Fix: fix uninstallation continues when answer is no (#4710 )

Signed-off-by: Charlie Chiang <charlie_c_0129@outlook.com> (cherry picked from commit 81115ef6ff) Co-authored-by: Charlie Chiang <charlie_c_0129@outlook.com>
Feat: definition support controller requirement (#4577 )
2026-03-01 09:10:43 +00:00 · 2022-09-13 10:24:25 +08:00 · 2022-08-08 16:07:27 +08:00 · 2022-08-02 16:23:41 +08:00 · 2022-07-27 01:13:33 +08:00 · 2022-07-25 22:17:53 +08:00
461 changed files with 33722 additions and 4167 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,7 +1,7 @@
 # This file is a github code protect rule follow the codeowners https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/creating-a-repository-on-github/about-code-owners#example-of-a-codeowners-file

-*                                  @hongchaodeng @wonderflow @leejanee
-design/                            @hongchaodeng @resouer @wonderflow
+*                                  @barnettZQG @wonderflow @leejanee
+design/                            @barnettZQG @leejanee @wonderflow

 # Owner of CUE
 pkg/cue                            @leejanee @FogDong
--- a/.github/workflows/apiserver-test.yaml
+++ b/.github/workflows/apiserver-test.yaml
@@ -65,7 +65,7 @@ jobs:
      - name: Setup Kind Cluster (Worker)
        run: |
          kind delete cluster --name worker
-          kind create cluster --image kindest/node:v1.18.15@sha256:5c1b980c4d0e0e8e7eb9f36f7df525d079a96169c8a8f20d8bd108c0d0889cc4 --name worker
+          kind create cluster --image kindest/node:v1.20.7@sha256:688fba5ce6b825be62a7c7fe1415b35da2bdfbb5a69227c499ea4cc0008661ca --name worker
          kubectl version
          kubectl cluster-info
          kind get kubeconfig --name worker --internal > /tmp/worker.kubeconfig
@@ -74,7 +74,7 @@ jobs:
      - name: Setup Kind Cluster (Hub)
        run: |
          kind delete cluster
-          kind create cluster --image kindest/node:v1.18.15@sha256:5c1b980c4d0e0e8e7eb9f36f7df525d079a96169c8a8f20d8bd108c0d0889cc4
+          kind create cluster --image kindest/node:v1.20.7@sha256:688fba5ce6b825be62a7c7fe1415b35da2bdfbb5a69227c499ea4cc0008661ca
          kubectl version
          kubectl cluster-info

@@ -92,10 +92,10 @@ jobs:
          kubectl wait --for=condition=Ready pod -l app=source-controller -n flux-system --timeout=600s
          kubectl wait --for=condition=Ready pod -l app=helm-controller -n flux-system --timeout=600s

-      - name: Run apiserver unit test
+      - name: Run api server unit test
        run: make unit-test-apiserver

-      - name: Run apiserver e2e test
+      - name: Run api server e2e test
        run: |
          export ALIYUN_ACCESS_KEY_ID=${{ secrets.ALIYUN_ACCESS_KEY_ID }}
          export ALIYUN_ACCESS_KEY_SECRET=${{ secrets.ALIYUN_ACCESS_KEY_SECRET }}
--- a/.github/workflows/chart.yaml
+++ b/.github/workflows/chart.yaml
@@ -0,0 +1,89 @@
+name: Publish Chart
+
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch: { }
+
+env:
+  BUCKET: ${{ secrets.OSS_BUCKET }}
+  ENDPOINT: ${{ secrets.OSS_ENDPOINT }}
+  ACCESS_KEY: ${{ secrets.OSS_ACCESS_KEY }}
+  ACCESS_KEY_SECRET: ${{ secrets.OSS_ACCESS_KEY_SECRET }}
+  ARTIFACT_HUB_REPOSITORY_ID: ${{ secrets.ARTIFACT_HUB_REPOSITORY_ID }}
+
+jobs:
+  publish-charts:
+    env:
+      HELM_CHARTS_DIR: charts
+      HELM_CHART: charts/vela-core
+      MINIMAL_HELM_CHART: charts/vela-minimal
+      LEGACY_HELM_CHART: legacy/charts/vela-core-legacy
+      VELA_ROLLOUT_HELM_CHART: runtime/rollout/charts
+      LOCAL_OSS_DIRECTORY: .oss/
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@master
+      - name: Get git revision
+        id: vars
+        shell: bash
+        run: |
+          echo "::set-output name=git_revision::$(git rev-parse --short HEAD)"
+      - name: Install Helm
+        uses: azure/setup-helm@v1
+        with:
+          version: v3.4.0
+      - name: Setup node
+        uses: actions/setup-node@v2
+        with:
+          node-version: '14'
+      - name: Generate helm doc
+        run: |
+          make helm-doc-gen
+      - name: Prepare legacy chart
+        run: |
+          rsync -r $LEGACY_HELM_CHART $HELM_CHARTS_DIR
+          rsync -r $HELM_CHART/* $LEGACY_HELM_CHART --exclude=Chart.yaml --exclude=crds
+      - name: Prepare vela chart
+        run: |
+          rsync -r $VELA_ROLLOUT_HELM_CHART $HELM_CHARTS_DIR
+      - name: Get the version
+        id: get_version
+        run: |
+          VERSION=${GITHUB_REF#refs/tags/}
+          echo ::set-output name=VERSION::${VERSION}
+      - name: Tag helm chart image
+        run: |
+          image_tag=${{ steps.get_version.outputs.VERSION }}
+          chart_version=${{ steps.get_version.outputs.VERSION }}
+          sed -i "s/latest/${image_tag}/g" $HELM_CHART/values.yaml
+          sed -i "s/latest/${image_tag}/g" $MINIMAL_HELM_CHART/values.yaml
+          sed -i "s/latest/${image_tag}/g" $LEGACY_HELM_CHART/values.yaml
+          sed -i "s/latest/${image_tag}/g" $VELA_ROLLOUT_HELM_CHART/values.yaml
+          chart_smever=${chart_version#"v"}
+          sed -i "s/0.1.0/$chart_smever/g" $HELM_CHART/Chart.yaml
+          sed -i "s/0.1.0/$chart_smever/g" $MINIMAL_HELM_CHART/Chart.yaml
+          sed -i "s/0.1.0/$chart_smever/g" $LEGACY_HELM_CHART/Chart.yaml
+          sed -i "s/0.1.0/$chart_smever/g" $VELA_ROLLOUT_HELM_CHART/Chart.yaml
+      - name: Install ossutil
+        run: wget http://gosspublic.alicdn.com/ossutil/1.7.0/ossutil64 && chmod +x ossutil64 && mv ossutil64 ossutil
+      - name: Configure Alibaba Cloud OSSUTIL
+        run: ./ossutil --config-file .ossutilconfig config -i ${ACCESS_KEY} -k ${ACCESS_KEY_SECRET} -e ${ENDPOINT} -c .ossutilconfig
+      - name: sync cloud to local
+        run: ./ossutil --config-file .ossutilconfig sync oss://$BUCKET/core $LOCAL_OSS_DIRECTORY
+      - name: add artifacthub stuff to the repo
+        run: |
+          rsync $HELM_CHART/README.md $LEGACY_HELM_CHART/README.md
+          rsync $HELM_CHART/README.md $VELA_ROLLOUT_HELM_CHART/README.md
+          sed -i "s/ARTIFACT_HUB_REPOSITORY_ID/$ARTIFACT_HUB_REPOSITORY_ID/g" hack/artifacthub/artifacthub-repo.yml
+          rsync hack/artifacthub/artifacthub-repo.yml $LOCAL_OSS_DIRECTORY
+      - name: Package helm charts
+        run: |
+          helm package $HELM_CHART --destination $LOCAL_OSS_DIRECTORY
+          helm package $MINIMAL_HELM_CHART --destination $LOCAL_OSS_DIRECTORY
+          helm package $LEGACY_HELM_CHART --destination $LOCAL_OSS_DIRECTORY
+          helm package $VELA_ROLLOUT_HELM_CHART --destination $LOCAL_OSS_DIRECTORY
+          helm repo index --url https://$BUCKET.$ENDPOINT/core $LOCAL_OSS_DIRECTORY
+      - name: sync local to cloud
+        run: ./ossutil --config-file .ossutilconfig sync $LOCAL_OSS_DIRECTORY oss://$BUCKET/core -f -u
--- a/.github/workflows/e2e-multicluster-test.yml
+++ b/.github/workflows/e2e-multicluster-test.yml
@@ -60,7 +60,7 @@ jobs:
      - name: Setup Kind Cluster (Worker)
        run: |
          kind delete cluster --name worker
-          kind create cluster --image kindest/node:v1.18.15@sha256:5c1b980c4d0e0e8e7eb9f36f7df525d079a96169c8a8f20d8bd108c0d0889cc4 --name worker
+          kind create cluster --image kindest/node:v1.20.7@sha256:688fba5ce6b825be62a7c7fe1415b35da2bdfbb5a69227c499ea4cc0008661ca --name worker
          kubectl version
          kubectl cluster-info
          kind get kubeconfig --name worker --internal > /tmp/worker.kubeconfig
@@ -69,7 +69,7 @@ jobs:
      - name: Setup Kind Cluster (Hub)
        run: |
          kind delete cluster
-          kind create cluster --image kindest/node:v1.18.15@sha256:5c1b980c4d0e0e8e7eb9f36f7df525d079a96169c8a8f20d8bd108c0d0889cc4
+          kind create cluster --image kindest/node:v1.20.7@sha256:688fba5ce6b825be62a7c7fe1415b35da2bdfbb5a69227c499ea4cc0008661ca
          kubectl version
          kubectl cluster-info

@@ -96,7 +96,7 @@ jobs:
        uses: codecov/codecov-action@v1
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
-          files: /tmp/e2e-profile.out
+          files: /tmp/e2e-profile.out,/tmp/e2e_multicluster_test.out
          flags: e2e-multicluster-test
          name: codecov-umbrella

--- a/.github/workflows/e2e-rollout-test.yml
+++ b/.github/workflows/e2e-rollout-test.yml
@@ -60,7 +60,7 @@ jobs:
      - name: Setup Kind Cluster
        run: |
          kind delete cluster
-          kind create cluster --image kindest/node:v1.18.15@sha256:5c1b980c4d0e0e8e7eb9f36f7df525d079a96169c8a8f20d8bd108c0d0889cc4
+          kind create cluster --image kindest/node:v1.20.7@sha256:688fba5ce6b825be62a7c7fe1415b35da2bdfbb5a69227c499ea4cc0008661ca
          kubectl version
          kubectl cluster-info

--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@@ -60,7 +60,7 @@ jobs:
      - name: Setup Kind Cluster
        run: |
          kind delete cluster
-          kind create cluster --image kindest/node:v1.18.15@sha256:5c1b980c4d0e0e8e7eb9f36f7df525d079a96169c8a8f20d8bd108c0d0889cc4
+          kind create cluster --image kindest/node:v1.20.7@sha256:688fba5ce6b825be62a7c7fe1415b35da2bdfbb5a69227c499ea4cc0008661ca
          kubectl version
          kubectl cluster-info

--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -57,7 +57,7 @@ jobs:
          restore-keys: ${{ runner.os }}-pkg-

      - name: Install StaticCheck
-        run: GO111MODULE=off go get honnef.co/go/tools/cmd/staticcheck
+        run: GO111MODULE=on go get honnef.co/go/tools/cmd/staticcheck@v0.3.0

      - name: Static Check
        run: staticcheck ./...
@@ -71,6 +71,11 @@ jobs:
    if: needs.detect-noop.outputs.noop != 'true'

    steps:
+      - name: Setup Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
      - name: Checkout
        uses: actions/checkout@v2
        with:
@@ -88,7 +93,7 @@ jobs:
      # version, but we prefer this action because it leaves 'annotations' (i.e.
      # it comments on PRs to point out linter violations).
      - name: Lint
-        uses: golangci/golangci-lint-action@v2
+        uses: golangci/golangci-lint-action@v3
        with:
          version: ${{ env.GOLANGCI_VERSION }}

--- a/.github/workflows/issue-commands.yml
+++ b/.github/workflows/issue-commands.yml
@@ -14,9 +14,9 @@ jobs:
        with:
          repository: "oam-dev/kubevela-github-actions"
          path: ./actions
-          ref: v0.4.1
+          ref: v0.4.2
      - name: Install Actions
-        run: npm install --production --prefix ./actions
+        run: npm ci --production --prefix ./actions
      - name: Run Commands
        uses: ./actions/commands
        with:
@@ -66,4 +66,4 @@ jobs:
        uses: zeebe-io/backport-action@v0.0.6
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
-          github_workspace: ${{ github.workspace }}
+          github_workspace: ${{ github.workspace }}
--- a/.github/workflows/registry.yml
+++ b/.github/workflows/registry.yml
@@ -8,14 +8,11 @@ on:
  workflow_dispatch: {}

 env:
-  BUCKET: ${{ secrets.OSS_BUCKET }}
-  ENDPOINT: ${{ secrets.OSS_ENDPOINT }}
  ACCESS_KEY: ${{ secrets.OSS_ACCESS_KEY }}
  ACCESS_KEY_SECRET: ${{ secrets.OSS_ACCESS_KEY_SECRET }}
-  ARTIFACT_HUB_REPOSITORY_ID: ${{ secrets.ARTIFACT_HUB_REPOSITORY_ID }}

 jobs:
-  publish-images:
+  publish-core-images:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
@@ -47,20 +44,16 @@ jobs:
      - name: Login Alibaba Cloud ACR
        uses: docker/login-action@v1
        with:
-          registry: kubevela-registry.cn-hangzhou.cr.aliyuncs.com
-          username: ${{ secrets.ACR_USERNAME }}@aliyun-inner.com
+          registry: ${{ secrets.ACR_DOMAIN }}
+          username: ${{ secrets.ACR_USERNAME }}
          password: ${{ secrets.ACR_PASSWORD }}
      - uses: docker/setup-qemu-action@v1
      - uses: docker/setup-buildx-action@v1
        with:
          driver-opts: image=moby/buildkit:master

-      - name: Build & Pushing vela-core for ACR
-        run: |
-          docker build --build-arg GOPROXY=https://proxy.golang.org --build-arg VERSION=${{ steps.get_version.outputs.VERSION }} --build-arg GITVERSION=git-${{ steps.vars.outputs.git_revision }}  -t kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }} .
-          docker push kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
      - uses: docker/build-push-action@v2
-        name: Build & Pushing vela-core for Dockerhub and GHCR
+        name: Build & Pushing vela-core for Dockerhub, GHCR and ACR
        with:
          context: .
          file: Dockerfile
@@ -75,14 +68,51 @@ jobs:
            GOPROXY=https://proxy.golang.org
          tags: |-
            docker.io/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
-            ghcr.io/${{ github.repository }}/vela-core:${{ steps.get_version.outputs.VERSION }}
+            ghcr.io/${{ github.repository_owner }}/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
+            ${{ secrets.ACR_DOMAIN }}/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}

-      - name: Build & Pushing vela-apiserver for ACR
+  publish-addon-images:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Get the version
+        id: get_version
        run: |
-          docker build --build-arg GOPROXY=https://proxy.golang.org --build-arg VERSION=${{ steps.get_version.outputs.VERSION }} --build-arg GITVERSION=git-${{ steps.vars.outputs.git_revision }} -t kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }} -f Dockerfile.apiserver .
-          docker push kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
+          VERSION=${GITHUB_REF#refs/tags/}
+          if [[ ${GITHUB_REF} == "refs/heads/master" ]]; then
+            VERSION=latest
+          fi
+          echo ::set-output name=VERSION::${VERSION}
+      - name: Get git revision
+        id: vars
+        shell: bash
+        run: |
+          echo "::set-output name=git_revision::$(git rev-parse --short HEAD)"
+      - name: Login ghcr.io
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Login docker.io
+        uses: docker/login-action@v1
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login Alibaba Cloud ACR
+        uses: docker/login-action@v1
+        with:
+          registry: ${{ secrets.ACR_DOMAIN }}
+          username: ${{ secrets.ACR_USERNAME }}
+          password: ${{ secrets.ACR_PASSWORD }}
+      - uses: docker/setup-qemu-action@v1
+      - uses: docker/setup-buildx-action@v1
+        with:
+          driver-opts: image=moby/buildkit:master
+
      - uses: docker/build-push-action@v2
-        name: Build & Pushing vela-apiserver for Dockerhub and GHCR
+        name: Build & Pushing vela-apiserver for Dockerhub, GHCR and ACR
        with:
          context: .
          file: Dockerfile.apiserver
@@ -97,14 +127,10 @@ jobs:
            GOPROXY=https://proxy.golang.org
          tags: |-
            docker.io/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
-            ghcr.io/${{ github.repository }}/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
-
-      - name: Build & Pushing vela runtime rollout for ACR
-        run: |
-          docker build --build-arg GOPROXY=https://proxy.golang.org --build-arg VERSION=${{ steps.get_version.outputs.VERSION }} --build-arg GITVERSION=git-${{ steps.vars.outputs.git_revision }}  -t kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-rollout:${{ steps.get_version.outputs.VERSION }} .
-          docker push kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-rollout:${{ steps.get_version.outputs.VERSION }}
+            ghcr.io/${{ github.repository_owner }}/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
+            ${{ secrets.ACR_DOMAIN }}/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
      - uses: docker/build-push-action@v2
-        name: Build & Pushing runtime rollout for Dockerhub and GHCR
+        name: Build & Pushing runtime rollout Dockerhub, GHCR and ACR
        with:
          context: .
          file: runtime/rollout/Dockerfile
@@ -119,96 +145,8 @@ jobs:
            GOPROXY=https://proxy.golang.org
          tags: |-
            docker.io/oamdev/vela-rollout:${{ steps.get_version.outputs.VERSION }}
-            ghcr.io/${{ github.repository }}/vela-rollout:${{ steps.get_version.outputs.VERSION }}
-
-  publish-charts:
-    env:
-      HELM_CHARTS_DIR: charts
-      HELM_CHART: charts/vela-core
-      MINIMAL_HELM_CHART: charts/vela-minimal
-      LEGACY_HELM_CHART: legacy/charts/vela-core-legacy
-      OAM_RUNTIME_HELM_CHART: charts/oam-runtime
-      VELA_ROLLOUT_HELM_CHART: runtime/rollout/charts
-      LOCAL_OSS_DIRECTORY: .oss/
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@master
-      - name: Get git revision
-        id: vars
-        shell: bash
-        run: |
-          echo "::set-output name=git_revision::$(git rev-parse --short HEAD)"
-      - name: Install Helm
-        uses: azure/setup-helm@v1
-        with:
-          version: v3.4.0
-      - name: Setup node
-        uses: actions/setup-node@v2
-        with:
-          node-version: '14'
-      - name: Generate helm doc
-        run: |
-          make helm-doc-gen
-      - name: Prepare legacy chart
-        run: |
-          rsync -r $LEGACY_HELM_CHART $HELM_CHARTS_DIR
-          rsync -r $HELM_CHART/* $LEGACY_HELM_CHART --exclude=Chart.yaml --exclude=crds
-      - name: Prepare vela chart
-        run: |
-          rsync -r $VELA_ROLLOUT_HELM_CHART $HELM_CHARTS_DIR
-      - uses: oprypin/find-latest-tag@v1
-        with:
-          repository: oam-dev/kubevela
-          releases-only: true
-        id: latest_tag
-      - name: Tag helm chart image
-        run: |
-          latest_repo_tag=${{ steps.latest_tag.outputs.tag }}
-          sub="."
-          major="$(cut -d"$sub" -f1 <<<"$latest_repo_tag")"
-          minor="$(cut -d"$sub" -f2 <<<"$latest_repo_tag")"
-          patch="0"
-          current_repo_tag="$major.$minor.$patch"
-          image_tag=${GITHUB_REF#refs/tags/}
-          chart_version=$latest_repo_tag
-          if [[ ${GITHUB_REF} == "refs/heads/master" ]]; then
-            image_tag=latest
-            chart_version=${current_repo_tag}-nightly-build
-          fi
-          sed -i "s/latest/${image_tag}/g" $HELM_CHART/values.yaml
-          sed -i "s/latest/${image_tag}/g" $MINIMAL_HELM_CHART/values.yaml
-          sed -i "s/latest/${image_tag}/g" $LEGACY_HELM_CHART/values.yaml
-          sed -i "s/latest/${image_tag}/g" $OAM_RUNTIME_HELM_CHART/values.yaml
-          sed -i "s/latest/${image_tag}/g" $VELA_ROLLOUT_HELM_CHART/values.yaml
-          chart_smever=${chart_version#"v"}
-          sed -i "s/0.1.0/$chart_smever/g" $HELM_CHART/Chart.yaml
-          sed -i "s/0.1.0/$chart_smever/g" $MINIMAL_HELM_CHART/Chart.yaml
-          sed -i "s/0.1.0/$chart_smever/g" $LEGACY_HELM_CHART/Chart.yaml
-          sed -i "s/0.1.0/$chart_smever/g" $OAM_RUNTIME_HELM_CHART/Chart.yaml
-          sed -i "s/0.1.0/$chart_smever/g" $VELA_ROLLOUT_HELM_CHART/Chart.yaml
-      - name: Install ossutil
-        run: wget http://gosspublic.alicdn.com/ossutil/1.7.0/ossutil64 && chmod +x ossutil64 && mv ossutil64 ossutil
-      - name: Configure Alibaba Cloud OSSUTIL
-        run: ./ossutil --config-file .ossutilconfig config -i ${ACCESS_KEY} -k ${ACCESS_KEY_SECRET} -e ${ENDPOINT} -c .ossutilconfig
-      - name: sync cloud to local
-        run: ./ossutil --config-file .ossutilconfig sync oss://$BUCKET/core $LOCAL_OSS_DIRECTORY
-      - name: add artifacthub stuff to the repo
-        run: |
-          rsync $HELM_CHART/README.md $LEGACY_HELM_CHART/README.md
-          rsync $HELM_CHART/README.md $OAM_RUNTIME_HELM_CHART/README.md
-          rsync $HELM_CHART/README.md $VELA_ROLLOUT_HELM_CHART/README.md
-          sed -i "s/ARTIFACT_HUB_REPOSITORY_ID/$ARTIFACT_HUB_REPOSITORY_ID/g" hack/artifacthub/artifacthub-repo.yml
-          rsync hack/artifacthub/artifacthub-repo.yml $LOCAL_OSS_DIRECTORY
-      - name: Package helm charts
-        run: |
-          helm package $HELM_CHART --destination $LOCAL_OSS_DIRECTORY
-          helm package $MINIMAL_HELM_CHART --destination $LOCAL_OSS_DIRECTORY
-          helm package $LEGACY_HELM_CHART --destination $LOCAL_OSS_DIRECTORY
-          helm package $OAM_RUNTIME_HELM_CHART --destination $LOCAL_OSS_DIRECTORY
-          helm package $VELA_ROLLOUT_HELM_CHART --destination $LOCAL_OSS_DIRECTORY
-          helm repo index --url https://$BUCKET.$ENDPOINT/core $LOCAL_OSS_DIRECTORY
-      - name: sync local to cloud
-        run: ./ossutil --config-file .ossutilconfig sync $LOCAL_OSS_DIRECTORY oss://$BUCKET/core -f
+            ghcr.io/${{ github.repository_owner }}/oamdev/vela-rollout:${{ steps.get_version.outputs.VERSION }}
+            ${{ secrets.ACR_DOMAIN }}/oamdev/vela-rollout:${{ steps.get_version.outputs.VERSION }}

  publish-capabilities:
    env:
@@ -227,4 +165,4 @@ jobs:
      - name: rsync all capabilites
        run: rsync vela-templates/registry/auto-gen/* $CAPABILITY_DIR
      - name: sync local to cloud
-        run: ./ossutil --config-file .ossutilconfig sync $CAPABILITY_DIR oss://$CAPABILITY_BUCKET -f
+        run: ./ossutil --config-file .ossutilconfig sync $CAPABILITY_DIR oss://$CAPABILITY_BUCKET -f -u
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,6 +8,10 @@ on:

 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  BUCKET: ${{ secrets.CLI_OSS_BUCKET }}
+  ENDPOINT: ${{ secrets.CLI_OSS_ENDPOINT }}
+  ACCESS_KEY: ${{ secrets.CLI_OSS_ACCESS_KEY }}
+  ACCESS_KEY_SECRET: ${{ secrets.CLI_OSS_ACCESS_KEY_SECRET }}

 jobs:
  build:
@@ -104,6 +108,23 @@ jobs:
          name: sha256sums
          path: ./_bin/sha256-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.txt
          retention-days: 1
+      - name: clear the asset
+        run: |
+          rm -rf ./_bin/vela/${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}
+          mv ./_bin/vela/vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz ./_bin/vela/vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz
+          mv ./_bin/vela/vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip ./_bin/vela/vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip
+      - name: Install ossutil
+        run: wget http://gosspublic.alicdn.com/ossutil/1.7.0/ossutil64 && chmod +x ossutil64 && mv ossutil64 ossutil
+      - name: Configure Alibaba Cloud OSSUTIL
+        run: ./ossutil --config-file .ossutilconfig config -i ${ACCESS_KEY} -k ${ACCESS_KEY_SECRET} -e ${ENDPOINT} -c .ossutilconfig
+      - name: sync local to cloud
+        run: ./ossutil --config-file .ossutilconfig sync ./_bin/vela oss://$BUCKET/binary/vela/${{ env.VELA_VERSION }}
+      
+      - name: sync the latest version file
+        run: |
+          echo ${{ env.VELA_VERSION }} > ./latest_version
+          ./ossutil --config-file .ossutilconfig cp -u ./latest_version oss://$BUCKET/binary/vela/latest_version
+

  upload-plugin-homebrew:
    needs: build
--- a/3
+++ b/3
@@ -19,7 +19,7 @@ unit-test-core:
 	go test -coverprofile=coverage.txt $(shell go list ./pkg/... ./cmd/... ./apis/... | grep -v apiserver)
 	go test $(shell go list ./references/... | grep -v apiserver)
 unit-test-apiserver:
-	go test -coverprofile=coverage.txt $(shell go list ./pkg/... ./cmd/...  | grep -E 'apiserver|velaql')
+	go test -gcflags=all=-l -coverprofile=coverage.txt $(shell go list ./pkg/... ./cmd/...  | grep -E 'apiserver|velaql')

 # Build vela cli binary
 build: fmt vet lint staticcheck vela-cli kubectl-vela
@@ -132,5 +132,4 @@ def-install:

 helm-doc-gen: helmdoc
 	readme-generator -v charts/vela-core/values.yaml -r charts/vela-core/README.md
-	cat charts/vela-core/README.md
 	readme-generator -v charts/vela-minimal/values.yaml -r charts/vela-minimal/README.md
--- a/4
+++ b/4
@@ -7,6 +7,9 @@ Reviewers:
 - reetasingh
 - wangwang
 - evanli18
+- devholic
+- fourierr
+- JooKS-me

 Approvers:
 - Somefive (Multi-Cluster)
@@ -26,6 +29,7 @@ Maintainers:
 - leejanee
 - zzxwill
 - BinaryHB0916
+- dhiguero

 Emeritus Members:
 - ryanzhang-oss
--- a/README.md
+++ b/README.md
@@ -51,7 +51,8 @@ Full documentation is available on the [KubeVela website](https://kubevela.io/).
 - Wechat Group (*Chinese*): Broker wechat to add you into the user group.
 
  <img src="https://static.kubevela.net/images/barnett-wechat.jpg" width="200" />
- Bi-weekly Community Call: [Meeting Notes](https://docs.google.com/document/d/1nqdFEyULekyksFHtFvgvFAYE-0AMHKoS3RMnaKsarjs)
+- Bi-weekly Community Call: [Meeting Notes](https://docs.google.com/document/d/1nqdFEyULekyksFHtFvgvFAYE-0AMHKoS3RMnaKsarjs).
+- Bi-weekly Chinese Community Call: [Video Records](https://space.bilibili.com/180074935/channel/seriesdetail?sid=1842207).

 ## Talks and Conferences

--- a/apis/core.oam.dev/common/types.go
+++ b/apis/core.oam.dev/common/types.go
@@ -322,6 +322,23 @@ type PolicyStatus struct {
 	Status *runtime.RawExtension `json:"status,omitempty"`
 }

+// WorkflowStep defines how to execute a workflow step.
+type WorkflowStep struct {
+	// Name is the unique name of the workflow step.
+	Name string `json:"name"`
+
+	Type string `json:"type"`
+
+	// +kubebuilder:pruning:PreserveUnknownFields
+	Properties *runtime.RawExtension `json:"properties,omitempty"`
+
+	DependsOn []string `json:"dependsOn,omitempty"`
+
+	Inputs StepInputs `json:"inputs,omitempty"`
+
+	Outputs StepOutputs `json:"outputs,omitempty"`
+}
+
 // WorkflowStatus record the status of workflow
 type WorkflowStatus struct {
 	AppRevision string       `json:"appRevision,omitempty"`
@@ -605,3 +622,17 @@ func ParseApplicationConditionType(s string) (ApplicationConditionType, error) {
 	}
 	return -1, errors.New("unknown condition type")
 }
+
+// ReferredObject the referred Kubernetes object
+type ReferredObject struct {
+	// +kubebuilder:validation:EmbeddedResource
+	// +kubebuilder:pruning:PreserveUnknownFields
+	runtime.RawExtension `json:",inline"`
+}
+
+// ReferredObjectList a list of referred Kubernetes objects
+type ReferredObjectList struct {
+	// Objects a list of Kubernetes objects.
+	// +optional
+	Objects []ReferredObject `json:"objects,omitempty"`
+}
--- a/apis/core.oam.dev/common/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/common/zz_generated.deepcopy.go
@@ -469,6 +469,44 @@ func (in *RawExtensionPointer) DeepCopy() *RawExtensionPointer {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReferredObject) DeepCopyInto(out *ReferredObject) {
+	*out = *in
+	in.RawExtension.DeepCopyInto(&out.RawExtension)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferredObject.
+func (in *ReferredObject) DeepCopy() *ReferredObject {
+	if in == nil {
+		return nil
+	}
+	out := new(ReferredObject)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReferredObjectList) DeepCopyInto(out *ReferredObjectList) {
+	*out = *in
+	if in.Objects != nil {
+		in, out := &in.Objects, &out.Objects
+		*out = make([]ReferredObject, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferredObjectList.
+func (in *ReferredObjectList) DeepCopy() *ReferredObjectList {
+	if in == nil {
+		return nil
+	}
+	out := new(ReferredObjectList)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Revision) DeepCopyInto(out *Revision) {
 	*out = *in
@@ -636,6 +674,41 @@ func (in *WorkflowStatus) DeepCopy() *WorkflowStatus {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkflowStep) DeepCopyInto(out *WorkflowStep) {
+	*out = *in
+	if in.Properties != nil {
+		in, out := &in.Properties, &out.Properties
+		*out = new(runtime.RawExtension)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.DependsOn != nil {
+		in, out := &in.DependsOn, &out.DependsOn
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Inputs != nil {
+		in, out := &in.Inputs, &out.Inputs
+		*out = make(StepInputs, len(*in))
+		copy(*out, *in)
+	}
+	if in.Outputs != nil {
+		in, out := &in.Outputs, &out.Outputs
+		*out = make(StepOutputs, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkflowStep.
+func (in *WorkflowStep) DeepCopy() *WorkflowStep {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkflowStep)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkflowStepStatus) DeepCopyInto(out *WorkflowStepStatus) {
 	*out = *in
--- a/apis/core.oam.dev/v1alpha1/component_types.go
+++ b/apis/core.oam.dev/v1alpha1/component_types.go
@@ -0,0 +1,74 @@
+/*
+Copyright 2021 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+const (
+	// RefObjectsComponentType refers to the type of ref-objects
+	RefObjectsComponentType = "ref-objects"
+)
+
+// RefObjectsComponentSpec defines the spec of ref-objects component
+type RefObjectsComponentSpec struct {
+	// Objects the referrers to the Kubernetes objects
+	Objects []ObjectReferrer `json:"objects,omitempty"`
+}
+
+// ObjectReferrer selects Kubernetes objects
+type ObjectReferrer struct {
+	// ObjectTypeIdentifier identifies the type of referred objects
+	ObjectTypeIdentifier `json:",inline"`
+	// ObjectSelector select object by name or labelSelector
+	ObjectSelector `json:",inline"`
+}
+
+// ObjectTypeIdentifier identifies the scheme of Kubernetes object
+type ObjectTypeIdentifier struct {
+	// Resource is the resource name of the Kubernetes object.
+	Resource string `json:"resource"`
+	// Group is the API Group of the Kubernetes object.
+	Group string `json:"group"`
+	// LegacyObjectTypeIdentifier is the legacy identifier
+	// Deprecated: use resource/group instead
+	LegacyObjectTypeIdentifier `json:",inline"`
+}
+
+// LegacyObjectTypeIdentifier legacy object type identifier
+type LegacyObjectTypeIdentifier struct {
+	// APIVersion is the APIVersion of the Kubernetes object.
+	APIVersion string `json:"apiVersion"`
+	// APIVersion is the Kind of the Kubernetes object.
+	Kind string `json:"kind"`
+}
+
+// ObjectSelector selector for Kubernetes object
+type ObjectSelector struct {
+	// Name is the name of the Kubernetes object.
+	// If empty, it will inherit the application component's name.
+	Name string `json:"name,omitempty"`
+	// Namespace is the namespace for selecting Kubernetes objects.
+	// If empty, it will inherit the application's namespace.
+	Namespace string `json:"namespace,omitempty"`
+	// Cluster is the cluster for selecting Kubernetes objects.
+	// If empty, it will use the local cluster
+	Cluster string `json:"cluster,omitempty"`
+	// LabelSelector selects Kubernetes objects by labels
+	// Exclusive to "name"
+	LabelSelector map[string]string `json:"labelSelector,omitempty"`
+	// DeprecatedLabelSelector a deprecated alias to LabelSelector
+	// Deprecated: use labelSelector instead.
+	DeprecatedLabelSelector map[string]string `json:"selector,omitempty"`
+}
--- a/apis/core.oam.dev/v1alpha1/external_types.go
+++ b/apis/core.oam.dev/v1alpha1/external_types.go
@@ -20,7 +20,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"

-	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
+	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 )

 // +kubebuilder:object:root=true
@@ -61,7 +61,7 @@ type Workflow struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

-	Steps []v1beta1.WorkflowStep `json:"steps,omitempty"`
+	Steps []common.WorkflowStep `json:"steps,omitempty"`
 }

 // +kubebuilder:object:root=true
--- a/apis/core.oam.dev/v1alpha1/garbagecollect_types.go
+++ b/apis/core.oam.dev/v1alpha1/garbagecollect_types.go
@@ -46,10 +46,11 @@ type GarbageCollectPolicyRule struct {

 // GarbageCollectPolicyRuleSelector select the targets of the rule
 // if both traitTypes and componentTypes are specified, combination logic is OR
-// if one resources are specified with conflict strategy, strategy as component go first.
+// if one resource is specified with conflict strategies, strategy as component go first.
 type GarbageCollectPolicyRuleSelector struct {
-	TraitTypes []string `json:"traitTypes"`
+	CompNames  []string `json:"componentNames"`
 	CompTypes  []string `json:"componentTypes"`
+	TraitTypes []string `json:"traitTypes"`
 }

 // GarbageCollectStrategy the strategy for target resource to recycle
@@ -68,27 +69,22 @@ const (
 // FindStrategy find gc strategy for target resource
 func (in GarbageCollectPolicySpec) FindStrategy(manifest *unstructured.Unstructured) *GarbageCollectStrategy {
 	for _, rule := range in.Rules {
-		var (
-			compType  string
-			traitType string
-		)
-		if manifest.GetLabels() != nil {
-			traitType = manifest.GetLabels()[oam.TraitTypeLabel]
-			compType = manifest.GetLabels()[oam.WorkloadTypeLabel]
+		var compName, compType, traitType string
+		if labels := manifest.GetLabels(); labels != nil {
+			compName = labels[oam.LabelAppComponent]
+			compType = labels[oam.WorkloadTypeLabel]
+			traitType = labels[oam.TraitTypeLabel]
 		}
-		if compType != "" {
-			for _, _compType := range rule.Selector.CompTypes {
-				if _compType == compType {
-					return &rule.Strategy
-				}
+		match := func(src []string, val string) (found bool) {
+			for _, _val := range src {
+				found = found || _val == val
 			}
+			return val != "" && found
 		}
-		if traitType != "" {
-			for _, _traitType := range rule.Selector.TraitTypes {
-				if _traitType == traitType {
-					return &rule.Strategy
-				}
-			}
+		if match(rule.Selector.CompNames, compName) ||
+			match(rule.Selector.CompTypes, compType) ||
+			match(rule.Selector.TraitTypes, traitType) {
+			return &rule.Strategy
 		}
 	}
 	return nil
--- a/apis/core.oam.dev/v1alpha1/garbagecollect_types_test.go
+++ b/apis/core.oam.dev/v1alpha1/garbagecollect_types_test.go
@@ -32,7 +32,7 @@ func TestGarbageCollectPolicySpec_FindStrategy(t *testing.T) {
 		notFound       bool
 		expectStrategy GarbageCollectStrategy
 	}{
-		"trait rule match": {
+		"trait type rule match": {
 			rules: []GarbageCollectPolicyRule{{
 				Selector: GarbageCollectPolicyRuleSelector{TraitTypes: []string{"a"}},
 				Strategy: GarbageCollectStrategyNever,
@@ -44,7 +44,7 @@ func TestGarbageCollectPolicySpec_FindStrategy(t *testing.T) {
 			}},
 			expectStrategy: GarbageCollectStrategyNever,
 		},
-		"trait rule mismatch": {
+		"trait type rule mismatch": {
 			rules: []GarbageCollectPolicyRule{{
 				Selector: GarbageCollectPolicyRuleSelector{TraitTypes: []string{"a"}},
 				Strategy: GarbageCollectStrategyNever,
@@ -52,7 +52,7 @@ func TestGarbageCollectPolicySpec_FindStrategy(t *testing.T) {
 			input:    &unstructured.Unstructured{Object: map[string]interface{}{}},
 			notFound: true,
 		},
-		"trait rule multiple match": {
+		"trait type rule multiple match": {
 			rules: []GarbageCollectPolicyRule{{
 				Selector: GarbageCollectPolicyRuleSelector{TraitTypes: []string{"a"}},
 				Strategy: GarbageCollectStrategyOnAppDelete,
@@ -67,7 +67,7 @@ func TestGarbageCollectPolicySpec_FindStrategy(t *testing.T) {
 			}},
 			expectStrategy: GarbageCollectStrategyOnAppDelete,
 		},
-		"component rule match": {
+		"component type rule match": {
 			rules: []GarbageCollectPolicyRule{{
 				Selector: GarbageCollectPolicyRuleSelector{CompTypes: []string{"comp"}},
 				Strategy: GarbageCollectStrategyNever,
@@ -79,7 +79,7 @@ func TestGarbageCollectPolicySpec_FindStrategy(t *testing.T) {
 			}},
 			expectStrategy: GarbageCollectStrategyNever,
 		},
-		"rule match both component and trait, component first": {
+		"rule match both component type and trait type, component type first": {
 			rules: []GarbageCollectPolicyRule{
 				{
 					Selector: GarbageCollectPolicyRuleSelector{CompTypes: []string{"comp"}},
@@ -97,6 +97,18 @@ func TestGarbageCollectPolicySpec_FindStrategy(t *testing.T) {
 			}},
 			expectStrategy: GarbageCollectStrategyNever,
 		},
+		"component name rule match": {
+			rules: []GarbageCollectPolicyRule{{
+				Selector: GarbageCollectPolicyRuleSelector{CompNames: []string{"comp-name"}},
+				Strategy: GarbageCollectStrategyNever,
+			}},
+			input: &unstructured.Unstructured{Object: map[string]interface{}{
+				"metadata": map[string]interface{}{
+					"labels": map[string]interface{}{oam.LabelAppComponent: "comp-name"},
+				},
+			}},
+			expectStrategy: GarbageCollectStrategyNever,
+		},
 	}
 	for name, tc := range testCases {
 		t.Run(name, func(t *testing.T) {
--- a/apis/core.oam.dev/v1alpha1/policy_types.go
+++ b/apis/core.oam.dev/v1alpha1/policy_types.go
@@ -25,8 +25,25 @@ const (

 // TopologyPolicySpec defines the spec of topology policy
 type TopologyPolicySpec struct {
-	Clusters        []string          `json:"clusters,omitempty"`
-	ClusterSelector map[string]string `json:"clusterSelector,omitempty"`
+	// Placement embeds the selectors for choosing cluster
+	Placement `json:",inline"`
+	// Namespace is the target namespace to deploy in the selected clusters.
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+}
+
+// Placement describes which clusters to be selected in this topology
+type Placement struct {
+	// Clusters is the names of the clusters to select.
+	Clusters []string `json:"clusters,omitempty"`
+
+	// ClusterLabelSelector is the label selector for clusters.
+	// Exclusive to "clusters"
+	ClusterLabelSelector map[string]string `json:"clusterLabelSelector,omitempty"`
+
+	// DeprecatedClusterSelector is a depreciated alias for ClusterLabelSelector.
+	// Deprecated: Use clusterLabelSelector instead.
+	DeprecatedClusterSelector map[string]string `json:"clusterSelector,omitempty"`
 }

 // OverridePolicySpec defines the spec of override policy
--- a/apis/core.oam.dev/v1alpha1/register.go
+++ b/apis/core.oam.dev/v1alpha1/register.go
@@ -38,6 +38,18 @@ var (
 	AddToScheme = SchemeBuilder.AddToScheme
 )

+// Policy meta
+var (
+	PolicyKind             = "Policy"
+	PolicyGroupVersionKind = SchemeGroupVersion.WithKind(PolicyKind)
+)
+
+// Workflow meta
+var (
+	WorkflowKind             = "Workflow"
+	WorkflowGroupVersionKind = SchemeGroupVersion.WithKind(WorkflowKind)
+)
+
 func init() {
 	SchemeBuilder.Register(&Policy{}, &PolicyList{})
 	SchemeBuilder.Register(&Workflow{}, &WorkflowList{})
--- a/apis/core.oam.dev/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/v1alpha1/zz_generated.deepcopy.go
@@ -25,7 +25,6 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"

 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
 )

 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
@@ -282,8 +281,8 @@ func (in *GarbageCollectPolicyRule) DeepCopy() *GarbageCollectPolicyRule {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GarbageCollectPolicyRuleSelector) DeepCopyInto(out *GarbageCollectPolicyRuleSelector) {
 	*out = *in
-	if in.TraitTypes != nil {
-		in, out := &in.TraitTypes, &out.TraitTypes
+	if in.CompNames != nil {
+		in, out := &in.CompNames, &out.CompNames
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
@@ -292,6 +291,11 @@ func (in *GarbageCollectPolicyRuleSelector) DeepCopyInto(out *GarbageCollectPoli
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.TraitTypes != nil {
+		in, out := &in.TraitTypes, &out.TraitTypes
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GarbageCollectPolicyRuleSelector.
@@ -326,6 +330,21 @@ func (in *GarbageCollectPolicySpec) DeepCopy() *GarbageCollectPolicySpec {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LegacyObjectTypeIdentifier) DeepCopyInto(out *LegacyObjectTypeIdentifier) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LegacyObjectTypeIdentifier.
+func (in *LegacyObjectTypeIdentifier) DeepCopy() *LegacyObjectTypeIdentifier {
+	if in == nil {
+		return nil
+	}
+	out := new(LegacyObjectTypeIdentifier)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NamespaceSelector) DeepCopyInto(out *NamespaceSelector) {
 	*out = *in
@@ -348,6 +367,68 @@ func (in *NamespaceSelector) DeepCopy() *NamespaceSelector {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ObjectReferrer) DeepCopyInto(out *ObjectReferrer) {
+	*out = *in
+	out.ObjectTypeIdentifier = in.ObjectTypeIdentifier
+	in.ObjectSelector.DeepCopyInto(&out.ObjectSelector)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectReferrer.
+func (in *ObjectReferrer) DeepCopy() *ObjectReferrer {
+	if in == nil {
+		return nil
+	}
+	out := new(ObjectReferrer)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ObjectSelector) DeepCopyInto(out *ObjectSelector) {
+	*out = *in
+	if in.LabelSelector != nil {
+		in, out := &in.LabelSelector, &out.LabelSelector
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.DeprecatedLabelSelector != nil {
+		in, out := &in.DeprecatedLabelSelector, &out.DeprecatedLabelSelector
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectSelector.
+func (in *ObjectSelector) DeepCopy() *ObjectSelector {
+	if in == nil {
+		return nil
+	}
+	out := new(ObjectSelector)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ObjectTypeIdentifier) DeepCopyInto(out *ObjectTypeIdentifier) {
+	*out = *in
+	out.LegacyObjectTypeIdentifier = in.LegacyObjectTypeIdentifier
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectTypeIdentifier.
+func (in *ObjectTypeIdentifier) DeepCopy() *ObjectTypeIdentifier {
+	if in == nil {
+		return nil
+	}
+	out := new(ObjectTypeIdentifier)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OverridePolicySpec) DeepCopyInto(out *OverridePolicySpec) {
 	*out = *in
@@ -375,6 +456,40 @@ func (in *OverridePolicySpec) DeepCopy() *OverridePolicySpec {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Placement) DeepCopyInto(out *Placement) {
+	*out = *in
+	if in.Clusters != nil {
+		in, out := &in.Clusters, &out.Clusters
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.ClusterLabelSelector != nil {
+		in, out := &in.ClusterLabelSelector, &out.ClusterLabelSelector
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.DeprecatedClusterSelector != nil {
+		in, out := &in.DeprecatedClusterSelector, &out.DeprecatedClusterSelector
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Placement.
+func (in *Placement) DeepCopy() *Placement {
+	if in == nil {
+		return nil
+	}
+	out := new(Placement)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PlacementDecision) DeepCopyInto(out *PlacementDecision) {
 	*out = *in
@@ -453,22 +568,33 @@ func (in *PolicyList) DeepCopyObject() runtime.Object {
 }

 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TopologyPolicySpec) DeepCopyInto(out *TopologyPolicySpec) {
+func (in *RefObjectsComponentSpec) DeepCopyInto(out *RefObjectsComponentSpec) {
 	*out = *in
-	if in.Clusters != nil {
-		in, out := &in.Clusters, &out.Clusters
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-	if in.ClusterSelector != nil {
-		in, out := &in.ClusterSelector, &out.ClusterSelector
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
+	if in.Objects != nil {
+		in, out := &in.Objects, &out.Objects
+		*out = make([]ObjectReferrer, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 }

+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RefObjectsComponentSpec.
+func (in *RefObjectsComponentSpec) DeepCopy() *RefObjectsComponentSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(RefObjectsComponentSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TopologyPolicySpec) DeepCopyInto(out *TopologyPolicySpec) {
+	*out = *in
+	in.Placement.DeepCopyInto(&out.Placement)
+}
+
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TopologyPolicySpec.
 func (in *TopologyPolicySpec) DeepCopy() *TopologyPolicySpec {
 	if in == nil {
@@ -486,7 +612,7 @@ func (in *Workflow) DeepCopyInto(out *Workflow) {
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	if in.Steps != nil {
 		in, out := &in.Steps, &out.Steps
-		*out = make([]v1beta1.WorkflowStep, len(*in))
+		*out = make([]common.WorkflowStep, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
--- a/apis/core.oam.dev/v1beta1/application_types.go
+++ b/apis/core.oam.dev/v1beta1/application_types.go
@@ -50,21 +50,7 @@ type AppPolicy struct {
 }

 // WorkflowStep defines how to execute a workflow step.
-type WorkflowStep struct {
-	// Name is the unique name of the workflow step.
-	Name string `json:"name"`
-
-	Type string `json:"type"`
-
-	// +kubebuilder:pruning:PreserveUnknownFields
-	Properties *runtime.RawExtension `json:"properties,omitempty"`
-
-	DependsOn []string `json:"dependsOn,omitempty"`
-
-	Inputs common.StepInputs `json:"inputs,omitempty"`
-
-	Outputs common.StepOutputs `json:"outputs,omitempty"`
-}
+type WorkflowStep common.WorkflowStep

 // Workflow defines workflow steps and other attributes
 type Workflow struct {
--- a/apis/core.oam.dev/v1beta1/applicationrevision_types.go
+++ b/apis/core.oam.dev/v1beta1/applicationrevision_types.go
@@ -17,11 +17,10 @@
 package v1beta1

 import (
-	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"

 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
+	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1alpha1"
 )

 // NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
@@ -52,19 +51,23 @@ type ApplicationRevisionSpec struct {
 	// ScopeGVK records the apiVersion to GVK mapping
 	ScopeGVK map[string]metav1.GroupVersionKind `json:"scopeGVK,omitempty"`

-	// Components records the rendered components from Application, it will contains the whole K8s CR of workload in it.
-	// +deprecated
-	Components []common.RawComponent `json:"components,omitempty"`
+	// Policies records the external policies
+	Policies map[string]v1alpha1.Policy `json:"policies,omitempty"`

-	// ApplicationConfiguration records the rendered applicationConfiguration from Application,
-	// it will contains the whole K8s CR of trait and the reference component in it.
-	// +kubebuilder:validation:EmbeddedResource
+	// Workflow records the external workflow
+	Workflow *v1alpha1.Workflow `json:"workflow,omitempty"`
+
+	// ReferredObjects records the referred objects used in the ref-object typed components
 	// +kubebuilder:pruning:PreserveUnknownFields
-	// +deprecated
-	ApplicationConfiguration runtime.RawExtension `json:"applicationConfiguration,omitempty"`
+	ReferredObjects []common.ReferredObject `json:"referredObjects,omitempty"`
+}

-	// ResourcesConfigMap references the ConfigMap that's generated to contain all final rendered resources.
-	ResourcesConfigMap corev1.LocalObjectReference `json:"resourcesConfigMap,omitempty"`
+// ApplicationRevisionStatus is the status of ApplicationRevision
+type ApplicationRevisionStatus struct {
+	// Succeeded records if the workflow finished running with success
+	Succeeded bool `json:"succeeded"`
+	// Workflow the running status of the workflow
+	Workflow *common.WorkflowStatus `json:"workflow,omitempty"`
 }

 // +kubebuilder:object:root=true
@@ -72,14 +75,18 @@ type ApplicationRevisionSpec struct {
 // ApplicationRevision is the Schema for the ApplicationRevision API
 // +kubebuilder:storageversion
 // +kubebuilder:resource:categories={oam},shortName=apprev
+// +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="AGE",type=date,JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:printcolumn:name="PUBLISH_VERSION",type=string,JSONPath=`.metadata.annotations['app\.oam\.dev\/publishVersion']`
+// +kubebuilder:printcolumn:name="SUCCEEDED",type=string,JSONPath=`.status.succeeded`
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type ApplicationRevision struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

-	Spec ApplicationRevisionSpec `json:"spec,omitempty"`
+	Spec   ApplicationRevisionSpec   `json:"spec,omitempty"`
+	Status ApplicationRevisionStatus `json:"status,omitempty"`
 }

 // +kubebuilder:object:root=true
--- a/apis/core.oam.dev/v1beta1/resourcetracker_types.go
+++ b/apis/core.oam.dev/v1beta1/resourcetracker_types.go
@@ -31,6 +31,7 @@ import (

 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/apis/interfaces"
+	velatypes "github.com/oam-dev/kubevela/apis/types"
 	"github.com/oam-dev/kubevela/pkg/oam"
 	"github.com/oam-dev/kubevela/pkg/utils/errors"
 )
@@ -121,7 +122,11 @@ func (in ManagedResource) NamespacedName() types.NamespacedName {
 // ResourceKey computes the key for managed resource, resources with the same key points to the same resource
 func (in ManagedResource) ResourceKey() string {
 	gv, kind := in.GroupVersionKind().ToAPIVersionAndKind()
-	return strings.Join([]string{gv, kind, in.Cluster, in.Namespace, in.Name}, "/")
+	cluster := in.Cluster
+	if cluster == "" {
+		cluster = velatypes.ClusterLocalName
+	}
+	return strings.Join([]string{gv, kind, cluster, in.Namespace, in.Name}, "/")
 }

 // ComponentKey computes the key for the component which managed resource belongs to
--- a/apis/core.oam.dev/v1beta1/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/v1beta1/zz_generated.deepcopy.go
@@ -26,6 +26,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"

 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
+	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1alpha1"
 )

 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
@@ -113,6 +114,7 @@ func (in *ApplicationRevision) DeepCopyInto(out *ApplicationRevision) {
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationRevision.
@@ -218,15 +220,25 @@ func (in *ApplicationRevisionSpec) DeepCopyInto(out *ApplicationRevisionSpec) {
 			(*out)[key] = val
 		}
 	}
-	if in.Components != nil {
-		in, out := &in.Components, &out.Components
-		*out = make([]common.RawComponent, len(*in))
+	if in.Policies != nil {
+		in, out := &in.Policies, &out.Policies
+		*out = make(map[string]v1alpha1.Policy, len(*in))
+		for key, val := range *in {
+			(*out)[key] = *val.DeepCopy()
+		}
+	}
+	if in.Workflow != nil {
+		in, out := &in.Workflow, &out.Workflow
+		*out = new(v1alpha1.Workflow)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ReferredObjects != nil {
+		in, out := &in.ReferredObjects, &out.ReferredObjects
+		*out = make([]common.ReferredObject, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-	in.ApplicationConfiguration.DeepCopyInto(&out.ApplicationConfiguration)
-	out.ResourcesConfigMap = in.ResourcesConfigMap
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationRevisionSpec.
@@ -239,6 +251,26 @@ func (in *ApplicationRevisionSpec) DeepCopy() *ApplicationRevisionSpec {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ApplicationRevisionStatus) DeepCopyInto(out *ApplicationRevisionStatus) {
+	*out = *in
+	if in.Workflow != nil {
+		in, out := &in.Workflow, &out.Workflow
+		*out = new(common.WorkflowStatus)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationRevisionStatus.
+func (in *ApplicationRevisionStatus) DeepCopy() *ApplicationRevisionStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ApplicationRevisionStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ApplicationSpec) DeepCopyInto(out *ApplicationSpec) {
 	*out = *in
--- a/apis/types/multicluster.go
+++ b/apis/types/multicluster.go
@@ -0,0 +1,42 @@
+/*
+Copyright 2021 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package types
+
+import (
+	"github.com/oam-dev/cluster-gateway/pkg/apis/cluster/v1alpha1"
+	"github.com/oam-dev/cluster-gateway/pkg/config"
+)
+
+const (
+	// ClusterLocalName the name for the hub cluster
+	ClusterLocalName = "local"
+
+	// CredentialTypeInternal identifies the virtual cluster from internal kubevela system
+	CredentialTypeInternal v1alpha1.CredentialType = "Internal"
+	// CredentialTypeOCMManagedCluster identifies the virtual cluster from ocm
+	CredentialTypeOCMManagedCluster v1alpha1.CredentialType = "ManagedCluster"
+	// ClusterBlankEndpoint identifies the endpoint of a cluster as blank (not available)
+	ClusterBlankEndpoint = "-"
+
+	// ClustersArg indicates the argument for specific clusters to install addon
+	ClustersArg = "clusters"
+)
+
+var (
+	// AnnotationClusterAlias the annotation key for cluster alias
+	AnnotationClusterAlias = config.MetaApiGroupName + "/cluster-alias"
+)
--- a/apis/types/types.go
+++ b/apis/types/types.go
@@ -41,6 +41,8 @@ var DefaultKubeVelaNS = "vela-system"
 const (
 	// AnnoDefinitionDescription is the annotation which describe what is the capability used for in a WorkloadDefinition/TraitDefinition Object
 	AnnoDefinitionDescription = "definition.oam.dev/description"
+	// AnnoDefinitionIcon is the annotation which describe the icon url
+	AnnoDefinitionIcon = "definition.oam.dev/icon"
 	// AnnoDefinitionAppliedWorkloads is the annotation which describe what is the workloads used for in a TraitDefinition Object
 	AnnoDefinitionAppliedWorkloads = "definition.oam.dev/appliedWorkloads"
 	// LabelDefinition is the label for definition
@@ -59,6 +61,22 @@ const (
 	AnnoIngressControllerHTTPSPort = "ingress.controller/https-port"
 	// AnnoIngressControllerHTTPPort define ingress controller listen port for http
 	AnnoIngressControllerHTTPPort = "ingress.controller/http-port"
+	// LabelConfigType is the label for config type
+	LabelConfigType = "config.oam.dev/type"
+	// LabelConfigCatalog is the label for config catalog
+	LabelConfigCatalog = "config.oam.dev/catalog"
+	// LabelConfigSubType is the sub-type for a config type
+	LabelConfigSubType = "config.oam.dev/sub-type"
+	// LabelConfigProject is the label for config project
+	LabelConfigProject = "config.oam.dev/project"
+	// LabelConfigSyncToMultiCluster is the label to decide whether a config will be synchronized to multi-cluster
+	LabelConfigSyncToMultiCluster = "config.oam.dev/multi-cluster"
+	// LabelConfigIdentifier is the label for config identifier
+	LabelConfigIdentifier = "config.oam.dev/identifier"
+	// AnnotationConfigDescription is the annotation for config description
+	AnnotationConfigDescription = "config.oam.dev/description"
+	// AnnotationConfigAlias is the annotation for config alias
+	AnnotationConfigAlias = "config.oam.dev/alias"
 )

 const (
@@ -116,3 +134,29 @@ var DefaultFilterAnnots = []string{
 	oam.AnnotationFilterAnnotationKeys,
 	oam.AnnotationLastAppliedConfiguration,
 }
+
+// ConfigType is the type of config
+type ConfigType string
+
+const (
+	// TerraformProvider is the config type for terraform provider
+	TerraformProvider = "terraform-provider"
+	// DexConnector is the config type for dex connector
+	DexConnector = "config-dex-connector"
+	// ImageRegistry is the config type for image registry
+	ImageRegistry = "config-image-registry"
+	// HelmRepository is the config type for Helm chart repository
+	HelmRepository = "config-helm-repository"
+)
+
+const (
+	// TerraformComponentPrefix is the prefix of component type of terraform-xxx
+	TerraformComponentPrefix = "terraform-"
+
+	// ProviderAppPrefix is the prefix of the application to create a Terraform Provider
+	ProviderAppPrefix = "config-terraform-provider"
+	// ProviderNamespace is the namespace of Terraform Cloud Provider
+	ProviderNamespace = "default"
+	// VelaCoreConfig is to mark application, config and its secret or Terraform provider lelong to a KubeVela config
+	VelaCoreConfig = "velacore-config"
+)
--- a/charts/vela-core/README.md
+++ b/charts/vela-core/README.md
@@ -86,7 +86,7 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 | `multicluster.clusterGateway.replicaCount`            | ClusterGateway replica count     | `1`                              |
 | `multicluster.clusterGateway.port`                    | ClusterGateway port              | `9443`                           |
 | `multicluster.clusterGateway.image.repository`        | ClusterGateway image repository  | `oamdev/cluster-gateway`         |
-| `multicluster.clusterGateway.image.tag`               | ClusterGateway image tag         | `v1.1.7`                         |
+| `multicluster.clusterGateway.image.tag`               | ClusterGateway image tag         | `v1.3.2`                         |
 | `multicluster.clusterGateway.image.pullPolicy`        | ClusterGateway image pull policy | `IfNotPresent`                   |
 | `multicluster.clusterGateway.resources.limits.cpu`    | ClusterGateway cpu limit         | `100m`                           |
 | `multicluster.clusterGateway.resources.limits.memory` | ClusterGateway memory limit      | `200Mi`                          |
@@ -125,18 +125,20 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 | `kubeClient.burst`           | The burst for reconcile clients, default is 100                                                                            | `100`   |


-## Uninstalling the Chart
+## Uninstallation

-To uninstall/delete the KubeVela helm release
+### Vela CLI 
+
+To uninstall KubeVela, you can just run the following command by vela CLI:

 ```shell
-$ helm uninstall -n vela-system kubevela
+vela uninstall --force
 ```

-The command removes all the Kubernetes components associated with kubevela and deletes the release.
+### Helm CLI
+
+**Notice**: You must disable all the addons before uninstallation, this is a script for convenience. 

-**Notice**: If you enable fluxcd addon  when install the chart by set `enableFluxcdAddon=true` .Uninstall wouldn't disable the fluxcd addon ,and it will be kept in the cluster.Please guarantee there is no application in cluster use this addon and disable it firstly before uninstall the helm chart. 
-You can use this script to disable all addons.
 ```shell
 #! /bin/sh
 addon=$(vela addon list|grep enabled|awk {'print $1'})
@@ -156,6 +158,15 @@ if [ $fluxcd ]; then
 fi
 ```

+To uninstall the KubeVela helm release:
+
+```shell
+$ helm uninstall -n vela-system kubevela
+```
+
+Finally, this command will remove all the Kubernetes resources associated with KubeVela and remove this chart release.
+
+



--- a/charts/vela-core/crds/core.oam.dev_applicationrevisions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_applicationrevisions.yaml
@@ -2025,6 +2025,12 @@ spec:
    - jsonPath: .metadata.creationTimestamp
      name: AGE
      type: date
+    - jsonPath: .metadata.annotations['app\.oam\.dev\/publishVersion']
+      name: PUBLISH_VERSION
+      type: string
+    - jsonPath: .status.succeeded
+      name: SUCCEEDED
+      type: string
    name: v1beta1
    schema:
      openAPIV3Schema:
@@ -2747,13 +2753,6 @@ spec:
                        type: object
                    type: object
                type: object
-              applicationConfiguration:
-                description: ApplicationConfiguration records the rendered applicationConfiguration
-                  from Application, it will contains the whole K8s CR of trait and
-                  the reference component in it.
-                type: object
-                x-kubernetes-embedded-resource: true
-                x-kubernetes-preserve-unknown-fields: true
              componentDefinitions:
                additionalProperties:
                  description: ComponentDefinition is the Schema for the componentdefinitions
@@ -3087,20 +3086,51 @@ spec:
                description: ComponentDefinitions records the snapshot of the componentDefinitions
                  related with the created/modified Application
                type: object
-              components:
-                description: Components records the rendered components from Application,
-                  it will contains the whole K8s CR of workload in it.
-                items:
-                  description: RawComponent record raw component
+              policies:
+                additionalProperties:
+                  description: Policy is the Schema for the policy API
                  properties:
-                    raw:
+                    apiVersion:
+                      description: 'APIVersion defines the versioned schema of this
+                        representation of an object. Servers should convert recognized
+                        schemas to the latest internal value, and may reject unrecognized
+                        values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                      type: string
+                    kind:
+                      description: 'Kind is a string value representing the REST resource
+                        this object represents. Servers may infer this from the endpoint
+                        the client submits requests to. Cannot be updated. In CamelCase.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                      type: string
+                    metadata:
+                      properties:
+                        annotations:
+                          additionalProperties:
+                            type: string
+                          type: object
+                        finalizers:
+                          items:
+                            type: string
+                          type: array
+                        labels:
+                          additionalProperties:
+                            type: string
+                          type: object
+                        name:
+                          type: string
+                        namespace:
+                          type: string
+                      type: object
+                    properties:
                      type: object
-                      x-kubernetes-embedded-resource: true
                      x-kubernetes-preserve-unknown-fields: true
+                    type:
+                      type: string
                  required:
-                  - raw
+                  - type
                  type: object
-                type: array
+                description: Policies records the external policies
+                type: object
              policyDefinitions:
                additionalProperties:
                  description: PolicyDefinition is the Schema for the policydefinitions
@@ -3377,15 +3407,16 @@ spec:
                description: PolicyDefinitions records the snapshot of the PolicyDefinitions
                  related with the created/modified Application
                type: object
-              resourcesConfigMap:
-                description: ResourcesConfigMap references the ConfigMap that's generated
-                  to contain all final rendered resources.
-                properties:
-                  name:
-                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                      TODO: Add other useful fields. apiVersion, kind, uid?'
-                    type: string
-                type: object
+              referredObjects:
+                description: ReferredObjects records the referred objects used in
+                  the ref-object typed components
+                items:
+                  description: ReferredObject the referred Kubernetes object
+                  type: object
+                  x-kubernetes-embedded-resource: true
+                  x-kubernetes-preserve-unknown-fields: true
+                type: array
+                x-kubernetes-preserve-unknown-fields: true
              scopeDefinitions:
                additionalProperties:
                  description: A ScopeDefinition registers a kind of Kubernetes custom
@@ -3819,6 +3850,89 @@ spec:
                description: TraitDefinitions records the snapshot of the traitDefinitions
                  related with the created/modified Application
                type: object
+              workflow:
+                description: Workflow records the external workflow
+                properties:
+                  apiVersion:
+                    description: 'APIVersion defines the versioned schema of this
+                      representation of an object. Servers should convert recognized
+                      schemas to the latest internal value, and may reject unrecognized
+                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    type: string
+                  kind:
+                    description: 'Kind is a string value representing the REST resource
+                      this object represents. Servers may infer this from the endpoint
+                      the client submits requests to. Cannot be updated. In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  metadata:
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        type: object
+                      finalizers:
+                        items:
+                          type: string
+                        type: array
+                      labels:
+                        additionalProperties:
+                          type: string
+                        type: object
+                      name:
+                        type: string
+                      namespace:
+                        type: string
+                    type: object
+                  steps:
+                    items:
+                      description: WorkflowStep defines how to execute a workflow
+                        step.
+                      properties:
+                        dependsOn:
+                          items:
+                            type: string
+                          type: array
+                        inputs:
+                          description: StepInputs defines variable input of WorkflowStep
+                          items:
+                            properties:
+                              from:
+                                type: string
+                              parameterKey:
+                                type: string
+                            required:
+                            - from
+                            - parameterKey
+                            type: object
+                          type: array
+                        name:
+                          description: Name is the unique name of the workflow step.
+                          type: string
+                        outputs:
+                          description: StepOutputs defines output variable of WorkflowStep
+                          items:
+                            properties:
+                              name:
+                                type: string
+                              valueFrom:
+                                type: string
+                            required:
+                            - name
+                            - valueFrom
+                            type: object
+                          type: array
+                        properties:
+                          type: object
+                          x-kubernetes-preserve-unknown-fields: true
+                        type:
+                          type: string
+                      required:
+                      - name
+                      - type
+                      type: object
+                    type: array
+                type: object
              workflowStepDefinitions:
                additionalProperties:
                  description: WorkflowStepDefinition is the Schema for the workflowstepdefinitions
@@ -4408,10 +4522,182 @@ spec:
            required:
            - application
            type: object
+          status:
+            description: ApplicationRevisionStatus is the status of ApplicationRevision
+            properties:
+              succeeded:
+                description: Succeeded records if the workflow finished running with
+                  success
+                type: boolean
+              workflow:
+                description: Workflow the running status of the workflow
+                properties:
+                  appRevision:
+                    type: string
+                  contextBackend:
+                    description: 'ObjectReference contains enough information to let
+                      you inspect or modify the referred object. --- New uses of this
+                      type are discouraged because of difficulty describing its usage
+                      when embedded in APIs.  1. Ignored fields.  It includes many
+                      fields which are not generally honored.  For instance, ResourceVersion
+                      and FieldPath are both very rarely valid in actual usage.  2.
+                      Invalid usage help.  It is impossible to add specific help for
+                      individual usage.  In most embedded usages, there are particular     restrictions
+                      like, "must refer only to types A and B" or "UID not honored"
+                      or "name must be restricted".     Those cannot be well described
+                      when embedded.  3. Inconsistent validation.  Because the usages
+                      are different, the validation rules are different by usage,
+                      which makes it hard for users to predict what will happen.  4.
+                      The fields are both imprecise and overly precise.  Kind is not
+                      a precise mapping to a URL. This can produce ambiguity     during
+                      interpretation and require a REST mapping.  In most cases, the
+                      dependency is on the group,resource tuple     and the version
+                      of the actual struct is irrelevant.  5. We cannot easily change
+                      it.  Because this type is embedded in many locations, updates
+                      to this type     will affect numerous schemas.  Don''t make
+                      new APIs embed an underspecified API type they do not control.
+                      Instead of using this type, create a locally provided and used
+                      type that is well-focused on your reference. For example, ServiceReferences
+                      for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                      .'
+                    properties:
+                      apiVersion:
+                        description: API version of the referent.
+                        type: string
+                      fieldPath:
+                        description: 'If referring to a piece of an object instead
+                          of an entire object, this string should contain a valid
+                          JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                          For example, if the object reference is to a container within
+                          a pod, this would take on a value like: "spec.containers{name}"
+                          (where "name" refers to the name of the container that triggered
+                          the event) or if no container name is specified "spec.containers[2]"
+                          (container with index 2 in this pod). This syntax is chosen
+                          only to have some well-defined way of referencing a part
+                          of an object. TODO: this design is not final and this field
+                          is subject to change in the future.'
+                        type: string
+                      kind:
+                        description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      name:
+                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        type: string
+                      namespace:
+                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                        type: string
+                      resourceVersion:
+                        description: 'Specific resourceVersion to which this reference
+                          is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                        type: string
+                      uid:
+                        description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                        type: string
+                    type: object
+                  finished:
+                    type: boolean
+                  message:
+                    type: string
+                  mode:
+                    description: WorkflowMode describes the mode of workflow
+                    type: string
+                  startTime:
+                    format: date-time
+                    type: string
+                  steps:
+                    items:
+                      description: WorkflowStepStatus record the status of a workflow
+                        step
+                      properties:
+                        firstExecuteTime:
+                          description: FirstExecuteTime is the first time this step
+                            execution.
+                          format: date-time
+                          type: string
+                        id:
+                          type: string
+                        lastExecuteTime:
+                          description: LastExecuteTime is the last time this step
+                            execution.
+                          format: date-time
+                          type: string
+                        message:
+                          description: A human readable message indicating details
+                            about why the workflowStep is in this state.
+                          type: string
+                        name:
+                          type: string
+                        phase:
+                          description: WorkflowStepPhase describes the phase of a
+                            workflow step.
+                          type: string
+                        reason:
+                          description: A brief CamelCase message indicating details
+                            about why the workflowStep is in this state.
+                          type: string
+                        subSteps:
+                          description: SubStepsStatus record the status of workflow
+                            steps.
+                          properties:
+                            mode:
+                              description: WorkflowMode describes the mode of workflow
+                              type: string
+                            stepIndex:
+                              type: integer
+                            steps:
+                              items:
+                                description: WorkflowSubStepStatus record the status
+                                  of a workflow step
+                                properties:
+                                  id:
+                                    type: string
+                                  message:
+                                    description: A human readable message indicating
+                                      details about why the workflowStep is in this
+                                      state.
+                                    type: string
+                                  name:
+                                    type: string
+                                  phase:
+                                    description: WorkflowStepPhase describes the phase
+                                      of a workflow step.
+                                    type: string
+                                  reason:
+                                    description: A brief CamelCase message indicating
+                                      details about why the workflowStep is in this
+                                      state.
+                                    type: string
+                                  type:
+                                    type: string
+                                required:
+                                - id
+                                type: object
+                              type: array
+                          type: object
+                        type:
+                          type: string
+                      required:
+                      - id
+                      type: object
+                    type: array
+                  suspend:
+                    type: boolean
+                  terminated:
+                    type: boolean
+                required:
+                - finished
+                - mode
+                - suspend
+                - terminated
+                type: object
+            required:
+            - succeeded
+            type: object
        type: object
    served: true
    storage: true
-    subresources: {}
+    subresources:
+      status: {}
 status:
  acceptedNames:
    kind: ""
--- a/charts/vela-core/crds/core.oam.dev_applications.yaml
+++ b/charts/vela-core/crds/core.oam.dev_applications.yaml
--- a/charts/vela-core/templates/NOTES.txt
+++ b/charts/vela-core/templates/NOTES.txt
@@ -27,9 +27,5 @@ Welcome to use the KubeVela! Enjoy your shipping application journey!
      | . \| |_| || |_) ||  __/ \ V /|  __/| || (_| |
      |_|\_\\__,_||_.__/  \___|  \_/  \___||_| \__,_|

-** Please note before uninstalling **

-If you enable fluxcd addon when install the chart by set `enableFluxcdAddon=true` .
-Uninstall wouldn't disable the fluxcd addon ,and it will be kept in the cluster.
-Please guarantee there is no application in cluster using this addon and disable it firstly before uninstall the helm chart.
-And you can find the script of one-short disable all addons from the uninstalling section of https://github.com/oam-dev/kubevela/blob/master/charts/vela-core/README.md.
+You can refer to https://kubevela.io for more details.
--- a/charts/vela-core/templates/addon_registry.yaml
+++ b/charts/vela-core/templates/addon_registry.yaml
@@ -7,10 +7,8 @@ data:
  registries: '{
  "KubeVela":{
    "name": "KubeVela",
-    "oss": {
-      "end_point": "https://addons.kubevela.net",
-      "bucket": "",
-      "path": ""
+    "helm": {
+      "url": "https://addons.kubevela.net"
    }
  }
 }'
--- a/charts/vela-core/templates/cluster-gateway.yaml
+++ b/charts/vela-core/templates/cluster-gateway.yaml
@@ -89,9 +89,19 @@ spec:
 {{ end }}
 ---
 {{ if .Values.multicluster.enabled }}
+# 1.  Check whether APIService ""v1alpha1.cluster.core.oam.dev" is already present in the cluster
+# 2.a If the APIService doesn't exist, create it.
+# 2.b If the APIService exists without helm-chart related annotation, skip creating it to the
+#     cluster because the APIService can be managed by an external controller.
+# 2.c If the APIService exists with valid helm-chart annotations, which means that the APIService
+#     is previously managed by helm commands, hence update the APIService consistently.
 {{ $apiSvc := (lookup "apiregistration.k8s.io/v1" "APIService" "" "v1alpha1.cluster.core.oam.dev") }}
 {{ $shouldAdopt := (not $apiSvc) }}
-{{ if not $shouldAdopt }}{{ $shouldAdopt = (index ($apiSvc).metadata.annotations "meta.helm.sh/release-name") }}{{ end }}
+{{ if not $shouldAdopt }}
+  {{ if $apiSvc.metadata.annotations }}
+    {{ $shouldAdopt = (index ($apiSvc).metadata.annotations "meta.helm.sh/release-name") }}
+  {{ end }}
+{{ end }}
 {{ if $shouldAdopt }}
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
--- a/charts/vela-core/templates/defwithtemplate/annotations.yaml
+++ b/charts/vela-core/templates/defwithtemplate/annotations.yaml
@@ -16,17 +16,20 @@ spec:
  schematic:
    cue:
      template: |
+        // +patchStrategy=jsonMergePatch
        patch: {
        	metadata: annotations: {
        		for k, v in parameter {
        			"\(k)": v
        		}
        	}
-        	spec: template: metadata: annotations: {
-        		for k, v in parameter {
-        			"\(k)": v
+        	if context.output.spec != _|_ && context.output.spec.template != _|_ {
+        		spec: template: metadata: annotations: {
+        			for k, v in parameter {
+        				"\(k)": v
+        			}
        		}
        	}
        }
-        parameter: [string]: string
+        parameter: [string]: string | null

--- a/charts/vela-core/templates/defwithtemplate/command.yaml
+++ b/charts/vela-core/templates/defwithtemplate/command.yaml
@@ -106,7 +106,7 @@ spec:
        		}]
        	}
        }
-        parameter: #PatchParams | close({
+        parameter: *#PatchParams | close({
        	// +usage=Specify the commands for multiple containers
        	containers: [...#PatchParams]
        })
--- a/charts/vela-core/templates/defwithtemplate/config-image-registry.yaml
+++ b/charts/vela-core/templates/defwithtemplate/config-image-registry.yaml
@@ -0,0 +1,73 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/config-image-registry.cue
+apiVersion: core.oam.dev/v1beta1
+kind: ComponentDefinition
+metadata:
+  annotations:
+    custom.definition.oam.dev/alias.config.oam.dev: Image Registry
+    definition.oam.dev/description: Config information to authenticate image registry
+  labels:
+    custom.definition.oam.dev/catalog.config.oam.dev: velacore-config
+    custom.definition.oam.dev/multi-cluster.config.oam.dev: "true"
+    custom.definition.oam.dev/type.config.oam.dev: image-registry
+    custom.definition.oam.dev/ui-hidden: "true"
+  name: config-image-registry
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"encoding/base64"
+        	"encoding/json"
+        )
+
+        output: {
+        	apiVersion: "v1"
+        	kind:       "Secret"
+        	metadata: {
+        		name:      context.name
+        		namespace: context.namespace
+        		labels: {
+        			"config.oam.dev/catalog":       "velacore-config"
+        			"config.oam.dev/type":          "image-registry"
+        			"config.oam.dev/multi-cluster": "true"
+        			"config.oam.dev/identifier":    parameter.registry
+        			"config.oam.dev/sub-type":      "auth"
+        		}
+        	}
+        	if parameter.auth != _|_ {
+        		type: "kubernetes.io/dockerconfigjson"
+        	}
+        	if parameter.auth == _|_ {
+        		type: "Opaque"
+        	}
+        	if parameter.auth != _|_ {
+        		stringData: ".dockerconfigjson": json.Marshal({
+        			auths: "\(parameter.registry)": {
+        				username: parameter.auth.username
+        				password: parameter.auth.password
+        				if parameter.auth.email != _|_ {
+        					email: parameter.auth.email
+        				}
+        				auth: base64.Encode(null, (parameter.auth.username + ":" + parameter.auth.password))
+        			}
+        		})
+        	}
+        }
+        parameter: {
+        	// +usage=Image registry FQDN
+        	registry: string
+        	// +usage=Authenticate the image registry
+        	auth?: {
+        		// +usage=Private Image registry username
+        		username: string
+        		// +usage=Private Image registry password
+        		password: string
+        		// +usage=Private Image registry email
+        		email?: string
+        	}
+        }
+  workload:
+    type: autodetects.core.oam.dev
+
--- a/charts/vela-core/templates/defwithtemplate/container-image.yaml
+++ b/charts/vela-core/templates/defwithtemplate/container-image.yaml
@@ -69,7 +69,7 @@ spec:
        		}]
        	}
        }
-        parameter: #PatchParams | close({
+        parameter: *#PatchParams | close({
        	// +usage=Specify the container image for multiple containers
        	containers: [...#PatchParams]
        })
--- a/charts/vela-core/templates/defwithtemplate/cron-task.yaml
+++ b/charts/vela-core/templates/defwithtemplate/cron-task.yaml
@@ -0,0 +1,308 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/cron-task.cue
+apiVersion: core.oam.dev/v1beta1
+kind: ComponentDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Describes cron jobs that run code or a script to completion.
+  name: cron-task
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        output: {
+        	apiVersion: "batch/v1beta1"
+        	kind:       "CronJob"
+        	spec: {
+        		schedule:                   parameter.schedule
+        		concurrencyPolicy:          parameter.concurrencyPolicy
+        		suspend:                    parameter.suspend
+        		successfulJobsHistoryLimit: parameter.successfulJobsHistoryLimit
+        		failedJobsHistoryLimit:     parameter.failedJobsHistoryLimit
+        		if parameter.startingDeadlineSeconds != _|_ {
+        			startingDeadlineSeconds: parameter.startingDeadlineSeconds
+        		}
+        		jobTemplate: {
+        			if parameter.labels != _|_ {
+        				metadata: labels: parameter.labels
+        			}
+        			if parameter.annotations != _|_ {
+        				metadata: annotations: parameter.annotations
+        			}
+        			spec: {
+        				parallelism: parameter.count
+        				completions: parameter.count
+        				if parameter.ttlSecondsAfterFinished != _|_ {
+        					ttlSecondsAfterFinished: parameter.ttlSecondsAfterFinished
+        				}
+        				if parameter.activeDeadlineSeconds != _|_ {
+        					activeDeadlineSeconds: parameter.activeDeadlineSeconds
+        				}
+        				backoffLimit: parameter.backoffLimit
+        				template: {
+        					if parameter.labels != _|_ {
+        						metadata: labels: parameter.labels
+        					}
+        					if parameter.annotations != _|_ {
+        						metadata: annotations: parameter.annotations
+        					}
+        					spec: {
+        						restartPolicy: parameter.restart
+        						containers: [{
+        							name:  context.name
+        							image: parameter.image
+        							if parameter["imagePullPolicy"] != _|_ {
+        								imagePullPolicy: parameter.imagePullPolicy
+        							}
+        							if parameter["cmd"] != _|_ {
+        								command: parameter.cmd
+        							}
+        							if parameter["env"] != _|_ {
+        								env: parameter.env
+        							}
+        							if parameter["cpu"] != _|_ {
+        								resources: {
+        									limits: cpu:   parameter.cpu
+        									requests: cpu: parameter.cpu
+        								}
+        							}
+        							if parameter["memory"] != _|_ {
+        								resources: {
+        									limits: memory:   parameter.memory
+        									requests: memory: parameter.memory
+        								}
+        							}
+        							if parameter["volumes"] != _|_ {
+        								volumeMounts: [ for v in parameter.volumes {
+        									{
+        										mountPath: v.mountPath
+        										name:      v.name
+        									}}]
+        							}
+        						}]
+        						if parameter["volumes"] != _|_ {
+        							volumes: [ for v in parameter.volumes {
+        								{
+        									name: v.name
+        									if v.type == "pvc" {
+        										persistentVolumeClaim: claimName: v.claimName
+        									}
+        									if v.type == "configMap" {
+        										configMap: {
+        											defaultMode: v.defaultMode
+        											name:        v.cmName
+        											if v.items != _|_ {
+        												items: v.items
+        											}
+        										}
+        									}
+        									if v.type == "secret" {
+        										secret: {
+        											defaultMode: v.defaultMode
+        											secretName:  v.secretName
+        											if v.items != _|_ {
+        												items: v.items
+        											}
+        										}
+        									}
+        									if v.type == "emptyDir" {
+        										emptyDir: medium: v.medium
+        									}
+        								}}]
+        						}
+        						if parameter["imagePullSecrets"] != _|_ {
+        							imagePullSecrets: [ for v in parameter.imagePullSecrets {
+        								name: v
+        							},
+        							]
+        						}
+        						if parameter.hostAliases != _|_ {
+        							hostAliases: [ for v in parameter.hostAliases {
+        								ip:        v.ip
+        								hostnames: v.hostnames
+        							},
+        							]
+        						}
+        					}
+        				}
+        			}
+        		}
+        	}
+        }
+        parameter: {
+        	// +usage=Specify the labels in the workload
+        	labels?: [string]: string
+
+        	// +usage=Specify the annotations in the workload
+        	annotations?: [string]: string
+
+        	// +usage=Specify the schedule in Cron format, see https://en.wikipedia.org/wiki/Cron
+        	schedule: string
+
+        	// +usage=Specify deadline in seconds for starting the job if it misses scheduled
+        	startingDeadlineSeconds?: int
+
+        	// +usage=suspend subsequent executions
+        	suspend: *false | bool
+
+        	// +usage=Specifies how to treat concurrent executions of a Job
+        	concurrencyPolicy: *"Allow" | "Allow" | "Forbid" | "Replace"
+
+        	// +usage=The number of successful finished jobs to retain
+        	successfulJobsHistoryLimit: *3 | int
+
+        	// +usage=The number of failed finished jobs to retain
+        	failedJobsHistoryLimit: *1 | int
+
+        	// +usage=Specify number of tasks to run in parallel
+        	// +short=c
+        	count: *1 | int
+
+        	// +usage=Which image would you like to use for your service
+        	// +short=i
+        	image: string
+
+        	// +usage=Specify image pull policy for your service
+        	imagePullPolicy?: "Always" | "Never" | "IfNotPresent"
+
+        	// +usage=Specify image pull secrets for your service
+        	imagePullSecrets?: [...string]
+
+        	// +usage=Define the job restart policy, the value can only be Never or OnFailure. By default, it's Never.
+        	restart: *"Never" | string
+
+        	// +usage=Commands to run in the container
+        	cmd?: [...string]
+
+        	// +usage=Define arguments by using environment variables
+        	env?: [...{
+        		// +usage=Environment variable name
+        		name: string
+        		// +usage=The value of the environment variable
+        		value?: string
+        		// +usage=Specifies a source the value of this var should come from
+        		valueFrom?: {
+        			// +usage=Selects a key of a secret in the pod's namespace
+        			secretKeyRef: {
+        				// +usage=The name of the secret in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the secret to select from. Must be a valid secret key
+        				key: string
+        			}
+        			// +usage=Selects a key of a config map in the pod's namespace
+        			configMapKeyRef: {
+        				// +usage=The name of the config map in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the config map to select from. Must be a valid secret key
+        				key: string
+        			}
+        		}
+        	}]
+
+        	// +usage=Number of CPU units for the service, like `0.5` (0.5 CPU core), `1` (1 CPU core)
+        	cpu?: string
+
+        	// +usage=Specifies the attributes of the memory resource required for the container.
+        	memory?: string
+
+        	// +usage=Declare volumes and volumeMounts
+        	volumes?: [...{
+        		name:      string
+        		mountPath: string
+        		// +usage=Specify volume type, options: "pvc","configMap","secret","emptyDir"
+        		type: "pvc" | "configMap" | "secret" | "emptyDir"
+        		if type == "pvc" {
+        			claimName: string
+        		}
+        		if type == "configMap" {
+        			defaultMode: *420 | int
+        			cmName:      string
+        			items?: [...{
+        				key:  string
+        				path: string
+        				mode: *511 | int
+        			}]
+        		}
+        		if type == "secret" {
+        			defaultMode: *420 | int
+        			secretName:  string
+        			items?: [...{
+        				key:  string
+        				path: string
+        				mode: *511 | int
+        			}]
+        		}
+        		if type == "emptyDir" {
+        			medium: *"" | "Memory"
+        		}
+        	}]
+
+        	// +usage=An optional list of hosts and IPs that will be injected into the pod's hosts file
+        	hostAliases?: [...{
+        		ip: string
+        		hostnames: [...string]
+        	}]
+
+        	// +usage=Limits the lifetime of a Job that has finished
+        	ttlSecondsAfterFinished?: int
+
+        	// +usage=The duration in seconds relative to the startTime that the job may be continuously active before the system tries to terminate it
+        	activeDeadlineSeconds?: int
+
+        	// +usage=The number of retries before marking this job failed
+        	backoffLimit: *6 | int
+
+        	// +usage=Instructions for assessing whether the container is alive.
+        	livenessProbe?: #HealthProbe
+
+        	// +usage=Instructions for assessing whether the container is in a suitable state to serve traffic.
+        	readinessProbe?: #HealthProbe
+        }
+        #HealthProbe: {
+
+        	// +usage=Instructions for assessing container health by executing a command. Either this attribute or the httpGet attribute or the tcpSocket attribute MUST be specified. This attribute is mutually exclusive with both the httpGet attribute and the tcpSocket attribute.
+        	exec?: {
+        		// +usage=A command to be executed inside the container to assess its health. Each space delimited token of the command is a separate array element. Commands exiting 0 are considered to be successful probes, whilst all other exit codes are considered failures.
+        		command: [...string]
+        	}
+
+        	// +usage=Instructions for assessing container health by executing an HTTP GET request. Either this attribute or the exec attribute or the tcpSocket attribute MUST be specified. This attribute is mutually exclusive with both the exec attribute and the tcpSocket attribute.
+        	httpGet?: {
+        		// +usage=The endpoint, relative to the port, to which the HTTP GET request should be directed.
+        		path: string
+        		// +usage=The TCP socket within the container to which the HTTP GET request should be directed.
+        		port: int
+        		httpHeaders?: [...{
+        			name:  string
+        			value: string
+        		}]
+        	}
+
+        	// +usage=Instructions for assessing container health by probing a TCP socket. Either this attribute or the exec attribute or the httpGet attribute MUST be specified. This attribute is mutually exclusive with both the exec attribute and the httpGet attribute.
+        	tcpSocket?: {
+        		// +usage=The TCP socket within the container that should be probed to assess container health.
+        		port: int
+        	}
+
+        	// +usage=Number of seconds after the container is started before the first probe is initiated.
+        	initialDelaySeconds: *0 | int
+
+        	// +usage=How often, in seconds, to execute the probe.
+        	periodSeconds: *10 | int
+
+        	// +usage=Number of seconds after which the probe times out.
+        	timeoutSeconds: *1 | int
+
+        	// +usage=Minimum consecutive successes for the probe to be considered successful after having failed.
+        	successThreshold: *1 | int
+
+        	// +usage=Number of consecutive failures required to determine the container is not alive (liveness probe) or not ready (readiness probe).
+        	failureThreshold: *3 | int
+        }
+  workload:
+    definition:
+      apiVersion: batch/v1beta1
+      kind: CronJob
+    type: cronjobs.batch
+
--- a/charts/vela-core/templates/defwithtemplate/env.yaml
+++ b/charts/vela-core/templates/defwithtemplate/env.yaml
@@ -46,7 +46,7 @@ spec:
        			}]
        		}
        		if _baseEnv != _|_ {
-        			_baseEnvMap: {for envVar in _baseEnv {"\(envVar.name)": envVar.value}}
+        			_baseEnvMap: {for envVar in _baseEnv {"\(envVar.name)": envVar}}
        			// +patchStrategy=replace
        			env: [ for envVar in _baseEnv if _delKeys[envVar.name] == _|_ && !_params.replace {
        				name: envVar.name
@@ -54,7 +54,12 @@ spec:
        					value: _params.env[envVar.name]
        				}
        				if _params.env[envVar.name] == _|_ {
-        					value: envVar.value
+        					if envVar.value != _|_ {
+        						value: envVar.value
+        					}
+        					if envVar.valueFrom != _|_ {
+        						valueFrom: envVar.valueFrom
+        					}
        				}
        			}] + [ for k, v in _params.env if _delKeys[k] == _|_ && (_params.replace || _baseEnvMap[k] == _|_) {
        				name:  k
@@ -92,7 +97,7 @@ spec:
        		}]
        	}
        }
-        parameter: #PatchParams | close({
+        parameter: *#PatchParams | close({
        	// +usage=Specify the environment variables for multiple containers
        	containers: [...#PatchParams]
        })
--- a/charts/vela-core/templates/defwithtemplate/gateway.yaml
+++ b/charts/vela-core/templates/defwithtemplate/gateway.yaml
@@ -8,6 +8,8 @@ metadata:
  name: gateway
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
+  appliesToWorkloads:
+    - '*'
  podDisruptive: false
  schematic:
    cue:
--- a/charts/vela-core/templates/defwithtemplate/generate-jdbc-connection.yaml
+++ b/charts/vela-core/templates/defwithtemplate/generate-jdbc-connection.yaml
@@ -0,0 +1,49 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/generate-jdbc-connection.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Generate a JDBC connection based on Component of alibaba-rds
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
+  name: generate-jdbc-connection
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"vela/op"
+        	"encoding/base64"
+        )
+
+        output: op.#Read & {
+        	value: {
+        		apiVersion: "v1"
+        		kind:       "Secret"
+        		metadata: {
+        			name: parameter.name
+        			if parameter.namespace != _|_ {
+        				namespace: parameter.namespace
+        			}
+        		}
+        	}
+        }
+        dbHost:   op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_HOST"])}
+        dbPort:   op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_PORT"])}
+        dbName:   op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_NAME"])}
+        username: op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_USER"])}
+        password: op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_PASSWORD"])}
+        env: [
+        	{name: "url", value:      "jdbc://" + dbHost.str + ":" + dbPort.str + "/" + dbName.str + "?characterEncoding=utf8&useSSL=false"},
+        	{name: "username", value: username.str},
+        	{name: "password", value: password.str},
+        ]
+        parameter: {
+        	// +usage=Specify the name of the secret generated by database component
+        	name: string
+        	// +usage=Specify the namespace of the secret generated by database component
+        	namespace?: string
+        }
+
--- a/charts/vela-core/templates/defwithtemplate/labels.yaml
+++ b/charts/vela-core/templates/defwithtemplate/labels.yaml
@@ -16,17 +16,20 @@ spec:
  schematic:
    cue:
      template: |
+        // +patchStrategy=jsonMergePatch
        patch: {
        	metadata: labels: {
        		for k, v in parameter {
        			"\(k)": v
        		}
        	}
-        	spec: template: metadata: labels: {
-        		for k, v in parameter {
-        			"\(k)": v
+        	if context.output.spec != _|_ && context.output.spec.template != _|_ {
+        		spec: template: metadata: labels: {
+        			for k, v in parameter {
+        				"\(k)": v
+        			}
        		}
        	}
        }
-        parameter: [string]: string
+        parameter: [string]: string | null

--- a/charts/vela-core/templates/defwithtemplate/notification.yaml
+++ b/charts/vela-core/templates/defwithtemplate/notification.yaml
@@ -291,8 +291,10 @@ spec:
        		if parameter.email.from.password.value != _|_ {
        			email1: op.#SendEmail & {
        				from: {
-        					address:  parameter.email.from.value
-        					alias:    parameter.email.from.alias
+        					address: parameter.email.from.address
+        					if parameter.email.from.alias != _|_ {
+        						alias: parameter.email.from.alias
+        					}
        					password: parameter.email.from.password.value
        					host:     parameter.email.from.host
        					port:     parameter.email.from.port
@@ -318,8 +320,10 @@ spec:
        			stringValue: op.#ConvertString & {bt: decoded}
        			email2:      op.#SendEmail & {
        				from: {
-        					address:  parameter.email.from.value
-        					alias:    parameter.email.from.alias
+        					address: parameter.email.from.address
+        					if parameter.email.from.alias != _|_ {
+        						alias: parameter.email.from.alias
+        					}
        					password: stringValue.str
        					host:     parameter.email.from.host
        					port:     parameter.email.from.port
--- a/charts/vela-core/templates/defwithtemplate/ref-objects.yaml
+++ b/charts/vela-core/templates/defwithtemplate/ref-objects.yaml
@@ -29,6 +29,47 @@ spec:
        	}
        }
        parameter: objects: [...#K8sObject]
+  status:
+    customStatus: |-
+      if context.output.apiVersion == "apps/v1" && context.output.kind == "Deployment" {
+      	ready: {
+      		readyReplicas: *0 | int
+      	} & {
+      		if context.output.status.readyReplicas != _|_ {
+      			readyReplicas: context.output.status.readyReplicas
+      		}
+      	}
+      	message: "Ready:\(ready.readyReplicas)/\(context.output.spec.replicas)"
+      }
+      if context.output.apiVersion != "apps/v1" || context.output.kind != "Deployment" {
+      	message: ""
+      }
+    healthPolicy: |-
+      if context.output.apiVersion == "apps/v1" && context.output.kind == "Deployment" {
+      	ready: {
+      		updatedReplicas:    *0 | int
+      		readyReplicas:      *0 | int
+      		replicas:           *0 | int
+      		observedGeneration: *0 | int
+      	} & {
+      		if context.output.status.updatedReplicas != _|_ {
+      			updatedReplicas: context.output.status.updatedReplicas
+      		}
+      		if context.output.status.readyReplicas != _|_ {
+      			readyReplicas: context.output.status.readyReplicas
+      		}
+      		if context.output.status.replicas != _|_ {
+      			replicas: context.output.status.replicas
+      		}
+      		if context.output.status.observedGeneration != _|_ {
+      			observedGeneration: context.output.status.observedGeneration
+      		}
+      	}
+      	isHealth: (context.output.spec.replicas == ready.readyReplicas) && (context.output.spec.replicas == ready.updatedReplicas) && (context.output.spec.replicas == ready.replicas) && (ready.observedGeneration == context.output.metadata.generation || ready.observedGeneration > context.output.metadata.generation)
+      }
+      if context.output.apiVersion != "apps/v1" || context.output.kind != "Deployment" {
+      	isHealth: true
+      }
  workload:
    type: autodetects.core.oam.dev

--- a/charts/vela-core/templates/defwithtemplate/storage.yaml
+++ b/charts/vela-core/templates/defwithtemplate/storage.yaml
@@ -23,7 +23,7 @@ spec:
        	},
        ] | []
        configMapVolumesList: *[
-        			for v in parameter.configMap {
+        			for v in parameter.configMap if v.mountPath != _|_ {
        		{
        			name: "configmap-" + v.name
        			configMap: {
@@ -37,7 +37,7 @@ spec:
        	},
        ] | []
        secretVolumesList: *[
-        			for v in parameter.secret {
+        			for v in parameter.secret if v.mountPath != _|_ {
        		{
        			name: "secret-" + v.name
        			secret: {
@@ -69,7 +69,7 @@ spec:
        	},
        ] | []
        configMapVolumeMountsList: *[
-        				for v in parameter.configMap {
+        				for v in parameter.configMap if v.mountPath != _|_ {
        		{
        			name:      "configmap-" + v.name
        			mountPath: v.mountPath
@@ -88,7 +88,7 @@ spec:
        	},
        ] | []
        secretVolumeMountsList: *[
-        			for v in parameter.secret {
+        			for v in parameter.secret if v.mountPath != _|_ {
        		{
        			name:      "secret-" + v.name
        			mountPath: v.mountPath
@@ -126,14 +126,14 @@ spec:
        	// +patchKey=name
        	volumes: pvcVolumesList + configMapVolumesList + secretVolumesList + emptyDirVolumesList

-        	containers: [...{
+        	containers: [{
        		// +patchKey=name
        		env: configMapEnvMountsList + secretEnvMountsList
        		// +patchKey=name
        		volumeDevices: volumeDevicesList
        		// +patchKey=name
        		volumeMounts: pvcVolumeMountsList + configMapVolumeMountsList + secretVolumeMountsList + emptyDirVolumeMountsList
-        	}]
+        	}, ...]

        }
        outputs: {
@@ -248,7 +248,7 @@ spec:
        			envName:      string
        			configMapKey: string
        		}
-        		mountPath:   string
+        		mountPath?:  string
        		defaultMode: *420 | int
        		readOnly:    *false | bool
        		data?: {...}
@@ -267,7 +267,7 @@ spec:
        			envName:   string
        			secretKey: string
        		}
-        		mountPath:   string
+        		mountPath?:  string
        		defaultMode: *420 | int
        		readOnly:    *false | bool
        		stringData?: {...}
--- a/charts/vela-core/templates/defwithtemplate/task.yaml
+++ b/charts/vela-core/templates/defwithtemplate/task.yaml
@@ -244,6 +244,30 @@ spec:
        	// +usage=Number of consecutive failures required to determine the container is not alive (liveness probe) or not ready (readiness probe).
        	failureThreshold: *3 | int
        }
+  status:
+    customStatus: |-
+      status: {
+      	active:    *0 | int
+      	failed:    *0 | int
+      	succeeded: *0 | int
+      } & {
+      	if context.output.status.active != _|_ {
+      		active: context.output.status.active
+      	}
+      	if context.output.status.failed != _|_ {
+      		failed: context.output.status.failed
+      	}
+      	if context.output.status.succeeded != _|_ {
+      		succeeded: context.output.status.succeeded
+      	}
+      }
+      message: "Active/Failed/Succeeded:\(status.active)/\(status.failed)/\(status.succeeded)"
+    healthPolicy: |-
+      succeeded: *0 | int
+      if context.output.status.succeeded != _|_ {
+      	succeeded: context.output.status.succeeded
+      }
+      isHealth: succeeded == context.output.spec.parallelism
  workload:
    definition:
      apiVersion: batch/v1
--- a/charts/vela-core/templates/defwithtemplate/webservice.yaml
+++ b/charts/vela-core/templates/defwithtemplate/webservice.yaml
@@ -132,10 +132,9 @@ spec:
        						parameter.labels
        					}
        					if parameter.addRevisionLabel {
-        						"app.oam.dev/appRevision": context.appRevision
+        						"app.oam.dev/revision": context.revision
        					}
        					"app.oam.dev/component": context.name
-        					"app.oam.dev/revision":  context.revision
        				}
        				if parameter.annotations != _|_ {
        					annotations: parameter.annotations
@@ -333,7 +332,7 @@ spec:
        	exposeType: *"ClusterIP" | "NodePort" | "LoadBalancer" | "ExternalName"

        	// +ignore
-        	// +usage=If addRevisionLabel is true, the appRevision label will be added to the underlying pods
+        	// +usage=If addRevisionLabel is true, the revision label will be added to the underlying pods
        	addRevisionLabel: *false | bool

        	// +usage=Commands to run in the container
@@ -453,6 +452,12 @@ spec:

        	// +usage=Instructions for assessing whether the container is in a suitable state to serve traffic.
        	readinessProbe?: #HealthProbe
+
+        	// +usage=Specify the hostAliases to add
+        	hostAliases?: [...{
+        		ip: string
+        		hostnames: [...string]
+        	}]
        }
        #HealthProbe: {

@@ -494,61 +499,38 @@ spec:

        	// +usage=Number of consecutive failures required to determine the container is not alive (liveness probe) or not ready (readiness probe).
        	failureThreshold: *3 | int
-
-        	// +usage=Specify the hostAliases to add
-        	hostAliases: [...{
-        		ip: string
-        		hostnames: [...string]
-        	}]
        }
  status:
    customStatus: |-
-      import "strconv"
      ready: {
-      	if context.output.status.readyReplicas == _|_ {
-      		readyReplicas: 0
-      	}
-
+      	readyReplicas: *0 | int
+      } & {
      	if context.output.status.readyReplicas != _|_ {
      		readyReplicas: context.output.status.readyReplicas
      	}
      }
-
-      message: "Ready:" + strconv.FormatInt(ready.readyReplicas, 10) + "/" + strconv.FormatInt(context.output.spec.replicas, 10)
+      message: "Ready:\(ready.readyReplicas)/\(context.output.spec.replicas)"
    healthPolicy: |-
      ready: {
-      	if context.output.status.updatedReplicas == _|_  {
-      		updatedReplicas : 0
+      	updatedReplicas:    *0 | int
+      	readyReplicas:      *0 | int
+      	replicas:           *0 | int
+      	observedGeneration: *0 | int
+      } & {
+      	if context.output.status.updatedReplicas != _|_ {
+      		updatedReplicas: context.output.status.updatedReplicas
      	}
-
-      	if context.output.status.updatedReplicas != _|_  {
-      		updatedReplicas : context.output.status.updatedReplicas
-      	}
-
-      	if context.output.status.readyReplicas == _|_ {
-      		readyReplicas: 0
-      	}
-
      	if context.output.status.readyReplicas != _|_ {
      		readyReplicas: context.output.status.readyReplicas
      	}
-
-      	if context.output.status.replicas == _|_ {
-      		replicas: 0
-      	}
      	if context.output.status.replicas != _|_ {
      		replicas: context.output.status.replicas
      	}
-
      	if context.output.status.observedGeneration != _|_ {
      		observedGeneration: context.output.status.observedGeneration
      	}
-
-      	if context.output.status.observedGeneration == _|_ {
-      		observedGeneration: 0
-      	}
      }
-      	isHealth: (context.output.spec.replicas == ready.readyReplicas) && (context.output.spec.replicas == ready.updatedReplicas) && (context.output.spec.replicas == ready.replicas) && (ready.observedGeneration == context.output.metadata.generation || ready.observedGeneration > context.output.metadata.generation)
+      isHealth: (context.output.spec.replicas == ready.readyReplicas) && (context.output.spec.replicas == ready.updatedReplicas) && (context.output.spec.replicas == ready.replicas) && (ready.observedGeneration == context.output.metadata.generation || ready.observedGeneration > context.output.metadata.generation)
  workload:
    definition:
      apiVersion: apps/v1
--- a/charts/vela-core/templates/defwithtemplate/worker.yaml
+++ b/charts/vela-core/templates/defwithtemplate/worker.yaml
@@ -396,52 +396,35 @@ spec:
        }
  status:
    customStatus: |-
-      import "strconv"
      ready: {
-      	if context.output.status.readyReplicas == _|_ {
-      		readyReplicas: 0
-      	}
-
+      	readyReplicas: *0 | int
+      } & {
      	if context.output.status.readyReplicas != _|_ {
      		readyReplicas: context.output.status.readyReplicas
      	}
      }
-
-      message: "Ready:" + strconv.FormatInt(ready.readyReplicas, 10) + "/" + strconv.FormatInt(context.output.spec.replicas, 10)
+      message: "Ready:\(ready.readyReplicas)/\(context.output.spec.replicas)"
    healthPolicy: |-
      ready: {
-      	if context.output.status.updatedReplicas == _|_  {
-      		updatedReplicas : 0
+      	updatedReplicas:    *0 | int
+      	readyReplicas:      *0 | int
+      	replicas:           *0 | int
+      	observedGeneration: *0 | int
+      } & {
+      	if context.output.status.updatedReplicas != _|_ {
+      		updatedReplicas: context.output.status.updatedReplicas
      	}
-
-      	if context.output.status.updatedReplicas != _|_  {
-      		updatedReplicas : context.output.status.updatedReplicas
-      	}
-
-      	if context.output.status.readyReplicas == _|_ {
-      		readyReplicas: 0
-      	}
-
      	if context.output.status.readyReplicas != _|_ {
      		readyReplicas: context.output.status.readyReplicas
      	}
-
-      	if context.output.status.replicas == _|_ {
-      		replicas: 0
-      	}
      	if context.output.status.replicas != _|_ {
      		replicas: context.output.status.replicas
      	}
-
      	if context.output.status.observedGeneration != _|_ {
      		observedGeneration: context.output.status.observedGeneration
      	}
-
-      	if context.output.status.observedGeneration == _|_ {
-      		observedGeneration: 0
-      	}
      }
-      	isHealth: (context.output.spec.replicas == ready.readyReplicas) && (context.output.spec.replicas == ready.updatedReplicas) && (context.output.spec.replicas == ready.replicas) && (ready.observedGeneration == context.output.metadata.generation || ready.observedGeneration > context.output.metadata.generation)
+      isHealth: (context.output.spec.replicas == ready.readyReplicas) && (context.output.spec.replicas == ready.updatedReplicas) && (context.output.spec.replicas == ready.replicas) && (ready.observedGeneration == context.output.metadata.generation || ready.observedGeneration > context.output.metadata.generation)
  workload:
    definition:
      apiVersion: apps/v1
--- a/charts/vela-core/templates/velaql/applied-resources.yaml
+++ b/charts/vela-core/templates/velaql/applied-resources.yaml
@@ -0,0 +1,44 @@
+apiVersion: "v1"
+kind:       "ConfigMap"
+metadata: 
+  name:      "service-applied-resources-view"
+  namespace: {{ include "systemDefinitionNamespace" . }}
+data:
+  template: |
+      import (
+          "vela/ql"
+      )
+      parameter: {
+          appName:    string
+          appNs:      string
+          name?:      string
+          cluster?:   string
+          clusterNs?: string
+      }
+      response: ql.#ListAppliedResources & {
+          app: {
+              name:      parameter.appName
+              namespace: parameter.appNs
+              filter: {
+                  if parameter.cluster != _|_ {
+                      cluster: parameter.cluster
+                  }
+                  if parameter.clusterNs != _|_ {
+                      clusterNamespace: parameter.clusterNs
+                  }
+                  if parameter.name != _|_ {
+                      components: [parameter.name]
+                  }
+              }
+          }
+      }
+      if response.err == _|_ {
+          status: {
+              resources: response.list
+          }
+      }
+      if response.err != _|_ {
+          status: {
+              error: response.err
+          }
+      }
--- a/charts/vela-core/templates/velaql/endpoints.yaml
+++ b/charts/vela-core/templates/velaql/endpoints.yaml
@@ -11,6 +11,7 @@ data:
      parameter: {
          appName:    string
          appNs:      string
+          name?:      string
          cluster?:   string
          clusterNs?: string
      }
@@ -25,6 +26,9 @@ data:
                  if parameter.clusterNs != _|_ {
                      clusterNamespace: parameter.clusterNs
                  }
+                  if parameter.name != _|_ {
+                      components: [parameter.name]
+                  }
              }
          }
      }
--- a/charts/vela-core/values.yaml
+++ b/charts/vela-core/values.yaml
@@ -104,7 +104,7 @@ multicluster:
    port: 9443
    image:
      repository: oamdev/cluster-gateway
-      tag: v1.1.7
+      tag: v1.3.2
      pullPolicy: IfNotPresent
    resources:
      limits:
--- a/charts/vela-minimal/README.md
+++ b/charts/vela-minimal/README.md
@@ -105,7 +105,7 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-minimal --
 | `multicluster.clusterGateway.replicaCount`            | ClusterGateway replica count     | `1`                              |
 | `multicluster.clusterGateway.port`                    | ClusterGateway port              | `9443`                           |
 | `multicluster.clusterGateway.image.repository`        | ClusterGateway image repository  | `oamdev/cluster-gateway`         |
-| `multicluster.clusterGateway.image.tag`               | ClusterGateway image tag         | `v1.1.7`                         |
+| `multicluster.clusterGateway.image.tag`               | ClusterGateway image tag         | `v1.3.2`                         |
 | `multicluster.clusterGateway.image.pullPolicy`        | ClusterGateway image pull policy | `IfNotPresent`                   |
 | `multicluster.clusterGateway.resources.limits.cpu`    | ClusterGateway cpu limit         | `100m`                           |
 | `multicluster.clusterGateway.resources.limits.memory` | ClusterGateway memory limit      | `200Mi`                          |
--- a/charts/vela-minimal/crds/core.oam.dev_applicationrevisions.yaml
+++ b/charts/vela-minimal/crds/core.oam.dev_applicationrevisions.yaml
@@ -2025,6 +2025,12 @@ spec:
    - jsonPath: .metadata.creationTimestamp
      name: AGE
      type: date
+    - jsonPath: .metadata.annotations['app\.oam\.dev\/publishVersion']
+      name: PUBLISH_VERSION
+      type: string
+    - jsonPath: .status.succeeded
+      name: SUCCEEDED
+      type: string
    name: v1beta1
    schema:
      openAPIV3Schema:
@@ -2747,13 +2753,6 @@ spec:
                        type: object
                    type: object
                type: object
-              applicationConfiguration:
-                description: ApplicationConfiguration records the rendered applicationConfiguration
-                  from Application, it will contains the whole K8s CR of trait and
-                  the reference component in it.
-                type: object
-                x-kubernetes-embedded-resource: true
-                x-kubernetes-preserve-unknown-fields: true
              componentDefinitions:
                additionalProperties:
                  description: ComponentDefinition is the Schema for the componentdefinitions
@@ -3087,20 +3086,51 @@ spec:
                description: ComponentDefinitions records the snapshot of the componentDefinitions
                  related with the created/modified Application
                type: object
-              components:
-                description: Components records the rendered components from Application,
-                  it will contains the whole K8s CR of workload in it.
-                items:
-                  description: RawComponent record raw component
+              policies:
+                additionalProperties:
+                  description: Policy is the Schema for the policy API
                  properties:
-                    raw:
+                    apiVersion:
+                      description: 'APIVersion defines the versioned schema of this
+                        representation of an object. Servers should convert recognized
+                        schemas to the latest internal value, and may reject unrecognized
+                        values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                      type: string
+                    kind:
+                      description: 'Kind is a string value representing the REST resource
+                        this object represents. Servers may infer this from the endpoint
+                        the client submits requests to. Cannot be updated. In CamelCase.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                      type: string
+                    metadata:
+                      properties:
+                        annotations:
+                          additionalProperties:
+                            type: string
+                          type: object
+                        finalizers:
+                          items:
+                            type: string
+                          type: array
+                        labels:
+                          additionalProperties:
+                            type: string
+                          type: object
+                        name:
+                          type: string
+                        namespace:
+                          type: string
+                      type: object
+                    properties:
                      type: object
-                      x-kubernetes-embedded-resource: true
                      x-kubernetes-preserve-unknown-fields: true
+                    type:
+                      type: string
                  required:
-                  - raw
+                  - type
                  type: object
-                type: array
+                description: Policies records the external policies
+                type: object
              policyDefinitions:
                additionalProperties:
                  description: PolicyDefinition is the Schema for the policydefinitions
@@ -3377,15 +3407,16 @@ spec:
                description: PolicyDefinitions records the snapshot of the PolicyDefinitions
                  related with the created/modified Application
                type: object
-              resourcesConfigMap:
-                description: ResourcesConfigMap references the ConfigMap that's generated
-                  to contain all final rendered resources.
-                properties:
-                  name:
-                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                      TODO: Add other useful fields. apiVersion, kind, uid?'
-                    type: string
-                type: object
+              referredObjects:
+                description: ReferredObjects records the referred objects used in
+                  the ref-object typed components
+                items:
+                  description: ReferredObject the referred Kubernetes object
+                  type: object
+                  x-kubernetes-embedded-resource: true
+                  x-kubernetes-preserve-unknown-fields: true
+                type: array
+                x-kubernetes-preserve-unknown-fields: true
              scopeDefinitions:
                additionalProperties:
                  description: A ScopeDefinition registers a kind of Kubernetes custom
@@ -3819,6 +3850,89 @@ spec:
                description: TraitDefinitions records the snapshot of the traitDefinitions
                  related with the created/modified Application
                type: object
+              workflow:
+                description: Workflow records the external workflow
+                properties:
+                  apiVersion:
+                    description: 'APIVersion defines the versioned schema of this
+                      representation of an object. Servers should convert recognized
+                      schemas to the latest internal value, and may reject unrecognized
+                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    type: string
+                  kind:
+                    description: 'Kind is a string value representing the REST resource
+                      this object represents. Servers may infer this from the endpoint
+                      the client submits requests to. Cannot be updated. In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  metadata:
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        type: object
+                      finalizers:
+                        items:
+                          type: string
+                        type: array
+                      labels:
+                        additionalProperties:
+                          type: string
+                        type: object
+                      name:
+                        type: string
+                      namespace:
+                        type: string
+                    type: object
+                  steps:
+                    items:
+                      description: WorkflowStep defines how to execute a workflow
+                        step.
+                      properties:
+                        dependsOn:
+                          items:
+                            type: string
+                          type: array
+                        inputs:
+                          description: StepInputs defines variable input of WorkflowStep
+                          items:
+                            properties:
+                              from:
+                                type: string
+                              parameterKey:
+                                type: string
+                            required:
+                            - from
+                            - parameterKey
+                            type: object
+                          type: array
+                        name:
+                          description: Name is the unique name of the workflow step.
+                          type: string
+                        outputs:
+                          description: StepOutputs defines output variable of WorkflowStep
+                          items:
+                            properties:
+                              name:
+                                type: string
+                              valueFrom:
+                                type: string
+                            required:
+                            - name
+                            - valueFrom
+                            type: object
+                          type: array
+                        properties:
+                          type: object
+                          x-kubernetes-preserve-unknown-fields: true
+                        type:
+                          type: string
+                      required:
+                      - name
+                      - type
+                      type: object
+                    type: array
+                type: object
              workflowStepDefinitions:
                additionalProperties:
                  description: WorkflowStepDefinition is the Schema for the workflowstepdefinitions
@@ -4408,10 +4522,182 @@ spec:
            required:
            - application
            type: object
+          status:
+            description: ApplicationRevisionStatus is the status of ApplicationRevision
+            properties:
+              succeeded:
+                description: Succeeded records if the workflow finished running with
+                  success
+                type: boolean
+              workflow:
+                description: Workflow the running status of the workflow
+                properties:
+                  appRevision:
+                    type: string
+                  contextBackend:
+                    description: 'ObjectReference contains enough information to let
+                      you inspect or modify the referred object. --- New uses of this
+                      type are discouraged because of difficulty describing its usage
+                      when embedded in APIs.  1. Ignored fields.  It includes many
+                      fields which are not generally honored.  For instance, ResourceVersion
+                      and FieldPath are both very rarely valid in actual usage.  2.
+                      Invalid usage help.  It is impossible to add specific help for
+                      individual usage.  In most embedded usages, there are particular     restrictions
+                      like, "must refer only to types A and B" or "UID not honored"
+                      or "name must be restricted".     Those cannot be well described
+                      when embedded.  3. Inconsistent validation.  Because the usages
+                      are different, the validation rules are different by usage,
+                      which makes it hard for users to predict what will happen.  4.
+                      The fields are both imprecise and overly precise.  Kind is not
+                      a precise mapping to a URL. This can produce ambiguity     during
+                      interpretation and require a REST mapping.  In most cases, the
+                      dependency is on the group,resource tuple     and the version
+                      of the actual struct is irrelevant.  5. We cannot easily change
+                      it.  Because this type is embedded in many locations, updates
+                      to this type     will affect numerous schemas.  Don''t make
+                      new APIs embed an underspecified API type they do not control.
+                      Instead of using this type, create a locally provided and used
+                      type that is well-focused on your reference. For example, ServiceReferences
+                      for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                      .'
+                    properties:
+                      apiVersion:
+                        description: API version of the referent.
+                        type: string
+                      fieldPath:
+                        description: 'If referring to a piece of an object instead
+                          of an entire object, this string should contain a valid
+                          JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                          For example, if the object reference is to a container within
+                          a pod, this would take on a value like: "spec.containers{name}"
+                          (where "name" refers to the name of the container that triggered
+                          the event) or if no container name is specified "spec.containers[2]"
+                          (container with index 2 in this pod). This syntax is chosen
+                          only to have some well-defined way of referencing a part
+                          of an object. TODO: this design is not final and this field
+                          is subject to change in the future.'
+                        type: string
+                      kind:
+                        description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      name:
+                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        type: string
+                      namespace:
+                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                        type: string
+                      resourceVersion:
+                        description: 'Specific resourceVersion to which this reference
+                          is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                        type: string
+                      uid:
+                        description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                        type: string
+                    type: object
+                  finished:
+                    type: boolean
+                  message:
+                    type: string
+                  mode:
+                    description: WorkflowMode describes the mode of workflow
+                    type: string
+                  startTime:
+                    format: date-time
+                    type: string
+                  steps:
+                    items:
+                      description: WorkflowStepStatus record the status of a workflow
+                        step
+                      properties:
+                        firstExecuteTime:
+                          description: FirstExecuteTime is the first time this step
+                            execution.
+                          format: date-time
+                          type: string
+                        id:
+                          type: string
+                        lastExecuteTime:
+                          description: LastExecuteTime is the last time this step
+                            execution.
+                          format: date-time
+                          type: string
+                        message:
+                          description: A human readable message indicating details
+                            about why the workflowStep is in this state.
+                          type: string
+                        name:
+                          type: string
+                        phase:
+                          description: WorkflowStepPhase describes the phase of a
+                            workflow step.
+                          type: string
+                        reason:
+                          description: A brief CamelCase message indicating details
+                            about why the workflowStep is in this state.
+                          type: string
+                        subSteps:
+                          description: SubStepsStatus record the status of workflow
+                            steps.
+                          properties:
+                            mode:
+                              description: WorkflowMode describes the mode of workflow
+                              type: string
+                            stepIndex:
+                              type: integer
+                            steps:
+                              items:
+                                description: WorkflowSubStepStatus record the status
+                                  of a workflow step
+                                properties:
+                                  id:
+                                    type: string
+                                  message:
+                                    description: A human readable message indicating
+                                      details about why the workflowStep is in this
+                                      state.
+                                    type: string
+                                  name:
+                                    type: string
+                                  phase:
+                                    description: WorkflowStepPhase describes the phase
+                                      of a workflow step.
+                                    type: string
+                                  reason:
+                                    description: A brief CamelCase message indicating
+                                      details about why the workflowStep is in this
+                                      state.
+                                    type: string
+                                  type:
+                                    type: string
+                                required:
+                                - id
+                                type: object
+                              type: array
+                          type: object
+                        type:
+                          type: string
+                      required:
+                      - id
+                      type: object
+                    type: array
+                  suspend:
+                    type: boolean
+                  terminated:
+                    type: boolean
+                required:
+                - finished
+                - mode
+                - suspend
+                - terminated
+                type: object
+            required:
+            - succeeded
+            type: object
        type: object
    served: true
    storage: true
-    subresources: {}
+    subresources:
+      status: {}
 status:
  acceptedNames:
    kind: ""
--- a/charts/vela-minimal/crds/core.oam.dev_applications.yaml
+++ b/charts/vela-minimal/crds/core.oam.dev_applications.yaml
--- a/charts/vela-minimal/templates/defwithtemplate/annotations.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/annotations.yaml
@@ -16,17 +16,20 @@ spec:
  schematic:
    cue:
      template: |
+        // +patchStrategy=jsonMergePatch
        patch: {
        	metadata: annotations: {
        		for k, v in parameter {
        			"\(k)": v
        		}
        	}
-        	spec: template: metadata: annotations: {
-        		for k, v in parameter {
-        			"\(k)": v
+        	if context.output.spec != _|_ && context.output.spec.template != _|_ {
+        		spec: template: metadata: annotations: {
+        			for k, v in parameter {
+        				"\(k)": v
+        			}
        		}
        	}
        }
-        parameter: [string]: string
+        parameter: [string]: string | null

--- a/charts/vela-minimal/templates/defwithtemplate/command.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/command.yaml
@@ -106,7 +106,7 @@ spec:
        		}]
        	}
        }
-        parameter: #PatchParams | close({
+        parameter: *#PatchParams | close({
        	// +usage=Specify the commands for multiple containers
        	containers: [...#PatchParams]
        })
--- a/charts/vela-minimal/templates/defwithtemplate/config-image-registry.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/config-image-registry.yaml
@@ -0,0 +1,73 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/config-image-registry.cue
+apiVersion: core.oam.dev/v1beta1
+kind: ComponentDefinition
+metadata:
+  annotations:
+    custom.definition.oam.dev/alias.config.oam.dev: Image Registry
+    definition.oam.dev/description: Config information to authenticate image registry
+  labels:
+    custom.definition.oam.dev/catalog.config.oam.dev: velacore-config
+    custom.definition.oam.dev/multi-cluster.config.oam.dev: "true"
+    custom.definition.oam.dev/type.config.oam.dev: image-registry
+    custom.definition.oam.dev/ui-hidden: "true"
+  name: config-image-registry
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"encoding/base64"
+        	"encoding/json"
+        )
+
+        output: {
+        	apiVersion: "v1"
+        	kind:       "Secret"
+        	metadata: {
+        		name:      context.name
+        		namespace: context.namespace
+        		labels: {
+        			"config.oam.dev/catalog":       "velacore-config"
+        			"config.oam.dev/type":          "image-registry"
+        			"config.oam.dev/multi-cluster": "true"
+        			"config.oam.dev/identifier":    parameter.registry
+        			"config.oam.dev/sub-type":      "auth"
+        		}
+        	}
+        	if parameter.auth != _|_ {
+        		type: "kubernetes.io/dockerconfigjson"
+        	}
+        	if parameter.auth == _|_ {
+        		type: "Opaque"
+        	}
+        	if parameter.auth != _|_ {
+        		stringData: ".dockerconfigjson": json.Marshal({
+        			auths: "\(parameter.registry)": {
+        				username: parameter.auth.username
+        				password: parameter.auth.password
+        				if parameter.auth.email != _|_ {
+        					email: parameter.auth.email
+        				}
+        				auth: base64.Encode(null, (parameter.auth.username + ":" + parameter.auth.password))
+        			}
+        		})
+        	}
+        }
+        parameter: {
+        	// +usage=Image registry FQDN
+        	registry: string
+        	// +usage=Authenticate the image registry
+        	auth?: {
+        		// +usage=Private Image registry username
+        		username: string
+        		// +usage=Private Image registry password
+        		password: string
+        		// +usage=Private Image registry email
+        		email?: string
+        	}
+        }
+  workload:
+    type: autodetects.core.oam.dev
+
--- a/charts/vela-minimal/templates/defwithtemplate/container-image.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/container-image.yaml
@@ -69,7 +69,7 @@ spec:
        		}]
        	}
        }
-        parameter: #PatchParams | close({
+        parameter: *#PatchParams | close({
        	// +usage=Specify the container image for multiple containers
        	containers: [...#PatchParams]
        })
--- a/charts/vela-minimal/templates/defwithtemplate/cron-task.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/cron-task.yaml
@@ -0,0 +1,308 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/cron-task.cue
+apiVersion: core.oam.dev/v1beta1
+kind: ComponentDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Describes cron jobs that run code or a script to completion.
+  name: cron-task
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        output: {
+        	apiVersion: "batch/v1beta1"
+        	kind:       "CronJob"
+        	spec: {
+        		schedule:                   parameter.schedule
+        		concurrencyPolicy:          parameter.concurrencyPolicy
+        		suspend:                    parameter.suspend
+        		successfulJobsHistoryLimit: parameter.successfulJobsHistoryLimit
+        		failedJobsHistoryLimit:     parameter.failedJobsHistoryLimit
+        		if parameter.startingDeadlineSeconds != _|_ {
+        			startingDeadlineSeconds: parameter.startingDeadlineSeconds
+        		}
+        		jobTemplate: {
+        			if parameter.labels != _|_ {
+        				metadata: labels: parameter.labels
+        			}
+        			if parameter.annotations != _|_ {
+        				metadata: annotations: parameter.annotations
+        			}
+        			spec: {
+        				parallelism: parameter.count
+        				completions: parameter.count
+        				if parameter.ttlSecondsAfterFinished != _|_ {
+        					ttlSecondsAfterFinished: parameter.ttlSecondsAfterFinished
+        				}
+        				if parameter.activeDeadlineSeconds != _|_ {
+        					activeDeadlineSeconds: parameter.activeDeadlineSeconds
+        				}
+        				backoffLimit: parameter.backoffLimit
+        				template: {
+        					if parameter.labels != _|_ {
+        						metadata: labels: parameter.labels
+        					}
+        					if parameter.annotations != _|_ {
+        						metadata: annotations: parameter.annotations
+        					}
+        					spec: {
+        						restartPolicy: parameter.restart
+        						containers: [{
+        							name:  context.name
+        							image: parameter.image
+        							if parameter["imagePullPolicy"] != _|_ {
+        								imagePullPolicy: parameter.imagePullPolicy
+        							}
+        							if parameter["cmd"] != _|_ {
+        								command: parameter.cmd
+        							}
+        							if parameter["env"] != _|_ {
+        								env: parameter.env
+        							}
+        							if parameter["cpu"] != _|_ {
+        								resources: {
+        									limits: cpu:   parameter.cpu
+        									requests: cpu: parameter.cpu
+        								}
+        							}
+        							if parameter["memory"] != _|_ {
+        								resources: {
+        									limits: memory:   parameter.memory
+        									requests: memory: parameter.memory
+        								}
+        							}
+        							if parameter["volumes"] != _|_ {
+        								volumeMounts: [ for v in parameter.volumes {
+        									{
+        										mountPath: v.mountPath
+        										name:      v.name
+        									}}]
+        							}
+        						}]
+        						if parameter["volumes"] != _|_ {
+        							volumes: [ for v in parameter.volumes {
+        								{
+        									name: v.name
+        									if v.type == "pvc" {
+        										persistentVolumeClaim: claimName: v.claimName
+        									}
+        									if v.type == "configMap" {
+        										configMap: {
+        											defaultMode: v.defaultMode
+        											name:        v.cmName
+        											if v.items != _|_ {
+        												items: v.items
+        											}
+        										}
+        									}
+        									if v.type == "secret" {
+        										secret: {
+        											defaultMode: v.defaultMode
+        											secretName:  v.secretName
+        											if v.items != _|_ {
+        												items: v.items
+        											}
+        										}
+        									}
+        									if v.type == "emptyDir" {
+        										emptyDir: medium: v.medium
+        									}
+        								}}]
+        						}
+        						if parameter["imagePullSecrets"] != _|_ {
+        							imagePullSecrets: [ for v in parameter.imagePullSecrets {
+        								name: v
+        							},
+        							]
+        						}
+        						if parameter.hostAliases != _|_ {
+        							hostAliases: [ for v in parameter.hostAliases {
+        								ip:        v.ip
+        								hostnames: v.hostnames
+        							},
+        							]
+        						}
+        					}
+        				}
+        			}
+        		}
+        	}
+        }
+        parameter: {
+        	// +usage=Specify the labels in the workload
+        	labels?: [string]: string
+
+        	// +usage=Specify the annotations in the workload
+        	annotations?: [string]: string
+
+        	// +usage=Specify the schedule in Cron format, see https://en.wikipedia.org/wiki/Cron
+        	schedule: string
+
+        	// +usage=Specify deadline in seconds for starting the job if it misses scheduled
+        	startingDeadlineSeconds?: int
+
+        	// +usage=suspend subsequent executions
+        	suspend: *false | bool
+
+        	// +usage=Specifies how to treat concurrent executions of a Job
+        	concurrencyPolicy: *"Allow" | "Allow" | "Forbid" | "Replace"
+
+        	// +usage=The number of successful finished jobs to retain
+        	successfulJobsHistoryLimit: *3 | int
+
+        	// +usage=The number of failed finished jobs to retain
+        	failedJobsHistoryLimit: *1 | int
+
+        	// +usage=Specify number of tasks to run in parallel
+        	// +short=c
+        	count: *1 | int
+
+        	// +usage=Which image would you like to use for your service
+        	// +short=i
+        	image: string
+
+        	// +usage=Specify image pull policy for your service
+        	imagePullPolicy?: "Always" | "Never" | "IfNotPresent"
+
+        	// +usage=Specify image pull secrets for your service
+        	imagePullSecrets?: [...string]
+
+        	// +usage=Define the job restart policy, the value can only be Never or OnFailure. By default, it's Never.
+        	restart: *"Never" | string
+
+        	// +usage=Commands to run in the container
+        	cmd?: [...string]
+
+        	// +usage=Define arguments by using environment variables
+        	env?: [...{
+        		// +usage=Environment variable name
+        		name: string
+        		// +usage=The value of the environment variable
+        		value?: string
+        		// +usage=Specifies a source the value of this var should come from
+        		valueFrom?: {
+        			// +usage=Selects a key of a secret in the pod's namespace
+        			secretKeyRef: {
+        				// +usage=The name of the secret in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the secret to select from. Must be a valid secret key
+        				key: string
+        			}
+        			// +usage=Selects a key of a config map in the pod's namespace
+        			configMapKeyRef: {
+        				// +usage=The name of the config map in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the config map to select from. Must be a valid secret key
+        				key: string
+        			}
+        		}
+        	}]
+
+        	// +usage=Number of CPU units for the service, like `0.5` (0.5 CPU core), `1` (1 CPU core)
+        	cpu?: string
+
+        	// +usage=Specifies the attributes of the memory resource required for the container.
+        	memory?: string
+
+        	// +usage=Declare volumes and volumeMounts
+        	volumes?: [...{
+        		name:      string
+        		mountPath: string
+        		// +usage=Specify volume type, options: "pvc","configMap","secret","emptyDir"
+        		type: "pvc" | "configMap" | "secret" | "emptyDir"
+        		if type == "pvc" {
+        			claimName: string
+        		}
+        		if type == "configMap" {
+        			defaultMode: *420 | int
+        			cmName:      string
+        			items?: [...{
+        				key:  string
+        				path: string
+        				mode: *511 | int
+        			}]
+        		}
+        		if type == "secret" {
+        			defaultMode: *420 | int
+        			secretName:  string
+        			items?: [...{
+        				key:  string
+        				path: string
+        				mode: *511 | int
+        			}]
+        		}
+        		if type == "emptyDir" {
+        			medium: *"" | "Memory"
+        		}
+        	}]
+
+        	// +usage=An optional list of hosts and IPs that will be injected into the pod's hosts file
+        	hostAliases?: [...{
+        		ip: string
+        		hostnames: [...string]
+        	}]
+
+        	// +usage=Limits the lifetime of a Job that has finished
+        	ttlSecondsAfterFinished?: int
+
+        	// +usage=The duration in seconds relative to the startTime that the job may be continuously active before the system tries to terminate it
+        	activeDeadlineSeconds?: int
+
+        	// +usage=The number of retries before marking this job failed
+        	backoffLimit: *6 | int
+
+        	// +usage=Instructions for assessing whether the container is alive.
+        	livenessProbe?: #HealthProbe
+
+        	// +usage=Instructions for assessing whether the container is in a suitable state to serve traffic.
+        	readinessProbe?: #HealthProbe
+        }
+        #HealthProbe: {
+
+        	// +usage=Instructions for assessing container health by executing a command. Either this attribute or the httpGet attribute or the tcpSocket attribute MUST be specified. This attribute is mutually exclusive with both the httpGet attribute and the tcpSocket attribute.
+        	exec?: {
+        		// +usage=A command to be executed inside the container to assess its health. Each space delimited token of the command is a separate array element. Commands exiting 0 are considered to be successful probes, whilst all other exit codes are considered failures.
+        		command: [...string]
+        	}
+
+        	// +usage=Instructions for assessing container health by executing an HTTP GET request. Either this attribute or the exec attribute or the tcpSocket attribute MUST be specified. This attribute is mutually exclusive with both the exec attribute and the tcpSocket attribute.
+        	httpGet?: {
+        		// +usage=The endpoint, relative to the port, to which the HTTP GET request should be directed.
+        		path: string
+        		// +usage=The TCP socket within the container to which the HTTP GET request should be directed.
+        		port: int
+        		httpHeaders?: [...{
+        			name:  string
+        			value: string
+        		}]
+        	}
+
+        	// +usage=Instructions for assessing container health by probing a TCP socket. Either this attribute or the exec attribute or the httpGet attribute MUST be specified. This attribute is mutually exclusive with both the exec attribute and the httpGet attribute.
+        	tcpSocket?: {
+        		// +usage=The TCP socket within the container that should be probed to assess container health.
+        		port: int
+        	}
+
+        	// +usage=Number of seconds after the container is started before the first probe is initiated.
+        	initialDelaySeconds: *0 | int
+
+        	// +usage=How often, in seconds, to execute the probe.
+        	periodSeconds: *10 | int
+
+        	// +usage=Number of seconds after which the probe times out.
+        	timeoutSeconds: *1 | int
+
+        	// +usage=Minimum consecutive successes for the probe to be considered successful after having failed.
+        	successThreshold: *1 | int
+
+        	// +usage=Number of consecutive failures required to determine the container is not alive (liveness probe) or not ready (readiness probe).
+        	failureThreshold: *3 | int
+        }
+  workload:
+    definition:
+      apiVersion: batch/v1beta1
+      kind: CronJob
+    type: cronjobs.batch
+
--- a/charts/vela-minimal/templates/defwithtemplate/env.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/env.yaml
@@ -46,7 +46,7 @@ spec:
        			}]
        		}
        		if _baseEnv != _|_ {
-        			_baseEnvMap: {for envVar in _baseEnv {"\(envVar.name)": envVar.value}}
+        			_baseEnvMap: {for envVar in _baseEnv {"\(envVar.name)": envVar}}
        			// +patchStrategy=replace
        			env: [ for envVar in _baseEnv if _delKeys[envVar.name] == _|_ && !_params.replace {
        				name: envVar.name
@@ -54,7 +54,12 @@ spec:
        					value: _params.env[envVar.name]
        				}
        				if _params.env[envVar.name] == _|_ {
-        					value: envVar.value
+        					if envVar.value != _|_ {
+        						value: envVar.value
+        					}
+        					if envVar.valueFrom != _|_ {
+        						valueFrom: envVar.valueFrom
+        					}
        				}
        			}] + [ for k, v in _params.env if _delKeys[k] == _|_ && (_params.replace || _baseEnvMap[k] == _|_) {
        				name:  k
@@ -92,7 +97,7 @@ spec:
        		}]
        	}
        }
-        parameter: #PatchParams | close({
+        parameter: *#PatchParams | close({
        	// +usage=Specify the environment variables for multiple containers
        	containers: [...#PatchParams]
        })
--- a/charts/vela-minimal/templates/defwithtemplate/gateway.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/gateway.yaml
@@ -8,6 +8,8 @@ metadata:
  name: gateway
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
+  appliesToWorkloads:
+    - '*'
  podDisruptive: false
  schematic:
    cue:
--- a/charts/vela-minimal/templates/defwithtemplate/generate-jdbc-connection.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/generate-jdbc-connection.yaml
@@ -0,0 +1,49 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/generate-jdbc-connection.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Generate a JDBC connection based on Component of alibaba-rds
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
+  name: generate-jdbc-connection
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"vela/op"
+        	"encoding/base64"
+        )
+
+        output: op.#Read & {
+        	value: {
+        		apiVersion: "v1"
+        		kind:       "Secret"
+        		metadata: {
+        			name: parameter.name
+        			if parameter.namespace != _|_ {
+        				namespace: parameter.namespace
+        			}
+        		}
+        	}
+        }
+        dbHost:   op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_HOST"])}
+        dbPort:   op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_PORT"])}
+        dbName:   op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_NAME"])}
+        username: op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_USER"])}
+        password: op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_PASSWORD"])}
+        env: [
+        	{name: "url", value:      "jdbc://" + dbHost.str + ":" + dbPort.str + "/" + dbName.str + "?characterEncoding=utf8&useSSL=false"},
+        	{name: "username", value: username.str},
+        	{name: "password", value: password.str},
+        ]
+        parameter: {
+        	// +usage=Specify the name of the secret generated by database component
+        	name: string
+        	// +usage=Specify the namespace of the secret generated by database component
+        	namespace?: string
+        }
+
--- a/charts/vela-minimal/templates/defwithtemplate/labels.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/labels.yaml
@@ -16,17 +16,20 @@ spec:
  schematic:
    cue:
      template: |
+        // +patchStrategy=jsonMergePatch
        patch: {
        	metadata: labels: {
        		for k, v in parameter {
        			"\(k)": v
        		}
        	}
-        	spec: template: metadata: labels: {
-        		for k, v in parameter {
-        			"\(k)": v
+        	if context.output.spec != _|_ && context.output.spec.template != _|_ {
+        		spec: template: metadata: labels: {
+        			for k, v in parameter {
+        				"\(k)": v
+        			}
        		}
        	}
        }
-        parameter: [string]: string
+        parameter: [string]: string | null

--- a/charts/vela-minimal/templates/defwithtemplate/notification.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/notification.yaml
@@ -291,8 +291,10 @@ spec:
        		if parameter.email.from.password.value != _|_ {
        			email1: op.#SendEmail & {
        				from: {
-        					address:  parameter.email.from.value
-        					alias:    parameter.email.from.alias
+        					address: parameter.email.from.address
+        					if parameter.email.from.alias != _|_ {
+        						alias: parameter.email.from.alias
+        					}
        					password: parameter.email.from.password.value
        					host:     parameter.email.from.host
        					port:     parameter.email.from.port
@@ -318,8 +320,10 @@ spec:
        			stringValue: op.#ConvertString & {bt: decoded}
        			email2:      op.#SendEmail & {
        				from: {
-        					address:  parameter.email.from.value
-        					alias:    parameter.email.from.alias
+        					address: parameter.email.from.address
+        					if parameter.email.from.alias != _|_ {
+        						alias: parameter.email.from.alias
+        					}
        					password: stringValue.str
        					host:     parameter.email.from.host
        					port:     parameter.email.from.port
--- a/charts/vela-minimal/templates/defwithtemplate/ref-objects.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/ref-objects.yaml
@@ -29,6 +29,47 @@ spec:
        	}
        }
        parameter: objects: [...#K8sObject]
+  status:
+    customStatus: |-
+      if context.output.apiVersion == "apps/v1" && context.output.kind == "Deployment" {
+      	ready: {
+      		readyReplicas: *0 | int
+      	} & {
+      		if context.output.status.readyReplicas != _|_ {
+      			readyReplicas: context.output.status.readyReplicas
+      		}
+      	}
+      	message: "Ready:\(ready.readyReplicas)/\(context.output.spec.replicas)"
+      }
+      if context.output.apiVersion != "apps/v1" || context.output.kind != "Deployment" {
+      	message: ""
+      }
+    healthPolicy: |-
+      if context.output.apiVersion == "apps/v1" && context.output.kind == "Deployment" {
+      	ready: {
+      		updatedReplicas:    *0 | int
+      		readyReplicas:      *0 | int
+      		replicas:           *0 | int
+      		observedGeneration: *0 | int
+      	} & {
+      		if context.output.status.updatedReplicas != _|_ {
+      			updatedReplicas: context.output.status.updatedReplicas
+      		}
+      		if context.output.status.readyReplicas != _|_ {
+      			readyReplicas: context.output.status.readyReplicas
+      		}
+      		if context.output.status.replicas != _|_ {
+      			replicas: context.output.status.replicas
+      		}
+      		if context.output.status.observedGeneration != _|_ {
+      			observedGeneration: context.output.status.observedGeneration
+      		}
+      	}
+      	isHealth: (context.output.spec.replicas == ready.readyReplicas) && (context.output.spec.replicas == ready.updatedReplicas) && (context.output.spec.replicas == ready.replicas) && (ready.observedGeneration == context.output.metadata.generation || ready.observedGeneration > context.output.metadata.generation)
+      }
+      if context.output.apiVersion != "apps/v1" || context.output.kind != "Deployment" {
+      	isHealth: true
+      }
  workload:
    type: autodetects.core.oam.dev

--- a/charts/vela-minimal/templates/defwithtemplate/storage.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/storage.yaml
@@ -23,7 +23,7 @@ spec:
        	},
        ] | []
        configMapVolumesList: *[
-        			for v in parameter.configMap {
+        			for v in parameter.configMap if v.mountPath != _|_ {
        		{
        			name: "configmap-" + v.name
        			configMap: {
@@ -37,7 +37,7 @@ spec:
        	},
        ] | []
        secretVolumesList: *[
-        			for v in parameter.secret {
+        			for v in parameter.secret if v.mountPath != _|_ {
        		{
        			name: "secret-" + v.name
        			secret: {
@@ -69,7 +69,7 @@ spec:
        	},
        ] | []
        configMapVolumeMountsList: *[
-        				for v in parameter.configMap {
+        				for v in parameter.configMap if v.mountPath != _|_ {
        		{
        			name:      "configmap-" + v.name
        			mountPath: v.mountPath
@@ -88,7 +88,7 @@ spec:
        	},
        ] | []
        secretVolumeMountsList: *[
-        			for v in parameter.secret {
+        			for v in parameter.secret if v.mountPath != _|_ {
        		{
        			name:      "secret-" + v.name
        			mountPath: v.mountPath
@@ -126,14 +126,14 @@ spec:
        	// +patchKey=name
        	volumes: pvcVolumesList + configMapVolumesList + secretVolumesList + emptyDirVolumesList

-        	containers: [...{
+        	containers: [{
        		// +patchKey=name
        		env: configMapEnvMountsList + secretEnvMountsList
        		// +patchKey=name
        		volumeDevices: volumeDevicesList
        		// +patchKey=name
        		volumeMounts: pvcVolumeMountsList + configMapVolumeMountsList + secretVolumeMountsList + emptyDirVolumeMountsList
-        	}]
+        	}, ...]

        }
        outputs: {
@@ -248,7 +248,7 @@ spec:
        			envName:      string
        			configMapKey: string
        		}
-        		mountPath:   string
+        		mountPath?:  string
        		defaultMode: *420 | int
        		readOnly:    *false | bool
        		data?: {...}
@@ -267,7 +267,7 @@ spec:
        			envName:   string
        			secretKey: string
        		}
-        		mountPath:   string
+        		mountPath?:  string
        		defaultMode: *420 | int
        		readOnly:    *false | bool
        		stringData?: {...}
--- a/charts/vela-minimal/templates/defwithtemplate/task.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/task.yaml
@@ -244,6 +244,30 @@ spec:
        	// +usage=Number of consecutive failures required to determine the container is not alive (liveness probe) or not ready (readiness probe).
        	failureThreshold: *3 | int
        }
+  status:
+    customStatus: |-
+      status: {
+      	active:    *0 | int
+      	failed:    *0 | int
+      	succeeded: *0 | int
+      } & {
+      	if context.output.status.active != _|_ {
+      		active: context.output.status.active
+      	}
+      	if context.output.status.failed != _|_ {
+      		failed: context.output.status.failed
+      	}
+      	if context.output.status.succeeded != _|_ {
+      		succeeded: context.output.status.succeeded
+      	}
+      }
+      message: "Active/Failed/Succeeded:\(status.active)/\(status.failed)/\(status.succeeded)"
+    healthPolicy: |-
+      succeeded: *0 | int
+      if context.output.status.succeeded != _|_ {
+      	succeeded: context.output.status.succeeded
+      }
+      isHealth: succeeded == context.output.spec.parallelism
  workload:
    definition:
      apiVersion: batch/v1
--- a/charts/vela-minimal/templates/defwithtemplate/webservice.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/webservice.yaml
@@ -132,10 +132,9 @@ spec:
        						parameter.labels
        					}
        					if parameter.addRevisionLabel {
-        						"app.oam.dev/appRevision": context.appRevision
+        						"app.oam.dev/revision": context.revision
        					}
        					"app.oam.dev/component": context.name
-        					"app.oam.dev/revision":  context.revision
        				}
        				if parameter.annotations != _|_ {
        					annotations: parameter.annotations
@@ -333,7 +332,7 @@ spec:
        	exposeType: *"ClusterIP" | "NodePort" | "LoadBalancer" | "ExternalName"

        	// +ignore
-        	// +usage=If addRevisionLabel is true, the appRevision label will be added to the underlying pods
+        	// +usage=If addRevisionLabel is true, the revision label will be added to the underlying pods
        	addRevisionLabel: *false | bool

        	// +usage=Commands to run in the container
@@ -453,6 +452,12 @@ spec:

        	// +usage=Instructions for assessing whether the container is in a suitable state to serve traffic.
        	readinessProbe?: #HealthProbe
+
+        	// +usage=Specify the hostAliases to add
+        	hostAliases?: [...{
+        		ip: string
+        		hostnames: [...string]
+        	}]
        }
        #HealthProbe: {

@@ -494,61 +499,38 @@ spec:

        	// +usage=Number of consecutive failures required to determine the container is not alive (liveness probe) or not ready (readiness probe).
        	failureThreshold: *3 | int
-
-        	// +usage=Specify the hostAliases to add
-        	hostAliases: [...{
-        		ip: string
-        		hostnames: [...string]
-        	}]
        }
  status:
    customStatus: |-
-      import "strconv"
      ready: {
-      	if context.output.status.readyReplicas == _|_ {
-      		readyReplicas: 0
-      	}
-
+      	readyReplicas: *0 | int
+      } & {
      	if context.output.status.readyReplicas != _|_ {
      		readyReplicas: context.output.status.readyReplicas
      	}
      }
-
-      message: "Ready:" + strconv.FormatInt(ready.readyReplicas, 10) + "/" + strconv.FormatInt(context.output.spec.replicas, 10)
+      message: "Ready:\(ready.readyReplicas)/\(context.output.spec.replicas)"
    healthPolicy: |-
      ready: {
-      	if context.output.status.updatedReplicas == _|_  {
-      		updatedReplicas : 0
+      	updatedReplicas:    *0 | int
+      	readyReplicas:      *0 | int
+      	replicas:           *0 | int
+      	observedGeneration: *0 | int
+      } & {
+      	if context.output.status.updatedReplicas != _|_ {
+      		updatedReplicas: context.output.status.updatedReplicas
      	}
-
-      	if context.output.status.updatedReplicas != _|_  {
-      		updatedReplicas : context.output.status.updatedReplicas
-      	}
-
-      	if context.output.status.readyReplicas == _|_ {
-      		readyReplicas: 0
-      	}
-
      	if context.output.status.readyReplicas != _|_ {
      		readyReplicas: context.output.status.readyReplicas
      	}
-
-      	if context.output.status.replicas == _|_ {
-      		replicas: 0
-      	}
      	if context.output.status.replicas != _|_ {
      		replicas: context.output.status.replicas
      	}
-
      	if context.output.status.observedGeneration != _|_ {
      		observedGeneration: context.output.status.observedGeneration
      	}
-
-      	if context.output.status.observedGeneration == _|_ {
-      		observedGeneration: 0
-      	}
      }
-      	isHealth: (context.output.spec.replicas == ready.readyReplicas) && (context.output.spec.replicas == ready.updatedReplicas) && (context.output.spec.replicas == ready.replicas) && (ready.observedGeneration == context.output.metadata.generation || ready.observedGeneration > context.output.metadata.generation)
+      isHealth: (context.output.spec.replicas == ready.readyReplicas) && (context.output.spec.replicas == ready.updatedReplicas) && (context.output.spec.replicas == ready.replicas) && (ready.observedGeneration == context.output.metadata.generation || ready.observedGeneration > context.output.metadata.generation)
  workload:
    definition:
      apiVersion: apps/v1
--- a/charts/vela-minimal/templates/defwithtemplate/worker.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/worker.yaml
@@ -396,52 +396,35 @@ spec:
        }
  status:
    customStatus: |-
-      import "strconv"
      ready: {
-      	if context.output.status.readyReplicas == _|_ {
-      		readyReplicas: 0
-      	}
-
+      	readyReplicas: *0 | int
+      } & {
      	if context.output.status.readyReplicas != _|_ {
      		readyReplicas: context.output.status.readyReplicas
      	}
      }
-
-      message: "Ready:" + strconv.FormatInt(ready.readyReplicas, 10) + "/" + strconv.FormatInt(context.output.spec.replicas, 10)
+      message: "Ready:\(ready.readyReplicas)/\(context.output.spec.replicas)"
    healthPolicy: |-
      ready: {
-      	if context.output.status.updatedReplicas == _|_  {
-      		updatedReplicas : 0
+      	updatedReplicas:    *0 | int
+      	readyReplicas:      *0 | int
+      	replicas:           *0 | int
+      	observedGeneration: *0 | int
+      } & {
+      	if context.output.status.updatedReplicas != _|_ {
+      		updatedReplicas: context.output.status.updatedReplicas
      	}
-
-      	if context.output.status.updatedReplicas != _|_  {
-      		updatedReplicas : context.output.status.updatedReplicas
-      	}
-
-      	if context.output.status.readyReplicas == _|_ {
-      		readyReplicas: 0
-      	}
-
      	if context.output.status.readyReplicas != _|_ {
      		readyReplicas: context.output.status.readyReplicas
      	}
-
-      	if context.output.status.replicas == _|_ {
-      		replicas: 0
-      	}
      	if context.output.status.replicas != _|_ {
      		replicas: context.output.status.replicas
      	}
-
      	if context.output.status.observedGeneration != _|_ {
      		observedGeneration: context.output.status.observedGeneration
      	}
-
-      	if context.output.status.observedGeneration == _|_ {
-      		observedGeneration: 0
-      	}
      }
-      	isHealth: (context.output.spec.replicas == ready.readyReplicas) && (context.output.spec.replicas == ready.updatedReplicas) && (context.output.spec.replicas == ready.replicas) && (ready.observedGeneration == context.output.metadata.generation || ready.observedGeneration > context.output.metadata.generation)
+      isHealth: (context.output.spec.replicas == ready.readyReplicas) && (context.output.spec.replicas == ready.updatedReplicas) && (context.output.spec.replicas == ready.replicas) && (ready.observedGeneration == context.output.metadata.generation || ready.observedGeneration > context.output.metadata.generation)
  workload:
    definition:
      apiVersion: apps/v1
--- a/charts/vela-minimal/values.yaml
+++ b/charts/vela-minimal/values.yaml
@@ -107,7 +107,7 @@ multicluster:
    port: 9443
    image:
      repository: oamdev/cluster-gateway
-      tag: v1.1.7
+      tag: v1.3.2
      pullPolicy: IfNotPresent
    resources:
      limits:
--- a/cmd/apiserver/main.go
+++ b/cmd/apiserver/main.go
@@ -120,5 +120,5 @@ func (s *Server) buildSwagger() (*spec.Swagger, error) {
 	if err != nil {
 		return nil, fmt.Errorf("create apiserver failed : %w ", err)
 	}
-	return restfulspec.BuildSwagger(server.RegisterServices()), nil
+	return restfulspec.BuildSwagger(server.RegisterServices(context.Background(), false)), nil
 }
--- a/cmd/core/main.go
+++ b/cmd/core/main.go
@@ -19,7 +19,6 @@ package main
 import (
 	"context"
 	"errors"
-	"flag"
 	"fmt"
 	"io"
 	"net/http"
@@ -30,11 +29,14 @@ import (
 	"strings"
 	"time"

+	flag "github.com/spf13/pflag"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/klog/v2"
 	"k8s.io/klog/v2/klogr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"

+	"github.com/oam-dev/kubevela/pkg/auth"
 	ctrlClient "github.com/oam-dev/kubevela/pkg/client"
 	standardcontroller "github.com/oam-dev/kubevela/pkg/controller"
 	commonconfig "github.com/oam-dev/kubevela/pkg/controller/common"
@@ -42,6 +44,7 @@ import (
 	oamv1alpha2 "github.com/oam-dev/kubevela/pkg/controller/core.oam.dev/v1alpha2"
 	"github.com/oam-dev/kubevela/pkg/controller/utils"
 	"github.com/oam-dev/kubevela/pkg/cue/packages"
+	_ "github.com/oam-dev/kubevela/pkg/features"
 	_ "github.com/oam-dev/kubevela/pkg/monitor/metrics"
 	"github.com/oam-dev/kubevela/pkg/multicluster"
 	"github.com/oam-dev/kubevela/pkg/oam"
@@ -86,6 +89,8 @@ func main() {
 	var renewDeadline time.Duration
 	var retryPeriod time.Duration
 	var enableClusterGateway bool
+	var enableClusterMetrics bool
+	var clusterMetricsInterval time.Duration

 	flag.BoolVar(&useWebhook, "use-webhook", false, "Enable Admission Webhook")
 	flag.StringVar(&certDir, "webhook-cert-dir", "/k8s-webhook-server/serving-certs", "Admission webhook cert/key dir.")
@@ -133,14 +138,18 @@ func main() {
 	flag.DurationVar(&retryPeriod, "leader-election-retry-period", 2*time.Second,
 		"The duration the LeaderElector clients should wait between tries of actions")
 	flag.BoolVar(&enableClusterGateway, "enable-cluster-gateway", false, "Enable cluster-gateway to use multicluster, disabled by default.")
+	flag.BoolVar(&enableClusterMetrics, "enable-cluster-metrics", false, "Enable cluster-metrics-management to collect metrics from clusters with cluster-gateway, disabled by default. When this param is enabled, enable-cluster-gateway should be enabled")
+	flag.DurationVar(&clusterMetricsInterval, "cluster-metrics-interval", 15*time.Second, "The interval that ClusterMetricsMgr will collect metrics from clusters, default value is 15 seconds.")
 	flag.BoolVar(&controllerArgs.EnableCompatibility, "enable-asi-compatibility", false, "enable compatibility for asi")
 	flag.BoolVar(&controllerArgs.IgnoreAppWithoutControllerRequirement, "ignore-app-without-controller-version", false, "If true, application controller will not process the app without 'app.oam.dev/controller-version-require' annotation")
+	flag.BoolVar(&controllerArgs.IgnoreDefinitionWithoutControllerRequirement, "ignore-definition-without-controller-version", false, "If true, trait/component/workflowstep definition controller will not process the definition without 'definition.oam.dev/controller-version-require' annotation")
 	standardcontroller.AddOptimizeFlags()
 	standardcontroller.AddAdmissionFlags()
 	flag.IntVar(&resourcekeeper.MaxDispatchConcurrent, "max-dispatch-concurrent", 10, "Set the max dispatch concurrent number, default is 10")
 	flag.IntVar(&workflow.MaxWorkflowWaitBackoffTime, "max-workflow-wait-backoff-time", 60, "Set the max workflow wait backoff time, default is 60")
 	flag.IntVar(&workflow.MaxWorkflowFailedBackoffTime, "max-workflow-failed-backoff-time", 300, "Set the max workflow wait backoff time, default is 300")
 	flag.IntVar(&custom.MaxWorkflowStepErrorRetryTimes, "max-workflow-step-error-retry-times", 10, "Set the max workflow step error retry times, default is 10")
+	utilfeature.DefaultMutableFeatureGate.AddFlag(flag.CommandLine)

 	flag.Parse()
 	// setup logging
@@ -197,13 +206,23 @@ func main() {
 	restConfig.UserAgent = kubevelaName + "/" + version.GitRevision
 	restConfig.QPS = float32(qps)
 	restConfig.Burst = burst
+	restConfig.Wrap(auth.NewImpersonatingRoundTripper)

 	// wrapper the round tripper by multi cluster rewriter
 	if enableClusterGateway {
-		if _, err := multicluster.Initialize(restConfig, true); err != nil {
+		client, err := multicluster.Initialize(restConfig, true)
+		if err != nil {
 			klog.ErrorS(err, "failed to enable multi-cluster capability")
 			os.Exit(1)
 		}
+
+		if enableClusterMetrics {
+			_, err := multicluster.NewClusterMetricsMgr(context.Background(), client, clusterMetricsInterval)
+			if err != nil {
+				klog.ErrorS(err, "failed to enable multi-cluster-metrics capability")
+				os.Exit(1)
+			}
+		}
 	}
 	ctrl.SetLogger(klogr.New())

--- a/codecov.yml
+++ b/codecov.yml
@@ -6,3 +6,6 @@ coverage:
    patch:
      default:
        target: 70%
+ignore:
+  - "**/zz_generated.deepcopy.go"
+  - "references/"
--- a/contribute/README.md
+++ b/contribute/README.md
@@ -6,3 +6,4 @@ This directory contains guides for contributors to the KubeVela project.
 * [Developer guide](./developer-guide.md)
 * [Triage issues](./triage-issues.md)
 * [Code conventions](./coding-conventions.md)
+* [Develop Code Flow](./develop-code-flow.pdf)
--- a/contribute/develop-code-flow.pdf
+++ b/contribute/develop-code-flow.pdf
--- a/contribute/developer-guide.md
+++ b/contribute/developer-guide.md
@@ -5,7 +5,7 @@ This guide helps you get started developing KubeVela.
 ## Prerequisites

 1. Golang version 1.17+
-2. Kubernetes version v1.18+ with `~/.kube/config` configured.
+2. Kubernetes version v1.20+ with `~/.kube/config` configured.
 3. ginkgo 1.14.0+ (just for [E2E test](./developer-guide.md#e2e-test))
 4. golangci-lint 1.38.0+, it will install automatically if you run `make`, you can [install it manually](https://golangci-lint.run/usage/install/#local-installation) if the installation is too slow.
 5. kubebuilder v3.1.0+ and you need to manually install the dependency tools for unit test.
@@ -177,7 +177,7 @@ To execute the e2e test of the API module, the mongodb service needs to exist lo
 # save your config
 mv ~/.kube/config  ~/.kube/config.save

-kind create cluster --image kindest/node:v1.18.15@sha256:5c1b980c4d0e0e8e7eb9f36f7df525d079a96169c8a8f20d8bd108c0d0889cc4 --name worker
+kind create cluster --image kindest/node:v1.20.7@sha256:688fba5ce6b825be62a7c7fe1415b35da2bdfbb5a69227c499ea4cc0008661ca --name worker
 kind get kubeconfig --name worker --internal > /tmp/worker.kubeconfig
 kind get kubeconfig --name worker > /tmp/worker.client.kubeconfig

--- a/docs/apidoc/swagger.json
+++ b/docs/apidoc/swagger.json
--- a/docs/examples/app-with-policy/gc-policy/persist-resources.md
+++ b/docs/examples/app-with-policy/gc-policy/persist-resources.md
@@ -95,7 +95,32 @@ spec:
      properties:
        rules:
          - selector:
-             componentTypes:
-               - webservice
-           strategy: never
+              componentTypes:
+                - webservice
+            strategy: never
+```
+
+A more straightforward way is to specify `compNames` to match specified components.
+```yaml
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: create-ns-app
+spec:
+  components:
+    - name: example-addon-namespace
+      type: k8s-objects
+      properties:
+        objects:
+          - apiVersion: v1
+            kind: Namespace
+  policies:
+    - name: garbage-collect
+      type: garbage-collect
+      properties:
+        rules:
+          - selector:
+              componentNames:
+                - example-addon-namespace
+            strategy: never
 ```
--- a/docs/examples/application/application-revision-arch.jpg
+++ b/docs/examples/application/application-revision-arch.jpg
--- a/docs/examples/application/versioning.md
+++ b/docs/examples/application/versioning.md
@@ -0,0 +1,139 @@
+# Managing KubeVela Application Versions
+
+![overall-arch](./application-revision-arch.jpg)
+
+In KubeVela, ApplicationRevision keeps the snapshot of application and all its runtime dependencies such as ComponentRevision, external Policy or referred objects.
+This revision can be used review the application changes and rollback to past configurations.
+
+In KubeVela v1.3, for application which uses the `PublishVersion` feature, we support viewing the history revisions, checking the differences across revisions, and rolling back to the latest succeeded revision.
+
+For application with the `app.oam.dev/publishVersion` annotation, the workflow runs are strictly controlled.
+The annotation, which is noted as *publishVersion* in the following paragraphs, is used to identify a static version of the application and its dependencies.
+
+When the annotation is updated to a new value, the application will generate a new revision no matter if the application spec or the dependencies are changed. 
+It will then trigger a fresh new run of workflow after terminating the previous run.
+
+During the running of workflow, all related data are retrieved from the ApplicationRevision, which means the changes to the application spec or the dependencies will not take effects until a newer `publishVerison` is annotated.
+
+Fo example, let's start with an application with has referred objects, external workflow and policies.
+
+```yaml
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: nginx-publish-version
+  namespace: examples
+  annotations:
+    app.oam.dev/publishVersion: alpha1
+spec:
+  components:
+    - name: nginx-publish-version
+      type: ref-objects
+      properties:
+        objects:
+          - resource: deployment
+  workflow:
+    ref: make-release-in-hangzhou
+---
+apiVersion: core.oam.dev/v1alpha1
+kind: Policy
+metadata:
+  name: topology-hangzhou-clusters
+  namespace: examples
+type: topology
+properties:
+  clusterLabelSelector:
+    region: hangzhou
+---
+apiVersion: core.oam.dev/v1alpha1
+kind: Workflow
+metadata:
+  name: make-release-in-hangzhou
+  namespace: examples
+steps:
+  - name: deploy-hangzhou
+    type: deploy
+    properties:
+      policies: ["topology-hangzhou-clusters"]
+```
+
+This application should be successful after a while. 
+Now if we edit the referred deployment and set its image to an invalid value, such as `nginx:1.200`. 
+The application will not re-run the workflow to make this change take effect automatically.
+But since the dependencies of this application changes, it means the next workflow run will update the deployment image.
+
+Now let's run `vela live-diff nginx-publish-version -n examples` to check this diff
+```bash
+$ vela live-diff nginx-publish-version -n examples
+* Application (nginx-publish-version) has no change
+* External Policy (topology-hangzhou-clusters) has no change
+* External Workflow (make-release-in-hangzhou) has no change
+* Referred Object (apps/v1 Deployment examples/nginx-publish-version) has been modified(*)
+  apiVersion: apps/v1
+  kind: Deployment
+  metadata:
+    annotations:
+-     deployment.kubernetes.io/revision: "1"
+     deployment.kubernetes.io/revision: "2"
+    labels:
+      app: nginx-publish-version
+    name: nginx-publish-version
+    namespace: examples
+  spec:
+    progressDeadlineSeconds: 600
+    replicas: 1
+    revisionHistoryLimit: 10
+    selector:
+      matchLabels:
+        app: nginx-publish-version
+    strategy:
+      rollingUpdate:
+        maxSurge: 25%
+        maxUnavailable: 25%
+      type: RollingUpdate
+    template:
+      metadata:
+        creationTimestamp: null
+        labels:
+          app: nginx-publish-version
+      spec:
+        containers:
+-       - image: nginx
+       - image: nginx:1.200
+          imagePullPolicy: Always
+          name: nginx
+          resources: {}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+        dnsPolicy: ClusterFirst
+        restartPolicy: Always
+        schedulerName: default-scheduler
+        securityContext: {}
+        terminationGracePeriodSeconds: 30
+```
+
+We can see all the changes of the application spec and the dependencies. 
+Now let's make this change take effects. 
+Update the `publishVersion` annotation in the application to `alpha2` to trigger the re-run of workflow.
+We will find the application stuck at `runningWorkflow` as the deployment cannot finish the update progress due to the invalid image.
+
+Now we can run `vela revision list nginx-publish-version -n examples` to list all the available revisions.
+```bash
+$ vela revision list nginx-publish-version -n examples
+NAME                            PUBLISH_VERSION SUCCEEDED       HASH                    BEGIN_TIME              STATUS          SIZE   
+nginx-publish-version-v1        alpha1          true            d428eff1f0a7918         2022-03-28 20:54:25     Succeeded       8.1 KiB
+nginx-publish-version-v2        alpha2          false           4f04da8827d87922        2022-03-28 21:01:25     Executing       8.1 KiB
+```
+
+Before rolling back, we need to suspend the workflow of the application first. Run `vela workflow suspend nginx-publish-version -n examples`. 
+After the application workflow is suspended, run `vela workflow rollback nginx-publish-version -n examples`, the workflow will be rolled back and the application resources will restore to the succeeded state.
+```bash
+$ vela workflow suspend nginx-publish-version -n examples 
+Successfully suspend workflow: nginx-publish-version
+$ vela workflow rollback nginx-publish-version -n examples
+Find succeeded application revision nginx-publish-version-v1 (PublishVersion: alpha1) to rollback.
+Application spec rollback successfully.
+Application status rollback successfully.
+Application rollback completed.
+Application outdated revision cleaned up.
+```
--- a/docs/examples/config/dex-connector/app-config-dex-connector-github.yaml
+++ b/docs/examples/config/dex-connector/app-config-dex-connector-github.yaml
@@ -0,0 +1,21 @@
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: config-dex-connector-dev
+  namespace: vela-system
+  labels:
+    "app.oam.dev/source-of-truth": "from-inner-system"
+    "config.oam.dev/catalog": "velacore-config"
+    "config.oam.dev/type": "config-dex-connector"
+    "config.oam.dev/sub-type": "github"
+    project: abc
+spec:
+  components:
+    - name: dev
+      type: config-dex-connector
+      properties:
+        type: github
+        github:
+          clientID: "aa"
+          clientSecret: "bb"
+          redirectURI: "http://localhost:8080/callback"
--- a/docs/examples/config/image-registry/README.md
+++ b/docs/examples/config/image-registry/README.md
@@ -0,0 +1,102 @@
+# How to store and use configurations
+
+## General
+
+- list all configuration types
+```shell
+$ vela components --label custom.definition.oam.dev/catalog.config.oam.dev=velacore-config
+NAME                  	DEFINITION
+config-dex-connector  	autodetects.core.oam.dev
+config-helm-repository	autodetects.core.oam.dev
+config-image-registry 	autodetects.core.oam.dev
+terraform-azure       	autodetects.core.oam.dev
+terraform-baidu       	autodetects.core.oam.dev
+```
+
+```json
+# Get http://127.0.0.1:8000/api/v1/configs
+
+[
+ {
+  "definitions": [
+   "config-dex-connector"
+  ],
+  "name": "Dex Connectors",
+  "type": "dex-connector"
+ },
+ {
+  "definitions": [
+   "config-helm-repository"
+  ],
+  "name": "Helm Repository",
+  "type": "helm-repository"
+ },
+ {
+  "definitions": [
+   "config-image-registry"
+  ],
+  "name": "Image Registry",
+  "type": "image-registry"
+ },
+ null,
+ {
+  "definitions": [
+   "terraform-baidu"
+  ],
+  "name": "Terraform Cloud Provider",
+  "type": "terraform-provider"
+ }
+]
+```
+
+- list all configurations
+
+```shell
+$ kubectl get secret -n vela-system -l=config.oam.dev/catalog=velacore-config
+NAME                 TYPE                             DATA   AGE
+image-registry-dev   kubernetes.io/dockerconfigjson   1      3h51m
+```
+
+## Image registry
+
+- Create a config for an image registry
+
+```shell
+$ vela up -f app-config-image-registry-account-auth.yaml
+Applying an application in vela K8s object format...
+I0323 10:45:25.347102   85930 apply.go:107] "creating object" name="config-image-registry-account-auth-dev" resource="core.oam.dev/v1beta1, Kind=Application"
+✅ App has been deployed 🚀🚀🚀
+    Port forward: vela port-forward config-image-registry-account-auth-dev
+             SSH: vela exec config-image-registry-account-auth-dev
+         Logging: vela logs config-image-registry-account-auth-dev
+      App status: vela status config-image-registry-account-auth-dev
+        Endpoint: vela status config-image-registry-account-auth-dev
+ --endpoint%
+ 
+ 
+$ kubectl get secret -n vela-system -l=config.oam.dev/catalog=velacore-config
+NAME                 TYPE                             DATA   AGE
+image-registry-dev   kubernetes.io/dockerconfigjson   1      77s
+```
+
+- Deliver the config secret to working cluster
+
+```shell
+$ vela cluster list
+CLUSTER	TYPE           	ENDPOINT                  	ACCEPTED	LABELS
+local  	Internal       	-                         	true
+bj     	X509Certificate	https://123.57.73.107:6443	true
+
+$ vela up -f app-deliever-secret.yaml
+```
+
+- Deploy an application who needs to pull images from the private image registry
+
+```shell
+$ export KUBECONFIG=~/.kube/config-bj
+$ kubectl get secret -n vela-system -l=config.oam.dev/catalog=velacore-config
+NAME                 TYPE                             DATA   AGE
+image-registry-dev   kubernetes.io/dockerconfigjson   1      120s
+
+$ vela up -f app-validate-imagePullSecret.yaml
+```
--- a/docs/examples/config/image-registry/app-config-image-registry-account-auth.yaml
+++ b/docs/examples/config/image-registry/app-config-image-registry-account-auth.yaml
@@ -0,0 +1,20 @@
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: image-dev
+  namespace: vela-system
+  labels:
+    "app.oam.dev/source-of-truth": "from-inner-system"
+    "config.oam.dev/catalog": "velacore-config"
+    "config.oam.dev/type": "config-image-registry"
+    project: abc
+spec:
+  components:
+    - name: image-dev
+      type: config-image-registry
+      properties:
+        registry: "registry.cn-beijing.aliyuncs.com"
+        auth:
+          username: "xxx"
+          password: "PfwrjwifjFaked"
+          email: "a@gmail.com"
--- a/docs/examples/config/image-registry/app-deliever-secret.yaml
+++ b/docs/examples/config/image-registry/app-deliever-secret.yaml
@@ -0,0 +1,22 @@
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: config-project1
+  namespace: vela-system
+  labels:
+    config.oam.dev/catalog: "velacore-config"
+    config.oam.dev/type: "helm-repository"
+spec:
+  components:
+    - name: deliver-secret
+      type: ref-objects
+      properties:
+        objects:
+          - name: reg-demo
+            resource: secret
+  policies:
+    - type: topology
+      name: dev
+      properties:
+        clusters: ["bj"]
+        namespace: default
--- a/docs/examples/config/image-registry/app-sample.yaml
+++ b/docs/examples/config/image-registry/app-sample.yaml
@@ -0,0 +1,14 @@
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: app-sample
+  namespace: ns1
+spec:
+  components:
+    - name: sample
+      type: webservice
+      properties:
+        image: registry.cn-beijing.aliyuncs.com/vela/nginx:latest
+        imagePullPolicy: Always
+        imagePullSecrets:
+          - image-registry-dev
--- a/docs/examples/config/image-registry/app-validate-imagePullSecret.yaml
+++ b/docs/examples/config/image-registry/app-validate-imagePullSecret.yaml
@@ -0,0 +1,14 @@
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: app-validate-image-pull-secret
+  namespace: vela-system
+spec:
+  components:
+    - name: validate
+      type: webservice
+      properties:
+        image: registry.cn-beijing.aliyuncs.com/vela/nginx:latest
+        imagePullPolicy: Always
+        imagePullSecrets:
+          - image-registry-dev
--- a/docs/examples/custom-trait/README.md
+++ b/docs/examples/custom-trait/README.md
@@ -0,0 +1,103 @@
+# How to use
+
+1. define a stateful component with StatefulSet as output
+
+```shell
+$ vela def apply stateful.cue
+ComponentDefinition test-stateful created in namespace vela-system.
+```
+
+2. define a custom trait with patch volume
+
+```shell
+$ vela def apply volume-trait.cue
+TraitDefinition storageclass created in namespace vela-system.
+```
+
+3. You can validate it by:
+```
+$ vela def vet volume-trait.cue 
+Validation succeed.
+```
+
+
+
+4. try dry run your app:
+```
+vela dry-run -f app.yaml 
+```
+
+```yaml
+# Application(website) -- Component(custom-component)
+---
+
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  annotations: {}
+  labels:
+    app.oam.dev/appRevision: ""
+    app.oam.dev/component: custom-component
+    app.oam.dev/name: website
+    app.oam.dev/namespace: default
+    app.oam.dev/resourceType: WORKLOAD
+    workload.oam.dev/type: test-stateful
+  name: custom-component
+  namespace: default
+spec:
+  minReadySeconds: 10
+  replicas: 1
+  selector:
+    matchLabels:
+      app: custom-component
+  serviceName: custom-component
+  template:
+    metadata:
+      labels:
+        app: custom-component
+    spec:
+      containers:
+      - image: nginx:latest
+        name: nginx
+        ports:
+        - containerPort: 80
+          name: web
+        volumeMounts:
+        - mountPath: /usr/share/nginx/html
+          name: test
+      terminationGracePeriodSeconds: 10
+  volumeClaimTemplates:
+  - metadata:
+      name: test
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 10Gi
+      storageClassName: cbs
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations: {}
+  labels:
+    app: custom-component
+    app.oam.dev/appRevision: ""
+    app.oam.dev/component: custom-component
+    app.oam.dev/name: website
+    app.oam.dev/namespace: default
+    app.oam.dev/resourceType: TRAIT
+    trait.oam.dev/resource: web
+    trait.oam.dev/type: AuxiliaryWorkload
+  name: custom-component
+  namespace: default
+spec:
+  clusterIP: None
+  ports:
+  - name: web
+    port: 80
+  selector:
+    app: custom-component
+```
--- a/docs/examples/custom-trait/app.yaml
+++ b/docs/examples/custom-trait/app.yaml
@@ -0,0 +1,20 @@
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: website
+  namespace: default
+spec:
+  components:
+    - name: custom-component
+      type: test-stateful
+      properties:
+        image: nginx:latest
+        replicas: 1
+      traits:
+        - type: storageclass
+          properties:
+            volumeClaimTemplates:
+              - name: test
+                requests: 10Gi
+                storageClassName: cbs
+                mountPath: /usr/share/nginx/html
--- a/docs/examples/custom-trait/stateful.cue
+++ b/docs/examples/custom-trait/stateful.cue
@@ -0,0 +1,58 @@
+"test-stateful": {
+	annotations: {}
+	attributes: workload: definition: {
+		apiVersion: "apps/v1"
+		kind:       "StatefulSet"
+	}
+	description: "StatefulSet component."
+	labels: {}
+	type: "component"
+}
+
+template: {
+	output: {
+		apiVersion: "apps/v1"
+		kind:       "StatefulSet"
+		metadata: name: context.name
+		spec: {
+			selector: matchLabels: app: context.name
+			minReadySeconds: 10
+			replicas:        parameter.replicas
+			serviceName:     context.name
+			template: {
+				metadata: labels: app: context.name
+				spec: {
+					containers: [{
+						name: "nginx"
+						ports: [{
+							name:          "web"
+							containerPort: 80
+						}]
+						image: parameter.image
+					}]
+					terminationGracePeriodSeconds: 10
+				}
+			}
+		}
+	}
+	outputs: web: {
+		apiVersion: "v1"
+		kind:       "Service"
+		metadata: {
+			name: context.name
+			labels: app: context.name
+		}
+		spec: {
+			clusterIP: "None"
+			ports: [{
+				name: "web"
+				port: 80
+			}]
+			selector: app: context.name
+		}
+	}
+	parameter: {
+		image:    string
+		replicas: int
+	}
+}
--- a/docs/examples/custom-trait/volume-trait.cue
+++ b/docs/examples/custom-trait/volume-trait.cue
@@ -0,0 +1,56 @@
+storageclass: {
+	type: "trait"
+	annotations: {}
+	labels: {}
+	description: "Add storageclass on K8s pod for your workload which follows the pod spec in path 'spec.template'."
+	attributes: {
+		appliesToWorkloads: ["*"]
+	}
+}
+template: {
+
+	volumeClaimTemplatesList: *[
+					for v in parameter.volumeClaimTemplates {
+			{
+				metadata: name: v.name
+				spec: {
+					accessModes: ["ReadWriteOnce"]
+					resources: requests: storage: v.requests
+					storageClassName: v.storageClassName
+				}
+			}
+		},
+	] | []
+
+	volumeClaimTemplateVolumeMountsList: *[
+						for v in parameter.volumeClaimTemplates {
+			{
+				name:      v.name
+				mountPath: v.mountPath
+			}
+		},
+	] | []
+
+	patch: {
+		// +patchKey=name
+		spec: {
+			template: spec: {
+				containers: [...{
+					// +patchKey=name
+					volumeMounts: volumeClaimTemplateVolumeMountsList
+				}]
+			}
+			// +patchKey=name
+			volumeClaimTemplates: volumeClaimTemplatesList
+		}
+	}
+
+	parameter: {
+		volumeClaimTemplates?: [...{
+			name:             string
+			requests:         string
+			storageClassName: string
+			mountPath:        string
+		}]
+	}
+}
--- a/docs/examples/multicluster/deploy.md
+++ b/docs/examples/multicluster/deploy.md
@@ -0,0 +1,433 @@
+# Advanced examples for multi-cluster deployment
+
+The below features are introduced in KubeVela v1.3.
+
+![overall-arch](./ref-arch.jpg)
+
+## Topology Policy
+
+Topology policy is a policy used to describe the location where application component should be deployed and managed.
+
+The most straight forward way is directly specifying the names of clusters to be deployed.
+In the following example, the nginx webservice will be deployed to the `examples` namespace in both `hangzhou-1` and `hangzhou-2` clusters concurrently.
+After nginx in both clusters are ready, the application will finish running workflow and becomes healthy. 
+
+```yaml
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: basic-topology
+  namespace: examples
+spec:
+  components:
+    - name: nginx-basic
+      type: webservice
+      properties:
+        image: nginx
+  policies:
+    - name: topology-hangzhou-clusters
+      type: topology
+      properties:
+        clusters: ["hangzhou-1", "hangzhou-2"]
+```
+
+The clusters in the topology can also be selected by labels instead of names.
+
+```yaml
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: label-selector-topology
+  namespace: examples
+spec:
+  components:
+    - name: nginx-label-selector
+      type: webservice
+      properties:
+        image: nginx
+  policies:
+    - name: topology-hangzhou-clusters
+      type: topology
+      properties:
+        clusterLabelSelector:
+          region: hangzhou
+```
+
+If you want to deploy application components into the control plane cluster, you can use the `local` cluster.
+Besides, you can also deploy your application components in another namespace other than the application's namespace.
+
+```yaml
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: local-ns-topology
+  namespace: examples
+spec:
+  components:
+    - name: nginx-local-ns
+      type: webservice
+      properties:
+        image: nginx
+  policies:
+    - name: topology-local
+      type: topology
+      properties:
+        clusters: ["local"]
+        namespace: examples-alternative
+```
+
+## Deploy WorkflowStep
+
+By default, if you declare multiple topology policies in the application, the application components will be deployed in all destinations following the order of the policies.
+
+If you want to manipulate the process of deploying them, for example, changing the order or adding manual-approval, you can use the `deploy` workflow step explicitly in the workflow to achieve that.
+
+```yaml
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: deploy-workflowstep
+  namespace: examples
+spec:
+  components:
+    - name: nginx-deploy-workflowstep
+      type: webservice
+      properties:
+        image: nginx
+  policies:
+    - name: topology-hangzhou-clusters
+      type: topology
+      properties:
+        clusterLabelSelector:
+          region: hangzhou
+    - name: topology-local
+      type: topology
+      properties:
+        clusters: ["local"]
+        namespace: examples-alternative
+  workflow:
+    steps:
+      - type: deploy
+        name: deploy-local
+        properties:
+          policies: ["topology-local"]
+      - type: deploy
+        name: deploy-hangzhou
+        properties:
+          # require manual approval before running this step
+          auto: false
+          policies: ["topology-hangzhou-clusters"]
+```
+
+You can also deploy application components with different topology policies concurrently, by filling these topology policies in on `deploy` step.
+
+```yaml
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: deploy-concurrently
+  namespace: examples
+spec:
+  components:
+    - name: nginx-deploy-concurrently
+      type: webservice
+      properties:
+        image: nginx
+  policies:
+    - name: topology-hangzhou-clusters
+      type: topology
+      properties:
+        clusterLabelSelector:
+          region: hangzhou
+    - name: topology-local
+      type: topology
+      properties:
+        clusters: ["local"]
+        namespace: examples-alternative
+  workflow:
+    steps:
+      - type: deploy
+        name: deploy-all
+        properties:
+          policies: ["topology-local", "topology-hangzhou-clusters"]
+```
+
+## Override Policy
+
+Override policy helps you to customize the application components in different clusters. For example, using a different container image or changing the default number of replicas. The override policy should be used together with the topology policy in the `deploy` workflow step.
+
+```yaml
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: deploy-with-override
+  namespace: examples
+spec:
+  components:
+    - name: nginx-with-override
+      type: webservice
+      properties:
+        image: nginx
+  policies:
+    - name: topology-hangzhou-clusters
+      type: topology
+      properties:
+        clusterLabelSelector:
+          region: hangzhou
+    - name: topology-local
+      type: topology
+      properties:
+        clusters: ["local"]
+        namespace: examples-alternative
+    - name: override-nginx-legacy-image
+      type: override
+      properties:
+        components:
+          - name: nginx-with-override
+            properties:
+              image: nginx:1.20
+    - name: override-high-availability
+      type: override
+      properties:
+        components:
+          - type: webservice
+            traits:
+              - type: scaler
+                properties:
+                  replicas: 3
+  workflow:
+    steps:
+      - type: deploy
+        name: deploy-local
+        properties:
+          policies: ["topology-local"]
+      - type: deploy
+        name: deploy-hangzhou
+        properties:
+          policies: ["topology-hangzhou-clusters", "override-nginx-legacy-image", "override-high-availability"]
+```
+
+The override policy has many advanced capabilities, such as adding new component or selecting components to use.
+The following example will deploy `nginx:1.20` to local cluster. `nginx` and `nginx:stable` will be deployed to hangzhou clusters.
+
+```yaml
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: advance-override
+  namespace: examples
+spec:
+  components:
+    - name: nginx-advance-override-legacy
+      type: webservice
+      properties:
+        image: nginx:1.20
+    - name: nginx-advance-override-latest
+      type: webservice
+      properties:
+        image: nginx
+  policies:
+    - name: topology-hangzhou-clusters
+      type: topology
+      properties:
+        clusterLabelSelector:
+          region: hangzhou
+    - name: topology-local
+      type: topology
+      properties:
+        clusters: ["local"]
+        namespace: examples-alternative
+    - name: override-nginx-legacy
+      type: override
+      properties:
+        selector: ["nginx-advance-override-legacy"]
+    - name: override-nginx-latest
+      type: override
+      properties:
+        selector: ["nginx-advance-override-latest", "nginx-advance-override-stable"]
+        components:
+          - name: nginx-advance-override-stable
+            type: webservice
+            properties:
+              image: nginx:stable
+  workflow:
+    steps:
+      - type: deploy
+        name: deploy-local
+        properties:
+          policies: ["topology-local", "override-nginx-legacy"]
+      - type: deploy
+        name: deploy-hangzhou
+        properties:
+          policies: ["topology-hangzhou-clusters", "override-nginx-latest"]
+```
+
+## Ref-object Component
+
+Sometimes, you may want to copy resources from one place to other places, such as copying secrets from the control plane cluster into managed clusters.
+You can use the `ref-object` typed component to achieve that.
+
+```yaml
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: ref-objects-example
+  namespace: examples
+spec:
+  components:
+    - name: image-pull-secrets
+      type: ref-objects
+      properties:
+        objects:
+          - resource: secret
+            name: image-credential-to-copy
+  policies:
+    - name: topology-hangzhou-clusters
+      type: topology
+      properties:
+        clusterLabelSelector:
+          region: hangzhou
+```
+
+You can also select resources by labels and duplicate them from one cluster into another cluster.
+
+```yaml
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: ref-objects-duplicate-deployments
+  namespace: examples
+spec:
+  components:
+    - name: duplicate-deployment
+      type: ref-objects
+      properties:
+        objects:
+          - resource: deployment
+            cluster: hangzhou-1
+            # select all deployment in the `examples` namespace in cluster `hangzhou-1` that matches the labelSelector
+            labelSelector:
+              need-duplicate: "true"
+  policies:
+    - name: topology-hangzhou-2
+      type: topology
+      properties:
+        clusters: ["hangzhou-2"]
+```
+
+You can also form a component by multiple referenced resources and even attach traits to the main workload.
+
+```yaml
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: ref-objects-multiple-resources
+  namespace: examples
+spec:
+  components:
+    - name: nginx-ref-multiple-resources
+      type: ref-objects
+      properties:
+        objects:
+          - resource: deployment
+          - resource: service
+      traits:
+        - type: scaler
+          properties:
+            replicas: 3
+  policies:
+    - name: topology-hangzhou-clusters
+      type: topology
+      properties:
+        clusterLabelSelector:
+          region: hangzhou
+```
+
+## External Policies and Workflow
+
+Sometimes, you may want to use the same policy across multiple applications or reuse previous workflow to deploy different resources.
+To reduce the repeated code, you can leverage the external policies and workflow and refer to them in your applications.
+
+> NOTE: you can only refer to Policy and Workflow within your application's namespace.
+
+```yaml
+apiVersion: core.oam.dev/v1alpha1
+kind: Policy
+metadata:
+  name: topology-hangzhou-clusters
+  namespace: examples
+type: topology
+properties:
+  clusterLabelSelector:
+    region: hangzhou
+---
+apiVersion: core.oam.dev/v1alpha1
+kind: Policy
+metadata:
+  name: override-high-availability-webservice
+  namespace: examples
+type: override
+properties:
+  components:
+    - type: webservice
+      traits:
+        - type: scaler
+          properties:
+            replicas: 3
+---
+apiVersion: core.oam.dev/v1alpha1
+kind: Workflow
+metadata:
+  name: make-release-in-hangzhou
+  namespace: examples
+steps:
+  - type: deploy
+    name: deploy-hangzhou
+    properties:
+      auto: false
+      policies: ["override-high-availability-webservice", "topology-hangzhou-clusters"]
+```
+
+```yaml
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: external-policies-and-workflow
+  namespace: examples
+spec:
+  components:
+    - name: nginx-external-policies-and-workflow
+      type: webservice
+      properties:
+        image: nginx
+  workflow:
+    ref: make-release-in-hangzhou
+```
+
+> NOTE: The internal policies will be loaded first. External policies will only be used when there is no corresponding policy inside the application. In the following example, we can reuse `tology-hangzhou-clusters` policy and `make-release-in-hangzhou` workflow but modify the `override-high-availability-webservice` by injecting the same-named policy inside the new application.
+
+```yaml
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: nginx-stable-ultra
+  namespace: examples
+spec:
+  components:
+    - name: nginx-stable-ultra
+      type: webservice
+      properties:
+        image: nginx:stable
+  policies:
+    - name: override-high-availability-webservice
+      type: override
+      properties:
+        components:
+          - type: webservice
+            traits:
+              - type: scaler
+                properties:
+                  replicas: 5
+  workflow:
+    ref: make-release-in-hangzhou
+```
--- a/docs/examples/multicluster/ref-arch.jpg
+++ b/docs/examples/multicluster/ref-arch.jpg
--- a/docs/examples/rbac/rbac.md
+++ b/docs/examples/rbac/rbac.md
@@ -0,0 +1,107 @@
+# RBAC
+
+User:
+
+```yaml
+name: user
+userRoles: ["app-developer"]
+...
+```
+
+ProjectUser:
+
+```yaml
+username: user
+project: demo
+userRoles: ["app-developer"]
+```
+
+Role:
+
+```yaml
+name: app-developer
+project: demo
+permissions: ["app-manage"]
+```
+
+```yaml
+name: admin
+permissions: ["all"]
+```
+
+Permission:
+
+```yaml
+name: app-manage
+project: demo
+resource: ["project:demo/application:*"]
+actions: ["*"]
+effect: Allow
+principal: {}
+condition: {}
+```
+
+```yaml
+name: app1-manage
+project: demo
+resource: ["project:demo/application:app1/*"]
+actions: ["*"]
+effect: Allow
+principal: {}
+condition: {}
+
+name: app2-manage
+project: demo
+resource: ["project:demo/application:app2/*"]
+actions: ["*"]
+effect: Allow
+principal: {}
+condition: {}
+```
+
+```yaml
+name: cluster-manage
+resource: ["cluster:*"]
+actions: ["*"]
+effect: Allow
+principal: {}
+condition: {}
+```
+
+```yaml
+name: cluster-beijing-manage
+resource: ["cluster:beijing"]
+actions: ["*"]
+effect: Allow
+principal: {}
+condition: {}
+```
+
+```yaml
+name: all
+resource: ["*"]
+actions: ["*"]
+effect: Allow
+principal: {}
+condition: {}
+```
+
+PermissionTemplate:
+
+```yaml
+name: app-manage
+resource: ["project:${projectName}/application:*"]
+actions: ["*"]
+level: project
+effect: Allow
+principal: {}
+condition: {}
+```
+
+```yaml
+name: deny-delete-cluster
+resource: ["cluster:*"]
+actions: ["delete"]
+level: platform
+effect: Deny
+```
--- a/docs/examples/rollout-trait/README.md
+++ b/docs/examples/rollout-trait/README.md
@@ -29,5 +29,5 @@ kubectl apply -f ./docs/examples/rollout-trait/app-v3.yaml

 6. modify targetSize as 7 to scale
 ```shell
-kubectl apply -f ./docs/examples/rollout-trait/app-sacle.yaml
+kubectl apply -f ./docs/examples/rollout-trait/app-scale.yaml
 ```
--- a/docs/examples/rollout-trait/app-scale.yaml
+++ b/docs/examples/rollout-trait/app-scale.yaml
--- a/docs/examples/terraform/app-jdbc.yaml
+++ b/docs/examples/terraform/app-jdbc.yaml
@@ -0,0 +1,40 @@
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: jdbc
+spec:
+  components:
+    - name: db
+      type: alibaba-rds
+      properties:
+        instance_name: favorite-links
+        database_name: db1
+        account_name: oamtest
+        password: U34rfwefwefffaked
+        security_ips: [ "0.0.0.0/0" ]
+        privilege: ReadWrite
+        writeConnectionSecretToRef:
+          name: db-conn
+    - name: express-server
+      type: webservice
+      properties:
+        image: crccheck/hello-world
+        port: 8000
+
+  workflow:
+    steps:
+      - name: jdbc
+        type: generate-jdbc-connection
+        outputs:
+          - name: jdbc
+            valueFrom: jdbc
+        properties:
+          name: db-conn
+          namespace: default
+      - name: apply
+        type: apply-component
+        inputs:
+          - from: jdbc
+            parameterKey: env
+        properties:
+          component: express-server
--- a/docs/examples/traits/annotations/example.yaml
+++ b/docs/examples/traits/annotations/example.yaml
@@ -0,0 +1,25 @@
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: busybox
+spec:
+  components:
+    - name: busybox
+      type: webservice
+      properties:
+        image: busybox
+        cmd: ["sleep", "86400"]
+        annotations:
+          annotation-key: annotation-value
+          to-delete-annotation-key: to-delete-annotation-value
+      traits:
+        # the `annotations` trait will add/delete annotation key/value pair to the
+        # labels of the workload and the template inside the spec of the workload (if exists)
+        # 1. if original annotations contains the key, value will be overridden
+        # 2. if original annotations do not contain the key, value will be added
+        # 3. if original annotations contains the key and the value is null, the key will be removed
+        - type: annotations
+          properties:
+            added-annotation-key: added-annotation-value
+            annotation-key: modified-annotation-value
+            to-delete-annotation-key: null
--- a/docs/examples/traits/json-patch/example.yaml
+++ b/docs/examples/traits/json-patch/example.yaml
@@ -23,11 +23,6 @@ spec:
        - type: json-patch
          properties:
            operations:
-              - op: add
-                path: "/metadata"
-                value:
-                  labels:
-                    deploy-label-key: deploy-label-added-value
              - op: add
                path: "/spec/replicas"
                value: 3
--- a/docs/examples/traits/labels/example.yaml
+++ b/docs/examples/traits/labels/example.yaml
@@ -0,0 +1,25 @@
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: busybox
+spec:
+  components:
+    - name: busybox
+      type: webservice
+      properties:
+        image: busybox
+        cmd: ["sleep", "86400"]
+        labels:
+          label-key: label-value
+          to-delete-label-key: to-delete-label-value
+      traits:
+        # the `labels` trait will add/delete label key/value pair to the
+        # labels of the workload and the template inside the spec of the workload (if exists)
+        # 1. if original labels contains the key, value will be overridden
+        # 2. if original labels do not contain the key, value will be added
+        # 3. if original labels contains the key and the value is null, the key will be removed
+        - type: labels
+          properties:
+            added-label-key: added-label-value
+            label-key: modified-label-value
+            to-delete-label-key: null
--- a/Show More
+++ b/Show More