Fix: fix the typo error in vela top (#5983 )

[Backport release-1.8] Chore: add e2e ci env bootstrap & remove multlcluster legacy rollout ci #5926 (#5939 )
Fix: migrate CI to CNCF machines in release-x branch (#5952 )
2026-02-23 14:23:54 +00:00 · 2023-05-12 22:42:41 +08:00 · 2023-05-04 16:48:14 +08:00 · 2023-05-04 16:32:37 +08:00 · 2023-05-04 10:27:03 +08:00 · 2023-04-28 10:46:32 +08:00
689 changed files with 19308 additions and 49201 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -26,12 +26,14 @@ vela-templates/                     @Somefive @barnettZQG @wonderflow @FogDong
 # Owner of vela CLI
 references/cli/                     @Somefive @zzxwill @StevenLeiZhang @charlie0129 @chivalryq

-# Owner of vela APIServer
-pkg/apiserver/                     @barnettZQG @yangsoon @FogDong
-
 # Owner of vela addon framework
 pkg/addon/                         @wangyikewxgm @wonderflow @charlie0129

 # Owner of resource keeper and tracker
 pkg/resourcekeeper                 @Somefive @FogDong
 pkg/resourcetracker                @Somefive @FogDong
+
+.github/                           @chivalryq @wonderflow
+makefiles                          @chivalryq @wonderflow
+go.*                               @chivalryq @wonderflow
+
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,21 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "gomod" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "Chore: "
+      include: "scope"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "Chore: "
+      include: "scope"      
--- a/.github/workflows/apiserver-test.yml
+++ b/.github/workflows/apiserver-test.yml
@@ -1,196 +0,0 @@
-name: VelaUX APIServer Test
-
-on:
-  push:
-    branches:
-      - master
-      - release-*
-      - apiserver
-    tags:
-      - v*
-  workflow_dispatch: { }
-  pull_request:
-    branches:
-      - master
-      - release-*
-      - apiserver
-
-env:
-  # Common versions
-  GO_VERSION: '1.19'
-
-permissions:
-  contents: read
-
-jobs:
-
-  detect-noop:
-    runs-on: ubuntu-20.04
-    outputs:
-      noop: ${{ steps.noop.outputs.should_skip }}
-    steps:
-      - name: Detect No-op Changes
-        id: noop
-        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
-          do_not_skip: '["workflow_dispatch", "schedule", "push"]'
-        continue-on-error: true
-
-  apiserver-unit-tests:
-    runs-on: ubuntu-20.04
-    needs: detect-noop
-    if: needs.detect-noop.outputs.noop != 'true'
-
-    steps:
-      - name: Set up Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
-        with:
-          go-version: ${{ env.GO_VERSION }}
-        id: go
-
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
-        with:
-          submodules: true
-
-      - name: Cache Go Dependencies
-        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7
-        with:
-          path: .work/pkg
-          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-pkg-
-
-      - name: Install ginkgo
-        run: |
-          sudo apt-get install -y golang-ginkgo-dev
-
-      - name: Start MongoDB
-        uses: supercharge/mongodb-github-action@538a4d2a1041920c47630172445cb688592d6e51 # 1.8.0
-        with:
-          mongodb-version: '5.0'
-
-        # TODO need update action version to resolve node 12 deprecated.
-      - name: install Kubebuilder
-        uses: RyanSiu1995/kubebuilder-action@ff52bff1bae252239223476e5ab0d71d6ba02343
-        with:
-          version: 3.1.0
-          kubebuilderOnly: false
-          kubernetesVersion: v1.21.2
-
-      - name: Run api server unit test
-        run: make unit-test-apiserver
-
-      - name: Upload coverage report
-        uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          file: ./coverage.txt
-          flags: apiserver-unittests
-          name: codecov-umbrella
-
-  apiserver-e2e-tests:
-    runs-on: aliyun
-    needs: [ detect-noop ]
-    if: needs.detect-noop.outputs.noop != 'true'
-    strategy:
-      matrix:
-        k8s-version: ["v1.20","v1.24"]
-    concurrency:
-      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
-      cancel-in-progress: true
-
-    steps:
-      - name: Set up Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
-        with:
-          go-version: ${{ env.GO_VERSION }}
-        id: go
-
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
-        with:
-          submodules: true
-
-      - name: Get dependencies
-        run: |
-          go get -v -t -d ./...
-
-      - name: Tear down K3d if exist
-        run: |
-          k3d cluster delete || true
-          k3d cluster delete worker || true
-
-      - name: Calculate K3d args
-        run: |
-          EGRESS_ARG=""
-          if [[ "${{ matrix.k8s-version }}" == v1.24 ]]; then
-            EGRESS_ARG="--k3s-arg --egress-selector-mode=disabled@server:0"
-          fi
-          echo "EGRESS_ARG=${EGRESS_ARG}" >> $GITHUB_ENV 
-
-      - name: Setup K3d (Hub)
-        uses: nolar/setup-k3d-k3s@293b8e5822a20bc0d5bcdd4826f1a665e72aba96
-        with:
-          version: ${{ matrix.k8s-version }}
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          k3d-args: ${{ env.EGRESS_ARG }}
-
-
-      - name: Setup K3d (Worker)
-        uses: nolar/setup-k3d-k3s@293b8e5822a20bc0d5bcdd4826f1a665e72aba96
-        with:
-          version: ${{ matrix.k8s-version }}
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          k3d-name: worker
-          k3d-args: --kubeconfig-update-default=false --network=k3d-k3s-default ${{ env.EGRESS_ARG }}
-
-
-      - name: Kind Cluster (Worker)
-        run: |
-          internal_ip=$(docker network inspect k3d-k3s-default|jq ".[0].Containers"| jq -r '.[]| select(.Name=="k3d-worker-server-0")|.IPv4Address' | cut -d/ -f1)
-          k3d kubeconfig get worker > /tmp/worker.client.kubeconfig
-          cp /tmp/worker.client.kubeconfig /tmp/worker.kubeconfig
-          sed -i "s/0.0.0.0:[0-9]\+/$internal_ip:6443/"  /tmp/worker.kubeconfig
-
-      - name: Load image to k3d cluster
-        run: make image-load
-
-      - name: Cleanup for e2e tests
-        run: |
-          make vela-cli
-          make e2e-cleanup
-          make e2e-setup-core
-          bin/vela addon enable fluxcd
-          bin/vela addon enable vela-workflow --override-definitions
-          timeout 600s bash -c -- 'while true; do kubectl get ns flux-system; if [ $? -eq 0 ] ; then break; else sleep 5; fi;done'
-          kubectl wait --for=condition=Ready pod -l app.kubernetes.io/name=vela-core,app.kubernetes.io/instance=kubevela -n vela-system --timeout=600s
-          kubectl wait --for=condition=Ready pod -l app=source-controller -n flux-system --timeout=600s
-          kubectl wait --for=condition=Ready pod -l app=helm-controller -n flux-system --timeout=600s
-          kubectl wait --for=condition=Ready pod -l app.kubernetes.io/name=vela-workflow -n vela-system --timeout=600s
-
-      - name: Run api server e2e test
-        run: |
-          export ALIYUN_ACCESS_KEY_ID=${{ secrets.ALIYUN_ACCESS_KEY_ID }}
-          export ALIYUN_ACCESS_KEY_SECRET=${{ secrets.ALIYUN_ACCESS_KEY_SECRET }}
-          export GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
-          make e2e-apiserver-test
-
-      - name: Stop kubevela, get profile
-        run: make end-e2e-core
-
-      - name: Upload coverage report
-        uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: /tmp/e2e_apiserver_test.out
-          flags: apiserver-e2etests
-          name: codecov-umbrella
-
-      - name: Clean e2e profile
-        run: rm /tmp/e2e-profile.out
-
-      - name: Cleanup image
-        if: ${{ always() }}
-        run: make image-cleanup
--- a/.github/workflows/back-port.yml
+++ b/.github/workflows/back-port.yml
@@ -17,12 +17,12 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
        with:
          fetch-depth: 0

      - name: Open Backport PR
-        uses: zeebe-io/backport-action@2ee900dc92632adf994f8e437b6d16840fd61f58
+        uses: zeebe-io/backport-action@a759fd2d7d3314c9bb57d97a0350a12e878d3c7a
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          github_workspace: ${{ github.workspace }}
--- a/.github/workflows/chart.yml
+++ b/.github/workflows/chart.yml
@@ -31,7 +31,7 @@ jobs:
      VELA_ROLLOUT_HELM_CHART_NAME: vela-rollout
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
      - name: Get git revision
        id: vars
        shell: bash
@@ -42,7 +42,7 @@ jobs:
        with:
          version: v3.4.0
      - name: Setup node
-        uses: actions/setup-node@8c91899e586c5b171469028077307d293428b516
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
        with:
          node-version: '14'
      - name: Generate helm doc
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -23,7 +23,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f

      - name: Initialize CodeQL
        uses: github/codeql-action/init@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
--- a/.github/workflows/commit-lint.yml
+++ b/.github/workflows/commit-lint.yml
@@ -15,7 +15,7 @@ jobs:
  check:
    runs-on: ubuntu-latest
    steps:
-      - uses: thehanimo/pr-title-checker@v1.3.5
+      - uses: thehanimo/pr-title-checker@v1.3.7
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          pass_on_octokit_error: true
--- a/.github/workflows/core-api-test.yml
+++ b/.github/workflows/core-api-test.yml
@@ -17,7 +17,7 @@ jobs:
    runs-on: ubuntu-20.04
    steps:
      - name: Set up Go 1.19
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
        env:
          GO_VERSION: '1.19'
        with:
@@ -25,7 +25,7 @@ jobs:
        id: go

      - name: Check out code into the Go module directory
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f

      - name: Get the version
        id: get_version
--- a/.github/workflows/definition-lint.yml
+++ b/.github/workflows/definition-lint.yml
@@ -23,12 +23,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Checkout
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
        with:
          submodules: true

@@ -43,5 +43,5 @@ jobs:
          go build -o docgen hack/docgen/def/gen.go
          ./docgen --type=comp --force-example-doc --path=./comp-def-check.md
          ./docgen --type=trait --force-example-doc --path=./trait-def-check.md
-          ./docgen --type=wf --force-example-doc --path=./wf-def-check.md
+          ./docgen --type=wf --force-example-doc --path=./wf-def-check.md --def-dir=./vela-templates/definitions/internal/workflowstep/
          ./docgen --type=policy --force-example-doc --path=./policy-def-check.md
--- a/.github/workflows/e2e-multicluster-test.yml
+++ b/.github/workflows/e2e-multicluster-test.yml
@@ -39,7 +39,7 @@ jobs:
        continue-on-error: true

  e2e-multi-cluster-tests:
-    runs-on: aliyun
+    runs-on: self-hosted
    needs: [ detect-noop ]
    if: needs.detect-noop.outputs.noop != 'true'
    strategy:
@@ -49,13 +49,20 @@ jobs:
      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
      cancel-in-progress: true

-
    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
+
+      - name: Install tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install make gcc jq ca-certificates curl gnupg -y
+          snap install docker
+          snap install kubectl --classic
+          snap install helm --classic

      - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
        with:
          go-version: ${{ env.GO_VERSION }}

@@ -114,7 +121,8 @@ jobs:
          make e2e-multicluster-test

      - name: Stop kubevela, get profile
-        run: make end-e2e-core
+        run: |
+          make end-e2e-core-shards

      - name: Upload coverage report
        uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70
--- a/.github/workflows/e2e-rollout-test.yml
+++ b/.github/workflows/e2e-rollout-test.yml
@@ -39,7 +39,7 @@ jobs:
        continue-on-error: true

  e2e-rollout-tests:
-    runs-on: aliyun
+    runs-on: self-hosted
    needs: [ detect-noop ]
    if: needs.detect-noop.outputs.noop != 'true'
    strategy:
@@ -52,16 +52,18 @@ jobs:

    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f

      - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Get dependencies
        run: |
          go get -v -t -d ./...
+          go install github.com/onsi/ginkgo/ginkgo
+          go get github.com/onsi/gomega/...

      - name: Tear down K3d if exist
        run: |
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@@ -39,7 +39,7 @@ jobs:
        continue-on-error: true

  e2e-tests:
-    runs-on: aliyun
+    runs-on: self-hosted
    needs: [ detect-noop ]
    if: needs.detect-noop.outputs.noop != 'true'
    strategy:
@@ -52,16 +52,26 @@ jobs:

    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
+
+      - name: Install tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install make gcc jq ca-certificates curl gnupg -y
+          snap install docker
+          snap install kubectl --classic
+          snap install helm --classic

      - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Get dependencies
        run: |
          go get -v -t -d ./...
+          go install github.com/onsi/ginkgo/ginkgo
+          go get github.com/onsi/gomega/...

      - name: Tear down K3d if exist
        run: |
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -44,12 +44,12 @@ jobs:

    steps:
      - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Checkout
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
        with:
          submodules: true

@@ -69,12 +69,12 @@ jobs:

    steps:
      - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Checkout
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
        with:
          submodules: true

@@ -83,33 +83,33 @@ jobs:
      # version, but we prefer this action because it leaves 'annotations' (i.e.
      # it comments on PRs to point out linter violations).
      - name: Lint
-        uses: golangci/golangci-lint-action@07db5389c99593f11ad7b44463c2d4233066a9b1 # v3.3.0
+        uses: golangci/golangci-lint-action@08e2f20817b15149a52b5b3ebe7de50aff2ba8c5 # v3.4.0
        with:
          version: ${{ env.GOLANGCI_VERSION }}

  check-diff:
-    runs-on: aliyun
+    runs-on: self-hosted
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'

    steps:
      - name: Checkout
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
        with:
          submodules: true

      - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Setup node
-        uses: actions/setup-node@8c91899e586c5b171469028077307d293428b516
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
        with:
          node-version: '14'

      - name: Cache Go Dependencies
-        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
        with:
          path: .work/pkg
          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
@@ -133,17 +133,17 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
        with:
          submodules: true

      - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Cache Go Dependencies
-        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
        with:
          path: .work/pkg
          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
@@ -164,55 +164,35 @@ jobs:
    if: needs.detect-noop.outputs.noop != 'true'
    steps:
      - name: Checkout
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
        with:
          submodules: true
      - name: Set up QEMU
        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1
+        uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
      - name: Build Test for vela core
-        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0
+        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
        with:
          context: .
          file: Dockerfile
          platforms: linux/amd64,linux/arm64

-  check-apiserver-image-build:
-    runs-on: ubuntu-latest
-    needs: detect-noop
-    if: needs.detect-noop.outputs.noop != 'true'
-    steps:
-      - name: Checkout
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
-        with:
-          submodules: true
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1
-      - name: Build Test for apiserver
-        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0
-        with:
-          context: .
-          file: Dockerfile.apiserver
-          platforms: linux/amd64,linux/arm64
-
  check-cli-image-build:
    runs-on: ubuntu-latest
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'
    steps:
      - name: Checkout
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
        with:
          submodules: true
      - name: Set up QEMU
        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1
+        uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
      - name: Build Test for CLI
-        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0
+        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
        with:
          context: .
          file: Dockerfile.cli
--- a/.github/workflows/issue-commands.yml
+++ b/.github/workflows/issue-commands.yml
@@ -13,13 +13,13 @@ jobs:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout Actions
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
        with:
          repository: "oam-dev/kubevela-github-actions"
          path: ./actions
          ref: v0.4.2
      - name: Setup Node.js
-        uses: actions/setup-node@8c91899e586c5b171469028077307d293428b516
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
        with:
          node-version: '14'
          cache: 'npm'
@@ -36,8 +36,9 @@ jobs:
    runs-on: ubuntu-22.04
    if: github.event.issue.pull_request && contains(github.event.comment.body, '/backport')
    permissions:
-      issues: write
+      contents: write
      pull-requests: write
+      issues: write
    steps:
      - name: Extract Command
        id: command
@@ -50,7 +51,7 @@ jobs:
          allow-edits: "false"
          permission-level: read
      - name: Handle Command
-        uses: actions/github-script@d556feaca394842dc55e4734bf3bb9f685482fa0
+        uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
        env:
          VERSION: ${{ steps.command.outputs.command-arguments }}
        with:
@@ -62,7 +63,7 @@ jobs:
              label = "backport " + version
            }
            // Add our backport label.
-            github.issues.addLabels({
+            github.rest.issues.addLabels({
              // Every pull request is an issue, but not every issue is a pull request.
              issue_number: context.issue.number,
              owner: context.repo.owner,
@@ -71,11 +72,11 @@ jobs:
            })
            console.log("Added '" + label + "' label.")
      - name: Checkout
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
        with:
          fetch-depth: 0
      - name: Open Backport PR
-        uses: zeebe-io/backport-action@2ee900dc92632adf994f8e437b6d16840fd61f58
+        uses: zeebe-io/backport-action@a759fd2d7d3314c9bb57d97a0350a12e878d3c7a
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          github_workspace: ${{ github.workspace }}
--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@@ -18,7 +18,7 @@ jobs:
    runs-on: ubuntu-latest
    name: Check for unapproved licenses
    steps:
-      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
      - name: Set up Ruby
        uses: ruby/setup-ruby@v1
        with:
--- a/.github/workflows/registry.yml
+++ b/.github/workflows/registry.yml
@@ -20,7 +20,7 @@ jobs:
      packages: write
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
      - name: Get the version
        id: get_version
        run: |
@@ -53,11 +53,11 @@ jobs:
          username: ${{ secrets.ACR_USERNAME }}
          password: ${{ secrets.ACR_PASSWORD }}
      - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
-      - uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1
+      - uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
        with:
          driver-opts: image=moby/buildkit:master

-      - uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0
+      - uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
        name: Build & Pushing vela-core for Dockerhub, GHCR and ACR
        with:
          context: .
@@ -76,7 +76,7 @@ jobs:
            ghcr.io/${{ github.repository_owner }}/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
            ${{ secrets.ACR_DOMAIN }}/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}

-      - uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0
+      - uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
        name: Build & Pushing CLI for Dockerhub, GHCR and ACR
        with:
          context: .
@@ -100,7 +100,7 @@ jobs:
      packages: write
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
      - name: Get the version
        id: get_version
        run: |
@@ -133,30 +133,11 @@ jobs:
          username: ${{ secrets.ACR_USERNAME }}
          password: ${{ secrets.ACR_PASSWORD }}
      - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
-      - uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1
+      - uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
        with:
          driver-opts: image=moby/buildkit:master

-      - uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0
-        name: Build & Pushing vela-apiserver for Dockerhub, GHCR and ACR
-        with:
-          context: .
-          file: Dockerfile.apiserver
-          labels: |-
-            org.opencontainers.image.source=https://github.com/${{ github.repository }}
-            org.opencontainers.image.revision=${{ github.sha }}
-          platforms: linux/amd64,linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
-          build-args: |
-            GITVERSION=git-${{ steps.vars.outputs.git_revision }}
-            VERSION=${{ steps.get_version.outputs.VERSION }}
-            GOPROXY=https://proxy.golang.org
-          tags: |-
-            docker.io/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
-            ghcr.io/${{ github.repository_owner }}/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
-            ${{ secrets.ACR_DOMAIN }}/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
-
-      - uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0
+      - uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
        name: Build & Pushing runtime rollout Dockerhub, GHCR and ACR
        with:
          context: .
@@ -182,7 +163,7 @@ jobs:
      CAPABILITY_ENDPOINT: oss-cn-beijing.aliyuncs.com
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
      - name: Install ossutil
        run: wget http://gosspublic.alicdn.com/ossutil/1.7.0/ossutil64 && chmod +x ossutil64 && mv ossutil64 ossutil
      - name: Configure Alibaba Cloud OSSUTIL
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,7 +7,6 @@ on:
  workflow_dispatch: { }

 env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  BUCKET: ${{ secrets.CLI_OSS_BUCKET }}
  ENDPOINT: ${{ secrets.CLI_OSS_ENDPOINT }}
  ACCESS_KEY: ${{ secrets.CLI_OSS_ACCESS_KEY }}
@@ -28,107 +27,38 @@ jobs:
      repository-projects: read
      statuses: read
    runs-on: ubuntu-latest
-    name: build
-    strategy:
-      matrix:
-        TARGETS: [ linux/amd64, darwin/amd64, windows/amd64, linux/arm64, darwin/arm64 ]
-    env:
-      VELA_VERSION_KEY: github.com/oam-dev/kubevela/version.VelaVersion
-      VELA_GITVERSION_KEY: github.com/oam-dev/kubevela/version.GitRevision
-      GO_BUILD_ENV: GO111MODULE=on CGO_ENABLED=0
-      DIST_DIRS: find * -type d -exec
+    name: goreleaser
    steps:
      - name: Checkout
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
+        with:
+          fetch-depth: 0
+      - run: git fetch --force --tags
      - name: Set up Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
        with:
          go-version: 1.19
-      - name: Get release
-        id: get_release
-        uses: bruceadams/get-release@74c3d60f5a28f358ccf241a00c9021ea16f0569f # v1.3.2
+          cache: true
+      - uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
+        with:
+          distribution: goreleaser
+          version: 1.14.1
+          args: release --rm-dist --timeout 60m
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      # Since goreleaser haven't supported aliyun OSS, we need to upload the release manually
      - name: Get version
        run: echo "VELA_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
-      - name: Get matrix
-        id: get_matrix
-        run: |
-          TARGETS=${{matrix.TARGETS}}
-          echo "OS=${TARGETS%/*}" >> $GITHUB_OUTPUT
-          echo "ARCH=${TARGETS#*/}" >> $GITHUB_OUTPUT
-      - name: Get ldflags
-        id: get_ldflags
-        run: |
-          LDFLAGS="-s -w -X ${{ env.VELA_VERSION_KEY }}=${{ env.VELA_VERSION }} -X ${{ env.VELA_GITVERSION_KEY }}=git-$(git rev-parse --short HEAD)"
-          echo "LDFLAGS=${LDFLAGS}" >> $GITHUB_ENV
-      - name: Build
-        run: |
-          ${{ env.GO_BUILD_ENV }} GOOS=${{ steps.get_matrix.outputs.OS }} GOARCH=${{ steps.get_matrix.outputs.ARCH }} \
-            go build -ldflags "${{ env.LDFLAGS }}" \
-            -o _bin/vela/${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}/vela -v \
-            ./references/cmd/cli/main.go
-          ${{ env.GO_BUILD_ENV }} GOOS=${{ steps.get_matrix.outputs.OS }} GOARCH=${{ steps.get_matrix.outputs.ARCH }} \
-            go build -ldflags "${{ env.LDFLAGS }}" \
-            -o _bin/kubectl-vela/${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}/kubectl-vela -v \
-            ./cmd/plugin/main.go
-      - name: Compress
-        run: |
-          echo "\n## Release Info\nVERSION: ${{ env.VELA_VERSION }}" >> README.md && \
-          echo "GIT_COMMIT: ${GITHUB_SHA}\n" >> README.md && \
-          cd _bin/vela && \
-          ${{ env.DIST_DIRS }} cp ../../LICENSE {} \; && \
-          ${{ env.DIST_DIRS }} cp ../../README.md {} \; && \
-          ${{ env.DIST_DIRS }} tar -zcf vela-{}.tar.gz {} \; && \
-          ${{ env.DIST_DIRS }} zip -r vela-{}.zip {} \; && \
-          cd ../kubectl-vela && \
-          ${{ env.DIST_DIRS }} cp ../../LICENSE {} \; && \
-          ${{ env.DIST_DIRS }} cp ../../README.md {} \; && \
-          ${{ env.DIST_DIRS }} tar -zcf kubectl-vela-{}.tar.gz {} \; && \
-          ${{ env.DIST_DIRS }} zip -r kubectl-vela-{}.zip {} \; && \
-          cd .. && \
-          sha256sum vela/vela-* kubectl-vela/kubectl-vela-* >> sha256-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.txt \
-      - name: Upload Vela tar.gz
-        uses: kubevela/vela-upload-release-asset@9b3858e67d3205e056d6220e5972abb32fc47289 # v1.0.0
-        with:
-          release_id: ${{ steps.get_release.outputs.id }}
-          asset_path: ./_bin/vela/vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz
-          asset_name: vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz
-      - name: Upload Vela zip
-        uses: kubevela/vela-upload-release-asset@9b3858e67d3205e056d6220e5972abb32fc47289 # v1.0.0
-        with:
-          release_id: ${{ steps.get_release.outputs.id }}
-          asset_path: ./_bin/vela/vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip
-          asset_name: vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip
-      - name: Upload Kubectl-Vela tar.gz
-        uses: kubevela/vela-upload-release-asset@9b3858e67d3205e056d6220e5972abb32fc47289 # v1.0.0
-        with:
-          release_id: ${{ steps.get_release.outputs.id }}
-          asset_path: ./_bin/kubectl-vela/kubectl-vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz
-          asset_name: kubectl-vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz
-      - name: Upload Kubectl-Vela zip
-        uses: kubevela/vela-upload-release-asset@9b3858e67d3205e056d6220e5972abb32fc47289 # v1.0.0
-        with:
-          release_id: ${{ steps.get_release.outputs.id }}
-          asset_path: ./_bin/kubectl-vela/kubectl-vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip
-          asset_name: kubectl-vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip
-      - name: Post sha256
-        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
-        with:
-          name: sha256sums
-          path: ./_bin/sha256-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.txt
-          retention-days: 1
-      - name: clear the asset
-        run: |
-          rm -rf ./_bin/vela/${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}
-          mv ./_bin/vela/vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz ./_bin/vela/vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz
-          mv ./_bin/vela/vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip ./_bin/vela/vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip
      - name: Install ossutil
        run: wget http://gosspublic.alicdn.com/ossutil/1.7.0/ossutil64 && chmod +x ossutil64 && mv ossutil64 ossutil
      - name: Configure Alibaba Cloud OSSUTIL
-        run: ./ossutil --config-file .ossutilconfig config -i ${ACCESS_KEY} -k ${ACCESS_KEY_SECRET} -e ${ENDPOINT} -c .ossutilconfig
+        run: ./ossutil --config-file .ossutilconfig config -i ${ACCESS_KEY} -k ${ACCESS_KEY_SECRET} -e ${ENDPOINT}
+      - name: split files to be upload
+        run: mkdir -p ./dist/files_upload && mv ./dist/*.tar.gz ./dist/files_upload && mv ./dist/*.zip ./dist/files_upload
      - name: sync local to cloud
-        run: ./ossutil --config-file .ossutilconfig sync ./_bin/vela oss://$BUCKET/binary/vela/${{ env.VELA_VERSION }}
+        run: ./ossutil --config-file .ossutilconfig sync ./dist/files_upload oss://$BUCKET/binary/vela/${{ env.VELA_VERSION }}
      - name: sync the latest version file
-        if: ${{ !contains(env.VELA_VERSION,'alpha') && !contains(env.VELA_VERSION,'beta') }}
+        if: ${{ !contains(env.VELA_VERSION,'alpha') && !contains(env.VELA_VERSION,'beta') && !contains(env.VELA_VERSION,'rc') }}
        run: |
          LATEST_VERSION=$(curl -fsSl https://static.kubevela.net/binary/vela/latest_version)
          verlte() {
@@ -137,7 +67,6 @@ jobs:
          verlte ${{ env.VELA_VERSION }} $LATEST_VERSION && echo "${{ env.VELA_VERSION }} <= $LATEST_VERSION, skip update" && exit 0
          echo ${{ env.VELA_VERSION }} > ./latest_version
          ./ossutil --config-file .ossutilconfig cp -u ./latest_version oss://$BUCKET/binary/vela/latest_version
-
  upload-plugin-homebrew:
    permissions:
      contents: write
@@ -150,42 +79,15 @@ jobs:
      statuses: read
    needs: build
    runs-on: ubuntu-latest
+    if: ${{ !contains(github.ref, 'alpha') && !contains(github.ref, 'beta') && !contains(github.ref, 'rc') }}
    name: upload-sha256sums
    steps:
      - name: Checkout
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
-      - name: Get release
-        id: get_release
-        uses: bruceadams/get-release@74c3d60f5a28f358ccf241a00c9021ea16f0569f # v1.3.2
-      - name: Download sha256sums
-        uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1
-        with:
-          name: sha256sums
-          path: cli-artifacts
-      - name: Display structure of downloaded files
-        run: ls -R
-        working-directory: cli-artifacts
-      - name: Get version
-        run: echo "VELA_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
-      - shell: bash
-        working-directory: cli-artifacts
-        run: |
-          for file in *
-          do
-            sed -i "s/\/vela/-${{ env.VELA_VERSION }}/g" ${file}
-            sed -i "s/\/kubectl-vela/-${{ env.VELA_VERSION }}/g" ${file}
-            cat ${file} >> sha256sums.txt
-          done
-      - name: Upload Checksums
-        uses: kubevela/vela-upload-release-asset@9b3858e67d3205e056d6220e5972abb32fc47289 # v1.0.0
-        with:
-          release_id: ${{ steps.get_release.outputs.id }}
-          asset_path: cli-artifacts/sha256sums.txt
-          asset_name: sha256sums.txt
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
      - name: Update kubectl plugin version in krew-index
-        uses: rajatjindal/krew-release-bot@3320c0b546b5d2320613c46762bd3f73e2801bdc # v0.0.38
+        uses: rajatjindal/krew-release-bot@92da038bbf995803124a8e50ebd438b2f37bbbb0 # v0.0.43
      - name: Update Homebrew formula
-        uses: dawidd6/action-homebrew-bump-formula@02e79d9da43d79efa846d73695b6052cbbdbf48a # v3.8.3
+        uses: dawidd6/action-homebrew-bump-formula@e9b43cd30eec6ea80777e7e22e1526beb1675c18 # v3.9.0
        with:
          token: ${{ secrets.HOMEBREW_TOKEN }}
          formula: kubevela
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -23,12 +23,12 @@ jobs:

    steps:
      - name: "Checkout code"
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
        with:
          persist-credentials: false

      - name: "Run analysis"
-        uses: ossf/scorecard-action@937ffa90d79c7d720498178154ad4c7ba1e4ad8c # tag=v2.1.0
+        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # tag=v2.1.2
        with:
          results_file: results.sarif
          results_format: sarif
@@ -47,7 +47,7 @@ jobs:
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
-        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: SARIF file
          path: results.sarif
--- a/.github/workflows/sdk-test.yml
+++ b/.github/workflows/sdk-test.yml
@@ -0,0 +1,51 @@
+name: SDK Test
+
+on:
+  push:
+    tags:
+      - v*
+  workflow_dispatch: {}
+  pull_request:
+    paths:
+      - "vela-templates/definitions/**"
+      - "pkg/definition/gen_sdk/**"
+    branches:
+      - master
+      - release-*
+
+permissions:
+  contents: read
+
+env:
+  # Common versions
+  GO_VERSION: '1.19'
+  GOLANGCI_VERSION: 'v1.49'
+
+jobs:
+  sdk-tests:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
+
+      - name: Setup Go
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Install Go tools
+        run: |
+          make goimports
+          make golangci
+
+      - name: Build CLI
+        run: make vela-cli
+
+      - name: Build SDK
+        run: bin/vela def gen-api -f vela-templates/definitions/internal/ -o ./kubevela-go-sdk --package=github.com/kubevela-contrib/kubevela-go-sdk --init
+
+      - name: Validate SDK
+        run: |
+          cd kubevela-go-sdk
+          go mod tidy
+          golangci-lint run --timeout 5m -e "exported:" -e "dot-imports" ./...
--- a/.github/workflows/sync-api.yml
+++ b/.github/workflows/sync-api.yml
@@ -18,12 +18,12 @@ jobs:
    runs-on: ubuntu-20.04
    steps:
      - name: Set up Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Check out code into the Go module directory
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f

      - name: Get the version
        id: get_version
--- a/.github/workflows/sync-sdk.yaml
+++ b/.github/workflows/sync-sdk.yaml
@@ -0,0 +1,52 @@
+name: Sync SDK
+
+on:
+  push:
+    paths:
+      - vela-templates/definitions/internal/**
+      - pkg/definition/gen_sdk/**
+      - .github/workflows/sync-sdk.yaml
+    tags:
+      - "v*"
+    branches:
+      - master
+      - release-*
+permissions:
+  contents: read
+
+env:
+  GO_VERSION: '1.19'
+
+jobs:
+  sync_sdk:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Set up Go
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
+
+      - name: Get the version
+        id: get_version
+        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+
+      - name: Get dependencies
+        run: |
+          go get -v -t -d ./...
+
+      - name: Install Go tools
+        run: |
+          make goimports
+          
+      - name: Build CLI
+        run: make vela-cli
+
+      - name: Sync SDK to kubevela/kubevela-go-sdk
+        run: bash ./hack/sdk/sync.sh
+        env:
+          SSH_DEPLOY_KEY: ${{ secrets.GO_SDK_DEPLOY_KEY }}
+          VERSION: ${{ steps.get_version.outputs.VERSION }}
+          COMMIT_ID: ${{ github.sha }}
--- a/.github/workflows/timed-task.yml
+++ b/.github/workflows/timed-task.yml
@@ -8,7 +8,7 @@ permissions:

 jobs:
  clean-image:
-    runs-on: aliyun
+    runs-on: self-hosted
    steps:
      - name: Cleanup image
        run: docker image prune -f
--- a/.github/workflows/trivy-scan.yml
+++ b/.github/workflows/trivy-scan.yml
@@ -13,7 +13,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f

      - name: Build Vela Core image from Dockerfile
        run: |
--- a/.github/workflows/unit-test.yml
+++ b/.github/workflows/unit-test.yml
@@ -43,17 +43,17 @@ jobs:

    steps:
      - name: Set up Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Check out code into the Go module directory
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
        with:
          submodules: true

      - name: Cache Go Dependencies
-        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
        with:
          path: .work/pkg
          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
@@ -61,6 +61,8 @@ jobs:

      - name: Install ginkgo
        run: |
+          sudo sed -i 's/azure\.//' /etc/apt/sources.list
+          sudo apt-get update
          sudo apt-get install -y golang-ginkgo-dev

      - name: Setup K3d
--- a/.gitignore
+++ b/.gitignore
@@ -53,3 +53,5 @@ git-page/
 # e2e rollout runtime image build
 runtime/rollout/e2e/tmp
 vela.json
+
+dist/
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -0,0 +1,76 @@
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+builds:
+  - id: vela-cli
+    binary: vela
+    goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    main: ./references/cmd/cli/main.go
+    ldflags:
+      - -s -w -X github.com/oam-dev/kubevela/version.VelaVersion={{ .Version }} -X github.com/oam-dev/kubevela/version.GitRevision=git-{{.ShortCommit}}
+    env:
+      - CGO_ENABLED=0
+
+  - id: kubectl-vela
+    binary: kubectl-vela
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    main: ./cmd/plugin/main.go
+    ldflags:
+      - -s -w -X github.com/oam-dev/kubevela/version.VelaVersion={{ .Version }} -X github.com/oam-dev/kubevela/version.GitRevision=git-{{.ShortCommit}}
+
+archives:
+  - format: tar.gz
+    id: vela-cli-tgz
+    wrap_in_directory: '{{ .Os }}-{{ .Arch }}'
+    builds:
+      - vela-cli
+    name_template: '{{ trimsuffix .ArtifactName ".exe" }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}'
+    files: [ LICENSE, README.md ]
+  - format: zip
+    id: vela-cli-zip
+    builds:
+      - vela-cli
+    wrap_in_directory: '{{ .Os }}-{{ .Arch }}'
+    name_template: '{{ trimsuffix .ArtifactName ".exe" }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}'
+    files: [ LICENSE, README.md ]
+  - format: tar.gz
+    id: plugin-tgz
+    builds:
+      - kubectl-vela
+    wrap_in_directory: '{{ .Os }}-{{ .Arch }}'
+    name_template: '{{ trimsuffix .ArtifactName ".exe" }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}'
+    files: [ LICENSE, README.md ]
+  - format: zip
+    id: plugin-zip
+    builds:
+      - kubectl-vela
+    wrap_in_directory: '{{ .Os }}-{{ .Arch }}'
+    name_template: '{{ trimsuffix .ArtifactName ".exe" }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}'
+    files: [ LICENSE, README.md ]
+
+checksum:
+  name_template: 'sha256sums.txt'
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - '^docs:'
+      - '^test:'
+
+# The lines beneath this are called `modelines`. See `:help modeline`
+# Feel free to remove those if you don't want/use them.
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj
--- a/.krew.yaml
+++ b/.krew.yaml
@@ -33,8 +33,8 @@ spec:
        arch: amd64
    {{addURIAndSha "https://github.com/oam-dev/kubevela/releases/download/{{ .TagName }}/kubectl-vela-{{ .TagName }}-windows-amd64.zip" .TagName }}
    files:
-    - from: "*/kubectl-vela"
-      to: "kubectl-vela.exe"
+    - from: "*/kubectl-vela.exe"
+      to: "."
    - from: "*/LICENSE"
      to: "."
    bin: "kubectl-vela.exe"
--- a/4
+++ b/4
@@ -1,6 +1,6 @@
 ARG BASE_IMAGE
 # Build the manager binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine@sha256:a9b24b67dc83b3383d22a14941c2b2b2ca6a103d805cac6820fd1355943beaf1 as builder
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine@sha256:2381c1e5f8350a901597d633b2e517775eeac7a6682be39225a93b22cfd0f8bb as builder

 WORKDIR /workspace
 # Copy the Go Modules manifests
@@ -34,7 +34,7 @@ RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
 # You can replace distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 # Overwrite `BASE_IMAGE` by passing `--build-arg=BASE_IMAGE=gcr.io/distroless/static:nonroot`
-FROM ${BASE_IMAGE:-alpine:3.15@sha256:cf34c62ee8eb3fe8aa24c1fab45d7e9d12768d945c3f5a6fd6a63d901e898479}
+FROM ${BASE_IMAGE:-alpine@sha256:e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501}
 # This is required by daemon connecting with cri
 RUN apk add --no-cache ca-certificates bash expat

--- a/Dockerfile.apiserver
+++ b/Dockerfile.apiserver
@@ -1,48 +0,0 @@
-ARG BASE_IMAGE
-# Build the manager binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine@sha256:a9b24b67dc83b3383d22a14941c2b2b2ca6a103d805cac6820fd1355943beaf1 as builder
-ARG GOPROXY
-ENV GOPROXY=${GOPROXY:-https://goproxy.cn}
-WORKDIR /workspace
-# Copy the Go Modules manifests
-COPY go.mod go.mod
-COPY go.sum go.sum
-# cache deps before building and copying source so that we don't need to re-download as much
-# and so that source changes don't invalidate our downloaded layer
-RUN go mod download
-
-# Copy the go source for building apiserver
-COPY cmd/apiserver/ cmd/apiserver/
-COPY apis/ apis/
-COPY pkg/ pkg/
-COPY version/ version/
-COPY references/ references/
-
-# Build
-ARG TARGETARCH
-ARG VERSION
-ARG GITVERSION
-
-RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
-    go build -a -ldflags "-s -w -X github.com/oam-dev/kubevela/version.VelaVersion=${VERSION:-undefined} -X github.com/oam-dev/kubevela/version.GitRevision=${GITVERSION:-undefined}" \
-    -o apiserver-${TARGETARCH} cmd/apiserver/main.go
-
-# Use alpine as base image due to the discussion in issue #1448
-# You can replace distroless as minimal base image to package the manager binary
-# Refer to https://github.com/GoogleContainerTools/distroless for more details
-# Overwrite `BASE_IMAGE` by passing `--build-arg=BASE_IMAGE=gcr.io/distroless/static:nonroot`
-
-FROM ${BASE_IMAGE:-alpine:3.15@sha256:cf34c62ee8eb3fe8aa24c1fab45d7e9d12768d945c3f5a6fd6a63d901e898479}
-# This is required by daemon connecting with cri
-RUN apk add --no-cache ca-certificates bash expat
-
-WORKDIR /
-
-ARG TARGETARCH
-COPY --from=builder /workspace/apiserver-${TARGETARCH} /usr/local/bin/apiserver
-
-COPY entrypoint.sh /usr/local/bin/
-
-ENTRYPOINT ["entrypoint.sh"]
-
-CMD ["apiserver"]
--- a/Dockerfile.cli
+++ b/Dockerfile.cli
@@ -1,6 +1,6 @@
 ARG BASE_IMAGE
 # Build the cli binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine@sha256:a9b24b67dc83b3383d22a14941c2b2b2ca6a103d805cac6820fd1355943beaf1 as builder
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine@sha256:2381c1e5f8350a901597d633b2e517775eeac7a6682be39225a93b22cfd0f8bb as builder
 ARG GOPROXY
 ENV GOPROXY=${GOPROXY:-https://goproxy.cn}
 WORKDIR /workspace
--- a/Dockerfile.e2e
+++ b/Dockerfile.e2e
@@ -1,6 +1,6 @@
 ARG BASE_IMAGE
 # Build the manager binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine@sha256:a9b24b67dc83b3383d22a14941c2b2b2ca6a103d805cac6820fd1355943beaf1 as builder
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine@sha256:2381c1e5f8350a901597d633b2e517775eeac7a6682be39225a93b22cfd0f8bb as builder

 WORKDIR /workspace
 # Copy the Go Modules manifests
@@ -13,7 +13,6 @@ RUN go mod download
 # Copy the go source
 COPY cmd/core/main.go main.go
 COPY cmd/core/main_e2e_test.go main_e2e_test.go
-COPY cmd/apiserver/main.go cmd/apiserver/main.go
 COPY cmd/ cmd/
 COPY apis/ apis/
 COPY pkg/ pkg/
@@ -29,10 +28,6 @@ RUN  apk add gcc musl-dev libc-dev ;\
    GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
    go test -c -o manager-${TARGETARCH}  -cover -covermode=atomic -coverpkg ./... .

-RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
-    go build -a -ldflags "-s -w -X github.com/oam-dev/kubevela/version.VelaVersion=${VERSION:-undefined} -X github.com/oam-dev/kubevela/version.GitRevision=${GITVERSION:-undefined}" \
-    -o apiserver-${TARGETARCH} cmd/apiserver/main.go
-
 # Use alpine as base image due to the discussion in issue #1448
 # You can replace distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
@@ -46,7 +41,6 @@ WORKDIR /

 ARG TARGETARCH
 COPY --from=builder /workspace/manager-${TARGETARCH} /usr/local/bin/manager
-COPY --from=builder /workspace/apiserver-${TARGETARCH} /usr/local/bin/apiserver

 COPY entrypoint.sh /usr/local/bin/

--- a/23
+++ b/23
@@ -18,8 +18,6 @@ test-cli-gen:
 unit-test-core:
 	go test -coverprofile=coverage.txt $(shell go list ./pkg/... ./cmd/... ./apis/... | grep -v apiserver | grep -v applicationconfiguration)
 	go test $(shell go list ./references/... | grep -v apiserver)
-unit-test-apiserver:
-	go test -gcflags=all=-l -coverprofile=coverage.txt $(shell go list ./pkg/... ./cmd/...  | grep -E 'apiserver|velaql')

 # Build vela cli binary
 build: vela-cli kubectl-vela
@@ -39,16 +37,23 @@ fmt: goimports installcue
 	$(CUE) fmt ./pkg/stdlib/op.cue
 	$(CUE) fmt ./pkg/workflow/tasks/template/static/*
 # Run go vet against code
+
+sdk_fmt:
+	./hack/sdk/reviewable.sh
+
 vet:
-	go vet ./...
+	@$(INFO) go vet
+	@go vet $(shell go list ./...|grep -v scaffold)

 staticcheck: staticchecktool
-	$(STATICCHECK) ./...
+	@$(INFO) staticcheck
+	@$(STATICCHECK) $(shell go list ./...|grep -v scaffold)

 lint: golangci
-	$(GOLANGCILINT) run ./...
+	@$(INFO) lint
+	@$(GOLANGCILINT) run --skip-dirs 'scaffold'

-reviewable: manifests fmt vet lint staticcheck helm-doc-gen
+reviewable: manifests fmt vet lint staticcheck helm-doc-gen sdk_fmt
 	go mod tidy

 # Execute auto-gen code commands and ensure branch is clean.
@@ -61,9 +66,6 @@ check-diff: reviewable
 docker-push:
 	docker push $(VELA_CORE_IMAGE)

-build-swagger:
-	go run ./cmd/apiserver/main.go build-swagger ./docs/apidoc/swagger.json
-


 image-cleanup:
@@ -98,10 +100,9 @@ image-load-runtime-cluster:
 core-test:
 	go test ./pkg/... -coverprofile cover.out

-# Build vela core manager and apiserver binary
+# Build vela core manager binary
 manager:
 	$(GOBUILD_ENV) go build -o bin/manager -a -ldflags $(LDFLAGS) ./cmd/core/main.go
-	$(GOBUILD_ENV) go build -o bin/apiserver -a -ldflags $(LDFLAGS) ./cmd/apiserver/main.go

 vela-runtime-rollout-manager:
 	$(GOBUILD_ENV) go build -o ./runtime/rollout/bin/manager -a -ldflags $(LDFLAGS) ./runtime/rollout/cmd/main.go
--- a/README.md
+++ b/README.md
@@ -18,6 +18,7 @@
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4602/badge)](https://bestpractices.coreinfrastructure.org/projects/4602)
 ![E2E status](https://github.com/kubevela/kubevela/workflows/E2E%20Test/badge.svg)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/kubevela/kubevela/badge)](https://api.securityscorecards.dev/projects/github.com/kubevela/kubevela)
+[![](https://img.shields.io/badge/KubeVela-Check%20Your%20Contribution-orange)](https://opensource.alibaba.com/contribution_leaderboard/details?projectValue=kubevela)

 ## Introduction

@@ -29,17 +30,28 @@ KubeVela is a modern application delivery platform that makes deploying and oper

 KubeVela practices the "render, orchestrate, deploy" workflow with below highlighted values added to existing ecosystem:

-* Deployment as Code
+#### **Deployment as Code**

-Declare your deployment plan as workflow, run it automatically with any CI/CD or GitOps system, extend or re-program the workflow steps with CUE. No add-hoc scripts, no dirty glue code, just deploy. The deployment workflow in KubeVela is powered by [Open Application Model](https://oam.dev/).
+Declare your deployment plan as workflow, run it automatically with any CI/CD or GitOps system, extend or re-program the workflow steps with [CUE](https://cuelang.org/).
+No ad-hoc scripts, no dirty glue code, just deploy. The deployment workflow in KubeVela is powered by [Open Application Model](https://oam.dev/).

-* Built-in security and compliance building blocks
+#### **Built-in observability, multi-tenancy and security support**

-Choose from the wide range of LDAP integrations we provided out-of-box, enjoy multi-cluster authorization that is fully automated, pick and apply fine-grained RBAC modules and customize them per your own supply chain requirements.
+Choose from the wide range of LDAP integrations we provided out-of-box, enjoy enhanced [multi-tenancy and multi-cluster authorization and authentication](https://kubevela.net/docs/platform-engineers/auth/advance),
+pick and apply fine-grained RBAC modules and customize them per your own supply chain requirements.
+All delivery process has fully [automated observability dashboards](https://kubevela.net/docs/platform-engineers/operations/observability).

-* Multi-cloud/hybrid-environments app delivery as first-class citizen
+#### **Multi-cloud/hybrid-environments app delivery as first-class citizen**

-Progressive rollout across test/staging/production environments, automatic canary, blue-green and continuous verification, rich placement strategy across clusters and clouds, fully managed cloud environments provision.
+Natively supports multi-cluster/hybrid-cloud scenarios such as progressive rollout across test/staging/production environments,
+automatic canary, blue-green and continuous verification, rich placement strategy across clusters and clouds,
+along with automated cloud environments provision.
+
+#### **Lightweight but highly extensible architecture**
+
+Minimize your control plane deployment with only one pod and 0.5c1g resources to handle thousands of application delivery.
+Glue and orchestrate all your infrastructure capabilities as reusable modules with a highly extensible architecture
+and share the large growing community [addons](https://kubevela.net/docs/reference/addons/overview).

 ## Getting Started

--- a/apis/core.oam.dev/common/types.go
+++ b/apis/core.oam.dev/common/types.go
@@ -336,7 +336,8 @@ type WorkflowStatus struct {
 	Steps          []workflowv1alpha1.WorkflowStepStatus `json:"steps,omitempty"`

 	StartTime metav1.Time `json:"startTime,omitempty"`
-	EndTime   metav1.Time `json:"endTime,omitempty"`
+	// +nullable
+	EndTime metav1.Time `json:"endTime,omitempty"`
 }

 // DefinitionType describes the type of DefinitionRevision.
--- a/apis/core.oam.dev/v1beta1/applicationrevision_types.go
+++ b/apis/core.oam.dev/v1beta1/applicationrevision_types.go
@@ -45,13 +45,13 @@ type ApplicationRevisionCompressibleFields struct {
 	Application Application `json:"application"`

 	// ComponentDefinitions records the snapshot of the componentDefinitions related with the created/modified Application
-	ComponentDefinitions map[string]ComponentDefinition `json:"componentDefinitions,omitempty"`
+	ComponentDefinitions map[string]*ComponentDefinition `json:"componentDefinitions,omitempty"`

 	// WorkloadDefinitions records the snapshot of the workloadDefinitions related with the created/modified Application
 	WorkloadDefinitions map[string]WorkloadDefinition `json:"workloadDefinitions,omitempty"`

 	// TraitDefinitions records the snapshot of the traitDefinitions related with the created/modified Application
-	TraitDefinitions map[string]TraitDefinition `json:"traitDefinitions,omitempty"`
+	TraitDefinitions map[string]*TraitDefinition `json:"traitDefinitions,omitempty"`

 	// ScopeDefinitions records the snapshot of the scopeDefinitions related with the created/modified Application
 	ScopeDefinitions map[string]ScopeDefinition `json:"scopeDefinitions,omitempty"`
@@ -60,7 +60,7 @@ type ApplicationRevisionCompressibleFields struct {
 	PolicyDefinitions map[string]PolicyDefinition `json:"policyDefinitions,omitempty"`

 	// WorkflowStepDefinitions records the snapshot of the WorkflowStepDefinitions related with the created/modified Application
-	WorkflowStepDefinitions map[string]WorkflowStepDefinition `json:"workflowStepDefinitions,omitempty"`
+	WorkflowStepDefinitions map[string]*WorkflowStepDefinition `json:"workflowStepDefinitions,omitempty"`

 	// ScopeGVK records the apiVersion to GVK mapping
 	ScopeGVK map[string]metav1.GroupVersionKind `json:"scopeGVK,omitempty"`
--- a/apis/core.oam.dev/v1beta1/applicationrevision_types_test.go
+++ b/apis/core.oam.dev/v1beta1/applicationrevision_types_test.go
@@ -32,18 +32,18 @@ func TestApplicationRevisionCompression(t *testing.T) {
 	// Fill data
 	spec := &ApplicationRevisionSpec{}
 	spec.Application = Application{Spec: ApplicationSpec{Components: []common.ApplicationComponent{{Name: "test-name"}}}}
-	spec.ComponentDefinitions = make(map[string]ComponentDefinition)
-	spec.ComponentDefinitions["def"] = ComponentDefinition{Spec: ComponentDefinitionSpec{PodSpecPath: "path"}}
+	spec.ComponentDefinitions = make(map[string]*ComponentDefinition)
+	spec.ComponentDefinitions["def"] = &ComponentDefinition{Spec: ComponentDefinitionSpec{PodSpecPath: "path"}}
 	spec.WorkloadDefinitions = make(map[string]WorkloadDefinition)
 	spec.WorkloadDefinitions["def"] = WorkloadDefinition{Spec: WorkloadDefinitionSpec{Reference: common.DefinitionReference{Name: "testdef"}}}
-	spec.TraitDefinitions = make(map[string]TraitDefinition)
-	spec.TraitDefinitions["def"] = TraitDefinition{Spec: TraitDefinitionSpec{ControlPlaneOnly: true}}
+	spec.TraitDefinitions = make(map[string]*TraitDefinition)
+	spec.TraitDefinitions["def"] = &TraitDefinition{Spec: TraitDefinitionSpec{ControlPlaneOnly: true}}
 	spec.ScopeDefinitions = make(map[string]ScopeDefinition)
 	spec.ScopeDefinitions["def"] = ScopeDefinition{Spec: ScopeDefinitionSpec{AllowComponentOverlap: true}}
 	spec.PolicyDefinitions = make(map[string]PolicyDefinition)
 	spec.PolicyDefinitions["def"] = PolicyDefinition{Spec: PolicyDefinitionSpec{ManageHealthCheck: true}}
-	spec.WorkflowStepDefinitions = make(map[string]WorkflowStepDefinition)
-	spec.WorkflowStepDefinitions["def"] = WorkflowStepDefinition{Spec: WorkflowStepDefinitionSpec{Reference: common.DefinitionReference{Name: "testname"}}}
+	spec.WorkflowStepDefinitions = make(map[string]*WorkflowStepDefinition)
+	spec.WorkflowStepDefinitions["def"] = &WorkflowStepDefinition{Spec: WorkflowStepDefinitionSpec{Reference: common.DefinitionReference{Name: "testname"}}}
 	spec.ReferredObjects = []common.ReferredObject{{RawExtension: runtime.RawExtension{Raw: []byte("123")}}}

 	testAppRev := &ApplicationRevision{Spec: *spec}
--- a/apis/core.oam.dev/v1beta1/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/v1beta1/zz_generated.deepcopy.go
@@ -142,9 +142,17 @@ func (in *ApplicationRevisionCompressibleFields) DeepCopyInto(out *ApplicationRe
 	in.Application.DeepCopyInto(&out.Application)
 	if in.ComponentDefinitions != nil {
 		in, out := &in.ComponentDefinitions, &out.ComponentDefinitions
-		*out = make(map[string]ComponentDefinition, len(*in))
+		*out = make(map[string]*ComponentDefinition, len(*in))
 		for key, val := range *in {
-			(*out)[key] = *val.DeepCopy()
+			var outVal *ComponentDefinition
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(ComponentDefinition)
+				(*in).DeepCopyInto(*out)
+			}
+			(*out)[key] = outVal
 		}
 	}
 	if in.WorkloadDefinitions != nil {
@@ -156,9 +164,17 @@ func (in *ApplicationRevisionCompressibleFields) DeepCopyInto(out *ApplicationRe
 	}
 	if in.TraitDefinitions != nil {
 		in, out := &in.TraitDefinitions, &out.TraitDefinitions
-		*out = make(map[string]TraitDefinition, len(*in))
+		*out = make(map[string]*TraitDefinition, len(*in))
 		for key, val := range *in {
-			(*out)[key] = *val.DeepCopy()
+			var outVal *TraitDefinition
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(TraitDefinition)
+				(*in).DeepCopyInto(*out)
+			}
+			(*out)[key] = outVal
 		}
 	}
 	if in.ScopeDefinitions != nil {
@@ -177,9 +193,17 @@ func (in *ApplicationRevisionCompressibleFields) DeepCopyInto(out *ApplicationRe
 	}
 	if in.WorkflowStepDefinitions != nil {
 		in, out := &in.WorkflowStepDefinitions, &out.WorkflowStepDefinitions
-		*out = make(map[string]WorkflowStepDefinition, len(*in))
+		*out = make(map[string]*WorkflowStepDefinition, len(*in))
 		for key, val := range *in {
-			(*out)[key] = *val.DeepCopy()
+			var outVal *WorkflowStepDefinition
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(WorkflowStepDefinition)
+				(*in).DeepCopyInto(*out)
+			}
+			(*out)[key] = outVal
 		}
 	}
 	if in.ScopeGVK != nil {
--- a/apis/types/capability.go
+++ b/apis/types/capability.go
@@ -176,9 +176,8 @@ type Capability struct {
 	Namespace string `json:"namespace,omitempty"`

 	// Plugin Source
-	Source  *Source       `json:"source,omitempty"`
-	Install *Installation `json:"install,omitempty"`
-	CrdInfo *CRDInfo      `json:"crdInfo,omitempty"`
+	Source  *Source  `json:"source,omitempty"`
+	CrdInfo *CRDInfo `json:"crdInfo,omitempty"`

 	// Terraform
 	TerraformConfiguration string `json:"terraformConfiguration,omitempty"`
--- a/apis/types/types.go
+++ b/apis/types/types.go
@@ -186,3 +186,17 @@ const (
 	// VelaCoreConfig is to mark application, config and its secret or Terraform provider lelong to a KubeVela config
 	VelaCoreConfig = "velacore-config"
 )
+
+const (
+	// LabelSourceOfTruth describes the source of this app
+	LabelSourceOfTruth = "app.oam.dev/source-of-truth"
+
+	// FromCR means the data source of truth is from k8s CR
+	FromCR = "from-k8s-resource"
+	// FromUX means the data source of truth is from velaux data store
+	FromUX = "from-velaux"
+	// FromInner means the data source of truth is from KubeVela inner usage
+	// the configuration that don't want to be synced
+	// the addon application should be synced, but set to readonly mode
+	FromInner = "from-inner-system"
+)
--- a/charts/vela-core/README.md
+++ b/charts/vela-core/README.md
@@ -49,7 +49,6 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 | `disableCaps`                 | Disable capability                                                                            | `rollout` |
 | `dependCheckWait`             | dependCheckWait is the time to wait for ApplicationConfiguration's dependent-resource ready   | `30s`     |

-
 ### KubeVela workflow parameters

 | Name                                   | Description                                            | Value   |
@@ -59,7 +58,6 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 | `workflow.backoff.maxTime.failedState` | The max backoff time of workflow in a failed condition | `300`   |
 | `workflow.step.errorRetryTimes`        | The max retry times of a failed workflow step          | `10`    |

-
 ### KubeVela controller parameters

 | Name                        | Description                          | Value              |
@@ -77,48 +75,51 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 | `webhookService.port`       | KubeVela webhook service port        | `9443`             |
 | `healthCheck.port`          | KubeVela health check port           | `9440`             |

-
 ### KubeVela controller optimization parameters

-| Name                                              | Description                                                                                                                                                                                                                      | Value   |
-| ------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `optimize.cachedGvks`                             | Optimize types of resources to be cached.                                                                                                                                                                                        | `""`    |
-| `optimize.resourceTrackerListOp`                  | Optimize ResourceTracker List Op by adding index.                                                                                                                                                                                | `true`  |
-| `optimize.controllerReconcileLoopReduction`       | Optimize ApplicationController reconcile by reducing the number of loops to reconcile application.                                                                                                                               | `false` |
-| `optimize.markWithProb`                           | Optimize ResourceTracker GC by only run mark with probability. Side effect: outdated ResourceTracker might not be able to be removed immediately.                                                                                | `0.1`   |
-| `optimize.disableComponentRevision`               | Optimize componentRevision by disabling the creation and gc                                                                                                                                                                      | `true`  |
-| `optimize.disableApplicationRevision`             | Optimize ApplicationRevision by disabling the creation and gc.                                                                                                                                                                   | `false` |
-| `optimize.disableWorkflowRecorder`                | Optimize workflow recorder by disabling the creation and gc.                                                                                                                                                                     | `false` |
-| `optimize.enableInMemoryWorkflowContext`          | Optimize workflow by use in-memory context.                                                                                                                                                                                      | `false` |
-| `optimize.disableResourceApplyDoubleCheck`        | Optimize workflow by ignoring resource double check after apply.                                                                                                                                                                 | `false` |
-| `optimize.enableResourceTrackerDeleteOnlyTrigger` | Optimize resourcetracker by only trigger reconcile when resourcetracker is deleted.                                                                                                                                              | `true`  |
-| `featureGates.enableLegacyComponentRevision`      | if disabled, only component with rollout trait will create component revisions                                                                                                                                                   | `false` |
-| `featureGates.gzipResourceTracker`                | compress ResourceTracker using gzip (good) before being stored. This is reduces network throughput when dealing with huge ResourceTrackers.                                                                                      | `false` |
-| `featureGates.zstdResourceTracker`                | compress ResourceTracker using zstd (fast and good) before being stored. This is reduces network throughput when dealing with huge ResourceTrackers. Note that zstd will be prioritized if you enable other compression options. | `true`  |
-| `featureGates.applyOnce`                          | if enabled, the apply-once feature will be applied to all applications, no state-keep and no resource data storage in ResourceTracker                                                                                            | `false` |
-| `featureGates.multiStageComponentApply`           | if enabled, the multiStageComponentApply feature will be combined with the stage field in TraitDefinition to complete the multi-stage apply.                                                                                     | `false` |
-| `featureGates.gzipApplicationRevision`            | compress apprev using gzip (good) before being stored. This is reduces network throughput when dealing with huge apprevs.                                                                                                        | `false` |
-| `featureGates.zstdApplicationRevision`            | compress apprev using zstd (fast and good) before being stored. This is reduces network throughput when dealing with huge apprevs. Note that zstd will be prioritized if you enable other compression options.                   | `true`  |
-| `featureGates.preDispatchDryRun`                  | enable dryrun before dispatching resources. Enable this flag can help prevent unsuccessful dispatch resources entering resourcetracker and improve the user experiences of gc but at the cost of increasing network requests.    | `true`  |
-
+| Name                                                         | Description                                                                                                                                                                                                                      | Value   |
+| ------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `optimize.cachedGvks`                                        | Optimize types of resources to be cached.                                                                                                                                                                                        | `""`    |
+| `optimize.markWithProb`                                      | Optimize ResourceTracker GC by only run mark with probability. Side effect: outdated ResourceTracker might not be able to be removed immediately.                                                                                | `0.1`   |
+| `optimize.disableComponentRevision`                          | Optimize componentRevision by disabling the creation and gc                                                                                                                                                                      | `true`  |
+| `optimize.disableApplicationRevision`                        | Optimize ApplicationRevision by disabling the creation and gc.                                                                                                                                                                   | `false` |
+| `optimize.enableInMemoryWorkflowContext`                     | Optimize workflow by use in-memory context.                                                                                                                                                                                      | `false` |
+| `optimize.disableResourceApplyDoubleCheck`                   | Optimize workflow by ignoring resource double check after apply.                                                                                                                                                                 | `false` |
+| `optimize.enableResourceTrackerDeleteOnlyTrigger`            | Optimize resourcetracker by only trigger reconcile when resourcetracker is deleted.                                                                                                                                              | `true`  |
+| `featureGates.enableLegacyComponentRevision`                 | if disabled, only component with rollout trait will create component revisions                                                                                                                                                   | `false` |
+| `featureGates.gzipResourceTracker`                           | compress ResourceTracker using gzip (good) before being stored. This is reduces network throughput when dealing with huge ResourceTrackers.                                                                                      | `false` |
+| `featureGates.zstdResourceTracker`                           | compress ResourceTracker using zstd (fast and good) before being stored. This is reduces network throughput when dealing with huge ResourceTrackers. Note that zstd will be prioritized if you enable other compression options. | `true`  |
+| `featureGates.applyOnce`                                     | if enabled, the apply-once feature will be applied to all applications, no state-keep and no resource data storage in ResourceTracker                                                                                            | `false` |
+| `featureGates.multiStageComponentApply`                      | if enabled, the multiStageComponentApply feature will be combined with the stage field in TraitDefinition to complete the multi-stage apply.                                                                                     | `true`  |
+| `featureGates.gzipApplicationRevision`                       | compress apprev using gzip (good) before being stored. This is reduces network throughput when dealing with huge apprevs.                                                                                                        | `false` |
+| `featureGates.zstdApplicationRevision`                       | compress apprev using zstd (fast and good) before being stored. This is reduces network throughput when dealing with huge apprevs. Note that zstd will be prioritized if you enable other compression options.                   | `true`  |
+| `featureGates.preDispatchDryRun`                             | enable dryrun before dispatching resources. Enable this flag can help prevent unsuccessful dispatch resources entering resourcetracker and improve the user experiences of gc but at the cost of increasing network requests.    | `true`  |
+| `featureGates.validateComponentWhenSharding`                 | enable component validation in webhook when sharding mode enabled                                                                                                                                                                | `false` |
+| `featureGates.disableWebhookAutoSchedule`                    | disable auto schedule for application mutating webhook when sharding enabled                                                                                                                                                     | `false` |
+| `featureGates.disableBootstrapClusterInfo`                   | disable the cluster info bootstrap at the starting of the controller                                                                                                                                                             | `false` |
+| `featureGates.informerCacheFilterUnnecessaryFields`          | filter unnecessary fields for informer cache                                                                                                                                                                                     | `true`  |
+| `featureGates.sharedDefinitionStorageForApplicationRevision` | use definition cache to reduce duplicated definition storage for application revision, must be used with InformerCacheFilterUnnecessaryFields                                                                                    | `true`  |
+| `featureGates.disableWorkflowContextConfigMapCache`          | disable the workflow context's configmap informer cache                                                                                                                                                                          | `true`  |

 ### MultiCluster parameters

-| Name                                                        | Description                                     | Value                            |
-| ----------------------------------------------------------- | ----------------------------------------------- | -------------------------------- |
-| `multicluster.enabled`                                      | Whether to enable multi-cluster                 | `true`                           |
-| `multicluster.metrics.enabled`                              | Whether to enable multi-cluster metrics collect | `false`                          |
-| `multicluster.clusterGateway.replicaCount`                  | ClusterGateway replica count                    | `1`                              |
-| `multicluster.clusterGateway.port`                          | ClusterGateway port                             | `9443`                           |
-| `multicluster.clusterGateway.image.repository`              | ClusterGateway image repository                 | `oamdev/cluster-gateway`         |
-| `multicluster.clusterGateway.image.tag`                     | ClusterGateway image tag                        | `v1.7.0-alpha.3`                 |
-| `multicluster.clusterGateway.image.pullPolicy`              | ClusterGateway image pull policy                | `IfNotPresent`                   |
-| `multicluster.clusterGateway.resources.limits.cpu`          | ClusterGateway cpu limit                        | `100m`                           |
-| `multicluster.clusterGateway.resources.limits.memory`       | ClusterGateway memory limit                     | `200Mi`                          |
-| `multicluster.clusterGateway.secureTLS.enabled`             | Whether to enable secure TLS                    | `true`                           |
-| `multicluster.clusterGateway.secureTLS.certPath`            | Path to the certificate file                    | `/etc/k8s-cluster-gateway-certs` |
-| `multicluster.clusterGateway.secureTLS.certManager.enabled` | Whether to enable cert-manager                  | `false`                          |
-
+| Name                                                        | Description                                                                                 | Value                            |
+| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------- | -------------------------------- |
+| `multicluster.enabled`                                      | Whether to enable multi-cluster                                                             | `true`                           |
+| `multicluster.metrics.enabled`                              | Whether to enable multi-cluster metrics collect                                             | `false`                          |
+| `multicluster.clusterGateway.direct`                        | controller will connect to ClusterGateway directly instead of going to Kubernetes APIServer | `true`                           |
+| `multicluster.clusterGateway.replicaCount`                  | ClusterGateway replica count                                                                | `1`                              |
+| `multicluster.clusterGateway.port`                          | ClusterGateway port                                                                         | `9443`                           |
+| `multicluster.clusterGateway.image.repository`              | ClusterGateway image repository                                                             | `oamdev/cluster-gateway`         |
+| `multicluster.clusterGateway.image.tag`                     | ClusterGateway image tag                                                                    | `v1.8.0`                         |
+| `multicluster.clusterGateway.image.pullPolicy`              | ClusterGateway image pull policy                                                            | `IfNotPresent`                   |
+| `multicluster.clusterGateway.resources.requests.cpu`        | ClusterGateway cpu request                                                                  | `50m`                            |
+| `multicluster.clusterGateway.resources.requests.memory`     | ClusterGateway memory request                                                               | `20Mi`                           |
+| `multicluster.clusterGateway.resources.limits.cpu`          | ClusterGateway cpu limit                                                                    | `500m`                           |
+| `multicluster.clusterGateway.resources.limits.memory`       | ClusterGateway memory limit                                                                 | `200Mi`                          |
+| `multicluster.clusterGateway.secureTLS.enabled`             | Whether to enable secure TLS                                                                | `true`                           |
+| `multicluster.clusterGateway.secureTLS.certPath`            | Path to the certificate file                                                                | `/etc/k8s-cluster-gateway-certs` |
+| `multicluster.clusterGateway.secureTLS.certManager.enabled` | Whether to enable cert-manager                                                              | `false`                          |

 ### Test parameters

@@ -129,30 +130,31 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 | `test.k8s.repository` | Test k8s repository | `oamdev/alpine-k8s`  |
 | `test.k8s.tag`        | Test k8s tag        | `1.18.2`             |

-
 ### Common parameters

-| Name                          | Description                                                                                                                | Value                |
-| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------- | -------------------- |
-| `imagePullSecrets`            | Image pull secrets                                                                                                         | `[]`                 |
-| `nameOverride`                | Override name                                                                                                              | `""`                 |
-| `fullnameOverride`            | Fullname override                                                                                                          | `""`                 |
-| `serviceAccount.create`       | Specifies whether a service account should be created                                                                      | `true`               |
-| `serviceAccount.annotations`  | Annotations to add to the service account                                                                                  | `{}`                 |
-| `serviceAccount.name`         | The name of the service account to use. If not set and create is true, a name is generated using the fullname template     | `nil`                |
-| `nodeSelector`                | Node selector                                                                                                              | `{}`                 |
-| `tolerations`                 | Tolerations                                                                                                                | `[]`                 |
-| `affinity`                    | Affinity                                                                                                                   | `{}`                 |
-| `rbac.create`                 | Specifies whether a RBAC role should be created                                                                            | `true`               |
-| `logDebug`                    | Enable debug logs for development purpose                                                                                  | `false`              |
-| `logFilePath`                 | If non-empty, write log files in this path                                                                                 | `""`                 |
-| `logFileMaxSize`              | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. | `1024`               |
-| `kubeClient.qps`              | The qps for reconcile clients, default is 100                                                                              | `100`                |
-| `kubeClient.burst`            | The burst for reconcile clients, default is 200                                                                            | `200`                |
-| `authentication.enabled`      | Enable authentication for application                                                                                      | `false`              |
-| `authentication.withUser`     | Application authentication will impersonate as the request User                                                            | `true`               |
-| `authentication.defaultUser`  | Application authentication will impersonate as the User if no user provided in Application                                 | `kubevela:vela-core` |
-| `authentication.groupPattern` | Application authentication will impersonate as the request Group that matches the pattern                                  | `kubevela:*`         |
+| Name                          | Description                                                                                                                                                        | Value                |
+| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------- |
+| `imagePullSecrets`            | Image pull secrets                                                                                                                                                 | `[]`                 |
+| `nameOverride`                | Override name                                                                                                                                                      | `""`                 |
+| `fullnameOverride`            | Fullname override                                                                                                                                                  | `""`                 |
+| `serviceAccount.create`       | Specifies whether a service account should be created                                                                                                              | `true`               |
+| `serviceAccount.annotations`  | Annotations to add to the service account                                                                                                                          | `{}`                 |
+| `serviceAccount.name`         | The name of the service account to use. If not set and create is true, a name is generated using the fullname template                                             | `nil`                |
+| `nodeSelector`                | Node selector                                                                                                                                                      | `{}`                 |
+| `tolerations`                 | Tolerations                                                                                                                                                        | `[]`                 |
+| `affinity`                    | Affinity                                                                                                                                                           | `{}`                 |
+| `rbac.create`                 | Specifies whether a RBAC role should be created                                                                                                                    | `true`               |
+| `logDebug`                    | Enable debug logs for development purpose                                                                                                                          | `false`              |
+| `logFilePath`                 | If non-empty, write log files in this path                                                                                                                         | `""`                 |
+| `logFileMaxSize`              | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.                                         | `1024`               |
+| `kubeClient.qps`              | The qps for reconcile clients                                                                                                                                      | `400`                |
+| `kubeClient.burst`            | The burst for reconcile clients                                                                                                                                    | `600`                |
+| `authentication.enabled`      | Enable authentication for application                                                                                                                              | `false`              |
+| `authentication.withUser`     | Application authentication will impersonate as the request User                                                                                                    | `true`               |
+| `authentication.defaultUser`  | Application authentication will impersonate as the User if no user provided in Application                                                                         | `kubevela:vela-core` |
+| `authentication.groupPattern` | Application authentication will impersonate as the request Group that matches the pattern                                                                          | `kubevela:*`         |
+| `sharding.enabled`            | When sharding enabled, the controller will run as master mode. Refer to https://github.com/kubevela/kubevela/blob/master/design/vela-core/sharding.md for details. | `false`              |
+| `sharding.schedulableShards`  | The shards available for scheduling. If empty, dynamic discovery will be used.                                                                                     | `""`                 |


 ## Uninstallation
--- a/charts/vela-core/crds/core.oam.dev_applicationrevisions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_applicationrevisions.yaml
@@ -848,6 +848,7 @@ spec:
                            x-kubernetes-map-type: atomic
                          endTime:
                            format: date-time
+                            nullable: true
                            type: string
                          finished:
                            type: boolean
@@ -2162,6 +2163,8 @@ spec:
                            inputs:
                              description: StepInputs defines variable input of WorkflowStep
                              items:
+                                description: InputItem defines an input variable of
+                                  WorkflowStep
                                properties:
                                  from:
                                    type: string
@@ -2177,6 +2180,8 @@ spec:
                              description: StepOutputs defines output variable of
                                WorkflowStep
                              items:
+                                description: OutputItem defines an output variable
+                                  of WorkflowStep
                                properties:
                                  name:
                                    type: string
@@ -2283,6 +2288,8 @@ spec:
                                inputs:
                                  description: Inputs is the inputs of the step
                                  items:
+                                    description: InputItem defines an input variable
+                                      of WorkflowStep
                                    properties:
                                      from:
                                        type: string
@@ -2299,6 +2306,11 @@ spec:
                                    alias:
                                      type: string
                                  type: object
+                                mode:
+                                  description: Mode is only valid for sub steps, it
+                                    defines the mode of the sub steps
+                                  nullable: true
+                                  type: string
                                name:
                                  description: Name is the unique name of the workflow
                                    step.
@@ -2306,6 +2318,8 @@ spec:
                                outputs:
                                  description: Outputs is the outputs of the step
                                  items:
+                                    description: OutputItem defines an output variable
+                                      of WorkflowStep
                                    properties:
                                      name:
                                        type: string
@@ -2339,6 +2353,8 @@ spec:
                                      inputs:
                                        description: Inputs is the inputs of the step
                                        items:
+                                          description: InputItem defines an input
+                                            variable of WorkflowStep
                                          properties:
                                            from:
                                              type: string
@@ -2363,6 +2379,8 @@ spec:
                                        description: Outputs is the outputs of the
                                          step
                                        items:
+                                          description: OutputItem defines an output
+                                            variable of WorkflowStep
                                          properties:
                                            name:
                                              type: string
@@ -2806,6 +2824,7 @@ spec:
                            x-kubernetes-map-type: atomic
                          endTime:
                            format: date-time
+                            nullable: true
                            type: string
                          finished:
                            type: boolean
@@ -4138,6 +4157,7 @@ spec:
                        inputs:
                          description: Inputs is the inputs of the step
                          items:
+                            description: InputItem defines an input variable of WorkflowStep
                            properties:
                              from:
                                type: string
@@ -4153,12 +4173,19 @@ spec:
                            alias:
                              type: string
                          type: object
+                        mode:
+                          description: Mode is only valid for sub steps, it defines
+                            the mode of the sub steps
+                          nullable: true
+                          type: string
                        name:
                          description: Name is the unique name of the workflow step.
                          type: string
                        outputs:
                          description: Outputs is the outputs of the step
                          items:
+                            description: OutputItem defines an output variable of
+                              WorkflowStep
                            properties:
                              name:
                                type: string
@@ -4189,6 +4216,8 @@ spec:
                              inputs:
                                description: Inputs is the inputs of the step
                                items:
+                                  description: InputItem defines an input variable
+                                    of WorkflowStep
                                  properties:
                                    from:
                                      type: string
@@ -4212,6 +4241,8 @@ spec:
                              outputs:
                                description: Outputs is the outputs of the step
                                items:
+                                  description: OutputItem defines an output variable
+                                    of WorkflowStep
                                  properties:
                                    name:
                                      type: string
@@ -4942,6 +4973,7 @@ spec:
                    x-kubernetes-map-type: atomic
                  endTime:
                    format: date-time
+                    nullable: true
                    type: string
                  finished:
                    type: boolean
--- a/charts/vela-core/crds/core.oam.dev_applications.yaml
+++ b/charts/vela-core/crds/core.oam.dev_applications.yaml
@@ -774,6 +774,7 @@ spec:
                    x-kubernetes-map-type: atomic
                  endTime:
                    format: date-time
+                    nullable: true
                    type: string
                  finished:
                    type: boolean
@@ -933,6 +934,7 @@ spec:
                    inputs:
                      description: StepInputs defines variable input of WorkflowStep
                      items:
+                        description: InputItem defines an input variable of WorkflowStep
                        properties:
                          from:
                            type: string
@@ -947,6 +949,7 @@ spec:
                    outputs:
                      description: StepOutputs defines output variable of WorkflowStep
                      items:
+                        description: OutputItem defines an output variable of WorkflowStep
                        properties:
                          name:
                            type: string
@@ -1049,6 +1052,7 @@ spec:
                        inputs:
                          description: Inputs is the inputs of the step
                          items:
+                            description: InputItem defines an input variable of WorkflowStep
                            properties:
                              from:
                                type: string
@@ -1064,12 +1068,19 @@ spec:
                            alias:
                              type: string
                          type: object
+                        mode:
+                          description: Mode is only valid for sub steps, it defines
+                            the mode of the sub steps
+                          nullable: true
+                          type: string
                        name:
                          description: Name is the unique name of the workflow step.
                          type: string
                        outputs:
                          description: Outputs is the outputs of the step
                          items:
+                            description: OutputItem defines an output variable of
+                              WorkflowStep
                            properties:
                              name:
                                type: string
@@ -1100,6 +1111,8 @@ spec:
                              inputs:
                                description: Inputs is the inputs of the step
                                items:
+                                  description: InputItem defines an input variable
+                                    of WorkflowStep
                                  properties:
                                    from:
                                      type: string
@@ -1123,6 +1136,8 @@ spec:
                              outputs:
                                description: Outputs is the outputs of the step
                                items:
+                                  description: OutputItem defines an output variable
+                                    of WorkflowStep
                                  properties:
                                    name:
                                      type: string
@@ -1535,6 +1550,7 @@ spec:
                    x-kubernetes-map-type: atomic
                  endTime:
                    format: date-time
+                    nullable: true
                    type: string
                  finished:
                    type: boolean
--- a/charts/vela-core/crds/core.oam.dev_envbindings.yaml
+++ b/charts/vela-core/crds/core.oam.dev_envbindings.yaml
@@ -1,319 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
-  name: envbindings.core.oam.dev
-spec:
-  group: core.oam.dev
-  names:
-    categories:
-    - oam
-    kind: EnvBinding
-    listKind: EnvBindingList
-    plural: envbindings
-    shortNames:
-    - envbind
-    singular: envbinding
-  scope: Namespaced
-  versions:
-  - additionalPrinterColumns:
-    - jsonPath: .spec.engine
-      name: ENGINE
-      type: string
-    - jsonPath: .status.phase
-      name: PHASE
-      type: string
-    - jsonPath: .metadata.creationTimestamp
-      name: AGE
-      type: date
-    name: v1alpha1
-    schema:
-      openAPIV3Schema:
-        description: EnvBinding is the Schema for the EnvBinding API
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: A EnvBindingSpec defines the desired state of a EnvBinding.
-            properties:
-              appTemplate:
-                description: AppTemplate indicates the application template.
-                type: object
-                x-kubernetes-embedded-resource: true
-                x-kubernetes-preserve-unknown-fields: true
-              engine:
-                description: ClusterManagementEngine represents a multi-cluster management
-                  solution
-                type: string
-              envs:
-                items:
-                  description: EnvConfig is the configuration for different environments.
-                  properties:
-                    name:
-                      type: string
-                    patch:
-                      description: EnvPatch specify the parameter configuration for
-                        different environments
-                      properties:
-                        components:
-                          items:
-                            description: ApplicationComponent describe the component
-                              of application
-                            properties:
-                              dependsOn:
-                                items:
-                                  type: string
-                                type: array
-                              externalRevision:
-                                description: ExternalRevision specified the component
-                                  revisionName
-                                type: string
-                              inputs:
-                                description: StepInputs defines variable input of
-                                  WorkflowStep
-                                items:
-                                  properties:
-                                    from:
-                                      type: string
-                                    parameterKey:
-                                      type: string
-                                  required:
-                                  - from
-                                  - parameterKey
-                                  type: object
-                                type: array
-                              name:
-                                type: string
-                              outputs:
-                                description: StepOutputs defines output variable of
-                                  WorkflowStep
-                                items:
-                                  properties:
-                                    name:
-                                      type: string
-                                    valueFrom:
-                                      type: string
-                                  required:
-                                  - name
-                                  - valueFrom
-                                  type: object
-                                type: array
-                              properties:
-                                type: object
-                                x-kubernetes-preserve-unknown-fields: true
-                              scopes:
-                                additionalProperties:
-                                  type: string
-                                description: scopes in ApplicationComponent defines
-                                  the component-level scopes the format is <scope-type:scope-instance-name>
-                                  pairs, the key represents type of `ScopeDefinition`
-                                  while the value represent the name of scope instance.
-                                type: object
-                                x-kubernetes-preserve-unknown-fields: true
-                              traits:
-                                description: Traits define the trait of one component,
-                                  the type must be array to keep the order.
-                                items:
-                                  description: ApplicationTrait defines the trait
-                                    of application
-                                  properties:
-                                    properties:
-                                      type: object
-                                      x-kubernetes-preserve-unknown-fields: true
-                                    type:
-                                      type: string
-                                  required:
-                                  - type
-                                  type: object
-                                type: array
-                              type:
-                                type: string
-                            required:
-                            - name
-                            - type
-                            type: object
-                          type: array
-                      required:
-                      - components
-                      type: object
-                    placement:
-                      description: EnvPlacement defines the placement rules for an
-                        app.
-                      properties:
-                        clusterSelector:
-                          description: ClusterSelector defines the rules to select
-                            a Cluster resource. Either name or labels is needed.
-                          properties:
-                            labels:
-                              additionalProperties:
-                                type: string
-                              description: Labels defines the label selector to select
-                                the cluster.
-                              type: object
-                            name:
-                              description: Name is the name of the cluster.
-                              type: string
-                          type: object
-                        namespaceSelector:
-                          description: NamespaceSelector defines the rules to select
-                            a Namespace resource. Either name or labels is needed.
-                          properties:
-                            labels:
-                              additionalProperties:
-                                type: string
-                              description: Labels defines the label selector to select
-                                the namespace.
-                              type: object
-                            name:
-                              description: Name is the name of the namespace.
-                              type: string
-                          type: object
-                      type: object
-                    selector:
-                      description: EnvSelector defines which components should this
-                        env contains
-                      properties:
-                        components:
-                          items:
-                            type: string
-                          type: array
-                      type: object
-                  required:
-                  - name
-                  - patch
-                  type: object
-                type: array
-              outputResourcesTo:
-                description: OutputResourcesTo specifies the namespace and name of
-                  a ConfigMap which store the resources rendered after differentiated
-                  configuration
-                properties:
-                  name:
-                    description: Name of the secret.
-                    type: string
-                  namespace:
-                    description: Namespace of the secret.
-                    type: string
-                required:
-                - name
-                type: object
-            required:
-            - appTemplate
-            - envs
-            type: object
-          status:
-            description: A EnvBindingStatus is the status of EnvBinding
-            properties:
-              clusterDecisions:
-                items:
-                  description: ClusterDecision recorded the mapping of environment
-                    and cluster
-                  properties:
-                    cluster:
-                      type: string
-                    env:
-                      type: string
-                    namespace:
-                      type: string
-                  required:
-                  - env
-                  type: object
-                type: array
-              conditions:
-                description: Conditions of the resource.
-                items:
-                  description: A Condition that may apply to a resource.
-                  properties:
-                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
-                      format: date-time
-                      type: string
-                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
-                      type: string
-                    reason:
-                      description: A Reason for this condition's last transition from
-                        one status to another.
-                      type: string
-                    status:
-                      description: Status of this condition; is it currently True,
-                        False, or Unknown?
-                      type: string
-                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
-                      type: string
-                  required:
-                  - lastTransitionTime
-                  - reason
-                  - status
-                  - type
-                  type: object
-                type: array
-              phase:
-                description: EnvBindingPhase is a label for the condition of a EnvBinding
-                  at the current time
-                type: string
-              resourceTracker:
-                description: ResourceTracker record the status of the ResourceTracker
-                properties:
-                  apiVersion:
-                    description: API version of the referent.
-                    type: string
-                  fieldPath:
-                    description: 'If referring to a piece of an object instead of
-                      an entire object, this string should contain a valid JSON/Go
-                      field access statement, such as desiredState.manifest.containers[2].
-                      For example, if the object reference is to a container within
-                      a pod, this would take on a value like: "spec.containers{name}"
-                      (where "name" refers to the name of the container that triggered
-                      the event) or if no container name is specified "spec.containers[2]"
-                      (container with index 2 in this pod). This syntax is chosen
-                      only to have some well-defined way of referencing a part of
-                      an object. TODO: this design is not final and this field is
-                      subject to change in the future.'
-                    type: string
-                  kind:
-                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-                    type: string
-                  name:
-                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                    type: string
-                  namespace:
-                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
-                    type: string
-                  resourceVersion:
-                    description: 'Specific resourceVersion to which this reference
-                      is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
-                    type: string
-                  uid:
-                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
-                    type: string
-                type: object
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/charts/vela-core/templates/cluster-gateway/cluster-gateway.yaml
+++ b/charts/vela-core/templates/cluster-gateway/cluster-gateway.yaml
@@ -13,6 +13,11 @@ spec:
    {{- include "kubevela-cluster-gateway.selectorLabels" . | nindent 6 }}
  template:
    metadata:
+      annotations:
+        prometheus.io/path: /metrics
+        prometheus.io/port: "9443"
+        prometheus.io/scrape: "true"
+        prometheus.io/scheme: "https"
      labels:
      {{- include "kubevela-cluster-gateway.selectorLabels" . | nindent 8 }}
    spec:
@@ -37,6 +42,7 @@ spec:
            - "--tls-cert-file={{ .Values.multicluster.clusterGateway.secureTLS.certPath }}/tls.crt"
            - "--tls-private-key-file={{ .Values.multicluster.clusterGateway.secureTLS.certPath }}/tls.key"
            {{- end }}
+            - "--authorization-always-allow-paths=/healthz,/readyz,/livez,/metrics"
          image: {{ .Values.imageRegistry }}{{ .Values.multicluster.clusterGateway.image.repository }}:{{ .Values.multicluster.clusterGateway.image.tag }}
          imagePullPolicy: {{ .Values.multicluster.clusterGateway.image.pullPolicy }}
          resources:
@@ -66,10 +72,19 @@ spec:
      nodeSelector:
      {{- toYaml . | nindent 8 }}
      {{- end }}
-      {{- with .Values.affinity }}
      affinity:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
+      {{ if .Values.affinity }}
+        {{- toYaml .Values.affinity | nindent 8 }}
+      {{ else }}
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - podAffinityTerm:
+                labelSelector:
+                  matchLabels:
+                    {{- include "kubevela-cluster-gateway.selectorLabels" . | nindent 20 }}
+                topologyKey: kubernetes.io/hostname
+              weight: 100
+      {{ end }}
      {{- with .Values.tolerations }}
      tolerations:
      {{- toYaml . | nindent 8 }}
--- a/charts/vela-core/templates/defwithtemplate/apply-application-in-parallel.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-application-in-parallel.yaml
@@ -1,5 +1,5 @@
 # Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
-# Definition source cue file: vela-templates/definitions/internal/apply-application-in-parallel.cue
+# Definition source cue file: vela-templates/definitions/deprecated/apply-application-in-parallel.cue
 apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
--- a/charts/vela-core/templates/defwithtemplate/apply-application.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-application.yaml
@@ -1,9 +1,10 @@
 # Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
-# Definition source cue file: vela-templates/definitions/internal/apply-application.cue
+# Definition source cue file: vela-templates/definitions/deprecated/apply-application.cue
 apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Application Delivery
    definition.oam.dev/description: Apply application for your workflow steps, it has no arguments, should be used for custom steps before or after application applied.
  labels:
    custom.definition.oam.dev/deprecated: "true"
--- a/charts/vela-core/templates/defwithtemplate/apply-component.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-component.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Application Delivery
    definition.oam.dev/description: Apply a specific component and its corresponding traits in application
  labels:
    custom.definition.oam.dev/scope: Application
--- a/charts/vela-core/templates/defwithtemplate/apply-deployment.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-deployment.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Resource Management
    definition.oam.dev/alias: ""
    definition.oam.dev/description: Apply deployment with specified image and cmd.
  name: apply-deployment
@@ -19,6 +20,7 @@ spec:
        )

        output: op.#Apply & {
+        	cluster: parameter.cluster
        	value: {
        		apiVersion: "apps/v1"
        		kind:       "Deployment"
@@ -28,6 +30,7 @@ spec:
        		}
        		spec: {
        			selector: matchLabels: "workflow.oam.dev/step-name": "\(context.name)-\(context.stepName)"
+        			replicas: parameter.replicas
        			template: {
        				metadata: labels: "workflow.oam.dev/step-name": "\(context.name)-\(context.stepName)"
        				spec: containers: [{
@@ -42,10 +45,12 @@ spec:
        	}
        }
        wait: op.#ConditionalWait & {
-        	continue: output.value.status.readyReplicas == 1
+        	continue: output.value.status.readyReplicas == parameter.replicas
        }
        parameter: {
-        	image: string
+        	image:    string
+        	replicas: *1 | int
+        	cluster:  *"" | string
        	cmd?: [...string]
        }

--- a/charts/vela-core/templates/defwithtemplate/apply-object.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-object.yaml
@@ -4,9 +4,8 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Resource Management
    definition.oam.dev/description: Apply raw kubernetes objects for your workflow steps
-  labels:
-    custom.definition.oam.dev/ui-hidden: "true"
  name: apply-object
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-core/templates/defwithtemplate/apply-remaining.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-remaining.yaml
@@ -1,9 +1,10 @@
 # Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
-# Definition source cue file: vela-templates/definitions/internal/apply-remaining.cue
+# Definition source cue file: vela-templates/definitions/deprecated/apply-remaining.cue
 apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Application Delivery
    definition.oam.dev/description: Apply remaining components and traits
  labels:
    custom.definition.oam.dev/deprecated: "true"
--- a/charts/vela-core/templates/defwithtemplate/apply-terraform-config.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-terraform-config.yaml
@@ -4,9 +4,9 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Terraform
    definition.oam.dev/alias: ""
    definition.oam.dev/description: Apply terraform configuration in the step
-    definition.oam.dev/example-url: https://raw.githubusercontent.com/kubevela/workflow/main/examples/workflow-run/apply-terraform-resource.yaml
  name: apply-terraform-config
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-core/templates/defwithtemplate/apply-terraform-provider.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-terraform-provider.yaml
@@ -4,9 +4,9 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Terraform
    definition.oam.dev/alias: ""
    definition.oam.dev/description: Apply terraform provider config
-    definition.oam.dev/example-url: https://raw.githubusercontent.com/kubevela/workflow/main/examples/workflow-run/apply-terraform-resource.yaml
  name: apply-terraform-provider
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
@@ -116,7 +116,7 @@ spec:
        #ECProvider: {
        	type:   "ec"
        	apiKey: *"" | string
-        	name:   "ec-provider" | string
+        	name:   *"ec-provider" | string
        }
        #GCPProvider: {
        	credentials: string
--- a/charts/vela-core/templates/defwithtemplate/build-push-image.yaml
+++ b/charts/vela-core/templates/defwithtemplate/build-push-image.yaml
@@ -4,9 +4,9 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: CI Integration
    definition.oam.dev/alias: ""
    definition.oam.dev/description: Build and push image from git url
-    definition.oam.dev/example-url: https://raw.githubusercontent.com/kubevela/workflow/main/examples/workflow-run/built-push-image.yaml
  name: build-push-image
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-core/templates/defwithtemplate/check-metrics.yaml
+++ b/charts/vela-core/templates/defwithtemplate/check-metrics.yaml
@@ -0,0 +1,56 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/check-metrics.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    custom.definition.oam.dev/category: Application Delivery
+    definition.oam.dev/description: Verify application's metrics
+  labels:
+    custom.definition.oam.dev/catalog: Delivery
+  name: check-metrics
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"vela/op"
+        )
+
+        check: op.#PromCheck & {
+        	query:          parameter.query
+        	metricEndpoint: parameter.metricEndpoint
+        	condition:      parameter.condition
+        	stepID:         context.stepSessionID
+        	duration:       parameter.duration
+        	failDuration:   parameter.failDuration
+        }
+        fail: op.#Steps & {
+        	if check.failed != _|_ {
+        		if check.failed == true {
+        			breakWorkflow: op.#Fail & {
+        				message: check.message
+        			}
+        		}
+        	}
+        }
+        wait: op.#ConditionalWait & {
+        	continue: check.result
+        	if check.message != _|_ {
+        		message: check.message
+        	}
+        }
+        parameter: {
+        	// +usage=Query is a raw prometheus query to perform
+        	query: string
+        	// +usage=The HTTP address and port of the prometheus server
+        	metricEndpoint?: "http://prometheus-server.o11y-system.svc:9090" | string
+        	// +usage=Condition is an expression which determines if a measurement is considered successful. eg: >=0.95
+        	condition: string
+        	// +usage=Duration defines the duration of time required for this step to be considered successful.
+        	duration?: *"5m" | string
+        	// +usage=FailDuration is the duration of time that, if the check fails, will result in the step being marked as failed.
+        	failDuration?: *"2m" | string
+        }
+
--- a/charts/vela-core/templates/defwithtemplate/clean-jobs.yaml
+++ b/charts/vela-core/templates/defwithtemplate/clean-jobs.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Resource Management
    definition.oam.dev/description: clean applied jobs in the cluster
  name: clean-jobs
  namespace: {{ include "systemDefinitionNamespace" . }}
--- a/charts/vela-core/templates/defwithtemplate/collect-service-endpoints.yaml
+++ b/charts/vela-core/templates/defwithtemplate/collect-service-endpoints.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Application Delivery
    definition.oam.dev/description: Collect service endpoints for the application.
  name: collect-service-endpoints
  namespace: {{ include "systemDefinitionNamespace" . }}
--- a/charts/vela-core/templates/defwithtemplate/container-image.yaml
+++ b/charts/vela-core/templates/defwithtemplate/container-image.yaml
@@ -72,7 +72,7 @@ spec:
        		}]
        	}
        }
-        parameter: *#PatchParams | close({
+        parameter: #PatchParams | close({
        	// +usage=Specify the container image for multiple containers
        	containers: [...#PatchParams]
        })
--- a/charts/vela-core/templates/defwithtemplate/create-config.yaml
+++ b/charts/vela-core/templates/defwithtemplate/create-config.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Config Management
    definition.oam.dev/description: Create or update a config
  name: create-config
  namespace: {{ include "systemDefinitionNamespace" . }}
--- a/charts/vela-core/templates/defwithtemplate/cron-task.yaml
+++ b/charts/vela-core/templates/defwithtemplate/cron-task.yaml
@@ -12,8 +12,13 @@ spec:
    cue:
      template: |
        output: {
-        	apiVersion: "batch/v1beta1"
-        	kind:       "CronJob"
+        	if context.clusterVersion.minor < 25 {
+        		apiVersion: "batch/v1beta1"
+        	}
+        	if context.clusterVersion.minor >= 25 {
+        		apiVersion: "batch/v1"
+        	}
+        	kind: "CronJob"
        	spec: {
        		schedule:                   parameter.schedule
        		concurrencyPolicy:          parameter.concurrencyPolicy
@@ -313,8 +318,5 @@ spec:
        	failureThreshold: *3 | int
        }
  workload:
-    definition:
-      apiVersion: batch/v1beta1
-      kind: CronJob
-    type: cronjobs.batch
+    type: autodetects.core.oam.dev

--- a/charts/vela-core/templates/defwithtemplate/delete-config.yaml
+++ b/charts/vela-core/templates/defwithtemplate/delete-config.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Config Management
    definition.oam.dev/description: Delete a config
  name: delete-config
  namespace: {{ include "systemDefinitionNamespace" . }}
--- a/charts/vela-core/templates/defwithtemplate/depends-on-app.yaml
+++ b/charts/vela-core/templates/defwithtemplate/depends-on-app.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Application Delivery
    definition.oam.dev/description: Wait for the specified Application to complete.
  name: depends-on-app
  namespace: {{ include "systemDefinitionNamespace" . }}
--- a/charts/vela-core/templates/defwithtemplate/deploy-cloud-resource.yaml
+++ b/charts/vela-core/templates/defwithtemplate/deploy-cloud-resource.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Application Delivery
    definition.oam.dev/description: Deploy cloud resource and deliver secret to multi clusters.
  labels:
    custom.definition.oam.dev/scope: Application
--- a/charts/vela-core/templates/defwithtemplate/deploy.yaml
+++ b/charts/vela-core/templates/defwithtemplate/deploy.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Application Delivery
    definition.oam.dev/description: A powerful and unified deploy step for components multi-cluster delivery with policies.
  labels:
    custom.definition.oam.dev/scope: Application
@@ -26,7 +27,7 @@ spec:
        	//+usage=If set to false, the workflow will suspend automatically before this step, default to be true.
        	auto: *true | bool
        	//+usage=Declare the policies that used for this deployment. If not specified, the components will be deployed to the hub cluster.
-        	policies?: [...string]
+        	policies: *[] | [...string]
        	//+usage=Maximum number of concurrent delivered components.
        	parallelism: *5 | int
        	//+usage=If set false, this step will apply the components with the terraform workload.
--- a/charts/vela-core/templates/defwithtemplate/deploy2env.yaml
+++ b/charts/vela-core/templates/defwithtemplate/deploy2env.yaml
@@ -1,5 +1,5 @@
 # Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
-# Definition source cue file: vela-templates/definitions/internal/deploy2env.cue
+# Definition source cue file: vela-templates/definitions/deprecated/deploy2env.cue
 apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
--- a/charts/vela-core/templates/defwithtemplate/deploy2runtime.yaml
+++ b/charts/vela-core/templates/defwithtemplate/deploy2runtime.yaml
@@ -1,5 +1,5 @@
 # Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
-# Definition source cue file: vela-templates/definitions/internal/deploy2runtime.cue
+# Definition source cue file: vela-templates/definitions/deprecated/deploy2runtime.cue
 apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
--- a/charts/vela-core/templates/defwithtemplate/export-data.yaml
+++ b/charts/vela-core/templates/defwithtemplate/export-data.yaml
@@ -4,7 +4,10 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Application Delivery
    definition.oam.dev/description: Export data to clusters specified by topology.
+  labels:
+    custom.definition.oam.dev/scope: Application
  name: export-data
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-core/templates/defwithtemplate/export-service.yaml
+++ b/charts/vela-core/templates/defwithtemplate/export-service.yaml
@@ -4,7 +4,10 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Application Delivery
    definition.oam.dev/description: Export service to clusters specified by topology.
+  labels:
+    custom.definition.oam.dev/scope: Application
  name: export-service
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-core/templates/defwithtemplate/export2config.yaml
+++ b/charts/vela-core/templates/defwithtemplate/export2config.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Resource Management
    definition.oam.dev/description: Export data to specified Kubernetes ConfigMap in your workflow.
  name: export2config
  namespace: {{ include "systemDefinitionNamespace" . }}
--- a/charts/vela-core/templates/defwithtemplate/export2secret.yaml
+++ b/charts/vela-core/templates/defwithtemplate/export2secret.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Resource Management
    definition.oam.dev/description: Export data to Kubernetes Secret in your workflow.
  name: export2secret
  namespace: {{ include "systemDefinitionNamespace" . }}
--- a/charts/vela-core/templates/defwithtemplate/expose.yaml
+++ b/charts/vela-core/templates/defwithtemplate/expose.yaml
@@ -17,6 +17,7 @@ spec:
      template: |
        import (
        	"strconv"
+        	"strings"
        )

        outputs: service: {
@@ -25,25 +26,70 @@ spec:
        	metadata: name:        context.name
        	metadata: annotations: parameter.annotations
        	spec: {
-        		selector: "app.oam.dev/component": context.name
-        		ports: [
-        			for p in parameter.port {
-        				name:       "port-" + strconv.FormatInt(p, 10)
-        				port:       p
-        				targetPort: p
+        		if parameter["matchLabels"] == _|_ {
+        			selector: "app.oam.dev/component": context.name
+        		}
+        		if parameter["matchLabels"] != _|_ {
+        			selector: parameter["matchLabels"]
+        		}
+
+        		// compatible with the old way
+        		if parameter["port"] != _|_ if parameter["ports"] == _|_ {
+        			ports: [
+        				for p in parameter.port {
+        					name:       "port-" + strconv.FormatInt(p, 10)
+        					port:       p
+        					targetPort: p
+        				},
+        			]
+        		}
+        		if parameter["ports"] != _|_ {
+        			ports: [ for v in parameter.ports {
+        				port:       v.port
+        				targetPort: v.port
+        				if v.name != _|_ {
+        					name: v.name
+        				}
+        				if v.name == _|_ {
+        					_name: "port-" + strconv.FormatInt(v.port, 10)
+        					name:  *_name | string
+        					if v.protocol != "TCP" {
+        						name: _name + "-" + strings.ToLower(v.protocol)
+        					}
+        				}
+        				if v.nodePort != _|_ if parameter.type == "NodePort" {
+        					nodePort: v.nodePort
+        				}
+        				if v.protocol != _|_ {
+        					protocol: v.protocol
+        				}
        			},
-        		]
+        			]
+        		}
        		type: parameter.type
        	}
        }
        parameter: {
-        	// +usage=Specify the exposion ports
-        	port: [...int]
+        	// +usage=Deprecated, the old way to specify the exposion ports
+        	port?: [...int]
+        	// +usage=Specify portsyou want customer traffic sent to
+        	ports?: [...{
+        		// +usage=Number of port to expose on the pod's IP address
+        		port: int
+        		// +usage=Name of the port
+        		name?: string
+        		// +usage=Protocol for port. Must be UDP, TCP, or SCTP
+        		protocol: *"TCP" | "UDP" | "SCTP"
+        		// +usage=exposed node port. Only Valid when exposeType is NodePort
+        		nodePort?: int
+        	}]
        	// +usage=Specify the annotaions of the exposed service
-        	annotations: [string]: string
+        	annotations: [string]:  string
+        	matchLabels?: [string]: string
        	// +usage=Specify what kind of Service you want. options: "ClusterIP","NodePort","LoadBalancer","ExternalName"
        	type: *"ClusterIP" | "NodePort" | "LoadBalancer" | "ExternalName"
        }
+  stage: PostDispatch
  status:
    customStatus: |-
      message: *"" | string
@@ -53,7 +99,10 @@ spec:
      }
      if service.spec.type == "LoadBalancer" {
      	status: service.status
-      	isHealth: status != _|_ && status.loadBalancer != _|_ && status.loadBalancer.ingress != _|_ && len(status.loadBalancer.ingress) > 0
+      	isHealth: *false | bool
+      	if status != _|_ if status.loadBalancer != _|_ if status.loadBalancer.ingress != _|_ if len(status.loadBalancer.ingress) > 0 if status.loadBalancer.ingress[0].ip != _|_ {
+      		isHealth: true
+      	}
      	if !isHealth {
      		message: "ExternalIP: Pending"
      	}
@@ -62,10 +111,15 @@ spec:
      	}
      }
    healthPolicy: |-
-      isHealth: *true | bool
      service: context.outputs.service
      if service.spec.type == "LoadBalancer" {
      	status: service.status
-      	isHealth: status != _|_ && status.loadBalancer != _|_ && status.loadBalancer.ingress != _|_ && len(status.loadBalancer.ingress) > 0
+      	isHealth: *false | bool
+      	if status != _|_ if status.loadBalancer != _|_ if status.loadBalancer.ingress != _|_ if len(status.loadBalancer.ingress) > 0 if status.loadBalancer.ingress[0].ip != _|_ {
+      		isHealth: true
+      	}
+      }
+      if service.spec.type != "LoadBalancer" {
+      	isHealth: true
      }

--- a/charts/vela-core/templates/defwithtemplate/gateway.yaml
+++ b/charts/vela-core/templates/defwithtemplate/gateway.yaml
@@ -113,19 +113,20 @@ spec:
      }
      if context.outputs.ingress.status.loadBalancer.ingress != _|_ {
      	let igs = context.outputs.ingress.status.loadBalancer.ingress
+      	let host = context.outputs.ingress.spec.rules[0].host
        if igs[0].ip != _|_ {
-        	if igs[0].host != _|_ {
+        	if host != _|_ {
      	    message: "Visiting URL: " + context.outputs.ingress.spec.rules[0].host + ", IP: " + igs[0].ip
        	}
-        	if igs[0].host == _|_ {
+        	if host == _|_ {
      	    message: "Host not specified, visit the cluster or load balancer in front of the cluster with IP: " + igs[0].ip
        	}
        }
        if igs[0].ip == _|_ {
-        	if igs[0].host != _|_ {
+        	if host != _|_ {
      		  message: "Visiting URL: " + context.outputs.ingress.spec.rules[0].host
      		}
-        	if igs[0].host != _|_ {
+        	if host != _|_ {
      	    message: "Host not specified, visit the cluster or load balancer in front of the cluster"
      		}
        }
--- a/charts/vela-core/templates/defwithtemplate/generate-jdbc-connection.yaml
+++ b/charts/vela-core/templates/defwithtemplate/generate-jdbc-connection.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Terraform
    definition.oam.dev/description: Generate a JDBC connection based on Component of alibaba-rds
  name: generate-jdbc-connection
  namespace: {{ include "systemDefinitionNamespace" . }}
--- a/charts/vela-core/templates/defwithtemplate/init-container.yaml
+++ b/charts/vela-core/templates/defwithtemplate/init-container.yaml
@@ -27,6 +27,7 @@ spec:
        			mountPath: parameter.appMountPath
        		}]
        	}]
+        	// +patchKey=name
        	initContainers: [{
        		name:            parameter.name
        		image:           parameter.image
--- a/charts/vela-core/templates/defwithtemplate/k8s-update-strategy.yaml
+++ b/charts/vela-core/templates/defwithtemplate/k8s-update-strategy.yaml
@@ -0,0 +1,77 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/k8s-update-strategy.cue
+apiVersion: core.oam.dev/v1beta1
+kind: TraitDefinition
+metadata:
+  annotations:
+    definition.oam.dev/alias: ""
+    definition.oam.dev/description: Set k8s update strategy for Deployment/DaemonSet/StatefulSet
+  name: k8s-update-strategy
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  appliesToWorkloads:
+    - deployments.apps
+    - statefulsets.apps
+    - daemonsets.apps
+  conflictsWith: []
+  podDisruptive: false
+  schematic:
+    cue:
+      template: |
+        patch: spec: {
+        	if parameter.targetKind == "Deployment" && parameter.strategy.type != "OnDelete" {
+        		// +patchStrategy=retainKeys
+        		strategy: {
+        			type: parameter.strategy.type
+        			if parameter.strategy.type == "RollingUpdate" {
+        				rollingUpdate: {
+        					maxSurge:       parameter.strategy.rollingStrategy.maxSurge
+        					maxUnavailable: parameter.strategy.rollingStrategy.maxUnavailable
+        				}
+        			}
+        		}
+        	}
+
+        	if parameter.targetKind == "StatefulSet" && parameter.strategy.type != "Recreate" {
+        		// +patchStrategy=retainKeys
+        		updateStrategy: {
+        			type: parameter.strategy.type
+        			if parameter.strategy.type == "RollingUpdate" {
+        				rollingUpdate: partition: parameter.strategy.rollingStrategy.partition
+        			}
+        		}
+        	}
+
+        	if parameter.targetKind == "DaemonSet" && parameter.strategy.type != "Recreate" {
+        		// +patchStrategy=retainKeys
+        		updateStrategy: {
+        			type: parameter.strategy.type
+        			if parameter.strategy.type == "RollingUpdate" {
+        				rollingUpdate: {
+        					maxSurge:       parameter.strategy.rollingStrategy.maxSurge
+        					maxUnavailable: parameter.strategy.rollingStrategy.maxUnavailable
+        				}
+        			}
+        		}
+        	}
+
+        }
+        parameter: {
+        	// +usage=Specify the apiVersion of target
+        	targetAPIVersion: *"apps/v1" | string
+        	// +usage=Specify the kind of target
+        	targetKind: *"Deployment" | "StatefulSet" | "DaemonSet"
+        	// +usage=Specify the strategy of update
+        	strategy: {
+        		// +usage=Specify the strategy type
+        		type: *"RollingUpdate" | "Recreate" | "OnDelete"
+        		// +usage=Specify the parameters of rollong update strategy
+        		rollingStrategy?: {
+        			maxSurge:       *"25%" | string
+        			maxUnavailable: *"25%" | string
+        			partition:      *0 | int
+        		}
+        	}
+        }
+  workloadRefPath: ""
+
--- a/charts/vela-core/templates/defwithtemplate/list-config.yaml
+++ b/charts/vela-core/templates/defwithtemplate/list-config.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Config Management
    definition.oam.dev/description: List the configs
  name: list-config
  namespace: {{ include "systemDefinitionNamespace" . }}
--- a/charts/vela-core/templates/defwithtemplate/notification.yaml
+++ b/charts/vela-core/templates/defwithtemplate/notification.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: External Integration
    definition.oam.dev/description: Send notifications to Email, DingTalk, Slack, Lark or webhook in your workflow.
  name: notification
  namespace: {{ include "systemDefinitionNamespace" . }}
@@ -56,44 +57,41 @@ spec:
        		// +usage=Specify the message that you want to sent, refer to [dingtalk messaging](https://developers.dingtalk.com/document/robots/custom-robot-access/title-72m-8ag-pqw)
        		message: {
        			// +usage=Specify the message content of dingtalk notification
-        			text?: *null | close({
+        			text?: close({
        				content: string
        			})
        			// +usage=msgType can be text, link, mardown, actionCard, feedCard
        			msgtype: *"text" | "link" | "markdown" | "actionCard" | "feedCard"
-        			link?:   *null | close({
+        			#link: {
        				text?:       string
        				title?:      string
        				messageUrl?: string
        				picUrl?:     string
-        			})
-        			markdown?: *null | close({
+        			}
+
+        			link?:     #link
+        			markdown?: close({
        				text:  string
        				title: string
        			})
-        			at?: *null | close({
-        				atMobiles?: *null | [...string]
-        				isAtAll?:   bool
+        			at?: close({
+        				atMobiles?: [...string]
+        				isAtAll?: bool
        			})
-        			actionCard?: *null | close({
+        			actionCard?: close({
        				text:           string
        				title:          string
        				hideAvatar:     string
        				btnOrientation: string
        				singleTitle:    string
        				singleURL:      string
-        				btns:           *null | close([...*null | close({
+        				btns?: [...close({
        					title:     string
        					actionURL: string
-        				})])
+        				})]
        			})
-        			feedCard?: *null | close({
-        				links: *null | close([...*null | close({
-        					text?:       string
-        					title?:      string
-        					messageUrl?: string
-        					picUrl?:     string
-        				})])
+        			feedCard?: close({
+        				links: [...#link]
        			})
        		}
        	}
@@ -114,11 +112,11 @@ spec:
        		// +usage=Specify the message that you want to sent, refer to [slack messaging](https://api.slack.com/reference/messaging/payload)
        		message: {
        			// +usage=Specify the message text for slack notification
-        			text:         string
-        			blocks?:      *null | close([...block])
-        			attachments?: *null | close({
-        				blocks?: *null | close([...block])
-        				color?:  string
+        			text: string
+        			blocks?: [...block]
+        			attachments?: close({
+        				blocks?: [...block]
+        				color?: string
        			})
        			thread_ts?: string
        			// +usage=Specify the message text format in markdown for slack notification
--- a/charts/vela-core/templates/defwithtemplate/print-message-in-status.yaml
+++ b/charts/vela-core/templates/defwithtemplate/print-message-in-status.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Process Control
    definition.oam.dev/description: print message in workflow step status
  name: print-message-in-status
  namespace: {{ include "systemDefinitionNamespace" . }}
--- a/charts/vela-core/templates/defwithtemplate/read-config.yaml
+++ b/charts/vela-core/templates/defwithtemplate/read-config.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Config Management
    definition.oam.dev/description: Read a config
  name: read-config
  namespace: {{ include "systemDefinitionNamespace" . }}
--- a/charts/vela-core/templates/defwithtemplate/read-object.yaml
+++ b/charts/vela-core/templates/defwithtemplate/read-object.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Resource Management
    definition.oam.dev/description: Read Kubernetes objects from cluster for your workflow steps
  name: read-object
  namespace: {{ include "systemDefinitionNamespace" . }}
--- a/charts/vela-core/templates/defwithtemplate/read-only.yaml
+++ b/charts/vela-core/templates/defwithtemplate/read-only.yaml
@@ -13,7 +13,7 @@ spec:
      template: |
        #PolicyRule: {
        	// +usage=Specify how to select the targets of the rule
-        	selector: [...#RuleSelector]
+        	selector: #RuleSelector
        }
        #RuleSelector: {
        	// +usage=Select resources by component names
--- a/charts/vela-core/templates/defwithtemplate/request.yaml
+++ b/charts/vela-core/templates/defwithtemplate/request.yaml
@@ -4,9 +4,9 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: External Intergration
    definition.oam.dev/alias: ""
    definition.oam.dev/description: Send request to the url
-    definition.oam.dev/example-url: https://raw.githubusercontent.com/kubevela/workflow/main/examples/workflow-run/request.yaml
  name: request
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-core/templates/defwithtemplate/resource.yaml
+++ b/charts/vela-core/templates/defwithtemplate/resource.yaml
@@ -17,49 +17,56 @@ spec:
  schematic:
    cue:
      template: |
-        patch: spec: template: spec: containers: [...{
-        	resources: {
-        		if parameter.cpu != _|_ && parameter.memory != _|_ && parameter.requests == _|_ && parameter.limits == _|_ {
-        			requests: {
-        				cpu:    parameter.cpu
-        				memory: parameter.memory
+        patch: spec: template: spec: {
+        	// +patchKey=name
+        	containers: [{
+        		resources: {
+        			if parameter.cpu != _|_ if parameter.memory != _|_ if parameter.requests == _|_ if parameter.limits == _|_ {
+        				// +patchStrategy=retainKeys
+        				requests: {
+        					cpu:    parameter.cpu
+        					memory: parameter.memory
+        				}
+        				// +patchStrategy=retainKeys
+        				limits: {
+        					cpu:    parameter.cpu
+        					memory: parameter.memory
+        				}
        			}
-        			limits: {
-        				cpu:    parameter.cpu
-        				memory: parameter.memory
-        			}
-        		}

-        		if parameter.requests != _|_ {
-        			requests: {
-        				cpu:    parameter.requests.cpu
-        				memory: parameter.requests.memory
+        			if parameter.requests != _|_ {
+        				// +patchStrategy=retainKeys
+        				requests: {
+        					cpu:    parameter.requests.cpu
+        					memory: parameter.requests.memory
+        				}
+        			}
+        			if parameter.limits != _|_ {
+        				// +patchStrategy=retainKeys
+        				limits: {
+        					cpu:    parameter.limits.cpu
+        					memory: parameter.limits.memory
+        				}
        			}
        		}
-        		if parameter.limits != _|_ {
-        			limits: {
-        				cpu:    parameter.limits.cpu
-        				memory: parameter.limits.memory
-        			}
-        		}
-        	}
-        }]
+        	}]
+        }
        parameter: {
        	// +usage=Specify the amount of cpu for requests and limits
-        	cpu?: *1 | number
+        	cpu?: *1 | number | string
        	// +usage=Specify the amount of memory for requests and limits
        	memory?: *"2048Mi" | =~"^([1-9][0-9]{0,63})(E|P|T|G|M|K|Ei|Pi|Ti|Gi|Mi|Ki)$"
        	// +usage=Specify the resources in requests
        	requests?: {
        		// +usage=Specify the amount of cpu for requests
-        		cpu: *1 | number
+        		cpu: *1 | number | string
        		// +usage=Specify the amount of memory for requests
        		memory: *"2048Mi" | =~"^([1-9][0-9]{0,63})(E|P|T|G|M|K|Ei|Pi|Ti|Gi|Mi|Ki)$"
        	}
        	// +usage=Specify the resources in limits
        	limits?: {
        		// +usage=Specify the amount of cpu for limits
-        		cpu: *1 | number
+        		cpu: *1 | number | string
        		// +usage=Specify the amount of memory for limits
        		memory: *"2048Mi" | =~"^([1-9][0-9]{0,63})(E|P|T|G|M|K|Ei|Pi|Ti|Gi|Mi|Ki)$"
        	}
--- a/charts/vela-core/templates/defwithtemplate/share-cloud-resource.yaml
+++ b/charts/vela-core/templates/defwithtemplate/share-cloud-resource.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Application Delivery
    definition.oam.dev/description: Sync secrets created by terraform component to runtime clusters so that runtime clusters can share the created cloud resource.
  labels:
    custom.definition.oam.dev/scope: Application
--- a/charts/vela-core/templates/defwithtemplate/step-group.yaml
+++ b/charts/vela-core/templates/defwithtemplate/step-group.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Process Control
    definition.oam.dev/description: A special step that you can declare 'subSteps' in it, 'subSteps' is an array containing any step type whose valid parameters do not include the `step-group` step type itself. The sub steps were executed in parallel.
  name: step-group
  namespace: {{ include "systemDefinitionNamespace" . }}
--- a/charts/vela-core/templates/defwithtemplate/storage.yaml
+++ b/charts/vela-core/templates/defwithtemplate/storage.yaml
@@ -323,7 +323,7 @@ spec:
        			envName:   string
        			secretKey: string
        		}]
-        		mountPath?:  string
+        		mountPath:   string
        		subPath?:    string
        		defaultMode: *420 | int
        		readOnly:    *false | bool
--- a/charts/vela-core/templates/defwithtemplate/suspend.yaml
+++ b/charts/vela-core/templates/defwithtemplate/suspend.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Process Control
    definition.oam.dev/description: Suspend the current workflow, it can be resumed by 'vela workflow resume' command.
  name: suspend
  namespace: {{ include "systemDefinitionNamespace" . }}
@@ -11,8 +12,22 @@ spec:
  schematic:
    cue:
      template: |
+        import (
+        	"vela/op"
+        )
+
+        suspend: op.#Suspend & {
+        	if parameter.duration != _|_ {
+        		duration: parameter.duration
+        	}
+        	if parameter.message != _|_ {
+        		message: parameter.message
+        	}
+        }
        parameter: {
        	// +usage=Specify the wait duration time to resume workflow such as "30s", "1min" or "2m15s"
        	duration?: string
+        	// +usage=The suspend message to show
+        	message?: string
        }

--- a/charts/vela-core/templates/defwithtemplate/vela-cli.yaml
+++ b/charts/vela-core/templates/defwithtemplate/vela-cli.yaml
@@ -4,8 +4,8 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Scripts & Commands
    definition.oam.dev/description: Run a vela command
-    definition.oam.dev/example-url: https://raw.githubusercontent.com/kubevela/workflow/main/examples/workflow-run/apply-terraform-resource.yaml
  name: vela-cli
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-core/templates/defwithtemplate/webhook.yaml
+++ b/charts/vela-core/templates/defwithtemplate/webhook.yaml
@@ -4,7 +4,8 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
-    definition.oam.dev/description: Send a request to the specified Webhook URL. If no request body is specified, the current Application body will be sent by default.
+    custom.definition.oam.dev/category: External Intergration
+    definition.oam.dev/description: Send a POST request to the specified Webhook URL. If no request body is specified, the current Application body will be sent by default.
  name: webhook
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-core/templates/defwithtemplate/webservice.yaml
+++ b/charts/vela-core/templates/defwithtemplate/webservice.yaml
@@ -569,7 +569,13 @@ spec:
      		observedGeneration: context.output.status.observedGeneration
      	}
      }
-      isHealth: (context.output.spec.replicas == ready.readyReplicas) && (context.output.spec.replicas == ready.updatedReplicas) && (context.output.spec.replicas == ready.replicas) && (ready.observedGeneration == context.output.metadata.generation || ready.observedGeneration > context.output.metadata.generation)
+      _isHealth: (context.output.spec.replicas == ready.readyReplicas) && (context.output.spec.replicas == ready.updatedReplicas) && (context.output.spec.replicas == ready.replicas) && (ready.observedGeneration == context.output.metadata.generation || ready.observedGeneration > context.output.metadata.generation)
+      isHealth: *_isHealth | bool
+      if context.output.metadata.annotations != _|_ {
+      	if context.output.metadata.annotations["app.oam.dev/disable-health-check"] != _|_ {
+      		isHealth: true
+      	}
+      }
  workload:
    definition:
      apiVersion: apps/v1
--- a/charts/vela-core/templates/kubevela-controller.yaml
+++ b/charts/vela-core/templates/kubevela-controller.yaml
@@ -48,10 +48,12 @@ rules:
  - apiGroups: ["flowcontrol.apiserver.k8s.io"]
    resources: ["prioritylevelconfigurations", "flowschemas"]
    verbs: ["get", "list", "watch"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["*"]
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["*"]
-
 ---

 apiVersion: rbac.authorization.k8s.io/v1
@@ -85,6 +87,34 @@ subjects:
    namespace: {{ .Release.Namespace }}

 {{ end }}
+
+
+{{ if and .Values.sharding.enabled .Values.authentication.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "kubevela.fullname" . }}:shard-scheduler
+  namespace: {{ .Release.Namespace }}
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "kubevela.fullname" . }}:shard-scheduler
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "kubevela.fullname" . }}:shard-scheduler
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "kubevela.serviceAccountName" . }}
+{{ end }}
+
 ---
 # permissions to do leader election.
 apiVersion: rbac.authorization.k8s.io/v1
@@ -183,6 +213,9 @@ spec:
    metadata:
      labels:
    {{- include "kubevela.selectorLabels" . | nindent 8 }}
+        {{ if .Values.sharding.enabled }}
+        controller.core.oam.dev/shard-id: master
+        {{ end }}
      annotations:
          prometheus.io/path: /metrics
          prometheus.io/port: "8080"
@@ -217,12 +250,6 @@ spec:
            {{ if ne .Values.optimize.cachedGvks "" }}
            - "--optimize-cached-gvks={{ .Values.optimize.cachedGvks }}"
            {{ end }}
-            {{ if not .Values.optimize.resourceTrackerListOp }}
-            - "--optimize-resource-tracker-list-op=false"
-            {{ end }}
-            {{ if .Values.optimize.controllerReconcileLoopReduction }}
-            - "--optimize-controller-reconcile-loop-reduction"
-            {{ end }}
            {{ if .Values.optimize.markWithProb }}
            - "--optimize-mark-with-prob={{ .Values.optimize.markWithProb }}"
            {{ end }}
@@ -232,9 +259,6 @@ spec:
            {{ if .Values.optimize.disableApplicationRevision }}
            - "--optimize-disable-application-revision"
            {{ end }}
-            {{ if .Values.optimize.disableWorkflowRecorder }}
-            - "--optimize-disable-workflow-recorder"
-            {{ end }}
            {{ if .Values.optimize.enableInMemoryWorkflowContext }}
            - "--optimize-enable-in-memory-workflow-context"
            {{ end }}
@@ -254,6 +278,12 @@ spec:
            - "--oam-spec-ver={{ .Values.OAMSpecVer }}"
            {{ if .Values.multicluster.enabled }}
            - "--enable-cluster-gateway"
+            {{ if .Values.multicluster.clusterGateway.direct }}
+            - "--cluster-gateway-url={{ .Release.Name }}-cluster-gateway-service:9443"
+            {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
+            - "--cluster-gateway-ca-file=/cluster-gateway-tls-cert/ca"
+            {{ end }}
+            {{ end }}
            {{ end }}
            {{ if .Values.multicluster.metrics.enabled }}
            - "--enable-cluster-metrics"
@@ -272,9 +302,13 @@ spec:
            - "--feature-gates=ZstdResourceTracker={{- .Values.featureGates.zstdResourceTracker | toString -}}"
            - "--feature-gates=ApplyOnce={{- .Values.featureGates.applyOnce | toString -}}"
            - "--feature-gates=MultiStageComponentApply= {{- .Values.featureGates.multiStageComponentApply | toString -}}"
-            - "--feature-gates=GzipApplicationRevision={{- .Values.featureGates.gzipResourceTracker | toString -}}"
-            - "--feature-gates=ZstdApplicationRevision={{- .Values.featureGates.zstdResourceTracker | toString -}}"
+            - "--feature-gates=GzipApplicationRevision={{- .Values.featureGates.gzipApplicationRevision | toString -}}"
+            - "--feature-gates=ZstdApplicationRevision={{- .Values.featureGates.zstdApplicationRevision | toString -}}"
            - "--feature-gates=PreDispatchDryRun={{- .Values.featureGates.preDispatchDryRun | toString -}}"
+            - "--feature-gates=DisableBootstrapClusterInfo={{- .Values.featureGates.disableBootstrapClusterInfo | toString -}}"
+            - "--feature-gates=InformerCacheFilterUnnecessaryFields={{- .Values.featureGates.informerCacheFilterUnnecessaryFields | toString -}}"
+            - "--feature-gates=SharedDefinitionStorageForApplicationRevision={{- .Values.featureGates.sharedDefinitionStorageForApplicationRevision | toString -}}"
+            - "--feature-gates=DisableWorkflowContextConfigMapCache={{- .Values.featureGates.disableWorkflowContextConfigMapCache | toString -}}"
            {{ if .Values.authentication.enabled }}
            {{ if .Values.authentication.withUser }}
            - "--authentication-with-user"
@@ -282,6 +316,12 @@ spec:
            - "--authentication-default-user={{ .Values.authentication.defaultUser }}"
            - "--authentication-group-pattern={{ .Values.authentication.groupPattern }}"
            {{ end }}
+            {{ if .Values.sharding.enabled }}
+            - "--enable-sharding"
+            - "--schedulable-shards={{ .Values.sharding.schedulableShards }}"
+            - "--feature-gates=ValidateComponentWhenSharding={{- .Values.featureGates.validateComponentWhenSharding | toString -}}"
+            - "--feature-gates=DisableWebhookAutoSchedule={{- .Values.featureGates.disableWebhookAutoSchedule | toString -}}"
+            {{ end }}
          image: {{ .Values.imageRegistry }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
          imagePullPolicy: {{ quote .Values.image.pullPolicy }}
          resources:
@@ -310,6 +350,11 @@ spec:
            - mountPath: {{ .Values.admissionWebhooks.certificate.mountPath }}
              name: tls-cert-vol
              readOnly: true
+          {{ if and .Values.multicluster.enabled .Values.multicluster.clusterGateway.secureTLS.enabled .Values.multicluster.clusterGateway.direct }}
+            - mountPath: /cluster-gateway-tls-cert
+              name: tls-cert-vol-cg
+              readOnly: true
+          {{ end }}
          {{ end }}
      {{ if .Values.admissionWebhooks.enabled }}
      volumes:
@@ -317,15 +362,30 @@ spec:
          secret:
            defaultMode: 420
            secretName: {{ template "kubevela.fullname" . }}-admission
+      {{ if and .Values.multicluster.enabled .Values.multicluster.clusterGateway.secureTLS.enabled .Values.multicluster.clusterGateway.direct }}
+        - name: tls-cert-vol-cg
+          secret:
+            defaultMode: 420
+            secretName: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-v2
+      {{ end }}
      {{ end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
      {{- toYaml . | nindent 8 }}
      {{- end }}
-      {{- with .Values.affinity }}
      affinity:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
+      {{ if .Values.affinity }}
+        {{- toYaml .Values.affinity | nindent 8 }}
+      {{ else }}
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - podAffinityTerm:
+                labelSelector:
+                  matchLabels:
+                    {{- include "kubevela.selectorLabels" . | nindent 20 }}
+                topologyKey: kubernetes.io/hostname
+              weight: 100
+      {{ end }}
      {{- with .Values.tolerations }}
      tolerations:
    {{- toYaml . | nindent 8 }}
--- a/charts/vela-core/templates/velaql/component-pod.yaml
+++ b/charts/vela-core/templates/velaql/component-pod.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 data:
  template: |
      import (
-      "vela/ql"
+        "vela/ql"
      )

      parameter: {
@@ -55,9 +55,15 @@ data:
              phase: pod.object.status.phase
              // refer to https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase
              if phase != "Pending" && phase != "Unknown" {
-                podIP:    pod.object.status.podIP
-                hostIP:   pod.object.status.hostIP
-                nodeName: pod.object.spec.nodeName
+                if pod.object.podIP != _|_ {
+                  podIP: pod.object.status.podIP
+                }
+                if pod.object.hostIP != _|_ {
+                  hostIP: pod.object.status.hostIP
+                }
+                if pod.object.nodeName != _|_ {
+                  nodeName: pod.object.spec.nodeName
+                }
              }
            }
          }]
--- a/charts/vela-core/values.yaml
+++ b/charts/vela-core/values.yaml
@@ -85,23 +85,17 @@ healthCheck:

 ## @section KubeVela controller optimization parameters
 ##@param optimize.cachedGvks Optimize types of resources to be cached.
-##@param optimize.resourceTrackerListOp Optimize ResourceTracker List Op by adding index.
-##@param optimize.controllerReconcileLoopReduction Optimize ApplicationController reconcile by reducing the number of loops to reconcile application.
 ##@param optimize.markWithProb Optimize ResourceTracker GC by only run mark with probability. Side effect: outdated ResourceTracker might not be able to be removed immediately.
 ##@param optimize.disableComponentRevision Optimize componentRevision by disabling the creation and gc
 ##@param optimize.disableApplicationRevision Optimize ApplicationRevision by disabling the creation and gc.
-##@param optimize.disableWorkflowRecorder Optimize workflow recorder by disabling the creation and gc.
 ##@param optimize.enableInMemoryWorkflowContext Optimize workflow by use in-memory context.
 ##@param optimize.disableResourceApplyDoubleCheck Optimize workflow by ignoring resource double check after apply.
 ##@param optimize.enableResourceTrackerDeleteOnlyTrigger Optimize resourcetracker by only trigger reconcile when resourcetracker is deleted.
 optimize:
  cachedGvks: ""
-  resourceTrackerListOp: true
-  controllerReconcileLoopReduction: false
  markWithProb: 0.1
  disableComponentRevision: true
  disableApplicationRevision: false
-  disableWorkflowRecorder: false
  enableInMemoryWorkflowContext: false
  disableResourceApplyDoubleCheck: false
  enableResourceTrackerDeleteOnlyTrigger: true
@@ -114,26 +108,41 @@ optimize:
 ##@param featureGates.gzipApplicationRevision compress apprev using gzip (good) before being stored. This is reduces network throughput when dealing with huge apprevs.
 ##@param featureGates.zstdApplicationRevision compress apprev using zstd (fast and good) before being stored. This is reduces network throughput when dealing with huge apprevs. Note that zstd will be prioritized if you enable other compression options.
 ##@param featureGates.preDispatchDryRun enable dryrun before dispatching resources. Enable this flag can help prevent unsuccessful dispatch resources entering resourcetracker and improve the user experiences of gc but at the cost of increasing network requests.
+##@param featureGates.validateComponentWhenSharding enable component validation in webhook when sharding mode enabled
+##@param featureGates.disableWebhookAutoSchedule disable auto schedule for application mutating webhook when sharding enabled
+##@param featureGates.disableBootstrapClusterInfo disable the cluster info bootstrap at the starting of the controller
+##@param featureGates.informerCacheFilterUnnecessaryFields filter unnecessary fields for informer cache
+##@param featureGates.sharedDefinitionStorageForApplicationRevision use definition cache to reduce duplicated definition storage for application revision, must be used with InformerCacheFilterUnnecessaryFields
+##@param featureGates.disableWorkflowContextConfigMapCache disable the workflow context's configmap informer cache
 ##@param
 featureGates:
  enableLegacyComponentRevision: false
  gzipResourceTracker: false
  zstdResourceTracker: true
  applyOnce: false
-  multiStageComponentApply: false
+  multiStageComponentApply: true
  gzipApplicationRevision: false
  zstdApplicationRevision: true
  preDispatchDryRun: true
+  validateComponentWhenSharding: false
+  disableWebhookAutoSchedule: false
+  disableBootstrapClusterInfo: false
+  informerCacheFilterUnnecessaryFields: true
+  sharedDefinitionStorageForApplicationRevision: true
+  disableWorkflowContextConfigMapCache: true

 ## @section MultiCluster parameters

 ## @param multicluster.enabled Whether to enable multi-cluster
 ## @param multicluster.metrics.enabled Whether to enable multi-cluster metrics collect
+## @param multicluster.clusterGateway.direct controller will connect to ClusterGateway directly instead of going to Kubernetes APIServer
 ## @param multicluster.clusterGateway.replicaCount ClusterGateway replica count
 ## @param multicluster.clusterGateway.port ClusterGateway port
 ## @param multicluster.clusterGateway.image.repository ClusterGateway image repository
 ## @param multicluster.clusterGateway.image.tag ClusterGateway image tag
 ## @param multicluster.clusterGateway.image.pullPolicy ClusterGateway image pull policy
+## @param multicluster.clusterGateway.resources.requests.cpu ClusterGateway cpu request
+## @param multicluster.clusterGateway.resources.requests.memory ClusterGateway memory request
 ## @param multicluster.clusterGateway.resources.limits.cpu ClusterGateway cpu limit
 ## @param multicluster.clusterGateway.resources.limits.memory ClusterGateway memory limit
 ## @param multicluster.clusterGateway.secureTLS.enabled Whether to enable secure TLS
@@ -144,15 +153,19 @@ multicluster:
  metrics:
    enabled: false
  clusterGateway:
+    direct: true
    replicaCount: 1
    port: 9443
    image:
      repository: oamdev/cluster-gateway
-      tag: v1.7.0-alpha.3
+      tag: v1.8.0
      pullPolicy: IfNotPresent
    resources:
+      requests:
+        cpu: 50m
+        memory: 20Mi
      limits:
-        cpu: 100m
+        cpu: 500m
        memory: 200Mi
    secureTLS:
      enabled: true
@@ -253,11 +266,11 @@ admissionWebhooks:
    enabled: false
    revisionHistoryLimit: 3

-## @param kubeClient.qps The qps for reconcile clients, default is 100
-## @param kubeClient.burst The burst for reconcile clients, default is 200
+## @param kubeClient.qps The qps for reconcile clients
+## @param kubeClient.burst The burst for reconcile clients
 kubeClient:
-  qps: 100
-  burst: 200
+  qps: 400
+  burst: 600

 ## @param authentication.enabled Enable authentication for application
 ## @param authentication.withUser Application authentication will impersonate as the request User
@@ -268,3 +281,9 @@ authentication:
  withUser: true
  defaultUser: kubevela:vela-core
  groupPattern: kubevela:*
+
+## @param sharding.enabled When sharding enabled, the controller will run as master mode. Refer to https://github.com/kubevela/kubevela/blob/master/design/vela-core/sharding.md for details.
+## @param sharding.schedulableShards The shards available for scheduling. If empty, dynamic discovery will be used.
+sharding:
+  enabled: false
+  schedulableShards: ""
--- a/charts/vela-minimal/README.md
+++ b/charts/vela-minimal/README.md
@@ -65,10 +65,8 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-minimal --
 | `controllerArgs.reSyncPeriod` | The period for resync the applications                                                        | `5m`                 |
 | `OAMSpecVer`                  | OAMSpecVer is the oam spec version controller want to setup                                   | `minimal`            |
 | `disableCaps`                 | Disable capability                                                                            | `envbinding,rollout` |
-| `applyOnceOnly`               | Valid applyOnceOnly values: true/false/on/off/force                                           | `off`                |
 | `dependCheckWait`             | dependCheckWait is the time to wait for ApplicationConfiguration's dependent-resource ready   | `30s`                |

-
 ### KubeVela workflow parameters

 | Name                                   | Description                                            | Value   |
@@ -78,7 +76,6 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-minimal --
 | `workflow.backoff.maxTime.failedState` | The max backoff time of workflow in a failed condition | `300`   |
 | `workflow.step.errorRetryTimes`        | The max retry times of a failed workflow step          | `10`    |

-
 ### KubeVela controller parameters

 | Name                        | Description                          | Value              |
@@ -96,22 +93,28 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-minimal --
 | `webhookService.port`       | KubeVela webhook service port        | `9443`             |
 | `healthCheck.port`          | KubeVela health check port           | `9440`             |

+### KubeVela controller optimization parameters
+
+| Name                     | Description                                                                                                                           | Value   |
+| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `featureGates.applyOnce` | if enabled, the apply-once feature will be applied to all applications, no state-keep and no resource data storage in ResourceTracker | `false` |

 ### MultiCluster parameters

-| Name                                                  | Description                      | Value                            |
-| ----------------------------------------------------- | -------------------------------- | -------------------------------- |
-| `multicluster.enabled`                                | Whether to enable multi-cluster  | `true`                           |
-| `multicluster.clusterGateway.replicaCount`            | ClusterGateway replica count     | `1`                              |
-| `multicluster.clusterGateway.port`                    | ClusterGateway port              | `9443`                           |
-| `multicluster.clusterGateway.image.repository`        | ClusterGateway image repository  | `oamdev/cluster-gateway`         |
-| `multicluster.clusterGateway.image.tag`               | ClusterGateway image tag         | `v1.4.0`                         |
-| `multicluster.clusterGateway.image.pullPolicy`        | ClusterGateway image pull policy | `IfNotPresent`                   |
-| `multicluster.clusterGateway.resources.limits.cpu`    | ClusterGateway cpu limit         | `100m`                           |
-| `multicluster.clusterGateway.resources.limits.memory` | ClusterGateway memory limit      | `200Mi`                          |
-| `multicluster.clusterGateway.secureTLS.enabled`       | Whether to enable secure TLS     | `true`                           |
-| `multicluster.clusterGateway.secureTLS.certPath`      | Path to the certificate file     | `/etc/k8s-cluster-gateway-certs` |
-
+| Name                                                    | Description                      | Value                            |
+| ------------------------------------------------------- | -------------------------------- | -------------------------------- |
+| `multicluster.enabled`                                  | Whether to enable multi-cluster  | `true`                           |
+| `multicluster.clusterGateway.replicaCount`              | ClusterGateway replica count     | `1`                              |
+| `multicluster.clusterGateway.port`                      | ClusterGateway port              | `9443`                           |
+| `multicluster.clusterGateway.image.repository`          | ClusterGateway image repository  | `oamdev/cluster-gateway`         |
+| `multicluster.clusterGateway.image.tag`                 | ClusterGateway image tag         | `v1.8.0-alpha.3`                 |
+| `multicluster.clusterGateway.image.pullPolicy`          | ClusterGateway image pull policy | `IfNotPresent`                   |
+| `multicluster.clusterGateway.resources.requests.cpu`    | ClusterGateway cpu request       | `50m`                            |
+| `multicluster.clusterGateway.resources.requests.memory` | ClusterGateway memory request    | `20Mi`                           |
+| `multicluster.clusterGateway.resources.limits.cpu`      | ClusterGateway cpu limit         | `500m`                           |
+| `multicluster.clusterGateway.resources.limits.memory`   | ClusterGateway memory limit      | `200Mi`                          |
+| `multicluster.clusterGateway.secureTLS.enabled`         | Whether to enable secure TLS     | `true`                           |
+| `multicluster.clusterGateway.secureTLS.certPath`        | Path to the certificate file     | `/etc/k8s-cluster-gateway-certs` |

 ### Test parameters

@@ -122,7 +125,6 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-minimal --
 | `test.k8s.repository` | Test k8s repository | `oamdev/alpine-k8s`  |
 | `test.k8s.tag`        | Test k8s tag        | `1.18.2`             |

-
 ### Common parameters

 | Name                          | Description                                                                                                                | Value                |
--- a/charts/vela-minimal/crds/core.oam.dev_applicationrevisions.yaml
+++ b/charts/vela-minimal/crds/core.oam.dev_applicationrevisions.yaml
@@ -848,6 +848,7 @@ spec:
                            x-kubernetes-map-type: atomic
                          endTime:
                            format: date-time
+                            nullable: true
                            type: string
                          finished:
                            type: boolean
@@ -2162,6 +2163,8 @@ spec:
                            inputs:
                              description: StepInputs defines variable input of WorkflowStep
                              items:
+                                description: InputItem defines an input variable of
+                                  WorkflowStep
                                properties:
                                  from:
                                    type: string
@@ -2177,6 +2180,8 @@ spec:
                              description: StepOutputs defines output variable of
                                WorkflowStep
                              items:
+                                description: OutputItem defines an output variable
+                                  of WorkflowStep
                                properties:
                                  name:
                                    type: string
@@ -2283,6 +2288,8 @@ spec:
                                inputs:
                                  description: Inputs is the inputs of the step
                                  items:
+                                    description: InputItem defines an input variable
+                                      of WorkflowStep
                                    properties:
                                      from:
                                        type: string
@@ -2299,6 +2306,11 @@ spec:
                                    alias:
                                      type: string
                                  type: object
+                                mode:
+                                  description: Mode is only valid for sub steps, it
+                                    defines the mode of the sub steps
+                                  nullable: true
+                                  type: string
                                name:
                                  description: Name is the unique name of the workflow
                                    step.
@@ -2306,6 +2318,8 @@ spec:
                                outputs:
                                  description: Outputs is the outputs of the step
                                  items:
+                                    description: OutputItem defines an output variable
+                                      of WorkflowStep
                                    properties:
                                      name:
                                        type: string
@@ -2339,6 +2353,8 @@ spec:
                                      inputs:
                                        description: Inputs is the inputs of the step
                                        items:
+                                          description: InputItem defines an input
+                                            variable of WorkflowStep
                                          properties:
                                            from:
                                              type: string
@@ -2363,6 +2379,8 @@ spec:
                                        description: Outputs is the outputs of the
                                          step
                                        items:
+                                          description: OutputItem defines an output
+                                            variable of WorkflowStep
                                          properties:
                                            name:
                                              type: string
@@ -2806,6 +2824,7 @@ spec:
                            x-kubernetes-map-type: atomic
                          endTime:
                            format: date-time
+                            nullable: true
                            type: string
                          finished:
                            type: boolean
@@ -4138,6 +4157,7 @@ spec:
                        inputs:
                          description: Inputs is the inputs of the step
                          items:
+                            description: InputItem defines an input variable of WorkflowStep
                            properties:
                              from:
                                type: string
@@ -4153,12 +4173,19 @@ spec:
                            alias:
                              type: string
                          type: object
+                        mode:
+                          description: Mode is only valid for sub steps, it defines
+                            the mode of the sub steps
+                          nullable: true
+                          type: string
                        name:
                          description: Name is the unique name of the workflow step.
                          type: string
                        outputs:
                          description: Outputs is the outputs of the step
                          items:
+                            description: OutputItem defines an output variable of
+                              WorkflowStep
                            properties:
                              name:
                                type: string
@@ -4189,6 +4216,8 @@ spec:
                              inputs:
                                description: Inputs is the inputs of the step
                                items:
+                                  description: InputItem defines an input variable
+                                    of WorkflowStep
                                  properties:
                                    from:
                                      type: string
@@ -4212,6 +4241,8 @@ spec:
                              outputs:
                                description: Outputs is the outputs of the step
                                items:
+                                  description: OutputItem defines an output variable
+                                    of WorkflowStep
                                  properties:
                                    name:
                                      type: string
@@ -4942,6 +4973,7 @@ spec:
                    x-kubernetes-map-type: atomic
                  endTime:
                    format: date-time
+                    nullable: true
                    type: string
                  finished:
                    type: boolean
--- a/charts/vela-minimal/crds/core.oam.dev_applications.yaml
+++ b/charts/vela-minimal/crds/core.oam.dev_applications.yaml
@@ -774,6 +774,7 @@ spec:
                    x-kubernetes-map-type: atomic
                  endTime:
                    format: date-time
+                    nullable: true
                    type: string
                  finished:
                    type: boolean
@@ -933,6 +934,7 @@ spec:
                    inputs:
                      description: StepInputs defines variable input of WorkflowStep
                      items:
+                        description: InputItem defines an input variable of WorkflowStep
                        properties:
                          from:
                            type: string
@@ -947,6 +949,7 @@ spec:
                    outputs:
                      description: StepOutputs defines output variable of WorkflowStep
                      items:
+                        description: OutputItem defines an output variable of WorkflowStep
                        properties:
                          name:
                            type: string
@@ -1049,6 +1052,7 @@ spec:
                        inputs:
                          description: Inputs is the inputs of the step
                          items:
+                            description: InputItem defines an input variable of WorkflowStep
                            properties:
                              from:
                                type: string
@@ -1064,12 +1068,19 @@ spec:
                            alias:
                              type: string
                          type: object
+                        mode:
+                          description: Mode is only valid for sub steps, it defines
+                            the mode of the sub steps
+                          nullable: true
+                          type: string
                        name:
                          description: Name is the unique name of the workflow step.
                          type: string
                        outputs:
                          description: Outputs is the outputs of the step
                          items:
+                            description: OutputItem defines an output variable of
+                              WorkflowStep
                            properties:
                              name:
                                type: string
@@ -1100,6 +1111,8 @@ spec:
                              inputs:
                                description: Inputs is the inputs of the step
                                items:
+                                  description: InputItem defines an input variable
+                                    of WorkflowStep
                                  properties:
                                    from:
                                      type: string
@@ -1123,6 +1136,8 @@ spec:
                              outputs:
                                description: Outputs is the outputs of the step
                                items:
+                                  description: OutputItem defines an output variable
+                                    of WorkflowStep
                                  properties:
                                    name:
                                      type: string
@@ -1535,6 +1550,7 @@ spec:
                    x-kubernetes-map-type: atomic
                  endTime:
                    format: date-time
+                    nullable: true
                    type: string
                  finished:
                    type: boolean
--- a/charts/vela-minimal/templates/cluster-gateway.yaml
+++ b/charts/vela-minimal/templates/cluster-gateway.yaml
@@ -58,10 +58,19 @@ spec:
      nodeSelector:
      {{- toYaml . | nindent 8 }}
      {{- end }}
-      {{- with .Values.affinity }}
      affinity:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
+      {{ if .Values.affinity }}
+        {{- toYaml .Values.affinity | nindent 8 }}
+      {{ else }}
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - podAffinityTerm:
+                labelSelector:
+                  matchLabels:
+                    {{- include "kubevela-cluster-gateway.selectorLabels" . | nindent 20 }}
+                topologyKey: kubernetes.io/hostname
+              weight: 100
+      {{ end }}
      {{- with .Values.tolerations }}
      tolerations:
      {{- toYaml . | nindent 8 }}
--- a/charts/vela-minimal/templates/defwithtemplate/apply-component.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/apply-component.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Application Delivery
    definition.oam.dev/description: Apply a specific component and its corresponding traits in application
  labels:
    custom.definition.oam.dev/scope: Application
--- a/charts/vela-minimal/templates/defwithtemplate/apply-deployment.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/apply-deployment.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Resource Management
    definition.oam.dev/alias: ""
    definition.oam.dev/description: Apply deployment with specified image and cmd.
  name: apply-deployment
@@ -19,6 +20,7 @@ spec:
        )

        output: op.#Apply & {
+        	cluster: parameter.cluster
        	value: {
        		apiVersion: "apps/v1"
        		kind:       "Deployment"
@@ -28,6 +30,7 @@ spec:
        		}
        		spec: {
        			selector: matchLabels: "workflow.oam.dev/step-name": "\(context.name)-\(context.stepName)"
+        			replicas: parameter.replicas
        			template: {
        				metadata: labels: "workflow.oam.dev/step-name": "\(context.name)-\(context.stepName)"
        				spec: containers: [{
@@ -42,10 +45,12 @@ spec:
        	}
        }
        wait: op.#ConditionalWait & {
-        	continue: output.value.status.readyReplicas == 1
+        	continue: output.value.status.readyReplicas == parameter.replicas
        }
        parameter: {
-        	image: string
+        	image:    string
+        	replicas: *1 | int
+        	cluster:  *"" | string
        	cmd?: [...string]
        }

--- a/charts/vela-minimal/templates/defwithtemplate/apply-object.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/apply-object.yaml
@@ -4,9 +4,8 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Resource Management
    definition.oam.dev/description: Apply raw kubernetes objects for your workflow steps
-  labels:
-    custom.definition.oam.dev/ui-hidden: "true"
  name: apply-object
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-minimal/templates/defwithtemplate/apply-terraform-config.yaml
+++ b/charts/vela-minimal/templates/defwithtemplate/apply-terraform-config.yaml
@@ -4,9 +4,9 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Terraform
    definition.oam.dev/alias: ""
    definition.oam.dev/description: Apply terraform configuration in the step
-    definition.oam.dev/example-url: https://raw.githubusercontent.com/kubevela/workflow/main/examples/workflow-run/apply-terraform-resource.yaml
  name: apply-terraform-config
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/Show More
+++ b/Show More