Feat: change health check resource fetch order (#5190)

Signed-off-by: Somefive <yd219913@alibaba-inc.com>

Signed-off-by: Somefive <yd219913@alibaba-inc.com>

.github/CODEOWNERS

@@ -1,7 +1,7 @@
 # This file is a github code protect rule follow the codeowners https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/creating-a-repository-on-github/about-code-owners#example-of-a-codeowners-file
 
-*                                  @barnettZQG @wonderflow @leejanee @Somefive @jefree-cat
-design/                            @barnettZQG @leejanee @wonderflow @Somefive @jefree-cat
+*                                  @barnettZQG @wonderflow @leejanee @Somefive @jefree-cat @FogDong
+design/                            @barnettZQG @leejanee @wonderflow @Somefive @jefree-cat @FogDong
 
 # Owner of Core Controllers
 pkg/controller/core.oam.dev       @Somefive @FogDong @barnettZQG @wonderflow
@@ -21,7 +21,7 @@ pkg/controller/common/rollout/     @wangyikewxgm @wonderflow
 runtime/rollout                    @wangyikewxgm @wonderflow
 
 # Owner of vela templates
-vela-templates/                     @Somefive @barnettZQG @wonderflow
+vela-templates/                     @Somefive @barnettZQG @wonderflow @FogDong
 
 # Owner of vela CLI
 references/cli/                     @Somefive @zzxwill @StevenLeiZhang @charlie0129 @chivalryq

.github/workflows/apiserver-test.yml

@@ -19,8 +19,6 @@ env:
   # Common versions
   GO_VERSION: '1.19'
   GOLANGCI_VERSION: 'v1.49'
-  K3D_IMAGE_VERSION: '[\"v1.20\",\"v1.24\"]'
-  K3D_IMAGE_VERSIONS: '[\"v1.20\",\"v1.24\"]'
 
 jobs:
 
@@ -31,26 +29,12 @@ jobs:
     steps:
       - name: Detect No-op Changes
         id: noop
-        uses: fkirc/skip-duplicate-actions@v4.0.0
+        uses: fkirc/skip-duplicate-actions@v5
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
           do_not_skip: '["workflow_dispatch", "schedule", "push"]'
-          concurrent_skipping: false
-
-  set-k8s-matrix:
-    runs-on: ubuntu-20.04
-    outputs:
-      matrix: ${{ steps.set-k8s-matrix.outputs.matrix }}
-    steps:
-      - id: set-k8s-matrix
-        run: |
-          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
-            echo "pushing tag: ${{ github.ref_name }}"
-            echo "::set-output name=matrix::${{ env.K3D_IMAGE_VERSIONS }}"
-          else
-            echo "::set-output name=matrix::${{ env.K3D_IMAGE_VERSION }}"
-          fi
+        continue-on-error: true
 
   apiserver-unit-tests:
     runs-on: ubuntu-20.04
@@ -59,18 +43,18 @@ jobs:
 
     steps:
       - name: Set up Go
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GO_VERSION }}
         id: go
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           submodules: true
 
       - name: Cache Go Dependencies
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: .work/pkg
           key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
@@ -81,10 +65,11 @@ jobs:
           sudo apt-get install -y golang-ginkgo-dev
 
       - name: Start MongoDB
-        uses: supercharge/mongodb-github-action@1.7.0
+        uses: supercharge/mongodb-github-action@1.8.0
         with:
           mongodb-version: '5.0'
 
+        # TODO need update action version to resolve node 12 deprecated.
       - name: install Kubebuilder
         uses: RyanSiu1995/kubebuilder-action@v1.2
         with:
@@ -96,7 +81,7 @@ jobs:
         run: make unit-test-apiserver
 
       - name: Upload coverage report
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@v3
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           file: ./coverage.txt
@@ -105,24 +90,24 @@ jobs:
 
   apiserver-e2e-tests:
     runs-on: aliyun
-    needs: [ detect-noop,set-k8s-matrix ]
+    needs: [ detect-noop ]
     if: needs.detect-noop.outputs.noop != 'true'
     strategy:
       matrix:
-        k8s-version: ${{ fromJson(needs.set-k8s-matrix.outputs.matrix) }}
+        k8s-version: ["v1.20","v1.24"]
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
       cancel-in-progress: true
 
     steps:
       - name: Set up Go
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GO_VERSION }}
         id: go
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           submodules: true
 
@@ -144,7 +129,7 @@ jobs:
           echo "EGRESS_ARG=${EGRESS_ARG}" >> $GITHUB_ENV 
 
       - name: Setup K3d (Hub)
-        uses: nolar/setup-k3d-k3s@v1.0.8
+        uses: nolar/setup-k3d-k3s@v1.0.9
         with:
           version: ${{ matrix.k8s-version }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -152,7 +137,7 @@ jobs:
 
 
       - name: Setup K3d (Worker)
-        uses: nolar/setup-k3d-k3s@v1.0.8
+        uses: nolar/setup-k3d-k3s@v1.0.9
         with:
           version: ${{ matrix.k8s-version }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -176,7 +161,7 @@ jobs:
           make e2e-cleanup
           make e2e-setup-core
           bin/vela addon enable fluxcd
-          bin/vela addon enable vela-workflow
+          bin/vela addon enable vela-workflow --override-definitions
           timeout 600s bash -c -- 'while true; do kubectl get ns flux-system; if [ $? -eq 0 ] ; then break; else sleep 5; fi;done'
           kubectl wait --for=condition=Ready pod -l app.kubernetes.io/name=vela-core,app.kubernetes.io/instance=kubevela -n vela-system --timeout=600s
           kubectl wait --for=condition=Ready pod -l app=source-controller -n flux-system --timeout=600s
@@ -194,7 +179,7 @@ jobs:
         run: make end-e2e-core
 
       - name: Upload coverage report
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@v3
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: /tmp/e2e_apiserver_test.out

.github/workflows/back-port.yml

@@ -4,19 +4,25 @@ on:
     types:
       - closed
 
+permissions:
+  contents: read
+
 jobs:
   # align with crossplane's choice https://github.com/crossplane/crossplane/blob/master/.github/workflows/backport.yml
   open-pr:
     runs-on: ubuntu-20.04
     if: github.event.pull_request.merged
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
       - name: Open Backport PR
-        uses: zeebe-io/backport-action@v0.0.6
+        uses: zeebe-io/backport-action@v0.0.9
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           github_workspace: ${{ github.workspace }}

.github/workflows/chart.yml

@@ -6,6 +6,9 @@ on:
       - "v*"
   workflow_dispatch: { }
 
+permissions:
+  contents: read
+
 env:
   BUCKET: ${{ secrets.OSS_BUCKET }}
   ENDPOINT: ${{ secrets.OSS_ENDPOINT }}
@@ -28,18 +31,18 @@ jobs:
       VELA_ROLLOUT_HELM_CHART_NAME: vela-rollout
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@v3
       - name: Get git revision
         id: vars
         shell: bash
         run: |
-          echo "::set-output name=git_revision::$(git rev-parse --short HEAD)"
+          echo "git_revision=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
       - name: Install Helm
-        uses: azure/setup-helm@v1
+        uses: azure/setup-helm@v3
         with:
           version: v3.4.0
       - name: Setup node
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v3
         with:
           node-version: '14'
       - name: Generate helm doc
@@ -56,7 +59,7 @@ jobs:
         id: get_version
         run: |
           VERSION=${GITHUB_REF#refs/tags/}
-          echo ::set-output name=VERSION::${VERSION}
+          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
       - name: Tag helm chart image
         run: |
           image_tag=${{ steps.get_version.outputs.VERSION }}

.github/workflows/codeql-analysis.yml

@@ -4,11 +4,18 @@ on:
   push:
     branches: [ master, release-* ]
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
 
+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      security-events: write  # for github/codeql-action/autobuild to send a status report
+
     strategy:
       fail-fast: false
       matrix:
@@ -16,15 +23,15 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v2
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v2
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2

.github/workflows/commit-lint.yml

@@ -8,11 +8,14 @@ on:
       - labeled
       - unlabeled
 
+permissions:
+  pull-requests: read
+
 jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: thehanimo/pr-title-checker@v1.3.1
+      - uses: thehanimo/pr-title-checker@v1.3.5
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           pass_on_octokit_error: true

.github/workflows/core-api-test.yml

@@ -0,0 +1,41 @@
+name: core-api-test
+on:
+  pull_request:
+    paths:
+      - 'apis/**'
+      - 'pkg/oam/**'
+      - "hack/apis/**"
+    branches:
+      - master
+      - release-*
+
+permissions:
+  contents: read
+
+jobs:
+  core-api-test:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Set up Go 1.19
+        uses: actions/setup-go@v3
+        env:
+          GO_VERSION: '1.19'
+          GOLANGCI_VERSION: 'v1.49'
+        with:
+          go-version: ${{ env.GO_VERSION }}
+        id: go
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v3
+
+      - name: Get the version
+        id: get_version
+        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+
+      - name: Test build kubevela-core-api
+        env:
+          VERSION: ${{ steps.get_version.outputs.VERSION }}
+          COMMIT_ID: ${{ github.sha }}
+        run: |
+          bash ./hack/apis/clientgen.sh
+          bash ./hack/apis/sync.sh test

.github/workflows/definition-lint.yml

@@ -11,6 +11,9 @@ on:
       - master
       - release-*
 
+permissions:
+  contents: read
+
 env:
   # Common versions
   GO_VERSION: '1.19'

.github/workflows/e2e-multicluster-test.yml

@@ -13,51 +13,39 @@ on:
       - master
       - release-*
 
+permissions:
+  contents: read
+
 env:
   # Common versions
   GO_VERSION: '1.19'
   GOLANGCI_VERSION: 'v1.49'
-  K3D_IMAGE_VERSION: '[\"v1.20\",\"v1.24\"]'
-  K3D_IMAGE_VERSIONS: '[\"v1.20\",\"v1.24\"]'
 
 jobs:
 
   detect-noop:
+    permissions:
+      actions: write
     runs-on: ubuntu-20.04
     outputs:
       noop: ${{ steps.noop.outputs.should_skip }}
     steps:
       - name: Detect No-op Changes
         id: noop
-        uses: fkirc/skip-duplicate-actions@v4.0.0
+        uses: fkirc/skip-duplicate-actions@v5
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
           do_not_skip: '["workflow_dispatch", "schedule", "push"]'
-          concurrent_skipping: false
-
-  set-k8s-matrix:
-    runs-on: ubuntu-20.04
-    outputs:
-      matrix: ${{ steps.set-k8s-matrix.outputs.matrix }}
-    steps:
-      - id: set-k8s-matrix
-        run: |
-          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
-            echo "pushing tag: ${{ github.ref_name }}"
-            echo "::set-output name=matrix::${{ env.K3D_IMAGE_VERSIONS }}"
-          else
-            echo "::set-output name=matrix::${{ env.K3D_IMAGE_VERSION }}"
-          fi
-
+        continue-on-error: true
 
   e2e-multi-cluster-tests:
     runs-on: aliyun
-    needs: [ detect-noop,set-k8s-matrix ]
+    needs: [ detect-noop ]
     if: needs.detect-noop.outputs.noop != 'true'
     strategy:
       matrix:
-        k8s-version: ${{ fromJson(needs.set-k8s-matrix.outputs.matrix) }}
+        k8s-version: ["v1.20","v1.24"]
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
       cancel-in-progress: true
@@ -65,10 +53,10 @@ jobs:
 
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GO_VERSION }}
 
@@ -90,14 +78,14 @@ jobs:
           echo "EGRESS_ARG=${EGRESS_ARG}" >> $GITHUB_ENV 
 
       - name: Setup K3d (Hub)
-        uses: nolar/setup-k3d-k3s@v1.0.8
+        uses: nolar/setup-k3d-k3s@v1.0.9
         with:
           version: ${{ matrix.k8s-version }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
           k3d-args: ${{ env.EGRESS_ARG }}
 
       - name: Setup K3d (Worker)
-        uses: nolar/setup-k3d-k3s@v1.0.8
+        uses: nolar/setup-k3d-k3s@v1.0.9
         with:
           version: ${{ matrix.k8s-version }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -130,7 +118,7 @@ jobs:
         run: make end-e2e-core
 
       - name: Upload coverage report
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@v3
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: /tmp/e2e-profile.out,/tmp/e2e_multicluster_test.out

.github/workflows/e2e-rollout-test.yml

@@ -13,50 +13,39 @@ on:
       - master
       - release-*
 
+permissions:
+  contents: read
+
 env:
   # Common versions
   GO_VERSION: '1.19'
   GOLANGCI_VERSION: 'v1.49'
-  K3D_IMAGE_VERSION: '[\"v1.20\",\"v1.24\"]'
-  K3D_IMAGE_VERSIONS: '[\"v1.20\",\"v1.24\"]'
 
 jobs:
 
   detect-noop:
+    permissions:
+      actions: write
     runs-on: ubuntu-20.04
     outputs:
       noop: ${{ steps.noop.outputs.should_skip }}
     steps:
       - name: Detect No-op Changes
         id: noop
-        uses: fkirc/skip-duplicate-actions@v4.0.0
+        uses: fkirc/skip-duplicate-actions@v5
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
           do_not_skip: '["workflow_dispatch", "schedule", "push"]'
-          concurrent_skipping: false
-
-  set-k8s-matrix:
-    runs-on: ubuntu-20.04
-    outputs:
-      matrix: ${{ steps.set-k8s-matrix.outputs.matrix }}
-    steps:
-      - id: set-k8s-matrix
-        run: |
-          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
-            echo "pushing tag: ${{ github.ref_name }}"
-            echo "::set-output name=matrix::${{ env.K3D_IMAGE_VERSIONS }}"
-          else
-            echo "::set-output name=matrix::${{ env.K3D_IMAGE_VERSION }}"
-          fi
+        continue-on-error: true
 
   e2e-rollout-tests:
     runs-on: aliyun
-    needs: [ detect-noop,set-k8s-matrix ]
+    needs: [ detect-noop ]
     if: needs.detect-noop.outputs.noop != 'true'
     strategy:
       matrix:
-        k8s-version: ${{ fromJson(needs.set-k8s-matrix.outputs.matrix) }}
+        k8s-version: ["v1.20","v1.24"]
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
       cancel-in-progress: true
@@ -64,10 +53,10 @@ jobs:
 
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GO_VERSION }}
 
@@ -89,7 +78,7 @@ jobs:
           echo "EGRESS_ARG=${EGRESS_ARG}" >> $GITHUB_ENV 
 
       - name: Setup K3d
-        uses: nolar/setup-k3d-k3s@v1.0.8
+        uses: nolar/setup-k3d-k3s@v1.0.9
         with:
           version: ${{ matrix.k8s-version }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -113,7 +102,7 @@ jobs:
         run: make end-e2e
 
       - name: Upload coverage report
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@v3
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: /tmp/e2e-profile.out

.github/workflows/e2e-test.yml

@@ -13,50 +13,39 @@ on:
       - master
       - release-*
 
+permissions:
+  contents: read
+
 env:
   # Common versions
   GO_VERSION: '1.19'
   GOLANGCI_VERSION: 'v1.49'
-  K3D_IMAGE_VERSION: '[\"v1.20\",\"v1.24\"]'
-  K3D_IMAGE_VERSIONS: '[\"v1.20\",\"v1.24\"]'
 
 jobs:
 
   detect-noop:
+    permissions:
+      actions: write
     runs-on: ubuntu-20.04
     outputs:
       noop: ${{ steps.noop.outputs.should_skip }}
     steps:
       - name: Detect No-op Changes
         id: noop
-        uses: fkirc/skip-duplicate-actions@v4.0.0
+        uses: fkirc/skip-duplicate-actions@v5
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
           do_not_skip: '["workflow_dispatch", "schedule", "push"]'
-          concurrent_skipping: false
-
-  set-k8s-matrix:
-    runs-on: ubuntu-20.04
-    outputs:
-      matrix: ${{ steps.set-k8s-matrix.outputs.matrix }}
-    steps:
-      - id: set-k8s-matrix
-        run: |
-          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
-            echo "pushing tag: ${{ github.ref_name }}"
-            echo "::set-output name=matrix::${{ env.K3D_IMAGE_VERSIONS }}"
-          else
-            echo "::set-output name=matrix::${{ env.K3D_IMAGE_VERSION }}"
-          fi
+        continue-on-error: true
 
   e2e-tests:
     runs-on: aliyun
-    needs: [ detect-noop,set-k8s-matrix ]
+    needs: [ detect-noop ]
     if: needs.detect-noop.outputs.noop != 'true'
     strategy:
       matrix:
-        k8s-version: ${{ fromJson(needs.set-k8s-matrix.outputs.matrix) }}
+        k8s-version: ["v1.20","v1.24"]
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
       cancel-in-progress: true
@@ -64,10 +53,10 @@ jobs:
 
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GO_VERSION }}
 
@@ -89,7 +78,7 @@ jobs:
           echo "EGRESS_ARG=${EGRESS_ARG}" >> $GITHUB_ENV 
 
       - name: Setup K3d
-        uses: nolar/setup-k3d-k3s@v1.0.8
+        uses: nolar/setup-k3d-k3s@v1.0.9
         with:
           version: ${{ matrix.k8s-version }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -120,7 +109,7 @@ jobs:
         run: make end-e2e
 
       - name: Upload coverage report
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@v3
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: /tmp/e2e-profile.out

.github/workflows/go.yml

@@ -11,6 +11,9 @@ on:
       - master
       - release-*
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 env:
   # Common versions
   GO_VERSION: '1.19'
@@ -22,15 +25,17 @@ jobs:
     runs-on: ubuntu-20.04
     outputs:
       noop: ${{ steps.noop.outputs.should_skip }}
+    permissions:
+      actions: write
     steps:
       - name: Detect No-op Changes
         id: noop
-        uses: fkirc/skip-duplicate-actions@v4.0.0
+        uses: fkirc/skip-duplicate-actions@v5
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
           do_not_skip: '["workflow_dispatch", "schedule", "push"]'
-          concurrent_skipping: false
+        continue-on-error: true
 
   staticcheck:
     runs-on: ubuntu-20.04
@@ -39,17 +44,17 @@ jobs:
 
     steps:
       - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           submodules: true
 
       - name: Cache Go Dependencies
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: .work/pkg
           key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
@@ -68,20 +73,23 @@ jobs:
     runs-on: ubuntu-20.04
     needs: detect-noop
     if: needs.detect-noop.outputs.noop != 'true'
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
 
     steps:
       - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           submodules: true
 
       - name: Cache Go Dependencies
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: .work/pkg
           key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
@@ -103,17 +111,17 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           submodules: true
 
       - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Setup node
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v3
         with:
           node-version: '14'
 
@@ -121,7 +129,7 @@ jobs:
         run: go install honnef.co/go/tools/cmd/staticcheck@2022.1
 
       - name: Cache Go Dependencies
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: .work/pkg
           key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
@@ -149,17 +157,17 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           submodules: true
 
       - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Cache Go Dependencies
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: .work/pkg
           key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
@@ -173,3 +181,63 @@ jobs:
         run: |
           move .\bin\vela .\bin\vela.exe
           .\bin\vela.exe version
+
+  check-core-image-build:
+    runs-on: ubuntu-latest
+    needs: detect-noop
+    if: needs.detect-noop.outputs.noop != 'true'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          submodules: true
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Build Test for vela core
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          file: Dockerfile
+          platforms: linux/amd64,linux/arm64
+
+  check-apiserver-image-build:
+    runs-on: ubuntu-latest
+    needs: detect-noop
+    if: needs.detect-noop.outputs.noop != 'true'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          submodules: true
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Build Test for apiserver
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          file: Dockerfile.apiserver
+          platforms: linux/amd64,linux/arm64
+
+  check-cli-image-build:
+    runs-on: ubuntu-latest
+    needs: detect-noop
+    if: needs.detect-noop.outputs.noop != 'true'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          submodules: true
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Build Test for CLI
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          file: Dockerfile.cli
+          platforms: linux/amd64,linux/arm64

.github/workflows/issue-commands.yml

@@ -5,12 +5,15 @@ on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   bot:
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout Actions
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           repository: "oam-dev/kubevela-github-actions"
           path: ./actions
@@ -32,10 +35,13 @@ jobs:
   backport:
     runs-on: ubuntu-22.04
     if: github.event.issue.pull_request && contains(github.event.comment.body, '/backport')
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - name: Extract Command
         id: command
-        uses: xt0rted/slash-command-action@v1
+        uses: xt0rted/slash-command-action@v2
         with:
           repo-token: ${{ secrets.VELA_BOT_TOKEN }}
           command: backport
@@ -44,7 +50,7 @@ jobs:
           allow-edits: "false"
           permission-level: read
       - name: Handle Command
-        uses: actions/github-script@v4
+        uses: actions/github-script@v6
         env:
           VERSION: ${{ steps.command.outputs.command-arguments }}
         with:
@@ -69,7 +75,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: Open Backport PR
-        uses: zeebe-io/backport-action@v0.0.8
+        uses: zeebe-io/backport-action@v0.0.9
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           github_workspace: ${{ github.workspace }}

.github/workflows/license.yml

@@ -9,13 +9,16 @@ on:
     branches:
       - master
       - release-*
+      -
+permissions:
+  contents: read
 
 jobs:
   license_check:
     runs-on: ubuntu-latest
     name: Check for unapproved licenses
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:

.github/workflows/registry.yml

@@ -11,11 +11,16 @@ env:
   ACCESS_KEY: ${{ secrets.OSS_ACCESS_KEY }}
   ACCESS_KEY_SECRET: ${{ secrets.OSS_ACCESS_KEY_SECRET }}
 
+permissions:
+  contents: read
+
 jobs:
   publish-core-images:
+    permissions:
+      packages: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@v3
       - name: Get the version
         id: get_version
         run: |
@@ -23,36 +28,36 @@ jobs:
           if [[ ${GITHUB_REF} == "refs/heads/master" ]]; then
             VERSION=latest
           fi
-          echo ::set-output name=VERSION::${VERSION}
+          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
       - name: Get git revision
         id: vars
         shell: bash
         run: |
-          echo "::set-output name=git_revision::$(git rev-parse --short HEAD)"
+          echo "git_revision=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
       - name: Login ghcr.io
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Login docker.io
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           registry: docker.io
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Login Alibaba Cloud ACR
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           registry: ${{ secrets.ACR_DOMAIN }}
           username: ${{ secrets.ACR_USERNAME }}
           password: ${{ secrets.ACR_PASSWORD }}
-      - uses: docker/setup-qemu-action@v1
-      - uses: docker/setup-buildx-action@v1
+      - uses: docker/setup-qemu-action@v2
+      - uses: docker/setup-buildx-action@v2
         with:
           driver-opts: image=moby/buildkit:master
 
-      - uses: docker/build-push-action@v2
+      - uses: docker/build-push-action@v3
         name: Build & Pushing vela-core for Dockerhub, GHCR and ACR
         with:
           context: .
@@ -71,7 +76,7 @@ jobs:
             ghcr.io/${{ github.repository_owner }}/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
             ${{ secrets.ACR_DOMAIN }}/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
 
-      - uses: docker/build-push-action@v2
+      - uses: docker/build-push-action@v3
         name: Build & Pushing CLI for Dockerhub, GHCR and ACR
         with:
           context: .
@@ -91,9 +96,11 @@ jobs:
             ${{ secrets.ACR_DOMAIN }}/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}
 
   publish-addon-images:
+    permissions:
+      packages: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@v3
       - name: Get the version
         id: get_version
         run: |
@@ -101,36 +108,36 @@ jobs:
           if [[ ${GITHUB_REF} == "refs/heads/master" ]]; then
             VERSION=latest
           fi
-          echo ::set-output name=VERSION::${VERSION}
+          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
       - name: Get git revision
         id: vars
         shell: bash
         run: |
-          echo "::set-output name=git_revision::$(git rev-parse --short HEAD)"
+          echo "git_revision=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
       - name: Login ghcr.io
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Login docker.io
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           registry: docker.io
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Login Alibaba Cloud ACR
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           registry: ${{ secrets.ACR_DOMAIN }}
           username: ${{ secrets.ACR_USERNAME }}
           password: ${{ secrets.ACR_PASSWORD }}
-      - uses: docker/setup-qemu-action@v1
-      - uses: docker/setup-buildx-action@v1
+      - uses: docker/setup-qemu-action@v2
+      - uses: docker/setup-buildx-action@v2
         with:
           driver-opts: image=moby/buildkit:master
 
-      - uses: docker/build-push-action@v2
+      - uses: docker/build-push-action@v3
         name: Build & Pushing vela-apiserver for Dockerhub, GHCR and ACR
         with:
           context: .
@@ -149,7 +156,7 @@ jobs:
             ghcr.io/${{ github.repository_owner }}/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
             ${{ secrets.ACR_DOMAIN }}/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
 
-      - uses: docker/build-push-action@v2
+      - uses: docker/build-push-action@v3
         name: Build & Pushing runtime rollout Dockerhub, GHCR and ACR
         with:
           context: .
@@ -175,7 +182,7 @@ jobs:
       CAPABILITY_ENDPOINT: oss-cn-beijing.aliyuncs.com
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@v3
       - name: Install ossutil
         run: wget http://gosspublic.alicdn.com/ossutil/1.7.0/ossutil64 && chmod +x ossutil64 && mv ossutil64 ossutil
       - name: Configure Alibaba Cloud OSSUTIL

.github/workflows/release.yml

@@ -27,22 +27,22 @@ jobs:
       DIST_DIRS: find * -type d -exec
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
         with:
           go-version: 1.19
       - name: Get release
         id: get_release
-        uses: bruceadams/get-release@v1.2.2
+        uses: bruceadams/get-release@v1.3.2
       - name: Get version
         run: echo "VELA_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
       - name: Get matrix
         id: get_matrix
         run: |
           TARGETS=${{matrix.TARGETS}}
-          echo ::set-output name=OS::${TARGETS%/*}
-          echo ::set-output name=ARCH::${TARGETS#*/}
+          echo "OS=${TARGETS%/*}" >> $GITHUB_OUTPUT
+          echo "ARCH=${TARGETS#*/}" >> $GITHUB_OUTPUT
       - name: Get ldflags
         id: get_ldflags
         run: |
@@ -75,35 +75,31 @@ jobs:
           cd .. && \
           sha256sum vela/vela-* kubectl-vela/kubectl-vela-* >> sha256-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.txt \
       - name: Upload Vela tar.gz
-        uses: actions/upload-release-asset@v1.0.2
+        uses: kubevela/vela-upload-release-asset@v1
         with:
-          upload_url: ${{ steps.get_release.outputs.upload_url }}
+          release_id: ${{ steps.get_release.outputs.id }}
           asset_path: ./_bin/vela/vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz
           asset_name: vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz
-          asset_content_type: binary/octet-stream
       - name: Upload Vela zip
-        uses: actions/upload-release-asset@v1.0.2
+        uses: kubevela/vela-upload-release-asset@v1
         with:
-          upload_url: ${{ steps.get_release.outputs.upload_url }}
+          release_id: ${{ steps.get_release.outputs.id }}
           asset_path: ./_bin/vela/vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip
           asset_name: vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip
-          asset_content_type: binary/octet-stream
       - name: Upload Kubectl-Vela tar.gz
-        uses: actions/upload-release-asset@v1.0.2
+        uses: kubevela/vela-upload-release-asset@v1
         with:
-          upload_url: ${{ steps.get_release.outputs.upload_url }}
+          release_id: ${{ steps.get_release.outputs.id }}
           asset_path: ./_bin/kubectl-vela/kubectl-vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz
           asset_name: kubectl-vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz
-          asset_content_type: binary/octet-stream
       - name: Upload Kubectl-Vela zip
-        uses: actions/upload-release-asset@v1.0.2
+        uses: kubevela/vela-upload-release-asset@v1
         with:
-          upload_url: ${{ steps.get_release.outputs.upload_url }}
+          release_id: ${{ steps.get_release.outputs.id }}
           asset_path: ./_bin/kubectl-vela/kubectl-vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip
           asset_name: kubectl-vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip
-          asset_content_type: binary/octet-stream
       - name: Post sha256
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: sha256sums
           path: ./_bin/sha256-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.txt
@@ -119,7 +115,6 @@ jobs:
         run: ./ossutil --config-file .ossutilconfig config -i ${ACCESS_KEY} -k ${ACCESS_KEY_SECRET} -e ${ENDPOINT} -c .ossutilconfig
       - name: sync local to cloud
         run: ./ossutil --config-file .ossutilconfig sync ./_bin/vela oss://$BUCKET/binary/vela/${{ env.VELA_VERSION }}
-      
       - name: sync the latest version file
         if: ${{ !contains(env.VELA_VERSION,'alpha') && !contains(env.VELA_VERSION,'beta') }}
         run: |
@@ -131,19 +126,18 @@ jobs:
           echo ${{ env.VELA_VERSION }} > ./latest_version
           ./ossutil --config-file .ossutilconfig cp -u ./latest_version oss://$BUCKET/binary/vela/latest_version
 
-
   upload-plugin-homebrew:
     needs: build
     runs-on: ubuntu-latest
     name: upload-sha256sums
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Get release
         id: get_release
-        uses: bruceadams/get-release@v1.2.2
+        uses: bruceadams/get-release@v1.3.2
       - name: Download sha256sums
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v3
         with:
           name: sha256sums
           path: cli-artifacts
@@ -162,12 +156,11 @@ jobs:
             cat ${file} >> sha256sums.txt
           done
       - name: Upload Checksums
-        uses: actions/upload-release-asset@v1.0.2
+        uses: kubevela/vela-upload-release-asset@v1
         with:
-          upload_url: ${{ steps.get_release.outputs.upload_url }}
+          release_id: ${{ steps.get_release.outputs.id }}
           asset_path: cli-artifacts/sha256sums.txt
           asset_name: sha256sums.txt
-          asset_content_type: text/plain
       - name: Update kubectl plugin version in krew-index
         uses: rajatjindal/krew-release-bot@v0.0.38
       - name: Update Homebrew formula

.github/workflows/scorecards.yml

@@ -0,0 +1,60 @@
+name: Scorecards supply-chain security
+on:
+  schedule:
+    # Weekly on Saturdays.
+    - cron: '30 1 * * 6'
+  push:
+    branches: [ master ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge. (Upcoming feature)
+      id-token: write
+      actions: read
+      contents: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@937ffa90d79c7d720498178154ad4c7ba1e4ad8c # tag=v2.1.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecards on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Publish the results for public repositories to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless
+          # of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@v3
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: results.sarif

.github/workflows/sync-api.yml

@@ -7,25 +7,27 @@ on:
     tags:
       - "v*"
 
+permissions:
+  contents: read
+
+env:
+  GO_VERSION: '1.19'
+
 jobs:
   sync-core-api:
     runs-on: ubuntu-20.04
     steps:
-      - name: Set up Go 1.17
-        uses: actions/setup-go@v1
-        env:
-          GO_VERSION: '1.19'
-          GOLANGCI_VERSION: 'v1.49'
+      - name: Set up Go
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GO_VERSION }}
-        id: go
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Get the version
         id: get_version
-        run: echo ::set-output name=VERSION::${GITHUB_REF#refs/tags/}
+        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
 
       - name: Sync to kubevela-core-api Repo
         env:
@@ -34,4 +36,4 @@ jobs:
           COMMIT_ID: ${{ github.sha }}
         run: |
           bash ./hack/apis/clientgen.sh
-          bash ./hack/apis/sync.sh
+          bash ./hack/apis/sync.sh sync

.github/workflows/timed-task.yml

@@ -2,6 +2,9 @@ name: Timed Task
 on:
   schedule:
     - cron: '* * * * *'
+
+permissions: {}
+
 jobs:
   clean-image:
     runs-on: aliyun

.github/workflows/trivy-scan.yml

@@ -4,13 +4,16 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 jobs:
   images:
     name: Image Scan
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Build Vela Core image from Dockerfile
         run: |
@@ -24,7 +27,7 @@ jobs:
           output: 'trivy-results.sarif'
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v1
+        uses: github/codeql-action/upload-sarif@v2
         if: always()
         with:
           sarif_file: 'trivy-results.sarif'

.github/workflows/unit-test.yml

@@ -5,12 +5,15 @@ on:
     branches:
       - master
       - release-*
-  workflow_dispatch: {}
+  workflow_dispatch: { }
   pull_request:
     branches:
       - master
       - release-*
 
+permissions:
+  contents: read
+
 env:
   # Common versions
   GO_VERSION: '1.19'
@@ -19,18 +22,20 @@ env:
 jobs:
 
   detect-noop:
+    permissions:
+      actions: write  # for fkirc/skip-duplicate-actions to skip or stop workflow runs
     runs-on: ubuntu-20.04
     outputs:
       noop: ${{ steps.noop.outputs.should_skip }}
     steps:
       - name: Detect No-op Changes
         id: noop
-        uses: fkirc/skip-duplicate-actions@v4.0.0
+        uses: fkirc/skip-duplicate-actions@v5
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
           do_not_skip: '["workflow_dispatch", "schedule", "push"]'
-          concurrent_skipping: false
+        continue-on-error: true
 
   unit-tests:
     runs-on: ubuntu-20.04
@@ -39,18 +44,17 @@ jobs:
 
     steps:
       - name: Set up Go
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GO_VERSION }}
-        id: go
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           submodules: true
 
       - name: Cache Go Dependencies
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: .work/pkg
           key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
@@ -61,11 +65,12 @@ jobs:
           sudo apt-get install -y golang-ginkgo-dev
 
       - name: Setup K3d
-        uses: nolar/setup-k3d-k3s@v1.0.8
+        uses: nolar/setup-k3d-k3s@v1.0.9
         with:
           version: v1.20
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
+        # TODO need update action version to resolve node 12 deprecated.
       - name: install Kubebuilder
         uses: RyanSiu1995/kubebuilder-action@v1.2
         with:
@@ -77,7 +82,7 @@ jobs:
         run: make test
 
       - name: Upload coverage report
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@v3
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           file: ./coverage.txt

Dockerfile

@@ -15,9 +15,8 @@ ENV GOPROXY=${GOPROXY:-https://goproxy.cn}
 # and so that source changes don't invalidate our downloaded layer
 RUN go mod download
 
-# Copy the go source
-COPY cmd/core/main.go main.go
-COPY cmd/apiserver/main.go cmd/apiserver/main.go
+# Copy the go source for building core
+COPY cmd/core/ cmd/core/
 COPY apis/ apis/
 COPY pkg/ pkg/
 COPY version/ version/
@@ -29,7 +28,7 @@ ARG VERSION
 ARG GITVERSION
 RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
     go build -a -ldflags "-s -w -X github.com/oam-dev/kubevela/version.VelaVersion=${VERSION:-undefined} -X github.com/oam-dev/kubevela/version.GitRevision=${GITVERSION:-undefined}" \
-    -o manager-${TARGETARCH} main.go
+    -o manager-${TARGETARCH} cmd/core/main.go
 
 # Use alpine as base image due to the discussion in issue #1448
 # You can replace distroless as minimal base image to package the manager binary

Dockerfile.apiserver

@@ -11,9 +11,8 @@ COPY go.sum go.sum
 # and so that source changes don't invalidate our downloaded layer
 RUN go mod download
 
-# Copy the go source
-COPY cmd/core/main.go main.go
-COPY cmd/apiserver/main.go cmd/apiserver/main.go
+# Copy the go source for building apiserver
+COPY cmd/apiserver/ cmd/apiserver/
 COPY apis/ apis/
 COPY pkg/ pkg/
 COPY version/ version/

GOVERNANCE.md

@@ -1,16 +1 @@
-# Governance
-
-[Project maintainers](https://github.com/kubevela/community/blob/main/OWNERS.md#maintainers) are responsible for activities around maintaining and updating KubeVela.
-Final decisions on the project reside with the project maintainers.
-
-Maintainers **MUST** remain active. If they are unresponsive for >6 months,
-they will be automatically removed unless a [super-majority](https://en.wikipedia.org/wiki/Supermajority#Two-thirds_vote) of the other project maintainers agrees to extend the period to be greater than 6 months.
-
-New maintainers can be added to the project by a [super-majority](https://en.wikipedia.org/wiki/Supermajority#Two-thirds_vote) vote of the existing maintainers.
-A potential maintainer may be nominated by an existing maintainer.
-A vote is conducted in private between the current maintainers over the course of a one week voting period.
-At the end of the week, votes are counted and a pull request is made on the repo adding the new maintainer to the [CODEOWNERS](https://github.com/kubevela/kubevela/blob/master/.github/CODEOWNERS) file.
-
-A maintainer may step down by submitting an [issue](https://github.com/kubevela/kubevela/issues/new/choose) stating their intent.
-
-Changes to this governance document require a pull request with approval from a [super-majority](https://en.wikipedia.org/wiki/Supermajority#Two-thirds_vote) of the current maintainers.
+Refer to https://github.com/kubevela/community/blob/main/GOVERNANCE.md

README.md

@@ -6,7 +6,7 @@
   </p>
 </div>
 
-![Build status](https://github.com/kubevela/kubevela/workflows/E2E/badge.svg)
+![Build status](https://github.com/kubevela/kubevela/workflows/Go/badge.svg)
 [![Go Report Card](https://goreportcard.com/badge/github.com/kubevela/kubevela)](https://goreportcard.com/report/github.com/kubevela/kubevela)
 ![Docker Pulls](https://img.shields.io/docker/pulls/oamdev/vela-core)
 [![codecov](https://codecov.io/gh/kubevela/kubevela/branch/master/graph/badge.svg)](https://codecov.io/gh/kubevela/kubevela)
@@ -16,6 +16,8 @@
 [![Twitter](https://img.shields.io/twitter/url?style=social&url=https%3A%2F%2Ftwitter.com%2Foam_dev)](https://twitter.com/oam_dev)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/kubevela)](https://artifacthub.io/packages/search?repo=kubevela)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4602/badge)](https://bestpractices.coreinfrastructure.org/projects/4602)
+![E2E status](https://github.com/kubevela/kubevela/workflows/E2E%20Test/badge.svg)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/kubevela/kubevela/badge)](https://api.securityscorecards.dev/projects/github.com/kubevela/kubevela)
 
 ## Introduction
 

apis/core.oam.dev/common/types.go

@@ -333,8 +333,7 @@ type WorkflowStatus struct {
 	Steps          []workflowv1alpha1.WorkflowStepStatus `json:"steps,omitempty"`
 
 	StartTime metav1.Time `json:"startTime,omitempty"`
-	// +nullable
-	EndTime metav1.Time `json:"endTime,omitempty"`
+	EndTime   metav1.Time `json:"endTime,omitempty"`
 }
 
 // DefinitionType describes the type of DefinitionRevision.
@@ -574,3 +573,29 @@ type ReferredObjectList struct {
 	// +optional
 	Objects []ReferredObject `json:"objects,omitempty"`
 }
+
+// ContainerState defines the state of a container
+type ContainerState string
+
+const (
+	// ContainerRunning indicates the container is running
+	ContainerRunning ContainerState = "Running"
+	// ContainerWaiting indicates the container is waiting
+	ContainerWaiting ContainerState = "Waiting"
+	// ContainerTerminated indicates the container is terminated
+	ContainerTerminated ContainerState = "Terminated"
+)
+
+// ContainerStateToString convert the container state to string
+func ContainerStateToString(state corev1.ContainerState) string {
+	switch {
+	case state.Running != nil:
+		return "Running"
+	case state.Waiting != nil:
+		return "Waiting"
+	case state.Terminated != nil:
+		return "Terminated"
+	default:
+		return "Unknown"
+	}
+}

apis/core.oam.dev/common/types_test.go

@@ -58,3 +58,17 @@ func TestClusterObjectReference(t *testing.T) {
 	o2.Cluster = "c"
 	r.False(o2.Equal(o1))
 }
+
+func TestContainerStateToString(t *testing.T) {
+	r := require.New(t)
+	r.Equal("Waiting", ContainerStateToString(v1.ContainerState{
+		Waiting: &v1.ContainerStateWaiting{},
+	}))
+	r.Equal("Running", ContainerStateToString(v1.ContainerState{
+		Running: &v1.ContainerStateRunning{},
+	}))
+	r.Equal("Terminated", ContainerStateToString(v1.ContainerState{
+		Terminated: &v1.ContainerStateTerminated{},
+	}))
+	r.Equal("Unknown", ContainerStateToString(v1.ContainerState{}))
+}

apis/core.oam.dev/v1alpha1/applyonce_policy_types.go

@@ -59,8 +59,13 @@ type ApplyOnceStrategy struct {
 	ApplyOnceAffectStrategy ApplyOnceAffectStrategy `json:"affect"`
 }
 
+// Type the type name of the policy
+func (in *ApplyOncePolicySpec) Type() string {
+	return ApplyOncePolicyType
+}
+
 // FindStrategy find apply-once strategy for target resource
-func (in ApplyOncePolicySpec) FindStrategy(manifest *unstructured.Unstructured) *ApplyOnceStrategy {
+func (in *ApplyOncePolicySpec) FindStrategy(manifest *unstructured.Unstructured) *ApplyOnceStrategy {
 	if !in.Enable {
 		return nil
 	}

apis/core.oam.dev/v1alpha1/garbagecollect_policy_types.go

@@ -18,10 +18,6 @@ package v1alpha1
 
 import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/utils/pointer"
-	"k8s.io/utils/strings/slices"
-
-	"github.com/oam-dev/kubevela/pkg/oam"
 )
 
 const (
@@ -57,59 +53,6 @@ type GarbageCollectPolicyRule struct {
 	Strategy GarbageCollectStrategy     `json:"strategy"`
 }
 
-// ResourcePolicyRuleSelector select the targets of the rule
-// if multiple conditions are specified, combination logic is AND
-type ResourcePolicyRuleSelector struct {
-	CompNames        []string `json:"componentNames,omitempty"`
-	CompTypes        []string `json:"componentTypes,omitempty"`
-	OAMResourceTypes []string `json:"oamTypes,omitempty"`
-	TraitTypes       []string `json:"traitTypes,omitempty"`
-	ResourceTypes    []string `json:"resourceTypes,omitempty"`
-	ResourceNames    []string `json:"resourceNames,omitempty"`
-}
-
-// Match check if current rule selector match the target resource
-// If at least one condition is matched and no other condition failed (could be empty), return true
-// Otherwise, return false
-func (in *ResourcePolicyRuleSelector) Match(manifest *unstructured.Unstructured) bool {
-	var compName, compType, oamType, traitType, resourceType, resourceName string
-	if labels := manifest.GetLabels(); labels != nil {
-		compName = labels[oam.LabelAppComponent]
-		compType = labels[oam.WorkloadTypeLabel]
-		oamType = labels[oam.LabelOAMResourceType]
-		traitType = labels[oam.TraitTypeLabel]
-	}
-	resourceType = manifest.GetKind()
-	resourceName = manifest.GetName()
-	match := func(src []string, val string) (found *bool) {
-		if len(src) == 0 {
-			return nil
-		}
-		return pointer.Bool(val != "" && slices.Contains(src, val))
-	}
-	conditions := []*bool{
-		match(in.CompNames, compName),
-		match(in.CompTypes, compType),
-		match(in.OAMResourceTypes, oamType),
-		match(in.TraitTypes, traitType),
-		match(in.ResourceTypes, resourceType),
-		match(in.ResourceNames, resourceName),
-	}
-	hasMatched := false
-	for _, cond := range conditions {
-		// if any non-empty condition failed, return false
-		if cond != nil && !*cond {
-			return false
-		}
-		// if condition succeed, record it
-		if cond != nil && *cond {
-			hasMatched = true
-		}
-	}
-	// if at least one condition is met, return true
-	return hasMatched
-}
-
 // GarbageCollectStrategy the strategy for target resource to recycle
 type GarbageCollectStrategy string
 
@@ -123,8 +66,13 @@ const (
 	GarbageCollectStrategyOnAppUpdate GarbageCollectStrategy = "onAppUpdate"
 )
 
+// Type the type name of the policy
+func (in *GarbageCollectPolicySpec) Type() string {
+	return GarbageCollectPolicyType
+}
+
 // FindStrategy find gc strategy for target resource
-func (in GarbageCollectPolicySpec) FindStrategy(manifest *unstructured.Unstructured) *GarbageCollectStrategy {
+func (in *GarbageCollectPolicySpec) FindStrategy(manifest *unstructured.Unstructured) *GarbageCollectStrategy {
 	for _, rule := range in.Rules {
 		if rule.Selector.Match(manifest) {
 			return &rule.Strategy

apis/core.oam.dev/v1alpha1/policy_types.go

@@ -16,8 +16,6 @@ limitations under the License.
 
 package v1alpha1
 
-import "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-
 const (
 	// TopologyPolicyType refers to the type of topology policy
 	TopologyPolicyType = "topology"
@@ -25,8 +23,6 @@ const (
 	OverridePolicyType = "override"
 	// DebugPolicyType refers to the type of debug policy
 	DebugPolicyType = "debug"
-	// SharedResourcePolicyType refers to the type of shared resource policy
-	SharedResourcePolicyType = "shared-resource"
 	// ReplicationPolicyType refers to the type of replication policy
 	ReplicationPolicyType = "replication"
 )
@@ -64,26 +60,6 @@ type OverridePolicySpec struct {
 	Selector   []string            `json:"selector,omitempty"`
 }
 
-// SharedResourcePolicySpec defines the spec of shared-resource policy
-type SharedResourcePolicySpec struct {
-	Rules []SharedResourcePolicyRule `json:"rules"`
-}
-
-// SharedResourcePolicyRule defines the rule for sharing resources
-type SharedResourcePolicyRule struct {
-	Selector ResourcePolicyRuleSelector `json:"selector"`
-}
-
-// FindStrategy return if the target resource should be shared
-func (in SharedResourcePolicySpec) FindStrategy(manifest *unstructured.Unstructured) bool {
-	for _, rule := range in.Rules {
-		if rule.Selector.Match(manifest) {
-			return true
-		}
-	}
-	return false
-}
-
 // ReplicationPolicySpec defines the spec of replication policy
 // Override policy should be used together with replication policy to select the deployment target components
 type ReplicationPolicySpec struct {

apis/core.oam.dev/v1alpha1/readonly_policy_types.go

@@ -0,0 +1,49 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+const (
+	// ReadOnlyPolicyType refers to the type of read-only policy
+	ReadOnlyPolicyType = "read-only"
+)
+
+// ReadOnlyPolicySpec defines the spec of read-only policy
+type ReadOnlyPolicySpec struct {
+	Rules []ReadOnlyPolicyRule `json:"rules"`
+}
+
+// Type the type name of the policy
+func (in *ReadOnlyPolicySpec) Type() string {
+	return ReadOnlyPolicyType
+}
+
+// ReadOnlyPolicyRule defines the rule for read-only resources
+type ReadOnlyPolicyRule struct {
+	Selector ResourcePolicyRuleSelector `json:"selector"`
+}
+
+// FindStrategy return if the target resource is read-only
+func (in *ReadOnlyPolicySpec) FindStrategy(manifest *unstructured.Unstructured) bool {
+	for _, rule := range in.Rules {
+		if rule.Selector.Match(manifest) {
+			return true
+		}
+	}
+	return false
+}

apis/core.oam.dev/v1alpha1/resource_policy_types.go

@@ -0,0 +1,78 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/utils/pointer"
+	stringslices "k8s.io/utils/strings/slices"
+
+	"github.com/oam-dev/kubevela/pkg/oam"
+)
+
+// ResourcePolicyRuleSelector select the targets of the rule
+// if multiple conditions are specified, combination logic is AND
+type ResourcePolicyRuleSelector struct {
+	CompNames        []string `json:"componentNames,omitempty"`
+	CompTypes        []string `json:"componentTypes,omitempty"`
+	OAMResourceTypes []string `json:"oamTypes,omitempty"`
+	TraitTypes       []string `json:"traitTypes,omitempty"`
+	ResourceTypes    []string `json:"resourceTypes,omitempty"`
+	ResourceNames    []string `json:"resourceNames,omitempty"`
+}
+
+// Match check if current rule selector match the target resource
+// If at least one condition is matched and no other condition failed (could be empty), return true
+// Otherwise, return false
+func (in *ResourcePolicyRuleSelector) Match(manifest *unstructured.Unstructured) bool {
+	var compName, compType, oamType, traitType, resourceType, resourceName string
+	if labels := manifest.GetLabels(); labels != nil {
+		compName = labels[oam.LabelAppComponent]
+		compType = labels[oam.WorkloadTypeLabel]
+		oamType = labels[oam.LabelOAMResourceType]
+		traitType = labels[oam.TraitTypeLabel]
+	}
+	resourceType = manifest.GetKind()
+	resourceName = manifest.GetName()
+	match := func(src []string, val string) (found *bool) {
+		if len(src) == 0 {
+			return nil
+		}
+		return pointer.Bool(val != "" && stringslices.Contains(src, val))
+	}
+	conditions := []*bool{
+		match(in.CompNames, compName),
+		match(in.CompTypes, compType),
+		match(in.OAMResourceTypes, oamType),
+		match(in.TraitTypes, traitType),
+		match(in.ResourceTypes, resourceType),
+		match(in.ResourceNames, resourceName),
+	}
+	hasMatched := false
+	for _, cond := range conditions {
+		// if any non-empty condition failed, return false
+		if cond != nil && !*cond {
+			return false
+		}
+		// if condition succeed, record it
+		if cond != nil && *cond {
+			hasMatched = true
+		}
+	}
+	// if at least one condition is met, return true
+	return hasMatched
+}

apis/core.oam.dev/v1alpha1/sharedresource_policy_types.go

@@ -0,0 +1,49 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+const (
+	// SharedResourcePolicyType refers to the type of shared resource policy
+	SharedResourcePolicyType = "shared-resource"
+)
+
+// SharedResourcePolicySpec defines the spec of shared-resource policy
+type SharedResourcePolicySpec struct {
+	Rules []SharedResourcePolicyRule `json:"rules"`
+}
+
+// Type the type name of the policy
+func (in *SharedResourcePolicySpec) Type() string {
+	return SharedResourcePolicyType
+}
+
+// SharedResourcePolicyRule defines the rule for sharing resources
+type SharedResourcePolicyRule struct {
+	Selector ResourcePolicyRuleSelector `json:"selector"`
+}
+
+// FindStrategy return if the target resource should be shared
+func (in *SharedResourcePolicySpec) FindStrategy(manifest *unstructured.Unstructured) bool {
+	for _, rule := range in.Rules {
+		if rule.Selector.Match(manifest) {
+			return true
+		}
+	}
+	return false
+}

apis/core.oam.dev/v1alpha1/takeover_policy_types.go

@@ -0,0 +1,49 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+const (
+	// TakeOverPolicyType refers to the type of take-over policy
+	TakeOverPolicyType = "take-over"
+)
+
+// TakeOverPolicySpec defines the spec of take-over policy
+type TakeOverPolicySpec struct {
+	Rules []TakeOverPolicyRule `json:"rules"`
+}
+
+// Type the type name of the policy
+func (in *TakeOverPolicySpec) Type() string {
+	return TakeOverPolicyType
+}
+
+// TakeOverPolicyRule defines the rule for taking over resources
+type TakeOverPolicyRule struct {
+	Selector ResourcePolicyRuleSelector `json:"selector"`
+}
+
+// FindStrategy return if the target resource should be taken over
+func (in *TakeOverPolicySpec) FindStrategy(manifest *unstructured.Unstructured) bool {
+	for _, rule := range in.Rules {
+		if rule.Selector.Match(manifest) {
+			return true
+		}
+	}
+	return false
+}

apis/core.oam.dev/v1alpha1/zz_generated.deepcopy.go

@@ -585,6 +585,44 @@ func (in *PolicyList) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReadOnlyPolicyRule) DeepCopyInto(out *ReadOnlyPolicyRule) {
+	*out = *in
+	in.Selector.DeepCopyInto(&out.Selector)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReadOnlyPolicyRule.
+func (in *ReadOnlyPolicyRule) DeepCopy() *ReadOnlyPolicyRule {
+	if in == nil {
+		return nil
+	}
+	out := new(ReadOnlyPolicyRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReadOnlyPolicySpec) DeepCopyInto(out *ReadOnlyPolicySpec) {
+	*out = *in
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]ReadOnlyPolicyRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReadOnlyPolicySpec.
+func (in *ReadOnlyPolicySpec) DeepCopy() *ReadOnlyPolicySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ReadOnlyPolicySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RefObjectsComponentSpec) DeepCopyInto(out *RefObjectsComponentSpec) {
 	*out = *in
@@ -720,6 +758,44 @@ func (in *SharedResourcePolicySpec) DeepCopy() *SharedResourcePolicySpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TakeOverPolicyRule) DeepCopyInto(out *TakeOverPolicyRule) {
+	*out = *in
+	in.Selector.DeepCopyInto(&out.Selector)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TakeOverPolicyRule.
+func (in *TakeOverPolicyRule) DeepCopy() *TakeOverPolicyRule {
+	if in == nil {
+		return nil
+	}
+	out := new(TakeOverPolicyRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TakeOverPolicySpec) DeepCopyInto(out *TakeOverPolicySpec) {
+	*out = *in
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]TakeOverPolicyRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TakeOverPolicySpec.
+func (in *TakeOverPolicySpec) DeepCopy() *TakeOverPolicySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(TakeOverPolicySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TopologyPolicySpec) DeepCopyInto(out *TopologyPolicySpec) {
 	*out = *in

apis/core.oam.dev/v1beta1/applicationrevision_types.go

@@ -17,9 +17,11 @@
 package v1beta1
 
 import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"encoding/json"
 
+	"github.com/kubevela/pkg/util/compression"
 	workflowv1alpha1 "github.com/kubevela/workflow/api/v1alpha1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1alpha1"
@@ -29,6 +31,16 @@ import (
 
 // ApplicationRevisionSpec is the spec of ApplicationRevision
 type ApplicationRevisionSpec struct {
+	// ApplicationRevisionCompressibleFields represents all the fields that can be compressed.
+	ApplicationRevisionCompressibleFields `json:",inline"`
+
+	// Compression represents the compressed components in apprev in base64 (if compression is enabled).
+	Compression ApplicationRevisionCompression `json:"compression,omitempty"`
+}
+
+// ApplicationRevisionCompressibleFields represents all the fields that can be compressed.
+// So we can better organize them and compress only the compressible fields.
+type ApplicationRevisionCompressibleFields struct {
 	// Application records the snapshot of the created/modified Application
 	Application Application `json:"application"`
 
@@ -64,6 +76,59 @@ type ApplicationRevisionSpec struct {
 	ReferredObjects []common.ReferredObject `json:"referredObjects,omitempty"`
 }
 
+// ApplicationRevisionCompression represents the compressed components in apprev in base64.
+type ApplicationRevisionCompression struct {
+	compression.CompressedText `json:",inline"`
+}
+
+// MarshalJSON serves the same purpose as the one in ResourceTrackerSpec.
+func (apprev *ApplicationRevisionSpec) MarshalJSON() ([]byte, error) {
+	type Alias ApplicationRevisionSpec
+	tmp := &struct {
+		*Alias
+	}{}
+
+	if apprev.Compression.Type == compression.Uncompressed {
+		tmp.Alias = (*Alias)(apprev)
+	} else {
+		cpy := apprev.DeepCopy()
+		err := cpy.Compression.EncodeFrom(cpy.ApplicationRevisionCompressibleFields)
+		cpy.ApplicationRevisionCompressibleFields = ApplicationRevisionCompressibleFields{
+			// Application needs to have components.
+			Application: Application{Spec: ApplicationSpec{Components: []common.ApplicationComponent{}}},
+		}
+		if err != nil {
+			return nil, err
+		}
+		tmp.Alias = (*Alias)(cpy)
+	}
+
+	return json.Marshal(tmp.Alias)
+}
+
+// UnmarshalJSON serves the same purpose as the one in ResourceTrackerSpec.
+func (apprev *ApplicationRevisionSpec) UnmarshalJSON(data []byte) error {
+	type Alias ApplicationRevisionSpec
+	tmp := &struct {
+		*Alias
+	}{}
+
+	if err := json.Unmarshal(data, tmp); err != nil {
+		return err
+	}
+
+	if tmp.Compression.Type != compression.Uncompressed {
+		err := tmp.Compression.DecodeTo(&tmp.ApplicationRevisionCompressibleFields)
+		if err != nil {
+			return err
+		}
+		tmp.Compression.Clean()
+	}
+
+	(*ApplicationRevisionSpec)(tmp.Alias).DeepCopyInto(apprev)
+	return nil
+}
+
 // ApplicationRevisionStatus is the status of ApplicationRevision
 type ApplicationRevisionStatus struct {
 	// Succeeded records if the workflow finished running with success

apis/core.oam.dev/v1beta1/applicationrevision_types_test.go

@@ -0,0 +1,86 @@
+/*
+Copyright 2021 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"encoding/json"
+	"fmt"
+	"testing"
+
+	"github.com/kubevela/pkg/util/compression"
+	"github.com/stretchr/testify/assert"
+	"k8s.io/apimachinery/pkg/runtime"
+
+	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
+)
+
+func TestApplicationRevisionCompression(t *testing.T) {
+	// Fill data
+	spec := &ApplicationRevisionSpec{}
+	spec.Application = Application{Spec: ApplicationSpec{Components: []common.ApplicationComponent{{Name: "test-name"}}}}
+	spec.ComponentDefinitions = make(map[string]ComponentDefinition)
+	spec.ComponentDefinitions["def"] = ComponentDefinition{Spec: ComponentDefinitionSpec{PodSpecPath: "path"}}
+	spec.WorkloadDefinitions = make(map[string]WorkloadDefinition)
+	spec.WorkloadDefinitions["def"] = WorkloadDefinition{Spec: WorkloadDefinitionSpec{Reference: common.DefinitionReference{Name: "testdef"}}}
+	spec.TraitDefinitions = make(map[string]TraitDefinition)
+	spec.TraitDefinitions["def"] = TraitDefinition{Spec: TraitDefinitionSpec{ControlPlaneOnly: true}}
+	spec.ScopeDefinitions = make(map[string]ScopeDefinition)
+	spec.ScopeDefinitions["def"] = ScopeDefinition{Spec: ScopeDefinitionSpec{AllowComponentOverlap: true}}
+	spec.PolicyDefinitions = make(map[string]PolicyDefinition)
+	spec.PolicyDefinitions["def"] = PolicyDefinition{Spec: PolicyDefinitionSpec{ManageHealthCheck: true}}
+	spec.WorkflowStepDefinitions = make(map[string]WorkflowStepDefinition)
+	spec.WorkflowStepDefinitions["def"] = WorkflowStepDefinition{Spec: WorkflowStepDefinitionSpec{Reference: common.DefinitionReference{Name: "testname"}}}
+	spec.ReferredObjects = []common.ReferredObject{{RawExtension: runtime.RawExtension{Raw: []byte("123")}}}
+
+	testAppRev := &ApplicationRevision{Spec: *spec}
+
+	marshalAndUnmarshal := func(in *ApplicationRevision) (*ApplicationRevision, int) {
+		out := &ApplicationRevision{}
+		b, err := json.Marshal(in)
+		assert.NoError(t, err)
+		if in.Spec.Compression.Type != compression.Uncompressed {
+			assert.Contains(t, string(b), fmt.Sprintf("\"type\":\"%s\",\"data\":\"", in.Spec.Compression.Type))
+		}
+		err = json.Unmarshal(b, out)
+		assert.NoError(t, err)
+		assert.Equal(t, out.Spec.Compression.Type, in.Spec.Compression.Type)
+		assert.Equal(t, out.Spec.Compression.Data, "")
+		return out, len(b)
+	}
+
+	// uncompressed
+	testAppRev.Spec.Compression.SetType(compression.Uncompressed)
+	uncomp, uncompsize := marshalAndUnmarshal(testAppRev)
+
+	// zstd compressed
+	testAppRev.Spec.Compression.SetType(compression.Zstd)
+	zstdcomp, zstdsize := marshalAndUnmarshal(testAppRev)
+	// We will compare content later. Clear compression methods since it will interfere
+	// comparison and is verified earlier.
+	zstdcomp.Spec.Compression.SetType(compression.Uncompressed)
+
+	// gzip compressed
+	testAppRev.Spec.Compression.SetType(compression.Gzip)
+	gzipcomp, gzipsize := marshalAndUnmarshal(testAppRev)
+	gzipcomp.Spec.Compression.SetType(compression.Uncompressed)
+
+	assert.Equal(t, uncomp, zstdcomp)
+	assert.Equal(t, zstdcomp, gzipcomp)
+
+	assert.Less(t, zstdsize, uncompsize)
+	assert.Less(t, gzipsize, uncompsize)
+}

apis/core.oam.dev/v1beta1/resourcetracker_types.go

@@ -29,11 +29,12 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
+	"github.com/kubevela/pkg/util/compression"
+
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/apis/interfaces"
 	velatypes "github.com/oam-dev/kubevela/apis/types"
 	"github.com/oam-dev/kubevela/pkg/oam"
-	"github.com/oam-dev/kubevela/pkg/utils/compression"
 	velaerr "github.com/oam-dev/kubevela/pkg/utils/errors"
 )
 
@@ -76,10 +77,9 @@ type ResourceTrackerSpec struct {
 	Compression           ResourceTrackerCompression `json:"compression,omitempty"`
 }
 
-// ResourceTrackerCompression the compression for ResourceTracker ManagedResources
+// ResourceTrackerCompression represents the compressed components in ResourceTracker.
 type ResourceTrackerCompression struct {
-	Type compression.Type `json:"type,omitempty"`
-	Data string           `json:"data,omitempty"`
+	compression.CompressedText `json:",inline"`
 }
 
 // MarshalJSON will encode ResourceTrackerSpec according to the compression type. If type specified,
@@ -88,30 +88,19 @@ type ResourceTrackerCompression struct {
 func (in *ResourceTrackerSpec) MarshalJSON() ([]byte, error) {
 	type Alias ResourceTrackerSpec
 	tmp := &struct{ *Alias }{}
-	switch in.Compression.Type {
-	case compression.Uncompressed:
+
+	if in.Compression.Type == compression.Uncompressed {
 		tmp.Alias = (*Alias)(in)
-	case compression.Gzip:
+	} else {
 		cpy := in.DeepCopy()
-		data, err := compression.GzipObjectToString(in.ManagedResources)
+		cpy.ManagedResources = nil
+		err := cpy.Compression.EncodeFrom(in.ManagedResources)
 		if err != nil {
 			return nil, err
 		}
-		cpy.ManagedResources = nil
-		cpy.Compression.Data = data
 		tmp.Alias = (*Alias)(cpy)
-	case compression.Zstd:
-		cpy := in.DeepCopy()
-		data, err := compression.ZstdObjectToString(in.ManagedResources)
-		if err != nil {
-			return nil, err
-		}
-		cpy.ManagedResources = nil
-		cpy.Compression.Data = data
-		tmp.Alias = (*Alias)(cpy)
-	default:
-		return nil, compression.NewUnsupportedCompressionTypeError(string(in.Compression.Type))
 	}
+
 	return json.Marshal(tmp.Alias)
 }
 
@@ -124,24 +113,16 @@ func (in *ResourceTrackerSpec) UnmarshalJSON(src []byte) error {
 	if err := json.Unmarshal(src, tmp); err != nil {
 		return err
 	}
-	switch tmp.Compression.Type {
-	case compression.Uncompressed:
-		break
-	case compression.Gzip:
+
+	if tmp.Compression.Type != compression.Uncompressed {
 		tmp.ManagedResources = []ManagedResource{}
-		if err := compression.GunzipStringToObject(tmp.Compression.Data, &tmp.ManagedResources); err != nil {
+		err := tmp.Compression.DecodeTo(&tmp.ManagedResources)
+		if err != nil {
 			return err
 		}
-		tmp.Compression.Data = ""
-	case compression.Zstd:
-		tmp.ManagedResources = []ManagedResource{}
-		if err := compression.UnZstdStringToObject(tmp.Compression.Data, &tmp.ManagedResources); err != nil {
-			return err
-		}
-		tmp.Compression.Data = ""
-	default:
-		return compression.NewUnsupportedCompressionTypeError(string(in.Compression.Type))
+		tmp.Compression.Clean()
 	}
+
 	(*ResourceTrackerSpec)(tmp.Alias).DeepCopyInto(in)
 	return nil
 }

apis/core.oam.dev/v1beta1/resourcetracker_types_test.go

@@ -24,6 +24,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/kubevela/pkg/util/compression"
 	"github.com/stretchr/testify/require"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -34,7 +35,6 @@ import (
 
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/pkg/oam"
-	"github.com/oam-dev/kubevela/pkg/utils/compression"
 	"github.com/oam-dev/kubevela/pkg/utils/errors"
 )
 
@@ -205,7 +205,6 @@ func TestResourceTrackerCompression(t *testing.T) {
 		"../../../charts/vela-core/crds/core.oam.dev_componentdefinitions.yaml",
 		"../../../charts/vela-core/crds/core.oam.dev_workloaddefinitions.yaml",
 		"../../../charts/vela-core/crds/standard.oam.dev_rollouts.yaml",
-		"../../../charts/vela-core/templates/addon/fluxcd.yaml",
 		"../../../charts/vela-core/templates/kubevela-controller.yaml",
 		"../../../charts/vela-core/README.md",
 		"../../../pkg/velaql/providers/query/testdata/machinelearning.seldon.io_seldondeployments.yaml",

apis/core.oam.dev/v1beta1/zz_generated.deepcopy.go

@@ -137,39 +137,7 @@ func (in *ApplicationRevision) DeepCopyObject() runtime.Object {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ApplicationRevisionList) DeepCopyInto(out *ApplicationRevisionList) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]ApplicationRevision, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationRevisionList.
-func (in *ApplicationRevisionList) DeepCopy() *ApplicationRevisionList {
-	if in == nil {
-		return nil
-	}
-	out := new(ApplicationRevisionList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *ApplicationRevisionList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ApplicationRevisionSpec) DeepCopyInto(out *ApplicationRevisionSpec) {
+func (in *ApplicationRevisionCompressibleFields) DeepCopyInto(out *ApplicationRevisionCompressibleFields) {
 	*out = *in
 	in.Application.DeepCopyInto(&out.Application)
 	if in.ComponentDefinitions != nil {
@@ -242,6 +210,71 @@ func (in *ApplicationRevisionSpec) DeepCopyInto(out *ApplicationRevisionSpec) {
 	}
 }
 
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationRevisionCompressibleFields.
+func (in *ApplicationRevisionCompressibleFields) DeepCopy() *ApplicationRevisionCompressibleFields {
+	if in == nil {
+		return nil
+	}
+	out := new(ApplicationRevisionCompressibleFields)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ApplicationRevisionCompression) DeepCopyInto(out *ApplicationRevisionCompression) {
+	*out = *in
+	out.CompressedText = in.CompressedText
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationRevisionCompression.
+func (in *ApplicationRevisionCompression) DeepCopy() *ApplicationRevisionCompression {
+	if in == nil {
+		return nil
+	}
+	out := new(ApplicationRevisionCompression)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ApplicationRevisionList) DeepCopyInto(out *ApplicationRevisionList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ApplicationRevision, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationRevisionList.
+func (in *ApplicationRevisionList) DeepCopy() *ApplicationRevisionList {
+	if in == nil {
+		return nil
+	}
+	out := new(ApplicationRevisionList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ApplicationRevisionList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ApplicationRevisionSpec) DeepCopyInto(out *ApplicationRevisionSpec) {
+	*out = *in
+	in.ApplicationRevisionCompressibleFields.DeepCopyInto(&out.ApplicationRevisionCompressibleFields)
+	out.Compression = in.Compression
+}
+
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationRevisionSpec.
 func (in *ApplicationRevisionSpec) DeepCopy() *ApplicationRevisionSpec {
 	if in == nil {
@@ -654,6 +687,7 @@ func (in *ResourceTracker) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceTrackerCompression) DeepCopyInto(out *ResourceTrackerCompression) {
 	*out = *in
+	out.CompressedText = in.CompressedText
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceTrackerCompression.

charts/vela-core/README.md

@@ -41,13 +41,12 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 | Name                          | Description                                                                                   | Value     |
 | ----------------------------- | --------------------------------------------------------------------------------------------- | --------- |
 | `systemDefinitionNamespace`   | System definition namespace, if unspecified, will use built-in variable `.Release.Namespace`. | `nil`     |
-| `applicationRevisionLimit`    | Application revision limit                                                                    | `10`      |
-| `definitionRevisionLimit`     | Definition revision limit                                                                     | `20`      |
+| `applicationRevisionLimit`    | Application revision limit                                                                    | `2`       |
+| `definitionRevisionLimit`     | Definition revision limit                                                                     | `2`       |
 | `concurrentReconciles`        | concurrentReconciles is the concurrent reconcile number of the controller                     | `4`       |
 | `controllerArgs.reSyncPeriod` | The period for resync the applications                                                        | `5m`      |
 | `OAMSpecVer`                  | OAMSpecVer is the oam spec version controller want to setup                                   | `v0.3`    |
 | `disableCaps`                 | Disable capability                                                                            | `rollout` |
-| `enableFluxcdAddon`           | Whether to enable fluxcd addon                                                                | `false`   |
 | `dependCheckWait`             | dependCheckWait is the time to wait for ApplicationConfiguration's dependent-resource ready   | `30s`     |
 
 
@@ -81,23 +80,25 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 
 ### KubeVela controller optimization parameters
 
-| Name                                              | Description                                                                                                                                                                          | Value   |
-| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------- |
-| `optimize.cachedGvks`                             | Optimize types of resources to be cached.                                                                                                                                            | `""`    |
-| `optimize.resourceTrackerListOp`                  | Optimize ResourceTracker List Op by adding index.                                                                                                                                    | `true`  |
-| `optimize.controllerReconcileLoopReduction`       | Optimize ApplicationController reconcile by reducing the number of loops to reconcile application.                                                                                   | `false` |
-| `optimize.markWithProb`                           | Optimize ResourceTracker GC by only run mark with probability. Side effect: outdated ResourceTracker might not be able to be removed immediately.                                    | `0.1`   |
-| `optimize.disableComponentRevision`               | Optimize componentRevision by disabling the creation and gc                                                                                                                          | `false` |
-| `optimize.disableApplicationRevision`             | Optimize ApplicationRevision by disabling the creation and gc.                                                                                                                       | `false` |
-| `optimize.disableWorkflowRecorder`                | Optimize workflow recorder by disabling the creation and gc.                                                                                                                         | `false` |
-| `optimize.enableInMemoryWorkflowContext`          | Optimize workflow by use in-memory context.                                                                                                                                          | `false` |
-| `optimize.disableResourceApplyDoubleCheck`        | Optimize workflow by ignoring resource double check after apply.                                                                                                                     | `false` |
-| `optimize.enableResourceTrackerDeleteOnlyTrigger` | Optimize resourcetracker by only trigger reconcile when resourcetracker is deleted.                                                                                                  | `true`  |
-| `featureGates.enableLegacyComponentRevision`      | if disabled, only component with rollout trait will create component revisions                                                                                                       | `false` |
-| `featureGates.gzipResourceTracker`                | if enabled, resourceTracker will be compressed using gzip before being stored                                                                                                        | `false` |
-| `featureGates.zstdResourceTracker`                | if enabled, resourceTracker will be compressed using zstd before being stored. It is much faster and more efficient than gzip. If both gzip and zstd are enabled, zstd will be used. | `false` |
-| `featureGates.applyOnce`                          | if enabled, the apply-once feature will be applied to all applications, no state-keep and no resource data storage in ResourceTracker                                                | `false` |
-| `featureGates.multiStageComponentApply`           | if enabled, the multiStageComponentApply feature will be combined with the stage field in TraitDefinition to complete the multi-stage apply.                                         | `false` |
+| Name                                              | Description                                                                                                                                                                                                                      | Value   |
+| ------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `optimize.cachedGvks`                             | Optimize types of resources to be cached.                                                                                                                                                                                        | `""`    |
+| `optimize.resourceTrackerListOp`                  | Optimize ResourceTracker List Op by adding index.                                                                                                                                                                                | `true`  |
+| `optimize.controllerReconcileLoopReduction`       | Optimize ApplicationController reconcile by reducing the number of loops to reconcile application.                                                                                                                               | `false` |
+| `optimize.markWithProb`                           | Optimize ResourceTracker GC by only run mark with probability. Side effect: outdated ResourceTracker might not be able to be removed immediately.                                                                                | `0.1`   |
+| `optimize.disableComponentRevision`               | Optimize componentRevision by disabling the creation and gc                                                                                                                                                                      | `true`  |
+| `optimize.disableApplicationRevision`             | Optimize ApplicationRevision by disabling the creation and gc.                                                                                                                                                                   | `false` |
+| `optimize.disableWorkflowRecorder`                | Optimize workflow recorder by disabling the creation and gc.                                                                                                                                                                     | `false` |
+| `optimize.enableInMemoryWorkflowContext`          | Optimize workflow by use in-memory context.                                                                                                                                                                                      | `false` |
+| `optimize.disableResourceApplyDoubleCheck`        | Optimize workflow by ignoring resource double check after apply.                                                                                                                                                                 | `false` |
+| `optimize.enableResourceTrackerDeleteOnlyTrigger` | Optimize resourcetracker by only trigger reconcile when resourcetracker is deleted.                                                                                                                                              | `true`  |
+| `featureGates.enableLegacyComponentRevision`      | if disabled, only component with rollout trait will create component revisions                                                                                                                                                   | `false` |
+| `featureGates.gzipResourceTracker`                | compress ResourceTracker using gzip (good) before being stored. This is reduces network throughput when dealing with huge ResourceTrackers.                                                                                      | `false` |
+| `featureGates.zstdResourceTracker`                | compress ResourceTracker using zstd (fast and good) before being stored. This is reduces network throughput when dealing with huge ResourceTrackers. Note that zstd will be prioritized if you enable other compression options. | `true`  |
+| `featureGates.applyOnce`                          | if enabled, the apply-once feature will be applied to all applications, no state-keep and no resource data storage in ResourceTracker                                                                                            | `false` |
+| `featureGates.multiStageComponentApply`           | if enabled, the multiStageComponentApply feature will be combined with the stage field in TraitDefinition to complete the multi-stage apply.                                                                                     | `false` |
+| `featureGates.gzipApplicationRevision`            | compress apprev using gzip (good) before being stored. This is reduces network throughput when dealing with huge apprevs.                                                                                                        | `false` |
+| `featureGates.zstdApplicationRevision`            | compress apprev using zstd (fast and good) before being stored. This is reduces network throughput when dealing with huge apprevs. Note that zstd will be prioritized if you enable other compression options.                   | `true`  |
 
 
 ### MultiCluster parameters
@@ -145,8 +146,8 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 | `logDebug`                    | Enable debug logs for development purpose                                                                                  | `false`              |
 | `logFilePath`                 | If non-empty, write log files in this path                                                                                 | `""`                 |
 | `logFileMaxSize`              | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. | `1024`               |
-| `kubeClient.qps`              | The qps for reconcile clients, default is 50                                                                               | `50`                 |
-| `kubeClient.burst`            | The burst for reconcile clients, default is 100                                                                            | `100`                |
+| `kubeClient.qps`              | The qps for reconcile clients, default is 100                                                                              | `100`                |
+| `kubeClient.burst`            | The burst for reconcile clients, default is 200                                                                            | `200`                |
 | `authentication.enabled`      | Enable authentication for application                                                                                      | `false`              |
 | `authentication.withUser`     | Application authentication will impersonate as the request User                                                            | `false`              |
 | `authentication.defaultUser`  | Application authentication will impersonate as the User if no user provided in Application                                 | `kubevela:vela-core` |

charts/vela-core/crds/core.oam.dev_applicationrevisions.yaml

@@ -844,7 +844,6 @@ spec:
                             type: object
                           endTime:
                             format: date-time
-                            nullable: true
                             type: string
                           finished:
                             type: boolean
@@ -2760,7 +2759,6 @@ spec:
                             type: object
                           endTime:
                             format: date-time
-                            nullable: true
                             type: string
                           finished:
                             type: boolean
@@ -3201,6 +3199,16 @@ spec:
                 description: ComponentDefinitions records the snapshot of the componentDefinitions
                   related with the created/modified Application
                 type: object
+              compression:
+                description: Compression represents the compressed components in apprev
+                  in base64 (if compression is enabled).
+                properties:
+                  data:
+                    type: string
+                  type:
+                    description: Type the compression type
+                    type: string
+                type: object
               policies:
                 additionalProperties:
                   description: Policy is the Schema for the policy API
@@ -4815,7 +4823,6 @@ spec:
                     type: object
                   endTime:
                     format: date-time
-                    nullable: true
                     type: string
                   finished:
                     type: boolean

charts/vela-core/crds/core.oam.dev_applications.yaml

@@ -768,7 +768,6 @@ spec:
                     type: object
                   endTime:
                     format: date-time
-                    nullable: true
                     type: string
                   finished:
                     type: boolean
@@ -1531,7 +1530,6 @@ spec:
                     type: object
                   endTime:
                     format: date-time
-                    nullable: true
                     type: string
                   finished:
                     type: boolean

charts/vela-core/crds/core.oam.dev_resourcetrackers.yaml

@@ -57,8 +57,8 @@ spec:
                 format: int64
                 type: integer
               compression:
-                description: ResourceTrackerCompression the compression for ResourceTracker
-                  ManagedResources
+                description: ResourceTrackerCompression represents the compressed
+                  components in ResourceTracker.
                 properties:
                   data:
                     type: string

charts/vela-core/templates/addon/fluxcd-def.yaml

@@ -1,270 +0,0 @@
-{{- if .Values.enableFluxcdAddon -}}
-apiVersion: core.oam.dev/v1beta1
-kind: Application
-metadata:
-  labels:
-    addons.oam.dev/name: fluxcd-def
-  name: addon-fluxcd-def
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    "helm.sh/resource-policy": keep
-spec:
-  components:
-    - name: fluxc-def-resources
-      properties:
-        objects:
-          - apiVersion: core.oam.dev/v1beta1
-            kind: ComponentDefinition
-            metadata:
-              annotations:
-                definition.oam.dev/description: helm release is a group of K8s resources
-                  from either git repository or helm repo
-              name: helm
-              namespace: {{.Values.systemDefinitionNamespace}}
-            spec:
-              schematic:
-                cue:
-                  template: "output: {\n\tapiVersion: \"source.toolkit.fluxcd.io/v1beta1\"\n\tmetadata:
-                {\n\t\tname: context.name\n\t}\n\tif parameter.repoType == \"git\"
-                {\n\t\tkind: \"GitRepository\"\n\t\tspec: {\n\t\t\turl: parameter.url\n\t\t\tif
-                parameter.git.branch != _|_ {\n\t\t\t\tref: branch: parameter.git.branch\n\t\t\t}\n\t\t\t_secret\n\t\t\t_sourceCommonArgs\n\t\t}\n\t}\n\tif
-                parameter.repoType == \"oss\" {\n\t\tkind: \"Bucket\"\n\t\tspec: {\n\t\t\tendpoint:
-                \  parameter.url\n\t\t\tbucketName: parameter.oss.bucketName\n\t\t\tprovider:
-                \  parameter.oss.provider\n\t\t\tif parameter.oss.region != _|_ {\n\t\t\t\tregion:
-                parameter.oss.region\n\t\t\t}\n\t\t\t_secret\n\t\t\t_sourceCommonArgs\n\t\t}\n\t}\n\tif
-                parameter.repoType == \"helm\" {\n\t\tkind: \"HelmRepository\"\n\t\tspec:
-                {\n\t\t\turl: parameter.url\n\t\t\t_secret\n\t\t\t_sourceCommonArgs\n\t\t}\n\t}\n}\n\noutputs:
-                release: {\n\tapiVersion: \"helm.toolkit.fluxcd.io/v2beta1\"\n\tkind:
-                \      \"HelmRelease\"\n\tmetadata: {\n\t\tname: context.name\n\t}\n\tspec:
-                {\n\t\ttimeout: parameter.installTimeout\n\t\tinterval: parameter.interval\n\t\tchart:
-                {\n\t\t\tspec: {\n\t\t\t\tchart:   parameter.chart\n\t\t\t\tversion:
-                parameter.version\n\t\t\t\tsourceRef: {\n\t\t\t\t\tif parameter.repoType
-                == \"git\" {\n\t\t\t\t\t\tkind: \"GitRepository\"\n\t\t\t\t\t}\n\t\t\t\t\tif
-                parameter.repoType == \"helm\" {\n\t\t\t\t\t\tkind: \"HelmRepository\"\n\t\t\t\t\t}\n\t\t\t\t\tif
-                parameter.repoType == \"oss\" {\n\t\t\t\t\t\tkind: \"Bucket\"\n\t\t\t\t\t}\n\t\t\t\t\tname:
-                \     context.name\n\t\t\t\t}\n\t\t\t\tinterval: parameter.interval\n\t\t\t}\n\t\t}\n\t\tif
-                parameter.targetNamespace != _|_ {\n\t\t\ttargetNamespace: parameter.targetNamespace\n\t\t}\n\t\tif
-                parameter.releaseName != _|_ {\n\t\t\treleaseName: parameter.releaseName\n\t\t}\n\t\tif
-                parameter.values != _|_ {\n\t\t\tvalues: parameter.values\n\t\t}\n\t}\n}\n\n_secret:
-                {\n\tif parameter.secretRef != _|_ {\n\t\tsecretRef: {\n\t\t\tname:
-                parameter.secretRef\n\t\t}\n\t}\n}\n\n_sourceCommonArgs: {\n\tinterval:
-                parameter.pullInterval\n\tif parameter.timeout != _|_ {\n\t\ttimeout:
-                parameter.timeout\n\t}\n}\n\nparameter: {\n\trepoType: *\"helm\" |
-                \"git\" | \"oss\"\n\t// +usage=The interval at which to check for
-                repository/bucket and relese updates, default to 5m\n\tpullInterval:
-                *\"5m\" | string\n        // +usage=The  Interval at which to reconcile
-                the Helm release, default to 30s\n        interval: *\"30s\" | string\n\t//
-                +usage=The Git or Helm repository URL, OSS endpoint, accept HTTP/S
-                or SSH address as git url,\n\turl: string\n\t// +usage=The name of
-                the secret containing authentication credentials\n\tsecretRef?: string\n\t//
-                +usage=The timeout for operations like download index/clone repository,
-                optional\n\ttimeout?: string\n\t// +usage=The timeout for operation
-                `helm install`, optional\n\tinstallTimeout: *\"10m\" | string\n\n\tgit?:
-                {\n\t\t// +usage=The Git reference to checkout and monitor for changes,
-                defaults to master branch\n\t\tbranch: string\n\t}\n\toss?: {\n\t\t//
-                +usage=The bucket's name, required if repoType is oss\n\t\tbucketName:
-                string\n\t\t// +usage=\"generic\" for Minio, Amazon S3, Google Cloud
-                Storage, Alibaba Cloud OSS, \"aws\" for retrieve credentials from
-                the EC2 service when credentials not specified, default \"generic\"\n\t\tprovider:
-                *\"generic\" | \"aws\"\n\t\t// +usage=The bucket region, optional\n\t\tregion?:
-                string\n\t}\n\n\t// +usage=1.The relative path to helm chart for git/oss
-                source. 2. chart name for helm resource 3. relative path for chart
-                package(e.g. ./charts/podinfo-1.2.3.tgz)\n\tchart: string\n\t// +usage=Chart
-                version\n\tversion: *\"*\" | string\n\t// +usage=The namespace for
-                helm chart, optional\n\ttargetNamespace?: string\n\t// +usage=The
-                release name\n\treleaseName?: string\n\t// +usage=Chart values\n\tvalues?:
-                #nestedmap\n}\n\n#nestedmap: {\n\t...\n}\n"
-              status:
-                customStatus: "repoMessage:    string\nreleaseMessage: string\nif context.output.status
-              == _|_ {\n\trepoMessage:    \"Fetching repository\"\n\treleaseMessage:
-              \"Wating repository ready\"\n}\nif context.output.status != _|_ {\n\trepoStatus:
-              context.output.status\n\tif repoStatus.conditions[0][\"type\"] != \"Ready\"
-              {\n\t\trepoMessage: \"Fetch repository fail\"\n\t}\n\tif repoStatus.conditions[0][\"type\"]
-              == \"Ready\" {\n\t\trepoMessage: \"Fetch repository successfully\"\n\t}\n\n\tif
-              context.outputs.release.status == _|_ {\n\t\treleaseMessage: \"Creating
-              helm release\"\n\t}\n\tif context.outputs.release.status != _|_ {\n\t\tif
-              context.outputs.release.status.conditions[0][\"message\"] == \"Release
-              reconciliation succeeded\" {\n\t\t\treleaseMessage: \"Create helm release
-              successfully\"\n\t\t}\n\t\tif context.outputs.release.status.conditions[0][\"message\"]
-              != \"Release reconciliation succeeded\" {\n\t\t\treleaseBasicMessage:
-              \"Delivery helm release in progress, message: \" + context.outputs.release.status.conditions[0][\"message\"]\n\t\t\tif
-              len(context.outputs.release.status.conditions) == 1 {\n\t\t\t\treleaseMessage:
-              releaseBasicMessage\n\t\t\t}\n\t\t\tif len(context.outputs.release.status.conditions)
-              > 1 {\n\t\t\t\treleaseMessage: releaseBasicMessage + \", \" + context.outputs.release.status.conditions[1][\"message\"]\n\t\t\t}\n\t\t}\n\t}\n\n}\nmessage:
-              repoMessage + \", \" + releaseMessage"
-                healthPolicy: 'isHealth: len(context.outputs.release.status.conditions)
-              != 0 && context.outputs.release.status.conditions[0]["status"]=="True"'
-              workload:
-                type: autodetects.core.oam.dev
-          - apiVersion: core.oam.dev/v1beta1
-            kind: TraitDefinition
-            metadata:
-              annotations:
-                definition.oam.dev/description: A list of JSON6902 patch to selected target
-              name: kustomize-json-patch
-              namespace: {{.Values.systemDefinitionNamespace}}
-            spec:
-              schematic:
-                cue:
-                  template: "patch: {\n\tspec: {\n\t\tpatchesJson6902: parameter.patchesJson\n\t}\n}\n\nparameter:
-                {\n\t// +usage=A list of JSON6902 patch.\n\tpatchesJson: [...#jsonPatchItem]\n}\n\n//
-                +usage=Contains a JSON6902 patch\n#jsonPatchItem: {\n\ttarget: #selector\n\tpatch:
-                [...{\n\t\t// +usage=operation to perform\n\t\top: string | \"add\"
-                | \"remove\" | \"replace\" | \"move\" | \"copy\" | \"test\"\n\t\t//
-                +usage=operate path e.g. /foo/bar\n\t\tpath: string\n\t\t// +usage=specify
-                source path when op is copy/move\n\t\tfrom?:  string\n\t\t// +usage=specify
-                opraation value when op is test/add/replace\n\t\tvalue?: string\n\t}]\n}\n\n//
-                +usage=Selector specifies a set of resources\n#selector: {\n\tgroup?:
-                \             string\n\tversion?:            string\n\tkind?:               string\n\tnamespace?:
-                \         string\n\tname?:               string\n\tannotationSelector?:
-                string\n\tlabelSelector?:      string\n}\n"
-          - apiVersion: core.oam.dev/v1beta1
-            kind: TraitDefinition
-            metadata:
-              annotations:
-                definition.oam.dev/description: A list of StrategicMerge or JSON6902 patch
-                  to selected target
-              name: kustomize-patch
-              namespace: {{.Values.systemDefinitionNamespace}}
-            spec:
-              schematic:
-                cue:
-                  template: "patch: {\n\tspec: {\n\t\tpatches: parameter.patches\n\t}\n}\nparameter:
-                {\n\t// +usage=a list of StrategicMerge or JSON6902 patch to selected
-                target\n\tpatches: [...#patchItem]\n}\n\n// +usage=Contains a strategicMerge
-                or JSON6902 patch\n#patchItem: {\n\t// +usage=Inline patch string,
-                in yaml style\n\tpatch: string\n\t// +usage=Specify the target the
-                patch should be applied to\n\ttarget: #selector\n}\n\n// +usage=Selector
-                specifies a set of resources\n#selector: {\n\tgroup?:              string\n\tversion?:
-                \           string\n\tkind?:               string\n\tnamespace?:          string\n\tname?:
-                \              string\n\tannotationSelector?: string\n\tlabelSelector?:
-                \     string\n}\n"
-          - apiVersion: core.oam.dev/v1beta1
-            kind: ComponentDefinition
-            metadata:
-              annotations:
-                definition.oam.dev/description: kustomize can fetching, building, updating
-                  and applying Kustomize manifests from git repo.
-              name: kustomize
-              namespace: {{.Values.systemDefinitionNamespace}}
-            spec:
-              schematic:
-                cue:
-                  template: "output: {\n\tapiVersion: \"kustomize.toolkit.fluxcd.io/v1beta1\"\n\tkind:
-                \      \"Kustomization\"\n\tmetadata: {\n\t\tname: context.name\n
-                \   namespace: context.namespace\n\t}\n\tspec: {\n\t\tinterval: parameter.pullInterval\n\t\tsourceRef:
-                {\n\t\t\tif parameter.repoType == \"git\" {\n\t\t\t\tkind: \"GitRepository\"\n\t\t\t}\n\t\t\tif
-                parameter.repoType == \"oss\" {\n\t\t\t\tkind: \"Bucket\"\n\t\t\t}\n\t\t\tname:
-                \     context.name\n\t\t\tnamespace: context.namespace\n\t\t}\n\t\tpath:
-                \      parameter.path\n\t\tprune:      true\n\t\tvalidation: \"client\"\n\t}\n}\n\noutputs:
-                {\n  repo: {\n\t  apiVersion: \"source.toolkit.fluxcd.io/v1beta1\"\n\t
-                \ metadata: {\n\t\t  name: context.name\n      namespace: context.namespace\n\t
-                \ }\n\t  if parameter.repoType == \"git\" {\n\t\t  kind: \"GitRepository\"\n\t\t
-                \ spec: {\n\t\t\t  url: parameter.url\n\t\t\t  if parameter.git.branch
-                != _|_ {\n\t\t\t\t  ref: branch: parameter.git.branch\n\t\t\t  }\n
-                \       if parameter.git.provider != _|_ {\n          if parameter.git.provider
-                == \"GitHub\" {\n            gitImplementation: \"go-git\"\n          }\n
-                \         if parameter.git.provider == \"AzureDevOps\" {\n            gitImplementation:
-                \"libgit2\"\n          }\n        }\n\t\t\t  _secret\n\t\t\t  _sourceCommonArgs\n\t\t
-                \ }\n\t  }\n\t  if parameter.repoType == \"oss\" {\n\t\t  kind: \"Bucket\"\n\t\t
-                \ spec: {\n\t\t\t  endpoint:   parameter.url\n\t\t\t  bucketName:
-                parameter.oss.bucketName\n\t\t\t  provider:   parameter.oss.provider\n\t\t\t
-                \ if parameter.oss.region != _|_ {\n\t\t\t\t  region: parameter.oss.region\n\t\t\t
-                \ }\n\t\t\t  _secret\n\t\t\t  _sourceCommonArgs\n\t\t  }\n\t  }\n
-                \ }\n\n  if parameter.imageRepository != _|_ {\n    imageRepo: {\n
-                \     apiVersion: \"image.toolkit.fluxcd.io/v1beta1\"\n      kind:
-                \"ImageRepository\"\n\t    metadata: {\n\t\t    name: context.name\n
-                \       namespace: context.namespace\n\t    }\n      spec: {\n        image:
-                parameter.imageRepository.image\n        interval: parameter.pullInterval\n
-                \       if parameter.imageRepository.secretRef != _|_ {\n          secretRef:
-                name: parameter.imageRepository.secretRef\n        }\n      }\n    }\n\n
-                \   imagePolicy: {\n      apiVersion: \"image.toolkit.fluxcd.io/v1beta1\"\n
-                \     kind: \"ImagePolicy\"\n\t    metadata: {\n\t\t    name: context.name\n
-                \       namespace: context.namespace\n\t    }\n      spec: {\n        imageRepositoryRef:
-                name: context.name\n        policy: parameter.imageRepository.policy\n
-                \       if parameter.imageRepository.filterTags != _|_ {\n          filterTags:
-                parameter.imageRepository.filterTags\n        }\n      }\n    }\n\n
-                \   imageUpdate: {\n      apiVersion: \"image.toolkit.fluxcd.io/v1beta1\"\n
-                \     kind: \"ImageUpdateAutomation\"\n\t    metadata: {\n\t\t    name:
-                context.name\n        namespace: context.namespace\n\t    }\n      spec:
-                {\n        interval: parameter.pullInterval\n        sourceRef: {\n
-                \         kind: \"GitRepository\"\n          name: context.name\n
-                \       }\n        git: {\n          checkout: ref: branch: parameter.git.branch\n
-                \         commit: {\n            author: {\n              email: \"kubevelabot@users.noreply.github.com\"\n
-                \             name: \"kubevelabot\"\n            }\n            if
-                parameter.imageRepository.commitMessage != _|_ {\n              messageTemplate:
-                \"Update image automatically.\\n\" + parameter.imageRepository.commitMessage\n
-                \           }\n            if parameter.imageRepository.commitMessage
-                == _|_ {\n              messageTemplate: \"Update image automatically.\"\n
-                \           }\n          }\n          push: branch: parameter.git.branch\n
-                \       }\n        update: {\n          path:\tparameter.path\n          strategy:
-                \"Setters\"\n        }\n      }\n    }\n  }\n}\n\n_secret: {\n\tif
-                parameter.secretRef != _|_ {\n\t\tsecretRef: {\n\t\t\tname: parameter.secretRef\n\t\t}\n\t}\n}\n\n_sourceCommonArgs:
-                {\n\tinterval: parameter.pullInterval\n\tif parameter.timeout != _|_
-                {\n\t\ttimeout: parameter.timeout\n\t}\n}\n\nparameter: {\n\trepoType:
-                *\"git\" | \"oss\"\n  // +usage=The image repository for automatically
-                update image to git\n  imageRepository?: {\n    // +usage=The image
-                url\n    image: string\n    // +usage=The name of the secret containing
-                authentication credentials\n    secretRef?: string\n    // +usage=Policy
-                gives the particulars of the policy to be followed in selecting the
-                most recent image.\n    policy: {\n      // +usage=Alphabetical set
-                of rules to use for alphabetical ordering of the tags.\n      alphabetical?:
-                {\n        // +usage=Order specifies the sorting order of the tags.\n
-                \       // +usage=Given the letters of the alphabet as tags, ascending
-                order would select Z, and descending order would select A.\n        order?:
-                \"asc\" | \"desc\"\n      }\n      // +usage=Numerical set of rules
-                to use for numerical ordering of the tags.\n      numerical?: {\n
-                \       // +usage=Order specifies the sorting order of the tags.\n
-                \       // +usage=Given the integer values from 0 to 9 as tags, ascending
-                order would select 9, and descending order would select 0.\n        order:
-                \"asc\" | \"desc\"\n      }\n      // +usage=SemVer gives a semantic
-                version range to check against the tags available.\n      semver?:
-                {\n        // +usage=Range gives a semver range for the image tag;
-                the highest version within the range that's a tag yields the latest
-                image.\n        range: string\n      }\n    }\n    // +usage=FilterTags
-                enables filtering for only a subset of tags based on a set of rules.
-                If no rules are provided, all the tags from the repository will be
-                ordered and compared.\n    filterTags?: {\n      // +usage=Extract
-                allows a capture group to be extracted from the specified regular
-                expression pattern, useful before tag evaluation.\n      extract?:
-                string\n      // +usage=Pattern specifies a regular expression pattern
-                used to filter for image tags.\n      pattern?: string\n    }\n    //
-                +usage=The image url\n    commitMessage?: string\n  }\n\t// +usage=The
-                interval at which to check for repository/bucket and release updates,
-                default to 5m\n\tpullInterval: *\"5m\" | string\n\t// +usage=The Git
-                or Helm repository URL, OSS endpoint, accept HTTP/S or SSH address
-                as git url,\n\turl: string\n\t// +usage=The name of the secret containing
-                authentication credentials\n\tsecretRef?: string\n\t// +usage=The
-                timeout for operations like download index/clone repository, optional\n\ttimeout?:
-                string\n\tgit?: {\n\t\t// +usage=The Git reference to checkout and
-                monitor for changes, defaults to master branch\n\t\tbranch: string\n
-                \   // +usage=Determines which git client library to use. Defaults
-                to GitHub, it will pick go-git. AzureDevOps will pick libgit2.\n    provider?:
-                *\"GitHub\" | \"AzureDevOps\"\n\t}\n\toss?: {\n\t\t// +usage=The bucket's
-                name, required if repoType is oss\n\t\tbucketName: string\n\t\t//
-                +usage=\"generic\" for Minio, Amazon S3, Google Cloud Storage, Alibaba
-                Cloud OSS, \"aws\" for retrieve credentials from the EC2 service when
-                credentials not specified, default \"generic\"\n\t\tprovider: *\"generic\"
-                | \"aws\"\n\t\t// +usage=The bucket region, optional\n\t\tregion?:
-                string\n\t}\n\t//+usage=Path to the directory containing the kustomization.yaml
-                file, or the set of plain YAMLs a kustomization.yaml should be generated
-                for.\n\tpath: string\n}"
-              workload:
-                type: autodetects.core.oam.dev
-          - apiVersion: core.oam.dev/v1beta1
-            kind: TraitDefinition
-            metadata:
-              annotations:
-                definition.oam.dev/description: A list of strategic merge to kustomize
-                  config
-              name: kustomize-strategy-merge
-              namespace: {{.Values.systemDefinitionNamespace}}
-            spec:
-              schematic:
-                cue:
-                  template: "patch: {\n\tspec: {\n\t\tpatchesStrategicMerge: parameter.patchesStrategicMerge\n\t}\n}\n\nparameter:
-                {\n\t// +usage=a list of strategicmerge, defined as inline yaml objects.\n\tpatchesStrategicMerge:
-                [...#nestedmap]\n}\n\n#nestedmap: {\n\t...\n}\n"
-      type: k8s-objects
-
-  {{- end }}

charts/vela-core/templates/defwithtemplate/apply-deployment.yaml

@@ -0,0 +1,51 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/apply-deployment.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    definition.oam.dev/alias: ""
+    definition.oam.dev/description: Apply deployment with specified image and cmd.
+  name: apply-deployment
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"strconv"
+        	"strings"
+        	"vela/op"
+        )
+
+        output: op.#Apply & {
+        	value: {
+        		apiVersion: "apps/v1"
+        		kind:       "Deployment"
+        		metadata: {
+        			name:      context.stepName
+        			namespace: context.namespace
+        		}
+        		spec: {
+        			selector: matchLabels: "workflow.oam.dev/step-name": "\(context.name)-\(context.stepName)"
+        			template: {
+        				metadata: labels: "workflow.oam.dev/step-name": "\(context.name)-\(context.stepName)"
+        				spec: containers: [{
+        					name:  context.stepName
+        					image: parameter.image
+        					if parameter["cmd"] != _|_ {
+        						command: parameter.cmd
+        					}
+        				}]
+        			}
+        		}
+        	}
+        }
+        wait: op.#ConditionalWait & {
+        	continue: output.value.status.readyReplicas == 1
+        }
+        parameter: {
+        	image: string
+        	cmd?: [...string]
+        }
+

charts/vela-core/templates/defwithtemplate/apply-terraform-config.yaml

@@ -0,0 +1,91 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/apply-terraform-config.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    definition.oam.dev/alias: ""
+    definition.oam.dev/description: Apply terraform configuration in the step
+    definition.oam.dev/example-url: https://raw.githubusercontent.com/kubevela/workflow/main/examples/workflow-run/apply-terraform-resource.yaml
+  name: apply-terraform-config
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"vela/op"
+        )
+
+        apply: op.#Apply & {
+        	value: {
+        		apiVersion: "terraform.core.oam.dev/v1beta2"
+        		kind:       "Configuration"
+        		metadata: {
+        			name:      "\(context.name)-\(context.stepName)"
+        			namespace: context.namespace
+        		}
+        		spec: {
+        			deleteResource: parameter.deleteResource
+        			variable:       parameter.variable
+        			forceDelete:    parameter.forceDelete
+        			if parameter.source.path != _|_ {
+        				path: parameter.source.path
+        			}
+        			if parameter.source.remote != _|_ {
+        				remote: parameter.source.remote
+        			}
+        			if parameter.source.hcl != _|_ {
+        				hcl: parameter.source.hcl
+        			}
+        			if parameter.providerRef != _|_ {
+        				providerRef: parameter.providerRef
+        			}
+        			if parameter.jobEnv != _|_ {
+        				jobEnv: parameter.jobEnv
+        			}
+        			if parameter.writeConnectionSecretToRef != _|_ {
+        				writeConnectionSecretToRef: parameter.writeConnectionSecretToRef
+        			}
+        			if parameter.region != _|_ {
+        				region: parameter.region
+        			}
+        		}
+        	}
+        }
+        check: op.#ConditionalWait & {
+        	continue: apply.value.status != _|_ && apply.value.status.apply != _|_ && apply.value.status.apply.state == "Available"
+        }
+        parameter: {
+        	// +usage=specify the source of the terraform configuration
+        	source: close({
+        		// +usage=directly specify the hcl of the terraform configuration
+        		hcl: string
+        	}) | close({
+        		// +usage=specify the remote url of the terraform configuration
+        		remote: *"https://github.com/kubevela-contrib/terraform-modules.git" | string
+        		// +usage=specify the path of the terraform configuration
+        		path?: string
+        	})
+        	// +usage=whether to delete resource
+        	deleteResource: *true | bool
+        	// +usage=the variable in the configuration
+        	variable: {...}
+        	// +usage=this specifies the namespace and name of a secret to which any connection details for this managed resource should be written.
+        	writeConnectionSecretToRef?: {
+        		name:      string
+        		namespace: *context.namespace | string
+        	}
+        	// +usage=providerRef specifies the reference to Provider
+        	providerRef?: {
+        		name:      string
+        		namespace: *context.namespace | string
+        	}
+        	// +usage=region is cloud provider's region. It will override the region in the region field of providerRef
+        	region?: string
+        	// +usage=the envs for job
+        	jobEnv?: {...}
+        	// +usae=forceDelete will force delete Configuration no matter which state it is or whether it has provisioned some resources
+        	forceDelete: *false | bool
+        }
+

charts/vela-core/templates/defwithtemplate/apply-terraform-provider.yaml

@@ -0,0 +1,144 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/apply-terraform-provider.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    definition.oam.dev/alias: ""
+    definition.oam.dev/description: Apply terraform provider config
+    definition.oam.dev/example-url: https://raw.githubusercontent.com/kubevela/workflow/main/examples/workflow-run/apply-terraform-resource.yaml
+  name: apply-terraform-provider
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"vela/op"
+        	"strings"
+        )
+
+        config: op.#CreateConfig & {
+        	name:      "\(context.name)-\(context.stepName)"
+        	namespace: context.namespace
+        	template:  "terraform-\(parameter.type)"
+        	config: {
+        		name: parameter.name
+        		if parameter.type == "alibaba" {
+        			ALICLOUD_ACCESS_KEY: parameter.accessKey
+        			ALICLOUD_SECRET_KEY: parameter.secretKey
+        			ALICLOUD_REGION:     parameter.region
+        		}
+        		if parameter.type == "aws" {
+        			AWS_ACCESS_KEY_ID:     parameter.accessKey
+        			AWS_SECRET_ACCESS_KEY: parameter.secretKey
+        			AWS_DEFAULT_REGION:    parameter.region
+        			AWS_SESSION_TOKEN:     parameter.token
+        		}
+        		if parameter.type == "azure" {
+        			ARM_CLIENT_ID:       parameter.clientID
+        			ARM_CLIENT_SECRET:   parameter.clientSecret
+        			ARM_SUBSCRIPTION_ID: parameter.subscriptionID
+        			ARM_TENANT_ID:       parameter.tenantID
+        		}
+        		if parameter.type == "baidu" {
+        			BAIDUCLOUD_ACCESS_KEY: parameter.accessKey
+        			BAIDUCLOUD_SECRET_KEY: parameter.secretKey
+        			BAIDUCLOUD_REGION:     parameter.region
+        		}
+        		if parameter.type == "ec" {
+        			EC_API_KEY: parameter.apiKey
+        		}
+        		if parameter.type == "gcp" {
+        			GOOGLE_CREDENTIALS: parameter.credentials
+        			GOOGLE_REGION:      parameter.region
+        			GOOGLE_PROJECT:     parameter.project
+        		}
+        		if parameter.type == "tencent" {
+        			TENCENTCLOUD_SECRET_ID:  parameter.secretID
+        			TENCENTCLOUD_SECRET_KEY: parameter.secretKey
+        			TENCENTCLOUD_REGION:     parameter.region
+        		}
+        		if parameter.type == "ucloud" {
+        			UCLOUD_PRIVATE_KEY: parameter.privateKey
+        			UCLOUD_PUBLIC_KEY:  parameter.publicKey
+        			UCLOUD_PROJECT_ID:  parameter.projectID
+        			UCLOUD_REGION:      parameter.region
+        		}
+        	}
+        }
+        read: op.#Read & {
+        	value: {
+        		apiVersion: "terraform.core.oam.dev/v1beta1"
+        		kind:       "Provider"
+        		metadata: {
+        			name:      parameter.name
+        			namespace: context.namespace
+        		}
+        	}
+        }
+        check: op.#ConditionalWait & {
+        	if read.value.status != _|_ {
+        		continue: read.value.status.state == "ready"
+        	}
+        	if read.value.status == _|_ {
+        		continue: false
+        	}
+        }
+        providerBasic: {
+        	accessKey: string
+        	secretKey: string
+        	region:    string
+        }
+        #AlibabaProvider: {
+        	providerBasic
+        	type: "alibaba"
+        	name: *"alibaba-provider" | string
+        }
+        #AWSProvider: {
+        	providerBasic
+        	token: *"" | string
+        	type:  "aws"
+        	name:  *"aws-provider" | string
+        }
+        #AzureProvider: {
+        	subscriptionID: string
+        	tenantID:       string
+        	clientID:       string
+        	clientSecret:   string
+        	name:           *"azure-provider" | string
+        }
+        #BaiduProvider: {
+        	providerBasic
+        	type: "baidu"
+        	name: *"baidu-provider" | string
+        }
+        #ECProvider: {
+        	type:   "ec"
+        	apiKey: *"" | string
+        	name:   "ec-provider" | string
+        }
+        #GCPProvider: {
+        	credentials: string
+        	region:      string
+        	project:     string
+        	type:        "gcp"
+        	name:        *"gcp-provider" | string
+        }
+        #TencentProvider: {
+        	secretID:  string
+        	secretKey: string
+        	region:    string
+        	type:      "tencent"
+        	name:      *"tencent-provider" | string
+        }
+        #UCloudProvider: {
+        	publicKey:  string
+        	privateKey: string
+        	projectID:  string
+        	region:     string
+        	type:       "ucloud"
+        	name:       *"ucloud-provider" | string
+        }
+        parameter: *#AlibabaProvider | #AWSProvider | #AzureProvider | #BaiduProvider | #ECProvider | #GCPProvider | #TencentProvider | #UCloudProvider
+

charts/vela-core/templates/defwithtemplate/build-push-image.yaml

@@ -0,0 +1,125 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/build-push-image.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    definition.oam.dev/alias: ""
+    definition.oam.dev/description: Build and push image from git url
+    definition.oam.dev/example-url: https://raw.githubusercontent.com/kubevela/workflow/main/examples/workflow-run/built-push-image.yaml
+  name: build-push-image
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"vela/op"
+        	"encoding/json"
+        	"strings"
+        )
+
+        url:    strings.TrimPrefix(strings.TrimPrefix(parameter.git, "https://"), "http://")
+        kaniko: op.#Apply & {
+        	value: {
+        		apiVersion: "v1"
+        		kind:       "Pod"
+        		metadata: {
+        			name:      "\(context.name)-\(context.stepSessionID)-kaniko"
+        			namespace: context.namespace
+        		}
+        		spec: {
+        			containers: [
+        				{
+        					args: [
+        						"--dockerfile=\(parameter.dockerfile)",
+        						"--context=git://\(url)#refs/heads/\(parameter.branch)",
+        						"--destination=\(parameter.image)",
+        						"--verbosity=\(parameter.verbosity)",
+        					]
+        					image: parameter.kanikoExecutor
+        					name:  "kaniko"
+        					if parameter.credentials != _|_ && parameter.credentials.image != _|_ {
+        						volumeMounts: [
+        							{
+        								mountPath: "/kaniko/.docker/"
+        								name:      parameter.credentials.image.name
+        							},
+        						]
+        					}
+        					if parameter.credentials != _|_ && parameter.credentials.git != _|_ {
+        						env: [
+        							{
+        								name: "GIT_TOKEN"
+        								valueFrom: secretKeyRef: {
+        									key:  parameter.credentials.git.key
+        									name: parameter.credentials.git.name
+        								}
+        							},
+        						]
+        					}
+        				},
+        			]
+        			if parameter.credentials != _|_ && parameter.credentials.image != _|_ {
+        				volumes: [
+        					{
+        						name: parameter.credentials.image.name
+        						secret: {
+        							defaultMode: 420
+        							items: [
+        								{
+        									key:  parameter.credentials.image.key
+        									path: "config.json"
+        								},
+        							]
+        							secretName: parameter.credentials.image.name
+        						}
+        					},
+        				]
+        			}
+        			restartPolicy: "Never"
+        		}
+        	}
+        }
+        log: op.#Log & {
+        	source: resources: [{
+        		name:      "\(context.name)-\(context.stepSessionID)-kaniko"
+        		namespace: context.namespace
+        	}]
+        }
+        read: op.#Read & {
+        	value: {
+        		apiVersion: "v1"
+        		kind:       "Pod"
+        		metadata: {
+        			name:      "\(context.name)-\(context.stepSessionID)-kaniko"
+        			namespace: context.namespace
+        		}
+        	}
+        }
+        wait: op.#ConditionalWait & {
+        	continue: read.value.status != _|_ && read.value.status.phase == "Succeeded"
+        }
+        #secret: {
+        	name: string
+        	key:  string
+        }
+        parameter: {
+        	kanikoExecutor: *"gcr.io/kaniko-project/executor:latest" | string
+        	git:            string
+        	branch:         *"master" | string
+        	dockerfile:     *"./Dockerfile" | string
+        	image:          string
+        	credentials?: {
+        		git?: {
+        			name: string
+        			key:  string
+        		}
+        		image?: {
+        			name: string
+        			key:  *".dockerconfigjson" | string
+        		}
+        	}
+        	verbosity: *"info" | "panic" | "fatal" | "error" | "warn" | "debug" | "trace"
+        }
+

charts/vela-core/templates/defwithtemplate/clean-jobs.yaml

@@ -0,0 +1,57 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/clean-jobs.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: clean applied jobs in the cluster
+  name: clean-jobs
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"vela/op"
+        )
+
+        parameter: labelselector?: {...}
+        cleanJobs: op.#Delete & {
+        	value: {
+        		apiVersion: "batch/v1"
+        		kind:       "Job"
+        		metadata: {
+        			name:      context.name
+        			namespace: context.namespace
+        		}
+        	}
+        	filter: {
+        		namespace: context.namespace
+        		if parameter.labelselector != _|_ {
+        			matchingLabels: parameter.labelselector
+        		}
+        		if parameter.labelselector == _|_ {
+        			matchingLabels: "workflow.oam.dev/name": context.name
+        		}
+        	}
+        }
+        cleanPods: op.#Delete & {
+        	value: {
+        		apiVersion: "v1"
+        		kind:       "pod"
+        		metadata: {
+        			name:      context.name
+        			namespace: context.namespace
+        		}
+        	}
+        	filter: {
+        		namespace: context.namespace
+        		if parameter.labelselector != _|_ {
+        			matchingLabels: parameter.labelselector
+        		}
+        		if parameter.labelselector == _|_ {
+        			matchingLabels: "workflow.oam.dev/name": context.name
+        		}
+        	}
+        }
+

charts/vela-core/templates/defwithtemplate/export2secret.yaml

@@ -15,27 +15,43 @@ spec:
       template: |
         import (
         	"vela/op"
+        	"encoding/base64"
+        	"encoding/json"
         )
 
-        apply: op.#Apply & {
-        	value: {
-        		apiVersion: "v1"
-        		kind:       "Secret"
-        		if parameter.type != _|_ {
-        			type: parameter.type
+        secret: op.#Steps & {
+        	data: *parameter.data | {}
+        	if parameter.kind == "docker-registry" && parameter.dockerRegistry != _|_ {
+        		registryData: auths: "\(parameter.dockerRegistry.server)": {
+        			username: parameter.dockerRegistry.username
+        			password: parameter.dockerRegistry.password
+        			auth:     base64.Encode(null, "\(parameter.dockerRegistry.username):\(parameter.dockerRegistry.password)")
         		}
-        		metadata: {
-        			name: parameter.secretName
-        			if parameter.namespace != _|_ {
-        				namespace: parameter.namespace
-        			}
-        			if parameter.namespace == _|_ {
-        				namespace: context.namespace
-        			}
-        		}
-        		stringData: parameter.data
+        		data: ".dockerconfigjson": json.Marshal(registryData)
+        	}
+        	apply: op.#Apply & {
+        		value: {
+        			apiVersion: "v1"
+        			kind:       "Secret"
+        			if parameter.type == _|_ && parameter.kind == "docker-registry" {
+        				type: "kubernetes.io/dockerconfigjson"
+        			}
+        			if parameter.type != _|_ {
+        				type: parameter.type
+        			}
+        			metadata: {
+        				name: parameter.secretName
+        				if parameter.namespace != _|_ {
+        					namespace: parameter.namespace
+        				}
+        				if parameter.namespace == _|_ {
+        					namespace: context.namespace
+        				}
+        			}
+        			stringData: data
+        		}
+        		cluster: parameter.cluster
         	}
-        	cluster: parameter.cluster
         }
         parameter: {
         	// +usage=Specify the name of the secret
@@ -48,5 +64,16 @@ spec:
         	data: {}
         	// +usage=Specify the cluster of the secret
         	cluster: *"" | string
+        	// +usage=Specify the kind of the secret
+        	kind: *"generic" | "docker-registry"
+        	// +usage=Specify the docker data
+        	dockerRegistry?: {
+        		// +usage=Specify the username of the docker registry
+        		username: string
+        		// +usage=Specify the password of the docker registry
+        		password: string
+        		// +usage=Specify the server of the docker registry
+        		server: *"https://index.docker.io/v1/" | string
+        	}
         }
 

charts/vela-core/templates/defwithtemplate/read-only.yaml

@@ -0,0 +1,38 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/read-only.cue
+apiVersion: core.oam.dev/v1beta1
+kind: PolicyDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Configure the resources to be read-only in the application (no update / state-keep).
+  name: read-only
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        #PolicyRule: {
+        	// +usage=Specify how to select the targets of the rule
+        	selector: [...#RuleSelector]
+        }
+        #RuleSelector: {
+        	// +usage=Select resources by component names
+        	componentNames?: [...string]
+        	// +usage=Select resources by component types
+        	componentTypes?: [...string]
+        	// +usage=Select resources by oamTypes (COMPONENT or TRAIT)
+        	oamTypes?: [...string]
+        	// +usage=Select resources by trait types
+        	traitTypes?: [...string]
+        	// +usage=Select resources by resource types (like Deployment)
+        	resourceTypes?: [...string]
+        	// +usage=Select resources by their names
+        	resourceNames?: [...string]
+        }
+        parameter: {
+        	// +usage=Specify the list of rules to control read only strategy at resource level.
+        	// The selected resource will be read-only to the current application. If the target resource does
+        	// not exist, error will be raised.
+        	rules?: [...#PolicyRule]
+        }
+

charts/vela-core/templates/defwithtemplate/request.yaml

@@ -0,0 +1,47 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/request.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    definition.oam.dev/alias: ""
+    definition.oam.dev/description: Send request to the url
+    definition.oam.dev/example-url: https://raw.githubusercontent.com/kubevela/workflow/main/examples/workflow-run/request.yaml
+  name: request
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"vela/op"
+        	"encoding/json"
+        )
+
+        http: op.#HTTPDo & {
+        	method: parameter.method
+        	url:    parameter.url
+        	request: {
+        		if parameter.body != _|_ {
+        			body: json.Marshal(parameter.body)
+        		}
+        		if parameter.header != _|_ {
+        			header: parameter.header
+        		}
+        	}
+        }
+        fail: op.#Steps & {
+        	if http.response.statusCode > 400 {
+        		requestFail: op.#Fail & {
+        			message: "request of \(parameter.url) is fail: \(http.response.statusCode)"
+        		}
+        	}
+        }
+        response: json.Unmarshal(http.response.body)
+        parameter: {
+        	url:    string
+        	method: *"GET" | "POST" | "PUT" | "DELETE"
+        	body?: {...}
+        	header?: [string]: string
+        }
+

charts/vela-core/templates/defwithtemplate/startup-probe.yaml

@@ -0,0 +1,168 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/startup-probe.cue
+apiVersion: core.oam.dev/v1beta1
+kind: TraitDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Add startup probe hooks for the specified container of K8s pod for your workload which follows the pod spec in path 'spec.template'.
+  name: startup-probe
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  appliesToWorkloads:
+    - deployments.apps
+    - statefulsets.apps
+    - daemonsets.apps
+    - jobs.batch
+  podDisruptive: true
+  schematic:
+    cue:
+      template: |
+        #StartupProbeParams: {
+        	// +usage=Specify the name of the target container, if not set, use the component name
+        	containerName: *"" | string
+        	// +usage=Number of seconds after the container has started before liveness probes are initiated. Minimum value is 0.
+        	initialDelaySeconds: *0 | int
+        	// +usage=How often, in seconds, to execute the probe. Minimum value is 1.
+        	periodSeconds: *10 | int
+        	// +usage=Number of seconds after which the probe times out. Minimum value is 1.
+        	timeoutSeconds: *1 | int
+        	// +usage=Minimum consecutive successes for the probe to be considered successful after having failed.  Minimum value is 1.
+        	successThreshold: *1 | int
+        	// +usage=Minimum consecutive failures for the probe to be considered failed after having succeeded. Minimum value is 1.
+        	failureThreshold: *3 | int
+        	// +usage=Optional duration in seconds the pod needs to terminate gracefully upon probe failure. Set this value longer than the expected cleanup time for your process.
+        	terminationGracePeriodSeconds?: int
+        	// +usage=Instructions for assessing container startup status by executing a command. Either this attribute or the httpGet attribute or the grpc attribute or the tcpSocket attribute MUST be specified. This attribute is mutually exclusive with the httpGet attribute and the tcpSocket attribute and the gRPC attribute.
+        	exec?: {
+        		// +usage=A command to be executed inside the container to assess its health. Each space delimited token of the command is a separate array element. Commands exiting 0 are considered to be successful probes, whilst all other exit codes are considered failures.
+        		command: [...string]
+        	}
+        	// +usage=Instructions for assessing container startup status by executing an HTTP GET request. Either this attribute or the exec attribute or the grpc attribute or the tcpSocket attribute MUST be specified. This attribute is mutually exclusive with the exec attribute and the tcpSocket attribute and the gRPC attribute.
+        	httpGet?: {
+        		// +usage=The endpoint, relative to the port, to which the HTTP GET request should be directed.
+        		path?: string
+        		// +usage=The port numer to access on the host or container.
+        		port: int
+        		// +usage=The hostname to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead.
+        		host?: string
+        		// +usage=The Scheme to use for connecting to the host.
+        		scheme?: *"HTTP" | "HTTPS"
+        		// +usage=Custom headers to set in the request. HTTP allows repeated headers.
+        		httpHeaders?: [...{
+        			// +usage=The header field name
+        			name: string
+        			//+usage=The header field value
+        			value: string
+        		}]
+        	}
+        	// +usage=Instructions for assessing container startup status by probing a gRPC service. Either this attribute or the exec attribute or the grpc attribute or the httpGet attribute MUST be specified. This attribute is mutually exclusive with the exec attribute and the httpGet attribute and the tcpSocket attribute.
+        	grpc?: {
+        		// +usage=The port number of the gRPC service.
+        		port: int
+        		// +usage=The name of the service to place in the gRPC HealthCheckRequest
+        		service?: string
+        	}
+        	// +usage=Instructions for assessing container startup status by probing a TCP socket. Either this attribute or the exec attribute or the tcpSocket attribute or the httpGet attribute MUST be specified. This attribute is mutually exclusive with the exec attribute and the httpGet attribute and the gRPC attribute.
+        	tcpSocket?: {
+        		// +usage=Number or name of the port to access on the container.
+        		port: string
+        		// +usage=Host name to connect to, defaults to the pod IP.
+        		host?: string
+        	}
+        }
+        PatchContainer: {
+        	_params:         #StartupProbeParams
+        	name:            _params.containerName
+        	_baseContainers: context.output.spec.template.spec.containers
+        	_matchContainers_: [ for _container_ in _baseContainers if _container_.name == name {_container_}]
+        	if len(_matchContainers_) == 0 {
+        		err: "container \(name) not found"
+        	}
+        	if len(_matchContainers_) > 0 {
+        		startupProbe: {
+        			if _params.exec != _|_ {
+        				exec: _params.exec
+        			}
+        			if _params.httpGet != _|_ {
+        				httpGet: _params.httpGet
+        			}
+        			if _params.grpc != _|_ {
+        				grpc: _params.grpc
+        			}
+        			if _params.tcpSocket != _|_ {
+        				tcpSocket: _params.tcpSocket
+        			}
+        			if _params.initialDelaySeconds != _|_ {
+        				initialDelaySeconds: _params.initialDelaySeconds
+        			}
+        			if _params.periodSeconds != _|_ {
+        				periodSeconds: _params.periodSeconds
+        			}
+        			if _params.tcpSocket != _|_ {
+        				tcpSocket: _params.tcpSocket
+        			}
+        			if _params.timeoutSeconds != _|_ {
+        				timeoutSeconds: _params.timeoutSeconds
+        			}
+        			if _params.successThreshold != _|_ {
+        				successThreshold: _params.successThreshold
+        			}
+        			if _params.failureThreshold != _|_ {
+        				failureThreshold: _params.failureThreshold
+        			}
+        			if _params.terminationGracePeriodSeconds != _|_ {
+        				terminationGracePeriodSeconds: _params.terminationGracePeriodSeconds
+        			}
+        		}
+        	}
+        }
+        patch: spec: template: spec: {
+        	if parameter.probes == _|_ {
+        		// +patchKey=name
+        		containers: [{
+        			PatchContainer & {_params: {
+        				if parameter.containerName == "" {
+        					containerName: context.name
+        				}
+        				if parameter.containerName != "" {
+        					containerName: parameter.containerName
+        				}
+        				periodSeconds:                 parameter.periodSeconds
+        				initialDelaySeconds:           parameter.initialDelaySeconds
+        				timeoutSeconds:                parameter.timeoutSeconds
+        				successThreshold:              parameter.successThreshold
+        				failureThreshold:              parameter.failureThreshold
+        				terminationGracePeriodSeconds: parameter.terminationGracePeriodSeconds
+        				if parameter.exec != _|_ {
+        					exec: parameter.exec
+        				}
+        				if parameter.httpGet != _|_ {
+        					httpGet: parameter.httpGet
+        				}
+        				if parameter.grpc != _|_ {
+        					grpc: parameter.grpc
+        				}
+        				if parameter.tcpSocket != _|_ {
+        					tcpSocket: parameter.grtcpSocketpc
+        				}
+        			}}
+        		}]
+        	}
+        	if parameter.probes != _|_ {
+        		// +patchKey=name
+        		containers: [ for c in parameter.probes {
+        			if c.name == "" {
+        				err: "containerName must be set when specifying startup probe for multiple containers"
+        			}
+        			if c.name != "" {
+        				PatchContainer & {_params: c}
+        			}
+        		}]
+        	}
+        }
+        parameter: *#StartupProbeParams | close({
+        	// +usage=Specify the startup probe for multiple containers
+        	probes: [...#StartupProbeParams]
+        })
+        errs: [ for c in patch.spec.template.spec.containers if c.err != _|_ {c.err}]
+

charts/vela-core/templates/defwithtemplate/take-over.yaml

@@ -0,0 +1,38 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/take-over.cue
+apiVersion: core.oam.dev/v1beta1
+kind: PolicyDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Configure the resources to be able to take over when it belongs to no application.
+  name: take-over
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        #PolicyRule: {
+        	// +usage=Specify how to select the targets of the rule
+        	selector: [...#RuleSelector]
+        }
+        #RuleSelector: {
+        	// +usage=Select resources by component names
+        	componentNames?: [...string]
+        	// +usage=Select resources by component types
+        	componentTypes?: [...string]
+        	// +usage=Select resources by oamTypes (COMPONENT or TRAIT)
+        	oamTypes?: [...string]
+        	// +usage=Select resources by trait types
+        	traitTypes?: [...string]
+        	// +usage=Select resources by resource types (like Deployment)
+        	resourceTypes?: [...string]
+        	// +usage=Select resources by their names
+        	resourceNames?: [...string]
+        }
+        parameter: {
+        	// +usage=Specify the list of rules to control take over strategy at resource level.
+        	// The selected resource will be able to be taken over by the current application when the resource belongs to no
+        	// one.
+        	rules?: [...#PolicyRule]
+        }
+

charts/vela-core/templates/defwithtemplate/topologyspreadconstraints.yaml

@@ -0,0 +1,67 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/topologyspreadconstraints.cue
+apiVersion: core.oam.dev/v1beta1
+kind: TraitDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Add topology spread constraints hooks for every container of K8s pod for your workload which follows the pod spec in path 'spec.template'.
+  name: topologyspreadconstraints
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  appliesToWorkloads:
+    - deployments.apps
+    - statefulsets.apps
+    - daemonsets.apps
+    - jobs.batch
+  podDisruptive: true
+  schematic:
+    cue:
+      template: |
+        constraintsArray: [
+        	for v in parameter.constraints {
+        		maxSkew:           v.maxSkew
+        		topologyKey:       v.topologyKey
+        		whenUnsatisfiable: v.whenUnsatisfiable
+        		labelSelector:     v.labelSelector
+        		if v.nodeAffinityPolicy != _|_ {
+        			nodeAffinityPolicy: v.nodeAffinityPolicy
+        		}
+        		if v.nodeTaintsPolicy != _|_ {
+        			nodeTaintsPolicy: v.nodeTaintsPolicy
+        		}
+        		if v.minDomains != _|_ {
+        			minDomains: v.minDomains
+        		}
+        		if v.matchLabelKeys != _|_ {
+        			matchLabelKeys: v.matchLabelKeys
+        		}
+        	},
+        ]
+        patch: spec: template: spec: topologySpreadConstraints: constraintsArray
+        #labSelector: {
+        	matchLabels?: [string]: string
+        	matchExpressions?: [...{
+        		key:      string
+        		operator: *"In" | "NotIn" | "Exists" | "DoesNotExist"
+        		values?: [...string]
+        	}]
+        }
+        parameter: constraints: [...{
+        	// +usage=Describe the degree to which Pods may be unevenly distributed
+        	maxSkew: int
+        	// +usage=Specify the key of node labels
+        	topologyKey: string
+        	// +usage=Indicate how to deal with a Pod if it doesn't satisfy the spread constraint
+        	whenUnsatisfiable: *"DoNotSchedule" | "ScheduleAnyway"
+        	// +usage: labelSelector to find matching Pods
+        	labelSelector: #labSelector
+        	// +usage=Indicate a minimum number of eligible domains
+        	minDomains?: int
+        	// +usage=A list of pod label keys to select the pods over which spreading will be calculated
+        	matchLabelKeys?: [...string]
+        	// +usage=Indicate how we will treat Pod's nodeAffinity/nodeSelector when calculating pod topology spread skew
+        	nodeAffinityPolicy?: *"Honor" | "Ignore"
+        	// +usage=Indicate how we will treat node taints when calculating pod topology spread skew
+        	nodeTaintsPolicy?: *"Honor" | "Ignore"
+        }]
+

charts/vela-core/templates/defwithtemplate/vela-cli.yaml

@@ -0,0 +1,130 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/vela-cli.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Run a vela command
+    definition.oam.dev/example-url: https://raw.githubusercontent.com/kubevela/workflow/main/examples/workflow-run/apply-terraform-resource.yaml
+  name: vela-cli
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"vela/op"
+        )
+
+        mountsArray: [
+        	if parameter.storage != _|_ && parameter.storage.secret != _|_ for v in parameter.storage.secret {
+        		{
+        			mountPath: v.mountPath
+        			if v.subPath != _|_ {
+        				subPath: v.subPath
+        			}
+        			name: v.name
+        		}
+        	},
+        ]
+        volumesList: [
+        	if parameter.storage != _|_ && parameter.storage.secret != _|_ for v in parameter.storage.secret {
+        		{
+        			name: v.name
+        			secret: {
+        				defaultMode: v.defaultMode
+        				secretName:  v.secretName
+        				if v.items != _|_ {
+        					items: v.items
+        				}
+        			}
+        		}
+        	},
+        ]
+        deDupVolumesArray: [
+        	for val in [
+        		for i, vi in volumesList {
+        			for j, vj in volumesList if j < i && vi.name == vj.name {
+        				_ignore: true
+        			}
+        			vi
+        		},
+        	] if val._ignore == _|_ {
+        		val
+        	},
+        ]
+        job: op.#Apply & {
+        	value: {
+        		apiVersion: "batch/v1"
+        		kind:       "Job"
+        		metadata: {
+        			name: "\(context.name)-\(context.stepName)-\(context.stepSessionID)"
+        			if parameter.serviceAccountName == "kubevela-vela-core" {
+        				namespace: "vela-system"
+        			}
+        			if parameter.serviceAccountName != "kubevela-vela-core" {
+        				namespace: context.namespace
+        			}
+        		}
+        		spec: {
+        			backoffLimit: 3
+        			template: {
+        				labels: "workflow.oam.dev/step-name": "\(context.name)-\(context.stepName)"
+        				spec: {
+        					containers: [
+        						{
+        							name:         "\(context.name)-\(context.stepName)-\(context.stepSessionID)-job"
+        							image:        parameter.image
+        							command:      parameter.command
+        							volumeMounts: mountsArray
+        						},
+        					]
+        					restartPolicy:  "Never"
+        					serviceAccount: parameter.serviceAccountName
+        					volumes:        deDupVolumesArray
+        				}
+        			}
+        		}
+        	}
+        }
+        log: op.#Log & {
+        	source: resources: [{labelSelector: "workflow.oam.dev/step-name": "\(context.name)-\(context.stepName)"}]
+        }
+        fail: op.#Steps & {
+        	if job.value.status.failed != _|_ {
+        		if job.value.status.failed > 2 {
+        			breakWorkflow: op.#Fail & {
+        				message: "failed to execute vela command"
+        			}
+        		}
+        	}
+        }
+        wait: op.#ConditionalWait & {
+        	continue: job.value.status.succeeded != _|_ && job.value.status.succeeded > 0
+        }
+        parameter: {
+        	// +usage=Specify the name of the addon.
+        	addonName: string
+        	// +usage=Specify the vela command
+        	command: [...string]
+        	// +usage=Specify the image
+        	image: *"oamdev/vela-cli:v1.6.4" | string
+        	// +usage=specify serviceAccountName want to use
+        	serviceAccountName: *"kubevela-vela-core" | string
+        	storage?: {
+        		// +usage=Mount Secret type storage
+        		secret?: [...{
+        			name:        string
+        			mountPath:   string
+        			subPath?:    string
+        			defaultMode: *420 | int
+        			secretName:  string
+        			items?: [...{
+        				key:  string
+        				path: string
+        				mode: *511 | int
+        			}]
+        		}]
+        	}
+        }
+

charts/vela-core/templates/kubevela-controller.yaml

@@ -255,6 +255,8 @@ spec:
             - "--feature-gates=ZstdResourceTracker={{- .Values.featureGates.zstdResourceTracker | toString -}}"
             - "--feature-gates=ApplyOnce={{- .Values.featureGates.applyOnce | toString -}}"
             - "--feature-gates=MultiStageComponentApply= {{- .Values.featureGates.multiStageComponentApply | toString -}}"
+            - "--feature-gates=GzipApplicationRevision={{- .Values.featureGates.gzipResourceTracker | toString -}}"
+            - "--feature-gates=ZstdApplicationRevision={{- .Values.featureGates.zstdResourceTracker | toString -}}"
             {{ if .Values.authentication.enabled }}
             {{ if .Values.authentication.withUser }}
             - "--authentication-with-user"

charts/vela-core/values.yaml

@@ -8,10 +8,10 @@
 systemDefinitionNamespace:
 
 ## @param applicationRevisionLimit Application revision limit
-applicationRevisionLimit: 10
+applicationRevisionLimit: 2
 
 ## @param definitionRevisionLimit Definition revision limit
-definitionRevisionLimit: 20
+definitionRevisionLimit: 2
 
 ## @param concurrentReconciles concurrentReconciles is the concurrent reconcile number of the controller
 concurrentReconciles: 4
@@ -26,9 +26,6 @@ OAMSpecVer: "v0.3"
 ## @param disableCaps Disable capability
 disableCaps: "rollout"
 
-## @param enableFluxcdAddon Whether to enable fluxcd addon
-enableFluxcdAddon: false
-
 ## @param dependCheckWait dependCheckWait is the time to wait for ApplicationConfiguration's dependent-resource ready
 dependCheckWait: 30s
 
@@ -102,7 +99,7 @@ optimize:
   resourceTrackerListOp: true
   controllerReconcileLoopReduction: false
   markWithProb: 0.1
-  disableComponentRevision: false
+  disableComponentRevision: true
   disableApplicationRevision: false
   disableWorkflowRecorder: false
   enableInMemoryWorkflowContext: false
@@ -110,16 +107,21 @@ optimize:
   enableResourceTrackerDeleteOnlyTrigger: true
 
 ##@param featureGates.enableLegacyComponentRevision if disabled, only component with rollout trait will create component revisions
-##@param featureGates.gzipResourceTracker if enabled, resourceTracker will be compressed using gzip before being stored
-##@param featureGates.zstdResourceTracker if enabled, resourceTracker will be compressed using zstd before being stored. It is much faster and more efficient than gzip. If both gzip and zstd are enabled, zstd will be used.
+##@param featureGates.gzipResourceTracker compress ResourceTracker using gzip (good) before being stored. This is reduces network throughput when dealing with huge ResourceTrackers.
+##@param featureGates.zstdResourceTracker compress ResourceTracker using zstd (fast and good) before being stored. This is reduces network throughput when dealing with huge ResourceTrackers. Note that zstd will be prioritized if you enable other compression options.
 ##@param featureGates.applyOnce if enabled, the apply-once feature will be applied to all applications, no state-keep and no resource data storage in ResourceTracker
 ##@param featureGates.multiStageComponentApply if enabled, the multiStageComponentApply feature will be combined with the stage field in TraitDefinition to complete the multi-stage apply.
+##@param featureGates.gzipApplicationRevision compress apprev using gzip (good) before being stored. This is reduces network throughput when dealing with huge apprevs.
+##@param featureGates.zstdApplicationRevision compress apprev using zstd (fast and good) before being stored. This is reduces network throughput when dealing with huge apprevs. Note that zstd will be prioritized if you enable other compression options.
+##@param
 featureGates:
   enableLegacyComponentRevision: false
   gzipResourceTracker: false
-  zstdResourceTracker: false
+  zstdResourceTracker: true
   applyOnce: false
   multiStageComponentApply: false
+  gzipApplicationRevision: false
+  zstdApplicationRevision: true
 
 ## @section MultiCluster parameters
 
@@ -249,11 +251,11 @@ admissionWebhooks:
     enabled: false
     revisionHistoryLimit: 3
 
-## @param kubeClient.qps The qps for reconcile clients, default is 50
-## @param kubeClient.burst The burst for reconcile clients, default is 100
+## @param kubeClient.qps The qps for reconcile clients, default is 100
+## @param kubeClient.burst The burst for reconcile clients, default is 200
 kubeClient:
-  qps: 50
-  burst: 100
+  qps: 100
+  burst: 200
 
 ## @param authentication.enabled Enable authentication for application
 ## @param authentication.withUser Application authentication will impersonate as the request User

charts/vela-minimal/README.md

@@ -66,7 +66,6 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-minimal --
 | `OAMSpecVer`                  | OAMSpecVer is the oam spec version controller want to setup                                   | `minimal`            |
 | `disableCaps`                 | Disable capability                                                                            | `envbinding,rollout` |
 | `applyOnceOnly`               | Valid applyOnceOnly values: true/false/on/off/force                                           | `off`                |
-| `enableFluxcdAddon`           | Whether to enable fluxcd addon                                                                | `false`              |
 | `dependCheckWait`             | dependCheckWait is the time to wait for ApplicationConfiguration's dependent-resource ready   | `30s`                |
 
 

charts/vela-minimal/crds/core.oam.dev_applicationrevisions.yaml

@@ -844,7 +844,6 @@ spec:
                             type: object
                           endTime:
                             format: date-time
-                            nullable: true
                             type: string
                           finished:
                             type: boolean
@@ -2760,7 +2759,6 @@ spec:
                             type: object
                           endTime:
                             format: date-time
-                            nullable: true
                             type: string
                           finished:
                             type: boolean
@@ -3201,6 +3199,16 @@ spec:
                 description: ComponentDefinitions records the snapshot of the componentDefinitions
                   related with the created/modified Application
                 type: object
+              compression:
+                description: Compression represents the compressed components in apprev
+                  in base64 (if compression is enabled).
+                properties:
+                  data:
+                    type: string
+                  type:
+                    description: Type the compression type
+                    type: string
+                type: object
               policies:
                 additionalProperties:
                   description: Policy is the Schema for the policy API
@@ -4815,7 +4823,6 @@ spec:
                     type: object
                   endTime:
                     format: date-time
-                    nullable: true
                     type: string
                   finished:
                     type: boolean

charts/vela-minimal/crds/core.oam.dev_applications.yaml

@@ -768,7 +768,6 @@ spec:
                     type: object
                   endTime:
                     format: date-time
-                    nullable: true
                     type: string
                   finished:
                     type: boolean
@@ -1531,7 +1530,6 @@ spec:
                     type: object
                   endTime:
                     format: date-time
-                    nullable: true
                     type: string
                   finished:
                     type: boolean

charts/vela-minimal/crds/core.oam.dev_resourcetrackers.yaml

@@ -57,8 +57,8 @@ spec:
                 format: int64
                 type: integer
               compression:
-                description: ResourceTrackerCompression the compression for ResourceTracker
-                  ManagedResources
+                description: ResourceTrackerCompression represents the compressed
+                  components in ResourceTracker.
                 properties:
                   data:
                     type: string

charts/vela-minimal/templates/defwithtemplate/apply-deployment.yaml

@@ -0,0 +1,51 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/apply-deployment.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    definition.oam.dev/alias: ""
+    definition.oam.dev/description: Apply deployment with specified image and cmd.
+  name: apply-deployment
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"strconv"
+        	"strings"
+        	"vela/op"
+        )
+
+        output: op.#Apply & {
+        	value: {
+        		apiVersion: "apps/v1"
+        		kind:       "Deployment"
+        		metadata: {
+        			name:      context.stepName
+        			namespace: context.namespace
+        		}
+        		spec: {
+        			selector: matchLabels: "workflow.oam.dev/step-name": "\(context.name)-\(context.stepName)"
+        			template: {
+        				metadata: labels: "workflow.oam.dev/step-name": "\(context.name)-\(context.stepName)"
+        				spec: containers: [{
+        					name:  context.stepName
+        					image: parameter.image
+        					if parameter["cmd"] != _|_ {
+        						command: parameter.cmd
+        					}
+        				}]
+        			}
+        		}
+        	}
+        }
+        wait: op.#ConditionalWait & {
+        	continue: output.value.status.readyReplicas == 1
+        }
+        parameter: {
+        	image: string
+        	cmd?: [...string]
+        }
+

charts/vela-minimal/templates/defwithtemplate/apply-terraform-config.yaml

@@ -0,0 +1,91 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/apply-terraform-config.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    definition.oam.dev/alias: ""
+    definition.oam.dev/description: Apply terraform configuration in the step
+    definition.oam.dev/example-url: https://raw.githubusercontent.com/kubevela/workflow/main/examples/workflow-run/apply-terraform-resource.yaml
+  name: apply-terraform-config
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"vela/op"
+        )
+
+        apply: op.#Apply & {
+        	value: {
+        		apiVersion: "terraform.core.oam.dev/v1beta2"
+        		kind:       "Configuration"
+        		metadata: {
+        			name:      "\(context.name)-\(context.stepName)"
+        			namespace: context.namespace
+        		}
+        		spec: {
+        			deleteResource: parameter.deleteResource
+        			variable:       parameter.variable
+        			forceDelete:    parameter.forceDelete
+        			if parameter.source.path != _|_ {
+        				path: parameter.source.path
+        			}
+        			if parameter.source.remote != _|_ {
+        				remote: parameter.source.remote
+        			}
+        			if parameter.source.hcl != _|_ {
+        				hcl: parameter.source.hcl
+        			}
+        			if parameter.providerRef != _|_ {
+        				providerRef: parameter.providerRef
+        			}
+        			if parameter.jobEnv != _|_ {
+        				jobEnv: parameter.jobEnv
+        			}
+        			if parameter.writeConnectionSecretToRef != _|_ {
+        				writeConnectionSecretToRef: parameter.writeConnectionSecretToRef
+        			}
+        			if parameter.region != _|_ {
+        				region: parameter.region
+        			}
+        		}
+        	}
+        }
+        check: op.#ConditionalWait & {
+        	continue: apply.value.status != _|_ && apply.value.status.apply != _|_ && apply.value.status.apply.state == "Available"
+        }
+        parameter: {
+        	// +usage=specify the source of the terraform configuration
+        	source: close({
+        		// +usage=directly specify the hcl of the terraform configuration
+        		hcl: string
+        	}) | close({
+        		// +usage=specify the remote url of the terraform configuration
+        		remote: *"https://github.com/kubevela-contrib/terraform-modules.git" | string
+        		// +usage=specify the path of the terraform configuration
+        		path?: string
+        	})
+        	// +usage=whether to delete resource
+        	deleteResource: *true | bool
+        	// +usage=the variable in the configuration
+        	variable: {...}
+        	// +usage=this specifies the namespace and name of a secret to which any connection details for this managed resource should be written.
+        	writeConnectionSecretToRef?: {
+        		name:      string
+        		namespace: *context.namespace | string
+        	}
+        	// +usage=providerRef specifies the reference to Provider
+        	providerRef?: {
+        		name:      string
+        		namespace: *context.namespace | string
+        	}
+        	// +usage=region is cloud provider's region. It will override the region in the region field of providerRef
+        	region?: string
+        	// +usage=the envs for job
+        	jobEnv?: {...}
+        	// +usae=forceDelete will force delete Configuration no matter which state it is or whether it has provisioned some resources
+        	forceDelete: *false | bool
+        }
+

charts/vela-minimal/templates/defwithtemplate/apply-terraform-provider.yaml

@@ -0,0 +1,144 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/apply-terraform-provider.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    definition.oam.dev/alias: ""
+    definition.oam.dev/description: Apply terraform provider config
+    definition.oam.dev/example-url: https://raw.githubusercontent.com/kubevela/workflow/main/examples/workflow-run/apply-terraform-resource.yaml
+  name: apply-terraform-provider
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"vela/op"
+        	"strings"
+        )
+
+        config: op.#CreateConfig & {
+        	name:      "\(context.name)-\(context.stepName)"
+        	namespace: context.namespace
+        	template:  "terraform-\(parameter.type)"
+        	config: {
+        		name: parameter.name
+        		if parameter.type == "alibaba" {
+        			ALICLOUD_ACCESS_KEY: parameter.accessKey
+        			ALICLOUD_SECRET_KEY: parameter.secretKey
+        			ALICLOUD_REGION:     parameter.region
+        		}
+        		if parameter.type == "aws" {
+        			AWS_ACCESS_KEY_ID:     parameter.accessKey
+        			AWS_SECRET_ACCESS_KEY: parameter.secretKey
+        			AWS_DEFAULT_REGION:    parameter.region
+        			AWS_SESSION_TOKEN:     parameter.token
+        		}
+        		if parameter.type == "azure" {
+        			ARM_CLIENT_ID:       parameter.clientID
+        			ARM_CLIENT_SECRET:   parameter.clientSecret
+        			ARM_SUBSCRIPTION_ID: parameter.subscriptionID
+        			ARM_TENANT_ID:       parameter.tenantID
+        		}
+        		if parameter.type == "baidu" {
+        			BAIDUCLOUD_ACCESS_KEY: parameter.accessKey
+        			BAIDUCLOUD_SECRET_KEY: parameter.secretKey
+        			BAIDUCLOUD_REGION:     parameter.region
+        		}
+        		if parameter.type == "ec" {
+        			EC_API_KEY: parameter.apiKey
+        		}
+        		if parameter.type == "gcp" {
+        			GOOGLE_CREDENTIALS: parameter.credentials
+        			GOOGLE_REGION:      parameter.region
+        			GOOGLE_PROJECT:     parameter.project
+        		}
+        		if parameter.type == "tencent" {
+        			TENCENTCLOUD_SECRET_ID:  parameter.secretID
+        			TENCENTCLOUD_SECRET_KEY: parameter.secretKey
+        			TENCENTCLOUD_REGION:     parameter.region
+        		}
+        		if parameter.type == "ucloud" {
+        			UCLOUD_PRIVATE_KEY: parameter.privateKey
+        			UCLOUD_PUBLIC_KEY:  parameter.publicKey
+        			UCLOUD_PROJECT_ID:  parameter.projectID
+        			UCLOUD_REGION:      parameter.region
+        		}
+        	}
+        }
+        read: op.#Read & {
+        	value: {
+        		apiVersion: "terraform.core.oam.dev/v1beta1"
+        		kind:       "Provider"
+        		metadata: {
+        			name:      parameter.name
+        			namespace: context.namespace
+        		}
+        	}
+        }
+        check: op.#ConditionalWait & {
+        	if read.value.status != _|_ {
+        		continue: read.value.status.state == "ready"
+        	}
+        	if read.value.status == _|_ {
+        		continue: false
+        	}
+        }
+        providerBasic: {
+        	accessKey: string
+        	secretKey: string
+        	region:    string
+        }
+        #AlibabaProvider: {
+        	providerBasic
+        	type: "alibaba"
+        	name: *"alibaba-provider" | string
+        }
+        #AWSProvider: {
+        	providerBasic
+        	token: *"" | string
+        	type:  "aws"
+        	name:  *"aws-provider" | string
+        }
+        #AzureProvider: {
+        	subscriptionID: string
+        	tenantID:       string
+        	clientID:       string
+        	clientSecret:   string
+        	name:           *"azure-provider" | string
+        }
+        #BaiduProvider: {
+        	providerBasic
+        	type: "baidu"
+        	name: *"baidu-provider" | string
+        }
+        #ECProvider: {
+        	type:   "ec"
+        	apiKey: *"" | string
+        	name:   "ec-provider" | string
+        }
+        #GCPProvider: {
+        	credentials: string
+        	region:      string
+        	project:     string
+        	type:        "gcp"
+        	name:        *"gcp-provider" | string
+        }
+        #TencentProvider: {
+        	secretID:  string
+        	secretKey: string
+        	region:    string
+        	type:      "tencent"
+        	name:      *"tencent-provider" | string
+        }
+        #UCloudProvider: {
+        	publicKey:  string
+        	privateKey: string
+        	projectID:  string
+        	region:     string
+        	type:       "ucloud"
+        	name:       *"ucloud-provider" | string
+        }
+        parameter: *#AlibabaProvider | #AWSProvider | #AzureProvider | #BaiduProvider | #ECProvider | #GCPProvider | #TencentProvider | #UCloudProvider
+

charts/vela-minimal/templates/defwithtemplate/build-push-image.yaml

@@ -0,0 +1,125 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/build-push-image.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    definition.oam.dev/alias: ""
+    definition.oam.dev/description: Build and push image from git url
+    definition.oam.dev/example-url: https://raw.githubusercontent.com/kubevela/workflow/main/examples/workflow-run/built-push-image.yaml
+  name: build-push-image
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"vela/op"
+        	"encoding/json"
+        	"strings"
+        )
+
+        url:    strings.TrimPrefix(strings.TrimPrefix(parameter.git, "https://"), "http://")
+        kaniko: op.#Apply & {
+        	value: {
+        		apiVersion: "v1"
+        		kind:       "Pod"
+        		metadata: {
+        			name:      "\(context.name)-\(context.stepSessionID)-kaniko"
+        			namespace: context.namespace
+        		}
+        		spec: {
+        			containers: [
+        				{
+        					args: [
+        						"--dockerfile=\(parameter.dockerfile)",
+        						"--context=git://\(url)#refs/heads/\(parameter.branch)",
+        						"--destination=\(parameter.image)",
+        						"--verbosity=\(parameter.verbosity)",
+        					]
+        					image: parameter.kanikoExecutor
+        					name:  "kaniko"
+        					if parameter.credentials != _|_ && parameter.credentials.image != _|_ {
+        						volumeMounts: [
+        							{
+        								mountPath: "/kaniko/.docker/"
+        								name:      parameter.credentials.image.name
+        							},
+        						]
+        					}
+        					if parameter.credentials != _|_ && parameter.credentials.git != _|_ {
+        						env: [
+        							{
+        								name: "GIT_TOKEN"
+        								valueFrom: secretKeyRef: {
+        									key:  parameter.credentials.git.key
+        									name: parameter.credentials.git.name
+        								}
+        							},
+        						]
+        					}
+        				},
+        			]
+        			if parameter.credentials != _|_ && parameter.credentials.image != _|_ {
+        				volumes: [
+        					{
+        						name: parameter.credentials.image.name
+        						secret: {
+        							defaultMode: 420
+        							items: [
+        								{
+        									key:  parameter.credentials.image.key
+        									path: "config.json"
+        								},
+        							]
+        							secretName: parameter.credentials.image.name
+        						}
+        					},
+        				]
+        			}
+        			restartPolicy: "Never"
+        		}
+        	}
+        }
+        log: op.#Log & {
+        	source: resources: [{
+        		name:      "\(context.name)-\(context.stepSessionID)-kaniko"
+        		namespace: context.namespace
+        	}]
+        }
+        read: op.#Read & {
+        	value: {
+        		apiVersion: "v1"
+        		kind:       "Pod"
+        		metadata: {
+        			name:      "\(context.name)-\(context.stepSessionID)-kaniko"
+        			namespace: context.namespace
+        		}
+        	}
+        }
+        wait: op.#ConditionalWait & {
+        	continue: read.value.status != _|_ && read.value.status.phase == "Succeeded"
+        }
+        #secret: {
+        	name: string
+        	key:  string
+        }
+        parameter: {
+        	kanikoExecutor: *"gcr.io/kaniko-project/executor:latest" | string
+        	git:            string
+        	branch:         *"master" | string
+        	dockerfile:     *"./Dockerfile" | string
+        	image:          string
+        	credentials?: {
+        		git?: {
+        			name: string
+        			key:  string
+        		}
+        		image?: {
+        			name: string
+        			key:  *".dockerconfigjson" | string
+        		}
+        	}
+        	verbosity: *"info" | "panic" | "fatal" | "error" | "warn" | "debug" | "trace"
+        }
+

charts/vela-minimal/templates/defwithtemplate/clean-jobs.yaml

@@ -0,0 +1,57 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/clean-jobs.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: clean applied jobs in the cluster
+  name: clean-jobs
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"vela/op"
+        )
+
+        parameter: labelselector?: {...}
+        cleanJobs: op.#Delete & {
+        	value: {
+        		apiVersion: "batch/v1"
+        		kind:       "Job"
+        		metadata: {
+        			name:      context.name
+        			namespace: context.namespace
+        		}
+        	}
+        	filter: {
+        		namespace: context.namespace
+        		if parameter.labelselector != _|_ {
+        			matchingLabels: parameter.labelselector
+        		}
+        		if parameter.labelselector == _|_ {
+        			matchingLabels: "workflow.oam.dev/name": context.name
+        		}
+        	}
+        }
+        cleanPods: op.#Delete & {
+        	value: {
+        		apiVersion: "v1"
+        		kind:       "pod"
+        		metadata: {
+        			name:      context.name
+        			namespace: context.namespace
+        		}
+        	}
+        	filter: {
+        		namespace: context.namespace
+        		if parameter.labelselector != _|_ {
+        			matchingLabels: parameter.labelselector
+        		}
+        		if parameter.labelselector == _|_ {
+        			matchingLabels: "workflow.oam.dev/name": context.name
+        		}
+        	}
+        }
+

charts/vela-minimal/templates/defwithtemplate/export2secret.yaml

@@ -15,27 +15,43 @@ spec:
       template: |
         import (
         	"vela/op"
+        	"encoding/base64"
+        	"encoding/json"
         )
 
-        apply: op.#Apply & {
-        	value: {
-        		apiVersion: "v1"
-        		kind:       "Secret"
-        		if parameter.type != _|_ {
-        			type: parameter.type
+        secret: op.#Steps & {
+        	data: *parameter.data | {}
+        	if parameter.kind == "docker-registry" && parameter.dockerRegistry != _|_ {
+        		registryData: auths: "\(parameter.dockerRegistry.server)": {
+        			username: parameter.dockerRegistry.username
+        			password: parameter.dockerRegistry.password
+        			auth:     base64.Encode(null, "\(parameter.dockerRegistry.username):\(parameter.dockerRegistry.password)")
         		}
-        		metadata: {
-        			name: parameter.secretName
-        			if parameter.namespace != _|_ {
-        				namespace: parameter.namespace
-        			}
-        			if parameter.namespace == _|_ {
-        				namespace: context.namespace
-        			}
-        		}
-        		stringData: parameter.data
+        		data: ".dockerconfigjson": json.Marshal(registryData)
+        	}
+        	apply: op.#Apply & {
+        		value: {
+        			apiVersion: "v1"
+        			kind:       "Secret"
+        			if parameter.type == _|_ && parameter.kind == "docker-registry" {
+        				type: "kubernetes.io/dockerconfigjson"
+        			}
+        			if parameter.type != _|_ {
+        				type: parameter.type
+        			}
+        			metadata: {
+        				name: parameter.secretName
+        				if parameter.namespace != _|_ {
+        					namespace: parameter.namespace
+        				}
+        				if parameter.namespace == _|_ {
+        					namespace: context.namespace
+        				}
+        			}
+        			stringData: data
+        		}
+        		cluster: parameter.cluster
         	}
-        	cluster: parameter.cluster
         }
         parameter: {
         	// +usage=Specify the name of the secret
@@ -48,5 +64,16 @@ spec:
         	data: {}
         	// +usage=Specify the cluster of the secret
         	cluster: *"" | string
+        	// +usage=Specify the kind of the secret
+        	kind: *"generic" | "docker-registry"
+        	// +usage=Specify the docker data
+        	dockerRegistry?: {
+        		// +usage=Specify the username of the docker registry
+        		username: string
+        		// +usage=Specify the password of the docker registry
+        		password: string
+        		// +usage=Specify the server of the docker registry
+        		server: *"https://index.docker.io/v1/" | string
+        	}
         }
 

charts/vela-minimal/templates/defwithtemplate/read-only.yaml

@@ -0,0 +1,38 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/read-only.cue
+apiVersion: core.oam.dev/v1beta1
+kind: PolicyDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Configure the resources to be read-only in the application (no update / state-keep).
+  name: read-only
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        #PolicyRule: {
+        	// +usage=Specify how to select the targets of the rule
+        	selector: [...#RuleSelector]
+        }
+        #RuleSelector: {
+        	// +usage=Select resources by component names
+        	componentNames?: [...string]
+        	// +usage=Select resources by component types
+        	componentTypes?: [...string]
+        	// +usage=Select resources by oamTypes (COMPONENT or TRAIT)
+        	oamTypes?: [...string]
+        	// +usage=Select resources by trait types
+        	traitTypes?: [...string]
+        	// +usage=Select resources by resource types (like Deployment)
+        	resourceTypes?: [...string]
+        	// +usage=Select resources by their names
+        	resourceNames?: [...string]
+        }
+        parameter: {
+        	// +usage=Specify the list of rules to control read only strategy at resource level.
+        	// The selected resource will be read-only to the current application. If the target resource does
+        	// not exist, error will be raised.
+        	rules?: [...#PolicyRule]
+        }
+

charts/vela-minimal/templates/defwithtemplate/request.yaml

@@ -0,0 +1,47 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/request.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    definition.oam.dev/alias: ""
+    definition.oam.dev/description: Send request to the url
+    definition.oam.dev/example-url: https://raw.githubusercontent.com/kubevela/workflow/main/examples/workflow-run/request.yaml
+  name: request
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"vela/op"
+        	"encoding/json"
+        )
+
+        http: op.#HTTPDo & {
+        	method: parameter.method
+        	url:    parameter.url
+        	request: {
+        		if parameter.body != _|_ {
+        			body: json.Marshal(parameter.body)
+        		}
+        		if parameter.header != _|_ {
+        			header: parameter.header
+        		}
+        	}
+        }
+        fail: op.#Steps & {
+        	if http.response.statusCode > 400 {
+        		requestFail: op.#Fail & {
+        			message: "request of \(parameter.url) is fail: \(http.response.statusCode)"
+        		}
+        	}
+        }
+        response: json.Unmarshal(http.response.body)
+        parameter: {
+        	url:    string
+        	method: *"GET" | "POST" | "PUT" | "DELETE"
+        	body?: {...}
+        	header?: [string]: string
+        }
+

charts/vela-minimal/templates/defwithtemplate/startup-probe.yaml

@@ -0,0 +1,168 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/startup-probe.cue
+apiVersion: core.oam.dev/v1beta1
+kind: TraitDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Add startup probe hooks for the specified container of K8s pod for your workload which follows the pod spec in path 'spec.template'.
+  name: startup-probe
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  appliesToWorkloads:
+    - deployments.apps
+    - statefulsets.apps
+    - daemonsets.apps
+    - jobs.batch
+  podDisruptive: true
+  schematic:
+    cue:
+      template: |
+        #StartupProbeParams: {
+        	// +usage=Specify the name of the target container, if not set, use the component name
+        	containerName: *"" | string
+        	// +usage=Number of seconds after the container has started before liveness probes are initiated. Minimum value is 0.
+        	initialDelaySeconds: *0 | int
+        	// +usage=How often, in seconds, to execute the probe. Minimum value is 1.
+        	periodSeconds: *10 | int
+        	// +usage=Number of seconds after which the probe times out. Minimum value is 1.
+        	timeoutSeconds: *1 | int
+        	// +usage=Minimum consecutive successes for the probe to be considered successful after having failed.  Minimum value is 1.
+        	successThreshold: *1 | int
+        	// +usage=Minimum consecutive failures for the probe to be considered failed after having succeeded. Minimum value is 1.
+        	failureThreshold: *3 | int
+        	// +usage=Optional duration in seconds the pod needs to terminate gracefully upon probe failure. Set this value longer than the expected cleanup time for your process.
+        	terminationGracePeriodSeconds?: int
+        	// +usage=Instructions for assessing container startup status by executing a command. Either this attribute or the httpGet attribute or the grpc attribute or the tcpSocket attribute MUST be specified. This attribute is mutually exclusive with the httpGet attribute and the tcpSocket attribute and the gRPC attribute.
+        	exec?: {
+        		// +usage=A command to be executed inside the container to assess its health. Each space delimited token of the command is a separate array element. Commands exiting 0 are considered to be successful probes, whilst all other exit codes are considered failures.
+        		command: [...string]
+        	}
+        	// +usage=Instructions for assessing container startup status by executing an HTTP GET request. Either this attribute or the exec attribute or the grpc attribute or the tcpSocket attribute MUST be specified. This attribute is mutually exclusive with the exec attribute and the tcpSocket attribute and the gRPC attribute.
+        	httpGet?: {
+        		// +usage=The endpoint, relative to the port, to which the HTTP GET request should be directed.
+        		path?: string
+        		// +usage=The port numer to access on the host or container.
+        		port: int
+        		// +usage=The hostname to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead.
+        		host?: string
+        		// +usage=The Scheme to use for connecting to the host.
+        		scheme?: *"HTTP" | "HTTPS"
+        		// +usage=Custom headers to set in the request. HTTP allows repeated headers.
+        		httpHeaders?: [...{
+        			// +usage=The header field name
+        			name: string
+        			//+usage=The header field value
+        			value: string
+        		}]
+        	}
+        	// +usage=Instructions for assessing container startup status by probing a gRPC service. Either this attribute or the exec attribute or the grpc attribute or the httpGet attribute MUST be specified. This attribute is mutually exclusive with the exec attribute and the httpGet attribute and the tcpSocket attribute.
+        	grpc?: {
+        		// +usage=The port number of the gRPC service.
+        		port: int
+        		// +usage=The name of the service to place in the gRPC HealthCheckRequest
+        		service?: string
+        	}
+        	// +usage=Instructions for assessing container startup status by probing a TCP socket. Either this attribute or the exec attribute or the tcpSocket attribute or the httpGet attribute MUST be specified. This attribute is mutually exclusive with the exec attribute and the httpGet attribute and the gRPC attribute.
+        	tcpSocket?: {
+        		// +usage=Number or name of the port to access on the container.
+        		port: string
+        		// +usage=Host name to connect to, defaults to the pod IP.
+        		host?: string
+        	}
+        }
+        PatchContainer: {
+        	_params:         #StartupProbeParams
+        	name:            _params.containerName
+        	_baseContainers: context.output.spec.template.spec.containers
+        	_matchContainers_: [ for _container_ in _baseContainers if _container_.name == name {_container_}]
+        	if len(_matchContainers_) == 0 {
+        		err: "container \(name) not found"
+        	}
+        	if len(_matchContainers_) > 0 {
+        		startupProbe: {
+        			if _params.exec != _|_ {
+        				exec: _params.exec
+        			}
+        			if _params.httpGet != _|_ {
+        				httpGet: _params.httpGet
+        			}
+        			if _params.grpc != _|_ {
+        				grpc: _params.grpc
+        			}
+        			if _params.tcpSocket != _|_ {
+        				tcpSocket: _params.tcpSocket
+        			}
+        			if _params.initialDelaySeconds != _|_ {
+        				initialDelaySeconds: _params.initialDelaySeconds
+        			}
+        			if _params.periodSeconds != _|_ {
+        				periodSeconds: _params.periodSeconds
+        			}
+        			if _params.tcpSocket != _|_ {
+        				tcpSocket: _params.tcpSocket
+        			}
+        			if _params.timeoutSeconds != _|_ {
+        				timeoutSeconds: _params.timeoutSeconds
+        			}
+        			if _params.successThreshold != _|_ {
+        				successThreshold: _params.successThreshold
+        			}
+        			if _params.failureThreshold != _|_ {
+        				failureThreshold: _params.failureThreshold
+        			}
+        			if _params.terminationGracePeriodSeconds != _|_ {
+        				terminationGracePeriodSeconds: _params.terminationGracePeriodSeconds
+        			}
+        		}
+        	}
+        }
+        patch: spec: template: spec: {
+        	if parameter.probes == _|_ {
+        		// +patchKey=name
+        		containers: [{
+        			PatchContainer & {_params: {
+        				if parameter.containerName == "" {
+        					containerName: context.name
+        				}
+        				if parameter.containerName != "" {
+        					containerName: parameter.containerName
+        				}
+        				periodSeconds:                 parameter.periodSeconds
+        				initialDelaySeconds:           parameter.initialDelaySeconds
+        				timeoutSeconds:                parameter.timeoutSeconds
+        				successThreshold:              parameter.successThreshold
+        				failureThreshold:              parameter.failureThreshold
+        				terminationGracePeriodSeconds: parameter.terminationGracePeriodSeconds
+        				if parameter.exec != _|_ {
+        					exec: parameter.exec
+        				}
+        				if parameter.httpGet != _|_ {
+        					httpGet: parameter.httpGet
+        				}
+        				if parameter.grpc != _|_ {
+        					grpc: parameter.grpc
+        				}
+        				if parameter.tcpSocket != _|_ {
+        					tcpSocket: parameter.grtcpSocketpc
+        				}
+        			}}
+        		}]
+        	}
+        	if parameter.probes != _|_ {
+        		// +patchKey=name
+        		containers: [ for c in parameter.probes {
+        			if c.name == "" {
+        				err: "containerName must be set when specifying startup probe for multiple containers"
+        			}
+        			if c.name != "" {
+        				PatchContainer & {_params: c}
+        			}
+        		}]
+        	}
+        }
+        parameter: *#StartupProbeParams | close({
+        	// +usage=Specify the startup probe for multiple containers
+        	probes: [...#StartupProbeParams]
+        })
+        errs: [ for c in patch.spec.template.spec.containers if c.err != _|_ {c.err}]
+

charts/vela-minimal/templates/defwithtemplate/take-over.yaml

@@ -0,0 +1,38 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/take-over.cue
+apiVersion: core.oam.dev/v1beta1
+kind: PolicyDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Configure the resources to be able to take over when it belongs to no application.
+  name: take-over
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        #PolicyRule: {
+        	// +usage=Specify how to select the targets of the rule
+        	selector: [...#RuleSelector]
+        }
+        #RuleSelector: {
+        	// +usage=Select resources by component names
+        	componentNames?: [...string]
+        	// +usage=Select resources by component types
+        	componentTypes?: [...string]
+        	// +usage=Select resources by oamTypes (COMPONENT or TRAIT)
+        	oamTypes?: [...string]
+        	// +usage=Select resources by trait types
+        	traitTypes?: [...string]
+        	// +usage=Select resources by resource types (like Deployment)
+        	resourceTypes?: [...string]
+        	// +usage=Select resources by their names
+        	resourceNames?: [...string]
+        }
+        parameter: {
+        	// +usage=Specify the list of rules to control take over strategy at resource level.
+        	// The selected resource will be able to be taken over by the current application when the resource belongs to no
+        	// one.
+        	rules?: [...#PolicyRule]
+        }
+

charts/vela-minimal/templates/defwithtemplate/topologyspreadconstraints.yaml

@@ -0,0 +1,67 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/topologyspreadconstraints.cue
+apiVersion: core.oam.dev/v1beta1
+kind: TraitDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Add topology spread constraints hooks for every container of K8s pod for your workload which follows the pod spec in path 'spec.template'.
+  name: topologyspreadconstraints
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  appliesToWorkloads:
+    - deployments.apps
+    - statefulsets.apps
+    - daemonsets.apps
+    - jobs.batch
+  podDisruptive: true
+  schematic:
+    cue:
+      template: |
+        constraintsArray: [
+        	for v in parameter.constraints {
+        		maxSkew:           v.maxSkew
+        		topologyKey:       v.topologyKey
+        		whenUnsatisfiable: v.whenUnsatisfiable
+        		labelSelector:     v.labelSelector
+        		if v.nodeAffinityPolicy != _|_ {
+        			nodeAffinityPolicy: v.nodeAffinityPolicy
+        		}
+        		if v.nodeTaintsPolicy != _|_ {
+        			nodeTaintsPolicy: v.nodeTaintsPolicy
+        		}
+        		if v.minDomains != _|_ {
+        			minDomains: v.minDomains
+        		}
+        		if v.matchLabelKeys != _|_ {
+        			matchLabelKeys: v.matchLabelKeys
+        		}
+        	},
+        ]
+        patch: spec: template: spec: topologySpreadConstraints: constraintsArray
+        #labSelector: {
+        	matchLabels?: [string]: string
+        	matchExpressions?: [...{
+        		key:      string
+        		operator: *"In" | "NotIn" | "Exists" | "DoesNotExist"
+        		values?: [...string]
+        	}]
+        }
+        parameter: constraints: [...{
+        	// +usage=Describe the degree to which Pods may be unevenly distributed
+        	maxSkew: int
+        	// +usage=Specify the key of node labels
+        	topologyKey: string
+        	// +usage=Indicate how to deal with a Pod if it doesn't satisfy the spread constraint
+        	whenUnsatisfiable: *"DoNotSchedule" | "ScheduleAnyway"
+        	// +usage: labelSelector to find matching Pods
+        	labelSelector: #labSelector
+        	// +usage=Indicate a minimum number of eligible domains
+        	minDomains?: int
+        	// +usage=A list of pod label keys to select the pods over which spreading will be calculated
+        	matchLabelKeys?: [...string]
+        	// +usage=Indicate how we will treat Pod's nodeAffinity/nodeSelector when calculating pod topology spread skew
+        	nodeAffinityPolicy?: *"Honor" | "Ignore"
+        	// +usage=Indicate how we will treat node taints when calculating pod topology spread skew
+        	nodeTaintsPolicy?: *"Honor" | "Ignore"
+        }]
+

charts/vela-minimal/templates/defwithtemplate/vela-cli.yaml

@@ -0,0 +1,130 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/vela-cli.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Run a vela command
+    definition.oam.dev/example-url: https://raw.githubusercontent.com/kubevela/workflow/main/examples/workflow-run/apply-terraform-resource.yaml
+  name: vela-cli
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"vela/op"
+        )
+
+        mountsArray: [
+        	if parameter.storage != _|_ && parameter.storage.secret != _|_ for v in parameter.storage.secret {
+        		{
+        			mountPath: v.mountPath
+        			if v.subPath != _|_ {
+        				subPath: v.subPath
+        			}
+        			name: v.name
+        		}
+        	},
+        ]
+        volumesList: [
+        	if parameter.storage != _|_ && parameter.storage.secret != _|_ for v in parameter.storage.secret {
+        		{
+        			name: v.name
+        			secret: {
+        				defaultMode: v.defaultMode
+        				secretName:  v.secretName
+        				if v.items != _|_ {
+        					items: v.items
+        				}
+        			}
+        		}
+        	},
+        ]
+        deDupVolumesArray: [
+        	for val in [
+        		for i, vi in volumesList {
+        			for j, vj in volumesList if j < i && vi.name == vj.name {
+        				_ignore: true
+        			}
+        			vi
+        		},
+        	] if val._ignore == _|_ {
+        		val
+        	},
+        ]
+        job: op.#Apply & {
+        	value: {
+        		apiVersion: "batch/v1"
+        		kind:       "Job"
+        		metadata: {
+        			name: "\(context.name)-\(context.stepName)-\(context.stepSessionID)"
+        			if parameter.serviceAccountName == "kubevela-vela-core" {
+        				namespace: "vela-system"
+        			}
+        			if parameter.serviceAccountName != "kubevela-vela-core" {
+        				namespace: context.namespace
+        			}
+        		}
+        		spec: {
+        			backoffLimit: 3
+        			template: {
+        				labels: "workflow.oam.dev/step-name": "\(context.name)-\(context.stepName)"
+        				spec: {
+        					containers: [
+        						{
+        							name:         "\(context.name)-\(context.stepName)-\(context.stepSessionID)-job"
+        							image:        parameter.image
+        							command:      parameter.command
+        							volumeMounts: mountsArray
+        						},
+        					]
+        					restartPolicy:  "Never"
+        					serviceAccount: parameter.serviceAccountName
+        					volumes:        deDupVolumesArray
+        				}
+        			}
+        		}
+        	}
+        }
+        log: op.#Log & {
+        	source: resources: [{labelSelector: "workflow.oam.dev/step-name": "\(context.name)-\(context.stepName)"}]
+        }
+        fail: op.#Steps & {
+        	if job.value.status.failed != _|_ {
+        		if job.value.status.failed > 2 {
+        			breakWorkflow: op.#Fail & {
+        				message: "failed to execute vela command"
+        			}
+        		}
+        	}
+        }
+        wait: op.#ConditionalWait & {
+        	continue: job.value.status.succeeded != _|_ && job.value.status.succeeded > 0
+        }
+        parameter: {
+        	// +usage=Specify the name of the addon.
+        	addonName: string
+        	// +usage=Specify the vela command
+        	command: [...string]
+        	// +usage=Specify the image
+        	image: *"oamdev/vela-cli:v1.6.4" | string
+        	// +usage=specify serviceAccountName want to use
+        	serviceAccountName: *"kubevela-vela-core" | string
+        	storage?: {
+        		// +usage=Mount Secret type storage
+        		secret?: [...{
+        			name:        string
+        			mountPath:   string
+        			subPath?:    string
+        			defaultMode: *420 | int
+        			secretName:  string
+        			items?: [...{
+        				key:  string
+        				path: string
+        				mode: *511 | int
+        			}]
+        		}]
+        	}
+        }
+

charts/vela-minimal/values.yaml

@@ -29,9 +29,6 @@ disableCaps: "envbinding,rollout"
 ## @param applyOnceOnly Valid applyOnceOnly values: true/false/on/off/force
 applyOnceOnly: "off"
 
-## @param enableFluxcdAddon Whether to enable fluxcd addon
-enableFluxcdAddon: false
-
 ## @param dependCheckWait dependCheckWait is the time to wait for ApplicationConfiguration's dependent-resource ready
 dependCheckWait: 30s
 

cmd/apiserver/app/options/options.go

@@ -0,0 +1,45 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"k8s.io/apiserver/pkg/util/feature"
+	cliflag "k8s.io/component-base/cli/flag"
+
+	"github.com/oam-dev/kubevela/pkg/apiserver/config"
+)
+
+// ServerRunOptions contains everything necessary to create and run api server
+type ServerRunOptions struct {
+	GenericServerRunOptions *config.Config
+}
+
+// NewServerRunOptions creates a new ServerRunOptions object with default parameters
+func NewServerRunOptions() *ServerRunOptions {
+	s := &ServerRunOptions{
+		GenericServerRunOptions: config.NewConfig(),
+	}
+	return s
+}
+
+// Flags returns the complete NamedFlagSets
+func (s *ServerRunOptions) Flags() (fss cliflag.NamedFlagSets) {
+	fs := fss.FlagSet("generic")
+	s.GenericServerRunOptions.AddFlags(fs, s.GenericServerRunOptions)
+	feature.DefaultMutableFeatureGate.AddFlag(fss.FlagSet("featuregate"))
+	return fss
+}

cmd/apiserver/app/options/validation.go

@@ -14,14 +14,15 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package compression
+package options
 
-import (
-	"testing"
+import utilerrors "k8s.io/apimachinery/pkg/util/errors"
 
-	"github.com/stretchr/testify/require"
-)
+// Validate validates server run options, to find options' misconfiguration
+func (s *ServerRunOptions) Validate() error {
+	var errors []error
 
-func TestErrors(t *testing.T) {
-	require.Equal(t, NewUnsupportedCompressionTypeError("x").Error(), "unsupported compression type: x")
+	errors = append(errors, s.GenericServerRunOptions.Validate()...)
+
+	return utilerrors.NewAggregate(errors)
 }

cmd/apiserver/app/server.go

@@ -0,0 +1,151 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"os/signal"
+	"syscall"
+
+	restfulspec "github.com/emicklei/go-restful-openapi/v2"
+	"github.com/fatih/color"
+	"github.com/go-openapi/spec"
+	"github.com/spf13/cobra"
+	"k8s.io/klog/v2"
+
+	"github.com/oam-dev/kubevela/cmd/apiserver/app/options"
+	"github.com/oam-dev/kubevela/pkg/apiserver"
+	"github.com/oam-dev/kubevela/pkg/utils"
+	"github.com/oam-dev/kubevela/version"
+)
+
+// NewAPIServerCommand creates a *cobra.Command object with default parameters
+func NewAPIServerCommand() *cobra.Command {
+	s := options.NewServerRunOptions()
+	cmd := &cobra.Command{
+		Use: "apiserver",
+		Long: `The KubeVela API server validates and configures data for the API objects. 
+The API Server services REST operations and provides the frontend to the
+cluster's shared state through which all other components interact.`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if err := s.Validate(); err != nil {
+				return err
+			}
+			return Run(s)
+		},
+		SilenceUsage: true,
+	}
+
+	fs := cmd.Flags()
+	namedFlagSets := s.Flags()
+	for _, set := range namedFlagSets.FlagSets {
+		fs.AddFlagSet(set)
+	}
+
+	buildSwaggerCmd := &cobra.Command{
+		Use:   "build-swagger",
+		Short: "Build swagger documentation of KubeVela apiserver",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			name := "docs/apidoc/latest-swagger.json"
+			if len(args) > 0 {
+				name = args[0]
+			}
+			func() {
+				swagger, err := buildSwagger(s)
+				if err != nil {
+					klog.Fatal(err.Error())
+				}
+				outData, err := json.MarshalIndent(swagger, "", "\t")
+				if err != nil {
+					klog.Fatal(err.Error())
+				}
+				swaggerFile, err := os.OpenFile(name, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0600)
+				if err != nil {
+					klog.Fatal(err.Error())
+				}
+				defer func() {
+					if err := swaggerFile.Close(); err != nil {
+						klog.Errorf("close swagger file failure %s", err.Error())
+					}
+				}()
+				_, err = swaggerFile.Write(outData)
+				if err != nil {
+					klog.Fatal(err.Error())
+				}
+				fmt.Println("build swagger config file success")
+			}()
+			return nil
+		},
+	}
+
+	cmd.AddCommand(buildSwaggerCmd)
+
+	return cmd
+}
+
+// Run runs the specified APIServer. This should never exit.
+func Run(s *options.ServerRunOptions) error {
+	// The server is not terminal, there is no color default.
+	// Force set to false, this is useful for the dry-run API.
+	color.NoColor = false
+
+	errChan := make(chan error)
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	if s.GenericServerRunOptions.PprofAddr != "" {
+		go utils.EnablePprof(s.GenericServerRunOptions.PprofAddr, errChan)
+	}
+
+	go func() {
+		if err := run(ctx, s, errChan); err != nil {
+			errChan <- fmt.Errorf("failed to run apiserver: %w", err)
+		}
+	}()
+	var term = make(chan os.Signal, 1)
+	signal.Notify(term, os.Interrupt, syscall.SIGTERM)
+
+	select {
+	case <-term:
+		klog.Infof("Received SIGTERM, exiting gracefully...")
+	case err := <-errChan:
+		klog.Errorf("Received an error: %s, exiting gracefully...", err.Error())
+		return err
+	}
+	klog.Infof("See you next time!")
+	return nil
+}
+
+func run(ctx context.Context, s *options.ServerRunOptions, errChan chan error) error {
+	klog.Infof("KubeVela information: version: %v, gitRevision: %v", version.VelaVersion, version.GitRevision)
+
+	server := apiserver.New(*s.GenericServerRunOptions)
+
+	return server.Run(ctx, errChan)
+}
+
+func buildSwagger(s *options.ServerRunOptions) (*spec.Swagger, error) {
+	server := apiserver.New(*s.GenericServerRunOptions)
+	config, err := server.BuildRestfulConfig()
+	if err != nil {
+		return nil, err
+	}
+	return restfulspec.BuildSwagger(*config), nil
+}

cmd/apiserver/main.go

@@ -17,121 +17,14 @@ limitations under the License.
 package main
 
 import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"os"
-	"os/signal"
-	"syscall"
-	"time"
+	"log"
 
-	restfulspec "github.com/emicklei/go-restful-openapi/v2"
-	"github.com/fatih/color"
-	"github.com/go-openapi/spec"
-	"github.com/google/uuid"
-	flag "github.com/spf13/pflag"
-	"k8s.io/klog/v2"
-
-	"github.com/oam-dev/kubevela/pkg/apiserver"
-	"github.com/oam-dev/kubevela/pkg/apiserver/config"
-	"github.com/oam-dev/kubevela/pkg/features"
-	"github.com/oam-dev/kubevela/pkg/utils"
-	"github.com/oam-dev/kubevela/version"
+	"github.com/oam-dev/kubevela/cmd/apiserver/app"
 )
 
 func main() {
-	s := &Server{}
-	flag.StringVar(&s.serverConfig.BindAddr, "bind-addr", "0.0.0.0:8000", "The bind address used to serve the http APIs.")
-	flag.StringVar(&s.serverConfig.MetricPath, "metrics-path", "/metrics", "The path to expose the metrics.")
-	flag.StringVar(&s.serverConfig.Datastore.Type, "datastore-type", "kubeapi", "Metadata storage driver type, support kubeapi and mongodb")
-	flag.StringVar(&s.serverConfig.Datastore.Database, "datastore-database", "kubevela", "Metadata storage database name, takes effect when the storage driver is mongodb.")
-	flag.StringVar(&s.serverConfig.Datastore.URL, "datastore-url", "", "Metadata storage database url,takes effect when the storage driver is mongodb.")
-	flag.StringVar(&s.serverConfig.LeaderConfig.ID, "id", uuid.New().String(), "the holder identity name")
-	flag.StringVar(&s.serverConfig.LeaderConfig.LockName, "lock-name", "apiserver-lock", "the lease lock resource name")
-	flag.DurationVar(&s.serverConfig.LeaderConfig.Duration, "duration", time.Second*5, "the lease lock resource name")
-	flag.DurationVar(&s.serverConfig.AddonCacheTime, "addon-cache-duration", time.Minute*10, "how long between two addon cache operation")
-	flag.BoolVar(&s.serverConfig.DisableStatisticCronJob, "disable-statistic-cronJob", false, "close the system statistic info calculating cronJob")
-	flag.StringVar(&s.serverConfig.PprofAddr, "pprof-addr", "", "The address for pprof to use while exporting profiling results. The default value is empty which means do not expose it. Set it to address like :6666 to expose it.")
-	flag.Float64Var(&s.serverConfig.KubeQPS, "kube-api-qps", 100, "the qps for kube clients. Low qps may lead to low throughput. High qps may give stress to api-server.")
-	flag.IntVar(&s.serverConfig.KubeBurst, "kube-api-burst", 300, "the burst for kube clients. Recommend setting it qps*3.")
-	features.APIServerMutableFeatureGate.AddFlag(flag.CommandLine)
-	flag.Parse()
-
-	if len(os.Args) > 2 && os.Args[1] == "build-swagger" {
-		func() {
-			swagger, err := s.buildSwagger()
-			if err != nil {
-				klog.Fatal(err.Error())
-			}
-			outData, err := json.MarshalIndent(swagger, "", "\t")
-			if err != nil {
-				klog.Fatal(err.Error())
-			}
-			swaggerFile, err := os.OpenFile(os.Args[2], os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0600)
-			if err != nil {
-				klog.Fatal(err.Error())
-			}
-			defer func() {
-				if err := swaggerFile.Close(); err != nil {
-					klog.Errorf("close swagger file failure %s", err.Error())
-				}
-			}()
-			_, err = swaggerFile.Write(outData)
-			if err != nil {
-				klog.Fatal(err.Error())
-			}
-			fmt.Println("build swagger config file success")
-		}()
-		return
+	cmd := app.NewAPIServerCommand()
+	if err := cmd.Execute(); err != nil {
+		log.Fatalln(err)
 	}
-
-	// The server is not terminal, there is no color default.
-	// Force set to false, this is useful for the dry-run API.
-	color.NoColor = false
-
-	errChan := make(chan error)
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	if s.serverConfig.PprofAddr != "" {
-		go utils.EnablePprof(s.serverConfig.PprofAddr, errChan)
-	}
-
-	go func() {
-		if err := s.run(ctx, errChan); err != nil {
-			errChan <- fmt.Errorf("failed to run apiserver: %w", err)
-		}
-	}()
-	var term = make(chan os.Signal, 1)
-	signal.Notify(term, os.Interrupt, syscall.SIGTERM)
-
-	select {
-	case <-term:
-		klog.Infof("Received SIGTERM, exiting gracefully...")
-	case err := <-errChan:
-		klog.Errorf("Received an error: %s, exiting gracefully...", err.Error())
-	}
-	klog.Infof("See you next time!")
-}
-
-// Server apiserver
-type Server struct {
-	serverConfig config.Config
-}
-
-func (s *Server) run(ctx context.Context, errChan chan error) error {
-	klog.Infof("KubeVela information: version: %v, gitRevision: %v", version.VelaVersion, version.GitRevision)
-
-	server := apiserver.New(s.serverConfig)
-
-	return server.Run(ctx, errChan)
-}
-
-func (s *Server) buildSwagger() (*spec.Swagger, error) {
-	server := apiserver.New(s.serverConfig)
-	config, err := server.BuildRestfulConfig()
-	if err != nil {
-		return nil, err
-	}
-	return restfulspec.BuildSwagger(*config), nil
 }

cmd/core/app/options/options.go

@@ -0,0 +1,186 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"flag"
+	"strconv"
+	"time"
+
+	ctrlrec "github.com/kubevela/pkg/controller/reconciler"
+	pkgmulticluster "github.com/kubevela/pkg/multicluster"
+	wfTypes "github.com/kubevela/workflow/pkg/types"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	cliflag "k8s.io/component-base/cli/flag"
+	"k8s.io/klog/v2"
+
+	standardcontroller "github.com/oam-dev/kubevela/pkg/controller"
+	commonconfig "github.com/oam-dev/kubevela/pkg/controller/common"
+	"github.com/oam-dev/kubevela/pkg/oam"
+	"github.com/oam-dev/kubevela/pkg/resourcekeeper"
+
+	oamcontroller "github.com/oam-dev/kubevela/pkg/controller/core.oam.dev"
+)
+
+// CoreOptions contains everything necessary to create and run vela-core
+type CoreOptions struct {
+	UseWebhook                 bool
+	CertDir                    string
+	WebhookPort                int
+	MetricsAddr                string
+	EnableLeaderElection       bool
+	LeaderElectionNamespace    string
+	LogFilePath                string
+	LogFileMaxSize             uint64
+	LogDebug                   bool
+	ControllerArgs             *oamcontroller.Args
+	HealthAddr                 string
+	DisableCaps                string
+	StorageDriver              string
+	InformerSyncPeriod         time.Duration
+	QPS                        float64
+	Burst                      int
+	PprofAddr                  string
+	LeaderElectionResourceLock string
+	LeaseDuration              time.Duration
+	RenewDeadLine              time.Duration
+	RetryPeriod                time.Duration
+	EnableClusterGateway       bool
+	EnableClusterMetrics       bool
+	ClusterMetricsInterval     time.Duration
+}
+
+// NewCoreOptions creates a new NewVelaCoreOptions object with default parameters
+func NewCoreOptions() *CoreOptions {
+	s := &CoreOptions{
+		UseWebhook:              false,
+		CertDir:                 "/k8s-webhook-server/serving-certs",
+		WebhookPort:             9443,
+		MetricsAddr:             ":8080",
+		EnableLeaderElection:    false,
+		LeaderElectionNamespace: "",
+		LogFilePath:             "",
+		LogFileMaxSize:          1024,
+		LogDebug:                false,
+		ControllerArgs: &oamcontroller.Args{
+			RevisionLimit:                                50,
+			AppRevisionLimit:                             10,
+			DefRevisionLimit:                             20,
+			CustomRevisionHookURL:                        "",
+			AutoGenWorkloadDefinition:                    true,
+			ConcurrentReconciles:                         4,
+			DependCheckWait:                              30 * time.Second,
+			OAMSpecVer:                                   "v0.3",
+			EnableCompatibility:                          false,
+			IgnoreAppWithoutControllerRequirement:        false,
+			IgnoreDefinitionWithoutControllerRequirement: false,
+		},
+		HealthAddr:                 ":9440",
+		DisableCaps:                "",
+		StorageDriver:              "Local",
+		InformerSyncPeriod:         10 * time.Hour,
+		QPS:                        50,
+		Burst:                      100,
+		PprofAddr:                  "",
+		LeaderElectionResourceLock: "configmapsleases",
+		LeaseDuration:              15 * time.Second,
+		RenewDeadLine:              10 * time.Second,
+		RetryPeriod:                2 * time.Second,
+		EnableClusterGateway:       false,
+		EnableClusterMetrics:       false,
+		ClusterMetricsInterval:     15 * time.Second,
+	}
+	return s
+}
+
+// Flags returns the complete NamedFlagSets
+func (s *CoreOptions) Flags() cliflag.NamedFlagSets {
+	fss := cliflag.NamedFlagSets{}
+
+	gfs := fss.FlagSet("generic")
+	gfs.BoolVar(&s.UseWebhook, "use-webhook", s.UseWebhook, "Enable Admission Webhook")
+	gfs.StringVar(&s.CertDir, "webhook-cert-dir", s.CertDir, "Admission webhook cert/key dir.")
+	gfs.IntVar(&s.WebhookPort, "webhook-port", s.WebhookPort, "admission webhook listen address")
+	gfs.StringVar(&s.MetricsAddr, "metrics-addr", s.MetricsAddr, "The address the metric endpoint binds to.")
+	gfs.BoolVar(&s.EnableLeaderElection, "enable-leader-election", s.EnableLeaderElection,
+		"Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.")
+	gfs.StringVar(&s.LeaderElectionNamespace, "leader-election-namespace", s.LeaderElectionNamespace,
+		"Determines the namespace in which the leader election configmap will be created.")
+	gfs.StringVar(&s.LogFilePath, "log-file-path", s.LogFilePath, "The file to write logs to.")
+	gfs.Uint64Var(&s.LogFileMaxSize, "log-file-max-size", s.LogFileMaxSize, "Defines the maximum size a log file can grow to, Unit is megabytes.")
+	gfs.BoolVar(&s.LogDebug, "log-debug", s.LogDebug, "Enable debug logs for development purpose")
+	gfs.StringVar(&s.HealthAddr, "health-addr", s.HealthAddr, "The address the health endpoint binds to.")
+	gfs.StringVar(&s.DisableCaps, "disable-caps", s.DisableCaps, "To be disabled builtin capability list.")
+	gfs.StringVar(&s.StorageDriver, "storage-driver", s.StorageDriver, "Application file save to the storage driver")
+	gfs.DurationVar(&s.InformerSyncPeriod, "informer-sync-period", s.InformerSyncPeriod,
+		"The re-sync period for informer in controller-runtime. This is a system-level configuration.")
+	gfs.Float64Var(&s.QPS, "kube-api-qps", s.QPS, "the qps for reconcile clients. Low qps may lead to low throughput. High qps may give stress to api-server. Raise this value if concurrent-reconciles is set to be high.")
+	gfs.IntVar(&s.Burst, "kube-api-burst", s.Burst, "the burst for reconcile clients. Recommend setting it qps*2.")
+	gfs.StringVar(&s.PprofAddr, "pprof-addr", s.PprofAddr, "The address for pprof to use while exporting profiling results. The default value is empty which means do not expose it. Set it to address like :6666 to expose it.")
+	gfs.StringVar(&s.LeaderElectionResourceLock, "leader-election-resource-lock", s.LeaderElectionResourceLock, "The resource lock to use for leader election")
+	gfs.DurationVar(&s.LeaseDuration, "leader-election-lease-duration", s.LeaseDuration,
+		"The duration that non-leader candidates will wait to force acquire leadership")
+	gfs.DurationVar(&s.RenewDeadLine, "leader-election-renew-deadline", s.RenewDeadLine,
+		"The duration that the acting controlplane will retry refreshing leadership before giving up")
+	gfs.DurationVar(&s.RetryPeriod, "leader-election-retry-period", s.RetryPeriod,
+		"The duration the LeaderElector clients should wait between tries of actions")
+	gfs.BoolVar(&s.EnableClusterGateway, "enable-cluster-gateway", s.EnableClusterGateway, "Enable cluster-gateway to use multicluster, disabled by default.")
+	gfs.BoolVar(&s.EnableClusterMetrics, "enable-cluster-metrics", s.EnableClusterMetrics, "Enable cluster-metrics-management to collect metrics from clusters with cluster-gateway, disabled by default. When this param is enabled, enable-cluster-gateway should be enabled")
+	gfs.DurationVar(&s.ClusterMetricsInterval, "cluster-metrics-interval", s.ClusterMetricsInterval, "The interval that ClusterMetricsMgr will collect metrics from clusters, default value is 15 seconds.")
+
+	s.ControllerArgs.AddFlags(fss.FlagSet("controllerArgs"), s.ControllerArgs)
+
+	cfs := fss.FlagSet("commonconfig")
+	cfs.DurationVar(&commonconfig.ApplicationReSyncPeriod, "application-re-sync-period", commonconfig.ApplicationReSyncPeriod,
+		"Re-sync period for application to re-sync, also known as the state-keep interval.")
+	cfs.BoolVar(&commonconfig.PerfEnabled, "perf-enabled", commonconfig.PerfEnabled, "Enable performance logging for controllers, disabled by default.")
+
+	ofs := fss.FlagSet("oam")
+	ofs.StringVar(&oam.SystemDefinitionNamespace, "system-definition-namespace", "vela-system", "define the namespace of the system-level definition")
+
+	standardcontroller.AddOptimizeFlags(fss.FlagSet("optimize"))
+	standardcontroller.AddAdmissionFlags(fss.FlagSet("admission"))
+
+	rfs := fss.FlagSet("resourcekeeper")
+	rfs.IntVar(&resourcekeeper.MaxDispatchConcurrent, "max-dispatch-concurrent", 10, "Set the max dispatch concurrent number, default is 10")
+
+	wfs := fss.FlagSet("wfTypes")
+	wfs.IntVar(&wfTypes.MaxWorkflowWaitBackoffTime, "max-workflow-wait-backoff-time", 60, "Set the max workflow wait backoff time, default is 60")
+	wfs.IntVar(&wfTypes.MaxWorkflowFailedBackoffTime, "max-workflow-failed-backoff-time", 300, "Set the max workflow wait backoff time, default is 300")
+	wfs.IntVar(&wfTypes.MaxWorkflowStepErrorRetryTimes, "max-workflow-step-error-retry-times", 10, "Set the max workflow step error retry times, default is 10")
+
+	pkgmulticluster.AddFlags(fss.FlagSet("multicluster"))
+	ctrlrec.AddFlags(fss.FlagSet("controllerreconciles"))
+	utilfeature.DefaultMutableFeatureGate.AddFlag(fss.FlagSet("featuregate"))
+
+	kfs := fss.FlagSet("klog")
+	local := flag.NewFlagSet("klog", flag.ExitOnError)
+	klog.InitFlags(local)
+	kfs.AddGoFlagSet(local)
+
+	if s.LogDebug {
+		_ = kfs.Set("v", strconv.Itoa(int(commonconfig.LogDebug)))
+	}
+
+	if s.LogFilePath != "" {
+		_ = kfs.Set("logtostderr", "false")
+		_ = kfs.Set("log_file", s.LogFilePath)
+		_ = kfs.Set("log_file_max_size", strconv.FormatUint(s.LogFileMaxSize, 10))
+	}
+
+	return fss
+}

cmd/core/app/server.go

@@ -0,0 +1,299 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strconv"
+	"time"
+
+	velaclient "github.com/kubevela/pkg/controller/client"
+	"github.com/kubevela/workflow/pkg/cue/packages"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/klog/v2"
+	"k8s.io/klog/v2/klogr"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/healthz"
+	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
+
+	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
+	"github.com/oam-dev/kubevela/apis/types"
+	"github.com/oam-dev/kubevela/cmd/core/app/options"
+	"github.com/oam-dev/kubevela/pkg/auth"
+	standardcontroller "github.com/oam-dev/kubevela/pkg/controller"
+	commonconfig "github.com/oam-dev/kubevela/pkg/controller/common"
+	oamv1alpha2 "github.com/oam-dev/kubevela/pkg/controller/core.oam.dev/v1alpha2"
+	"github.com/oam-dev/kubevela/pkg/controller/utils"
+	"github.com/oam-dev/kubevela/pkg/features"
+	"github.com/oam-dev/kubevela/pkg/monitor/watcher"
+	"github.com/oam-dev/kubevela/pkg/multicluster"
+	"github.com/oam-dev/kubevela/pkg/oam"
+	"github.com/oam-dev/kubevela/pkg/oam/discoverymapper"
+	pkgutil "github.com/oam-dev/kubevela/pkg/utils"
+	"github.com/oam-dev/kubevela/pkg/utils/common"
+	"github.com/oam-dev/kubevela/pkg/utils/system"
+	"github.com/oam-dev/kubevela/pkg/utils/util"
+	oamwebhook "github.com/oam-dev/kubevela/pkg/webhook/core.oam.dev"
+	"github.com/oam-dev/kubevela/version"
+)
+
+var (
+	scheme             = common.Scheme
+	waitSecretTimeout  = 90 * time.Second
+	waitSecretInterval = 2 * time.Second
+)
+
+// NewCoreCommand creates a *cobra.Command object with default parameters
+func NewCoreCommand() *cobra.Command {
+	s := options.NewCoreOptions()
+	cmd := &cobra.Command{
+		Use: "vela-core",
+		Long: `The KubeVela controller manager is a daemon that embeds
+the core control loops shipped with KubeVela`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+
+			return run(signals.SetupSignalHandler(), s)
+		},
+		SilenceUsage: true,
+	}
+
+	fs := cmd.Flags()
+	namedFlagSets := s.Flags()
+	for _, set := range namedFlagSets.FlagSets {
+		fs.AddFlagSet(set)
+	}
+	if s.PprofAddr != "" {
+		go pkgutil.EnablePprof(s.PprofAddr, nil)
+	}
+
+	klog.InfoS("KubeVela information", "version", version.VelaVersion, "revision", version.GitRevision)
+	klog.InfoS("Disable capabilities", "name", s.DisableCaps)
+	klog.InfoS("Vela-Core init", "definition namespace", oam.SystemDefinitionNamespace)
+
+	return cmd
+}
+
+func run(ctx context.Context, s *options.CoreOptions) error {
+	klog.InfoS("KubeVela information", "version", version.VelaVersion, "revision", version.GitRevision)
+	klog.InfoS("Disable capabilities", "name", s.DisableCaps)
+	klog.InfoS("Vela-Core init", "definition namespace", oam.SystemDefinitionNamespace)
+
+	restConfig := ctrl.GetConfigOrDie()
+	restConfig.UserAgent = types.KubeVelaName + "/" + version.GitRevision
+	restConfig.QPS = float32(s.QPS)
+	restConfig.Burst = s.Burst
+	restConfig.Wrap(auth.NewImpersonatingRoundTripper)
+	klog.InfoS("Kubernetes Config Loaded",
+		"UserAgent", restConfig.UserAgent,
+		"QPS", restConfig.QPS,
+		"Burst", restConfig.Burst,
+	)
+
+	// wrapper the round tripper by multi cluster rewriter
+	if s.EnableClusterGateway {
+		client, err := multicluster.Initialize(restConfig, true)
+		if err != nil {
+			klog.ErrorS(err, "failed to enable multi-cluster capability")
+			return err
+		}
+
+		if s.EnableClusterMetrics {
+			_, err := multicluster.NewClusterMetricsMgr(context.Background(), client, s.ClusterMetricsInterval)
+			if err != nil {
+				klog.ErrorS(err, "failed to enable multi-cluster-metrics capability")
+				return err
+			}
+		}
+	}
+
+	ctrl.SetLogger(klogr.New())
+
+	if utilfeature.DefaultMutableFeatureGate.Enabled(features.ApplyOnce) {
+		commonconfig.ApplicationReSyncPeriod = s.InformerSyncPeriod
+	}
+
+	leaderElectionID := util.GenerateLeaderElectionID(types.KubeVelaName, s.ControllerArgs.IgnoreAppWithoutControllerRequirement)
+	mgr, err := ctrl.NewManager(restConfig, ctrl.Options{
+		Scheme:                     scheme,
+		MetricsBindAddress:         s.MetricsAddr,
+		LeaderElection:             s.EnableLeaderElection,
+		LeaderElectionNamespace:    s.LeaderElectionNamespace,
+		LeaderElectionID:           leaderElectionID,
+		Port:                       s.WebhookPort,
+		CertDir:                    s.CertDir,
+		HealthProbeBindAddress:     s.HealthAddr,
+		LeaderElectionResourceLock: s.LeaderElectionResourceLock,
+		LeaseDuration:              &s.LeaseDuration,
+		RenewDeadline:              &s.RenewDeadLine,
+		RetryPeriod:                &s.RetryPeriod,
+		SyncPeriod:                 &s.InformerSyncPeriod,
+		// SyncPeriod is configured with default value, aka. 10h. First, controller-runtime does not
+		// recommend use it as a time trigger, instead, it is expected to work for failure tolerance
+		// of controller-runtime. Additionally, set this value will affect not only application
+		// controller but also all other controllers like definition controller. Therefore, for
+		// functionalities like state-keep, they should be invented in other ways.
+		NewClient: velaclient.DefaultNewControllerClient,
+	})
+	if err != nil {
+		klog.ErrorS(err, "Unable to create a controller manager")
+		return err
+	}
+
+	if err := registerHealthChecks(mgr); err != nil {
+		klog.ErrorS(err, "Unable to register ready/health checks")
+		return err
+	}
+
+	if err := utils.CheckDisabledCapabilities(s.DisableCaps); err != nil {
+		klog.ErrorS(err, "Unable to get enabled capabilities")
+		return err
+	}
+
+	dm, err := discoverymapper.New(mgr.GetConfig())
+	if err != nil {
+		klog.ErrorS(err, "Failed to create CRD discovery client")
+		return err
+	}
+	s.ControllerArgs.DiscoveryMapper = dm
+	pd, err := packages.NewPackageDiscover(mgr.GetConfig())
+	if err != nil {
+		klog.Error(err, "Failed to create CRD discovery for CUE package client")
+		if !packages.IsCUEParseErr(err) {
+			return err
+		}
+	}
+	s.ControllerArgs.PackageDiscover = pd
+
+	if s.UseWebhook {
+		klog.InfoS("Enable webhook", "server port", strconv.Itoa(s.WebhookPort))
+		oamwebhook.Register(mgr, *s.ControllerArgs)
+		if err := waitWebhookSecretVolume(s.CertDir, waitSecretTimeout, waitSecretInterval); err != nil {
+			klog.ErrorS(err, "Unable to get webhook secret")
+			return err
+		}
+	}
+
+	if err = oamv1alpha2.Setup(mgr, *s.ControllerArgs); err != nil {
+		klog.ErrorS(err, "Unable to setup the oam controller")
+		return err
+	}
+
+	if err = standardcontroller.Setup(mgr, s.DisableCaps, *s.ControllerArgs); err != nil {
+		klog.ErrorS(err, "Unable to setup the vela core controller")
+		return err
+	}
+
+	if err = multicluster.InitClusterInfo(restConfig); err != nil {
+		klog.ErrorS(err, "Init control plane cluster info")
+		return err
+	}
+
+	if driver := os.Getenv(system.StorageDriverEnv); len(driver) == 0 {
+		// first use system environment,
+		err := os.Setenv(system.StorageDriverEnv, s.StorageDriver)
+		if err != nil {
+			klog.ErrorS(err, "Unable to setup the vela core controller")
+			return err
+		}
+	}
+	klog.InfoS("Use storage driver", "storageDriver", os.Getenv(system.StorageDriverEnv))
+
+	klog.Info("Start the vela application monitor")
+	informer, err := mgr.GetCache().GetInformer(context.Background(), &v1beta1.Application{})
+	if err != nil {
+		klog.ErrorS(err, "Unable to get informer for application")
+	}
+	watcher.StartApplicationMetricsWatcher(informer)
+
+	klog.Info("Start the vela controller manager")
+
+	if err := mgr.Start(ctx); err != nil {
+		klog.ErrorS(err, "Failed to run manager")
+		return err
+	}
+	if s.LogFilePath != "" {
+		klog.Flush()
+	}
+	klog.Info("Safely stops Program...")
+	return nil
+}
+
+// registerHealthChecks is used to create readiness&liveness probes
+func registerHealthChecks(mgr ctrl.Manager) error {
+	klog.Info("Create readiness/health check")
+	if err := mgr.AddReadyzCheck("ping", healthz.Ping); err != nil {
+		return err
+	}
+	// TODO: change the health check to be different from readiness check
+	if err := mgr.AddHealthzCheck("ping", healthz.Ping); err != nil {
+		return err
+	}
+	return nil
+}
+
+// waitWebhookSecretVolume waits for webhook secret ready to avoid mgr running crash
+func waitWebhookSecretVolume(certDir string, timeout, interval time.Duration) error {
+	start := time.Now()
+	for {
+		time.Sleep(interval)
+		if time.Since(start) > timeout {
+			return fmt.Errorf("getting webhook secret timeout after %s", timeout.String())
+		}
+		klog.InfoS("Wait webhook secret", "time consumed(second)", int64(time.Since(start).Seconds()),
+			"timeout(second)", int64(timeout.Seconds()))
+		if _, err := os.Stat(certDir); !os.IsNotExist(err) {
+			ready := func() bool {
+				f, err := os.Open(filepath.Clean(certDir))
+				if err != nil {
+					return false
+				}
+				defer func() {
+					if err := f.Close(); err != nil {
+						klog.Error(err, "Failed to close file")
+					}
+				}()
+				// check if dir is empty
+				if _, err := f.Readdir(1); errors.Is(err, io.EOF) {
+					return false
+				}
+				// check if secret files are empty
+				err = filepath.Walk(certDir, func(path string, info os.FileInfo, err error) error {
+					// even Cert dir is created, cert files are still empty for a while
+					if info.Size() == 0 {
+						return errors.New("secret is not ready")
+					}
+					return nil
+				})
+				if err == nil {
+					klog.InfoS("Webhook secret is ready", "time consumed(second)",
+						int64(time.Since(start).Seconds()))
+					return true
+				}
+				return false
+			}()
+			if ready {
+				return nil
+			}
+		}
+	}
+}

cmd/core/app/server_test.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package main
+package app
 
 import (
 	"os"

cmd/core/main.go

@@ -17,359 +17,14 @@ limitations under the License.
 package main
 
 import (
-	"context"
-	"errors"
-	goflag "flag"
-	"fmt"
-	"io"
 	"os"
-	"path/filepath"
-	"strconv"
-	"time"
 
-	ctrlrec "github.com/kubevela/pkg/controller/reconciler"
-	pkgmulticluster "github.com/kubevela/pkg/multicluster"
-	flag "github.com/spf13/pflag"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	"k8s.io/klog/v2"
-	"k8s.io/klog/v2/klogr"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/healthz"
-
-	velaclient "github.com/kubevela/pkg/controller/client"
-	"github.com/kubevela/workflow/pkg/cue/packages"
-	_ "github.com/kubevela/workflow/pkg/features"
-	wfTypes "github.com/kubevela/workflow/pkg/types"
-
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
-	"github.com/oam-dev/kubevela/apis/types"
-	"github.com/oam-dev/kubevela/pkg/auth"
-	standardcontroller "github.com/oam-dev/kubevela/pkg/controller"
-	commonconfig "github.com/oam-dev/kubevela/pkg/controller/common"
-	oamcontroller "github.com/oam-dev/kubevela/pkg/controller/core.oam.dev"
-	oamv1alpha2 "github.com/oam-dev/kubevela/pkg/controller/core.oam.dev/v1alpha2"
-	"github.com/oam-dev/kubevela/pkg/controller/utils"
-	"github.com/oam-dev/kubevela/pkg/features"
-	_ "github.com/oam-dev/kubevela/pkg/monitor/metrics"
-	"github.com/oam-dev/kubevela/pkg/monitor/watcher"
-	"github.com/oam-dev/kubevela/pkg/multicluster"
-	"github.com/oam-dev/kubevela/pkg/oam"
-	"github.com/oam-dev/kubevela/pkg/oam/discoverymapper"
-	"github.com/oam-dev/kubevela/pkg/resourcekeeper"
-	pkgutils "github.com/oam-dev/kubevela/pkg/utils"
-	"github.com/oam-dev/kubevela/pkg/utils/common"
-	"github.com/oam-dev/kubevela/pkg/utils/system"
-	"github.com/oam-dev/kubevela/pkg/utils/util"
-	oamwebhook "github.com/oam-dev/kubevela/pkg/webhook/core.oam.dev"
-	"github.com/oam-dev/kubevela/version"
-)
-
-var (
-	scheme             = common.Scheme
-	waitSecretTimeout  = 90 * time.Second
-	waitSecretInterval = 2 * time.Second
+	"github.com/oam-dev/kubevela/cmd/core/app"
 )
 
 func main() {
-	var metricsAddr, logFilePath, leaderElectionNamespace string
-	var enableLeaderElection, logDebug bool
-	var logFileMaxSize uint64
-	var certDir string
-	var webhookPort int
-	var useWebhook bool
-	var controllerArgs oamcontroller.Args
-	var healthAddr string
-	var disableCaps string
-	var storageDriver string
-	var qps float64
-	var burst int
-	var pprofAddr string
-	var leaderElectionResourceLock string
-	var leaseDuration time.Duration
-	var renewDeadline time.Duration
-	var retryPeriod time.Duration
-	var informerSyncPeriod time.Duration
-	var enableClusterGateway bool
-	var enableClusterMetrics bool
-	var clusterMetricsInterval time.Duration
-
-	flag.BoolVar(&useWebhook, "use-webhook", false, "Enable Admission Webhook")
-	flag.StringVar(&certDir, "webhook-cert-dir", "/k8s-webhook-server/serving-certs", "Admission webhook cert/key dir.")
-	flag.IntVar(&webhookPort, "webhook-port", 9443, "admission webhook listen address")
-	flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
-	flag.BoolVar(&enableLeaderElection, "enable-leader-election", false,
-		"Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.")
-	flag.StringVar(&leaderElectionNamespace, "leader-election-namespace", "",
-		"Determines the namespace in which the leader election configmap will be created.")
-	flag.StringVar(&logFilePath, "log-file-path", "", "The file to write logs to.")
-	flag.Uint64Var(&logFileMaxSize, "log-file-max-size", 1024, "Defines the maximum size a log file can grow to, Unit is megabytes.")
-	flag.BoolVar(&logDebug, "log-debug", false, "Enable debug logs for development purpose")
-	flag.IntVar(&controllerArgs.RevisionLimit, "revision-limit", 50,
-		"RevisionLimit is the maximum number of revisions that will be maintained. The default value is 50.")
-	flag.IntVar(&controllerArgs.AppRevisionLimit, "application-revision-limit", 10,
-		"application-revision-limit is the maximum number of application useless revisions that will be maintained, if the useless revisions exceed this number, older ones will be GCed first.The default value is 10.")
-	flag.IntVar(&controllerArgs.DefRevisionLimit, "definition-revision-limit", 20,
-		"definition-revision-limit is the maximum number of component/trait definition useless revisions that will be maintained, if the useless revisions exceed this number, older ones will be GCed first.The default value is 20.")
-	flag.StringVar(&controllerArgs.CustomRevisionHookURL, "custom-revision-hook-url", "",
-		"custom-revision-hook-url is a webhook url which will let KubeVela core to call with applicationConfiguration and component info and return a customized component revision")
-	flag.BoolVar(&controllerArgs.AutoGenWorkloadDefinition, "autogen-workload-definition", true, "Automatic generated workloadDefinition which componentDefinition refers to.")
-	flag.StringVar(&healthAddr, "health-addr", ":9440", "The address the health endpoint binds to.")
-	flag.StringVar(&disableCaps, "disable-caps", "", "To be disabled builtin capability list.")
-	flag.StringVar(&storageDriver, "storage-driver", "Local", "Application file save to the storage driver")
-	flag.DurationVar(&commonconfig.ApplicationReSyncPeriod, "application-re-sync-period", 5*time.Minute,
-		"Re-sync period for application to re-sync, also known as the state-keep interval.")
-	flag.DurationVar(&informerSyncPeriod, "informer-sync-period", 10*time.Hour,
-		"The re-sync period for informer in controller-runtime. This is a system-level configuration.")
-	flag.StringVar(&oam.SystemDefinitionNamespace, "system-definition-namespace", "vela-system", "define the namespace of the system-level definition")
-	flag.IntVar(&controllerArgs.ConcurrentReconciles, "concurrent-reconciles", 4, "concurrent-reconciles is the concurrent reconcile number of the controller. The default value is 4")
-	flag.Float64Var(&qps, "kube-api-qps", 50, "the qps for reconcile clients. Low qps may lead to low throughput. High qps may give stress to api-server. Raise this value if concurrent-reconciles is set to be high.")
-	flag.IntVar(&burst, "kube-api-burst", 100, "the burst for reconcile clients. Recommend setting it qps*2.")
-	flag.DurationVar(&controllerArgs.DependCheckWait, "depend-check-wait", 30*time.Second, "depend-check-wait is the time to wait for ApplicationConfiguration's dependent-resource ready."+
-		"The default value is 30s, which means if dependent resources were not prepared, the ApplicationConfiguration would be reconciled after 30s.")
-	flag.StringVar(&controllerArgs.OAMSpecVer, "oam-spec-ver", "v0.3", "oam-spec-ver is the oam spec version controller want to setup, available options: v0.2, v0.3, all")
-	flag.StringVar(&pprofAddr, "pprof-addr", "", "The address for pprof to use while exporting profiling results. The default value is empty which means do not expose it. Set it to address like :6666 to expose it.")
-	flag.BoolVar(&commonconfig.PerfEnabled, "perf-enabled", false, "Enable performance logging for controllers, disabled by default.")
-	flag.StringVar(&leaderElectionResourceLock, "leader-election-resource-lock", "configmapsleases", "The resource lock to use for leader election")
-	flag.DurationVar(&leaseDuration, "leader-election-lease-duration", 15*time.Second,
-		"The duration that non-leader candidates will wait to force acquire leadership")
-	flag.DurationVar(&renewDeadline, "leader-election-renew-deadline", 10*time.Second,
-		"The duration that the acting controlplane will retry refreshing leadership before giving up")
-	flag.DurationVar(&retryPeriod, "leader-election-retry-period", 2*time.Second,
-		"The duration the LeaderElector clients should wait between tries of actions")
-	flag.BoolVar(&enableClusterGateway, "enable-cluster-gateway", false, "Enable cluster-gateway to use multicluster, disabled by default.")
-	flag.BoolVar(&enableClusterMetrics, "enable-cluster-metrics", false, "Enable cluster-metrics-management to collect metrics from clusters with cluster-gateway, disabled by default. When this param is enabled, enable-cluster-gateway should be enabled")
-	flag.DurationVar(&clusterMetricsInterval, "cluster-metrics-interval", 15*time.Second, "The interval that ClusterMetricsMgr will collect metrics from clusters, default value is 15 seconds.")
-	flag.BoolVar(&controllerArgs.EnableCompatibility, "enable-asi-compatibility", false, "enable compatibility for asi")
-	flag.BoolVar(&controllerArgs.IgnoreAppWithoutControllerRequirement, "ignore-app-without-controller-version", false, "If true, application controller will not process the app without 'app.oam.dev/controller-version-require' annotation")
-	flag.BoolVar(&controllerArgs.IgnoreDefinitionWithoutControllerRequirement, "ignore-definition-without-controller-version", false, "If true, trait/component/workflowstep definition controller will not process the definition without 'definition.oam.dev/controller-version-require' annotation")
-	standardcontroller.AddOptimizeFlags()
-	standardcontroller.AddAdmissionFlags()
-	flag.IntVar(&resourcekeeper.MaxDispatchConcurrent, "max-dispatch-concurrent", 10, "Set the max dispatch concurrent number, default is 10")
-	flag.IntVar(&wfTypes.MaxWorkflowWaitBackoffTime, "max-workflow-wait-backoff-time", 60, "Set the max workflow wait backoff time, default is 60")
-	flag.IntVar(&wfTypes.MaxWorkflowFailedBackoffTime, "max-workflow-failed-backoff-time", 300, "Set the max workflow wait backoff time, default is 300")
-	flag.IntVar(&wfTypes.MaxWorkflowStepErrorRetryTimes, "max-workflow-step-error-retry-times", 10, "Set the max workflow step error retry times, default is 10")
-	pkgmulticluster.AddFlags(flag.CommandLine)
-	ctrlrec.AddFlags(flag.CommandLine)
-	utilfeature.DefaultMutableFeatureGate.AddFlag(flag.CommandLine)
-
-	// setup logging
-	klog.InitFlags(nil)
-	flag.CommandLine.AddGoFlagSet(goflag.CommandLine)
-	flag.Parse()
-	if logDebug {
-		_ = flag.Set("v", strconv.Itoa(int(commonconfig.LogDebug)))
-	}
-
-	if pprofAddr != "" {
-		// Start pprof server if enabled
-		go pkgutils.EnablePprof(pprofAddr, nil)
-	}
-
-	if logFilePath != "" {
-		_ = flag.Set("logtostderr", "false")
-		_ = flag.Set("log_file", logFilePath)
-		_ = flag.Set("log_file_max_size", strconv.FormatUint(logFileMaxSize, 10))
-	}
-
-	klog.InfoS("KubeVela information", "version", version.VelaVersion, "revision", version.GitRevision)
-	klog.InfoS("Disable capabilities", "name", disableCaps)
-	klog.InfoS("Vela-Core init", "definition namespace", oam.SystemDefinitionNamespace)
-
-	restConfig := ctrl.GetConfigOrDie()
-	restConfig.UserAgent = types.KubeVelaName + "/" + version.GitRevision
-	restConfig.QPS = float32(qps)
-	restConfig.Burst = burst
-	restConfig.Wrap(auth.NewImpersonatingRoundTripper)
-	klog.InfoS("Kubernetes Config Loaded",
-		"UserAgent", restConfig.UserAgent,
-		"QPS", restConfig.QPS,
-		"Burst", restConfig.Burst,
-	)
-
-	// wrapper the round tripper by multi cluster rewriter
-	if enableClusterGateway {
-		client, err := multicluster.Initialize(restConfig, true)
-		if err != nil {
-			klog.ErrorS(err, "failed to enable multi-cluster capability")
-			os.Exit(1)
-		}
-
-		if enableClusterMetrics {
-			_, err := multicluster.NewClusterMetricsMgr(context.Background(), client, clusterMetricsInterval)
-			if err != nil {
-				klog.ErrorS(err, "failed to enable multi-cluster-metrics capability")
-				os.Exit(1)
-			}
-		}
-	}
-
-	ctrl.SetLogger(klogr.New())
-
-	if utilfeature.DefaultMutableFeatureGate.Enabled(features.ApplyOnce) {
-		commonconfig.ApplicationReSyncPeriod = informerSyncPeriod
-	}
-
-	leaderElectionID := util.GenerateLeaderElectionID(types.KubeVelaName, controllerArgs.IgnoreAppWithoutControllerRequirement)
-	mgr, err := ctrl.NewManager(restConfig, ctrl.Options{
-		Scheme:                     scheme,
-		MetricsBindAddress:         metricsAddr,
-		LeaderElection:             enableLeaderElection,
-		LeaderElectionNamespace:    leaderElectionNamespace,
-		LeaderElectionID:           leaderElectionID,
-		Port:                       webhookPort,
-		CertDir:                    certDir,
-		HealthProbeBindAddress:     healthAddr,
-		LeaderElectionResourceLock: leaderElectionResourceLock,
-		LeaseDuration:              &leaseDuration,
-		RenewDeadline:              &renewDeadline,
-		RetryPeriod:                &retryPeriod,
-		SyncPeriod:                 &informerSyncPeriod,
-		// SyncPeriod is configured with default value, aka. 10h. First, controller-runtime does not
-		// recommend use it as a time trigger, instead, it is expected to work for failure tolerance
-		// of controller-runtime. Additionally, set this value will affect not only application
-		// controller but also all other controllers like definition controller. Therefore, for
-		// functionalities like state-keep, they should be invented in other ways.
-		NewClient: velaclient.DefaultNewControllerClient,
-	})
-	if err != nil {
-		klog.ErrorS(err, "Unable to create a controller manager")
+	command := app.NewCoreCommand()
+	if err := command.Execute(); err != nil {
 		os.Exit(1)
 	}
-
-	if err := registerHealthChecks(mgr); err != nil {
-		klog.ErrorS(err, "Unable to register ready/health checks")
-		os.Exit(1)
-	}
-
-	if err := utils.CheckDisabledCapabilities(disableCaps); err != nil {
-		klog.ErrorS(err, "Unable to get enabled capabilities")
-		os.Exit(1)
-	}
-
-	dm, err := discoverymapper.New(mgr.GetConfig())
-	if err != nil {
-		klog.ErrorS(err, "Failed to create CRD discovery client")
-		os.Exit(1)
-	}
-	controllerArgs.DiscoveryMapper = dm
-	pd, err := packages.NewPackageDiscover(mgr.GetConfig())
-	if err != nil {
-		klog.Error(err, "Failed to create CRD discovery for CUE package client")
-		if !packages.IsCUEParseErr(err) {
-			os.Exit(1)
-		}
-	}
-	controllerArgs.PackageDiscover = pd
-
-	if useWebhook {
-		klog.InfoS("Enable webhook", "server port", strconv.Itoa(webhookPort))
-		oamwebhook.Register(mgr, controllerArgs)
-		if err := waitWebhookSecretVolume(certDir, waitSecretTimeout, waitSecretInterval); err != nil {
-			klog.ErrorS(err, "Unable to get webhook secret")
-			os.Exit(1)
-		}
-	}
-
-	if err = oamv1alpha2.Setup(mgr, controllerArgs); err != nil {
-		klog.ErrorS(err, "Unable to setup the oam controller")
-		os.Exit(1)
-	}
-
-	if err = standardcontroller.Setup(mgr, disableCaps, controllerArgs); err != nil {
-		klog.ErrorS(err, "Unable to setup the vela core controller")
-		os.Exit(1)
-	}
-
-	if err = multicluster.InitClusterInfo(restConfig); err != nil {
-		klog.ErrorS(err, "Init control plane cluster info")
-		os.Exit(1)
-	}
-
-	if driver := os.Getenv(system.StorageDriverEnv); len(driver) == 0 {
-		// first use system environment,
-		err := os.Setenv(system.StorageDriverEnv, storageDriver)
-		if err != nil {
-			klog.ErrorS(err, "Unable to setup the vela core controller")
-			os.Exit(1)
-		}
-	}
-	klog.InfoS("Use storage driver", "storageDriver", os.Getenv(system.StorageDriverEnv))
-
-	klog.Info("Start the vela application monitor")
-	informer, err := mgr.GetCache().GetInformer(context.Background(), &v1beta1.Application{})
-	if err != nil {
-		klog.ErrorS(err, "Unable to get informer for application")
-	}
-	watcher.StartApplicationMetricsWatcher(informer)
-
-	klog.Info("Start the vela controller manager")
-
-	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
-		klog.ErrorS(err, "Failed to run manager")
-		os.Exit(1)
-	}
-	if logFilePath != "" {
-		klog.Flush()
-	}
-	klog.Info("Safely stops Program...")
-}
-
-// registerHealthChecks is used to create readiness&liveness probes
-func registerHealthChecks(mgr ctrl.Manager) error {
-	klog.Info("Create readiness/health check")
-	if err := mgr.AddReadyzCheck("ping", healthz.Ping); err != nil {
-		return err
-	}
-	// TODO: change the health check to be different from readiness check
-	if err := mgr.AddHealthzCheck("ping", healthz.Ping); err != nil {
-		return err
-	}
-	return nil
-}
-
-// waitWebhookSecretVolume waits for webhook secret ready to avoid mgr running crash
-func waitWebhookSecretVolume(certDir string, timeout, interval time.Duration) error {
-	start := time.Now()
-	for {
-		time.Sleep(interval)
-		if time.Since(start) > timeout {
-			return fmt.Errorf("getting webhook secret timeout after %s", timeout.String())
-		}
-		klog.InfoS("Wait webhook secret", "time consumed(second)", int64(time.Since(start).Seconds()),
-			"timeout(second)", int64(timeout.Seconds()))
-		if _, err := os.Stat(certDir); !os.IsNotExist(err) {
-			ready := func() bool {
-				f, err := os.Open(filepath.Clean(certDir))
-				if err != nil {
-					return false
-				}
-				defer func() {
-					if err := f.Close(); err != nil {
-						klog.Error(err, "Failed to close file")
-					}
-				}()
-				// check if dir is empty
-				if _, err := f.Readdir(1); errors.Is(err, io.EOF) {
-					return false
-				}
-				// check if secret files are empty
-				err = filepath.Walk(certDir, func(path string, info os.FileInfo, err error) error {
-					// even Cert dir is created, cert files are still empty for a while
-					if info.Size() == 0 {
-						return errors.New("secret is not ready")
-					}
-					return nil
-				})
-				if err == nil {
-					klog.InfoS("Webhook secret is ready", "time consumed(second)",
-						int64(time.Since(start).Seconds()))
-					return true
-				}
-				return false
-			}()
-			if ready {
-				return nil
-			}
-		}
-	}
 }

design/README.md

@@ -0,0 +1,48 @@
+# KubeVela Enhancement Proposals (KEPs)
+
+This directory is a place to propose and discuss new ideas of KubeVela concepts, designs, architectures and techniques.
+
+### When do we need KEPs
+
+When major changes are intended to be made to KubeVela project, we need KEPs. Major changes includes:
+- New project-level features that add modules to the architecture, like new Controller or APIServer.
+- Break changes to the core concepts of KubeVela, such as Application, Workflow, Component, etc.
+- Techniques or domains that lots of related enhancements need to be added to KubeVela, like multi-cluster, observability, etc.
+
+Changes to the internal mechanism of core KubeVela are recommended to add proposals as well, including:
+- Application behaviours and related policies: State-keep, garbage-collect, resource dispatch, etc.
+- API changes of auxiliary resources in KubeVela, such as ApplicationRevision, ResourceTracker.
+- New concepts and layers in KubeVela APIServer on VelaUX, such as Project, Target, etc.
+
+Minor changes and enhancements do not necessarily need to be included, but instead recommended to be tracked by issues, such as 
+- New addons.
+- New Component/Trait/WorkflowStep definitions.
+- New additional function APIs in APIServer.
+- Bug detection and fixes.
+- Auxiliary commands in CLI.
+
+### Areas
+
+There are several directories contained. Each directory contains the KEPs in specific area.
+
+- **/vela-core**: The proposals of features and changes to the core KubeVela, including Application APIs, internal mechanisms, auxiliary policies, etc.
+- **/vela-cli**: The proposals of features to the KubeVela CLI, such as `vela top`, `vela def`.
+- **/api**: The proposals of the interfaces KubeVela exposes to users, such as command line args for the core controller.
+- **/platform**: The proposals of integrating features in various related areas outside KubeVela, such as edge computing, artificial intelligence.
+- **/resources**: The related images embedded in the design documentations.
+
+### Writing a new Proposal
+
+The aim of a proposal is to communicate designs with others and give KubeVela users some basic ideas of how features and evolved and developed.
+
+To reach that, there are several things seed to be included in a proposal.
+1. The background of the feature or change, which explains why we need it.
+2. The goals and non-goals for the proposal.
+3. The potential technical solutions for the proposal and comparisons between various solutions. (Single solution is also acceptable.)
+4. How we should move on for the proposal. The estimated milestones or timelines for the feature development.
+
+### Submitting a new proposal
+
+We recommend to use the [template](./TEMPLATE.md) to start a new proposal.
+After finishing the proposal in the proper directory, raise a pull request to add the proposal to the main repo.
+If there are any issues related to the proposal, you can also add links to the issues in the pull request.

design/TEMPLATE.md

@@ -0,0 +1,25 @@
+# NAME OF THE PROPOSAL
+
+### (Optional) Introduction
+
+A short introduction to the proposal.
+
+### Background
+
+Why we need the proposal.
+
+### (Optional) Goals & Non-Goals
+
+The goals and non-goals of the proposal.
+
+### Proposal
+
+The potential solutions and comparisons. Technique details should be placed here. Risks for break changes should be highlighted.
+
+### (Optional) Examples
+
+The examples of how to use if the proposal is completed.
+
+### (Optional) Progress / Timeline / Milestones
+
+Break the proposal implementation into atomic units and estimate the time cost and difficulties for the implementation.

docs/examples/appdeployment/README.md

@@ -1,128 +0,0 @@
-# AppDeployment Tutorial
-
-1. Create an Application
-
-   ```bash
-   $ cat <<EOF | kubectl apply -f -
-   apiVersion: core.oam.dev/v1beta1
-   kind: Application
-   metadata:
-     name: example-app
-     annotations:
-       app.oam.dev/revision-only: "true"
-   spec:
-     components:
-       - name: testsvc
-         type: webservice
-         properties:
-           addRevisionLabel: true
-           image: crccheck/hello-world
-           port: 8000
-   EOF
-   ```
-
-   This will create `example-app-v1` AppRevision. Check it:
-
-   ```bash
-   $ kubectl get applicationrevisions.core.oam.dev
-   NAME             AGE
-   example-app-v1   116s
-   ```
-
-   With above annotation this won't create any pod instances.
-
-1. Then use the above AppRevision to create an AppDeployment.
-
-   ```bash
-   $ kubectl apply -f appdeployment-1.yaml
-   ```
-
-   > Note that in order to AppDeployment to work, your workload object must have a `spec.replicas` field for scaling.
-
-1. Now you can check that there will 1 deployment and 2 pod instances deployed
-
-   ```bash
-   $ kubectl get deploy
-   NAME         READY   UP-TO-DATE   AVAILABLE   AGE
-   testsvc-v1   2/2     2            0           27s
-   ```
-
-1. Update Application properties:
-
-   ```bash
-   $ cat <<EOF | kubectl apply -f -
-   apiVersion: core.oam.dev/v1beta1
-   kind: Application
-   metadata:
-     name: example-app
-     annotations:
-       app.oam.dev/revision-only: "true"
-   spec:
-     components:
-       - name: testsvc
-         type: webservice
-         properties:
-           addRevisionLabel: true
-           image: nginx
-           port: 80
-   EOF
-   ```
-
-   This will create a new `example-app-v2` AppRevision. Check it:
-
-   ```bash
-   $ kubectl get applicationrevisions.core.oam.dev
-   NAME
-   example-app-v1
-   example-app-v2
-   ```
-
-1. Then use the two AppRevisions to update the AppDeployment:
-
-   ```bash
-   $ kubectl apply -f appdeployment-2.yaml
-   ```
-
-   (Optional) If you have Istio installed, you can apply the AppDeployment with traffic split:
-
-   ```bash
-   # set up gateway if not yet
-   $ kubectl apply -f gateway.yaml
-
-   $ kubectl apply -f appdeployment-2-traffic.yaml
-   ```
-
-   Note that for traffic split to work, your must set the following pod labels in workload cue templates (see [webservice.cue](https://github.com/oam-dev/kubevela/blob/master/hack/vela-templates/cue/webservice.cue)):
-
-   ```shell
-   "app.oam.dev/component": context.name
-   "app.oam.dev/appRevision": context.appRevision
-   ```
-
-1. Now you can check that there will 1 deployment and 1 pod per revision.
-
-   ```bash
-   $ kubectl get deploy
-   NAME         READY   UP-TO-DATE   AVAILABLE   AGE
-   testsvc-v1   1/1     1            1           2m14s
-   testsvc-v2   1/1     1            1           8s
-   ```
-
-   (Optional) To verify traffic split:
-
-   ```bash
-   # run this in another terminal
-   $ kubectl -n istio-system port-forward service/istio-ingressgateway 8080:80
-   Forwarding from 127.0.0.1:8080 -> 8080
-   Forwarding from [::1]:8080 -> 8080
-
-   # The command should return pages of either docker whale or nginx in 50/50
-   $ curl -H "Host: example-app.example.com" http://localhost:8080/
-   ```
-
-1. Cleanup:
-
-   ```bash
-   kubectl delete appdeployments.core.oam.dev  --all
-   kubectl delete applications.core.oam.dev --all
-   ```

docs/examples/appdeployment/appdeployment-1.yaml

@@ -1,11 +0,0 @@
-apiVersion: core.oam.dev/v1beta1
-kind: AppDeployment
-metadata:
-  name: example-appdeploy
-spec:
-  appRevisions:
-    - revisionName: example-app-v1
-
-      placement:
-        - distribution:
-            replicas: 2

docs/examples/appdeployment/appdeployment-2-traffic.yaml

@@ -1,32 +0,0 @@
-apiVersion: core.oam.dev/v1beta1
-kind: AppDeployment
-metadata:
-  name: example-appdeploy
-spec:
-  traffic:
-    hosts:
-      - example-app.example.com
-    gateways:
-      - example-app-gateway
-    http:
-      - weightedTargets:
-          - revisionName: example-app-v1
-            componentName: testsvc
-            port: 8000
-            weight: 50
-          - revisionName: example-app-v2
-            componentName: testsvc
-            port: 80
-            weight: 50
-
-  appRevisions:
-    - revisionName: example-app-v1
-      placement:
-        - distribution:
-            replicas: 1
-
-    - revisionName: example-app-v2
-
-      placement:
-        - distribution:
-            replicas: 1

docs/examples/appdeployment/appdeployment-2.yaml

@@ -1,17 +0,0 @@
-apiVersion: core.oam.dev/v1beta1
-kind: AppDeployment
-metadata:
-  name: example-appdeploy
-spec:
-  appRevisions:
-    - revisionName: example-app-v1
-
-      placement:
-        - distribution:
-            replicas: 1
-
-    - revisionName: example-app-v2
-
-      placement:
-        - distribution:
-            replicas: 1

docs/examples/appdeployment/cluster.yaml

@@ -1,7 +0,0 @@
-apiVersion: core.oam.dev/v1beta1
-kind: Cluster
-metadata:
-  name: cluster-1
-spec:
-  kubeconfigSecretRef:
-    name: kubeconfig-cluster-1

docs/examples/appdeployment/gateway.yaml

@@ -1,14 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
-  name: example-app-gateway
-spec:
-  selector:
-    istio: ingressgateway # use istio default controller
-  servers:
-    - port:
-        number: 80
-        name: http
-        protocol: HTTP
-      hosts:
-        - "*"

docs/examples/deployment-rollout/README.md

@@ -1,36 +0,0 @@
-# Rollout Example
-Here is an example of how to rollout an application with a component of type deployment. 
-
-
-## Rollout steps
-1. Install deployment based workloadDefinition
-```shell
-kubectl apply -f docs/examples/deployment-rollout/webservice-definition.yaml
-```
-
-2. Apply an application 
-```shell
-kubectl apply -f docs/examples/deployment-rollout/app-source.yaml
-```
-
-3. Modify the application image and apply
-```shell
-kubectl apply -f docs/examples/deployment-rollout/app-target.yaml
-```
-4. Apply scale appRollout
-```shell
-kubectl apply -f docs/examples/deployment-rollout/app-rollout-scale.yaml
-```
-5. Apply the application deployment with pause
-```shell
-kubectl apply -f docs/examples/deployment-rollout/app-rollout-pause.yaml
-```
-Check the status of the ApplicationRollout and see the step by step rolling out.
-This rollout will pause after the second batch.
-
-6. Apply the application deployment that completes the rollout
-```shell
-kubectl apply -f docs/examples/deployment-rollout/app-rollout-finish.yaml
-```
-Check the status of the AppRollout and see the rollout completes, and the 
-AppRollout's "Rolling State" becomes `rolloutSucceed`

docs/examples/deployment-rollout/app-rollout-finish.yaml

@@ -1,17 +0,0 @@
-apiVersion: core.oam.dev/v1beta1
-kind: AppRollout
-metadata:
-  name: rolling-test
-spec:
-  # application (revision) reference
-  targetAppRevisionName: test-rolling-v2
-  sourceAppRevisionName: test-rolling-v1
-  # HPA reference (optional)
-  componentList:
-    - metrics-provider
-  rolloutPlan:
-    rolloutStrategy: "IncreaseFirst"
-    rolloutBatches:
-      - replicas: 10%
-      - replicas: 2
-      - replicas: 2

docs/examples/deployment-rollout/app-rollout-pause.yaml

@@ -1,18 +0,0 @@
-apiVersion: core.oam.dev/v1beta1
-kind: AppRollout
-metadata:
-  name: rolling-test
-spec:
-  # application (revision) reference
-  targetAppRevisionName: test-rolling-v2
-  sourceAppRevisionName: test-rolling-v1
-  # HPA reference (optional)
-  componentList:
-    - metrics-provider
-  rolloutPlan:
-    rolloutStrategy: "IncreaseFirst"
-    rolloutBatches:
-      - replicas: 10%
-      - replicas: 2
-      - replicas: 2
-    batchPartition: 1

docs/examples/deployment-rollout/app-rollout-scale.yaml

@@ -1,14 +0,0 @@
-apiVersion: core.oam.dev/v1beta1
-kind: AppRollout
-metadata:
-  name: rolling-test
-spec:
-  # application (revision) reference
-  targetAppRevisionName: test-rolling-v1
-  componentList:
-    - metrics-provider
-  rolloutPlan:
-    rolloutStrategy: "IncreaseFirst"
-    rolloutBatches:
-      - replicas: 5
-    targetSize: 5

docs/examples/deployment-rollout/app-source.yaml

@@ -1,16 +0,0 @@
-apiVersion: core.oam.dev/v1beta1
-kind: Application
-metadata:
-  name: test-rolling
-  annotations:
-    "app.oam.dev/rollout-template": "true"
-spec:
-  components:
-    - name: metrics-provider
-      type: webservice
-      properties:
-        cmd:
-          - ./podinfo
-          - stress-cpu=1
-        image: stefanprodan/podinfo:4.0.6
-        port: 8080