Feat: add the CloudShell feature (#4280 )

* Feat: add the CloudShell feature Signed-off-by: barnettZQG <barnett.zqg@gmail.com> * Fix: unit test bug Signed-off-by: barnettZQG <barnett.zqg@gmail.com> * Feat: handle the error Signed-off-by: barnettZQG <barnett.zqg@gmail.com> * Feat: change the auth package Signed-off-by: barnettZQG <barnett.zqg@gmail.com> * Fix: change the CSR name Signed-off-by: barnettZQG <barnett.zqg@gmail.com> * Fix: change the generate function Signed-off-by: barnettZQG <barnett.zqg@gmail.com> * Fix: unit test Signed-off-by: barnettZQG <barnett.zqg@gmail.com> * Fix: e2e test Signed-off-by: barnettZQG <barnett.zqg@gmail.com>
Fix: fail to query the application logs with the special characters (#4305 )
2026-03-02 17:50:58 +00:00 · 2022-07-01 23:31:15 +08:00 · 2022-07-01 20:14:05 +08:00 · 2022-07-01 20:04:50 +08:00 · 2022-07-01 17:52:54 +08:00 · 2022-07-01 17:30:55 +08:00
613 changed files with 36657 additions and 13087 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,14 +1,14 @@
 # This file is a github code protect rule follow the codeowners https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/creating-a-repository-on-github/about-code-owners#example-of-a-codeowners-file

-*                                  @barnettZQG @wonderflow @leejanee
-design/                            @barnettZQG @leejanee @wonderflow
+*                                  @barnettZQG @wonderflow @leejanee @Somefive
+design/                            @barnettZQG @leejanee @wonderflow @Somefive

 # Owner of CUE
-pkg/cue                            @leejanee @FogDong
-pkg/stdlib                         @leejanee @FogDong
+pkg/cue                            @leejanee @FogDong @Somefive
+pkg/stdlib                         @leejanee @FogDong @Somefive

 # Owner of Workflow
-pkg/workflow                       @leejanee @FogDong
+pkg/workflow                       @leejanee @FogDong @Somefive

 # Owner of rollout
 pkg/controller/common/rollout/                              @wangyikewxgm @wonderflow
@@ -17,20 +17,20 @@ pkg/controller/standard.oam.dev/v1alpha1/rollout            @wangyikewxgm @wonde
 runtime/rollout                                             @wangyikewxgm @wonderflow

 # Owner of definition controller
-pkg/controller/core.oam.dev/v1alpha2/core/workflow/workflowstepdefinition  @yangsoon @Somefive
-pkg/controller/core.oam.dev/v1alpha2/core/policies/policydefinition        @yangsoon @Somefive
-pkg/controller/core.oam.dev/v1alpha2/core/components/componentdefinition   @yangsoon @zzxwill
-pkg/controller/core.oam.dev/v1alpha2/core/traits/traitdefinition           @yangsoon @zzxwill
+pkg/controller/core.oam.dev/v1alpha2/core/workflow/workflowstepdefinition  @yangsoon @Somefive @FogDong
+pkg/controller/core.oam.dev/v1alpha2/core/policies/policydefinition        @yangsoon @Somefive @FogDong
+pkg/controller/core.oam.dev/v1alpha2/core/components/componentdefinition   @yangsoon @zzxwill @Somefive
+pkg/controller/core.oam.dev/v1alpha2/core/traits/traitdefinition           @yangsoon @zzxwill @Somefive

 # Owner of health scope controller
-pkg/controller/core.oam.dev/v1alpha2/core/scopes/healthscope     @captainroy-hy @zzxwill
+pkg/controller/core.oam.dev/v1alpha2/core/scopes/healthscope     @captainroy-hy @zzxwill @yangsoon

 # Owner of vela templates
 vela-templates/                     @Somefive @barnettZQG @wonderflow

 # Owner of vela CLI
-references/cli/                     @Somefive @zzxwill 
+references/cli/                     @Somefive @zzxwill @StevenLeiZhang

 # Owner of vela APIServer
-pkg/apiserver/                     @barnettZQG @yangsoon
+pkg/apiserver/                     @barnettZQG @yangsoon @FogDong

--- a/.github/workflows/apiserver-test.yaml
+++ b/.github/workflows/apiserver-test.yaml
@@ -99,6 +99,9 @@ jobs:
          kind create cluster --image kindest/node:${{ matrix.k8s-version }}
          kubectl version
          kubectl cluster-info
+      
+      - name: Run api server unit test
+        run: make unit-test-apiserver

      - name: Load Image to kind cluster
        run: make kind-load
@@ -114,9 +117,6 @@ jobs:
          kubectl wait --for=condition=Ready pod -l app=source-controller -n flux-system --timeout=600s
          kubectl wait --for=condition=Ready pod -l app=helm-controller -n flux-system --timeout=600s

-      - name: Run api server unit test
-        run: make unit-test-apiserver
-
      - name: Run api server e2e test
        run: |
          export ALIYUN_ACCESS_KEY_ID=${{ secrets.ALIYUN_ACCESS_KEY_ID }}
--- a/.github/workflows/e2e-multicluster-test.yml
+++ b/.github/workflows/e2e-multicluster-test.yml
@@ -103,7 +103,7 @@ jobs:
        run: |
          make e2e-cleanup
          make vela-cli
-          make e2e-setup-core
+          make e2e-setup-core-auth
          make
          make setup-runtime-e2e-cluster

--- a/.github/workflows/issue-commands.yml
+++ b/.github/workflows/issue-commands.yml
@@ -7,7 +7,7 @@ on:

 jobs:
  bot:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
    steps:
      - name: Checkout Actions
        uses: actions/checkout@v2
@@ -15,7 +15,13 @@ jobs:
          repository: "oam-dev/kubevela-github-actions"
          path: ./actions
          ref: v0.4.2
-      - name: Install Actions
+      - name: Setup Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: '14'
+          cache: 'npm'
+          cache-dependency-path: ./actions/package-lock.json
+      - name: Install Dependencies
        run: npm ci --production --prefix ./actions
      - name: Run Commands
        uses: ./actions/commands
--- a/.github/workflows/registry.yml
+++ b/.github/workflows/registry.yml
@@ -15,7 +15,7 @@ env:
  ARTIFACT_HUB_REPOSITORY_ID: ${{ secrets.ARTIFACT_HUB_REPOSITORY_ID }}

 jobs:
-  publish-images:
+  publish-core-images:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
@@ -47,20 +47,16 @@ jobs:
      - name: Login Alibaba Cloud ACR
        uses: docker/login-action@v1
        with:
-          registry: kubevela-registry.cn-hangzhou.cr.aliyuncs.com
-          username: ${{ secrets.ACR_USERNAME }}@aliyun-inner.com
+          registry: ${{ secrets.ACR_DOMAIN }}
+          username: ${{ secrets.ACR_USERNAME }}
          password: ${{ secrets.ACR_PASSWORD }}
      - uses: docker/setup-qemu-action@v1
      - uses: docker/setup-buildx-action@v1
        with:
          driver-opts: image=moby/buildkit:master

-      - name: Build & Pushing vela-core for ACR
-        run: |
-          docker build --build-arg GOPROXY=https://proxy.golang.org --build-arg VERSION=${{ steps.get_version.outputs.VERSION }} --build-arg GITVERSION=git-${{ steps.vars.outputs.git_revision }}  -t kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }} .
-          docker push kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
      - uses: docker/build-push-action@v2
-        name: Build & Pushing vela-core for Dockerhub and GHCR
+        name: Build & Pushing vela-core for Dockerhub, GHCR and ACR
        with:
          context: .
          file: Dockerfile
@@ -75,14 +71,70 @@ jobs:
            GOPROXY=https://proxy.golang.org
          tags: |-
            docker.io/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
-            ghcr.io/${{ github.repository }}/vela-core:${{ steps.get_version.outputs.VERSION }}
+            ghcr.io/${{ github.repository_owner }}/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
+            ${{ secrets.ACR_DOMAIN }}/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}

-      - name: Build & Pushing vela-apiserver for ACR
-        run: |
-          docker build --build-arg GOPROXY=https://proxy.golang.org --build-arg VERSION=${{ steps.get_version.outputs.VERSION }} --build-arg GITVERSION=git-${{ steps.vars.outputs.git_revision }} -t kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }} -f Dockerfile.apiserver .
-          docker push kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
      - uses: docker/build-push-action@v2
-        name: Build & Pushing vela-apiserver for Dockerhub and GHCR
+        name: Build & Pushing CLI for Dockerhub, GHCR and ACR
+        with:
+          context: .
+          file: Dockerfile.cli
+          labels: |-
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}
+            org.opencontainers.image.revision=${{ github.sha }}
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          build-args: |
+            GITVERSION=git-${{ steps.vars.outputs.git_revision }}
+            VERSION=${{ steps.get_version.outputs.VERSION }}
+            GOPROXY=https://proxy.golang.org
+          tags: |-
+            docker.io/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}
+            ghcr.io/${{ github.repository_owner }}/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}
+            ${{ secrets.ACR_DOMAIN }}/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}
+
+  publish-addon-images:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Get the version
+        id: get_version
+        run: |
+          VERSION=${GITHUB_REF#refs/tags/}
+          if [[ ${GITHUB_REF} == "refs/heads/master" ]]; then
+            VERSION=latest
+          fi
+          echo ::set-output name=VERSION::${VERSION}
+      - name: Get git revision
+        id: vars
+        shell: bash
+        run: |
+          echo "::set-output name=git_revision::$(git rev-parse --short HEAD)"
+      - name: Login ghcr.io
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Login docker.io
+        uses: docker/login-action@v1
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login Alibaba Cloud ACR
+        uses: docker/login-action@v1
+        with:
+          registry: ${{ secrets.ACR_DOMAIN }}
+          username: ${{ secrets.ACR_USERNAME }}
+          password: ${{ secrets.ACR_PASSWORD }}
+      - uses: docker/setup-qemu-action@v1
+      - uses: docker/setup-buildx-action@v1
+        with:
+          driver-opts: image=moby/buildkit:master
+
+      - uses: docker/build-push-action@v2
+        name: Build & Pushing vela-apiserver for Dockerhub, GHCR and ACR
        with:
          context: .
          file: Dockerfile.apiserver
@@ -97,14 +149,11 @@ jobs:
            GOPROXY=https://proxy.golang.org
          tags: |-
            docker.io/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
-            ghcr.io/${{ github.repository }}/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
+            ghcr.io/${{ github.repository_owner }}/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
+            ${{ secrets.ACR_DOMAIN }}/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}

-      - name: Build & Pushing vela runtime rollout for ACR
-        run: |
-          docker build --build-arg GOPROXY=https://proxy.golang.org --build-arg VERSION=${{ steps.get_version.outputs.VERSION }} --build-arg GITVERSION=git-${{ steps.vars.outputs.git_revision }}  -t kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-rollout:${{ steps.get_version.outputs.VERSION }} .
-          docker push kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-rollout:${{ steps.get_version.outputs.VERSION }}
      - uses: docker/build-push-action@v2
-        name: Build & Pushing runtime rollout for Dockerhub and GHCR
+        name: Build & Pushing runtime rollout Dockerhub, GHCR and ACR
        with:
          context: .
          file: runtime/rollout/Dockerfile
@@ -119,7 +168,27 @@ jobs:
            GOPROXY=https://proxy.golang.org
          tags: |-
            docker.io/oamdev/vela-rollout:${{ steps.get_version.outputs.VERSION }}
-            ghcr.io/${{ github.repository }}/vela-rollout:${{ steps.get_version.outputs.VERSION }}
+            ghcr.io/${{ github.repository_owner }}/oamdev/vela-rollout:${{ steps.get_version.outputs.VERSION }}
+            ${{ secrets.ACR_DOMAIN }}/oamdev/vela-rollout:${{ steps.get_version.outputs.VERSION }}
+      
+      - uses: docker/build-push-action@v2
+        name: Build & Pushing CloudShell for Dockerhub, GHCR and ACR
+        with:
+          context: .
+          file: Dockerfile.cloudshell
+          labels: |-
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}
+            org.opencontainers.image.revision=${{ github.sha }}
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          build-args: |
+            GITVERSION=git-${{ steps.vars.outputs.git_revision }}
+            VERSION=${{ steps.get_version.outputs.VERSION }}
+            GOPROXY=https://proxy.golang.org
+          tags: |-
+            docker.io/oamdev/cloudshell:${{ steps.get_version.outputs.VERSION }}
+            ghcr.io/${{ github.repository_owner }}/oamdev/cloudshell:${{ steps.get_version.outputs.VERSION }}
+            ${{ secrets.ACR_DOMAIN }}/oamdev/cloudshell:${{ steps.get_version.outputs.VERSION }}

  publish-charts:
    env:
@@ -127,7 +196,6 @@ jobs:
      HELM_CHART: charts/vela-core
      MINIMAL_HELM_CHART: charts/vela-minimal
      LEGACY_HELM_CHART: legacy/charts/vela-core-legacy
-      OAM_RUNTIME_HELM_CHART: charts/oam-runtime
      VELA_ROLLOUT_HELM_CHART: runtime/rollout/charts
      LOCAL_OSS_DIRECTORY: .oss/
    runs-on: ubuntu-20.04
@@ -178,13 +246,11 @@ jobs:
          sed -i "s/latest/${image_tag}/g" $HELM_CHART/values.yaml
          sed -i "s/latest/${image_tag}/g" $MINIMAL_HELM_CHART/values.yaml
          sed -i "s/latest/${image_tag}/g" $LEGACY_HELM_CHART/values.yaml
-          sed -i "s/latest/${image_tag}/g" $OAM_RUNTIME_HELM_CHART/values.yaml
          sed -i "s/latest/${image_tag}/g" $VELA_ROLLOUT_HELM_CHART/values.yaml
          chart_smever=${chart_version#"v"}
          sed -i "s/0.1.0/$chart_smever/g" $HELM_CHART/Chart.yaml
          sed -i "s/0.1.0/$chart_smever/g" $MINIMAL_HELM_CHART/Chart.yaml
          sed -i "s/0.1.0/$chart_smever/g" $LEGACY_HELM_CHART/Chart.yaml
-          sed -i "s/0.1.0/$chart_smever/g" $OAM_RUNTIME_HELM_CHART/Chart.yaml
          sed -i "s/0.1.0/$chart_smever/g" $VELA_ROLLOUT_HELM_CHART/Chart.yaml
      - name: Install ossutil
        run: wget http://gosspublic.alicdn.com/ossutil/1.7.0/ossutil64 && chmod +x ossutil64 && mv ossutil64 ossutil
@@ -195,7 +261,6 @@ jobs:
      - name: add artifacthub stuff to the repo
        run: |
          rsync $HELM_CHART/README.md $LEGACY_HELM_CHART/README.md
-          rsync $HELM_CHART/README.md $OAM_RUNTIME_HELM_CHART/README.md
          rsync $HELM_CHART/README.md $VELA_ROLLOUT_HELM_CHART/README.md
          sed -i "s/ARTIFACT_HUB_REPOSITORY_ID/$ARTIFACT_HUB_REPOSITORY_ID/g" hack/artifacthub/artifacthub-repo.yml
          rsync hack/artifacthub/artifacthub-repo.yml $LOCAL_OSS_DIRECTORY
@@ -204,7 +269,6 @@ jobs:
          helm package $HELM_CHART --destination $LOCAL_OSS_DIRECTORY
          helm package $MINIMAL_HELM_CHART --destination $LOCAL_OSS_DIRECTORY
          helm package $LEGACY_HELM_CHART --destination $LOCAL_OSS_DIRECTORY
-          helm package $OAM_RUNTIME_HELM_CHART --destination $LOCAL_OSS_DIRECTORY
          helm package $VELA_ROLLOUT_HELM_CHART --destination $LOCAL_OSS_DIRECTORY
          helm repo index --url https://$BUCKET.$ENDPOINT/core $LOCAL_OSS_DIRECTORY
      - name: sync local to cloud
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -121,7 +121,13 @@ jobs:
        run: ./ossutil --config-file .ossutilconfig sync ./_bin/vela oss://$BUCKET/binary/vela/${{ env.VELA_VERSION }}
      
      - name: sync the latest version file
+        if: ${{ !contains(env.VELA_VERSION,'alpha') && !contains(env.VELA_VERSION,'beta') }}
        run: |
+          LATEST_VERSION=$(curl -fsSl https://static.kubevela.net/binary/vela/latest_version)
+          verlte() {
+            [  "$1" = "`echo -e "$1\n$2" | sort -V | head -n1`" ]
+          }
+          verlte ${{ env.VELA_VERSION }} $LATEST_VERSION && echo "${{ env.VELA_VERSION }} <= $LATEST_VERSION, skip update" && exit 0
          echo ${{ env.VELA_VERSION }} > ./latest_version
          ./ossutil --config-file .ossutilconfig cp -u ./latest_version oss://$BUCKET/binary/vela/latest_version

--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,7 @@
 bin
 _bin
 e2e/vela
+vela

 # Test binary, build with `go test -c`
 *.test
@@ -49,4 +50,4 @@ tmp/
 git-page/

 # e2e rollout runtime image build
-runtime/rollout/e2e/tmp
+runtime/rollout/e2e/tmp
--- a/CHANGELOG/CHANGELOG-1.0.md
+++ b/CHANGELOG/CHANGELOG-1.0.md
@@ -15,7 +15,7 @@ This is a minor fix for release-1.0, please refer to release-1.1.x for the lates
 # v1.0.5

 1. Fix Terraform application status issue (#1611)
-2. applicaiton supports specifying different versions of Definition (#1597)
+2. application supports specifying different versions of Definition (#1597)
 3. Enable Dynamic Admission Control for Application (#1619)
 4. Update inner samples for "vela show xxx --web" (#1616)
 5. fix empty rolloutBatch will panic whole controller bug (#1646)
--- a/CHANGELOG/CHANGELOG-1.2.md
+++ b/CHANGELOG/CHANGELOG-1.2.md
@@ -31,7 +31,7 @@
 ## What's Changed

 * Fix: can't query data from the MongoDB by @barnettZQG in https://github.com/oam-dev/kubevela/pull/3095
-* Fix: use personel token of vela-bot instead of github token for homebrew update by @wonderflow in https://github.com/oam-dev/kubevela/pull/3096
+* Fix: use personal token of vela-bot instead of github token for homebrew update by @wonderflow in https://github.com/oam-dev/kubevela/pull/3096
 * Fix: acr image no version by @wangyikewxgm in https://github.com/oam-dev/kubevela/pull/3100
 * Fix: support generate cloud resource docs in Chinese by @zzxwill in https://github.com/oam-dev/kubevela/pull/3079
 * Fix: clear old data in mongodb unit test case by @barnettZQG in https://github.com/oam-dev/kubevela/pull/3103
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,66 +1,3 @@
 # CONTRIBUTING Guide

-## About KubeVela
-
-KubeVela project is initialized and maintained by the cloud native community since day 0 with [bootstrapping contributors from 8+ different organizations](https://github.com/kubevela/kubevela/graphs/contributors).
-We intend for KubeVela to have an open governance since the very beginning and donate the project to neutral foundation as soon as it's released.
-To help us create a safe and positive community experience for all, we require all participants to adhere to the [Code of Conduct](./CODE_OF_CONDUCT.md).
-
-This document is a guide to help you through the process of contributing to KubeVela.
-
-## Become a contributor
-
-You can contribute to KubeVela in several ways. Here are some examples:
-
-* Contribute to the KubeVela codebase.
-* Contribute to the [KubeVela docs](https://github.com/kubevela/kubevela.io).
-* Report and triage bugs.
-* Develop community CRD operators as workload or trait and contribute to [catalog](https://github.com/oam-dev/catalog).
-* Write technical documentation and blog posts, for users and contributors.
-* Organize meetups and user groups in your local area.
-* Help others by answering questions about KubeVela.
-
-For more ways to contribute, check out the [Open Source Guides](https://opensource.guide/how-to-contribute/).
-
-
-### Report bugs
-
-Before submitting a new issue, try to make sure someone hasn't already reported the problem.
-Look through the [existing issues](https://github.com/kubevela/kubevela/issues) for similar issues.
-
-Report a bug by submitting a [bug report](https://github.com/kubevela/kubevela/issues/new?assignees=&labels=kind%2Fbug&template=bug_report.md&title=).
-Make sure that you provide as much information as possible on how to reproduce the bug.
-
-Follow the issue template and add additional information that will help us replicate the problem.
-
-#### Security issues
-
-If you believe you've found a security vulnerability, please read our [security policy](https://github.com/kubevela/kubevela/blob/master/SECURITY.md) for more details.
-
-### Suggest enhancements
-
-If you have an idea to improve KubeVela, submit an [feature request](https://github.com/kubevela/kubevela/issues/new?assignees=&labels=kind%2Ffeature&template=feature_request.md&title=%5BFeature%5D).
-
-### Triage issues
-
-If you don't have the knowledge or time to code, consider helping with _issue triage_. The community will thank you for saving them time by spending some of yours.
-
-Read more about the ways you can [Triage issues](/contribute/triage-issues.md).
-
-### Answering questions
-
-If you have a question and you can't find the answer in the [documentation](https://kubevela.io/docs/),
-the next step is to ask it on the [github discussion](https://github.com/kubevela/kubevela/discussions).
-
-It's important to us to help these users, and we'd love your help. You can help other KubeVela users by answering [their questions](https://github.com/kubevela/kubevela/discussions).
-
-### Your first contribution
-
-Unsure where to begin contributing to KubeVela? Start by browsing issues labeled `good first issue` or `help wanted`.
-
- [Good first issue](https://github.com/kubevela/kubevela/labels/good%20first%20issue) issues are generally straightforward to complete.
- [Help wanted](https://github.com/kubevela/kubevela/labels/help%20wanted) issues are problems we would like the community to help us with regardless of complexity.
-
-If you're looking to make a code change, see how to set up your environment for [local development](contribute/developer-guide.md).
-
-When you're ready to contribute, it's time to [Create a pull request](/contribute/create-pull-request.md).
+Please refer to https://kubevela.io/docs/contributor/overview for details.
--- a/2
+++ b/2
@@ -36,7 +36,7 @@ RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 # Overwrite `BASE_IMAGE` by passing `--build-arg=BASE_IMAGE=gcr.io/distroless/static:nonroot`
 FROM ${BASE_IMAGE:-alpine:3.15}
-# This is required by daemon connnecting with cri
+# This is required by daemon connecting with cri
 RUN apk add --no-cache ca-certificates bash expat

 WORKDIR /
--- a/Dockerfile.apiserver
+++ b/Dockerfile.apiserver
@@ -34,7 +34,7 @@ RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
 # Overwrite `BASE_IMAGE` by passing `--build-arg=BASE_IMAGE=gcr.io/distroless/static:nonroot`

 FROM ${BASE_IMAGE:-alpine:3.15}
-# This is required by daemon connnecting with cri
+# This is required by daemon connecting with cri
 RUN apk add --no-cache ca-certificates bash expat

 WORKDIR /
--- a/Dockerfile.cli
+++ b/Dockerfile.cli
@@ -0,0 +1,43 @@
+ARG BASE_IMAGE
+# Build the cli binary
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.17-alpine as builder
+ARG GOPROXY
+ENV GOPROXY=${GOPROXY:-https://goproxy.cn}
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+# Copy the go source
+COPY apis/ apis/
+COPY pkg/ pkg/
+COPY version/ version/
+COPY references/ references/
+
+# Build
+ARG TARGETARCH
+ARG VERSION
+ARG GITVERSION
+
+RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH:-amd64} \
+    go build -a -ldflags "-s -w -X github.com/oam-dev/kubevela/version.VelaVersion=${VERSION:-undefined} -X github.com/oam-dev/kubevela/version.GitRevision=${GITVERSION:-undefined}" \
+    -o vela-${TARGETARCH} ./references/cmd/cli/main.go
+
+
+# Use alpine as base image due to the discussion in issue #1448
+# You can replace distroless as minimal base image to package the manager binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+# Overwrite `BASE_IMAGE` by passing `--build-arg=BASE_IMAGE=gcr.io/distroless/static:nonroot`
+
+FROM ${BASE_IMAGE:-alpine:3.15}
+# This is required by daemon connecting with cri
+RUN apk add --no-cache ca-certificates bash expat
+
+WORKDIR /
+
+ARG TARGETARCH
+COPY --from=builder /workspace/vela-${TARGETARCH} /vela
+ENTRYPOINT ["/vela"]
--- a/Dockerfile.cloudshell
+++ b/Dockerfile.cloudshell
@@ -0,0 +1,31 @@
+ARG BASE_IMAGE
+# Build the cli binary
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.17-alpine as builder
+ARG GOPROXY
+ENV GOPROXY=${GOPROXY:-https://goproxy.cn}
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+# Copy the go source
+COPY apis/ apis/
+COPY pkg/ pkg/
+COPY version/ version/
+COPY references/ references/
+
+# Build
+ARG VERSION
+ARG GITVERSION
+
+RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
+    go build -a -ldflags "-s -w -X github.com/oam-dev/kubevela/version.VelaVersion=${VERSION:-undefined} -X github.com/oam-dev/kubevela/version.GitRevision=${GITVERSION:-undefined}" \
+    -o vela ./references/cmd/cli/main.go
+
+FROM ghcr.io/cloudtty/cloudshell:v0.2.0
+RUN apt-get install -y vim
+ENV API_TOKEN_PATH=/usr/local/kubeconfig/token
+COPY --from=builder /workspace/vela  /usr/local/bin/vela
--- a/Dockerfile.e2e
+++ b/Dockerfile.e2e
@@ -39,7 +39,7 @@ RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
 # Overwrite `BASE_IMAGE` by passing `--build-arg=BASE_IMAGE=gcr.io/distroless/static:nonroot`

 FROM ${BASE_IMAGE:-alpine:3.15}
-# This is required by daemon connnecting with cri
+# This is required by daemon connecting with cri
 RUN apk add --no-cache ca-certificates bash expat

 WORKDIR /
--- a/4
+++ b/4
@@ -16,7 +16,7 @@ test-cli-gen:
 	mkdir -p ./bin/doc
 	go run ./hack/docgen/gen.go ./bin/doc
 unit-test-core:
-	go test -coverprofile=coverage.txt $(shell go list ./pkg/... ./cmd/... ./apis/... | grep -v apiserver)
+	go test -coverprofile=coverage.txt $(shell go list ./pkg/... ./cmd/... ./apis/... | grep -v apiserver | grep -v applicationconfiguration)
 	go test $(shell go list ./references/... | grep -v apiserver)
 unit-test-apiserver:
 	go test -gcflags=all=-l -coverprofile=coverage.txt $(shell go list ./pkg/... ./cmd/...  | grep -E 'apiserver|velaql')
@@ -112,7 +112,7 @@ manifests: installcue kustomize
 	# TODO(yangsoon): kustomize will merge all CRD into a whole file, it may not work if we want patch more than one CRD in this way
 	$(KUSTOMIZE) build config/crd -o config/crd/base/core.oam.dev_applications.yaml
 	./hack/crd/cleanup.sh
-	go run ./hack/crd/dispatch/dispatch.go config/crd/base charts/vela-core/crds charts/oam-runtime/crds runtime/ charts/vela-minimal/crds
+	go run ./hack/crd/dispatch/dispatch.go config/crd/base charts/vela-core/crds runtime/ charts/vela-minimal/crds
 	rm -f config/crd/base/*
 	./vela-templates/gen_definitions.sh

--- a/README.md
+++ b/README.md
@@ -21,23 +21,29 @@

 KubeVela is a modern application delivery platform that makes deploying and operating applications across today's hybrid, multi-cloud environments easier, faster and more reliable.

-![](docs/resources/what-is-kubevela.png)
+![kubevela](docs/resources/what-is-kubevela.png)

 ## Highlights

 KubeVela practices the "render, orchestrate, deploy" workflow with below highlighted values added to existing ecosystem:

- *Application Centric* - KubeVela introduces [Open Application Model (OAM)](https://oam.dev/) as the consistent yet higher level API to capture and render a full deployment of microservices on top of hybrid environments. Placement strategy, traffic shifting and rolling update are declared at application level. No infrastructure level concern, simply deploy.
+* Deployment as Code

- *Programmable Workflow* - KubeVela models application delivery as DAG (Directed Acyclic Graph) and expresses it with [CUE](https://cuelang.org/) - a modern data configuration language. This allows you to design application deployment steps per needs and orchestrate them in programmable approach. No restrictions, natively extensible.
+Declare your deployment plan as workflow, run it automatically with any CI/CD or GitOps system, extend or re-program the workflow steps with CUE. No add-hoc scripts, no dirty glue code, just deploy. The deployment workflow in KubeVela is powered by [Open Application Model](https://oam.dev/).

- *Infrastructure Agnostic* - KubeVela works as an application delivery control plane that is fully decoupled from runtime infrastructure. It can deploy any workload types including containers, cloud services, databases, or even VM instances to any cloud or Kubernetes cluster, following the workflow designed by you.
+* Built-in security and compliance building blocks
+
+Choose from the wide range of LDAP integrations we provided out-of-box, enjoy multi-cluster authorization that is fully automated, pick and apply fine-grained RBAC modules and customize them per your own supply chain requirements.
+
+* Multi-cloud/hybrid-environments app delivery as first-class citizen
+
+Progressive rollout across test/staging/production environments, automatic canary, blue-green and continuous verification, rich placement strategy across clusters and clouds, fully managed cloud environments provision.

 ## Getting Started

- [Introduction](https://kubevela.io/docs)
- [Installation](https://kubevela.io/docs/install)
- [Design Your First Deployment Plan](https://kubevela.io/docs/quick-start)
+* [Introduction](https://kubevela.io/docs)
+* [Installation](https://kubevela.io/docs/install)
+* [Deploy Your Application](https://kubevela.io/docs/quick-start)

 ## Documentation

@@ -49,7 +55,7 @@ Official blog is available on [KubeVela blog](https://kubevela.io/blog).

 ## Community

-We want your contributions and suggestions! 
+We want your contributions and suggestions!
 One of the easiest ways to contribute is to participate in discussions on the Github Issues/Discussion, chat on IM or the bi-weekly community calls.
 For more information on the community engagement, developer and contributing guidelines and more, head over to the [KubeVela community repo](https://github.com/kubevela/community).

@@ -69,23 +75,17 @@ Every two weeks we host a community call to showcase new features, review upcomi

 - Bi-weekly Community Call:
  - [Meeting Notes](https://docs.google.com/document/d/1nqdFEyULekyksFHtFvgvFAYE-0AMHKoS3RMnaKsarjs).
-  - [Video Records](https://kubevela.io/videos/meetings/en/meetings).
+  - [Video Records](https://www.youtube.com/channel/UCSCTHhGI5XJ0SEhDHVakPAA/videos).
 - Bi-weekly Chinese Community Call:
-  - [Video Records](https://kubevela.io/videos/meetings/cn/v1.3).
+  - [Video Records](https://space.bilibili.com/180074935/channel/seriesdetail?sid=1842207).

 ## Talks and Conferences

-| Engagement | Link        |
-|:-----------|:------------|
-| 🎤  Talks | - [KubeVela - The Modern App Delivery System in Alibaba](https://docs.google.com/presentation/d/1CWCLcsKpDQB3bBDTfdv2BZ8ilGGJv2E8L-iOA5HMrV0/edit?usp=sharing) |
-| 🌎 KubeCon | - [ [NA 2020] Standardizing Cloud Native Application Delivery Across Different Clouds](https://www.youtube.com/watch?v=0yhVuBIbHcI) <br> - [ [EU 2021] Zero Pain Microservice Development and Deployment with Dapr and KubeVela](https://sched.co/iE4S) |
-| 📺 Conferences | - [Dapr, Rudr, OAM: Mark Russinovich presents next gen app development & deployment](https://www.youtube.com/watch?v=eJCu6a-x9uo) <br> - [Mark Russinovich presents "The Future of Cloud Native Applications with OAM and Dapr"](https://myignite.techcommunity.microsoft.com/sessions/82059)|
-
-For more talks, please checkout [KubeVela Talks](https://kubevela.io/videos/talks/en/standardizing-app).
+Check out [KubeVela videos](https://kubevela.io/videos/talks/en/oam-dapr) for these talks and conferences.

 ## Contributing

-Check out [CONTRIBUTING](./CONTRIBUTING.md) to see how to develop with KubeVela.
+Check out [CONTRIBUTING](https://kubevela.io/docs/contributor/overview) to see how to develop with KubeVela.

 ## Report Vulnerability

--- a/apis/core.oam.dev/common/types.go
+++ b/apis/core.oam.dev/common/types.go
@@ -20,7 +20,7 @@ import (
 	"encoding/json"
 	"errors"

-	"github.com/oam-dev/terraform-controller/api/v1beta2"
+	types "github.com/oam-dev/terraform-controller/api/types/crossplane-runtime"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -119,7 +119,22 @@ type Terraform struct {
 	// Path is the sub-directory of remote git repository. It's valid when remote is set
 	Path string `json:"path,omitempty"`

-	v1beta2.BaseConfigurationSpec `json:",inline"`
+	// WriteConnectionSecretToReference specifies the namespace and name of a
+	// Secret to which any connection details for this managed resource should
+	// be written. Connection details frequently include the endpoint, username,
+	// and password required to connect to the managed resource.
+	// +optional
+	WriteConnectionSecretToReference *types.SecretReference `json:"writeConnectionSecretToRef,omitempty"`
+
+	// ProviderReference specifies the reference to Provider
+	ProviderReference *types.Reference `json:"providerRef,omitempty"`
+
+	// DeleteResource will determine whether provisioned cloud resources will be deleted when CR is deleted
+	// +kubebuilder:default:=true
+	DeleteResource bool `json:"deleteResource,omitempty"`
+
+	// Region is cloud provider's region. It will override the region in the region field of ProviderReference
+	Region string `json:"customRegion,omitempty"`
 }

 // A WorkloadTypeDescriptor refer to a Workload Type
@@ -201,19 +216,19 @@ type WorkflowState string

 const (
 	// WorkflowStateInitializing means the workflow is in initial state
-	WorkflowStateInitializing WorkflowState = "initializing"
+	WorkflowStateInitializing WorkflowState = "Initializing"
 	// WorkflowStateTerminated means workflow is terminated manually, and it won't be started unless the spec changed.
-	WorkflowStateTerminated WorkflowState = "terminated"
+	WorkflowStateTerminated WorkflowState = "Terminated"
 	// WorkflowStateSuspended means workflow is suspended manually, and it can be resumed.
-	WorkflowStateSuspended WorkflowState = "suspended"
+	WorkflowStateSuspended WorkflowState = "Suspended"
 	// WorkflowStateSucceeded means workflow is running successfully, all steps finished.
 	WorkflowStateSucceeded WorkflowState = "Succeeded"
 	// WorkflowStateFinished means workflow is end.
-	WorkflowStateFinished WorkflowState = "finished"
+	WorkflowStateFinished WorkflowState = "Finished"
 	// WorkflowStateExecuting means workflow is still running or waiting some steps.
-	WorkflowStateExecuting WorkflowState = "executing"
+	WorkflowStateExecuting WorkflowState = "Executing"
 	// WorkflowStateSkipping means it will skip this reconcile and let next reconcile to handle it.
-	WorkflowStateSkipping WorkflowState = "skipping"
+	WorkflowStateSkipping WorkflowState = "Skipping"
 )

 // ApplicationComponentStatus record the health status of App component
@@ -253,25 +268,8 @@ type RawComponent struct {
 	Raw runtime.RawExtension `json:"raw"`
 }

-// WorkflowStepStatus record the status of a workflow step
-type WorkflowStepStatus struct {
-	ID    string            `json:"id"`
-	Name  string            `json:"name,omitempty"`
-	Type  string            `json:"type,omitempty"`
-	Phase WorkflowStepPhase `json:"phase,omitempty"`
-	// A human readable message indicating details about why the workflowStep is in this state.
-	Message string `json:"message,omitempty"`
-	// A brief CamelCase message indicating details about why the workflowStep is in this state.
-	Reason   string          `json:"reason,omitempty"`
-	SubSteps *SubStepsStatus `json:"subSteps,omitempty"`
-	// FirstExecuteTime is the first time this step execution.
-	FirstExecuteTime metav1.Time `json:"firstExecuteTime,omitempty"`
-	// LastExecuteTime is the last time this step execution.
-	LastExecuteTime metav1.Time `json:"lastExecuteTime,omitempty"`
-}
-
-// WorkflowSubStepStatus record the status of a workflow step
-type WorkflowSubStepStatus struct {
+// StepStatus record the base status of workflow step, which could be workflow step or subStep
+type StepStatus struct {
 	ID    string            `json:"id"`
 	Name  string            `json:"name,omitempty"`
 	Type  string            `json:"type,omitempty"`
@@ -280,6 +278,21 @@ type WorkflowSubStepStatus struct {
 	Message string `json:"message,omitempty"`
 	// A brief CamelCase message indicating details about why the workflowStep is in this state.
 	Reason string `json:"reason,omitempty"`
+	// FirstExecuteTime is the first time this step execution.
+	FirstExecuteTime metav1.Time `json:"firstExecuteTime,omitempty"`
+	// LastExecuteTime is the last time this step execution.
+	LastExecuteTime metav1.Time `json:"lastExecuteTime,omitempty"`
+}
+
+// WorkflowStepStatus record the status of a workflow step, include step status and subStep status
+type WorkflowStepStatus struct {
+	StepStatus     `json:",inline"`
+	SubStepsStatus []WorkflowSubStepStatus `json:"subSteps,omitempty"`
+}
+
+// WorkflowSubStepStatus record the status of a workflow subStep
+type WorkflowSubStepStatus struct {
+	StepStatus `json:",inline"`
 }

 // AppStatus defines the observed state of Application
@@ -329,9 +342,45 @@ type WorkflowStep struct {

 	Type string `json:"type"`

+	Meta *WorkflowStepMeta `json:"meta,omitempty"`
+
 	// +kubebuilder:pruning:PreserveUnknownFields
 	Properties *runtime.RawExtension `json:"properties,omitempty"`

+	SubSteps []WorkflowSubStep `json:"subSteps,omitempty"`
+
+	If string `json:"if,omitempty"`
+
+	Timeout string `json:"timeout,omitempty"`
+
+	DependsOn []string `json:"dependsOn,omitempty"`
+
+	Inputs StepInputs `json:"inputs,omitempty"`
+
+	Outputs StepOutputs `json:"outputs,omitempty"`
+}
+
+// WorkflowStepMeta contains the meta data of a workflow step
+type WorkflowStepMeta struct {
+	Alias string `json:"alias,omitempty"`
+}
+
+// WorkflowSubStep defines how to execute a workflow subStep.
+type WorkflowSubStep struct {
+	// Name is the unique name of the workflow step.
+	Name string `json:"name"`
+
+	Type string `json:"type"`
+
+	Meta *WorkflowStepMeta `json:"meta,omitempty"`
+
+	// +kubebuilder:pruning:PreserveUnknownFields
+	Properties *runtime.RawExtension `json:"properties,omitempty"`
+
+	If string `json:"if,omitempty"`
+
+	Timeout string `json:"timeout,omitempty"`
+
 	DependsOn []string `json:"dependsOn,omitempty"`

 	Inputs StepInputs `json:"inputs,omitempty"`
@@ -357,13 +406,6 @@ type WorkflowStatus struct {
 	StartTime metav1.Time `json:"startTime,omitempty"`
 }

-// SubStepsStatus record the status of workflow steps.
-type SubStepsStatus struct {
-	StepIndex int                     `json:"stepIndex,omitempty"`
-	Mode      WorkflowMode            `json:"mode,omitempty"`
-	Steps     []WorkflowSubStepStatus `json:"steps,omitempty"`
-}
-
 // WorkflowStepPhase describes the phase of a workflow step.
 type WorkflowStepPhase string

@@ -372,6 +414,8 @@ const (
 	WorkflowStepPhaseSucceeded WorkflowStepPhase = "succeeded"
 	// WorkflowStepPhaseFailed will report error in `message`.
 	WorkflowStepPhaseFailed WorkflowStepPhase = "failed"
+	// WorkflowStepPhaseSkipped will make the controller skip the step.
+	WorkflowStepPhaseSkipped WorkflowStepPhase = "skipped"
 	// WorkflowStepPhaseStopped will make the controller stop the workflow.
 	WorkflowStepPhaseStopped WorkflowStepPhase = "stopped"
 	// WorkflowStepPhaseRunning will make the controller continue the workflow.
--- a/apis/core.oam.dev/common/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/common/zz_generated.deepcopy.go
@@ -22,6 +22,7 @@ limitations under the License.
 package common

 import (
+	crossplane_runtime "github.com/oam-dev/terraform-controller/api/types/crossplane-runtime"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
@@ -611,21 +612,18 @@ func (in StepOutputs) DeepCopy() StepOutputs {
 }

 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SubStepsStatus) DeepCopyInto(out *SubStepsStatus) {
+func (in *StepStatus) DeepCopyInto(out *StepStatus) {
 	*out = *in
-	if in.Steps != nil {
-		in, out := &in.Steps, &out.Steps
-		*out = make([]WorkflowSubStepStatus, len(*in))
-		copy(*out, *in)
-	}
+	in.FirstExecuteTime.DeepCopyInto(&out.FirstExecuteTime)
+	in.LastExecuteTime.DeepCopyInto(&out.LastExecuteTime)
 }

-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubStepsStatus.
-func (in *SubStepsStatus) DeepCopy() *SubStepsStatus {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StepStatus.
+func (in *StepStatus) DeepCopy() *StepStatus {
 	if in == nil {
 		return nil
 	}
-	out := new(SubStepsStatus)
+	out := new(StepStatus)
 	in.DeepCopyInto(out)
 	return out
 }
@@ -633,7 +631,16 @@ func (in *SubStepsStatus) DeepCopy() *SubStepsStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Terraform) DeepCopyInto(out *Terraform) {
 	*out = *in
-	in.BaseConfigurationSpec.DeepCopyInto(&out.BaseConfigurationSpec)
+	if in.WriteConnectionSecretToReference != nil {
+		in, out := &in.WriteConnectionSecretToReference, &out.WriteConnectionSecretToReference
+		*out = new(crossplane_runtime.SecretReference)
+		**out = **in
+	}
+	if in.ProviderReference != nil {
+		in, out := &in.ProviderReference, &out.ProviderReference
+		*out = new(crossplane_runtime.Reference)
+		**out = **in
+	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Terraform.
@@ -677,11 +684,23 @@ func (in *WorkflowStatus) DeepCopy() *WorkflowStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkflowStep) DeepCopyInto(out *WorkflowStep) {
 	*out = *in
+	if in.Meta != nil {
+		in, out := &in.Meta, &out.Meta
+		*out = new(WorkflowStepMeta)
+		**out = **in
+	}
 	if in.Properties != nil {
 		in, out := &in.Properties, &out.Properties
 		*out = new(runtime.RawExtension)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.SubSteps != nil {
+		in, out := &in.SubSteps, &out.SubSteps
+		*out = make([]WorkflowSubStep, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.DependsOn != nil {
 		in, out := &in.DependsOn, &out.DependsOn
 		*out = make([]string, len(*in))
@@ -709,16 +728,32 @@ func (in *WorkflowStep) DeepCopy() *WorkflowStep {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkflowStepMeta) DeepCopyInto(out *WorkflowStepMeta) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkflowStepMeta.
+func (in *WorkflowStepMeta) DeepCopy() *WorkflowStepMeta {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkflowStepMeta)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkflowStepStatus) DeepCopyInto(out *WorkflowStepStatus) {
 	*out = *in
-	if in.SubSteps != nil {
-		in, out := &in.SubSteps, &out.SubSteps
-		*out = new(SubStepsStatus)
-		(*in).DeepCopyInto(*out)
+	in.StepStatus.DeepCopyInto(&out.StepStatus)
+	if in.SubStepsStatus != nil {
+		in, out := &in.SubStepsStatus, &out.SubStepsStatus
+		*out = make([]WorkflowSubStepStatus, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
-	in.FirstExecuteTime.DeepCopyInto(&out.FirstExecuteTime)
-	in.LastExecuteTime.DeepCopyInto(&out.LastExecuteTime)
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkflowStepStatus.
@@ -731,9 +766,50 @@ func (in *WorkflowStepStatus) DeepCopy() *WorkflowStepStatus {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkflowSubStep) DeepCopyInto(out *WorkflowSubStep) {
+	*out = *in
+	if in.Meta != nil {
+		in, out := &in.Meta, &out.Meta
+		*out = new(WorkflowStepMeta)
+		**out = **in
+	}
+	if in.Properties != nil {
+		in, out := &in.Properties, &out.Properties
+		*out = new(runtime.RawExtension)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.DependsOn != nil {
+		in, out := &in.DependsOn, &out.DependsOn
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Inputs != nil {
+		in, out := &in.Inputs, &out.Inputs
+		*out = make(StepInputs, len(*in))
+		copy(*out, *in)
+	}
+	if in.Outputs != nil {
+		in, out := &in.Outputs, &out.Outputs
+		*out = make(StepOutputs, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkflowSubStep.
+func (in *WorkflowSubStep) DeepCopy() *WorkflowSubStep {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkflowSubStep)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkflowSubStepStatus) DeepCopyInto(out *WorkflowSubStepStatus) {
 	*out = *in
+	in.StepStatus.DeepCopyInto(&out.StepStatus)
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkflowSubStepStatus.
--- a/apis/core.oam.dev/v1alpha1/applyonce_types.go
+++ b/apis/core.oam.dev/v1alpha1/applyonce_types.go
@@ -16,6 +16,10 @@ limitations under the License.

 package v1alpha1

+import (
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
 const (
 	// ApplyOncePolicyType refers to the type of configuration drift policy
 	ApplyOncePolicyType = "apply-once"
@@ -24,4 +28,42 @@ const (
 // ApplyOncePolicySpec defines the spec of preventing configuration drift
 type ApplyOncePolicySpec struct {
 	Enable bool `json:"enable"`
+	// +optional
+	Rules []ApplyOncePolicyRule `json:"rules,omitempty"`
+}
+
+// ApplyOncePolicyRule defines a single apply-once policy rule
+type ApplyOncePolicyRule struct {
+	// +optional
+	Selector ResourcePolicyRuleSelector `json:"selector,omitempty"`
+	// +optional
+	Strategy *ApplyOnceStrategy `json:"strategy,omitempty"`
+}
+
+// ApplyOnceStrategy the strategy for resource path to allow configuration drift
+type ApplyOnceStrategy struct {
+	// Path the specified path that allow configuration drift
+	// like 'spec.template.spec.containers[0].resources' and '*' means the whole target allow configuration drift
+	Path []string `json:"path"`
+}
+
+// FindStrategy find apply-once strategy for target resource
+func (in ApplyOncePolicySpec) FindStrategy(manifest *unstructured.Unstructured) *ApplyOnceStrategy {
+	if !in.Enable {
+		return nil
+	}
+	for _, rule := range in.Rules {
+		match := func(src []string, val string) (found bool) {
+			for _, _val := range src {
+				found = found || _val == val
+			}
+			return val != "" && found
+		}
+		if (match(rule.Selector.CompNames, manifest.GetName()) && match(rule.Selector.ResourceTypes, manifest.GetKind())) ||
+			(rule.Selector.CompNames == nil && match(rule.Selector.ResourceTypes, manifest.GetKind()) ||
+				(rule.Selector.ResourceTypes == nil && match(rule.Selector.CompNames, manifest.GetName()))) {
+			return rule.Strategy
+		}
+	}
+	return nil
 }
--- a/apis/core.oam.dev/v1alpha1/component_types.go
+++ b/apis/core.oam.dev/v1alpha1/component_types.go
@@ -25,6 +25,8 @@ const (
 type RefObjectsComponentSpec struct {
 	// Objects the referrers to the Kubernetes objects
 	Objects []ObjectReferrer `json:"objects,omitempty"`
+	// URLs are the links that stores the referred objects
+	URLs []string `json:"urls,omitempty"`
 }

 // ObjectReferrer selects Kubernetes objects
--- a/apis/core.oam.dev/v1alpha1/envbinding_types.go
+++ b/apis/core.oam.dev/v1alpha1/envbinding_types.go
@@ -117,6 +117,9 @@ type PlacementDecision struct {

 // String encode placement decision
 func (in PlacementDecision) String() string {
+	if in.Namespace == "" {
+		return in.Cluster
+	}
 	return in.Cluster + "/" + in.Namespace
 }

--- a/apis/core.oam.dev/v1alpha1/garbagecollect_types.go
+++ b/apis/core.oam.dev/v1alpha1/garbagecollect_types.go
@@ -18,6 +18,7 @@ package v1alpha1

 import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/utils/strings/slices"

 	"github.com/oam-dev/kubevela/pkg/oam"
 )
@@ -51,18 +52,44 @@ const (

 // GarbageCollectPolicyRule defines a single garbage-collect policy rule
 type GarbageCollectPolicyRule struct {
-	Selector GarbageCollectPolicyRuleSelector `json:"selector"`
-	Strategy GarbageCollectStrategy           `json:"strategy"`
+	Selector ResourcePolicyRuleSelector `json:"selector"`
+	Strategy GarbageCollectStrategy     `json:"strategy"`
 }

-// GarbageCollectPolicyRuleSelector select the targets of the rule
+// ResourcePolicyRuleSelector select the targets of the rule
+// 1) for GarbageCollectPolicyRule
 // if both traitTypes, oamTypes and componentTypes are specified, combination logic is OR
 // if one resource is specified with conflict strategies, strategy as component go first.
-type GarbageCollectPolicyRuleSelector struct {
+// 2) for ApplyOncePolicyRule only CompNames and ResourceTypes are used
+type ResourcePolicyRuleSelector struct {
 	CompNames        []string `json:"componentNames"`
 	CompTypes        []string `json:"componentTypes"`
 	OAMResourceTypes []string `json:"oamTypes"`
 	TraitTypes       []string `json:"traitTypes"`
+	ResourceTypes    []string `json:"resourceTypes"`
+	ResourceNames    []string `json:"resourceNames"`
+}
+
+// Match check if current rule selector match the target resource
+func (in *ResourcePolicyRuleSelector) Match(manifest *unstructured.Unstructured) bool {
+	var compName, compType, oamType, traitType, resourceType, resourceName string
+	if labels := manifest.GetLabels(); labels != nil {
+		compName = labels[oam.LabelAppComponent]
+		compType = labels[oam.WorkloadTypeLabel]
+		oamType = labels[oam.LabelOAMResourceType]
+		traitType = labels[oam.TraitTypeLabel]
+	}
+	resourceType = manifest.GetKind()
+	resourceName = manifest.GetName()
+	match := func(src []string, val string) (found bool) {
+		return val != "" && slices.Contains(src, val)
+	}
+	return match(in.CompNames, compName) ||
+		match(in.CompTypes, compType) ||
+		match(in.OAMResourceTypes, oamType) ||
+		match(in.TraitTypes, traitType) ||
+		match(in.ResourceTypes, resourceType) ||
+		match(in.ResourceNames, resourceName)
 }

 // GarbageCollectStrategy the strategy for target resource to recycle
@@ -81,23 +108,7 @@ const (
 // FindStrategy find gc strategy for target resource
 func (in GarbageCollectPolicySpec) FindStrategy(manifest *unstructured.Unstructured) *GarbageCollectStrategy {
 	for _, rule := range in.Rules {
-		var compName, compType, oamType, traitType string
-		if labels := manifest.GetLabels(); labels != nil {
-			compName = labels[oam.LabelAppComponent]
-			compType = labels[oam.WorkloadTypeLabel]
-			oamType = labels[oam.LabelOAMResourceType]
-			traitType = labels[oam.TraitTypeLabel]
-		}
-		match := func(src []string, val string) (found bool) {
-			for _, _val := range src {
-				found = found || _val == val
-			}
-			return val != "" && found
-		}
-		if match(rule.Selector.CompNames, compName) ||
-			match(rule.Selector.CompTypes, compType) ||
-			match(rule.Selector.OAMResourceTypes, oamType) ||
-			match(rule.Selector.TraitTypes, traitType) {
+		if rule.Selector.Match(manifest) {
 			return &rule.Strategy
 		}
 	}
--- a/apis/core.oam.dev/v1alpha1/garbagecollect_types_test.go
+++ b/apis/core.oam.dev/v1alpha1/garbagecollect_types_test.go
@@ -34,7 +34,7 @@ func TestGarbageCollectPolicySpec_FindStrategy(t *testing.T) {
 	}{
 		"trait type rule match": {
 			rules: []GarbageCollectPolicyRule{{
-				Selector: GarbageCollectPolicyRuleSelector{TraitTypes: []string{"a"}},
+				Selector: ResourcePolicyRuleSelector{TraitTypes: []string{"a"}},
 				Strategy: GarbageCollectStrategyNever,
 			}},
 			input: &unstructured.Unstructured{Object: map[string]interface{}{
@@ -46,7 +46,7 @@ func TestGarbageCollectPolicySpec_FindStrategy(t *testing.T) {
 		},
 		"trait type rule mismatch": {
 			rules: []GarbageCollectPolicyRule{{
-				Selector: GarbageCollectPolicyRuleSelector{TraitTypes: []string{"a"}},
+				Selector: ResourcePolicyRuleSelector{TraitTypes: []string{"a"}},
 				Strategy: GarbageCollectStrategyNever,
 			}},
 			input:    &unstructured.Unstructured{Object: map[string]interface{}{}},
@@ -54,10 +54,10 @@ func TestGarbageCollectPolicySpec_FindStrategy(t *testing.T) {
 		},
 		"trait type rule multiple match": {
 			rules: []GarbageCollectPolicyRule{{
-				Selector: GarbageCollectPolicyRuleSelector{TraitTypes: []string{"a"}},
+				Selector: ResourcePolicyRuleSelector{TraitTypes: []string{"a"}},
 				Strategy: GarbageCollectStrategyOnAppDelete,
 			}, {
-				Selector: GarbageCollectPolicyRuleSelector{TraitTypes: []string{"a"}},
+				Selector: ResourcePolicyRuleSelector{TraitTypes: []string{"a"}},
 				Strategy: GarbageCollectStrategyNever,
 			}},
 			input: &unstructured.Unstructured{Object: map[string]interface{}{
@@ -69,7 +69,7 @@ func TestGarbageCollectPolicySpec_FindStrategy(t *testing.T) {
 		},
 		"component type rule match": {
 			rules: []GarbageCollectPolicyRule{{
-				Selector: GarbageCollectPolicyRuleSelector{CompTypes: []string{"comp"}},
+				Selector: ResourcePolicyRuleSelector{CompTypes: []string{"comp"}},
 				Strategy: GarbageCollectStrategyNever,
 			}},
 			input: &unstructured.Unstructured{Object: map[string]interface{}{
@@ -82,11 +82,11 @@ func TestGarbageCollectPolicySpec_FindStrategy(t *testing.T) {
 		"rule match both component type and trait type, component type first": {
 			rules: []GarbageCollectPolicyRule{
 				{
-					Selector: GarbageCollectPolicyRuleSelector{CompTypes: []string{"comp"}},
+					Selector: ResourcePolicyRuleSelector{CompTypes: []string{"comp"}},
 					Strategy: GarbageCollectStrategyNever,
 				},
 				{
-					Selector: GarbageCollectPolicyRuleSelector{TraitTypes: []string{"trait"}},
+					Selector: ResourcePolicyRuleSelector{TraitTypes: []string{"trait"}},
 					Strategy: GarbageCollectStrategyOnAppDelete,
 				},
 			},
@@ -99,7 +99,7 @@ func TestGarbageCollectPolicySpec_FindStrategy(t *testing.T) {
 		},
 		"component name rule match": {
 			rules: []GarbageCollectPolicyRule{{
-				Selector: GarbageCollectPolicyRuleSelector{CompNames: []string{"comp-name"}},
+				Selector: ResourcePolicyRuleSelector{CompNames: []string{"comp-name"}},
 				Strategy: GarbageCollectStrategyNever,
 			}},
 			input: &unstructured.Unstructured{Object: map[string]interface{}{
@@ -111,7 +111,7 @@ func TestGarbageCollectPolicySpec_FindStrategy(t *testing.T) {
 		},
 		"resource type rule match": {
 			rules: []GarbageCollectPolicyRule{{
-				Selector: GarbageCollectPolicyRuleSelector{OAMResourceTypes: []string{"TRAIT"}},
+				Selector: ResourcePolicyRuleSelector{OAMResourceTypes: []string{"TRAIT"}},
 				Strategy: GarbageCollectStrategyNever,
 			}},
 			input: &unstructured.Unstructured{Object: map[string]interface{}{
--- a/apis/core.oam.dev/v1alpha1/policy_types.go
+++ b/apis/core.oam.dev/v1alpha1/policy_types.go
@@ -16,6 +16,8 @@ limitations under the License.

 package v1alpha1

+import "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
 const (
 	// TopologyPolicyType refers to the type of topology policy
 	TopologyPolicyType = "topology"
@@ -23,6 +25,8 @@ const (
 	OverridePolicyType = "override"
 	// DebugPolicyType refers to the type of debug policy
 	DebugPolicyType = "debug"
+	// SharedResourcePolicyType refers to the type of shared resource policy
+	SharedResourcePolicyType = "shared-resource"
 )

 // TopologyPolicySpec defines the spec of topology policy
@@ -53,3 +57,23 @@ type OverridePolicySpec struct {
 	Components []EnvComponentPatch `json:"components,omitempty"`
 	Selector   []string            `json:"selector,omitempty"`
 }
+
+// SharedResourcePolicySpec defines the spec of shared-resource policy
+type SharedResourcePolicySpec struct {
+	Rules []SharedResourcePolicyRule `json:"rules"`
+}
+
+// SharedResourcePolicyRule defines the rule for sharing resources
+type SharedResourcePolicyRule struct {
+	Selector ResourcePolicyRuleSelector `json:"selector"`
+}
+
+// FindStrategy return if the target resource should be shared
+func (in SharedResourcePolicySpec) FindStrategy(manifest *unstructured.Unstructured) bool {
+	for _, rule := range in.Rules {
+		if rule.Selector.Match(manifest) {
+			return true
+		}
+	}
+	return false
+}
--- a/apis/core.oam.dev/v1alpha1/policy_types_test.go
+++ b/apis/core.oam.dev/v1alpha1/policy_types_test.go
@@ -0,0 +1,69 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+func TestSharedResourcePolicySpec_FindStrategy(t *testing.T) {
+	testCases := map[string]struct {
+		rules   []SharedResourcePolicyRule
+		input   *unstructured.Unstructured
+		matched bool
+	}{
+		"shared resource rule resourceName match": {
+			rules: []SharedResourcePolicyRule{{
+				Selector: ResourcePolicyRuleSelector{ResourceNames: []string{"example"}},
+			}},
+			input: &unstructured.Unstructured{Object: map[string]interface{}{
+				"metadata": map[string]interface{}{
+					"name": "example",
+				},
+			}},
+			matched: true,
+		},
+		"shared resource rule resourceType match": {
+			rules: []SharedResourcePolicyRule{{
+				Selector: ResourcePolicyRuleSelector{ResourceTypes: []string{"ConfigMap", "Namespace"}},
+			}},
+			input: &unstructured.Unstructured{Object: map[string]interface{}{
+				"kind": "Namespace",
+			}},
+			matched: true,
+		},
+		"shared resource rule mismatch": {
+			rules: []SharedResourcePolicyRule{{
+				Selector: ResourcePolicyRuleSelector{ResourceNames: []string{"mismatch"}},
+			}},
+			input: &unstructured.Unstructured{Object: map[string]interface{}{
+				"kind": "Namespace",
+			}},
+			matched: false,
+		},
+	}
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			r := require.New(t)
+			spec := SharedResourcePolicySpec{Rules: tc.rules}
+			r.Equal(tc.matched, spec.FindStrategy(tc.input))
+		})
+	}
+}
--- a/apis/core.oam.dev/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/v1alpha1/zz_generated.deepcopy.go
@@ -27,9 +27,37 @@ import (
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 )

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ApplyOncePolicyRule) DeepCopyInto(out *ApplyOncePolicyRule) {
+	*out = *in
+	in.Selector.DeepCopyInto(&out.Selector)
+	if in.Strategy != nil {
+		in, out := &in.Strategy, &out.Strategy
+		*out = new(ApplyOnceStrategy)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplyOncePolicyRule.
+func (in *ApplyOncePolicyRule) DeepCopy() *ApplyOncePolicyRule {
+	if in == nil {
+		return nil
+	}
+	out := new(ApplyOncePolicyRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ApplyOncePolicySpec) DeepCopyInto(out *ApplyOncePolicySpec) {
 	*out = *in
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]ApplyOncePolicyRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplyOncePolicySpec.
@@ -42,6 +70,26 @@ func (in *ApplyOncePolicySpec) DeepCopy() *ApplyOncePolicySpec {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ApplyOnceStrategy) DeepCopyInto(out *ApplyOnceStrategy) {
+	*out = *in
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplyOnceStrategy.
+func (in *ApplyOnceStrategy) DeepCopy() *ApplyOnceStrategy {
+	if in == nil {
+		return nil
+	}
+	out := new(ApplyOnceStrategy)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterConnection) DeepCopyInto(out *ClusterConnection) {
 	*out = *in
@@ -278,41 +326,6 @@ func (in *GarbageCollectPolicyRule) DeepCopy() *GarbageCollectPolicyRule {
 	return out
 }

-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GarbageCollectPolicyRuleSelector) DeepCopyInto(out *GarbageCollectPolicyRuleSelector) {
-	*out = *in
-	if in.CompNames != nil {
-		in, out := &in.CompNames, &out.CompNames
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-	if in.CompTypes != nil {
-		in, out := &in.CompTypes, &out.CompTypes
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-	if in.OAMResourceTypes != nil {
-		in, out := &in.OAMResourceTypes, &out.OAMResourceTypes
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-	if in.TraitTypes != nil {
-		in, out := &in.TraitTypes, &out.TraitTypes
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GarbageCollectPolicyRuleSelector.
-func (in *GarbageCollectPolicyRuleSelector) DeepCopy() *GarbageCollectPolicyRuleSelector {
-	if in == nil {
-		return nil
-	}
-	out := new(GarbageCollectPolicyRuleSelector)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GarbageCollectPolicySpec) DeepCopyInto(out *GarbageCollectPolicySpec) {
 	*out = *in
@@ -582,6 +595,11 @@ func (in *RefObjectsComponentSpec) DeepCopyInto(out *RefObjectsComponentSpec) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.URLs != nil {
+		in, out := &in.URLs, &out.URLs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RefObjectsComponentSpec.
@@ -594,6 +612,89 @@ func (in *RefObjectsComponentSpec) DeepCopy() *RefObjectsComponentSpec {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourcePolicyRuleSelector) DeepCopyInto(out *ResourcePolicyRuleSelector) {
+	*out = *in
+	if in.CompNames != nil {
+		in, out := &in.CompNames, &out.CompNames
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.CompTypes != nil {
+		in, out := &in.CompTypes, &out.CompTypes
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.OAMResourceTypes != nil {
+		in, out := &in.OAMResourceTypes, &out.OAMResourceTypes
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.TraitTypes != nil {
+		in, out := &in.TraitTypes, &out.TraitTypes
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.ResourceTypes != nil {
+		in, out := &in.ResourceTypes, &out.ResourceTypes
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.ResourceNames != nil {
+		in, out := &in.ResourceNames, &out.ResourceNames
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePolicyRuleSelector.
+func (in *ResourcePolicyRuleSelector) DeepCopy() *ResourcePolicyRuleSelector {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourcePolicyRuleSelector)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SharedResourcePolicyRule) DeepCopyInto(out *SharedResourcePolicyRule) {
+	*out = *in
+	in.Selector.DeepCopyInto(&out.Selector)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SharedResourcePolicyRule.
+func (in *SharedResourcePolicyRule) DeepCopy() *SharedResourcePolicyRule {
+	if in == nil {
+		return nil
+	}
+	out := new(SharedResourcePolicyRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SharedResourcePolicySpec) DeepCopyInto(out *SharedResourcePolicySpec) {
+	*out = *in
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]SharedResourcePolicyRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SharedResourcePolicySpec.
+func (in *SharedResourcePolicySpec) DeepCopy() *SharedResourcePolicySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(SharedResourcePolicySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TopologyPolicySpec) DeepCopyInto(out *TopologyPolicySpec) {
 	*out = *in
--- a/apis/core.oam.dev/v1beta1/application_types.go
+++ b/apis/core.oam.dev/v1beta1/application_types.go
@@ -54,8 +54,15 @@ type WorkflowStep common.WorkflowStep

 // Workflow defines workflow steps and other attributes
 type Workflow struct {
-	Ref   string         `json:"ref,omitempty"`
-	Steps []WorkflowStep `json:"steps,omitempty"`
+	Ref   string               `json:"ref,omitempty"`
+	Mode  *WorkflowExecuteMode `json:"mode,omitempty"`
+	Steps []WorkflowStep       `json:"steps,omitempty"`
+}
+
+// WorkflowExecuteMode defines the mode of workflow execution
+type WorkflowExecuteMode struct {
+	Steps    common.WorkflowMode `json:"steps,omitempty"`
+	SubSteps common.WorkflowMode `json:"subSteps,omitempty"`
 }

 // ApplicationSpec is the spec of Application
--- a/apis/core.oam.dev/v1beta1/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/v1beta1/zz_generated.deepcopy.go
@@ -927,6 +927,11 @@ func (in *TraitDefinitionStatus) DeepCopy() *TraitDefinitionStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Workflow) DeepCopyInto(out *Workflow) {
 	*out = *in
+	if in.Mode != nil {
+		in, out := &in.Mode, &out.Mode
+		*out = new(WorkflowExecuteMode)
+		**out = **in
+	}
 	if in.Steps != nil {
 		in, out := &in.Steps, &out.Steps
 		*out = make([]WorkflowStep, len(*in))
@@ -946,14 +951,41 @@ func (in *Workflow) DeepCopy() *Workflow {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkflowExecuteMode) DeepCopyInto(out *WorkflowExecuteMode) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkflowExecuteMode.
+func (in *WorkflowExecuteMode) DeepCopy() *WorkflowExecuteMode {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkflowExecuteMode)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkflowStep) DeepCopyInto(out *WorkflowStep) {
 	*out = *in
+	if in.Meta != nil {
+		in, out := &in.Meta, &out.Meta
+		*out = new(common.WorkflowStepMeta)
+		**out = **in
+	}
 	if in.Properties != nil {
 		in, out := &in.Properties, &out.Properties
 		*out = new(runtime.RawExtension)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.SubSteps != nil {
+		in, out := &in.SubSteps, &out.SubSteps
+		*out = make([]common.WorkflowSubStep, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.DependsOn != nil {
 		in, out := &in.DependsOn, &out.DependsOn
 		*out = make([]string, len(*in))
--- a/apis/types/capability.go
+++ b/apis/types/capability.go
@@ -80,6 +80,8 @@ const (
 	OpenapiV3JSONSchema string = "openapi-v3-json-schema"
 	// UISchema is the key to store ui custom schema
 	UISchema string = "ui-schema"
+	// VelaQLConfigmapKey is the key to store velaql view
+	VelaQLConfigmapKey string = "template"
 )

 // CapabilityCategory defines the category of a capability
--- a/apis/types/types.go
+++ b/apis/types/types.go
@@ -169,8 +169,3 @@ const (
 	// VelaCoreConfig is to mark application, config and its secret or Terraform provider lelong to a KubeVela config
 	VelaCoreConfig = "velacore-config"
 )
-
-const (
-	// ClusterGatewayAccessorGroup the group to impersonate which allows the access to the cluster-gateway
-	ClusterGatewayAccessorGroup = "cluster-gateway-accessor"
-)
--- a/charts/oam-runtime/Chart.yaml
+++ b/charts/oam-runtime/Chart.yaml
@@ -1,21 +0,0 @@
-apiVersion: v2
-name: oam-runtime
-description: A Helm chart for oam-runtime aligns with OAM spec v0.2
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-version: 0.1.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application.
-appVersion: 0.1.0
--- a/charts/oam-runtime/crds/core.oam.dev_applicationconfigurations.yaml
+++ b/charts/oam-runtime/crds/core.oam.dev_applicationconfigurations.yaml
--- a/charts/oam-runtime/crds/core.oam.dev_components.yaml
+++ b/charts/oam-runtime/crds/core.oam.dev_components.yaml
@@ -1,178 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
-  name: components.core.oam.dev
-spec:
-  group: core.oam.dev
-  names:
-    categories:
-    - oam
-    kind: Component
-    listKind: ComponentList
-    plural: components
-    singular: component
-  scope: Namespaced
-  versions:
-  - additionalPrinterColumns:
-    - jsonPath: .spec.workload.kind
-      name: WORKLOAD-KIND
-      type: string
-    - jsonPath: .metadata.creationTimestamp
-      name: age
-      type: date
-    name: v1alpha2
-    schema:
-      openAPIV3Schema:
-        description: A Component describes how an OAM workload kind may be instantiated.
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: A ComponentSpec defines the desired state of a Component.
-            properties:
-              helm:
-                description: HelmRelease records a Helm release used by a Helm module
-                  workload.
-                properties:
-                  release:
-                    description: Release records a Helm release used by a Helm module
-                      workload.
-                    type: object
-                    x-kubernetes-preserve-unknown-fields: true
-                  repository:
-                    description: HelmRelease records a Helm repository used by a Helm
-                      module workload.
-                    type: object
-                    x-kubernetes-preserve-unknown-fields: true
-                required:
-                - release
-                - repository
-                type: object
-              parameters:
-                description: Parameters exposed by this component. ApplicationConfigurations
-                  that reference this component may specify values for these parameters,
-                  which will in turn be injected into the embedded workload.
-                items:
-                  description: A ComponentParameter defines a configurable parameter
-                    of a component.
-                  properties:
-                    description:
-                      description: Description of this parameter.
-                      type: string
-                    fieldPaths:
-                      description: FieldPaths specifies an array of fields within
-                        this Component's workload that will be overwritten by the
-                        value of this parameter. The type of the parameter (e.g. int,
-                        string) is inferred from the type of these fields; All fields
-                        must be of the same type. Fields are specified as JSON field
-                        paths without a leading dot, for example 'spec.replicas'.
-                      items:
-                        type: string
-                      type: array
-                    name:
-                      description: Name of this parameter. OAM ApplicationConfigurations
-                        will specify parameter values using this name.
-                      type: string
-                    required:
-                      default: false
-                      description: Required specifies whether or not a value for this
-                        parameter must be supplied when authoring an ApplicationConfiguration.
-                      type: boolean
-                  required:
-                  - fieldPaths
-                  - name
-                  type: object
-                type: array
-              workload:
-                description: A Workload that will be created for each ApplicationConfiguration
-                  that includes this Component. Workload is an instance of a workloadDefinition.
-                  We either use the GVK info or a special "type" field in the workload
-                  to associate the content of the workload with its workloadDefinition
-                type: object
-                x-kubernetes-embedded-resource: true
-                x-kubernetes-preserve-unknown-fields: true
-            required:
-            - workload
-            type: object
-          status:
-            description: A ComponentStatus represents the observed state of a Component.
-            properties:
-              conditions:
-                description: Conditions of the resource.
-                items:
-                  description: A Condition that may apply to a resource.
-                  properties:
-                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
-                      format: date-time
-                      type: string
-                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
-                      type: string
-                    reason:
-                      description: A Reason for this condition's last transition from
-                        one status to another.
-                      type: string
-                    status:
-                      description: Status of this condition; is it currently True,
-                        False, or Unknown?
-                      type: string
-                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
-                      type: string
-                  required:
-                  - lastTransitionTime
-                  - reason
-                  - status
-                  - type
-                  type: object
-                type: array
-              latestRevision:
-                description: LatestRevision of component
-                properties:
-                  name:
-                    type: string
-                  revision:
-                    format: int64
-                    type: integer
-                  revisionHash:
-                    description: RevisionHash record the hash value of the spec of
-                      ApplicationRevision object.
-                    type: string
-                required:
-                - name
-                - revision
-                type: object
-              observedGeneration:
-                description: The generation observed by the component controller.
-                format: int64
-                type: integer
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/charts/oam-runtime/crds/core.oam.dev_healthscopes.yaml
+++ b/charts/oam-runtime/crds/core.oam.dev_healthscopes.yaml
@@ -1,590 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
-  name: healthscopes.core.oam.dev
-spec:
-  group: core.oam.dev
-  names:
-    categories:
-    - oam
-    kind: HealthScope
-    listKind: HealthScopeList
-    plural: healthscopes
-    singular: healthscope
-  scope: Namespaced
-  versions:
-  - additionalPrinterColumns:
-    - jsonPath: .status.health
-      name: HEALTH
-      type: string
-    name: v1alpha2
-    schema:
-      openAPIV3Schema:
-        description: A HealthScope determines an aggregate health status based of
-          the health of components.
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: A HealthScopeSpec defines the desired state of a HealthScope.
-            properties:
-              appReferences:
-                description: AppRefs records references of applications' components
-                items:
-                  description: AppReference records references of an application's
-                    components
-                  properties:
-                    appName:
-                      type: string
-                    compReferences:
-                      items:
-                        description: CompReference records references of a component's
-                          resources
-                        properties:
-                          compName:
-                            type: string
-                          traits:
-                            items:
-                              description: 'ObjectReference contains enough information
-                                to let you inspect or modify the referred object.
-                                --- New uses of this type are discouraged because
-                                of difficulty describing its usage when embedded in
-                                APIs.  1. Ignored fields.  It includes many fields
-                                which are not generally honored.  For instance, ResourceVersion
-                                and FieldPath are both very rarely valid in actual
-                                usage.  2. Invalid usage help.  It is impossible to
-                                add specific help for individual usage.  In most embedded
-                                usages, there are particular     restrictions like,
-                                "must refer only to types A and B" or "UID not honored"
-                                or "name must be restricted".     Those cannot be
-                                well described when embedded.  3. Inconsistent validation.  Because
-                                the usages are different, the validation rules are
-                                different by usage, which makes it hard for users
-                                to predict what will happen.  4. The fields are both
-                                imprecise and overly precise.  Kind is not a precise
-                                mapping to a URL. This can produce ambiguity     during
-                                interpretation and require a REST mapping.  In most
-                                cases, the dependency is on the group,resource tuple     and
-                                the version of the actual struct is irrelevant.  5.
-                                We cannot easily change it.  Because this type is
-                                embedded in many locations, updates to this type     will
-                                affect numerous schemas.  Don''t make new APIs embed
-                                an underspecified API type they do not control. Instead
-                                of using this type, create a locally provided and
-                                used type that is well-focused on your reference.
-                                For example, ServiceReferences for admission registration:
-                                https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
-                                .'
-                              properties:
-                                apiVersion:
-                                  description: API version of the referent.
-                                  type: string
-                                fieldPath:
-                                  description: 'If referring to a piece of an object
-                                    instead of an entire object, this string should
-                                    contain a valid JSON/Go field access statement,
-                                    such as desiredState.manifest.containers[2]. For
-                                    example, if the object reference is to a container
-                                    within a pod, this would take on a value like:
-                                    "spec.containers{name}" (where "name" refers to
-                                    the name of the container that triggered the event)
-                                    or if no container name is specified "spec.containers[2]"
-                                    (container with index 2 in this pod). This syntax
-                                    is chosen only to have some well-defined way of
-                                    referencing a part of an object. TODO: this design
-                                    is not final and this field is subject to change
-                                    in the future.'
-                                  type: string
-                                kind:
-                                  description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-                                  type: string
-                                name:
-                                  description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                  type: string
-                                namespace:
-                                  description: 'Namespace of the referent. More info:
-                                    https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
-                                  type: string
-                                resourceVersion:
-                                  description: 'Specific resourceVersion to which
-                                    this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
-                                  type: string
-                                uid:
-                                  description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
-                                  type: string
-                              type: object
-                            type: array
-                          workload:
-                            description: 'ObjectReference contains enough information
-                              to let you inspect or modify the referred object. ---
-                              New uses of this type are discouraged because of difficulty
-                              describing its usage when embedded in APIs.  1. Ignored
-                              fields.  It includes many fields which are not generally
-                              honored.  For instance, ResourceVersion and FieldPath
-                              are both very rarely valid in actual usage.  2. Invalid
-                              usage help.  It is impossible to add specific help for
-                              individual usage.  In most embedded usages, there are
-                              particular     restrictions like, "must refer only to
-                              types A and B" or "UID not honored" or "name must be
-                              restricted".     Those cannot be well described when
-                              embedded.  3. Inconsistent validation.  Because the
-                              usages are different, the validation rules are different
-                              by usage, which makes it hard for users to predict what
-                              will happen.  4. The fields are both imprecise and overly
-                              precise.  Kind is not a precise mapping to a URL. This
-                              can produce ambiguity     during interpretation and
-                              require a REST mapping.  In most cases, the dependency
-                              is on the group,resource tuple     and the version of
-                              the actual struct is irrelevant.  5. We cannot easily
-                              change it.  Because this type is embedded in many locations,
-                              updates to this type     will affect numerous schemas.  Don''t
-                              make new APIs embed an underspecified API type they
-                              do not control. Instead of using this type, create a
-                              locally provided and used type that is well-focused
-                              on your reference. For example, ServiceReferences for
-                              admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
-                              .'
-                            properties:
-                              apiVersion:
-                                description: API version of the referent.
-                                type: string
-                              fieldPath:
-                                description: 'If referring to a piece of an object
-                                  instead of an entire object, this string should
-                                  contain a valid JSON/Go field access statement,
-                                  such as desiredState.manifest.containers[2]. For
-                                  example, if the object reference is to a container
-                                  within a pod, this would take on a value like: "spec.containers{name}"
-                                  (where "name" refers to the name of the container
-                                  that triggered the event) or if no container name
-                                  is specified "spec.containers[2]" (container with
-                                  index 2 in this pod). This syntax is chosen only
-                                  to have some well-defined way of referencing a part
-                                  of an object. TODO: this design is not final and
-                                  this field is subject to change in the future.'
-                                type: string
-                              kind:
-                                description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-                                type: string
-                              name:
-                                description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                type: string
-                              namespace:
-                                description: 'Namespace of the referent. More info:
-                                  https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
-                                type: string
-                              resourceVersion:
-                                description: 'Specific resourceVersion to which this
-                                  reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
-                                type: string
-                              uid:
-                                description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
-                                type: string
-                            type: object
-                        type: object
-                      type: array
-                  type: object
-                type: array
-              probe-interval:
-                description: ProbeInterval is the amount of time in seconds between
-                  probing tries.
-                format: int32
-                type: integer
-              probe-timeout:
-                description: ProbeTimeout is the amount of time in seconds to wait
-                  when receiving a response before marked failure.
-                format: int32
-                type: integer
-              workloadRefs:
-                description: WorkloadReferences to the workloads that are in this
-                  scope.
-                items:
-                  description: 'ObjectReference contains enough information to let
-                    you inspect or modify the referred object. --- New uses of this
-                    type are discouraged because of difficulty describing its usage
-                    when embedded in APIs.  1. Ignored fields.  It includes many fields
-                    which are not generally honored.  For instance, ResourceVersion
-                    and FieldPath are both very rarely valid in actual usage.  2.
-                    Invalid usage help.  It is impossible to add specific help for
-                    individual usage.  In most embedded usages, there are particular     restrictions
-                    like, "must refer only to types A and B" or "UID not honored"
-                    or "name must be restricted".     Those cannot be well described
-                    when embedded.  3. Inconsistent validation.  Because the usages
-                    are different, the validation rules are different by usage, which
-                    makes it hard for users to predict what will happen.  4. The fields
-                    are both imprecise and overly precise.  Kind is not a precise
-                    mapping to a URL. This can produce ambiguity     during interpretation
-                    and require a REST mapping.  In most cases, the dependency is
-                    on the group,resource tuple     and the version of the actual
-                    struct is irrelevant.  5. We cannot easily change it.  Because
-                    this type is embedded in many locations, updates to this type     will
-                    affect numerous schemas.  Don''t make new APIs embed an underspecified
-                    API type they do not control. Instead of using this type, create
-                    a locally provided and used type that is well-focused on your
-                    reference. For example, ServiceReferences for admission registration:
-                    https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
-                    .'
-                  properties:
-                    apiVersion:
-                      description: API version of the referent.
-                      type: string
-                    fieldPath:
-                      description: 'If referring to a piece of an object instead of
-                        an entire object, this string should contain a valid JSON/Go
-                        field access statement, such as desiredState.manifest.containers[2].
-                        For example, if the object reference is to a container within
-                        a pod, this would take on a value like: "spec.containers{name}"
-                        (where "name" refers to the name of the container that triggered
-                        the event) or if no container name is specified "spec.containers[2]"
-                        (container with index 2 in this pod). This syntax is chosen
-                        only to have some well-defined way of referencing a part of
-                        an object. TODO: this design is not final and this field is
-                        subject to change in the future.'
-                      type: string
-                    kind:
-                      description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-                      type: string
-                    name:
-                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                      type: string
-                    namespace:
-                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
-                      type: string
-                    resourceVersion:
-                      description: 'Specific resourceVersion to which this reference
-                        is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
-                      type: string
-                    uid:
-                      description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
-                      type: string
-                  type: object
-                type: array
-            required:
-            - workloadRefs
-            type: object
-          status:
-            description: A HealthScopeStatus represents the observed state of a HealthScope.
-            properties:
-              appHealthConditions:
-                description: AppHealthConditions represents health condition of applications
-                  in the scope
-                items:
-                  description: AppHealthCondition represents health condition of an
-                    application
-                  properties:
-                    appName:
-                      type: string
-                    components:
-                      items:
-                        description: WorkloadHealthCondition represents informative
-                          health condition of a workload.
-                        properties:
-                          componentName:
-                            description: ComponentName represents the component name
-                              if target is a workload
-                            type: string
-                          customStatusMsg:
-                            type: string
-                          diagnosis:
-                            type: string
-                          healthStatus:
-                            description: HealthStatus represents health status strings.
-                            type: string
-                          targetWorkload:
-                            description: 'ObjectReference contains enough information
-                              to let you inspect or modify the referred object. ---
-                              New uses of this type are discouraged because of difficulty
-                              describing its usage when embedded in APIs.  1. Ignored
-                              fields.  It includes many fields which are not generally
-                              honored.  For instance, ResourceVersion and FieldPath
-                              are both very rarely valid in actual usage.  2. Invalid
-                              usage help.  It is impossible to add specific help for
-                              individual usage.  In most embedded usages, there are
-                              particular     restrictions like, "must refer only to
-                              types A and B" or "UID not honored" or "name must be
-                              restricted".     Those cannot be well described when
-                              embedded.  3. Inconsistent validation.  Because the
-                              usages are different, the validation rules are different
-                              by usage, which makes it hard for users to predict what
-                              will happen.  4. The fields are both imprecise and overly
-                              precise.  Kind is not a precise mapping to a URL. This
-                              can produce ambiguity     during interpretation and
-                              require a REST mapping.  In most cases, the dependency
-                              is on the group,resource tuple     and the version of
-                              the actual struct is irrelevant.  5. We cannot easily
-                              change it.  Because this type is embedded in many locations,
-                              updates to this type     will affect numerous schemas.  Don''t
-                              make new APIs embed an underspecified API type they
-                              do not control. Instead of using this type, create a
-                              locally provided and used type that is well-focused
-                              on your reference. For example, ServiceReferences for
-                              admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
-                              .'
-                            properties:
-                              apiVersion:
-                                description: API version of the referent.
-                                type: string
-                              fieldPath:
-                                description: 'If referring to a piece of an object
-                                  instead of an entire object, this string should
-                                  contain a valid JSON/Go field access statement,
-                                  such as desiredState.manifest.containers[2]. For
-                                  example, if the object reference is to a container
-                                  within a pod, this would take on a value like: "spec.containers{name}"
-                                  (where "name" refers to the name of the container
-                                  that triggered the event) or if no container name
-                                  is specified "spec.containers[2]" (container with
-                                  index 2 in this pod). This syntax is chosen only
-                                  to have some well-defined way of referencing a part
-                                  of an object. TODO: this design is not final and
-                                  this field is subject to change in the future.'
-                                type: string
-                              kind:
-                                description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-                                type: string
-                              name:
-                                description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                type: string
-                              namespace:
-                                description: 'Namespace of the referent. More info:
-                                  https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
-                                type: string
-                              resourceVersion:
-                                description: 'Specific resourceVersion to which this
-                                  reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
-                                type: string
-                              uid:
-                                description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
-                                type: string
-                            type: object
-                          traits:
-                            items:
-                              description: TraitHealthCondition represents informative
-                                health condition of a trait.
-                              properties:
-                                customStatusMsg:
-                                  type: string
-                                diagnosis:
-                                  type: string
-                                healthStatus:
-                                  description: HealthStatus represents health status
-                                    strings.
-                                  type: string
-                                resource:
-                                  type: string
-                                type:
-                                  type: string
-                              required:
-                              - healthStatus
-                              - resource
-                              - type
-                              type: object
-                            type: array
-                          workloadStatus:
-                            description: WorkloadStatus represents status of workloads
-                              whose HealthStatus is UNKNOWN.
-                            type: string
-                        required:
-                        - healthStatus
-                        type: object
-                      type: array
-                    envName:
-                      type: string
-                  required:
-                  - appName
-                  type: object
-                type: array
-              conditions:
-                description: Conditions of the resource.
-                items:
-                  description: A Condition that may apply to a resource.
-                  properties:
-                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
-                      format: date-time
-                      type: string
-                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
-                      type: string
-                    reason:
-                      description: A Reason for this condition's last transition from
-                        one status to another.
-                      type: string
-                    status:
-                      description: Status of this condition; is it currently True,
-                        False, or Unknown?
-                      type: string
-                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
-                      type: string
-                  required:
-                  - lastTransitionTime
-                  - reason
-                  - status
-                  - type
-                  type: object
-                type: array
-              healthConditions:
-                description: WorkloadHealthConditions represents health condition
-                  of workloads in the scope Use AppHealthConditions to provide app
-                  level status
-                items:
-                  description: WorkloadHealthCondition represents informative health
-                    condition of a workload.
-                  properties:
-                    componentName:
-                      description: ComponentName represents the component name if
-                        target is a workload
-                      type: string
-                    customStatusMsg:
-                      type: string
-                    diagnosis:
-                      type: string
-                    healthStatus:
-                      description: HealthStatus represents health status strings.
-                      type: string
-                    targetWorkload:
-                      description: 'ObjectReference contains enough information to
-                        let you inspect or modify the referred object. --- New uses
-                        of this type are discouraged because of difficulty describing
-                        its usage when embedded in APIs.  1. Ignored fields.  It includes
-                        many fields which are not generally honored.  For instance,
-                        ResourceVersion and FieldPath are both very rarely valid in
-                        actual usage.  2. Invalid usage help.  It is impossible to
-                        add specific help for individual usage.  In most embedded
-                        usages, there are particular     restrictions like, "must
-                        refer only to types A and B" or "UID not honored" or "name
-                        must be restricted".     Those cannot be well described when
-                        embedded.  3. Inconsistent validation.  Because the usages
-                        are different, the validation rules are different by usage,
-                        which makes it hard for users to predict what will happen.  4.
-                        The fields are both imprecise and overly precise.  Kind is
-                        not a precise mapping to a URL. This can produce ambiguity     during
-                        interpretation and require a REST mapping.  In most cases,
-                        the dependency is on the group,resource tuple     and the
-                        version of the actual struct is irrelevant.  5. We cannot
-                        easily change it.  Because this type is embedded in many locations,
-                        updates to this type     will affect numerous schemas.  Don''t
-                        make new APIs embed an underspecified API type they do not
-                        control. Instead of using this type, create a locally provided
-                        and used type that is well-focused on your reference. For
-                        example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
-                        .'
-                      properties:
-                        apiVersion:
-                          description: API version of the referent.
-                          type: string
-                        fieldPath:
-                          description: 'If referring to a piece of an object instead
-                            of an entire object, this string should contain a valid
-                            JSON/Go field access statement, such as desiredState.manifest.containers[2].
-                            For example, if the object reference is to a container
-                            within a pod, this would take on a value like: "spec.containers{name}"
-                            (where "name" refers to the name of the container that
-                            triggered the event) or if no container name is specified
-                            "spec.containers[2]" (container with index 2 in this pod).
-                            This syntax is chosen only to have some well-defined way
-                            of referencing a part of an object. TODO: this design
-                            is not final and this field is subject to change in the
-                            future.'
-                          type: string
-                        kind:
-                          description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-                          type: string
-                        name:
-                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                          type: string
-                        namespace:
-                          description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
-                          type: string
-                        resourceVersion:
-                          description: 'Specific resourceVersion to which this reference
-                            is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
-                          type: string
-                        uid:
-                          description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
-                          type: string
-                      type: object
-                    traits:
-                      items:
-                        description: TraitHealthCondition represents informative health
-                          condition of a trait.
-                        properties:
-                          customStatusMsg:
-                            type: string
-                          diagnosis:
-                            type: string
-                          healthStatus:
-                            description: HealthStatus represents health status strings.
-                            type: string
-                          resource:
-                            type: string
-                          type:
-                            type: string
-                        required:
-                        - healthStatus
-                        - resource
-                        - type
-                        type: object
-                      type: array
-                    workloadStatus:
-                      description: WorkloadStatus represents status of workloads whose
-                        HealthStatus is UNKNOWN.
-                      type: string
-                  required:
-                  - healthStatus
-                  type: object
-                type: array
-              scopeHealthCondition:
-                description: ScopeHealthCondition represents health condition summary
-                  of the scope
-                properties:
-                  healthStatus:
-                    description: HealthStatus represents health status strings.
-                    type: string
-                  healthyWorkloads:
-                    format: int64
-                    type: integer
-                  total:
-                    format: int64
-                    type: integer
-                  unhealthyWorkloads:
-                    format: int64
-                    type: integer
-                  unknownWorkloads:
-                    format: int64
-                    type: integer
-                required:
-                - healthStatus
-                type: object
-            required:
-            - scopeHealthCondition
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/charts/oam-runtime/crds/core.oam.dev_manualscalertraits.yaml
+++ b/charts/oam-runtime/crds/core.oam.dev_manualscalertraits.yaml
@@ -1,134 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
-  name: manualscalertraits.core.oam.dev
-spec:
-  group: core.oam.dev
-  names:
-    categories:
-    - oam
-    kind: ManualScalerTrait
-    listKind: ManualScalerTraitList
-    plural: manualscalertraits
-    singular: manualscalertrait
-  scope: Namespaced
-  versions:
-  - name: v1alpha2
-    schema:
-      openAPIV3Schema:
-        description: A ManualScalerTrait determines how many replicas a workload should
-          have.
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: A ManualScalerTraitSpec defines the desired state of a ManualScalerTrait.
-            properties:
-              replicaCount:
-                description: ReplicaCount of the workload this trait applies to.
-                format: int32
-                type: integer
-              workloadRef:
-                description: WorkloadReference to the workload this trait applies
-                  to.
-                properties:
-                  apiVersion:
-                    description: API version of the referent.
-                    type: string
-                  fieldPath:
-                    description: 'If referring to a piece of an object instead of
-                      an entire object, this string should contain a valid JSON/Go
-                      field access statement, such as desiredState.manifest.containers[2].
-                      For example, if the object reference is to a container within
-                      a pod, this would take on a value like: "spec.containers{name}"
-                      (where "name" refers to the name of the container that triggered
-                      the event) or if no container name is specified "spec.containers[2]"
-                      (container with index 2 in this pod). This syntax is chosen
-                      only to have some well-defined way of referencing a part of
-                      an object. TODO: this design is not final and this field is
-                      subject to change in the future.'
-                    type: string
-                  kind:
-                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-                    type: string
-                  name:
-                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                    type: string
-                  namespace:
-                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
-                    type: string
-                  resourceVersion:
-                    description: 'Specific resourceVersion to which this reference
-                      is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
-                    type: string
-                  uid:
-                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
-                    type: string
-                type: object
-            required:
-            - replicaCount
-            - workloadRef
-            type: object
-          status:
-            description: A ManualScalerTraitStatus represents the observed state of
-              a ManualScalerTrait.
-            properties:
-              conditions:
-                description: Conditions of the resource.
-                items:
-                  description: A Condition that may apply to a resource.
-                  properties:
-                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
-                      format: date-time
-                      type: string
-                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
-                      type: string
-                    reason:
-                      description: A Reason for this condition's last transition from
-                        one status to another.
-                      type: string
-                    status:
-                      description: Status of this condition; is it currently True,
-                        False, or Unknown?
-                      type: string
-                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
-                      type: string
-                  required:
-                  - lastTransitionTime
-                  - reason
-                  - status
-                  - type
-                  type: object
-                type: array
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/charts/oam-runtime/crds/core.oam.dev_scopedefinitions.yaml
+++ b/charts/oam-runtime/crds/core.oam.dev_scopedefinitions.yaml
@@ -1,153 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
-  name: scopedefinitions.core.oam.dev
-spec:
-  group: core.oam.dev
-  names:
-    categories:
-    - oam
-    kind: ScopeDefinition
-    listKind: ScopeDefinitionList
-    plural: scopedefinitions
-    shortNames:
-    - scope
-    singular: scopedefinition
-  scope: Namespaced
-  versions:
-  - additionalPrinterColumns:
-    - jsonPath: .spec.definitionRef.name
-      name: DEFINITION-NAME
-      type: string
-    name: v1alpha2
-    schema:
-      openAPIV3Schema:
-        description: A ScopeDefinition registers a kind of Kubernetes custom resource
-          as a valid OAM scope kind by referencing its CustomResourceDefinition. The
-          CRD is used to validate the schema of the scope when it is embedded in an
-          OAM ApplicationConfiguration.
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: A ScopeDefinitionSpec defines the desired state of a ScopeDefinition.
-            properties:
-              allowComponentOverlap:
-                description: AllowComponentOverlap specifies whether an OAM component
-                  may exist in multiple instances of this kind of scope.
-                type: boolean
-              definitionRef:
-                description: Reference to the CustomResourceDefinition that defines
-                  this scope kind.
-                properties:
-                  name:
-                    description: Name of the referenced CustomResourceDefinition.
-                    type: string
-                  version:
-                    description: Version indicate which version should be used if
-                      CRD has multiple versions by default it will use the first one
-                      if not specified
-                    type: string
-                required:
-                - name
-                type: object
-              extension:
-                description: Extension is used for extension needs by OAM platform
-                  builders
-                type: object
-                x-kubernetes-preserve-unknown-fields: true
-              workloadRefsPath:
-                description: WorkloadRefsPath indicates if/where a scope accepts workloadRef
-                  objects
-                type: string
-            required:
-            - allowComponentOverlap
-            - definitionRef
-            type: object
-        type: object
-    served: true
-    storage: false
-    subresources: {}
-  - additionalPrinterColumns:
-    - jsonPath: .spec.definitionRef.name
-      name: DEFINITION-NAME
-      type: string
-    name: v1beta1
-    schema:
-      openAPIV3Schema:
-        description: A ScopeDefinition registers a kind of Kubernetes custom resource
-          as a valid OAM scope kind by referencing its CustomResourceDefinition. The
-          CRD is used to validate the schema of the scope when it is embedded in an
-          OAM ApplicationConfiguration.
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: A ScopeDefinitionSpec defines the desired state of a ScopeDefinition.
-            properties:
-              allowComponentOverlap:
-                description: AllowComponentOverlap specifies whether an OAM component
-                  may exist in multiple instances of this kind of scope.
-                type: boolean
-              definitionRef:
-                description: Reference to the CustomResourceDefinition that defines
-                  this scope kind.
-                properties:
-                  name:
-                    description: Name of the referenced CustomResourceDefinition.
-                    type: string
-                  version:
-                    description: Version indicate which version should be used if
-                      CRD has multiple versions by default it will use the first one
-                      if not specified
-                    type: string
-                required:
-                - name
-                type: object
-              extension:
-                description: Extension is used for extension needs by OAM platform
-                  builders
-                type: object
-                x-kubernetes-preserve-unknown-fields: true
-              workloadRefsPath:
-                description: WorkloadRefsPath indicates if/where a scope accepts workloadRef
-                  objects
-                type: string
-            required:
-            - allowComponentOverlap
-            - definitionRef
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/charts/oam-runtime/crds/core.oam.dev_traitdefinitions.yaml
+++ b/charts/oam-runtime/crds/core.oam.dev_traitdefinitions.yaml
@@ -1,649 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
-  name: traitdefinitions.core.oam.dev
-spec:
-  group: core.oam.dev
-  names:
-    categories:
-    - oam
-    kind: TraitDefinition
-    listKind: TraitDefinitionList
-    plural: traitdefinitions
-    shortNames:
-    - trait
-    singular: traitdefinition
-  scope: Namespaced
-  versions:
-  - additionalPrinterColumns:
-    - jsonPath: .spec.appliesToWorkloads
-      name: APPLIES-TO
-      type: string
-    - jsonPath: .metadata.annotations.definition\.oam\.dev/description
-      name: DESCRIPTION
-      type: string
-    name: v1alpha2
-    schema:
-      openAPIV3Schema:
-        description: A TraitDefinition registers a kind of Kubernetes custom resource
-          as a valid OAM trait kind by referencing its CustomResourceDefinition. The
-          CRD is used to validate the schema of the trait when it is embedded in an
-          OAM ApplicationConfiguration.
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: A TraitDefinitionSpec defines the desired state of a TraitDefinition.
-            properties:
-              appliesToWorkloads:
-                description: AppliesToWorkloads specifies the list of workload kinds
-                  this trait applies to. Workload kinds are specified in kind.group/version
-                  format, e.g. server.core.oam.dev/v1alpha2. Traits that omit this
-                  field apply to all workload kinds.
-                items:
-                  type: string
-                type: array
-              conflictsWith:
-                description: 'ConflictsWith specifies the list of traits(CRD name,
-                  Definition name, CRD group) which could not apply to the same workloads
-                  with this trait. Traits that omit this field can work with any other
-                  traits. Example rules: "service" # Trait definition name "services.k8s.io"
-                  # API resource/crd name "*.networking.k8s.io" # API group "labelSelector:foo=bar"
-                  # label selector labelSelector format: https://pkg.go.dev/k8s.io/apimachinery/pkg/labels#Parse'
-                items:
-                  type: string
-                type: array
-              definitionRef:
-                description: Reference to the CustomResourceDefinition that defines
-                  this trait kind.
-                properties:
-                  name:
-                    description: Name of the referenced CustomResourceDefinition.
-                    type: string
-                  version:
-                    description: Version indicate which version should be used if
-                      CRD has multiple versions by default it will use the first one
-                      if not specified
-                    type: string
-                required:
-                - name
-                type: object
-              extension:
-                description: Extension is used for extension needs by OAM platform
-                  builders
-                type: object
-                x-kubernetes-preserve-unknown-fields: true
-              podDisruptive:
-                description: PodDisruptive specifies whether using the trait will
-                  cause the pod to restart or not.
-                type: boolean
-              revisionEnabled:
-                description: Revision indicates whether a trait is aware of component
-                  revision
-                type: boolean
-              schematic:
-                description: Schematic defines the data format and template of the
-                  encapsulation of the trait
-                properties:
-                  cue:
-                    description: CUE defines the encapsulation in CUE format
-                    properties:
-                      template:
-                        description: Template defines the abstraction template data
-                          of the capability, it will replace the old CUE template
-                          in extension field. Template is a required field if CUE
-                          is defined in Capability Definition.
-                        type: string
-                    required:
-                    - template
-                    type: object
-                  helm:
-                    description: A Helm represents resources used by a Helm module
-                    properties:
-                      release:
-                        description: Release records a Helm release used by a Helm
-                          module workload.
-                        type: object
-                        x-kubernetes-preserve-unknown-fields: true
-                      repository:
-                        description: HelmRelease records a Helm repository used by
-                          a Helm module workload.
-                        type: object
-                        x-kubernetes-preserve-unknown-fields: true
-                    required:
-                    - release
-                    - repository
-                    type: object
-                  kube:
-                    description: Kube defines the encapsulation in raw Kubernetes
-                      resource format
-                    properties:
-                      parameters:
-                        description: Parameters defines configurable parameters
-                        items:
-                          description: A KubeParameter defines a configurable parameter
-                            of a component.
-                          properties:
-                            description:
-                              description: Description of this parameter.
-                              type: string
-                            fieldPaths:
-                              description: "FieldPaths specifies an array of fields
-                                within this workload that will be overwritten by the
-                                value of this parameter. \tAll fields must be of the
-                                same type. Fields are specified as JSON field paths
-                                without a leading dot, for example 'spec.replicas'."
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: Name of this parameter
-                              type: string
-                            required:
-                              default: false
-                              description: Required specifies whether or not a value
-                                for this parameter must be supplied when authoring
-                                an Application.
-                              type: boolean
-                            type:
-                              description: 'ValueType indicates the type of the parameter
-                                value, and only supports basic data types: string,
-                                number, boolean.'
-                              enum:
-                              - string
-                              - number
-                              - boolean
-                              type: string
-                          required:
-                          - fieldPaths
-                          - name
-                          - type
-                          type: object
-                        type: array
-                      template:
-                        description: Template defines the raw Kubernetes resource
-                        type: object
-                        x-kubernetes-preserve-unknown-fields: true
-                    required:
-                    - template
-                    type: object
-                  terraform:
-                    description: Terraform is the struct to describe cloud resources
-                      managed by Hashicorp Terraform
-                    properties:
-                      configuration:
-                        description: Configuration is Terraform Configuration
-                        type: string
-                      customRegion:
-                        description: Region is cloud provider's region. It will override
-                          the region in the region field of ProviderReference
-                        type: string
-                      deleteResource:
-                        default: true
-                        description: DeleteResource will determine whether provisioned
-                          cloud resources will be deleted when CR is deleted
-                        type: boolean
-                      path:
-                        description: Path is the sub-directory of remote git repository.
-                          It's valid when remote is set
-                        type: string
-                      providerRef:
-                        description: ProviderReference specifies the reference to
-                          Provider
-                        properties:
-                          name:
-                            description: Name of the referenced object.
-                            type: string
-                          namespace:
-                            default: default
-                            description: Namespace of the referenced object.
-                            type: string
-                        required:
-                        - name
-                        type: object
-                      type:
-                        default: hcl
-                        description: Type specifies which Terraform configuration
-                          it is, HCL or JSON syntax
-                        enum:
-                        - hcl
-                        - json
-                        - remote
-                        type: string
-                      writeConnectionSecretToRef:
-                        description: WriteConnectionSecretToReference specifies the
-                          namespace and name of a Secret to which any connection details
-                          for this managed resource should be written. Connection
-                          details frequently include the endpoint, username, and password
-                          required to connect to the managed resource.
-                        properties:
-                          name:
-                            description: Name of the secret.
-                            type: string
-                          namespace:
-                            description: Namespace of the secret.
-                            type: string
-                        required:
-                        - name
-                        type: object
-                    required:
-                    - configuration
-                    type: object
-                type: object
-              status:
-                description: Status defines the custom health policy and status message
-                  for trait
-                properties:
-                  customStatus:
-                    description: CustomStatus defines the custom status message that
-                      could display to user
-                    type: string
-                  healthPolicy:
-                    description: HealthPolicy defines the health check policy for
-                      the abstraction
-                    type: string
-                type: object
-              workloadRefPath:
-                description: WorkloadRefPath indicates where/if a trait accepts a
-                  workloadRef object
-                type: string
-            type: object
-          status:
-            description: TraitDefinitionStatus is the status of TraitDefinition
-            properties:
-              conditions:
-                description: Conditions of the resource.
-                items:
-                  description: A Condition that may apply to a resource.
-                  properties:
-                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
-                      format: date-time
-                      type: string
-                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
-                      type: string
-                    reason:
-                      description: A Reason for this condition's last transition from
-                        one status to another.
-                      type: string
-                    status:
-                      description: Status of this condition; is it currently True,
-                        False, or Unknown?
-                      type: string
-                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
-                      type: string
-                  required:
-                  - lastTransitionTime
-                  - reason
-                  - status
-                  - type
-                  type: object
-                type: array
-              configMapRef:
-                description: ConfigMapRef refer to a ConfigMap which contains OpenAPI
-                  V3 JSON schema of Component parameters.
-                type: string
-              latestRevision:
-                description: LatestRevision of the trait definition
-                properties:
-                  name:
-                    type: string
-                  revision:
-                    format: int64
-                    type: integer
-                  revisionHash:
-                    description: RevisionHash record the hash value of the spec of
-                      ApplicationRevision object.
-                    type: string
-                required:
-                - name
-                - revision
-                type: object
-            type: object
-        type: object
-    served: true
-    storage: false
-    subresources:
-      status: {}
-  - additionalPrinterColumns:
-    - jsonPath: .spec.appliesToWorkloads
-      name: APPLIES-TO
-      type: string
-    - jsonPath: .metadata.annotations.definition\.oam\.dev/description
-      name: DESCRIPTION
-      type: string
-    name: v1beta1
-    schema:
-      openAPIV3Schema:
-        description: A TraitDefinition registers a kind of Kubernetes custom resource
-          as a valid OAM trait kind by referencing its CustomResourceDefinition. The
-          CRD is used to validate the schema of the trait when it is embedded in an
-          OAM ApplicationConfiguration.
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: A TraitDefinitionSpec defines the desired state of a TraitDefinition.
-            properties:
-              appliesToWorkloads:
-                description: AppliesToWorkloads specifies the list of workload kinds
-                  this trait applies to. Workload kinds are specified in kind.group/version
-                  format, e.g. server.core.oam.dev/v1alpha2. Traits that omit this
-                  field apply to all workload kinds.
-                items:
-                  type: string
-                type: array
-              conflictsWith:
-                description: 'ConflictsWith specifies the list of traits(CRD name,
-                  Definition name, CRD group) which could not apply to the same workloads
-                  with this trait. Traits that omit this field can work with any other
-                  traits. Example rules: "service" # Trait definition name "services.k8s.io"
-                  # API resource/crd name "*.networking.k8s.io" # API group "labelSelector:foo=bar"
-                  # label selector labelSelector format: https://pkg.go.dev/k8s.io/apimachinery/pkg/labels#Parse'
-                items:
-                  type: string
-                type: array
-              controlPlaneOnly:
-                description: ControlPlaneOnly defines which cluster is dispatched
-                  to
-                type: boolean
-              definitionRef:
-                description: Reference to the CustomResourceDefinition that defines
-                  this trait kind.
-                properties:
-                  name:
-                    description: Name of the referenced CustomResourceDefinition.
-                    type: string
-                  version:
-                    description: Version indicate which version should be used if
-                      CRD has multiple versions by default it will use the first one
-                      if not specified
-                    type: string
-                required:
-                - name
-                type: object
-              extension:
-                description: Extension is used for extension needs by OAM platform
-                  builders
-                type: object
-                x-kubernetes-preserve-unknown-fields: true
-              manageWorkload:
-                description: ManageWorkload defines the trait would be responsible
-                  for creating the workload
-                type: boolean
-              podDisruptive:
-                description: PodDisruptive specifies whether using the trait will
-                  cause the pod to restart or not.
-                type: boolean
-              revisionEnabled:
-                description: Revision indicates whether a trait is aware of component
-                  revision
-                type: boolean
-              schematic:
-                description: Schematic defines the data format and template of the
-                  encapsulation of the trait
-                properties:
-                  cue:
-                    description: CUE defines the encapsulation in CUE format
-                    properties:
-                      template:
-                        description: Template defines the abstraction template data
-                          of the capability, it will replace the old CUE template
-                          in extension field. Template is a required field if CUE
-                          is defined in Capability Definition.
-                        type: string
-                    required:
-                    - template
-                    type: object
-                  helm:
-                    description: A Helm represents resources used by a Helm module
-                    properties:
-                      release:
-                        description: Release records a Helm release used by a Helm
-                          module workload.
-                        type: object
-                        x-kubernetes-preserve-unknown-fields: true
-                      repository:
-                        description: HelmRelease records a Helm repository used by
-                          a Helm module workload.
-                        type: object
-                        x-kubernetes-preserve-unknown-fields: true
-                    required:
-                    - release
-                    - repository
-                    type: object
-                  kube:
-                    description: Kube defines the encapsulation in raw Kubernetes
-                      resource format
-                    properties:
-                      parameters:
-                        description: Parameters defines configurable parameters
-                        items:
-                          description: A KubeParameter defines a configurable parameter
-                            of a component.
-                          properties:
-                            description:
-                              description: Description of this parameter.
-                              type: string
-                            fieldPaths:
-                              description: "FieldPaths specifies an array of fields
-                                within this workload that will be overwritten by the
-                                value of this parameter. \tAll fields must be of the
-                                same type. Fields are specified as JSON field paths
-                                without a leading dot, for example 'spec.replicas'."
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: Name of this parameter
-                              type: string
-                            required:
-                              default: false
-                              description: Required specifies whether or not a value
-                                for this parameter must be supplied when authoring
-                                an Application.
-                              type: boolean
-                            type:
-                              description: 'ValueType indicates the type of the parameter
-                                value, and only supports basic data types: string,
-                                number, boolean.'
-                              enum:
-                              - string
-                              - number
-                              - boolean
-                              type: string
-                          required:
-                          - fieldPaths
-                          - name
-                          - type
-                          type: object
-                        type: array
-                      template:
-                        description: Template defines the raw Kubernetes resource
-                        type: object
-                        x-kubernetes-preserve-unknown-fields: true
-                    required:
-                    - template
-                    type: object
-                  terraform:
-                    description: Terraform is the struct to describe cloud resources
-                      managed by Hashicorp Terraform
-                    properties:
-                      configuration:
-                        description: Configuration is Terraform Configuration
-                        type: string
-                      customRegion:
-                        description: Region is cloud provider's region. It will override
-                          the region in the region field of ProviderReference
-                        type: string
-                      deleteResource:
-                        default: true
-                        description: DeleteResource will determine whether provisioned
-                          cloud resources will be deleted when CR is deleted
-                        type: boolean
-                      path:
-                        description: Path is the sub-directory of remote git repository.
-                          It's valid when remote is set
-                        type: string
-                      providerRef:
-                        description: ProviderReference specifies the reference to
-                          Provider
-                        properties:
-                          name:
-                            description: Name of the referenced object.
-                            type: string
-                          namespace:
-                            default: default
-                            description: Namespace of the referenced object.
-                            type: string
-                        required:
-                        - name
-                        type: object
-                      type:
-                        default: hcl
-                        description: Type specifies which Terraform configuration
-                          it is, HCL or JSON syntax
-                        enum:
-                        - hcl
-                        - json
-                        - remote
-                        type: string
-                      writeConnectionSecretToRef:
-                        description: WriteConnectionSecretToReference specifies the
-                          namespace and name of a Secret to which any connection details
-                          for this managed resource should be written. Connection
-                          details frequently include the endpoint, username, and password
-                          required to connect to the managed resource.
-                        properties:
-                          name:
-                            description: Name of the secret.
-                            type: string
-                          namespace:
-                            description: Namespace of the secret.
-                            type: string
-                        required:
-                        - name
-                        type: object
-                    required:
-                    - configuration
-                    type: object
-                type: object
-              skipRevisionAffect:
-                description: SkipRevisionAffect defines the update this trait will
-                  not generate a new application Revision
-                type: boolean
-              status:
-                description: Status defines the custom health policy and status message
-                  for trait
-                properties:
-                  customStatus:
-                    description: CustomStatus defines the custom status message that
-                      could display to user
-                    type: string
-                  healthPolicy:
-                    description: HealthPolicy defines the health check policy for
-                      the abstraction
-                    type: string
-                type: object
-              workloadRefPath:
-                description: WorkloadRefPath indicates where/if a trait accepts a
-                  workloadRef object
-                type: string
-            type: object
-          status:
-            description: TraitDefinitionStatus is the status of TraitDefinition
-            properties:
-              conditions:
-                description: Conditions of the resource.
-                items:
-                  description: A Condition that may apply to a resource.
-                  properties:
-                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
-                      format: date-time
-                      type: string
-                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
-                      type: string
-                    reason:
-                      description: A Reason for this condition's last transition from
-                        one status to another.
-                      type: string
-                    status:
-                      description: Status of this condition; is it currently True,
-                        False, or Unknown?
-                      type: string
-                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
-                      type: string
-                  required:
-                  - lastTransitionTime
-                  - reason
-                  - status
-                  - type
-                  type: object
-                type: array
-              configMapRef:
-                description: ConfigMapRef refer to a ConfigMap which contains OpenAPI
-                  V3 JSON schema of Component parameters.
-                type: string
-              latestRevision:
-                description: LatestRevision of the component definition
-                properties:
-                  name:
-                    type: string
-                  revision:
-                    format: int64
-                    type: integer
-                  revisionHash:
-                    description: RevisionHash record the hash value of the spec of
-                      ApplicationRevision object.
-                    type: string
-                required:
-                - name
-                - revision
-                type: object
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/charts/oam-runtime/crds/core.oam.dev_workloaddefinitions.yaml
+++ b/charts/oam-runtime/crds/core.oam.dev_workloaddefinitions.yaml
@@ -1,604 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
-  name: workloaddefinitions.core.oam.dev
-spec:
-  group: core.oam.dev
-  names:
-    categories:
-    - oam
-    kind: WorkloadDefinition
-    listKind: WorkloadDefinitionList
-    plural: workloaddefinitions
-    shortNames:
-    - workload
-    singular: workloaddefinition
-  scope: Namespaced
-  versions:
-  - additionalPrinterColumns:
-    - jsonPath: .spec.definitionRef.name
-      name: DEFINITION-NAME
-      type: string
-    name: v1alpha2
-    schema:
-      openAPIV3Schema:
-        description: A WorkloadDefinition registers a kind of Kubernetes custom resource
-          as a valid OAM workload kind by referencing its CustomResourceDefinition.
-          The CRD is used to validate the schema of the workload when it is embedded
-          in an OAM Component.
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: A WorkloadDefinitionSpec defines the desired state of a WorkloadDefinition.
-            properties:
-              childResourceKinds:
-                description: ChildResourceKinds are the list of GVK of the child resources
-                  this workload generates
-                items:
-                  description: A ChildResourceKind defines a child Kubernetes resource
-                    kind with a selector
-                  properties:
-                    apiVersion:
-                      description: APIVersion of the child resource
-                      type: string
-                    kind:
-                      description: Kind of the child resource
-                      type: string
-                    selector:
-                      additionalProperties:
-                        type: string
-                      description: Selector to select the child resources that the
-                        workload wants to expose to traits
-                      type: object
-                  required:
-                  - apiVersion
-                  - kind
-                  type: object
-                type: array
-              definitionRef:
-                description: Reference to the CustomResourceDefinition that defines
-                  this workload kind.
-                properties:
-                  name:
-                    description: Name of the referenced CustomResourceDefinition.
-                    type: string
-                  version:
-                    description: Version indicate which version should be used if
-                      CRD has multiple versions by default it will use the first one
-                      if not specified
-                    type: string
-                required:
-                - name
-                type: object
-              extension:
-                description: Extension is used for extension needs by OAM platform
-                  builders
-                type: object
-                x-kubernetes-preserve-unknown-fields: true
-              podSpecPath:
-                description: PodSpecPath indicates where/if this workload has K8s
-                  podSpec field if one workload has podSpec, trait can do lot's of
-                  assumption such as port, env, volume fields.
-                type: string
-              revisionLabel:
-                description: RevisionLabel indicates which label for underlying resources(e.g.
-                  pods) of this workload can be used by trait to create resource selectors(e.g.
-                  label selector for pods).
-                type: string
-              schematic:
-                description: Schematic defines the data format and template of the
-                  encapsulation of the workload
-                properties:
-                  cue:
-                    description: CUE defines the encapsulation in CUE format
-                    properties:
-                      template:
-                        description: Template defines the abstraction template data
-                          of the capability, it will replace the old CUE template
-                          in extension field. Template is a required field if CUE
-                          is defined in Capability Definition.
-                        type: string
-                    required:
-                    - template
-                    type: object
-                  helm:
-                    description: A Helm represents resources used by a Helm module
-                    properties:
-                      release:
-                        description: Release records a Helm release used by a Helm
-                          module workload.
-                        type: object
-                        x-kubernetes-preserve-unknown-fields: true
-                      repository:
-                        description: HelmRelease records a Helm repository used by
-                          a Helm module workload.
-                        type: object
-                        x-kubernetes-preserve-unknown-fields: true
-                    required:
-                    - release
-                    - repository
-                    type: object
-                  kube:
-                    description: Kube defines the encapsulation in raw Kubernetes
-                      resource format
-                    properties:
-                      parameters:
-                        description: Parameters defines configurable parameters
-                        items:
-                          description: A KubeParameter defines a configurable parameter
-                            of a component.
-                          properties:
-                            description:
-                              description: Description of this parameter.
-                              type: string
-                            fieldPaths:
-                              description: "FieldPaths specifies an array of fields
-                                within this workload that will be overwritten by the
-                                value of this parameter. \tAll fields must be of the
-                                same type. Fields are specified as JSON field paths
-                                without a leading dot, for example 'spec.replicas'."
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: Name of this parameter
-                              type: string
-                            required:
-                              default: false
-                              description: Required specifies whether or not a value
-                                for this parameter must be supplied when authoring
-                                an Application.
-                              type: boolean
-                            type:
-                              description: 'ValueType indicates the type of the parameter
-                                value, and only supports basic data types: string,
-                                number, boolean.'
-                              enum:
-                              - string
-                              - number
-                              - boolean
-                              type: string
-                          required:
-                          - fieldPaths
-                          - name
-                          - type
-                          type: object
-                        type: array
-                      template:
-                        description: Template defines the raw Kubernetes resource
-                        type: object
-                        x-kubernetes-preserve-unknown-fields: true
-                    required:
-                    - template
-                    type: object
-                  terraform:
-                    description: Terraform is the struct to describe cloud resources
-                      managed by Hashicorp Terraform
-                    properties:
-                      configuration:
-                        description: Configuration is Terraform Configuration
-                        type: string
-                      customRegion:
-                        description: Region is cloud provider's region. It will override
-                          the region in the region field of ProviderReference
-                        type: string
-                      deleteResource:
-                        default: true
-                        description: DeleteResource will determine whether provisioned
-                          cloud resources will be deleted when CR is deleted
-                        type: boolean
-                      path:
-                        description: Path is the sub-directory of remote git repository.
-                          It's valid when remote is set
-                        type: string
-                      providerRef:
-                        description: ProviderReference specifies the reference to
-                          Provider
-                        properties:
-                          name:
-                            description: Name of the referenced object.
-                            type: string
-                          namespace:
-                            default: default
-                            description: Namespace of the referenced object.
-                            type: string
-                        required:
-                        - name
-                        type: object
-                      type:
-                        default: hcl
-                        description: Type specifies which Terraform configuration
-                          it is, HCL or JSON syntax
-                        enum:
-                        - hcl
-                        - json
-                        - remote
-                        type: string
-                      writeConnectionSecretToRef:
-                        description: WriteConnectionSecretToReference specifies the
-                          namespace and name of a Secret to which any connection details
-                          for this managed resource should be written. Connection
-                          details frequently include the endpoint, username, and password
-                          required to connect to the managed resource.
-                        properties:
-                          name:
-                            description: Name of the secret.
-                            type: string
-                          namespace:
-                            description: Namespace of the secret.
-                            type: string
-                        required:
-                        - name
-                        type: object
-                    required:
-                    - configuration
-                    type: object
-                type: object
-              status:
-                description: Status defines the custom health policy and status message
-                  for workload
-                properties:
-                  customStatus:
-                    description: CustomStatus defines the custom status message that
-                      could display to user
-                    type: string
-                  healthPolicy:
-                    description: HealthPolicy defines the health check policy for
-                      the abstraction
-                    type: string
-                type: object
-            required:
-            - definitionRef
-            type: object
-          status:
-            description: WorkloadDefinitionStatus is the status of WorkloadDefinition
-            properties:
-              conditions:
-                description: Conditions of the resource.
-                items:
-                  description: A Condition that may apply to a resource.
-                  properties:
-                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
-                      format: date-time
-                      type: string
-                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
-                      type: string
-                    reason:
-                      description: A Reason for this condition's last transition from
-                        one status to another.
-                      type: string
-                    status:
-                      description: Status of this condition; is it currently True,
-                        False, or Unknown?
-                      type: string
-                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
-                      type: string
-                  required:
-                  - lastTransitionTime
-                  - reason
-                  - status
-                  - type
-                  type: object
-                type: array
-            type: object
-        type: object
-    served: true
-    storage: false
-    subresources: {}
-  - additionalPrinterColumns:
-    - jsonPath: .spec.definitionRef.name
-      name: DEFINITION-NAME
-      type: string
-    - jsonPath: .metadata.annotations.definition\.oam\.dev/description
-      name: DESCRIPTION
-      type: string
-    name: v1beta1
-    schema:
-      openAPIV3Schema:
-        description: A WorkloadDefinition registers a kind of Kubernetes custom resource
-          as a valid OAM workload kind by referencing its CustomResourceDefinition.
-          The CRD is used to validate the schema of the workload when it is embedded
-          in an OAM Component.
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: A WorkloadDefinitionSpec defines the desired state of a WorkloadDefinition.
-            properties:
-              childResourceKinds:
-                description: ChildResourceKinds are the list of GVK of the child resources
-                  this workload generates
-                items:
-                  description: A ChildResourceKind defines a child Kubernetes resource
-                    kind with a selector
-                  properties:
-                    apiVersion:
-                      description: APIVersion of the child resource
-                      type: string
-                    kind:
-                      description: Kind of the child resource
-                      type: string
-                    selector:
-                      additionalProperties:
-                        type: string
-                      description: Selector to select the child resources that the
-                        workload wants to expose to traits
-                      type: object
-                  required:
-                  - apiVersion
-                  - kind
-                  type: object
-                type: array
-              definitionRef:
-                description: Reference to the CustomResourceDefinition that defines
-                  this workload kind.
-                properties:
-                  name:
-                    description: Name of the referenced CustomResourceDefinition.
-                    type: string
-                  version:
-                    description: Version indicate which version should be used if
-                      CRD has multiple versions by default it will use the first one
-                      if not specified
-                    type: string
-                required:
-                - name
-                type: object
-              extension:
-                description: Extension is used for extension needs by OAM platform
-                  builders
-                type: object
-                x-kubernetes-preserve-unknown-fields: true
-              podSpecPath:
-                description: PodSpecPath indicates where/if this workload has K8s
-                  podSpec field if one workload has podSpec, trait can do lot's of
-                  assumption such as port, env, volume fields.
-                type: string
-              revisionLabel:
-                description: RevisionLabel indicates which label for underlying resources(e.g.
-                  pods) of this workload can be used by trait to create resource selectors(e.g.
-                  label selector for pods).
-                type: string
-              schematic:
-                description: Schematic defines the data format and template of the
-                  encapsulation of the workload
-                properties:
-                  cue:
-                    description: CUE defines the encapsulation in CUE format
-                    properties:
-                      template:
-                        description: Template defines the abstraction template data
-                          of the capability, it will replace the old CUE template
-                          in extension field. Template is a required field if CUE
-                          is defined in Capability Definition.
-                        type: string
-                    required:
-                    - template
-                    type: object
-                  helm:
-                    description: A Helm represents resources used by a Helm module
-                    properties:
-                      release:
-                        description: Release records a Helm release used by a Helm
-                          module workload.
-                        type: object
-                        x-kubernetes-preserve-unknown-fields: true
-                      repository:
-                        description: HelmRelease records a Helm repository used by
-                          a Helm module workload.
-                        type: object
-                        x-kubernetes-preserve-unknown-fields: true
-                    required:
-                    - release
-                    - repository
-                    type: object
-                  kube:
-                    description: Kube defines the encapsulation in raw Kubernetes
-                      resource format
-                    properties:
-                      parameters:
-                        description: Parameters defines configurable parameters
-                        items:
-                          description: A KubeParameter defines a configurable parameter
-                            of a component.
-                          properties:
-                            description:
-                              description: Description of this parameter.
-                              type: string
-                            fieldPaths:
-                              description: "FieldPaths specifies an array of fields
-                                within this workload that will be overwritten by the
-                                value of this parameter. \tAll fields must be of the
-                                same type. Fields are specified as JSON field paths
-                                without a leading dot, for example 'spec.replicas'."
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: Name of this parameter
-                              type: string
-                            required:
-                              default: false
-                              description: Required specifies whether or not a value
-                                for this parameter must be supplied when authoring
-                                an Application.
-                              type: boolean
-                            type:
-                              description: 'ValueType indicates the type of the parameter
-                                value, and only supports basic data types: string,
-                                number, boolean.'
-                              enum:
-                              - string
-                              - number
-                              - boolean
-                              type: string
-                          required:
-                          - fieldPaths
-                          - name
-                          - type
-                          type: object
-                        type: array
-                      template:
-                        description: Template defines the raw Kubernetes resource
-                        type: object
-                        x-kubernetes-preserve-unknown-fields: true
-                    required:
-                    - template
-                    type: object
-                  terraform:
-                    description: Terraform is the struct to describe cloud resources
-                      managed by Hashicorp Terraform
-                    properties:
-                      configuration:
-                        description: Configuration is Terraform Configuration
-                        type: string
-                      customRegion:
-                        description: Region is cloud provider's region. It will override
-                          the region in the region field of ProviderReference
-                        type: string
-                      deleteResource:
-                        default: true
-                        description: DeleteResource will determine whether provisioned
-                          cloud resources will be deleted when CR is deleted
-                        type: boolean
-                      path:
-                        description: Path is the sub-directory of remote git repository.
-                          It's valid when remote is set
-                        type: string
-                      providerRef:
-                        description: ProviderReference specifies the reference to
-                          Provider
-                        properties:
-                          name:
-                            description: Name of the referenced object.
-                            type: string
-                          namespace:
-                            default: default
-                            description: Namespace of the referenced object.
-                            type: string
-                        required:
-                        - name
-                        type: object
-                      type:
-                        default: hcl
-                        description: Type specifies which Terraform configuration
-                          it is, HCL or JSON syntax
-                        enum:
-                        - hcl
-                        - json
-                        - remote
-                        type: string
-                      writeConnectionSecretToRef:
-                        description: WriteConnectionSecretToReference specifies the
-                          namespace and name of a Secret to which any connection details
-                          for this managed resource should be written. Connection
-                          details frequently include the endpoint, username, and password
-                          required to connect to the managed resource.
-                        properties:
-                          name:
-                            description: Name of the secret.
-                            type: string
-                          namespace:
-                            description: Namespace of the secret.
-                            type: string
-                        required:
-                        - name
-                        type: object
-                    required:
-                    - configuration
-                    type: object
-                type: object
-              status:
-                description: Status defines the custom health policy and status message
-                  for workload
-                properties:
-                  customStatus:
-                    description: CustomStatus defines the custom status message that
-                      could display to user
-                    type: string
-                  healthPolicy:
-                    description: HealthPolicy defines the health check policy for
-                      the abstraction
-                    type: string
-                type: object
-            required:
-            - definitionRef
-            type: object
-          status:
-            description: WorkloadDefinitionStatus is the status of WorkloadDefinition
-            properties:
-              conditions:
-                description: Conditions of the resource.
-                items:
-                  description: A Condition that may apply to a resource.
-                  properties:
-                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
-                      format: date-time
-                      type: string
-                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
-                      type: string
-                    reason:
-                      description: A Reason for this condition's last transition from
-                        one status to another.
-                      type: string
-                    status:
-                      description: Status of this condition; is it currently True,
-                        False, or Unknown?
-                      type: string
-                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
-                      type: string
-                  required:
-                  - lastTransitionTime
-                  - reason
-                  - status
-                  - type
-                  type: object
-                type: array
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/charts/oam-runtime/templates/NOTES.txt
+++ b/charts/oam-runtime/templates/NOTES.txt
@@ -1 +0,0 @@
-Welcome to use the oam-runtime follows OAM spec v0.2! Enjoy your shipping application journey!
--- a/charts/oam-runtime/templates/_helpers.tpl
+++ b/charts/oam-runtime/templates/_helpers.tpl
@@ -1,63 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "oam-runtime.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "oam-runtime.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "oam-runtime.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Common labels
-*/}}
-{{- define "oam-runtime.labels" -}}
-helm.sh/chart: {{ include "oam-runtime.chart" . }}
-{{ include "oam-runtime.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end -}}
-
-{{/*
-Selector labels
-*/}}
-{{- define "oam-runtime.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "oam-runtime.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end -}}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "oam-runtime.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create -}}
-    {{ default (include "oam-runtime.fullname" .) .Values.serviceAccount.name }}
-{{- else -}}
-    {{ default "default" .Values.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
--- a/charts/oam-runtime/templates/admission-webhooks/job-patch/clusterrole.yaml
+++ b/charts/oam-runtime/templates/admission-webhooks/job-patch/clusterrole.yaml
@@ -1,28 +0,0 @@
-{{- if and .Values.admissionWebhooks.enabled .Values.admissionWebhooks.patch.enabled .Values.rbac.create (not .Values.admissionWebhooks.certManager.enabled) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name:  {{ template "oam-runtime.fullname" . }}-admission
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-  labels:
-    app: {{ template "oam-runtime.name" . }}-admission
-    {{- include "oam-runtime.labels" . | nindent 4 }}
-rules:
-  - apiGroups:
-      - admissionregistration.k8s.io
-    resources:
-      - validatingwebhookconfigurations
-      - mutatingwebhookconfigurations
-    verbs:
-      - get
-      - update
-  - apiGroups:
-      - apiextensions.k8s.io
-    resources:
-      - customresourcedefinitions
-    verbs:
-      - get
-      - update
-{{- end }}
--- a/charts/oam-runtime/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
+++ b/charts/oam-runtime/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
@@ -1,20 +0,0 @@
-{{- if and .Values.admissionWebhooks.enabled .Values.admissionWebhooks.patch.enabled .Values.rbac.create (not .Values.admissionWebhooks.certManager.enabled) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name:  {{ template "oam-runtime.fullname" . }}-admission
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-  labels:
-    app: {{ template "oam-runtime.name" . }}-admission
-    {{- include "oam-runtime.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ template "oam-runtime.fullname" . }}-admission
-subjects:
-  - kind: ServiceAccount
-    name: {{ template "oam-runtime.fullname" . }}-admission
-    namespace: {{ .Release.Namespace }}
-{{- end }}
--- a/charts/oam-runtime/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/oam-runtime/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -1,54 +0,0 @@
-{{- if and .Values.admissionWebhooks.enabled .Values.admissionWebhooks.patch.enabled (not .Values.admissionWebhooks.certManager.enabled) }}
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name:  {{ template "oam-runtime.fullname" . }}-admission-create
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-  labels:
-    app: {{ template "oam-runtime.name" . }}-admission-create
-    {{- include "oam-runtime.labels" . | nindent 4 }}
-spec:
-  {{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
-  # Alpha feature since k8s 1.12
-  ttlSecondsAfterFinished: 0
-  {{- end }}
-  template:
-    metadata:
-      name:  {{ template "oam-runtime.fullname" . }}-admission-create
-      labels:
-        app: {{ template "oam-runtime.name" . }}-admission-create
-        {{- include "oam-runtime.labels" . | nindent 8 }}
-    spec:
-      containers:
-        - name: create
-          image: {{ .Values.imageRegistry }}{{ .Values.admissionWebhooks.patch.image.repository }}:{{ .Values.admissionWebhooks.patch.image.tag }}
-          imagePullPolicy: {{ .Values.admissionWebhooks.patch.image.pullPolicy }}
-          args:
-            - create
-            - --host={{ template "oam-runtime.name" . }}-webhook,{{ template "oam-runtime.name" . }}-webhook.{{ .Release.Namespace }}.svc
-            - --namespace={{ .Release.Namespace }}
-            - --secret-name={{ template "oam-runtime.fullname" . }}-admission
-            - --key-name=tls.key
-            - --cert-name=tls.crt
-      restartPolicy: OnFailure
-      serviceAccountName: {{ template "oam-runtime.fullname" . }}-admission
-      {{- with .Values.admissionWebhooks.patch.nodeSelector }}
-      nodeSelector:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.admissionWebhooks.patch.affinity }}
-      affinity:
-{{ toYaml . | indent 8 }}
-      {{- end }}
-      {{- with .Values.admissionWebhooks.patch.tolerations }}
-      tolerations:
-{{ toYaml . | indent 8 }}
-      {{- end }}
-      securityContext:
-        runAsGroup: 2000
-        runAsNonRoot: true
-        runAsUser: 2000
-{{- end }}
--- a/charts/oam-runtime/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/oam-runtime/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -1,53 +0,0 @@
-{{- if and .Values.admissionWebhooks.enabled .Values.admissionWebhooks.patch.enabled (not .Values.admissionWebhooks.certManager.enabled) }}
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name:  {{ template "oam-runtime.fullname" . }}-admission-patch
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    "helm.sh/hook": post-install,post-upgrade
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-  labels:
-    app: {{ template "oam-runtime.name" . }}-admission-patch
-    {{- include "oam-runtime.labels" . | nindent 4 }}
-spec:
-  {{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
-  # Alpha feature since k8s 1.12
-  ttlSecondsAfterFinished: 0
-  {{- end }}
-  template:
-    metadata:
-      name:  {{ template "oam-runtime.fullname" . }}-admission-patch
-      labels:
-        app: {{ template "oam-runtime.name" . }}-admission-patch
-        {{- include "oam-runtime.labels" . | nindent 8 }}
-    spec:
-      containers:
-        - name: patch
-          image: {{ .Values.imageRegistry }}{{ .Values.admissionWebhooks.patch.image.repository }}:{{ .Values.admissionWebhooks.patch.image.tag }}
-          imagePullPolicy: {{ .Values.admissionWebhooks.patch.image.pullPolicy }}
-          args:
-            - patch
-            - --webhook-name={{ template "oam-runtime.fullname" . }}-admission
-            - --namespace={{ .Release.Namespace }}
-            - --secret-name={{ template "oam-runtime.fullname" . }}-admission
-            - --patch-failure-policy={{ .Values.admissionWebhooks.failurePolicy }}
-      restartPolicy: OnFailure
-      serviceAccountName: {{ template "oam-runtime.fullname" . }}-admission
-      {{- with .Values.admissionWebhooks.patch.nodeSelector }}
-      nodeSelector:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.admissionWebhooks.patch.affinity }}
-      affinity:
-      {{ toYaml . | indent 8 }}
-      {{- end }}
-      {{- with .Values.admissionWebhooks.patch.tolerations }}
-      tolerations:
-      {{ toYaml . | indent 8 }}
-      {{- end }}
-      securityContext:
-        runAsGroup: 2000
-        runAsNonRoot: true
-        runAsUser: 2000
-{{- end }}
--- a/charts/oam-runtime/templates/admission-webhooks/job-patch/role.yaml
+++ b/charts/oam-runtime/templates/admission-webhooks/job-patch/role.yaml
@@ -1,21 +0,0 @@
-{{- if and .Values.admissionWebhooks.enabled .Values.admissionWebhooks.patch.enabled .Values.rbac.create (not .Values.admissionWebhooks.certManager.enabled) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name:  {{ template "oam-runtime.fullname" . }}-admission
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-  labels:
-    app: {{ template "oam-runtime.name" . }}-admission
-    {{- include "oam-runtime.labels" . | nindent 4 }}
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    verbs:
-      - get
-      - create
-{{- end }}
--- a/charts/oam-runtime/templates/admission-webhooks/job-patch/rolebinding.yaml
+++ b/charts/oam-runtime/templates/admission-webhooks/job-patch/rolebinding.yaml
@@ -1,21 +0,0 @@
-{{- if and .Values.admissionWebhooks.enabled .Values.admissionWebhooks.patch.enabled .Values.rbac.create (not .Values.admissionWebhooks.certManager.enabled) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name:  {{ template "oam-runtime.fullname" . }}-admission
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-  labels:
-    app: {{ template "oam-runtime.name" . }}-admission
-    {{- include "oam-runtime.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ template "oam-runtime.fullname" . }}-admission
-subjects:
-  - kind: ServiceAccount
-    name: {{ template "oam-runtime.fullname" . }}-admission
-    namespace: {{ .Release.Namespace }}
-{{- end }}
--- a/charts/oam-runtime/templates/admission-webhooks/job-patch/serviceaccount.yaml
+++ b/charts/oam-runtime/templates/admission-webhooks/job-patch/serviceaccount.yaml
@@ -1,13 +0,0 @@
-{{- if and .Values.admissionWebhooks.enabled .Values.admissionWebhooks.patch.enabled .Values.rbac.create (not .Values.admissionWebhooks.certManager.enabled) }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name:  {{ template "oam-runtime.fullname" . }}-admission
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-  labels:
-    app: {{ template "oam-runtime.name" . }}-admission
-    {{- include "oam-runtime.labels" . | nindent 4 }}
-{{- end }}
--- a/charts/oam-runtime/templates/admission-webhooks/mutatingWebhookConfiguration.yaml
+++ b/charts/oam-runtime/templates/admission-webhooks/mutatingWebhookConfiguration.yaml
@@ -1,69 +0,0 @@
-{{- if .Values.admissionWebhooks.enabled -}}
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
-  name: {{ template "oam-runtime.fullname" . }}-admission
-  namespace: {{ .Release.Namespace }}
-  {{- if .Values.admissionWebhooks.certManager.enabled }}
-  annotations:
-    cert-manager.io/inject-ca-from: {{ printf "%s/%s-root-cert" .Release.Namespace (include "oam-runtime.fullname" .) | quote }}
-  {{- end }}
-webhooks:
-  - clientConfig:
-      caBundle: Cg==
-      service:
-        name: {{ template "oam-runtime.name" . }}-webhook
-        namespace: {{ .Release.Namespace }}
-        path: /mutating-core-oam-dev-v1alpha2-applicationconfigurations
-    {{- if .Values.admissionWebhooks.patch.enabled  }}
-    failurePolicy: Ignore
-    {{- else }}
-    failurePolicy: Fail
-    {{- end }}
-    name: mutating.core.oam.dev.v1alpha2.applicationconfigurations
-    sideEffects: None
-    rules:
-      - apiGroups:
-          - core.oam.dev
-        apiVersions:
-          - v1alpha2
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - applicationconfigurations
-        scope: Namespaced
-    admissionReviewVersions:
-      - v1beta1
-      - v1
-    timeoutSeconds: 5
-  - clientConfig:
-      caBundle: Cg==
-      service:
-        name: {{ template "oam-runtime.name" . }}-webhook
-        namespace: {{ .Release.Namespace }}
-        path: /mutating-core-oam-dev-v1alpha2-components
-    {{- if .Values.admissionWebhooks.patch.enabled  }}
-    failurePolicy: Ignore
-    {{- else }}
-    failurePolicy: Fail
-    {{- end }}
-    name: mutating.core.oam-dev.v1alpha2.components
-    sideEffects: None
-    rules:
-      - apiGroups:
-          - core.oam.dev
-        apiVersions:
-          - v1alpha2
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - components
-        scope: Namespaced
-    admissionReviewVersions:
-      - v1beta1
-      - v1
-    timeoutSeconds: 5
-
-{{- end -}}
--- a/charts/oam-runtime/templates/admission-webhooks/validatingWebhookConfiguration.yaml
+++ b/charts/oam-runtime/templates/admission-webhooks/validatingWebhookConfiguration.yaml
@@ -1,69 +0,0 @@
-{{- if .Values.admissionWebhooks.enabled -}}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  name: {{ template "oam-runtime.fullname" . }}-admission
-  namespace: {{ .Release.Namespace }}
-  {{- if .Values.admissionWebhooks.certManager.enabled }}
-  annotations:
-    cert-manager.io/inject-ca-from: {{ printf "%s/%s-root-cert" .Release.Namespace (include "oam-runtime.fullname" .) | quote }}
-  {{- end }}
-webhooks:
-  - clientConfig:
-      caBundle: Cg==
-      service:
-        name: {{ template "oam-runtime.name" . }}-webhook
-        namespace: {{ .Release.Namespace }}
-        path: /validating-core-oam-dev-v1alpha2-applicationconfigurations
-    {{- if .Values.admissionWebhooks.patch.enabled  }}
-    failurePolicy: Ignore
-    {{- else }}
-    failurePolicy: {{ .Values.admissionWebhooks.failurePolicy }}
-    {{- end }}
-    name: validating.core.oam.dev.v1alpha2.applicationconfigurations
-    sideEffects: None
-    rules:
-      - apiGroups:
-          - core.oam.dev
-        apiVersions:
-          - v1alpha2
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - applicationconfigurations
-        scope: Namespaced
-    admissionReviewVersions:
-      - v1beta1
-      - v1
-    timeoutSeconds: 5
-  - clientConfig:
-      caBundle: Cg==
-      service:
-        name: {{ template "oam-runtime.name" . }}-webhook
-        namespace: {{ .Release.Namespace }}
-        path: /validating-core-oam-dev-v1alpha2-components
-    {{- if .Values.admissionWebhooks.patch.enabled  }}
-    failurePolicy: Ignore
-    {{- else }}
-    failurePolicy: {{ .Values.admissionWebhooks.failurePolicy }}
-    {{- end }}
-    name: validating.core.oam.dev.v1alpha2.components
-    sideEffects: None
-    rules:
-      - apiGroups:
-          - core.oam.dev
-        apiVersions:
-          - v1alpha2
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - components
-        scope: Namespaced
-    admissionReviewVersions:
-      - v1beta1
-      - v1
-    timeoutSeconds: 5
-          
-{{- end -}}
--- a/charts/oam-runtime/templates/admission-webhooks/webhookService.yaml
+++ b/charts/oam-runtime/templates/admission-webhooks/webhookService.yaml
@@ -1,19 +0,0 @@
-{{- if .Values.admissionWebhooks.enabled -}}
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ template "oam-runtime.name" . }}-webhook
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "oam-runtime.labels" . | nindent 4 }}
-spec:
-  type: {{ .Values.webhookService.type }}
-  ports:
-    - port: 443
-      targetPort: {{ .Values.webhookService.port }}
-      protocol: TCP
-      name: https
-  selector:
-    {{ include "oam-runtime.selectorLabels" . | nindent 6 }}
-
-{{- end -}}
--- a/charts/oam-runtime/templates/certmanager.yaml
+++ b/charts/oam-runtime/templates/certmanager.yaml
@@ -1,55 +0,0 @@
-{{- if and .Values.admissionWebhooks.certManager.enabled -}}
-
-# The following manifests contain a self-signed issuer CR and a certificate CR.
-# More document can be found at https://docs.cert-manager.io
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: {{ template "oam-runtime.fullname" . }}-self-signed-issuer
-spec:
-  selfSigned: {}
-
---
-# Generate a CA Certificate used to sign certificates for the webhook
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: {{ template "oam-runtime.fullname" . }}-root-cert
-spec:
-  secretName: {{ template "oam-runtime.fullname" . }}-root-cert
-  duration: 43800h # 5y
-  revisionHistoryLimit: {{ .Values.admissionWebhooks.certManager.revisionHistoryLimit }}
-  issuerRef:
-    name: {{ template "oam-runtime.fullname" . }}-self-signed-issuer
-  commonName: "ca.webhook.oam-runtime"
-  isCA: true
-  
---
-# Create an Issuer that uses the above generated CA certificate to issue certs
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: {{ template "oam-runtime.fullname" . }}-root-issuer
-  namespace: {{ .Release.Namespace }}
-spec:
-  ca:
-    secretName: {{ template "oam-runtime.fullname" . }}-root-cert
-
---
-# generate a serving certificate for the apiservices to use
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: {{ template "oam-runtime.fullname" . }}-admission
-  namespace: {{ .Release.Namespace }}
-spec:
-  secretName: {{ template "oam-runtime.fullname" . }}-admission
-  duration: 8760h # 1y
-  revisionHistoryLimit: {{ .Values.admissionWebhooks.certManager.revisionHistoryLimit }}
-  issuerRef:
-    name: {{ template "oam-runtime.fullname" . }}-root-issuer
-  dnsNames:
-    - {{ template "oam-runtime.name" . }}-webhook.{{ .Release.Namespace }}.svc
-    - {{ template "oam-runtime.name" . }}-webhook.{{ .Release.Namespace }}.svc.cluster.local
-
-{{- end }}
--- a/charts/oam-runtime/templates/definitions/healthscopes.yaml
+++ b/charts/oam-runtime/templates/definitions/healthscopes.yaml
@@ -1,10 +0,0 @@
-apiVersion: core.oam.dev/v1beta1
-kind: ScopeDefinition
-metadata:
-  name: healthscopes.core.oam.dev
-  namespace: {{.Values.systemDefinitionNamespace}}
-spec:
-  workloadRefsPath: spec.workloadRefs
-  allowComponentOverlap: true
-  definitionRef:
-    name: healthscopes.core.oam.dev
--- a/charts/oam-runtime/templates/oam-runtime-controller.yaml
+++ b/charts/oam-runtime/templates/oam-runtime-controller.yaml
@@ -1,177 +0,0 @@
---
-
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "oam-runtime.serviceAccountName" . }}
-  labels:
-    {{- include "oam-runtime.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-  {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}
-
---
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ include "oam-runtime.fullname" . }}:manager-rolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: "cluster-admin"
-subjects:
-  - kind: ServiceAccount
-    name: {{ include "oam-runtime.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
-
---
-# permissions to do leader election.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ include "oam-runtime.fullname" . }}:leader-election-role
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    verbs:
-      - get
-      - list
-      - watch
-      - create
-      - update
-      - patch
-      - delete
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps/status
-    verbs:
-      - get
-      - update
-      - patch
-  - apiGroups:
-      - ""
-    resources:
-      - events
-    verbs:
-      - create
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ include "oam-runtime.fullname" . }}:leader-election-rolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ include "oam-runtime.fullname" . }}:leader-election-role
-subjects:
-  - kind: ServiceAccount
-    name: {{ include "oam-runtime.serviceAccountName" . }}
-
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "oam-runtime.fullname" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-  {{- include "oam-runtime.labels" . | nindent 4 }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-  {{- include "oam-runtime.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      labels:
-    {{- include "oam-runtime.selectorLabels" . | nindent 8 }}
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "oam-runtime.serviceAccountName" . }}
-      securityContext:
-      {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      containers:
-        - name: {{ .Release.Name }}
-          securityContext:
-          {{- toYaml .Values.securityContext | nindent 12 }}
-          args:
-            - "--metrics-addr=:8080"
-            - "--enable-leader-election"
-            {{ if ne .Values.logFilePath "" }}
-            - "--log-file-path={{ .Values.logFilePath }}"
-            - "--log-file-max-size={{ .Values.logFileMaxSize }}"
-            {{ end }}
-            {{ if .Values.logDebug }}
-            - "--log-debug=true"
-            {{ end }}
-            {{ if .Values.admissionWebhooks.enabled }}
-            - "--use-webhook=true"
-            - "--webhook-port={{ .Values.webhookService.port }}"
-            - "--webhook-cert-dir={{ .Values.admissionWebhooks.certificate.mountPath }}"
-            {{ end }}
-            - "--health-addr=:{{ .Values.healthCheck.port }}"
-            - "--apply-once-only={{ .Values.applyOnceOnly }}"
-            {{ if ne .Values.disableCaps "" }}
-            - "--disable-caps={{ .Values.disableCaps }}"
-            {{ end }}
-            - "--system-definition-namespace={{ .Values.systemDefinitionNamespace }}"
-            - "--oam-spec-ver={{ .Values.OAMSpecVer }}"
-            - "--concurrent-reconciles={{ .Values.concurrentReconciles }}"
-          image: {{ .Values.imageRegistry }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
-          imagePullPolicy: {{ quote .Values.image.pullPolicy }}
-          resources:
-          {{- toYaml .Values.resources | nindent 12 }}
-          {{ if .Values.admissionWebhooks.enabled }}
-          ports:
-            - containerPort: {{ .Values.webhookService.port }}
-              name: webhook-server
-              protocol: TCP
-            - containerPort: {{ .Values.healthCheck.port }}
-              name: healthz
-              protocol: TCP
-          readinessProbe:
-            httpGet:
-              path: /readyz
-              port: healthz
-            initialDelaySeconds: 90
-            periodSeconds: 5
-          livenessProbe:
-            httpGet:
-              path: /healthz
-              port: healthz
-            initialDelaySeconds: 90
-            periodSeconds: 5
-          volumeMounts:
-            - mountPath: {{ .Values.admissionWebhooks.certificate.mountPath }}
-              name: tls-cert-vol
-              readOnly: true
-          {{ end }}
-      {{ if .Values.admissionWebhooks.enabled }}
-      volumes:
-        - name: tls-cert-vol
-          secret:
-            defaultMode: 420
-            secretName: {{ template "oam-runtime.fullname" . }}-admission
-      {{ end }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-    {{- toYaml . | nindent 8 }}
-  {{- end }}
--- a/charts/oam-runtime/templates/test/test-application.yaml
+++ b/charts/oam-runtime/templates/test/test-application.yaml
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: {{ include "oam-runtime.fullname" . }}-test-connection
-  labels:
-  {{- include "oam-runtime.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": test-success
-spec:
-  containers:
-    - name: wget
-      image: {{ .Values.imageRegistry }}{{ .Values.test.app.repository }}:{{ .Values.test.app.tag }}
-      command: ['wget']
-      args: ['{{ include "oam-runtime.fullname" . }}:{{ .Values.healthCheck.port }}']
-  restartPolicy: Never
--- a/charts/oam-runtime/values.yaml
+++ b/charts/oam-runtime/values.yaml
@@ -1,109 +0,0 @@
-# Default values for kubevela.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-replicaCount: 1
-# Valid applyOnceOnly values: true/false/on/off/force
-applyOnceOnly: "off"
-
-disableCaps: "all"
-
-imageRegistry: ""
-image:
-  repository: oamdev/vela-core
-  tag: latest
-  pullPolicy: Always
-
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-
-serviceAccount:
-  # Specifies whether a service account should be created
-  create: true
-  # Annotations to add to the service account
-  annotations: {}
-  # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
-  name:
-
-podSecurityContext: {}
-  # fsGroup: 2000
-
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
-
-resources:
-  limits:
-    cpu: 500m
-    memory: 1Gi
-  requests:
-    cpu: 50m
-    memory: 20Mi
-
-webhookService:
-  type: ClusterIP
-  port: 11443
-
-healthCheck:
-  port: 11440
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
-
-rbac:
-  create: true
-
-admissionWebhooks:
-  enabled: true
-  failurePolicy: Fail
-  certificate:
-    mountPath: /etc/k8s-webhook-certs
-  patch:
-    enabled: true
-    image:
-      repository: oamdev/kube-webhook-certgen
-      tag: v2.3
-      pullPolicy: IfNotPresent
-    nodeSelector: {}
-    affinity: {}
-    tolerations: []
-  certManager:
-    enabled: false
-    revisionHistoryLimit: 3
-  # If autoGenWorkloadDefinition is true, webhook will auto generated workloadDefinition which componentDefinition refers to
-  autoGenWorkloadDefinition: true
-
-#Enable debug logs for development purpose
-logDebug: false
-
-#If non-empty, write log files in this path
-logFilePath: ""
-
-#Defines the maximum size a log file can grow to. Unit is megabytes.
-#If the value is 0, the maximum file size is unlimited.
-logFileMaxSize: 1024
-
-systemDefinitionNamespace: oam-runtime-system
-
-# concurrentReconciles is the concurrent reconcile number of the controller
-concurrentReconciles: 4
-
-# dependCheckWait is the time to wait for ApplicationConfiguration's dependent-resource ready
-dependCheckWait: 30s
-
-# OAMSpecVer is the oam spec version controller want to setup
-OAMSpecVer: "v0.2"
-
-test:
-  app:
-    repository: oamdev/busybox
-    tag: v1
--- a/charts/vela-core/README.md
+++ b/charts/vela-core/README.md
@@ -53,11 +53,12 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai

 ### KubeVela workflow parameters

-| Name                                   | Description                                            | Value |
-| -------------------------------------- | ------------------------------------------------------ | ----- |
-| `workflow.backoff.maxTime.waitState`   | The max backoff time of workflow in a wait condition   | `60`  |
-| `workflow.backoff.maxTime.failedState` | The max backoff time of workflow in a failed condition | `300` |
-| `workflow.step.errorRetryTimes`        | The max retry times of a failed workflow step          | `10`  |
+| Name                                   | Description                                            | Value   |
+| -------------------------------------- | ------------------------------------------------------ | ------- |
+| `workflow.enableSuspendOnFailure`      | Enable suspend on workflow failure                     | `false` |
+| `workflow.backoff.maxTime.waitState`   | The max backoff time of workflow in a wait condition   | `60`    |
+| `workflow.backoff.maxTime.failedState` | The max backoff time of workflow in a failed condition | `300`   |
+| `workflow.step.errorRetryTimes`        | The max retry times of a failed workflow step          | `10`    |


 ### KubeVela controller parameters
@@ -92,6 +93,7 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 | `optimize.enableInMemoryWorkflowContext`          | Optimize workflow by use in-memory context.                                                                                                       | `false` |
 | `optimize.disableResourceApplyDoubleCheck`        | Optimize workflow by ignoring resource double check after apply.                                                                                  | `false` |
 | `optimize.enableResourceTrackerDeleteOnlyTrigger` | Optimize resourcetracker by only trigger reconcile when resourcetracker is deleted.                                                               | `true`  |
+| `featureGates.enableLegacyComponentRevision`      | if disabled, only component with rollout trait will create component revisions                                                                    | `false` |


 ### MultiCluster parameters
@@ -103,7 +105,7 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 | `multicluster.clusterGateway.replicaCount`                  | ClusterGateway replica count                    | `1`                              |
 | `multicluster.clusterGateway.port`                          | ClusterGateway port                             | `9443`                           |
 | `multicluster.clusterGateway.image.repository`              | ClusterGateway image repository                 | `oamdev/cluster-gateway`         |
-| `multicluster.clusterGateway.image.tag`                     | ClusterGateway image tag                        | `v1.3.2`                         |
+| `multicluster.clusterGateway.image.tag`                     | ClusterGateway image tag                        | `v1.4.0`                         |
 | `multicluster.clusterGateway.image.pullPolicy`              | ClusterGateway image pull policy                | `IfNotPresent`                   |
 | `multicluster.clusterGateway.resources.limits.cpu`          | ClusterGateway cpu limit                        | `100m`                           |
 | `multicluster.clusterGateway.resources.limits.memory`       | ClusterGateway memory limit                     | `200Mi`                          |
--- a/charts/vela-core/crds/core.oam.dev_applicationrevisions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_applicationrevisions.yaml
@@ -856,7 +856,7 @@ spec:
                          steps:
                            items:
                              description: WorkflowStepStatus record the status of
-                                a workflow step
+                                a workflow step, include step status and subStep status
                              properties:
                                firstExecuteTime:
                                  description: FirstExecuteTime is the first time
@@ -887,45 +887,44 @@ spec:
                                    state.
                                  type: string
                                subSteps:
-                                  description: SubStepsStatus record the status of
-                                    workflow steps.
-                                  properties:
-                                    mode:
-                                      description: WorkflowMode describes the mode
-                                        of workflow
-                                      type: string
-                                    stepIndex:
-                                      type: integer
-                                    steps:
-                                      items:
-                                        description: WorkflowSubStepStatus record
-                                          the status of a workflow step
-                                        properties:
-                                          id:
-                                            type: string
-                                          message:
-                                            description: A human readable message
-                                              indicating details about why the workflowStep
-                                              is in this state.
-                                            type: string
-                                          name:
-                                            type: string
-                                          phase:
-                                            description: WorkflowStepPhase describes
-                                              the phase of a workflow step.
-                                            type: string
-                                          reason:
-                                            description: A brief CamelCase message
-                                              indicating details about why the workflowStep
-                                              is in this state.
-                                            type: string
-                                          type:
-                                            type: string
-                                        required:
-                                        - id
-                                        type: object
-                                      type: array
-                                  type: object
+                                  items:
+                                    description: WorkflowSubStepStatus record the
+                                      status of a workflow subStep
+                                    properties:
+                                      firstExecuteTime:
+                                        description: FirstExecuteTime is the first
+                                          time this step execution.
+                                        format: date-time
+                                        type: string
+                                      id:
+                                        type: string
+                                      lastExecuteTime:
+                                        description: LastExecuteTime is the last time
+                                          this step execution.
+                                        format: date-time
+                                        type: string
+                                      message:
+                                        description: A human readable message indicating
+                                          details about why the workflowStep is in
+                                          this state.
+                                        type: string
+                                      name:
+                                        type: string
+                                      phase:
+                                        description: WorkflowStepPhase describes the
+                                          phase of a workflow step.
+                                        type: string
+                                      reason:
+                                        description: A brief CamelCase message indicating
+                                          details about why the workflowStep is in
+                                          this state.
+                                        type: string
+                                      type:
+                                        type: string
+                                    required:
+                                    - id
+                                    type: object
+                                  type: array
                                type:
                                  type: string
                              required:
@@ -2199,6 +2198,17 @@ spec:
                          a context in annotation. - should mark "finish" phase in
                          status.conditions.'
                        properties:
+                          mode:
+                            description: WorkflowExecuteMode defines the mode of workflow
+                              execution
+                            properties:
+                              steps:
+                                description: WorkflowMode describes the mode of workflow
+                                type: string
+                              subSteps:
+                                description: WorkflowMode describes the mode of workflow
+                                type: string
+                            type: object
                          ref:
                            type: string
                          steps:
@@ -2210,6 +2220,8 @@ spec:
                                  items:
                                    type: string
                                  type: array
+                                if:
+                                  type: string
                                inputs:
                                  description: StepInputs defines variable input of
                                    WorkflowStep
@@ -2224,6 +2236,13 @@ spec:
                                    - parameterKey
                                    type: object
                                  type: array
+                                meta:
+                                  description: WorkflowStepMeta contains the meta
+                                    data of a workflow step
+                                  properties:
+                                    alias:
+                                      type: string
+                                  type: object
                                name:
                                  description: Name is the unique name of the workflow
                                    step.
@@ -2245,6 +2264,70 @@ spec:
                                properties:
                                  type: object
                                  x-kubernetes-preserve-unknown-fields: true
+                                subSteps:
+                                  items:
+                                    description: WorkflowSubStep defines how to execute
+                                      a workflow subStep.
+                                    properties:
+                                      dependsOn:
+                                        items:
+                                          type: string
+                                        type: array
+                                      if:
+                                        type: string
+                                      inputs:
+                                        description: StepInputs defines variable input
+                                          of WorkflowStep
+                                        items:
+                                          properties:
+                                            from:
+                                              type: string
+                                            parameterKey:
+                                              type: string
+                                          required:
+                                          - from
+                                          - parameterKey
+                                          type: object
+                                        type: array
+                                      meta:
+                                        description: WorkflowStepMeta contains the
+                                          meta data of a workflow step
+                                        properties:
+                                          alias:
+                                            type: string
+                                        type: object
+                                      name:
+                                        description: Name is the unique name of the
+                                          workflow step.
+                                        type: string
+                                      outputs:
+                                        description: StepOutputs defines output variable
+                                          of WorkflowStep
+                                        items:
+                                          properties:
+                                            name:
+                                              type: string
+                                            valueFrom:
+                                              type: string
+                                          required:
+                                          - name
+                                          - valueFrom
+                                          type: object
+                                        type: array
+                                      properties:
+                                        type: object
+                                        x-kubernetes-preserve-unknown-fields: true
+                                      timeout:
+                                        type: string
+                                      type:
+                                        type: string
+                                    required:
+                                    - name
+                                    - type
+                                    type: object
+                                  type: array
+                                timeout:
+                                  type: string
                                type:
                                  type: string
                              required:
@@ -2667,7 +2750,7 @@ spec:
                          steps:
                            items:
                              description: WorkflowStepStatus record the status of
-                                a workflow step
+                                a workflow step, include step status and subStep status
                              properties:
                                firstExecuteTime:
                                  description: FirstExecuteTime is the first time
@@ -2698,45 +2781,44 @@ spec:
                                    state.
                                  type: string
                                subSteps:
-                                  description: SubStepsStatus record the status of
-                                    workflow steps.
-                                  properties:
-                                    mode:
-                                      description: WorkflowMode describes the mode
-                                        of workflow
-                                      type: string
-                                    stepIndex:
-                                      type: integer
-                                    steps:
-                                      items:
-                                        description: WorkflowSubStepStatus record
-                                          the status of a workflow step
-                                        properties:
-                                          id:
-                                            type: string
-                                          message:
-                                            description: A human readable message
-                                              indicating details about why the workflowStep
-                                              is in this state.
-                                            type: string
-                                          name:
-                                            type: string
-                                          phase:
-                                            description: WorkflowStepPhase describes
-                                              the phase of a workflow step.
-                                            type: string
-                                          reason:
-                                            description: A brief CamelCase message
-                                              indicating details about why the workflowStep
-                                              is in this state.
-                                            type: string
-                                          type:
-                                            type: string
-                                        required:
-                                        - id
-                                        type: object
-                                      type: array
-                                  type: object
+                                  items:
+                                    description: WorkflowSubStepStatus record the
+                                      status of a workflow subStep
+                                    properties:
+                                      firstExecuteTime:
+                                        description: FirstExecuteTime is the first
+                                          time this step execution.
+                                        format: date-time
+                                        type: string
+                                      id:
+                                        type: string
+                                      lastExecuteTime:
+                                        description: LastExecuteTime is the last time
+                                          this step execution.
+                                        format: date-time
+                                        type: string
+                                      message:
+                                        description: A human readable message indicating
+                                          details about why the workflowStep is in
+                                          this state.
+                                        type: string
+                                      name:
+                                        type: string
+                                      phase:
+                                        description: WorkflowStepPhase describes the
+                                          phase of a workflow step.
+                                        type: string
+                                      reason:
+                                        description: A brief CamelCase message indicating
+                                          details about why the workflowStep is in
+                                          this state.
+                                        type: string
+                                      type:
+                                        type: string
+                                    required:
+                                    - id
+                                    type: object
+                                  type: array
                                type:
                                  type: string
                              required:
@@ -3905,6 +3987,8 @@ spec:
                          items:
                            type: string
                          type: array
+                        if:
+                          type: string
                        inputs:
                          description: StepInputs defines variable input of WorkflowStep
                          items:
@@ -3918,6 +4002,13 @@ spec:
                            - parameterKey
                            type: object
                          type: array
+                        meta:
+                          description: WorkflowStepMeta contains the meta data of
+                            a workflow step
+                          properties:
+                            alias:
+                              type: string
+                          type: object
                        name:
                          description: Name is the unique name of the workflow step.
                          type: string
@@ -3937,6 +4028,70 @@ spec:
                        properties:
                          type: object
                          x-kubernetes-preserve-unknown-fields: true
+                        subSteps:
+                          items:
+                            description: WorkflowSubStep defines how to execute a
+                              workflow subStep.
+                            properties:
+                              dependsOn:
+                                items:
+                                  type: string
+                                type: array
+                              if:
+                                type: string
+                              inputs:
+                                description: StepInputs defines variable input of
+                                  WorkflowStep
+                                items:
+                                  properties:
+                                    from:
+                                      type: string
+                                    parameterKey:
+                                      type: string
+                                  required:
+                                  - from
+                                  - parameterKey
+                                  type: object
+                                type: array
+                              meta:
+                                description: WorkflowStepMeta contains the meta data
+                                  of a workflow step
+                                properties:
+                                  alias:
+                                    type: string
+                                type: object
+                              name:
+                                description: Name is the unique name of the workflow
+                                  step.
+                                type: string
+                              outputs:
+                                description: StepOutputs defines output variable of
+                                  WorkflowStep
+                                items:
+                                  properties:
+                                    name:
+                                      type: string
+                                    valueFrom:
+                                      type: string
+                                  required:
+                                  - name
+                                  - valueFrom
+                                  type: object
+                                type: array
+                              properties:
+                                type: object
+                                x-kubernetes-preserve-unknown-fields: true
+                              timeout:
+                                type: string
+                              type:
+                                type: string
+                            required:
+                            - name
+                            - type
+                            type: object
+                          type: array
+                        timeout:
+                          type: string
                        type:
                          type: string
                      required:
@@ -4619,7 +4774,7 @@ spec:
                  steps:
                    items:
                      description: WorkflowStepStatus record the status of a workflow
-                        step
+                        step, include step status and subStep status
                      properties:
                        firstExecuteTime:
                          description: FirstExecuteTime is the first time this step
@@ -4648,44 +4803,42 @@ spec:
                            about why the workflowStep is in this state.
                          type: string
                        subSteps:
-                          description: SubStepsStatus record the status of workflow
-                            steps.
-                          properties:
-                            mode:
-                              description: WorkflowMode describes the mode of workflow
-                              type: string
-                            stepIndex:
-                              type: integer
-                            steps:
-                              items:
-                                description: WorkflowSubStepStatus record the status
-                                  of a workflow step
-                                properties:
-                                  id:
-                                    type: string
-                                  message:
-                                    description: A human readable message indicating
-                                      details about why the workflowStep is in this
-                                      state.
-                                    type: string
-                                  name:
-                                    type: string
-                                  phase:
-                                    description: WorkflowStepPhase describes the phase
-                                      of a workflow step.
-                                    type: string
-                                  reason:
-                                    description: A brief CamelCase message indicating
-                                      details about why the workflowStep is in this
-                                      state.
-                                    type: string
-                                  type:
-                                    type: string
-                                required:
-                                - id
-                                type: object
-                              type: array
-                          type: object
+                          items:
+                            description: WorkflowSubStepStatus record the status of
+                              a workflow subStep
+                            properties:
+                              firstExecuteTime:
+                                description: FirstExecuteTime is the first time this
+                                  step execution.
+                                format: date-time
+                                type: string
+                              id:
+                                type: string
+                              lastExecuteTime:
+                                description: LastExecuteTime is the last time this
+                                  step execution.
+                                format: date-time
+                                type: string
+                              message:
+                                description: A human readable message indicating details
+                                  about why the workflowStep is in this state.
+                                type: string
+                              name:
+                                type: string
+                              phase:
+                                description: WorkflowStepPhase describes the phase
+                                  of a workflow step.
+                                type: string
+                              reason:
+                                description: A brief CamelCase message indicating
+                                  details about why the workflowStep is in this state.
+                                type: string
+                              type:
+                                type: string
+                            required:
+                            - id
+                            type: object
+                          type: array
                        type:
                          type: string
                      required:
--- a/charts/vela-core/crds/core.oam.dev_applications.yaml
+++ b/charts/vela-core/crds/core.oam.dev_applications.yaml
@@ -6,18 +6,6 @@ metadata:
    controller-gen.kubebuilder.io/version: v0.6.2
  name: applications.core.oam.dev
 spec:
-  conversion:
-    strategy: Webhook
-    webhook:
-      clientConfig:
-        service:
-          name: vela-core-webhook
-          namespace: vela-system
-          path: /convert
-          port: 443
-      conversionReviewVersions:
-      - v1beta1
-      - v1alpha2
  group: core.oam.dev
  names:
    categories:
@@ -791,7 +779,7 @@ spec:
                  steps:
                    items:
                      description: WorkflowStepStatus record the status of a workflow
-                        step
+                        step, include step status and subStep status
                      properties:
                        firstExecuteTime:
                          description: FirstExecuteTime is the first time this step
@@ -820,44 +808,42 @@ spec:
                            about why the workflowStep is in this state.
                          type: string
                        subSteps:
-                          description: SubStepsStatus record the status of workflow
-                            steps.
-                          properties:
-                            mode:
-                              description: WorkflowMode describes the mode of workflow
-                              type: string
-                            stepIndex:
-                              type: integer
-                            steps:
-                              items:
-                                description: WorkflowSubStepStatus record the status
-                                  of a workflow step
-                                properties:
-                                  id:
-                                    type: string
-                                  message:
-                                    description: A human readable message indicating
-                                      details about why the workflowStep is in this
-                                      state.
-                                    type: string
-                                  name:
-                                    type: string
-                                  phase:
-                                    description: WorkflowStepPhase describes the phase
-                                      of a workflow step.
-                                    type: string
-                                  reason:
-                                    description: A brief CamelCase message indicating
-                                      details about why the workflowStep is in this
-                                      state.
-                                    type: string
-                                  type:
-                                    type: string
-                                required:
-                                - id
-                                type: object
-                              type: array
-                          type: object
+                          items:
+                            description: WorkflowSubStepStatus record the status of
+                              a workflow subStep
+                            properties:
+                              firstExecuteTime:
+                                description: FirstExecuteTime is the first time this
+                                  step execution.
+                                format: date-time
+                                type: string
+                              id:
+                                type: string
+                              lastExecuteTime:
+                                description: LastExecuteTime is the last time this
+                                  step execution.
+                                format: date-time
+                                type: string
+                              message:
+                                description: A human readable message indicating details
+                                  about why the workflowStep is in this state.
+                                type: string
+                              name:
+                                type: string
+                              phase:
+                                description: WorkflowStepPhase describes the phase
+                                  of a workflow step.
+                                type: string
+                              reason:
+                                description: A brief CamelCase message indicating
+                                  details about why the workflowStep is in this state.
+                                type: string
+                              type:
+                                type: string
+                            required:
+                            - id
+                            type: object
+                          type: array
                        type:
                          type: string
                      required:
@@ -1023,6 +1009,17 @@ spec:
                  order, and each step: - will have a context in annotation. - should
                  mark "finish" phase in status.conditions.'
                properties:
+                  mode:
+                    description: WorkflowExecuteMode defines the mode of workflow
+                      execution
+                    properties:
+                      steps:
+                        description: WorkflowMode describes the mode of workflow
+                        type: string
+                      subSteps:
+                        description: WorkflowMode describes the mode of workflow
+                        type: string
+                    type: object
                  ref:
                    type: string
                  steps:
@@ -1034,6 +1031,8 @@ spec:
                          items:
                            type: string
                          type: array
+                        if:
+                          type: string
                        inputs:
                          description: StepInputs defines variable input of WorkflowStep
                          items:
@@ -1047,6 +1046,13 @@ spec:
                            - parameterKey
                            type: object
                          type: array
+                        meta:
+                          description: WorkflowStepMeta contains the meta data of
+                            a workflow step
+                          properties:
+                            alias:
+                              type: string
+                          type: object
                        name:
                          description: Name is the unique name of the workflow step.
                          type: string
@@ -1066,6 +1072,70 @@ spec:
                        properties:
                          type: object
                          x-kubernetes-preserve-unknown-fields: true
+                        subSteps:
+                          items:
+                            description: WorkflowSubStep defines how to execute a
+                              workflow subStep.
+                            properties:
+                              dependsOn:
+                                items:
+                                  type: string
+                                type: array
+                              if:
+                                type: string
+                              inputs:
+                                description: StepInputs defines variable input of
+                                  WorkflowStep
+                                items:
+                                  properties:
+                                    from:
+                                      type: string
+                                    parameterKey:
+                                      type: string
+                                  required:
+                                  - from
+                                  - parameterKey
+                                  type: object
+                                type: array
+                              meta:
+                                description: WorkflowStepMeta contains the meta data
+                                  of a workflow step
+                                properties:
+                                  alias:
+                                    type: string
+                                type: object
+                              name:
+                                description: Name is the unique name of the workflow
+                                  step.
+                                type: string
+                              outputs:
+                                description: StepOutputs defines output variable of
+                                  WorkflowStep
+                                items:
+                                  properties:
+                                    name:
+                                      type: string
+                                    valueFrom:
+                                      type: string
+                                  required:
+                                  - name
+                                  - valueFrom
+                                  type: object
+                                type: array
+                              properties:
+                                type: object
+                                x-kubernetes-preserve-unknown-fields: true
+                              timeout:
+                                type: string
+                              type:
+                                type: string
+                            required:
+                            - name
+                            - type
+                            type: object
+                          type: array
+                        timeout:
+                          type: string
                        type:
                          type: string
                      required:
@@ -1458,7 +1528,7 @@ spec:
                  steps:
                    items:
                      description: WorkflowStepStatus record the status of a workflow
-                        step
+                        step, include step status and subStep status
                      properties:
                        firstExecuteTime:
                          description: FirstExecuteTime is the first time this step
@@ -1487,44 +1557,42 @@ spec:
                            about why the workflowStep is in this state.
                          type: string
                        subSteps:
-                          description: SubStepsStatus record the status of workflow
-                            steps.
-                          properties:
-                            mode:
-                              description: WorkflowMode describes the mode of workflow
-                              type: string
-                            stepIndex:
-                              type: integer
-                            steps:
-                              items:
-                                description: WorkflowSubStepStatus record the status
-                                  of a workflow step
-                                properties:
-                                  id:
-                                    type: string
-                                  message:
-                                    description: A human readable message indicating
-                                      details about why the workflowStep is in this
-                                      state.
-                                    type: string
-                                  name:
-                                    type: string
-                                  phase:
-                                    description: WorkflowStepPhase describes the phase
-                                      of a workflow step.
-                                    type: string
-                                  reason:
-                                    description: A brief CamelCase message indicating
-                                      details about why the workflowStep is in this
-                                      state.
-                                    type: string
-                                  type:
-                                    type: string
-                                required:
-                                - id
-                                type: object
-                              type: array
-                          type: object
+                          items:
+                            description: WorkflowSubStepStatus record the status of
+                              a workflow subStep
+                            properties:
+                              firstExecuteTime:
+                                description: FirstExecuteTime is the first time this
+                                  step execution.
+                                format: date-time
+                                type: string
+                              id:
+                                type: string
+                              lastExecuteTime:
+                                description: LastExecuteTime is the last time this
+                                  step execution.
+                                format: date-time
+                                type: string
+                              message:
+                                description: A human readable message indicating details
+                                  about why the workflowStep is in this state.
+                                type: string
+                              name:
+                                type: string
+                              phase:
+                                description: WorkflowStepPhase describes the phase
+                                  of a workflow step.
+                                type: string
+                              reason:
+                                description: A brief CamelCase message indicating
+                                  details about why the workflowStep is in this state.
+                                type: string
+                              type:
+                                type: string
+                            required:
+                            - id
+                            type: object
+                          type: array
                        type:
                          type: string
                      required:
--- a/charts/vela-core/crds/core.oam.dev_workflows.yaml
+++ b/charts/vela-core/crds/core.oam.dev_workflows.yaml
@@ -42,6 +42,8 @@ spec:
                  items:
                    type: string
                  type: array
+                if:
+                  type: string
                inputs:
                  description: StepInputs defines variable input of WorkflowStep
                  items:
@@ -55,6 +57,13 @@ spec:
                    - parameterKey
                    type: object
                  type: array
+                meta:
+                  description: WorkflowStepMeta contains the meta data of a workflow
+                    step
+                  properties:
+                    alias:
+                      type: string
+                  type: object
                name:
                  description: Name is the unique name of the workflow step.
                  type: string
@@ -74,6 +83,67 @@ spec:
                properties:
                  type: object
                  x-kubernetes-preserve-unknown-fields: true
+                subSteps:
+                  items:
+                    description: WorkflowSubStep defines how to execute a workflow
+                      subStep.
+                    properties:
+                      dependsOn:
+                        items:
+                          type: string
+                        type: array
+                      if:
+                        type: string
+                      inputs:
+                        description: StepInputs defines variable input of WorkflowStep
+                        items:
+                          properties:
+                            from:
+                              type: string
+                            parameterKey:
+                              type: string
+                          required:
+                          - from
+                          - parameterKey
+                          type: object
+                        type: array
+                      meta:
+                        description: WorkflowStepMeta contains the meta data of a
+                          workflow step
+                        properties:
+                          alias:
+                            type: string
+                        type: object
+                      name:
+                        description: Name is the unique name of the workflow step.
+                        type: string
+                      outputs:
+                        description: StepOutputs defines output variable of WorkflowStep
+                        items:
+                          properties:
+                            name:
+                              type: string
+                            valueFrom:
+                              type: string
+                          required:
+                          - name
+                          - valueFrom
+                          type: object
+                        type: array
+                      properties:
+                        type: object
+                        x-kubernetes-preserve-unknown-fields: true
+                      timeout:
+                        type: string
+                      type:
+                        type: string
+                    required:
+                    - name
+                    - type
+                    type: object
+                  type: array
+                timeout:
+                  type: string
                type:
                  type: string
              required:
@@ -89,6 +159,16 @@ spec:
      openAPIV3Schema:
        description: Workflow defines workflow steps and other attributes
        properties:
+          mode:
+            description: WorkflowExecuteMode defines the mode of workflow execution
+            properties:
+              steps:
+                description: WorkflowMode describes the mode of workflow
+                type: string
+              subSteps:
+                description: WorkflowMode describes the mode of workflow
+                type: string
+            type: object
          ref:
            type: string
          steps:
@@ -99,6 +179,8 @@ spec:
                  items:
                    type: string
                  type: array
+                if:
+                  type: string
                inputs:
                  description: StepInputs defines variable input of WorkflowStep
                  items:
@@ -112,6 +194,13 @@ spec:
                    - parameterKey
                    type: object
                  type: array
+                meta:
+                  description: WorkflowStepMeta contains the meta data of a workflow
+                    step
+                  properties:
+                    alias:
+                      type: string
+                  type: object
                name:
                  description: Name is the unique name of the workflow step.
                  type: string
@@ -131,6 +220,67 @@ spec:
                properties:
                  type: object
                  x-kubernetes-preserve-unknown-fields: true
+                subSteps:
+                  items:
+                    description: WorkflowSubStep defines how to execute a workflow
+                      subStep.
+                    properties:
+                      dependsOn:
+                        items:
+                          type: string
+                        type: array
+                      if:
+                        type: string
+                      inputs:
+                        description: StepInputs defines variable input of WorkflowStep
+                        items:
+                          properties:
+                            from:
+                              type: string
+                            parameterKey:
+                              type: string
+                          required:
+                          - from
+                          - parameterKey
+                          type: object
+                        type: array
+                      meta:
+                        description: WorkflowStepMeta contains the meta data of a
+                          workflow step
+                        properties:
+                          alias:
+                            type: string
+                        type: object
+                      name:
+                        description: Name is the unique name of the workflow step.
+                        type: string
+                      outputs:
+                        description: StepOutputs defines output variable of WorkflowStep
+                        items:
+                          properties:
+                            name:
+                              type: string
+                            valueFrom:
+                              type: string
+                          required:
+                          - name
+                          - valueFrom
+                          type: object
+                        type: array
+                      properties:
+                        type: object
+                        x-kubernetes-preserve-unknown-fields: true
+                      timeout:
+                        type: string
+                      type:
+                        type: string
+                    required:
+                    - name
+                    - type
+                    type: object
+                  type: array
+                timeout:
+                  type: string
                type:
                  type: string
              required:
--- a/charts/vela-core/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/vela-core/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -36,7 +36,9 @@ spec:
            - --namespace={{ .Release.Namespace }}
            - --secret-name={{ template "kubevela.fullname" . }}-admission
            - --patch-failure-policy={{ .Values.admissionWebhooks.failurePolicy }}
-            - --crds=applications.core.oam.dev
+            {{- if .Values.admissionWebhooks.appConversion.enabled }}
+            - --crds={"name":"applications.core.oam.dev","conversion":{"strategy":"Webhook","webhook":{"clientConfig":{"service":{"name":"vela-core-webhook","namespace":"vela-system","path":"/convert","port":443}},"conversionReviewVersions":["v1beta1","v1alpha2"]}}}
+            {{- end }}
      restartPolicy: OnFailure
      serviceAccountName: {{ template "kubevela.fullname" . }}-admission
      {{- with .Values.admissionWebhooks.patch.affinity }}
--- a/charts/vela-core/templates/cluster-gateway/certmanager.yaml
+++ b/charts/vela-core/templates/cluster-gateway/certmanager.yaml
@@ -13,7 +13,7 @@ metadata:
  name: {{ template "kubevela.fullname" . }}-cluster-gateway-tls
  namespace: {{ .Release.Namespace }}
 spec:
-  secretName: {{ template "kubevela.fullname" . }}-cluster-gateway-tls
+  secretName: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-v2
  duration: 8760h # 1y
  issuerRef:
    name: {{ template "kubevela.fullname" . }}-cluster-gateway-issuer
--- a/charts/vela-core/templates/cluster-gateway/cluster-gateway.yaml
+++ b/charts/vela-core/templates/cluster-gateway/cluster-gateway.yaml
@@ -31,7 +31,7 @@ spec:
            - "apiserver"
            - "--secure-port={{ .Values.multicluster.clusterGateway.port }}"
            - "--secret-namespace={{ .Release.Namespace }}"
-            - "--feature-gates=APIPriorityAndFairness=false"
+            - "--feature-gates=APIPriorityAndFairness=false,ClientIdentityPenetration={{ .Values.authentication.enabled }}"
            {{- if .Values.multicluster.clusterGateway.secureTLS.enabled }}
            - "--tls-cert-file={{ .Values.multicluster.clusterGateway.secureTLS.certPath }}/tls.crt"
            - "--tls-private-key-file={{ .Values.multicluster.clusterGateway.secureTLS.certPath }}/tls.key"
@@ -53,7 +53,7 @@ spec:
        - name: tls-cert-vol
          secret:
            defaultMode: 420
-            secretName: {{ template "kubevela.fullname" . }}-cluster-gateway-tls
+            secretName: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-v2
      {{ end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
@@ -106,7 +106,7 @@ metadata:
  name: v1alpha1.cluster.core.oam.dev
  annotations:
    {{- if and .Values.multicluster.clusterGateway.secureTLS.enabled .Values.multicluster.clusterGateway.secureTLS.certManager.enabled }}
-    cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ template "kubevela.fullname" . }}-cluster-gateway-tls"
+    cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ template "kubevela.fullname" . }}-cluster-gateway-tls-v2"
    {{- end }}
  labels:
    api: cluster-extension-apiserver
@@ -129,7 +129,7 @@ spec:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-role
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway:proxy
 rules:
  - apiGroups: [ "cluster.core.oam.dev" ]
    resources: [ "clustergateways/proxy" ]
@@ -138,13 +138,16 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-rolebinding
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway:proxy
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-role
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway:proxy
 subjects:
  - kind: Group
-    name: cluster-gateway-accessor
+    name: kubevela:client
    apiGroup: rbac.authorization.k8s.io
+  - kind: ServiceAccount
+    name: {{ include "kubevela.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
 {{ end }}
--- a/charts/vela-core/templates/cluster-gateway/job-patch.yaml
+++ b/charts/vela-core/templates/cluster-gateway/job-patch.yaml
@@ -86,7 +86,7 @@ spec:
          - create
          - --host={{ .Release.Name }}-cluster-gateway-service,{{ .Release.Name }}-cluster-gateway-service.{{ .Release.Namespace }}.svc
          - --namespace={{ .Release.Namespace }}
-          - --secret-name={{ template "kubevela.fullname" . }}-cluster-gateway-tls
+          - --secret-name={{ template "kubevela.fullname" . }}-cluster-gateway-tls-v2
          - --cert-name=tls.crt
          - --key-name=tls.key
      restartPolicy: OnFailure
@@ -131,7 +131,7 @@ spec:
          - /patch
        args:
          - --secret-namespace={{ .Release.Namespace }}
-          - --secret-name={{ template "kubevela.fullname" . }}-cluster-gateway-tls
+          - --secret-name={{ template "kubevela.fullname" . }}-cluster-gateway-tls-v2
      restartPolicy: OnFailure
      serviceAccountName: {{ include "kubevela.serviceAccountName" . }}
      securityContext:
--- a/charts/vela-core/templates/defwithtemplate/affinity.yaml
+++ b/charts/vela-core/templates/defwithtemplate/affinity.yaml
@@ -0,0 +1,186 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/affinity.cue
+apiVersion: core.oam.dev/v1beta1
+kind: TraitDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Affinity specifies affinity and toleration K8s pod for your workload which follows the pod spec in path 'spec.template'.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
+  name: affinity
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  appliesToWorkloads:
+    - '*'
+  podDisruptive: true
+  schematic:
+    cue:
+      template: |
+        patch: spec: template: spec: {
+        	if parameter.podAffinity != _|_ {
+        		affinity: podAffinity: {
+        			if parameter.podAffinity.required != _|_ {
+        				requiredDuringSchedulingIgnoredDuringExecution: [
+        					for k in parameter.podAffinity.required {
+        						if k.labelSelector != _|_ {
+        							labelSelector: k.labelSelector
+        						}
+        						if k.namespace != _|_ {
+        							namespace: k.namespace
+        						}
+        						topologyKey: k.topologyKey
+        						if k.namespaceSelector != _|_ {
+        							namespaceSelector: k.namespaceSelector
+        						}
+        					}]
+        			}
+        			if parameter.podAffinity.preferred != _|_ {
+        				preferredDuringSchedulingIgnoredDuringExecution: [
+        					for k in parameter.podAffinity.preferred {
+        						weight:          k.weight
+        						podAffinityTerm: k.podAffinityTerm
+        					}]
+        			}
+        		}
+        	}
+        	if parameter.podAntiAffinity != _|_ {
+        		affinity: podAntiAffinity: {
+        			if parameter.podAntiAffinity.required != _|_ {
+        				requiredDuringSchedulingIgnoredDuringExecution: [
+        					for k in parameter.podAntiAffinity.required {
+        						if k.labelSelector != _|_ {
+        							labelSelector: k.labelSelector
+        						}
+        						if k.namespace != _|_ {
+        							namespace: k.namespace
+        						}
+        						topologyKey: k.topologyKey
+        						if k.namespaceSelector != _|_ {
+        							namespaceSelector: k.namespaceSelector
+        						}
+        					}]
+        			}
+        			if parameter.podAntiAffinity.preferred != _|_ {
+        				preferredDuringSchedulingIgnoredDuringExecution: [
+        					for k in parameter.podAntiAffinity.preferred {
+        						weight:          k.weight
+        						podAffinityTerm: k.podAffinityTerm
+        					}]
+        			}
+        		}
+        	}
+        	if parameter.nodeAffinity != _|_ {
+        		affinity: nodeAffinity: {
+        			if parameter.nodeAffinity.required != _|_ {
+        				requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: [
+        					for k in parameter.nodeAffinity.required.nodeSelectorTerms {
+        						if k.matchExpressions != _|_ {
+        							matchExpressions: k.matchExpressions
+        						}
+        						if k.matchFields != _|_ {
+        							matchFields: k.matchFields
+        						}
+        					}]
+        			}
+        			if parameter.nodeAffinity.preferred != _|_ {
+        				preferredDuringSchedulingIgnoredDuringExecution: [
+        					for k in parameter.nodeAffinity.preferred {
+        						weight:     k.weight
+        						preference: k.preference
+        					}]
+        			}
+        		}
+        	}
+        	if parameter.tolerations != _|_ {
+        		tolerations: [
+        			for k in parameter.tolerations {
+        				if k.key != _|_ {
+        					key: k.key
+        				}
+        				if k.effect != _|_ {
+        					effect: k.effect
+        				}
+        				if k.value != _|_ {
+        					value: k.value
+        				}
+        				operator: k.operator
+        				if k.tolerationSeconds != _|_ {
+        					tolerationSeconds: k.tolerationSeconds
+        				}
+        			}]
+        	}
+        }
+        #labelSelector: {
+        	matchLabels?: [string]: string
+        	matchExpressions?: [...{
+        		key:      string
+        		operator: *"In" | "NotIn" | "Exists" | "DoesNotExist"
+        		values?: [...string]
+        	}]
+        }
+        #podAffinityTerm: {
+        	labelSelector?: #labelSelector
+        	namespaces?: [...string]
+        	topologyKey:        string
+        	namespaceSelector?: #labelSelector
+        }
+        #nodeSelecor: {
+        	key:      string
+        	operator: *"In" | "NotIn" | "Exists" | "DoesNotExist" | "Gt" | "Lt"
+        	values?: [...string]
+        }
+        #nodeSelectorTerm: {
+        	matchExpressions?: [...#nodeSelecor]
+        	matchFields?: [...#nodeSelecor]
+        }
+        parameter: {
+        	// +usage=Specify the pod affinity scheduling rules
+        	podAffinity?: {
+        		// +usage=Specify the required during scheduling ignored during execution
+        		required?: [...#podAffinityTerm]
+        		// +usage=Specify the preferred during scheduling ignored during execution
+        		preferred?: [...{
+        			// +usage=Specify weight associated with matching the corresponding podAffinityTerm
+        			weight: int & >=1 & <=100
+        			// +usage=Specify a set of pods
+        			podAffinityTerm: #podAffinityTerm
+        		}]
+        	}
+        	// +usage=Specify the pod anti-affinity scheduling rules
+        	podAntiAffinity?: {
+        		// +usage=Specify the required during scheduling ignored during execution
+        		required?: [...#podAffinityTerm]
+        		// +usage=Specify the preferred during scheduling ignored during execution
+        		preferred?: [...{
+        			// +usage=Specify weight associated with matching the corresponding podAffinityTerm
+        			weight: int & >=1 & <=100
+        			// +usage=Specify a set of pods
+        			podAffinityTerm: #podAffinityTerm
+        		}]
+        	}
+        	// +usage=Specify the node affinity scheduling rules for the pod
+        	nodeAffinity?: {
+        		// +usage=Specify the required during scheduling ignored during execution
+        		required?: {
+        			// +usage=Specify a list of node selector
+        			nodeSelectorTerms: [...#nodeSelectorTerm]
+        		}
+        		// +usage=Specify the preferred during scheduling ignored during execution
+        		preferred?: [...{
+        			// +usage=Specify weight associated with matching the corresponding nodeSelector
+        			weight: int & >=1 & <=100
+        			// +usage=Specify a node selector
+        			preference: #nodeSelectorTerm
+        		}]
+        	}
+        	// +usage=Specify tolerant taint
+        	tolerations?: [...{
+        		key?:     string
+        		operator: *"Equal" | "Exists"
+        		value?:   string
+        		effect?:  "NoSchedule" | "PreferNoSchedule" | "NoExecute"
+        		// +usage=Specify the period of time the toleration
+        		tolerationSeconds?: int
+        	}]
+        }
+
--- a/charts/vela-core/templates/defwithtemplate/command.yaml
+++ b/charts/vela-core/templates/defwithtemplate/command.yaml
@@ -106,7 +106,7 @@ spec:
        		}]
        	}
        }
-        parameter: #PatchParams | close({
+        parameter: *#PatchParams | close({
        	// +usage=Specify the commands for multiple containers
        	containers: [...#PatchParams]
        })
--- a/charts/vela-core/templates/defwithtemplate/config-image-registry.yaml
+++ b/charts/vela-core/templates/defwithtemplate/config-image-registry.yaml
@@ -20,6 +20,7 @@ spec:
        import (
        	"encoding/base64"
        	"encoding/json"
+        	"strconv"
        )

        output: {
@@ -42,21 +43,29 @@ spec:
        	if parameter.auth == _|_ {
        		type: "Opaque"
        	}
-        	if parameter.auth != _|_ {
-        		stringData: ".dockerconfigjson": json.Marshal({
-        			auths: "\(parameter.registry)": {
-        				username: parameter.auth.username
-        				password: parameter.auth.password
-        				if parameter.auth.email != _|_ {
-        					email: parameter.auth.email
+        	stringData: {
+        		if parameter.auth != _|_ && parameter.auth.username != _|_ {
+        			".dockerconfigjson": json.Marshal({
+        				auths: "\(parameter.registry)": {
+        					username: parameter.auth.username
+        					password: parameter.auth.password
+        					if parameter.auth.email != _|_ {
+        						email: parameter.auth.email
+        					}
+        					auth: base64.Encode(null, (parameter.auth.username + ":" + parameter.auth.password))
        				}
-        				auth: base64.Encode(null, (parameter.auth.username + ":" + parameter.auth.password))
-        			}
-        		})
+        			})
+        		}
+        		if parameter.insecure != _|_ {
+        			"insecure-skip-verify": strconv.FormatBool(parameter.insecure)
+        		}
+        		if parameter.useHTTP != _|_ {
+        			"protocol-use-http": strconv.FormatBool(parameter.useHTTP)
+        		}
        	}
        }
        parameter: {
-        	// +usage=Image registry FQDN
+        	// +usage=Image registry FQDN, such as: index.docker.io
        	registry: string
        	// +usage=Authenticate the image registry
        	auth?: {
@@ -67,6 +76,10 @@ spec:
        		// +usage=Private Image registry email
        		email?: string
        	}
+        	// +usage=For the registry server that uses the self-signed certificate
+        	insecure?: bool
+        	// +usage=For the registry server that uses the HTTP protocol
+        	useHTTP?: bool
        }
  workload:
    type: autodetects.core.oam.dev
--- a/charts/vela-core/templates/defwithtemplate/container-image.yaml
+++ b/charts/vela-core/templates/defwithtemplate/container-image.yaml
@@ -5,6 +5,8 @@ kind: TraitDefinition
 metadata:
  annotations:
    definition.oam.dev/description: Set the image of the container.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
  name: container-image
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
@@ -69,7 +71,7 @@ spec:
        		}]
        	}
        }
-        parameter: #PatchParams | close({
+        parameter: *#PatchParams | close({
        	// +usage=Specify the container image for multiple containers
        	containers: [...#PatchParams]
        })
--- a/charts/vela-core/templates/defwithtemplate/cron-task.yaml
+++ b/charts/vela-core/templates/defwithtemplate/cron-task.yaml
@@ -196,14 +196,14 @@ spec:
        		// +usage=Specifies a source the value of this var should come from
        		valueFrom?: {
        			// +usage=Selects a key of a secret in the pod's namespace
-        			secretKeyRef: {
+        			secretKeyRef?: {
        				// +usage=The name of the secret in the pod's namespace to select from
        				name: string
        				// +usage=The key of the secret to select from. Must be a valid secret key
        				key: string
        			}
        			// +usage=Selects a key of a config map in the pod's namespace
-        			configMapKeyRef: {
+        			configMapKeyRef?: {
        				// +usage=The name of the config map in the pod's namespace to select from
        				name: string
        				// +usage=The key of the config map to select from. Must be a valid secret key
--- a/charts/vela-core/templates/defwithtemplate/deploy.yaml
+++ b/charts/vela-core/templates/defwithtemplate/deploy.yaml
@@ -16,12 +16,18 @@ spec:
        )

        deploy: op.#Deploy & {
-        	policies:    parameter.policies
-        	parallelism: parameter.parallelism
+        	policies:                 parameter.policies
+        	parallelism:              parameter.parallelism
+        	ignoreTerraformComponent: parameter.ignoreTerraformComponent
        }
        parameter: {
+        	//+usage=If set false, the workflow will be suspend before this step.
        	auto: *true | bool
+        	//+usage=Declare the policies used for this step.
        	policies?: [...string]
+        	//+usage=Maximum number of concurrent delivered components.
        	parallelism: *5 | int
+        	//+usage=If set false, this step will apply the components with the terraform workload.
+        	ignoreTerraformComponent: *true | bool
        }

--- a/charts/vela-core/templates/defwithtemplate/deploy2env.yaml
+++ b/charts/vela-core/templates/defwithtemplate/deploy2env.yaml
@@ -5,6 +5,8 @@ kind: WorkflowStepDefinition
 metadata:
  annotations:
    definition.oam.dev/description: Deploy env binding component to target env
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
  name: deploy2env
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-core/templates/defwithtemplate/env.yaml
+++ b/charts/vela-core/templates/defwithtemplate/env.yaml
@@ -62,7 +62,8 @@ spec:
        					}
        				}
        			}] + [ for k, v in _params.env if _delKeys[k] == _|_ && (_params.replace || _baseEnvMap[k] == _|_) {
-        				v
+        				name:  k
+        				value: v
        			}]
        		}
        	}
@@ -96,7 +97,7 @@ spec:
        		}]
        	}
        }
-        parameter: #PatchParams | close({
+        parameter: *#PatchParams | close({
        	// +usage=Specify the environment variables for multiple containers
        	containers: [...#PatchParams]
        })
--- a/charts/vela-core/templates/defwithtemplate/envbinding.yaml
+++ b/charts/vela-core/templates/defwithtemplate/envbinding.yaml
@@ -0,0 +1,46 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/deprecated/envbinding.cue
+apiVersion: core.oam.dev/v1beta1
+kind: PolicyDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Determining the destination where components should be deployed to, and support override configuration
+  labels:
+    custom.definition.oam.dev/deprecated: "true"
+  name: envbinding
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        #PatchParams: {
+        	// +usage=Specify the name of the patch component, if empty, all components will be merged
+        	name?: string
+        	// +usage=Specify the type of the patch component.
+        	type?: string
+        	properties?: {...}
+        	traits?: [...{
+        		type: string
+        		properties?: {...}
+        		// +usage=Specify if the trait shoued be remove, default false
+        		disable: *false | bool
+        	}]
+        }
+        parameter: envs: [...{
+        	name: string
+        	placement?: {
+        		clusterSelector?: {
+        			// +usage=Specify cluster name, defualt local
+        			name: *"local" | string
+        			labels?: [string]: string
+        		}
+        		namespaceSelector?: {
+        			// +usage=Specify namespace name.
+        			name?: string
+        			labels?: [string]: string
+        		}
+        	}
+        	selector?: components: [...string]
+        	patch?: components: [...#PatchParams]
+        }]
+
--- a/charts/vela-core/templates/defwithtemplate/gateway.yaml
+++ b/charts/vela-core/templates/defwithtemplate/gateway.yaml
@@ -44,8 +44,18 @@ spec:
        		if parameter.classInSpec {
        			ingressClassName: parameter.class
        		}
+        		if parameter.secretName != _|_ {
+        			tls: [{
+        				hosts: [
+        					parameter.domain,
+        				]
+        				secretName: parameter.secretName
+        			}]
+        		}
        		rules: [{
-        			host: parameter.domain
+        			if parameter.domain != _|_ {
+        				host: parameter.domain
+        			}
        			http: paths: [
        				for k, v in parameter.http {
        					path:     k
@@ -61,7 +71,7 @@ spec:
        }
        parameter: {
        	// +usage=Specify the domain you want to expose
-        	domain: string
+        	domain?: string

        	// +usage=Specify the mapping relationship between the http path and the workload port
        	http: [string]: int
@@ -71,6 +81,9 @@ spec:

        	// +usage=Set ingress class in '.spec.ingressClassName' instead of 'kubernetes.io/ingress.class' annotation.
        	classInSpec: *false | bool
+
+        	// +usage=Specify the secret name you want to quote.
+        	secretName?: string
        }
  status:
    customStatus: |-
@@ -80,10 +93,20 @@ spec:
      }
      if len(igs) > 0 {
        if igs[0].ip != _|_ {
-      	  message: "Visiting URL: " + context.outputs.ingress.spec.rules[0].host + ", IP: " + igs[0].ip
+        	if igs[0].host != _|_ {
+      	    message: "Visiting URL: " + context.outputs.ingress.spec.rules[0].host + ", IP: " + igs[0].ip
+        	}
+        	if igs[0].host == _|_ {
+      	    message: "Host not specified, visit the cluster or load balancer in front of the cluster"
+        	}
        }
        if igs[0].ip == _|_ {
-      	  message: "Visiting URL: " + context.outputs.ingress.spec.rules[0].host
+        	if igs[0].host != _|_ {
+      		  message: "Visiting URL: " + context.outputs.ingress.spec.rules[0].host
+      		}
+        	if igs[0].host != _|_ {
+      	    message: "Host not specified, visit the cluster or load balancer in front of the cluster"
+      		}
        }
      }
    healthPolicy: 'isHealth: len(context.outputs.service.spec.clusterIP) > 0'
--- a/charts/vela-core/templates/defwithtemplate/json-merge-patch.yaml
+++ b/charts/vela-core/templates/defwithtemplate/json-merge-patch.yaml
@@ -5,6 +5,8 @@ kind: TraitDefinition
 metadata:
  annotations:
    definition.oam.dev/description: Patch the output following Json Merge Patch strategy, following RFC 7396.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
  name: json-merge-patch
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-core/templates/defwithtemplate/json-patch.yaml
+++ b/charts/vela-core/templates/defwithtemplate/json-patch.yaml
@@ -5,6 +5,8 @@ kind: TraitDefinition
 metadata:
  annotations:
    definition.oam.dev/description: Patch the output following Json Patch strategy, following RFC 6902.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
  name: json-patch
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-core/templates/defwithtemplate/node-affinity.yaml
+++ b/charts/vela-core/templates/defwithtemplate/node-affinity.yaml
@@ -1,11 +1,12 @@
 # Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
-# Definition source cue file: vela-templates/definitions/internal/node-affinity.cue
+# Definition source cue file: vela-templates/definitions/deprecated/node-affinity.cue
 apiVersion: core.oam.dev/v1beta1
 kind: TraitDefinition
 metadata:
  annotations:
    definition.oam.dev/description: affinity specify node affinity and toleration on K8s pod for your workload which follows the pod spec in path 'spec.template'.
  labels:
+    custom.definition.oam.dev/deprecated: "true"
    custom.definition.oam.dev/ui-hidden: "true"
  name: node-affinity
  namespace: {{ include "systemDefinitionNamespace" . }}
--- a/charts/vela-core/templates/defwithtemplate/override.yaml
+++ b/charts/vela-core/templates/defwithtemplate/override.yaml
@@ -0,0 +1,33 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/override.cue
+apiVersion: core.oam.dev/v1beta1
+kind: PolicyDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Override configuration when deploying resources
+  name: override
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        #PatchParams: {
+        	// +usage=Specify the name of the patch component, if empty, all components will be merged
+        	name?: string
+        	// +usage=Specify the type of the patch component.
+        	type?: string
+        	properties?: {...}
+        	traits?: [...{
+        		type: string
+        		properties?: {...}
+        		// +usage=Specify if the trait shoued be remove, default false
+        		disable: *false | bool
+        	}]
+        }
+        parameter: {
+        	// +usage=Specify the overridden component configuration.
+        	components: [...#PatchParams]
+        	// +usage=Specify a list of component names to use, if empty, all components will be selected.
+        	selector?: [...string]
+        }
+
--- a/charts/vela-core/templates/defwithtemplate/ref-objects.yaml
+++ b/charts/vela-core/templates/defwithtemplate/ref-objects.yaml
@@ -5,6 +5,8 @@ kind: ComponentDefinition
 metadata:
  annotations:
    definition.oam.dev/description: Ref-objects allow users to specify ref objects to use. Notice that this component type have special handle logic.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
  name: ref-objects
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
@@ -20,7 +22,12 @@ spec:
        	}
        	...
        }
-        output: parameter.objects[0]
+        output: {
+        	if len(parameter.objects) > 0 {
+        		parameter.objects[0]
+        	}
+        	...
+        }
        outputs: {
        	for i, v in parameter.objects {
        		if i > 0 {
--- a/charts/vela-core/templates/defwithtemplate/service-account.yaml
+++ b/charts/vela-core/templates/defwithtemplate/service-account.yaml
@@ -14,10 +14,114 @@ spec:
  schematic:
    cue:
      template: |
+        #Privileges: {
+        	// +usage=Specify the verbs to be allowed for the resource
+        	verbs: [...string]
+        	// +usage=Specify the apiGroups of the resource
+        	apiGroups?: [...string]
+        	// +usage=Specify the resources to be allowed
+        	resources?: [...string]
+        	// +usage=Specify the resourceNames to be allowed
+        	resourceNames?: [...string]
+        	// +usage=Specify the resource url to be allowed
+        	nonResourceURLs?: [...string]
+        	// +usage=Specify the scope of the privileges, default to be namespace scope
+        	scope: *"namespace" | "cluster"
+        }
        parameter: {
        	// +usage=Specify the name of ServiceAccount
        	name: string
+        	// +usage=Specify whether to create new ServiceAccount or not
+        	create: *false | bool
+        	// +usage=Specify the privileges of the ServiceAccount, if not empty, RoleBindings(ClusterRoleBindings) will be created
+        	privileges?: [...#Privileges]
        }
        // +patchStrategy=retainKeys
        patch: spec: template: spec: serviceAccountName: parameter.name
+        _clusterPrivileges: [ for p in parameter.privileges if p.scope == "cluster" {p}]
+        _namespacePrivileges: [ for p in parameter.privileges if p.scope == "namespace" {p}]
+        outputs: {
+        	if parameter.create {
+        		"service-account": {
+        			apiVersion: "v1"
+        			kind:       "ServiceAccount"
+        			metadata: name: parameter.name
+        		}
+        	}
+        	if parameter.privileges != _|_ {
+        		if len(_clusterPrivileges) > 0 {
+        			"cluster-role": {
+        				apiVersion: "rbac.authorization.k8s.io/v1"
+        				kind:       "ClusterRole"
+        				metadata: name: "\(context.namespace):\(parameter.name)"
+        				rules: [ for p in _clusterPrivileges {
+        					verbs: p.verbs
+        					if p.apiGroups != _|_ {
+        						apiGroups: p.apiGroups
+        					}
+        					if p.resources != _|_ {
+        						resources: p.resources
+        					}
+        					if p.resourceNames != _|_ {
+        						resources: p.resourceNames
+        					}
+        					if p.nonResourceURLs != _|_ {
+        						nonResourceURLs: p.nonResourceURLs
+        					}
+        				}]
+        			}
+        			"cluster-role-binding": {
+        				apiVersion: "rbac.authorization.k8s.io/v1"
+        				kind:       "ClusterRoleBinding"
+        				metadata: name: "\(context.namespace):\(parameter.name)"
+        				roleRef: {
+        					apiGroup: "rbac.authorization.k8s.io"
+        					kind:     "ClusterRole"
+        					name:     "\(context.namespace):\(parameter.name)"
+        				}
+        				subjects: [{
+        					kind:      "ServiceAccount"
+        					name:      parameter.name
+        					namespace: "\(context.namespace)"
+        				}]
+        			}
+        		}
+        		if len(_namespacePrivileges) > 0 {
+        			role: {
+        				apiVersion: "rbac.authorization.k8s.io/v1"
+        				kind:       "Role"
+        				metadata: name: parameter.name
+        				rules: [ for p in _namespacePrivileges {
+        					verbs: p.verbs
+        					if p.apiGroups != _|_ {
+        						apiGroups: p.apiGroups
+        					}
+        					if p.resources != _|_ {
+        						resources: p.resources
+        					}
+        					if p.resourceNames != _|_ {
+        						resources: p.resourceNames
+        					}
+        					if p.nonResourceURLs != _|_ {
+        						nonResourceURLs: p.nonResourceURLs
+        					}
+        				}]
+        			}
+        			"role-binding": {
+        				apiVersion: "rbac.authorization.k8s.io/v1"
+        				kind:       "RoleBinding"
+        				metadata: name: parameter.name
+        				roleRef: {
+        					apiGroup: "rbac.authorization.k8s.io"
+        					kind:     "Role"
+        					name:     parameter.name
+        				}
+        				subjects: [{
+        					kind: "ServiceAccount"
+        					name: parameter.name
+        				}]
+        			}
+        		}
+        	}
+        }

--- a/charts/vela-core/templates/defwithtemplate/step-group.yaml
+++ b/charts/vela-core/templates/defwithtemplate/step-group.yaml
@@ -0,0 +1,18 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/step-group.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: step group
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
+  name: step-group
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        // no parameters
+        parameter: {}
+
--- a/charts/vela-core/templates/defwithtemplate/task.yaml
+++ b/charts/vela-core/templates/defwithtemplate/task.yaml
@@ -149,14 +149,14 @@ spec:
        		// +usage=Specifies a source the value of this var should come from
        		valueFrom?: {
        			// +usage=Selects a key of a secret in the pod's namespace
-        			secretKeyRef: {
+        			secretKeyRef?: {
        				// +usage=The name of the secret in the pod's namespace to select from
        				name: string
        				// +usage=The key of the secret to select from. Must be a valid secret key
        				key: string
        			}
        			// +usage=Selects a key of a config map in the pod's namespace
-        			configMapKeyRef: {
+        			configMapKeyRef?: {
        				// +usage=The name of the config map in the pod's namespace to select from
        				name: string
        				// +usage=The key of the config map to select from. Must be a valid secret key
--- a/charts/vela-core/templates/defwithtemplate/topology.yaml
+++ b/charts/vela-core/templates/defwithtemplate/topology.yaml
@@ -0,0 +1,24 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/topology.cue
+apiVersion: core.oam.dev/v1beta1
+kind: PolicyDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Determining the destination where components should be deployed to.
+  name: topology
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        parameter: {
+        	// +usage=Specify the names of the clusters to select.
+        	cluster?: [...string]
+        	// +usage=Specify the label selector for clusters
+        	clusterLabelSelector?: [string]: string
+        	// +usage=Deprecated: Use clusterLabelSelector instead.
+        	clusterSelector?: [string]: string
+        	// +usage=Specify the target namespace to deploy in the selected clusters, default inherit the original namespace.
+        	namespace?: string
+        }
+
--- a/charts/vela-core/templates/defwithtemplate/webservice.yaml
+++ b/charts/vela-core/templates/defwithtemplate/webservice.yaml
@@ -473,7 +473,9 @@ spec:
        		// +usage=The endpoint, relative to the port, to which the HTTP GET request should be directed.
        		path: string
        		// +usage=The TCP socket within the container to which the HTTP GET request should be directed.
-        		port: int
+        		port:    int
+        		host?:   string
+        		scheme?: *"HTTP" | string
        		httpHeaders?: [...{
        			name:  string
        			value: string
--- a/charts/vela-core/templates/kubevela-controller.yaml
+++ b/charts/vela-core/templates/kubevela-controller.yaml
@@ -20,14 +20,53 @@ metadata:
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: "cluster-admin"
+  name: {{ if .Values.authentication.enabled }} {{ include "kubevela.fullname" . }}:manager {{ else }} "cluster-admin" {{ end }}
 subjects:
  - kind: ServiceAccount
    name: {{ include "kubevela.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
-  - kind: Group
-    name: core.oam.dev
-    apiGroup: rbac.authorization.k8s.io
+
+{{ if .Values.authentication.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "kubevela.fullname" . }}:manager
+rules:
+  - apiGroups: ["core.oam.dev", "terraform.core.oam.dev", "prism.oam.dev"]
+    resources: ["*"]
+    verbs: ["*"]
+  - apiGroups: ["cluster.open-cluster-management.io"]
+    resources: ["managedclusters"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["users", "groups", "serviceaccounts"]
+    verbs: ["impersonate"]
+  - apiGroups: [""]
+    resources: ["namespaces", "secrets", "services"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: [""]
+    resources: ["configmaps", "events"]
+    verbs: ["*"]
+  - apiGroups: ["apps"]
+    resources: ["controllerrevisions"]
+    verbs: ["*"]
+  - apiGroups: ["apiregistration.k8s.io"]
+    resources: ["apiservices"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["*"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["flowcontrol.apiserver.k8s.io"]
+    resources: ["prioritylevelconfigurations", "flowschemas"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["*"]
+{{ end }}

 ---
 # permissions to do leader election.
@@ -83,6 +122,7 @@ metadata:
  name: {{ include "kubevela.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
+    controller.oam.dev/name: vela-core
  {{- include "kubevela.labels" . | nindent 4 }}
 spec:
  replicas: {{ .Values.replicaCount }}
@@ -175,7 +215,9 @@ spec:
            - "--max-workflow-wait-backoff-time={{ .Values.workflow.backoff.maxTime.waitState }}"
            - "--max-workflow-failed-backoff-time={{ .Values.workflow.backoff.maxTime.failedState }}"
            - "--max-workflow-step-error-retry-times={{ .Values.workflow.step.errorRetryTimes }}"
+            - "--feature-gates=EnableSuspendOnFailure={{- .Values.workflow.enableSuspendOnFailure | toString -}}"
            - "--feature-gates=AuthenticateApplication={{- .Values.authentication.enabled | toString -}}"
+            - "--feature-gates=LegacyComponentRevision={{- .Values.featureGates.enableLegacyComponentRevision | toString -}}"
            {{ if .Values.authentication.enabled }}
            {{ if .Values.authentication.withUser }}
            - "--authentication-with-user"
--- a/charts/vela-core/templates/velaql/resourceTree.yaml
+++ b/charts/vela-core/templates/velaql/resourceTree.yaml
@@ -0,0 +1,45 @@
+apiVersion: "v1"
+kind:       "ConfigMap"
+metadata:
+  name:      "application-resource-tree-view"
+  namespace: {{ include "systemDefinitionNamespace" . }}
+data:
+  template: |
+    import (
+        "vela/ql"
+    )
+    parameter: {
+        appName:    string
+        appNs:      string
+        name?:      string
+        cluster?:   string
+        clusterNs?: string
+    }
+    response: ql.#GetApplicationTree & {
+        app: {
+            name:      parameter.appName
+            namespace: parameter.appNs
+            filter: {
+                if parameter.cluster != _|_ {
+                    cluster: parameter.cluster
+                }
+                if parameter.clusterNs != _|_ {
+                    clusterNamespace: parameter.clusterNs
+                }
+                if parameter.name != _|_ {
+                    components: [parameter.name]
+                }
+            }
+        }
+    }
+
+    if response.err == _|_ {
+        status: {
+            resources: response.list
+        }
+    }
+    if response.err != _|_ {
+        status: {
+            error: response.err
+        }
+    }
--- a/charts/vela-core/values.yaml
+++ b/charts/vela-core/values.yaml
@@ -35,10 +35,12 @@ dependCheckWait: 30s

 ## @section KubeVela workflow parameters

+## @param workflow.enableSuspendOnFailure Enable suspend on workflow failure
 ## @param workflow.backoff.maxTime.waitState The max backoff time of workflow in a wait condition
 ## @param workflow.backoff.maxTime.failedState The max backoff time of workflow in a failed condition
 ## @param workflow.step.errorRetryTimes The max retry times of a failed workflow step
 workflow:
+  enableSuspendOnFailure: false
  backoff:
    maxTime:
      waitState: 60
@@ -107,6 +109,10 @@ optimize:
  disableResourceApplyDoubleCheck: false
  enableResourceTrackerDeleteOnlyTrigger: true

+##@param featureGates.enableLegacyComponentRevision if disabled, only component with rollout trait will create component revisions
+featureGates:
+  enableLegacyComponentRevision: false
+
 ## @section MultiCluster parameters

 ## @param multicluster.enabled Whether to enable multi-cluster
@@ -130,7 +136,7 @@ multicluster:
    port: 9443
    image:
      repository: oamdev/cluster-gateway
-      tag: v1.3.2
+      tag: v1.4.0
      pullPolicy: IfNotPresent
    resources:
      limits:
@@ -224,11 +230,13 @@ admissionWebhooks:
    enabled: true
    image:
      repository: oamdev/kube-webhook-certgen
-      tag: v2.3
+      tag: v2.4.1
      pullPolicy: IfNotPresent
    nodeSelector: {}
    affinity: {}
    tolerations: []
+  appConversion:
+    enabled: false
  certManager:
    enabled: false
    revisionHistoryLimit: 3
--- a/charts/vela-minimal/README.md
+++ b/charts/vela-minimal/README.md
@@ -72,11 +72,12 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-minimal --

 ### KubeVela workflow parameters

-| Name                                   | Description                                            | Value |
-| -------------------------------------- | ------------------------------------------------------ | ----- |
-| `workflow.backoff.maxTime.waitState`   | The max backoff time of workflow in a wait condition   | `60`  |
-| `workflow.backoff.maxTime.failedState` | The max backoff time of workflow in a failed condition | `300` |
-| `workflow.step.errorRetryTimes`        | The max retry times of a failed workflow step          | `10`  |
+| Name                                   | Description                                            | Value   |
+| -------------------------------------- | ------------------------------------------------------ | ------- |
+| `workflow.enableSuspendOnFailure`      | Enable suspend on workflow failure                     | `false` |
+| `workflow.backoff.maxTime.waitState`   | The max backoff time of workflow in a wait condition   | `60`    |
+| `workflow.backoff.maxTime.failedState` | The max backoff time of workflow in a failed condition | `300`   |
+| `workflow.step.errorRetryTimes`        | The max retry times of a failed workflow step          | `10`    |


 ### KubeVela controller parameters
@@ -105,7 +106,7 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-minimal --
 | `multicluster.clusterGateway.replicaCount`            | ClusterGateway replica count     | `1`                              |
 | `multicluster.clusterGateway.port`                    | ClusterGateway port              | `9443`                           |
 | `multicluster.clusterGateway.image.repository`        | ClusterGateway image repository  | `oamdev/cluster-gateway`         |
-| `multicluster.clusterGateway.image.tag`               | ClusterGateway image tag         | `v1.3.2`                         |
+| `multicluster.clusterGateway.image.tag`               | ClusterGateway image tag         | `v1.4.0`                         |
 | `multicluster.clusterGateway.image.pullPolicy`        | ClusterGateway image pull policy | `IfNotPresent`                   |
 | `multicluster.clusterGateway.resources.limits.cpu`    | ClusterGateway cpu limit         | `100m`                           |
 | `multicluster.clusterGateway.resources.limits.memory` | ClusterGateway memory limit      | `200Mi`                          |
--- a/charts/vela-minimal/crds/core.oam.dev_applicationrevisions.yaml
+++ b/charts/vela-minimal/crds/core.oam.dev_applicationrevisions.yaml
@@ -856,7 +856,7 @@ spec:
                          steps:
                            items:
                              description: WorkflowStepStatus record the status of
-                                a workflow step
+                                a workflow step, include step status and subStep status
                              properties:
                                firstExecuteTime:
                                  description: FirstExecuteTime is the first time
@@ -887,45 +887,44 @@ spec:
                                    state.
                                  type: string
                                subSteps:
-                                  description: SubStepsStatus record the status of
-                                    workflow steps.
-                                  properties:
-                                    mode:
-                                      description: WorkflowMode describes the mode
-                                        of workflow
-                                      type: string
-                                    stepIndex:
-                                      type: integer
-                                    steps:
-                                      items:
-                                        description: WorkflowSubStepStatus record
-                                          the status of a workflow step
-                                        properties:
-                                          id:
-                                            type: string
-                                          message:
-                                            description: A human readable message
-                                              indicating details about why the workflowStep
-                                              is in this state.
-                                            type: string
-                                          name:
-                                            type: string
-                                          phase:
-                                            description: WorkflowStepPhase describes
-                                              the phase of a workflow step.
-                                            type: string
-                                          reason:
-                                            description: A brief CamelCase message
-                                              indicating details about why the workflowStep
-                                              is in this state.
-                                            type: string
-                                          type:
-                                            type: string
-                                        required:
-                                        - id
-                                        type: object
-                                      type: array
-                                  type: object
+                                  items:
+                                    description: WorkflowSubStepStatus record the
+                                      status of a workflow subStep
+                                    properties:
+                                      firstExecuteTime:
+                                        description: FirstExecuteTime is the first
+                                          time this step execution.
+                                        format: date-time
+                                        type: string
+                                      id:
+                                        type: string
+                                      lastExecuteTime:
+                                        description: LastExecuteTime is the last time
+                                          this step execution.
+                                        format: date-time
+                                        type: string
+                                      message:
+                                        description: A human readable message indicating
+                                          details about why the workflowStep is in
+                                          this state.
+                                        type: string
+                                      name:
+                                        type: string
+                                      phase:
+                                        description: WorkflowStepPhase describes the
+                                          phase of a workflow step.
+                                        type: string
+                                      reason:
+                                        description: A brief CamelCase message indicating
+                                          details about why the workflowStep is in
+                                          this state.
+                                        type: string
+                                      type:
+                                        type: string
+                                    required:
+                                    - id
+                                    type: object
+                                  type: array
                                type:
                                  type: string
                              required:
@@ -2199,6 +2198,17 @@ spec:
                          a context in annotation. - should mark "finish" phase in
                          status.conditions.'
                        properties:
+                          mode:
+                            description: WorkflowExecuteMode defines the mode of workflow
+                              execution
+                            properties:
+                              steps:
+                                description: WorkflowMode describes the mode of workflow
+                                type: string
+                              subSteps:
+                                description: WorkflowMode describes the mode of workflow
+                                type: string
+                            type: object
                          ref:
                            type: string
                          steps:
@@ -2210,6 +2220,8 @@ spec:
                                  items:
                                    type: string
                                  type: array
+                                if:
+                                  type: string
                                inputs:
                                  description: StepInputs defines variable input of
                                    WorkflowStep
@@ -2224,6 +2236,13 @@ spec:
                                    - parameterKey
                                    type: object
                                  type: array
+                                meta:
+                                  description: WorkflowStepMeta contains the meta
+                                    data of a workflow step
+                                  properties:
+                                    alias:
+                                      type: string
+                                  type: object
                                name:
                                  description: Name is the unique name of the workflow
                                    step.
@@ -2245,6 +2264,70 @@ spec:
                                properties:
                                  type: object
                                  x-kubernetes-preserve-unknown-fields: true
+                                subSteps:
+                                  items:
+                                    description: WorkflowSubStep defines how to execute
+                                      a workflow subStep.
+                                    properties:
+                                      dependsOn:
+                                        items:
+                                          type: string
+                                        type: array
+                                      if:
+                                        type: string
+                                      inputs:
+                                        description: StepInputs defines variable input
+                                          of WorkflowStep
+                                        items:
+                                          properties:
+                                            from:
+                                              type: string
+                                            parameterKey:
+                                              type: string
+                                          required:
+                                          - from
+                                          - parameterKey
+                                          type: object
+                                        type: array
+                                      meta:
+                                        description: WorkflowStepMeta contains the
+                                          meta data of a workflow step
+                                        properties:
+                                          alias:
+                                            type: string
+                                        type: object
+                                      name:
+                                        description: Name is the unique name of the
+                                          workflow step.
+                                        type: string
+                                      outputs:
+                                        description: StepOutputs defines output variable
+                                          of WorkflowStep
+                                        items:
+                                          properties:
+                                            name:
+                                              type: string
+                                            valueFrom:
+                                              type: string
+                                          required:
+                                          - name
+                                          - valueFrom
+                                          type: object
+                                        type: array
+                                      properties:
+                                        type: object
+                                        x-kubernetes-preserve-unknown-fields: true
+                                      timeout:
+                                        type: string
+                                      type:
+                                        type: string
+                                    required:
+                                    - name
+                                    - type
+                                    type: object
+                                  type: array
+                                timeout:
+                                  type: string
                                type:
                                  type: string
                              required:
@@ -2667,7 +2750,7 @@ spec:
                          steps:
                            items:
                              description: WorkflowStepStatus record the status of
-                                a workflow step
+                                a workflow step, include step status and subStep status
                              properties:
                                firstExecuteTime:
                                  description: FirstExecuteTime is the first time
@@ -2698,45 +2781,44 @@ spec:
                                    state.
                                  type: string
                                subSteps:
-                                  description: SubStepsStatus record the status of
-                                    workflow steps.
-                                  properties:
-                                    mode:
-                                      description: WorkflowMode describes the mode
-                                        of workflow
-                                      type: string
-                                    stepIndex:
-                                      type: integer
-                                    steps:
-                                      items:
-                                        description: WorkflowSubStepStatus record
-                                          the status of a workflow step
-                                        properties:
-                                          id:
-                                            type: string
-                                          message:
-                                            description: A human readable message
-                                              indicating details about why the workflowStep
-                                              is in this state.
-                                            type: string
-                                          name:
-                                            type: string
-                                          phase:
-                                            description: WorkflowStepPhase describes
-                                              the phase of a workflow step.
-                                            type: string
-                                          reason:
-                                            description: A brief CamelCase message
-                                              indicating details about why the workflowStep
-                                              is in this state.
-                                            type: string
-                                          type:
-                                            type: string
-                                        required:
-                                        - id
-                                        type: object
-                                      type: array
-                                  type: object
+                                  items:
+                                    description: WorkflowSubStepStatus record the
+                                      status of a workflow subStep
+                                    properties:
+                                      firstExecuteTime:
+                                        description: FirstExecuteTime is the first
+                                          time this step execution.
+                                        format: date-time
+                                        type: string
+                                      id:
+                                        type: string
+                                      lastExecuteTime:
+                                        description: LastExecuteTime is the last time
+                                          this step execution.
+                                        format: date-time
+                                        type: string
+                                      message:
+                                        description: A human readable message indicating
+                                          details about why the workflowStep is in
+                                          this state.
+                                        type: string
+                                      name:
+                                        type: string
+                                      phase:
+                                        description: WorkflowStepPhase describes the
+                                          phase of a workflow step.
+                                        type: string
+                                      reason:
+                                        description: A brief CamelCase message indicating
+                                          details about why the workflowStep is in
+                                          this state.
+                                        type: string
+                                      type:
+                                        type: string
+                                    required:
+                                    - id
+                                    type: object
+                                  type: array
                                type:
                                  type: string
                              required:
@@ -3905,6 +3987,8 @@ spec:
                          items:
                            type: string
                          type: array
+                        if:
+                          type: string
                        inputs:
                          description: StepInputs defines variable input of WorkflowStep
                          items:
@@ -3918,6 +4002,13 @@ spec:
                            - parameterKey
                            type: object
                          type: array
+                        meta:
+                          description: WorkflowStepMeta contains the meta data of
+                            a workflow step
+                          properties:
+                            alias:
+                              type: string
+                          type: object
                        name:
                          description: Name is the unique name of the workflow step.
                          type: string
@@ -3937,6 +4028,70 @@ spec:
                        properties:
                          type: object
                          x-kubernetes-preserve-unknown-fields: true
+                        subSteps:
+                          items:
+                            description: WorkflowSubStep defines how to execute a
+                              workflow subStep.
+                            properties:
+                              dependsOn:
+                                items:
+                                  type: string
+                                type: array
+                              if:
+                                type: string
+                              inputs:
+                                description: StepInputs defines variable input of
+                                  WorkflowStep
+                                items:
+                                  properties:
+                                    from:
+                                      type: string
+                                    parameterKey:
+                                      type: string
+                                  required:
+                                  - from
+                                  - parameterKey
+                                  type: object
+                                type: array
+                              meta:
+                                description: WorkflowStepMeta contains the meta data
+                                  of a workflow step
+                                properties:
+                                  alias:
+                                    type: string
+                                type: object
+                              name:
+                                description: Name is the unique name of the workflow
+                                  step.
+                                type: string
+                              outputs:
+                                description: StepOutputs defines output variable of
+                                  WorkflowStep
+                                items:
+                                  properties:
+                                    name:
+                                      type: string
+                                    valueFrom:
+                                      type: string
+                                  required:
+                                  - name
+                                  - valueFrom
+                                  type: object
+                                type: array
+                              properties:
+                                type: object
+                                x-kubernetes-preserve-unknown-fields: true
+                              timeout:
+                                type: string
+                              type:
+                                type: string
+                            required:
+                            - name
+                            - type
+                            type: object
+                          type: array
+                        timeout:
+                          type: string
                        type:
                          type: string
                      required:
@@ -4619,7 +4774,7 @@ spec:
                  steps:
                    items:
                      description: WorkflowStepStatus record the status of a workflow
-                        step
+                        step, include step status and subStep status
                      properties:
                        firstExecuteTime:
                          description: FirstExecuteTime is the first time this step
@@ -4648,44 +4803,42 @@ spec:
                            about why the workflowStep is in this state.
                          type: string
                        subSteps:
-                          description: SubStepsStatus record the status of workflow
-                            steps.
-                          properties:
-                            mode:
-                              description: WorkflowMode describes the mode of workflow
-                              type: string
-                            stepIndex:
-                              type: integer
-                            steps:
-                              items:
-                                description: WorkflowSubStepStatus record the status
-                                  of a workflow step
-                                properties:
-                                  id:
-                                    type: string
-                                  message:
-                                    description: A human readable message indicating
-                                      details about why the workflowStep is in this
-                                      state.
-                                    type: string
-                                  name:
-                                    type: string
-                                  phase:
-                                    description: WorkflowStepPhase describes the phase
-                                      of a workflow step.
-                                    type: string
-                                  reason:
-                                    description: A brief CamelCase message indicating
-                                      details about why the workflowStep is in this
-                                      state.
-                                    type: string
-                                  type:
-                                    type: string
-                                required:
-                                - id
-                                type: object
-                              type: array
-                          type: object
+                          items:
+                            description: WorkflowSubStepStatus record the status of
+                              a workflow subStep
+                            properties:
+                              firstExecuteTime:
+                                description: FirstExecuteTime is the first time this
+                                  step execution.
+                                format: date-time
+                                type: string
+                              id:
+                                type: string
+                              lastExecuteTime:
+                                description: LastExecuteTime is the last time this
+                                  step execution.
+                                format: date-time
+                                type: string
+                              message:
+                                description: A human readable message indicating details
+                                  about why the workflowStep is in this state.
+                                type: string
+                              name:
+                                type: string
+                              phase:
+                                description: WorkflowStepPhase describes the phase
+                                  of a workflow step.
+                                type: string
+                              reason:
+                                description: A brief CamelCase message indicating
+                                  details about why the workflowStep is in this state.
+                                type: string
+                              type:
+                                type: string
+                            required:
+                            - id
+                            type: object
+                          type: array
                        type:
                          type: string
                      required:
--- a/charts/vela-minimal/crds/core.oam.dev_applications.yaml
+++ b/charts/vela-minimal/crds/core.oam.dev_applications.yaml
@@ -6,18 +6,6 @@ metadata:
    controller-gen.kubebuilder.io/version: v0.6.2
  name: applications.core.oam.dev
 spec:
-  conversion:
-    strategy: Webhook
-    webhook:
-      clientConfig:
-        service:
-          name: vela-core-webhook
-          namespace: vela-system
-          path: /convert
-          port: 443
-      conversionReviewVersions:
-      - v1beta1
-      - v1alpha2
  group: core.oam.dev
  names:
    categories:
@@ -791,7 +779,7 @@ spec:
                  steps:
                    items:
                      description: WorkflowStepStatus record the status of a workflow
-                        step
+                        step, include step status and subStep status
                      properties:
                        firstExecuteTime:
                          description: FirstExecuteTime is the first time this step
@@ -820,44 +808,42 @@ spec:
                            about why the workflowStep is in this state.
                          type: string
                        subSteps:
-                          description: SubStepsStatus record the status of workflow
-                            steps.
-                          properties:
-                            mode:
-                              description: WorkflowMode describes the mode of workflow
-                              type: string
-                            stepIndex:
-                              type: integer
-                            steps:
-                              items:
-                                description: WorkflowSubStepStatus record the status
-                                  of a workflow step
-                                properties:
-                                  id:
-                                    type: string
-                                  message:
-                                    description: A human readable message indicating
-                                      details about why the workflowStep is in this
-                                      state.
-                                    type: string
-                                  name:
-                                    type: string
-                                  phase:
-                                    description: WorkflowStepPhase describes the phase
-                                      of a workflow step.
-                                    type: string
-                                  reason:
-                                    description: A brief CamelCase message indicating
-                                      details about why the workflowStep is in this
-                                      state.
-                                    type: string
-                                  type:
-                                    type: string
-                                required:
-                                - id
-                                type: object
-                              type: array
-                          type: object
+                          items:
+                            description: WorkflowSubStepStatus record the status of
+                              a workflow subStep
+                            properties:
+                              firstExecuteTime:
+                                description: FirstExecuteTime is the first time this
+                                  step execution.
+                                format: date-time
+                                type: string
+                              id:
+                                type: string
+                              lastExecuteTime:
+                                description: LastExecuteTime is the last time this
+                                  step execution.
+                                format: date-time
+                                type: string
+                              message:
+                                description: A human readable message indicating details
+                                  about why the workflowStep is in this state.
+                                type: string
+                              name:
+                                type: string
+                              phase:
+                                description: WorkflowStepPhase describes the phase
+                                  of a workflow step.
+                                type: string
+                              reason:
+                                description: A brief CamelCase message indicating
+                                  details about why the workflowStep is in this state.
+                                type: string
+                              type:
+                                type: string
+                            required:
+                            - id
+                            type: object
+                          type: array
                        type:
                          type: string
                      required:
@@ -1023,6 +1009,17 @@ spec:
                  order, and each step: - will have a context in annotation. - should
                  mark "finish" phase in status.conditions.'
                properties:
+                  mode:
+                    description: WorkflowExecuteMode defines the mode of workflow
+                      execution
+                    properties:
+                      steps:
+                        description: WorkflowMode describes the mode of workflow
+                        type: string
+                      subSteps:
+                        description: WorkflowMode describes the mode of workflow
+                        type: string
+                    type: object
                  ref:
                    type: string
                  steps:
@@ -1034,6 +1031,8 @@ spec:
                          items:
                            type: string
                          type: array
+                        if:
+                          type: string
                        inputs:
                          description: StepInputs defines variable input of WorkflowStep
                          items:
@@ -1047,6 +1046,13 @@ spec:
                            - parameterKey
                            type: object
                          type: array
+                        meta:
+                          description: WorkflowStepMeta contains the meta data of
+                            a workflow step
+                          properties:
+                            alias:
+                              type: string
+                          type: object
                        name:
                          description: Name is the unique name of the workflow step.
                          type: string
@@ -1066,6 +1072,70 @@ spec:
                        properties:
                          type: object
                          x-kubernetes-preserve-unknown-fields: true
+                        subSteps:
+                          items:
+                            description: WorkflowSubStep defines how to execute a
+                              workflow subStep.
+                            properties:
+                              dependsOn:
+                                items:
+                                  type: string
+                                type: array
+                              if:
+                                type: string
+                              inputs:
+                                description: StepInputs defines variable input of
+                                  WorkflowStep
+                                items:
+                                  properties:
+                                    from:
+                                      type: string
+                                    parameterKey:
+                                      type: string
+                                  required:
+                                  - from
+                                  - parameterKey
+                                  type: object
+                                type: array
+                              meta:
+                                description: WorkflowStepMeta contains the meta data
+                                  of a workflow step
+                                properties:
+                                  alias:
+                                    type: string
+                                type: object
+                              name:
+                                description: Name is the unique name of the workflow
+                                  step.
+                                type: string
+                              outputs:
+                                description: StepOutputs defines output variable of
+                                  WorkflowStep
+                                items:
+                                  properties:
+                                    name:
+                                      type: string
+                                    valueFrom:
+                                      type: string
+                                  required:
+                                  - name
+                                  - valueFrom
+                                  type: object
+                                type: array
+                              properties:
+                                type: object
+                                x-kubernetes-preserve-unknown-fields: true
+                              timeout:
+                                type: string
+                              type:
+                                type: string
+                            required:
+                            - name
+                            - type
+                            type: object
+                          type: array
+                        timeout:
+                          type: string
                        type:
                          type: string
                      required:
@@ -1458,7 +1528,7 @@ spec:
                  steps:
                    items:
                      description: WorkflowStepStatus record the status of a workflow
-                        step
+                        step, include step status and subStep status
                      properties:
                        firstExecuteTime:
                          description: FirstExecuteTime is the first time this step
@@ -1487,44 +1557,42 @@ spec:
                            about why the workflowStep is in this state.
                          type: string
                        subSteps:
-                          description: SubStepsStatus record the status of workflow
-                            steps.
-                          properties:
-                            mode:
-                              description: WorkflowMode describes the mode of workflow
-                              type: string
-                            stepIndex:
-                              type: integer
-                            steps:
-                              items:
-                                description: WorkflowSubStepStatus record the status
-                                  of a workflow step
-                                properties:
-                                  id:
-                                    type: string
-                                  message:
-                                    description: A human readable message indicating
-                                      details about why the workflowStep is in this
-                                      state.
-                                    type: string
-                                  name:
-                                    type: string
-                                  phase:
-                                    description: WorkflowStepPhase describes the phase
-                                      of a workflow step.
-                                    type: string
-                                  reason:
-                                    description: A brief CamelCase message indicating
-                                      details about why the workflowStep is in this
-                                      state.
-                                    type: string
-                                  type:
-                                    type: string
-                                required:
-                                - id
-                                type: object
-                              type: array
-                          type: object
+                          items:
+                            description: WorkflowSubStepStatus record the status of
+                              a workflow subStep
+                            properties:
+                              firstExecuteTime:
+                                description: FirstExecuteTime is the first time this
+                                  step execution.
+                                format: date-time
+                                type: string
+                              id:
+                                type: string
+                              lastExecuteTime:
+                                description: LastExecuteTime is the last time this
+                                  step execution.
+                                format: date-time
+                                type: string
+                              message:
+                                description: A human readable message indicating details
+                                  about why the workflowStep is in this state.
+                                type: string
+                              name:
+                                type: string
+                              phase:
+                                description: WorkflowStepPhase describes the phase
+                                  of a workflow step.
+                                type: string
+                              reason:
+                                description: A brief CamelCase message indicating
+                                  details about why the workflowStep is in this state.
+                                type: string
+                              type:
+                                type: string
+                            required:
+                            - id
+                            type: object
+                          type: array
                        type:
                          type: string
                      required:
--- a/charts/vela-minimal/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/vela-minimal/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -32,7 +32,9 @@ spec:
            - --namespace={{ .Release.Namespace }}
            - --secret-name={{ template "kubevela.fullname" . }}-admission
            - --patch-failure-policy={{ .Values.admissionWebhooks.failurePolicy }}
-            - --crds=applications.core.oam.dev
+            {{- if .Values.admissionWebhooks.appConversion.enabled }}
+            - --crds={"name":"applications.core.oam.dev","conversion":{"strategy":"Webhook","webhook":{"clientConfig":{"service":{"name":"vela-core-webhook","namespace":"vela-system","path":"/convert","port":443}},"conversionReviewVersions":["v1beta1","v1alpha2"]}}}
+            {{- end }}
      restartPolicy: OnFailure
      serviceAccountName: {{ template "kubevela.fullname" . }}-admission
      {{- with .Values.admissionWebhooks.patch.nodeSelector }}
--- a/charts/vela-minimal/templates/cluster-gateway.yaml
+++ b/charts/vela-minimal/templates/cluster-gateway.yaml
@@ -31,7 +31,7 @@ spec:
            - "apiserver"
            - "--secure-port={{ .Values.multicluster.clusterGateway.port }}"
            - "--secret-namespace={{ .Release.Namespace }}"
-            - "--feature-gates=APIPriorityAndFairness=false"
+            - "--feature-gates=APIPriorityAndFairness=false,ClientIdentityPenetration={{ .Values.authentication.enabled }}"
            {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
            - "--cert-dir={{ .Values.multicluster.clusterGateway.secureTLS.certPath }}"
            {{ end }}
@@ -194,24 +194,25 @@ spec:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-role
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway:proxy
 rules:
  - apiGroups: [ "cluster.core.oam.dev" ]
    resources: [ "clustergateways/proxy" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
-{{ end }}
 ---
-{{ if and .Values.multicluster.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-rolebinding
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway:proxy
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-role
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway:proxy
 subjects:
  - kind: Group
-    name: cluster-gateway-accessor
+    name: kubevela:client
    apiGroup: rbac.authorization.k8s.io
+  - kind: ServiceAccount
+    name: {{ include "kubevela.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
 {{ end }}
--- a/charts/vela-minimal/templates/defwithtemplate/affinity.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/affinity.yaml
@@ -0,0 +1,186 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/affinity.cue
+apiVersion: core.oam.dev/v1beta1
+kind: TraitDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Affinity specifies affinity and toleration K8s pod for your workload which follows the pod spec in path 'spec.template'.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
+  name: affinity
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  appliesToWorkloads:
+    - '*'
+  podDisruptive: true
+  schematic:
+    cue:
+      template: |
+        patch: spec: template: spec: {
+        	if parameter.podAffinity != _|_ {
+        		affinity: podAffinity: {
+        			if parameter.podAffinity.required != _|_ {
+        				requiredDuringSchedulingIgnoredDuringExecution: [
+        					for k in parameter.podAffinity.required {
+        						if k.labelSelector != _|_ {
+        							labelSelector: k.labelSelector
+        						}
+        						if k.namespace != _|_ {
+        							namespace: k.namespace
+        						}
+        						topologyKey: k.topologyKey
+        						if k.namespaceSelector != _|_ {
+        							namespaceSelector: k.namespaceSelector
+        						}
+        					}]
+        			}
+        			if parameter.podAffinity.preferred != _|_ {
+        				preferredDuringSchedulingIgnoredDuringExecution: [
+        					for k in parameter.podAffinity.preferred {
+        						weight:          k.weight
+        						podAffinityTerm: k.podAffinityTerm
+        					}]
+        			}
+        		}
+        	}
+        	if parameter.podAntiAffinity != _|_ {
+        		affinity: podAntiAffinity: {
+        			if parameter.podAntiAffinity.required != _|_ {
+        				requiredDuringSchedulingIgnoredDuringExecution: [
+        					for k in parameter.podAntiAffinity.required {
+        						if k.labelSelector != _|_ {
+        							labelSelector: k.labelSelector
+        						}
+        						if k.namespace != _|_ {
+        							namespace: k.namespace
+        						}
+        						topologyKey: k.topologyKey
+        						if k.namespaceSelector != _|_ {
+        							namespaceSelector: k.namespaceSelector
+        						}
+        					}]
+        			}
+        			if parameter.podAntiAffinity.preferred != _|_ {
+        				preferredDuringSchedulingIgnoredDuringExecution: [
+        					for k in parameter.podAntiAffinity.preferred {
+        						weight:          k.weight
+        						podAffinityTerm: k.podAffinityTerm
+        					}]
+        			}
+        		}
+        	}
+        	if parameter.nodeAffinity != _|_ {
+        		affinity: nodeAffinity: {
+        			if parameter.nodeAffinity.required != _|_ {
+        				requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: [
+        					for k in parameter.nodeAffinity.required.nodeSelectorTerms {
+        						if k.matchExpressions != _|_ {
+        							matchExpressions: k.matchExpressions
+        						}
+        						if k.matchFields != _|_ {
+        							matchFields: k.matchFields
+        						}
+        					}]
+        			}
+        			if parameter.nodeAffinity.preferred != _|_ {
+        				preferredDuringSchedulingIgnoredDuringExecution: [
+        					for k in parameter.nodeAffinity.preferred {
+        						weight:     k.weight
+        						preference: k.preference
+        					}]
+        			}
+        		}
+        	}
+        	if parameter.tolerations != _|_ {
+        		tolerations: [
+        			for k in parameter.tolerations {
+        				if k.key != _|_ {
+        					key: k.key
+        				}
+        				if k.effect != _|_ {
+        					effect: k.effect
+        				}
+        				if k.value != _|_ {
+        					value: k.value
+        				}
+        				operator: k.operator
+        				if k.tolerationSeconds != _|_ {
+        					tolerationSeconds: k.tolerationSeconds
+        				}
+        			}]
+        	}
+        }
+        #labelSelector: {
+        	matchLabels?: [string]: string
+        	matchExpressions?: [...{
+        		key:      string
+        		operator: *"In" | "NotIn" | "Exists" | "DoesNotExist"
+        		values?: [...string]
+        	}]
+        }
+        #podAffinityTerm: {
+        	labelSelector?: #labelSelector
+        	namespaces?: [...string]
+        	topologyKey:        string
+        	namespaceSelector?: #labelSelector
+        }
+        #nodeSelecor: {
+        	key:      string
+        	operator: *"In" | "NotIn" | "Exists" | "DoesNotExist" | "Gt" | "Lt"
+        	values?: [...string]
+        }
+        #nodeSelectorTerm: {
+        	matchExpressions?: [...#nodeSelecor]
+        	matchFields?: [...#nodeSelecor]
+        }
+        parameter: {
+        	// +usage=Specify the pod affinity scheduling rules
+        	podAffinity?: {
+        		// +usage=Specify the required during scheduling ignored during execution
+        		required?: [...#podAffinityTerm]
+        		// +usage=Specify the preferred during scheduling ignored during execution
+        		preferred?: [...{
+        			// +usage=Specify weight associated with matching the corresponding podAffinityTerm
+        			weight: int & >=1 & <=100
+        			// +usage=Specify a set of pods
+        			podAffinityTerm: #podAffinityTerm
+        		}]
+        	}
+        	// +usage=Specify the pod anti-affinity scheduling rules
+        	podAntiAffinity?: {
+        		// +usage=Specify the required during scheduling ignored during execution
+        		required?: [...#podAffinityTerm]
+        		// +usage=Specify the preferred during scheduling ignored during execution
+        		preferred?: [...{
+        			// +usage=Specify weight associated with matching the corresponding podAffinityTerm
+        			weight: int & >=1 & <=100
+        			// +usage=Specify a set of pods
+        			podAffinityTerm: #podAffinityTerm
+        		}]
+        	}
+        	// +usage=Specify the node affinity scheduling rules for the pod
+        	nodeAffinity?: {
+        		// +usage=Specify the required during scheduling ignored during execution
+        		required?: {
+        			// +usage=Specify a list of node selector
+        			nodeSelectorTerms: [...#nodeSelectorTerm]
+        		}
+        		// +usage=Specify the preferred during scheduling ignored during execution
+        		preferred?: [...{
+        			// +usage=Specify weight associated with matching the corresponding nodeSelector
+        			weight: int & >=1 & <=100
+        			// +usage=Specify a node selector
+        			preference: #nodeSelectorTerm
+        		}]
+        	}
+        	// +usage=Specify tolerant taint
+        	tolerations?: [...{
+        		key?:     string
+        		operator: *"Equal" | "Exists"
+        		value?:   string
+        		effect?:  "NoSchedule" | "PreferNoSchedule" | "NoExecute"
+        		// +usage=Specify the period of time the toleration
+        		tolerationSeconds?: int
+        	}]
+        }
+
--- a/charts/vela-minimal/templates/defwithtemplate/command.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/command.yaml
@@ -106,7 +106,7 @@ spec:
        		}]
        	}
        }
-        parameter: #PatchParams | close({
+        parameter: *#PatchParams | close({
        	// +usage=Specify the commands for multiple containers
        	containers: [...#PatchParams]
        })
--- a/charts/vela-minimal/templates/defwithtemplate/config-image-registry.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/config-image-registry.yaml
@@ -20,6 +20,7 @@ spec:
        import (
        	"encoding/base64"
        	"encoding/json"
+        	"strconv"
        )

        output: {
@@ -42,21 +43,29 @@ spec:
        	if parameter.auth == _|_ {
        		type: "Opaque"
        	}
-        	if parameter.auth != _|_ {
-        		stringData: ".dockerconfigjson": json.Marshal({
-        			auths: "\(parameter.registry)": {
-        				username: parameter.auth.username
-        				password: parameter.auth.password
-        				if parameter.auth.email != _|_ {
-        					email: parameter.auth.email
+        	stringData: {
+        		if parameter.auth != _|_ && parameter.auth.username != _|_ {
+        			".dockerconfigjson": json.Marshal({
+        				auths: "\(parameter.registry)": {
+        					username: parameter.auth.username
+        					password: parameter.auth.password
+        					if parameter.auth.email != _|_ {
+        						email: parameter.auth.email
+        					}
+        					auth: base64.Encode(null, (parameter.auth.username + ":" + parameter.auth.password))
        				}
-        				auth: base64.Encode(null, (parameter.auth.username + ":" + parameter.auth.password))
-        			}
-        		})
+        			})
+        		}
+        		if parameter.insecure != _|_ {
+        			"insecure-skip-verify": strconv.FormatBool(parameter.insecure)
+        		}
+        		if parameter.useHTTP != _|_ {
+        			"protocol-use-http": strconv.FormatBool(parameter.useHTTP)
+        		}
        	}
        }
        parameter: {
-        	// +usage=Image registry FQDN
+        	// +usage=Image registry FQDN, such as: index.docker.io
        	registry: string
        	// +usage=Authenticate the image registry
        	auth?: {
@@ -67,6 +76,10 @@ spec:
        		// +usage=Private Image registry email
        		email?: string
        	}
+        	// +usage=For the registry server that uses the self-signed certificate
+        	insecure?: bool
+        	// +usage=For the registry server that uses the HTTP protocol
+        	useHTTP?: bool
        }
  workload:
    type: autodetects.core.oam.dev
--- a/charts/vela-minimal/templates/defwithtemplate/container-image.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/container-image.yaml
@@ -5,6 +5,8 @@ kind: TraitDefinition
 metadata:
  annotations:
    definition.oam.dev/description: Set the image of the container.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
  name: container-image
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
@@ -69,7 +71,7 @@ spec:
        		}]
        	}
        }
-        parameter: #PatchParams | close({
+        parameter: *#PatchParams | close({
        	// +usage=Specify the container image for multiple containers
        	containers: [...#PatchParams]
        })
--- a/charts/vela-minimal/templates/defwithtemplate/cron-task.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/cron-task.yaml
@@ -196,14 +196,14 @@ spec:
        		// +usage=Specifies a source the value of this var should come from
        		valueFrom?: {
        			// +usage=Selects a key of a secret in the pod's namespace
-        			secretKeyRef: {
+        			secretKeyRef?: {
        				// +usage=The name of the secret in the pod's namespace to select from
        				name: string
        				// +usage=The key of the secret to select from. Must be a valid secret key
        				key: string
        			}
        			// +usage=Selects a key of a config map in the pod's namespace
-        			configMapKeyRef: {
+        			configMapKeyRef?: {
        				// +usage=The name of the config map in the pod's namespace to select from
        				name: string
        				// +usage=The key of the config map to select from. Must be a valid secret key
--- a/charts/vela-minimal/templates/defwithtemplate/deploy.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/deploy.yaml
@@ -16,12 +16,18 @@ spec:
        )

        deploy: op.#Deploy & {
-        	policies:    parameter.policies
-        	parallelism: parameter.parallelism
+        	policies:                 parameter.policies
+        	parallelism:              parameter.parallelism
+        	ignoreTerraformComponent: parameter.ignoreTerraformComponent
        }
        parameter: {
+        	//+usage=If set false, the workflow will be suspend before this step.
        	auto: *true | bool
+        	//+usage=Declare the policies used for this step.
        	policies?: [...string]
+        	//+usage=Maximum number of concurrent delivered components.
        	parallelism: *5 | int
+        	//+usage=If set false, this step will apply the components with the terraform workload.
+        	ignoreTerraformComponent: *true | bool
        }

--- a/charts/vela-minimal/templates/defwithtemplate/env.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/env.yaml
@@ -62,7 +62,8 @@ spec:
        					}
        				}
        			}] + [ for k, v in _params.env if _delKeys[k] == _|_ && (_params.replace || _baseEnvMap[k] == _|_) {
-        				v
+        				name:  k
+        				value: v
        			}]
        		}
        	}
@@ -96,7 +97,7 @@ spec:
        		}]
        	}
        }
-        parameter: #PatchParams | close({
+        parameter: *#PatchParams | close({
        	// +usage=Specify the environment variables for multiple containers
        	containers: [...#PatchParams]
        })
--- a/charts/vela-minimal/templates/defwithtemplate/gateway.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/gateway.yaml
@@ -44,8 +44,18 @@ spec:
        		if parameter.classInSpec {
        			ingressClassName: parameter.class
        		}
+        		if parameter.secretName != _|_ {
+        			tls: [{
+        				hosts: [
+        					parameter.domain,
+        				]
+        				secretName: parameter.secretName
+        			}]
+        		}
        		rules: [{
-        			host: parameter.domain
+        			if parameter.domain != _|_ {
+        				host: parameter.domain
+        			}
        			http: paths: [
        				for k, v in parameter.http {
        					path:     k
@@ -61,7 +71,7 @@ spec:
        }
        parameter: {
        	// +usage=Specify the domain you want to expose
-        	domain: string
+        	domain?: string

        	// +usage=Specify the mapping relationship between the http path and the workload port
        	http: [string]: int
@@ -71,6 +81,9 @@ spec:

        	// +usage=Set ingress class in '.spec.ingressClassName' instead of 'kubernetes.io/ingress.class' annotation.
        	classInSpec: *false | bool
+
+        	// +usage=Specify the secret name you want to quote.
+        	secretName?: string
        }
  status:
    customStatus: |-
@@ -80,10 +93,20 @@ spec:
      }
      if len(igs) > 0 {
        if igs[0].ip != _|_ {
-      	  message: "Visiting URL: " + context.outputs.ingress.spec.rules[0].host + ", IP: " + igs[0].ip
+        	if igs[0].host != _|_ {
+      	    message: "Visiting URL: " + context.outputs.ingress.spec.rules[0].host + ", IP: " + igs[0].ip
+        	}
+        	if igs[0].host == _|_ {
+      	    message: "Host not specified, visit the cluster or load balancer in front of the cluster"
+        	}
        }
        if igs[0].ip == _|_ {
-      	  message: "Visiting URL: " + context.outputs.ingress.spec.rules[0].host
+        	if igs[0].host != _|_ {
+      		  message: "Visiting URL: " + context.outputs.ingress.spec.rules[0].host
+      		}
+        	if igs[0].host != _|_ {
+      	    message: "Host not specified, visit the cluster or load balancer in front of the cluster"
+      		}
        }
      }
    healthPolicy: 'isHealth: len(context.outputs.service.spec.clusterIP) > 0'
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`Welcome to use the oam-runtime follows OAM spec v0.2! Enjoy your shipping application journey!`