                   key1: dmFsdWUx
                   key2: dmFsdWUy
+                  key3: dmFsdWUz
             emptyDir:
               - name: test1
                 mountPath: /test/mount/emptydir

docs/examples/traits/control-plane-only-usecase/README.md

@@ -0,0 +1,55 @@
+# How to use controlPlaneOnly
+
+In this section, I'll illustrate by an example how to controlPlaneOnly.
+
+## Prerequisites
+
+1. You have installed KubeVela
+2. You can access several Kubernetes cluster(remotely or locally like `kind` or `minikube`) via `vela cluster join xxx`
+
+## Steps
+
+### Apply trait with controlPlaneOnly
+
+In [control-plane-only-usecase.cue](./control-plane-only-usecase.cue), you'll see a `controlPlaneOnly` field in `attributes`, which shows that whether resources generated by trait are dispatched to the hubcluster `local`.
+
+apply the cue file in cluster
+
+```shell
+vela def apply control-plane-only-usecase.cue
+```
+
+### Apply the application
+In [app-with-control-plane-only-usecase.yaml](./app-with-control-plane-only-usecase.yaml), you'll see a application with trait `hubcluster`
+
+Just apply the file in cluster.
+```shell
+kubectl apply -f app-with-control-plane-only-usecase.yaml
+```
+
+### Check the application
+
+the application in the cluster is rendered into resources like `pod`, `hpa`.
+
+Try to describe the pod in `cluster01`:
+```shell
+$ kubectl get pod
+NAME                                                        READY   STATUS    RESTARTS   AGE
+app-with-control-plane-only-component-01-66bd996fd7-xlwsh   1/1     Running   0          18s
+```
+
+Try to describe the pod in `cluster02`:
+```shell
+$ kubectl get pod
+NAME                                                        READY   STATUS    RESTARTS   AGE
+app-with-control-plane-only-component-01-66bd996fd7-p66rv   1/1     Running   0          18s
+```
+
+Try to describe the hpa in `local`:
+```shell
+$ kubectl get hpa
+NAME                                       READY   STATUS    RESTARTS   AGE
+app-with-control-plane-only-component-01   1/1     Running   0          18s
+```
+
+You'll see the pod is running without any errors and hpa is running in `local`.

docs/examples/traits/control-plane-only-usecase/app-with-control-plane-only-usecase.yaml

@@ -0,0 +1,44 @@
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: app-with-control-plane-only
+  namespace: default
+spec:
+  components:
+    - name: app-with-control-plane-only-component-01
+      type: webservice
+      properties:
+        image: busybox
+        imagePullPolicy: IfNotPresent
+        cmd: [ "sleep", "10000" ]
+        cpu: "0.1"
+        mem: "100Mi"
+      traits:
+        - type: hubcpuscaler
+          properties:
+            min: 1
+            max: 10
+            cpuPercent: 60
+        - type: annotations
+          properties:
+            abc: "def"
+        - type: expose
+          properties:
+            port: [ 80 ]
+  policies:
+    - name: app-with-control-plane-only-topology-01
+      type: topology
+      properties:
+        clusters: [ "cluster01" ]
+        namespace: default
+    - name: app-with-control-plane-only-topology-02
+      type: topology
+      properties:
+        clusters: [ "cluster02" ]
+        namespace: default
+  workflow:
+    steps:
+      - type: deploy
+        name: app-with-control-plane-only-deploy-01
+        properties:
+          policies: [ "app-with-control-plane-only-topology-01","app-with-control-plane-only-topology-02" ]

docs/examples/traits/control-plane-only-usecase/control-plane-only-usecase.cue

@@ -0,0 +1,43 @@
+hubcpuscaler: {
+	type: "trait"
+	annotations: {}
+	labels: {
+		"ui-hidden": "true"
+	}
+	description: "Automatically scale the component based on CPU usage."
+	attributes: {
+		appliesToWorkloads: ["deployments.apps"]
+		controlPlaneOnly: true
+	}
+}
+
+template: {
+	outputs: hubcpuscaler: {
+		apiVersion: "autoscaling/v1"
+		kind:       "HorizontalPodAutoscaler"
+		metadata: name: context.name
+		spec: {
+			scaleTargetRef: {
+				apiVersion: parameter.targetAPIVersion
+				kind:       parameter.targetKind
+				name:       context.name
+			}
+			minReplicas:                    parameter.min
+			maxReplicas:                    parameter.max
+			targetCPUUtilizationPercentage: parameter.cpuUtil
+		}
+	}
+
+	parameter: {
+		// +usage=Specify the minimal number of replicas to which the autoscaler can scale down
+		min: *1 | int
+		// +usage=Specify the maximum number of of replicas to which the autoscaler can scale up
+		max: *10 | int
+		// +usage=Specify the average CPU utilization, for example, 50 means the CPU usage is 50%
+		cpuUtil: *50 | int
+		// +usage=Specify the apiVersion of scale target
+		targetAPIVersion: *"apps/v1" | string
+		// +usage=Specify the kind of scale target
+		targetKind: *"Deployment" | string
+	}
+}

e2e/addon/mock/testdata/mock-addon/metadata.yaml

@@ -0,0 +1,23 @@
+name: mock-addon
+version: 1.0.0
+description: Extended workload to do continuous and progressive delivery
+icon: https://raw.githubusercontent.com/fluxcd/flux/master/docs/_files/weave-flux.png
+url: https://fluxcd.io
+
+tags:
+  - extended_workload
+  - gitops
+  - only_example
+
+deployTo:
+  control_plane: true
+  runtime_cluster: false
+
+dependencies: []
+#- name: addon_name
+
+# set invisible means this won't be list and will be enabled when depended on
+# for example, terraform-alibaba depends on terraform which is invisible,
+# when terraform-alibaba is enabled, terraform will be enabled automatically
+# default: false
+invisible: false

e2e/addon/mock/testdata/mock-addon/template.yaml

@@ -0,0 +1,14 @@
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: mock-addon
+  namespace: vela-system
+spec:
+  components:
+    - name: ns-example-system
+      type: raw
+      properties:
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: mock-system

e2e/addon/mock/vela_addon_mock_server.go

@@ -20,6 +20,7 @@ import (
 	"embed"
 	"encoding/xml"
 	"fmt"
+	"html/template"
 	"io/fs"
 	"log"
 	"net/http"
@@ -67,25 +68,37 @@ var ossHandler http.HandlerFunc = func(rw http.ResponseWriter, req *http.Request
 			}
 		}
 		data, err := xml.Marshal(res)
+		error := map[string]error{"error": err}
+		// Make and parse the data
+		t, err := template.New("").Parse(string(data))
 		if err != nil {
-			_, _ = rw.Write([]byte(err.Error()))
+			// Render the data
+			t.Execute(rw, error)
 		}
-		_, _ = rw.Write(data)
+		// Render the data
+		t.Execute(rw, data)
+
 	} else {
 		found := false
 		for _, p := range paths {
 			if queryPath == p.path {
 				file, err := testData.ReadFile(path.Join("testdata", queryPath))
+				error := map[string]error{"error": err}
+				// Make and parse the data
+				t, err := template.New("").Parse(string(file))
 				if err != nil {
-					_, _ = rw.Write([]byte(err.Error()))
+					// Render the data
+					t.Execute(rw, error)
 				}
 				found = true
-				_, _ = rw.Write(file)
+				t.Execute(rw, file)
 				break
 			}
 		}
 		if !found {
-			_, _ = rw.Write([]byte("not found"))
+			nf := "not found"
+			t, _ := template.New("").Parse(nf)
+			t.Execute(rw, nf)
 		}
 	}
 }

go.mod

@@ -5,6 +5,7 @@ go 1.17
 require (
 	cuelang.org/go v0.2.2
 	github.com/AlecAivazis/survey/v2 v2.1.1
+	github.com/FogDong/uitable v0.0.5
 	github.com/Netflix/go-expect v0.0.0-20180615182759-c93bf25de8e8
 	github.com/agiledragon/gomonkey/v2 v2.4.0
 	github.com/alibabacloud-go/cs-20151215/v2 v2.4.5
@@ -13,7 +14,7 @@ require (
 	github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b
 	github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869
 	github.com/briandowns/spinner v1.11.1
-	github.com/containerd/containerd v1.4.13
+	github.com/containerd/containerd v1.5.10
 	github.com/coreos/go-oidc v2.1.0+incompatible
 	github.com/coreos/prometheus-operator v0.41.1
 	github.com/crossplane/crossplane-runtime v0.14.1-0.20210722005935-0b469fcc77cd
@@ -21,79 +22,94 @@ require (
 	github.com/deckarep/golang-set v1.7.1
 	github.com/emicklei/go-restful-openapi/v2 v2.3.0
 	github.com/emicklei/go-restful/v3 v3.0.0-rc2
-	github.com/evanphx/json-patch v4.11.0+incompatible
+	github.com/evanphx/json-patch v4.12.0+incompatible
 	github.com/fatih/color v1.12.0
 	github.com/form3tech-oss/jwt-go v3.2.3+incompatible
-	github.com/fsnotify/fsnotify v1.5.1 // indirect
 	github.com/gertd/go-pluralize v0.1.7
-	github.com/getkin/kin-openapi v0.34.0
-	github.com/go-logr/logr v0.4.0
+	github.com/getkin/kin-openapi v0.94.0
+	github.com/go-logr/logr v1.2.0
 	github.com/go-openapi/spec v0.19.8
 	github.com/go-playground/validator/v10 v10.9.0
 	github.com/go-resty/resty/v2 v2.7.0
 	github.com/google/go-cmp v0.5.6
 	github.com/google/go-github/v32 v32.1.0
-	github.com/google/uuid v1.1.2
+	github.com/google/uuid v1.2.0
 	github.com/gosuri/uilive v0.0.4
 	github.com/gosuri/uitable v0.0.4
 	github.com/hashicorp/go-version v1.3.0
 	github.com/hashicorp/hcl/v2 v2.9.1
 	github.com/hinshun/vt10x v0.0.0-20180616224451-1954e6464174
 	github.com/imdario/mergo v0.3.12
+	github.com/kubevela/prism v0.0.0-20220512081342-9b641aa819f3
 	github.com/kyokomi/emoji v2.2.4+incompatible
 	github.com/mitchellh/hashstructure/v2 v2.0.1
-	github.com/oam-dev/cluster-gateway v1.1.6
+	github.com/oam-dev/cluster-gateway v1.3.3-0.20220509095841-4272c540e1e9
 	github.com/oam-dev/cluster-register v1.0.4-0.20220325092210-cee4a3d3fb7d
 	github.com/oam-dev/terraform-config-inspect v0.0.0-20210418082552-fc72d929aa28
-	github.com/oam-dev/terraform-controller v0.4.2
+	github.com/oam-dev/terraform-controller v0.4.7
 	github.com/olekukonko/tablewriter v0.0.5
-	github.com/onsi/ginkgo v1.16.4
-	github.com/onsi/gomega v1.17.0
-	github.com/opencontainers/image-spec v1.0.2 // indirect
+	github.com/onsi/ginkgo v1.16.5
+	github.com/onsi/gomega v1.19.0
 	github.com/opencontainers/runc v1.0.3 // indirect
-	github.com/openkruise/kruise-api v0.9.0
+	github.com/openkruise/kruise-api v1.1.0
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.11.0
 	github.com/sirupsen/logrus v1.8.1
-	github.com/spf13/cobra v1.2.1
+	github.com/spf13/cobra v1.4.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.7.0
 	github.com/tidwall/gjson v1.9.3
 	github.com/wercker/stern v0.0.0-20190705090245-4fa46dd6987f
 	github.com/wonderflow/cert-manager-api v1.0.3
 	go.mongodb.org/mongo-driver v1.5.1
-	go.uber.org/zap v1.18.1
-	golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97
-	golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602
-	golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6 // indirect
-	golang.org/x/tools v0.1.6 // indirect
+	go.uber.org/zap v1.19.1
+	golang.org/x/crypto v0.0.0-20220507011949-2cf3adece122
+	golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a
+	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
+	golang.org/x/tools v0.1.11-0.20220316014157-77aa08bb151a // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
 	gopkg.in/src-d/go-git.v4 v4.13.1
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
 	gotest.tools v2.2.0+incompatible
-	helm.sh/helm/v3 v3.6.1
+	helm.sh/helm/v3 v3.7.2
 	istio.io/client-go v0.0.0-20210128182905-ee2edd059e02
-	k8s.io/api v0.22.1
-	k8s.io/apiextensions-apiserver v0.22.1
-	k8s.io/apimachinery v0.22.1
-	k8s.io/apiserver v0.22.1
-	k8s.io/cli-runtime v0.21.0
-	k8s.io/client-go v0.22.1
-	k8s.io/component-base v0.22.1
+	k8s.io/api v0.23.6
+	k8s.io/apiextensions-apiserver v0.23.5
+	k8s.io/apimachinery v0.23.6
+	k8s.io/apiserver v0.23.6
+	k8s.io/cli-runtime v0.23.6
+	k8s.io/client-go v0.23.6
+	k8s.io/component-base v0.23.6
 	k8s.io/klog v1.0.0
-	k8s.io/klog/v2 v2.9.0
-	k8s.io/kube-aggregator v0.22.1
-	k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e
-	k8s.io/kubectl v0.21.0
-	k8s.io/metrics v0.21.0
-	k8s.io/utils v0.0.0-20210802155522-efc7438f0176
-	open-cluster-management.io/api v0.0.0-20210804091127-340467ff6239
-	rsc.io/letsencrypt v0.0.3 // indirect
-	sigs.k8s.io/controller-runtime v0.9.5
+	k8s.io/klog/v2 v2.60.1
+	k8s.io/kube-aggregator v0.23.0
+	k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65
+	k8s.io/kubectl v0.22.4
+	k8s.io/metrics v0.22.4
+	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9
+	open-cluster-management.io/api v0.7.0
+	sigs.k8s.io/controller-runtime v0.11.2
 	sigs.k8s.io/controller-tools v0.6.2
 	sigs.k8s.io/kind v0.9.0
-	sigs.k8s.io/yaml v1.2.0
+	sigs.k8s.io/yaml v1.3.0
+)
+
+require (
+	github.com/BurntSushi/toml v0.4.1 // indirect
+	github.com/docker/distribution v2.8.1+incompatible // indirect
+	github.com/docker/docker v20.10.14+incompatible // indirect
+	github.com/fatih/camelcase v1.0.0
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.0 // indirect
+	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
+	github.com/robfig/cron/v3 v3.0.1
+	github.com/xanzy/go-gitlab v0.60.0
+	github.com/xanzy/ssh-agent v0.3.0 // indirect
+	golang.org/x/net v0.0.0-20220325170049-de3da57026de // indirect
+	golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.2.0
+	google.golang.org/protobuf v1.28.0 // indirect
 )
 
 require (
@@ -105,16 +121,16 @@ require (
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/BurntSushi/toml v0.3.1 // indirect
 	github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Masterminds/semver/v3 v3.1.1 // indirect
 	github.com/Masterminds/sprig v2.22.0+incompatible // indirect
 	github.com/Masterminds/sprig/v3 v3.2.2 // indirect
-	github.com/Masterminds/squirrel v1.5.0 // indirect
-	github.com/Microsoft/go-winio v0.4.16 // indirect
-	github.com/Microsoft/hcsshim v0.8.14 // indirect
+	github.com/Masterminds/squirrel v1.5.2 // indirect
+	github.com/Microsoft/go-winio v0.4.17 // indirect
+	github.com/Microsoft/hcsshim v0.8.23 // indirect
+	github.com/NYTimes/gziphandler v1.1.1 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/agext/levenshtein v1.2.2 // indirect
@@ -132,29 +148,28 @@ require (
 	github.com/cespare/xxhash/v2 v2.1.1 // indirect
 	github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 // indirect
 	github.com/cockroachdb/apd/v2 v2.0.1 // indirect
-	github.com/containerd/cgroups v0.0.0-20200531161412-0dbf7f05ba59 // indirect
-	github.com/containerd/continuity v0.0.0-20201208142359-180525291bb7 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect
+	github.com/containerd/continuity v0.1.0 // indirect
+	github.com/coreos/go-semver v0.3.0 // indirect
+	github.com/coreos/go-systemd/v22 v22.3.2 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.1 // indirect
 	github.com/creack/pty v1.1.11 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.2 // indirect
-	github.com/deislabs/oras v0.11.1 // indirect
-	github.com/docker/cli v20.10.5+incompatible // indirect
-	github.com/docker/distribution v2.8.0-beta.1+incompatible // indirect
-	github.com/docker/docker v17.12.0-ce-rc1.0.20200618181300-9dc6525e6118+incompatible // indirect
+	github.com/docker/cli v20.10.7+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.6.3 // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
-	github.com/docker/go-metrics v0.0.0-20180209012529-399ea8c73916 // indirect
+	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
-	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
 	github.com/emicklei/go-restful v2.9.5+incompatible // indirect
 	github.com/emicklei/proto v1.6.15 // indirect
 	github.com/emirpasic/gods v1.12.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.1.0 // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
-	github.com/fatih/camelcase v1.0.0 // indirect
+	github.com/felixge/httpsnoop v1.0.1 // indirect
+	github.com/fsnotify/fsnotify v1.5.1 // indirect
+	github.com/fvbommel/sortorder v1.0.1 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-errors/errors v1.0.1 // indirect
-	github.com/go-logr/zapr v0.4.0 // indirect
+	github.com/go-logr/zapr v1.2.0 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.19.5 // indirect
 	github.com/go-openapi/swag v0.19.14 // indirect
@@ -168,12 +183,14 @@ require (
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/golang/snappy v0.0.1 // indirect
 	github.com/google/btree v1.0.1 // indirect
-	github.com/google/go-querystring v1.0.0 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.1.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/googleapis/gnostic v0.5.5 // indirect
 	github.com/gorilla/mux v1.8.0 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
+	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/huandu/xstrings v1.3.2 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
@@ -181,17 +198,16 @@ require (
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/jmoiron/sqlx v1.3.1 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
-	github.com/json-iterator/go v1.1.11 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
-	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
-	github.com/klauspost/compress v1.11.0 // indirect
+	github.com/klauspost/compress v1.11.13 // indirect
 	github.com/kr/pretty v0.3.0 // indirect
 	github.com/kr/pty v1.1.8 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/leodido/go-urn v1.2.1 // indirect
-	github.com/lib/pq v1.10.0 // indirect
+	github.com/lib/pq v1.10.2 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/mailru/easyjson v0.7.6 // indirect
 	github.com/mattn/go-colorable v0.1.8 // indirect
@@ -203,10 +219,11 @@ require (
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
 	github.com/moby/term v0.0.0-20210610120745-9d4ed1856297 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.1 // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de // indirect
@@ -214,27 +231,27 @@ require (
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.0.2 // indirect
+	github.com/openshift/library-go v0.0.0-20220112153822-ac82336bd076 // indirect
 	github.com/pelletier/go-toml v1.9.3 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/common v0.26.0 // indirect
+	github.com/prometheus/common v0.28.0 // indirect
 	github.com/prometheus/procfs v0.6.0 // indirect
 	github.com/rogpeppe/go-internal v1.8.0 // indirect
-	github.com/rubenv/sql-migrate v0.0.0-20200616145509-8d140a17f351 // indirect
+	github.com/rubenv/sql-migrate v0.0.0-20210614095031-55d5740dbbcc // indirect
 	github.com/russross/blackfriday v1.5.2 // indirect
-	github.com/russross/blackfriday/v2 v2.0.1 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sergi/go-diff v1.1.0 // indirect
 	github.com/shopspring/decimal v1.2.0 // indirect
-	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
 	github.com/spf13/afero v1.6.0 // indirect
 	github.com/spf13/cast v1.3.1 // indirect
 	github.com/src-d/gcfg v1.4.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.0 // indirect
 	github.com/tjfoc/gmsm v1.3.2 // indirect
-	github.com/xanzy/ssh-agent v0.3.0 // indirect
 	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
 	github.com/xdg-go/scram v1.0.2 // indirect
 	github.com/xdg-go/stringprep v1.0.2 // indirect
@@ -244,38 +261,49 @@ require (
 	github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca // indirect
 	github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d // indirect
 	github.com/zclconf/go-cty v1.8.0 // indirect
-	go.opencensus.io v0.23.0 // indirect
+	go.etcd.io/etcd/api/v3 v3.5.0 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.5.0 // indirect
+	go.etcd.io/etcd/client/v3 v3.5.0 // indirect
+	go.opentelemetry.io/contrib v0.20.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0 // indirect
+	go.opentelemetry.io/otel v0.20.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp v0.20.0 // indirect
+	go.opentelemetry.io/otel/metric v0.20.0 // indirect
+	go.opentelemetry.io/otel/sdk v0.20.0 // indirect
+	go.opentelemetry.io/otel/sdk/export/metric v0.20.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v0.20.0 // indirect
+	go.opentelemetry.io/otel/trace v0.20.0 // indirect
+	go.opentelemetry.io/proto/otlp v0.7.0 // indirect
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
-	golang.org/x/mod v0.4.2 // indirect
-	golang.org/x/net v0.0.0-20211029224645-99673261e6eb // indirect
+	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
-	golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b // indirect
-	golang.org/x/text v0.3.6 // indirect
-	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
+	golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8 // indirect
+	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c // indirect
-	google.golang.org/grpc v1.38.0 // indirect
-	google.golang.org/protobuf v1.26.0 // indirect
+	google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2 // indirect
+	google.golang.org/grpc v1.40.0 // indirect
 	gopkg.in/gorp.v1 v1.7.2 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.62.0 // indirect
-	gopkg.in/square/go-jose.v2 v2.2.2 // indirect
+	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
 	gopkg.in/src-d/go-billy.v4 v4.3.2 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	istio.io/api v0.0.0-20210128181506-0c4b8e54850f // indirect
 	istio.io/gogo-genproto v0.0.0-20190930162913-45029607206a // indirect
+	oras.land/oras-go v0.4.0 // indirect
 	sigs.k8s.io/apiserver-network-proxy v0.0.24 // indirect
-	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.24 // indirect
-	sigs.k8s.io/apiserver-runtime v1.0.3-0.20210913073608-0663f60bfee2 // indirect
-	sigs.k8s.io/kustomize/api v0.8.5 // indirect
-	sigs.k8s.io/kustomize/kyaml v0.10.15 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.1.2 // indirect
+	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.30 // indirect
+	sigs.k8s.io/apiserver-runtime v1.1.1 // indirect
+	sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect
+	sigs.k8s.io/kustomize/api v0.10.1 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.13.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
 )
 
 replace (