Fix: addon function converted (#4411)

Signed-off-by: Jianbo Sun <jianbo.sjb@alibaba-inc.com>

.github/workflows/chart.yaml

@@ -0,0 +1,89 @@
+name: Publish Chart
+
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch: { }
+
+env:
+  BUCKET: ${{ secrets.OSS_BUCKET }}
+  ENDPOINT: ${{ secrets.OSS_ENDPOINT }}
+  ACCESS_KEY: ${{ secrets.OSS_ACCESS_KEY }}
+  ACCESS_KEY_SECRET: ${{ secrets.OSS_ACCESS_KEY_SECRET }}
+  ARTIFACT_HUB_REPOSITORY_ID: ${{ secrets.ARTIFACT_HUB_REPOSITORY_ID }}
+
+jobs:  
+  publish-charts:
+    env:
+      HELM_CHARTS_DIR: charts
+      HELM_CHART: charts/vela-core
+      MINIMAL_HELM_CHART: charts/vela-minimal
+      LEGACY_HELM_CHART: legacy/charts/vela-core-legacy
+      VELA_ROLLOUT_HELM_CHART: runtime/rollout/charts
+      LOCAL_OSS_DIRECTORY: .oss/
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@master
+      - name: Get git revision
+        id: vars
+        shell: bash
+        run: |
+          echo "::set-output name=git_revision::$(git rev-parse --short HEAD)"
+      - name: Install Helm
+        uses: azure/setup-helm@v1
+        with:
+          version: v3.4.0
+      - name: Setup node
+        uses: actions/setup-node@v2
+        with:
+          node-version: '14'
+      - name: Generate helm doc
+        run: |
+          make helm-doc-gen
+      - name: Prepare legacy chart
+        run: |
+          rsync -r $LEGACY_HELM_CHART $HELM_CHARTS_DIR
+          rsync -r $HELM_CHART/* $LEGACY_HELM_CHART --exclude=Chart.yaml --exclude=crds
+      - name: Prepare vela chart
+        run: |
+          rsync -r $VELA_ROLLOUT_HELM_CHART $HELM_CHARTS_DIR
+      - name: Get the version
+        id: get_version
+        run: |
+          VERSION=${GITHUB_REF#refs/tags/}
+          echo ::set-output name=VERSION::${VERSION}
+      - name: Tag helm chart image
+        run: |
+          image_tag=${{ steps.get_version.outputs.VERSION }}
+          chart_version=${{ steps.get_version.outputs.VERSION }}
+          sed -i "s/latest/${image_tag}/g" $HELM_CHART/values.yaml
+          sed -i "s/latest/${image_tag}/g" $MINIMAL_HELM_CHART/values.yaml
+          sed -i "s/latest/${image_tag}/g" $LEGACY_HELM_CHART/values.yaml
+          sed -i "s/latest/${image_tag}/g" $VELA_ROLLOUT_HELM_CHART/values.yaml
+          chart_smever=${chart_version#"v"}
+          sed -i "s/0.1.0/$chart_smever/g" $HELM_CHART/Chart.yaml
+          sed -i "s/0.1.0/$chart_smever/g" $MINIMAL_HELM_CHART/Chart.yaml
+          sed -i "s/0.1.0/$chart_smever/g" $LEGACY_HELM_CHART/Chart.yaml
+          sed -i "s/0.1.0/$chart_smever/g" $VELA_ROLLOUT_HELM_CHART/Chart.yaml
+      - name: Install ossutil
+        run: wget http://gosspublic.alicdn.com/ossutil/1.7.0/ossutil64 && chmod +x ossutil64 && mv ossutil64 ossutil
+      - name: Configure Alibaba Cloud OSSUTIL
+        run: ./ossutil --config-file .ossutilconfig config -i ${ACCESS_KEY} -k ${ACCESS_KEY_SECRET} -e ${ENDPOINT} -c .ossutilconfig
+      - name: sync cloud to local
+        run: ./ossutil --config-file .ossutilconfig sync oss://$BUCKET/core $LOCAL_OSS_DIRECTORY
+      - name: add artifacthub stuff to the repo
+        run: |
+          rsync $HELM_CHART/README.md $LEGACY_HELM_CHART/README.md
+          rsync $HELM_CHART/README.md $VELA_ROLLOUT_HELM_CHART/README.md
+          sed -i "s/ARTIFACT_HUB_REPOSITORY_ID/$ARTIFACT_HUB_REPOSITORY_ID/g" hack/artifacthub/artifacthub-repo.yml
+          rsync hack/artifacthub/artifacthub-repo.yml $LOCAL_OSS_DIRECTORY
+      - name: Package helm charts
+        run: |
+          helm package $HELM_CHART --destination $LOCAL_OSS_DIRECTORY
+          helm package $MINIMAL_HELM_CHART --destination $LOCAL_OSS_DIRECTORY
+          helm package $LEGACY_HELM_CHART --destination $LOCAL_OSS_DIRECTORY
+          helm package $VELA_ROLLOUT_HELM_CHART --destination $LOCAL_OSS_DIRECTORY
+          helm repo index --url https://$BUCKET.$ENDPOINT/core $LOCAL_OSS_DIRECTORY
+      - name: sync local to cloud
+        run: ./ossutil --config-file .ossutilconfig sync $LOCAL_OSS_DIRECTORY oss://$BUCKET/core -f

.github/workflows/e2e-multicluster-test.yml

@@ -103,7 +103,7 @@ jobs:
         run: |
           make e2e-cleanup
           make vela-cli
-          make e2e-setup-core
+          make e2e-setup-core-auth
           make
           make setup-runtime-e2e-cluster
 

.github/workflows/registry.yml

@@ -8,14 +8,11 @@ on:
   workflow_dispatch: {}
 
 env:
-  BUCKET: ${{ secrets.OSS_BUCKET }}
-  ENDPOINT: ${{ secrets.OSS_ENDPOINT }}
   ACCESS_KEY: ${{ secrets.OSS_ACCESS_KEY }}
   ACCESS_KEY_SECRET: ${{ secrets.OSS_ACCESS_KEY_SECRET }}
-  ARTIFACT_HUB_REPOSITORY_ID: ${{ secrets.ARTIFACT_HUB_REPOSITORY_ID }}
 
 jobs:
-  publish-images:
+  publish-core-images:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@master
@@ -47,20 +44,16 @@ jobs:
       - name: Login Alibaba Cloud ACR
         uses: docker/login-action@v1
         with:
-          registry: kubevela-registry.cn-hangzhou.cr.aliyuncs.com
-          username: ${{ secrets.ACR_USERNAME }}@aliyun-inner.com
+          registry: ${{ secrets.ACR_DOMAIN }}
+          username: ${{ secrets.ACR_USERNAME }}
           password: ${{ secrets.ACR_PASSWORD }}
       - uses: docker/setup-qemu-action@v1
       - uses: docker/setup-buildx-action@v1
         with:
           driver-opts: image=moby/buildkit:master
 
-      - name: Build & Pushing vela-core for ACR
-        run: |
-          docker build --build-arg GOPROXY=https://proxy.golang.org --build-arg VERSION=${{ steps.get_version.outputs.VERSION }} --build-arg GITVERSION=git-${{ steps.vars.outputs.git_revision }}  -t kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }} .
-          docker push kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
       - uses: docker/build-push-action@v2
-        name: Build & Pushing vela-core for Dockerhub and GHCR
+        name: Build & Pushing vela-core for Dockerhub, GHCR and ACR
         with:
           context: .
           file: Dockerfile
@@ -75,14 +68,70 @@ jobs:
             GOPROXY=https://proxy.golang.org
           tags: |-
             docker.io/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
-            ghcr.io/${{ github.repository }}/vela-core:${{ steps.get_version.outputs.VERSION }}
+            ghcr.io/${{ github.repository_owner }}/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
+            ${{ secrets.ACR_DOMAIN }}/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
 
-      - name: Build & Pushing vela-apiserver for ACR
-        run: |
-          docker build --build-arg GOPROXY=https://proxy.golang.org --build-arg VERSION=${{ steps.get_version.outputs.VERSION }} --build-arg GITVERSION=git-${{ steps.vars.outputs.git_revision }} -t kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }} -f Dockerfile.apiserver .
-          docker push kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
       - uses: docker/build-push-action@v2
-        name: Build & Pushing vela-apiserver for Dockerhub and GHCR
+        name: Build & Pushing CLI for Dockerhub, GHCR and ACR
+        with:
+          context: .
+          file: Dockerfile.cli
+          labels: |-
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}
+            org.opencontainers.image.revision=${{ github.sha }}
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          build-args: |
+            GITVERSION=git-${{ steps.vars.outputs.git_revision }}
+            VERSION=${{ steps.get_version.outputs.VERSION }}
+            GOPROXY=https://proxy.golang.org
+          tags: |-
+            docker.io/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}
+            ghcr.io/${{ github.repository_owner }}/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}
+            ${{ secrets.ACR_DOMAIN }}/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}
+
+  publish-addon-images:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Get the version
+        id: get_version
+        run: |
+          VERSION=${GITHUB_REF#refs/tags/}
+          if [[ ${GITHUB_REF} == "refs/heads/master" ]]; then
+            VERSION=latest
+          fi
+          echo ::set-output name=VERSION::${VERSION}
+      - name: Get git revision
+        id: vars
+        shell: bash
+        run: |
+          echo "::set-output name=git_revision::$(git rev-parse --short HEAD)"
+      - name: Login ghcr.io
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Login docker.io
+        uses: docker/login-action@v1
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login Alibaba Cloud ACR
+        uses: docker/login-action@v1
+        with:
+          registry: ${{ secrets.ACR_DOMAIN }}
+          username: ${{ secrets.ACR_USERNAME }}
+          password: ${{ secrets.ACR_PASSWORD }}
+      - uses: docker/setup-qemu-action@v1
+      - uses: docker/setup-buildx-action@v1
+        with:
+          driver-opts: image=moby/buildkit:master
+
+      - uses: docker/build-push-action@v2
+        name: Build & Pushing vela-apiserver for Dockerhub, GHCR and ACR
         with:
           context: .
           file: Dockerfile.apiserver
@@ -97,14 +146,11 @@ jobs:
             GOPROXY=https://proxy.golang.org
           tags: |-
             docker.io/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
-            ghcr.io/${{ github.repository }}/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
+            ghcr.io/${{ github.repository_owner }}/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
+            ${{ secrets.ACR_DOMAIN }}/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
 
-      - name: Build & Pushing vela runtime rollout for ACR
-        run: |
-          docker build --build-arg GOPROXY=https://proxy.golang.org --build-arg VERSION=${{ steps.get_version.outputs.VERSION }} --build-arg GITVERSION=git-${{ steps.vars.outputs.git_revision }}  -t kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-rollout:${{ steps.get_version.outputs.VERSION }} .
-          docker push kubevela-registry.cn-hangzhou.cr.aliyuncs.com/oamdev/vela-rollout:${{ steps.get_version.outputs.VERSION }}
       - uses: docker/build-push-action@v2
-        name: Build & Pushing runtime rollout for Dockerhub and GHCR
+        name: Build & Pushing runtime rollout Dockerhub, GHCR and ACR
         with:
           context: .
           file: runtime/rollout/Dockerfile
@@ -119,91 +165,8 @@ jobs:
             GOPROXY=https://proxy.golang.org
           tags: |-
             docker.io/oamdev/vela-rollout:${{ steps.get_version.outputs.VERSION }}
-            ghcr.io/${{ github.repository }}/vela-rollout:${{ steps.get_version.outputs.VERSION }}
-
-  publish-charts:
-    env:
-      HELM_CHARTS_DIR: charts
-      HELM_CHART: charts/vela-core
-      MINIMAL_HELM_CHART: charts/vela-minimal
-      LEGACY_HELM_CHART: legacy/charts/vela-core-legacy
-      VELA_ROLLOUT_HELM_CHART: runtime/rollout/charts
-      LOCAL_OSS_DIRECTORY: .oss/
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@master
-      - name: Get git revision
-        id: vars
-        shell: bash
-        run: |
-          echo "::set-output name=git_revision::$(git rev-parse --short HEAD)"
-      - name: Install Helm
-        uses: azure/setup-helm@v1
-        with:
-          version: v3.4.0
-      - name: Setup node
-        uses: actions/setup-node@v2
-        with:
-          node-version: '14'
-      - name: Generate helm doc
-        run: |
-          make helm-doc-gen
-      - name: Prepare legacy chart
-        run: |
-          rsync -r $LEGACY_HELM_CHART $HELM_CHARTS_DIR
-          rsync -r $HELM_CHART/* $LEGACY_HELM_CHART --exclude=Chart.yaml --exclude=crds
-      - name: Prepare vela chart
-        run: |
-          rsync -r $VELA_ROLLOUT_HELM_CHART $HELM_CHARTS_DIR
-      - uses: oprypin/find-latest-tag@v1
-        with:
-          repository: oam-dev/kubevela
-          releases-only: true
-        id: latest_tag
-      - name: Tag helm chart image
-        run: |
-          latest_repo_tag=${{ steps.latest_tag.outputs.tag }}
-          sub="."
-          major="$(cut -d"$sub" -f1 <<<"$latest_repo_tag")"
-          minor="$(cut -d"$sub" -f2 <<<"$latest_repo_tag")"
-          patch="0"
-          current_repo_tag="$major.$minor.$patch"
-          image_tag=${GITHUB_REF#refs/tags/}
-          chart_version=$latest_repo_tag
-          if [[ ${GITHUB_REF} == "refs/heads/master" ]]; then
-            image_tag=latest
-            chart_version=${current_repo_tag}-nightly-build
-          fi
-          sed -i "s/latest/${image_tag}/g" $HELM_CHART/values.yaml
-          sed -i "s/latest/${image_tag}/g" $MINIMAL_HELM_CHART/values.yaml
-          sed -i "s/latest/${image_tag}/g" $LEGACY_HELM_CHART/values.yaml
-          sed -i "s/latest/${image_tag}/g" $VELA_ROLLOUT_HELM_CHART/values.yaml
-          chart_smever=${chart_version#"v"}
-          sed -i "s/0.1.0/$chart_smever/g" $HELM_CHART/Chart.yaml
-          sed -i "s/0.1.0/$chart_smever/g" $MINIMAL_HELM_CHART/Chart.yaml
-          sed -i "s/0.1.0/$chart_smever/g" $LEGACY_HELM_CHART/Chart.yaml
-          sed -i "s/0.1.0/$chart_smever/g" $VELA_ROLLOUT_HELM_CHART/Chart.yaml
-      - name: Install ossutil
-        run: wget http://gosspublic.alicdn.com/ossutil/1.7.0/ossutil64 && chmod +x ossutil64 && mv ossutil64 ossutil
-      - name: Configure Alibaba Cloud OSSUTIL
-        run: ./ossutil --config-file .ossutilconfig config -i ${ACCESS_KEY} -k ${ACCESS_KEY_SECRET} -e ${ENDPOINT} -c .ossutilconfig
-      - name: sync cloud to local
-        run: ./ossutil --config-file .ossutilconfig sync oss://$BUCKET/core $LOCAL_OSS_DIRECTORY
-      - name: add artifacthub stuff to the repo
-        run: |
-          rsync $HELM_CHART/README.md $LEGACY_HELM_CHART/README.md
-          rsync $HELM_CHART/README.md $VELA_ROLLOUT_HELM_CHART/README.md
-          sed -i "s/ARTIFACT_HUB_REPOSITORY_ID/$ARTIFACT_HUB_REPOSITORY_ID/g" hack/artifacthub/artifacthub-repo.yml
-          rsync hack/artifacthub/artifacthub-repo.yml $LOCAL_OSS_DIRECTORY
-      - name: Package helm charts
-        run: |
-          helm package $HELM_CHART --destination $LOCAL_OSS_DIRECTORY
-          helm package $MINIMAL_HELM_CHART --destination $LOCAL_OSS_DIRECTORY
-          helm package $LEGACY_HELM_CHART --destination $LOCAL_OSS_DIRECTORY
-          helm package $VELA_ROLLOUT_HELM_CHART --destination $LOCAL_OSS_DIRECTORY
-          helm repo index --url https://$BUCKET.$ENDPOINT/core $LOCAL_OSS_DIRECTORY
-      - name: sync local to cloud
-        run: ./ossutil --config-file .ossutilconfig sync $LOCAL_OSS_DIRECTORY oss://$BUCKET/core -f
+            ghcr.io/${{ github.repository_owner }}/oamdev/vela-rollout:${{ steps.get_version.outputs.VERSION }}
+            ${{ secrets.ACR_DOMAIN }}/oamdev/vela-rollout:${{ steps.get_version.outputs.VERSION }}
 
   publish-capabilities:
     env:

.github/workflows/release.yml

@@ -121,7 +121,13 @@ jobs:
         run: ./ossutil --config-file .ossutilconfig sync ./_bin/vela oss://$BUCKET/binary/vela/${{ env.VELA_VERSION }}
       
       - name: sync the latest version file
+        if: ${{ !contains(env.VELA_VERSION,'alpha') && !contains(env.VELA_VERSION,'beta') }}
         run: |
+          LATEST_VERSION=$(curl -fsSl https://static.kubevela.net/binary/vela/latest_version)
+          verlte() {
+            [  "$1" = "`echo -e "$1\n$2" | sort -V | head -n1`" ]
+          }
+          verlte ${{ env.VELA_VERSION }} $LATEST_VERSION && echo "${{ env.VELA_VERSION }} <= $LATEST_VERSION, skip update" && exit 0
           echo ${{ env.VELA_VERSION }} > ./latest_version
           ./ossutil --config-file .ossutilconfig cp -u ./latest_version oss://$BUCKET/binary/vela/latest_version
 

Dockerfile

@@ -36,7 +36,7 @@ RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 # Overwrite `BASE_IMAGE` by passing `--build-arg=BASE_IMAGE=gcr.io/distroless/static:nonroot`
 FROM ${BASE_IMAGE:-alpine:3.15}
-# This is required by daemon connnecting with cri
+# This is required by daemon connecting with cri
 RUN apk add --no-cache ca-certificates bash expat
 
 WORKDIR /

Dockerfile.apiserver

@@ -34,7 +34,7 @@ RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
 # Overwrite `BASE_IMAGE` by passing `--build-arg=BASE_IMAGE=gcr.io/distroless/static:nonroot`
 
 FROM ${BASE_IMAGE:-alpine:3.15}
-# This is required by daemon connnecting with cri
+# This is required by daemon connecting with cri
 RUN apk add --no-cache ca-certificates bash expat
 
 WORKDIR /

Dockerfile.cli

@@ -0,0 +1,43 @@
+ARG BASE_IMAGE
+# Build the cli binary
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.17-alpine as builder
+ARG GOPROXY
+ENV GOPROXY=${GOPROXY:-https://goproxy.cn}
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+# Copy the go source
+COPY apis/ apis/
+COPY pkg/ pkg/
+COPY version/ version/
+COPY references/ references/
+
+# Build
+ARG TARGETARCH
+ARG VERSION
+ARG GITVERSION
+
+RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH:-amd64} \
+    go build -a -ldflags "-s -w -X github.com/oam-dev/kubevela/version.VelaVersion=${VERSION:-undefined} -X github.com/oam-dev/kubevela/version.GitRevision=${GITVERSION:-undefined}" \
+    -o vela-${TARGETARCH} ./references/cmd/cli/main.go
+
+
+# Use alpine as base image due to the discussion in issue #1448
+# You can replace distroless as minimal base image to package the manager binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+# Overwrite `BASE_IMAGE` by passing `--build-arg=BASE_IMAGE=gcr.io/distroless/static:nonroot`
+
+FROM ${BASE_IMAGE:-alpine:3.15}
+# This is required by daemon connecting with cri
+RUN apk add --no-cache ca-certificates bash expat
+
+WORKDIR /
+
+ARG TARGETARCH
+COPY --from=builder /workspace/vela-${TARGETARCH} /vela
+ENTRYPOINT ["/vela"]

Dockerfile.e2e

@@ -39,7 +39,7 @@ RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
 # Overwrite `BASE_IMAGE` by passing `--build-arg=BASE_IMAGE=gcr.io/distroless/static:nonroot`
 
 FROM ${BASE_IMAGE:-alpine:3.15}
-# This is required by daemon connnecting with cri
+# This is required by daemon connecting with cri
 RUN apk add --no-cache ca-certificates bash expat
 
 WORKDIR /

apis/core.oam.dev/common/types.go

@@ -347,6 +347,8 @@ type WorkflowStep struct {
 
 	SubSteps []WorkflowSubStep `json:"subSteps,omitempty"`
 
+	If string `json:"if,omitempty"`
+
 	DependsOn []string `json:"dependsOn,omitempty"`
 
 	Inputs StepInputs `json:"inputs,omitempty"`
@@ -364,6 +366,8 @@ type WorkflowSubStep struct {
 	// +kubebuilder:pruning:PreserveUnknownFields
 	Properties *runtime.RawExtension `json:"properties,omitempty"`
 
+	If string `json:"if,omitempty"`
+
 	DependsOn []string `json:"dependsOn,omitempty"`
 
 	Inputs StepInputs `json:"inputs,omitempty"`
@@ -397,6 +401,8 @@ const (
 	WorkflowStepPhaseSucceeded WorkflowStepPhase = "succeeded"
 	// WorkflowStepPhaseFailed will report error in `message`.
 	WorkflowStepPhaseFailed WorkflowStepPhase = "failed"
+	// WorkflowStepPhaseSkipped will make the controller skip the step.
+	WorkflowStepPhaseSkipped WorkflowStepPhase = "skipped"
 	// WorkflowStepPhaseStopped will make the controller stop the workflow.
 	WorkflowStepPhaseStopped WorkflowStepPhase = "stopped"
 	// WorkflowStepPhaseRunning will make the controller continue the workflow.

apis/core.oam.dev/v1alpha1/envbinding_types.go

@@ -117,6 +117,9 @@ type PlacementDecision struct {
 
 // String encode placement decision
 func (in PlacementDecision) String() string {
+	if in.Namespace == "" {
+		return in.Cluster
+	}
 	return in.Cluster + "/" + in.Namespace
 }
 

apis/types/types.go

@@ -169,8 +169,3 @@ const (
 	// VelaCoreConfig is to mark application, config and its secret or Terraform provider lelong to a KubeVela config
 	VelaCoreConfig = "velacore-config"
 )
-
-const (
-	// ClusterGatewayAccessorGroup the group to impersonate which allows the access to the cluster-gateway
-	ClusterGatewayAccessorGroup = "cluster-gateway-accessor"
-)

charts/vela-core/README.md

@@ -53,11 +53,12 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 
 ### KubeVela workflow parameters
 
-| Name                                   | Description                                            | Value |
-| -------------------------------------- | ------------------------------------------------------ | ----- |
-| `workflow.backoff.maxTime.waitState`   | The max backoff time of workflow in a wait condition   | `60`  |
-| `workflow.backoff.maxTime.failedState` | The max backoff time of workflow in a failed condition | `300` |
-| `workflow.step.errorRetryTimes`        | The max retry times of a failed workflow step          | `10`  |
+| Name                                   | Description                                            | Value   |
+| -------------------------------------- | ------------------------------------------------------ | ------- |
+| `workflow.enableSuspendOnFailure`      | Enable suspend on workflow failure                     | `false` |
+| `workflow.backoff.maxTime.waitState`   | The max backoff time of workflow in a wait condition   | `60`    |
+| `workflow.backoff.maxTime.failedState` | The max backoff time of workflow in a failed condition | `300`   |
+| `workflow.step.errorRetryTimes`        | The max retry times of a failed workflow step          | `10`    |
 
 
 ### KubeVela controller parameters
@@ -103,7 +104,7 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 | `multicluster.clusterGateway.replicaCount`                  | ClusterGateway replica count                    | `1`                              |
 | `multicluster.clusterGateway.port`                          | ClusterGateway port                             | `9443`                           |
 | `multicluster.clusterGateway.image.repository`              | ClusterGateway image repository                 | `oamdev/cluster-gateway`         |
-| `multicluster.clusterGateway.image.tag`                     | ClusterGateway image tag                        | `v1.3.2`                         |
+| `multicluster.clusterGateway.image.tag`                     | ClusterGateway image tag                        | `v1.4.0`                         |
 | `multicluster.clusterGateway.image.pullPolicy`              | ClusterGateway image pull policy                | `IfNotPresent`                   |
 | `multicluster.clusterGateway.resources.limits.cpu`          | ClusterGateway cpu limit                        | `100m`                           |
 | `multicluster.clusterGateway.resources.limits.memory`       | ClusterGateway memory limit                     | `200Mi`                          |

charts/vela-core/crds/core.oam.dev_applicationrevisions.yaml

@@ -2209,6 +2209,8 @@ spec:
                                   items:
                                     type: string
                                   type: array
+                                if:
+                                  type: string
                                 inputs:
                                   description: StepInputs defines variable input of
                                     WorkflowStep
@@ -2253,6 +2255,8 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                      if:
+                                        type: string
                                       inputs:
                                         description: StepInputs defines variable input
                                           of WorkflowStep
@@ -3954,6 +3958,8 @@ spec:
                           items:
                             type: string
                           type: array
+                        if:
+                          type: string
                         inputs:
                           description: StepInputs defines variable input of WorkflowStep
                           items:
@@ -3995,6 +4001,8 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              if:
+                                type: string
                               inputs:
                                 description: StepInputs defines variable input of
                                   WorkflowStep

charts/vela-core/crds/core.oam.dev_applications.yaml

@@ -1020,6 +1020,8 @@ spec:
                           items:
                             type: string
                           type: array
+                        if:
+                          type: string
                         inputs:
                           description: StepInputs defines variable input of WorkflowStep
                           items:
@@ -1061,6 +1063,8 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              if:
+                                type: string
                               inputs:
                                 description: StepInputs defines variable input of
                                   WorkflowStep

charts/vela-core/crds/core.oam.dev_workflows.yaml

@@ -42,6 +42,8 @@ spec:
                   items:
                     type: string
                   type: array
+                if:
+                  type: string
                 inputs:
                   description: StepInputs defines variable input of WorkflowStep
                   items:
@@ -83,6 +85,8 @@ spec:
                         items:
                           type: string
                         type: array
+                      if:
+                        type: string
                       inputs:
                         description: StepInputs defines variable input of WorkflowStep
                         items:
@@ -147,6 +151,8 @@ spec:
                   items:
                     type: string
                   type: array
+                if:
+                  type: string
                 inputs:
                   description: StepInputs defines variable input of WorkflowStep
                   items:
@@ -188,6 +194,8 @@ spec:
                         items:
                           type: string
                         type: array
+                      if:
+                        type: string
                       inputs:
                         description: StepInputs defines variable input of WorkflowStep
                         items:

charts/vela-core/templates/cluster-gateway/certmanager.yaml

@@ -13,7 +13,7 @@ metadata:
   name: {{ template "kubevela.fullname" . }}-cluster-gateway-tls
   namespace: {{ .Release.Namespace }}
 spec:
-  secretName: {{ template "kubevela.fullname" . }}-cluster-gateway-tls
+  secretName: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-v2
   duration: 8760h # 1y
   issuerRef:
     name: {{ template "kubevela.fullname" . }}-cluster-gateway-issuer

charts/vela-core/templates/cluster-gateway/cluster-gateway.yaml

@@ -31,7 +31,7 @@ spec:
             - "apiserver"
             - "--secure-port={{ .Values.multicluster.clusterGateway.port }}"
             - "--secret-namespace={{ .Release.Namespace }}"
-            - "--feature-gates=APIPriorityAndFairness=false"
+            - "--feature-gates=APIPriorityAndFairness=false,ClientIdentityPenetration={{ .Values.authentication.enabled }}"
             {{- if .Values.multicluster.clusterGateway.secureTLS.enabled }}
             - "--tls-cert-file={{ .Values.multicluster.clusterGateway.secureTLS.certPath }}/tls.crt"
             - "--tls-private-key-file={{ .Values.multicluster.clusterGateway.secureTLS.certPath }}/tls.key"
@@ -53,7 +53,7 @@ spec:
         - name: tls-cert-vol
           secret:
             defaultMode: 420
-            secretName: {{ template "kubevela.fullname" . }}-cluster-gateway-tls
+            secretName: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-v2
       {{ end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
@@ -106,7 +106,7 @@ metadata:
   name: v1alpha1.cluster.core.oam.dev
   annotations:
     {{- if and .Values.multicluster.clusterGateway.secureTLS.enabled .Values.multicluster.clusterGateway.secureTLS.certManager.enabled }}
-    cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ template "kubevela.fullname" . }}-cluster-gateway-tls"
+    cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ template "kubevela.fullname" . }}-cluster-gateway-tls-v2"
     {{- end }}
   labels:
     api: cluster-extension-apiserver
@@ -129,7 +129,7 @@ spec:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-role
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway:proxy
 rules:
   - apiGroups: [ "cluster.core.oam.dev" ]
     resources: [ "clustergateways/proxy" ]
@@ -138,16 +138,16 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-rolebinding
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway:proxy
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-role
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway:proxy
 subjects:
-  - kind: Group
-    name: cluster-gateway-accessor
-    apiGroup: rbac.authorization.k8s.io
   - kind: Group
     name: kubevela:client
     apiGroup: rbac.authorization.k8s.io
+  - kind: ServiceAccount
+    name: {{ include "kubevela.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
 {{ end }}

charts/vela-core/templates/cluster-gateway/job-patch.yaml

@@ -86,7 +86,7 @@ spec:
           - create
           - --host={{ .Release.Name }}-cluster-gateway-service,{{ .Release.Name }}-cluster-gateway-service.{{ .Release.Namespace }}.svc
           - --namespace={{ .Release.Namespace }}
-          - --secret-name={{ template "kubevela.fullname" . }}-cluster-gateway-tls
+          - --secret-name={{ template "kubevela.fullname" . }}-cluster-gateway-tls-v2
           - --cert-name=tls.crt
           - --key-name=tls.key
       restartPolicy: OnFailure
@@ -131,7 +131,7 @@ spec:
           - /patch
         args:
           - --secret-namespace={{ .Release.Namespace }}
-          - --secret-name={{ template "kubevela.fullname" . }}-cluster-gateway-tls
+          - --secret-name={{ template "kubevela.fullname" . }}-cluster-gateway-tls-v2
       restartPolicy: OnFailure
       serviceAccountName: {{ include "kubevela.serviceAccountName" . }}
       securityContext:

charts/vela-core/templates/defwithtemplate/affinity.yaml

@@ -0,0 +1,186 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/affinity.cue
+apiVersion: core.oam.dev/v1beta1
+kind: TraitDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Affinity specifies affinity and toleration K8s pod for your workload which follows the pod spec in path 'spec.template'.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
+  name: affinity
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  appliesToWorkloads:
+    - '*'
+  podDisruptive: true
+  schematic:
+    cue:
+      template: |
+        patch: spec: template: spec: {
+        	if parameter.podAffinity != _|_ {
+        		affinity: podAffinity: {
+        			if parameter.podAffinity.required != _|_ {
+        				requiredDuringSchedulingIgnoredDuringExecution: [
+        					for k in parameter.podAffinity.required {
+        						if k.labelSelector != _|_ {
+        							labelSelector: k.labelSelector
+        						}
+        						if k.namespace != _|_ {
+        							namespace: k.namespace
+        						}
+        						topologyKey: k.topologyKey
+        						if k.namespaceSelector != _|_ {
+        							namespaceSelector: k.namespaceSelector
+        						}
+        					}]
+        			}
+        			if parameter.podAffinity.preferred != _|_ {
+        				preferredDuringSchedulingIgnoredDuringExecution: [
+        					for k in parameter.podAffinity.preferred {
+        						weight:          k.weight
+        						podAffinityTerm: k.podAffinityTerm
+        					}]
+        			}
+        		}
+        	}
+        	if parameter.podAntiAffinity != _|_ {
+        		affinity: podAntiAffinity: {
+        			if parameter.podAntiAffinity.required != _|_ {
+        				requiredDuringSchedulingIgnoredDuringExecution: [
+        					for k in parameter.podAntiAffinity.required {
+        						if k.labelSelector != _|_ {
+        							labelSelector: k.labelSelector
+        						}
+        						if k.namespace != _|_ {
+        							namespace: k.namespace
+        						}
+        						topologyKey: k.topologyKey
+        						if k.namespaceSelector != _|_ {
+        							namespaceSelector: k.namespaceSelector
+        						}
+        					}]
+        			}
+        			if parameter.podAntiAffinity.preferred != _|_ {
+        				preferredDuringSchedulingIgnoredDuringExecution: [
+        					for k in parameter.podAntiAffinity.preferred {
+        						weight:          k.weight
+        						podAffinityTerm: k.podAffinityTerm
+        					}]
+        			}
+        		}
+        	}
+        	if parameter.nodeAffinity != _|_ {
+        		affinity: nodeAffinity: {
+        			if parameter.nodeAffinity.required != _|_ {
+        				requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: [
+        					for k in parameter.nodeAffinity.required.nodeSelectorTerms {
+        						if k.matchExpressions != _|_ {
+        							matchExpressions: k.matchExpressions
+        						}
+        						if k.matchFields != _|_ {
+        							matchFields: k.matchFields
+        						}
+        					}]
+        			}
+        			if parameter.nodeAffinity.preferred != _|_ {
+        				preferredDuringSchedulingIgnoredDuringExecution: [
+        					for k in parameter.nodeAffinity.preferred {
+        						weight:     k.weight
+        						preference: k.preference
+        					}]
+        			}
+        		}
+        	}
+        	if parameter.tolerations != _|_ {
+        		tolerations: [
+        			for k in parameter.tolerations {
+        				if k.key != _|_ {
+        					key: k.key
+        				}
+        				if k.effect != _|_ {
+        					effect: k.effect
+        				}
+        				if k.value != _|_ {
+        					value: k.value
+        				}
+        				operator: k.operator
+        				if k.tolerationSeconds != _|_ {
+        					tolerationSeconds: k.tolerationSeconds
+        				}
+        			}]
+        	}
+        }
+        #labelSelector: {
+        	matchLabels?: [string]: string
+        	matchExpressions?: [...{
+        		key:      string
+        		operator: *"In" | "NotIn" | "Exists" | "DoesNotExist"
+        		values?: [...string]
+        	}]
+        }
+        #podAffinityTerm: {
+        	labelSelector?: #labelSelector
+        	namespaces?: [...string]
+        	topologyKey:        string
+        	namespaceSelector?: #labelSelector
+        }
+        #nodeSelecor: {
+        	key:      string
+        	operator: *"In" | "NotIn" | "Exists" | "DoesNotExist" | "Gt" | "Lt"
+        	values?: [...string]
+        }
+        #nodeSelectorTerm: {
+        	matchExpressions?: [...#nodeSelecor]
+        	matchFields?: [...#nodeSelecor]
+        }
+        parameter: {
+        	// +usage=Specify the pod affinity scheduling rules
+        	podAffinity?: {
+        		// +usage=Specify the required during scheduling ignored during execution
+        		required?: [...#podAffinityTerm]
+        		// +usage=Specify the preferred during scheduling ignored during execution
+        		preferred?: [...{
+        			// +usage=Specify weight associated with matching the corresponding podAffinityTerm
+        			weight: int & >=1 & <=100
+        			// +usage=Specify a set of pods
+        			podAffinityTerm: #podAffinityTerm
+        		}]
+        	}
+        	// +usage=Specify the pod anti-affinity scheduling rules
+        	podAntiAffinity?: {
+        		// +usage=Specify the required during scheduling ignored during execution
+        		required?: [...#podAffinityTerm]
+        		// +usage=Specify the preferred during scheduling ignored during execution
+        		preferred?: [...{
+        			// +usage=Specify weight associated with matching the corresponding podAffinityTerm
+        			weight: int & >=1 & <=100
+        			// +usage=Specify a set of pods
+        			podAffinityTerm: #podAffinityTerm
+        		}]
+        	}
+        	// +usage=Specify the node affinity scheduling rules for the pod
+        	nodeAffinity?: {
+        		// +usage=Specify the required during scheduling ignored during execution
+        		required?: {
+        			// +usage=Specify a list of node selector
+        			nodeSelectorTerms: [...#nodeSelectorTerm]
+        		}
+        		// +usage=Specify the preferred during scheduling ignored during execution
+        		preferred?: [...{
+        			// +usage=Specify weight associated with matching the corresponding nodeSelector
+        			weight: int & >=1 & <=100
+        			// +usage=Specify a node selector
+        			preference: #nodeSelectorTerm
+        		}]
+        	}
+        	// +usage=Specify tolerant taint
+        	tolerations?: [...{
+        		key?:     string
+        		operator: *"Equal" | "Exists"
+        		value?:   string
+        		effect?:  "NoSchedule" | "PreferNoSchedule" | "NoExecute"
+        		// +usage=Specify the period of time the toleration
+        		tolerationSeconds?: int
+        	}]
+        }
+

charts/vela-core/templates/defwithtemplate/config-image-registry.yaml

@@ -20,6 +20,7 @@ spec:
         import (
         	"encoding/base64"
         	"encoding/json"
+        	"strconv"
         )
 
         output: {
@@ -42,21 +43,29 @@ spec:
         	if parameter.auth == _|_ {
         		type: "Opaque"
         	}
-        	if parameter.auth != _|_ {
-        		stringData: ".dockerconfigjson": json.Marshal({
-        			auths: "\(parameter.registry)": {
-        				username: parameter.auth.username
-        				password: parameter.auth.password
-        				if parameter.auth.email != _|_ {
-        					email: parameter.auth.email
+        	stringData: {
+        		if parameter.auth != _|_ && parameter.auth.username != _|_ {
+        			".dockerconfigjson": json.Marshal({
+        				auths: "\(parameter.registry)": {
+        					username: parameter.auth.username
+        					password: parameter.auth.password
+        					if parameter.auth.email != _|_ {
+        						email: parameter.auth.email
+        					}
+        					auth: base64.Encode(null, (parameter.auth.username + ":" + parameter.auth.password))
         				}
-        				auth: base64.Encode(null, (parameter.auth.username + ":" + parameter.auth.password))
-        			}
-        		})
+        			})
+        		}
+        		if parameter.insecure != _|_ {
+        			"insecure-skip-verify": strconv.FormatBool(parameter.insecure)
+        		}
+        		if parameter.useHTTP != _|_ {
+        			"protocol-use-http": strconv.FormatBool(parameter.useHTTP)
+        		}
         	}
         }
         parameter: {
-        	// +usage=Image registry FQDN
+        	// +usage=Image registry FQDN, such as: index.docker.io
         	registry: string
         	// +usage=Authenticate the image registry
         	auth?: {
@@ -67,6 +76,10 @@ spec:
         		// +usage=Private Image registry email
         		email?: string
         	}
+        	// +usage=For the registry server that uses the self-signed certificate
+        	insecure?: bool
+        	// +usage=For the registry server that uses the HTTP protocol
+        	useHTTP?: bool
         }
   workload:
     type: autodetects.core.oam.dev

charts/vela-core/templates/defwithtemplate/container-image.yaml

@@ -5,6 +5,8 @@ kind: TraitDefinition
 metadata:
   annotations:
     definition.oam.dev/description: Set the image of the container.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
   name: container-image
   namespace: {{ include "systemDefinitionNamespace" . }}
 spec:

charts/vela-core/templates/defwithtemplate/cron-task.yaml

@@ -196,14 +196,14 @@ spec:
         		// +usage=Specifies a source the value of this var should come from
         		valueFrom?: {
         			// +usage=Selects a key of a secret in the pod's namespace
-        			secretKeyRef: {
+        			secretKeyRef?: {
         				// +usage=The name of the secret in the pod's namespace to select from
         				name: string
         				// +usage=The key of the secret to select from. Must be a valid secret key
         				key: string
         			}
         			// +usage=Selects a key of a config map in the pod's namespace
-        			configMapKeyRef: {
+        			configMapKeyRef?: {
         				// +usage=The name of the config map in the pod's namespace to select from
         				name: string
         				// +usage=The key of the config map to select from. Must be a valid secret key

charts/vela-core/templates/defwithtemplate/deploy2env.yaml

@@ -5,6 +5,8 @@ kind: WorkflowStepDefinition
 metadata:
   annotations:
     definition.oam.dev/description: Deploy env binding component to target env
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
   name: deploy2env
   namespace: {{ include "systemDefinitionNamespace" . }}
 spec:

charts/vela-core/templates/defwithtemplate/env.yaml

@@ -62,7 +62,8 @@ spec:
         					}
         				}
         			}] + [ for k, v in _params.env if _delKeys[k] == _|_ && (_params.replace || _baseEnvMap[k] == _|_) {
-        				v
+        				name:  k
+        				value: v
         			}]
         		}
         	}

charts/vela-core/templates/defwithtemplate/init-container.yaml

@@ -43,7 +43,7 @@ spec:
         		volumeMounts: [{
         			name:      parameter.mountName
         			mountPath: parameter.initMountPath
-        		}]
+        		}] + parameter.extraVolumeMounts
         	}]
         	// +patchKey=name
         	volumes: [{
@@ -97,5 +97,13 @@ spec:
 
         	// +usage=Specify the mount path of init container
         	initMountPath: string
+
+        	// +usage=Specify the extra volume mounts for the init container
+        	extraVolumeMounts: [...{
+        		// +usage=The name of the volume to be mounted
+        		name: string
+        		// +usage=The mountPath for mount in the init container
+        		mountPath: string
+        	}]
         }
 

charts/vela-core/templates/defwithtemplate/json-merge-patch.yaml

@@ -5,6 +5,8 @@ kind: TraitDefinition
 metadata:
   annotations:
     definition.oam.dev/description: Patch the output following Json Merge Patch strategy, following RFC 7396.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
   name: json-merge-patch
   namespace: {{ include "systemDefinitionNamespace" . }}
 spec:

charts/vela-core/templates/defwithtemplate/json-patch.yaml

@@ -5,6 +5,8 @@ kind: TraitDefinition
 metadata:
   annotations:
     definition.oam.dev/description: Patch the output following Json Patch strategy, following RFC 6902.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
   name: json-patch
   namespace: {{ include "systemDefinitionNamespace" . }}
 spec:

charts/vela-core/templates/defwithtemplate/node-affinity.yaml

@@ -1,11 +1,12 @@
 # Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
-# Definition source cue file: vela-templates/definitions/internal/node-affinity.cue
+# Definition source cue file: vela-templates/definitions/deprecated/node-affinity.cue
 apiVersion: core.oam.dev/v1beta1
 kind: TraitDefinition
 metadata:
   annotations:
     definition.oam.dev/description: affinity specify node affinity and toleration on K8s pod for your workload which follows the pod spec in path 'spec.template'.
   labels:
+    custom.definition.oam.dev/deprecated: "true"
     custom.definition.oam.dev/ui-hidden: "true"
   name: node-affinity
   namespace: {{ include "systemDefinitionNamespace" . }}

charts/vela-core/templates/defwithtemplate/ref-objects.yaml

@@ -5,6 +5,8 @@ kind: ComponentDefinition
 metadata:
   annotations:
     definition.oam.dev/description: Ref-objects allow users to specify ref objects to use. Notice that this component type have special handle logic.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
   name: ref-objects
   namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
@@ -12,12 +14,18 @@ spec:
     cue:
       template: |
         #K8sObject: {
-        	apiVersion: string
-        	kind:       string
-        	metadata: {
-        		name: string
-        		...
-        	}
+        	// +usage=The resource type for the Kubernetes objects
+        	resource?: string
+        	// +usage=The group name for the Kubernetes objects
+        	group?: string
+        	// +usage=If specified, fetch the Kubernetes objects with the name, exclusive to labelSelector
+        	name?: string
+        	// +usage=If specified, fetch the Kubernetes objects from the namespace. Otherwise, fetch from the application's namespace.
+        	namespace?: string
+        	// +usage=If specified, fetch the Kubernetes objects from the cluster. Otherwise, fetch from the local cluster.
+        	cluster?: string
+        	// +usage=If specified, fetch the Kubernetes objects according to the label selector, exclusive to name
+        	labelSelector?: [string]: string
         	...
         }
         output: parameter.objects[0]
@@ -28,7 +36,12 @@ spec:
         		}
         	}
         }
-        parameter: objects: [...#K8sObject]
+        parameter: {
+        	// +usage=If specified, application will fetch native Kubernetes objects according to the object description
+        	objects?: [...#K8sObject]
+        	// +usage=If specified, the objects in the urls will be loaded.
+        	urls?: [...string]
+        }
   status:
     customStatus: |-
       if context.output.apiVersion == "apps/v1" && context.output.kind == "Deployment" {

charts/vela-core/templates/defwithtemplate/service-account.yaml

@@ -14,10 +14,114 @@ spec:
   schematic:
     cue:
       template: |
+        #Privileges: {
+        	// +usage=Specify the verbs to be allowed for the resource
+        	verbs: [...string]
+        	// +usage=Specify the apiGroups of the resource
+        	apiGroups?: [...string]
+        	// +usage=Specify the resources to be allowed
+        	resources?: [...string]
+        	// +usage=Specify the resourceNames to be allowed
+        	resourceNames?: [...string]
+        	// +usage=Specify the resource url to be allowed
+        	nonResourceURLs?: [...string]
+        	// +usage=Specify the scope of the privileges, default to be namespace scope
+        	scope: *"namespace" | "cluster"
+        }
         parameter: {
         	// +usage=Specify the name of ServiceAccount
         	name: string
+        	// +usage=Specify whether to create new ServiceAccount or not
+        	create: *false | bool
+        	// +usage=Specify the privileges of the ServiceAccount, if not empty, RoleBindings(ClusterRoleBindings) will be created
+        	privileges?: [...#Privileges]
         }
         // +patchStrategy=retainKeys
         patch: spec: template: spec: serviceAccountName: parameter.name
+        _clusterPrivileges: [ for p in parameter.privileges if p.scope == "cluster" {p}]
+        _namespacePrivileges: [ for p in parameter.privileges if p.scope == "namespace" {p}]
+        outputs: {
+        	if parameter.create {
+        		"service-account": {
+        			apiVersion: "v1"
+        			kind:       "ServiceAccount"
+        			metadata: name: parameter.name
+        		}
+        	}
+        	if parameter.privileges != _|_ {
+        		if len(_clusterPrivileges) > 0 {
+        			"cluster-role": {
+        				apiVersion: "rbac.authorization.k8s.io/v1"
+        				kind:       "ClusterRole"
+        				metadata: name: "\(context.namespace):\(parameter.name)"
+        				rules: [ for p in _clusterPrivileges {
+        					verbs: p.verbs
+        					if p.apiGroups != _|_ {
+        						apiGroups: p.apiGroups
+        					}
+        					if p.resources != _|_ {
+        						resources: p.resources
+        					}
+        					if p.resourceNames != _|_ {
+        						resourceNames: p.resourceNames
+        					}
+        					if p.nonResourceURLs != _|_ {
+        						nonResourceURLs: p.nonResourceURLs
+        					}
+        				}]
+        			}
+        			"cluster-role-binding": {
+        				apiVersion: "rbac.authorization.k8s.io/v1"
+        				kind:       "ClusterRoleBinding"
+        				metadata: name: "\(context.namespace):\(parameter.name)"
+        				roleRef: {
+        					apiGroup: "rbac.authorization.k8s.io"
+        					kind:     "ClusterRole"
+        					name:     "\(context.namespace):\(parameter.name)"
+        				}
+        				subjects: [{
+        					kind:      "ServiceAccount"
+        					name:      parameter.name
+        					namespace: "\(context.namespace)"
+        				}]
+        			}
+        		}
+        		if len(_namespacePrivileges) > 0 {
+        			role: {
+        				apiVersion: "rbac.authorization.k8s.io/v1"
+        				kind:       "Role"
+        				metadata: name: parameter.name
+        				rules: [ for p in _namespacePrivileges {
+        					verbs: p.verbs
+        					if p.apiGroups != _|_ {
+        						apiGroups: p.apiGroups
+        					}
+        					if p.resources != _|_ {
+        						resources: p.resources
+        					}
+        					if p.resourceNames != _|_ {
+        						resourceNames: p.resourceNames
+        					}
+        					if p.nonResourceURLs != _|_ {
+        						nonResourceURLs: p.nonResourceURLs
+        					}
+        				}]
+        			}
+        			"role-binding": {
+        				apiVersion: "rbac.authorization.k8s.io/v1"
+        				kind:       "RoleBinding"
+        				metadata: name: parameter.name
+        				roleRef: {
+        					apiGroup: "rbac.authorization.k8s.io"
+        					kind:     "Role"
+        					name:     parameter.name
+        				}
+        				subjects: [{
+        					kind: "ServiceAccount"
+        					name: parameter.name
+        				}]
+        			}
+        		}
+        	}
+        }
 

charts/vela-core/templates/defwithtemplate/sidecar.yaml

@@ -82,6 +82,11 @@ spec:
         				// +usage=The key of the config map to select from. Must be a valid secret key
         				key: string
         			}
+        			// +usage=Specify the field reference for env
+        			fieldRef?: {
+        				// +usage=Specify the field path for env
+        				fieldPath: string
+        			}
         		}
         	}]
 

charts/vela-core/templates/defwithtemplate/step-group.yaml

@@ -5,6 +5,8 @@ kind: WorkflowStepDefinition
 metadata:
   annotations:
     definition.oam.dev/description: step group
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
   name: step-group
   namespace: {{ include "systemDefinitionNamespace" . }}
 spec:

charts/vela-core/templates/defwithtemplate/storage.yaml

@@ -64,6 +64,9 @@ spec:
         			{
         				name:      "pvc-" + v.name
         				mountPath: v.mountPath
+        				if v.subPath != _|_ {
+        					subPath: v.subPath
+        				}
         			}
         		}
         	},
@@ -73,6 +76,9 @@ spec:
         		{
         			name:      "configmap-" + v.name
         			mountPath: v.mountPath
+        			if v.subPath != _|_ {
+        				subPath: v.subPath
+        			}
         		}
         	},
         ] | []
@@ -103,6 +109,9 @@ spec:
         		{
         			name:      "secret-" + v.name
         			mountPath: v.mountPath
+        			if v.subPath != _|_ {
+        				subPath: v.subPath
+        			}
         		}
         	},
         ] | []
@@ -133,6 +142,9 @@ spec:
         		{
         			name:      "emptydir-" + v.name
         			mountPath: v.mountPath
+        			if v.subPath != _|_ {
+        				subPath: v.subPath
+        			}
         		}
         	},
         ] | []
@@ -141,12 +153,28 @@ spec:
         		{
         			name:       "pvc-" + v.name
         			devicePath: v.mountPath
+        			if v.subPath != _|_ {
+        				subPath: v.subPath
+        			}
         		}
         	},
         ] | []
+        volumesList: pvcVolumesList + configMapVolumesList + secretVolumesList + emptyDirVolumesList
+        deDupVolumesArray: [
+        	for val in [
+        		for i, vi in volumesList {
+        			for j, vj in volumesList if j < i && vi.name == vj.name {
+        				_ignore: true
+        			}
+        			vi
+        		},
+        	] if val._ignore == _|_ {
+        		val
+        	},
+        ]
         patch: spec: template: spec: {
         	// +patchKey=name
-        	volumes: pvcVolumesList + configMapVolumesList + secretVolumesList + emptyDirVolumesList
+        	volumes: deDupVolumesArray
 
         	containers: [{
         		// +patchKey=name
@@ -234,6 +262,7 @@ spec:
         		name:              string
         		mountOnly:         *false | bool
         		mountPath:         string
+        		subPath?:          string
         		volumeMode:        *"Filesystem" | string
         		volumeName?:       string
         		accessModes:       *["ReadWriteOnce"] | [...string]
@@ -275,6 +304,7 @@ spec:
         			configMapKey: string
         		}]
         		mountPath?:  string
+        		subPath?:    string
         		defaultMode: *420 | int
         		readOnly:    *false | bool
         		data?: {...}
@@ -298,6 +328,7 @@ spec:
         			secretKey: string
         		}]
         		mountPath?:  string
+        		subPath?:    string
         		defaultMode: *420 | int
         		readOnly:    *false | bool
         		stringData?: {...}
@@ -313,6 +344,7 @@ spec:
         	emptyDir?: [...{
         		name:      string
         		mountPath: string
+        		subPath?:  string
         		medium:    *"" | "Memory"
         	}]
         }

charts/vela-core/templates/defwithtemplate/task.yaml

@@ -149,14 +149,14 @@ spec:
         		// +usage=Specifies a source the value of this var should come from
         		valueFrom?: {
         			// +usage=Selects a key of a secret in the pod's namespace
-        			secretKeyRef: {
+        			secretKeyRef?: {
         				// +usage=The name of the secret in the pod's namespace to select from
         				name: string
         				// +usage=The key of the secret to select from. Must be a valid secret key
         				key: string
         			}
         			// +usage=Selects a key of a config map in the pod's namespace
-        			configMapKeyRef: {
+        			configMapKeyRef?: {
         				// +usage=The name of the config map in the pod's namespace to select from
         				name: string
         				// +usage=The key of the config map to select from. Must be a valid secret key

charts/vela-core/templates/defwithtemplate/webservice.yaml

@@ -20,7 +20,10 @@ spec:
         		for v in parameter.volumeMounts.pvc {
         			{
         				mountPath: v.mountPath
-        				name:      v.name
+        				if v.subPath != _|_ {
+        					subPath: v.subPath
+        				}
+        				name: v.name
         			}
         		},
         	] | []
@@ -29,7 +32,10 @@ spec:
         			for v in parameter.volumeMounts.configMap {
         			{
         				mountPath: v.mountPath
-        				name:      v.name
+        				if v.subPath != _|_ {
+        					subPath: v.subPath
+        				}
+        				name: v.name
         			}
         		},
         	] | []
@@ -38,7 +44,10 @@ spec:
         		for v in parameter.volumeMounts.secret {
         			{
         				mountPath: v.mountPath
-        				name:      v.name
+        				if v.subPath != _|_ {
+        					subPath: v.subPath
+        				}
+        				name: v.name
         			}
         		},
         	] | []
@@ -47,7 +56,10 @@ spec:
         			for v in parameter.volumeMounts.emptyDir {
         			{
         				mountPath: v.mountPath
-        				name:      v.name
+        				if v.subPath != _|_ {
+        					subPath: v.subPath
+        				}
+        				name: v.name
         			}
         		},
         	] | []
@@ -56,7 +68,10 @@ spec:
         			for v in parameter.volumeMounts.hostPath {
         			{
         				mountPath: v.mountPath
-        				name:      v.name
+        				if v.subPath != _|_ {
+        					subPath: v.subPath
+        				}
+        				name: v.name
         			}
         		},
         	] | []
@@ -119,6 +134,19 @@ spec:
         		},
         	] | []
         }
+        volumesList: volumesArray.pvc + volumesArray.configMap + volumesArray.secret + volumesArray.emptyDir + volumesArray.hostPath
+        deDupVolumesArray: [
+        	for val in [
+        		for i, vi in volumesList {
+        			for j, vj in volumesList if j < i && vi.name == vj.name {
+        				_ignore: true
+        			}
+        			vi
+        		},
+        	] if val._ignore == _|_ {
+        		val
+        	},
+        ]
         output: {
         	apiVersion: "apps/v1"
         	kind:       "Deployment"
@@ -262,7 +290,7 @@ spec:
         				}
 
         				if parameter["volumeMounts"] != _|_ {
-        					volumes: volumesArray.pvc + volumesArray.configMap + volumesArray.secret + volumesArray.emptyDir + volumesArray.hostPath
+        					volumes: deDupVolumesArray
         				}
         			}
         		}
@@ -375,6 +403,7 @@ spec:
         		pvc?: [...{
         			name:      string
         			mountPath: string
+        			subPath?:  string
         			// +usage=The name of the PVC
         			claimName: string
         		}]
@@ -382,6 +411,7 @@ spec:
         		configMap?: [...{
         			name:        string
         			mountPath:   string
+        			subPath?:    string
         			defaultMode: *420 | int
         			cmName:      string
         			items?: [...{
@@ -394,6 +424,7 @@ spec:
         		secret?: [...{
         			name:        string
         			mountPath:   string
+        			subPath?:    string
         			defaultMode: *420 | int
         			secretName:  string
         			items?: [...{
@@ -406,12 +437,14 @@ spec:
         		emptyDir?: [...{
         			name:      string
         			mountPath: string
+        			subPath?:  string
         			medium:    *"" | "Memory"
         		}]
         		// +usage=Mount HostPath type volume
         		hostPath?: [...{
         			name:      string
         			mountPath: string
+        			subPath?:  string
         			path:      string
         		}]
         	}

charts/vela-core/templates/kubevela-controller.yaml

@@ -20,14 +20,53 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: "cluster-admin"
+  name: {{ if .Values.authentication.enabled }} {{ include "kubevela.fullname" . }}:manager {{ else }} "cluster-admin" {{ end }}
 subjects:
   - kind: ServiceAccount
     name: {{ include "kubevela.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
-  - kind: Group
-    name: core.oam.dev
-    apiGroup: rbac.authorization.k8s.io
+
+{{ if .Values.authentication.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "kubevela.fullname" . }}:manager
+rules:
+  - apiGroups: ["core.oam.dev", "terraform.core.oam.dev", "prism.oam.dev"]
+    resources: ["*"]
+    verbs: ["*"]
+  - apiGroups: ["cluster.open-cluster-management.io"]
+    resources: ["managedclusters"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["users", "groups", "serviceaccounts"]
+    verbs: ["impersonate"]
+  - apiGroups: [""]
+    resources: ["namespaces", "secrets", "services"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: [""]
+    resources: ["configmaps", "events"]
+    verbs: ["*"]
+  - apiGroups: ["apps"]
+    resources: ["controllerrevisions"]
+    verbs: ["*"]
+  - apiGroups: ["apiregistration.k8s.io"]
+    resources: ["apiservices"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["*"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["flowcontrol.apiserver.k8s.io"]
+    resources: ["prioritylevelconfigurations", "flowschemas"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["*"]
+{{ end }}
 
 ---
 # permissions to do leader election.
@@ -83,6 +122,7 @@ metadata:
   name: {{ include "kubevela.fullname" . }}
   namespace: {{ .Release.Namespace }}
   labels:
+    controller.oam.dev/name: vela-core
   {{- include "kubevela.labels" . | nindent 4 }}
 spec:
   replicas: {{ .Values.replicaCount }}
@@ -175,6 +215,7 @@ spec:
             - "--max-workflow-wait-backoff-time={{ .Values.workflow.backoff.maxTime.waitState }}"
             - "--max-workflow-failed-backoff-time={{ .Values.workflow.backoff.maxTime.failedState }}"
             - "--max-workflow-step-error-retry-times={{ .Values.workflow.step.errorRetryTimes }}"
+            - "--feature-gates=EnableSuspendOnFailure={{- .Values.workflow.enableSuspendOnFailure | toString -}}"
             - "--feature-gates=AuthenticateApplication={{- .Values.authentication.enabled | toString -}}"
             {{ if .Values.authentication.enabled }}
             {{ if .Values.authentication.withUser }}

charts/vela-core/values.yaml

@@ -35,10 +35,12 @@ dependCheckWait: 30s
 
 ## @section KubeVela workflow parameters
 
+## @param workflow.enableSuspendOnFailure Enable suspend on workflow failure
 ## @param workflow.backoff.maxTime.waitState The max backoff time of workflow in a wait condition
 ## @param workflow.backoff.maxTime.failedState The max backoff time of workflow in a failed condition
 ## @param workflow.step.errorRetryTimes The max retry times of a failed workflow step
 workflow:
+  enableSuspendOnFailure: false
   backoff:
     maxTime:
       waitState: 60
@@ -130,7 +132,7 @@ multicluster:
     port: 9443
     image:
       repository: oamdev/cluster-gateway
-      tag: v1.3.2
+      tag: v1.4.0
       pullPolicy: IfNotPresent
     resources:
       limits:
@@ -224,7 +226,7 @@ admissionWebhooks:
     enabled: true
     image:
       repository: oamdev/kube-webhook-certgen
-      tag: v2.4.0
+      tag: v2.4.1
       pullPolicy: IfNotPresent
     nodeSelector: {}
     affinity: {}

charts/vela-minimal/README.md

@@ -72,11 +72,12 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-minimal --
 
 ### KubeVela workflow parameters
 
-| Name                                   | Description                                            | Value |
-| -------------------------------------- | ------------------------------------------------------ | ----- |
-| `workflow.backoff.maxTime.waitState`   | The max backoff time of workflow in a wait condition   | `60`  |
-| `workflow.backoff.maxTime.failedState` | The max backoff time of workflow in a failed condition | `300` |
-| `workflow.step.errorRetryTimes`        | The max retry times of a failed workflow step          | `10`  |
+| Name                                   | Description                                            | Value   |
+| -------------------------------------- | ------------------------------------------------------ | ------- |
+| `workflow.enableSuspendOnFailure`      | Enable suspend on workflow failure                     | `false` |
+| `workflow.backoff.maxTime.waitState`   | The max backoff time of workflow in a wait condition   | `60`    |
+| `workflow.backoff.maxTime.failedState` | The max backoff time of workflow in a failed condition | `300`   |
+| `workflow.step.errorRetryTimes`        | The max retry times of a failed workflow step          | `10`    |
 
 
 ### KubeVela controller parameters
@@ -105,7 +106,7 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-minimal --
 | `multicluster.clusterGateway.replicaCount`            | ClusterGateway replica count     | `1`                              |
 | `multicluster.clusterGateway.port`                    | ClusterGateway port              | `9443`                           |
 | `multicluster.clusterGateway.image.repository`        | ClusterGateway image repository  | `oamdev/cluster-gateway`         |
-| `multicluster.clusterGateway.image.tag`               | ClusterGateway image tag         | `v1.3.2`                         |
+| `multicluster.clusterGateway.image.tag`               | ClusterGateway image tag         | `v1.4.0`                         |
 | `multicluster.clusterGateway.image.pullPolicy`        | ClusterGateway image pull policy | `IfNotPresent`                   |
 | `multicluster.clusterGateway.resources.limits.cpu`    | ClusterGateway cpu limit         | `100m`                           |
 | `multicluster.clusterGateway.resources.limits.memory` | ClusterGateway memory limit      | `200Mi`                          |

charts/vela-minimal/crds/core.oam.dev_applicationrevisions.yaml

@@ -2209,6 +2209,8 @@ spec:
                                   items:
                                     type: string
                                   type: array
+                                if:
+                                  type: string
                                 inputs:
                                   description: StepInputs defines variable input of
                                     WorkflowStep
@@ -2253,6 +2255,8 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                      if:
+                                        type: string
                                       inputs:
                                         description: StepInputs defines variable input
                                           of WorkflowStep
@@ -3954,6 +3958,8 @@ spec:
                           items:
                             type: string
                           type: array
+                        if:
+                          type: string
                         inputs:
                           description: StepInputs defines variable input of WorkflowStep
                           items:
@@ -3995,6 +4001,8 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              if:
+                                type: string
                               inputs:
                                 description: StepInputs defines variable input of
                                   WorkflowStep

charts/vela-minimal/crds/core.oam.dev_applications.yaml

@@ -1020,6 +1020,8 @@ spec:
                           items:
                             type: string
                           type: array
+                        if:
+                          type: string
                         inputs:
                           description: StepInputs defines variable input of WorkflowStep
                           items:
@@ -1061,6 +1063,8 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              if:
+                                type: string
                               inputs:
                                 description: StepInputs defines variable input of
                                   WorkflowStep

charts/vela-minimal/templates/cluster-gateway.yaml

@@ -31,7 +31,7 @@ spec:
             - "apiserver"
             - "--secure-port={{ .Values.multicluster.clusterGateway.port }}"
             - "--secret-namespace={{ .Release.Namespace }}"
-            - "--feature-gates=APIPriorityAndFairness=false"
+            - "--feature-gates=APIPriorityAndFairness=false,ClientIdentityPenetration={{ .Values.authentication.enabled }}"
             {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
             - "--cert-dir={{ .Values.multicluster.clusterGateway.secureTLS.certPath }}"
             {{ end }}
@@ -194,24 +194,25 @@ spec:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-role
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway:proxy
 rules:
   - apiGroups: [ "cluster.core.oam.dev" ]
     resources: [ "clustergateways/proxy" ]
     verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
-{{ end }}
 ---
-{{ if and .Values.multicluster.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-rolebinding
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway:proxy
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-role
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway:proxy
 subjects:
   - kind: Group
-    name: cluster-gateway-accessor
+    name: kubevela:client
     apiGroup: rbac.authorization.k8s.io
+  - kind: ServiceAccount
+    name: {{ include "kubevela.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
 {{ end }}

charts/vela-minimal/templates/defwithtemplate/affinity.yaml

@@ -0,0 +1,186 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/affinity.cue
+apiVersion: core.oam.dev/v1beta1
+kind: TraitDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Affinity specifies affinity and toleration K8s pod for your workload which follows the pod spec in path 'spec.template'.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
+  name: affinity
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  appliesToWorkloads:
+    - '*'
+  podDisruptive: true
+  schematic:
+    cue:
+      template: |
+        patch: spec: template: spec: {
+        	if parameter.podAffinity != _|_ {
+        		affinity: podAffinity: {
+        			if parameter.podAffinity.required != _|_ {
+        				requiredDuringSchedulingIgnoredDuringExecution: [
+        					for k in parameter.podAffinity.required {
+        						if k.labelSelector != _|_ {
+        							labelSelector: k.labelSelector
+        						}
+        						if k.namespace != _|_ {
+        							namespace: k.namespace
+        						}
+        						topologyKey: k.topologyKey
+        						if k.namespaceSelector != _|_ {
+        							namespaceSelector: k.namespaceSelector
+        						}
+        					}]
+        			}
+        			if parameter.podAffinity.preferred != _|_ {
+        				preferredDuringSchedulingIgnoredDuringExecution: [
+        					for k in parameter.podAffinity.preferred {
+        						weight:          k.weight
+        						podAffinityTerm: k.podAffinityTerm
+        					}]
+        			}
+        		}
+        	}
+        	if parameter.podAntiAffinity != _|_ {
+        		affinity: podAntiAffinity: {
+        			if parameter.podAntiAffinity.required != _|_ {
+        				requiredDuringSchedulingIgnoredDuringExecution: [
+        					for k in parameter.podAntiAffinity.required {
+        						if k.labelSelector != _|_ {
+        							labelSelector: k.labelSelector
+        						}
+        						if k.namespace != _|_ {
+        							namespace: k.namespace
+        						}
+        						topologyKey: k.topologyKey
+        						if k.namespaceSelector != _|_ {
+        							namespaceSelector: k.namespaceSelector
+        						}
+        					}]
+        			}
+        			if parameter.podAntiAffinity.preferred != _|_ {
+        				preferredDuringSchedulingIgnoredDuringExecution: [
+        					for k in parameter.podAntiAffinity.preferred {
+        						weight:          k.weight
+        						podAffinityTerm: k.podAffinityTerm
+        					}]
+        			}
+        		}
+        	}
+        	if parameter.nodeAffinity != _|_ {
+        		affinity: nodeAffinity: {
+        			if parameter.nodeAffinity.required != _|_ {
+        				requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: [
+        					for k in parameter.nodeAffinity.required.nodeSelectorTerms {
+        						if k.matchExpressions != _|_ {
+        							matchExpressions: k.matchExpressions
+        						}
+        						if k.matchFields != _|_ {
+        							matchFields: k.matchFields
+        						}
+        					}]
+        			}
+        			if parameter.nodeAffinity.preferred != _|_ {
+        				preferredDuringSchedulingIgnoredDuringExecution: [
+        					for k in parameter.nodeAffinity.preferred {
+        						weight:     k.weight
+        						preference: k.preference
+        					}]
+        			}
+        		}
+        	}
+        	if parameter.tolerations != _|_ {
+        		tolerations: [
+        			for k in parameter.tolerations {
+        				if k.key != _|_ {
+        					key: k.key
+        				}
+        				if k.effect != _|_ {
+        					effect: k.effect
+        				}
+        				if k.value != _|_ {
+        					value: k.value
+        				}
+        				operator: k.operator
+        				if k.tolerationSeconds != _|_ {
+        					tolerationSeconds: k.tolerationSeconds
+        				}
+        			}]
+        	}
+        }
+        #labelSelector: {
+        	matchLabels?: [string]: string
+        	matchExpressions?: [...{
+        		key:      string
+        		operator: *"In" | "NotIn" | "Exists" | "DoesNotExist"
+        		values?: [...string]
+        	}]
+        }
+        #podAffinityTerm: {
+        	labelSelector?: #labelSelector
+        	namespaces?: [...string]
+        	topologyKey:        string
+        	namespaceSelector?: #labelSelector
+        }
+        #nodeSelecor: {
+        	key:      string
+        	operator: *"In" | "NotIn" | "Exists" | "DoesNotExist" | "Gt" | "Lt"
+        	values?: [...string]
+        }
+        #nodeSelectorTerm: {
+        	matchExpressions?: [...#nodeSelecor]
+        	matchFields?: [...#nodeSelecor]
+        }
+        parameter: {
+        	// +usage=Specify the pod affinity scheduling rules
+        	podAffinity?: {
+        		// +usage=Specify the required during scheduling ignored during execution
+        		required?: [...#podAffinityTerm]
+        		// +usage=Specify the preferred during scheduling ignored during execution
+        		preferred?: [...{
+        			// +usage=Specify weight associated with matching the corresponding podAffinityTerm
+        			weight: int & >=1 & <=100
+        			// +usage=Specify a set of pods
+        			podAffinityTerm: #podAffinityTerm
+        		}]
+        	}
+        	// +usage=Specify the pod anti-affinity scheduling rules
+        	podAntiAffinity?: {
+        		// +usage=Specify the required during scheduling ignored during execution
+        		required?: [...#podAffinityTerm]
+        		// +usage=Specify the preferred during scheduling ignored during execution
+        		preferred?: [...{
+        			// +usage=Specify weight associated with matching the corresponding podAffinityTerm
+        			weight: int & >=1 & <=100
+        			// +usage=Specify a set of pods
+        			podAffinityTerm: #podAffinityTerm
+        		}]
+        	}
+        	// +usage=Specify the node affinity scheduling rules for the pod
+        	nodeAffinity?: {
+        		// +usage=Specify the required during scheduling ignored during execution
+        		required?: {
+        			// +usage=Specify a list of node selector
+        			nodeSelectorTerms: [...#nodeSelectorTerm]
+        		}
+        		// +usage=Specify the preferred during scheduling ignored during execution
+        		preferred?: [...{
+        			// +usage=Specify weight associated with matching the corresponding nodeSelector
+        			weight: int & >=1 & <=100
+        			// +usage=Specify a node selector
+        			preference: #nodeSelectorTerm
+        		}]
+        	}
+        	// +usage=Specify tolerant taint
+        	tolerations?: [...{
+        		key?:     string
+        		operator: *"Equal" | "Exists"
+        		value?:   string
+        		effect?:  "NoSchedule" | "PreferNoSchedule" | "NoExecute"
+        		// +usage=Specify the period of time the toleration
+        		tolerationSeconds?: int
+        	}]
+        }
+

charts/vela-minimal/templates/defwithtemplate/config-image-registry.yaml

@@ -20,6 +20,7 @@ spec:
         import (
         	"encoding/base64"
         	"encoding/json"
+        	"strconv"
         )
 
         output: {
@@ -42,21 +43,29 @@ spec:
         	if parameter.auth == _|_ {
         		type: "Opaque"
         	}
-        	if parameter.auth != _|_ {
-        		stringData: ".dockerconfigjson": json.Marshal({
-        			auths: "\(parameter.registry)": {
-        				username: parameter.auth.username
-        				password: parameter.auth.password
-        				if parameter.auth.email != _|_ {
-        					email: parameter.auth.email
+        	stringData: {
+        		if parameter.auth != _|_ && parameter.auth.username != _|_ {
+        			".dockerconfigjson": json.Marshal({
+        				auths: "\(parameter.registry)": {
+        					username: parameter.auth.username
+        					password: parameter.auth.password
+        					if parameter.auth.email != _|_ {
+        						email: parameter.auth.email
+        					}
+        					auth: base64.Encode(null, (parameter.auth.username + ":" + parameter.auth.password))
         				}
-        				auth: base64.Encode(null, (parameter.auth.username + ":" + parameter.auth.password))
-        			}
-        		})
+        			})
+        		}
+        		if parameter.insecure != _|_ {
+        			"insecure-skip-verify": strconv.FormatBool(parameter.insecure)
+        		}
+        		if parameter.useHTTP != _|_ {
+        			"protocol-use-http": strconv.FormatBool(parameter.useHTTP)
+        		}
         	}
         }
         parameter: {
-        	// +usage=Image registry FQDN
+        	// +usage=Image registry FQDN, such as: index.docker.io
         	registry: string
         	// +usage=Authenticate the image registry
         	auth?: {
@@ -67,6 +76,10 @@ spec:
         		// +usage=Private Image registry email
         		email?: string
         	}
+        	// +usage=For the registry server that uses the self-signed certificate
+        	insecure?: bool
+        	// +usage=For the registry server that uses the HTTP protocol
+        	useHTTP?: bool
         }
   workload:
     type: autodetects.core.oam.dev

charts/vela-minimal/templates/defwithtemplate/container-image.yaml

@@ -5,6 +5,8 @@ kind: TraitDefinition
 metadata:
   annotations:
     definition.oam.dev/description: Set the image of the container.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
   name: container-image
   namespace: {{ include "systemDefinitionNamespace" . }}
 spec:

charts/vela-minimal/templates/defwithtemplate/cron-task.yaml

@@ -196,14 +196,14 @@ spec:
         		// +usage=Specifies a source the value of this var should come from
         		valueFrom?: {
         			// +usage=Selects a key of a secret in the pod's namespace
-        			secretKeyRef: {
+        			secretKeyRef?: {
         				// +usage=The name of the secret in the pod's namespace to select from
         				name: string
         				// +usage=The key of the secret to select from. Must be a valid secret key
         				key: string
         			}
         			// +usage=Selects a key of a config map in the pod's namespace
-        			configMapKeyRef: {
+        			configMapKeyRef?: {
         				// +usage=The name of the config map in the pod's namespace to select from
         				name: string
         				// +usage=The key of the config map to select from. Must be a valid secret key

charts/vela-minimal/templates/defwithtemplate/env.yaml

@@ -62,7 +62,8 @@ spec:
         					}
         				}
         			}] + [ for k, v in _params.env if _delKeys[k] == _|_ && (_params.replace || _baseEnvMap[k] == _|_) {
-        				v
+        				name:  k
+        				value: v
         			}]
         		}
         	}

charts/vela-minimal/templates/defwithtemplate/init-container.yaml

@@ -43,7 +43,7 @@ spec:
         		volumeMounts: [{
         			name:      parameter.mountName
         			mountPath: parameter.initMountPath
-        		}]
+        		}] + parameter.extraVolumeMounts
         	}]
         	// +patchKey=name
         	volumes: [{
@@ -97,5 +97,13 @@ spec:
 
         	// +usage=Specify the mount path of init container
         	initMountPath: string
+
+        	// +usage=Specify the extra volume mounts for the init container
+        	extraVolumeMounts: [...{
+        		// +usage=The name of the volume to be mounted
+        		name: string
+        		// +usage=The mountPath for mount in the init container
+        		mountPath: string
+        	}]
         }
 

charts/vela-minimal/templates/defwithtemplate/json-merge-patch.yaml

@@ -5,6 +5,8 @@ kind: TraitDefinition
 metadata:
   annotations:
     definition.oam.dev/description: Patch the output following Json Merge Patch strategy, following RFC 7396.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
   name: json-merge-patch
   namespace: {{ include "systemDefinitionNamespace" . }}
 spec:

charts/vela-minimal/templates/defwithtemplate/json-patch.yaml

@@ -5,6 +5,8 @@ kind: TraitDefinition
 metadata:
   annotations:
     definition.oam.dev/description: Patch the output following Json Patch strategy, following RFC 6902.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
   name: json-patch
   namespace: {{ include "systemDefinitionNamespace" . }}
 spec:

charts/vela-minimal/templates/defwithtemplate/ref-objects.yaml

@@ -5,6 +5,8 @@ kind: ComponentDefinition
 metadata:
   annotations:
     definition.oam.dev/description: Ref-objects allow users to specify ref objects to use. Notice that this component type have special handle logic.
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
   name: ref-objects
   namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
@@ -12,12 +14,18 @@ spec:
     cue:
       template: |
         #K8sObject: {
-        	apiVersion: string
-        	kind:       string
-        	metadata: {
-        		name: string
-        		...
-        	}
+        	// +usage=The resource type for the Kubernetes objects
+        	resource?: string
+        	// +usage=The group name for the Kubernetes objects
+        	group?: string
+        	// +usage=If specified, fetch the Kubernetes objects with the name, exclusive to labelSelector
+        	name?: string
+        	// +usage=If specified, fetch the Kubernetes objects from the namespace. Otherwise, fetch from the application's namespace.
+        	namespace?: string
+        	// +usage=If specified, fetch the Kubernetes objects from the cluster. Otherwise, fetch from the local cluster.
+        	cluster?: string
+        	// +usage=If specified, fetch the Kubernetes objects according to the label selector, exclusive to name
+        	labelSelector?: [string]: string
         	...
         }
         output: parameter.objects[0]
@@ -28,7 +36,12 @@ spec:
         		}
         	}
         }
-        parameter: objects: [...#K8sObject]
+        parameter: {
+        	// +usage=If specified, application will fetch native Kubernetes objects according to the object description
+        	objects?: [...#K8sObject]
+        	// +usage=If specified, the objects in the urls will be loaded.
+        	urls?: [...string]
+        }
   status:
     customStatus: |-
       if context.output.apiVersion == "apps/v1" && context.output.kind == "Deployment" {

charts/vela-minimal/templates/defwithtemplate/service-account.yaml

@@ -14,10 +14,114 @@ spec:
   schematic:
     cue:
       template: |
+        #Privileges: {
+        	// +usage=Specify the verbs to be allowed for the resource
+        	verbs: [...string]
+        	// +usage=Specify the apiGroups of the resource
+        	apiGroups?: [...string]
+        	// +usage=Specify the resources to be allowed
+        	resources?: [...string]
+        	// +usage=Specify the resourceNames to be allowed
+        	resourceNames?: [...string]
+        	// +usage=Specify the resource url to be allowed
+        	nonResourceURLs?: [...string]
+        	// +usage=Specify the scope of the privileges, default to be namespace scope
+        	scope: *"namespace" | "cluster"
+        }
         parameter: {
         	// +usage=Specify the name of ServiceAccount
         	name: string
+        	// +usage=Specify whether to create new ServiceAccount or not
+        	create: *false | bool
+        	// +usage=Specify the privileges of the ServiceAccount, if not empty, RoleBindings(ClusterRoleBindings) will be created
+        	privileges?: [...#Privileges]
         }
         // +patchStrategy=retainKeys
         patch: spec: template: spec: serviceAccountName: parameter.name
+        _clusterPrivileges: [ for p in parameter.privileges if p.scope == "cluster" {p}]
+        _namespacePrivileges: [ for p in parameter.privileges if p.scope == "namespace" {p}]
+        outputs: {
+        	if parameter.create {
+        		"service-account": {
+        			apiVersion: "v1"
+        			kind:       "ServiceAccount"
+        			metadata: name: parameter.name
+        		}
+        	}
+        	if parameter.privileges != _|_ {
+        		if len(_clusterPrivileges) > 0 {
+        			"cluster-role": {
+        				apiVersion: "rbac.authorization.k8s.io/v1"
+        				kind:       "ClusterRole"
+        				metadata: name: "\(context.namespace):\(parameter.name)"
+        				rules: [ for p in _clusterPrivileges {
+        					verbs: p.verbs
+        					if p.apiGroups != _|_ {
+        						apiGroups: p.apiGroups
+        					}
+        					if p.resources != _|_ {
+        						resources: p.resources
+        					}
+        					if p.resourceNames != _|_ {
+        						resourceNames: p.resourceNames
+        					}
+        					if p.nonResourceURLs != _|_ {
+        						nonResourceURLs: p.nonResourceURLs
+        					}
+        				}]
+        			}
+        			"cluster-role-binding": {
+        				apiVersion: "rbac.authorization.k8s.io/v1"
+        				kind:       "ClusterRoleBinding"
+        				metadata: name: "\(context.namespace):\(parameter.name)"
+        				roleRef: {
+        					apiGroup: "rbac.authorization.k8s.io"
+        					kind:     "ClusterRole"
+        					name:     "\(context.namespace):\(parameter.name)"
+        				}
+        				subjects: [{
+        					kind:      "ServiceAccount"
+        					name:      parameter.name
+        					namespace: "\(context.namespace)"
+        				}]
+        			}
+        		}
+        		if len(_namespacePrivileges) > 0 {
+        			role: {
+        				apiVersion: "rbac.authorization.k8s.io/v1"
+        				kind:       "Role"
+        				metadata: name: parameter.name
+        				rules: [ for p in _namespacePrivileges {
+        					verbs: p.verbs
+        					if p.apiGroups != _|_ {
+        						apiGroups: p.apiGroups
+        					}
+        					if p.resources != _|_ {
+        						resources: p.resources
+        					}
+        					if p.resourceNames != _|_ {
+        						resourceNames: p.resourceNames
+        					}
+        					if p.nonResourceURLs != _|_ {
+        						nonResourceURLs: p.nonResourceURLs
+        					}
+        				}]
+        			}
+        			"role-binding": {
+        				apiVersion: "rbac.authorization.k8s.io/v1"
+        				kind:       "RoleBinding"
+        				metadata: name: parameter.name
+        				roleRef: {
+        					apiGroup: "rbac.authorization.k8s.io"
+        					kind:     "Role"
+        					name:     parameter.name
+        				}
+        				subjects: [{
+        					kind: "ServiceAccount"
+        					name: parameter.name
+        				}]
+        			}
+        		}
+        	}
+        }
 

charts/vela-minimal/templates/defwithtemplate/sidecar.yaml

@@ -82,6 +82,11 @@ spec:
         				// +usage=The key of the config map to select from. Must be a valid secret key
         				key: string
         			}
+        			// +usage=Specify the field reference for env
+        			fieldRef?: {
+        				// +usage=Specify the field path for env
+        				fieldPath: string
+        			}
         		}
         	}]
 

charts/vela-minimal/templates/defwithtemplate/step-group.yaml

@@ -5,6 +5,8 @@ kind: WorkflowStepDefinition
 metadata:
   annotations:
     definition.oam.dev/description: step group
+  labels:
+    custom.definition.oam.dev/ui-hidden: "true"
   name: step-group
   namespace: {{ include "systemDefinitionNamespace" . }}
 spec:

charts/vela-minimal/templates/defwithtemplate/storage.yaml

@@ -64,6 +64,9 @@ spec:
         			{
         				name:      "pvc-" + v.name
         				mountPath: v.mountPath
+        				if v.subPath != _|_ {
+        					subPath: v.subPath
+        				}
         			}
         		}
         	},
@@ -73,6 +76,9 @@ spec:
         		{
         			name:      "configmap-" + v.name
         			mountPath: v.mountPath
+        			if v.subPath != _|_ {
+        				subPath: v.subPath
+        			}
         		}
         	},
         ] | []
@@ -103,6 +109,9 @@ spec:
         		{
         			name:      "secret-" + v.name
         			mountPath: v.mountPath
+        			if v.subPath != _|_ {
+        				subPath: v.subPath
+        			}
         		}
         	},
         ] | []
@@ -133,6 +142,9 @@ spec:
         		{
         			name:      "emptydir-" + v.name
         			mountPath: v.mountPath
+        			if v.subPath != _|_ {
+        				subPath: v.subPath
+        			}
         		}
         	},
         ] | []
@@ -141,12 +153,28 @@ spec:
         		{
         			name:       "pvc-" + v.name
         			devicePath: v.mountPath
+        			if v.subPath != _|_ {
+        				subPath: v.subPath
+        			}
         		}
         	},
         ] | []
+        volumesList: pvcVolumesList + configMapVolumesList + secretVolumesList + emptyDirVolumesList
+        deDupVolumesArray: [
+        	for val in [
+        		for i, vi in volumesList {
+        			for j, vj in volumesList if j < i && vi.name == vj.name {
+        				_ignore: true
+        			}
+        			vi
+        		},
+        	] if val._ignore == _|_ {
+        		val
+        	},
+        ]
         patch: spec: template: spec: {
         	// +patchKey=name
-        	volumes: pvcVolumesList + configMapVolumesList + secretVolumesList + emptyDirVolumesList
+        	volumes: deDupVolumesArray
 
         	containers: [{
         		// +patchKey=name
@@ -234,6 +262,7 @@ spec:
         		name:              string
         		mountOnly:         *false | bool
         		mountPath:         string
+        		subPath?:          string
         		volumeMode:        *"Filesystem" | string
         		volumeName?:       string
         		accessModes:       *["ReadWriteOnce"] | [...string]
@@ -275,6 +304,7 @@ spec:
         			configMapKey: string
         		}]
         		mountPath?:  string
+        		subPath?:    string
         		defaultMode: *420 | int
         		readOnly:    *false | bool
         		data?: {...}
@@ -298,6 +328,7 @@ spec:
         			secretKey: string
         		}]
         		mountPath?:  string
+        		subPath?:    string
         		defaultMode: *420 | int
         		readOnly:    *false | bool
         		stringData?: {...}
@@ -313,6 +344,7 @@ spec:
         	emptyDir?: [...{
         		name:      string
         		mountPath: string
+        		subPath?:  string
         		medium:    *"" | "Memory"
         	}]
         }

charts/vela-minimal/templates/defwithtemplate/task.yaml

@@ -149,14 +149,14 @@ spec:
         		// +usage=Specifies a source the value of this var should come from
         		valueFrom?: {
         			// +usage=Selects a key of a secret in the pod's namespace
-        			secretKeyRef: {
+        			secretKeyRef?: {
         				// +usage=The name of the secret in the pod's namespace to select from
         				name: string
         				// +usage=The key of the secret to select from. Must be a valid secret key
         				key: string
         			}
         			// +usage=Selects a key of a config map in the pod's namespace
-        			configMapKeyRef: {
+        			configMapKeyRef?: {
         				// +usage=The name of the config map in the pod's namespace to select from
         				name: string
         				// +usage=The key of the config map to select from. Must be a valid secret key

charts/vela-minimal/templates/defwithtemplate/webservice.yaml

@@ -20,7 +20,10 @@ spec:
         		for v in parameter.volumeMounts.pvc {
         			{
         				mountPath: v.mountPath
-        				name:      v.name
+        				if v.subPath != _|_ {
+        					subPath: v.subPath
+        				}
+        				name: v.name
         			}
         		},
         	] | []
@@ -29,7 +32,10 @@ spec:
         			for v in parameter.volumeMounts.configMap {
         			{
         				mountPath: v.mountPath
-        				name:      v.name
+        				if v.subPath != _|_ {
+        					subPath: v.subPath
+        				}
+        				name: v.name
         			}
         		},
         	] | []
@@ -38,7 +44,10 @@ spec:
         		for v in parameter.volumeMounts.secret {
         			{
         				mountPath: v.mountPath
-        				name:      v.name
+        				if v.subPath != _|_ {
+        					subPath: v.subPath
+        				}
+        				name: v.name
         			}
         		},
         	] | []
@@ -47,7 +56,10 @@ spec:
         			for v in parameter.volumeMounts.emptyDir {
         			{
         				mountPath: v.mountPath
-        				name:      v.name
+        				if v.subPath != _|_ {
+        					subPath: v.subPath
+        				}
+        				name: v.name
         			}
         		},
         	] | []
@@ -56,7 +68,10 @@ spec:
         			for v in parameter.volumeMounts.hostPath {
         			{
         				mountPath: v.mountPath
-        				name:      v.name
+        				if v.subPath != _|_ {
+        					subPath: v.subPath
+        				}
+        				name: v.name
         			}
         		},
         	] | []
@@ -119,6 +134,19 @@ spec:
         		},
         	] | []
         }
+        volumesList: volumesArray.pvc + volumesArray.configMap + volumesArray.secret + volumesArray.emptyDir + volumesArray.hostPath
+        deDupVolumesArray: [
+        	for val in [
+        		for i, vi in volumesList {
+        			for j, vj in volumesList if j < i && vi.name == vj.name {
+        				_ignore: true
+        			}
+        			vi
+        		},
+        	] if val._ignore == _|_ {
+        		val
+        	},
+        ]
         output: {
         	apiVersion: "apps/v1"
         	kind:       "Deployment"
@@ -262,7 +290,7 @@ spec:
         				}
 
         				if parameter["volumeMounts"] != _|_ {
-        					volumes: volumesArray.pvc + volumesArray.configMap + volumesArray.secret + volumesArray.emptyDir + volumesArray.hostPath
+        					volumes: deDupVolumesArray
         				}
         			}
         		}
@@ -375,6 +403,7 @@ spec:
         		pvc?: [...{
         			name:      string
         			mountPath: string
+        			subPath?:  string
         			// +usage=The name of the PVC
         			claimName: string
         		}]
@@ -382,6 +411,7 @@ spec:
         		configMap?: [...{
         			name:        string
         			mountPath:   string
+        			subPath?:    string
         			defaultMode: *420 | int
         			cmName:      string
         			items?: [...{
@@ -394,6 +424,7 @@ spec:
         		secret?: [...{
         			name:        string
         			mountPath:   string
+        			subPath?:    string
         			defaultMode: *420 | int
         			secretName:  string
         			items?: [...{
@@ -406,12 +437,14 @@ spec:
         		emptyDir?: [...{
         			name:      string
         			mountPath: string
+        			subPath?:  string
         			medium:    *"" | "Memory"
         		}]
         		// +usage=Mount HostPath type volume
         		hostPath?: [...{
         			name:      string
         			mountPath: string
+        			subPath?:  string
         			path:      string
         		}]
         	}

charts/vela-minimal/templates/kubevela-controller.yaml

@@ -15,6 +15,7 @@ metadata:
 
 ---
 
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -22,14 +23,53 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: "cluster-admin"
+  name: {{ if .Values.authentication.enabled }} {{ include "kubevela.fullname" . }}:manager {{ else }} "cluster-admin" {{ end }}
 subjects:
   - kind: ServiceAccount
     name: {{ include "kubevela.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
-  - kind: Group
-    name: core.oam.dev
-    apiGroup: rbac.authorization.k8s.io
+
+{{ if .Values.authentication.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "kubevela.fullname" . }}:manager
+rules:
+  - apiGroups: ["core.oam.dev", "terraform.core.oam.dev", "prism.oam.dev"]
+    resources: ["*"]
+    verbs: ["*"]
+  - apiGroups: ["cluster.open-cluster-management.io"]
+    resources: ["managedclusters"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["users", "groups", "serviceaccounts"]
+    verbs: ["impersonate"]
+  - apiGroups: [""]
+    resources: ["namespaces", "secrets", "services"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: [""]
+    resources: ["configmaps", "events"]
+    verbs: ["*"]
+  - apiGroups: ["apps"]
+    resources: ["controllerrevisions"]
+    verbs: ["*"]
+  - apiGroups: ["apiregistration.k8s.io"]
+    resources: ["apiservices"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["*"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["flowcontrol.apiserver.k8s.io"]
+    resources: ["prioritylevelconfigurations", "flowschemas"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["*"]
+{{ end }}
 
 ---
 # permissions to do leader election.
@@ -85,6 +125,7 @@ metadata:
   name: {{ include "kubevela.fullname" . }}
   namespace: {{ .Release.Namespace }}
   labels:
+    controller.oam.dev/name: vela-core
   {{- include "kubevela.labels" . | nindent 4 }}
 spec:
   replicas: {{ .Values.replicaCount }}
@@ -145,6 +186,7 @@ spec:
             - "--max-workflow-wait-backoff-time={{ .Values.workflow.backoff.maxTime.waitState }}"
             - "--max-workflow-failed-backoff-time={{ .Values.workflow.backoff.maxTime.failedState }}"
             - "--max-workflow-step-error-retry-times={{ .Values.workflow.step.errorRetryTimes }}"
+            - "--feature-gates=EnableSuspendOnFailure={{- .Values.workflow.enableSuspendOnFailure | toString -}}"
             - "--feature-gates=AuthenticateApplication={{- .Values.authentication.enabled | toString -}}"
             {{ if .Values.authentication.enabled }}
             {{ if .Values.authentication.withUser }}

charts/vela-minimal/values.yaml

@@ -38,10 +38,12 @@ dependCheckWait: 30s
 
 ## @section KubeVela workflow parameters
 
+## @param workflow.enableSuspendOnFailure Enable suspend on workflow failure
 ## @param workflow.backoff.maxTime.waitState The max backoff time of workflow in a wait condition
 ## @param workflow.backoff.maxTime.failedState The max backoff time of workflow in a failed condition
 ## @param workflow.step.errorRetryTimes The max retry times of a failed workflow step
 workflow:
+  enableSuspendOnFailure: false
   backoff:
     maxTime:
       waitState: 60
@@ -107,7 +109,7 @@ multicluster:
     port: 9443
     image:
       repository: oamdev/cluster-gateway
-      tag: v1.3.2
+      tag: v1.4.0
       pullPolicy: IfNotPresent
     resources:
       limits:
@@ -201,7 +203,7 @@ admissionWebhooks:
     enabled: true
     image:
       repository: oamdev/kube-webhook-certgen
-      tag: v2.4.0
+      tag: v2.4.1
       pullPolicy: IfNotPresent
     nodeSelector: {}
     affinity: {}

cmd/apiserver/main.go

@@ -19,7 +19,6 @@ package main
 import (
 	"context"
 	"encoding/json"
-	"flag"
 	"fmt"
 	"os"
 	"os/signal"
@@ -29,10 +28,12 @@ import (
 	restfulspec "github.com/emicklei/go-restful-openapi/v2"
 	"github.com/go-openapi/spec"
 	"github.com/google/uuid"
+	flag "github.com/spf13/pflag"
 
 	"github.com/oam-dev/kubevela/pkg/apiserver"
 	"github.com/oam-dev/kubevela/pkg/apiserver/config"
 	"github.com/oam-dev/kubevela/pkg/apiserver/utils/log"
+	"github.com/oam-dev/kubevela/pkg/features"
 	"github.com/oam-dev/kubevela/version"
 )
 
@@ -50,7 +51,7 @@ func main() {
 	flag.BoolVar(&s.serverConfig.DisableStatisticCronJob, "disable-statistic-cronJob", false, "close the system statistic info calculating cronJob")
 	flag.Float64Var(&s.serverConfig.KubeQPS, "kube-api-qps", 100, "the qps for kube clients. Low qps may lead to low throughput. High qps may give stress to api-server.")
 	flag.IntVar(&s.serverConfig.KubeBurst, "kube-api-burst", 300, "the burst for kube clients. Recommend setting it qps*3.")
-
+	features.APIServerMutableFeatureGate.AddFlag(flag.CommandLine)
 	flag.Parse()
 
 	if len(os.Args) > 2 && os.Args[1] == "build-swagger" {
@@ -109,19 +110,13 @@ type Server struct {
 func (s *Server) run(ctx context.Context, errChan chan error) error {
 	log.Logger.Infof("KubeVela information: version: %v, gitRevision: %v", version.VelaVersion, version.GitRevision)
 
-	server, err := apiserver.New(s.serverConfig)
-	if err != nil {
-		return fmt.Errorf("create apiserver failed : %w ", err)
-	}
+	server := apiserver.New(s.serverConfig)
 
 	return server.Run(ctx, errChan)
 }
 
 func (s *Server) buildSwagger() (*spec.Swagger, error) {
-	server, err := apiserver.New(s.serverConfig)
-	if err != nil {
-		return nil, err
-	}
+	server := apiserver.New(s.serverConfig)
 	config, err := server.BuildRestfulConfig()
 	if err != nil {
 		return nil, err

cmd/core/main.go

@@ -36,7 +36,6 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 
-	apicommon "github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/apis/types"
 	"github.com/oam-dev/kubevela/pkg/auth"
 	ctrlClient "github.com/oam-dev/kubevela/pkg/client"
@@ -46,13 +45,11 @@ import (
 	oamv1alpha2 "github.com/oam-dev/kubevela/pkg/controller/core.oam.dev/v1alpha2"
 	"github.com/oam-dev/kubevela/pkg/controller/utils"
 	"github.com/oam-dev/kubevela/pkg/cue/packages"
-	"github.com/oam-dev/kubevela/pkg/features"
 	_ "github.com/oam-dev/kubevela/pkg/monitor/metrics"
 	"github.com/oam-dev/kubevela/pkg/multicluster"
 	"github.com/oam-dev/kubevela/pkg/oam"
 	"github.com/oam-dev/kubevela/pkg/oam/discoverymapper"
 	"github.com/oam-dev/kubevela/pkg/resourcekeeper"
-	pkgutils "github.com/oam-dev/kubevela/pkg/utils"
 	"github.com/oam-dev/kubevela/pkg/utils/common"
 	"github.com/oam-dev/kubevela/pkg/utils/system"
 	"github.com/oam-dev/kubevela/pkg/utils/util"
@@ -205,18 +202,10 @@ func main() {
 	restConfig.QPS = float32(qps)
 	restConfig.Burst = burst
 	restConfig.Wrap(auth.NewImpersonatingRoundTripper)
-	if utilfeature.DefaultMutableFeatureGate.Enabled(features.ControllerAutoImpersonation) {
-		restConfig.Impersonate.UserName = types.VelaCoreName
-		restConfig.Impersonate.Groups = []string{apicommon.Group}
-		pkgutils.AutoSetSelfImpersonationInConfig(restConfig)
-	}
 	klog.InfoS("Kubernetes Config Loaded",
 		"UserAgent", restConfig.UserAgent,
 		"QPS", restConfig.QPS,
 		"Burst", restConfig.Burst,
-		"Auto-Impersonation", utilfeature.DefaultMutableFeatureGate.Enabled(features.ControllerAutoImpersonation),
-		"Impersonate-User", restConfig.Impersonate.UserName,
-		"Impersonate-Group", strings.Join(restConfig.Impersonate.Groups, ","),
 	)
 
 	// wrapper the round tripper by multi cluster rewriter

docs/apidoc/swagger.json

@@ -3910,7 +3910,7 @@
 				"parameters": [
 					{
 						"type": "string",
-						"description": "identifier of the application ",
+						"description": "identifier of the environment",
 						"name": "envName",
 						"in": "path",
 						"required": true
@@ -3950,7 +3950,7 @@
 				"parameters": [
 					{
 						"type": "string",
-						"description": "identifier of the application ",
+						"description": "identifier of the environment",
 						"name": "envName",
 						"in": "path",
 						"required": true
@@ -4013,7 +4013,7 @@
 				"tags": [
 					"rbac"
 				],
-				"summary": "list all project level perm policies",
+				"summary": "list all platform level perm policies",
 				"operationId": "listPlatformPermissions",
 				"responses": {
 					"200": {
@@ -4026,6 +4026,73 @@
 						}
 					}
 				}
+			},
+			"post": {
+				"consumes": [
+					"application/xml",
+					"application/json"
+				],
+				"produces": [
+					"application/json",
+					"application/xml"
+				],
+				"tags": [
+					"rbac"
+				],
+				"summary": "create the platform perm policy",
+				"operationId": "createPlatformPermission",
+				"parameters": [
+					{
+						"name": "body",
+						"in": "body",
+						"required": true,
+						"schema": {
+							"$ref": "#/definitions/v1.CreatePermissionRequest"
+						}
+					}
+				],
+				"responses": {
+					"200": {
+						"description": "OK",
+						"schema": {
+							"$ref": "#/definitions/v1.PermissionBase"
+						}
+					}
+				}
+			}
+		},
+		"/api/v1/permissions/{permissionName}": {
+			"delete": {
+				"consumes": [
+					"application/xml",
+					"application/json"
+				],
+				"produces": [
+					"application/json",
+					"application/xml"
+				],
+				"tags": [
+					"rbac"
+				],
+				"summary": "delete a platform perm policy",
+				"operationId": "deletePlatformPermission",
+				"parameters": [
+					{
+						"type": "string",
+						"description": "identifier of the permission",
+						"name": "permissionName",
+						"in": "path",
+						"required": true
+					}
+				],
+				"responses": {
+					"200": {
+						"description": "OK",
+						"schema": {
+							"$ref": "#/definitions/v1.EmptyResponse"
+						}
+					}
+				}
 			}
 		},
 		"/api/v1/projects": {
@@ -4276,6 +4343,85 @@
 						}
 					}
 				}
+			},
+			"post": {
+				"consumes": [
+					"application/xml",
+					"application/json"
+				],
+				"produces": [
+					"application/json",
+					"application/xml"
+				],
+				"tags": [
+					"project"
+				],
+				"summary": "create a project level perm policy",
+				"operationId": "createProjectPermission",
+				"parameters": [
+					{
+						"type": "string",
+						"description": "identifier of the project",
+						"name": "projectName",
+						"in": "path",
+						"required": true
+					}
+				],
+				"responses": {
+					"200": {
+						"description": "OK",
+						"schema": {
+							"type": "array",
+							"items": {
+								"$ref": "#/definitions/v1.PermissionBase"
+							}
+						}
+					}
+				}
+			}
+		},
+		"/api/v1/projects/{projectName}/permissions/{permissionName}": {
+			"delete": {
+				"consumes": [
+					"application/xml",
+					"application/json"
+				],
+				"produces": [
+					"application/json",
+					"application/xml"
+				],
+				"tags": [
+					"project"
+				],
+				"summary": "delete a project level perm policy",
+				"operationId": "deleteProjectPermission",
+				"parameters": [
+					{
+						"type": "string",
+						"description": "identifier of the project",
+						"name": "projectName",
+						"in": "path",
+						"required": true
+					},
+					{
+						"type": "string",
+						"description": "identifier of the permission",
+						"name": "permissionName",
+						"in": "path",
+						"required": true
+					}
+				],
+				"responses": {
+					"200": {
+						"description": "OK",
+						"schema": {
+							"type": "array",
+							"items": {
+								"$ref": "#/definitions/v1.PermissionBase"
+							}
+						}
+					}
+				}
 			}
 		},
 		"/api/v1/projects/{projectName}/roles": {
@@ -4990,6 +5136,13 @@
 				"summary": "update platform level role",
 				"operationId": "updatePlatformRole",
 				"parameters": [
+					{
+						"type": "string",
+						"description": "identifier of the role",
+						"name": "roleName",
+						"in": "path",
+						"required": true
+					},
 					{
 						"name": "body",
 						"in": "body",
@@ -5022,6 +5175,15 @@
 				],
 				"summary": "update platform level role",
 				"operationId": "deletePlatformRole",
+				"parameters": [
+					{
+						"type": "string",
+						"description": "identifier of the role",
+						"name": "roleName",
+						"in": "path",
+						"required": true
+					}
+				],
 				"responses": {
 					"200": {
 						"description": "OK",
@@ -6456,20 +6618,34 @@
 				}
 			}
 		},
-		"common.SubStepsStatus": {
+		"common.StepStatus": {
+			"required": [
+				"id"
+			],
 			"properties": {
-				"mode": {
+				"firstExecuteTime": {
 					"type": "string"
 				},
-				"stepIndex": {
-					"type": "integer",
-					"format": "int32"
+				"id": {
+					"type": "string"
 				},
-				"steps": {
-					"type": "array",
-					"items": {
-						"$ref": "#/definitions/common.WorkflowSubStepStatus"
-					}
+				"lastExecuteTime": {
+					"type": "string"
+				},
+				"message": {
+					"type": "string"
+				},
+				"name": {
+					"type": "string"
+				},
+				"phase": {
+					"type": "string"
+				},
+				"reason": {
+					"type": "string"
+				},
+				"type": {
+					"type": "string"
 				}
 			}
 		},
@@ -6571,7 +6747,45 @@
 					"type": "string"
 				},
 				"subSteps": {
-					"$ref": "#/definitions/common.SubStepsStatus"
+					"type": "array",
+					"items": {
+						"$ref": "#/definitions/common.WorkflowSubStepStatus"
+					}
+				},
+				"type": {
+					"type": "string"
+				}
+			}
+		},
+		"common.WorkflowSubStep": {
+			"required": [
+				"name",
+				"type"
+			],
+			"properties": {
+				"dependsOn": {
+					"type": "array",
+					"items": {
+						"type": "string"
+					}
+				},
+				"inputs": {
+					"type": "array",
+					"items": {
+						"$ref": "#/definitions/common.inputItem"
+					}
+				},
+				"name": {
+					"type": "string"
+				},
+				"outputs": {
+					"type": "array",
+					"items": {
+						"$ref": "#/definitions/common.outputItem"
+					}
+				},
+				"properties": {
+					"type": "string"
 				},
 				"type": {
 					"type": "string"
@@ -6583,9 +6797,15 @@
 				"id"
 			],
 			"properties": {
+				"firstExecuteTime": {
+					"type": "string"
+				},
 				"id": {
 					"type": "string"
 				},
+				"lastExecuteTime": {
+					"type": "string"
+				},
 				"message": {
 					"type": "string"
 				},
@@ -6897,8 +7117,8 @@
 		},
 		"model.Cluster": {
 			"required": [
-				"createTime",
 				"updateTime",
+				"createTime",
 				"name",
 				"alias",
 				"description",
@@ -7449,8 +7669,8 @@
 		},
 		"v1.AddonStatusResponse": {
 			"required": [
-				"name",
 				"phase",
+				"name",
 				"args"
 			],
 			"properties": {
@@ -7606,12 +7826,12 @@
 		},
 		"v1.ApplicationDeployResponse": {
 			"required": [
+				"status",
 				"note",
-				"envName",
 				"triggerType",
 				"createTime",
 				"version",
-				"status"
+				"envName"
 			],
 			"properties": {
 				"codeInfo": {
@@ -8580,6 +8800,38 @@
 				}
 			}
 		},
+		"v1.CreatePermissionRequest": {
+			"required": [
+				"name",
+				"alias",
+				"resources",
+				"actions",
+				"effect"
+			],
+			"properties": {
+				"actions": {
+					"type": "array",
+					"items": {
+						"type": "string"
+					}
+				},
+				"alias": {
+					"type": "string"
+				},
+				"effect": {
+					"type": "string"
+				},
+				"name": {
+					"type": "string"
+				},
+				"resources": {
+					"type": "array",
+					"items": {
+						"type": "string"
+					}
+				}
+			}
+		},
 		"v1.CreatePolicyRequest": {
 			"required": [
 				"name",
@@ -8776,11 +9028,11 @@
 		},
 		"v1.DetailAddonResponse": {
 			"required": [
-				"name",
-				"version",
-				"description",
-				"icon",
 				"invisible",
+				"name",
+				"description",
+				"version",
+				"icon",
 				"schema",
 				"uiSchema",
 				"definitions",
@@ -8860,13 +9112,13 @@
 		},
 		"v1.DetailApplicationResponse": {
 			"required": [
+				"name",
 				"project",
 				"description",
-				"createTime",
 				"icon",
 				"alias",
+				"createTime",
 				"updateTime",
-				"name",
 				"policies",
 				"envBindings",
 				"resourceInfo"
@@ -8923,20 +9175,20 @@
 		},
 		"v1.DetailClusterResponse": {
 			"required": [
-				"kubeConfig",
 				"name",
 				"description",
-				"apiServerURL",
+				"createTime",
+				"icon",
 				"status",
 				"reason",
-				"icon",
 				"provider",
-				"kubeConfigSecret",
-				"labels",
-				"dashboardURL",
-				"createTime",
-				"updateTime",
+				"apiServerURL",
 				"alias",
+				"dashboardURL",
+				"updateTime",
+				"labels",
+				"kubeConfig",
+				"kubeConfigSecret",
 				"resourceInfo"
 			],
 			"properties": {
@@ -8994,14 +9246,14 @@
 		},
 		"v1.DetailComponentResponse": {
 			"required": [
+				"creator",
+				"appPrimaryKey",
 				"alias",
-				"updateTime",
-				"name",
 				"type",
 				"main",
 				"createTime",
-				"appPrimaryKey",
-				"creator",
+				"updateTime",
+				"name",
 				"definition"
 			],
 			"properties": {
@@ -9089,11 +9341,11 @@
 		},
 		"v1.DetailDefinitionResponse": {
 			"required": [
-				"name",
-				"status",
-				"labels",
 				"alias",
 				"description",
+				"status",
+				"labels",
+				"name",
 				"icon",
 				"schema",
 				"uiSchema"
@@ -9148,14 +9400,14 @@
 		},
 		"v1.DetailPolicyResponse": {
 			"required": [
-				"creator",
-				"properties",
 				"createTime",
 				"updateTime",
 				"envName",
 				"name",
 				"type",
-				"description"
+				"description",
+				"creator",
+				"properties"
 			],
 			"properties": {
 				"createTime": {
@@ -9188,16 +9440,16 @@
 		},
 		"v1.DetailRevisionResponse": {
 			"required": [
-				"updateTime",
-				"note",
-				"triggerType",
-				"reason",
-				"envName",
 				"createTime",
-				"deployUser",
+				"updateTime",
+				"reason",
 				"appPrimaryKey",
 				"version",
 				"status",
+				"envName",
+				"deployUser",
+				"note",
+				"triggerType",
 				"workflowName"
 			],
 			"properties": {
@@ -9252,10 +9504,10 @@
 		},
 		"v1.DetailTargetResponse": {
 			"required": [
-				"name",
 				"createTime",
+				"updateTime",
 				"project",
-				"updateTime"
+				"name"
 			],
 			"properties": {
 				"alias": {
@@ -9295,11 +9547,11 @@
 		},
 		"v1.DetailUserResponse": {
 			"required": [
+				"disabled",
 				"createTime",
 				"lastLoginTime",
 				"name",
 				"email",
-				"disabled",
 				"projects",
 				"roles"
 			],
@@ -9340,12 +9592,12 @@
 		},
 		"v1.DetailWorkflowRecordResponse": {
 			"required": [
-				"namespace",
-				"workflowName",
-				"workflowAlias",
 				"applicationRevision",
 				"status",
 				"name",
+				"namespace",
+				"workflowName",
+				"workflowAlias",
 				"deployTime",
 				"deployUser",
 				"note",
@@ -9397,14 +9649,14 @@
 		},
 		"v1.DetailWorkflowResponse": {
 			"required": [
-				"createTime",
 				"alias",
-				"description",
 				"enable",
-				"updateTime",
+				"createTime",
 				"name",
 				"default",
-				"envName"
+				"envName",
+				"updateTime",
+				"description"
 			],
 			"properties": {
 				"alias": {
@@ -9599,8 +9851,8 @@
 		},
 		"v1.EnvBindingTarget": {
 			"required": [
-				"name",
-				"alias"
+				"alias",
+				"name"
 			],
 			"properties": {
 				"alias": {
@@ -9983,11 +10235,11 @@
 		},
 		"v1.LoginUserInfoResponse": {
 			"required": [
+				"createTime",
 				"lastLoginTime",
 				"name",
 				"email",
 				"disabled",
-				"createTime",
 				"projects",
 				"platformPermissions",
 				"projectPermissions"
@@ -10992,6 +11244,12 @@
 				"properties": {
 					"type": "string"
 				},
+				"subSteps": {
+					"type": "array",
+					"items": {
+						"$ref": "#/definitions/common.WorkflowSubStep"
+					}
+				},
 				"type": {
 					"type": "string"
 				}
@@ -11006,22 +11264,6 @@
 					"$ref": "#/definitions/common.Schematic"
 				}
 			}
-		},
-		"v1beta2.BaseConfigurationSpec": {
-			"properties": {
-				"customRegion": {
-					"type": "string"
-				},
-				"deleteResource": {
-					"type": "boolean"
-				},
-				"providerRef": {
-					"$ref": "#/definitions/types.Reference"
-				},
-				"writeConnectionSecretToRef": {
-					"$ref": "#/definitions/types.SecretReference"
-				}
-			}
 		}
 	}
 }

docs/examples/app-with-policy/gc-policy/reverse-dependency.md

@@ -1,6 +1,6 @@
 # How to garbage collect resources in the order of dependency
 
-If you want to garbage collect resources in the order of dependency, you can add `order: dependency` in the `garbage-collect` policy.
+If you want to garbage collect resources in the order of reverse dependency, you can add `order: dependency` in the `garbage-collect` policy.
 
 > Notice that this order policy is only valid for the resources that are created in the components.
 
@@ -8,7 +8,7 @@ In the following example, component `test1` depends on `test2`, and `test2` need
 
 So the order of deployment is: `test3 -> test2 -> test1`.
 
-When we add `order: dependency` in `garbage-collect` policy and delete the application, the order of garbage collect is: `test3 -> test2 -> test1`.
+When we add `order: dependency` in `garbage-collect` policy and delete the application, the order of garbage collect is: `test1 -> test2 -> test3`.
 
 ```yaml
 apiVersion: core.oam.dev/v1beta1

docs/examples/core-definitions/component/webservice.yaml

@@ -25,3 +25,7 @@ spec:
             - name: my-mount
               mountPath: /test
               claimName: myclaim
+            - name: my-mount
+              mountPath: /test2
+              subPath: /sub
+              claimName: myclaim

docs/examples/core-definitions/trait/storage.yaml

@@ -16,8 +16,9 @@ spec:
             pvc:
               - name: test1
                 mountPath: /test/mount/pvc
-              - name: test2
+              - name: test1
                 mountPath: /test/mount2/pvc
+                subPath: /sub
             configMap:
               - name: test1
                 mountPath: /test/mount/cm

docs/examples/traits/affinity/example.yaml

@@ -0,0 +1,27 @@
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: busybox
+spec:
+  components:
+    - name: busybox
+      type: webservice
+      properties:
+        image: busybox
+        cmd: ["sleep", "86400"]
+        labels:
+          label-key: label-value
+          to-delete-label-key: to-delete-label-value
+      traits:
+        - type: affinity
+          properties:
+            podAffinity:
+              preferred:
+                - weight: 1
+                  podAffinityTerm:
+                    labelSelector:
+                      matchExpressions:
+                        - key: "secrity"
+                          values: ["S1"]
+                    namespaces: ["default"]
+                    topologyKey: "kubernetes.io/hostname"

docs/examples/workflow/step-group/README.md

@@ -0,0 +1,23 @@
+# Step Group
+
+## How to start
+
+Edit a yaml file as `example.yaml`, then execute it with `vela up` command.
+
+## Parameter Introduction
+
+`step-group` has a `subSteps` parameter which is an array containing any step type whose valid parameters do not include the `step-group` step type itself.
+
+`step-group` doesn't support `properties` for now.
+
+## Execute process
+
+When executing the `step-group` step, the subSteps in the step group are executed in dag mode. The step group will only complete when all subSteps have been executed to completion.
+SubStep has the same execution behavior as a normal step.
+
+
+
+
+
+
+

docs/examples/workflow/step-group/example.yaml

@@ -1,7 +1,7 @@
 apiVersion: core.oam.dev/v1beta1
 kind: Application
 metadata:
-  name: step-group-example
+  name: example
   namespace: default
 spec:
   components:
@@ -10,13 +10,22 @@ spec:
       properties:
         image: crccheck/hello-world
         port: 8000
+    - name: express-server2
+      type: webservice
+      properties:
+        image: crccheck/hello-world
+        port: 8000
 
   workflow:
     steps:
       - name: step
         type: step-group
         subSteps:
-          - name: apply-server
+          - name: apply-sub-step1
             type: apply-component
             properties:
               component: express-server
+          - name: apply-sub-step2
+            type: apply-component
+            properties:
+              component: express-server2

e2e/application/application_test.go

@@ -18,9 +18,13 @@ package e2e
 
 import (
 	context2 "context"
+	"encoding/json"
 	"fmt"
+	"strings"
 	"time"
 
+	corev1 "k8s.io/api/core/v1"
+
 	"github.com/Netflix/go-expect"
 	"github.com/crossplane/crossplane-runtime/pkg/meta"
 	"github.com/onsi/ginkgo"
@@ -42,6 +46,7 @@ var (
 	testDeleteJsonAppFile       = `{"name":"test-vela-delete","services":{"nginx-test":{"type":"webservice","image":"nginx:1.9.4","port":80}}}`
 	appbasicJsonAppFile         = `{"name":"app-basic","services":{"app-basic":{"type":"webservice","image":"nginx:1.9.4","port":80}}}`
 	appbasicAddTraitJsonAppFile = `{"name":"app-basic","services":{"app-basic":{"type":"webservice","image":"nginx:1.9.4","port":80,"scaler":{"replicas":2}}}}`
+	velaQL                      = "test-component-pod-view{appNs=default,appName=nginx-vela,name=nginx}"
 )
 
 var _ = ginkgo.Describe("Test Vela Application", func() {
@@ -67,6 +72,9 @@ var _ = ginkgo.Describe("Test Vela Application", func() {
 
 	e2e.JsonAppFileContext("json appfile apply", testDeleteJsonAppFile)
 	ApplicationDeleteWithForceOptions("test delete with force option", "test-vela-delete")
+
+	e2e.JsonAppFileContext("json appfile apply", testDeleteJsonAppFile)
+	VelaQLPodListContext("ql", velaQL)
 })
 
 var ApplicationStatusContext = func(context string, applicationName string, workloadType string) bool {
@@ -98,7 +106,7 @@ var ApplicationStatusDeeplyContext = func(context string, applicationName, workl
 			cli := fmt.Sprintf("vela status %s", applicationName)
 			output, err := e2e.LongTimeExec(cli, 120*time.Second)
 			gomega.Expect(err).NotTo(gomega.HaveOccurred())
-			gomega.Expect(output).To(gomega.ContainSubstring("healthy"))
+			gomega.Expect(strings.ToLower(output)).To(gomega.ContainSubstring("healthy"))
 			// TODO(zzxwill) need to check workloadType after app status is refined
 		})
 	})
@@ -229,3 +237,75 @@ var ApplicationDeleteWithForceOptions = func(context string, appName string) boo
 		})
 	})
 }
+
+type PodList struct {
+	PodList []Pod `form:"podList" json:"podList"`
+}
+
+type Pod struct {
+	Status   Status   `form:"status" json:"status"`
+	Cluster  string   `form:"cluster" json:"cluster"`
+	Metadata Metadata `form:"metadata" json:"metadata"`
+	Workload Workload `form:"workload" json:"workload"`
+}
+
+type Status struct {
+	Phase    string `form:"phase" json:"phase"`
+	NodeName string `form:"nodeName" json:"nodeName"`
+}
+
+type Metadata struct {
+	Namespace string `form:"namespace" json:"namespace"`
+}
+
+type Workload struct {
+	ApiVersion string `form:"apiVersion" json:"apiVersion"`
+	Kind       string `form:"kind" json:"kind"`
+}
+
+var VelaQLPodListContext = func(context string, velaQL string) bool {
+	return ginkgo.Context(context, func() {
+		ginkgo.It("should get successful result for executing vela ql", func() {
+			args := common.Args{
+				Schema: common.Scheme,
+			}
+			ctx := context2.Background()
+
+			k8sClient, err := args.GetClient()
+			gomega.Expect(err).NotTo(gomega.HaveOccurred())
+
+			componentView := new(corev1.ConfigMap)
+			gomega.Eventually(func(g gomega.Gomega) {
+				g.Expect(common.ReadYamlToObject("./component-pod-view.yaml", componentView)).Should(gomega.BeNil())
+				g.Expect(k8sClient.Create(ctx, componentView)).Should(gomega.Succeed())
+			}, time.Second*3, time.Millisecond*300).Should(gomega.Succeed())
+
+			cli := fmt.Sprintf("vela ql %s", velaQL)
+			output, err := e2e.Exec(cli)
+			gomega.Expect(err).NotTo(gomega.HaveOccurred())
+			var list PodList
+			err = json.Unmarshal([]byte(output), &list)
+			gomega.Expect(err).NotTo(gomega.HaveOccurred())
+			for _, v := range list.PodList {
+				if v.Cluster != "" {
+					gomega.Expect(v.Cluster).To(gomega.ContainSubstring("local"))
+				}
+				if v.Status.Phase != "" {
+					gomega.Expect(v.Status.Phase).To(gomega.ContainSubstring("Running"))
+				}
+				if v.Status.NodeName != "" {
+					gomega.Expect(v.Status.NodeName).To(gomega.ContainSubstring("kind-control-plane"))
+				}
+				if v.Metadata.Namespace != "" {
+					gomega.Expect(v.Metadata.Namespace).To(gomega.ContainSubstring("default"))
+				}
+				if v.Workload.ApiVersion != "" {
+					gomega.Expect(v.Workload.ApiVersion).To(gomega.ContainSubstring("apps/v1"))
+				}
+				if v.Workload.Kind != "" {
+					gomega.Expect(v.Workload.Kind).To(gomega.ContainSubstring("Deployment"))
+				}
+			}
+		})
+	})
+}

e2e/application/component-pod-view.yaml

@@ -0,0 +1,98 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: test-component-pod-view
+  namespace: vela-system
+data:
+  template: |
+    import (
+      "vela/ql"
+      "vela/op"
+    )
+
+    parameter: {
+      appName:    string
+      appNs:      string
+      name?:      string
+      cluster?:   string
+      clusterNs?: string
+    }
+
+    application: ql.#ListResourcesInApp & {
+      app: {
+        name:      parameter.appName
+        namespace: parameter.appNs
+        filter: {
+          if parameter.cluster != _|_ {
+            cluster: parameter.cluster
+          }
+          if parameter.clusterNs != _|_ {
+            clusterNamespace: parameter.clusterNs
+          }
+          if parameter.name != _|_ {
+            components: [parameter.name]
+          }
+        }
+      }
+    }
+
+    if application.err != _|_ {
+      status: error: application.err
+    }
+
+    if application.err == _|_ {
+      resources: application.list
+
+      podsMap: op.#Steps & {
+        for i, resource in resources {
+          "\(i)": ql.#CollectPods & {
+            value:   resource.object
+            cluster: resource.cluster
+          }
+        }
+      }
+
+      podsWithCluster: [ for i, pods in podsMap for podObj in pods.list {
+        cluster: pods.cluster
+        obj:     podObj
+      }]
+
+      podStatus: op.#Steps & {
+        for i, pod in podsWithCluster {
+          "\(i)": op.#Steps & {
+            name: pod.obj.metadata.name
+            containers: {for container in pod.obj.status.containerStatuses {
+              "\(container.name)": {
+                image: container.image
+                state: container.state
+              }
+            }}
+            events: ql.#SearchEvents & {
+              value:   pod.obj
+              cluster: pod.cluster
+            }
+            metrics: ql.#Read & {
+              cluster: pod.cluster
+              value: {
+                apiVersion: "metrics.k8s.io/v1beta1"
+                kind:       "PodMetrics"
+                metadata: {
+                  name:      pod.obj.metadata.name
+                  namespace: pod.obj.metadata.namespace
+                }
+              }
+            }
+          }
+        }
+      }
+
+      status: {
+        podList: [ for podInfo in podStatus {
+          name: podInfo.name
+          containers: [ for containerName, container in podInfo.containers {
+            containerName
+          }]
+          events: podInfo.events.list
+        }]
+      }
+    }

go.mod

@@ -16,7 +16,7 @@ require (
 	github.com/barnettZQG/inject v0.0.1
 	github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869
 	github.com/briandowns/spinner v1.11.1
-	github.com/containerd/containerd v1.5.10
+	github.com/containerd/containerd v1.5.13
 	github.com/coreos/go-oidc v2.1.0+incompatible
 	github.com/coreos/prometheus-operator v0.41.1
 	github.com/crossplane/crossplane-runtime v0.14.1-0.20210722005935-0b469fcc77cd
@@ -25,15 +25,19 @@ require (
 	github.com/emicklei/go-restful-openapi/v2 v2.3.0
 	github.com/emicklei/go-restful/v3 v3.0.0-rc2
 	github.com/evanphx/json-patch v4.12.0+incompatible
+	github.com/fatih/camelcase v1.0.0
 	github.com/fatih/color v1.13.0
+	github.com/fluxcd/helm-controller/api v0.21.0
+	github.com/fluxcd/source-controller/api v0.24.4
 	github.com/form3tech-oss/jwt-go v3.2.3+incompatible
 	github.com/gertd/go-pluralize v0.1.7
 	github.com/getkin/kin-openapi v0.94.0
-	github.com/go-logr/logr v1.2.0
+	github.com/go-logr/logr v1.2.2
 	github.com/go-openapi/spec v0.19.8
 	github.com/go-playground/validator/v10 v10.9.0
 	github.com/go-resty/resty/v2 v2.7.0
 	github.com/google/go-cmp v0.5.8
+	github.com/google/go-containerregistry v0.9.0
 	github.com/google/go-github/v32 v32.1.0
 	github.com/google/uuid v1.3.0
 	github.com/gosuri/uilive v0.0.4
@@ -42,10 +46,10 @@ require (
 	github.com/hashicorp/hcl/v2 v2.9.1
 	github.com/hinshun/vt10x v0.0.0-20180616224451-1954e6464174
 	github.com/imdario/mergo v0.3.12
-	github.com/kubevela/prism v0.0.0-20220512081342-9b641aa819f3
+	github.com/kubevela/prism v1.4.1-0.20220613123457-94f1190f87c2
 	github.com/kyokomi/emoji v2.2.4+incompatible
 	github.com/mitchellh/hashstructure/v2 v2.0.1
-	github.com/oam-dev/cluster-gateway v1.3.3-0.20220509095841-4272c540e1e9
+	github.com/oam-dev/cluster-gateway v1.4.0
 	github.com/oam-dev/cluster-register v1.0.4-0.20220325092210-cee4a3d3fb7d
 	github.com/oam-dev/terraform-config-inspect v0.0.0-20210418082552-fc72d929aa28
 	github.com/oam-dev/terraform-controller v0.7.0
@@ -56,6 +60,7 @@ require (
 	github.com/openkruise/kruise-api v1.1.0
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.11.0
+	github.com/robfig/cron/v3 v3.0.1
 	github.com/sirupsen/logrus v1.8.1
 	github.com/spf13/cobra v1.4.0
 	github.com/spf13/pflag v1.0.5
@@ -63,6 +68,7 @@ require (
 	github.com/tidwall/gjson v1.9.3
 	github.com/wercker/stern v0.0.0-20190705090245-4fa46dd6987f
 	github.com/wonderflow/cert-manager-api v1.0.3
+	github.com/xanzy/go-gitlab v0.60.0
 	github.com/xlab/treeprint v1.1.0
 	go.mongodb.org/mongo-driver v1.5.1
 	go.uber.org/zap v1.19.1
@@ -70,6 +76,7 @@ require (
 	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
 	golang.org/x/tools v0.1.11-0.20220316014157-77aa08bb151a // indirect
+	gomodules.xyz/jsonpatch/v2 v2.2.0
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
 	gopkg.in/src-d/go-git.v4 v4.13.1
@@ -78,7 +85,7 @@ require (
 	helm.sh/helm/v3 v3.7.2
 	istio.io/client-go v0.0.0-20210128182905-ee2edd059e02
 	k8s.io/api v0.23.6
-	k8s.io/apiextensions-apiserver v0.23.5
+	k8s.io/apiextensions-apiserver v0.23.6
 	k8s.io/apimachinery v0.23.6
 	k8s.io/apiserver v0.23.6
 	k8s.io/cli-runtime v0.23.6
@@ -98,20 +105,6 @@ require (
 	sigs.k8s.io/yaml v1.3.0
 )
 
-require (
-	github.com/fatih/camelcase v1.0.0
-	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.0 // indirect
-	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
-	github.com/robfig/cron/v3 v3.0.1
-	github.com/xanzy/go-gitlab v0.60.0
-	github.com/xanzy/ssh-agent v0.3.0 // indirect
-	golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.2.0
-)
-
-require github.com/google/go-containerregistry v0.9.0
-
 require (
 	cloud.google.com/go/compute v1.6.1 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
@@ -129,7 +122,7 @@ require (
 	github.com/Masterminds/sprig/v3 v3.2.2 // indirect
 	github.com/Masterminds/squirrel v1.5.2 // indirect
 	github.com/Microsoft/go-winio v0.5.2 // indirect
-	github.com/Microsoft/hcsshim v0.8.23 // indirect
+	github.com/Microsoft/hcsshim v0.8.24 // indirect
 	github.com/NYTimes/gziphandler v1.1.1 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
@@ -168,6 +161,9 @@ require (
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
 	github.com/facebookgo/structtag v0.0.0-20150214074306-217e25fb9691 // indirect
 	github.com/felixge/httpsnoop v1.0.1 // indirect
+	github.com/fluxcd/pkg/apis/acl v0.0.3 // indirect
+	github.com/fluxcd/pkg/apis/kustomize v0.3.3 // indirect
+	github.com/fluxcd/pkg/apis/meta v0.13.0 // indirect
 	github.com/fsnotify/fsnotify v1.5.1 // indirect
 	github.com/fvbommel/sortorder v1.0.1 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
@@ -187,13 +183,15 @@ require (
 	github.com/golang/snappy v0.0.3 // indirect
 	github.com/google/btree v1.0.1 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/google/gofuzz v1.1.0 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/googleapis/gnostic v0.5.5 // indirect
 	github.com/gorilla/mux v1.8.0 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/huandu/xstrings v1.3.2 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
@@ -203,6 +201,7 @@ require (
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
+	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
 	github.com/klauspost/compress v1.15.4 // indirect
 	github.com/kr/pretty v0.3.0 // indirect
 	github.com/kr/pty v1.1.8 // indirect
@@ -255,6 +254,7 @@ require (
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.0 // indirect
 	github.com/tjfoc/gmsm v1.3.2 // indirect
+	github.com/xanzy/ssh-agent v0.3.0 // indirect
 	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
 	github.com/xdg-go/scram v1.0.2 // indirect
 	github.com/xdg-go/stringprep v1.0.2 // indirect
@@ -285,6 +285,7 @@ require (
 	golang.org/x/sync v0.0.0-20220513210516-0976fa681c29 // indirect
 	golang.org/x/sys v0.0.0-20220513210249-45d2b4557a2a // indirect
 	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 // indirect
 	golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20220421151946-72621c1f0bd3 // indirect
@@ -301,10 +302,10 @@ require (
 	istio.io/api v0.0.0-20210128181506-0c4b8e54850f // indirect
 	istio.io/gogo-genproto v0.0.0-20190930162913-45029607206a // indirect
 	oras.land/oras-go v0.4.0 // indirect
-	sigs.k8s.io/apiserver-network-proxy v0.0.24 // indirect
+	sigs.k8s.io/apiserver-network-proxy v0.0.30 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.30 // indirect
 	sigs.k8s.io/apiserver-runtime v1.1.1 // indirect
-	sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect
+	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
 	sigs.k8s.io/kustomize/api v0.10.1 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.13.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect

go.sum

@@ -178,8 +178,8 @@ github.com/Microsoft/hcsshim v0.8.14/go.mod h1:NtVKoYxQuTLx6gEq0L96c9Ju4JbRJ4nY2
 github.com/Microsoft/hcsshim v0.8.15/go.mod h1:x38A4YbHbdxJtc0sF6oIz+RG0npwSCAvn69iY6URG00=
 github.com/Microsoft/hcsshim v0.8.16/go.mod h1:o5/SZqmR7x9JNKsW3pu+nqHm0MF8vbA+VxGOoXdC600=
 github.com/Microsoft/hcsshim v0.8.21/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4=
-github.com/Microsoft/hcsshim v0.8.23 h1:47MSwtKGXet80aIn+7h4YI6fwPmwIghAnsx2aOUrG2M=
-github.com/Microsoft/hcsshim v0.8.23/go.mod h1:4zegtUJth7lAvFyc6cH2gGQ5B3OFQim01nnU2M8jKDg=
+github.com/Microsoft/hcsshim v0.8.24 h1:jP+GMeRXIR1sH1kG4lJr9ShmSjVrua5jmFZDtfYGkn4=
+github.com/Microsoft/hcsshim v0.8.24/go.mod h1:4zegtUJth7lAvFyc6cH2gGQ5B3OFQim01nnU2M8jKDg=
 github.com/Microsoft/hcsshim/test v0.0.0-20201218223536-d3e5debf77da/go.mod h1:5hlzMzRKMLyo42nCZ9oml8AdTlq/0cvIaBv6tK1RehU=
 github.com/Microsoft/hcsshim/test v0.0.0-20210227013316-43a75bb4edd3/go.mod h1:mw7qgWloBUl75W/gVH3cQszUg1+gUITj7D6NY7ywVnY=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
@@ -412,8 +412,9 @@ github.com/containerd/cgroups v0.0.0-20200531161412-0dbf7f05ba59/go.mod h1:pA0z1
 github.com/containerd/cgroups v0.0.0-20200710171044-318312a37340/go.mod h1:s5q4SojHctfxANBDvMeIaIovkq29IP48TKAxnhYRxvo=
 github.com/containerd/cgroups v0.0.0-20200824123100-0b889c03f102/go.mod h1:s5q4SojHctfxANBDvMeIaIovkq29IP48TKAxnhYRxvo=
 github.com/containerd/cgroups v0.0.0-20210114181951-8a68de567b68/go.mod h1:ZJeTFisyysqgcCdecO57Dj79RfL0LNeGiFUqLYQRYLE=
-github.com/containerd/cgroups v1.0.1 h1:iJnMvco9XGvKUvNQkv88bE4uJXxRQH18efbKo9w5vHQ=
 github.com/containerd/cgroups v1.0.1/go.mod h1:0SJrPIenamHDcZhEcJMNBB85rHcUsw4f25ZfBiPYRkU=
+github.com/containerd/cgroups v1.0.3 h1:ADZftAkglvCiD44c77s5YmMqaP2pzVCFZvBmAlBdAP4=
+github.com/containerd/cgroups v1.0.3/go.mod h1:/ofk34relqNjSGyqPrmEULrO4Sc8LJhvJmWbUCUKqj8=
 github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
 github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
 github.com/containerd/console v0.0.0-20191206165004-02ecf6a7291e/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE=
@@ -435,8 +436,8 @@ github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoT
 github.com/containerd/containerd v1.5.1/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g=
 github.com/containerd/containerd v1.5.2/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g=
 github.com/containerd/containerd v1.5.7/go.mod h1:gyvv6+ugqY25TiXxcZC3L5yOeYgEw0QMhscqVp1AR9c=
-github.com/containerd/containerd v1.5.10 h1:3cQ2uRVCkJVcx5VombsE7105Gl9Wrl7ORAO3+4+ogf4=
-github.com/containerd/containerd v1.5.10/go.mod h1:fvQqCfadDGga5HZyn3j4+dx56qj2I9YwBrlSdalvJYQ=
+github.com/containerd/containerd v1.5.13 h1:XqvKw9i4P7/mFrC3TSM7yV5cwFZ9avXe6M3YANKnzEE=
+github.com/containerd/containerd v1.5.13/go.mod h1:3AlCrzKROjIuP3JALsY14n8YtntaUDBu7vek+rPN5Vc=
 github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
@@ -668,6 +669,16 @@ github.com/fatih/structtag v1.1.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4
 github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94=
 github.com/felixge/httpsnoop v1.0.1 h1:lvB5Jl89CsZtGIWuTcDM1E/vkVs49/Ml7JJe07l8SPQ=
 github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/fluxcd/helm-controller/api v0.21.0 h1:MWvVzz6u9jR1aE7j1YaSEjBehw0zMndkODnjAE0/1nQ=
+github.com/fluxcd/helm-controller/api v0.21.0/go.mod h1:cgP5ZR46HIhC8phUfx4Z60He9zNuIHbH3r8YEVl5ip8=
+github.com/fluxcd/pkg/apis/acl v0.0.3 h1:Lw0ZHdpnO4G7Zy9KjrzwwBmDZQuy4qEjaU/RvA6k1lc=
+github.com/fluxcd/pkg/apis/acl v0.0.3/go.mod h1:XPts6lRJ9C9fIF9xVWofmQwftvhY25n1ps7W9xw0XLU=
+github.com/fluxcd/pkg/apis/kustomize v0.3.3 h1:bPN29SdVzWl0yhgivuf/83IAe2R6vUuDVcB3LzyVU8E=
+github.com/fluxcd/pkg/apis/kustomize v0.3.3/go.mod h1:5HTOFZfQFVMMqR2rvuxpbZhpb+sQpcTT6RCQZOhjFzA=
+github.com/fluxcd/pkg/apis/meta v0.13.0 h1:0QuNKEExSjk+Rv0I6a85p2H3xOlWhdxZRsh10waEL/c=
+github.com/fluxcd/pkg/apis/meta v0.13.0/go.mod h1:Z26X5uTU5LxAyWETGueRQY7TvdPaGfKU7Wye9bdUlho=
+github.com/fluxcd/source-controller/api v0.24.4 h1:m54sS1rJlgJf5j9qDRgKLhbPJAnJ9dY+VrstPKj0aQo=
+github.com/fluxcd/source-controller/api v0.24.4/go.mod h1:b0MmMPGE8gcpgSyGXe5m7see77tBW26eZrvGkkPstUs=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
@@ -722,8 +733,9 @@ github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
 github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
 github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
-github.com/go-logr/logr v1.2.0 h1:QK40JKJyMdUDz+h+xvCsru/bJhvG0UxvePV0ufL/AcE=
 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.2.2 h1:ahHml/yUpnlb96Rp8HCvtYVPY8ZYpxq3g7UYchIYwbs=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/zapr v0.1.0/go.mod h1:tabnROwaDl0UNxkVeFRbY8bwB37GwRv0P8lg6aAiEnk=
 github.com/go-logr/zapr v0.4.0/go.mod h1:tabnROwaDl0UNxkVeFRbY8bwB37GwRv0P8lg6aAiEnk=
 github.com/go-logr/zapr v1.2.0 h1:n4JnPI1T3Qq1SFEi/F8rwLrZERp2bso19PJZDB9dayk=
@@ -1007,8 +1019,9 @@ github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17
 github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
 github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
 github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
@@ -1331,8 +1344,8 @@ github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/kubevela/prism v0.0.0-20220512081342-9b641aa819f3 h1:SiQjuAJVLa75M/uVufyEylzlmi+1sZzCnsDN76IFTr4=
-github.com/kubevela/prism v0.0.0-20220512081342-9b641aa819f3/go.mod h1:Ms3P9eWEeddXk7Q51+9sV1cGQL0cjlpBcSdp1/HoCaI=
+github.com/kubevela/prism v1.4.1-0.20220613123457-94f1190f87c2 h1:TaHlO4raKI3ehVSYY8QixYMHdI0VwKHY1KPNWcUre3I=
+github.com/kubevela/prism v1.4.1-0.20220613123457-94f1190f87c2/go.mod h1:RP69+bRb57Occer6BeeF5zK3hrD1IhnYf2RNRsIdh9E=
 github.com/kulti/thelper v0.4.0/go.mod h1:vMu2Cizjy/grP+jmsvOFDx1kYP6+PD1lqg4Yu5exl2U=
 github.com/kunwardeep/paralleltest v1.0.2/go.mod h1:ZPqNm1fVHPllh5LPVujzbVz1JN2GhLxSfY+oqUsvG30=
 github.com/kunwardeep/paralleltest v1.0.3/go.mod h1:vLydzomDFpk7yu5UX02RmP0H8QfRPOV/oFhWN85Mjb4=
@@ -1551,8 +1564,8 @@ github.com/nishanths/predeclared v0.2.1/go.mod h1:HvkGJcA3naj4lOwnFXFDkFxVtSqQMB
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
-github.com/oam-dev/cluster-gateway v1.3.3-0.20220509095841-4272c540e1e9 h1:D3Z+QJi/5+J+wHwVPEo2ygFHXPaMS9t4NHfyIHZatiw=
-github.com/oam-dev/cluster-gateway v1.3.3-0.20220509095841-4272c540e1e9/go.mod h1:WcxTF3tOZFxRm1wztAJnXPM4cpjYqnEFIuAU9EM6pD0=
+github.com/oam-dev/cluster-gateway v1.4.0 h1:ZZcNRYsUDRWM5JnNX28/zdSPRKERGstcAY+PaJKA0mE=
+github.com/oam-dev/cluster-gateway v1.4.0/go.mod h1:qnCczkXtTY7h0SqxjZqAAyKQPwrJjLIFy+IdeoaYKCU=
 github.com/oam-dev/cluster-register v1.0.4-0.20220325092210-cee4a3d3fb7d h1:ZZsBkksYDzwJEjqx9/XBD+VwlhHz8flkZvMJYzO4ASA=
 github.com/oam-dev/cluster-register v1.0.4-0.20220325092210-cee4a3d3fb7d/go.mod h1:nKEUMfuEB8pHKsaSah9IA+UQzezrPYebBdRozyNtlZc=
 github.com/oam-dev/stern v1.13.2 h1:jlGgtJbKmIVhzkH44ft5plkgs8XEfvxbFrQdX60CQR4=
@@ -2353,6 +2366,7 @@ golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211029224645-99673261e6eb/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20211215060638-4ddde0e984e9/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
@@ -2533,6 +2547,7 @@ golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211013075003-97ac67df715c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211029165221-6e7872819dc8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211110154304-99a53858aa08/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -2905,6 +2920,7 @@ google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD
 google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
+google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
 google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
 google.golang.org/grpc v1.45.0 h1:NEpgUqV3Z+ZjkqMsxMg11IaDrXY4RY6CQukSGK0uI1M=
 google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ=
@@ -3063,8 +3079,9 @@ k8s.io/apiextensions-apiserver v0.21.3/go.mod h1:kl6dap3Gd45+21Jnh6utCx8Z2xxLm8L
 k8s.io/apiextensions-apiserver v0.22.1/go.mod h1:HeGmorjtRmRLE+Q8dJu6AYRoZccvCMsghwS8XTUYb2c=
 k8s.io/apiextensions-apiserver v0.22.4/go.mod h1:kH9lxD8dbJ+k0ZizGET55lFgdGjO8t45fgZnCVdZEpw=
 k8s.io/apiextensions-apiserver v0.23.0/go.mod h1:xIFAEEDlAZgpVBl/1VSjGDmLoXAWRG40+GsWhKhAxY4=
-k8s.io/apiextensions-apiserver v0.23.5 h1:5SKzdXyvIJKu+zbfPc3kCbWpbxi+O+zdmAJBm26UJqI=
 k8s.io/apiextensions-apiserver v0.23.5/go.mod h1:ntcPWNXS8ZPKN+zTXuzYMeg731CP0heCTl6gYBxLcuQ=
+k8s.io/apiextensions-apiserver v0.23.6 h1:v58cQ6Z0/GK1IXYr+oW0fnYl52o9LTY0WgoWvI8uv5Q=
+k8s.io/apiextensions-apiserver v0.23.6/go.mod h1:YVh17Mphv183THQJA5spNFp9XfoidFyL3WoDgZxQIZU=
 k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719/go.mod h1:I4A+glKBHiTgiEjQiCCQfCAIcIMFGt291SmsvcrFzJA=
 k8s.io/apimachinery v0.0.0-20190809020650-423f5d784010/go.mod h1:Waf/xTS2FGRrgXCkO5FP3XxTOWh0qLf2QhL1qFZZ/R8=
 k8s.io/apimachinery v0.0.0-20190913080033-27d36303b655/go.mod h1:nL6pwRT8NgfF8TT68DBI8uEePRt89cSvoXUVqbkWHq4=
@@ -3260,6 +3277,7 @@ k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/
 k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
+k8s.io/utils v0.0.0-20211208161948-7d6a63dca704/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 h1:HNSDgDCrr/6Ly3WEGKZftiE7IY19Vz2GdbOCyI4qqhc=
 k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw=
@@ -3287,8 +3305,8 @@ rsc.io/letsencrypt v0.0.3/go.mod h1:buyQKZ6IXrRnB7TdkHP0RyEybLx18HHyOSoTyoOLqNY=
 rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
-sigs.k8s.io/apiserver-network-proxy v0.0.24 h1:yaswrAqidc2XdLK2GRacVEBb55g4dg91f/B7b0SYliY=
-sigs.k8s.io/apiserver-network-proxy v0.0.24/go.mod h1:z/U9KltvRVSMttVl3cdQo8cPuXEjr+Qn3A5sUJR55XI=
+sigs.k8s.io/apiserver-network-proxy v0.0.30 h1:Zr5Zqd2GymcYUwijHUDEaQ1I3Dx0giTIWaD80N6j2mE=
+sigs.k8s.io/apiserver-network-proxy v0.0.30/go.mod h1:0wSWl5ohhp7kYl5XOP0w1IZSWTHhe9TojjDGityZxnc=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.24 h1:bCO6TN9VG1bK3nCG5ghQ5httx1HpsG5MD8XtRDySHDM=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.24/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
 sigs.k8s.io/apiserver-runtime v1.1.0/go.mod h1:cmahVEn9R791yUnSiFMFdwTqi2dOe5WQRNwcY6jb7l0=
@@ -3308,8 +3326,9 @@ sigs.k8s.io/controller-tools v0.2.4/go.mod h1:m/ztfQNocGYBgTTCmFdnK94uVvgxeZeE3L
 sigs.k8s.io/controller-tools v0.2.8/go.mod h1:9VKHPszmf2DHz/QmHkcfZoewO6BL7pPs9uAiBVsaJSE=
 sigs.k8s.io/controller-tools v0.6.2 h1:+Y8L0UsAugDipGRw8lrkPoAi6XqlQVZuf1DQHME3PgU=
 sigs.k8s.io/controller-tools v0.6.2/go.mod h1:oaeGpjXn6+ZSEIQkUe/+3I40PNiDYp9aeawbt3xTgJ8=
-sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 h1:fD1pz4yfdADVNfFmcP2aBEtudwUQ1AlLnRBALr33v3s=
 sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs=
+sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 h1:kDi4JBNAsJWfz1aEXhO8Jg87JJaPNLh5tIzYHgStQ9Y=
+sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY=
 sigs.k8s.io/kind v0.9.0 h1:SoDlXq6pEc7dGagHULNRCCBYrLH6xOi7lqXTRXeAlg4=
 sigs.k8s.io/kind v0.9.0/go.mod h1:cxKQWwmbtRDzQ+RNKnR6gZG6fjbeTtItp5cGf+ww+1Y=
 sigs.k8s.io/kube-storage-version-migrator v0.0.4/go.mod h1:mXfSLkx9xbJHQsgNDDUZK/iQTs2tMbx/hsJlWe6Fthw=

legacy/charts/vela-core-legacy/crds/core.oam.dev_applicationrevisions.yaml

@@ -2209,6 +2209,8 @@ spec:
                                   items:
                                     type: string
                                   type: array
+                                if:
+                                  type: string
                                 inputs:
                                   description: StepInputs defines variable input of
                                     WorkflowStep
@@ -2253,6 +2255,8 @@ spec:
                                         items:
                                           type: string
                                         type: array
+                                      if:
+                                        type: string
                                       inputs:
                                         description: StepInputs defines variable input
                                           of WorkflowStep
@@ -3954,6 +3958,8 @@ spec:
                           items:
                             type: string
                           type: array
+                        if:
+                          type: string
                         inputs:
                           description: StepInputs defines variable input of WorkflowStep
                           items:
@@ -3995,6 +4001,8 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              if:
+                                type: string
                               inputs:
                                 description: StepInputs defines variable input of
                                   WorkflowStep

legacy/charts/vela-core-legacy/crds/core.oam.dev_applications.yaml

@@ -1021,6 +1021,8 @@ spec:
                           items:
                             type: string
                           type: array
+                        if:
+                          type: string
                         inputs:
                           description: StepInputs defines variable input of WorkflowStep
                           items:
@@ -1062,6 +1064,8 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              if:
+                                type: string
                               inputs:
                                 description: StepInputs defines variable input of
                                   WorkflowStep

legacy/charts/vela-core-legacy/crds/core.oam.dev_workflows.yaml

@@ -42,6 +42,8 @@ spec:
                   items:
                     type: string
                   type: array
+                if:
+                  type: string
                 inputs:
                   description: StepInputs defines variable input of WorkflowStep
                   items:
@@ -83,6 +85,8 @@ spec:
                         items:
                           type: string
                         type: array
+                      if:
+                        type: string
                       inputs:
                         description: StepInputs defines variable input of WorkflowStep
                         items:
@@ -147,6 +151,8 @@ spec:
                   items:
                     type: string
                   type: array
+                if:
+                  type: string
                 inputs:
                   description: StepInputs defines variable input of WorkflowStep
                   items:
@@ -188,6 +194,8 @@ spec:
                         items:
                           type: string
                         type: array
+                      if:
+                        type: string
                       inputs:
                         description: StepInputs defines variable input of WorkflowStep
                         items:

makefiles/build.mk

@@ -9,7 +9,7 @@ kubectl-vela:
 
 # Build the docker image
 .PHONY: docker-build
-docker-build: docker-build-core docker-build-apiserver
+docker-build: docker-build-core docker-build-apiserver docker-build-cli
 	@$(OK)
 
 .PHONY: docker-build-core
@@ -20,6 +20,10 @@ docker-build-core:
 docker-build-apiserver:
 	docker build --build-arg=VERSION=$(VELA_VERSION) --build-arg=GITVERSION=$(GIT_COMMIT) -t $(VELA_APISERVER_IMAGE) -f Dockerfile.apiserver .
 
+.PHONY: docker-build-cli
+docker-build-cli:
+	docker build --build-arg=VERSION=$(VELA_VERSION) --build-arg=GITVERSION=$(GIT_COMMIT) -t $(VELA_CLI_IMAGE)  -f Dockerfile.cli .
+
 # Build the runtime docker image
 .PHONY: docker-build-runtime-rollout
 docker-build-runtime-rollout:

makefiles/const.mk

@@ -43,6 +43,7 @@ endif
 
 # Image URL to use all building/pushing image targets
 VELA_CORE_IMAGE      ?= vela-core:latest
+VELA_CLI_IMAGE      ?= oamdev/vela-cli:latest
 VELA_CORE_TEST_IMAGE ?= vela-core-test:$(GIT_COMMIT)
 VELA_APISERVER_IMAGE      ?= apiserver:latest
 VELA_RUNTIME_ROLLOUT_IMAGE       ?= vela-runtime-rollout:latest

makefiles/e2e.mk

@@ -1,14 +1,29 @@
-
-.PHONY: e2e-setup-core
-e2e-setup-core:
+.PHONY: e2e-setup-core-pre-hook
+e2e-setup-core-pre-hook:
 	sh ./hack/e2e/modify_charts.sh
-	helm upgrade --install --create-namespace --namespace vela-system --set image.pullPolicy=IfNotPresent --set image.repository=vela-core-test --set applicationRevisionLimit=5 --set dependCheckWait=10s --set image.tag=$(GIT_COMMIT) --wait kubevela ./charts/vela-core
+
+.PHONY: e2e-setup-core-post-hook
+e2e-setup-core-post-hook:
 	kubectl wait --for=condition=Available deployment/kubevela-vela-core -n vela-system --timeout=180s
 	helm upgrade --install --namespace vela-system --wait oam-rollout --set image.repository=vela-runtime-rollout-test --set image.tag=$(GIT_COMMIT) ./runtime/rollout/charts
 	go run ./e2e/addon/mock &
 	sleep 15
 	bin/vela addon enable rollout
 
+.PHONY: e2e-setup-core-wo-auth
+e2e-setup-core-wo-auth:
+	helm upgrade --install --create-namespace --namespace vela-system --set image.pullPolicy=IfNotPresent --set image.repository=vela-core-test --set applicationRevisionLimit=5 --set dependCheckWait=10s --set image.tag=$(GIT_COMMIT) --wait kubevela ./charts/vela-core
+
+.PHONY: e2e-setup-core-w-auth
+e2e-setup-core-w-auth:
+	helm upgrade --install --create-namespace --namespace vela-system --set image.pullPolicy=IfNotPresent --set image.repository=vela-core-test --set applicationRevisionLimit=5 --set dependCheckWait=10s --set image.tag=$(GIT_COMMIT) --wait kubevela ./charts/vela-core --set authentication.enabled=true --set authentication.withUser=true --set authentication.groupPattern=*
+
+.PHONY: e2e-setup-core
+e2e-setup-core: e2e-setup-core-pre-hook e2e-setup-core-wo-auth e2e-setup-core-post-hook
+
+.PHONY: e2e-setup-core-auth
+e2e-setup-core-auth: e2e-setup-core-pre-hook e2e-setup-core-w-auth e2e-setup-core-post-hook
+
 .PHONY: setup-runtime-e2e-cluster
 setup-runtime-e2e-cluster:
 	helm upgrade --install --create-namespace --namespace vela-system --kubeconfig=$(RUNTIME_CLUSTER_CONFIG) --set image.pullPolicy=IfNotPresent --set image.repository=vela-runtime-rollout-test --set image.tag=$(GIT_COMMIT) --wait vela-rollout ./runtime/rollout/charts

pkg/addon/addon.go

@@ -61,6 +61,7 @@ import (
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1alpha1"
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
 	"github.com/oam-dev/kubevela/apis/types"
+	"github.com/oam-dev/kubevela/pkg/apiserver/utils/log"
 	utils2 "github.com/oam-dev/kubevela/pkg/controller/utils"
 	cuemodel "github.com/oam-dev/kubevela/pkg/cue/model"
 	"github.com/oam-dev/kubevela/pkg/cue/model/value"
@@ -1057,21 +1058,22 @@ func Convert2SecName(name string) string {
 
 // Installer helps addon enable, dependency-check, dispatch resources
 type Installer struct {
-	ctx          context.Context
-	config       *rest.Config
-	addon        *InstallPackage
-	cli          client.Client
-	apply        apply.Applicator
-	r            *Registry
-	registryMeta map[string]SourceMeta
-	args         map[string]interface{}
-	cache        *Cache
-	dc           *discovery.DiscoveryClient
+	ctx                 context.Context
+	config              *rest.Config
+	addon               *InstallPackage
+	cli                 client.Client
+	apply               apply.Applicator
+	r                   *Registry
+	registryMeta        map[string]SourceMeta
+	args                map[string]interface{}
+	cache               *Cache
+	dc                  *discovery.DiscoveryClient
+	skipVersionValidate bool
 }
 
 // NewAddonInstaller will create an installer for addon
-func NewAddonInstaller(ctx context.Context, cli client.Client, discoveryClient *discovery.DiscoveryClient, apply apply.Applicator, config *rest.Config, r *Registry, args map[string]interface{}, cache *Cache) Installer {
-	return Installer{
+func NewAddonInstaller(ctx context.Context, cli client.Client, discoveryClient *discovery.DiscoveryClient, apply apply.Applicator, config *rest.Config, r *Registry, args map[string]interface{}, cache *Cache, opts ...InstallOption) Installer {
+	i := Installer{
 		ctx:    ctx,
 		config: config,
 		cli:    cli,
@@ -1081,14 +1083,21 @@ func NewAddonInstaller(ctx context.Context, cli client.Client, discoveryClient *
 		cache:  cache,
 		dc:     discoveryClient,
 	}
+	for _, opt := range opts {
+		opt(&i)
+	}
+	return i
 }
 
 func (h *Installer) enableAddon(addon *InstallPackage) error {
 	var err error
 	h.addon = addon
-	err = checkAddonVersionMeetRequired(h.ctx, addon.SystemRequirements, h.cli, h.dc)
-	if err != nil {
-		return VersionUnMatchError{addonName: addon.Name, err: err}
+
+	if !h.skipVersionValidate {
+		err = checkAddonVersionMeetRequired(h.ctx, addon.SystemRequirements, h.cli, h.dc)
+		if err != nil {
+			return VersionUnMatchError{addonName: addon.Name, err: err}
+		}
 	}
 
 	if err = h.installDependency(addon); err != nil {
@@ -1418,20 +1427,49 @@ func checkSemVer(actual string, require string) (bool, error) {
 	l := strings.ReplaceAll(require, "v", " ")
 	constraint, err := semver.NewConstraint(l)
 	if err != nil {
+		log.Logger.Errorf("fail to new constraint: %s", err.Error())
 		return false, err
 	}
 	v, err := semver.NewVersion(smeVer)
 	if err != nil {
+		log.Logger.Errorf("fail to new version %s: %s", smeVer, err.Error())
 		return false, err
 	}
-	return constraint.Check(v), nil
+	if constraint.Check(v) {
+		return true, nil
+	}
+	if strings.Contains(actual, "-") && !strings.Contains(require, "-") {
+		smeVer := strings.TrimPrefix(actual[:strings.Index(actual, "-")], "v")
+		v, err := semver.NewVersion(smeVer)
+		if err != nil {
+			log.Logger.Errorf("fail to new version %s: %s", smeVer, err.Error())
+			return false, err
+		}
+		if constraint.Check(v) {
+			return true, nil
+		}
+	}
+	return false, nil
 }
 
 func fetchVelaCoreImageTag(ctx context.Context, k8sClient client.Client) (string, error) {
-	deploy := &appsv1.Deployment{}
-	if err := k8sClient.Get(ctx, types2.NamespacedName{Namespace: types.DefaultKubeVelaNS, Name: types.KubeVelaControllerDeployment}, deploy); err != nil {
+	deployList := &appsv1.DeploymentList{}
+	if err := k8sClient.List(ctx, deployList, client.MatchingLabels{oam.LabelControllerName: oam.ApplicationControllerName}); err != nil {
 		return "", err
 	}
+	deploy := appsv1.Deployment{}
+	if len(deployList.Items) == 0 {
+		// backward compatible logic old version which vela-core controller has no this label
+		if err := k8sClient.Get(ctx, types2.NamespacedName{Namespace: types.DefaultKubeVelaNS, Name: types.KubeVelaControllerDeployment}, &deploy); err != nil {
+			if apierrors.IsNotFound(err) {
+				return "", errors.New("can't find a running KubeVela instance, please install it first")
+			}
+			return "", err
+		}
+	} else {
+		deploy = deployList.Items[0]
+	}
+
 	var tag string
 	for _, c := range deploy.Spec.Template.Spec.Containers {
 		if c.Name == types.DefaultKubeVelaReleaseName {

pkg/addon/addon_suite_test.go

@@ -196,7 +196,7 @@ var _ = Describe("Addon func test", func() {
 	It("fetchVelaCoreImageTag func test", func() {
 		deploy = appsv1.Deployment{}
 		tag, err := fetchVelaCoreImageTag(ctx, k8sClient)
-		Expect(err).Should(util.NotFoundMatcher{})
+		Expect(err).ShouldNot(BeNil())
 		Expect(tag).Should(BeEquivalentTo(""))
 
 		Expect(yaml.Unmarshal([]byte(deployYaml), &deploy)).Should(BeNil())
@@ -217,7 +217,7 @@ var _ = Describe("Addon func test", func() {
 
 	It("checkAddonVersionMeetRequired func test", func() {
 		deploy = appsv1.Deployment{}
-		Expect(checkAddonVersionMeetRequired(ctx, &SystemRequirements{VelaVersion: ">=v1.2.1"}, k8sClient, dc)).Should(util.NotFoundMatcher{})
+		Expect(checkAddonVersionMeetRequired(ctx, &SystemRequirements{VelaVersion: ">=v1.2.1"}, k8sClient, dc)).ShouldNot(BeNil())
 		Expect(yaml.Unmarshal([]byte(deployYaml), &deploy)).Should(BeNil())
 		deploy.SetNamespace(types.DefaultKubeVelaNS)
 		Expect(k8sClient.Create(ctx, &deploy)).Should(BeNil())
@@ -408,6 +408,8 @@ kind: Deployment
 metadata:
   name: kubevela-vela-core
   namespace: vela-system
+  labels:
+     controller.oam.dev/name: vela-core
 spec:
   progressDeadlineSeconds: 600
   replicas: 1

pkg/addon/addon_test.go

@@ -33,6 +33,7 @@ import (
 	"github.com/crossplane/crossplane-runtime/pkg/test"
 	"github.com/google/go-github/v32/github"
 	"github.com/stretchr/testify/assert"
+	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -47,6 +48,7 @@ import (
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
 	"github.com/oam-dev/kubevela/apis/types"
+	"github.com/oam-dev/kubevela/pkg/oam"
 	version2 "github.com/oam-dev/kubevela/version"
 )
 
@@ -763,6 +765,21 @@ func TestCheckSemVer(t *testing.T) {
 			require: ">=v1.3.0-beta.2",
 			res:     true,
 		},
+		{
+			actual:  "v1.4.0-beta.1",
+			require: ">=v1.3.0",
+			res:     true,
+		},
+		{
+			actual:  "v1.4.0",
+			require: ">=v1.3.0-beta.2",
+			res:     true,
+		},
+		{
+			actual:  "1.2.4-beta.2",
+			require: ">=v1.2.4-beta.3",
+			res:     false,
+		},
 	}
 	for _, testCase := range testCases {
 		result, err := checkSemVer(testCase.actual, testCase.require)
@@ -776,6 +793,33 @@ func TestCheckAddonVersionMeetRequired(t *testing.T) {
 		MockGet: test.NewMockGetFn(nil, func(obj client.Object) error {
 			return nil
 		}),
+		MockList: test.NewMockListFn(nil, func(obj client.ObjectList) error {
+			robj := obj.(*appsv1.DeploymentList)
+			list := &appsv1.DeploymentList{
+				Items: []appsv1.Deployment{
+					{
+						ObjectMeta: metav1.ObjectMeta{
+							Labels: map[string]string{
+								oam.LabelControllerName: oam.ApplicationControllerName,
+							},
+						},
+						Spec: appsv1.DeploymentSpec{
+							Template: corev1.PodTemplateSpec{
+								Spec: corev1.PodSpec{
+									Containers: []corev1.Container{
+										{
+											Image: "vela-core:v1.2.5",
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			}
+			list.DeepCopyInto(robj)
+			return nil
+		}),
 	}
 	ctx := context.Background()
 	assert.NoError(t, checkAddonVersionMeetRequired(ctx, &SystemRequirements{VelaVersion: ">=1.2.4"}, k8sClient, nil))

pkg/addon/helper.go

@@ -54,8 +54,8 @@ const (
 )
 
 // EnableAddon will enable addon with dependency check, source is where addon from.
-func EnableAddon(ctx context.Context, name string, version string, cli client.Client, discoveryClient *discovery.DiscoveryClient, apply apply.Applicator, config *rest.Config, r Registry, args map[string]interface{}, cache *Cache) error {
-	h := NewAddonInstaller(ctx, cli, discoveryClient, apply, config, &r, args, cache)
+func EnableAddon(ctx context.Context, name string, version string, cli client.Client, discoveryClient *discovery.DiscoveryClient, apply apply.Applicator, config *rest.Config, r Registry, args map[string]interface{}, cache *Cache, opts ...InstallOption) error {
+	h := NewAddonInstaller(ctx, cli, discoveryClient, apply, config, &r, args, cache, opts...)
 	pkg, err := h.loadInstallPackage(name, version)
 	if err != nil {
 		return err
@@ -93,7 +93,7 @@ func DisableAddon(ctx context.Context, cli client.Client, name string, config *r
 }
 
 // EnableAddonByLocalDir enable an addon from local dir
-func EnableAddonByLocalDir(ctx context.Context, name string, dir string, cli client.Client, dc *discovery.DiscoveryClient, applicator apply.Applicator, config *rest.Config, args map[string]interface{}) error {
+func EnableAddonByLocalDir(ctx context.Context, name string, dir string, cli client.Client, dc *discovery.DiscoveryClient, applicator apply.Applicator, config *rest.Config, args map[string]interface{}, opts ...InstallOption) error {
 	absDir, err := filepath.Abs(dir)
 	if err != nil {
 		return err
@@ -112,7 +112,7 @@ func EnableAddonByLocalDir(ctx context.Context, name string, dir string, cli cli
 	if err != nil {
 		return err
 	}
-	h := NewAddonInstaller(ctx, cli, dc, applicator, config, &Registry{Name: LocalAddonRegistryName}, args, nil)
+	h := NewAddonInstaller(ctx, cli, dc, applicator, config, &Registry{Name: LocalAddonRegistryName}, args, nil, opts...)
 	needEnableAddonNames, err := h.checkDependency(pkg)
 	if err != nil {
 		return err

pkg/addon/utils.go

@@ -228,3 +228,11 @@ func usingAppsInfo(apps []v1beta1.Application) string {
 func IsVersionRegistry(r Registry) bool {
 	return r.Helm != nil
 }
+
+// InstallOption define additional option for installation
+type InstallOption func(installer *Installer)
+
+// SkipValidateVersion means skip validating system version
+func SkipValidateVersion(installer *Installer) {
+	installer.skipVersionValidate = true
+}

pkg/addon/versioned_registry.go

@@ -23,6 +23,9 @@ import (
 
 	"sort"
 
+	"github.com/Masterminds/semver/v3"
+
+	"github.com/oam-dev/kubevela/pkg/apiserver/utils/log"
 	"github.com/oam-dev/kubevela/pkg/utils"
 	"github.com/oam-dev/kubevela/pkg/utils/common"
 	"github.com/oam-dev/kubevela/pkg/utils/helm"
@@ -128,19 +131,8 @@ func (i versionedRegistry) loadAddon(ctx context.Context, name, version string)
 	if len(versions) == 0 {
 		return nil, ErrNotExist
 	}
-	var addonVersion *repo.ChartVersion
 	sort.Sort(sort.Reverse(versions))
-	if len(version) == 0 {
-		// if not specify version will always use the latest version
-		addonVersion = versions[0]
-	}
-	var availableVersions []string
-	for i, v := range versions {
-		availableVersions = append(availableVersions, v.Version)
-		if v.Version == version {
-			addonVersion = versions[i]
-		}
-	}
+	addonVersion, availableVersions := chooseVersion(version, versions)
 	if addonVersion == nil {
 		return nil, fmt.Errorf("specified version %s not exist", version)
 	}
@@ -191,3 +183,32 @@ func loadAddonPackage(addonName string, files []*loader.BufferedFile) (*WholeAdd
 		APISchema:      addonUIData.APISchema,
 	}, nil
 }
+
+// chooseVersion will return the target version and all available versions
+func chooseVersion(specifiedVersion string, versions []*repo.ChartVersion) (*repo.ChartVersion, []string) {
+	var addonVersion *repo.ChartVersion
+	var availableVersions []string
+	for i, v := range versions {
+		availableVersions = append(availableVersions, v.Version)
+		if addonVersion != nil {
+			// already find the latest not-prerelease version, skip the find
+			continue
+		}
+		if len(specifiedVersion) != 0 {
+			if v.Version == specifiedVersion {
+				addonVersion = versions[i]
+			}
+		} else {
+			vv, err := semver.NewVersion(v.Version)
+			if err != nil {
+				continue
+			}
+			if len(vv.Prerelease()) != 0 {
+				continue
+			}
+			addonVersion = v
+			log.Logger.Infof("Not specified any version, so use the latest version %s", v.Version)
+		}
+	}
+	return addonVersion, availableVersions
+}

pkg/addon/versioned_registry_test.go

@@ -27,6 +27,9 @@ import (
 	"testing"
 	"time"
 
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/repo"
+
 	"github.com/oam-dev/kubevela/pkg/utils/common"
 
 	"github.com/stretchr/testify/assert"
@@ -98,6 +101,33 @@ func TestVersionRegistry(t *testing.T) {
 
 }
 
+func TestChooseAddonVersion(t *testing.T) {
+	versions := []*repo.ChartVersion{
+		{
+			Metadata: &chart.Metadata{
+				Version: "v1.4.0-beta1",
+			},
+		},
+		{
+			Metadata: &chart.Metadata{
+				Version: "v1.3.6",
+			},
+		},
+		{
+			Metadata: &chart.Metadata{
+				Version: "v1.2.0",
+			},
+		},
+	}
+	targetVersion, availableVersion := chooseVersion("v1.2.0", versions)
+	assert.Equal(t, availableVersion, []string{"v1.4.0-beta1", "v1.3.6", "v1.2.0"})
+	assert.Equal(t, targetVersion.Version, "v1.2.0")
+
+	targetVersion, availableVersion = chooseVersion("", versions)
+	assert.Equal(t, availableVersion, []string{"v1.4.0-beta1", "v1.3.6", "v1.2.0"})
+	assert.Equal(t, targetVersion.Version, "v1.3.6")
+}
+
 var versionedHandler http.HandlerFunc = func(writer http.ResponseWriter, request *http.Request) {
 	switch {
 	case strings.Contains(request.URL.Path, "index.yaml"):

pkg/apiserver/domain/model/user.go

@@ -18,7 +18,6 @@ package model
 
 import (
 	"fmt"
-	"strings"
 	"time"
 
 	"github.com/form3tech-oss/jwt-go"
@@ -63,17 +62,17 @@ func (u *User) ShortTableName() string {
 
 // PrimaryKey return custom primary key
 func (u *User) PrimaryKey() string {
-	return verifyUserValue(u.Name)
+	return u.Name
 }
 
 // Index return custom index
 func (u *User) Index() map[string]string {
 	index := make(map[string]string)
 	if u.Name != "" {
-		index["name"] = verifyUserValue(u.Name)
+		index["name"] = u.Name
 	}
 	if u.Email != "" {
-		index["email"] = verifyUserValue(u.Email)
+		index["email"] = u.Email
 	}
 	return index
 }
@@ -99,14 +98,14 @@ func (u *ProjectUser) ShortTableName() string {
 
 // PrimaryKey return custom primary key
 func (u *ProjectUser) PrimaryKey() string {
-	return fmt.Sprintf("%s-%s", u.ProjectName, verifyUserValue(u.Username))
+	return fmt.Sprintf("%s-%s", u.ProjectName, u.Username)
 }
 
 // Index return custom index
 func (u *ProjectUser) Index() map[string]string {
 	index := make(map[string]string)
 	if u.Username != "" {
-		index["username"] = verifyUserValue(u.Username)
+		index["username"] = u.Username
 	}
 	if u.ProjectName != "" {
 		index["projectName"] = u.ProjectName
@@ -114,12 +113,6 @@ func (u *ProjectUser) Index() map[string]string {
 	return index
 }
 
-func verifyUserValue(v string) string {
-	s := strings.ReplaceAll(v, "@", "-")
-	s = strings.ReplaceAll(s, " ", "-")
-	return strings.ToLower(s)
-}
-
 // CustomClaims is the custom claims
 type CustomClaims struct {
 	Username  string `json:"username"`

pkg/apiserver/domain/model/workflow.go

@@ -29,6 +29,12 @@ func init() {
 	RegisterModel(&WorkflowRecord{})
 }
 
+// Finished means the workflow record is finished
+const Finished = "true"
+
+// UnFinished means the workflow record is not finished
+const UnFinished = "false"
+
 // Workflow application delivery database model
 type Workflow struct {
 	BaseModel

pkg/apiserver/domain/repository/application.go

@@ -0,0 +1,97 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package repository
+
+import (
+	"context"
+	"errors"
+
+	"github.com/oam-dev/kubevela/pkg/apiserver/domain/model"
+	"github.com/oam-dev/kubevela/pkg/apiserver/infrastructure/datastore"
+	"github.com/oam-dev/kubevela/pkg/apiserver/utils/log"
+)
+
+// ListApplicationPolicies query the application policies
+func ListApplicationPolicies(ctx context.Context, store datastore.DataStore, app *model.Application) (list []*model.ApplicationPolicy, err error) {
+	var policy = model.ApplicationPolicy{
+		AppPrimaryKey: app.PrimaryKey(),
+	}
+	policies, err := store.List(ctx, &policy, &datastore.ListOptions{})
+	if err != nil {
+		return nil, err
+	}
+	for _, policy := range policies {
+		pm := policy.(*model.ApplicationPolicy)
+		list = append(list, pm)
+	}
+	return
+}
+
+// ListApplicationEnvPolicies list the policies that only belong to the specified env
+func ListApplicationEnvPolicies(ctx context.Context, store datastore.DataStore, app *model.Application, envName string) (list []*model.ApplicationPolicy, err error) {
+	var policy = model.ApplicationPolicy{
+		AppPrimaryKey: app.PrimaryKey(),
+		EnvName:       envName,
+	}
+	policies, err := store.List(ctx, &policy, &datastore.ListOptions{})
+	if err != nil {
+		return nil, err
+	}
+	for _, policy := range policies {
+		pm := policy.(*model.ApplicationPolicy)
+		list = append(list, pm)
+	}
+	return
+}
+
+// ListApplicationCommonPolicies list the policies that common to all environments
+func ListApplicationCommonPolicies(ctx context.Context, store datastore.DataStore, app *model.Application) (list []*model.ApplicationPolicy, err error) {
+	var policy = model.ApplicationPolicy{
+		AppPrimaryKey: app.PrimaryKey(),
+	}
+	policies, err := store.List(ctx, &policy, &datastore.ListOptions{
+		FilterOptions: datastore.FilterOptions{
+			IsNotExist: []datastore.IsNotExistQueryOption{{
+				Key: "envName",
+			}},
+		},
+	})
+	if err != nil {
+		return nil, err
+	}
+	for _, policy := range policies {
+		pm := policy.(*model.ApplicationPolicy)
+		list = append(list, pm)
+	}
+	return
+}
+
+// DeleteApplicationEnvPolicies delete the policies via app name and env name
+func DeleteApplicationEnvPolicies(ctx context.Context, store datastore.DataStore, app *model.Application, envName string) error {
+	log.Logger.Debugf("clear the policies via app name %s and env name %s", app.PrimaryKey(), envName)
+	policies, err := ListApplicationEnvPolicies(ctx, store, app, envName)
+	if err != nil {
+		return err
+	}
+	for _, policy := range policies {
+		if err := store.Delete(ctx, policy); err != nil && !errors.Is(err, datastore.ErrRecordNotExist) {
+			log.Logger.Errorf("fail to clear the policies belong to the env %w", err)
+			continue
+		}
+	}
+	return nil
+}

pkg/apiserver/domain/repository/grpc.go

@@ -0,0 +1,54 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package repository
+
+import (
+	"context"
+
+	"github.com/oam-dev/kubevela/pkg/apiserver/domain/model"
+	"github.com/oam-dev/kubevela/pkg/apiserver/infrastructure/datastore"
+)
+
+// ListRoles list roles from store
+func ListRoles(ctx context.Context, store datastore.DataStore, projectName string, page, pageSize int) ([]*model.Role, int64, error) {
+	var role = model.Role{
+		Project: projectName,
+	}
+	var filter datastore.FilterOptions
+	if projectName == "" {
+		filter.IsNotExist = append(filter.IsNotExist, datastore.IsNotExistQueryOption{
+			Key: "project",
+		})
+	}
+	entities, err := store.List(ctx, &role, &datastore.ListOptions{FilterOptions: filter, Page: page, PageSize: pageSize, SortBy: []datastore.SortOption{{Key: "createTime", Order: datastore.SortOrderDescending}}})
+	if err != nil {
+		return nil, 0, err
+	}
+	var roles []*model.Role
+	for i := range entities {
+		roles = append(roles, entities[i].(*model.Role))
+	}
+	count := int64(len(roles))
+	if page > 0 && pageSize > 0 {
+		var err error
+		count, err = store.Count(ctx, &role, &filter)
+		if err != nil {
+			return nil, 0, err
+		}
+	}
+	return roles, count, nil
+}

pkg/apiserver/domain/repository/workflow.go

@@ -457,13 +457,13 @@ func HaveTerraformWorkload(ctx context.Context, kubeClient client.Client, compon
 	return terraformComponents
 }
 
-func createOverriteConfigForTerraformComponent(env *model.Env, target *model.Target, terraformComponents []*model.ApplicationComponent) v1alpha1.EnvConfig {
+func createOverrideConfigForTerraformComponent(env *model.Env, target *model.Target, terraformComponents []*model.ApplicationComponent) v1alpha1.EnvConfig {
 	placement := v1alpha1.EnvPlacement{}
 	if target.Cluster != nil {
 		placement.ClusterSelector = &common.ClusterSelector{Name: target.Cluster.ClusterName}
 		placement.NamespaceSelector = &v1alpha1.NamespaceSelector{Name: target.Cluster.Namespace}
 	}
-	var componentPatchs []v1alpha1.EnvComponentPatch
+	var componentPatches []v1alpha1.EnvComponentPatch
 	// init cloud application region and provider info
 	for _, component := range terraformComponents {
 		properties := model.JSONStruct{
@@ -476,7 +476,7 @@ func createOverriteConfigForTerraformComponent(env *model.Env, target *model.Tar
 			},
 		}
 		if region, ok := target.Variable["region"]; ok {
-			properties["region"] = region
+			properties["customRegion"] = region
 		}
 		if providerName, ok := target.Variable["providerName"]; ok {
 			properties["providerRef"].(map[string]interface{})["name"] = providerName
@@ -484,7 +484,7 @@ func createOverriteConfigForTerraformComponent(env *model.Env, target *model.Tar
 		if providerNamespace, ok := target.Variable["providerNamespace"]; ok {
 			properties["providerRef"].(map[string]interface{})["namespace"] = providerNamespace
 		}
-		componentPatchs = append(componentPatchs, v1alpha1.EnvComponentPatch{
+		componentPatches = append(componentPatches, v1alpha1.EnvComponentPatch{
 			Name:       component.Name,
 			Properties: properties.RawExtension(),
 			Type:       component.Type,
@@ -495,7 +495,7 @@ func createOverriteConfigForTerraformComponent(env *model.Env, target *model.Tar
 		Name:      genPolicyEnvName(target.Name),
 		Placement: placement,
 		Patch: v1alpha1.EnvPatch{
-			Components: componentPatchs,
+			Components: componentPatches,
 		},
 	}
 }
@@ -543,7 +543,7 @@ func GenEnvWorkflowStepsAndPolicies(ctx context.Context, kubeClient client.Clien
 				}),
 			}
 			workflowSteps = append(workflowSteps, step)
-			envs = append(envs, createOverriteConfigForTerraformComponent(env, target, terraformComponents))
+			envs = append(envs, createOverrideConfigForTerraformComponent(env, target, terraformComponents))
 		}
 		properties, err := model.NewJSONStructByStruct(v1alpha1.EnvBindingSpec{
 			Envs: envs,

pkg/apiserver/domain/service/application.go

@@ -244,7 +244,7 @@ func (c *applicationServiceImpl) DetailApplication(ctx context.Context, app *mod
 		}
 	}
 	base := assembler.ConvertAppModelToBase(app, []*apisv1.ProjectBase{project})
-	policies, err := c.queryApplicationPolicies(ctx, app)
+	policies, err := repository.ListApplicationPolicies(ctx, c.Store, app)
 	if err != nil {
 		return nil, err
 	}
@@ -507,14 +507,14 @@ func (c *applicationServiceImpl) UpdateApplication(ctx context.Context, app *mod
 func (c *applicationServiceImpl) ListRecords(ctx context.Context, appName string) (*apisv1.ListWorkflowRecordsResponse, error) {
 	var record = model.WorkflowRecord{
 		AppPrimaryKey: appName,
-		Finished:      "false",
+		Finished:      model.UnFinished,
 	}
 	records, err := c.Store.List(ctx, &record, &datastore.ListOptions{})
 	if err != nil {
 		return nil, err
 	}
 	if len(records) == 0 {
-		record.Finished = "true"
+		record.Finished = model.Finished
 		records, err = c.Store.List(ctx, &record, &datastore.ListOptions{
 			Page:     1,
 			PageSize: 1,
@@ -589,7 +589,7 @@ func (c *applicationServiceImpl) DetailComponent(ctx context.Context, app *model
 
 // ListPolicies list application policies
 func (c *applicationServiceImpl) ListPolicies(ctx context.Context, app *model.Application) ([]*apisv1.PolicyBase, error) {
-	policies, err := c.queryApplicationPolicies(ctx, app)
+	policies, err := repository.ListApplicationPolicies(ctx, c.Store, app)
 	if err != nil {
 		return nil, err
 	}
@@ -600,21 +600,6 @@ func (c *applicationServiceImpl) ListPolicies(ctx context.Context, app *model.Ap
 	return list, nil
 }
 
-func (c *applicationServiceImpl) queryApplicationPolicies(ctx context.Context, app *model.Application) (list []*model.ApplicationPolicy, err error) {
-	var policy = model.ApplicationPolicy{
-		AppPrimaryKey: app.PrimaryKey(),
-	}
-	policies, err := c.Store.List(ctx, &policy, &datastore.ListOptions{})
-	if err != nil {
-		return nil, err
-	}
-	for _, policy := range policies {
-		pm := policy.(*model.ApplicationPolicy)
-		list = append(list, pm)
-	}
-	return
-}
-
 // DetailPolicy detail app policy
 // TODO: Add status data about the policy.
 func (c *applicationServiceImpl) DetailPolicy(ctx context.Context, app *model.Application, policyName string) (*apisv1.DetailPolicyResponse, error) {
@@ -853,22 +838,11 @@ func (c *applicationServiceImpl) renderOAMApplication(ctx context.Context, appMo
 	}
 
 	// query the policies for this environment
-	var policy = model.ApplicationPolicy{
-		AppPrimaryKey: appModel.PrimaryKey(),
-	}
-	policies, err := c.Store.List(ctx, &policy, &datastore.ListOptions{
-		FilterOptions: datastore.FilterOptions{
-			IsNotExist: []datastore.IsNotExistQueryOption{{
-				Key: "envName",
-			},
-			},
-		},
-	})
+	policies, err := repository.ListApplicationCommonPolicies(ctx, c.Store, appModel)
 	if err != nil {
 		return nil, err
 	}
-	policy.EnvName = env.Name
-	envPolicies, err := c.Store.List(ctx, &policy, &datastore.ListOptions{})
+	envPolicies, err := repository.ListApplicationEnvPolicies(ctx, c.Store, appModel, env.Name)
 	if err != nil {
 		return nil, err
 	}
@@ -903,8 +877,7 @@ func (c *applicationServiceImpl) renderOAMApplication(ctx context.Context, appMo
 		app.Spec.Components = append(app.Spec.Components, bc)
 	}
 
-	for _, entity := range policies {
-		policy := entity.(*model.ApplicationPolicy)
+	for _, policy := range policies {
 		appPolicy := v1beta1.AppPolicy{
 			Name: policy.Name,
 			Type: policy.Type,

pkg/apiserver/domain/service/application_test.go

@@ -40,7 +40,6 @@ import (
 	"github.com/oam-dev/kubevela/pkg/apiserver/domain/repository"
 	"github.com/oam-dev/kubevela/pkg/apiserver/infrastructure/datastore"
 	v1 "github.com/oam-dev/kubevela/pkg/apiserver/interfaces/api/dto/v1"
-	"github.com/oam-dev/kubevela/pkg/apiserver/utils"
 	"github.com/oam-dev/kubevela/pkg/apiserver/utils/bcode"
 	"github.com/oam-dev/kubevela/pkg/oam"
 	"github.com/oam-dev/kubevela/pkg/oam/util"
@@ -78,7 +77,7 @@ var _ = Describe("Test application service function", func() {
 		projectService = &projectServiceImpl{Store: ds, K8sClient: k8sClient, RbacService: rbacService}
 		envService = &envServiceImpl{Store: ds, KubeClient: k8sClient, ProjectService: projectService}
 		workflowService = &workflowServiceImpl{Store: ds, EnvService: envService}
-		definitionService = &definitionServiceImpl{KubeClient: k8sClient, caches: utils.NewMemoryCacheStore(context.Background())}
+		definitionService = &definitionServiceImpl{KubeClient: k8sClient}
 		envBindingService = &envBindingServiceImpl{Store: ds, EnvService: envService, WorkflowService: workflowService, KubeClient: k8sClient, DefinitionService: definitionService}
 		targetService = &targetServiceImpl{Store: ds, K8sClient: k8sClient}
 		appService = &applicationServiceImpl{

pkg/apiserver/domain/service/cluster_test.go

@@ -60,7 +60,10 @@ var _ = Describe("Test cluster service function", func() {
 		secret.Name = name
 		secret.Namespace = prismclusterv1alpha1.StorageNamespace
 		secret.SetAnnotations(map[string]string{prismclusterv1alpha1.AnnotationClusterAlias: alias})
-		secret.SetLabels(map[string]string{clustergatewaycommon.LabelKeyClusterCredentialType: string(clustergatewayv1alpha1.CredentialTypeX509Certificate)})
+		secret.SetLabels(map[string]string{
+			clustergatewaycommon.LabelKeyClusterEndpointType:   string(clustergatewayv1alpha1.ClusterEndpointTypeConst),
+			clustergatewaycommon.LabelKeyClusterCredentialType: string(clustergatewayv1alpha1.CredentialTypeX509Certificate),
+		})
 		time.Sleep(time.Second)
 		return k8sClient.Create(ctx, secret)
 	}

pkg/apiserver/domain/service/config.go

@@ -463,6 +463,8 @@ func destroySyncConfigsApp(ctx context.Context, k8sClient client.Client, project
 		if !kerrors.IsNotFound(err) {
 			return err
 		}
+		klog.InfoS("config sync application doesn't exist, no need destroy", "application", name)
+		return nil
 	}
 	return k8sClient.Delete(ctx, app)
 }

pkg/apiserver/domain/service/definition.go

@@ -21,7 +21,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"sort"
-	"time"
 
 	"github.com/getkin/kin-openapi/openapi3"
 	"github.com/pkg/errors"
@@ -53,9 +52,11 @@ type DefinitionService interface {
 	UpdateDefinitionStatus(ctx context.Context, name string, status apisv1.UpdateDefinitionStatusRequest) (*apisv1.DetailDefinitionResponse, error)
 }
 
+// DefinitionHidden means the definition can not be used in VelaUX
+const DefinitionHidden = "true"
+
 type definitionServiceImpl struct {
 	KubeClient client.Client `inject:"kubeClient"`
-	caches     *utils.MemoryCacheStore
 }
 
 // DefinitionQueryOption define a set of query options
@@ -80,7 +81,7 @@ const (
 
 // NewDefinitionService new definition service
 func NewDefinitionService() DefinitionService {
-	return &definitionServiceImpl{caches: utils.NewMemoryCacheStore(context.Background())}
+	return &definitionServiceImpl{}
 }
 
 func (d *definitionServiceImpl) ListDefinitions(ctx context.Context, ops DefinitionQueryOption) ([]*apisv1.DefinitionBase, error) {
@@ -95,9 +96,6 @@ func (d *definitionServiceImpl) ListDefinitions(ctx context.Context, ops Definit
 }
 
 func (d *definitionServiceImpl) listDefinitions(ctx context.Context, list *unstructured.UnstructuredList, kind string, ops DefinitionQueryOption) ([]*apisv1.DefinitionBase, error) {
-	if mc := d.caches.Get(ops.String()); mc != nil {
-		return mc.([]*apisv1.DefinitionBase), nil
-	}
 	matchLabels := metav1.LabelSelector{
 		MatchExpressions: []metav1.LabelSelectorRequirement{
 			{
@@ -146,9 +144,6 @@ func (d *definitionServiceImpl) listDefinitions(ctx context.Context, list *unstr
 		}
 		defs = append(defs, definition)
 	}
-	if ops.AppliedWorkloads == "" {
-		d.caches.Put(ops.String(), defs, time.Minute*3)
-	}
 	return defs, nil
 }
 
@@ -240,30 +235,27 @@ func (d *definitionServiceImpl) DetailDefinition(ctx context.Context, name, defT
 	if err := d.KubeClient.Get(ctx, k8stypes.NamespacedName{
 		Namespace: types.DefaultKubeVelaNS,
 		Name:      fmt.Sprintf("%s-schema-%s", defType, name),
-	}, &cm); err != nil {
-		if apierrors.IsNotFound(err) {
-			return nil, bcode.ErrDefinitionNoSchema
-		}
+	}, &cm); err != nil && !apierrors.IsNotFound(err) {
 		return nil, err
 	}
 
-	data, ok := cm.Data[types.OpenapiV3JSONSchema]
-	if !ok {
-		return nil, bcode.ErrDefinitionNoSchema
-	}
-	schema := &openapi3.Schema{}
-	if err := schema.UnmarshalJSON([]byte(data)); err != nil {
-		return nil, err
-	}
-	// render default ui schema
-	defaultUISchema := renderDefaultUISchema(schema)
-	// patch from custom ui schema
-	customUISchema := d.renderCustomUISchema(ctx, name, defType, defaultUISchema)
-	return &apisv1.DetailDefinitionResponse{
+	definition := &apisv1.DetailDefinitionResponse{
 		DefinitionBase: *base,
-		APISchema:      schema,
-		UISchema:       customUISchema,
-	}, nil
+	}
+	data, ok := cm.Data[types.OpenapiV3JSONSchema]
+	if ok {
+		schema := &openapi3.Schema{}
+		if err := schema.UnmarshalJSON([]byte(data)); err != nil {
+			return nil, err
+		}
+		definition.APISchema = schema
+		// render default ui schema
+		defaultUISchema := renderDefaultUISchema(schema)
+		// patch from custom ui schema
+		definition.UISchema = d.renderCustomUISchema(ctx, name, defType, defaultUISchema)
+	}
+
+	return definition, nil
 }
 
 func (d *definitionServiceImpl) renderCustomUISchema(ctx context.Context, name, defType string, defaultSchema []*utils.UIParameter) []*utils.UIParameter {
@@ -355,7 +347,7 @@ func (d *definitionServiceImpl) UpdateDefinitionStatus(ctx context.Context, name
 	}
 	if !exist && update.HiddenInUI {
 		labels := def.GetLabels()
-		labels[types.LabelDefinitionHidden] = "true"
+		labels[types.LabelDefinitionHidden] = DefinitionHidden
 		def.SetLabels(labels)
 		if err := d.KubeClient.Update(ctx, def); err != nil {
 			return nil, err

pkg/apiserver/domain/service/definition_test.go

@@ -44,7 +44,7 @@ var _ = Describe("Test namespace service functions", func() {
 	)
 
 	BeforeEach(func() {
-		definitionService = &definitionServiceImpl{KubeClient: k8sClient, caches: utils.NewMemoryCacheStore(context.TODO())}
+		definitionService = &definitionServiceImpl{KubeClient: k8sClient}
 		err := k8sClient.Create(context.Background(), &corev1.Namespace{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "vela-system",
@@ -215,7 +215,6 @@ var _ = Describe("Test namespace service functions", func() {
 	It("Test update ui schema", func() {
 		du := &definitionServiceImpl{
 			KubeClient: k8sClient,
-			caches:     utils.NewMemoryCacheStore(context.Background()),
 		}
 		cdata, err := ioutil.ReadFile("./testdata/workflowstep-apply-object.yaml")
 		Expect(err).Should(Succeed())
@@ -235,7 +234,6 @@ var _ = Describe("Test namespace service functions", func() {
 	It("Test update status of the definition", func() {
 		du := &definitionServiceImpl{
 			KubeClient: k8sClient,
-			caches:     utils.NewMemoryCacheStore(context.Background()),
 		}
 		detail, err := du.UpdateDefinitionStatus(context.TODO(), "apply-object", v1.UpdateDefinitionStatusRequest{
 			DefinitionType: "workflowstep",

pkg/apiserver/domain/service/envbinding.go

@@ -204,10 +204,7 @@ func (e *envBindingServiceImpl) DeleteEnvBinding(ctx context.Context, appModel *
 	}
 
 	// delete the topology and env-bindings policies
-	if err := e.Store.Delete(ctx, &model.ApplicationPolicy{AppPrimaryKey: appModel.PrimaryKey(), EnvName: envName}); err != nil && !errors.Is(err, datastore.ErrRecordNotExist) {
-		return fmt.Errorf("fail to clear the policies belong to the env %w", err)
-	}
-	return nil
+	return repository.DeleteApplicationEnvPolicies(ctx, e.Store, appModel, envName)
 }
 
 func (e *envBindingServiceImpl) BatchDeleteEnvBinding(ctx context.Context, app *model.Application) error {

pkg/apiserver/domain/service/envbinding_test.go

@@ -27,7 +27,6 @@ import (
 	"github.com/oam-dev/kubevela/pkg/apiserver/domain/repository"
 	"github.com/oam-dev/kubevela/pkg/apiserver/infrastructure/datastore"
 	apisv1 "github.com/oam-dev/kubevela/pkg/apiserver/interfaces/api/dto/v1"
-	"github.com/oam-dev/kubevela/pkg/apiserver/utils"
 )
 
 var _ = Describe("Test envBindingService functions", func() {
@@ -54,7 +53,7 @@ var _ = Describe("Test envBindingService functions", func() {
 		projectService := &projectServiceImpl{Store: ds, K8sClient: k8sClient, RbacService: rbacService}
 		envService = &envServiceImpl{Store: ds, KubeClient: k8sClient, ProjectService: projectService}
 		workflowService = &workflowServiceImpl{Store: ds, KubeClient: k8sClient, EnvService: envService}
-		definitionService = &definitionServiceImpl{KubeClient: k8sClient, caches: utils.NewMemoryCacheStore(context.TODO())}
+		definitionService = &definitionServiceImpl{KubeClient: k8sClient}
 		envBindingService = &envBindingServiceImpl{Store: ds, WorkflowService: workflowService, DefinitionService: definitionService, KubeClient: k8sClient, EnvService: envService}
 		envBindingDemo1 = apisv1.EnvBinding{
 			Name: "envbinding-dev",
@@ -99,7 +98,7 @@ var _ = Describe("Test envBindingService functions", func() {
 		Expect(err).Should(BeNil())
 		Expect(cmp.Diff(base.Name, req.Name)).Should(BeEmpty())
 
-		By("auto create two workflow")
+		By("test the auto created workflow")
 		workflow, err := workflowService.GetWorkflow(context.TODO(), testApp, repository.ConvertWorkflowName("envbinding-dev"))
 		Expect(err).Should(BeNil())
 		Expect(cmp.Diff(workflow.Steps[0].Name, "dev-target")).Should(BeEmpty())
@@ -139,15 +138,19 @@ var _ = Describe("Test envBindingService functions", func() {
 		Expect(err).Should(BeNil())
 		_, err = workflowService.GetWorkflow(context.TODO(), testApp, repository.ConvertWorkflowName("envbinding-dev"))
 		Expect(err).ShouldNot(BeNil())
+
 		err = envBindingService.DeleteEnvBinding(context.TODO(), testApp, "envbinding-prod")
 		Expect(err).Should(BeNil())
 		_, err = workflowService.GetWorkflow(context.TODO(), testApp, repository.ConvertWorkflowName("envbinding-prod"))
 		Expect(err).ShouldNot(BeNil())
+		policies, err := repository.ListApplicationPolicies(context.TODO(), ds, testApp)
+		Expect(err).Should(BeNil())
+		Expect(len(policies)).Should(Equal(0))
 	})
 
 	It("Test Application BatchCreateEnv function", func() {
 		testBatchApp := &model.Application{
-			Name: "test-batch-createt",
+			Name: "test-batch-created",
 		}
 		err := envBindingService.BatchCreateEnvBinding(context.TODO(), testBatchApp, apisv1.EnvBindingList{&envBindingDemo1, &envBindingDemo2})
 		Expect(err).Should(BeNil())

pkg/apiserver/domain/service/image.go

@@ -0,0 +1,228 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package service
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/google/go-containerregistry/pkg/v1/remote/transport"
+
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/oam-dev/kubevela/apis/types"
+	v1 "github.com/oam-dev/kubevela/pkg/apiserver/interfaces/api/dto/v1"
+	"github.com/oam-dev/kubevela/pkg/apiserver/utils/log"
+)
+
+// NewImageService create a image service instance
+func NewImageService() ImageService {
+	return &imageImpl{}
+}
+
+// ImageService the image service provide some handler functions about the docker image
+type ImageService interface {
+	ListImageRepos(ctx context.Context, project string) ([]v1.ImageRegistry, error)
+	GetImageInfo(ctx context.Context, project, secretName, imageName string) v1.ImageInfo
+}
+
+type imageImpl struct {
+	K8sClient client.Client `inject:"kubeClient"`
+}
+
+// ListImageRepos list the image repositories via user configuration
+func (i *imageImpl) ListImageRepos(ctx context.Context, project string) ([]v1.ImageRegistry, error) {
+	var secrets corev1.SecretList
+	if err := i.K8sClient.List(ctx, &secrets, client.InNamespace(types.DefaultKubeVelaNS),
+		client.MatchingLabels{
+			types.LabelConfigCatalog: types.VelaCoreConfig,
+			types.LabelConfigType:    types.ImageRegistry,
+		}); err != nil {
+		return nil, err
+	}
+	var repos []v1.ImageRegistry
+	for _, secret := range secrets.Items {
+		if secret.Labels[types.LabelConfigProject] == "" || secret.Labels[types.LabelConfigProject] == project {
+			repos = append(repos, v1.ImageRegistry{
+				Name:       secret.Name,
+				SecretName: secret.Name,
+				Domain:     secret.Labels[types.LabelConfigIdentifier],
+			})
+		}
+	}
+	return repos, nil
+}
+
+// GetImageInfo get the image info from image registry
+func (i *imageImpl) GetImageInfo(ctx context.Context, project, secretName, imageName string) v1.ImageInfo {
+	var imageInfo = v1.ImageInfo{
+		Name: imageName,
+	}
+	ref, err := name.ParseReference(imageName)
+	if err != nil {
+		imageInfo.Message = "The image name is invalid"
+		return imageInfo
+	}
+	registryDomain := ref.Context().RegistryStr()
+	imageInfo.Registry = registryDomain
+	var secrets corev1.SecretList
+	if err := i.K8sClient.List(ctx, &secrets, client.InNamespace(types.DefaultKubeVelaNS),
+		client.MatchingLabels{
+			types.LabelConfigCatalog:    types.VelaCoreConfig,
+			types.LabelConfigType:       types.ImageRegistry,
+			types.LabelConfigIdentifier: registryDomain,
+		}); err != nil {
+		log.Logger.Warnf("fail to list the docker registries, %s", err.Error())
+	}
+	var selectSecret []*corev1.Secret
+	var selectSecretNames []string
+	// get info with specified secret
+	if secretName != "" {
+		for i, secret := range secrets.Items {
+			if secret.Labels[types.LabelConfigProject] == "" || secret.Labels[types.LabelConfigProject] == project {
+				if secretName == secret.Name {
+					selectSecret = append(selectSecret, &secrets.Items[i])
+					selectSecretNames = append(selectSecretNames, secret.Name)
+					break
+				}
+			}
+		}
+	}
+
+	// get info with the secret which match the registry domain
+	if selectSecret == nil {
+		for i, secret := range secrets.Items {
+			if secret.Labels[types.LabelConfigProject] == "" || secret.Labels[types.LabelConfigProject] == project {
+				if secret.Labels[types.LabelConfigIdentifier] == registryDomain {
+					selectSecret = append(selectSecret, &secrets.Items[i])
+					selectSecretNames = append(selectSecretNames, secret.Name)
+				}
+			}
+		}
+	}
+	var username, password string
+	var insecure = false
+	var useHTTP = false
+	imageInfo.SecretNames = selectSecretNames
+	if len(selectSecret) > 0 {
+		insecure, useHTTP, username, password = getAccountFromSecret(*selectSecret[0], registryDomain)
+	}
+	err = getImageInfo(imageName, insecure, useHTTP, username, password, &imageInfo)
+	if err != nil {
+		imageInfo.Message = fmt.Sprintf("Fail to get the image info:%s", err.Error())
+	}
+	return imageInfo
+}
+
+// getAccountFromSecret get the username and password from the secret of `kubernetes.io/dockerconfigjson` type
+// refer: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+func getAccountFromSecret(secret corev1.Secret, registryDomain string) (insecure, useHTTP bool, username, password string) {
+	if secret.Data != nil {
+		// If users use the self-signed certificate, enable the insecure-skip-verify
+		insecure = string(secret.Data["insecure-skip-verify"]) == "true"
+		useHTTP = string(secret.Data["protocol-use-http"]) == "true"
+		conf := secret.Data[".dockerconfigjson"]
+		if len(conf) > 0 {
+			var authConfig map[string]map[string]map[string]string
+			if err := json.Unmarshal(conf, &authConfig); err != nil {
+				log.Logger.Warnf("fail to unmarshal the secret %s , %s", secret.Name, err.Error())
+				return
+			}
+			if authConfig != nil && authConfig["auths"] != nil && authConfig["auths"][registryDomain] != nil {
+				data := authConfig["auths"][registryDomain]
+				username = data["username"]
+				password = data["password"]
+			}
+		}
+	}
+	return
+}
+
+func getImageInfo(imageName string, insecure, useHTTP bool, username, password string, info *v1.ImageInfo) error {
+	var options []remote.Option
+	if username != "" || password != "" {
+		basic := &authn.Basic{
+			Username: username,
+			Password: password,
+		}
+		options = append(options, remote.WithAuth(basic))
+	}
+	if insecure {
+		options = append(options, remote.WithTransport(&http.Transport{
+			Proxy: http.ProxyFromEnvironment,
+			DialContext: (&net.Dialer{
+				// By default we wrap the transport in retries, so reduce the
+				// default dial timeout to 5s to avoid 5x 30s of connection
+				// timeouts when doing the "ping" on certain http registries.
+				Timeout:   5 * time.Second,
+				KeepAlive: 30 * time.Second,
+			}).DialContext,
+			ForceAttemptHTTP2:     true,
+			MaxIdleConns:          100,
+			IdleConnTimeout:       90 * time.Second,
+			TLSHandshakeTimeout:   10 * time.Second,
+			ExpectContinueTimeout: 1 * time.Second,
+			// #nosec G402
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: insecure},
+		}))
+	}
+
+	var parseOptions []name.Option
+	if useHTTP {
+		parseOptions = append(parseOptions, name.Insecure)
+	}
+	var err error
+	ref, err := name.ParseReference(imageName, parseOptions...)
+	if err != nil {
+		return err
+	}
+	image, err := remote.Image(ref, options...)
+	if err != nil {
+		if strings.Contains(err.Error(), "incorrect username or password") {
+			return fmt.Errorf("incorrect username or password")
+		}
+		var terr *transport.Error
+		if errors.As(err, &terr) {
+			fmt.Println(terr)
+		}
+		return err
+	}
+	info.Manifest, err = image.Manifest()
+	if err != nil {
+		return fmt.Errorf("fail to get the manifest:%w", err)
+	}
+	info.Info, err = image.ConfigFile()
+	if err != nil {
+		return fmt.Errorf("fail to get the config:%w", err)
+	}
+	for _, l := range info.Manifest.Layers {
+		info.Size += l.Size
+	}
+	info.Size += info.Manifest.Config.Size
+	return nil
+}

pkg/apiserver/domain/service/image_test.go

@@ -0,0 +1,67 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package service
+
+import (
+	"testing"
+
+	"gotest.tools/assert"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	velatypes "github.com/oam-dev/kubevela/apis/types"
+	v1 "github.com/oam-dev/kubevela/pkg/apiserver/interfaces/api/dto/v1"
+)
+
+func TestGetImageInfo(t *testing.T) {
+
+	s2 := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "s2",
+			Namespace: velatypes.DefaultKubeVelaNS,
+			Labels: map[string]string{
+				velatypes.LabelConfigCatalog:    velatypes.VelaCoreConfig,
+				velatypes.LabelConfigType:       velatypes.ImageRegistry,
+				velatypes.LabelConfigProject:    "",
+				velatypes.LabelConfigIdentifier: "index.docker.io",
+			},
+		},
+		Data: map[string][]byte{
+			"insecure-skip-verify": []byte("true"),
+			".dockerconfigjson":    []byte(`{"auths":{"index.docker.io":{"auth":"aHlicmlkY2xvdWRAcHJvZC5YTEyMw==","username":"xxx","password":"yyy"}}}`),
+		},
+	}
+
+	insecure, useHTTP, user, pass := getAccountFromSecret(*s2, "index.docker.io")
+	assert.DeepEqual(t, user, "xxx")
+	assert.DeepEqual(t, pass, "yyy")
+	assert.DeepEqual(t, insecure, true)
+	assert.DeepEqual(t, useHTTP, false)
+
+	var cf v1.ImageInfo
+	// Test the public image
+	err := getImageInfo("nginx", false, false, "", "", &cf)
+	assert.DeepEqual(t, err, nil)
+	assert.DeepEqual(t, cf.Info.Config.Entrypoint, []string{"/docker-entrypoint.sh"})
+
+	// Test the private image
+	err = getImageInfo("nginx424ru823-should-not-existed", false, false, "abc", "efg", &cf)
+	assert.DeepEqual(t, err.Error(), "incorrect username or password")
+
+	err = getImageInfo("text.registry/test-image", false, false, "", "", &cf)
+	assert.DeepEqual(t, err != nil, true)
+}