Fix: trim quot char for velaql output (#4269 )

Signed-off-by: Jianbo Sun <jianbo.sjb@alibaba-inc.com> (cherry picked from commit fdd0c93dba) Co-authored-by: Jianbo Sun <jianbo.sjb@alibaba-inc.com>
[Backport release-1.4] Feat: enhance velq ql and support cue file (#4266 )
2026-03-01 09:10:43 +00:00 · 2022-06-27 16:52:26 +08:00 · 2022-06-27 16:17:21 +08:00 · 2022-06-27 11:32:20 +08:00 · 2022-06-27 10:31:49 +08:00 · 2022-06-25 09:00:24 +08:00
142 changed files with 2422 additions and 1233 deletions
--- a/.github/workflows/e2e-multicluster-test.yml
+++ b/.github/workflows/e2e-multicluster-test.yml
@@ -103,7 +103,7 @@ jobs:
        run: |
          make e2e-cleanup
          make vela-cli
-          make e2e-setup-core
+          make e2e-setup-core-auth
          make
          make setup-runtime-e2e-cluster

--- a/.github/workflows/registry.yml
+++ b/.github/workflows/registry.yml
@@ -15,7 +15,7 @@ env:
  ARTIFACT_HUB_REPOSITORY_ID: ${{ secrets.ARTIFACT_HUB_REPOSITORY_ID }}

 jobs:
-  publish-images:
+  publish-core-images:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
@@ -47,20 +47,16 @@ jobs:
      - name: Login Alibaba Cloud ACR
        uses: docker/login-action@v1
        with:
-          registry: kubevela-registry.cn-hangzhou.cr.aliyuncs.com
-          username: ${{ secrets.ACR_USERNAME }}@aliyun-inner.com
+          registry: ${{ secrets.ACR_DOMAIN }}
+          username: ${{ secrets.ACR_USERNAME }}
          password: ${{ secrets.ACR_PASSWORD }}
      - uses: docker/setup-qemu-action@v1
      - uses: docker/setup-buildx-action@v1
        with:
          driver-opts: image=moby/buildkit:master

-      - name: Build & Pushing vela-core for ACR
-        run: |
-          docker build --build-arg GOPROXY=https://proxy.golang.org --build-arg VERSION=${{ steps.get_version.outputs.VERSION }} --build-arg GITVERSION=git-${{ steps.vars.outputs.git_revision }}  -t kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }} .
-          docker push kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
      - uses: docker/build-push-action@v2
-        name: Build & Pushing vela-core for Dockerhub and GHCR
+        name: Build & Pushing vela-core for Dockerhub, GHCR and ACR
        with:
          context: .
          file: Dockerfile
@@ -75,36 +71,11 @@ jobs:
            GOPROXY=https://proxy.golang.org
          tags: |-
            docker.io/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
-            ghcr.io/${{ github.repository }}/vela-core:${{ steps.get_version.outputs.VERSION }}
+            ghcr.io/${{ github.repository_owner }}/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
+            ${{ secrets.ACR_DOMAIN }}/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}

-      - name: Build & Pushing vela-apiserver for ACR
-        run: |
-          docker build --build-arg GOPROXY=https://proxy.golang.org --build-arg VERSION=${{ steps.get_version.outputs.VERSION }} --build-arg GITVERSION=git-${{ steps.vars.outputs.git_revision }} -t kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }} -f Dockerfile.apiserver .
-          docker push kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
      - uses: docker/build-push-action@v2
-        name: Build & Pushing vela-apiserver for Dockerhub and GHCR
-        with:
-          context: .
-          file: Dockerfile.apiserver
-          labels: |-
-            org.opencontainers.image.source=https://github.com/${{ github.repository }}
-            org.opencontainers.image.revision=${{ github.sha }}
-          platforms: linux/amd64,linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
-          build-args: |
-            GITVERSION=git-${{ steps.vars.outputs.git_revision }}
-            VERSION=${{ steps.get_version.outputs.VERSION }}
-            GOPROXY=https://proxy.golang.org
-          tags: |-
-            docker.io/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
-            ghcr.io/${{ github.repository }}/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
-
-      - name: Build & Pushing vela CLI for ACR
-        run: |
-          docker build --build-arg GOPROXY=https://proxy.golang.org --build-arg VERSION=${{ steps.get_version.outputs.VERSION }} --build-arg GITVERSION=git-${{ steps.vars.outputs.git_revision }}  -t kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }} -f Dockerfile.cli .
-          docker push kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}
-      - uses: docker/build-push-action@v2
-        name: Build & Pushing CLI for Dockerhub and GHCR
+        name: Build & Pushing CLI for Dockerhub, GHCR and ACR
        with:
          context: .
          file: Dockerfile.cli
@@ -119,14 +90,70 @@ jobs:
            GOPROXY=https://proxy.golang.org
          tags: |-
            docker.io/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}
-            ghcr.io/${{ github.repository }}/vela-cli:${{ steps.get_version.outputs.VERSION }}
+            ghcr.io/${{ github.repository_owner }}/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}
+            ${{ secrets.ACR_DOMAIN }}/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}

-      - name: Build & Pushing vela runtime rollout for ACR
+  publish-addon-images:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Get the version
+        id: get_version
        run: |
-          docker build --build-arg GOPROXY=https://proxy.golang.org --build-arg VERSION=${{ steps.get_version.outputs.VERSION }} --build-arg GITVERSION=git-${{ steps.vars.outputs.git_revision }}  -t kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-rollout:${{ steps.get_version.outputs.VERSION }} -f runtime/rollout/Dockerfile .
-          docker push kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-rollout:${{ steps.get_version.outputs.VERSION }}
+          VERSION=${GITHUB_REF#refs/tags/}
+          if [[ ${GITHUB_REF} == "refs/heads/master" ]]; then
+            VERSION=latest
+          fi
+          echo ::set-output name=VERSION::${VERSION}
+      - name: Get git revision
+        id: vars
+        shell: bash
+        run: |
+          echo "::set-output name=git_revision::$(git rev-parse --short HEAD)"
+      - name: Login ghcr.io
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Login docker.io
+        uses: docker/login-action@v1
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login Alibaba Cloud ACR
+        uses: docker/login-action@v1
+        with:
+          registry: ${{ secrets.ACR_DOMAIN }}
+          username: ${{ secrets.ACR_USERNAME }}
+          password: ${{ secrets.ACR_PASSWORD }}
+      - uses: docker/setup-qemu-action@v1
+      - uses: docker/setup-buildx-action@v1
+        with:
+          driver-opts: image=moby/buildkit:master
+
      - uses: docker/build-push-action@v2
-        name: Build & Pushing runtime rollout for Dockerhub and GHCR
+        name: Build & Pushing vela-apiserver for Dockerhub, GHCR and ACR
+        with:
+          context: .
+          file: Dockerfile.apiserver
+          labels: |-
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}
+            org.opencontainers.image.revision=${{ github.sha }}
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          build-args: |
+            GITVERSION=git-${{ steps.vars.outputs.git_revision }}
+            VERSION=${{ steps.get_version.outputs.VERSION }}
+            GOPROXY=https://proxy.golang.org
+          tags: |-
+            docker.io/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
+            ghcr.io/${{ github.repository_owner }}/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
+            ${{ secrets.ACR_DOMAIN }}/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
+
+      - uses: docker/build-push-action@v2
+        name: Build & Pushing runtime rollout Dockerhub, GHCR and ACR
        with:
          context: .
          file: runtime/rollout/Dockerfile
@@ -141,7 +168,8 @@ jobs:
            GOPROXY=https://proxy.golang.org
          tags: |-
            docker.io/oamdev/vela-rollout:${{ steps.get_version.outputs.VERSION }}
-            ghcr.io/${{ github.repository }}/vela-rollout:${{ steps.get_version.outputs.VERSION }}
+            ghcr.io/${{ github.repository_owner }}/oamdev/vela-rollout:${{ steps.get_version.outputs.VERSION }}
+            ${{ secrets.ACR_DOMAIN }}/oamdev/vela-rollout:${{ steps.get_version.outputs.VERSION }}

  publish-charts:
    env:
--- a/charts/vela-core/templates/cluster-gateway/certmanager.yaml
+++ b/charts/vela-core/templates/cluster-gateway/certmanager.yaml
@@ -13,7 +13,7 @@ metadata:
  name: {{ template "kubevela.fullname" . }}-cluster-gateway-tls
  namespace: {{ .Release.Namespace }}
 spec:
-  secretName: {{ template "kubevela.fullname" . }}-cluster-gateway-tls
+  secretName: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-v2
  duration: 8760h # 1y
  issuerRef:
    name: {{ template "kubevela.fullname" . }}-cluster-gateway-issuer
--- a/charts/vela-core/templates/cluster-gateway/cluster-gateway.yaml
+++ b/charts/vela-core/templates/cluster-gateway/cluster-gateway.yaml
@@ -53,7 +53,7 @@ spec:
        - name: tls-cert-vol
          secret:
            defaultMode: 420
-            secretName: {{ template "kubevela.fullname" . }}-cluster-gateway-tls
+            secretName: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-v2
      {{ end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
@@ -106,7 +106,7 @@ metadata:
  name: v1alpha1.cluster.core.oam.dev
  annotations:
    {{- if and .Values.multicluster.clusterGateway.secureTLS.enabled .Values.multicluster.clusterGateway.secureTLS.certManager.enabled }}
-    cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ template "kubevela.fullname" . }}-cluster-gateway-tls"
+    cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ template "kubevela.fullname" . }}-cluster-gateway-tls-v2"
    {{- end }}
  labels:
    api: cluster-extension-apiserver
@@ -147,4 +147,7 @@ subjects:
  - kind: Group
    name: kubevela:client
    apiGroup: rbac.authorization.k8s.io
+  - kind: ServiceAccount
+    name: {{ include "kubevela.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
 {{ end }}
--- a/charts/vela-core/templates/cluster-gateway/job-patch.yaml
+++ b/charts/vela-core/templates/cluster-gateway/job-patch.yaml
@@ -86,7 +86,7 @@ spec:
          - create
          - --host={{ .Release.Name }}-cluster-gateway-service,{{ .Release.Name }}-cluster-gateway-service.{{ .Release.Namespace }}.svc
          - --namespace={{ .Release.Namespace }}
-          - --secret-name={{ template "kubevela.fullname" . }}-cluster-gateway-tls
+          - --secret-name={{ template "kubevela.fullname" . }}-cluster-gateway-tls-v2
          - --cert-name=tls.crt
          - --key-name=tls.key
      restartPolicy: OnFailure
@@ -131,7 +131,7 @@ spec:
          - /patch
        args:
          - --secret-namespace={{ .Release.Namespace }}
-          - --secret-name={{ template "kubevela.fullname" . }}-cluster-gateway-tls
+          - --secret-name={{ template "kubevela.fullname" . }}-cluster-gateway-tls-v2
      restartPolicy: OnFailure
      serviceAccountName: {{ include "kubevela.serviceAccountName" . }}
      securityContext:
--- a/charts/vela-core/templates/defwithtemplate/affinity.yaml
+++ b/charts/vela-core/templates/defwithtemplate/affinity.yaml
@@ -4,7 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: TraitDefinition
 metadata:
  annotations:
-    definition.oam.dev/description: affinity specify affinity and tolerationon K8s pod for your workload which follows the pod spec in path 'spec.template'.
+    definition.oam.dev/description: Affinity specifies affinity and toleration K8s pod for your workload which follows the pod spec in path 'spec.template'.
  labels:
    custom.definition.oam.dev/ui-hidden: "true"
  name: affinity
--- a/charts/vela-core/templates/defwithtemplate/config-image-registry.yaml
+++ b/charts/vela-core/templates/defwithtemplate/config-image-registry.yaml
@@ -20,6 +20,7 @@ spec:
        import (
        	"encoding/base64"
        	"encoding/json"
+        	"strconv"
        )

        output: {
@@ -42,21 +43,29 @@ spec:
        	if parameter.auth == _|_ {
        		type: "Opaque"
        	}
-        	if parameter.auth != _|_ {
-        		stringData: ".dockerconfigjson": json.Marshal({
-        			auths: "\(parameter.registry)": {
-        				username: parameter.auth.username
-        				password: parameter.auth.password
-        				if parameter.auth.email != _|_ {
-        					email: parameter.auth.email
+        	stringData: {
+        		if parameter.auth != _|_ && parameter.auth.username != _|_ {
+        			".dockerconfigjson": json.Marshal({
+        				auths: "\(parameter.registry)": {
+        					username: parameter.auth.username
+        					password: parameter.auth.password
+        					if parameter.auth.email != _|_ {
+        						email: parameter.auth.email
+        					}
+        					auth: base64.Encode(null, (parameter.auth.username + ":" + parameter.auth.password))
        				}
-        				auth: base64.Encode(null, (parameter.auth.username + ":" + parameter.auth.password))
-        			}
-        		})
+        			})
+        		}
+        		if parameter.insecure != _|_ {
+        			"insecure-skip-verify": strconv.FormatBool(parameter.insecure)
+        		}
+        		if parameter.useHTTP != _|_ {
+        			"protocol-use-http": strconv.FormatBool(parameter.useHTTP)
+        		}
        	}
        }
        parameter: {
-        	// +usage=Image registry FQDN
+        	// +usage=Image registry FQDN, such as: index.docker.io
        	registry: string
        	// +usage=Authenticate the image registry
        	auth?: {
@@ -67,6 +76,10 @@ spec:
        		// +usage=Private Image registry email
        		email?: string
        	}
+        	// +usage=For the registry server that uses the self-signed certificate
+        	insecure?: bool
+        	// +usage=For the registry server that uses the HTTP protocol
+        	useHTTP?: bool
        }
  workload:
    type: autodetects.core.oam.dev
--- a/charts/vela-core/templates/defwithtemplate/container-image.yaml
+++ b/charts/vela-core/templates/defwithtemplate/container-image.yaml
@@ -5,6 +5,8 @@ kind: TraitDefinition
 metadata:
  annotations:
    definition.oam.dev/description: Set the image of the container.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
  name: container-image
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-core/templates/defwithtemplate/cron-task.yaml
+++ b/charts/vela-core/templates/defwithtemplate/cron-task.yaml
@@ -196,14 +196,14 @@ spec:
        		// +usage=Specifies a source the value of this var should come from
        		valueFrom?: {
        			// +usage=Selects a key of a secret in the pod's namespace
-        			secretKeyRef: {
+        			secretKeyRef?: {
        				// +usage=The name of the secret in the pod's namespace to select from
        				name: string
        				// +usage=The key of the secret to select from. Must be a valid secret key
        				key: string
        			}
        			// +usage=Selects a key of a config map in the pod's namespace
-        			configMapKeyRef: {
+        			configMapKeyRef?: {
        				// +usage=The name of the config map in the pod's namespace to select from
        				name: string
        				// +usage=The key of the config map to select from. Must be a valid secret key
--- a/charts/vela-core/templates/defwithtemplate/deploy2env.yaml
+++ b/charts/vela-core/templates/defwithtemplate/deploy2env.yaml
@@ -5,6 +5,8 @@ kind: WorkflowStepDefinition
 metadata:
  annotations:
    definition.oam.dev/description: Deploy env binding component to target env
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
  name: deploy2env
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-core/templates/defwithtemplate/json-merge-patch.yaml
+++ b/charts/vela-core/templates/defwithtemplate/json-merge-patch.yaml
@@ -5,6 +5,8 @@ kind: TraitDefinition
 metadata:
  annotations:
    definition.oam.dev/description: Patch the output following Json Merge Patch strategy, following RFC 7396.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
  name: json-merge-patch
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-core/templates/defwithtemplate/json-patch.yaml
+++ b/charts/vela-core/templates/defwithtemplate/json-patch.yaml
@@ -5,6 +5,8 @@ kind: TraitDefinition
 metadata:
  annotations:
    definition.oam.dev/description: Patch the output following Json Patch strategy, following RFC 6902.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
  name: json-patch
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-core/templates/defwithtemplate/ref-objects.yaml
+++ b/charts/vela-core/templates/defwithtemplate/ref-objects.yaml
@@ -5,6 +5,8 @@ kind: ComponentDefinition
 metadata:
  annotations:
    definition.oam.dev/description: Ref-objects allow users to specify ref objects to use. Notice that this component type have special handle logic.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
  name: ref-objects
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-core/templates/defwithtemplate/step-group.yaml
+++ b/charts/vela-core/templates/defwithtemplate/step-group.yaml
@@ -5,6 +5,8 @@ kind: WorkflowStepDefinition
 metadata:
  annotations:
    definition.oam.dev/description: step group
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
  name: step-group
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-core/templates/defwithtemplate/task.yaml
+++ b/charts/vela-core/templates/defwithtemplate/task.yaml
@@ -149,14 +149,14 @@ spec:
        		// +usage=Specifies a source the value of this var should come from
        		valueFrom?: {
        			// +usage=Selects a key of a secret in the pod's namespace
-        			secretKeyRef: {
+        			secretKeyRef?: {
        				// +usage=The name of the secret in the pod's namespace to select from
        				name: string
        				// +usage=The key of the secret to select from. Must be a valid secret key
        				key: string
        			}
        			// +usage=Selects a key of a config map in the pod's namespace
-        			configMapKeyRef: {
+        			configMapKeyRef?: {
        				// +usage=The name of the config map in the pod's namespace to select from
        				name: string
        				// +usage=The key of the config map to select from. Must be a valid secret key
--- a/charts/vela-core/templates/kubevela-controller.yaml
+++ b/charts/vela-core/templates/kubevela-controller.yaml
@@ -20,12 +20,54 @@ metadata:
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: "cluster-admin"
+  name: {{ if .Values.authentication.enabled }} {{ include "kubevela.fullname" . }}:manager {{ else }} "cluster-admin" {{ end }}
 subjects:
  - kind: ServiceAccount
    name: {{ include "kubevela.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}

+{{ if .Values.authentication.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "kubevela.fullname" . }}:manager
+rules:
+  - apiGroups: ["core.oam.dev", "terraform.core.oam.dev", "prism.oam.dev"]
+    resources: ["*"]
+    verbs: ["*"]
+  - apiGroups: ["cluster.open-cluster-management.io"]
+    resources: ["managedclusters"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["users", "groups", "serviceaccounts"]
+    verbs: ["impersonate"]
+  - apiGroups: [""]
+    resources: ["namespaces", "secrets", "services"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: [""]
+    resources: ["configmaps", "events"]
+    verbs: ["*"]
+  - apiGroups: ["apps"]
+    resources: ["controllerrevisions"]
+    verbs: ["*"]
+  - apiGroups: ["apiregistration.k8s.io"]
+    resources: ["apiservices"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["*"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["flowcontrol.apiserver.k8s.io"]
+    resources: ["prioritylevelconfigurations", "flowschemas"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["*"]
+{{ end }}
+
 ---
 # permissions to do leader election.
 apiVersion: rbac.authorization.k8s.io/v1
@@ -80,6 +122,7 @@ metadata:
  name: {{ include "kubevela.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
+    controller.oam.dev/name: vela-core
  {{- include "kubevela.labels" . | nindent 4 }}
 spec:
  replicas: {{ .Values.replicaCount }}
--- a/charts/vela-core/values.yaml
+++ b/charts/vela-core/values.yaml
@@ -226,7 +226,7 @@ admissionWebhooks:
    enabled: true
    image:
      repository: oamdev/kube-webhook-certgen
-      tag: v2.4.0
+      tag: v2.4.1
      pullPolicy: IfNotPresent
    nodeSelector: {}
    affinity: {}
--- a/charts/vela-minimal/templates/cluster-gateway.yaml
+++ b/charts/vela-minimal/templates/cluster-gateway.yaml
@@ -212,4 +212,7 @@ subjects:
  - kind: Group
    name: kubevela:client
    apiGroup: rbac.authorization.k8s.io
+  - kind: ServiceAccount
+    name: {{ include "kubevela.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
 {{ end }}
--- a/charts/vela-minimal/templates/defwithtemplate/affinity.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/affinity.yaml
@@ -4,7 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: TraitDefinition
 metadata:
  annotations:
-    definition.oam.dev/description: affinity specify affinity and tolerationon K8s pod for your workload which follows the pod spec in path 'spec.template'.
+    definition.oam.dev/description: Affinity specifies affinity and toleration K8s pod for your workload which follows the pod spec in path 'spec.template'.
  labels:
    custom.definition.oam.dev/ui-hidden: "true"
  name: affinity
--- a/charts/vela-minimal/templates/defwithtemplate/config-image-registry.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/config-image-registry.yaml
@@ -20,6 +20,7 @@ spec:
        import (
        	"encoding/base64"
        	"encoding/json"
+        	"strconv"
        )

        output: {
@@ -42,21 +43,29 @@ spec:
        	if parameter.auth == _|_ {
        		type: "Opaque"
        	}
-        	if parameter.auth != _|_ {
-        		stringData: ".dockerconfigjson": json.Marshal({
-        			auths: "\(parameter.registry)": {
-        				username: parameter.auth.username
-        				password: parameter.auth.password
-        				if parameter.auth.email != _|_ {
-        					email: parameter.auth.email
+        	stringData: {
+        		if parameter.auth != _|_ && parameter.auth.username != _|_ {
+        			".dockerconfigjson": json.Marshal({
+        				auths: "\(parameter.registry)": {
+        					username: parameter.auth.username
+        					password: parameter.auth.password
+        					if parameter.auth.email != _|_ {
+        						email: parameter.auth.email
+        					}
+        					auth: base64.Encode(null, (parameter.auth.username + ":" + parameter.auth.password))
        				}
-        				auth: base64.Encode(null, (parameter.auth.username + ":" + parameter.auth.password))
-        			}
-        		})
+        			})
+        		}
+        		if parameter.insecure != _|_ {
+        			"insecure-skip-verify": strconv.FormatBool(parameter.insecure)
+        		}
+        		if parameter.useHTTP != _|_ {
+        			"protocol-use-http": strconv.FormatBool(parameter.useHTTP)
+        		}
        	}
        }
        parameter: {
-        	// +usage=Image registry FQDN
+        	// +usage=Image registry FQDN, such as: index.docker.io
        	registry: string
        	// +usage=Authenticate the image registry
        	auth?: {
@@ -67,6 +76,10 @@ spec:
        		// +usage=Private Image registry email
        		email?: string
        	}
+        	// +usage=For the registry server that uses the self-signed certificate
+        	insecure?: bool
+        	// +usage=For the registry server that uses the HTTP protocol
+        	useHTTP?: bool
        }
  workload:
    type: autodetects.core.oam.dev
--- a/charts/vela-minimal/templates/defwithtemplate/container-image.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/container-image.yaml
@@ -5,6 +5,8 @@ kind: TraitDefinition
 metadata:
  annotations:
    definition.oam.dev/description: Set the image of the container.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
  name: container-image
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-minimal/templates/defwithtemplate/cron-task.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/cron-task.yaml
@@ -196,14 +196,14 @@ spec:
        		// +usage=Specifies a source the value of this var should come from
        		valueFrom?: {
        			// +usage=Selects a key of a secret in the pod's namespace
-        			secretKeyRef: {
+        			secretKeyRef?: {
        				// +usage=The name of the secret in the pod's namespace to select from
        				name: string
        				// +usage=The key of the secret to select from. Must be a valid secret key
        				key: string
        			}
        			// +usage=Selects a key of a config map in the pod's namespace
-        			configMapKeyRef: {
+        			configMapKeyRef?: {
        				// +usage=The name of the config map in the pod's namespace to select from
        				name: string
        				// +usage=The key of the config map to select from. Must be a valid secret key
--- a/charts/vela-minimal/templates/defwithtemplate/json-merge-patch.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/json-merge-patch.yaml
@@ -5,6 +5,8 @@ kind: TraitDefinition
 metadata:
  annotations:
    definition.oam.dev/description: Patch the output following Json Merge Patch strategy, following RFC 7396.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
  name: json-merge-patch
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-minimal/templates/defwithtemplate/json-patch.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/json-patch.yaml
@@ -5,6 +5,8 @@ kind: TraitDefinition
 metadata:
  annotations:
    definition.oam.dev/description: Patch the output following Json Patch strategy, following RFC 6902.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
  name: json-patch
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-minimal/templates/defwithtemplate/ref-objects.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/ref-objects.yaml
@@ -5,6 +5,8 @@ kind: ComponentDefinition
 metadata:
  annotations:
    definition.oam.dev/description: Ref-objects allow users to specify ref objects to use. Notice that this component type have special handle logic.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
  name: ref-objects
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-minimal/templates/defwithtemplate/step-group.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/step-group.yaml
@@ -5,6 +5,8 @@ kind: WorkflowStepDefinition
 metadata:
  annotations:
    definition.oam.dev/description: step group
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
  name: step-group
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-minimal/templates/defwithtemplate/task.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/task.yaml
@@ -149,14 +149,14 @@ spec:
        		// +usage=Specifies a source the value of this var should come from
        		valueFrom?: {
        			// +usage=Selects a key of a secret in the pod's namespace
-        			secretKeyRef: {
+        			secretKeyRef?: {
        				// +usage=The name of the secret in the pod's namespace to select from
        				name: string
        				// +usage=The key of the secret to select from. Must be a valid secret key
        				key: string
        			}
        			// +usage=Selects a key of a config map in the pod's namespace
-        			configMapKeyRef: {
+        			configMapKeyRef?: {
        				// +usage=The name of the config map in the pod's namespace to select from
        				name: string
        				// +usage=The key of the config map to select from. Must be a valid secret key
--- a/charts/vela-minimal/templates/kubevela-controller.yaml
+++ b/charts/vela-minimal/templates/kubevela-controller.yaml
@@ -15,6 +15,7 @@ metadata:

 ---

+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -22,12 +23,54 @@ metadata:
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: "cluster-admin"
+  name: {{ if .Values.authentication.enabled }} {{ include "kubevela.fullname" . }}:manager {{ else }} "cluster-admin" {{ end }}
 subjects:
  - kind: ServiceAccount
    name: {{ include "kubevela.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}

+{{ if .Values.authentication.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "kubevela.fullname" . }}:manager
+rules:
+  - apiGroups: ["core.oam.dev", "terraform.core.oam.dev", "prism.oam.dev"]
+    resources: ["*"]
+    verbs: ["*"]
+  - apiGroups: ["cluster.open-cluster-management.io"]
+    resources: ["managedclusters"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["users", "groups", "serviceaccounts"]
+    verbs: ["impersonate"]
+  - apiGroups: [""]
+    resources: ["namespaces", "secrets", "services"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: [""]
+    resources: ["configmaps", "events"]
+    verbs: ["*"]
+  - apiGroups: ["apps"]
+    resources: ["controllerrevisions"]
+    verbs: ["*"]
+  - apiGroups: ["apiregistration.k8s.io"]
+    resources: ["apiservices"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["*"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["flowcontrol.apiserver.k8s.io"]
+    resources: ["prioritylevelconfigurations", "flowschemas"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["*"]
+{{ end }}
+
 ---
 # permissions to do leader election.
 apiVersion: rbac.authorization.k8s.io/v1
@@ -82,6 +125,7 @@ metadata:
  name: {{ include "kubevela.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
+    controller.oam.dev/name: vela-core
  {{- include "kubevela.labels" . | nindent 4 }}
 spec:
  replicas: {{ .Values.replicaCount }}
--- a/charts/vela-minimal/values.yaml
+++ b/charts/vela-minimal/values.yaml
@@ -203,7 +203,7 @@ admissionWebhooks:
    enabled: true
    image:
      repository: oamdev/kube-webhook-certgen
-      tag: v2.4.0
+      tag: v2.4.1
      pullPolicy: IfNotPresent
    nodeSelector: {}
    affinity: {}
--- a/docs/examples/app-with-policy/gc-policy/reverse-dependency.md
+++ b/docs/examples/app-with-policy/gc-policy/reverse-dependency.md
@@ -1,6 +1,6 @@
 # How to garbage collect resources in the order of dependency

-If you want to garbage collect resources in the order of dependency, you can add `order: dependency` in the `garbage-collect` policy.
+If you want to garbage collect resources in the order of reverse dependency, you can add `order: dependency` in the `garbage-collect` policy.

 > Notice that this order policy is only valid for the resources that are created in the components.

@@ -8,7 +8,7 @@ In the following example, component `test1` depends on `test2`, and `test2` need

 So the order of deployment is: `test3 -> test2 -> test1`.

-When we add `order: dependency` in `garbage-collect` policy and delete the application, the order of garbage collect is: `test3 -> test2 -> test1`.
+When we add `order: dependency` in `garbage-collect` policy and delete the application, the order of garbage collect is: `test1 -> test2 -> test3`.

 ```yaml
 apiVersion: core.oam.dev/v1beta1
--- a/e2e/application/application_test.go
+++ b/e2e/application/application_test.go
@@ -18,10 +18,13 @@ package e2e

 import (
 	context2 "context"
+	"encoding/json"
 	"fmt"
 	"strings"
 	"time"

+	corev1 "k8s.io/api/core/v1"
+
 	"github.com/Netflix/go-expect"
 	"github.com/crossplane/crossplane-runtime/pkg/meta"
 	"github.com/onsi/ginkgo"
@@ -43,6 +46,7 @@ var (
 	testDeleteJsonAppFile       = `{"name":"test-vela-delete","services":{"nginx-test":{"type":"webservice","image":"nginx:1.9.4","port":80}}}`
 	appbasicJsonAppFile         = `{"name":"app-basic","services":{"app-basic":{"type":"webservice","image":"nginx:1.9.4","port":80}}}`
 	appbasicAddTraitJsonAppFile = `{"name":"app-basic","services":{"app-basic":{"type":"webservice","image":"nginx:1.9.4","port":80,"scaler":{"replicas":2}}}}`
+	velaQL                      = "test-component-pod-view{appNs=default,appName=nginx-vela,name=nginx}"
 )

 var _ = ginkgo.Describe("Test Vela Application", func() {
@@ -68,6 +72,9 @@ var _ = ginkgo.Describe("Test Vela Application", func() {

 	e2e.JsonAppFileContext("json appfile apply", testDeleteJsonAppFile)
 	ApplicationDeleteWithForceOptions("test delete with force option", "test-vela-delete")
+
+	e2e.JsonAppFileContext("json appfile apply", testDeleteJsonAppFile)
+	VelaQLPodListContext("ql", velaQL)
 })

 var ApplicationStatusContext = func(context string, applicationName string, workloadType string) bool {
@@ -230,3 +237,75 @@ var ApplicationDeleteWithForceOptions = func(context string, appName string) boo
 		})
 	})
 }
+
+type PodList struct {
+	PodList []Pod `form:"podList" json:"podList"`
+}
+
+type Pod struct {
+	Status   Status   `form:"status" json:"status"`
+	Cluster  string   `form:"cluster" json:"cluster"`
+	Metadata Metadata `form:"metadata" json:"metadata"`
+	Workload Workload `form:"workload" json:"workload"`
+}
+
+type Status struct {
+	Phase    string `form:"phase" json:"phase"`
+	NodeName string `form:"nodeName" json:"nodeName"`
+}
+
+type Metadata struct {
+	Namespace string `form:"namespace" json:"namespace"`
+}
+
+type Workload struct {
+	ApiVersion string `form:"apiVersion" json:"apiVersion"`
+	Kind       string `form:"kind" json:"kind"`
+}
+
+var VelaQLPodListContext = func(context string, velaQL string) bool {
+	return ginkgo.Context(context, func() {
+		ginkgo.It("should get successful result for executing vela ql", func() {
+			args := common.Args{
+				Schema: common.Scheme,
+			}
+			ctx := context2.Background()
+
+			k8sClient, err := args.GetClient()
+			gomega.Expect(err).NotTo(gomega.HaveOccurred())
+
+			componentView := new(corev1.ConfigMap)
+			gomega.Eventually(func(g gomega.Gomega) {
+				g.Expect(common.ReadYamlToObject("./component-pod-view.yaml", componentView)).Should(gomega.BeNil())
+				g.Expect(k8sClient.Create(ctx, componentView)).Should(gomega.Succeed())
+			}, time.Second*3, time.Millisecond*300).Should(gomega.Succeed())
+
+			cli := fmt.Sprintf("vela ql %s", velaQL)
+			output, err := e2e.Exec(cli)
+			gomega.Expect(err).NotTo(gomega.HaveOccurred())
+			var list PodList
+			err = json.Unmarshal([]byte(output), &list)
+			gomega.Expect(err).NotTo(gomega.HaveOccurred())
+			for _, v := range list.PodList {
+				if v.Cluster != "" {
+					gomega.Expect(v.Cluster).To(gomega.ContainSubstring("local"))
+				}
+				if v.Status.Phase != "" {
+					gomega.Expect(v.Status.Phase).To(gomega.ContainSubstring("Running"))
+				}
+				if v.Status.NodeName != "" {
+					gomega.Expect(v.Status.NodeName).To(gomega.ContainSubstring("kind-control-plane"))
+				}
+				if v.Metadata.Namespace != "" {
+					gomega.Expect(v.Metadata.Namespace).To(gomega.ContainSubstring("default"))
+				}
+				if v.Workload.ApiVersion != "" {
+					gomega.Expect(v.Workload.ApiVersion).To(gomega.ContainSubstring("apps/v1"))
+				}
+				if v.Workload.Kind != "" {
+					gomega.Expect(v.Workload.Kind).To(gomega.ContainSubstring("Deployment"))
+				}
+			}
+		})
+	})
+}
--- a/e2e/application/component-pod-view.yaml
+++ b/e2e/application/component-pod-view.yaml
@@ -0,0 +1,98 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: test-component-pod-view
+  namespace: vela-system
+data:
+  template: |
+    import (
+      "vela/ql"
+      "vela/op"
+    )
+
+    parameter: {
+      appName:    string
+      appNs:      string
+      name?:      string
+      cluster?:   string
+      clusterNs?: string
+    }
+
+    application: ql.#ListResourcesInApp & {
+      app: {
+        name:      parameter.appName
+        namespace: parameter.appNs
+        filter: {
+          if parameter.cluster != _|_ {
+            cluster: parameter.cluster
+          }
+          if parameter.clusterNs != _|_ {
+            clusterNamespace: parameter.clusterNs
+          }
+          if parameter.name != _|_ {
+            components: [parameter.name]
+          }
+        }
+      }
+    }
+
+    if application.err != _|_ {
+      status: error: application.err
+    }
+
+    if application.err == _|_ {
+      resources: application.list
+
+      podsMap: op.#Steps & {
+        for i, resource in resources {
+          "\(i)": ql.#CollectPods & {
+            value:   resource.object
+            cluster: resource.cluster
+          }
+        }
+      }
+
+      podsWithCluster: [ for i, pods in podsMap for podObj in pods.list {
+        cluster: pods.cluster
+        obj:     podObj
+      }]
+
+      podStatus: op.#Steps & {
+        for i, pod in podsWithCluster {
+          "\(i)": op.#Steps & {
+            name: pod.obj.metadata.name
+            containers: {for container in pod.obj.status.containerStatuses {
+              "\(container.name)": {
+                image: container.image
+                state: container.state
+              }
+            }}
+            events: ql.#SearchEvents & {
+              value:   pod.obj
+              cluster: pod.cluster
+            }
+            metrics: ql.#Read & {
+              cluster: pod.cluster
+              value: {
+                apiVersion: "metrics.k8s.io/v1beta1"
+                kind:       "PodMetrics"
+                metadata: {
+                  name:      pod.obj.metadata.name
+                  namespace: pod.obj.metadata.namespace
+                }
+              }
+            }
+          }
+        }
+      }
+
+      status: {
+        podList: [ for podInfo in podStatus {
+          name: podInfo.name
+          containers: [ for containerName, container in podInfo.containers {
+            containerName
+          }]
+          events: podInfo.events.list
+        }]
+      }
+    }
--- a/go.mod
+++ b/go.mod
@@ -16,7 +16,7 @@ require (
 	github.com/barnettZQG/inject v0.0.1
 	github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869
 	github.com/briandowns/spinner v1.11.1
-	github.com/containerd/containerd v1.5.10
+	github.com/containerd/containerd v1.5.13
 	github.com/coreos/go-oidc v2.1.0+incompatible
 	github.com/coreos/prometheus-operator v0.41.1
 	github.com/crossplane/crossplane-runtime v0.14.1-0.20210722005935-0b469fcc77cd
@@ -46,7 +46,7 @@ require (
 	github.com/hashicorp/hcl/v2 v2.9.1
 	github.com/hinshun/vt10x v0.0.0-20180616224451-1954e6464174
 	github.com/imdario/mergo v0.3.12
-	github.com/kubevela/prism v1.4.0
+	github.com/kubevela/prism v1.4.1-0.20220613123457-94f1190f87c2
 	github.com/kyokomi/emoji v2.2.4+incompatible
 	github.com/mitchellh/hashstructure/v2 v2.0.1
 	github.com/oam-dev/cluster-gateway v1.4.0
@@ -122,7 +122,7 @@ require (
 	github.com/Masterminds/sprig/v3 v3.2.2 // indirect
 	github.com/Masterminds/squirrel v1.5.2 // indirect
 	github.com/Microsoft/go-winio v0.5.2 // indirect
-	github.com/Microsoft/hcsshim v0.8.23 // indirect
+	github.com/Microsoft/hcsshim v0.8.24 // indirect
 	github.com/NYTimes/gziphandler v1.1.1 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
--- a/go.sum
+++ b/go.sum
@@ -178,8 +178,8 @@ github.com/Microsoft/hcsshim v0.8.14/go.mod h1:NtVKoYxQuTLx6gEq0L96c9Ju4JbRJ4nY2
 github.com/Microsoft/hcsshim v0.8.15/go.mod h1:x38A4YbHbdxJtc0sF6oIz+RG0npwSCAvn69iY6URG00=
 github.com/Microsoft/hcsshim v0.8.16/go.mod h1:o5/SZqmR7x9JNKsW3pu+nqHm0MF8vbA+VxGOoXdC600=
 github.com/Microsoft/hcsshim v0.8.21/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4=
-github.com/Microsoft/hcsshim v0.8.23 h1:47MSwtKGXet80aIn+7h4YI6fwPmwIghAnsx2aOUrG2M=
-github.com/Microsoft/hcsshim v0.8.23/go.mod h1:4zegtUJth7lAvFyc6cH2gGQ5B3OFQim01nnU2M8jKDg=
+github.com/Microsoft/hcsshim v0.8.24 h1:jP+GMeRXIR1sH1kG4lJr9ShmSjVrua5jmFZDtfYGkn4=
+github.com/Microsoft/hcsshim v0.8.24/go.mod h1:4zegtUJth7lAvFyc6cH2gGQ5B3OFQim01nnU2M8jKDg=
 github.com/Microsoft/hcsshim/test v0.0.0-20201218223536-d3e5debf77da/go.mod h1:5hlzMzRKMLyo42nCZ9oml8AdTlq/0cvIaBv6tK1RehU=
 github.com/Microsoft/hcsshim/test v0.0.0-20210227013316-43a75bb4edd3/go.mod h1:mw7qgWloBUl75W/gVH3cQszUg1+gUITj7D6NY7ywVnY=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
@@ -412,8 +412,9 @@ github.com/containerd/cgroups v0.0.0-20200531161412-0dbf7f05ba59/go.mod h1:pA0z1
 github.com/containerd/cgroups v0.0.0-20200710171044-318312a37340/go.mod h1:s5q4SojHctfxANBDvMeIaIovkq29IP48TKAxnhYRxvo=
 github.com/containerd/cgroups v0.0.0-20200824123100-0b889c03f102/go.mod h1:s5q4SojHctfxANBDvMeIaIovkq29IP48TKAxnhYRxvo=
 github.com/containerd/cgroups v0.0.0-20210114181951-8a68de567b68/go.mod h1:ZJeTFisyysqgcCdecO57Dj79RfL0LNeGiFUqLYQRYLE=
-github.com/containerd/cgroups v1.0.1 h1:iJnMvco9XGvKUvNQkv88bE4uJXxRQH18efbKo9w5vHQ=
 github.com/containerd/cgroups v1.0.1/go.mod h1:0SJrPIenamHDcZhEcJMNBB85rHcUsw4f25ZfBiPYRkU=
+github.com/containerd/cgroups v1.0.3 h1:ADZftAkglvCiD44c77s5YmMqaP2pzVCFZvBmAlBdAP4=
+github.com/containerd/cgroups v1.0.3/go.mod h1:/ofk34relqNjSGyqPrmEULrO4Sc8LJhvJmWbUCUKqj8=
 github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
 github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
 github.com/containerd/console v0.0.0-20191206165004-02ecf6a7291e/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE=
@@ -435,8 +436,8 @@ github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoT
 github.com/containerd/containerd v1.5.1/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g=
 github.com/containerd/containerd v1.5.2/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g=
 github.com/containerd/containerd v1.5.7/go.mod h1:gyvv6+ugqY25TiXxcZC3L5yOeYgEw0QMhscqVp1AR9c=
-github.com/containerd/containerd v1.5.10 h1:3cQ2uRVCkJVcx5VombsE7105Gl9Wrl7ORAO3+4+ogf4=
-github.com/containerd/containerd v1.5.10/go.mod h1:fvQqCfadDGga5HZyn3j4+dx56qj2I9YwBrlSdalvJYQ=
+github.com/containerd/containerd v1.5.13 h1:XqvKw9i4P7/mFrC3TSM7yV5cwFZ9avXe6M3YANKnzEE=
+github.com/containerd/containerd v1.5.13/go.mod h1:3AlCrzKROjIuP3JALsY14n8YtntaUDBu7vek+rPN5Vc=
 github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
@@ -1343,8 +1344,8 @@ github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/kubevela/prism v1.4.0 h1:wYCKXA3p9YpkcSsZjGnSEGBVL+3bPoZNEt4DYs3IxW4=
-github.com/kubevela/prism v1.4.0/go.mod h1:RP69+bRb57Occer6BeeF5zK3hrD1IhnYf2RNRsIdh9E=
+github.com/kubevela/prism v1.4.1-0.20220613123457-94f1190f87c2 h1:TaHlO4raKI3ehVSYY8QixYMHdI0VwKHY1KPNWcUre3I=
+github.com/kubevela/prism v1.4.1-0.20220613123457-94f1190f87c2/go.mod h1:RP69+bRb57Occer6BeeF5zK3hrD1IhnYf2RNRsIdh9E=
 github.com/kulti/thelper v0.4.0/go.mod h1:vMu2Cizjy/grP+jmsvOFDx1kYP6+PD1lqg4Yu5exl2U=
 github.com/kunwardeep/paralleltest v1.0.2/go.mod h1:ZPqNm1fVHPllh5LPVujzbVz1JN2GhLxSfY+oqUsvG30=
 github.com/kunwardeep/paralleltest v1.0.3/go.mod h1:vLydzomDFpk7yu5UX02RmP0H8QfRPOV/oFhWN85Mjb4=
--- a/makefiles/e2e.mk
+++ b/makefiles/e2e.mk
@@ -1,14 +1,29 @@
-
-.PHONY: e2e-setup-core
-e2e-setup-core:
+.PHONY: e2e-setup-core-pre-hook
+e2e-setup-core-pre-hook:
 	sh ./hack/e2e/modify_charts.sh
-	helm upgrade --install --create-namespace --namespace vela-system --set image.pullPolicy=IfNotPresent --set image.repository=vela-core-test --set applicationRevisionLimit=5 --set dependCheckWait=10s --set image.tag=$(GIT_COMMIT) --wait kubevela ./charts/vela-core
+
+.PHONY: e2e-setup-core-post-hook
+e2e-setup-core-post-hook:
 	kubectl wait --for=condition=Available deployment/kubevela-vela-core -n vela-system --timeout=180s
 	helm upgrade --install --namespace vela-system --wait oam-rollout --set image.repository=vela-runtime-rollout-test --set image.tag=$(GIT_COMMIT) ./runtime/rollout/charts
 	go run ./e2e/addon/mock &
 	sleep 15
 	bin/vela addon enable rollout

+.PHONY: e2e-setup-core-wo-auth
+e2e-setup-core-wo-auth:
+	helm upgrade --install --create-namespace --namespace vela-system --set image.pullPolicy=IfNotPresent --set image.repository=vela-core-test --set applicationRevisionLimit=5 --set dependCheckWait=10s --set image.tag=$(GIT_COMMIT) --wait kubevela ./charts/vela-core
+
+.PHONY: e2e-setup-core-w-auth
+e2e-setup-core-w-auth:
+	helm upgrade --install --create-namespace --namespace vela-system --set image.pullPolicy=IfNotPresent --set image.repository=vela-core-test --set applicationRevisionLimit=5 --set dependCheckWait=10s --set image.tag=$(GIT_COMMIT) --wait kubevela ./charts/vela-core --set authentication.enabled=true --set authentication.withUser=true --set authentication.groupPattern=*
+
+.PHONY: e2e-setup-core
+e2e-setup-core: e2e-setup-core-pre-hook e2e-setup-core-wo-auth e2e-setup-core-post-hook
+
+.PHONY: e2e-setup-core-auth
+e2e-setup-core-auth: e2e-setup-core-pre-hook e2e-setup-core-w-auth e2e-setup-core-post-hook
+
 .PHONY: setup-runtime-e2e-cluster
 setup-runtime-e2e-cluster:
 	helm upgrade --install --create-namespace --namespace vela-system --kubeconfig=$(RUNTIME_CLUSTER_CONFIG) --set image.pullPolicy=IfNotPresent --set image.repository=vela-runtime-rollout-test --set image.tag=$(GIT_COMMIT) --wait vela-rollout ./runtime/rollout/charts
--- a/pkg/addon/addon.go
+++ b/pkg/addon/addon.go
@@ -1058,21 +1058,22 @@ func Convert2SecName(name string) string {

 // Installer helps addon enable, dependency-check, dispatch resources
 type Installer struct {
-	ctx          context.Context
-	config       *rest.Config
-	addon        *InstallPackage
-	cli          client.Client
-	apply        apply.Applicator
-	r            *Registry
-	registryMeta map[string]SourceMeta
-	args         map[string]interface{}
-	cache        *Cache
-	dc           *discovery.DiscoveryClient
+	ctx                 context.Context
+	config              *rest.Config
+	addon               *InstallPackage
+	cli                 client.Client
+	apply               apply.Applicator
+	r                   *Registry
+	registryMeta        map[string]SourceMeta
+	args                map[string]interface{}
+	cache               *Cache
+	dc                  *discovery.DiscoveryClient
+	skipVersionValidate bool
 }

 // NewAddonInstaller will create an installer for addon
-func NewAddonInstaller(ctx context.Context, cli client.Client, discoveryClient *discovery.DiscoveryClient, apply apply.Applicator, config *rest.Config, r *Registry, args map[string]interface{}, cache *Cache) Installer {
-	return Installer{
+func NewAddonInstaller(ctx context.Context, cli client.Client, discoveryClient *discovery.DiscoveryClient, apply apply.Applicator, config *rest.Config, r *Registry, args map[string]interface{}, cache *Cache, opts ...InstallOption) Installer {
+	i := Installer{
 		ctx:    ctx,
 		config: config,
 		cli:    cli,
@@ -1082,14 +1083,21 @@ func NewAddonInstaller(ctx context.Context, cli client.Client, discoveryClient *
 		cache:  cache,
 		dc:     discoveryClient,
 	}
+	for _, opt := range opts {
+		opt(&i)
+	}
+	return i
 }

 func (h *Installer) enableAddon(addon *InstallPackage) error {
 	var err error
 	h.addon = addon
-	err = checkAddonVersionMeetRequired(h.ctx, addon.SystemRequirements, h.cli, h.dc)
-	if err != nil {
-		return VersionUnMatchError{addonName: addon.Name, err: err}
+
+	if !h.skipVersionValidate {
+		err = checkAddonVersionMeetRequired(h.ctx, addon.SystemRequirements, h.cli, h.dc)
+		if err != nil {
+			return VersionUnMatchError{addonName: addon.Name, err: err}
+		}
 	}

 	if err = h.installDependency(addon); err != nil {
@@ -1445,10 +1453,23 @@ func checkSemVer(actual string, require string) (bool, error) {
 }

 func fetchVelaCoreImageTag(ctx context.Context, k8sClient client.Client) (string, error) {
-	deploy := &appsv1.Deployment{}
-	if err := k8sClient.Get(ctx, types2.NamespacedName{Namespace: types.DefaultKubeVelaNS, Name: types.KubeVelaControllerDeployment}, deploy); err != nil {
+	deployList := &appsv1.DeploymentList{}
+	if err := k8sClient.List(ctx, deployList, client.MatchingLabels{oam.LabelControllerName: oam.ApplicationControllerName}); err != nil {
 		return "", err
 	}
+	deploy := appsv1.Deployment{}
+	if len(deployList.Items) == 0 {
+		// backward compatible logic old version which vela-core controller has no this label
+		if err := k8sClient.Get(ctx, types2.NamespacedName{Namespace: types.DefaultKubeVelaNS, Name: types.KubeVelaControllerDeployment}, &deploy); err != nil {
+			if apierrors.IsNotFound(err) {
+				return "", errors.New("can't find a running KubeVela instance, please install it first")
+			}
+			return "", err
+		}
+	} else {
+		deploy = deployList.Items[0]
+	}
+
 	var tag string
 	for _, c := range deploy.Spec.Template.Spec.Containers {
 		if c.Name == types.DefaultKubeVelaReleaseName {
--- a/pkg/addon/addon_suite_test.go
+++ b/pkg/addon/addon_suite_test.go
@@ -196,7 +196,7 @@ var _ = Describe("Addon func test", func() {
 	It("fetchVelaCoreImageTag func test", func() {
 		deploy = appsv1.Deployment{}
 		tag, err := fetchVelaCoreImageTag(ctx, k8sClient)
-		Expect(err).Should(util.NotFoundMatcher{})
+		Expect(err).ShouldNot(BeNil())
 		Expect(tag).Should(BeEquivalentTo(""))

 		Expect(yaml.Unmarshal([]byte(deployYaml), &deploy)).Should(BeNil())
@@ -217,7 +217,7 @@ var _ = Describe("Addon func test", func() {

 	It("checkAddonVersionMeetRequired func test", func() {
 		deploy = appsv1.Deployment{}
-		Expect(checkAddonVersionMeetRequired(ctx, &SystemRequirements{VelaVersion: ">=v1.2.1"}, k8sClient, dc)).Should(util.NotFoundMatcher{})
+		Expect(checkAddonVersionMeetRequired(ctx, &SystemRequirements{VelaVersion: ">=v1.2.1"}, k8sClient, dc)).ShouldNot(BeNil())
 		Expect(yaml.Unmarshal([]byte(deployYaml), &deploy)).Should(BeNil())
 		deploy.SetNamespace(types.DefaultKubeVelaNS)
 		Expect(k8sClient.Create(ctx, &deploy)).Should(BeNil())
@@ -408,6 +408,8 @@ kind: Deployment
 metadata:
  name: kubevela-vela-core
  namespace: vela-system
+  labels:
+     controller.oam.dev/name: vela-core
 spec:
  progressDeadlineSeconds: 600
  replicas: 1
--- a/pkg/addon/addon_test.go
+++ b/pkg/addon/addon_test.go
@@ -33,6 +33,7 @@ import (
 	"github.com/crossplane/crossplane-runtime/pkg/test"
 	"github.com/google/go-github/v32/github"
 	"github.com/stretchr/testify/assert"
+	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -47,6 +48,7 @@ import (
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
 	"github.com/oam-dev/kubevela/apis/types"
+	"github.com/oam-dev/kubevela/pkg/oam"
 	version2 "github.com/oam-dev/kubevela/version"
 )

@@ -791,6 +793,33 @@ func TestCheckAddonVersionMeetRequired(t *testing.T) {
 		MockGet: test.NewMockGetFn(nil, func(obj client.Object) error {
 			return nil
 		}),
+		MockList: test.NewMockListFn(nil, func(obj client.ObjectList) error {
+			robj := obj.(*appsv1.DeploymentList)
+			list := &appsv1.DeploymentList{
+				Items: []appsv1.Deployment{
+					{
+						ObjectMeta: metav1.ObjectMeta{
+							Labels: map[string]string{
+								oam.LabelControllerName: oam.ApplicationControllerName,
+							},
+						},
+						Spec: appsv1.DeploymentSpec{
+							Template: corev1.PodTemplateSpec{
+								Spec: corev1.PodSpec{
+									Containers: []corev1.Container{
+										{
+											Image: "vela-core:v1.2.5",
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			}
+			list.DeepCopyInto(robj)
+			return nil
+		}),
 	}
 	ctx := context.Background()
 	assert.NoError(t, checkAddonVersionMeetRequired(ctx, &SystemRequirements{VelaVersion: ">=1.2.4"}, k8sClient, nil))
--- a/pkg/addon/example-1.0.1.tgz
+++ b/pkg/addon/example-1.0.1.tgz
--- a/pkg/addon/helper.go
+++ b/pkg/addon/helper.go
@@ -54,8 +54,8 @@ const (
 )

 // EnableAddon will enable addon with dependency check, source is where addon from.
-func EnableAddon(ctx context.Context, name string, version string, cli client.Client, discoveryClient *discovery.DiscoveryClient, apply apply.Applicator, config *rest.Config, r Registry, args map[string]interface{}, cache *Cache) error {
-	h := NewAddonInstaller(ctx, cli, discoveryClient, apply, config, &r, args, cache)
+func EnableAddon(ctx context.Context, name string, version string, cli client.Client, discoveryClient *discovery.DiscoveryClient, apply apply.Applicator, config *rest.Config, r Registry, args map[string]interface{}, cache *Cache, opts ...InstallOption) error {
+	h := NewAddonInstaller(ctx, cli, discoveryClient, apply, config, &r, args, cache, opts...)
 	pkg, err := h.loadInstallPackage(name, version)
 	if err != nil {
 		return err
@@ -93,7 +93,7 @@ func DisableAddon(ctx context.Context, cli client.Client, name string, config *r
 }

 // EnableAddonByLocalDir enable an addon from local dir
-func EnableAddonByLocalDir(ctx context.Context, name string, dir string, cli client.Client, dc *discovery.DiscoveryClient, applicator apply.Applicator, config *rest.Config, args map[string]interface{}) error {
+func EnableAddonByLocalDir(ctx context.Context, name string, dir string, cli client.Client, dc *discovery.DiscoveryClient, applicator apply.Applicator, config *rest.Config, args map[string]interface{}, opts ...InstallOption) error {
 	absDir, err := filepath.Abs(dir)
 	if err != nil {
 		return err
@@ -112,7 +112,7 @@ func EnableAddonByLocalDir(ctx context.Context, name string, dir string, cli cli
 	if err != nil {
 		return err
 	}
-	h := NewAddonInstaller(ctx, cli, dc, applicator, config, &Registry{Name: LocalAddonRegistryName}, args, nil)
+	h := NewAddonInstaller(ctx, cli, dc, applicator, config, &Registry{Name: LocalAddonRegistryName}, args, nil, opts...)
 	needEnableAddonNames, err := h.checkDependency(pkg)
 	if err != nil {
 		return err
--- a/pkg/addon/utils.go
+++ b/pkg/addon/utils.go
@@ -228,3 +228,11 @@ func usingAppsInfo(apps []v1beta1.Application) string {
 func IsVersionRegistry(r Registry) bool {
 	return r.Helm != nil
 }
+
+// InstallOption define additional option for installation
+type InstallOption func(installer *Installer)
+
+// SkipValidateVersion means skip validating system version
+func SkipValidateVersion(installer *Installer) {
+	installer.skipVersionValidate = true
+}
--- a/pkg/addon/versioned_registry.go
+++ b/pkg/addon/versioned_registry.go
@@ -23,6 +23,9 @@ import (

 	"sort"

+	"github.com/Masterminds/semver/v3"
+
+	"github.com/oam-dev/kubevela/pkg/apiserver/utils/log"
 	"github.com/oam-dev/kubevela/pkg/utils"
 	"github.com/oam-dev/kubevela/pkg/utils/common"
 	"github.com/oam-dev/kubevela/pkg/utils/helm"
@@ -128,19 +131,8 @@ func (i versionedRegistry) loadAddon(ctx context.Context, name, version string)
 	if len(versions) == 0 {
 		return nil, ErrNotExist
 	}
-	var addonVersion *repo.ChartVersion
 	sort.Sort(sort.Reverse(versions))
-	if len(version) == 0 {
-		// if not specify version will always use the latest version
-		addonVersion = versions[0]
-	}
-	var availableVersions []string
-	for i, v := range versions {
-		availableVersions = append(availableVersions, v.Version)
-		if v.Version == version {
-			addonVersion = versions[i]
-		}
-	}
+	addonVersion, availableVersions := chooseVersion(version, versions)
 	if addonVersion == nil {
 		return nil, fmt.Errorf("specified version %s not exist", version)
 	}
@@ -191,3 +183,32 @@ func loadAddonPackage(addonName string, files []*loader.BufferedFile) (*WholeAdd
 		APISchema:      addonUIData.APISchema,
 	}, nil
 }
+
+// chooseVersion will return the target version and all available versions
+func chooseVersion(specifiedVersion string, versions []*repo.ChartVersion) (*repo.ChartVersion, []string) {
+	var addonVersion *repo.ChartVersion
+	var availableVersions []string
+	for i, v := range versions {
+		availableVersions = append(availableVersions, v.Version)
+		if addonVersion != nil {
+			// already find the latest not-prerelease version, skip the find
+			continue
+		}
+		if len(specifiedVersion) != 0 {
+			if v.Version == specifiedVersion {
+				addonVersion = versions[i]
+			}
+		} else {
+			vv, err := semver.NewVersion(v.Version)
+			if err != nil {
+				continue
+			}
+			if len(vv.Prerelease()) != 0 {
+				continue
+			}
+			addonVersion = v
+			log.Logger.Infof("Not specified any version, so use the latest version %s", v.Version)
+		}
+	}
+	return addonVersion, availableVersions
+}
--- a/pkg/addon/versioned_registry_test.go
+++ b/pkg/addon/versioned_registry_test.go
@@ -27,6 +27,9 @@ import (
 	"testing"
 	"time"

+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/repo"
+
 	"github.com/oam-dev/kubevela/pkg/utils/common"

 	"github.com/stretchr/testify/assert"
@@ -98,6 +101,33 @@ func TestVersionRegistry(t *testing.T) {

 }

+func TestChooseAddonVersion(t *testing.T) {
+	versions := []*repo.ChartVersion{
+		{
+			Metadata: &chart.Metadata{
+				Version: "v1.4.0-beta1",
+			},
+		},
+		{
+			Metadata: &chart.Metadata{
+				Version: "v1.3.6",
+			},
+		},
+		{
+			Metadata: &chart.Metadata{
+				Version: "v1.2.0",
+			},
+		},
+	}
+	targetVersion, availableVersion := chooseVersion("v1.2.0", versions)
+	assert.Equal(t, availableVersion, []string{"v1.4.0-beta1", "v1.3.6", "v1.2.0"})
+	assert.Equal(t, targetVersion.Version, "v1.2.0")
+
+	targetVersion, availableVersion = chooseVersion("", versions)
+	assert.Equal(t, availableVersion, []string{"v1.4.0-beta1", "v1.3.6", "v1.2.0"})
+	assert.Equal(t, targetVersion.Version, "v1.3.6")
+}
+
 var versionedHandler http.HandlerFunc = func(writer http.ResponseWriter, request *http.Request) {
 	switch {
 	case strings.Contains(request.URL.Path, "index.yaml"):
--- a/pkg/apiserver/domain/model/user.go
+++ b/pkg/apiserver/domain/model/user.go
@@ -18,7 +18,6 @@ package model

 import (
 	"fmt"
-	"strings"
 	"time"

 	"github.com/form3tech-oss/jwt-go"
@@ -63,17 +62,17 @@ func (u *User) ShortTableName() string {

 // PrimaryKey return custom primary key
 func (u *User) PrimaryKey() string {
-	return verifyUserValue(u.Name)
+	return u.Name
 }

 // Index return custom index
 func (u *User) Index() map[string]string {
 	index := make(map[string]string)
 	if u.Name != "" {
-		index["name"] = verifyUserValue(u.Name)
+		index["name"] = u.Name
 	}
 	if u.Email != "" {
-		index["email"] = verifyUserValue(u.Email)
+		index["email"] = u.Email
 	}
 	return index
 }
@@ -99,14 +98,14 @@ func (u *ProjectUser) ShortTableName() string {

 // PrimaryKey return custom primary key
 func (u *ProjectUser) PrimaryKey() string {
-	return fmt.Sprintf("%s-%s", u.ProjectName, verifyUserValue(u.Username))
+	return fmt.Sprintf("%s-%s", u.ProjectName, u.Username)
 }

 // Index return custom index
 func (u *ProjectUser) Index() map[string]string {
 	index := make(map[string]string)
 	if u.Username != "" {
-		index["username"] = verifyUserValue(u.Username)
+		index["username"] = u.Username
 	}
 	if u.ProjectName != "" {
 		index["projectName"] = u.ProjectName
@@ -114,12 +113,6 @@ func (u *ProjectUser) Index() map[string]string {
 	return index
 }

-func verifyUserValue(v string) string {
-	s := strings.ReplaceAll(v, "@", "-")
-	s = strings.ReplaceAll(s, " ", "-")
-	return strings.ToLower(s)
-}
-
 // CustomClaims is the custom claims
 type CustomClaims struct {
 	Username  string `json:"username"`
--- a/pkg/apiserver/domain/model/workflow.go
+++ b/pkg/apiserver/domain/model/workflow.go
@@ -29,6 +29,12 @@ func init() {
 	RegisterModel(&WorkflowRecord{})
 }

+// Finished means the workflow record is finished
+const Finished = "true"
+
+// UnFinished means the workflow record is not finished
+const UnFinished = "false"
+
 // Workflow application delivery database model
 type Workflow struct {
 	BaseModel
--- a/pkg/apiserver/domain/repository/application.go
+++ b/pkg/apiserver/domain/repository/application.go
@@ -0,0 +1,97 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package repository
+
+import (
+	"context"
+	"errors"
+
+	"github.com/oam-dev/kubevela/pkg/apiserver/domain/model"
+	"github.com/oam-dev/kubevela/pkg/apiserver/infrastructure/datastore"
+	"github.com/oam-dev/kubevela/pkg/apiserver/utils/log"
+)
+
+// ListApplicationPolicies query the application policies
+func ListApplicationPolicies(ctx context.Context, store datastore.DataStore, app *model.Application) (list []*model.ApplicationPolicy, err error) {
+	var policy = model.ApplicationPolicy{
+		AppPrimaryKey: app.PrimaryKey(),
+	}
+	policies, err := store.List(ctx, &policy, &datastore.ListOptions{})
+	if err != nil {
+		return nil, err
+	}
+	for _, policy := range policies {
+		pm := policy.(*model.ApplicationPolicy)
+		list = append(list, pm)
+	}
+	return
+}
+
+// ListApplicationEnvPolicies list the policies that only belong to the specified env
+func ListApplicationEnvPolicies(ctx context.Context, store datastore.DataStore, app *model.Application, envName string) (list []*model.ApplicationPolicy, err error) {
+	var policy = model.ApplicationPolicy{
+		AppPrimaryKey: app.PrimaryKey(),
+		EnvName:       envName,
+	}
+	policies, err := store.List(ctx, &policy, &datastore.ListOptions{})
+	if err != nil {
+		return nil, err
+	}
+	for _, policy := range policies {
+		pm := policy.(*model.ApplicationPolicy)
+		list = append(list, pm)
+	}
+	return
+}
+
+// ListApplicationCommonPolicies list the policies that common to all environments
+func ListApplicationCommonPolicies(ctx context.Context, store datastore.DataStore, app *model.Application) (list []*model.ApplicationPolicy, err error) {
+	var policy = model.ApplicationPolicy{
+		AppPrimaryKey: app.PrimaryKey(),
+	}
+	policies, err := store.List(ctx, &policy, &datastore.ListOptions{
+		FilterOptions: datastore.FilterOptions{
+			IsNotExist: []datastore.IsNotExistQueryOption{{
+				Key: "envName",
+			}},
+		},
+	})
+	if err != nil {
+		return nil, err
+	}
+	for _, policy := range policies {
+		pm := policy.(*model.ApplicationPolicy)
+		list = append(list, pm)
+	}
+	return
+}
+
+// DeleteApplicationEnvPolicies delete the policies via app name and env name
+func DeleteApplicationEnvPolicies(ctx context.Context, store datastore.DataStore, app *model.Application, envName string) error {
+	log.Logger.Debugf("clear the policies via app name %s and env name %s", app.PrimaryKey(), envName)
+	policies, err := ListApplicationEnvPolicies(ctx, store, app, envName)
+	if err != nil {
+		return err
+	}
+	for _, policy := range policies {
+		if err := store.Delete(ctx, policy); err != nil && !errors.Is(err, datastore.ErrRecordNotExist) {
+			log.Logger.Errorf("fail to clear the policies belong to the env %w", err)
+			continue
+		}
+	}
+	return nil
+}
--- a/pkg/apiserver/domain/repository/workflow.go
+++ b/pkg/apiserver/domain/repository/workflow.go
@@ -457,13 +457,13 @@ func HaveTerraformWorkload(ctx context.Context, kubeClient client.Client, compon
 	return terraformComponents
 }

-func createOverriteConfigForTerraformComponent(env *model.Env, target *model.Target, terraformComponents []*model.ApplicationComponent) v1alpha1.EnvConfig {
+func createOverrideConfigForTerraformComponent(env *model.Env, target *model.Target, terraformComponents []*model.ApplicationComponent) v1alpha1.EnvConfig {
 	placement := v1alpha1.EnvPlacement{}
 	if target.Cluster != nil {
 		placement.ClusterSelector = &common.ClusterSelector{Name: target.Cluster.ClusterName}
 		placement.NamespaceSelector = &v1alpha1.NamespaceSelector{Name: target.Cluster.Namespace}
 	}
-	var componentPatchs []v1alpha1.EnvComponentPatch
+	var componentPatches []v1alpha1.EnvComponentPatch
 	// init cloud application region and provider info
 	for _, component := range terraformComponents {
 		properties := model.JSONStruct{
@@ -476,7 +476,7 @@ func createOverriteConfigForTerraformComponent(env *model.Env, target *model.Tar
 			},
 		}
 		if region, ok := target.Variable["region"]; ok {
-			properties["region"] = region
+			properties["customRegion"] = region
 		}
 		if providerName, ok := target.Variable["providerName"]; ok {
 			properties["providerRef"].(map[string]interface{})["name"] = providerName
@@ -484,7 +484,7 @@ func createOverriteConfigForTerraformComponent(env *model.Env, target *model.Tar
 		if providerNamespace, ok := target.Variable["providerNamespace"]; ok {
 			properties["providerRef"].(map[string]interface{})["namespace"] = providerNamespace
 		}
-		componentPatchs = append(componentPatchs, v1alpha1.EnvComponentPatch{
+		componentPatches = append(componentPatches, v1alpha1.EnvComponentPatch{
 			Name:       component.Name,
 			Properties: properties.RawExtension(),
 			Type:       component.Type,
@@ -495,7 +495,7 @@ func createOverriteConfigForTerraformComponent(env *model.Env, target *model.Tar
 		Name:      genPolicyEnvName(target.Name),
 		Placement: placement,
 		Patch: v1alpha1.EnvPatch{
-			Components: componentPatchs,
+			Components: componentPatches,
 		},
 	}
 }
@@ -543,7 +543,7 @@ func GenEnvWorkflowStepsAndPolicies(ctx context.Context, kubeClient client.Clien
 				}),
 			}
 			workflowSteps = append(workflowSteps, step)
-			envs = append(envs, createOverriteConfigForTerraformComponent(env, target, terraformComponents))
+			envs = append(envs, createOverrideConfigForTerraformComponent(env, target, terraformComponents))
 		}
 		properties, err := model.NewJSONStructByStruct(v1alpha1.EnvBindingSpec{
 			Envs: envs,
--- a/pkg/apiserver/domain/service/application.go
+++ b/pkg/apiserver/domain/service/application.go
@@ -244,7 +244,7 @@ func (c *applicationServiceImpl) DetailApplication(ctx context.Context, app *mod
 		}
 	}
 	base := assembler.ConvertAppModelToBase(app, []*apisv1.ProjectBase{project})
-	policies, err := c.queryApplicationPolicies(ctx, app)
+	policies, err := repository.ListApplicationPolicies(ctx, c.Store, app)
 	if err != nil {
 		return nil, err
 	}
@@ -507,14 +507,14 @@ func (c *applicationServiceImpl) UpdateApplication(ctx context.Context, app *mod
 func (c *applicationServiceImpl) ListRecords(ctx context.Context, appName string) (*apisv1.ListWorkflowRecordsResponse, error) {
 	var record = model.WorkflowRecord{
 		AppPrimaryKey: appName,
-		Finished:      "false",
+		Finished:      model.UnFinished,
 	}
 	records, err := c.Store.List(ctx, &record, &datastore.ListOptions{})
 	if err != nil {
 		return nil, err
 	}
 	if len(records) == 0 {
-		record.Finished = "true"
+		record.Finished = model.Finished
 		records, err = c.Store.List(ctx, &record, &datastore.ListOptions{
 			Page:     1,
 			PageSize: 1,
@@ -589,7 +589,7 @@ func (c *applicationServiceImpl) DetailComponent(ctx context.Context, app *model

 // ListPolicies list application policies
 func (c *applicationServiceImpl) ListPolicies(ctx context.Context, app *model.Application) ([]*apisv1.PolicyBase, error) {
-	policies, err := c.queryApplicationPolicies(ctx, app)
+	policies, err := repository.ListApplicationPolicies(ctx, c.Store, app)
 	if err != nil {
 		return nil, err
 	}
@@ -600,21 +600,6 @@ func (c *applicationServiceImpl) ListPolicies(ctx context.Context, app *model.Ap
 	return list, nil
 }

-func (c *applicationServiceImpl) queryApplicationPolicies(ctx context.Context, app *model.Application) (list []*model.ApplicationPolicy, err error) {
-	var policy = model.ApplicationPolicy{
-		AppPrimaryKey: app.PrimaryKey(),
-	}
-	policies, err := c.Store.List(ctx, &policy, &datastore.ListOptions{})
-	if err != nil {
-		return nil, err
-	}
-	for _, policy := range policies {
-		pm := policy.(*model.ApplicationPolicy)
-		list = append(list, pm)
-	}
-	return
-}
-
 // DetailPolicy detail app policy
 // TODO: Add status data about the policy.
 func (c *applicationServiceImpl) DetailPolicy(ctx context.Context, app *model.Application, policyName string) (*apisv1.DetailPolicyResponse, error) {
@@ -853,22 +838,11 @@ func (c *applicationServiceImpl) renderOAMApplication(ctx context.Context, appMo
 	}

 	// query the policies for this environment
-	var policy = model.ApplicationPolicy{
-		AppPrimaryKey: appModel.PrimaryKey(),
-	}
-	policies, err := c.Store.List(ctx, &policy, &datastore.ListOptions{
-		FilterOptions: datastore.FilterOptions{
-			IsNotExist: []datastore.IsNotExistQueryOption{{
-				Key: "envName",
-			},
-			},
-		},
-	})
+	policies, err := repository.ListApplicationCommonPolicies(ctx, c.Store, appModel)
 	if err != nil {
 		return nil, err
 	}
-	policy.EnvName = env.Name
-	envPolicies, err := c.Store.List(ctx, &policy, &datastore.ListOptions{})
+	envPolicies, err := repository.ListApplicationEnvPolicies(ctx, c.Store, appModel, env.Name)
 	if err != nil {
 		return nil, err
 	}
@@ -903,8 +877,7 @@ func (c *applicationServiceImpl) renderOAMApplication(ctx context.Context, appMo
 		app.Spec.Components = append(app.Spec.Components, bc)
 	}

-	for _, entity := range policies {
-		policy := entity.(*model.ApplicationPolicy)
+	for _, policy := range policies {
 		appPolicy := v1beta1.AppPolicy{
 			Name: policy.Name,
 			Type: policy.Type,
--- a/pkg/apiserver/domain/service/application_test.go
+++ b/pkg/apiserver/domain/service/application_test.go
@@ -40,7 +40,6 @@ import (
 	"github.com/oam-dev/kubevela/pkg/apiserver/domain/repository"
 	"github.com/oam-dev/kubevela/pkg/apiserver/infrastructure/datastore"
 	v1 "github.com/oam-dev/kubevela/pkg/apiserver/interfaces/api/dto/v1"
-	"github.com/oam-dev/kubevela/pkg/apiserver/utils"
 	"github.com/oam-dev/kubevela/pkg/apiserver/utils/bcode"
 	"github.com/oam-dev/kubevela/pkg/oam"
 	"github.com/oam-dev/kubevela/pkg/oam/util"
@@ -78,7 +77,7 @@ var _ = Describe("Test application service function", func() {
 		projectService = &projectServiceImpl{Store: ds, K8sClient: k8sClient, RbacService: rbacService}
 		envService = &envServiceImpl{Store: ds, KubeClient: k8sClient, ProjectService: projectService}
 		workflowService = &workflowServiceImpl{Store: ds, EnvService: envService}
-		definitionService = &definitionServiceImpl{KubeClient: k8sClient, caches: utils.NewMemoryCacheStore(context.Background())}
+		definitionService = &definitionServiceImpl{KubeClient: k8sClient}
 		envBindingService = &envBindingServiceImpl{Store: ds, EnvService: envService, WorkflowService: workflowService, KubeClient: k8sClient, DefinitionService: definitionService}
 		targetService = &targetServiceImpl{Store: ds, K8sClient: k8sClient}
 		appService = &applicationServiceImpl{
--- a/pkg/apiserver/domain/service/cluster_test.go
+++ b/pkg/apiserver/domain/service/cluster_test.go
@@ -60,7 +60,10 @@ var _ = Describe("Test cluster service function", func() {
 		secret.Name = name
 		secret.Namespace = prismclusterv1alpha1.StorageNamespace
 		secret.SetAnnotations(map[string]string{prismclusterv1alpha1.AnnotationClusterAlias: alias})
-		secret.SetLabels(map[string]string{clustergatewaycommon.LabelKeyClusterCredentialType: string(clustergatewayv1alpha1.CredentialTypeX509Certificate)})
+		secret.SetLabels(map[string]string{
+			clustergatewaycommon.LabelKeyClusterEndpointType:   string(clustergatewayv1alpha1.ClusterEndpointTypeConst),
+			clustergatewaycommon.LabelKeyClusterCredentialType: string(clustergatewayv1alpha1.CredentialTypeX509Certificate),
+		})
 		time.Sleep(time.Second)
 		return k8sClient.Create(ctx, secret)
 	}
--- a/pkg/apiserver/domain/service/definition.go
+++ b/pkg/apiserver/domain/service/definition.go
@@ -21,7 +21,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"sort"
-	"time"

 	"github.com/getkin/kin-openapi/openapi3"
 	"github.com/pkg/errors"
@@ -53,9 +52,11 @@ type DefinitionService interface {
 	UpdateDefinitionStatus(ctx context.Context, name string, status apisv1.UpdateDefinitionStatusRequest) (*apisv1.DetailDefinitionResponse, error)
 }

+// DefinitionHidden means the definition can not be used in VelaUX
+const DefinitionHidden = "true"
+
 type definitionServiceImpl struct {
 	KubeClient client.Client `inject:"kubeClient"`
-	caches     *utils.MemoryCacheStore
 }

 // DefinitionQueryOption define a set of query options
@@ -80,7 +81,7 @@ const (

 // NewDefinitionService new definition service
 func NewDefinitionService() DefinitionService {
-	return &definitionServiceImpl{caches: utils.NewMemoryCacheStore(context.Background())}
+	return &definitionServiceImpl{}
 }

 func (d *definitionServiceImpl) ListDefinitions(ctx context.Context, ops DefinitionQueryOption) ([]*apisv1.DefinitionBase, error) {
@@ -95,9 +96,6 @@ func (d *definitionServiceImpl) ListDefinitions(ctx context.Context, ops Definit
 }

 func (d *definitionServiceImpl) listDefinitions(ctx context.Context, list *unstructured.UnstructuredList, kind string, ops DefinitionQueryOption) ([]*apisv1.DefinitionBase, error) {
-	if mc := d.caches.Get(ops.String()); mc != nil {
-		return mc.([]*apisv1.DefinitionBase), nil
-	}
 	matchLabels := metav1.LabelSelector{
 		MatchExpressions: []metav1.LabelSelectorRequirement{
 			{
@@ -146,9 +144,6 @@ func (d *definitionServiceImpl) listDefinitions(ctx context.Context, list *unstr
 		}
 		defs = append(defs, definition)
 	}
-	if ops.AppliedWorkloads == "" {
-		d.caches.Put(ops.String(), defs, time.Minute*3)
-	}
 	return defs, nil
 }

@@ -240,30 +235,27 @@ func (d *definitionServiceImpl) DetailDefinition(ctx context.Context, name, defT
 	if err := d.KubeClient.Get(ctx, k8stypes.NamespacedName{
 		Namespace: types.DefaultKubeVelaNS,
 		Name:      fmt.Sprintf("%s-schema-%s", defType, name),
-	}, &cm); err != nil {
-		if apierrors.IsNotFound(err) {
-			return nil, bcode.ErrDefinitionNoSchema
-		}
+	}, &cm); err != nil && !apierrors.IsNotFound(err) {
 		return nil, err
 	}

-	data, ok := cm.Data[types.OpenapiV3JSONSchema]
-	if !ok {
-		return nil, bcode.ErrDefinitionNoSchema
-	}
-	schema := &openapi3.Schema{}
-	if err := schema.UnmarshalJSON([]byte(data)); err != nil {
-		return nil, err
-	}
-	// render default ui schema
-	defaultUISchema := renderDefaultUISchema(schema)
-	// patch from custom ui schema
-	customUISchema := d.renderCustomUISchema(ctx, name, defType, defaultUISchema)
-	return &apisv1.DetailDefinitionResponse{
+	definition := &apisv1.DetailDefinitionResponse{
 		DefinitionBase: *base,
-		APISchema:      schema,
-		UISchema:       customUISchema,
-	}, nil
+	}
+	data, ok := cm.Data[types.OpenapiV3JSONSchema]
+	if ok {
+		schema := &openapi3.Schema{}
+		if err := schema.UnmarshalJSON([]byte(data)); err != nil {
+			return nil, err
+		}
+		definition.APISchema = schema
+		// render default ui schema
+		defaultUISchema := renderDefaultUISchema(schema)
+		// patch from custom ui schema
+		definition.UISchema = d.renderCustomUISchema(ctx, name, defType, defaultUISchema)
+	}
+
+	return definition, nil
 }

 func (d *definitionServiceImpl) renderCustomUISchema(ctx context.Context, name, defType string, defaultSchema []*utils.UIParameter) []*utils.UIParameter {
@@ -355,7 +347,7 @@ func (d *definitionServiceImpl) UpdateDefinitionStatus(ctx context.Context, name
 	}
 	if !exist && update.HiddenInUI {
 		labels := def.GetLabels()
-		labels[types.LabelDefinitionHidden] = "true"
+		labels[types.LabelDefinitionHidden] = DefinitionHidden
 		def.SetLabels(labels)
 		if err := d.KubeClient.Update(ctx, def); err != nil {
 			return nil, err
--- a/pkg/apiserver/domain/service/definition_test.go
+++ b/pkg/apiserver/domain/service/definition_test.go
@@ -44,7 +44,7 @@ var _ = Describe("Test namespace service functions", func() {
 	)

 	BeforeEach(func() {
-		definitionService = &definitionServiceImpl{KubeClient: k8sClient, caches: utils.NewMemoryCacheStore(context.TODO())}
+		definitionService = &definitionServiceImpl{KubeClient: k8sClient}
 		err := k8sClient.Create(context.Background(), &corev1.Namespace{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "vela-system",
@@ -215,7 +215,6 @@ var _ = Describe("Test namespace service functions", func() {
 	It("Test update ui schema", func() {
 		du := &definitionServiceImpl{
 			KubeClient: k8sClient,
-			caches:     utils.NewMemoryCacheStore(context.Background()),
 		}
 		cdata, err := ioutil.ReadFile("./testdata/workflowstep-apply-object.yaml")
 		Expect(err).Should(Succeed())
@@ -235,7 +234,6 @@ var _ = Describe("Test namespace service functions", func() {
 	It("Test update status of the definition", func() {
 		du := &definitionServiceImpl{
 			KubeClient: k8sClient,
-			caches:     utils.NewMemoryCacheStore(context.Background()),
 		}
 		detail, err := du.UpdateDefinitionStatus(context.TODO(), "apply-object", v1.UpdateDefinitionStatusRequest{
 			DefinitionType: "workflowstep",
--- a/pkg/apiserver/domain/service/envbinding.go
+++ b/pkg/apiserver/domain/service/envbinding.go
@@ -204,10 +204,7 @@ func (e *envBindingServiceImpl) DeleteEnvBinding(ctx context.Context, appModel *
 	}

 	// delete the topology and env-bindings policies
-	if err := e.Store.Delete(ctx, &model.ApplicationPolicy{AppPrimaryKey: appModel.PrimaryKey(), EnvName: envName}); err != nil && !errors.Is(err, datastore.ErrRecordNotExist) {
-		return fmt.Errorf("fail to clear the policies belong to the env %w", err)
-	}
-	return nil
+	return repository.DeleteApplicationEnvPolicies(ctx, e.Store, appModel, envName)
 }

 func (e *envBindingServiceImpl) BatchDeleteEnvBinding(ctx context.Context, app *model.Application) error {
--- a/pkg/apiserver/domain/service/envbinding_test.go
+++ b/pkg/apiserver/domain/service/envbinding_test.go
@@ -27,7 +27,6 @@ import (
 	"github.com/oam-dev/kubevela/pkg/apiserver/domain/repository"
 	"github.com/oam-dev/kubevela/pkg/apiserver/infrastructure/datastore"
 	apisv1 "github.com/oam-dev/kubevela/pkg/apiserver/interfaces/api/dto/v1"
-	"github.com/oam-dev/kubevela/pkg/apiserver/utils"
 )

 var _ = Describe("Test envBindingService functions", func() {
@@ -54,7 +53,7 @@ var _ = Describe("Test envBindingService functions", func() {
 		projectService := &projectServiceImpl{Store: ds, K8sClient: k8sClient, RbacService: rbacService}
 		envService = &envServiceImpl{Store: ds, KubeClient: k8sClient, ProjectService: projectService}
 		workflowService = &workflowServiceImpl{Store: ds, KubeClient: k8sClient, EnvService: envService}
-		definitionService = &definitionServiceImpl{KubeClient: k8sClient, caches: utils.NewMemoryCacheStore(context.TODO())}
+		definitionService = &definitionServiceImpl{KubeClient: k8sClient}
 		envBindingService = &envBindingServiceImpl{Store: ds, WorkflowService: workflowService, DefinitionService: definitionService, KubeClient: k8sClient, EnvService: envService}
 		envBindingDemo1 = apisv1.EnvBinding{
 			Name: "envbinding-dev",
@@ -99,7 +98,7 @@ var _ = Describe("Test envBindingService functions", func() {
 		Expect(err).Should(BeNil())
 		Expect(cmp.Diff(base.Name, req.Name)).Should(BeEmpty())

-		By("auto create two workflow")
+		By("test the auto created workflow")
 		workflow, err := workflowService.GetWorkflow(context.TODO(), testApp, repository.ConvertWorkflowName("envbinding-dev"))
 		Expect(err).Should(BeNil())
 		Expect(cmp.Diff(workflow.Steps[0].Name, "dev-target")).Should(BeEmpty())
@@ -139,15 +138,19 @@ var _ = Describe("Test envBindingService functions", func() {
 		Expect(err).Should(BeNil())
 		_, err = workflowService.GetWorkflow(context.TODO(), testApp, repository.ConvertWorkflowName("envbinding-dev"))
 		Expect(err).ShouldNot(BeNil())
+
 		err = envBindingService.DeleteEnvBinding(context.TODO(), testApp, "envbinding-prod")
 		Expect(err).Should(BeNil())
 		_, err = workflowService.GetWorkflow(context.TODO(), testApp, repository.ConvertWorkflowName("envbinding-prod"))
 		Expect(err).ShouldNot(BeNil())
+		policies, err := repository.ListApplicationPolicies(context.TODO(), ds, testApp)
+		Expect(err).Should(BeNil())
+		Expect(len(policies)).Should(Equal(0))
 	})

 	It("Test Application BatchCreateEnv function", func() {
 		testBatchApp := &model.Application{
-			Name: "test-batch-createt",
+			Name: "test-batch-created",
 		}
 		err := envBindingService.BatchCreateEnvBinding(context.TODO(), testBatchApp, apisv1.EnvBindingList{&envBindingDemo1, &envBindingDemo2})
 		Expect(err).Should(BeNil())
--- a/pkg/apiserver/domain/service/image.go
+++ b/pkg/apiserver/domain/service/image.go
@@ -0,0 +1,228 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package service
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/google/go-containerregistry/pkg/v1/remote/transport"
+
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/oam-dev/kubevela/apis/types"
+	v1 "github.com/oam-dev/kubevela/pkg/apiserver/interfaces/api/dto/v1"
+	"github.com/oam-dev/kubevela/pkg/apiserver/utils/log"
+)
+
+// NewImageService create a image service instance
+func NewImageService() ImageService {
+	return &imageImpl{}
+}
+
+// ImageService the image service provide some handler functions about the docker image
+type ImageService interface {
+	ListImageRepos(ctx context.Context, project string) ([]v1.ImageRegistry, error)
+	GetImageInfo(ctx context.Context, project, secretName, imageName string) v1.ImageInfo
+}
+
+type imageImpl struct {
+	K8sClient client.Client `inject:"kubeClient"`
+}
+
+// ListImageRepos list the image repositories via user configuration
+func (i *imageImpl) ListImageRepos(ctx context.Context, project string) ([]v1.ImageRegistry, error) {
+	var secrets corev1.SecretList
+	if err := i.K8sClient.List(ctx, &secrets, client.InNamespace(types.DefaultKubeVelaNS),
+		client.MatchingLabels{
+			types.LabelConfigCatalog: types.VelaCoreConfig,
+			types.LabelConfigType:    types.ImageRegistry,
+		}); err != nil {
+		return nil, err
+	}
+	var repos []v1.ImageRegistry
+	for _, secret := range secrets.Items {
+		if secret.Labels[types.LabelConfigProject] == "" || secret.Labels[types.LabelConfigProject] == project {
+			repos = append(repos, v1.ImageRegistry{
+				Name:       secret.Name,
+				SecretName: secret.Name,
+				Domain:     secret.Labels[types.LabelConfigIdentifier],
+			})
+		}
+	}
+	return repos, nil
+}
+
+// GetImageInfo get the image info from image registry
+func (i *imageImpl) GetImageInfo(ctx context.Context, project, secretName, imageName string) v1.ImageInfo {
+	var imageInfo = v1.ImageInfo{
+		Name: imageName,
+	}
+	ref, err := name.ParseReference(imageName)
+	if err != nil {
+		imageInfo.Message = "The image name is invalid"
+		return imageInfo
+	}
+	registryDomain := ref.Context().RegistryStr()
+	imageInfo.Registry = registryDomain
+	var secrets corev1.SecretList
+	if err := i.K8sClient.List(ctx, &secrets, client.InNamespace(types.DefaultKubeVelaNS),
+		client.MatchingLabels{
+			types.LabelConfigCatalog:    types.VelaCoreConfig,
+			types.LabelConfigType:       types.ImageRegistry,
+			types.LabelConfigIdentifier: registryDomain,
+		}); err != nil {
+		log.Logger.Warnf("fail to list the docker registries, %s", err.Error())
+	}
+	var selectSecret []*corev1.Secret
+	var selectSecretNames []string
+	// get info with specified secret
+	if secretName != "" {
+		for i, secret := range secrets.Items {
+			if secret.Labels[types.LabelConfigProject] == "" || secret.Labels[types.LabelConfigProject] == project {
+				if secretName == secret.Name {
+					selectSecret = append(selectSecret, &secrets.Items[i])
+					selectSecretNames = append(selectSecretNames, secret.Name)
+					break
+				}
+			}
+		}
+	}
+
+	// get info with the secret which match the registry domain
+	if selectSecret == nil {
+		for i, secret := range secrets.Items {
+			if secret.Labels[types.LabelConfigProject] == "" || secret.Labels[types.LabelConfigProject] == project {
+				if secret.Labels[types.LabelConfigIdentifier] == registryDomain {
+					selectSecret = append(selectSecret, &secrets.Items[i])
+					selectSecretNames = append(selectSecretNames, secret.Name)
+				}
+			}
+		}
+	}
+	var username, password string
+	var insecure = false
+	var useHTTP = false
+	imageInfo.SecretNames = selectSecretNames
+	if len(selectSecret) > 0 {
+		insecure, useHTTP, username, password = getAccountFromSecret(*selectSecret[0], registryDomain)
+	}
+	err = getImageInfo(imageName, insecure, useHTTP, username, password, &imageInfo)
+	if err != nil {
+		imageInfo.Message = fmt.Sprintf("Fail to get the image info:%s", err.Error())
+	}
+	return imageInfo
+}
+
+// getAccountFromSecret get the username and password from the secret of `kubernetes.io/dockerconfigjson` type
+// refer: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+func getAccountFromSecret(secret corev1.Secret, registryDomain string) (insecure, useHTTP bool, username, password string) {
+	if secret.Data != nil {
+		// If users use the self-signed certificate, enable the insecure-skip-verify
+		insecure = string(secret.Data["insecure-skip-verify"]) == "true"
+		useHTTP = string(secret.Data["protocol-use-http"]) == "true"
+		conf := secret.Data[".dockerconfigjson"]
+		if len(conf) > 0 {
+			var authConfig map[string]map[string]map[string]string
+			if err := json.Unmarshal(conf, &authConfig); err != nil {
+				log.Logger.Warnf("fail to unmarshal the secret %s , %s", secret.Name, err.Error())
+				return
+			}
+			if authConfig != nil && authConfig["auths"] != nil && authConfig["auths"][registryDomain] != nil {
+				data := authConfig["auths"][registryDomain]
+				username = data["username"]
+				password = data["password"]
+			}
+		}
+	}
+	return
+}
+
+func getImageInfo(imageName string, insecure, useHTTP bool, username, password string, info *v1.ImageInfo) error {
+	var options []remote.Option
+	if username != "" || password != "" {
+		basic := &authn.Basic{
+			Username: username,
+			Password: password,
+		}
+		options = append(options, remote.WithAuth(basic))
+	}
+	if insecure {
+		options = append(options, remote.WithTransport(&http.Transport{
+			Proxy: http.ProxyFromEnvironment,
+			DialContext: (&net.Dialer{
+				// By default we wrap the transport in retries, so reduce the
+				// default dial timeout to 5s to avoid 5x 30s of connection
+				// timeouts when doing the "ping" on certain http registries.
+				Timeout:   5 * time.Second,
+				KeepAlive: 30 * time.Second,
+			}).DialContext,
+			ForceAttemptHTTP2:     true,
+			MaxIdleConns:          100,
+			IdleConnTimeout:       90 * time.Second,
+			TLSHandshakeTimeout:   10 * time.Second,
+			ExpectContinueTimeout: 1 * time.Second,
+			// #nosec G402
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: insecure},
+		}))
+	}
+
+	var parseOptions []name.Option
+	if useHTTP {
+		parseOptions = append(parseOptions, name.Insecure)
+	}
+	var err error
+	ref, err := name.ParseReference(imageName, parseOptions...)
+	if err != nil {
+		return err
+	}
+	image, err := remote.Image(ref, options...)
+	if err != nil {
+		if strings.Contains(err.Error(), "incorrect username or password") {
+			return fmt.Errorf("incorrect username or password")
+		}
+		var terr *transport.Error
+		if errors.As(err, &terr) {
+			fmt.Println(terr)
+		}
+		return err
+	}
+	info.Manifest, err = image.Manifest()
+	if err != nil {
+		return fmt.Errorf("fail to get the manifest:%w", err)
+	}
+	info.Info, err = image.ConfigFile()
+	if err != nil {
+		return fmt.Errorf("fail to get the config:%w", err)
+	}
+	for _, l := range info.Manifest.Layers {
+		info.Size += l.Size
+	}
+	info.Size += info.Manifest.Config.Size
+	return nil
+}
--- a/pkg/apiserver/domain/service/image_test.go
+++ b/pkg/apiserver/domain/service/image_test.go
@@ -0,0 +1,67 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package service
+
+import (
+	"testing"
+
+	"gotest.tools/assert"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	velatypes "github.com/oam-dev/kubevela/apis/types"
+	v1 "github.com/oam-dev/kubevela/pkg/apiserver/interfaces/api/dto/v1"
+)
+
+func TestGetImageInfo(t *testing.T) {
+
+	s2 := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "s2",
+			Namespace: velatypes.DefaultKubeVelaNS,
+			Labels: map[string]string{
+				velatypes.LabelConfigCatalog:    velatypes.VelaCoreConfig,
+				velatypes.LabelConfigType:       velatypes.ImageRegistry,
+				velatypes.LabelConfigProject:    "",
+				velatypes.LabelConfigIdentifier: "index.docker.io",
+			},
+		},
+		Data: map[string][]byte{
+			"insecure-skip-verify": []byte("true"),
+			".dockerconfigjson":    []byte(`{"auths":{"index.docker.io":{"auth":"aHlicmlkY2xvdWRAcHJvZC5YTEyMw==","username":"xxx","password":"yyy"}}}`),
+		},
+	}
+
+	insecure, useHTTP, user, pass := getAccountFromSecret(*s2, "index.docker.io")
+	assert.DeepEqual(t, user, "xxx")
+	assert.DeepEqual(t, pass, "yyy")
+	assert.DeepEqual(t, insecure, true)
+	assert.DeepEqual(t, useHTTP, false)
+
+	var cf v1.ImageInfo
+	// Test the public image
+	err := getImageInfo("nginx", false, false, "", "", &cf)
+	assert.DeepEqual(t, err, nil)
+	assert.DeepEqual(t, cf.Info.Config.Entrypoint, []string{"/docker-entrypoint.sh"})
+
+	// Test the private image
+	err = getImageInfo("nginx424ru823-should-not-existed", false, false, "abc", "efg", &cf)
+	assert.DeepEqual(t, err.Error(), "incorrect username or password")
+
+	err = getImageInfo("text.registry/test-image", false, false, "", "", &cf)
+	assert.DeepEqual(t, err != nil, true)
+}
--- a/pkg/apiserver/domain/service/project.go
+++ b/pkg/apiserver/domain/service/project.go
@@ -18,15 +18,12 @@ package service

 import (
 	"context"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"strings"

-	"github.com/google/go-containerregistry/pkg/name"
 	terraformtypes "github.com/oam-dev/terraform-controller/api/types"
 	terraformapi "github.com/oam-dev/terraform-controller/api/v1beta1"
-	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/klog/v2"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -41,7 +38,6 @@ import (
 	"github.com/oam-dev/kubevela/pkg/apiserver/utils/bcode"
 	"github.com/oam-dev/kubevela/pkg/apiserver/utils/log"
 	"github.com/oam-dev/kubevela/pkg/multicluster"
-	image "github.com/oam-dev/kubevela/pkg/utils/imageregistry"
 )

 // ProjectService project manage service.
@@ -59,7 +55,6 @@ type ProjectService interface {
 	UpdateProjectUser(ctx context.Context, projectName string, userName string, req apisv1.UpdateProjectUserRequest) (*apisv1.ProjectUserBase, error)
 	Init(ctx context.Context) error
 	GetConfigs(ctx context.Context, projectName, configType string) ([]*apisv1.Config, error)
-	ValidateImage(ctx context.Context, projectName, image string) (*apisv1.ImageResponse, error)
 }

 type projectServiceImpl struct {
@@ -623,57 +618,3 @@ func retrieveConfigFromApplication(a v1beta1.Application, project string) *apisv
 		Description:       a.Annotations[types.AnnotationConfigDescription],
 	}
 }
-
-func (p *projectServiceImpl) ValidateImage(ctx context.Context, projectName, image string) (*apisv1.ImageResponse, error) {
-	return validateImage(ctx, p.K8sClient, projectName, image)
-}
-
-func validateImage(ctx context.Context, k8sClient client.Client, project, imageName string) (*apisv1.ImageResponse, error) {
-	var (
-		secrets         v1.SecretList
-		username        string
-		password        string
-		imagePullSecret string
-	)
-
-	ref, err := name.ParseReference(imageName)
-	if err != nil {
-		return nil, err
-	}
-	imageURL := ref.Context().RegistryStr()
-
-	if err := k8sClient.List(ctx, &secrets, client.InNamespace(types.DefaultKubeVelaNS),
-		client.MatchingLabels{
-			types.LabelConfigCatalog:    types.VelaCoreConfig,
-			types.LabelConfigType:       types.ImageRegistry,
-			types.LabelConfigIdentifier: ref.Context().RegistryStr(),
-		}); err != nil {
-		return nil, err
-	}
-
-	for _, s := range secrets.Items {
-		if s.Labels[types.LabelConfigProject] == "" || s.Labels[types.LabelConfigProject] == project {
-			conf := s.Data[".dockerconfigjson"]
-			var auths map[string]map[string]map[string]string
-			if err := json.Unmarshal(conf, &auths); err != nil {
-				return nil, err
-			}
-			imagePullSecret = s.Name
-			if auths["auths"] != nil && auths["auths"][imageURL] != nil {
-				data := auths["auths"][imageURL]
-				username = data["username"]
-				password = data["password"]
-				break
-			}
-		}
-	}
-
-	existed, err := image.IsExisted(username, password, imageName)
-	if err != nil {
-		return nil, err
-	}
-	return &apisv1.ImageResponse{
-		Existed: existed,
-		Secret:  imagePullSecret,
-	}, nil
-}
--- a/pkg/apiserver/domain/service/project_test.go
+++ b/pkg/apiserver/domain/service/project_test.go
@@ -18,20 +18,14 @@ package service

 import (
 	"context"
-	"testing"
 	"time"

 	"github.com/google/go-cmp/cmp"
-	terraformtypes "github.com/oam-dev/terraform-controller/api/types"
-	terraformapi "github.com/oam-dev/terraform-controller/api/v1beta1"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
-	"gotest.tools/assert"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
-	"sigs.k8s.io/controller-runtime/pkg/client/fake"

 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
@@ -299,331 +293,3 @@ var _ = Describe("Test project service functions", func() {
 		Expect(roles.Total).Should(BeEquivalentTo(0))
 	})
 })
-
-func TestProjectGetConfigs(t *testing.T) {
-	s := runtime.NewScheme()
-	v1beta1.AddToScheme(s)
-	corev1.AddToScheme(s)
-	terraformapi.AddToScheme(s)
-
-	createdTime, _ := time.Parse(time.UnixDate, "Wed Apr 7 11:06:39 PST 2022")
-
-	app1 := &v1beta1.Application{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "a1",
-			Namespace: velatypes.DefaultKubeVelaNS,
-			Labels: map[string]string{
-				model.LabelSourceOfTruth:     model.FromInner,
-				velatypes.LabelConfigCatalog: velatypes.VelaCoreConfig,
-				velatypes.LabelConfigType:    "terraform-provider",
-				"config.oam.dev/project":     "p1",
-			},
-			CreationTimestamp: metav1.NewTime(createdTime),
-		},
-		Status: common.AppStatus{Phase: common.ApplicationRunning},
-	}
-
-	app2 := &v1beta1.Application{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "a2",
-			Namespace: velatypes.DefaultKubeVelaNS,
-			Labels: map[string]string{
-				model.LabelSourceOfTruth:     model.FromInner,
-				velatypes.LabelConfigCatalog: velatypes.VelaCoreConfig,
-				velatypes.LabelConfigType:    "terraform-provider",
-			},
-			CreationTimestamp: metav1.NewTime(createdTime),
-		},
-		Status: common.AppStatus{Phase: common.ApplicationRunning},
-	}
-
-	app3 := &v1beta1.Application{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "a3",
-			Namespace: velatypes.DefaultKubeVelaNS,
-			Labels: map[string]string{
-				model.LabelSourceOfTruth:     model.FromInner,
-				velatypes.LabelConfigCatalog: velatypes.VelaCoreConfig,
-				velatypes.LabelConfigType:    "dex-connector",
-				"config.oam.dev/project":     "p3",
-			},
-			CreationTimestamp: metav1.NewTime(createdTime),
-		},
-		Status: common.AppStatus{Phase: common.ApplicationRunning},
-	}
-
-	provider1 := &terraformapi.Provider{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:              "provider1",
-			Namespace:         "default",
-			CreationTimestamp: metav1.NewTime(createdTime),
-		},
-		Status: terraformapi.ProviderStatus{
-			State: terraformtypes.ProviderIsReady,
-		},
-	}
-
-	provider2 := &terraformapi.Provider{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "provider2",
-			Namespace: "default",
-			Labels: map[string]string{
-				velatypes.LabelConfigCatalog: velatypes.VelaCoreConfig,
-			},
-		},
-		Status: terraformapi.ProviderStatus{
-			State: terraformtypes.ProviderIsNotReady,
-		},
-	}
-
-	k8sClient := fake.NewClientBuilder().WithScheme(s).WithObjects(app1, app2, app3, provider1, provider2).Build()
-
-	h := &projectServiceImpl{K8sClient: k8sClient}
-
-	type args struct {
-		projectName string
-		configType  string
-		h           ProjectService
-	}
-
-	type want struct {
-		configs []*apisv1.Config
-		errMsg  string
-	}
-
-	ctx := context.Background()
-
-	testcases := []struct {
-		name string
-		args args
-		want want
-	}{
-		{
-			name: "project is matched",
-			args: args{
-				projectName: "p1",
-				configType:  "terraform-provider",
-				h:           h,
-			},
-			want: want{
-				configs: []*apisv1.Config{{
-					ConfigType:        "terraform-provider",
-					Name:              "a1",
-					Project:           "p1",
-					CreatedTime:       &createdTime,
-					ApplicationStatus: "running",
-					Status:            "Ready",
-				}, {
-					ConfigType:        "terraform-provider",
-					Name:              "a2",
-					Project:           "",
-					CreatedTime:       &createdTime,
-					ApplicationStatus: "running",
-					Status:            "Ready",
-				}, {
-					Name:        "provider1",
-					CreatedTime: &createdTime,
-					Status:      "Ready",
-				}},
-			},
-		},
-		{
-			name: "project is not matched",
-			args: args{
-				projectName: "p999",
-				configType:  "terraform-provider",
-				h:           h,
-			},
-			want: want{
-				configs: []*apisv1.Config{{
-					ConfigType:        "terraform-provider",
-					Name:              "a2",
-					Project:           "",
-					CreatedTime:       &createdTime,
-					ApplicationStatus: "running",
-					Status:            "Ready",
-				}, {
-					Name:        "provider1",
-					CreatedTime: &createdTime,
-					Status:      "Ready",
-				}},
-			},
-		},
-		{
-			name: "config type is empty",
-			args: args{
-				projectName: "p3",
-				configType:  "",
-				h:           h,
-			},
-			want: want{
-				configs: []*apisv1.Config{{
-					ConfigType:        "terraform-provider",
-					Name:              "a2",
-					Project:           "",
-					CreatedTime:       &createdTime,
-					ApplicationStatus: "running",
-					Status:            "Ready",
-				}, {
-					ConfigType:        "dex-connector",
-					Name:              "a3",
-					Project:           "p3",
-					CreatedTime:       &createdTime,
-					ApplicationStatus: "running",
-					Status:            "Ready",
-				}, {
-					Name:        "provider1",
-					CreatedTime: &createdTime,
-					Status:      "Ready",
-				}},
-			},
-		},
-		{
-			name: "config type is dex",
-			args: args{
-				projectName: "p3",
-				configType:  "config-dex-connector",
-				h:           h,
-			},
-			want: want{
-				configs: []*apisv1.Config{{
-					ConfigType:        "dex-connector",
-					Name:              "a3",
-					Project:           "p3",
-					CreatedTime:       &createdTime,
-					ApplicationStatus: "running",
-					Status:            "Ready",
-				}},
-			},
-		},
-		{
-			name: "config type is invalid",
-			args: args{
-				configType: "xxx",
-				h:          h,
-			},
-			want: want{
-				errMsg: "unsupported config type",
-			},
-		},
-	}
-
-	for _, tc := range testcases {
-		t.Run(tc.name, func(t *testing.T) {
-			got, err := tc.args.h.GetConfigs(ctx, tc.args.projectName, tc.args.configType)
-			if tc.want.errMsg != "" || err != nil {
-				assert.ErrorContains(t, err, tc.want.errMsg)
-			}
-			assert.DeepEqual(t, got, tc.want.configs)
-		})
-	}
-}
-
-func TestValidateImage(t *testing.T) {
-	s := runtime.NewScheme()
-	v1beta1.AddToScheme(s)
-	corev1.AddToScheme(s)
-	terraformapi.AddToScheme(s)
-
-	s1 := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "s1",
-			Namespace: velatypes.DefaultKubeVelaNS,
-			Labels: map[string]string{
-				velatypes.LabelConfigCatalog:    velatypes.VelaCoreConfig,
-				velatypes.LabelConfigType:       velatypes.ImageRegistry,
-				velatypes.LabelConfigProject:    "",
-				velatypes.LabelConfigIdentifier: "abce34289jwerojwerofaf77.com789",
-			},
-		},
-		Data: map[string][]byte{
-			".dockerconfigjson": []byte(`{"auths":{"abce34289jwerojwerofaf77.com789":{"auth":"aHlicmlkY2xvdWRAcHJvZC5YTEyMw==","username":"xxx","password":"yyy"}}}`),
-		},
-	}
-	k8sClient1 := fake.NewClientBuilder().WithScheme(s).WithObjects(s1).Build()
-	h1 := &projectServiceImpl{K8sClient: k8sClient1}
-
-	s2 := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "s2",
-			Namespace: velatypes.DefaultKubeVelaNS,
-			Labels: map[string]string{
-				velatypes.LabelConfigCatalog:    velatypes.VelaCoreConfig,
-				velatypes.LabelConfigType:       velatypes.ImageRegistry,
-				velatypes.LabelConfigProject:    "",
-				velatypes.LabelConfigIdentifier: "index.docker.io",
-			},
-		},
-		Data: map[string][]byte{
-			".dockerconfigjson": []byte(`{"auths":{"index.docker.io":{"auth":"aHlicmlkY2xvdWRAcHJvZC5YTEyMw==","username":"xxx","password":"yyy"}}}`),
-		},
-	}
-
-	k8sClient2 := fake.NewClientBuilder().WithScheme(s).WithObjects(s2).Build()
-	h2 := &projectServiceImpl{K8sClient: k8sClient2}
-
-	type args struct {
-		project   string
-		imageName string
-		h         ProjectService
-	}
-
-	type want struct {
-		resp   *apisv1.ImageResponse
-		errMsg string
-	}
-
-	ctx := context.Background()
-
-	testcases := []struct {
-		name string
-		args args
-		want want
-	}{
-		{
-			name: "validate image",
-			args: args{
-				project:   "p1",
-				imageName: "nginx",
-				h:         h1,
-			},
-			want: want{
-				resp: &apisv1.ImageResponse{
-					Existed: true,
-				},
-			},
-		},
-		{
-			name: "invalid image",
-			args: args{
-				project:   "p1",
-				imageName: "abce34289jwerojwerofaf77.com789/d/e:v1",
-				h:         h1,
-			},
-			want: want{
-				errMsg: "Get",
-			},
-		},
-		{
-			name: "private docker image",
-			args: args{
-				project:   "p1",
-				imageName: "nginx424ru823-should-not-existed",
-				h:         h2,
-			},
-			want: want{
-				errMsg: "incorrect username or password",
-			},
-		},
-	}
-
-	for _, tc := range testcases {
-		t.Run(tc.name, func(t *testing.T) {
-			got, err := tc.args.h.ValidateImage(ctx, tc.args.project, tc.args.imageName)
-			if tc.want.errMsg != "" || err != nil {
-				assert.ErrorContains(t, err, tc.want.errMsg)
-			}
-			assert.DeepEqual(t, got, tc.want.resp)
-		})
-	}
-}
--- a/pkg/apiserver/domain/service/rbac.go
+++ b/pkg/apiserver/domain/service/rbac.go
@@ -202,7 +202,6 @@ var ResourceMaps = map[string]resourceMetadata{
 			},
 			"applicationTemplate": {},
 			"config":              {},
-			"image":               {},
 		},
 		pathName: "projectName",
 	},
--- a/pkg/apiserver/domain/service/service.go
+++ b/pkg/apiserver/domain/service/service.go
@@ -50,7 +50,7 @@ func InitServiceBean(c config.Config) []interface{} {
 	return []interface{}{
 		clusterService, rbacService, projectService, envService, targetService, workflowService, oamApplicationService,
 		velaQLService, definitionService, addonService, envBindingService, systemInfoService, helmService, userService,
-		authenticationService, configService, applicationService, webhookService,
+		authenticationService, configService, applicationService, webhookService, NewImageService(),
 	}
 }

--- a/pkg/apiserver/domain/service/user.go
+++ b/pkg/apiserver/domain/service/user.go
@@ -33,7 +33,8 @@ import (
 )

 const (
-	initAdminPassword = "VelaUX12345"
+	// InitAdminPassword the password of first admin user
+	InitAdminPassword = "VelaUX12345"
 )

 // UserService User manage api
@@ -70,7 +71,7 @@ func (u *userServiceImpl) Init(ctx context.Context) error {
 		Name: admin,
 	}); err != nil {
 		if errors.Is(err, datastore.ErrRecordNotExist) {
-			encrypted, err := GeneratePasswordHash(initAdminPassword)
+			encrypted, err := GeneratePasswordHash(InitAdminPassword)
 			if err != nil {
 				return err
 			}
@@ -83,7 +84,7 @@ func (u *userServiceImpl) Init(ctx context.Context) error {
 				return err
 			}
 			// print default password of admin user in log
-			log.Logger.Infof("initialized admin username and password: admin / %s", initAdminPassword)
+			log.Logger.Infof("initialized admin username and password: admin / %s", InitAdminPassword)
 		} else {
 			return err
 		}
--- a/pkg/apiserver/infrastructure/datastore/kubeapi/kubeapi.go
+++ b/pkg/apiserver/infrastructure/datastore/kubeapi/kubeapi.go
@@ -75,6 +75,7 @@ func generateName(entity datastore.Entity) string {
 	// record the old ways here, it'll be migrated
 	// name := fmt.Sprintf("veladatabase-%s-%s", entity.TableName(), entity.PrimaryKey())
 	name := fmt.Sprintf("%s-%s", entity.ShortTableName(), entity.PrimaryKey())
+	name = verifyValue(name)
 	return strings.ReplaceAll(name, "_", "-")
 }

@@ -86,6 +87,9 @@ func (m *kubeapi) generateConfigMap(entity datastore.Entity) *corev1.ConfigMap {
 	}
 	labels["table"] = entity.TableName()
 	labels["primaryKey"] = entity.PrimaryKey()
+	for k, v := range labels {
+		labels[k] = verifyValue(v)
+	}
 	var configMap = corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      generateName(entity),
@@ -178,6 +182,9 @@ func (m *kubeapi) Put(ctx context.Context, entity datastore.Entity) error {
 	}
 	labels["table"] = entity.TableName()
 	labels["primaryKey"] = entity.PrimaryKey()
+	for k, v := range labels {
+		labels[k] = verifyValue(v)
+	}
 	entity.SetUpdateTime(time.Now())
 	var configMap corev1.ConfigMap
 	if err := m.kubeClient.Get(ctx, types.NamespacedName{Namespace: m.namespace, Name: generateName(entity)}, &configMap); err != nil {
@@ -345,7 +352,7 @@ func (m *kubeapi) List(ctx context.Context, entity datastore.Entity, op *datasto
 	selector = selector.Add(*rq)

 	for k, v := range entity.Index() {
-		rq, err := labels.NewRequirement(k, selection.Equals, []string{v})
+		rq, err := labels.NewRequirement(k, selection.Equals, []string{verifyValue(v)})
 		if err != nil {
 			return nil, datastore.ErrIndexInvalid
 		}
@@ -353,7 +360,11 @@ func (m *kubeapi) List(ctx context.Context, entity datastore.Entity, op *datasto
 	}
 	if op != nil {
 		for _, inFilter := range op.In {
-			rq, err := labels.NewRequirement(inFilter.Key, selection.In, inFilter.Values)
+			var values []string
+			for _, value := range inFilter.Values {
+				values = append(values, verifyValue(value))
+			}
+			rq, err := labels.NewRequirement(inFilter.Key, selection.In, values)
 			if err != nil {
 				log.Logger.Errorf("new list requirement failure %s", err.Error())
 				return nil, datastore.ErrIndexInvalid
@@ -431,7 +442,7 @@ func (m *kubeapi) Count(ctx context.Context, entity datastore.Entity, filterOpti
 		return 0, datastore.NewDBError(err)
 	}
 	for k, v := range entity.Index() {
-		rq, err := labels.NewRequirement(k, selection.Equals, []string{v})
+		rq, err := labels.NewRequirement(k, selection.Equals, []string{verifyValue(v)})
 		if err != nil {
 			return 0, datastore.ErrIndexInvalid
 		}
@@ -439,7 +450,11 @@ func (m *kubeapi) Count(ctx context.Context, entity datastore.Entity, filterOpti
 	}
 	if filterOptions != nil {
 		for _, inFilter := range filterOptions.In {
-			rq, err := labels.NewRequirement(inFilter.Key, selection.In, inFilter.Values)
+			var values []string
+			for _, value := range inFilter.Values {
+				values = append(values, verifyValue(value))
+			}
+			rq, err := labels.NewRequirement(inFilter.Key, selection.In, values)
 			if err != nil {
 				return 0, datastore.ErrIndexInvalid
 			}
@@ -473,3 +488,9 @@ func (m *kubeapi) Count(ctx context.Context, entity datastore.Entity, filterOpti
 	}
 	return int64(len(items)), nil
 }
+
+func verifyValue(v string) string {
+	s := strings.ReplaceAll(v, "@", "-")
+	s = strings.ReplaceAll(s, " ", "-")
+	return strings.ToLower(s)
+}
--- a/pkg/apiserver/infrastructure/datastore/kubeapi/kubeapi_test.go
+++ b/pkg/apiserver/infrastructure/datastore/kubeapi/kubeapi_test.go
@@ -246,4 +246,42 @@ var _ = Describe("Test kubeapi datastore driver", func() {
 		equal := cmp.Equal(err, datastore.ErrRecordNotExist, cmpopts.EquateErrors())
 		Expect(equal).Should(BeTrue())
 	})
+
+	It("Test verify index", func() {
+		var usr = model.User{Name: "can@delete", Email: "xxx@xx.com"}
+		err := kubeStore.Add(context.TODO(), &usr)
+		Expect(err).ToNot(HaveOccurred())
+
+		usr.Email = "change"
+		err = kubeStore.Put(context.TODO(), &usr)
+		Expect(err).ToNot(HaveOccurred())
+
+		err = kubeStore.Get(context.TODO(), &usr)
+		Expect(err).Should(BeNil())
+		diff := cmp.Diff(usr.Email, "change")
+		Expect(diff).Should(BeEmpty())
+
+		list, err := kubeStore.List(context.TODO(), &usr, &datastore.ListOptions{FilterOptions: datastore.FilterOptions{In: []datastore.InQueryOption{
+			{
+				Key:    "name",
+				Values: []string{"can@delete"},
+			},
+		}}})
+		Expect(err).ShouldNot(HaveOccurred())
+		diff = cmp.Diff(len(list), 1)
+		Expect(diff).Should(BeEmpty())
+
+		count, err := kubeStore.Count(context.TODO(), &usr, &datastore.FilterOptions{In: []datastore.InQueryOption{
+			{
+				Key:    "name",
+				Values: []string{"can@delete"},
+			},
+		}})
+		Expect(err).ShouldNot(HaveOccurred())
+		Expect(count).Should(Equal(int64(1)))
+
+		usr.Name = "can@delete"
+		err = kubeStore.Delete(context.TODO(), &usr)
+		Expect(err).ShouldNot(HaveOccurred())
+	})
 })
--- a/pkg/apiserver/interfaces/api/application.go
+++ b/pkg/apiserver/interfaces/api/application.go
@@ -554,8 +554,9 @@ func (c *applicationAPIInterface) GetWebServiceRoute() *restful.WebService {
 		Metadata(restfulspec.KeyOpenAPITags, tags).
 		Filter(c.RbacService.CheckPerm("application", "compare")).
 		Filter(c.appCheckFilter).
+		Reads(apis.AppCompareReq{}).
 		Param(ws.PathParameter("appName", "identifier of the application ").DataType("string")).
-		Returns(200, "OK", apis.ApplicationBase{}).
+		Returns(200, "OK", apis.AppCompareResponse{}).
 		Returns(400, "Bad Request", bcode.Bcode{}).
 		Writes(apis.AppCompareResponse{}))

@@ -574,6 +575,7 @@ func (c *applicationAPIInterface) GetWebServiceRoute() *restful.WebService {
 		Metadata(restfulspec.KeyOpenAPITags, tags).
 		Filter(c.RbacService.CheckPerm("application", "detail")).
 		Filter(c.appCheckFilter).
+		Reads(apis.AppDryRunReq{}).
 		Param(ws.PathParameter("appName", "identifier of the application ").DataType("string")).
 		Returns(200, "OK", apis.AppDryRunResponse{}).
 		Returns(400, "Bad Request", bcode.Bcode{}).
--- a/pkg/apiserver/interfaces/api/dto/v1/types.go
+++ b/pkg/apiserver/interfaces/api/dto/v1/types.go
@@ -22,6 +22,7 @@ import (
 	"helm.sh/helm/v3/pkg/repo"

 	"github.com/getkin/kin-openapi/openapi3"
+	registryv1 "github.com/google/go-containerregistry/pkg/v1"

 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
@@ -1380,3 +1381,26 @@ type ChartRepoResponse struct {
 type ChartRepoResponseList struct {
 	ChartRepoResponse []*ChartRepoResponse `json:"repos"`
 }
+
+// ImageInfo the docker image info
+type ImageInfo struct {
+	Name        string                 `json:"name"`
+	SecretNames []string               `json:"secretNames"`
+	Registry    string                 `json:"registry"`
+	Message     string                 `json:"message,omitempty"`
+	Info        *registryv1.ConfigFile `json:"info,omitempty"`
+	Size        int64                  `json:"size"`
+	Manifest    *registryv1.Manifest   `json:"manifest"`
+}
+
+// ImageRegistry the image repository info
+type ImageRegistry struct {
+	Name       string `json:"name"`
+	SecretName string `json:"secretName"`
+	Domain     string `json:"domain"`
+}
+
+// ListImageRegistryResponse the response struct of listing the image registries
+type ListImageRegistryResponse struct {
+	Registries []ImageRegistry `json:"registries"`
+}
--- a/pkg/apiserver/interfaces/api/interfaces.go
+++ b/pkg/apiserver/interfaces/api/interfaces.go
@@ -76,7 +76,7 @@ func InitAPIBean() []interface{} {
 	RegisterAPIInterface(NewTargetAPIInterface())
 	RegisterAPIInterface(NewVelaQLAPIInterface())
 	RegisterAPIInterface(NewWebhookAPIInterface())
-	RegisterAPIInterface(NewHelmAPIInterface())
+	RegisterAPIInterface(NewRepositoryAPIInterface())

 	// Authentication
 	RegisterAPIInterface(NewAuthenticationAPIInterface())
--- a/pkg/apiserver/interfaces/api/project.go
+++ b/pkg/apiserver/interfaces/api/project.go
@@ -203,16 +203,6 @@ func (n *projectAPIInterface) GetWebServiceRoute() *restful.WebService {
 		Returns(400, "Bad Request", bcode.Bcode{}).
 		Writes([]*apis.Config{}))

-	ws.Route(ws.GET("/{projectName}/validate_image").To(n.validateImage).
-		Doc("validate an image in a project").
-		Metadata(restfulspec.KeyOpenAPITags, tags).
-		Filter(n.RbacService.CheckPerm("project/image", "get")).
-		Param(ws.QueryParameter("image", "image name").DataType("string")).
-		Param(ws.PathParameter("projectName", "identifier of the project").DataType("string")).
-		Returns(200, "OK", []*apis.ImageResponse{}).
-		Returns(400, "Bad Request", bcode.Bcode{}).
-		Writes([]*apis.ImageResponse{}))
-
 	ws.Filter(authCheckFilter)
 	return ws
 }
@@ -599,23 +589,3 @@ func (n *projectAPIInterface) getConfigs(req *restful.Request, res *restful.Resp
 		return
 	}
 }
-
-func (n *projectAPIInterface) validateImage(req *restful.Request, res *restful.Response) {
-	resp, err := n.ProjectService.ValidateImage(req.Request.Context(), req.PathParameter("projectName"), req.QueryParameter("image"))
-	if err != nil {
-		bcode.ReturnError(req, res, err)
-		return
-	}
-	if resp == nil {
-		if err := res.WriteEntity(apis.EmptyResponse{}); err != nil {
-			bcode.ReturnError(req, res, err)
-			return
-		}
-		return
-	}
-	err = res.WriteEntity(map[string]interface{}{"data": resp})
-	if err != nil {
-		bcode.ReturnError(req, res, err)
-		return
-	}
-}
--- a/pkg/apiserver/interfaces/api/repository.go
+++ b/pkg/apiserver/interfaces/api/repository.go
@@ -17,7 +17,6 @@ limitations under the License.
 package api

 import (
-	"context"
 	"strconv"

 	restfulspec "github.com/emicklei/go-restful-openapi/v2"
@@ -29,16 +28,18 @@ import (
 	"github.com/oam-dev/kubevela/pkg/utils"
 )

-type helmAPIInterface struct {
-	HelmService service.HelmService `inject:""`
+type repositoryAPIInterface struct {
+	HelmService  service.HelmService  `inject:""`
+	ImageService service.ImageService `inject:""`
+	RbacService  service.RBACService  `inject:""`
 }

-// NewHelmAPIInterface will return helm APIInterface
-func NewHelmAPIInterface() Interface {
-	return &helmAPIInterface{}
+// NewRepositoryAPIInterface will return the repository APIInterface
+func NewRepositoryAPIInterface() Interface {
+	return &repositoryAPIInterface{}
 }

-func (h helmAPIInterface) GetWebServiceRoute() *restful.WebService {
+func (h repositoryAPIInterface) GetWebServiceRoute() *restful.WebService {
 	ws := new(restful.WebService)
 	ws.Path(versionPrefix+"/repository").
 		Consumes(restful.MIME_XML, restful.MIME_JSON).
@@ -47,11 +48,12 @@ func (h helmAPIInterface) GetWebServiceRoute() *restful.WebService {

 	tags := []string{"repository", "helm"}

-	// List charts
+	// List chart repos
 	ws.Route(ws.GET("/chart_repos").To(h.listRepo).
 		Doc("list chart repo").
 		Metadata(restfulspec.KeyOpenAPITags, tags).
-		Param(ws.QueryParameter("project", "the config project").DataType("string")).
+		Param(ws.QueryParameter("project", "the config project").DataType("string").Required(true)).
+		Filter(h.RbacService.CheckPerm("project/config", "list")).
 		Returns(200, "OK", []string{}).
 		Returns(400, "Bad Request", bcode.Bcode{}).
 		Writes([]string{}))
@@ -86,11 +88,31 @@ func (h helmAPIInterface) GetWebServiceRoute() *restful.WebService {
 		Returns(400, "Bad Request", bcode.Bcode{}).
 		Writes([]string{}))

+	ws.Route(ws.GET("/image/repos").To(h.getImageRepos).
+		Doc("get the oci repos").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(ws.QueryParameter("project", "the config project").DataType("string").Required(true)).
+		Filter(h.RbacService.CheckPerm("project/config", "list")).
+		Returns(200, "OK", v1.ListImageRegistryResponse{}).
+		Returns(400, "Bad Request", bcode.Bcode{}).
+		Writes([]string{}))
+
+	ws.Route(ws.GET("/image/info").To(h.getImageInfo).
+		Doc("get the oci repos").
+		Metadata(restfulspec.KeyOpenAPITags, tags).
+		Param(ws.QueryParameter("project", "the config project").DataType("string").Required(true)).
+		Param(ws.QueryParameter("name", "the image name").DataType("string").Required(true)).
+		Param(ws.QueryParameter("secretName", "the secret name of the image repository").DataType("string")).
+		Filter(h.RbacService.CheckPerm("project/config", "list")).
+		Returns(200, "OK", v1.ImageInfo{}).
+		Returns(400, "Bad Request", bcode.Bcode{}).
+		Writes([]string{}))
+
 	ws.Filter(authCheckFilter)
 	return ws
 }

-func (h helmAPIInterface) listCharts(req *restful.Request, res *restful.Response) {
+func (h repositoryAPIInterface) listCharts(req *restful.Request, res *restful.Response) {
 	url := utils.Sanitize(req.QueryParameter("repoUrl"))
 	secName := utils.Sanitize(req.QueryParameter("secretName"))
 	skipCache, err := isSkipCache(req)
@@ -98,7 +120,7 @@ func (h helmAPIInterface) listCharts(req *restful.Request, res *restful.Response
 		bcode.ReturnError(req, res, bcode.ErrSkipCacheParameter)
 		return
 	}
-	charts, err := h.HelmService.ListChartNames(context.Background(), url, secName, skipCache)
+	charts, err := h.HelmService.ListChartNames(req.Request.Context(), url, secName, skipCache)
 	if err != nil {
 		bcode.ReturnError(req, res, err)
 		return
@@ -110,7 +132,7 @@ func (h helmAPIInterface) listCharts(req *restful.Request, res *restful.Response
 	}
 }

-func (h helmAPIInterface) listVersions(req *restful.Request, res *restful.Response) {
+func (h repositoryAPIInterface) listVersions(req *restful.Request, res *restful.Response) {
 	url := req.QueryParameter("repoUrl")
 	chartName := req.PathParameter("chart")
 	secName := req.QueryParameter("secretName")
@@ -120,7 +142,7 @@ func (h helmAPIInterface) listVersions(req *restful.Request, res *restful.Respon
 		return
 	}

-	versions, err := h.HelmService.ListChartVersions(context.Background(), url, chartName, secName, skipCache)
+	versions, err := h.HelmService.ListChartVersions(req.Request.Context(), url, chartName, secName, skipCache)
 	if err != nil {
 		bcode.ReturnError(req, res, err)
 		return
@@ -132,7 +154,7 @@ func (h helmAPIInterface) listVersions(req *restful.Request, res *restful.Respon
 	}
 }

-func (h helmAPIInterface) chartValues(req *restful.Request, res *restful.Response) {
+func (h repositoryAPIInterface) chartValues(req *restful.Request, res *restful.Response) {
 	url := req.QueryParameter("repoUrl")
 	secName := req.QueryParameter("secretName")
 	chartName := req.PathParameter("chart")
@@ -143,7 +165,7 @@ func (h helmAPIInterface) chartValues(req *restful.Request, res *restful.Respons
 		return
 	}

-	versions, err := h.HelmService.GetChartValues(context.Background(), url, chartName, version, secName, skipCache)
+	versions, err := h.HelmService.GetChartValues(req.Request.Context(), url, chartName, version, secName, skipCache)
 	if err != nil {
 		bcode.ReturnError(req, res, err)
 		return
@@ -155,9 +177,9 @@ func (h helmAPIInterface) chartValues(req *restful.Request, res *restful.Respons
 	}
 }

-func (h helmAPIInterface) listRepo(req *restful.Request, res *restful.Response) {
+func (h repositoryAPIInterface) listRepo(req *restful.Request, res *restful.Response) {
 	project := req.QueryParameter("project")
-	repos, err := h.HelmService.ListChartRepo(context.Background(), project)
+	repos, err := h.HelmService.ListChartRepo(req.Request.Context(), project)
 	if err != nil {
 		bcode.ReturnError(req, res, err)
 		return
@@ -169,6 +191,31 @@ func (h helmAPIInterface) listRepo(req *restful.Request, res *restful.Response)
 	}
 }

+func (h repositoryAPIInterface) getImageRepos(req *restful.Request, res *restful.Response) {
+	project := req.QueryParameter("project")
+	repos, err := h.ImageService.ListImageRepos(req.Request.Context(), project)
+	if err != nil {
+		bcode.ReturnError(req, res, err)
+		return
+	}
+	err = res.WriteEntity(v1.ListImageRegistryResponse{Registries: repos})
+	if err != nil {
+		bcode.ReturnError(req, res, err)
+		return
+	}
+
+}
+
+func (h repositoryAPIInterface) getImageInfo(req *restful.Request, res *restful.Response) {
+	project := req.QueryParameter("project")
+	imageInfo := h.ImageService.GetImageInfo(req.Request.Context(), project, req.QueryParameter("secretName"), req.QueryParameter("name"))
+	err := res.WriteEntity(imageInfo)
+	if err != nil {
+		bcode.ReturnError(req, res, err)
+		return
+	}
+}
+
 func isSkipCache(req *restful.Request) (bool, error) {
 	skipStr := req.QueryParameter("skipCache")
 	skipCache := false
--- a/pkg/appfile/appfile.go
+++ b/pkg/appfile/appfile.go
@@ -42,6 +42,7 @@ import (
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
 	"github.com/oam-dev/kubevela/apis/types"
 	"github.com/oam-dev/kubevela/pkg/appfile/helm"
+	"github.com/oam-dev/kubevela/pkg/auth"
 	velaclient "github.com/oam-dev/kubevela/pkg/client"
 	"github.com/oam-dev/kubevela/pkg/component"
 	"github.com/oam-dev/kubevela/pkg/cue/definition"
@@ -922,6 +923,7 @@ func (af *Appfile) LoadDynamicComponent(ctx context.Context, cli client.Client,
 		return nil, errors.Wrapf(err, "invalid ref-objects component properties")
 	}
 	var uns []*unstructured.Unstructured
+	ctx = auth.ContextWithUserInfo(ctx, af.app)
 	for _, selector := range spec.Objects {
 		objs, err := component.SelectRefObjectsForDispatch(ctx, component.ReferredObjectsDelegatingClient(cli, af.ReferredObjects), af.Namespace, comp.Name, selector)
 		if err != nil {
--- a/pkg/appfile/parser.go
+++ b/pkg/appfile/parser.go
@@ -34,6 +34,7 @@ import (
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1alpha1"
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
 	"github.com/oam-dev/kubevela/apis/types"
+	"github.com/oam-dev/kubevela/pkg/auth"
 	"github.com/oam-dev/kubevela/pkg/component"
 	"github.com/oam-dev/kubevela/pkg/cue/definition"
 	"github.com/oam-dev/kubevela/pkg/cue/packages"
@@ -332,6 +333,7 @@ func (p *Parser) parseReferredObjectsFromRevision(af *Appfile) error {
 }

 func (p *Parser) parseReferredObjects(ctx context.Context, af *Appfile) error {
+	ctx = auth.ContextWithUserInfo(ctx, af.app)
 	for _, comp := range af.Components {
 		if comp.Type != v1alpha1.RefObjectsComponentType {
 			continue
--- a/pkg/cmd/factory.go
+++ b/pkg/cmd/factory.go
@@ -99,3 +99,40 @@ func NewDefaultFactory(cfg *rest.Config) Factory {
 	copiedCfg.Wrap(multicluster.NewSecretModeMultiClusterRoundTripper)
 	return &defaultFactory{cfg: &copiedCfg}
 }
+
+type deferredFactory struct {
+	sync.Mutex
+	Factory
+	ConfigGetter
+}
+
+// NewDeferredFactory create a factory that will only get KubeConfig until it is needed for the first time
+func NewDeferredFactory(getter ConfigGetter) Factory {
+	return &deferredFactory{ConfigGetter: getter}
+}
+
+func (f *deferredFactory) init() {
+	cfg, err := f.ConfigGetter()
+	cmdutil.CheckErr(err)
+	f.Factory = NewDefaultFactory(cfg)
+}
+
+// Config return the kubeConfig
+func (f *deferredFactory) Config() *rest.Config {
+	f.Lock()
+	defer f.Unlock()
+	if f.Factory == nil {
+		f.init()
+	}
+	return f.Factory.Config()
+}
+
+// Client return the kubeClient
+func (f *deferredFactory) Client() client.Client {
+	f.Lock()
+	defer f.Unlock()
+	if f.Factory == nil {
+		f.init()
+	}
+	return f.Factory.Client()
+}
--- a/pkg/controller/core.oam.dev/v1alpha2/application/application_controller.go
+++ b/pkg/controller/core.oam.dev/v1alpha2/application/application_controller.go
@@ -442,10 +442,10 @@ func (r *Reconciler) updateStatus(ctx context.Context, app *v1beta1.Application,
 }

 func (r *Reconciler) doWorkflowFinish(app *v1beta1.Application, wf workflow.Workflow) error {
+	app.Status.Workflow.Finished = true
 	if err := wf.Trace(); err != nil {
 		return errors.WithMessage(err, "record workflow state")
 	}
-	app.Status.Workflow.Finished = true
 	return nil
 }

--- a/pkg/controller/core.oam.dev/v1alpha2/application/apply.go
+++ b/pkg/controller/core.oam.dev/v1alpha2/application/apply.go
@@ -264,6 +264,10 @@ func (h *AppHandler) collectHealthStatus(ctx context.Context, wl *appfile.Worklo

 	var traitStatusList []common.ApplicationTraitStatus
 	for _, tr := range wl.Traits {
+		if tr.FullTemplate.TraitDefinition.Spec.ControlPlaneOnly {
+			namespace = appRev.GetNamespace()
+			wl.Ctx.SetCtx(context.WithValue(wl.Ctx.GetCtx(), multicluster.ClusterContextKey, multicluster.ClusterLocalName))
+		}
 		var traitStatus = common.ApplicationTraitStatus{
 			Type:    tr.Name,
 			Healthy: true,
@@ -277,6 +281,8 @@ func (h *AppHandler) collectHealthStatus(ctx context.Context, wl *appfile.Worklo
 			return nil, false, errors.WithMessagef(err, "app=%s, comp=%s, trait=%s, evaluate status message error", appName, wl.Name, tr.Name)
 		}
 		traitStatusList = append(traitStatusList, traitStatus)
+		namespace = appRev.GetNamespace()
+		wl.Ctx.SetCtx(context.WithValue(wl.Ctx.GetCtx(), multicluster.ClusterContextKey, status.Cluster))
 	}

 	status.Traits = traitStatusList
@@ -299,12 +305,12 @@ func setStatus(status *common.ApplicationComponentStatus, observedGeneration, ge
 		}
 		return true
 	}
+	status.Message = message
 	if !isLatest() || state != terraformtypes.Available {
 		status.Healthy = false
 		return false
 	}
 	status.Healthy = true
-	status.Message = message
 	return true
 }

--- a/pkg/controller/core.oam.dev/v1alpha2/application/gc_policy_test.go
+++ b/pkg/controller/core.oam.dev/v1alpha2/application/gc_policy_test.go
@@ -561,15 +561,21 @@ var _ = Describe("Test Application with GC options", func() {

 			By("delete application")
 			Expect(k8sClient.Delete(ctx, app)).Should(BeNil())
-			By("worker3 will be deleted")
+			By("worker1 will be deleted")
 			testutil.ReconcileOnce(reconciler, reconcile.Request{NamespacedName: client.ObjectKeyFromObject(app)})
 			Expect(k8sClient.List(ctx, workerList, listOpts...)).Should(BeNil())
+			for _, worker := range workerList.Items {
+				Expect(worker.Name).ShouldNot(Equal("worker1"))
+			}
 			Expect(len(workerList.Items)).Should(Equal(2))
 			By("worker2 will be deleted")
 			testutil.ReconcileOnce(reconciler, reconcile.Request{NamespacedName: client.ObjectKeyFromObject(app)})
 			Expect(k8sClient.List(ctx, workerList, listOpts...)).Should(BeNil())
 			Expect(len(workerList.Items)).Should(Equal(1))
-			By("worker1 will be deleted")
+			for _, worker := range workerList.Items {
+				Expect(worker.Name).ShouldNot(Equal("worker2"))
+			}
+			By("worker3 will be deleted")
 			testutil.ReconcileOnce(reconciler, reconcile.Request{NamespacedName: client.ObjectKeyFromObject(app)})
 			Expect(k8sClient.List(ctx, workerList, listOpts...)).Should(BeNil())
 			Expect(len(workerList.Items)).Should(Equal(0))
--- a/pkg/controller/core.oam.dev/v1alpha2/application/generator.go
+++ b/pkg/controller/core.oam.dev/v1alpha2/application/generator.go
@@ -188,7 +188,7 @@ func convertStepProperties(step *v1beta1.WorkflowStep, app *v1beta1.Application)
 }

 func checkDependsOnValidComponent(dependsOnComponentNames, allComponentNames []string) (string, bool) {
-	// does not depends on other components
+	// does not depend on other components
 	if dependsOnComponentNames == nil {
 		return "", true
 	}
@@ -237,7 +237,7 @@ func (h *AppHandler) checkComponentHealth(appParser *appfile.Parser, appRev *v1b
 			return false, err
 		}

-		_, isHealth, err := h.collectHealthStatus(ctx, wl, appRev, overrideNamespace)
+		_, isHealth, err := h.collectHealthStatus(auth.ContextWithUserInfo(ctx, h.app), wl, appRev, overrideNamespace)
 		return isHealth, err
 	}
 }
@@ -288,7 +288,7 @@ func (h *AppHandler) applyComponentFunc(appParser *appfile.Parser, appRev *v1bet
 		if DisableResourceApplyDoubleCheck {
 			return readyWorkload, readyTraits, true, nil
 		}
-		workload, traits, err := getComponentResources(ctx, manifest, wl.SkipApplyWorkload, h.r.Client)
+		workload, traits, err := getComponentResources(auth.ContextWithUserInfo(ctx, h.app), manifest, wl.SkipApplyWorkload, h.r.Client)
 		return workload, traits, true, err
 	}
 }
--- a/pkg/controller/core.oam.dev/v1alpha2/application/revision.go
+++ b/pkg/controller/core.oam.dev/v1alpha2/application/revision.go
@@ -898,6 +898,7 @@ func cleanUpWorkflowComponentRevision(ctx context.Context, h *AppHandler) error
 	}
 	// collect component revision in use
 	compRevisionInUse := map[string]map[string]struct{}{}
+	ctx = auth.ContextWithUserInfo(ctx, h.app)
 	for i, resource := range h.app.Status.AppliedResources {
 		compName := resource.Name
 		ns := resource.Namespace
--- a/pkg/controller/utils/capability.go
+++ b/pkg/controller/utils/capability.go
@@ -30,7 +30,7 @@ import (
 	"cuelang.org/go/cue/build"
 	"github.com/getkin/kin-openapi/openapi3"
 	"github.com/pkg/errors"
-	git "gopkg.in/src-d/go-git.v4"
+	"gopkg.in/src-d/go-git.v4"
 	v1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -215,25 +215,26 @@ func GetOpenAPISchemaFromTerraformComponentDefinition(configuration string) ([]b

 // GetTerraformConfigurationFromRemote gets Terraform Configuration(HCL)
 func GetTerraformConfigurationFromRemote(name, remoteURL, remotePath string) (string, error) {
-	tmpPath := filepath.Join("./tmp/terraform", name)
-	// Check if the directory exists. If yes, remove it.
-	if _, err := os.Stat(tmpPath); err == nil {
-		err := os.RemoveAll(tmpPath)
-		if err != nil {
-			return "", errors.Wrap(err, "failed to remove the directory")
-		}
-	}
-	_, err := git.PlainClone(tmpPath, false, &git.CloneOptions{
-		URL:      remoteURL,
-		Progress: nil,
-	})
+	userHome, err := os.UserHomeDir()
 	if err != nil {
 		return "", err
 	}
+	cachePath := filepath.Join(userHome, ".vela", "terraform", name)
+	// Check if the directory exists. If yes, remove it.
+	entities, err := os.ReadDir(cachePath)
+	if err != nil || len(entities) == 0 {
+		fmt.Printf("loading terraform module %s into %s from %s\n", name, cachePath, remoteURL)
+		if _, err = git.PlainClone(cachePath, false, &git.CloneOptions{
+			URL:      remoteURL,
+			Progress: os.Stdout,
+		}); err != nil {
+			return "", err
+		}
+	}

-	tfPath := filepath.Join(tmpPath, remotePath, "variables.tf")
+	tfPath := filepath.Join(cachePath, remotePath, "variables.tf")
 	if _, err := os.Stat(tfPath); err != nil {
-		tfPath = filepath.Join(tmpPath, remotePath, "main.tf")
+		tfPath = filepath.Join(cachePath, remotePath, "main.tf")
 		if _, err := os.Stat(tfPath); err != nil {
 			return "", errors.Wrap(err, "failed to find main.tf or variables.tf in Terraform configurations of the remote repository")
 		}
@@ -242,10 +243,6 @@ func GetTerraformConfigurationFromRemote(name, remoteURL, remotePath string) (st
 	if err != nil {
 		return "", errors.Wrap(err, "failed to read Terraform configuration")
 	}
-	if err := os.RemoveAll(tmpPath); err != nil {
-		return "", err
-	}
-
 	return string(conf), nil
 }

--- a/pkg/controller/utils/capability_config_test.go
+++ b/pkg/controller/utils/capability_config_test.go
@@ -17,24 +17,16 @@
 package utils

 import (
-	"context"
 	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strings"
 	"testing"

-	. "github.com/agiledragon/gomonkey/v2"
-
-	"github.com/pkg/errors"
-	"gopkg.in/src-d/go-git.v4"
 	"gotest.tools/assert"
 )

 func TestGetTerraformConfigurationFromRemote(t *testing.T) {
-	// If you hit a panic on macOS as below, please fix it by referencing https://github.com/eisenxp/macos-golink-wrapper.
-	// panic: permission denied [recovered]
-	//    panic: permission denied
 	type want struct {
 		config string
 		errMsg string
@@ -46,8 +38,6 @@ func TestGetTerraformConfigurationFromRemote(t *testing.T) {
 		path         string
 		data         []byte
 		variableFile string
-		// mockWorkingPath will create `/tmp/terraform`
-		mockWorkingPath bool
 	}
 	cases := map[string]struct {
 		args args
@@ -57,7 +47,7 @@ func TestGetTerraformConfigurationFromRemote(t *testing.T) {
 			args: args{
 				name: "valid",
 				url:  "https://github.com/kubevela-contrib/terraform-modules.git",
-				path: "",
+				path: "unittest/",
 				data: []byte(`
 variable "aaa" {
 	type = list(object({
@@ -85,7 +75,7 @@ variable "aaa" {
 			args: args{
 				name: "aws-subnet",
 				url:  "https://github.com/kubevela-contrib/terraform-modules.git",
-				path: "aws/subnet",
+				path: "unittest/aws/subnet",
 				data: []byte(`
 variable "aaa" {
 	type = list(object({
@@ -109,47 +99,20 @@ variable "aaa" {
 }`,
 			},
 		},
-		"working path exists": {
-			args: args{
-				variableFile:    "main.tf",
-				mockWorkingPath: true,
-			},
-			want: want{
-				errMsg: "failed to remove the directory",
-			},
-		},
 	}

 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
-			if tc.args.mockWorkingPath {
-				err := os.MkdirAll("./tmp/terraform", 0755)
-				assert.NilError(t, err)
-				defer os.RemoveAll("./tmp/terraform")
-				patch1 := ApplyFunc(os.Remove, func(_ string) error {
-					return errors.New("failed")
-				})
-				defer patch1.Reset()
-				patch2 := ApplyFunc(os.Open, func(_ string) (*os.File, error) {
-					return nil, errors.New("failed")
-				})
-				defer patch2.Reset()
-			}
-
-			patch := ApplyFunc(git.PlainCloneContext, func(ctx context.Context, path string, isBare bool, o *git.CloneOptions) (*git.Repository, error) {
-				var tmpPath string
-				if tc.args.path != "" {
-					tmpPath = filepath.Join("./tmp/terraform", tc.args.name, tc.args.path)
-				} else {
-					tmpPath = filepath.Join("./tmp/terraform", tc.args.name)
-				}
+			home, _ := os.UserHomeDir()
+			path := filepath.Join(home, ".vela", "terraform")
+			tmpPath := filepath.Join(path, tc.args.name, tc.args.path)
+			if len(tc.args.data) > 0 {
 				err := os.MkdirAll(tmpPath, os.ModePerm)
 				assert.NilError(t, err)
 				err = ioutil.WriteFile(filepath.Clean(filepath.Join(tmpPath, tc.args.variableFile)), tc.args.data, 0644)
 				assert.NilError(t, err)
-				return nil, nil
-			})
-			defer patch.Reset()
+			}
+			defer os.RemoveAll(tmpPath)

 			conf, err := GetTerraformConfigurationFromRemote(tc.args.name, tc.args.url, tc.args.path)
 			if tc.want.errMsg != "" {
--- a/pkg/cue/model/keyword.go
+++ b/pkg/cue/model/keyword.go
@@ -51,7 +51,7 @@ const (
 	ContextComponents = "components"
 	// ContextComponentType is the component type of current trait binding with
 	ContextComponentType = "componentType"
-	// ComponentRevisionPlaceHolder is the component revision name placeHolder, this field will be replace with real value
+	// ComponentRevisionPlaceHolder is the component revision name placeHolder, this field will be replaced with real value
 	// after component be created
 	ComponentRevisionPlaceHolder = "KUBEVELA_COMPONENT_REVISION_PLACEHOLDER"
 	// ContextDataArtifacts is used to store unstructured resources of components
--- a/pkg/cue/model/sets/operation.go
+++ b/pkg/cue/model/sets/operation.go
@@ -302,7 +302,7 @@ func strategyUnify(baseFile *ast.File, patchFile *ast.File, params *UnifyParams,

 	ret := baseInst.Value().Unify(patchInst.Value())

-	rv, err := toString(ret)
+	rv, err := toString(ret, removeTmpVar)
 	if err != nil {
 		return rv, errors.WithMessage(err, " format result toString")
 	}
@@ -358,7 +358,11 @@ func jsonMergePatch(base cue.Value, patch cue.Value) (string, error) {
 	if err != nil {
 		return "", errors.Wrapf(err, "failed to merge base value and patch value by JsonMergePatch")
 	}
-	return string(merged), nil
+	output, err := OpenBaiscLit(string(merged))
+	if err != nil {
+		return "", errors.Wrapf(err, "failed to parse open basic lit for merged result")
+	}
+	return output, nil
 }

 func jsonPatch(base cue.Value, patch cue.Value) (string, error) {
@@ -379,5 +383,9 @@ func jsonPatch(base cue.Value, patch cue.Value) (string, error) {
 	if err != nil {
 		return "", errors.Wrapf(err, "failed to apply json patch")
 	}
-	return string(merged), nil
+	output, err := OpenBaiscLit(string(merged))
+	if err != nil {
+		return "", errors.Wrapf(err, "failed to parse open basic lit for merged result")
+	}
+	return output, nil
 }
--- a/pkg/cue/model/sets/utils.go
+++ b/pkg/cue/model/sets/utils.go
@@ -358,3 +358,38 @@ func listOpen(expr ast.Node) {
 		}
 	}
 }
+
+func removeTmpVar(expr ast.Node) ast.Node {
+	switch v := expr.(type) {
+	case *ast.File:
+		for _, decl := range v.Decls {
+			removeTmpVar(decl)
+		}
+	case *ast.Field:
+		removeTmpVar(v.Value)
+	case *ast.StructLit:
+		var elts []ast.Decl
+		for _, elt := range v.Elts {
+			if field, isField := elt.(*ast.Field); isField {
+				if ident, isIdent := field.Label.(*ast.Ident); isIdent && strings.HasPrefix(ident.Name, "_") {
+					continue
+				}
+			}
+			removeTmpVar(elt)
+			elts = append(elts, elt)
+		}
+		v.Elts = elts
+	case *ast.BinaryExpr:
+		removeTmpVar(v.X)
+		removeTmpVar(v.Y)
+	case *ast.EmbedDecl:
+		removeTmpVar(v.Expr)
+	case *ast.Comprehension:
+		removeTmpVar(v.Value)
+	case *ast.ListLit:
+		for _, elt := range v.Elts {
+			removeTmpVar(elt)
+		}
+	}
+	return expr
+}
--- a/pkg/cue/model/sets/walk_test.go
+++ b/pkg/cue/model/sets/walk_test.go
@@ -23,6 +23,7 @@ import (
 	"cuelang.org/go/cue/ast"
 	"cuelang.org/go/cue/parser"
 	"github.com/bmizerany/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestWalk(t *testing.T) {
@@ -128,3 +129,33 @@ func TestWalk(t *testing.T) {
 	}

 }
+
+func TestRemoveTmpVar(t *testing.T) {
+	src := `spec: {
+    _tmp: "x"
+	list: [{
+		_tmp: "x"
+		retain: "y"
+	}, {
+		_tmp: "x"
+		retain: "z"
+	}]
+	retain: "y"
+}
+`
+	r := require.New(t)
+	var runtime cue.Runtime
+	inst, err := runtime.Compile("-", src)
+	r.NoError(err)
+	s, err := toString(inst.Value(), removeTmpVar)
+	r.NoError(err)
+	r.Equal(`spec: {
+	list: [{
+		retain: "y"
+	}, {
+		retain: "z"
+	}]
+	retain: "y"
+}
+`, s)
+}
--- a/pkg/cue/process/handle.go
+++ b/pkg/cue/process/handle.go
@@ -302,9 +302,6 @@ func (ctx *templateContext) GetCtx() context.Context {
 }

 func (ctx *templateContext) SetCtx(newContext context.Context) {
-	if ctx.ctx != nil {
-		return
-	}
 	ctx.ctx = newContext
 }

--- a/pkg/features/controller_features.go
+++ b/pkg/features/controller_features.go
@@ -46,7 +46,7 @@ var defaultFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
 	DeprecatedPolicySpec:          {Default: false, PreRelease: featuregate.Alpha},
 	LegacyObjectTypeIdentifier:    {Default: false, PreRelease: featuregate.Alpha},
 	DeprecatedObjectLabelSelector: {Default: false, PreRelease: featuregate.Alpha},
-	LegacyResourceTrackerGC:       {Default: true, PreRelease: featuregate.Alpha},
+	LegacyResourceTrackerGC:       {Default: false, PreRelease: featuregate.Beta},
 	EnableSuspendOnFailure:        {Default: false, PreRelease: featuregate.Alpha},
 	AuthenticateApplication:       {Default: false, PreRelease: featuregate.Alpha},
 }
--- a/pkg/multicluster/cluster_management.go
+++ b/pkg/multicluster/cluster_management.go
@@ -22,6 +22,9 @@ import (
 	"fmt"

 	"github.com/briandowns/spinner"
+	prismclusterv1alpha1 "github.com/kubevela/prism/pkg/apis/cluster/v1alpha1"
+	clusterv1alpha1 "github.com/oam-dev/cluster-gateway/pkg/apis/cluster/v1alpha1"
+	clustercommon "github.com/oam-dev/cluster-gateway/pkg/common"
 	"github.com/oam-dev/cluster-register/pkg/hub"
 	"github.com/oam-dev/cluster-register/pkg/spoke"
 	"github.com/pkg/errors"
@@ -36,11 +39,7 @@ import (
 	ocmclusterv1 "open-cluster-management.io/api/cluster/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	clusterv1alpha1 "github.com/oam-dev/cluster-gateway/pkg/apis/cluster/v1alpha1"
-	clustercommon "github.com/oam-dev/cluster-gateway/pkg/common"
-
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
-	"github.com/oam-dev/kubevela/apis/types"
 	"github.com/oam-dev/kubevela/pkg/policy/envbinding"
 	"github.com/oam-dev/kubevela/pkg/utils"
 	velaerrors "github.com/oam-dev/kubevela/pkg/utils/errors"
@@ -49,6 +48,7 @@ import (

 // KubeClusterConfig info for cluster management
 type KubeClusterConfig struct {
+	FilePath        string
 	ClusterName     string
 	CreateNamespace string
 	*clientcmdapi.Config
@@ -84,15 +84,26 @@ func (clusterConfig *KubeClusterConfig) Validate() error {
 	return nil
 }

-// RegisterByVelaSecret create cluster secrets for KubeVela to use
-func (clusterConfig *KubeClusterConfig) RegisterByVelaSecret(ctx context.Context, cli client.Client) error {
-	if err := ensureClusterNotExists(ctx, cli, clusterConfig.ClusterName); err != nil {
-		return errors.Wrapf(err, "cannot use cluster name %s", clusterConfig.ClusterName)
+// PostRegistration try to create namespace after cluster registered. If failed, cluster will be unregistered.
+func (clusterConfig *KubeClusterConfig) PostRegistration(ctx context.Context, cli client.Client) error {
+	if clusterConfig.CreateNamespace == "" {
+		return nil
 	}
+	if err := ensureNamespaceExists(ctx, cli, clusterConfig.ClusterName, clusterConfig.CreateNamespace); err != nil {
+		_ = DetachCluster(ctx, cli, clusterConfig.ClusterName, DetachClusterManagedClusterKubeConfigPathOption(clusterConfig.FilePath))
+		return fmt.Errorf("failed to ensure %s namespace installed in cluster %s: %w", clusterConfig.CreateNamespace, clusterConfig.ClusterName, err)
+	}
+	return nil
+}
+
+func (clusterConfig *KubeClusterConfig) createClusterSecret(ctx context.Context, cli client.Client, withEndpoint bool) error {
 	var credentialType clusterv1alpha1.CredentialType
-	data := map[string][]byte{
-		"endpoint": []byte(clusterConfig.Cluster.Server),
-		"ca.crt":   clusterConfig.Cluster.CertificateAuthorityData,
+	data := map[string][]byte{}
+	if withEndpoint {
+		data["endpoint"] = []byte(clusterConfig.Cluster.Server)
+		if !clusterConfig.Cluster.InsecureSkipTLSVerify {
+			data["ca.crt"] = clusterConfig.Cluster.CertificateAuthorityData
+		}
 	}
 	if len(clusterConfig.AuthInfo.Token) > 0 {
 		credentialType = clusterv1alpha1.CredentialTypeServiceAccountToken
@@ -113,22 +124,50 @@ func (clusterConfig *KubeClusterConfig) RegisterByVelaSecret(ctx context.Context
 		Type: corev1.SecretTypeOpaque,
 		Data: data,
 	}
-	if err := cli.Create(ctx, secret); err != nil {
+	return cli.Create(ctx, secret)
+}
+
+// RegisterByVelaSecret create cluster secrets for KubeVela to use
+func (clusterConfig *KubeClusterConfig) RegisterByVelaSecret(ctx context.Context, cli client.Client) error {
+	if err := ensureClusterNotExists(ctx, cli, clusterConfig.ClusterName); err != nil {
+		return errors.Wrapf(err, "cannot use cluster name %s", clusterConfig.ClusterName)
+	}
+	if err := clusterConfig.createClusterSecret(ctx, cli, true); err != nil {
 		return errors.Wrapf(err, "failed to add cluster to kubernetes")
 	}
-	// TODO(somefive): create namespace now only work for cluster secret
-	if clusterConfig.CreateNamespace != "" {
-		if err := ensureNamespaceExists(ctx, cli, clusterConfig.ClusterName, clusterConfig.CreateNamespace); err != nil {
-			_ = cli.Delete(ctx, secret)
-			return errors.Wrapf(err, "failed to ensure %s namespace installed in cluster %s", clusterConfig.CreateNamespace, clusterConfig.ClusterName)
+	return clusterConfig.PostRegistration(ctx, cli)
+}
+
+// CreateBootstrapConfigMapIfNotExists alternative to
+// https://github.com/kubernetes/kubernetes/blob/v1.24.1/cmd/kubeadm/app/phases/bootstraptoken/clusterinfo/clusterinfo.go#L43
+func CreateBootstrapConfigMapIfNotExists(ctx context.Context, cli client.Client) error {
+	cm := &corev1.ConfigMap{}
+	key := apitypes.NamespacedName{Namespace: metav1.NamespacePublic, Name: "cluster-info"}
+	if err := cli.Get(ctx, key, cm); err != nil {
+		if apierrors.IsNotFound(err) {
+			cm.ObjectMeta = metav1.ObjectMeta{Namespace: key.Namespace, Name: key.Name}
+			adminConfig, err := clientcmd.NewDefaultPathOptions().GetStartingConfig()
+			if err != nil {
+				return err
+			}
+			adminCluster := adminConfig.Contexts[adminConfig.CurrentContext].Cluster
+			bs, err := clientcmd.Write(clientcmdapi.Config{
+				Clusters: map[string]*clientcmdapi.Cluster{"": adminConfig.Clusters[adminCluster]},
+			})
+			if err != nil {
+				return err
+			}
+			cm.Data = map[string]string{"kubeconfig": string(bs)}
+			return cli.Create(ctx, cm)
 		}
+		return err
 	}
 	return nil
 }

 // RegisterClusterManagedByOCM create ocm managed cluster for use
 // TODO(somefive): OCM ManagedCluster only support cli join now
-func (clusterConfig *KubeClusterConfig) RegisterClusterManagedByOCM(ctx context.Context, args *JoinClusterArgs) error {
+func (clusterConfig *KubeClusterConfig) RegisterClusterManagedByOCM(ctx context.Context, cli client.Client, args *JoinClusterArgs) error {
 	newTrackingSpinner := args.trackingSpinnerFactory
 	hubCluster, err := hub.NewHubCluster(args.hubConfig)
 	if err != nil {
@@ -162,6 +201,9 @@ func (clusterConfig *KubeClusterConfig) RegisterClusterManagedByOCM(ctx context.
 		return errors.Wrap(err, "fail to convert spoke-cluster kubeconfig")
 	}

+	if err = CreateBootstrapConfigMapIfNotExists(ctx, cli); err != nil {
+		return fmt.Errorf("failed to ensure cluster-info ConfigMap in kube-public namespace exists: %w", err)
+	}
 	spokeTracker := newTrackingSpinner("Building registration config for the managed cluster")
 	spokeTracker.FinalMSG = "Successfully prepared registration config.\n"
 	spokeTracker.Start()
@@ -170,6 +212,7 @@ func (clusterConfig *KubeClusterConfig) RegisterClusterManagedByOCM(ctx context.
 		args.ioStreams.Infof("Using the api endpoint from hub kubeconfig %q as registration entry.\n", args.hubConfig.Host)
 		overridingRegistrationEndpoint = args.hubConfig.Host
 	}
+
 	hubKubeToken, err := hubCluster.GenerateHubClusterKubeConfig(ctx, overridingRegistrationEndpoint)
 	if err != nil {
 		return errors.Wrap(err, "fail to generate the token for spoke-cluster")
@@ -228,7 +271,7 @@ func (clusterConfig *KubeClusterConfig) RegisterClusterManagedByOCM(ctx context.

 // LoadKubeClusterConfigFromFile create KubeClusterConfig from kubeconfig file
 func LoadKubeClusterConfigFromFile(filepath string) (*KubeClusterConfig, error) {
-	clusterConfig := &KubeClusterConfig{}
+	clusterConfig := &KubeClusterConfig{FilePath: filepath}
 	var err error
 	clusterConfig.Config, err = clientcmd.LoadFromFile(filepath)
 	if err != nil {
@@ -343,7 +386,7 @@ func JoinClusterByKubeConfig(ctx context.Context, cli client.Client, kubeconfigP
 			return nil, errors.Wrapf(err, "failed to determine the registration endpoint for the hub cluster "+
 				"when parsing --in-cluster-bootstrap flag")
 		}
-		if err = clusterConfig.RegisterClusterManagedByOCM(ctx, args); err != nil {
+		if err = clusterConfig.RegisterClusterManagedByOCM(ctx, cli, args); err != nil {
 			return clusterConfig, err
 		}
 	}
@@ -382,12 +425,12 @@ func DetachCluster(ctx context.Context, cli client.Client, clusterName string, o
 	if clusterName == ClusterLocalName {
 		return ErrReservedLocalClusterName
 	}
-	vc, err := GetVirtualCluster(ctx, cli, clusterName)
+	vc, err := prismclusterv1alpha1.NewClusterClient(cli).Get(ctx, clusterName)
 	if err != nil {
 		return err
 	}

-	switch vc.Type {
+	switch vc.Spec.CredentialType {
 	case clusterv1alpha1.CredentialTypeX509Certificate, clusterv1alpha1.CredentialTypeServiceAccountToken:
 		clusterSecret, err := getMutableClusterSecret(ctx, cli, clusterName)
 		if err != nil {
@@ -396,7 +439,7 @@ func DetachCluster(ctx context.Context, cli client.Client, clusterName string, o
 		if err := cli.Delete(ctx, clusterSecret); err != nil {
 			return errors.Wrapf(err, "failed to detach cluster %s", clusterName)
 		}
-	case types.CredentialTypeOCMManagedCluster:
+	case prismclusterv1alpha1.CredentialTypeOCMManagedCluster:
 		if args.managedClusterKubeConfigPath == "" {
 			return errors.New("kubeconfig-path must be set to detach ocm managed cluster")
 		}
@@ -414,7 +457,7 @@ func DetachCluster(ctx context.Context, cli client.Client, clusterName string, o
 			return err
 		}
 		managedCluster := ocmclusterv1.ManagedCluster{ObjectMeta: metav1.ObjectMeta{Name: clusterName}}
-		if err = cli.Delete(context.Background(), &managedCluster); err != nil {
+		if err = cli.Delete(ctx, &managedCluster); err != nil {
 			if !apierrors.IsNotFound(err) {
 				return err
 			}
--- a/pkg/oam/labels.go
+++ b/pkg/oam/labels.go
@@ -98,6 +98,9 @@ const (
 	LabelProject = "core.oam.dev/project"

 	LabelResourceRules = "rules.oam.dev/resources"
+
+	// LabelControllerName indicates the controller name
+	LabelControllerName = "controller.oam.dev/name"
 )

 const (
--- a/pkg/oam/var.go
+++ b/pkg/oam/var.go
@@ -16,7 +16,10 @@ limitations under the License.

 package oam

-// SystemDefinitonNamespace golbal value for controller and webhook systemlevel namespace
 var (
+	// SystemDefinitonNamespace golbal value for controller and webhook systemlevel namespace
 	SystemDefinitonNamespace string = "vela-system"
+
+	// ApplicationControllerName means the controller is application
+	ApplicationControllerName string = "vela-core"
 )
--- a/pkg/resourcekeeper/delete.go
+++ b/pkg/resourcekeeper/delete.go
@@ -49,6 +49,7 @@ func newDeleteConfig(options ...DeleteOption) *deleteConfig {

 // Delete delete resources
 func (h *resourceKeeper) Delete(ctx context.Context, manifests []*unstructured.Unstructured, options ...DeleteOption) (err error) {
+	h.ClearNamespaceForClusterScopedResources(manifests)
 	if err = h.AdmissionCheck(ctx, manifests); err != nil {
 		return err
 	}
--- a/pkg/resourcekeeper/dispatch.go
+++ b/pkg/resourcekeeper/dispatch.go
@@ -59,6 +59,7 @@ func (h *resourceKeeper) Dispatch(ctx context.Context, manifests []*unstructured
 	if h.applyOncePolicy != nil && h.applyOncePolicy.Enable && h.applyOncePolicy.Rules == nil {
 		options = append(options, MetaOnlyOption{})
 	}
+	h.ClearNamespaceForClusterScopedResources(manifests)
 	// 0. check admission
 	if err = h.AdmissionCheck(ctx, manifests); err != nil {
 		return err
--- a/pkg/resourcekeeper/gc.go
+++ b/pkg/resourcekeeper/gc.go
@@ -327,26 +327,25 @@ func (h *gcHandler) deleteManagedResource(ctx context.Context, mr v1beta1.Manage

 func (h *gcHandler) checkDependentComponent(mr v1beta1.ManagedResource) []string {
 	dependent := make([]string, 0)
-	inputs := make([]string, 0)
+	outputs := make([]string, 0)
 	for _, comp := range h.app.Spec.Components {
 		if comp.Name == mr.Component {
-			dependent = comp.DependsOn
-			if len(comp.Inputs) > 0 {
-				for _, input := range comp.Inputs {
-					inputs = append(inputs, input.From)
-				}
-			} else {
-				return dependent
+			for _, output := range comp.Outputs {
+				outputs = append(outputs, output.Name)
+			}
+		} else {
+			for _, dependsOn := range comp.DependsOn {
+				if dependsOn == mr.Component {
+					dependent = append(dependent, comp.Name)
+					break
+				}
 			}
-			break
 		}
 	}
 	for _, comp := range h.app.Spec.Components {
-		if len(comp.Outputs) > 0 {
-			for _, output := range comp.Outputs {
-				if utils.StringsContain(inputs, output.Name) {
-					dependent = append(dependent, comp.Name)
-				}
+		for _, input := range comp.Inputs {
+			if utils.StringsContain(outputs, input.From) {
+				dependent = append(dependent, comp.Name)
 			}
 		}
 	}
--- a/pkg/resourcekeeper/gc_suite_test.go
+++ b/pkg/resourcekeeper/gc_suite_test.go
@@ -19,6 +19,7 @@ package resourcekeeper
 import (
 	"context"
 	"encoding/json"
+	"testing"
 	"time"

 	"github.com/crossplane/crossplane-runtime/pkg/meta"
@@ -30,10 +31,13 @@ import (
 	v12 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"

 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1alpha1"
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
+	"github.com/oam-dev/kubevela/pkg/features"
 	"github.com/oam-dev/kubevela/pkg/multicluster"
 	"github.com/oam-dev/kubevela/pkg/oam"
 	"github.com/oam-dev/kubevela/pkg/utils"
@@ -56,6 +60,7 @@ var _ = Describe("Test ResourceKeeper garbage collection", func() {
 	})

 	It("Test gcHandler garbage collect legacy RT", func() {
+		defer featuregatetesting.SetFeatureGateDuringTest(&testing.T{}, utilfeature.DefaultFeatureGate, features.LegacyResourceTrackerGC, true)()
 		version.VelaVersion = velaVersionNumberToUpgradeResourceTracker
 		ctx := context.Background()
 		cli := multicluster.NewFakeClient(testClient)
--- a/pkg/resourcekeeper/gc_test.go
+++ b/pkg/resourcekeeper/gc_test.go
@@ -253,3 +253,86 @@ func TestResourceKeeperGarbageCollect(t *testing.T) {
 	r.NoError(err)
 	r.True(finished)
 }
+
+func TestCheckDependentComponent(t *testing.T) {
+	rk := &resourceKeeper{
+		app: &v1beta1.Application{
+			Spec: v1beta1.ApplicationSpec{
+				Components: []apicommon.ApplicationComponent{
+					{
+						Name: "comp-1",
+						Outputs: apicommon.StepOutputs{
+							{
+								Name: "output-1",
+							},
+						},
+					},
+					{
+						Name: "comp-2",
+						Outputs: apicommon.StepOutputs{
+							{
+								Name: "output-2",
+							},
+						},
+					},
+					{
+						Name: "comp-3",
+						Inputs: apicommon.StepInputs{
+							{
+								From: "output-1",
+							},
+							{
+								From: "output-2",
+							},
+						},
+					},
+					{
+						Name:      "comp-4",
+						DependsOn: []string{"comp-3"},
+					},
+					{
+						Name:      "comp-5",
+						DependsOn: []string{"comp-4", "comp-3"},
+					},
+				},
+			},
+		},
+	}
+	testCases := []struct {
+		comp   string
+		result []string
+	}{
+		{
+			comp:   "comp-1",
+			result: []string{"comp-3"},
+		},
+		{
+			comp:   "comp-2",
+			result: []string{"comp-3"},
+		},
+		{
+			comp:   "comp-3",
+			result: []string{"comp-4", "comp-5"},
+		},
+		{
+			comp:   "comp-4",
+			result: []string{"comp-5"},
+		},
+		{
+			comp:   "comp-5",
+			result: []string{},
+		},
+	}
+	gcHandler := &gcHandler{
+		resourceKeeper: rk,
+	}
+	r := require.New(t)
+	for _, tc := range testCases {
+		mr := v1beta1.ManagedResource{
+			OAMObjectReference: apicommon.OAMObjectReference{
+				Component: tc.comp,
+			},
+		}
+		r.Equal(gcHandler.checkDependentComponent(mr), tc.result)
+	}
+}
--- a/pkg/resourcekeeper/statekeep.go
+++ b/pkg/resourcekeeper/statekeep.go
@@ -35,6 +35,7 @@ func (h *resourceKeeper) StateKeep(ctx context.Context) error {
 	if h.applyOncePolicy != nil && h.applyOncePolicy.Enable && h.applyOncePolicy.Rules == nil {
 		return nil
 	}
+	ctx = auth.ContextWithUserInfo(ctx, h.app)
 	for _, rt := range []*v1beta1.ResourceTracker{h._currentRT, h._rootRT} {
 		if rt != nil && rt.GetDeletionTimestamp() == nil {
 			for _, mr := range rt.Spec.ManagedResources {
@@ -45,7 +46,6 @@ func (h *resourceKeeper) StateKeep(ctx context.Context) error {
 				if mr.Deleted {
 					if entry.exists && entry.obj != nil && entry.obj.GetDeletionTimestamp() == nil {
 						deleteCtx := multicluster.ContextWithClusterName(ctx, mr.Cluster)
-						deleteCtx = auth.ContextWithUserInfo(deleteCtx, h.app)
 						if err := h.Client.Delete(deleteCtx, entry.obj); err != nil {
 							return errors.Wrapf(err, "failed to delete outdated resource %s in resourcetracker %s", mr.ResourceKey(), rt.Name)
 						}
@@ -64,7 +64,6 @@ func (h *resourceKeeper) StateKeep(ctx context.Context) error {
 					if err != nil {
 						return errors.Wrapf(err, "failed to apply once resource %s from resourcetracker %s", mr.ResourceKey(), rt.Name)
 					}
-					applyCtx = auth.ContextWithUserInfo(applyCtx, h.app)
 					if err = h.applicator.Apply(applyCtx, manifest, apply.MustBeControlledByApp(h.app)); err != nil {
 						return errors.Wrapf(err, "failed to re-apply resource %s from resourcetracker %s", mr.ResourceKey(), rt.Name)
 					}
--- a/pkg/resourcekeeper/utils.go
+++ b/pkg/resourcekeeper/utils.go
@@ -0,0 +1,35 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resourcekeeper
+
+import (
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+// ClearNamespaceForClusterScopedResources clear namespace for cluster scoped resources
+func (h *resourceKeeper) ClearNamespaceForClusterScopedResources(manifests []*unstructured.Unstructured) {
+	for _, manifest := range manifests {
+		mappings, err := h.Client.RESTMapper().RESTMappings(manifest.GroupVersionKind().GroupKind(), manifest.GroupVersionKind().Version)
+		if err != nil {
+			continue
+		}
+		if len(mappings) > 0 && mappings[0].Scope.Name() == meta.RESTScopeNameRoot {
+			manifest.SetNamespace("")
+		}
+	}
+}
--- a/pkg/resourcekeeper/utils_test.go
+++ b/pkg/resourcekeeper/utils_test.go
@@ -0,0 +1,55 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resourcekeeper
+
+import (
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+
+	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
+	"github.com/oam-dev/kubevela/pkg/utils/apply"
+)
+
+var _ = Describe("Test ResourceKeeper utilities", func() {
+
+	It("Test ClearNamespaceForClusterScopedResources", func() {
+		cli := testClient
+		h := &resourceKeeper{
+			Client:     cli,
+			app:        &v1beta1.Application{ObjectMeta: metav1.ObjectMeta{Name: "app", Namespace: "default"}},
+			applicator: apply.NewAPIApplicator(cli),
+			cache:      newResourceCache(cli),
+		}
+		ns := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "example", Namespace: "vela"}}
+		nsObj, err := runtime.DefaultUnstructuredConverter.ToUnstructured(ns)
+		Expect(err).Should(Succeed())
+		cm := &corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "example", Namespace: "vela"}}
+		cmObj, err := runtime.DefaultUnstructuredConverter.ToUnstructured(cm)
+		Expect(err).Should(Succeed())
+		uns := []*unstructured.Unstructured{{Object: nsObj}, {Object: cmObj}}
+		uns[0].SetGroupVersionKind(corev1.SchemeGroupVersion.WithKind("Namespace"))
+		uns[1].SetGroupVersionKind(corev1.SchemeGroupVersion.WithKind("ConfigMap"))
+		h.ClearNamespaceForClusterScopedResources(uns)
+		Expect(uns[0].GetNamespace()).Should(Equal(""))
+		Expect(uns[1].GetNamespace()).Should(Equal("vela"))
+	})
+
+})
--- a/pkg/resourcetracker/tree.go
+++ b/pkg/resourcetracker/tree.go
@@ -85,10 +85,7 @@ func (options *ResourceTreePrintOptions) loadResourceRows(currentRT *v1beta1.Res
 			if mr.Deleted {
 				continue
 			}
-			rows = append(rows, &resourceRow{
-				mr:     mr.DeepCopy(),
-				status: resourceRowStatusUpdated,
-			})
+			rows = append(rows, buildResourceRow(mr, resourceRowStatusUpdated))
 		}
 	}
 	for _, rt := range historyRT {
@@ -100,10 +97,7 @@ func (options *ResourceTreePrintOptions) loadResourceRows(currentRT *v1beta1.Res
 				}
 			}
 			if matchedRow == nil {
-				rows = append(rows, &resourceRow{
-					mr:     mr.DeepCopy(),
-					status: resourceRowStatusOutdated,
-				})
+				rows = append(rows, buildResourceRow(mr, resourceRowStatusOutdated))
 			}
 		}
 	}
@@ -410,3 +404,14 @@ func RetrieveKubeCtlGetMessageGenerator(cfg *rest.Config) (ResourceDetailRetriev
 		return nil
 	}, nil
 }
+
+func buildResourceRow(mr v1beta1.ManagedResource, resourceStatus string) *resourceRow {
+	rr := &resourceRow{
+		mr:     mr.DeepCopy(),
+		status: resourceStatus,
+	}
+	if rr.mr.Cluster == "" {
+		rr.mr.Cluster = multicluster.ClusterLocalName
+	}
+	return rr
+}
--- a/pkg/resourcetracker/tree_test.go
+++ b/pkg/resourcetracker/tree_test.go
@@ -22,6 +22,10 @@ import (

 	"github.com/stretchr/testify/require"
 	"k8s.io/utils/pointer"
+
+	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
+	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
+	"github.com/oam-dev/kubevela/pkg/multicluster"
 )

 func TestResourceTreePrintOption_getWidthForDetails(t *testing.T) {
@@ -46,3 +50,39 @@ func TestResourceTreePrintOptions_wrapDetails(t *testing.T) {
 		},
 		options._wrapDetails(detail, 40))
 }
+
+func TestBuildResourceRow(t *testing.T) {
+	r := require.New(t)
+
+	cases := map[string]struct {
+		Cluster                   string
+		ResourceRowStatus         string
+		ExpectedCluster           string
+		ExpectedResourceRowStatus string
+	}{
+		"localCluster": {
+			Cluster:                   "",
+			ResourceRowStatus:         resourceRowStatusUpdated,
+			ExpectedCluster:           multicluster.ClusterLocalName,
+			ExpectedResourceRowStatus: resourceRowStatusUpdated,
+		},
+		"remoteCluster": {
+			Cluster:                   "remoteCluster",
+			ResourceRowStatus:         resourceRowStatusUpdated,
+			ExpectedCluster:           "remoteCluster",
+			ExpectedResourceRowStatus: resourceRowStatusUpdated,
+		},
+	}
+
+	for name, c := range cases {
+		mr := v1beta1.ManagedResource{
+			ClusterObjectReference: common.ClusterObjectReference{
+				Cluster: c.Cluster,
+			},
+		}
+		rr := buildResourceRow(mr, c.ResourceRowStatus)
+		r.Equal(c.ExpectedCluster, rr.mr.Cluster, name)
+		r.Equal(c.ExpectedResourceRowStatus, rr.status, name)
+	}
+
+}
--- a/pkg/utils/config/application.go
+++ b/pkg/utils/config/application.go
@@ -35,9 +35,8 @@ import (
 )

 const (
-	errAuthenticateProvider   = "failed to authenticate Terraform cloud provider %s for %s"
 	errProviderExists         = "terraform provider %s for %s already exists"
-	errDeleteProvider         = "failed to delete Terraform Provider %s"
+	errDeleteProvider         = "failed to delete Terraform Provider %s err: %w"
 	errCouldNotDeleteProvider = "the Terraform Provider %s could not be disabled because it was created by enabling a Terraform provider or was manually created"
 	errCheckProviderExistence = "failed to check if Terraform Provider %s exists"
 )
@@ -54,7 +53,7 @@ func CreateApplication(ctx context.Context, k8sClient client.Client, name, compo
 	if strings.HasPrefix(componentType, types.TerraformComponentPrefix) {
 		existed, err := IsTerraformProviderExisted(ctx, k8sClient, name)
 		if err != nil {
-			return errors.Wrapf(err, errAuthenticateProvider, name, componentType)
+			return errors.Wrapf(err, errCheckProviderExistence, name)
 		}
 		if existed {
 			return fmt.Errorf(errProviderExists, name, componentType)
@@ -112,16 +111,16 @@ func DeleteApplication(ctx context.Context, k8sClient client.Client, name string
 				name = legacyName
 			}
 			if err1 != nil {
-				if kerrors.IsNotFound(err1) {
-					err2 := k8sClient.Get(ctx, client.ObjectKey{Namespace: types.DefaultKubeVelaNS, Name: name}, &v1beta1.Application{})
-					if err2 != nil {
-						if kerrors.IsNotFound(err2) {
-							return fmt.Errorf(errCouldNotDeleteProvider, name)
-						}
-						return fmt.Errorf(errDeleteProvider, name)
-					}
+				if !kerrors.IsNotFound(err1) {
+					return fmt.Errorf(errDeleteProvider, name, err1)
+				}
+				err2 := k8sClient.Get(ctx, client.ObjectKey{Namespace: types.DefaultKubeVelaNS, Name: name}, &v1beta1.Application{})
+				if err2 != nil {
+					if kerrors.IsNotFound(err2) {
+						return fmt.Errorf(errCouldNotDeleteProvider, name)
+					}
+					return fmt.Errorf(errDeleteProvider, name, err2)
 				}
-				return fmt.Errorf(errDeleteProvider, name)
 			}
 		}
 	}
--- a/pkg/utils/helm/helm_helper.go
+++ b/pkg/utils/helm/helm_helper.go
@@ -140,20 +140,16 @@ func (h *Helper) UpgradeChart(ch *chart.Chart, releaseName, namespace string, va
 				r.Info.Status == release.StatusPendingRollback {
 				return nil, fmt.Errorf("previous installation (e.g., using vela install or helm upgrade) is still in progress. Please try again in %d minutes", timeoutInMinutes)
 			}
-
 		}

 		// merge un-existing values into the values as user-input, because the helm chart upgrade didn't handle the new default values in the chart.
+		// the new default values <= the old custom values <= the new custom values
 		if config.ReuseValues {
 			// sort will sort the release by revision from old to new
 			relutil.SortByRevision(releases)
 			rel := releases[len(releases)-1]
-			// merge new chart values into old values, the values of old chart has the high priority
-			mergedWithNewValues := chartutil.CoalesceTables(rel.Chart.Values, ch.Values)
-			// merge the chart with the released chart config but follow the old config
-			mergeWithConfigs := chartutil.CoalesceTables(rel.Config, mergedWithNewValues)
 			// merge new values as the user input, follow the new user input for --set
-			values = chartutil.CoalesceTables(values, mergeWithConfigs)
+			values = chartutil.CoalesceTables(values, rel.Config)
 		}

 		// overwrite existing installation
@@ -161,7 +157,8 @@ func (h *Helper) UpgradeChart(ch *chart.Chart, releaseName, namespace string, va
 		install.Namespace = namespace
 		install.Wait = config.Wait
 		install.Timeout = time.Duration(timeoutInMinutes) * time.Minute
-		install.ReuseValues = config.ReuseValues
+		// use the new default value set.
+		install.ReuseValues = false
 		newRelease, err = install.Run(releaseName, ch, values)
 	}
 	// check if install/upgrade worked
--- a/pkg/utils/helm/helm_helper_test.go
+++ b/pkg/utils/helm/helm_helper_test.go
@@ -49,7 +49,10 @@ var _ = Describe("Test helm helper", func() {
 		helper := NewHelper()
 		chart, err := helper.LoadCharts("./testdata/autoscalertrait-0.1.0.tgz", nil)
 		Expect(err).Should(BeNil())
-		release, err := helper.UpgradeChart(chart, "autoscalertrait", "default", nil, UpgradeChartOptions{
+		release, err := helper.UpgradeChart(chart, "autoscalertrait", "default", map[string]interface{}{
+			"replicaCount": 2,
+			"image.tag":    "0.1.0",
+		}, UpgradeChartOptions{
 			Config:  cfg,
 			Detail:  false,
 			Logging: util.IOStreams{Out: os.Stdout, ErrOut: os.Stderr},
@@ -58,6 +61,42 @@ var _ = Describe("Test helm helper", func() {
 		crds := GetCRDFromChart(release.Chart)
 		Expect(cmp.Diff(len(crds), 1)).Should(BeEmpty())
 		Expect(err).Should(BeNil())
+		deployments := GetDeploymentsFromManifest(release.Manifest)
+		Expect(cmp.Diff(len(deployments), 1)).Should(BeEmpty())
+		Expect(cmp.Diff(*deployments[0].Spec.Replicas, int32(2))).Should(BeEmpty())
+		containers := deployments[0].Spec.Template.Spec.Containers
+		Expect(cmp.Diff(len(containers), 1)).Should(BeEmpty())
+
+		// add new default value
+		Expect(cmp.Diff(containers[0].Image, "ghcr.io/oam-dev/catalog/autoscalertrait:0.1.0")).Should(BeEmpty())
+
+		chartNew, err := helper.LoadCharts("./testdata/autoscalertrait-0.2.0.tgz", nil)
+		Expect(err).Should(BeNil())
+
+		// the new custom values should override the last release custom values
+		releaseNew, err := helper.UpgradeChart(chartNew, "autoscalertrait", "default", map[string]interface{}{
+			"image.tag": "0.2.0",
+		}, UpgradeChartOptions{
+			Config:      cfg,
+			Detail:      false,
+			ReuseValues: true,
+			Logging:     util.IOStreams{Out: os.Stdout, ErrOut: os.Stderr},
+			Wait:        false,
+		})
+		Expect(err).Should(BeNil())
+		deployments = GetDeploymentsFromManifest(releaseNew.Manifest)
+		Expect(cmp.Diff(len(deployments), 1)).Should(BeEmpty())
+		// keep the custom values
+		Expect(cmp.Diff(*deployments[0].Spec.Replicas, int32(2))).Should(BeEmpty())
+		containers = deployments[0].Spec.Template.Spec.Containers
+		Expect(cmp.Diff(len(containers), 1)).Should(BeEmpty())
+
+		// change the default value
+		Expect(cmp.Diff(containers[0].Image, "ghcr.io/oam-dev/catalog/autoscalertrait:0.2.0")).Should(BeEmpty())
+
+		// add new default value
+		Expect(cmp.Diff(len(containers[0].Env), 1)).Should(BeEmpty())
+		Expect(cmp.Diff(containers[0].Env[0].Name, "env1")).Should(BeEmpty())
 	})

 	It("Test UninstallRelease", func() {
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
github-actions[bot]	36b6c3e7b5	Fix: trim quot char for velaql output (#4269 ) Signed-off-by: Jianbo Sun <jianbo.sjb@alibaba-inc.com> (cherry picked from commit `fdd0c93dba`) Co-authored-by: Jianbo Sun <jianbo.sjb@alibaba-inc.com>	2022-06-27 16:52:26 +08:00
github-actions[bot]	4cc019722c	[Backport release-1.4] Feat: enhance velq ql and support cue file (#4266 ) * Feat: enhance velq ql and support cue file Signed-off-by: Jianbo Sun <jianbo.sjb@alibaba-inc.com> (cherry picked from commit `70ed417326`) * add statement Signed-off-by: Jianbo Sun <jianbo.sjb@alibaba-inc.com> (cherry picked from commit `25260eb9ef`) Co-authored-by: Jianbo Sun <jianbo.sjb@alibaba-inc.com>	2022-06-27 16:17:21 +08:00
github-actions[bot]	b040ae65da	[Backport release-1.4] Fix: provider can't be added since 1.4 as context abused && Feat: add cache for remote terraform module in vela show (#4263 ) * Fix: provider can't be added since 1.4 as context abused Signed-off-by: Jianbo Sun <jianbo.sjb@alibaba-inc.com> (cherry picked from commit `b05fb26418`) * Feat: add cache for remote terraform module in vela show Signed-off-by: Jianbo Sun <jianbo.sjb@alibaba-inc.com> (cherry picked from commit `4722028530`) * Fix: add message for terraform resource in error state Signed-off-by: Jianbo Sun <jianbo.sjb@alibaba-inc.com> (cherry picked from commit `438145b12e`) Co-authored-by: Jianbo Sun <jianbo.sjb@alibaba-inc.com>	2022-06-27 11:32:20 +08:00
github-actions[bot]	f0fb4ed099	Feat: omit service output if there's nothing (#4262 ) Signed-off-by: Sumit Tembe <sumit.tembe@outlook.com> (cherry picked from commit `8911143389`) Co-authored-by: Sumit Tembe <sumit.tembe@outlook.com>	2022-06-27 10:31:49 +08:00
github-actions[bot]	7f89d12059	environment from configmap or secret not mandatory in task and crontask componentdefinition (#4254 ) Signed-off-by: Carmendelope <carmen@napptive.com> (cherry picked from commit `35f130ea08`) Co-authored-by: Carmendelope <carmen@napptive.com>	2022-06-25 09:00:24 +08:00
github-actions[bot]	3c61bcb8f0	Fix: vela status print wrong STATUS (#4249 ) Signed-off-by: StevenLeiZhang <zhangleiic@163.com> (cherry picked from commit `5f4616a453`) Co-authored-by: StevenLeiZhang <zhangleiic@163.com>	2022-06-24 17:16:58 +08:00
github-actions[bot]	a14b536fd1	[Backport release-1.4] Feat: skip validating version check (#4247 ) * skip validating version check Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit `4b94a967ae`) * add comments Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit `bbdc19c472`) * fix comments Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit `b5c705013d`) * fix test Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit `adff7ef309`) * fix commments Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit `cf4afee0d8`) * add compatible logic for old controller Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit `3f5a6d33b9`) * modify minimal Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit `b020725112`) Co-authored-by: 楚岳 <wangyike.wyk@alibaba-inc.com>	2022-06-24 14:13:17 +08:00
github-actions[bot]	ba5a726854	[Backport release-1.4] Fix: fixed the problems of display definition in web and support displaying WorkflowStep and Policy (#4241 ) * Fix: fixed the problems of display definition in web Some ComponentDefinitions, TraitDefinitions, WorkflowDefinitions failed to show the usage in web browser Signed-off-by: Zheng Xi Zhou <zhengxi.zzx@alibaba-inc.com> (cherry picked from commit `c8985ccc3e`) * set printable type for {} Signed-off-by: Zheng Xi Zhou <zhengxi.zzx@alibaba-inc.com> (cherry picked from commit `87efb357b2`) * support WorkflowSteps and Policies Signed-off-by: Zheng Xi Zhou <zhengxi.zzx@alibaba-inc.com> (cherry picked from commit `8fb83152bc`) Co-authored-by: Zheng Xi Zhou <zhengxi.zzx@alibaba-inc.com>	2022-06-23 19:46:51 +08:00
github-actions[bot]	ffb9d06427	Fix: json-patch & json-merge-patch open result (#4229 ) Signed-off-by: Somefive <yd219913@alibaba-inc.com> (cherry picked from commit `4ea3ca8d5b`) Co-authored-by: Somefive <yd219913@alibaba-inc.com>	2022-06-22 20:05:19 +08:00
barnettZQG	819dc26ace	Chore: change the acr registry address (#4214 ) (#4216 ) Signed-off-by: barnettZQG <barnett.zqg@gmail.com>	2022-06-22 14:46:13 +08:00
github-actions[bot]	5e3ab732df	[Backport release-1.4] Feat: add the API for querying the image info (#4211 ) * Feat: add the API for querying the image info Signed-off-by: barnettZQG <barnett.zqg@gmail.com> (cherry picked from commit `e257cc6658`) * Fix: the code style Signed-off-by: barnettZQG <barnett.zqg@gmail.com> (cherry picked from commit `45e183b44b`) Co-authored-by: barnettZQG <barnett.zqg@gmail.com>	2022-06-21 15:05:15 +08:00
github-actions[bot]	62d5507499	Fix: cue patch remove temp var (#4208 ) Signed-off-by: Somefive <yd219913@alibaba-inc.com> (cherry picked from commit `660e89b3a0`) Co-authored-by: Somefive <yd219913@alibaba-inc.com>	2022-06-20 17:38:34 +08:00
github-actions[bot]	c0daf688a6	Fix: clear namespace for cluster scoped resource for dispatching (#4195 ) Signed-off-by: Somefive <yd219913@alibaba-inc.com> (cherry picked from commit `7c9de1b071`) Co-authored-by: Somefive <yd219913@alibaba-inc.com>	2022-06-16 14:50:44 +08:00
github-actions[bot]	48d19a2427	[Backport release-1.4] Feat: cli addon add registry add more git types (#4191 ) * add more git types Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit `1d6a5eea22`) * fix comments Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> fix comments Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit `91122432ec`) Co-authored-by: 楚岳 <wangyike.wyk@alibaba-inc.com>	2022-06-16 12:23:15 +08:00
github-actions[bot]	4da8d49e60	Fix: fix the annotation for APIService (#4190 ) Make the annatation for cert-manger be the same as the new version secret Signed-off-by: Zheng Xi Zhou <zhengxi.zzx@alibaba-inc.com> (cherry picked from commit `62ef7b7f99`) Co-authored-by: Zheng Xi Zhou <zhengxi.zzx@alibaba-inc.com>	2022-06-16 11:02:35 +08:00
github-actions[bot]	4db9e89816	Fix: enhance CLI for managing OCM clusters (#4178 ) Signed-off-by: Somefive <yd219913@alibaba-inc.com> (cherry picked from commit `0662e2a79d`) Co-authored-by: Somefive <yd219913@alibaba-inc.com>	2022-06-15 11:23:12 +08:00
github-actions[bot]	667053409d	Fix: fix trait customStatus error when controlPlanOnly=true (#4177 ) Signed-off-by: fourierr <maxiangboo@qq.com> (cherry picked from commit `38648fcf30`) Co-authored-by: fourierr <maxiangboo@qq.com>	2022-06-15 11:22:15 +08:00
github-actions[bot]	eb9ddaabd3	[Backport release-1.4] Feat: optimize the API that list and detail definition (#4160 ) * Fix: ignore the error that the definition API schema is not exist Signed-off-by: barnettZQG <barnett.zqg@gmail.com> (cherry picked from commit `855716d989`) * Fix: disable the cache when listing the definitions Signed-off-by: barnettZQG <barnett.zqg@gmail.com> (cherry picked from commit `f25882974d`) Co-authored-by: barnettZQG <barnett.zqg@gmail.com>	2022-06-13 13:25:41 +08:00
github-actions[bot]	f11a94612f	Feat: support insecure cluster (#4159 ) Signed-off-by: Somefive <yd219913@alibaba-inc.com> (cherry picked from commit `8abedf3005`) Co-authored-by: Somefive <yd219913@alibaba-inc.com>	2022-06-13 13:15:34 +08:00
github-actions[bot]	56f9d7cb9c	[Backport release-1.4] Fix: mongoDB datastore can't list special email user(#4104 ) (#4148 ) * Add description column to vela trait and component command (#4107) Signed-off-by: Holger Protzek <holger.protzek@springernature.com> Signed-off-by: fengkang <fengkangb@digitalchina.com> (cherry picked from commit `9c57ae2a15`) * Fix: mongoDB datastore can't list special email user(#4104) Signed-off-by: fengkang <fengkangb@digitalchina.com> (cherry picked from commit `ec07790935`) * Fix: mongoDB datastore can't list special email user(#4104) change the function name from verifyUserValue to verifyValue add test case to test kubeapi.go:87 Signed-off-by: fengkang <fengkangb@digitalchina.com> (cherry picked from commit `4c55e0688f`) * Fix: mongoDB datastore can't list special email user(#4104) change the function name from verifyUserValue to verifyValue add test case to test kubeapi.go:87 add delete test case Signed-off-by: fengkang <fengkangb@digitalchina.com> (cherry picked from commit `b2e76001c9`) * Fix: mongoDB datastore can't list special email user(#4104) optimize the test case Signed-off-by: fengkang <fengkangb@digitalchina.com> (cherry picked from commit `a63c96fae1`) * Fix: mongoDB datastore can't list special email user(#4104) optimize the test case use user change all verify timing in kubeapi Signed-off-by: fengkang <fengkangb@digitalchina.com> (cherry picked from commit `2ede4f7b0c`) * Fix: mongoDB datastore can't list special email user(#4104) Signed-off-by: fengkang <fengkangb@digitalchina.com> (cherry picked from commit `356150642f`) * Fix: mongoDB datastore can't list special email user(#4104) Signed-off-by: fengkang <fengkangb@digitalchina.com> (cherry picked from commit `48a9e55937`) Co-authored-by: Holger Protzek <3481523+hprotzek@users.noreply.github.com> Co-authored-by: fengkang01 <fengkangb@digitalchina.com>	2022-06-10 15:33:53 +08:00
github-actions[bot]	fbbc666019	[Backport release-1.4] Fix: api not exist don't break whole query process (#4137 ) * make resource tree more resourceTree more robust Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit `327ec35cf4`) * log the error Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit `1136afe78c`) Co-authored-by: 楚岳 <wangyike.wyk@alibaba-inc.com>	2022-06-09 11:36:57 +08:00
github-actions[bot]	d0788254cb	Fix: vela addon registry get panic (#4136 ) Signed-off-by: ZhongsJie <zhongsjie@gmail.com> (cherry picked from commit `0d329e394e`) Co-authored-by: ZhongsJie <zhongsjie@gmail.com>	2022-06-09 10:19:28 +08:00
github-actions[bot]	c72a6aef87	Chore(deps): Bump github.com/containerd/containerd from 1.5.10 to 1.5.13 (#4125 ) Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.10 to 1.5.13. - [Release notes](https://github.com/containerd/containerd/releases) - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) - [Commits](https://github.com/containerd/containerd/compare/v1.5.10...v1.5.13) --- updated-dependencies: - dependency-name: github.com/containerd/containerd dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> (cherry picked from commit `9982c7ceaa`) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-06-08 12:56:05 +08:00
github-actions[bot]	195b7fe0c7	[Backport release-1.4] Fix: bump oamdev/kube-webhook-certgen to v2.4.1 to support arm64 (#4117 ) * Fix: split the image build process to make it faster Signed-off-by: Jianbo Sun <jianbo.sjb@alibaba-inc.com> (cherry picked from commit `339977e874`) * Fix: bump oamdev/kube-webhook-certgen to v2.4.1 to support arm64 Signed-off-by: Jianbo Sun <jianbo.sjb@alibaba-inc.com> (cherry picked from commit `dc054e2ce2`) Co-authored-by: Jianbo Sun <jianbo.sjb@alibaba-inc.com>	2022-06-05 15:10:48 +08:00
github-actions[bot]	33c9e3b170	Fix: change the image name in ghcr to align with docker image registry (#4111 ) Signed-off-by: Jianbo Sun <jianbo.sjb@alibaba-inc.com> (cherry picked from commit `71776c374b`) Co-authored-by: Jianbo Sun <jianbo.sjb@alibaba-inc.com>	2022-06-04 14:19:21 +08:00
github-actions[bot]	ea0508a634	[Backport release-1.4] Fix: hold the force uninstalling process untill the last addon been deleted (#4103 ) * hold the force uninstalling process untill the last addon been deleted Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> fix lint Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> fix comments Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> fix comments Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit `1d4266432c`) * fix comments Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> fix lint Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit `cecd8c28d0`) * add period Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit `62e4dac538`) Co-authored-by: 楚岳 <wangyike.wyk@alibaba-inc.com>	2022-06-02 16:29:02 +08:00
github-actions[bot]	23e29aa62a	Fix: vela provider delete command's example is wrong (#4099 ) Signed-off-by: StevenLeiZhang <zhangleiic@163.com> (cherry picked from commit `9b66f90100`) Co-authored-by: StevenLeiZhang <zhangleiic@163.com>	2022-06-02 11:04:34 +08:00
github-actions[bot]	ed2cb80219	Fix: the new default values do not take effect when upgrading the vela core (#4097 ) Signed-off-by: barnettZQG <barnett.zqg@gmail.com> (cherry picked from commit `0ccbbb2636`) Co-authored-by: barnettZQG <barnett.zqg@gmail.com>	2022-06-02 10:23:30 +08:00
github-actions[bot]	1a3d5debd5	Fix: show the default password (#4095 ) Signed-off-by: barnettZQG <barnett.zqg@gmail.com> (cherry picked from commit `c3cfc4729e`) Co-authored-by: barnettZQG <barnett.zqg@gmail.com>	2022-06-02 10:14:43 +08:00
github-actions[bot]	d4a82fe292	Fix: load the provider subcommands on demand (#4090 ) Signed-off-by: barnettZQG <barnett.zqg@gmail.com> (cherry picked from commit `52bbf937bb`) Co-authored-by: barnettZQG <barnett.zqg@gmail.com>	2022-06-01 16:32:53 +08:00
github-actions[bot]	963ae400fa	Feat: use deferred config in CLI (#4085 ) Signed-off-by: Somefive <yd219913@alibaba-inc.com> (cherry picked from commit `478434003b`) Co-authored-by: Somefive <yd219913@alibaba-inc.com>	2022-06-01 10:24:57 +08:00
github-actions[bot]	8f7a8258fe	[Backport release-1.4] Fix(addon): more note info and filter prerelease addon version (#4082 ) * more note info and filter prerelease addon version Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit `6eefcd2c14`) * wrap the error optimize the show info Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit `00ad8304c8`) * fix golint Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit `9de32d5474`) Co-authored-by: 楚岳 <wangyike.wyk@alibaba-inc.com>	2022-05-31 18:56:54 +08:00
github-actions[bot]	70bc306678	Chore: hide some definitions in VelaUX (#4080 ) Signed-off-by: barnettZQG <barnett.zqg@gmail.com> (cherry picked from commit `68b8db1d00`) Co-authored-by: barnettZQG <barnett.zqg@gmail.com>	2022-05-31 16:41:54 +08:00
github-actions[bot]	57428bbc8d	Fix: change the region to customRegion (#4079 ) Signed-off-by: barnettZQG <barnett.zqg@gmail.com> (cherry picked from commit `9f0008f001`) Co-authored-by: barnettZQG <barnett.zqg@gmail.com>	2022-05-31 16:19:37 +08:00
github-actions[bot]	e08541ca5c	Fix: Improve vela provider add response (#4078 ) Signed-off-by: StevenLeiZhang <zhangleiic@163.com> (cherry picked from commit `39e96d287b`) Co-authored-by: StevenLeiZhang <zhangleiic@163.com>	2022-05-31 16:16:54 +08:00
github-actions[bot]	521a4edc10	Feat: vela ql into vela-cli (#4077 ) Signed-off-by: Shukun Zhang <2236407598@qq.com> (cherry picked from commit `38886a0ee2`) Co-authored-by: Shukun Zhang <2236407598@qq.com>	2022-05-31 16:13:00 +08:00
github-actions[bot]	82b330710c	Fix: upgrade from v1.3+ to v1.4+ with new secret for cluster-gateway (#4076 ) Signed-off-by: Jianbo Sun <jianbo.sjb@alibaba-inc.com> (cherry picked from commit `161588c64e`) Co-authored-by: Jianbo Sun <jianbo.sjb@alibaba-inc.com>	2022-05-31 16:05:36 +08:00
github-actions[bot]	4a649f2cf1	Fix: Can not delete terraform provider (#4074 ) Signed-off-by: StevenLeiZhang <zhangleiic@163.com> (cherry picked from commit `de79442f53`) Co-authored-by: StevenLeiZhang <zhangleiic@163.com>	2022-05-31 15:21:17 +08:00
github-actions[bot]	f6664106a2	Fix: remove the tcp protocol prefix in the endpoint string (#4068 ) Signed-off-by: barnettZQG <barnett.zqg@gmail.com> (cherry picked from commit `8852ac691a`) Co-authored-by: barnettZQG <barnett.zqg@gmail.com>	2022-05-30 20:17:47 +08:00
github-actions[bot]	bbe2a2dec6	[Backport release-1.4] Fix: CI workflow for rollout acr image build and push (#4067 ) * fix the rollout acr image Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit `f6f4a36909`) * fix test test Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> finish fix Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit `1ce37d8ce1`) * merge two sction Signed-off-by: 楚岳 <wangyike.wyk@alibaba-inc.com> (cherry picked from commit `adf2517e72`) Co-authored-by: 楚岳 <wangyike.wyk@alibaba-inc.com>	2022-05-30 19:35:47 +08:00
github-actions[bot]	404c7f6975	Fix: set workflow to finish before record in controller revision (#4066 ) Signed-off-by: FogDong <dongtianxin.tx@alibaba-inc.com> (cherry picked from commit `7042c63e90`) Co-authored-by: FogDong <dongtianxin.tx@alibaba-inc.com>	2022-05-30 19:30:03 +08:00
github-actions[bot]	2edfbabdab	Fix: fix the dependency gc policy to reverse dependency (#4065 ) Signed-off-by: FogDong <dongtianxin.tx@alibaba-inc.com> (cherry picked from commit `45cf38edb0`) Co-authored-by: FogDong <dongtianxin.tx@alibaba-inc.com>	2022-05-30 19:29:42 +08:00
github-actions[bot]	e7b304de3b	Fix: the policies can not be deleted (#4062 ) Signed-off-by: barnettZQG <barnett.zqg@gmail.com> (cherry picked from commit `0c11a69779`) Co-authored-by: barnettZQG <barnett.zqg@gmail.com>	2022-05-30 16:23:03 +08:00
github-actions[bot]	b8b54baf26	Fix: fail to get the endpoints via the velaql (#4058 ) Signed-off-by: yangsoon <songyang.song@alibaba-inc.com> (cherry picked from commit `a40d99f8d8`) Co-authored-by: yangsoon <songyang.song@alibaba-inc.com>	2022-05-30 15:52:38 +08:00
github-actions[bot]	87b6c9416e	[Backport release-1.4] Feat: minimize controller privileges & enforce authentication in multicluster e2e test (#4044 ) * Feat: enable auth in multicluster test & restrict controller privileges while enabling authentication Signed-off-by: Somefive <yd219913@alibaba-inc.com> (cherry picked from commit `fc3fc39eb0`) * Feat: fix statekeep permission leak & comprev cleanup leak Signed-off-by: Somefive <yd219913@alibaba-inc.com> (cherry picked from commit `eaa317316d`) * Fix: use user info in ref-object select Signed-off-by: Somefive <yd219913@alibaba-inc.com> (cherry picked from commit `67463d13fe`) * Feat: set legacy-rt-gc to disabled by default Signed-off-by: Somefive <yd219913@alibaba-inc.com> (cherry picked from commit `77f1fc4286`) * Fix: pending healthscope with authentication test Signed-off-by: Somefive <yd219913@alibaba-inc.com> (cherry picked from commit `c21ae8ac6a`) Co-authored-by: Somefive <yd219913@alibaba-inc.com>	2022-05-28 01:27:35 +08:00