Fix: delete context when patch outputs in trait (#3854)

* Fix: delete context when patch outputs in trait

Signed-off-by: FogDong <dongtianxin.tx@alibaba-inc.com>

* use patchOutputs instead of outputs in patch

Signed-off-by: FogDong <dongtianxin.tx@alibaba-inc.com>

* fix typo

Signed-off-by: FogDong <dongtianxin.tx@alibaba-inc.com>

.github/CODEOWNERS

@@ -1,7 +1,7 @@
 # This file is a github code protect rule follow the codeowners https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/creating-a-repository-on-github/about-code-owners#example-of-a-codeowners-file
 
-*                                  @hongchaodeng @wonderflow @leejanee
-design/                            @hongchaodeng @resouer @wonderflow
+*                                  @barnettZQG @wonderflow @leejanee
+design/                            @barnettZQG @leejanee @wonderflow
 
 # Owner of CUE
 pkg/cue                            @leejanee @FogDong

.github/PULL_REQUEST_TEMPLATE.md

@@ -13,8 +13,8 @@ Fixes #
 
 I have:
 
-- [ ] Read and followed KubeVela's [contribution process](https://github.com/oam-dev/kubevela/blob/master/contribute/create-pull-request.md).
-- [ ] [Related Docs](https://github.com/oam-dev/kubevela.io) updated properly. In a new feature or configuration option, an update to the documentation is necessary. 
+- [ ] Read and followed KubeVela's [contribution process](https://github.com/kubevela/kubevela/blob/master/contribute/create-pull-request.md).
+- [ ] [Related Docs](https://github.com/kubevela/kubevela.io) updated properly. In a new feature or configuration option, an update to the documentation is necessary. 
 - [ ] Run `make reviewable` to ensure this PR is ready for review.
 - [ ] Added `backport release-x.y` labels to auto-backport this PR if necessary.
 

.github/bot.md

@@ -1,9 +1,9 @@
 ### GitHub & kubevela automation
 
-The bot is configured via [issue-commands.json](https://github.com/oam-dev/kubevela/blob/master/.github/workflows/issue-commands.json) 
-and some other GitHub [workflows](https://github.com/oam-dev/kubevela/blob/master/.github/workflows).
+The bot is configured via [issue-commands.json](https://github.com/kubevela/kubevela/blob/master/.github/workflows/issue-commands.json) 
+and some other GitHub [workflows](https://github.com/kubevela/kubevela/blob/master/.github/workflows).
 By default, users with write access to the repo is allowed to use the comments, 
-the [userlist](https://github.com/oam-dev/kubevela/blob/master/.github/comment.userlist) 
+the [userlist](https://github.com/kubevela/kubevela/blob/master/.github/comment.userlist) 
 file is for adding additional members who do not have access and want to contribute to the issue triage.
 
 Comment commands:
@@ -14,7 +14,7 @@ Comment commands:
 * Write the word `/area/*` in a comment, and the bot will add the corresponding label `/area/*`.
 * Write the word `/priority/*` in a comment, and the bot will add the corresponding label `/priority/*`.
 
-The `*` mention above represent a specific word. Please read the details about label category in [ISSUE_TRIAGE.md](https://github.com/oam-dev/kubevela/blob/master/ISSUE_TRIAGE.md)  
+The `*` mention above represent a specific word. Please read the details about label category in [ISSUE_TRIAGE.md](https://github.com/kubevela/kubevela/blob/master/ISSUE_TRIAGE.md)  
 
 Label commands:
 

.github/workflows/apiserver-test.yaml

@@ -6,7 +6,9 @@ on:
       - master
       - release-*
       - apiserver
-  workflow_dispatch: {}
+    tags:
+      - v*
+  workflow_dispatch: { }
   pull_request:
     branches:
       - master
@@ -18,6 +20,8 @@ env:
   GO_VERSION: '1.17'
   GOLANGCI_VERSION: 'v1.38'
   KIND_VERSION: 'v0.7.0'
+  KIND_IMAGE_VERSION: '[\"v1.20.7\"]'
+  KIND_IMAGE_VERSIONS: '[\"v1.18.20\",\"v1.20.7\",\"v1.22.7\"]'
 
 jobs:
 
@@ -35,10 +39,28 @@ jobs:
           do_not_skip: '["workflow_dispatch", "schedule", "push"]'
           concurrent_skipping: false
 
+  set-k8s-matrix:
+    runs-on: ubuntu-20.04
+    outputs:
+      matrix: ${{ steps.set-k8s-matrix.outputs.matrix }}
+    steps:
+      - id: set-k8s-matrix
+        run: |
+          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
+            echo "pushing tag: ${{ github.ref_name }}"
+            echo "::set-output name=matrix::${{ env.KIND_IMAGE_VERSIONS }}"
+          else
+            echo "::set-output name=matrix::${{ env.KIND_IMAGE_VERSION }}"
+          fi
+
+
   apiserver-unit-tests:
     runs-on: aliyun
-    needs: detect-noop
+    needs: [ detect-noop,set-k8s-matrix ]
     if: needs.detect-noop.outputs.noop != 'true'
+    strategy:
+      matrix:
+        k8s-version: ${{ fromJson(needs.set-k8s-matrix.outputs.matrix) }}
 
     steps:
       - name: Set up Go
@@ -65,7 +87,7 @@ jobs:
       - name: Setup Kind Cluster (Worker)
         run: |
           kind delete cluster --name worker
-          kind create cluster --image kindest/node:v1.18.15@sha256:5c1b980c4d0e0e8e7eb9f36f7df525d079a96169c8a8f20d8bd108c0d0889cc4 --name worker
+          kind create cluster --image kindest/node:${{ matrix.k8s-version }} --name worker
           kubectl version
           kubectl cluster-info
           kind get kubeconfig --name worker --internal > /tmp/worker.kubeconfig
@@ -74,7 +96,7 @@ jobs:
       - name: Setup Kind Cluster (Hub)
         run: |
           kind delete cluster
-          kind create cluster --image kindest/node:v1.18.15@sha256:5c1b980c4d0e0e8e7eb9f36f7df525d079a96169c8a8f20d8bd108c0d0889cc4
+          kind create cluster --image kindest/node:${{ matrix.k8s-version }}
           kubectl version
           kubectl cluster-info
 
@@ -92,10 +114,10 @@ jobs:
           kubectl wait --for=condition=Ready pod -l app=source-controller -n flux-system --timeout=600s
           kubectl wait --for=condition=Ready pod -l app=helm-controller -n flux-system --timeout=600s
 
-      - name: Run apiserver unit test
+      - name: Run api server unit test
         run: make unit-test-apiserver
 
-      - name: Run apiserver e2e test
+      - name: Run api server e2e test
         run: |
           export ALIYUN_ACCESS_KEY_ID=${{ secrets.ALIYUN_ACCESS_KEY_ID }}
           export ALIYUN_ACCESS_KEY_SECRET=${{ secrets.ALIYUN_ACCESS_KEY_SECRET }}

.github/workflows/codeql-analysis.yml

@@ -5,30 +5,6 @@ on:
     branches: [ master, release-* ]
 
 jobs:
-  images:
-    name: Image Scan
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Build Vela Core image from Dockerfile
-        run: |
-          docker build --build-arg GOPROXY=https://proxy.golang.org -t docker.io/oamdev/vela-core:${{ github.sha }} .
-
-      - name: Run Trivy vulnerability scanner for vela core
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: 'docker.io/oamdev/vela-core:${{ github.sha }}'
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v1
-        if: always()
-        with:
-          sarif_file: 'trivy-results.sarif'
-
   analyze:
     name: Analyze
     runs-on: ubuntu-latest

.github/workflows/e2e-multicluster-test.yml

@@ -5,6 +5,8 @@ on:
     branches:
       - master
       - release-*
+    tags:
+      - v*
   workflow_dispatch: {}
   pull_request:
     branches:
@@ -16,6 +18,8 @@ env:
   GO_VERSION: '1.17'
   GOLANGCI_VERSION: 'v1.38'
   KIND_VERSION: 'v0.7.0'
+  KIND_IMAGE_VERSION: '[\"v1.20.7\"]'
+  KIND_IMAGE_VERSIONS: '[\"v1.18.20\",\"v1.20.7\",\"v1.22.7\"]'
 
 jobs:
 
@@ -33,10 +37,29 @@ jobs:
           do_not_skip: '["workflow_dispatch", "schedule", "push"]'
           concurrent_skipping: false
 
+  set-k8s-matrix:
+    runs-on: ubuntu-20.04
+    outputs:
+      matrix: ${{ steps.set-k8s-matrix.outputs.matrix }}
+    steps:
+      - id: set-k8s-matrix
+        run: |
+          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
+            echo "pushing tag: ${{ github.ref_name }}"
+            echo "::set-output name=matrix::${{ env.KIND_IMAGE_VERSIONS }}"
+          else
+            echo "::set-output name=matrix::${{ env.KIND_IMAGE_VERSION }}"
+          fi
+
+
   e2e-multi-cluster-tests:
     runs-on: aliyun
-    needs: detect-noop
+    needs: [ detect-noop,set-k8s-matrix ]
     if: needs.detect-noop.outputs.noop != 'true'
+    strategy:
+      matrix:
+        k8s-version: ${{ fromJson(needs.set-k8s-matrix.outputs.matrix) }}
+
 
     steps:
       - name: Check out code into the Go module directory
@@ -60,7 +83,7 @@ jobs:
       - name: Setup Kind Cluster (Worker)
         run: |
           kind delete cluster --name worker
-          kind create cluster --image kindest/node:v1.18.15@sha256:5c1b980c4d0e0e8e7eb9f36f7df525d079a96169c8a8f20d8bd108c0d0889cc4 --name worker
+          kind create cluster --image kindest/node:${{ matrix.k8s-version }} --name worker
           kubectl version
           kubectl cluster-info
           kind get kubeconfig --name worker --internal > /tmp/worker.kubeconfig
@@ -69,7 +92,7 @@ jobs:
       - name: Setup Kind Cluster (Hub)
         run: |
           kind delete cluster
-          kind create cluster --image kindest/node:v1.18.15@sha256:5c1b980c4d0e0e8e7eb9f36f7df525d079a96169c8a8f20d8bd108c0d0889cc4
+          kind create cluster --image kindest/node:${{ matrix.k8s-version }}
           kubectl version
           kubectl cluster-info
 
@@ -96,7 +119,7 @@ jobs:
         uses: codecov/codecov-action@v1
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
-          files: /tmp/e2e-profile.out
+          files: /tmp/e2e-profile.out,/tmp/e2e_multicluster_test.out
           flags: e2e-multicluster-test
           name: codecov-umbrella
 

.github/workflows/e2e-rollout-test.yml

@@ -5,6 +5,8 @@ on:
     branches:
       - master
       - release-*
+    tags:
+      - v*
   workflow_dispatch: {}
   pull_request:
     branches:
@@ -16,6 +18,8 @@ env:
   GO_VERSION: '1.17'
   GOLANGCI_VERSION: 'v1.38'
   KIND_VERSION: 'v0.7.0'
+  KIND_IMAGE_VERSION: '[\"v1.20.7\"]'
+  KIND_IMAGE_VERSIONS: '[\"v1.18.20\",\"v1.20.7\",\"v1.22.7\"]'
 
 jobs:
 
@@ -33,10 +37,27 @@ jobs:
           do_not_skip: '["workflow_dispatch", "schedule", "push"]'
           concurrent_skipping: false
 
+  set-k8s-matrix:
+    runs-on: ubuntu-20.04
+    outputs:
+      matrix: ${{ steps.set-k8s-matrix.outputs.matrix }}
+    steps:
+      - id: set-k8s-matrix
+        run: |
+          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
+            echo "pushing tag: ${{ github.ref_name }}"
+            echo "::set-output name=matrix::${{ env.KIND_IMAGE_VERSIONS }}"
+          else
+            echo "::set-output name=matrix::${{ env.KIND_IMAGE_VERSION }}"
+          fi
+
   e2e-rollout-tests:
     runs-on: aliyun
-    needs: detect-noop
+    needs: [ detect-noop,set-k8s-matrix ]
     if: needs.detect-noop.outputs.noop != 'true'
+    strategy:
+      matrix:
+        k8s-version: ${{ fromJson(needs.set-k8s-matrix.outputs.matrix) }}
 
     steps:
       - name: Check out code into the Go module directory
@@ -60,7 +81,7 @@ jobs:
       - name: Setup Kind Cluster
         run: |
           kind delete cluster
-          kind create cluster --image kindest/node:v1.18.15@sha256:5c1b980c4d0e0e8e7eb9f36f7df525d079a96169c8a8f20d8bd108c0d0889cc4
+          kind create cluster --image kindest/node:${{ matrix.k8s-version }}
           kubectl version
           kubectl cluster-info
 

.github/workflows/e2e-test.yml

@@ -5,6 +5,8 @@ on:
     branches:
       - master
       - release-*
+    tags:
+      - v*
   workflow_dispatch: {}
   pull_request:
     branches:
@@ -16,6 +18,8 @@ env:
   GO_VERSION: '1.17'
   GOLANGCI_VERSION: 'v1.38'
   KIND_VERSION: 'v0.7.0'
+  KIND_IMAGE_VERSION: '[\"v1.20.7\"]'
+  KIND_IMAGE_VERSIONS: '[\"v1.18.20\",\"v1.20.7\",\"v1.22.7\"]'
 
 jobs:
 
@@ -33,10 +37,27 @@ jobs:
           do_not_skip: '["workflow_dispatch", "schedule", "push"]'
           concurrent_skipping: false
 
+  set-k8s-matrix:
+    runs-on: ubuntu-20.04
+    outputs:
+      matrix: ${{ steps.set-k8s-matrix.outputs.matrix }}
+    steps:
+      - id: set-k8s-matrix
+        run: |
+          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
+            echo "pushing tag: ${{ github.ref_name }}"
+            echo "::set-output name=matrix::${{ env.KIND_IMAGE_VERSIONS }}"
+          else
+            echo "::set-output name=matrix::${{ env.KIND_IMAGE_VERSION }}"
+          fi
+
   e2e-tests:
     runs-on: aliyun
-    needs: detect-noop
+    needs: [ detect-noop,set-k8s-matrix ]
     if: needs.detect-noop.outputs.noop != 'true'
+    strategy:
+      matrix:
+        k8s-version: ${{ fromJson(needs.set-k8s-matrix.outputs.matrix) }}
 
     steps:
       - name: Check out code into the Go module directory
@@ -60,7 +81,7 @@ jobs:
       - name: Setup Kind Cluster
         run: |
           kind delete cluster
-          kind create cluster --image kindest/node:v1.18.15@sha256:5c1b980c4d0e0e8e7eb9f36f7df525d079a96169c8a8f20d8bd108c0d0889cc4
+          kind create cluster --image kindest/node:${{ matrix.k8s-version }}
           kubectl version
           kubectl cluster-info
 

.github/workflows/go.yml

@@ -57,7 +57,7 @@ jobs:
           restore-keys: ${{ runner.os }}-pkg-
 
       - name: Install StaticCheck
-        run: GO111MODULE=off go get honnef.co/go/tools/cmd/staticcheck
+        run: GO111MODULE=on go get honnef.co/go/tools/cmd/staticcheck@v0.3.0
 
       - name: Static Check
         run: staticcheck ./...
@@ -71,6 +71,11 @@ jobs:
     if: needs.detect-noop.outputs.noop != 'true'
 
     steps:
+      - name: Setup Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
       - name: Checkout
         uses: actions/checkout@v2
         with:
@@ -88,7 +93,7 @@ jobs:
       # version, but we prefer this action because it leaves 'annotations' (i.e.
       # it comments on PRs to point out linter violations).
       - name: Lint
-        uses: golangci/golangci-lint-action@v2
+        uses: golangci/golangci-lint-action@v3
         with:
           version: ${{ env.GOLANGCI_VERSION }}
 

.github/workflows/issue-commands.yml

@@ -14,9 +14,9 @@ jobs:
         with:
           repository: "oam-dev/kubevela-github-actions"
           path: ./actions
-          ref: v0.4.1
+          ref: v0.4.2
       - name: Install Actions
-        run: npm install --production --prefix ./actions
+        run: npm ci --production --prefix ./actions
       - name: Run Commands
         uses: ./actions/commands
         with:
@@ -66,4 +66,4 @@ jobs:
         uses: zeebe-io/backport-action@v0.0.6
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
-          github_workspace: ${{ github.workspace }}
+          github_workspace: ${{ github.workspace }}

.github/workflows/release.yml

@@ -8,6 +8,10 @@ on:
 
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  BUCKET: ${{ secrets.CLI_OSS_BUCKET }}
+  ENDPOINT: ${{ secrets.CLI_OSS_ENDPOINT }}
+  ACCESS_KEY: ${{ secrets.CLI_OSS_ACCESS_KEY }}
+  ACCESS_KEY_SECRET: ${{ secrets.CLI_OSS_ACCESS_KEY_SECRET }}
 
 jobs:
   build:
@@ -104,6 +108,23 @@ jobs:
           name: sha256sums
           path: ./_bin/sha256-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.txt
           retention-days: 1
+      - name: clear the asset
+        run: |
+          rm -rf ./_bin/vela/${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}
+          mv ./_bin/vela/vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz ./_bin/vela/vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz
+          mv ./_bin/vela/vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip ./_bin/vela/vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip
+      - name: Install ossutil
+        run: wget http://gosspublic.alicdn.com/ossutil/1.7.0/ossutil64 && chmod +x ossutil64 && mv ossutil64 ossutil
+      - name: Configure Alibaba Cloud OSSUTIL
+        run: ./ossutil --config-file .ossutilconfig config -i ${ACCESS_KEY} -k ${ACCESS_KEY_SECRET} -e ${ENDPOINT} -c .ossutilconfig
+      - name: sync local to cloud
+        run: ./ossutil --config-file .ossutilconfig sync ./_bin/vela oss://$BUCKET/binary/vela/${{ env.VELA_VERSION }}
+      
+      - name: sync the latest version file
+        run: |
+          echo ${{ env.VELA_VERSION }} > ./latest_version
+          ./ossutil --config-file .ossutilconfig cp -u ./latest_version oss://$BUCKET/binary/vela/latest_version
+
 
   upload-plugin-homebrew:
     needs: build

.github/workflows/trivy-scan.yml

@@ -0,0 +1,30 @@
+name: "Trivy Scan"
+
+on:
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  images:
+    name: Image Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Build Vela Core image from Dockerfile
+        run: |
+          docker build --build-arg GOPROXY=https://proxy.golang.org -t docker.io/oamdev/vela-core:${{ github.sha }} .
+
+      - name: Run Trivy vulnerability scanner for vela core
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/oamdev/vela-core:${{ github.sha }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/unit-test.yml

@@ -58,7 +58,7 @@ jobs:
           restore-keys: ${{ runner.os }}-pkg-
 
       - name: Install ginkgo
-        run:  |
+        run: |
           sudo apt-get install -y golang-ginkgo-dev
 
       - name: Setup Kind Cluster
@@ -72,7 +72,7 @@ jobs:
           version: 3.1.0
           kubebuilderOnly: false
           kubernetesVersion: v1.21.2
-      
+
       - name: Run Make test
         run: make test
 

CHANGELOG/CHANGELOG-1.0.md

@@ -30,7 +30,7 @@ This is a minor fix for release-1.0, please refer to release-1.1.x for the lates
 **Please update Application CRD to upgrade from v1.0.3 to this release**
 
 ```
-kubectl apply -f https://raw.githubusercontent.com/oam-dev/kubevela/master/charts/vela-core/crds/core.oam.dev_applications.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubevela/kubevela/master/charts/vela-core/crds/core.oam.dev_applications.yaml
 ```
 
 **Check the upgrade docs to upgrade from other release: https://kubevela.io/docs/advanced-install#upgrade**

CONTRIBUTING.md

@@ -2,7 +2,7 @@
 
 ## About KubeVela
 
-KubeVela project is initialized and maintained by the cloud native community since day 0 with [bootstrapping contributors from 8+ different organizations](https://github.com/oam-dev/kubevela/graphs/contributors).
+KubeVela project is initialized and maintained by the cloud native community since day 0 with [bootstrapping contributors from 8+ different organizations](https://github.com/kubevela/kubevela/graphs/contributors).
 We intend for KubeVela to have an open governance since the very beginning and donate the project to neutral foundation as soon as it's released.
 To help us create a safe and positive community experience for all, we require all participants to adhere to the [Code of Conduct](./CODE_OF_CONDUCT.md).
 
@@ -13,7 +13,7 @@ This document is a guide to help you through the process of contributing to Kube
 You can contribute to KubeVela in several ways. Here are some examples:
 
 * Contribute to the KubeVela codebase.
-* Contribute to the [KubeVela docs](https://github.com/oam-dev/kubevela.io).
+* Contribute to the [KubeVela docs](https://github.com/kubevela/kubevela.io).
 * Report and triage bugs.
 * Develop community CRD operators as workload or trait and contribute to [catalog](https://github.com/oam-dev/catalog).
 * Write technical documentation and blog posts, for users and contributors.
@@ -26,20 +26,20 @@ For more ways to contribute, check out the [Open Source Guides](https://opensour
 ### Report bugs
 
 Before submitting a new issue, try to make sure someone hasn't already reported the problem.
-Look through the [existing issues](https://github.com/oam-dev/kubevela/issues) for similar issues.
+Look through the [existing issues](https://github.com/kubevela/kubevela/issues) for similar issues.
 
-Report a bug by submitting a [bug report](https://github.com/oam-dev/kubevela/issues/new?assignees=&labels=kind%2Fbug&template=bug_report.md&title=).
+Report a bug by submitting a [bug report](https://github.com/kubevela/kubevela/issues/new?assignees=&labels=kind%2Fbug&template=bug_report.md&title=).
 Make sure that you provide as much information as possible on how to reproduce the bug.
 
 Follow the issue template and add additional information that will help us replicate the problem.
 
 #### Security issues
 
-If you believe you've found a security vulnerability, please read our [security policy](https://github.com/oam-dev/kubevela/blob/master/SECURITY.md) for more details.
+If you believe you've found a security vulnerability, please read our [security policy](https://github.com/kubevela/kubevela/blob/master/SECURITY.md) for more details.
 
 ### Suggest enhancements
 
-If you have an idea to improve KubeVela, submit an [feature request](https://github.com/oam-dev/kubevela/issues/new?assignees=&labels=kind%2Ffeature&template=feature_request.md&title=%5BFeature%5D).
+If you have an idea to improve KubeVela, submit an [feature request](https://github.com/kubevela/kubevela/issues/new?assignees=&labels=kind%2Ffeature&template=feature_request.md&title=%5BFeature%5D).
 
 ### Triage issues
 
@@ -50,16 +50,16 @@ Read more about the ways you can [Triage issues](/contribute/triage-issues.md).
 ### Answering questions
 
 If you have a question and you can't find the answer in the [documentation](https://kubevela.io/docs/),
-the next step is to ask it on the [github discussion](https://github.com/oam-dev/kubevela/discussions).
+the next step is to ask it on the [github discussion](https://github.com/kubevela/kubevela/discussions).
 
-It's important to us to help these users, and we'd love your help. You can help other KubeVela users by answering [their questions](https://github.com/oam-dev/kubevela/discussions).
+It's important to us to help these users, and we'd love your help. You can help other KubeVela users by answering [their questions](https://github.com/kubevela/kubevela/discussions).
 
 ### Your first contribution
 
 Unsure where to begin contributing to KubeVela? Start by browsing issues labeled `good first issue` or `help wanted`.
 
-- [Good first issue](https://github.com/oam-dev/kubevela/labels/good%20first%20issue) issues are generally straightforward to complete.
-- [Help wanted](https://github.com/oam-dev/kubevela/labels/help%20wanted) issues are problems we would like the community to help us with regardless of complexity.
+- [Good first issue](https://github.com/kubevela/kubevela/labels/good%20first%20issue) issues are generally straightforward to complete.
+- [Help wanted](https://github.com/kubevela/kubevela/labels/help%20wanted) issues are problems we would like the community to help us with regardless of complexity.
 
 If you're looking to make a code change, see how to set up your environment for [local development](contribute/developer-guide.md).
 

GOVERNANCE.md

@@ -0,0 +1,16 @@
+# Governance
+
+[Project maintainers](https://github.com/kubevela/community/blob/main/OWNERS.md#maintainers) are responsible for activities around maintaining and updating KubeVela.
+Final decisions on the project reside with the project maintainers.
+
+Maintainers **MUST** remain active. If they are unresponsive for >6 months,
+they will be automatically removed unless a [super-majority](https://en.wikipedia.org/wiki/Supermajority#Two-thirds_vote) of the other project maintainers agrees to extend the period to be greater than 6 months.
+
+New maintainers can be added to the project by a [super-majority](https://en.wikipedia.org/wiki/Supermajority#Two-thirds_vote) vote of the existing maintainers.
+A potential maintainer may be nominated by an existing maintainer.
+A vote is conducted in private between the current maintainers over the course of a one week voting period.
+At the end of the week, votes are counted and a pull request is made on the repo adding the new maintainer to the [CODEOWNERS](https://github.com/kubevela/kubevela/blob/master/.github/CODEOWNERS) file.
+
+A maintainer may step down by submitting an [issue](https://github.com/kubevela/kubevela/issues/new/choose) stating their intent.
+
+Changes to this governance document require a pull request with approval from a [super-majority](https://en.wikipedia.org/wiki/Supermajority#Two-thirds_vote) of the current maintainers.

ISSUE_TRIAGE.md

@@ -71,7 +71,7 @@ To get started with issue triage and finding issues that haven't been triaged yo
 ### Browse unlabeled issues
 
 The easiest and straight forward way of getting started and finding issues that haven't been triaged is to browse
-[unlabeled issues](https://github.com/oam-dev/kubevela/issues?q=is%3Aopen+is%3Aissue+no%3Alabel) and starting from
+[unlabeled issues](https://github.com/kubevela/kubevela/issues?q=is%3Aopen+is%3Aissue+no%3Alabel) and starting from
 the bottom and working yourself to the top.
 
 ### Subscribe to all notifications
@@ -95,7 +95,7 @@ to guide contributors to provide standard information that must be included for
 
 ### Standard issue information that must be included
 
-Given a certain [issue template]([template](https://github.com/oam-dev/kubevela/issues/new/choose)) have been used
+Given a certain [issue template]([template](https://github.com/kubevela/kubevela/issues/new/choose)) have been used
 by the issue author or depending how the issue is perceived by the issue triage responsible, the following should
 help you understand what standard issue information that must be included.
 
@@ -219,7 +219,7 @@ There's a minor typo/error/lack of information that adds a lot of confusion for
 
 ### Support requests and questions
 
-1. Kindly and politely direct the issue author to the [github discussion](https://github.com/oam-dev/kubevela/discussions)
+1. Kindly and politely direct the issue author to the [github discussion](https://github.com/kubevela/kubevela/discussions)
    and explain that issue is mainly used for tracking bugs and feature requests.
    If possible, it's usually a good idea to add some pointers to the issue author's question.
 2. Close the issue and label it with `type/question`.

Makefile

@@ -19,7 +19,7 @@ unit-test-core:
 	go test -coverprofile=coverage.txt $(shell go list ./pkg/... ./cmd/... ./apis/... | grep -v apiserver)
 	go test $(shell go list ./references/... | grep -v apiserver)
 unit-test-apiserver:
-	go test -coverprofile=coverage.txt $(shell go list ./pkg/... ./cmd/...  | grep -E 'apiserver|velaql')
+	go test -gcflags=all=-l -coverprofile=coverage.txt $(shell go list ./pkg/... ./cmd/...  | grep -E 'apiserver|velaql')
 
 # Build vela cli binary
 build: fmt vet lint staticcheck vela-cli kubectl-vela
@@ -132,5 +132,4 @@ def-install:
 
 helm-doc-gen: helmdoc
 	readme-generator -v charts/vela-core/values.yaml -r charts/vela-core/README.md
-	cat charts/vela-core/README.md
 	readme-generator -v charts/vela-minimal/values.yaml -r charts/vela-minimal/README.md

OWNERS

@@ -1,12 +0,0 @@
-approvers:
-- kubevela-controller
-- kubevela-devex
-- kubevela-dashboard-approver
-
-reviewers:
-- kubevela-controller
-- oam-spec
-- kubevela-dashboard-reviewer
-
-members:
-- community-collaborators

OWNERS_ALIASES

@@ -1,56 +1 @@
-Reviewers:
-- Ghostbaby
-- StevenLeiZhang
-- chwetion
-- yue9944882
-- zxbyoyoyo
-- reetasingh
-- wangwang
-- evanli18
-
-Approvers:
-- Somefive (Multi-Cluster)
-- chivalryq (Vela CLI)
-- sunny0826 (kubevela.io)
-- hanxie-crypto (VelaUX)
-- FogDong (Workflow)
-- wangyikewxgm (Addon)
-- yangsoon (VelaQL）
-
-Maintainers:
-- wonderflow
-- hongchaodeng
-- captainroy-hy
-- resouer
-- barnettZQG
-- leejanee
-- zzxwill
-- BinaryHB0916
-
-Emeritus Members:
-- ryanzhang-oss
-- Fei-Guo
-- szihai
-- xiaoyuaiheshui
-- wenxinnnnn
-- silenceper
-- erdun
-- mosesyou
-- artursouza
-- woshilanren11
-
-bootstrap-contributors:     # thank you for bootstrapping KubeVela at the very early stage!
-- xiaoyuaiheshui
-- Ghostbaby
-- wenxinnnnn
-- silenceper
-- erdun
-- sunny0826
-- mosesyou
-- artursouza
-- wonderflow
-- hongchaodeng
-- ryanzhang-oss
-- woshilanren11
-- hanxie-crypto
-- zzxwill
+The owner file has been migrated to the community repo, please refer to https://github.com/kubevela/community/blob/main/OWNERS.md

README.md

@@ -1,18 +1,18 @@
 <div style="text-align: center">
   <p align="center">
-    <img src="https://raw.githubusercontent.com/oam-dev/kubevela.io/main/docs/resources/KubeVela-03.png">
+    <img src="https://raw.githubusercontent.com/kubevela/kubevela.io/main/docs/resources/KubeVela-03.png">
     <br><br>
     <i>Make shipping applications more enjoyable.</i>
   </p>
 </div>
 
-![Build status](https://github.com/oam-dev/kubevela/workflows/E2E/badge.svg)
-[![Go Report Card](https://goreportcard.com/badge/github.com/oam-dev/kubevela)](https://goreportcard.com/report/github.com/oam-dev/kubevela)
+![Build status](https://github.com/kubevela/kubevela/workflows/E2E/badge.svg)
+[![Go Report Card](https://goreportcard.com/badge/github.com/kubevela/kubevela)](https://goreportcard.com/report/github.com/kubevela/kubevela)
 ![Docker Pulls](https://img.shields.io/docker/pulls/oamdev/vela-core)
-[![codecov](https://codecov.io/gh/oam-dev/kubevela/branch/master/graph/badge.svg)](https://codecov.io/gh/oam-dev/kubevela)
-[![LICENSE](https://img.shields.io/github/license/oam-dev/kubevela.svg?style=flat-square)](/LICENSE)
-[![Releases](https://img.shields.io/github/release/oam-dev/kubevela/all.svg?style=flat-square)](https://github.com/oam-dev/kubevela/releases)
-[![TODOs](https://img.shields.io/endpoint?url=https://api.tickgit.com/badge?repo=github.com/oam-dev/kubevela)](https://www.tickgit.com/browse?repo=github.com/oam-dev/kubevela)
+[![codecov](https://codecov.io/gh/kubevela/kubevela/branch/master/graph/badge.svg)](https://codecov.io/gh/kubevela/kubevela)
+[![LICENSE](https://img.shields.io/github/license/kubevela/kubevela.svg?style=flat-square)](/LICENSE)
+[![Releases](https://img.shields.io/github/release/kubevela/kubevela/all.svg?style=flat-square)](https://github.com/kubevela/kubevela/releases)
+[![TODOs](https://img.shields.io/endpoint?url=https://api.tickgit.com/badge?repo=github.com/kubevela/kubevela)](https://www.tickgit.com/browse?repo=github.com/kubevela/kubevela)
 [![Twitter](https://img.shields.io/twitter/url?style=social&url=https%3A%2F%2Ftwitter.com%2Foam_dev)](https://twitter.com/oam_dev)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/kubevela)](https://artifacthub.io/packages/search?repo=kubevela)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4602/badge)](https://bestpractices.coreinfrastructure.org/projects/4602)
@@ -43,15 +43,35 @@ KubeVela practices the "render, orchestrate, deploy" workflow with below highlig
 
 Full documentation is available on the [KubeVela website](https://kubevela.io/).
 
+## Blog
+
+Official blog is available on [KubeVela blog](https://kubevela.io/blog).
+
 ## Community
 
-- Slack:  [CNCF Slack](https://slack.cncf.io/) #kubevela channel (*English*)
-- Gitter: [oam-dev](https://gitter.im/oam-dev/community) (*English*)
+We want your contributions and suggestions! 
+One of the easiest ways to contribute is to participate in discussions on the Github Issues/Discussion, chat on IM or the bi-weekly community calls.
+For more information on the community engagement, developer and contributing guidelines and more, head over to the [KubeVela community repo](https://github.com/kubevela/community).
+
+### Contact Us
+
+Reach out with any questions you may have and we'll make sure to answer them as soon as possible!
+
+- Slack:  [CNCF Slack kubevela channel](https://cloud-native.slack.com/archives/C01BLQ3HTJA) (*English*)
 - [DingTalk Group](https://page.dingtalk.com/wow/dingtalk/act/en-home): `23310022` (*Chinese*)
 - Wechat Group (*Chinese*): Broker wechat to add you into the user group.
  
   <img src="https://static.kubevela.net/images/barnett-wechat.jpg" width="200" />
-- Bi-weekly Community Call: [Meeting Notes](https://docs.google.com/document/d/1nqdFEyULekyksFHtFvgvFAYE-0AMHKoS3RMnaKsarjs)
+
+### Community Call
+
+Every two weeks we host a community call to showcase new features, review upcoming milestones, and engage in a Q&A. All are welcome!
+
+- Bi-weekly Community Call:
+  - [Meeting Notes](https://docs.google.com/document/d/1nqdFEyULekyksFHtFvgvFAYE-0AMHKoS3RMnaKsarjs).
+  - [Video Records](https://kubevela.io/videos/meetings/en/meetings).
+- Bi-weekly Chinese Community Call:
+  - [Video Records](https://kubevela.io/videos/meetings/cn/v1.3).
 
 ## Talks and Conferences
 
@@ -61,7 +81,10 @@ Full documentation is available on the [KubeVela website](https://kubevela.io/).
 | 🌎 KubeCon | - [ [NA 2020] Standardizing Cloud Native Application Delivery Across Different Clouds](https://www.youtube.com/watch?v=0yhVuBIbHcI) <br> - [ [EU 2021] Zero Pain Microservice Development and Deployment with Dapr and KubeVela](https://sched.co/iE4S) |
 | 📺 Conferences | - [Dapr, Rudr, OAM: Mark Russinovich presents next gen app development & deployment](https://www.youtube.com/watch?v=eJCu6a-x9uo) <br> - [Mark Russinovich presents "The Future of Cloud Native Applications with OAM and Dapr"](https://myignite.techcommunity.microsoft.com/sessions/82059)|
 
+For more talks, please checkout [KubeVela Talks](https://kubevela.io/videos/talks/en/standardizing-app).
+
 ## Contributing
+
 Check out [CONTRIBUTING](./CONTRIBUTING.md) to see how to develop with KubeVela.
 
 ## Report Vulnerability
@@ -69,4 +92,5 @@ Check out [CONTRIBUTING](./CONTRIBUTING.md) to see how to develop with KubeVela.
 Security is a first priority thing for us at KubeVela. If you come across a related issue, please send email to security@mail.kubevela.io .
 
 ## Code of Conduct
+
 KubeVela adopts [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).

apis/core.oam.dev/common/register.go

@@ -0,0 +1,22 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package common
+
+const (
+	// Group api group name
+	Group = "core.oam.dev"
+)

apis/core.oam.dev/common/types.go

@@ -322,12 +322,31 @@ type PolicyStatus struct {
 	Status *runtime.RawExtension `json:"status,omitempty"`
 }
 
+// WorkflowStep defines how to execute a workflow step.
+type WorkflowStep struct {
+	// Name is the unique name of the workflow step.
+	Name string `json:"name"`
+
+	Type string `json:"type"`
+
+	// +kubebuilder:pruning:PreserveUnknownFields
+	Properties *runtime.RawExtension `json:"properties,omitempty"`
+
+	DependsOn []string `json:"dependsOn,omitempty"`
+
+	Inputs StepInputs `json:"inputs,omitempty"`
+
+	Outputs StepOutputs `json:"outputs,omitempty"`
+}
+
 // WorkflowStatus record the status of workflow
 type WorkflowStatus struct {
 	AppRevision string       `json:"appRevision,omitempty"`
 	Mode        WorkflowMode `json:"mode"`
 	Message     string       `json:"message,omitempty"`
 
+	SuspendState string `json:"suspendState,omitempty"`
+
 	Suspend    bool `json:"suspend"`
 	Terminated bool `json:"terminated"`
 	Finished   bool `json:"finished"`
@@ -479,6 +498,8 @@ const (
 	PolicyResourceCreator ResourceCreatorRole = "policy"
 	// WorkflowResourceCreator create the resource in workflow.
 	WorkflowResourceCreator ResourceCreatorRole = "workflow"
+	// DebugResourceCreator create the debug resource.
+	DebugResourceCreator ResourceCreatorRole = "debug"
 )
 
 // OAMObjectReference defines the object reference for an oam resource
@@ -605,3 +626,17 @@ func ParseApplicationConditionType(s string) (ApplicationConditionType, error) {
 	}
 	return -1, errors.New("unknown condition type")
 }
+
+// ReferredObject the referred Kubernetes object
+type ReferredObject struct {
+	// +kubebuilder:validation:EmbeddedResource
+	// +kubebuilder:pruning:PreserveUnknownFields
+	runtime.RawExtension `json:",inline"`
+}
+
+// ReferredObjectList a list of referred Kubernetes objects
+type ReferredObjectList struct {
+	// Objects a list of Kubernetes objects.
+	// +optional
+	Objects []ReferredObject `json:"objects,omitempty"`
+}

apis/core.oam.dev/common/zz_generated.deepcopy.go

@@ -469,6 +469,44 @@ func (in *RawExtensionPointer) DeepCopy() *RawExtensionPointer {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReferredObject) DeepCopyInto(out *ReferredObject) {
+	*out = *in
+	in.RawExtension.DeepCopyInto(&out.RawExtension)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferredObject.
+func (in *ReferredObject) DeepCopy() *ReferredObject {
+	if in == nil {
+		return nil
+	}
+	out := new(ReferredObject)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReferredObjectList) DeepCopyInto(out *ReferredObjectList) {
+	*out = *in
+	if in.Objects != nil {
+		in, out := &in.Objects, &out.Objects
+		*out = make([]ReferredObject, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferredObjectList.
+func (in *ReferredObjectList) DeepCopy() *ReferredObjectList {
+	if in == nil {
+		return nil
+	}
+	out := new(ReferredObjectList)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Revision) DeepCopyInto(out *Revision) {
 	*out = *in
@@ -636,6 +674,41 @@ func (in *WorkflowStatus) DeepCopy() *WorkflowStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkflowStep) DeepCopyInto(out *WorkflowStep) {
+	*out = *in
+	if in.Properties != nil {
+		in, out := &in.Properties, &out.Properties
+		*out = new(runtime.RawExtension)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.DependsOn != nil {
+		in, out := &in.DependsOn, &out.DependsOn
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Inputs != nil {
+		in, out := &in.Inputs, &out.Inputs
+		*out = make(StepInputs, len(*in))
+		copy(*out, *in)
+	}
+	if in.Outputs != nil {
+		in, out := &in.Outputs, &out.Outputs
+		*out = make(StepOutputs, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkflowStep.
+func (in *WorkflowStep) DeepCopy() *WorkflowStep {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkflowStep)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkflowStepStatus) DeepCopyInto(out *WorkflowStepStatus) {
 	*out = *in

apis/core.oam.dev/v1alpha1/component_types.go

@@ -0,0 +1,74 @@
+/*
+Copyright 2021 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+const (
+	// RefObjectsComponentType refers to the type of ref-objects
+	RefObjectsComponentType = "ref-objects"
+)
+
+// RefObjectsComponentSpec defines the spec of ref-objects component
+type RefObjectsComponentSpec struct {
+	// Objects the referrers to the Kubernetes objects
+	Objects []ObjectReferrer `json:"objects,omitempty"`
+}
+
+// ObjectReferrer selects Kubernetes objects
+type ObjectReferrer struct {
+	// ObjectTypeIdentifier identifies the type of referred objects
+	ObjectTypeIdentifier `json:",inline"`
+	// ObjectSelector select object by name or labelSelector
+	ObjectSelector `json:",inline"`
+}
+
+// ObjectTypeIdentifier identifies the scheme of Kubernetes object
+type ObjectTypeIdentifier struct {
+	// Resource is the resource name of the Kubernetes object.
+	Resource string `json:"resource"`
+	// Group is the API Group of the Kubernetes object.
+	Group string `json:"group"`
+	// LegacyObjectTypeIdentifier is the legacy identifier
+	// Deprecated: use resource/group instead
+	LegacyObjectTypeIdentifier `json:",inline"`
+}
+
+// LegacyObjectTypeIdentifier legacy object type identifier
+type LegacyObjectTypeIdentifier struct {
+	// APIVersion is the APIVersion of the Kubernetes object.
+	APIVersion string `json:"apiVersion"`
+	// APIVersion is the Kind of the Kubernetes object.
+	Kind string `json:"kind"`
+}
+
+// ObjectSelector selector for Kubernetes object
+type ObjectSelector struct {
+	// Name is the name of the Kubernetes object.
+	// If empty, it will inherit the application component's name.
+	Name string `json:"name,omitempty"`
+	// Namespace is the namespace for selecting Kubernetes objects.
+	// If empty, it will inherit the application's namespace.
+	Namespace string `json:"namespace,omitempty"`
+	// Cluster is the cluster for selecting Kubernetes objects.
+	// If empty, it will use the local cluster
+	Cluster string `json:"cluster,omitempty"`
+	// LabelSelector selects Kubernetes objects by labels
+	// Exclusive to "name"
+	LabelSelector map[string]string `json:"labelSelector,omitempty"`
+	// DeprecatedLabelSelector a deprecated alias to LabelSelector
+	// Deprecated: use labelSelector instead.
+	DeprecatedLabelSelector map[string]string `json:"selector,omitempty"`
+}

apis/core.oam.dev/v1alpha1/external_types.go

@@ -20,7 +20,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
+	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 )
 
 // +kubebuilder:object:root=true
@@ -61,7 +61,7 @@ type Workflow struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	Steps []v1beta1.WorkflowStep `json:"steps,omitempty"`
+	Steps []common.WorkflowStep `json:"steps,omitempty"`
 }
 
 // +kubebuilder:object:root=true

apis/core.oam.dev/v1alpha1/garbagecollect_types.go

@@ -33,11 +33,22 @@ type GarbageCollectPolicySpec struct {
 	// outdated resources will be kept until resourcetracker be deleted manually
 	KeepLegacyResource bool `json:"keepLegacyResource,omitempty"`
 
+	// Order defines the order of garbage collect
+	Order GarbageCollectOrder `json:"order,omitempty"`
+
 	// Rules defines list of rules to control gc strategy at resource level
 	// if one resource is controlled by multiple rules, first rule will be used
 	Rules []GarbageCollectPolicyRule `json:"rules,omitempty"`
 }
 
+// GarbageCollectOrder is the order of garbage collect
+type GarbageCollectOrder string
+
+const (
+	// OrderDependency is the order of dependency
+	OrderDependency GarbageCollectOrder = "dependency"
+)
+
 // GarbageCollectPolicyRule defines a single garbage-collect policy rule
 type GarbageCollectPolicyRule struct {
 	Selector GarbageCollectPolicyRuleSelector `json:"selector"`
@@ -45,11 +56,13 @@ type GarbageCollectPolicyRule struct {
 }
 
 // GarbageCollectPolicyRuleSelector select the targets of the rule
-// if both traitTypes and componentTypes are specified, combination logic is OR
-// if one resources are specified with conflict strategy, strategy as component go first.
+// if both traitTypes, oamTypes and componentTypes are specified, combination logic is OR
+// if one resource is specified with conflict strategies, strategy as component go first.
 type GarbageCollectPolicyRuleSelector struct {
-	TraitTypes []string `json:"traitTypes"`
-	CompTypes  []string `json:"componentTypes"`
+	CompNames        []string `json:"componentNames"`
+	CompTypes        []string `json:"componentTypes"`
+	OAMResourceTypes []string `json:"oamTypes"`
+	TraitTypes       []string `json:"traitTypes"`
 }
 
 // GarbageCollectStrategy the strategy for target resource to recycle
@@ -68,27 +81,24 @@ const (
 // FindStrategy find gc strategy for target resource
 func (in GarbageCollectPolicySpec) FindStrategy(manifest *unstructured.Unstructured) *GarbageCollectStrategy {
 	for _, rule := range in.Rules {
-		var (
-			compType  string
-			traitType string
-		)
-		if manifest.GetLabels() != nil {
-			traitType = manifest.GetLabels()[oam.TraitTypeLabel]
-			compType = manifest.GetLabels()[oam.WorkloadTypeLabel]
+		var compName, compType, oamType, traitType string
+		if labels := manifest.GetLabels(); labels != nil {
+			compName = labels[oam.LabelAppComponent]
+			compType = labels[oam.WorkloadTypeLabel]
+			oamType = labels[oam.LabelOAMResourceType]
+			traitType = labels[oam.TraitTypeLabel]
 		}
-		if compType != "" {
-			for _, _compType := range rule.Selector.CompTypes {
-				if _compType == compType {
-					return &rule.Strategy
-				}
+		match := func(src []string, val string) (found bool) {
+			for _, _val := range src {
+				found = found || _val == val
 			}
+			return val != "" && found
 		}
-		if traitType != "" {
-			for _, _traitType := range rule.Selector.TraitTypes {
-				if _traitType == traitType {
-					return &rule.Strategy
-				}
-			}
+		if match(rule.Selector.CompNames, compName) ||
+			match(rule.Selector.CompTypes, compType) ||
+			match(rule.Selector.OAMResourceTypes, oamType) ||
+			match(rule.Selector.TraitTypes, traitType) {
+			return &rule.Strategy
 		}
 	}
 	return nil

apis/core.oam.dev/v1alpha1/garbagecollect_types_test.go

@@ -32,7 +32,7 @@ func TestGarbageCollectPolicySpec_FindStrategy(t *testing.T) {
 		notFound       bool
 		expectStrategy GarbageCollectStrategy
 	}{
-		"trait rule match": {
+		"trait type rule match": {
 			rules: []GarbageCollectPolicyRule{{
 				Selector: GarbageCollectPolicyRuleSelector{TraitTypes: []string{"a"}},
 				Strategy: GarbageCollectStrategyNever,
@@ -44,7 +44,7 @@ func TestGarbageCollectPolicySpec_FindStrategy(t *testing.T) {
 			}},
 			expectStrategy: GarbageCollectStrategyNever,
 		},
-		"trait rule mismatch": {
+		"trait type rule mismatch": {
 			rules: []GarbageCollectPolicyRule{{
 				Selector: GarbageCollectPolicyRuleSelector{TraitTypes: []string{"a"}},
 				Strategy: GarbageCollectStrategyNever,
@@ -52,7 +52,7 @@ func TestGarbageCollectPolicySpec_FindStrategy(t *testing.T) {
 			input:    &unstructured.Unstructured{Object: map[string]interface{}{}},
 			notFound: true,
 		},
-		"trait rule multiple match": {
+		"trait type rule multiple match": {
 			rules: []GarbageCollectPolicyRule{{
 				Selector: GarbageCollectPolicyRuleSelector{TraitTypes: []string{"a"}},
 				Strategy: GarbageCollectStrategyOnAppDelete,
@@ -67,7 +67,7 @@ func TestGarbageCollectPolicySpec_FindStrategy(t *testing.T) {
 			}},
 			expectStrategy: GarbageCollectStrategyOnAppDelete,
 		},
-		"component rule match": {
+		"component type rule match": {
 			rules: []GarbageCollectPolicyRule{{
 				Selector: GarbageCollectPolicyRuleSelector{CompTypes: []string{"comp"}},
 				Strategy: GarbageCollectStrategyNever,
@@ -79,7 +79,7 @@ func TestGarbageCollectPolicySpec_FindStrategy(t *testing.T) {
 			}},
 			expectStrategy: GarbageCollectStrategyNever,
 		},
-		"rule match both component and trait, component first": {
+		"rule match both component type and trait type, component type first": {
 			rules: []GarbageCollectPolicyRule{
 				{
 					Selector: GarbageCollectPolicyRuleSelector{CompTypes: []string{"comp"}},
@@ -97,6 +97,30 @@ func TestGarbageCollectPolicySpec_FindStrategy(t *testing.T) {
 			}},
 			expectStrategy: GarbageCollectStrategyNever,
 		},
+		"component name rule match": {
+			rules: []GarbageCollectPolicyRule{{
+				Selector: GarbageCollectPolicyRuleSelector{CompNames: []string{"comp-name"}},
+				Strategy: GarbageCollectStrategyNever,
+			}},
+			input: &unstructured.Unstructured{Object: map[string]interface{}{
+				"metadata": map[string]interface{}{
+					"labels": map[string]interface{}{oam.LabelAppComponent: "comp-name"},
+				},
+			}},
+			expectStrategy: GarbageCollectStrategyNever,
+		},
+		"resource type rule match": {
+			rules: []GarbageCollectPolicyRule{{
+				Selector: GarbageCollectPolicyRuleSelector{OAMResourceTypes: []string{"TRAIT"}},
+				Strategy: GarbageCollectStrategyNever,
+			}},
+			input: &unstructured.Unstructured{Object: map[string]interface{}{
+				"metadata": map[string]interface{}{
+					"labels": map[string]interface{}{oam.LabelOAMResourceType: "TRAIT"},
+				},
+			}},
+			expectStrategy: GarbageCollectStrategyNever,
+		},
 	}
 	for name, tc := range testCases {
 		t.Run(name, func(t *testing.T) {

apis/core.oam.dev/v1alpha1/policy_types.go

@@ -21,12 +21,31 @@ const (
 	TopologyPolicyType = "topology"
 	// OverridePolicyType refers to the type of override policy
 	OverridePolicyType = "override"
+	// DebugPolicyType refers to the type of debug policy
+	DebugPolicyType = "debug"
 )
 
 // TopologyPolicySpec defines the spec of topology policy
 type TopologyPolicySpec struct {
-	Clusters        []string          `json:"clusters,omitempty"`
-	ClusterSelector map[string]string `json:"clusterSelector,omitempty"`
+	// Placement embeds the selectors for choosing cluster
+	Placement `json:",inline"`
+	// Namespace is the target namespace to deploy in the selected clusters.
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+}
+
+// Placement describes which clusters to be selected in this topology
+type Placement struct {
+	// Clusters is the names of the clusters to select.
+	Clusters []string `json:"clusters,omitempty"`
+
+	// ClusterLabelSelector is the label selector for clusters.
+	// Exclusive to "clusters"
+	ClusterLabelSelector map[string]string `json:"clusterLabelSelector,omitempty"`
+
+	// DeprecatedClusterSelector is a depreciated alias for ClusterLabelSelector.
+	// Deprecated: Use clusterLabelSelector instead.
+	DeprecatedClusterSelector map[string]string `json:"clusterSelector,omitempty"`
 }
 
 // OverridePolicySpec defines the spec of override policy

apis/core.oam.dev/v1alpha1/register.go

@@ -19,11 +19,13 @@ package v1alpha1
 import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"sigs.k8s.io/controller-runtime/pkg/scheme"
+
+	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 )
 
 // Package type metadata.
 const (
-	Group   = "core.oam.dev"
+	Group   = common.Group
 	Version = "v1alpha1"
 )
 
@@ -38,6 +40,18 @@ var (
 	AddToScheme = SchemeBuilder.AddToScheme
 )
 
+// Policy meta
+var (
+	PolicyKind             = "Policy"
+	PolicyGroupVersionKind = SchemeGroupVersion.WithKind(PolicyKind)
+)
+
+// Workflow meta
+var (
+	WorkflowKind             = "Workflow"
+	WorkflowGroupVersionKind = SchemeGroupVersion.WithKind(WorkflowKind)
+)
+
 func init() {
 	SchemeBuilder.Register(&Policy{}, &PolicyList{})
 	SchemeBuilder.Register(&Workflow{}, &WorkflowList{})

apis/core.oam.dev/v1alpha1/zz_generated.deepcopy.go

@@ -25,7 +25,6 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
 )
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
@@ -282,8 +281,8 @@ func (in *GarbageCollectPolicyRule) DeepCopy() *GarbageCollectPolicyRule {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GarbageCollectPolicyRuleSelector) DeepCopyInto(out *GarbageCollectPolicyRuleSelector) {
 	*out = *in
-	if in.TraitTypes != nil {
-		in, out := &in.TraitTypes, &out.TraitTypes
+	if in.CompNames != nil {
+		in, out := &in.CompNames, &out.CompNames
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
@@ -292,6 +291,16 @@ func (in *GarbageCollectPolicyRuleSelector) DeepCopyInto(out *GarbageCollectPoli
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.OAMResourceTypes != nil {
+		in, out := &in.OAMResourceTypes, &out.OAMResourceTypes
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.TraitTypes != nil {
+		in, out := &in.TraitTypes, &out.TraitTypes
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GarbageCollectPolicyRuleSelector.
@@ -326,6 +335,21 @@ func (in *GarbageCollectPolicySpec) DeepCopy() *GarbageCollectPolicySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LegacyObjectTypeIdentifier) DeepCopyInto(out *LegacyObjectTypeIdentifier) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LegacyObjectTypeIdentifier.
+func (in *LegacyObjectTypeIdentifier) DeepCopy() *LegacyObjectTypeIdentifier {
+	if in == nil {
+		return nil
+	}
+	out := new(LegacyObjectTypeIdentifier)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NamespaceSelector) DeepCopyInto(out *NamespaceSelector) {
 	*out = *in
@@ -348,6 +372,68 @@ func (in *NamespaceSelector) DeepCopy() *NamespaceSelector {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ObjectReferrer) DeepCopyInto(out *ObjectReferrer) {
+	*out = *in
+	out.ObjectTypeIdentifier = in.ObjectTypeIdentifier
+	in.ObjectSelector.DeepCopyInto(&out.ObjectSelector)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectReferrer.
+func (in *ObjectReferrer) DeepCopy() *ObjectReferrer {
+	if in == nil {
+		return nil
+	}
+	out := new(ObjectReferrer)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ObjectSelector) DeepCopyInto(out *ObjectSelector) {
+	*out = *in
+	if in.LabelSelector != nil {
+		in, out := &in.LabelSelector, &out.LabelSelector
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.DeprecatedLabelSelector != nil {
+		in, out := &in.DeprecatedLabelSelector, &out.DeprecatedLabelSelector
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectSelector.
+func (in *ObjectSelector) DeepCopy() *ObjectSelector {
+	if in == nil {
+		return nil
+	}
+	out := new(ObjectSelector)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ObjectTypeIdentifier) DeepCopyInto(out *ObjectTypeIdentifier) {
+	*out = *in
+	out.LegacyObjectTypeIdentifier = in.LegacyObjectTypeIdentifier
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectTypeIdentifier.
+func (in *ObjectTypeIdentifier) DeepCopy() *ObjectTypeIdentifier {
+	if in == nil {
+		return nil
+	}
+	out := new(ObjectTypeIdentifier)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OverridePolicySpec) DeepCopyInto(out *OverridePolicySpec) {
 	*out = *in
@@ -375,6 +461,40 @@ func (in *OverridePolicySpec) DeepCopy() *OverridePolicySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Placement) DeepCopyInto(out *Placement) {
+	*out = *in
+	if in.Clusters != nil {
+		in, out := &in.Clusters, &out.Clusters
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.ClusterLabelSelector != nil {
+		in, out := &in.ClusterLabelSelector, &out.ClusterLabelSelector
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.DeprecatedClusterSelector != nil {
+		in, out := &in.DeprecatedClusterSelector, &out.DeprecatedClusterSelector
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Placement.
+func (in *Placement) DeepCopy() *Placement {
+	if in == nil {
+		return nil
+	}
+	out := new(Placement)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PlacementDecision) DeepCopyInto(out *PlacementDecision) {
 	*out = *in
@@ -453,22 +573,33 @@ func (in *PolicyList) DeepCopyObject() runtime.Object {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TopologyPolicySpec) DeepCopyInto(out *TopologyPolicySpec) {
+func (in *RefObjectsComponentSpec) DeepCopyInto(out *RefObjectsComponentSpec) {
 	*out = *in
-	if in.Clusters != nil {
-		in, out := &in.Clusters, &out.Clusters
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-	if in.ClusterSelector != nil {
-		in, out := &in.ClusterSelector, &out.ClusterSelector
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
+	if in.Objects != nil {
+		in, out := &in.Objects, &out.Objects
+		*out = make([]ObjectReferrer, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 }
 
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RefObjectsComponentSpec.
+func (in *RefObjectsComponentSpec) DeepCopy() *RefObjectsComponentSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(RefObjectsComponentSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TopologyPolicySpec) DeepCopyInto(out *TopologyPolicySpec) {
+	*out = *in
+	in.Placement.DeepCopyInto(&out.Placement)
+}
+
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TopologyPolicySpec.
 func (in *TopologyPolicySpec) DeepCopy() *TopologyPolicySpec {
 	if in == nil {
@@ -486,7 +617,7 @@ func (in *Workflow) DeepCopyInto(out *Workflow) {
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	if in.Steps != nil {
 		in, out := &in.Steps, &out.Steps
-		*out = make([]v1beta1.WorkflowStep, len(*in))
+		*out = make([]common.WorkflowStep, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}

apis/core.oam.dev/v1alpha2/application_types.go

@@ -87,7 +87,7 @@ type ApplicationSpec struct {
 
 // Application is the Schema for the applications API
 // +kubebuilder:object:root=true
-// +kubebuilder:resource:categories={oam},shortName=app
+// +kubebuilder:resource:categories={oam},shortName={app,velaapp}
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="COMPONENT",type=string,JSONPath=`.spec.components[*].name`
 // +kubebuilder:printcolumn:name="TYPE",type=string,JSONPath=`.spec.components[*].type`

apis/core.oam.dev/v1alpha2/register.go

@@ -21,11 +21,13 @@ import (
 
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"sigs.k8s.io/controller-runtime/pkg/scheme"
+
+	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 )
 
 // Package type metadata.
 const (
-	Group   = "core.oam.dev"
+	Group   = common.Group
 	Version = "v1alpha2"
 )
 

apis/core.oam.dev/v1beta1/application_types.go

@@ -50,21 +50,7 @@ type AppPolicy struct {
 }
 
 // WorkflowStep defines how to execute a workflow step.
-type WorkflowStep struct {
-	// Name is the unique name of the workflow step.
-	Name string `json:"name"`
-
-	Type string `json:"type"`
-
-	// +kubebuilder:pruning:PreserveUnknownFields
-	Properties *runtime.RawExtension `json:"properties,omitempty"`
-
-	DependsOn []string `json:"dependsOn,omitempty"`
-
-	Inputs common.StepInputs `json:"inputs,omitempty"`
-
-	Outputs common.StepOutputs `json:"outputs,omitempty"`
-}
+type WorkflowStep common.WorkflowStep
 
 // Workflow defines workflow steps and other attributes
 type Workflow struct {
@@ -96,7 +82,7 @@ type ApplicationSpec struct {
 // Application is the Schema for the applications API
 // +kubebuilder:storageversion
 // +kubebuilder:subresource:status
-// +kubebuilder:resource:categories={oam},shortName=app
+// +kubebuilder:resource:categories={oam},shortName={app,velaapp}
 // +kubebuilder:printcolumn:name="COMPONENT",type=string,JSONPath=`.spec.components[*].name`
 // +kubebuilder:printcolumn:name="TYPE",type=string,JSONPath=`.spec.components[*].type`
 // +kubebuilder:printcolumn:name="PHASE",type=string,JSONPath=`.status.status`

apis/core.oam.dev/v1beta1/applicationrevision_types.go

@@ -17,11 +17,10 @@
 package v1beta1
 
 import (
-	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
 
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
+	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1alpha1"
 )
 
 // NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
@@ -52,19 +51,23 @@ type ApplicationRevisionSpec struct {
 	// ScopeGVK records the apiVersion to GVK mapping
 	ScopeGVK map[string]metav1.GroupVersionKind `json:"scopeGVK,omitempty"`
 
-	// Components records the rendered components from Application, it will contains the whole K8s CR of workload in it.
-	// +deprecated
-	Components []common.RawComponent `json:"components,omitempty"`
+	// Policies records the external policies
+	Policies map[string]v1alpha1.Policy `json:"policies,omitempty"`
 
-	// ApplicationConfiguration records the rendered applicationConfiguration from Application,
-	// it will contains the whole K8s CR of trait and the reference component in it.
-	// +kubebuilder:validation:EmbeddedResource
+	// Workflow records the external workflow
+	Workflow *v1alpha1.Workflow `json:"workflow,omitempty"`
+
+	// ReferredObjects records the referred objects used in the ref-object typed components
 	// +kubebuilder:pruning:PreserveUnknownFields
-	// +deprecated
-	ApplicationConfiguration runtime.RawExtension `json:"applicationConfiguration,omitempty"`
+	ReferredObjects []common.ReferredObject `json:"referredObjects,omitempty"`
+}
 
-	// ResourcesConfigMap references the ConfigMap that's generated to contain all final rendered resources.
-	ResourcesConfigMap corev1.LocalObjectReference `json:"resourcesConfigMap,omitempty"`
+// ApplicationRevisionStatus is the status of ApplicationRevision
+type ApplicationRevisionStatus struct {
+	// Succeeded records if the workflow finished running with success
+	Succeeded bool `json:"succeeded"`
+	// Workflow the running status of the workflow
+	Workflow *common.WorkflowStatus `json:"workflow,omitempty"`
 }
 
 // +kubebuilder:object:root=true
@@ -72,14 +75,18 @@ type ApplicationRevisionSpec struct {
 // ApplicationRevision is the Schema for the ApplicationRevision API
 // +kubebuilder:storageversion
 // +kubebuilder:resource:categories={oam},shortName=apprev
+// +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="AGE",type=date,JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:printcolumn:name="PUBLISH_VERSION",type=string,JSONPath=`.metadata.annotations['app\.oam\.dev\/publishVersion']`
+// +kubebuilder:printcolumn:name="SUCCEEDED",type=string,JSONPath=`.status.succeeded`
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type ApplicationRevision struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	Spec ApplicationRevisionSpec `json:"spec,omitempty"`
+	Spec   ApplicationRevisionSpec   `json:"spec,omitempty"`
+	Status ApplicationRevisionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true

apis/core.oam.dev/v1beta1/core_types.go

@@ -157,6 +157,9 @@ type TraitDefinitionSpec struct {
 	// SkipRevisionAffect defines the update this trait will not generate a new application Revision
 	// +optional
 	SkipRevisionAffect bool `json:"skipRevisionAffect,omitempty"`
+	// ControlPlaneOnly defines which cluster is dispatched to
+	// +optional
+	ControlPlaneOnly bool `json:"controlPlaneOnly,omitempty"`
 }
 
 // TraitDefinitionStatus is the status of TraitDefinition

apis/core.oam.dev/v1beta1/policy_definition.go

@@ -43,6 +43,9 @@ type PolicyDefinitionStatus struct {
 	// ConditionedStatus reflects the observed status of a resource
 	condition.ConditionedStatus `json:",inline"`
 
+	// ConfigMapRef refer to a ConfigMap which contains OpenAPI V3 JSON schema of Component parameters.
+	ConfigMapRef string `json:"configMapRef,omitempty"`
+
 	// LatestRevision of the component definition
 	// +optional
 	LatestRevision *common.Revision `json:"latestRevision,omitempty"`

apis/core.oam.dev/v1beta1/register.go

@@ -21,11 +21,13 @@ import (
 
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"sigs.k8s.io/controller-runtime/pkg/scheme"
+
+	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 )
 
 // Package type metadata.
 const (
-	Group   = "core.oam.dev"
+	Group   = common.Group
 	Version = "v1beta1"
 )
 

apis/core.oam.dev/v1beta1/resourcetracker_types.go

@@ -31,6 +31,7 @@ import (
 
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/apis/interfaces"
+	velatypes "github.com/oam-dev/kubevela/apis/types"
 	"github.com/oam-dev/kubevela/pkg/oam"
 	"github.com/oam-dev/kubevela/pkg/utils/errors"
 )
@@ -121,7 +122,11 @@ func (in ManagedResource) NamespacedName() types.NamespacedName {
 // ResourceKey computes the key for managed resource, resources with the same key points to the same resource
 func (in ManagedResource) ResourceKey() string {
 	gv, kind := in.GroupVersionKind().ToAPIVersionAndKind()
-	return strings.Join([]string{gv, kind, in.Cluster, in.Namespace, in.Name}, "/")
+	cluster := in.Cluster
+	if cluster == "" {
+		cluster = velatypes.ClusterLocalName
+	}
+	return strings.Join([]string{gv, kind, cluster, in.Namespace, in.Name}, "/")
 }
 
 // ComponentKey computes the key for the component which managed resource belongs to
@@ -186,10 +191,9 @@ func (in *ResourceTracker) findMangedResourceIndex(mr ManagedResource) int {
 	return -1
 }
 
-// AddManagedResource add object to managed resources, if exists, update
-func (in *ResourceTracker) AddManagedResource(rsc client.Object, metaOnly bool) (updated bool) {
+func newManagedResourceFromResource(rsc client.Object) ManagedResource {
 	gvk := rsc.GetObjectKind().GroupVersionKind()
-	mr := ManagedResource{
+	return ManagedResource{
 		ClusterObjectReference: common.ClusterObjectReference{
 			ObjectReference: v1.ObjectReference{
 				APIVersion: gvk.GroupVersion().String(),
@@ -202,9 +206,23 @@ func (in *ResourceTracker) AddManagedResource(rsc client.Object, metaOnly bool)
 		OAMObjectReference: common.NewOAMObjectReferenceFromObject(rsc),
 		Deleted:            false,
 	}
+}
+
+// ContainsManagedResource check if resource exists in ResourceTracker
+func (in *ResourceTracker) ContainsManagedResource(rsc client.Object) bool {
+	mr := newManagedResourceFromResource(rsc)
+	return in.findMangedResourceIndex(mr) >= 0
+}
+
+// AddManagedResource add object to managed resources, if exists, update
+func (in *ResourceTracker) AddManagedResource(rsc client.Object, metaOnly bool, creator common.ResourceCreatorRole) (updated bool) {
+	mr := newManagedResourceFromResource(rsc)
 	if !metaOnly {
 		mr.Data = &runtime.RawExtension{Object: rsc}
 	}
+	if creator != "" {
+		mr.ClusterObjectReference.Creator = creator
+	}
 	if idx := in.findMangedResourceIndex(mr); idx >= 0 {
 		if reflect.DeepEqual(in.Spec.ManagedResources[idx], mr) {
 			return false

apis/core.oam.dev/v1beta1/resourcetracker_types_test.go

@@ -156,16 +156,16 @@ func TestResourceTracker_ManagedResource(t *testing.T) {
 	r := require.New(t)
 	input := &ResourceTracker{}
 	deploy1 := v12.Deployment{ObjectMeta: v13.ObjectMeta{Name: "deploy1"}}
-	input.AddManagedResource(&deploy1, true)
+	input.AddManagedResource(&deploy1, true, "")
 	r.Equal(1, len(input.Spec.ManagedResources))
 	cm2 := v1.ConfigMap{ObjectMeta: v13.ObjectMeta{Name: "cm2"}}
-	input.AddManagedResource(&cm2, false)
+	input.AddManagedResource(&cm2, false, "")
 	r.Equal(2, len(input.Spec.ManagedResources))
 	pod3 := v1.Pod{ObjectMeta: v13.ObjectMeta{Name: "pod3"}}
-	input.AddManagedResource(&pod3, false)
+	input.AddManagedResource(&pod3, false, "")
 	r.Equal(3, len(input.Spec.ManagedResources))
 	deploy1.Spec.Replicas = pointer.Int32(5)
-	input.AddManagedResource(&deploy1, false)
+	input.AddManagedResource(&deploy1, false, "")
 	r.Equal(3, len(input.Spec.ManagedResources))
 	input.DeleteManagedResource(&cm2, false)
 	r.Equal(3, len(input.Spec.ManagedResources))

apis/core.oam.dev/v1beta1/zz_generated.deepcopy.go

@@ -26,6 +26,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
+	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1alpha1"
 )
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
@@ -113,6 +114,7 @@ func (in *ApplicationRevision) DeepCopyInto(out *ApplicationRevision) {
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationRevision.
@@ -218,15 +220,25 @@ func (in *ApplicationRevisionSpec) DeepCopyInto(out *ApplicationRevisionSpec) {
 			(*out)[key] = val
 		}
 	}
-	if in.Components != nil {
-		in, out := &in.Components, &out.Components
-		*out = make([]common.RawComponent, len(*in))
+	if in.Policies != nil {
+		in, out := &in.Policies, &out.Policies
+		*out = make(map[string]v1alpha1.Policy, len(*in))
+		for key, val := range *in {
+			(*out)[key] = *val.DeepCopy()
+		}
+	}
+	if in.Workflow != nil {
+		in, out := &in.Workflow, &out.Workflow
+		*out = new(v1alpha1.Workflow)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ReferredObjects != nil {
+		in, out := &in.ReferredObjects, &out.ReferredObjects
+		*out = make([]common.ReferredObject, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-	in.ApplicationConfiguration.DeepCopyInto(&out.ApplicationConfiguration)
-	out.ResourcesConfigMap = in.ResourcesConfigMap
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationRevisionSpec.
@@ -239,6 +251,26 @@ func (in *ApplicationRevisionSpec) DeepCopy() *ApplicationRevisionSpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ApplicationRevisionStatus) DeepCopyInto(out *ApplicationRevisionStatus) {
+	*out = *in
+	if in.Workflow != nil {
+		in, out := &in.Workflow, &out.Workflow
+		*out = new(common.WorkflowStatus)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationRevisionStatus.
+func (in *ApplicationRevisionStatus) DeepCopy() *ApplicationRevisionStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ApplicationRevisionStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ApplicationSpec) DeepCopyInto(out *ApplicationSpec) {
 	*out = *in

apis/types/multicluster.go

@@ -0,0 +1,42 @@
+/*
+Copyright 2021 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package types
+
+import (
+	"github.com/oam-dev/cluster-gateway/pkg/apis/cluster/v1alpha1"
+	"github.com/oam-dev/cluster-gateway/pkg/config"
+)
+
+const (
+	// ClusterLocalName the name for the hub cluster
+	ClusterLocalName = "local"
+
+	// CredentialTypeInternal identifies the virtual cluster from internal kubevela system
+	CredentialTypeInternal v1alpha1.CredentialType = "Internal"
+	// CredentialTypeOCMManagedCluster identifies the virtual cluster from ocm
+	CredentialTypeOCMManagedCluster v1alpha1.CredentialType = "ManagedCluster"
+	// ClusterBlankEndpoint identifies the endpoint of a cluster as blank (not available)
+	ClusterBlankEndpoint = "-"
+
+	// ClustersArg indicates the argument for specific clusters to install addon
+	ClustersArg = "clusters"
+)
+
+var (
+	// AnnotationClusterAlias the annotation key for cluster alias
+	AnnotationClusterAlias = config.MetaApiGroupName + "/cluster-alias"
+)

apis/types/types.go

@@ -18,6 +18,13 @@ package types
 
 import "github.com/oam-dev/kubevela/pkg/oam"
 
+const (
+	// KubeVelaName name of kubevela
+	KubeVelaName = "kubevela"
+	// VelaCoreName name of vela-core
+	VelaCoreName = "vela-core"
+)
+
 const (
 	// DefaultKubeVelaReleaseName defines the default name of KubeVela Release
 	DefaultKubeVelaReleaseName = "kubevela"
@@ -41,6 +48,10 @@ var DefaultKubeVelaNS = "vela-system"
 const (
 	// AnnoDefinitionDescription is the annotation which describe what is the capability used for in a WorkloadDefinition/TraitDefinition Object
 	AnnoDefinitionDescription = "definition.oam.dev/description"
+	// AnnoDefinitionAlias is the annotation for definition alias
+	AnnoDefinitionAlias = "definition.oam.dev/alias"
+	// AnnoDefinitionIcon is the annotation which describe the icon url
+	AnnoDefinitionIcon = "definition.oam.dev/icon"
 	// AnnoDefinitionAppliedWorkloads is the annotation which describe what is the workloads used for in a TraitDefinition Object
 	AnnoDefinitionAppliedWorkloads = "definition.oam.dev/appliedWorkloads"
 	// LabelDefinition is the label for definition
@@ -59,6 +70,22 @@ const (
 	AnnoIngressControllerHTTPSPort = "ingress.controller/https-port"
 	// AnnoIngressControllerHTTPPort define ingress controller listen port for http
 	AnnoIngressControllerHTTPPort = "ingress.controller/http-port"
+	// LabelConfigType is the label for config type
+	LabelConfigType = "config.oam.dev/type"
+	// LabelConfigCatalog is the label for config catalog
+	LabelConfigCatalog = "config.oam.dev/catalog"
+	// LabelConfigSubType is the sub-type for a config type
+	LabelConfigSubType = "config.oam.dev/sub-type"
+	// LabelConfigProject is the label for config project
+	LabelConfigProject = "config.oam.dev/project"
+	// LabelConfigSyncToMultiCluster is the label to decide whether a config will be synchronized to multi-cluster
+	LabelConfigSyncToMultiCluster = "config.oam.dev/multi-cluster"
+	// LabelConfigIdentifier is the label for config identifier
+	LabelConfigIdentifier = "config.oam.dev/identifier"
+	// AnnotationConfigDescription is the annotation for config description
+	AnnotationConfigDescription = "config.oam.dev/description"
+	// AnnotationConfigAlias is the annotation for config alias
+	AnnotationConfigAlias = "config.oam.dev/alias"
 )
 
 const (
@@ -116,3 +143,34 @@ var DefaultFilterAnnots = []string{
 	oam.AnnotationFilterAnnotationKeys,
 	oam.AnnotationLastAppliedConfiguration,
 }
+
+// ConfigType is the type of config
+type ConfigType string
+
+const (
+	// TerraformProvider is the config type for terraform provider
+	TerraformProvider = "terraform-provider"
+	// DexConnector is the config type for dex connector
+	DexConnector = "config-dex-connector"
+	// ImageRegistry is the config type for image registry
+	ImageRegistry = "config-image-registry"
+	// HelmRepository is the config type for Helm chart repository
+	HelmRepository = "config-helm-repository"
+)
+
+const (
+	// TerraformComponentPrefix is the prefix of component type of terraform-xxx
+	TerraformComponentPrefix = "terraform-"
+
+	// ProviderAppPrefix is the prefix of the application to create a Terraform Provider
+	ProviderAppPrefix = "config-terraform-provider"
+	// ProviderNamespace is the namespace of Terraform Cloud Provider
+	ProviderNamespace = "default"
+	// VelaCoreConfig is to mark application, config and its secret or Terraform provider lelong to a KubeVela config
+	VelaCoreConfig = "velacore-config"
+)
+
+const (
+	// ClusterGatewayAccessorGroup the group to impersonate which allows the access to the cluster-gateway
+	ClusterGatewayAccessorGroup = "cluster-gateway-accessor"
+)

charts/oam-runtime/crds/core.oam.dev_traitdefinitions.yaml

@@ -372,6 +372,10 @@ spec:
                 items:
                   type: string
                 type: array
+              controlPlaneOnly:
+                description: ControlPlaneOnly defines which cluster is dispatched
+                  to
+                type: boolean
               definitionRef:
                 description: Reference to the CustomResourceDefinition that defines
                   this trait kind.

charts/vela-core/README.md

@@ -1,18 +1,18 @@
 <div style="text-align: center">
   <p align="center">
-    <img src="https://raw.githubusercontent.com/oam-dev/kubevela.io/main/docs/resources/KubeVela-03.png">
+    <img src="https://raw.githubusercontent.com/kubevela/kubevela.io/main/docs/resources/KubeVela-03.png">
     <br><br>
     <i>Make shipping applications more enjoyable.</i>
   </p>
 </div>
 
-![Build status](https://github.com/oam-dev/kubevela/workflows/E2E/badge.svg)
-[![Go Report Card](https://goreportcard.com/badge/github.com/oam-dev/kubevela)](https://goreportcard.com/report/github.com/oam-dev/kubevela)
+![Build status](https://github.com/kubevela/kubevela/workflows/E2E/badge.svg)
+[![Go Report Card](https://goreportcard.com/badge/github.com/kubevela/kubevela)](https://goreportcard.com/report/github.com/kubevela/kubevela)
 ![Docker Pulls](https://img.shields.io/docker/pulls/oamdev/vela-core)
-[![codecov](https://codecov.io/gh/oam-dev/kubevela/branch/master/graph/badge.svg)](https://codecov.io/gh/oam-dev/kubevela)
-[![LICENSE](https://img.shields.io/github/license/oam-dev/kubevela.svg?style=flat-square)](/LICENSE)
-[![Releases](https://img.shields.io/github/release/oam-dev/kubevela/all.svg?style=flat-square)](https://github.com/oam-dev/kubevela/releases)
-[![TODOs](https://img.shields.io/endpoint?url=https://api.tickgit.com/badge?repo=github.com/oam-dev/kubevela)](https://www.tickgit.com/browse?repo=github.com/oam-dev/kubevela)
+[![codecov](https://codecov.io/gh/kubevela/kubevela/branch/master/graph/badge.svg)](https://codecov.io/gh/kubevela/kubevela)
+[![LICENSE](https://img.shields.io/github/license/kubevela/kubevela.svg?style=flat-square)](/LICENSE)
+[![Releases](https://img.shields.io/github/release/kubevela/kubevela/all.svg?style=flat-square)](https://github.com/kubevela/kubevela/releases)
+[![TODOs](https://img.shields.io/endpoint?url=https://api.tickgit.com/badge?repo=github.com/kubevela/kubevela)](https://www.tickgit.com/browse?repo=github.com/oam-dev/kubevela)
 [![Twitter](https://img.shields.io/twitter/url?style=social&url=https%3A%2F%2Ftwitter.com%2Foam_dev)](https://twitter.com/oam_dev)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/kubevela)](https://artifacthub.io/packages/search?repo=kubevela)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4602/badge)](https://bestpractices.coreinfrastructure.org/projects/4602)
@@ -78,20 +78,38 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 | `healthCheck.port`          | KubeVela health check port           | `9440`             |
 
 
+### KubeVela controller optimization parameters
+
+| Name                                              | Description                                                                                                                                       | Value   |
+| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `optimize.cachedGvks`                             | Optimize types of resources to be cached.                                                                                                         | `""`    |
+| `optimize.resourceTrackerListOp`                  | Optimize ResourceTracker List Op by adding index.                                                                                                 | `true`  |
+| `optimize.controllerReconcileLoopReduction`       | Optimize ApplicationController reconcile by reducing the number of loops to reconcile application.                                                | `false` |
+| `optimize.markWithProb`                           | Optimize ResourceTracker GC by only run mark with probability. Side effect: outdated ResourceTracker might not be able to be removed immediately. | `0.1`   |
+| `optimize.disableComponentRevision`               | Optimize componentRevision by disabling the creation and gc                                                                                       | `false` |
+| `optimize.disableApplicationRevision`             | Optimize ApplicationRevision by disabling the creation and gc.                                                                                    | `false` |
+| `optimize.disableWorkflowRecorder`                | Optimize workflow recorder by disabling the creation and gc.                                                                                      | `false` |
+| `optimize.enableInMemoryWorkflowContext`          | Optimize workflow by use in-memory context.                                                                                                       | `false` |
+| `optimize.disableResourceApplyDoubleCheck`        | Optimize workflow by ignoring resource double check after apply.                                                                                  | `false` |
+| `optimize.enableResourceTrackerDeleteOnlyTrigger` | Optimize resourcetracker by only trigger reconcile when resourcetracker is deleted.                                                               | `true`  |
+
+
 ### MultiCluster parameters
 
-| Name                                                  | Description                      | Value                            |
-| ----------------------------------------------------- | -------------------------------- | -------------------------------- |
-| `multicluster.enabled`                                | Whether to enable multi-cluster  | `true`                           |
-| `multicluster.clusterGateway.replicaCount`            | ClusterGateway replica count     | `1`                              |
-| `multicluster.clusterGateway.port`                    | ClusterGateway port              | `9443`                           |
-| `multicluster.clusterGateway.image.repository`        | ClusterGateway image repository  | `oamdev/cluster-gateway`         |
-| `multicluster.clusterGateway.image.tag`               | ClusterGateway image tag         | `v1.1.7`                         |
-| `multicluster.clusterGateway.image.pullPolicy`        | ClusterGateway image pull policy | `IfNotPresent`                   |
-| `multicluster.clusterGateway.resources.limits.cpu`    | ClusterGateway cpu limit         | `100m`                           |
-| `multicluster.clusterGateway.resources.limits.memory` | ClusterGateway memory limit      | `200Mi`                          |
-| `multicluster.clusterGateway.secureTLS.enabled`       | Whether to enable secure TLS     | `true`                           |
-| `multicluster.clusterGateway.secureTLS.certPath`      | Path to the certificate file     | `/etc/k8s-cluster-gateway-certs` |
+| Name                                                        | Description                                     | Value                            |
+| ----------------------------------------------------------- | ----------------------------------------------- | -------------------------------- |
+| `multicluster.enabled`                                      | Whether to enable multi-cluster                 | `true`                           |
+| `multicluster.metrics.enabled`                              | Whether to enable multi-cluster metrics collect | `false`                          |
+| `multicluster.clusterGateway.replicaCount`                  | ClusterGateway replica count                    | `1`                              |
+| `multicluster.clusterGateway.port`                          | ClusterGateway port                             | `9443`                           |
+| `multicluster.clusterGateway.image.repository`              | ClusterGateway image repository                 | `oamdev/cluster-gateway`         |
+| `multicluster.clusterGateway.image.tag`                     | ClusterGateway image tag                        | `v1.3.2`                         |
+| `multicluster.clusterGateway.image.pullPolicy`              | ClusterGateway image pull policy                | `IfNotPresent`                   |
+| `multicluster.clusterGateway.resources.limits.cpu`          | ClusterGateway cpu limit                        | `100m`                           |
+| `multicluster.clusterGateway.resources.limits.memory`       | ClusterGateway memory limit                     | `200Mi`                          |
+| `multicluster.clusterGateway.secureTLS.enabled`             | Whether to enable secure TLS                    | `true`                           |
+| `multicluster.clusterGateway.secureTLS.certPath`            | Path to the certificate file                    | `/etc/k8s-cluster-gateway-certs` |
+| `multicluster.clusterGateway.secureTLS.certManager.enabled` | Whether to enable cert-manager                  | `false`                          |
 
 
 ### Test parameters
@@ -106,37 +124,43 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 
 ### Common parameters
 
-| Name                         | Description                                                                                                                | Value   |
-| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `imagePullSecrets`           | Image pull secrets                                                                                                         | `[]`    |
-| `nameOverride`               | Override name                                                                                                              | `""`    |
-| `fullnameOverride`           | Fullname override                                                                                                          | `""`    |
-| `serviceAccount.create`      | Specifies whether a service account should be created                                                                      | `true`  |
-| `serviceAccount.annotations` | Annotations to add to the service account                                                                                  | `{}`    |
-| `serviceAccount.name`        | The name of the service account to use. If not set and create is true, a name is generated using the fullname template     | `nil`   |
-| `nodeSelector`               | Node selector                                                                                                              | `{}`    |
-| `tolerations`                | Tolerations                                                                                                                | `[]`    |
-| `affinity`                   | Affinity                                                                                                                   | `{}`    |
-| `rbac.create`                | Specifies whether a RBAC role should be created                                                                            | `true`  |
-| `logDebug`                   | Enable debug logs for development purpose                                                                                  | `false` |
-| `logFilePath`                | If non-empty, write log files in this path                                                                                 | `""`    |
-| `logFileMaxSize`             | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. | `1024`  |
-| `kubeClient.qps`             | The qps for reconcile clients, default is 50                                                                               | `50`    |
-| `kubeClient.burst`           | The burst for reconcile clients, default is 100                                                                            | `100`   |
+| Name                          | Description                                                                                                                | Value                |
+| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------- | -------------------- |
+| `imagePullSecrets`            | Image pull secrets                                                                                                         | `[]`                 |
+| `nameOverride`                | Override name                                                                                                              | `""`                 |
+| `fullnameOverride`            | Fullname override                                                                                                          | `""`                 |
+| `serviceAccount.create`       | Specifies whether a service account should be created                                                                      | `true`               |
+| `serviceAccount.annotations`  | Annotations to add to the service account                                                                                  | `{}`                 |
+| `serviceAccount.name`         | The name of the service account to use. If not set and create is true, a name is generated using the fullname template     | `nil`                |
+| `nodeSelector`                | Node selector                                                                                                              | `{}`                 |
+| `tolerations`                 | Tolerations                                                                                                                | `[]`                 |
+| `affinity`                    | Affinity                                                                                                                   | `{}`                 |
+| `rbac.create`                 | Specifies whether a RBAC role should be created                                                                            | `true`               |
+| `logDebug`                    | Enable debug logs for development purpose                                                                                  | `false`              |
+| `logFilePath`                 | If non-empty, write log files in this path                                                                                 | `""`                 |
+| `logFileMaxSize`              | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. | `1024`               |
+| `kubeClient.qps`              | The qps for reconcile clients, default is 50                                                                               | `50`                 |
+| `kubeClient.burst`            | The burst for reconcile clients, default is 100                                                                            | `100`                |
+| `authentication.enabled`      | Enable authentication for application                                                                                      | `false`              |
+| `authentication.withUser`     | Application authentication will impersonate as the request User                                                            | `false`              |
+| `authentication.defaultUser`  | Application authentication will impersonate as the User if no user provided in Application                                 | `kubevela:vela-core` |
+| `authentication.groupPattern` | Application authentication will impersonate as the request Group that matches the pattern                                  | `kubevela:*`         |
 
 
-## Uninstalling the Chart
+## Uninstallation
 
-To uninstall/delete the KubeVela helm release
+### Vela CLI 
+
+To uninstall KubeVela, you can just run the following command by vela CLI:
 
 ```shell
-$ helm uninstall -n vela-system kubevela
+vela uninstall --force
 ```
 
-The command removes all the Kubernetes components associated with kubevela and deletes the release.
+### Helm CLI
+
+**Notice**: You must disable all the addons before uninstallation, this is a script for convenience. 
 
-**Notice**: If you enable fluxcd addon  when install the chart by set `enableFluxcdAddon=true` .Uninstall wouldn't disable the fluxcd addon ,and it will be kept in the cluster.Please guarantee there is no application in cluster use this addon and disable it firstly before uninstall the helm chart. 
-You can use this script to disable all addons.
 ```shell
 #! /bin/sh
 addon=$(vela addon list|grep enabled|awk {'print $1'})
@@ -156,7 +180,10 @@ if [ $fluxcd ]; then
 fi
 ```
 
+To uninstall the KubeVela helm release:
 
+```shell
+$ helm uninstall -n vela-system kubevela
+```
 
-
-
+Finally, this command will remove all the Kubernetes resources associated with KubeVela and remove this chart release.

charts/vela-core/crds/core.oam.dev_applicationrevisions.yaml

@@ -934,6 +934,8 @@ spec:
                             type: array
                           suspend:
                             type: boolean
+                          suspendState:
+                            type: string
                           terminated:
                             type: boolean
                         required:
@@ -2025,6 +2027,12 @@ spec:
     - jsonPath: .metadata.creationTimestamp
       name: AGE
       type: date
+    - jsonPath: .metadata.annotations['app\.oam\.dev\/publishVersion']
+      name: PUBLISH_VERSION
+      type: string
+    - jsonPath: .status.succeeded
+      name: SUCCEEDED
+      type: string
     name: v1beta1
     schema:
       openAPIV3Schema:
@@ -2737,6 +2745,8 @@ spec:
                             type: array
                           suspend:
                             type: boolean
+                          suspendState:
+                            type: string
                           terminated:
                             type: boolean
                         required:
@@ -2747,13 +2757,6 @@ spec:
                         type: object
                     type: object
                 type: object
-              applicationConfiguration:
-                description: ApplicationConfiguration records the rendered applicationConfiguration
-                  from Application, it will contains the whole K8s CR of trait and
-                  the reference component in it.
-                type: object
-                x-kubernetes-embedded-resource: true
-                x-kubernetes-preserve-unknown-fields: true
               componentDefinitions:
                 additionalProperties:
                   description: ComponentDefinition is the Schema for the componentdefinitions
@@ -3087,20 +3090,51 @@ spec:
                 description: ComponentDefinitions records the snapshot of the componentDefinitions
                   related with the created/modified Application
                 type: object
-              components:
-                description: Components records the rendered components from Application,
-                  it will contains the whole K8s CR of workload in it.
-                items:
-                  description: RawComponent record raw component
+              policies:
+                additionalProperties:
+                  description: Policy is the Schema for the policy API
                   properties:
-                    raw:
+                    apiVersion:
+                      description: 'APIVersion defines the versioned schema of this
+                        representation of an object. Servers should convert recognized
+                        schemas to the latest internal value, and may reject unrecognized
+                        values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                      type: string
+                    kind:
+                      description: 'Kind is a string value representing the REST resource
+                        this object represents. Servers may infer this from the endpoint
+                        the client submits requests to. Cannot be updated. In CamelCase.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                      type: string
+                    metadata:
+                      properties:
+                        annotations:
+                          additionalProperties:
+                            type: string
+                          type: object
+                        finalizers:
+                          items:
+                            type: string
+                          type: array
+                        labels:
+                          additionalProperties:
+                            type: string
+                          type: object
+                        name:
+                          type: string
+                        namespace:
+                          type: string
+                      type: object
+                    properties:
                       type: object
-                      x-kubernetes-embedded-resource: true
                       x-kubernetes-preserve-unknown-fields: true
+                    type:
+                      type: string
                   required:
-                  - raw
+                  - type
                   type: object
-                type: array
+                description: Policies records the external policies
+                type: object
               policyDefinitions:
                 additionalProperties:
                   description: PolicyDefinition is the Schema for the policydefinitions
@@ -3356,6 +3390,10 @@ spec:
                             - type
                             type: object
                           type: array
+                        configMapRef:
+                          description: ConfigMapRef refer to a ConfigMap which contains
+                            OpenAPI V3 JSON schema of Component parameters.
+                          type: string
                         latestRevision:
                           description: LatestRevision of the component definition
                           properties:
@@ -3377,15 +3415,16 @@ spec:
                 description: PolicyDefinitions records the snapshot of the PolicyDefinitions
                   related with the created/modified Application
                 type: object
-              resourcesConfigMap:
-                description: ResourcesConfigMap references the ConfigMap that's generated
-                  to contain all final rendered resources.
-                properties:
-                  name:
-                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                      TODO: Add other useful fields. apiVersion, kind, uid?'
-                    type: string
-                type: object
+              referredObjects:
+                description: ReferredObjects records the referred objects used in
+                  the ref-object typed components
+                items:
+                  description: ReferredObject the referred Kubernetes object
+                  type: object
+                  x-kubernetes-embedded-resource: true
+                  x-kubernetes-preserve-unknown-fields: true
+                type: array
+                x-kubernetes-preserve-unknown-fields: true
               scopeDefinitions:
                 additionalProperties:
                   description: A ScopeDefinition registers a kind of Kubernetes custom
@@ -3468,7 +3507,7 @@ spec:
               scopeGVK:
                 additionalProperties:
                   description: GroupVersionKind unambiguously identifies a kind.  It
-                    doesn't anonymously include GroupVersion to avoid automatic coersion.  It
+                    doesn't anonymously include GroupVersion to avoid automatic coercion.  It
                     doesn't use a GroupVersion to avoid custom marshalling
                   properties:
                     group:
@@ -3546,6 +3585,10 @@ spec:
                           items:
                             type: string
                           type: array
+                        controlPlaneOnly:
+                          description: ControlPlaneOnly defines which cluster is dispatched
+                            to
+                          type: boolean
                         definitionRef:
                           description: Reference to the CustomResourceDefinition that
                             defines this trait kind.
@@ -3819,6 +3862,89 @@ spec:
                 description: TraitDefinitions records the snapshot of the traitDefinitions
                   related with the created/modified Application
                 type: object
+              workflow:
+                description: Workflow records the external workflow
+                properties:
+                  apiVersion:
+                    description: 'APIVersion defines the versioned schema of this
+                      representation of an object. Servers should convert recognized
+                      schemas to the latest internal value, and may reject unrecognized
+                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    type: string
+                  kind:
+                    description: 'Kind is a string value representing the REST resource
+                      this object represents. Servers may infer this from the endpoint
+                      the client submits requests to. Cannot be updated. In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  metadata:
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        type: object
+                      finalizers:
+                        items:
+                          type: string
+                        type: array
+                      labels:
+                        additionalProperties:
+                          type: string
+                        type: object
+                      name:
+                        type: string
+                      namespace:
+                        type: string
+                    type: object
+                  steps:
+                    items:
+                      description: WorkflowStep defines how to execute a workflow
+                        step.
+                      properties:
+                        dependsOn:
+                          items:
+                            type: string
+                          type: array
+                        inputs:
+                          description: StepInputs defines variable input of WorkflowStep
+                          items:
+                            properties:
+                              from:
+                                type: string
+                              parameterKey:
+                                type: string
+                            required:
+                            - from
+                            - parameterKey
+                            type: object
+                          type: array
+                        name:
+                          description: Name is the unique name of the workflow step.
+                          type: string
+                        outputs:
+                          description: StepOutputs defines output variable of WorkflowStep
+                          items:
+                            properties:
+                              name:
+                                type: string
+                              valueFrom:
+                                type: string
+                            required:
+                            - name
+                            - valueFrom
+                            type: object
+                          type: array
+                        properties:
+                          type: object
+                          x-kubernetes-preserve-unknown-fields: true
+                        type:
+                          type: string
+                      required:
+                      - name
+                      - type
+                      type: object
+                    type: array
+                type: object
               workflowStepDefinitions:
                 additionalProperties:
                   description: WorkflowStepDefinition is the Schema for the workflowstepdefinitions
@@ -4408,10 +4534,184 @@ spec:
             required:
             - application
             type: object
+          status:
+            description: ApplicationRevisionStatus is the status of ApplicationRevision
+            properties:
+              succeeded:
+                description: Succeeded records if the workflow finished running with
+                  success
+                type: boolean
+              workflow:
+                description: Workflow the running status of the workflow
+                properties:
+                  appRevision:
+                    type: string
+                  contextBackend:
+                    description: 'ObjectReference contains enough information to let
+                      you inspect or modify the referred object. --- New uses of this
+                      type are discouraged because of difficulty describing its usage
+                      when embedded in APIs.  1. Ignored fields.  It includes many
+                      fields which are not generally honored.  For instance, ResourceVersion
+                      and FieldPath are both very rarely valid in actual usage.  2.
+                      Invalid usage help.  It is impossible to add specific help for
+                      individual usage.  In most embedded usages, there are particular     restrictions
+                      like, "must refer only to types A and B" or "UID not honored"
+                      or "name must be restricted".     Those cannot be well described
+                      when embedded.  3. Inconsistent validation.  Because the usages
+                      are different, the validation rules are different by usage,
+                      which makes it hard for users to predict what will happen.  4.
+                      The fields are both imprecise and overly precise.  Kind is not
+                      a precise mapping to a URL. This can produce ambiguity     during
+                      interpretation and require a REST mapping.  In most cases, the
+                      dependency is on the group,resource tuple     and the version
+                      of the actual struct is irrelevant.  5. We cannot easily change
+                      it.  Because this type is embedded in many locations, updates
+                      to this type     will affect numerous schemas.  Don''t make
+                      new APIs embed an underspecified API type they do not control.
+                      Instead of using this type, create a locally provided and used
+                      type that is well-focused on your reference. For example, ServiceReferences
+                      for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                      .'
+                    properties:
+                      apiVersion:
+                        description: API version of the referent.
+                        type: string
+                      fieldPath:
+                        description: 'If referring to a piece of an object instead
+                          of an entire object, this string should contain a valid
+                          JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                          For example, if the object reference is to a container within
+                          a pod, this would take on a value like: "spec.containers{name}"
+                          (where "name" refers to the name of the container that triggered
+                          the event) or if no container name is specified "spec.containers[2]"
+                          (container with index 2 in this pod). This syntax is chosen
+                          only to have some well-defined way of referencing a part
+                          of an object. TODO: this design is not final and this field
+                          is subject to change in the future.'
+                        type: string
+                      kind:
+                        description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      name:
+                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        type: string
+                      namespace:
+                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                        type: string
+                      resourceVersion:
+                        description: 'Specific resourceVersion to which this reference
+                          is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                        type: string
+                      uid:
+                        description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                        type: string
+                    type: object
+                  finished:
+                    type: boolean
+                  message:
+                    type: string
+                  mode:
+                    description: WorkflowMode describes the mode of workflow
+                    type: string
+                  startTime:
+                    format: date-time
+                    type: string
+                  steps:
+                    items:
+                      description: WorkflowStepStatus record the status of a workflow
+                        step
+                      properties:
+                        firstExecuteTime:
+                          description: FirstExecuteTime is the first time this step
+                            execution.
+                          format: date-time
+                          type: string
+                        id:
+                          type: string
+                        lastExecuteTime:
+                          description: LastExecuteTime is the last time this step
+                            execution.
+                          format: date-time
+                          type: string
+                        message:
+                          description: A human readable message indicating details
+                            about why the workflowStep is in this state.
+                          type: string
+                        name:
+                          type: string
+                        phase:
+                          description: WorkflowStepPhase describes the phase of a
+                            workflow step.
+                          type: string
+                        reason:
+                          description: A brief CamelCase message indicating details
+                            about why the workflowStep is in this state.
+                          type: string
+                        subSteps:
+                          description: SubStepsStatus record the status of workflow
+                            steps.
+                          properties:
+                            mode:
+                              description: WorkflowMode describes the mode of workflow
+                              type: string
+                            stepIndex:
+                              type: integer
+                            steps:
+                              items:
+                                description: WorkflowSubStepStatus record the status
+                                  of a workflow step
+                                properties:
+                                  id:
+                                    type: string
+                                  message:
+                                    description: A human readable message indicating
+                                      details about why the workflowStep is in this
+                                      state.
+                                    type: string
+                                  name:
+                                    type: string
+                                  phase:
+                                    description: WorkflowStepPhase describes the phase
+                                      of a workflow step.
+                                    type: string
+                                  reason:
+                                    description: A brief CamelCase message indicating
+                                      details about why the workflowStep is in this
+                                      state.
+                                    type: string
+                                  type:
+                                    type: string
+                                required:
+                                - id
+                                type: object
+                              type: array
+                          type: object
+                        type:
+                          type: string
+                      required:
+                      - id
+                      type: object
+                    type: array
+                  suspend:
+                    type: boolean
+                  suspendState:
+                    type: string
+                  terminated:
+                    type: boolean
+                required:
+                - finished
+                - mode
+                - suspend
+                - terminated
+                type: object
+            required:
+            - succeeded
+            type: object
         type: object
     served: true
     storage: true
-    subresources: {}
+    subresources:
+      status: {}
 status:
   acceptedNames:
     kind: ""

charts/vela-core/crds/core.oam.dev_definitionrevisions.yaml

@@ -636,6 +636,10 @@ spec:
                           - type
                           type: object
                         type: array
+                      configMapRef:
+                        description: ConfigMapRef refer to a ConfigMap which contains
+                          OpenAPI V3 JSON schema of Component parameters.
+                        type: string
                       latestRevision:
                         description: LatestRevision of the component definition
                         properties:
@@ -720,6 +724,10 @@ spec:
                         items:
                           type: string
                         type: array
+                      controlPlaneOnly:
+                        description: ControlPlaneOnly defines which cluster is dispatched
+                          to
+                        type: boolean
                       definitionRef:
                         description: Reference to the CustomResourceDefinition that
                           defines this trait kind.

charts/vela-core/crds/core.oam.dev_policydefinitions.yaml

@@ -244,6 +244,10 @@ spec:
                   - type
                   type: object
                 type: array
+              configMapRef:
+                description: ConfigMapRef refer to a ConfigMap which contains OpenAPI
+                  V3 JSON schema of Component parameters.
+                type: string
               latestRevision:
                 description: LatestRevision of the component definition
                 properties:

charts/vela-core/crds/core.oam.dev_traitdefinitions.yaml

@@ -372,6 +372,10 @@ spec:
                 items:
                   type: string
                 type: array
+              controlPlaneOnly:
+                description: ControlPlaneOnly defines which cluster is dispatched
+                  to
+                type: boolean
               definitionRef:
                 description: Reference to the CustomResourceDefinition that defines
                   this trait kind.

charts/vela-core/templates/NOTES.txt

@@ -27,9 +27,5 @@ Welcome to use the KubeVela! Enjoy your shipping application journey!
       | . \| |_| || |_) ||  __/ \ V /|  __/| || (_| |
       |_|\_\\__,_||_.__/  \___|  \_/  \___||_| \__,_|
 
-** Please note before uninstalling **
 
-If you enable fluxcd addon when install the chart by set `enableFluxcdAddon=true` .
-Uninstall wouldn't disable the fluxcd addon ,and it will be kept in the cluster.
-Please guarantee there is no application in cluster using this addon and disable it firstly before uninstall the helm chart.
-And you can find the script of one-short disable all addons from the uninstalling section of https://github.com/oam-dev/kubevela/blob/master/charts/vela-core/README.md.
+You can refer to https://kubevela.io for more details.

charts/vela-core/templates/addon_registry.yaml

@@ -7,10 +7,8 @@ data:
   registries: '{
   "KubeVela":{
     "name": "KubeVela",
-    "oss": {
-      "end_point": "https://addons.kubevela.net",
-      "bucket": "",
-      "path": ""
+    "helm": {
+      "url": "https://addons.kubevela.net"
     }
   }
 }'

charts/vela-core/templates/admission-webhooks/certmanager.yaml

@@ -23,7 +23,7 @@ spec:
     name: {{ template "kubevela.fullname" . }}-self-signed-issuer
   commonName: "ca.webhook.kubevela"
   isCA: true
-  
+
 ---
 # Create an Issuer that uses the above generated CA certificate to issue certs
 apiVersion: cert-manager.io/v1

charts/vela-core/templates/admission-webhooks/mutatingWebhookConfiguration.yaml

@@ -120,6 +120,32 @@ webhooks:
           - UPDATE
         resources:
           - podspecworkloads
+  - clientConfig:
+      caBundle: Cg==
+      service:
+        name: {{ template "kubevela.name" . }}-webhook
+        namespace: {{ .Release.Namespace }}
+        path: /mutating-core-oam-dev-v1beta1-applications
+    {{- if .Values.admissionWebhooks.patch.enabled }}
+    failurePolicy: Ignore
+    {{- else }}
+    failurePolicy: Fail
+    {{- end }}
+    name: mutating.core.oam.dev.v1beta1.applications
+    admissionReviewVersions:
+      - v1beta1
+      - v1
+    sideEffects: None
+    rules:
+      - apiGroups:
+          - core.oam.dev
+        apiVersions:
+          - v1beta1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - applications
   - clientConfig:
       caBundle: Cg==
       service:

charts/vela-core/templates/cluster-gateway/certmanager.yaml

@@ -0,0 +1,24 @@
+{{- if and .Values.multicluster.enabled .Values.multicluster.clusterGateway.secureTLS.enabled .Values.multicluster.clusterGateway.secureTLS.certManager.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ template "kubevela.fullname" . }}-cluster-gateway-issuer
+  namespace: {{ .Release.Namespace }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "kubevela.fullname" . }}-cluster-gateway-tls
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretName: {{ template "kubevela.fullname" . }}-cluster-gateway-tls
+  duration: 8760h # 1y
+  issuerRef:
+    name: {{ template "kubevela.fullname" . }}-cluster-gateway-issuer
+  dnsNames:
+    - {{ .Release.Name }}-cluster-gateway-service
+    - {{ .Release.Name }}-cluster-gateway-service.{{ .Release.Namespace }}.svc
+    - {{ .Release.Name }}-cluster-gateway-service.{{ .Release.Namespace }}.svc.cluster.local
+{{- end }}

charts/vela-core/templates/cluster-gateway/cluster-gateway.yaml

@@ -0,0 +1,150 @@
+{{ if .Values.multicluster.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}-cluster-gateway
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- include "kubevela.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.multicluster.clusterGateway.replicaCount }}
+  selector:
+    matchLabels:
+    {{- include "kubevela-cluster-gateway.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+      {{- include "kubevela-cluster-gateway.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "kubevela.serviceAccountName" . }}
+      securityContext:
+      {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ include "kubevela.fullname" . }}-cluster-gateway
+          securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}
+          args:
+            - "apiserver"
+            - "--secure-port={{ .Values.multicluster.clusterGateway.port }}"
+            - "--secret-namespace={{ .Release.Namespace }}"
+            - "--feature-gates=APIPriorityAndFairness=false"
+            {{- if .Values.multicluster.clusterGateway.secureTLS.enabled }}
+            - "--tls-cert-file={{ .Values.multicluster.clusterGateway.secureTLS.certPath }}/tls.crt"
+            - "--tls-private-key-file={{ .Values.multicluster.clusterGateway.secureTLS.certPath }}/tls.key"
+            {{- end }}
+          image: {{ .Values.imageRegistry }}{{ .Values.multicluster.clusterGateway.image.repository }}:{{ .Values.multicluster.clusterGateway.image.tag }}
+          imagePullPolicy: {{ .Values.multicluster.clusterGateway.image.pullPolicy }}
+          resources:
+          {{- toYaml .Values.multicluster.clusterGateway.resources | nindent 12 }}
+          ports:
+            - containerPort: {{ .Values.multicluster.clusterGateway.port }}
+          {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
+          volumeMounts:
+            - mountPath: {{ .Values.multicluster.clusterGateway.secureTLS.certPath }}
+              name: tls-cert-vol
+              readOnly: true
+          {{- end }}
+      {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
+      volumes:
+        - name: tls-cert-vol
+          secret:
+            defaultMode: 420
+            secretName: {{ template "kubevela.fullname" . }}-cluster-gateway-tls
+      {{ end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 1
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}-cluster-gateway-service
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+  {{- include "kubevela-cluster-gateway.selectorLabels" . | nindent 4 }}
+  ports:
+    - protocol: TCP
+      port: {{ .Values.multicluster.clusterGateway.port }}
+      targetPort: {{ .Values.multicluster.clusterGateway.port }}
+---
+# 1.  Check whether APIService ""v1alpha1.cluster.core.oam.dev" is already present in the cluster
+# 2.a If the APIService doesn't exist, create it.
+# 2.b If the APIService exists without helm-chart related annotation, skip creating it to the
+#     cluster because the APIService can be managed by an external controller.
+# 2.c If the APIService exists with valid helm-chart annotations, which means that the APIService
+#     is previously managed by helm commands, hence update the APIService consistently.
+{{ $apiSvc := (lookup "apiregistration.k8s.io/v1" "APIService" "" "v1alpha1.cluster.core.oam.dev") }}
+{{ $shouldAdopt := (not $apiSvc) }}
+{{ if not $shouldAdopt }}
+  {{ if $apiSvc.metadata.annotations }}
+    {{ $shouldAdopt = (index ($apiSvc).metadata.annotations "meta.helm.sh/release-name") }}
+  {{ end }}
+{{ end }}
+{{ if $shouldAdopt }}
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: v1alpha1.cluster.core.oam.dev
+  annotations:
+    {{- if and .Values.multicluster.clusterGateway.secureTLS.enabled .Values.multicluster.clusterGateway.secureTLS.certManager.enabled }}
+    cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ template "kubevela.fullname" . }}-cluster-gateway-tls"
+    {{- end }}
+  labels:
+    api: cluster-extension-apiserver
+    apiserver: "true"
+spec:
+  version: v1alpha1
+  group: cluster.core.oam.dev
+  groupPriorityMinimum: 2000
+  service:
+    name: {{ .Release.Name }}-cluster-gateway-service
+    namespace: {{ .Release.Namespace }}
+    port: {{ .Values.multicluster.clusterGateway.port }}
+  versionPriority: 10
+  insecureSkipTLSVerify: {{ not .Values.multicluster.clusterGateway.secureTLS.enabled }}
+  {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
+  caBundle: Cg==
+  {{ end }}
+{{ end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-role
+rules:
+  - apiGroups: [ "cluster.core.oam.dev" ]
+    resources: [ "clustergateways/proxy" ]
+    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-role
+subjects:
+  - kind: Group
+    name: cluster-gateway-accessor
+    apiGroup: rbac.authorization.k8s.io
+{{ end }}

charts/vela-core/templates/cluster-gateway/job-patch.yaml

@@ -1,122 +1,4 @@
-{{ if .Values.multicluster.enabled }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ .Release.Name }}-cluster-gateway
-  namespace: {{ .Release.Namespace }}
-  labels:
-  {{- include "kubevela.labels" . | nindent 4 }}
-spec:
-  replicas: {{ .Values.multicluster.clusterGateway.replicaCount }}
-  selector:
-    matchLabels:
-    {{- include "kubevela-cluster-gateway.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      labels:
-      {{- include "kubevela-cluster-gateway.selectorLabels" . | nindent 8 }}
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "kubevela.serviceAccountName" . }}
-      securityContext:
-      {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      containers:
-        - name: {{ include "kubevela.fullname" . }}-cluster-gateway
-          securityContext:
-          {{- toYaml .Values.securityContext | nindent 12 }}
-          args:
-            - "apiserver"
-            - "--secure-port={{ .Values.multicluster.clusterGateway.port }}"
-            - "--secret-namespace={{ .Release.Namespace }}"
-            - "--feature-gates=APIPriorityAndFairness=false"
-            {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
-            - "--cert-dir={{ .Values.multicluster.clusterGateway.secureTLS.certPath }}"
-            {{ end }}
-          image: {{ .Values.imageRegistry }}{{ .Values.multicluster.clusterGateway.image.repository }}:{{ .Values.multicluster.clusterGateway.image.tag }}
-          imagePullPolicy: {{ .Values.multicluster.clusterGateway.image.pullPolicy }}
-          resources:
-          {{- toYaml .Values.multicluster.clusterGateway.resources | nindent 12 }}
-          ports:
-            - containerPort: {{ .Values.multicluster.clusterGateway.port }}
-          {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
-          volumeMounts:
-            - mountPath: {{ .Values.multicluster.clusterGateway.secureTLS.certPath }}
-              name: tls-cert-vol
-              readOnly: true
-          {{- end }}
-      {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
-      volumes:
-        - name: tls-cert-vol
-          secret:
-            defaultMode: 420
-            secretName: {{ template "kubevela.fullname" . }}-cluster-gateway-tls
-      {{ end }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
-  strategy:
-    type: RollingUpdate
-    rollingUpdate:
-      maxSurge: 1
-      maxUnavailable: 1
-{{ end }}
----
-{{ if .Values.multicluster.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ .Release.Name }}-cluster-gateway-service
-  namespace: {{ .Release.Namespace }}
-spec:
-  selector:
-  {{- include "kubevela-cluster-gateway.selectorLabels" . | nindent 4 }}
-  ports:
-    - protocol: TCP
-      port: {{ .Values.multicluster.clusterGateway.port }}
-      targetPort: {{ .Values.multicluster.clusterGateway.port }}
-{{ end }}
----
-{{ if .Values.multicluster.enabled }}
-{{ $apiSvc := (lookup "apiregistration.k8s.io/v1" "APIService" "" "v1alpha1.cluster.core.oam.dev") }}
-{{ $shouldAdopt := (not $apiSvc) }}
-{{ if not $shouldAdopt }}{{ $shouldAdopt = (index ($apiSvc).metadata.annotations "meta.helm.sh/release-name") }}{{ end }}
-{{ if $shouldAdopt }}
-apiVersion: apiregistration.k8s.io/v1
-kind: APIService
-metadata:
-  name: v1alpha1.cluster.core.oam.dev
-  labels:
-    api: cluster-extension-apiserver
-    apiserver: "true"
-spec:
-  version: v1alpha1
-  group: cluster.core.oam.dev
-  groupPriorityMinimum: 2000
-  service:
-    name: {{ .Release.Name }}-cluster-gateway-service
-    namespace: {{ .Release.Namespace }}
-    port: {{ .Values.multicluster.clusterGateway.port }}
-  versionPriority: 10
-  insecureSkipTLSVerify: {{ not .Values.multicluster.clusterGateway.secureTLS.enabled }}
-  {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
-  caBundle: Cg==
-  {{ end }}
-{{ end }}
-{{ end }}
----
-{{ if and .Values.multicluster.enabled .Values.multicluster.clusterGateway.secureTLS.enabled }}
+{{- if and .Values.multicluster.enabled .Values.multicluster.clusterGateway.secureTLS.enabled (not .Values.multicluster.clusterGateway.secureTLS.certManager.enabled) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -136,9 +18,7 @@ rules:
     verbs:
       - get
       - create
-{{- end }}
 ---
-{{ if and .Values.multicluster.enabled .Values.multicluster.clusterGateway.secureTLS.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -158,9 +38,7 @@ subjects:
   - kind: ServiceAccount
     name: {{ template "kubevela.fullname" . }}-cluster-gateway-admission
     namespace: {{ .Release.Namespace }}
-{{- end }}
 ---
-{{ if and .Values.multicluster.enabled .Values.multicluster.clusterGateway.secureTLS.enabled }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -172,9 +50,7 @@ metadata:
   labels:
     app: {{ template "kubevela.name" . }}-cluster-gateway-admission
     {{- include "kubevela.labels" . | nindent 4 }}
-{{- end }}
 ---
-{{ if and .Values.multicluster.enabled .Values.multicluster.clusterGateway.secureTLS.enabled }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -211,17 +87,15 @@ spec:
           - --host={{ .Release.Name }}-cluster-gateway-service,{{ .Release.Name }}-cluster-gateway-service.{{ .Release.Namespace }}.svc
           - --namespace={{ .Release.Namespace }}
           - --secret-name={{ template "kubevela.fullname" . }}-cluster-gateway-tls
-          - --key-name=apiserver.key
-          - --cert-name=apiserver.crt
+          - --cert-name=tls.crt
+          - --key-name=tls.key
       restartPolicy: OnFailure
       serviceAccountName: {{ template "kubevela.fullname" . }}-cluster-gateway-admission
       securityContext:
         runAsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
-{{ end }}
 ---
-{{ if and .Values.multicluster.enabled .Values.multicluster.clusterGateway.secureTLS.enabled }}
 apiVersion: batch/v1
 kind: Job
 metadata:

charts/vela-core/templates/defwithtemplate/annotations.yaml

@@ -16,17 +16,20 @@ spec:
   schematic:
     cue:
       template: |
+        // +patchStrategy=jsonMergePatch
         patch: {
         	metadata: annotations: {
         		for k, v in parameter {
         			"\(k)": v
         		}
         	}
-        	spec: template: metadata: annotations: {
-        		for k, v in parameter {
-        			"\(k)": v
+        	if context.output.spec != _|_ && context.output.spec.template != _|_ {
+        		spec: template: metadata: annotations: {
+        			for k, v in parameter {
+        				"\(k)": v
+        			}
         		}
         	}
         }
-        parameter: [string]: string
+        parameter: [string]: string | null
 

charts/vela-core/templates/defwithtemplate/config-image-registry.yaml

@@ -0,0 +1,73 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/config-image-registry.cue
+apiVersion: core.oam.dev/v1beta1
+kind: ComponentDefinition
+metadata:
+  annotations:
+    custom.definition.oam.dev/alias.config.oam.dev: Image Registry
+    definition.oam.dev/description: Config information to authenticate image registry
+  labels:
+    custom.definition.oam.dev/catalog.config.oam.dev: velacore-config
+    custom.definition.oam.dev/multi-cluster.config.oam.dev: "true"
+    custom.definition.oam.dev/type.config.oam.dev: image-registry
+    custom.definition.oam.dev/ui-hidden: "true"
+  name: config-image-registry
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"encoding/base64"
+        	"encoding/json"
+        )
+
+        output: {
+        	apiVersion: "v1"
+        	kind:       "Secret"
+        	metadata: {
+        		name:      context.name
+        		namespace: context.namespace
+        		labels: {
+        			"config.oam.dev/catalog":       "velacore-config"
+        			"config.oam.dev/type":          "image-registry"
+        			"config.oam.dev/multi-cluster": "true"
+        			"config.oam.dev/identifier":    parameter.registry
+        			"config.oam.dev/sub-type":      "auth"
+        		}
+        	}
+        	if parameter.auth != _|_ {
+        		type: "kubernetes.io/dockerconfigjson"
+        	}
+        	if parameter.auth == _|_ {
+        		type: "Opaque"
+        	}
+        	if parameter.auth != _|_ {
+        		stringData: ".dockerconfigjson": json.Marshal({
+        			auths: "\(parameter.registry)": {
+        				username: parameter.auth.username
+        				password: parameter.auth.password
+        				if parameter.auth.email != _|_ {
+        					email: parameter.auth.email
+        				}
+        				auth: base64.Encode(null, (parameter.auth.username + ":" + parameter.auth.password))
+        			}
+        		})
+        	}
+        }
+        parameter: {
+        	// +usage=Image registry FQDN
+        	registry: string
+        	// +usage=Authenticate the image registry
+        	auth?: {
+        		// +usage=Private Image registry username
+        		username: string
+        		// +usage=Private Image registry password
+        		password: string
+        		// +usage=Private Image registry email
+        		email?: string
+        	}
+        }
+  workload:
+    type: autodetects.core.oam.dev
+

charts/vela-core/templates/defwithtemplate/cron-task.yaml

@@ -0,0 +1,320 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/cron-task.cue
+apiVersion: core.oam.dev/v1beta1
+kind: ComponentDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Describes cron jobs that run code or a script to completion.
+  name: cron-task
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        output: {
+        	apiVersion: "batch/v1beta1"
+        	kind:       "CronJob"
+        	spec: {
+        		schedule:                   parameter.schedule
+        		concurrencyPolicy:          parameter.concurrencyPolicy
+        		suspend:                    parameter.suspend
+        		successfulJobsHistoryLimit: parameter.successfulJobsHistoryLimit
+        		failedJobsHistoryLimit:     parameter.failedJobsHistoryLimit
+        		if parameter.startingDeadlineSeconds != _|_ {
+        			startingDeadlineSeconds: parameter.startingDeadlineSeconds
+        		}
+        		jobTemplate: {
+        			metadata: {
+        				labels: {
+        					if parameter.labels != _|_ {
+        						parameter.labels
+        					}
+        					"app.oam.dev/name":      context.appName
+        					"app.oam.dev/component": context.name
+        				}
+        				if parameter.annotations != _|_ {
+        					annotations: parameter.annotations
+        				}
+        			}
+        			spec: {
+        				parallelism: parameter.count
+        				completions: parameter.count
+        				if parameter.ttlSecondsAfterFinished != _|_ {
+        					ttlSecondsAfterFinished: parameter.ttlSecondsAfterFinished
+        				}
+        				if parameter.activeDeadlineSeconds != _|_ {
+        					activeDeadlineSeconds: parameter.activeDeadlineSeconds
+        				}
+        				backoffLimit: parameter.backoffLimit
+        				template: {
+        					metadata: {
+        						labels: {
+        							if parameter.labels != _|_ {
+        								parameter.labels
+        							}
+        							"app.oam.dev/name":      context.appName
+        							"app.oam.dev/component": context.name
+        						}
+        						if parameter.annotations != _|_ {
+        							annotations: parameter.annotations
+        						}
+        					}
+        					spec: {
+        						restartPolicy: parameter.restart
+        						containers: [{
+        							name:  context.name
+        							image: parameter.image
+        							if parameter["imagePullPolicy"] != _|_ {
+        								imagePullPolicy: parameter.imagePullPolicy
+        							}
+        							if parameter["cmd"] != _|_ {
+        								command: parameter.cmd
+        							}
+        							if parameter["env"] != _|_ {
+        								env: parameter.env
+        							}
+        							if parameter["cpu"] != _|_ {
+        								resources: {
+        									limits: cpu:   parameter.cpu
+        									requests: cpu: parameter.cpu
+        								}
+        							}
+        							if parameter["memory"] != _|_ {
+        								resources: {
+        									limits: memory:   parameter.memory
+        									requests: memory: parameter.memory
+        								}
+        							}
+        							if parameter["volumes"] != _|_ {
+        								volumeMounts: [ for v in parameter.volumes {
+        									{
+        										mountPath: v.mountPath
+        										name:      v.name
+        									}}]
+        							}
+        						}]
+        						if parameter["volumes"] != _|_ {
+        							volumes: [ for v in parameter.volumes {
+        								{
+        									name: v.name
+        									if v.type == "pvc" {
+        										persistentVolumeClaim: claimName: v.claimName
+        									}
+        									if v.type == "configMap" {
+        										configMap: {
+        											defaultMode: v.defaultMode
+        											name:        v.cmName
+        											if v.items != _|_ {
+        												items: v.items
+        											}
+        										}
+        									}
+        									if v.type == "secret" {
+        										secret: {
+        											defaultMode: v.defaultMode
+        											secretName:  v.secretName
+        											if v.items != _|_ {
+        												items: v.items
+        											}
+        										}
+        									}
+        									if v.type == "emptyDir" {
+        										emptyDir: medium: v.medium
+        									}
+        								}}]
+        						}
+        						if parameter["imagePullSecrets"] != _|_ {
+        							imagePullSecrets: [ for v in parameter.imagePullSecrets {
+        								name: v
+        							},
+        							]
+        						}
+        						if parameter.hostAliases != _|_ {
+        							hostAliases: [ for v in parameter.hostAliases {
+        								ip:        v.ip
+        								hostnames: v.hostnames
+        							},
+        							]
+        						}
+        					}
+        				}
+        			}
+        		}
+        	}
+        }
+        parameter: {
+        	// +usage=Specify the labels in the workload
+        	labels?: [string]: string
+
+        	// +usage=Specify the annotations in the workload
+        	annotations?: [string]: string
+
+        	// +usage=Specify the schedule in Cron format, see https://en.wikipedia.org/wiki/Cron
+        	schedule: string
+
+        	// +usage=Specify deadline in seconds for starting the job if it misses scheduled
+        	startingDeadlineSeconds?: int
+
+        	// +usage=suspend subsequent executions
+        	suspend: *false | bool
+
+        	// +usage=Specifies how to treat concurrent executions of a Job
+        	concurrencyPolicy: *"Allow" | "Allow" | "Forbid" | "Replace"
+
+        	// +usage=The number of successful finished jobs to retain
+        	successfulJobsHistoryLimit: *3 | int
+
+        	// +usage=The number of failed finished jobs to retain
+        	failedJobsHistoryLimit: *1 | int
+
+        	// +usage=Specify number of tasks to run in parallel
+        	// +short=c
+        	count: *1 | int
+
+        	// +usage=Which image would you like to use for your service
+        	// +short=i
+        	image: string
+
+        	// +usage=Specify image pull policy for your service
+        	imagePullPolicy?: "Always" | "Never" | "IfNotPresent"
+
+        	// +usage=Specify image pull secrets for your service
+        	imagePullSecrets?: [...string]
+
+        	// +usage=Define the job restart policy, the value can only be Never or OnFailure. By default, it's Never.
+        	restart: *"Never" | string
+
+        	// +usage=Commands to run in the container
+        	cmd?: [...string]
+
+        	// +usage=Define arguments by using environment variables
+        	env?: [...{
+        		// +usage=Environment variable name
+        		name: string
+        		// +usage=The value of the environment variable
+        		value?: string
+        		// +usage=Specifies a source the value of this var should come from
+        		valueFrom?: {
+        			// +usage=Selects a key of a secret in the pod's namespace
+        			secretKeyRef: {
+        				// +usage=The name of the secret in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the secret to select from. Must be a valid secret key
+        				key: string
+        			}
+        			// +usage=Selects a key of a config map in the pod's namespace
+        			configMapKeyRef: {
+        				// +usage=The name of the config map in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the config map to select from. Must be a valid secret key
+        				key: string
+        			}
+        		}
+        	}]
+
+        	// +usage=Number of CPU units for the service, like `0.5` (0.5 CPU core), `1` (1 CPU core)
+        	cpu?: string
+
+        	// +usage=Specifies the attributes of the memory resource required for the container.
+        	memory?: string
+
+        	// +usage=Declare volumes and volumeMounts
+        	volumes?: [...{
+        		name:      string
+        		mountPath: string
+        		// +usage=Specify volume type, options: "pvc","configMap","secret","emptyDir"
+        		type: "pvc" | "configMap" | "secret" | "emptyDir"
+        		if type == "pvc" {
+        			claimName: string
+        		}
+        		if type == "configMap" {
+        			defaultMode: *420 | int
+        			cmName:      string
+        			items?: [...{
+        				key:  string
+        				path: string
+        				mode: *511 | int
+        			}]
+        		}
+        		if type == "secret" {
+        			defaultMode: *420 | int
+        			secretName:  string
+        			items?: [...{
+        				key:  string
+        				path: string
+        				mode: *511 | int
+        			}]
+        		}
+        		if type == "emptyDir" {
+        			medium: *"" | "Memory"
+        		}
+        	}]
+
+        	// +usage=An optional list of hosts and IPs that will be injected into the pod's hosts file
+        	hostAliases?: [...{
+        		ip: string
+        		hostnames: [...string]
+        	}]
+
+        	// +usage=Limits the lifetime of a Job that has finished
+        	ttlSecondsAfterFinished?: int
+
+        	// +usage=The duration in seconds relative to the startTime that the job may be continuously active before the system tries to terminate it
+        	activeDeadlineSeconds?: int
+
+        	// +usage=The number of retries before marking this job failed
+        	backoffLimit: *6 | int
+
+        	// +usage=Instructions for assessing whether the container is alive.
+        	livenessProbe?: #HealthProbe
+
+        	// +usage=Instructions for assessing whether the container is in a suitable state to serve traffic.
+        	readinessProbe?: #HealthProbe
+        }
+        #HealthProbe: {
+
+        	// +usage=Instructions for assessing container health by executing a command. Either this attribute or the httpGet attribute or the tcpSocket attribute MUST be specified. This attribute is mutually exclusive with both the httpGet attribute and the tcpSocket attribute.
+        	exec?: {
+        		// +usage=A command to be executed inside the container to assess its health. Each space delimited token of the command is a separate array element. Commands exiting 0 are considered to be successful probes, whilst all other exit codes are considered failures.
+        		command: [...string]
+        	}
+
+        	// +usage=Instructions for assessing container health by executing an HTTP GET request. Either this attribute or the exec attribute or the tcpSocket attribute MUST be specified. This attribute is mutually exclusive with both the exec attribute and the tcpSocket attribute.
+        	httpGet?: {
+        		// +usage=The endpoint, relative to the port, to which the HTTP GET request should be directed.
+        		path: string
+        		// +usage=The TCP socket within the container to which the HTTP GET request should be directed.
+        		port: int
+        		httpHeaders?: [...{
+        			name:  string
+        			value: string
+        		}]
+        	}
+
+        	// +usage=Instructions for assessing container health by probing a TCP socket. Either this attribute or the exec attribute or the httpGet attribute MUST be specified. This attribute is mutually exclusive with both the exec attribute and the httpGet attribute.
+        	tcpSocket?: {
+        		// +usage=The TCP socket within the container that should be probed to assess container health.
+        		port: int
+        	}
+
+        	// +usage=Number of seconds after the container is started before the first probe is initiated.
+        	initialDelaySeconds: *0 | int
+
+        	// +usage=How often, in seconds, to execute the probe.
+        	periodSeconds: *10 | int
+
+        	// +usage=Number of seconds after which the probe times out.
+        	timeoutSeconds: *1 | int
+
+        	// +usage=Minimum consecutive successes for the probe to be considered successful after having failed.
+        	successThreshold: *1 | int
+
+        	// +usage=Number of consecutive failures required to determine the container is not alive (liveness probe) or not ready (readiness probe).
+        	failureThreshold: *3 | int
+        }
+  workload:
+    definition:
+      apiVersion: batch/v1beta1
+      kind: CronJob
+    type: cronjobs.batch
+

charts/vela-core/templates/defwithtemplate/deploy.yaml

@@ -15,41 +15,9 @@ spec:
         	"vela/op"
         )
 
-        deploy: op.#Steps & {
-        	load: op.#Load @step(1)
-        	_components: [ for k, v in load.value {v}]
-        	loadPoliciesInOrder: op.#LoadPoliciesInOrder & {
-        		if parameter.policies != _|_ {
-        					input: parameter.policies
-        				}
-        	}                     @step(2)
-        	_policies:            loadPoliciesInOrder.output
-        	handleDeployPolicies: op.#HandleDeployPolicies & {
-        		inputs: {
-        			components: _components
-        			policies:   _policies
-        		}
-        	}                   @step(3)
-        	_decisions:         handleDeployPolicies.outputs.decisions
-        	_patchedComponents: handleDeployPolicies.outputs.components
-        	deploy:             op.#ApplyComponents & {
-        		parallelism: parameter.parallelism
-        		components: {
-        			for decision in _decisions {
-        				for key, comp in _patchedComponents {
-        					"\(decision.cluster)-\(decision.namespace)-\(key)": {
-        						value: comp
-        						if decision.cluster != _|_ {
-        							cluster: decision.cluster
-        						}
-        						if decision.namespace != _|_ {
-        							namespace: decision.namespace
-        						}
-        					}
-        				}
-        			}
-        		}
-        	} @step(4)
+        deploy: op.#Deploy & {
+        	policies:    parameter.policies
+        	parallelism: parameter.parallelism
         }
         parameter: {
         	auto: *true | bool

charts/vela-core/templates/defwithtemplate/env.yaml

@@ -46,7 +46,7 @@ spec:
         			}]
         		}
         		if _baseEnv != _|_ {
-        			_baseEnvMap: {for envVar in _baseEnv {"\(envVar.name)": envVar.value}}
+        			_baseEnvMap: {for envVar in _baseEnv {"\(envVar.name)": envVar}}
         			// +patchStrategy=replace
         			env: [ for envVar in _baseEnv if _delKeys[envVar.name] == _|_ && !_params.replace {
         				name: envVar.name
@@ -54,11 +54,15 @@ spec:
         					value: _params.env[envVar.name]
         				}
         				if _params.env[envVar.name] == _|_ {
-        					value: envVar.value
+        					if envVar.value != _|_ {
+        						value: envVar.value
+        					}
+        					if envVar.valueFrom != _|_ {
+        						valueFrom: envVar.valueFrom
+        					}
         				}
         			}] + [ for k, v in _params.env if _delKeys[k] == _|_ && (_params.replace || _baseEnvMap[k] == _|_) {
-        				name:  k
-        				value: v
+        				v
         			}]
         		}
         	}

charts/vela-core/templates/defwithtemplate/gateway.yaml

@@ -8,6 +8,8 @@ metadata:
   name: gateway
   namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
+  appliesToWorkloads:
+    - '*'
   podDisruptive: false
   schematic:
     cue:

charts/vela-core/templates/defwithtemplate/generate-jdbc-connection.yaml

@@ -0,0 +1,49 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/generate-jdbc-connection.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Generate a JDBC connection based on Component of alibaba-rds
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
+  name: generate-jdbc-connection
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"vela/op"
+        	"encoding/base64"
+        )
+
+        output: op.#Read & {
+        	value: {
+        		apiVersion: "v1"
+        		kind:       "Secret"
+        		metadata: {
+        			name: parameter.name
+        			if parameter.namespace != _|_ {
+        				namespace: parameter.namespace
+        			}
+        		}
+        	}
+        }
+        dbHost:   op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_HOST"])}
+        dbPort:   op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_PORT"])}
+        dbName:   op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_NAME"])}
+        username: op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_USER"])}
+        password: op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_PASSWORD"])}
+        env: [
+        	{name: "url", value:      "jdbc://" + dbHost.str + ":" + dbPort.str + "/" + dbName.str + "?characterEncoding=utf8&useSSL=false"},
+        	{name: "username", value: username.str},
+        	{name: "password", value: password.str},
+        ]
+        parameter: {
+        	// +usage=Specify the name of the secret generated by database component
+        	name: string
+        	// +usage=Specify the namespace of the secret generated by database component
+        	namespace?: string
+        }
+

charts/vela-core/templates/defwithtemplate/init-container.yaml

@@ -35,6 +35,9 @@ spec:
         		if parameter.args != _|_ {
         			args: parameter.args
         		}
+        		if parameter["env"] != _|_ {
+        			env: parameter.env
+        		}
 
         		// +patchKey=name
         		volumeMounts: [{
@@ -61,6 +64,31 @@ spec:
         	// +usage=Specify the args run in the init container
         	args?: [...string]
 
+        	// +usage=Specify the env run in the init container
+        	env?: [...{
+        		// +usage=Environment variable name
+        		name: string
+        		// +usage=The value of the environment variable
+        		value?: string
+        		// +usage=Specifies a source the value of this var should come from
+        		valueFrom?: {
+        			// +usage=Selects a key of a secret in the pod's namespace
+        			secretKeyRef?: {
+        				// +usage=The name of the secret in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the secret to select from. Must be a valid secret key
+        				key: string
+        			}
+        			// +usage=Selects a key of a config map in the pod's namespace
+        			configMapKeyRef?: {
+        				// +usage=The name of the config map in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the config map to select from. Must be a valid secret key
+        				key: string
+        			}
+        		}
+        	}]
+
         	// +usage=Specify the mount name of shared volume
         	mountName: *"workdir" | string
 

charts/vela-core/templates/defwithtemplate/labels.yaml

@@ -16,17 +16,20 @@ spec:
   schematic:
     cue:
       template: |
+        // +patchStrategy=jsonMergePatch
         patch: {
         	metadata: labels: {
         		for k, v in parameter {
         			"\(k)": v
         		}
         	}
-        	spec: template: metadata: labels: {
-        		for k, v in parameter {
-        			"\(k)": v
+        	if context.output.spec != _|_ && context.output.spec.template != _|_ {
+        		spec: template: metadata: labels: {
+        			for k, v in parameter {
+        				"\(k)": v
+        			}
         		}
         	}
         }
-        parameter: [string]: string
+        parameter: [string]: string | null
 

charts/vela-core/templates/defwithtemplate/notification.yaml

@@ -291,8 +291,10 @@ spec:
         		if parameter.email.from.password.value != _|_ {
         			email1: op.#SendEmail & {
         				from: {
-        					address:  parameter.email.from.value
-        					alias:    parameter.email.from.alias
+        					address: parameter.email.from.address
+        					if parameter.email.from.alias != _|_ {
+        						alias: parameter.email.from.alias
+        					}
         					password: parameter.email.from.password.value
         					host:     parameter.email.from.host
         					port:     parameter.email.from.port
@@ -318,8 +320,10 @@ spec:
         			stringValue: op.#ConvertString & {bt: decoded}
         			email2:      op.#SendEmail & {
         				from: {
-        					address:  parameter.email.from.value
-        					alias:    parameter.email.from.alias
+        					address: parameter.email.from.address
+        					if parameter.email.from.alias != _|_ {
+        						alias: parameter.email.from.alias
+        					}
         					password: stringValue.str
         					host:     parameter.email.from.host
         					port:     parameter.email.from.port

charts/vela-core/templates/defwithtemplate/ref-objects.yaml

@@ -29,6 +29,47 @@ spec:
         	}
         }
         parameter: objects: [...#K8sObject]
+  status:
+    customStatus: |-
+      if context.output.apiVersion == "apps/v1" && context.output.kind == "Deployment" {
+      	ready: {
+      		readyReplicas: *0 | int
+      	} & {
+      		if context.output.status.readyReplicas != _|_ {
+      			readyReplicas: context.output.status.readyReplicas
+      		}
+      	}
+      	message: "Ready:\(ready.readyReplicas)/\(context.output.spec.replicas)"
+      }
+      if context.output.apiVersion != "apps/v1" || context.output.kind != "Deployment" {
+      	message: ""
+      }
+    healthPolicy: |-
+      if context.output.apiVersion == "apps/v1" && context.output.kind == "Deployment" {
+      	ready: {
+      		updatedReplicas:    *0 | int
+      		readyReplicas:      *0 | int
+      		replicas:           *0 | int
+      		observedGeneration: *0 | int
+      	} & {
+      		if context.output.status.updatedReplicas != _|_ {
+      			updatedReplicas: context.output.status.updatedReplicas
+      		}
+      		if context.output.status.readyReplicas != _|_ {
+      			readyReplicas: context.output.status.readyReplicas
+      		}
+      		if context.output.status.replicas != _|_ {
+      			replicas: context.output.status.replicas
+      		}
+      		if context.output.status.observedGeneration != _|_ {
+      			observedGeneration: context.output.status.observedGeneration
+      		}
+      	}
+      	isHealth: (context.output.spec.replicas == ready.readyReplicas) && (context.output.spec.replicas == ready.updatedReplicas) && (context.output.spec.replicas == ready.replicas) && (ready.observedGeneration == context.output.metadata.generation || ready.observedGeneration > context.output.metadata.generation)
+      }
+      if context.output.apiVersion != "apps/v1" || context.output.kind != "Deployment" {
+      	isHealth: true
+      }
   workload:
     type: autodetects.core.oam.dev
 

charts/vela-core/templates/defwithtemplate/sidecar.yaml

@@ -27,6 +27,9 @@ spec:
         		if parameter.args != _|_ {
         			args: parameter.args
         		}
+        		if parameter["env"] != _|_ {
+        			env: parameter.env
+        		}
         		if parameter["volumes"] != _|_ {
         			volumeMounts: [ for v in parameter.volumes {
         				{
@@ -35,6 +38,13 @@ spec:
         				}
         			}]
         		}
+        		if parameter["livenessProbe"] != _|_ {
+        			livenessProbe: parameter.livenessProbe
+        		}
+
+        		if parameter["readinessProbe"] != _|_ {
+        			readinessProbe: parameter.readinessProbe
+        		}
         	}]
         }
         parameter: {
@@ -50,10 +60,82 @@ spec:
         	// +usage=Specify the args in the sidecar
         	args?: [...string]
 
+        	// +usage=Specify the env in the sidecar
+        	env?: [...{
+        		// +usage=Environment variable name
+        		name: string
+        		// +usage=The value of the environment variable
+        		value?: string
+        		// +usage=Specifies a source the value of this var should come from
+        		valueFrom?: {
+        			// +usage=Selects a key of a secret in the pod's namespace
+        			secretKeyRef?: {
+        				// +usage=The name of the secret in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the secret to select from. Must be a valid secret key
+        				key: string
+        			}
+        			// +usage=Selects a key of a config map in the pod's namespace
+        			configMapKeyRef?: {
+        				// +usage=The name of the config map in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the config map to select from. Must be a valid secret key
+        				key: string
+        			}
+        		}
+        	}]
+
         	// +usage=Specify the shared volume path
         	volumes?: [...{
         		name: string
         		path: string
         	}]
+
+        	// +usage=Instructions for assessing whether the container is alive.
+        	livenessProbe?: #HealthProbe
+
+        	// +usage=Instructions for assessing whether the container is in a suitable state to serve traffic.
+        	readinessProbe?: #HealthProbe
+        }
+        #HealthProbe: {
+
+        	// +usage=Instructions for assessing container health by executing a command. Either this attribute or the httpGet attribute or the tcpSocket attribute MUST be specified. This attribute is mutually exclusive with both the httpGet attribute and the tcpSocket attribute.
+        	exec?: {
+        		// +usage=A command to be executed inside the container to assess its health. Each space delimited token of the command is a separate array element. Commands exiting 0 are considered to be successful probes, whilst all other exit codes are considered failures.
+        		command: [...string]
+        	}
+
+        	// +usage=Instructions for assessing container health by executing an HTTP GET request. Either this attribute or the exec attribute or the tcpSocket attribute MUST be specified. This attribute is mutually exclusive with both the exec attribute and the tcpSocket attribute.
+        	httpGet?: {
+        		// +usage=The endpoint, relative to the port, to which the HTTP GET request should be directed.
+        		path: string
+        		// +usage=The TCP socket within the container to which the HTTP GET request should be directed.
+        		port: int
+        		httpHeaders?: [...{
+        			name:  string
+        			value: string
+        		}]
+        	}
+
+        	// +usage=Instructions for assessing container health by probing a TCP socket. Either this attribute or the exec attribute or the httpGet attribute MUST be specified. This attribute is mutually exclusive with both the exec attribute and the httpGet attribute.
+        	tcpSocket?: {
+        		// +usage=The TCP socket within the container that should be probed to assess container health.
+        		port: int
+        	}
+
+        	// +usage=Number of seconds after the container is started before the first probe is initiated.
+        	initialDelaySeconds: *0 | int
+
+        	// +usage=How often, in seconds, to execute the probe.
+        	periodSeconds: *10 | int
+
+        	// +usage=Number of seconds after which the probe times out.
+        	timeoutSeconds: *1 | int
+
+        	// +usage=Minimum consecutive successes for the probe to be considered successful after having failed.
+        	successThreshold: *1 | int
+
+        	// +usage=Number of consecutive failures required to determine the container is not alive (liveness probe) or not ready (readiness probe).
+        	failureThreshold: *3 | int
         }
 

charts/vela-core/templates/defwithtemplate/storage.yaml

@@ -23,7 +23,7 @@ spec:
         	},
         ] | []
         configMapVolumesList: *[
-        			for v in parameter.configMap {
+        			for v in parameter.configMap if v.mountPath != _|_ {
         		{
         			name: "configmap-" + v.name
         			configMap: {
@@ -37,7 +37,7 @@ spec:
         	},
         ] | []
         secretVolumesList: *[
-        			for v in parameter.secret {
+        			for v in parameter.secret if v.mountPath != _|_ {
         		{
         			name: "secret-" + v.name
         			secret: {
@@ -69,7 +69,7 @@ spec:
         	},
         ] | []
         configMapVolumeMountsList: *[
-        				for v in parameter.configMap {
+        				for v in parameter.configMap if v.mountPath != _|_ {
         		{
         			name:      "configmap-" + v.name
         			mountPath: v.mountPath
@@ -87,8 +87,19 @@ spec:
         		}
         	},
         ] | []
+        configMountToEnvsList: *[
+        			for v in parameter.configMap if v.mountToEnvs != _|_ for k in v.mountToEnvs {
+        		{
+        			name: k.envName
+        			valueFrom: configMapKeyRef: {
+        				name: v.name
+        				key:  k.configMapKey
+        			}
+        		}
+        	},
+        ] | []
         secretVolumeMountsList: *[
-        			for v in parameter.secret {
+        			for v in parameter.secret if v.mountPath != _|_ {
         		{
         			name:      "secret-" + v.name
         			mountPath: v.mountPath
@@ -106,6 +117,17 @@ spec:
         		}
         	},
         ] | []
+        secretMountToEnvsList: *[
+        			for v in parameter.secret if v.mountToEnvs != _|_ for k in v.mountToEnvs {
+        		{
+        			name: k.envName
+        			valueFrom: secretKeyRef: {
+        				name: v.name
+        				key:  k.secretKey
+        			}
+        		}
+        	},
+        ] | []
         emptyDirVolumeMountsList: *[
         				for v in parameter.emptyDir {
         		{
@@ -126,14 +148,14 @@ spec:
         	// +patchKey=name
         	volumes: pvcVolumesList + configMapVolumesList + secretVolumesList + emptyDirVolumesList
 
-        	containers: [...{
+        	containers: [{
         		// +patchKey=name
-        		env: configMapEnvMountsList + secretEnvMountsList
+        		env: configMapEnvMountsList + secretEnvMountsList + configMountToEnvsList + secretMountToEnvsList
         		// +patchKey=name
         		volumeDevices: volumeDevicesList
         		// +patchKey=name
         		volumeMounts: pvcVolumeMountsList + configMapVolumeMountsList + secretVolumeMountsList + emptyDirVolumeMountsList
-        	}]
+        	}, ...]
 
         }
         outputs: {
@@ -248,7 +270,11 @@ spec:
         			envName:      string
         			configMapKey: string
         		}
-        		mountPath:   string
+        		mountToEnvs?: [...{
+        			envName:      string
+        			configMapKey: string
+        		}]
+        		mountPath?:  string
         		defaultMode: *420 | int
         		readOnly:    *false | bool
         		data?: {...}
@@ -267,7 +293,11 @@ spec:
         			envName:   string
         			secretKey: string
         		}
-        		mountPath:   string
+        		mountToEnvs?: [...{
+        			envName:   string
+        			secretKey: string
+        		}]
+        		mountPath?:  string
         		defaultMode: *420 | int
         		readOnly:    *false | bool
         		stringData?: {...}

charts/vela-core/templates/defwithtemplate/suspend.yaml

@@ -11,6 +11,8 @@ spec:
   schematic:
     cue:
       template: |
-        // no parameters
-        parameter: {}
+        parameter: {
+        	// +usage=Specify the wait duration time to resume workflow such as "30s", "1min" or "2m15s"
+        	duration?: string
+        }
 

charts/vela-core/templates/defwithtemplate/task.yaml

@@ -18,11 +18,17 @@ spec:
         		parallelism: parameter.count
         		completions: parameter.count
         		template: {
-        			if parameter.labels != _|_ {
-        				metadata: labels: parameter.labels
-        			}
-        			if parameter.annotations != _|_ {
-        				metadata: annotations: parameter.annotations
+        			metadata: {
+        				labels: {
+        					if parameter.labels != _|_ {
+        						parameter.labels
+        					}
+        					"app.oam.dev/name":      context.appName
+        					"app.oam.dev/component": context.name
+        				}
+        				if parameter.annotations != _|_ {
+        					annotations: parameter.annotations
+        				}
         			}
         			spec: {
         				restartPolicy: parameter.restart
@@ -244,6 +250,30 @@ spec:
         	// +usage=Number of consecutive failures required to determine the container is not alive (liveness probe) or not ready (readiness probe).
         	failureThreshold: *3 | int
         }
+  status:
+    customStatus: |-
+      status: {
+      	active:    *0 | int
+      	failed:    *0 | int
+      	succeeded: *0 | int
+      } & {
+      	if context.output.status.active != _|_ {
+      		active: context.output.status.active
+      	}
+      	if context.output.status.failed != _|_ {
+      		failed: context.output.status.failed
+      	}
+      	if context.output.status.succeeded != _|_ {
+      		succeeded: context.output.status.succeeded
+      	}
+      }
+      message: "Active/Failed/Succeeded:\(status.active)/\(status.failed)/\(status.succeeded)"
+    healthPolicy: |-
+      succeeded: *0 | int
+      if context.output.status.succeeded != _|_ {
+      	succeeded: context.output.status.succeeded
+      }
+      isHealth: succeeded == context.output.spec.parallelism
   workload:
     definition:
       apiVersion: batch/v1

charts/vela-core/templates/defwithtemplate/webservice.yaml

@@ -132,10 +132,10 @@ spec:
         						parameter.labels
         					}
         					if parameter.addRevisionLabel {
-        						"app.oam.dev/appRevision": context.appRevision
+        						"app.oam.dev/revision": context.revision
         					}
+        					"app.oam.dev/name":      context.appName
         					"app.oam.dev/component": context.name
-        					"app.oam.dev/revision":  context.revision
         				}
         				if parameter.annotations != _|_ {
         					annotations: parameter.annotations
@@ -333,7 +333,7 @@ spec:
         	exposeType: *"ClusterIP" | "NodePort" | "LoadBalancer" | "ExternalName"
 
         	// +ignore
-        	// +usage=If addRevisionLabel is true, the appRevision label will be added to the underlying pods
+        	// +usage=If addRevisionLabel is true, the revision label will be added to the underlying pods
         	addRevisionLabel: *false | bool
 
         	// +usage=Commands to run in the container
@@ -453,6 +453,12 @@ spec:
 
         	// +usage=Instructions for assessing whether the container is in a suitable state to serve traffic.
         	readinessProbe?: #HealthProbe
+
+        	// +usage=Specify the hostAliases to add
+        	hostAliases?: [...{
+        		ip: string
+        		hostnames: [...string]
+        	}]
         }
         #HealthProbe: {
 
@@ -494,61 +500,38 @@ spec:
 
         	// +usage=Number of consecutive failures required to determine the container is not alive (liveness probe) or not ready (readiness probe).
         	failureThreshold: *3 | int
-
-        	// +usage=Specify the hostAliases to add
-        	hostAliases: [...{
-        		ip: string
-        		hostnames: [...string]
-        	}]
         }
   status:
     customStatus: |-
-      import "strconv"
       ready: {
-      	if context.output.status.readyReplicas == _|_ {
-      		readyReplicas: 0
-      	}
-
+      	readyReplicas: *0 | int
+      } & {
       	if context.output.status.readyReplicas != _|_ {
       		readyReplicas: context.output.status.readyReplicas
       	}
       }
-
-      message: "Ready:" + strconv.FormatInt(ready.readyReplicas, 10) + "/" + strconv.FormatInt(context.output.spec.replicas, 10)
+      message: "Ready:\(ready.readyReplicas)/\(context.output.spec.replicas)"
     healthPolicy: |-
       ready: {
-      	if context.output.status.updatedReplicas == _|_  {
-      		updatedReplicas : 0
+      	updatedReplicas:    *0 | int
+      	readyReplicas:      *0 | int
+      	replicas:           *0 | int
+      	observedGeneration: *0 | int
+      } & {
+      	if context.output.status.updatedReplicas != _|_ {
+      		updatedReplicas: context.output.status.updatedReplicas
       	}
-
-      	if context.output.status.updatedReplicas != _|_  {
-      		updatedReplicas : context.output.status.updatedReplicas
-      	}
-
-      	if context.output.status.readyReplicas == _|_ {
-      		readyReplicas: 0
-      	}
-
       	if context.output.status.readyReplicas != _|_ {
       		readyReplicas: context.output.status.readyReplicas
       	}
-
-      	if context.output.status.replicas == _|_ {
-      		replicas: 0
-      	}
       	if context.output.status.replicas != _|_ {
       		replicas: context.output.status.replicas
       	}
-
       	if context.output.status.observedGeneration != _|_ {
       		observedGeneration: context.output.status.observedGeneration
       	}
-
-      	if context.output.status.observedGeneration == _|_ {
-      		observedGeneration: 0
-      	}
       }
-      	isHealth: (context.output.spec.replicas == ready.readyReplicas) && (context.output.spec.replicas == ready.updatedReplicas) && (context.output.spec.replicas == ready.replicas) && (ready.observedGeneration == context.output.metadata.generation || ready.observedGeneration > context.output.metadata.generation)
+      isHealth: (context.output.spec.replicas == ready.readyReplicas) && (context.output.spec.replicas == ready.updatedReplicas) && (context.output.spec.replicas == ready.replicas) && (ready.observedGeneration == context.output.metadata.generation || ready.observedGeneration > context.output.metadata.generation)
   workload:
     definition:
       apiVersion: apps/v1

charts/vela-core/templates/defwithtemplate/worker.yaml

@@ -124,7 +124,10 @@ spec:
         		selector: matchLabels: "app.oam.dev/component": context.name
 
         		template: {
-        			metadata: labels: "app.oam.dev/component": context.name
+        			metadata: labels: {
+        				"app.oam.dev/name":      context.appName
+        				"app.oam.dev/component": context.name
+        			}
 
         			spec: {
         				containers: [{
@@ -396,52 +399,35 @@ spec:
         }
   status:
     customStatus: |-
-      import "strconv"
       ready: {
-      	if context.output.status.readyReplicas == _|_ {
-      		readyReplicas: 0
-      	}
-
+      	readyReplicas: *0 | int
+      } & {
       	if context.output.status.readyReplicas != _|_ {
       		readyReplicas: context.output.status.readyReplicas
       	}
       }
-
-      message: "Ready:" + strconv.FormatInt(ready.readyReplicas, 10) + "/" + strconv.FormatInt(context.output.spec.replicas, 10)
+      message: "Ready:\(ready.readyReplicas)/\(context.output.spec.replicas)"
     healthPolicy: |-
       ready: {
-      	if context.output.status.updatedReplicas == _|_  {
-      		updatedReplicas : 0
+      	updatedReplicas:    *0 | int
+      	readyReplicas:      *0 | int
+      	replicas:           *0 | int
+      	observedGeneration: *0 | int
+      } & {
+      	if context.output.status.updatedReplicas != _|_ {
+      		updatedReplicas: context.output.status.updatedReplicas
       	}
-
-      	if context.output.status.updatedReplicas != _|_  {
-      		updatedReplicas : context.output.status.updatedReplicas
-      	}
-
-      	if context.output.status.readyReplicas == _|_ {
-      		readyReplicas: 0
-      	}
-
       	if context.output.status.readyReplicas != _|_ {
       		readyReplicas: context.output.status.readyReplicas
       	}
-
-      	if context.output.status.replicas == _|_ {
-      		replicas: 0
-      	}
       	if context.output.status.replicas != _|_ {
       		replicas: context.output.status.replicas
       	}
-
       	if context.output.status.observedGeneration != _|_ {
       		observedGeneration: context.output.status.observedGeneration
       	}
-
-      	if context.output.status.observedGeneration == _|_ {
-      		observedGeneration: 0
-      	}
       }
-      	isHealth: (context.output.spec.replicas == ready.readyReplicas) && (context.output.spec.replicas == ready.updatedReplicas) && (context.output.spec.replicas == ready.replicas) && (ready.observedGeneration == context.output.metadata.generation || ready.observedGeneration > context.output.metadata.generation)
+      isHealth: (context.output.spec.replicas == ready.readyReplicas) && (context.output.spec.replicas == ready.updatedReplicas) && (context.output.spec.replicas == ready.replicas) && (ready.observedGeneration == context.output.metadata.generation || ready.observedGeneration > context.output.metadata.generation)
   workload:
     definition:
       apiVersion: apps/v1

charts/vela-core/templates/kubevela-controller.yaml

@@ -25,6 +25,9 @@ subjects:
   - kind: ServiceAccount
     name: {{ include "kubevela.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
+  - kind: Group
+    name: core.oam.dev
+    apiGroup: rbac.authorization.k8s.io
 
 ---
 # permissions to do leader election.
@@ -121,6 +124,36 @@ spec:
             - "--webhook-port={{ .Values.webhookService.port }}"
             - "--webhook-cert-dir={{ .Values.admissionWebhooks.certificate.mountPath }}"
             {{ end }}
+            {{ if ne .Values.optimize.cachedGvks "" }}
+            - "--optimize-cached-gvks={{ .Values.optimize.cachedGvks }}"
+            {{ end }}
+            {{ if not .Values.optimize.resourceTrackerListOp }}
+            - "--optimize-resource-tracker-list-op=false"
+            {{ end }}
+            {{ if .Values.optimize.controllerReconcileLoopReduction }}
+            - "--optimize-controller-reconcile-loop-reduction"
+            {{ end }}
+            {{ if .Values.optimize.markWithProb }}
+            - "--optimize-mark-with-prob={{ .Values.optimize.markWithProb }}"
+            {{ end }}
+            {{ if .Values.optimize.disableComponentRevision }}
+            - "--optimize-disable-component-revision"
+            {{ end }}
+            {{ if .Values.optimize.disableApplicationRevision }}
+            - "--optimize-disable-application-revision"
+            {{ end }}
+            {{ if .Values.optimize.disableWorkflowRecorder }}
+            - "--optimize-disable-workflow-recorder"
+            {{ end }}
+            {{ if .Values.optimize.enableInMemoryWorkflowContext }}
+            - "--optimize-enable-in-memory-workflow-context"
+            {{ end }}
+            {{ if .Values.optimize.disableResourceApplyDoubleCheck }}
+            - "--optimize-disable-resource-apply-double-check"
+            {{ end }}
+            {{ if not .Values.optimize.enableResourceTrackerDeleteOnlyTrigger }}
+            - "--optimize-enable-resource-tracker-delete-only-trigger=false"
+            {{ end }}
             - "--health-addr=:{{ .Values.healthCheck.port }}"
             {{ if ne .Values.disableCaps "" }}
             - "--disable-caps={{ .Values.disableCaps }}"
@@ -132,6 +165,9 @@ spec:
             {{ if .Values.multicluster.enabled }}
             - "--enable-cluster-gateway"
             {{ end }}
+            {{ if .Values.multicluster.metrics.enabled }}
+            - "--enable-cluster-metrics"
+            {{ end }}
             - "--application-re-sync-period={{ .Values.controllerArgs.reSyncPeriod }}"
             - "--concurrent-reconciles={{ .Values.concurrentReconciles }}"
             - "--kube-api-qps={{ .Values.kubeClient.qps }}"
@@ -139,6 +175,14 @@ spec:
             - "--max-workflow-wait-backoff-time={{ .Values.workflow.backoff.maxTime.waitState }}"
             - "--max-workflow-failed-backoff-time={{ .Values.workflow.backoff.maxTime.failedState }}"
             - "--max-workflow-step-error-retry-times={{ .Values.workflow.step.errorRetryTimes }}"
+            - "--feature-gates=AuthenticateApplication={{- .Values.authentication.enabled | toString -}}"
+            {{ if .Values.authentication.enabled }}
+            {{ if .Values.authentication.withUser }}
+            - "--authentication-with-user"
+            {{ end }}
+            - "--authentication-default-user={{ .Values.authentication.defaultUser }}"
+            - "--authentication-group-pattern={{ .Values.authentication.groupPattern }}"
+            {{ end }}
           image: {{ .Values.imageRegistry }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
           imagePullPolicy: {{ quote .Values.image.pullPolicy }}
           resources:
@@ -186,4 +230,4 @@ spec:
       {{- with .Values.tolerations }}
       tolerations:
     {{- toYaml . | nindent 8 }}
-  {{- end }}
+  {{- end }}

charts/vela-core/templates/velaql/applied-resources.yaml

@@ -0,0 +1,44 @@
+apiVersion: "v1"
+kind:       "ConfigMap"
+metadata: 
+  name:      "service-applied-resources-view"
+  namespace: {{ include "systemDefinitionNamespace" . }}
+data:
+  template: |
+      import (
+          "vela/ql"
+      )
+      parameter: {
+          appName:    string
+          appNs:      string
+          name?:      string
+          cluster?:   string
+          clusterNs?: string
+      }
+      response: ql.#ListAppliedResources & {
+          app: {
+              name:      parameter.appName
+              namespace: parameter.appNs
+              filter: {
+                  if parameter.cluster != _|_ {
+                      cluster: parameter.cluster
+                  }
+                  if parameter.clusterNs != _|_ {
+                      clusterNamespace: parameter.clusterNs
+                  }
+                  if parameter.name != _|_ {
+                      components: [parameter.name]
+                  }
+              }
+          }
+      }
+      if response.err == _|_ {
+          status: {
+              resources: response.list
+          }
+      }
+      if response.err != _|_ {
+          status: {
+              error: response.err
+          }
+      }

charts/vela-core/templates/velaql/endpoints.yaml

@@ -11,6 +11,7 @@ data:
       parameter: {
           appName:    string
           appNs:      string
+          name?:      string
           cluster?:   string
           clusterNs?: string
       }
@@ -25,6 +26,9 @@ data:
                   if parameter.clusterNs != _|_ {
                       clusterNamespace: parameter.clusterNs
                   }
+                  if parameter.name != _|_ {
+                      components: [parameter.name]
+                  }
               }
           }
       }

charts/vela-core/values.yaml

@@ -84,10 +84,33 @@ webhookService:
 healthCheck:
   port: 9440
 
+## @section KubeVela controller optimization parameters
+##@param optimize.cachedGvks Optimize types of resources to be cached.
+##@param optimize.resourceTrackerListOp Optimize ResourceTracker List Op by adding index.
+##@param optimize.controllerReconcileLoopReduction Optimize ApplicationController reconcile by reducing the number of loops to reconcile application.
+##@param optimize.markWithProb Optimize ResourceTracker GC by only run mark with probability. Side effect: outdated ResourceTracker might not be able to be removed immediately.
+##@param optimize.disableComponentRevision Optimize componentRevision by disabling the creation and gc
+##@param optimize.disableApplicationRevision Optimize ApplicationRevision by disabling the creation and gc.
+##@param optimize.disableWorkflowRecorder Optimize workflow recorder by disabling the creation and gc.
+##@param optimize.enableInMemoryWorkflowContext Optimize workflow by use in-memory context.
+##@param optimize.disableResourceApplyDoubleCheck Optimize workflow by ignoring resource double check after apply.
+##@param optimize.enableResourceTrackerDeleteOnlyTrigger Optimize resourcetracker by only trigger reconcile when resourcetracker is deleted.
+optimize:
+  cachedGvks: ""
+  resourceTrackerListOp: true
+  controllerReconcileLoopReduction: false
+  markWithProb: 0.1
+  disableComponentRevision: false
+  disableApplicationRevision: false
+  disableWorkflowRecorder: false
+  enableInMemoryWorkflowContext: false
+  disableResourceApplyDoubleCheck: false
+  enableResourceTrackerDeleteOnlyTrigger: true
 
 ## @section MultiCluster parameters
 
 ## @param multicluster.enabled Whether to enable multi-cluster
+## @param multicluster.metrics.enabled Whether to enable multi-cluster metrics collect
 ## @param multicluster.clusterGateway.replicaCount ClusterGateway replica count
 ## @param multicluster.clusterGateway.port ClusterGateway port
 ## @param multicluster.clusterGateway.image.repository ClusterGateway image repository
@@ -97,14 +120,17 @@ healthCheck:
 ## @param multicluster.clusterGateway.resources.limits.memory ClusterGateway memory limit
 ## @param multicluster.clusterGateway.secureTLS.enabled Whether to enable secure TLS
 ## @param multicluster.clusterGateway.secureTLS.certPath Path to the certificate file
+## @param multicluster.clusterGateway.secureTLS.certManager.enabled Whether to enable cert-manager
 multicluster:
   enabled: true
+  metrics:
+    enabled: false
   clusterGateway:
     replicaCount: 1
     port: 9443
     image:
       repository: oamdev/cluster-gateway
-      tag: v1.1.7
+      tag: v1.3.2
       pullPolicy: IfNotPresent
     resources:
       limits:
@@ -112,6 +138,8 @@ multicluster:
         memory: 200Mi
     secureTLS:
       enabled: true
+      certManager:
+        enabled: false
       certPath: /etc/k8s-cluster-gateway-certs
 
 
@@ -210,3 +238,13 @@ admissionWebhooks:
 kubeClient:
   qps: 50
   burst: 100
+
+## @param authentication.enabled Enable authentication for application
+## @param authentication.withUser Application authentication will impersonate as the request User
+## @param authentication.defaultUser Application authentication will impersonate as the User if no user provided in Application
+## @param authentication.groupPattern Application authentication will impersonate as the request Group that matches the pattern
+authentication:
+  enabled: false
+  withUser: false
+  defaultUser: kubevela:vela-core
+  groupPattern: kubevela:*

charts/vela-minimal/README.md

@@ -1,18 +1,18 @@
 <div style="text-align: center">
   <p align="center">
-    <img src="https://raw.githubusercontent.com/oam-dev/kubevela.io/main/docs/resources/KubeVela-03.png">
+    <img src="https://raw.githubusercontent.com/kubevela/kubevela.io/main/docs/resources/KubeVela-03.png">
     <br><br>
     <i>Make shipping applications more enjoyable.</i>
   </p>
 </div>
 
-![Build status](https://github.com/oam-dev/kubevela/workflows/E2E/badge.svg)
-[![Go Report Card](https://goreportcard.com/badge/github.com/oam-dev/kubevela)](https://goreportcard.com/report/github.com/oam-dev/kubevela)
+![Build status](https://github.com/kubevela/kubevela/workflows/E2E/badge.svg)
+[![Go Report Card](https://goreportcard.com/badge/github.com/kubevela/kubevela)](https://goreportcard.com/report/github.com/kubevela/kubevela)
 ![Docker Pulls](https://img.shields.io/docker/pulls/oamdev/vela-core)
-[![codecov](https://codecov.io/gh/oam-dev/kubevela/branch/master/graph/badge.svg)](https://codecov.io/gh/oam-dev/kubevela)
-[![LICENSE](https://img.shields.io/github/license/oam-dev/kubevela.svg?style=flat-square)](/LICENSE)
-[![Releases](https://img.shields.io/github/release/oam-dev/kubevela/all.svg?style=flat-square)](https://github.com/oam-dev/kubevela/releases)
-[![TODOs](https://img.shields.io/endpoint?url=https://api.tickgit.com/badge?repo=github.com/oam-dev/kubevela)](https://www.tickgit.com/browse?repo=github.com/oam-dev/kubevela)
+[![codecov](https://codecov.io/gh/kubevela/kubevela/branch/master/graph/badge.svg)](https://codecov.io/gh/kubevela/kubevela)
+[![LICENSE](https://img.shields.io/github/license/kubevela/kubevela.svg?style=flat-square)](/LICENSE)
+[![Releases](https://img.shields.io/github/release/kubevela/kubevela/all.svg?style=flat-square)](https://github.com/kubevela/kubevela/releases)
+[![TODOs](https://img.shields.io/endpoint?url=https://api.tickgit.com/badge?repo=github.com/kubevela/kubevela)](https://www.tickgit.com/browse?repo=github.com/oam-dev/kubevela)
 [![Twitter](https://img.shields.io/twitter/url?style=social&url=https%3A%2F%2Ftwitter.com%2Foam_dev)](https://twitter.com/oam_dev)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/kubevela)](https://artifacthub.io/packages/search?repo=kubevela)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4602/badge)](https://bestpractices.coreinfrastructure.org/projects/4602)
@@ -56,18 +56,18 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-minimal --
 
 ### KubeVela core parameters
 
-| Name                          | Description                                                                                   | Value                                                        |
-| ----------------------------- | --------------------------------------------------------------------------------------------- | ------------------------------------------------------------ |
-| `systemDefinitionNamespace`   | System definition namespace, if unspecified, will use built-in variable `.Release.Namespace`. | `nil`                                                        |
-| `applicationRevisionLimit`    | Application revision limit                                                                    | `10`                                                         |
-| `definitionRevisionLimit`     | Definition revision limit                                                                     | `20`                                                         |
-| `concurrentReconciles`        | concurrentReconciles is the concurrent reconcile number of the controller                     | `4`                                                          |
-| `controllerArgs.reSyncPeriod` | The period for resync the applications                                                        | `5m`                                                         |
-| `OAMSpecVer`                  | OAMSpecVer is the oam spec version controller want to setup                                   | `minimal`                                                    |
-| `disableCaps`                 | Disable capability                                                                            | `manualscalertrait,containerizedwokrload,envbinding,rollout` |
-| `applyOnceOnly`               | Valid applyOnceOnly values: true/false/on/off/force                                           | `off`                                                        |
-| `enableFluxcdAddon`           | Whether to enable fluxcd addon                                                                | `false`                                                      |
-| `dependCheckWait`             | dependCheckWait is the time to wait for ApplicationConfiguration's dependent-resource ready   | `30s`                                                        |
+| Name                          | Description                                                                                   | Value                                  |
+| ----------------------------- | --------------------------------------------------------------------------------------------- | -------------------------------------- |
+| `systemDefinitionNamespace`   | System definition namespace, if unspecified, will use built-in variable `.Release.Namespace`. | `nil`                                  |
+| `applicationRevisionLimit`    | Application revision limit                                                                    | `10`                                   |
+| `definitionRevisionLimit`     | Definition revision limit                                                                     | `20`                                   |
+| `concurrentReconciles`        | concurrentReconciles is the concurrent reconcile number of the controller                     | `4`                                    |
+| `controllerArgs.reSyncPeriod` | The period for resync the applications                                                        | `5m`                                   |
+| `OAMSpecVer`                  | OAMSpecVer is the oam spec version controller want to setup                                   | `minimal`                              |
+| `disableCaps`                 | Disable capability                                                                            | `manualscalertrait,envbinding,rollout` |
+| `applyOnceOnly`               | Valid applyOnceOnly values: true/false/on/off/force                                           | `off`                                  |
+| `enableFluxcdAddon`           | Whether to enable fluxcd addon                                                                | `false`                                |
+| `dependCheckWait`             | dependCheckWait is the time to wait for ApplicationConfiguration's dependent-resource ready   | `30s`                                  |
 
 
 ### KubeVela workflow parameters
@@ -105,7 +105,7 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-minimal --
 | `multicluster.clusterGateway.replicaCount`            | ClusterGateway replica count     | `1`                              |
 | `multicluster.clusterGateway.port`                    | ClusterGateway port              | `9443`                           |
 | `multicluster.clusterGateway.image.repository`        | ClusterGateway image repository  | `oamdev/cluster-gateway`         |
-| `multicluster.clusterGateway.image.tag`               | ClusterGateway image tag         | `v1.1.7`                         |
+| `multicluster.clusterGateway.image.tag`               | ClusterGateway image tag         | `v1.3.2`                         |
 | `multicluster.clusterGateway.image.pullPolicy`        | ClusterGateway image pull policy | `IfNotPresent`                   |
 | `multicluster.clusterGateway.resources.limits.cpu`    | ClusterGateway cpu limit         | `100m`                           |
 | `multicluster.clusterGateway.resources.limits.memory` | ClusterGateway memory limit      | `200Mi`                          |
@@ -125,22 +125,26 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-minimal --
 
 ### Common parameters
 
-| Name                         | Description                                                                                                                | Value   |
-| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `imagePullSecrets`           | Image pull secrets                                                                                                         | `[]`    |
-| `nameOverride`               | Override name                                                                                                              | `""`    |
-| `fullnameOverride`           | Fullname override                                                                                                          | `""`    |
-| `serviceAccount.create`      | Specifies whether a service account should be created                                                                      | `true`  |
-| `serviceAccount.annotations` | Annotations to add to the service account                                                                                  | `{}`    |
-| `serviceAccount.name`        | The name of the service account to use. If not set and create is true, a name is generated using the fullname template     | `nil`   |
-| `nodeSelector`               | Node selector                                                                                                              | `{}`    |
-| `tolerations`                | Tolerations                                                                                                                | `[]`    |
-| `affinity`                   | Affinity                                                                                                                   | `{}`    |
-| `rbac.create`                | Specifies whether a RBAC role should be created                                                                            | `true`  |
-| `logDebug`                   | Enable debug logs for development purpose                                                                                  | `false` |
-| `logFilePath`                | If non-empty, write log files in this path                                                                                 | `""`    |
-| `logFileMaxSize`             | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. | `1024`  |
-| `kubeClient.qps`             | The qps for reconcile clients, default is 50                                                                               | `50`    |
-| `kubeClient.burst`           | The burst for reconcile clients, default is 100                                                                            | `100`   |
+| Name                          | Description                                                                                                                | Value                |
+| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------- | -------------------- |
+| `imagePullSecrets`            | Image pull secrets                                                                                                         | `[]`                 |
+| `nameOverride`                | Override name                                                                                                              | `""`                 |
+| `fullnameOverride`            | Fullname override                                                                                                          | `""`                 |
+| `serviceAccount.create`       | Specifies whether a service account should be created                                                                      | `true`               |
+| `serviceAccount.annotations`  | Annotations to add to the service account                                                                                  | `{}`                 |
+| `serviceAccount.name`         | The name of the service account to use. If not set and create is true, a name is generated using the fullname template     | `nil`                |
+| `nodeSelector`                | Node selector                                                                                                              | `{}`                 |
+| `tolerations`                 | Tolerations                                                                                                                | `[]`                 |
+| `affinity`                    | Affinity                                                                                                                   | `{}`                 |
+| `rbac.create`                 | Specifies whether a RBAC role should be created                                                                            | `true`               |
+| `logDebug`                    | Enable debug logs for development purpose                                                                                  | `false`              |
+| `logFilePath`                 | If non-empty, write log files in this path                                                                                 | `""`                 |
+| `logFileMaxSize`              | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. | `1024`               |
+| `kubeClient.qps`              | The qps for reconcile clients, default is 50                                                                               | `50`                 |
+| `kubeClient.burst`            | The burst for reconcile clients, default is 100                                                                            | `100`                |
+| `authentication.enabled`      | Enable authentication for application                                                                                      | `false`              |
+| `authentication.withUser`     | Application authentication will impersonate as the request User                                                            | `false`              |
+| `authentication.defaultUser`  | Application authentication will impersonate as the User if no user provided in Application                                 | `kubevela:vela-core` |
+| `authentication.groupPattern` | Application authentication will impersonate as the request Group that matches the pattern                                  | `kubevela:*`         |
 
 

charts/vela-minimal/crds/core.oam.dev_applicationrevisions.yaml

@@ -934,6 +934,8 @@ spec:
                             type: array
                           suspend:
                             type: boolean
+                          suspendState:
+                            type: string
                           terminated:
                             type: boolean
                         required:
@@ -2025,6 +2027,12 @@ spec:
     - jsonPath: .metadata.creationTimestamp
       name: AGE
       type: date
+    - jsonPath: .metadata.annotations['app\.oam\.dev\/publishVersion']
+      name: PUBLISH_VERSION
+      type: string
+    - jsonPath: .status.succeeded
+      name: SUCCEEDED
+      type: string
     name: v1beta1
     schema:
       openAPIV3Schema:
@@ -2737,6 +2745,8 @@ spec:
                             type: array
                           suspend:
                             type: boolean
+                          suspendState:
+                            type: string
                           terminated:
                             type: boolean
                         required:
@@ -2747,13 +2757,6 @@ spec:
                         type: object
                     type: object
                 type: object
-              applicationConfiguration:
-                description: ApplicationConfiguration records the rendered applicationConfiguration
-                  from Application, it will contains the whole K8s CR of trait and
-                  the reference component in it.
-                type: object
-                x-kubernetes-embedded-resource: true
-                x-kubernetes-preserve-unknown-fields: true
               componentDefinitions:
                 additionalProperties:
                   description: ComponentDefinition is the Schema for the componentdefinitions
@@ -3087,20 +3090,51 @@ spec:
                 description: ComponentDefinitions records the snapshot of the componentDefinitions
                   related with the created/modified Application
                 type: object
-              components:
-                description: Components records the rendered components from Application,
-                  it will contains the whole K8s CR of workload in it.
-                items:
-                  description: RawComponent record raw component
+              policies:
+                additionalProperties:
+                  description: Policy is the Schema for the policy API
                   properties:
-                    raw:
+                    apiVersion:
+                      description: 'APIVersion defines the versioned schema of this
+                        representation of an object. Servers should convert recognized
+                        schemas to the latest internal value, and may reject unrecognized
+                        values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                      type: string
+                    kind:
+                      description: 'Kind is a string value representing the REST resource
+                        this object represents. Servers may infer this from the endpoint
+                        the client submits requests to. Cannot be updated. In CamelCase.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                      type: string
+                    metadata:
+                      properties:
+                        annotations:
+                          additionalProperties:
+                            type: string
+                          type: object
+                        finalizers:
+                          items:
+                            type: string
+                          type: array
+                        labels:
+                          additionalProperties:
+                            type: string
+                          type: object
+                        name:
+                          type: string
+                        namespace:
+                          type: string
+                      type: object
+                    properties:
                       type: object
-                      x-kubernetes-embedded-resource: true
                       x-kubernetes-preserve-unknown-fields: true
+                    type:
+                      type: string
                   required:
-                  - raw
+                  - type
                   type: object
-                type: array
+                description: Policies records the external policies
+                type: object
               policyDefinitions:
                 additionalProperties:
                   description: PolicyDefinition is the Schema for the policydefinitions
@@ -3356,6 +3390,10 @@ spec:
                             - type
                             type: object
                           type: array
+                        configMapRef:
+                          description: ConfigMapRef refer to a ConfigMap which contains
+                            OpenAPI V3 JSON schema of Component parameters.
+                          type: string
                         latestRevision:
                           description: LatestRevision of the component definition
                           properties:
@@ -3377,15 +3415,16 @@ spec:
                 description: PolicyDefinitions records the snapshot of the PolicyDefinitions
                   related with the created/modified Application
                 type: object
-              resourcesConfigMap:
-                description: ResourcesConfigMap references the ConfigMap that's generated
-                  to contain all final rendered resources.
-                properties:
-                  name:
-                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                      TODO: Add other useful fields. apiVersion, kind, uid?'
-                    type: string
-                type: object
+              referredObjects:
+                description: ReferredObjects records the referred objects used in
+                  the ref-object typed components
+                items:
+                  description: ReferredObject the referred Kubernetes object
+                  type: object
+                  x-kubernetes-embedded-resource: true
+                  x-kubernetes-preserve-unknown-fields: true
+                type: array
+                x-kubernetes-preserve-unknown-fields: true
               scopeDefinitions:
                 additionalProperties:
                   description: A ScopeDefinition registers a kind of Kubernetes custom
@@ -3468,7 +3507,7 @@ spec:
               scopeGVK:
                 additionalProperties:
                   description: GroupVersionKind unambiguously identifies a kind.  It
-                    doesn't anonymously include GroupVersion to avoid automatic coersion.  It
+                    doesn't anonymously include GroupVersion to avoid automatic coercion.  It
                     doesn't use a GroupVersion to avoid custom marshalling
                   properties:
                     group:
@@ -3546,6 +3585,10 @@ spec:
                           items:
                             type: string
                           type: array
+                        controlPlaneOnly:
+                          description: ControlPlaneOnly defines which cluster is dispatched
+                            to
+                          type: boolean
                         definitionRef:
                           description: Reference to the CustomResourceDefinition that
                             defines this trait kind.
@@ -3819,6 +3862,89 @@ spec:
                 description: TraitDefinitions records the snapshot of the traitDefinitions
                   related with the created/modified Application
                 type: object
+              workflow:
+                description: Workflow records the external workflow
+                properties:
+                  apiVersion:
+                    description: 'APIVersion defines the versioned schema of this
+                      representation of an object. Servers should convert recognized
+                      schemas to the latest internal value, and may reject unrecognized
+                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    type: string
+                  kind:
+                    description: 'Kind is a string value representing the REST resource
+                      this object represents. Servers may infer this from the endpoint
+                      the client submits requests to. Cannot be updated. In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  metadata:
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        type: object
+                      finalizers:
+                        items:
+                          type: string
+                        type: array
+                      labels:
+                        additionalProperties:
+                          type: string
+                        type: object
+                      name:
+                        type: string
+                      namespace:
+                        type: string
+                    type: object
+                  steps:
+                    items:
+                      description: WorkflowStep defines how to execute a workflow
+                        step.
+                      properties:
+                        dependsOn:
+                          items:
+                            type: string
+                          type: array
+                        inputs:
+                          description: StepInputs defines variable input of WorkflowStep
+                          items:
+                            properties:
+                              from:
+                                type: string
+                              parameterKey:
+                                type: string
+                            required:
+                            - from
+                            - parameterKey
+                            type: object
+                          type: array
+                        name:
+                          description: Name is the unique name of the workflow step.
+                          type: string
+                        outputs:
+                          description: StepOutputs defines output variable of WorkflowStep
+                          items:
+                            properties:
+                              name:
+                                type: string
+                              valueFrom:
+                                type: string
+                            required:
+                            - name
+                            - valueFrom
+                            type: object
+                          type: array
+                        properties:
+                          type: object
+                          x-kubernetes-preserve-unknown-fields: true
+                        type:
+                          type: string
+                      required:
+                      - name
+                      - type
+                      type: object
+                    type: array
+                type: object
               workflowStepDefinitions:
                 additionalProperties:
                   description: WorkflowStepDefinition is the Schema for the workflowstepdefinitions
@@ -4408,10 +4534,184 @@ spec:
             required:
             - application
             type: object
+          status:
+            description: ApplicationRevisionStatus is the status of ApplicationRevision
+            properties:
+              succeeded:
+                description: Succeeded records if the workflow finished running with
+                  success
+                type: boolean
+              workflow:
+                description: Workflow the running status of the workflow
+                properties:
+                  appRevision:
+                    type: string
+                  contextBackend:
+                    description: 'ObjectReference contains enough information to let
+                      you inspect or modify the referred object. --- New uses of this
+                      type are discouraged because of difficulty describing its usage
+                      when embedded in APIs.  1. Ignored fields.  It includes many
+                      fields which are not generally honored.  For instance, ResourceVersion
+                      and FieldPath are both very rarely valid in actual usage.  2.
+                      Invalid usage help.  It is impossible to add specific help for
+                      individual usage.  In most embedded usages, there are particular     restrictions
+                      like, "must refer only to types A and B" or "UID not honored"
+                      or "name must be restricted".     Those cannot be well described
+                      when embedded.  3. Inconsistent validation.  Because the usages
+                      are different, the validation rules are different by usage,
+                      which makes it hard for users to predict what will happen.  4.
+                      The fields are both imprecise and overly precise.  Kind is not
+                      a precise mapping to a URL. This can produce ambiguity     during
+                      interpretation and require a REST mapping.  In most cases, the
+                      dependency is on the group,resource tuple     and the version
+                      of the actual struct is irrelevant.  5. We cannot easily change
+                      it.  Because this type is embedded in many locations, updates
+                      to this type     will affect numerous schemas.  Don''t make
+                      new APIs embed an underspecified API type they do not control.
+                      Instead of using this type, create a locally provided and used
+                      type that is well-focused on your reference. For example, ServiceReferences
+                      for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                      .'
+                    properties:
+                      apiVersion:
+                        description: API version of the referent.
+                        type: string
+                      fieldPath:
+                        description: 'If referring to a piece of an object instead
+                          of an entire object, this string should contain a valid
+                          JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                          For example, if the object reference is to a container within
+                          a pod, this would take on a value like: "spec.containers{name}"
+                          (where "name" refers to the name of the container that triggered
+                          the event) or if no container name is specified "spec.containers[2]"
+                          (container with index 2 in this pod). This syntax is chosen
+                          only to have some well-defined way of referencing a part
+                          of an object. TODO: this design is not final and this field
+                          is subject to change in the future.'
+                        type: string
+                      kind:
+                        description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      name:
+                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        type: string
+                      namespace:
+                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                        type: string
+                      resourceVersion:
+                        description: 'Specific resourceVersion to which this reference
+                          is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                        type: string
+                      uid:
+                        description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                        type: string
+                    type: object
+                  finished:
+                    type: boolean
+                  message:
+                    type: string
+                  mode:
+                    description: WorkflowMode describes the mode of workflow
+                    type: string
+                  startTime:
+                    format: date-time
+                    type: string
+                  steps:
+                    items:
+                      description: WorkflowStepStatus record the status of a workflow
+                        step
+                      properties:
+                        firstExecuteTime:
+                          description: FirstExecuteTime is the first time this step
+                            execution.
+                          format: date-time
+                          type: string
+                        id:
+                          type: string
+                        lastExecuteTime:
+                          description: LastExecuteTime is the last time this step
+                            execution.
+                          format: date-time
+                          type: string
+                        message:
+                          description: A human readable message indicating details
+                            about why the workflowStep is in this state.
+                          type: string
+                        name:
+                          type: string
+                        phase:
+                          description: WorkflowStepPhase describes the phase of a
+                            workflow step.
+                          type: string
+                        reason:
+                          description: A brief CamelCase message indicating details
+                            about why the workflowStep is in this state.
+                          type: string
+                        subSteps:
+                          description: SubStepsStatus record the status of workflow
+                            steps.
+                          properties:
+                            mode:
+                              description: WorkflowMode describes the mode of workflow
+                              type: string
+                            stepIndex:
+                              type: integer
+                            steps:
+                              items:
+                                description: WorkflowSubStepStatus record the status
+                                  of a workflow step
+                                properties:
+                                  id:
+                                    type: string
+                                  message:
+                                    description: A human readable message indicating
+                                      details about why the workflowStep is in this
+                                      state.
+                                    type: string
+                                  name:
+                                    type: string
+                                  phase:
+                                    description: WorkflowStepPhase describes the phase
+                                      of a workflow step.
+                                    type: string
+                                  reason:
+                                    description: A brief CamelCase message indicating
+                                      details about why the workflowStep is in this
+                                      state.
+                                    type: string
+                                  type:
+                                    type: string
+                                required:
+                                - id
+                                type: object
+                              type: array
+                          type: object
+                        type:
+                          type: string
+                      required:
+                      - id
+                      type: object
+                    type: array
+                  suspend:
+                    type: boolean
+                  suspendState:
+                    type: string
+                  terminated:
+                    type: boolean
+                required:
+                - finished
+                - mode
+                - suspend
+                - terminated
+                type: object
+            required:
+            - succeeded
+            type: object
         type: object
     served: true
     storage: true
-    subresources: {}
+    subresources:
+      status: {}
 status:
   acceptedNames:
     kind: ""

charts/vela-minimal/crds/core.oam.dev_definitionrevisions.yaml

@@ -636,6 +636,10 @@ spec:
                           - type
                           type: object
                         type: array
+                      configMapRef:
+                        description: ConfigMapRef refer to a ConfigMap which contains
+                          OpenAPI V3 JSON schema of Component parameters.
+                        type: string
                       latestRevision:
                         description: LatestRevision of the component definition
                         properties:
@@ -720,6 +724,10 @@ spec:
                         items:
                           type: string
                         type: array
+                      controlPlaneOnly:
+                        description: ControlPlaneOnly defines which cluster is dispatched
+                          to
+                        type: boolean
                       definitionRef:
                         description: Reference to the CustomResourceDefinition that
                           defines this trait kind.

charts/vela-minimal/crds/core.oam.dev_policydefinitions.yaml

@@ -244,6 +244,10 @@ spec:
                   - type
                   type: object
                 type: array
+              configMapRef:
+                description: ConfigMapRef refer to a ConfigMap which contains OpenAPI
+                  V3 JSON schema of Component parameters.
+                type: string
               latestRevision:
                 description: LatestRevision of the component definition
                 properties:

charts/vela-minimal/crds/core.oam.dev_traitdefinitions.yaml

@@ -372,6 +372,10 @@ spec:
                 items:
                   type: string
                 type: array
+              controlPlaneOnly:
+                description: ControlPlaneOnly defines which cluster is dispatched
+                  to
+                type: boolean
               definitionRef:
                 description: Reference to the CustomResourceDefinition that defines
                   this trait kind.

charts/vela-minimal/templates/admission-webhooks/mutatingWebhookConfiguration.yaml

@@ -92,6 +92,32 @@ webhooks:
           - UPDATE
         resources:
           - podspecworkloads
+  - clientConfig:
+      caBundle: Cg==
+      service:
+        name: {{ template "kubevela.name" . }}-webhook
+        namespace: {{ .Release.Namespace }}
+        path: /mutating-core-oam-dev-v1beta1-applications
+    {{- if .Values.admissionWebhooks.patch.enabled }}
+    failurePolicy: Ignore
+    {{- else }}
+    failurePolicy: Fail
+    {{- end }}
+    name: mutating.core.oam.dev.v1beta1.applications
+    admissionReviewVersions:
+      - v1beta1
+      - v1
+    sideEffects: None
+    rules:
+      - apiGroups:
+          - core.oam.dev
+        apiVersions:
+          - v1beta1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - applications
   - clientConfig:
       caBundle: Cg==
       service:

charts/vela-minimal/templates/cluster-gateway.yaml

@@ -188,4 +188,30 @@ spec:
         runAsGroup: 2000
         runAsNonRoot: true
         runAsUser: 2000
-  {{ end }}
+  {{ end }}
+---
+{{ if and .Values.multicluster.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-role
+rules:
+  - apiGroups: [ "cluster.core.oam.dev" ]
+    resources: [ "clustergateways/proxy" ]
+    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+{{ end }}
+---
+{{ if and .Values.multicluster.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-role
+subjects:
+  - kind: Group
+    name: cluster-gateway-accessor
+    apiGroup: rbac.authorization.k8s.io
+{{ end }}

charts/vela-minimal/templates/defwithtemplate/annotations.yaml

@@ -16,17 +16,20 @@ spec:
   schematic:
     cue:
       template: |
+        // +patchStrategy=jsonMergePatch
         patch: {
         	metadata: annotations: {
         		for k, v in parameter {
         			"\(k)": v
         		}
         	}
-        	spec: template: metadata: annotations: {
-        		for k, v in parameter {
-        			"\(k)": v
+        	if context.output.spec != _|_ && context.output.spec.template != _|_ {
+        		spec: template: metadata: annotations: {
+        			for k, v in parameter {
+        				"\(k)": v
+        			}
         		}
         	}
         }
-        parameter: [string]: string
+        parameter: [string]: string | null
 

charts/vela-minimal/templates/defwithtemplate/config-image-registry.yaml

@@ -0,0 +1,73 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/config-image-registry.cue
+apiVersion: core.oam.dev/v1beta1
+kind: ComponentDefinition
+metadata:
+  annotations:
+    custom.definition.oam.dev/alias.config.oam.dev: Image Registry
+    definition.oam.dev/description: Config information to authenticate image registry
+  labels:
+    custom.definition.oam.dev/catalog.config.oam.dev: velacore-config
+    custom.definition.oam.dev/multi-cluster.config.oam.dev: "true"
+    custom.definition.oam.dev/type.config.oam.dev: image-registry
+    custom.definition.oam.dev/ui-hidden: "true"
+  name: config-image-registry
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"encoding/base64"
+        	"encoding/json"
+        )
+
+        output: {
+        	apiVersion: "v1"
+        	kind:       "Secret"
+        	metadata: {
+        		name:      context.name
+        		namespace: context.namespace
+        		labels: {
+        			"config.oam.dev/catalog":       "velacore-config"
+        			"config.oam.dev/type":          "image-registry"
+        			"config.oam.dev/multi-cluster": "true"
+        			"config.oam.dev/identifier":    parameter.registry
+        			"config.oam.dev/sub-type":      "auth"
+        		}
+        	}
+        	if parameter.auth != _|_ {
+        		type: "kubernetes.io/dockerconfigjson"
+        	}
+        	if parameter.auth == _|_ {
+        		type: "Opaque"
+        	}
+        	if parameter.auth != _|_ {
+        		stringData: ".dockerconfigjson": json.Marshal({
+        			auths: "\(parameter.registry)": {
+        				username: parameter.auth.username
+        				password: parameter.auth.password
+        				if parameter.auth.email != _|_ {
+        					email: parameter.auth.email
+        				}
+        				auth: base64.Encode(null, (parameter.auth.username + ":" + parameter.auth.password))
+        			}
+        		})
+        	}
+        }
+        parameter: {
+        	// +usage=Image registry FQDN
+        	registry: string
+        	// +usage=Authenticate the image registry
+        	auth?: {
+        		// +usage=Private Image registry username
+        		username: string
+        		// +usage=Private Image registry password
+        		password: string
+        		// +usage=Private Image registry email
+        		email?: string
+        	}
+        }
+  workload:
+    type: autodetects.core.oam.dev
+

charts/vela-minimal/templates/defwithtemplate/cron-task.yaml

@@ -0,0 +1,320 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/cron-task.cue
+apiVersion: core.oam.dev/v1beta1
+kind: ComponentDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Describes cron jobs that run code or a script to completion.
+  name: cron-task
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        output: {
+        	apiVersion: "batch/v1beta1"
+        	kind:       "CronJob"
+        	spec: {
+        		schedule:                   parameter.schedule
+        		concurrencyPolicy:          parameter.concurrencyPolicy
+        		suspend:                    parameter.suspend
+        		successfulJobsHistoryLimit: parameter.successfulJobsHistoryLimit
+        		failedJobsHistoryLimit:     parameter.failedJobsHistoryLimit
+        		if parameter.startingDeadlineSeconds != _|_ {
+        			startingDeadlineSeconds: parameter.startingDeadlineSeconds
+        		}
+        		jobTemplate: {
+        			metadata: {
+        				labels: {
+        					if parameter.labels != _|_ {
+        						parameter.labels
+        					}
+        					"app.oam.dev/name":      context.appName
+        					"app.oam.dev/component": context.name
+        				}
+        				if parameter.annotations != _|_ {
+        					annotations: parameter.annotations
+        				}
+        			}
+        			spec: {
+        				parallelism: parameter.count
+        				completions: parameter.count
+        				if parameter.ttlSecondsAfterFinished != _|_ {
+        					ttlSecondsAfterFinished: parameter.ttlSecondsAfterFinished
+        				}
+        				if parameter.activeDeadlineSeconds != _|_ {
+        					activeDeadlineSeconds: parameter.activeDeadlineSeconds
+        				}
+        				backoffLimit: parameter.backoffLimit
+        				template: {
+        					metadata: {
+        						labels: {
+        							if parameter.labels != _|_ {
+        								parameter.labels
+        							}
+        							"app.oam.dev/name":      context.appName
+        							"app.oam.dev/component": context.name
+        						}
+        						if parameter.annotations != _|_ {
+        							annotations: parameter.annotations
+        						}
+        					}
+        					spec: {
+        						restartPolicy: parameter.restart
+        						containers: [{
+        							name:  context.name
+        							image: parameter.image
+        							if parameter["imagePullPolicy"] != _|_ {
+        								imagePullPolicy: parameter.imagePullPolicy
+        							}
+        							if parameter["cmd"] != _|_ {
+        								command: parameter.cmd
+        							}
+        							if parameter["env"] != _|_ {
+        								env: parameter.env
+        							}
+        							if parameter["cpu"] != _|_ {
+        								resources: {
+        									limits: cpu:   parameter.cpu
+        									requests: cpu: parameter.cpu
+        								}
+        							}
+        							if parameter["memory"] != _|_ {
+        								resources: {
+        									limits: memory:   parameter.memory
+        									requests: memory: parameter.memory
+        								}
+        							}
+        							if parameter["volumes"] != _|_ {
+        								volumeMounts: [ for v in parameter.volumes {
+        									{
+        										mountPath: v.mountPath
+        										name:      v.name
+        									}}]
+        							}
+        						}]
+        						if parameter["volumes"] != _|_ {
+        							volumes: [ for v in parameter.volumes {
+        								{
+        									name: v.name
+        									if v.type == "pvc" {
+        										persistentVolumeClaim: claimName: v.claimName
+        									}
+        									if v.type == "configMap" {
+        										configMap: {
+        											defaultMode: v.defaultMode
+        											name:        v.cmName
+        											if v.items != _|_ {
+        												items: v.items
+        											}
+        										}
+        									}
+        									if v.type == "secret" {
+        										secret: {
+        											defaultMode: v.defaultMode
+        											secretName:  v.secretName
+        											if v.items != _|_ {
+        												items: v.items
+        											}
+        										}
+        									}
+        									if v.type == "emptyDir" {
+        										emptyDir: medium: v.medium
+        									}
+        								}}]
+        						}
+        						if parameter["imagePullSecrets"] != _|_ {
+        							imagePullSecrets: [ for v in parameter.imagePullSecrets {
+        								name: v
+        							},
+        							]
+        						}
+        						if parameter.hostAliases != _|_ {
+        							hostAliases: [ for v in parameter.hostAliases {
+        								ip:        v.ip
+        								hostnames: v.hostnames
+        							},
+        							]
+        						}
+        					}
+        				}
+        			}
+        		}
+        	}
+        }
+        parameter: {
+        	// +usage=Specify the labels in the workload
+        	labels?: [string]: string
+
+        	// +usage=Specify the annotations in the workload
+        	annotations?: [string]: string
+
+        	// +usage=Specify the schedule in Cron format, see https://en.wikipedia.org/wiki/Cron
+        	schedule: string
+
+        	// +usage=Specify deadline in seconds for starting the job if it misses scheduled
+        	startingDeadlineSeconds?: int
+
+        	// +usage=suspend subsequent executions
+        	suspend: *false | bool
+
+        	// +usage=Specifies how to treat concurrent executions of a Job
+        	concurrencyPolicy: *"Allow" | "Allow" | "Forbid" | "Replace"
+
+        	// +usage=The number of successful finished jobs to retain
+        	successfulJobsHistoryLimit: *3 | int
+
+        	// +usage=The number of failed finished jobs to retain
+        	failedJobsHistoryLimit: *1 | int
+
+        	// +usage=Specify number of tasks to run in parallel
+        	// +short=c
+        	count: *1 | int
+
+        	// +usage=Which image would you like to use for your service
+        	// +short=i
+        	image: string
+
+        	// +usage=Specify image pull policy for your service
+        	imagePullPolicy?: "Always" | "Never" | "IfNotPresent"
+
+        	// +usage=Specify image pull secrets for your service
+        	imagePullSecrets?: [...string]
+
+        	// +usage=Define the job restart policy, the value can only be Never or OnFailure. By default, it's Never.
+        	restart: *"Never" | string
+
+        	// +usage=Commands to run in the container
+        	cmd?: [...string]
+
+        	// +usage=Define arguments by using environment variables
+        	env?: [...{
+        		// +usage=Environment variable name
+        		name: string
+        		// +usage=The value of the environment variable
+        		value?: string
+        		// +usage=Specifies a source the value of this var should come from
+        		valueFrom?: {
+        			// +usage=Selects a key of a secret in the pod's namespace
+        			secretKeyRef: {
+        				// +usage=The name of the secret in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the secret to select from. Must be a valid secret key
+        				key: string
+        			}
+        			// +usage=Selects a key of a config map in the pod's namespace
+        			configMapKeyRef: {
+        				// +usage=The name of the config map in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the config map to select from. Must be a valid secret key
+        				key: string
+        			}
+        		}
+        	}]
+
+        	// +usage=Number of CPU units for the service, like `0.5` (0.5 CPU core), `1` (1 CPU core)
+        	cpu?: string
+
+        	// +usage=Specifies the attributes of the memory resource required for the container.
+        	memory?: string
+
+        	// +usage=Declare volumes and volumeMounts
+        	volumes?: [...{
+        		name:      string
+        		mountPath: string
+        		// +usage=Specify volume type, options: "pvc","configMap","secret","emptyDir"
+        		type: "pvc" | "configMap" | "secret" | "emptyDir"
+        		if type == "pvc" {
+        			claimName: string
+        		}
+        		if type == "configMap" {
+        			defaultMode: *420 | int
+        			cmName:      string
+        			items?: [...{
+        				key:  string
+        				path: string
+        				mode: *511 | int
+        			}]
+        		}
+        		if type == "secret" {
+        			defaultMode: *420 | int
+        			secretName:  string
+        			items?: [...{
+        				key:  string
+        				path: string
+        				mode: *511 | int
+        			}]
+        		}
+        		if type == "emptyDir" {
+        			medium: *"" | "Memory"
+        		}
+        	}]
+
+        	// +usage=An optional list of hosts and IPs that will be injected into the pod's hosts file
+        	hostAliases?: [...{
+        		ip: string
+        		hostnames: [...string]
+        	}]
+
+        	// +usage=Limits the lifetime of a Job that has finished
+        	ttlSecondsAfterFinished?: int
+
+        	// +usage=The duration in seconds relative to the startTime that the job may be continuously active before the system tries to terminate it
+        	activeDeadlineSeconds?: int
+
+        	// +usage=The number of retries before marking this job failed
+        	backoffLimit: *6 | int
+
+        	// +usage=Instructions for assessing whether the container is alive.
+        	livenessProbe?: #HealthProbe
+
+        	// +usage=Instructions for assessing whether the container is in a suitable state to serve traffic.
+        	readinessProbe?: #HealthProbe
+        }
+        #HealthProbe: {
+
+        	// +usage=Instructions for assessing container health by executing a command. Either this attribute or the httpGet attribute or the tcpSocket attribute MUST be specified. This attribute is mutually exclusive with both the httpGet attribute and the tcpSocket attribute.
+        	exec?: {
+        		// +usage=A command to be executed inside the container to assess its health. Each space delimited token of the command is a separate array element. Commands exiting 0 are considered to be successful probes, whilst all other exit codes are considered failures.
+        		command: [...string]
+        	}
+
+        	// +usage=Instructions for assessing container health by executing an HTTP GET request. Either this attribute or the exec attribute or the tcpSocket attribute MUST be specified. This attribute is mutually exclusive with both the exec attribute and the tcpSocket attribute.
+        	httpGet?: {
+        		// +usage=The endpoint, relative to the port, to which the HTTP GET request should be directed.
+        		path: string
+        		// +usage=The TCP socket within the container to which the HTTP GET request should be directed.
+        		port: int
+        		httpHeaders?: [...{
+        			name:  string
+        			value: string
+        		}]
+        	}
+
+        	// +usage=Instructions for assessing container health by probing a TCP socket. Either this attribute or the exec attribute or the httpGet attribute MUST be specified. This attribute is mutually exclusive with both the exec attribute and the httpGet attribute.
+        	tcpSocket?: {
+        		// +usage=The TCP socket within the container that should be probed to assess container health.
+        		port: int
+        	}
+
+        	// +usage=Number of seconds after the container is started before the first probe is initiated.
+        	initialDelaySeconds: *0 | int
+
+        	// +usage=How often, in seconds, to execute the probe.
+        	periodSeconds: *10 | int
+
+        	// +usage=Number of seconds after which the probe times out.
+        	timeoutSeconds: *1 | int
+
+        	// +usage=Minimum consecutive successes for the probe to be considered successful after having failed.
+        	successThreshold: *1 | int
+
+        	// +usage=Number of consecutive failures required to determine the container is not alive (liveness probe) or not ready (readiness probe).
+        	failureThreshold: *3 | int
+        }
+  workload:
+    definition:
+      apiVersion: batch/v1beta1
+      kind: CronJob
+    type: cronjobs.batch
+

charts/vela-minimal/templates/defwithtemplate/deploy.yaml

@@ -15,41 +15,9 @@ spec:
         	"vela/op"
         )
 
-        deploy: op.#Steps & {
-        	load: op.#Load @step(1)
-        	_components: [ for k, v in load.value {v}]
-        	loadPoliciesInOrder: op.#LoadPoliciesInOrder & {
-        		if parameter.policies != _|_ {
-        					input: parameter.policies
-        				}
-        	}                     @step(2)
-        	_policies:            loadPoliciesInOrder.output
-        	handleDeployPolicies: op.#HandleDeployPolicies & {
-        		inputs: {
-        			components: _components
-        			policies:   _policies
-        		}
-        	}                   @step(3)
-        	_decisions:         handleDeployPolicies.outputs.decisions
-        	_patchedComponents: handleDeployPolicies.outputs.components
-        	deploy:             op.#ApplyComponents & {
-        		parallelism: parameter.parallelism
-        		components: {
-        			for decision in _decisions {
-        				for key, comp in _patchedComponents {
-        					"\(decision.cluster)-\(decision.namespace)-\(key)": {
-        						value: comp
-        						if decision.cluster != _|_ {
-        							cluster: decision.cluster
-        						}
-        						if decision.namespace != _|_ {
-        							namespace: decision.namespace
-        						}
-        					}
-        				}
-        			}
-        		}
-        	} @step(4)
+        deploy: op.#Deploy & {
+        	policies:    parameter.policies
+        	parallelism: parameter.parallelism
         }
         parameter: {
         	auto: *true | bool

charts/vela-minimal/templates/defwithtemplate/env.yaml

@@ -46,7 +46,7 @@ spec:
         			}]
         		}
         		if _baseEnv != _|_ {
-        			_baseEnvMap: {for envVar in _baseEnv {"\(envVar.name)": envVar.value}}
+        			_baseEnvMap: {for envVar in _baseEnv {"\(envVar.name)": envVar}}
         			// +patchStrategy=replace
         			env: [ for envVar in _baseEnv if _delKeys[envVar.name] == _|_ && !_params.replace {
         				name: envVar.name
@@ -54,11 +54,15 @@ spec:
         					value: _params.env[envVar.name]
         				}
         				if _params.env[envVar.name] == _|_ {
-        					value: envVar.value
+        					if envVar.value != _|_ {
+        						value: envVar.value
+        					}
+        					if envVar.valueFrom != _|_ {
+        						valueFrom: envVar.valueFrom
+        					}
         				}
         			}] + [ for k, v in _params.env if _delKeys[k] == _|_ && (_params.replace || _baseEnvMap[k] == _|_) {
-        				name:  k
-        				value: v
+        				v
         			}]
         		}
         	}

charts/vela-minimal/templates/defwithtemplate/gateway.yaml

@@ -8,6 +8,8 @@ metadata:
   name: gateway
   namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
+  appliesToWorkloads:
+    - '*'
   podDisruptive: false
   schematic:
     cue:

charts/vela-minimal/templates/defwithtemplate/generate-jdbc-connection.yaml

@@ -0,0 +1,49 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/generate-jdbc-connection.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Generate a JDBC connection based on Component of alibaba-rds
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
+  name: generate-jdbc-connection
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"vela/op"
+        	"encoding/base64"
+        )
+
+        output: op.#Read & {
+        	value: {
+        		apiVersion: "v1"
+        		kind:       "Secret"
+        		metadata: {
+        			name: parameter.name
+        			if parameter.namespace != _|_ {
+        				namespace: parameter.namespace
+        			}
+        		}
+        	}
+        }
+        dbHost:   op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_HOST"])}
+        dbPort:   op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_PORT"])}
+        dbName:   op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_NAME"])}
+        username: op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_USER"])}
+        password: op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_PASSWORD"])}
+        env: [
+        	{name: "url", value:      "jdbc://" + dbHost.str + ":" + dbPort.str + "/" + dbName.str + "?characterEncoding=utf8&useSSL=false"},
+        	{name: "username", value: username.str},
+        	{name: "password", value: password.str},
+        ]
+        parameter: {
+        	// +usage=Specify the name of the secret generated by database component
+        	name: string
+        	// +usage=Specify the namespace of the secret generated by database component
+        	namespace?: string
+        }
+

charts/vela-minimal/templates/defwithtemplate/init-container.yaml

@@ -35,6 +35,9 @@ spec:
         		if parameter.args != _|_ {
         			args: parameter.args
         		}
+        		if parameter["env"] != _|_ {
+        			env: parameter.env
+        		}
 
         		// +patchKey=name
         		volumeMounts: [{
@@ -61,6 +64,31 @@ spec:
         	// +usage=Specify the args run in the init container
         	args?: [...string]
 
+        	// +usage=Specify the env run in the init container
+        	env?: [...{
+        		// +usage=Environment variable name
+        		name: string
+        		// +usage=The value of the environment variable
+        		value?: string
+        		// +usage=Specifies a source the value of this var should come from
+        		valueFrom?: {
+        			// +usage=Selects a key of a secret in the pod's namespace
+        			secretKeyRef?: {
+        				// +usage=The name of the secret in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the secret to select from. Must be a valid secret key
+        				key: string
+        			}
+        			// +usage=Selects a key of a config map in the pod's namespace
+        			configMapKeyRef?: {
+        				// +usage=The name of the config map in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the config map to select from. Must be a valid secret key
+        				key: string
+        			}
+        		}
+        	}]
+
         	// +usage=Specify the mount name of shared volume
         	mountName: *"workdir" | string
 

charts/vela-minimal/templates/defwithtemplate/labels.yaml

@@ -16,17 +16,20 @@ spec:
   schematic:
     cue:
       template: |
+        // +patchStrategy=jsonMergePatch
         patch: {
         	metadata: labels: {
         		for k, v in parameter {
         			"\(k)": v
         		}
         	}
-        	spec: template: metadata: labels: {
-        		for k, v in parameter {
-        			"\(k)": v
+        	if context.output.spec != _|_ && context.output.spec.template != _|_ {
+        		spec: template: metadata: labels: {
+        			for k, v in parameter {
+        				"\(k)": v
+        			}
         		}
         	}
         }
-        parameter: [string]: string
+        parameter: [string]: string | null
 

charts/vela-minimal/templates/defwithtemplate/notification.yaml

@@ -291,8 +291,10 @@ spec:
         		if parameter.email.from.password.value != _|_ {
         			email1: op.#SendEmail & {
         				from: {
-        					address:  parameter.email.from.value
-        					alias:    parameter.email.from.alias
+        					address: parameter.email.from.address
+        					if parameter.email.from.alias != _|_ {
+        						alias: parameter.email.from.alias
+        					}
         					password: parameter.email.from.password.value
         					host:     parameter.email.from.host
         					port:     parameter.email.from.port
@@ -318,8 +320,10 @@ spec:
         			stringValue: op.#ConvertString & {bt: decoded}
         			email2:      op.#SendEmail & {
         				from: {
-        					address:  parameter.email.from.value
-        					alias:    parameter.email.from.alias
+        					address: parameter.email.from.address
+        					if parameter.email.from.alias != _|_ {
+        						alias: parameter.email.from.alias
+        					}
         					password: stringValue.str
         					host:     parameter.email.from.host
         					port:     parameter.email.from.port

charts/vela-minimal/templates/defwithtemplate/ref-objects.yaml

@@ -29,6 +29,47 @@ spec:
         	}
         }
         parameter: objects: [...#K8sObject]
+  status:
+    customStatus: |-
+      if context.output.apiVersion == "apps/v1" && context.output.kind == "Deployment" {
+      	ready: {
+      		readyReplicas: *0 | int
+      	} & {
+      		if context.output.status.readyReplicas != _|_ {
+      			readyReplicas: context.output.status.readyReplicas
+      		}
+      	}
+      	message: "Ready:\(ready.readyReplicas)/\(context.output.spec.replicas)"
+      }
+      if context.output.apiVersion != "apps/v1" || context.output.kind != "Deployment" {
+      	message: ""
+      }
+    healthPolicy: |-
+      if context.output.apiVersion == "apps/v1" && context.output.kind == "Deployment" {
+      	ready: {
+      		updatedReplicas:    *0 | int
+      		readyReplicas:      *0 | int
+      		replicas:           *0 | int
+      		observedGeneration: *0 | int
+      	} & {
+      		if context.output.status.updatedReplicas != _|_ {
+      			updatedReplicas: context.output.status.updatedReplicas
+      		}
+      		if context.output.status.readyReplicas != _|_ {
+      			readyReplicas: context.output.status.readyReplicas
+      		}
+      		if context.output.status.replicas != _|_ {
+      			replicas: context.output.status.replicas
+      		}
+      		if context.output.status.observedGeneration != _|_ {
+      			observedGeneration: context.output.status.observedGeneration
+      		}
+      	}
+      	isHealth: (context.output.spec.replicas == ready.readyReplicas) && (context.output.spec.replicas == ready.updatedReplicas) && (context.output.spec.replicas == ready.replicas) && (ready.observedGeneration == context.output.metadata.generation || ready.observedGeneration > context.output.metadata.generation)
+      }
+      if context.output.apiVersion != "apps/v1" || context.output.kind != "Deployment" {
+      	isHealth: true
+      }
   workload:
     type: autodetects.core.oam.dev
 

charts/vela-minimal/templates/defwithtemplate/sidecar.yaml

@@ -27,6 +27,9 @@ spec:
         		if parameter.args != _|_ {
         			args: parameter.args
         		}
+        		if parameter["env"] != _|_ {
+        			env: parameter.env
+        		}
         		if parameter["volumes"] != _|_ {
         			volumeMounts: [ for v in parameter.volumes {
         				{
@@ -35,6 +38,13 @@ spec:
         				}
         			}]
         		}
+        		if parameter["livenessProbe"] != _|_ {
+        			livenessProbe: parameter.livenessProbe
+        		}
+
+        		if parameter["readinessProbe"] != _|_ {
+        			readinessProbe: parameter.readinessProbe
+        		}
         	}]
         }
         parameter: {
@@ -50,10 +60,82 @@ spec:
         	// +usage=Specify the args in the sidecar
         	args?: [...string]
 
+        	// +usage=Specify the env in the sidecar
+        	env?: [...{
+        		// +usage=Environment variable name
+        		name: string
+        		// +usage=The value of the environment variable
+        		value?: string
+        		// +usage=Specifies a source the value of this var should come from
+        		valueFrom?: {
+        			// +usage=Selects a key of a secret in the pod's namespace
+        			secretKeyRef?: {
+        				// +usage=The name of the secret in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the secret to select from. Must be a valid secret key
+        				key: string
+        			}
+        			// +usage=Selects a key of a config map in the pod's namespace
+        			configMapKeyRef?: {
+        				// +usage=The name of the config map in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the config map to select from. Must be a valid secret key
+        				key: string
+        			}
+        		}
+        	}]
+
         	// +usage=Specify the shared volume path
         	volumes?: [...{
         		name: string
         		path: string
         	}]
+
+        	// +usage=Instructions for assessing whether the container is alive.
+        	livenessProbe?: #HealthProbe
+
+        	// +usage=Instructions for assessing whether the container is in a suitable state to serve traffic.
+        	readinessProbe?: #HealthProbe
+        }
+        #HealthProbe: {
+
+        	// +usage=Instructions for assessing container health by executing a command. Either this attribute or the httpGet attribute or the tcpSocket attribute MUST be specified. This attribute is mutually exclusive with both the httpGet attribute and the tcpSocket attribute.
+        	exec?: {
+        		// +usage=A command to be executed inside the container to assess its health. Each space delimited token of the command is a separate array element. Commands exiting 0 are considered to be successful probes, whilst all other exit codes are considered failures.
+        		command: [...string]
+        	}
+
+        	// +usage=Instructions for assessing container health by executing an HTTP GET request. Either this attribute or the exec attribute or the tcpSocket attribute MUST be specified. This attribute is mutually exclusive with both the exec attribute and the tcpSocket attribute.
+        	httpGet?: {
+        		// +usage=The endpoint, relative to the port, to which the HTTP GET request should be directed.
+        		path: string
+        		// +usage=The TCP socket within the container to which the HTTP GET request should be directed.
+        		port: int
+        		httpHeaders?: [...{
+        			name:  string
+        			value: string
+        		}]
+        	}
+
+        	// +usage=Instructions for assessing container health by probing a TCP socket. Either this attribute or the exec attribute or the httpGet attribute MUST be specified. This attribute is mutually exclusive with both the exec attribute and the httpGet attribute.
+        	tcpSocket?: {
+        		// +usage=The TCP socket within the container that should be probed to assess container health.
+        		port: int
+        	}
+
+        	// +usage=Number of seconds after the container is started before the first probe is initiated.
+        	initialDelaySeconds: *0 | int
+
+        	// +usage=How often, in seconds, to execute the probe.
+        	periodSeconds: *10 | int
+
+        	// +usage=Number of seconds after which the probe times out.
+        	timeoutSeconds: *1 | int
+
+        	// +usage=Minimum consecutive successes for the probe to be considered successful after having failed.
+        	successThreshold: *1 | int
+
+        	// +usage=Number of consecutive failures required to determine the container is not alive (liveness probe) or not ready (readiness probe).
+        	failureThreshold: *3 | int
         }
 

charts/vela-minimal/templates/defwithtemplate/storage.yaml

@@ -23,7 +23,7 @@ spec:
         	},
         ] | []
         configMapVolumesList: *[
-        			for v in parameter.configMap {
+        			for v in parameter.configMap if v.mountPath != _|_ {
         		{
         			name: "configmap-" + v.name
         			configMap: {
@@ -37,7 +37,7 @@ spec:
         	},
         ] | []
         secretVolumesList: *[
-        			for v in parameter.secret {
+        			for v in parameter.secret if v.mountPath != _|_ {
         		{
         			name: "secret-" + v.name
         			secret: {
@@ -69,7 +69,7 @@ spec:
         	},
         ] | []
         configMapVolumeMountsList: *[
-        				for v in parameter.configMap {
+        				for v in parameter.configMap if v.mountPath != _|_ {
         		{
         			name:      "configmap-" + v.name
         			mountPath: v.mountPath
@@ -87,8 +87,19 @@ spec:
         		}
         	},
         ] | []
+        configMountToEnvsList: *[
+        			for v in parameter.configMap if v.mountToEnvs != _|_ for k in v.mountToEnvs {
+        		{
+        			name: k.envName
+        			valueFrom: configMapKeyRef: {
+        				name: v.name
+        				key:  k.configMapKey
+        			}
+        		}
+        	},
+        ] | []
         secretVolumeMountsList: *[
-        			for v in parameter.secret {
+        			for v in parameter.secret if v.mountPath != _|_ {
         		{
         			name:      "secret-" + v.name
         			mountPath: v.mountPath
@@ -106,6 +117,17 @@ spec:
         		}
         	},
         ] | []
+        secretMountToEnvsList: *[
+        			for v in parameter.secret if v.mountToEnvs != _|_ for k in v.mountToEnvs {
+        		{
+        			name: k.envName
+        			valueFrom: secretKeyRef: {
+        				name: v.name
+        				key:  k.secretKey
+        			}
+        		}
+        	},
+        ] | []
         emptyDirVolumeMountsList: *[
         				for v in parameter.emptyDir {
         		{
@@ -126,14 +148,14 @@ spec:
         	// +patchKey=name
         	volumes: pvcVolumesList + configMapVolumesList + secretVolumesList + emptyDirVolumesList
 
-        	containers: [...{
+        	containers: [{
         		// +patchKey=name
-        		env: configMapEnvMountsList + secretEnvMountsList
+        		env: configMapEnvMountsList + secretEnvMountsList + configMountToEnvsList + secretMountToEnvsList
         		// +patchKey=name
         		volumeDevices: volumeDevicesList
         		// +patchKey=name
         		volumeMounts: pvcVolumeMountsList + configMapVolumeMountsList + secretVolumeMountsList + emptyDirVolumeMountsList
-        	}]
+        	}, ...]
 
         }
         outputs: {
@@ -248,7 +270,11 @@ spec:
         			envName:      string
         			configMapKey: string
         		}
-        		mountPath:   string
+        		mountToEnvs?: [...{
+        			envName:      string
+        			configMapKey: string
+        		}]
+        		mountPath?:  string
         		defaultMode: *420 | int
         		readOnly:    *false | bool
         		data?: {...}
@@ -267,7 +293,11 @@ spec:
         			envName:   string
         			secretKey: string
         		}
-        		mountPath:   string
+        		mountToEnvs?: [...{
+        			envName:   string
+        			secretKey: string
+        		}]
+        		mountPath?:  string
         		defaultMode: *420 | int
         		readOnly:    *false | bool
         		stringData?: {...}

charts/vela-minimal/templates/defwithtemplate/suspend.yaml

@@ -11,6 +11,8 @@ spec:
   schematic:
     cue:
       template: |
-        // no parameters
-        parameter: {}
+        parameter: {
+        	// +usage=Specify the wait duration time to resume workflow such as "30s", "1min" or "2m15s"
+        	duration?: string
+        }