add timeout&local-rate-limt annotations

Co-authored-by: 澄潭 <zty98751@alibaba-inc.com>

.github/ISSUE_TEMPLATE/FEATURE_REQUEST.md

@@ -1,6 +1,9 @@
 ---
 name: Feature Request
 about: Suggest an idea for Higress
+title: ''
+labels: ''
+assignees: ''
 
 ---
 
@@ -13,4 +16,4 @@ A clear and concise description of what you want to happen. You can explain more
 
 
 ## Other related information
-Add any other context or screenshots about the feature request here.
+Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: true
+contact_links:
+  - name: Ask a question 💬
+    url: https://github.com/alibaba/higress/discussions
+    about: Ask a question or request support for using Higress.

.github/ISSUE_TEMPLATE/non--crash-security--bug.md

@@ -1,10 +1,15 @@
 ---
-name: Bug Report
-about: If you would like to report an issue to Higress, please use this template.
-
+name: Non-{crash,security} bug
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
 
 ---
 
+**If you are reporting *any* crash or *any* potential security issue, *do not*
+open an issue in this repo. Please report the issue via [ASRC](https://security.alibaba.com/)(Alibaba Security Response Center) where the issue will be triaged appropriately.**
+
 - [ ] I have searched the [issues](https://github.com/alibaba/higress/issues) of this repository and believe that this is not a duplicate.
 
 ### Ⅰ. Issue Description
@@ -35,4 +40,4 @@ Just paste your stack trace here!
 
 - Higress version:  
 - OS :
-- Others:
+- Others:

.github/workflows/build-and-test.yaml

@@ -0,0 +1,188 @@
+name: "Build and Test"
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: ["*"]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: actions/setup-go@v3
+      with:
+        go-version: 1.19
+    # There are too many lint errors in current code bases
+    # uncomment when we decide what lint should be addressed or ignored.
+    # - run: make lint
+
+  coverage-test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Setup Golang Caches
+      uses: actions/cache@v3
+      with:
+        path: |-
+          ~/.cache/go-build
+          ~/go/pkg/mod
+        key: ${{ runner.os }}-go-${{ github.run_id }}
+        restore-keys: ${{ runner.os }}-go
+
+    - name: Setup Submodule Caches
+      uses: actions/cache@v3
+      with:
+        path: |-
+            envoy
+            istio
+            .git/modules
+        key: ${{ runner.os }}-submodules-new-${{ github.run_id }}
+        restore-keys: ${{ runner.os }}-submodules-new
+    
+    - run: git stash # restore patch
+
+    # test
+    - name: Run Coverage Tests
+      run: GOPROXY="https://proxy.golang.org,direct" make go.test.coverage
+    - name: Upload coverage to Codecov
+      uses: codecov/codecov-action@v3
+      with:
+        fail_ci_if_error: true
+        files: ./coverage.xml
+        verbose: true
+
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+    needs: [lint,coverage-test]
+    steps:
+      - name: "Checkout ${{ github.ref }}"
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: "Setup Go"
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+
+      - name: Setup Golang Caches
+        uses: actions/cache@v3
+        with:
+          path: |-
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-go
+
+      - name: Setup Submodule Caches
+        uses: actions/cache@v3
+        with:
+          path: |-
+            envoy
+            istio
+            .git/modules
+          key: ${{ runner.os }}-submodules-new-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-submodules-new
+
+      - run: git stash # restore patch
+
+      - name: "Build Higress Binary"
+        run: GOPROXY="https://proxy.golang.org,direct" make build
+
+      - name: Upload Higress Binary
+        uses: actions/upload-artifact@v3
+        with:
+          name: higress
+          path: out/
+
+  gateway-conformance-test:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+    - uses: actions/checkout@v3
+
+  higress-conformance-test:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+    - uses: actions/checkout@v3
+      
+    - name: "Setup Go"
+      uses: actions/setup-go@v3
+      with:
+        go-version: 1.19
+
+    - name: Setup Golang Caches
+      uses: actions/cache@v3
+      with:
+        path: |-
+          ~/.cache/go-build
+          ~/go/pkg/mod
+        key: ${{ runner.os }}-go-${{ github.run_id }}
+        restore-keys: |
+          ${{ runner.os }}-go
+      
+    - name: Setup Submodule Caches
+      uses: actions/cache@v3
+      with:
+        path: |-
+            envoy
+            istio
+            .git/modules
+        key: ${{ runner.os }}-submodules-new-${{ github.run_id }}
+        restore-keys: ${{ runner.os }}-submodules-new
+          
+    - run: git stash # restore patch
+
+    - name: "Run Higress E2E Conformance Tests"
+      run: GOPROXY="https://proxy.golang.org,direct" make higress-conformance-test
+      
+  higress-wasmplugin-test:
+    runs-on: ubuntu-latest
+    needs: [build]
+    strategy:
+      matrix:
+        # TODO(Xunzhuo): Enable C WASM Filters in CI
+        wasmPluginType: [ GO ]
+    steps:
+    - uses: actions/checkout@v3
+      
+    - name: "Setup Go"
+      uses: actions/setup-go@v3
+      with:
+        go-version: 1.19
+
+    - name: Setup Golang Caches
+      uses: actions/cache@v3
+      with:
+        path: |-
+          ~/.cache/go-build
+          ~/go/pkg/mod
+        key: ${{ runner.os }}-go-${{ github.run_id }}
+        restore-keys: |
+          ${{ runner.os }}-go
+      
+    - name: Setup Submodule Caches
+      uses: actions/cache@v3
+      with:
+        path: |-
+            envoy
+            istio
+            .git/modules
+        key: ${{ runner.os }}-submodules-new-${{ github.run_id }}
+        restore-keys: ${{ runner.os }}-submodules-new
+          
+    - run: git stash # restore patch
+
+    - name: "Run Ingress WasmPlugins Tests"
+      run: GOPROXY="https://proxy.golang.org,direct" PLUGIN_TYPE=${{ matrix.wasmPluginType }} make higress-wasmplugin-test
+
+  publish:
+    runs-on: ubuntu-latest
+    needs: [higress-conformance-test,gateway-conformance-test,higress-wasmplugin-test]
+    steps:
+    - uses: actions/checkout@v3

.github/workflows/build-and-test.yml

@@ -1,82 +0,0 @@
-name: "Build and Test"
-
-on:
-  push:
-    branches: [ main ]
-  pull_request:
-    branches: ["*"]
-
-jobs:
-  lint:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-    - uses: actions/setup-go@v3
-      with:
-        go-version: 1.19
-    # There are too many lint errors in current code bases
-    # uncomment when we decide what lint should be addressed or ignored.
-    # - run: make lint
-
-  coverage-test:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-
-    # test
-    - name: Run Coverage Tests
-      run: GOPROXY="https://proxy.golang.org,direct" make go.test.coverage
-    - name: Upload coverage to Codecov
-      uses: codecov/codecov-action@v3
-      with:
-        fail_ci_if_error: true
-        files: ./coverage.xml
-        verbose: true
-
-  build:
-    # The type of runner that the job will run on
-    runs-on: ubuntu-latest
-    needs: [lint,coverage-test]
-    steps:
-      - name: "Setup Go"
-        uses: actions/setup-go@v3
-        with:
-          go-version: 1.19
-
-      - name: "checkout ${{ github.ref }}"
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - name: "Build Higress Binary"
-        run: GOPROXY="https://proxy.golang.org,direct" make build
-
-      - name: Upload Higress Binary
-        uses: actions/upload-artifact@v3
-        with:
-          name: higress
-          path: out/
-
-  gateway-conformance-test:
-    runs-on: ubuntu-latest
-    needs: [build]
-    steps:
-    - uses: actions/checkout@v3
-
-  ingress-conformance-test:
-    runs-on: ubuntu-latest
-    needs: [build]
-    steps:
-    - name: "Setup Go"
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.19
-    - uses: actions/checkout@v3
-    - name: "Run Ingress Conformance Tests"
-      run: GOPROXY="https://proxy.golang.org,direct" make ingress-conformance-test
-
-  publish:
-    runs-on: ubuntu-latest
-    needs: [ingress-conformance-test,gateway-conformance-test]
-    steps:
-    - uses: actions/checkout@v3

.github/workflows/build-image-and-push.yaml

@@ -0,0 +1,207 @@
+name: Build Docker Images and Push to Image Registry
+
+on:
+  push:
+    tags:
+    - "v*.*.*"
+  workflow_dispatch: ~
+
+jobs:
+  build-controller-image:
+    runs-on: ubuntu-latest
+    environment:
+      name: image-registry-controller
+    env:
+      CONTROLLER_IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY || 'higress-registry.cn-hangzhou.cr.aliyuncs.com' }}
+      CONTROLLER_IMAGE_NAME: ${{ vars.CONTROLLER_IMAGE_NAME || 'higress/higress' }}
+    steps:
+      - name: "Checkout ${{ github.ref }}"
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
+
+      - name: "Setup Go"
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+
+      - name: Setup Golang Caches
+        uses: actions/cache@v3
+        with:
+          path: |-
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-go
+
+      - name: Setup Submodule Caches
+        uses: actions/cache@v3
+        with:
+          path: |-
+            envoy
+            istio
+            .git/modules
+          key: ${{ runner.os }}-submodules-new-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-submodules-new
+
+      - name: Calculate Docker metadata
+        id: docker-meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ${{ env.CONTROLLER_IMAGE_REGISTRY }}/${{ env.CONTROLLER_IMAGE_NAME }}
+          tags: |
+            type=sha
+            type=ref,event=tag
+            type=semver,pattern={{version}}
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
+
+      - name: Login to Docker Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.CONTROLLER_IMAGE_REGISTRY }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Build Docker Image and Push
+        run: |
+          GOPROXY="https://proxy.golang.org,direct" make docker-buildx-push
+          BUILT_IMAGE="higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/higress"
+          readarray -t IMAGES <<< "${{ steps.docker-meta.outputs.tags }}"
+          for image in ${IMAGES[@]}; do
+            echo "Image: $image"
+            docker buildx imagetools create $BUILT_IMAGE:$GITHUB_SHA --tag $image
+          done
+
+  build-pilot-image:
+    runs-on: ubuntu-latest
+    environment:
+      name: image-registry-pilot
+    env:
+      PILOT_IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY || 'higress-registry.cn-hangzhou.cr.aliyuncs.com' }}
+      PILOT_IMAGE_NAME: ${{ vars.PILOT_IMAGE_NAME || 'higress/pilot' }}
+    steps:
+      - name: "Checkout ${{ github.ref }}"
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
+
+      - name: "Setup Go"
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+
+      - name: Setup Golang Caches
+        uses: actions/cache@v3
+        with:
+          path: |-
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-go
+
+      - name: Setup Submodule Caches
+        uses: actions/cache@v3
+        with:
+          path: |-
+            envoy
+            istio
+            .git/modules
+          key: ${{ runner.os }}-submodules-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-submodules-new
+
+      - name: Calculate Docker metadata
+        id: docker-meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ${{ env.PILOT_IMAGE_REGISTRY }}/${{ env.PILOT_IMAGE_NAME }}
+          tags: |
+            type=sha
+            type=ref,event=tag
+            type=semver,pattern={{version}}
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
+
+      - name: Login to Docker Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.PILOT_IMAGE_REGISTRY }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Build Pilot-Discovery Image and Push
+        run: |
+          GOPROXY="https://proxy.golang.org,direct" make build-istio
+          BUILT_IMAGE="higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/pilot"
+          readarray -t IMAGES <<< "${{ steps.docker-meta.outputs.tags }}"
+          for image in ${IMAGES[@]}; do
+            echo "Image: $image"
+            docker buildx imagetools create $BUILT_IMAGE:$GITHUB_SHA --tag $image
+          done
+
+
+  build-gateway-image:
+    runs-on: ubuntu-latest
+    environment:
+      name: image-registry-pilot
+    env:
+      GATEWAY_IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY || 'higress-registry.cn-hangzhou.cr.aliyuncs.com' }}
+      GATEWAY_IMAGE_NAME: ${{ vars.GATEWAY_IMAGE_NAME || 'higress/gateway' }}
+    steps:
+      - name: "Checkout ${{ github.ref }}"
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
+
+      - name: "Setup Go"
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+
+      - name: Setup Golang Caches
+        uses: actions/cache@v3
+        with:
+          path: |-
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-go
+
+      - name: Setup Submodule Caches
+        uses: actions/cache@v3
+        with:
+          path: |-
+            envoy
+            istio
+            .git/modules
+          key: ${{ runner.os }}-submodules-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-submodules-new
+
+      - name: Calculate Docker metadata
+        id: docker-meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ${{ env.GATEWAY_IMAGE_REGISTRY }}/${{ env.GATEWAY_IMAGE_NAME }}
+          tags: |
+            type=sha
+            type=ref,event=tag
+            type=semver,pattern={{version}}
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
+
+      - name: Login to Docker Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.GATEWAY_IMAGE_REGISTRY }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}            
+          
+      - name: Build Gateway Image and Push
+        run: |
+          GOPROXY="https://proxy.golang.org,direct" make build-gateway
+          BUILT_IMAGE="higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/proxyv2"
+          readarray -t IMAGES <<< "${{ steps.docker-meta.outputs.tags }}"
+          for image in ${IMAGES[@]}; do
+            echo "Image: $image"
+            docker buildx imagetools create $BUILT_IMAGE:$GITHUB_SHA --tag $image
+          done

.github/workflows/deploy-standalone-to-oss.yaml

@@ -0,0 +1,37 @@
+name: Deploy Standalone to OSS
+
+on:
+  push:
+    tags:
+    - "v*.*.*"
+  workflow_dispatch: ~
+
+jobs:
+  deploy-to-oss:
+    runs-on: ubuntu-latest
+    environment:
+      name: oss
+    steps:
+      # Step 1
+      - name: Checkout
+        uses: actions/checkout@v3
+      # Step 2
+      - id: package
+        name: Prepare Standalone Package
+        run: |
+          mkdir ./artifact
+          cp ./tools/get-higress.sh ./artifact
+          LOCAL_RELEASE_URL="https://github.com/higress-group/higress-standalone/releases"
+          VERSION=$(curl -Ls $LOCAL_RELEASE_URL | grep 'href="/higress-group/higress-standalone/releases/tag/v[0-9]*.[0-9]*.[0-9]*\"' | sed -E 's/.*\/higress-group\/higress-standalone\/releases\/tag\/(v[0-9\.]+)".*/\1/g' | head -1)
+          DOWNLOAD_URL="https://github.com/higress-group/higress-standalone/archive/refs/tags/${VERSION}.tar.gz"
+          curl -SsL "$DOWNLOAD_URL" -o "./artifact/higress-${VERSION}.tar.gz"
+          echo -n "$VERSION" > ./artifact/VERSION
+          echo "Version=$VERSION"
+      # Step 3
+      - name: Upload to OSS
+        uses: doggycool/ossutil-github-action@master
+        with:
+          ossArgs: 'cp -r -u ./artifact/ oss://higress-website-cn-hongkong/standalone/'
+          accessKey: ${{ secrets.ACCESS_KEYID }}
+          accessSecret: ${{ secrets.ACCESS_KEYSECRET }}
+          endpoint: oss-cn-hongkong.aliyuncs.com

.github/workflows/deploy-to-oss.yaml

@@ -0,0 +1,54 @@
+name: Deploy Artifacts to OSS
+
+on:
+  push:
+    tags:
+    - "v*.*.*"
+  workflow_dispatch: ~
+
+jobs:
+  deploy-to-oss:
+    runs-on: ubuntu-latest
+    environment:
+      name: oss
+    steps:
+      # Step 1
+      - name: Checkout
+        uses: actions/checkout@v3
+      # Step 2
+      - name: Download Helm Charts Index
+        uses: doggycool/ossutil-github-action@master
+        with:
+          ossArgs: 'cp -r -u oss://higress-website-cn-hongkong/helm-charts/index.yaml ./artifact/'
+          accessKey: ${{ secrets.ACCESS_KEYID }}
+          accessSecret: ${{ secrets.ACCESS_KEYSECRET }}
+          endpoint: oss-cn-hongkong.aliyuncs.com
+      # Step 3
+      - id: calc-version
+        name: Calculate Version Number
+        run: |
+          version=$(echo ${{ github.ref_name }} | cut -c2-)
+          echo "Version=$version"
+          echo "version=$version" >> $GITHUB_OUTPUT
+      # Step 4
+      - name: Build Artifact
+        uses: stefanprodan/kube-tools@v1
+        with:
+          helmv3: 3.7.2
+          command: |
+            cp api/kubernetes/customresourcedefinitions.gen.yaml helm/core/crds
+            helmv3 repo add higress.io https://higress.io/helm-charts
+            helmv3 package helm/core --debug --app-version ${{steps.calc-version.outputs.version}} --version ${{steps.calc-version.outputs.version}} -d ./artifact
+            helmv3 dependency build helm/higress
+            helmv3 package helm/higress --debug --app-version ${{steps.calc-version.outputs.version}} --version ${{steps.calc-version.outputs.version}} -d ./artifact
+            helmv3 repo index --url https://higress.io/helm-charts/ --merge ./artifact/index.yaml ./artifact
+            cp ./artifact/index.yaml ./artifact/cn-index.yaml
+            sed -i 's/higress\.io/higress\.cn/g' ./artifact/cn-index.yaml
+      # Step 5
+      - name: Upload to OSS
+        uses: doggycool/ossutil-github-action@master
+        with:
+          ossArgs: 'cp -r -u ./artifact/ oss://higress-website-cn-hongkong/helm-charts/'
+          accessKey: ${{ secrets.ACCESS_KEYID }}
+          accessSecret: ${{ secrets.ACCESS_KEYSECRET }}
+          endpoint: oss-cn-hongkong.aliyuncs.com

.github/workflows/latest-release.yaml

@@ -0,0 +1,68 @@
+name: Latest Release
+
+on:
+  push:
+    branches:
+    - "main"
+
+jobs:
+  latest-release:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Build hgctl latest multiarch binaries
+      run: | 
+        GOPROXY="https://proxy.golang.org,direct" make build-hgctl-multiarch
+        tar -zcvf hgctl_latest_linux_amd64.tar.gz out/linux_amd64/
+        tar -zcvf hgctl_latest_linux_arm64.tar.gz out/linux_arm64/
+        tar -zcvf hgctl_latest_darwin_amd64.tar.gz out/darwin_amd64/
+        tar -zcvf hgctl_latest_darwin_arm64.tar.gz out/darwin_arm64/
+
+    # Ignore the error when we delete the latest release, it might not exist.
+
+    # GitHub APIs take sometime to make effect, we should make sure before Recreate the Latest Release and Tag,
+    # tag and release all get deleted. So we sleep sometime after deleting tag and release to wait for it taking effect.
+
+    - name: Delete the Latest Release
+      continue-on-error: true
+      run: |
+        gh release delete latest --repo $GITHUB_REPOSITORY
+        sleep 4
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GITHUB_REPOSITORY: ${{ github.repository_owner }}/${{ github.event.repository.name }}
+
+    # Ignore the error when we delete the latest tag, it might not exist.
+    - name: Delete the Latest Tag
+      continue-on-error: true
+      run: |
+        gh api --method DELETE /repos/$GITHUB_REPOSITORY/git/refs/tags/latest
+        sleep 4
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GITHUB_REPOSITORY: ${{ github.repository_owner }}/${{ github.event.repository.name }}
+
+    - name: Recreate the Latest Release and Tag
+      uses: softprops/action-gh-release@v1
+      with:
+        draft: false
+        prerelease: true
+        tag_name: latest
+        files: |
+          hgctl_latest_linux_amd64.tar.gz
+          hgctl_latest_linux_arm64.tar.gz
+          hgctl_latest_darwin_amd64.tar.gz
+          hgctl_latest_darwin_arm64.tar.gz
+        body: |
+          This is the "latest" release of **Higress**, which contains the most recent commits from the main branch.
+          
+          This release **might not be stable**.
+
+          It is only intended for developers wishing to try out the latest features in Higress, some of which may not be fully implemented.
+
+          Try latest version of `hgctl` with:
+
+          ``` shell
+            curl -Ls https://raw.githubusercontent.com/alibaba/higress/main/tools/hack/get-hgctl.sh | VERSION=latest bash
+          ```

.gitignore

@@ -6,8 +6,12 @@ out
 .DS_Store
 coverage.xml
 .idea/
+.vscode/
 bazel-bin
 bazel-out
 bazel-testlogs
 bazel-wasm-cpp
 tools/bin/
+helm/**/charts/**.tgz
+target/
+tools/hack/cluster.conf

.licenserc.yaml

@@ -26,6 +26,8 @@ header:
     - 'VERSION'
     - 'tools/'
     - 'test/README.md'
+    - 'pkg/cmd/hgctl/testdata/config'
+    - 'pkg/cmd/hgctl/manifests'
 
   comment: on-failure
 dependency:

CODEOWNERS

@@ -1,4 +1,10 @@
-# Top level
-* @johnlanni @SpecialYang @Lynskylate @gengleilei @NameHaibinZhang
+/api @johnlanni 
+/envoy @gengleilei @johnlanni @Lynskylate
+/istio @SpecialYang @johnlanni
+/pkg @SpecialYang @johnlanni @Charlie17Li @Xunzhuo
+/plugins @johnlanni
+/registry @NameHaibinZhang @johnlanni
+/test @Xunzhuo
+/tools @johnlanni @Xunzhuo
+
 
-# TODO Add code reviewers for subdirectory.

CONTRIBUTING_CN.md

@@ -27,7 +27,7 @@
 
 ## 报告一般问题
 
-老实说，我们把每一个 Higress 用户都视为非常善良的贡献者。在体验了 Higress 之后，您可能会对项目有一些反馈。然后随时通过 [NEW ISSUE](https://github. com/alibaba/higress/issues/new/choose)打开一个问题。
+老实说，我们把每一个 Higress 用户都视为非常善良的贡献者。在体验了 Higress 之后，您可能会对项目有一些反馈。然后随时通过 [NEW ISSUE](https://github.com/alibaba/higress/issues/new/choose)打开一个问题。
 
 因为我们在一个分布式的方式合作项目Higress，我们欣赏写得很好的，详细的，准确的问题报告。为了让沟通更高效，我们希望每个人都可以搜索您的问题是否在搜索列表中。如果您发现它存在，请在现有问题下的评论中添加您的详细信息，而不是打开一个全新的问题。
 

CONTRIBUTING_EN.md

@@ -28,8 +28,7 @@ Security issues are always treated seriously. As our usual principle, we discour
 ## Reporting general issues
 
 To be honest, we regard every user of Higress as a very kind contributor. After experiencing Higress, you may have 
-some feedback for the project. Then feel free to open an issue via [NEW ISSUE](https://github.
-com/alibaba/higress/issues/new/choose).
+some feedback for the project. Then feel free to open an issue via [NEW ISSUE](https://github.com/alibaba/higress/issues/new/choose).
 
 Since we collaborate project Higress in a distributed way, we appreciate **WELL-WRITTEN**, **DETAILED**, **EXPLICIT** issue reports. To make the communication more efficient, we wish everyone could search if your issue is an existing one in the searching list. If you find it existing, please add your details in comments under the existing issue instead of opening a brand new one.
 

Makefile.core.mk

@@ -6,17 +6,28 @@ export HUB ?= higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
 
 export CHARTS ?= higress-registry.cn-hangzhou.cr.aliyuncs.com/charts
 
+VERSION_PACKAGE := github.com/alibaba/higress/pkg/cmd/version
+
+GIT_COMMIT:=$(shell git rev-parse HEAD)
+
+GO_LDFLAGS += -X $(VERSION_PACKAGE).higressVersion=$(shell cat VERSION) \
+	-X $(VERSION_PACKAGE).gitCommitID=$(GIT_COMMIT)
+
 GO ?= go
 
 export GOPROXY ?= https://proxy.golang.com.cn,direct
 
+TARGET_ARCH ?= amd64
+
 GOARCH_LOCAL := $(TARGET_ARCH)
 GOOS_LOCAL := $(TARGET_OS)
-RELEASE_LDFLAGS='-extldflags -static -s -w'
+RELEASE_LDFLAGS='$(GO_LDFLAGS) -extldflags -static -s -w'
 
 export OUT:=$(TARGET_OUT)
 export OUT_LINUX:=$(TARGET_OUT_LINUX)
 
+BUILDX_PLATFORM ?=
+
 # If tag not explicitly set in users' .istiorc.mk or command line, default to the git sha.
 TAG ?= $(shell git rev-parse --verify HEAD)
 ifeq ($(TAG),)
@@ -32,7 +43,9 @@ endif
 
 HIGRESS_DOCKER_BUILD_TOP:=${OUT_LINUX}/docker_build
 
-BINARIES:=./cmd/higress
+HIGRESS_BINARIES:=./cmd/higress
+
+HGCTL_BINARIES:=./cmd/hgctl
 
 $(OUT):
 	@mkdir -p $@
@@ -40,6 +53,7 @@ $(OUT):
 submodule:
 	git submodule update --init
 
+.PHONY: prebuild
 prebuild: submodule
 	./tools/hack/prebuild.sh
 
@@ -52,11 +66,32 @@ go.test.coverage: prebuild
 
 .PHONY: build
 build: prebuild $(OUT)
-	GOPROXY=$(GOPROXY) GOOS=$(GOOS_LOCAL) GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh $(OUT)/ $(BINARIES)
+	GOPROXY=$(GOPROXY) GOOS=$(GOOS_LOCAL) GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh $(OUT)/ $(HIGRESS_BINARIES)
 
 .PHONY: build-linux
 build-linux: prebuild $(OUT)
-	GOPROXY=$(GOPROXY) GOOS=linux GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh $(OUT_LINUX)/ $(BINARIES)
+	GOPROXY=$(GOPROXY) GOOS=linux GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh $(OUT_LINUX)/ $(HIGRESS_BINARIES)
+
+$(AMD64_OUT_LINUX)/higress:
+	GOPROXY=$(GOPROXY) GOOS=linux GOARCH=amd64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/linux_amd64/ $(HIGRESS_BINARIES)
+
+$(ARM64_OUT_LINUX)/higress:
+	GOPROXY=$(GOPROXY) GOOS=linux GOARCH=arm64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/linux_arm64/ $(HIGRESS_BINARIES)
+
+.PHONY: build-hgctl
+build-hgctl: prebuild $(OUT)
+	GOPROXY=$(GOPROXY) GOOS=$(GOOS_LOCAL) GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh $(OUT)/ $(HGCTL_BINARIES)
+
+.PHONY: build-linux-hgctl
+build-linux-hgctl: prebuild $(OUT)
+	GOPROXY=$(GOPROXY) GOOS=linux GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh $(OUT_LINUX)/ $(HGCTL_BINARIES)
+
+.PHONY: build-hgctl-multiarch
+build-hgctl-multiarch: prebuild $(OUT)
+	GOPROXY=$(GOPROXY) GOOS=linux GOARCH=amd64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/linux_amd64/ $(HGCTL_BINARIES)
+	GOPROXY=$(GOPROXY) GOOS=linux GOARCH=arm64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/linux_arm64/ $(HGCTL_BINARIES)
+	GOPROXY=$(GOPROXY) GOOS=darwin GOARCH=amd64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/darwin_amd64/ $(HGCTL_BINARIES)
+	GOPROXY=$(GOPROXY) GOOS=darwin GOARCH=arm64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/darwin_arm64/ $(HGCTL_BINARIES)
 
 # Create targets for OUT_LINUX/binary
 # There are two use cases here:
@@ -73,14 +108,14 @@ $(OUT_LINUX)/$(shell basename $(1)): $(OUT_LINUX)
 endif
 endef
 
-$(foreach bin,$(BINARIES),$(eval $(call build-linux,$(bin),"")))
+$(foreach bin,$(HIGRESS_BINARIES),$(eval $(call build-linux,$(bin),"")))
 
 # Create helper targets for each binary, like "pilot-discovery"
 # As an optimization, these still build everything
-$(foreach bin,$(BINARIES),$(shell basename $(bin))): build
+$(foreach bin,$(HIGRESS_BINARIES),$(shell basename $(bin))): build
 ifneq ($(OUT_LINUX),$(LOCAL_OUT))
 # if we are on linux already, then this rule is handled by build-linux above, which handles BUILD_ALL variable
-$(foreach bin,$(BINARIES),${LOCAL_OUT}/$(shell basename $(bin))): build
+$(foreach bin,$(HIGRESS_BINARIES),${LOCAL_OUT}/$(shell basename $(bin))): build
 endif
 
 .PHONY: push
@@ -90,59 +125,76 @@ include docker/docker.mk
 
 docker-build: docker.higress ## Build and push docker images to registry defined by $HUB and $TAG
 
+docker-buildx-push: clean-env docker.higress-buildx
+
+docker-build-base:
+	docker buildx build --no-cache --platform linux/amd64,linux/arm64 -t ${HUB}/base:${BASE_VERSION} -f docker/Dockerfile.base . --push
+
 export PARENT_GIT_TAG:=$(shell cat VERSION)
 export PARENT_GIT_REVISION:=$(TAG)
 
 export ENVOY_TAR_PATH:=/home/package/envoy.tar.gz
 
-build-istio: prebuild
-	cd external/istio; GOOS_LOCAL=linux TARGET_OS=linux TARGET_ARCH=amd64 BUILD_WITH_CONTAINER=1 DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.pilot" make docker
+external/package/envoy-amd64.tar.gz:
+#	cd external/proxy; BUILD_WITH_CONTAINER=1  make test_release
+	cd external/package; wget "https://github.com/alibaba/higress/releases/download/v1.2.0/envoy-amd64.tar.gz"
 
-external/package/envoy.tar.gz:
-	cd external/proxy; BUILD_WITH_CONTAINER=1  make test_release
+external/package/envoy-arm64.tar.gz:
+#	cd external/proxy; BUILD_WITH_CONTAINER=1  make test_release
+	cd external/package; wget "https://github.com/alibaba/higress/releases/download/v1.2.0/envoy-arm64.tar.gz"
 
-build-gateway: prebuild external/package/envoy.tar.gz
-	cd external/istio; GOOS_LOCAL=linux TARGET_OS=linux TARGET_ARCH=amd64 BUILD_WITH_CONTAINER=1 DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.proxyv2" make docker
+build-pilot:
+	cd external/istio; rm -rf out/linux_amd64; GOOS_LOCAL=linux TARGET_OS=linux TARGET_ARCH=amd64 BUILD_WITH_CONTAINER=1 make build-linux
+	cd external/istio; rm -rf out/linux_arm64; GOOS_LOCAL=linux TARGET_OS=linux TARGET_ARCH=arm64 BUILD_WITH_CONTAINER=1 make build-linux
+
+build-pilot-local:
+	cd external/istio; rm -rf out/linux_${GOARCH_LOCAL}; GOOS_LOCAL=linux TARGET_OS=linux TARGET_ARCH=${GOARCH_LOCAL} BUILD_WITH_CONTAINER=1 make build-linux
+
+build-gateway: prebuild external/package/envoy-amd64.tar.gz external/package/envoy-arm64.tar.gz build-pilot
+	cd external/istio; BUILD_WITH_CONTAINER=1 BUILDX_PLATFORM=true DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.proxyv2" make docker
+
+build-gateway-local: prebuild external/package/envoy-amd64.tar.gz external/package/envoy-arm64.tar.gz build-pilot
+	cd external/istio; rm -rf out/linux_${GOARCH_LOCAL}; GOOS_LOCAL=linux TARGET_OS=linux BUILD_WITH_CONTAINER=1 BUILDX_PLATFORM=false DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.proxyv2" make docker
+
+build-istio: prebuild build-pilot
+	cd external/istio; BUILD_WITH_CONTAINER=1 BUILDX_PLATFORM=true DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.pilot" make docker
+
+build-istio-local: prebuild build-pilot-local
+	cd external/istio; rm -rf out/linux_${GOARCH_LOCAL}; GOOS_LOCAL=linux TARGET_OS=linux BUILD_WITH_CONTAINER=1 BUILDX_PLATFORM=false DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.pilot" make docker
+
+build-wasmplugins:
+	./tools/hack/build-wasm-plugins.sh
 
 pre-install:
-	cp api/kubernetes/customresourcedefinitions.gen.yaml helm/higress/crds
-	cd helm/istio; helm dependency update
-	cd helm/kind/higress; helm dependency update
-	cd helm/kind/istio; helm dependency update
+	cp api/kubernetes/customresourcedefinitions.gen.yaml helm/core/crds
 
 define create_ns
    kubectl get namespace | grep $(1) || kubectl create namespace $(1)
 endef
 
 install: pre-install
-	helm install higress helm/kind/higress -n higress-system --create-namespace
+	cd helm/higress; helm dependency build
+	helm install higress helm/higress -n higress-system --create-namespace --set 'global.local=true'
 
-ENVOY_LATEST_IMAGE_TAG ?= 0.6.0
-ISTIO_LATEST_IMAGE_TAG ?= 0.6.0
+ENVOY_LATEST_IMAGE_TAG ?= sha-34054f8
+ISTIO_LATEST_IMAGE_TAG ?= sha-34054f8
 
 install-dev: pre-install
-	helm install higress helm/higress -n higress-system --create-namespace --set-json='controller.tag="$(TAG)"' --set-json='gateway.replicas=1' --set-json='gateway.tag="$(ENVOY_LATEST_IMAGE_TAG)"' --set-json='global.kind=true'
+	helm install higress helm/core -n higress-system --create-namespace --set 'controller.tag=$(TAG)' --set 'gateway.replicas=1' --set 'pilot.tag=$(ISTIO_LATEST_IMAGE_TAG)' --set 'gateway.tag=$(ENVOY_LATEST_IMAGE_TAG)' --set 'global.local=true'
+install-dev-wasmplugin: build-wasmplugins pre-install
+	helm install higress helm/core -n higress-system --create-namespace --set 'controller.tag=$(TAG)' --set 'gateway.replicas=1' --set 'pilot.tag=$(ISTIO_LATEST_IMAGE_TAG)' --set 'gateway.tag=$(ENVOY_LATEST_IMAGE_TAG)' --set 'global.local=true'  --set 'global.volumeWasmPlugins=true'
 
 uninstall:
 	helm uninstall higress -n higress-system
 
 upgrade: pre-install
-	helm upgrade higress helm/kind/higress -n higress-system
+	cd helm/higress; helm dependency build
+	helm upgrade higress helm/higress -n higress-system --set 'global.local=true'
 
 helm-push:
-	cp api/kubernetes/customresourcedefinitions.gen.yaml helm/higress/crds
+	cp api/kubernetes/customresourcedefinitions.gen.yaml helm/core/crds
 	cd helm; tar -zcf higress.tgz higress; helm push higress.tgz "oci://$(CHARTS)"
 
-helm-push-istio:
-	cd helm/istio; helm dependency update
-	cd helm; tar -zcf istio.tgz istio; helm push istio.tgz "oci://$(CHARTS)"
-
-helm-push-kind:
-	cd helm/kind/higress; helm dependency update
-	cd helm/kind; tar -zcf higress.tgz higress; helm push higress.tgz "oci://$(CHARTS)"
-	cd helm/kind/istio; helm dependency update
-	cd helm/kind; tar -zcf istio.tgz istio; helm push istio.tgz "oci://$(CHARTS)"
-
 cue = cue-gen -paths=./external/api/common-protos
 
 gen-api: prebuild
@@ -180,9 +232,13 @@ include tools/lint.mk
 .PHONY: gateway-conformance-test
 gateway-conformance-test:
 
-# ingress-conformance-test runs ingress api conformance tests.
-.PHONY: ingress-conformance-test
-ingress-conformance-test: $(tools/kind) delete-cluster create-cluster kube-load-image install-dev run-ingress-e2e-test delete-cluster
+# higress-conformance-test runs ingress api conformance tests.
+.PHONY: higress-conformance-test
+higress-conformance-test: $(tools/kind) delete-cluster create-cluster docker-build kube-load-image install-dev run-higress-e2e-test delete-cluster
+
+# higress-wasmplugin-test runs ingress wasmplugin tests.
+.PHONY: higress-wasmplugin-test
+higress-wasmplugin-test: $(tools/kind) delete-cluster create-cluster docker-build kube-load-image install-dev-wasmplugin run-higress-e2e-test-wasmplugin delete-cluster
 
 # create-cluster creates a kube cluster with kind.
 .PHONY: create-cluster
@@ -195,16 +251,40 @@ delete-cluster: $(tools/kind) ## Delete kind cluster.
 	$(tools/kind) delete cluster --name higress
 
 # kube-load-image loads a local built docker image into kube cluster.
+# dubbo-provider-demo和nacos-standlone-rc3的镜像已经上传到阿里云镜像库，第一次需要先拉到本地
+# docker pull registry.cn-hangzhou.aliyuncs.com/hinsteny/dubbo-provider-demo:0.0.1
+# docker pull registry.cn-hangzhou.aliyuncs.com/hinsteny/nacos-standlone-rc3:1.0.0-RC3
 .PHONY: kube-load-image
-kube-load-image: docker-build $(tools/kind) ## Install the EG image to a kind cluster using the provided $IMAGE and $TAG.
+kube-load-image: $(tools/kind) ## Install the Higress image to a kind cluster using the provided $IMAGE and $TAG.
 	tools/hack/kind-load-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/higress $(TAG)
-
-# run-ingress-e2e-test starts to run ingress e2e tests.
-.PHONY: run-ingress-e2e-test
-run-ingress-e2e-test:
+	tools/hack/docker-pull-image.sh docker.io/alihigress/dubbo-provider-demo 0.0.1
+	tools/hack/docker-pull-image.sh docker.io/alihigress/nacos-standlone-rc3 1.0.0-RC3
+	tools/hack/docker-pull-image.sh docker.io/hashicorp/consul 1.16.0
+	tools/hack/docker-pull-image.sh docker.io/charlie1380/eureka-registry-provider v0.3.0
+	tools/hack/docker-pull-image.sh docker.io/bitinit/eureka latest
+	tools/hack/docker-pull-image.sh docker.io/alihigress/httpbin 1.0.2
+	tools/hack/kind-load-image.sh docker.io/alihigress/dubbo-provider-demo 0.0.1
+	tools/hack/kind-load-image.sh docker.io/alihigress/nacos-standlone-rc3 1.0.0-RC3
+	tools/hack/kind-load-image.sh docker.io/hashicorp/consul 1.16.0
+	tools/hack/kind-load-image.sh docker.io/alihigress/httpbin 1.0.2
+	tools/hack/kind-load-image.sh docker.io/charlie1380/eureka-registry-provider v0.3.0
+	tools/hack/kind-load-image.sh docker.io/bitinit/eureka latest
+# run-higress-e2e-test starts to run ingress e2e tests.
+.PHONY: run-higress-e2e-test
+run-higress-e2e-test:
 	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
 	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
-	kubectl wait --timeout=5m -n higress-system deployment/higress-controller --for=condition=Available
+	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
 	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
-	kubectl wait --timeout=5m -n higress-system deployment/higress-gateway --for=condition=Available
-	go test -v -tags conformance ./test/ingress/e2e_test.go --ingress-class=higress --debug=true --use-unique-ports=true
+	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
+	go test -v -tags conformance ./test/e2e/e2e_test.go --ingress-class=higress --debug=true
+
+# run-higress-e2e-test starts to run ingress e2e tests.
+.PHONY: run-higress-e2e-test-wasmplugin
+run-higress-e2e-test-wasmplugin:
+	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
+	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
+	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
+	go test -v -tags conformance ./test/e2e/e2e_test.go -isWasmPluginTest=true -wasmPluginType=$(PLUGIN_TYPE) -wasmPluginName=$(PLUGIN_NAME) --ingress-class=higress --debug=true

README.md

@@ -8,9 +8,10 @@
 [![license](https://img.shields.io/github/license/alibaba/higress.svg)](https://www.apache.org/licenses/LICENSE-2.0.html)
 
 [**官网**](https://higress.io/)   |
-  [**文档**](https://higress.io/zh-cn/docs/overview/what-is-higress.html)   |
-  [**博客**](https://higress.io/zh-cn/blog/index.html)   |
-  [**开发指引**](https://higress.io/zh-cn/docs/dev/code.html)   
+  [**文档**](https://higress.io/zh-cn/docs/overview/what-is-higress)   |
+  [**博客**](https://higress.io/zh-cn/blog)   |
+  [**开发指引**](https://higress.io/zh-cn/docs/developers/developers_dev)   |
+  [**Higress 企业版**](https://www.aliyun.com/product/aliware/mse?spm=higress-website.topbar.0.0.0)  
 
 
 <p>
@@ -20,15 +21,17 @@
 
 Higress 是基于阿里内部两年多的 Envoy Gateway 实践沉淀，以开源 [Istio](https://github.com/istio/istio) 与 [Envoy](https://github.com/envoyproxy/envoy) 为核心构建的下一代云原生网关。Higress 实现了安全防护网关、流量网关、微服务网关三层网关合一，可以显著降低网关的部署和运维成本。
 
-![arch](https://img.alicdn.com/imgextra/i4/O1CN01OgGP1728t0xeRfRYJ_!!6000000007989-0-tps-1726-1366.jpg)
+![arch](https://img.alicdn.com/imgextra/i1/O1CN01iO9ph825juHbOIg75_!!6000000007563-2-tps-2483-2024.png)
 
 ## Summary
-
+    
+- [**功能展示**](#功能展示)
 - [**使用场景**](#使用场景)
 - [**核心优势**](#核心优势)
-- [**Quick Start**](#quick-start)
+- [**Quick Start**](https://higress.io/zh-cn/docs/user/quickstart)
 - [**社区**](#社区)
 
+
 ## 使用场景
 
 - **Kubernetes Ingress 网关**:
@@ -73,164 +76,42 @@ Higress 是基于阿里内部两年多的 Envoy Gateway 实践沉淀，以开源
 
   插件支持热更新，变更插件逻辑和配置都对流量无损。
 
-## Quick Start
+## 功能展示
+    
+- **丰富的可观测**
 
-- [**本地环境**](#本地环境)
-- [**生产环境**](#生产环境)
+  提供开箱即用的可观测，Grafana&Prometheus 可以使用内置的也可对接自建的
 
-### 本地环境
+  ![](./docs/images/monitor.gif)
+    
 
-#### 第一步、 安装 kubectl & kind
+- **插件扩展机制**
 
-**MacOS：**
+  官方提供了多种插件，用户也可以[开发](./plugins/wasm-go)自己的插件，构建成 docker/oci 镜像后在控制台配置，可以实时变更插件逻辑，对流量完全无损。
 
-```bash
-curl -Lo ./kubectl https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/darwin/amd64/kubectl
-# for Intel Macs
-[ $(uname -m) = x86_64 ]&& curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.17.0/kind-darwin-amd64
-# for M1 / ARM Macs
-[ $(uname -m) = arm64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.17.0/kind-darwin-arm64
-chmod +x ./kind ./kubectl
-mv ./kind ./kubectl /some-dir-in-your-PATH/
-```
+  ![](./docs/images/plugin.gif)
 
-**Windows 中使用 PowerShell:**
 
-```bash
-curl.exe -Lo kubectl.exe https://storage.googleapis.com/kubernetes-release/release/$(curl.exe -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/windows/amd64/kubectl.exe
-curl.exe -Lo kind-windows-amd64.exe https://kind.sigs.k8s.io/dl/v0.17.0/kind-windows-amd64
-Move-Item .\kind-windows-amd64.exe c:\some-dir-in-your-PATH\kind.exe
-Move-Item .\kubectl.exe c:\some-dir-in-your-PATH\kubectl.exe
-```
+- **多种服务发现**
 
-**Linux:**
+  默认提供 K8s Service 服务发现，通过配置可以对接 Nacos/ZooKeeper 等注册中心实现服务发现，也可以基于静态 IP 或者 DNS 来发现
 
-```bash
-curl -Lo ./kubectl https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
-curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.17.0/kind-linux-amd64
-chmod +x ./kind ./kubectl
-sudo mv ./kind ./kubectl /usr/local/bin/kind
-```
+  ![](./docs/images/service-source.gif)
+    
 
-#### 第二步、 创建并启用 kind
+- **域名和证书**
 
-首先创建一个集群配置文件: `cluster.conf`
+  可以创建管理 TLS 证书，并配置域名的 HTTP/HTTPS 行为，域名策略里支持对特定域名生效插件
 
-```yaml
-# cluster.conf
-kind: Cluster
-apiVersion: kind.x-k8s.io/v1alpha4
-nodes:
-- role: control-plane
-  kubeadmConfigPatches:
-  - |
-    kind: InitConfiguration
-    nodeRegistration:
-      kubeletExtraArgs:
-        node-labels: "ingress-ready=true"
-  extraPortMappings:
-  - containerPort: 80
-    hostPort: 80
-    protocol: TCP
-  - containerPort: 443
-    hostPort: 443
-    protocol: TCP
-```
+  ![](./docs/images/domain.gif)
 
-Mac & Linux 系统执行:
 
-```bash
-kind create cluster --name higress --config=cluster.conf
-kubectl config use-context kind-higress
-```
+- **丰富的路由能力**
 
-Windows 系统执行:
+  通过上面定义的服务发现机制，发现的服务会出现在服务列表中；创建路由时，选择域名，定义路由匹配机制，再选择目标服务进行路由；路由策略里支持对特定路由生效插件
 
-```bash
-kind.exe create cluster --name higress --config=cluster.conf
-kubectl.exe config use-context kind-higress
-```
+  ![](./docs/images/route-service.gif)
 
-#### 第三步、 安装 higress
-
-```bash
-kubectl create ns higress-system
-helm install higress -n higress-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/higress-local
-```
-
-注：helm版本需升级至**v3.8.0**及以上
-
-#### 第四步、 创建 Ingress 资源并测试
-
-```bash
-kubectl apply -f https://github.com/alibaba/higress/releases/download/v0.6.0/quickstart.yaml
-```
-
-测试 Ingress 生效：
-
-```bash
-# should output "foo"
-curl localhost/foo
-# should output "bar"
-curl localhost/bar
-```
-
-#### 卸载资源
-
-```bash
-kubectl delete -f https://github.com/alibaba/higress/releases/download/v0.6.0/quickstart.yaml
-
-helm uninstall higress -n higress-system
-
-kubectl delete ns higress-system
-```
-
-### 生产环境
-
-#### 第一步、 安装 higress
-
-```bash
-kubectl create ns higress-system
-helm install higress -n higress-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/higress 
-```
-
-#### 第二步、 创建 Ingress 资源并测试
-
-假设在 default 命名空间下已经部署了一个 test service，服务端口为 80 ，则创建下面这个 K8s Ingress
-
-```yaml
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: simple-example
-spec:
-  ingressClassName: higress
-  rules:
-  - host: foo.bar.com
-    http:
-      paths:
-      - path: /foo
-        pathType: Prefix
-        backend:
-          service:
-            name: test
-            port:
-              number: 80  
-```
-
-测试能访问到该服务：
-
-```bash
-curl "$(k get svc -n higress-system higress-gateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')"/foo -H 'host: foo.bar.com'
-```
-
-#### 卸载资源
-
-```bash
-helm uninstall higress -n higress-system
-
-kubectl delete ns higress-system
-```
 
 ## 社区
 
@@ -244,7 +125,7 @@ kubectl delete ns higress-system
 
 社区交流群: 
 
-![image](https://img.alicdn.com/imgextra/i1/O1CN01d7LmWu1rMB71rfRhA_!!6000000005616-2-tps-720-405.png)
+![image](https://img.alicdn.com/imgextra/i1/O1CN01KWonlE1DkpqaYVTiC_!!6000000000255-0-tps-720-405.jpg)
 
 
 开发者群：

README_EN.md

@@ -4,6 +4,16 @@
   Next-generation Cloud Native Gateway
 </h1>
 
+[![Build Status](https://github.com/alibaba/higress/workflows/build%20and%20codecov/badge.svg?branch=main)](https://github.com/alibaba/higress/actions)
+[![license](https://img.shields.io/github/license/alibaba/higress.svg)](https://www.apache.org/licenses/LICENSE-2.0.html)
+
+[**Official Site**](https://higress.io/en-us/) &nbsp; |
+&nbsp; [**Docs**](https://higress.io/en-us/docs/overview/what-is-higress) &nbsp; |
+&nbsp; [**Blog**](https://higress.io/en-us/blog) &nbsp; |
+&nbsp; [**Developer**](https://higress.io/en-us/docs/developers/developers_dev) &nbsp; |
+&nbsp; [**Higress in Cloud**](https://www.alibabacloud.com/product/microservices-engine?spm=higress-website.topbar.0.0.0) &nbsp;
+
+
 <p>
    English | <a href="README.md">中文<a/>
 </p>
@@ -13,7 +23,7 @@ Higress is a next-generation cloud-native gateway based on Alibaba's internal ga
 Powered by [Istio](https://github.com/istio/istio) and [Envoy](https://github.com/envoyproxy/envoy), Higress realizes the integration of the triple gateway architecture of traffic gateway, microservice gateway and security gateway, thereby greatly reducing the costs of deployment, operation and maintenance.
 
 <h1 align="center">
-  <img src="https://img.alicdn.com/imgextra/i1/O1CN01vnNawh26mU5C9py9w_!!6000000007704-0-tps-1726-1366.jpg" alt="Higress Architecture">
+  <img src="https://img.alicdn.com/imgextra/i1/O1CN01iO9ph825juHbOIg75_!!6000000007563-2-tps-2483-2024.png" alt="Higress Architecture">
 </h1>
 
 
@@ -21,7 +31,8 @@ Powered by [Istio](https://github.com/istio/istio) and [Envoy](https://github.co
 
 - [**Use Cases**](#use-cases)
 - [**Higress Features**](#higress-features)
-- [**Quick Start**](#quick-start)
+- [**Quick Start**](https://higress.io/en-us/docs/user/quickstart)
+- [**Community**](#community)
 - [**Thanks**](#thanks)
 
 ## Use Cases
@@ -44,162 +55,29 @@ Powered by [Istio](https://github.com/istio/istio) and [Envoy](https://github.co
 
 ## Higress Features
 
-   （TODO）
+- **Easy to use**
+
+  Provide one-stop gateway solutions for traffic scheduling, service management, and security protection, support Console, K8s Ingress, and Gateway API configuration methods, and also support HTTP to Dubbo protocol conversion, and easily complete protocol mapping configuration.  
   
-## Quick Start
+- **Easy to expand**
 
-- [**Local Environment**](#local-environment)
-- [**Production Environment**](#production-environment)
+  Provides Wasm, Lua, and out-of-process plug-in extension mechanisms, so that multi-language plug-in writing is no longer an obstacle. The granularity of plug-in effectiveness supports not only the global level, domain name level, but also fine-grained routing level
+  
+- **Dynamic hot update**
+  
+  Get rid of the traffic jitter caused by reload at the bottom, the configuration change takes effect in milliseconds and the business is not affected, the Wasm plug-in is hot updated and the traffic is not damaged
+  
+- **Smooth upgrade**
 
-### Local Environment
+  Compatible with 80%+ usage scenarios of Nginx Ingress Annotation, and provides more feature-rich annotations, easy to handle Nginx Ingress migration in one step
+  
+- **Security**
 
-#### step 1. install kubectl & kind
+  Provides JWT, OIDC, custom authentication and authentication, deeply integrates open source web application firewall.
 
-**On MacOS:**
+## Community
 
-```bash
-curl -Lo ./kubectl https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/darwin/amd64/kubectl
-# for Intel Macs
-[ $(uname -m) = x86_64 ]&& curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.17.0/kind-darwin-amd64
-# for M1 / ARM Macs
-[ $(uname -m) = arm64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.17.0/kind-darwin-arm64
-chmod +x ./kind ./kubectl
-mv ./kind ./kubectl /some-dir-in-your-PATH/
-```
-
-**On Windows in PowerShell:**
-
-```bash
-curl.exe -Lo kubectl.exe https://storage.googleapis.com/kubernetes-release/release/$(curl.exe -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/windows/amd64/kubectl.exe
-curl.exe -Lo kind-windows-amd64.exe https://kind.sigs.k8s.io/dl/v0.17.0/kind-windows-amd64
-Move-Item .\kind-windows-amd64.exe c:\some-dir-in-your-PATH\kind.exe
-Move-Item .\kubectl.exe c:\some-dir-in-your-PATH\kubectl.exe
-```
-
-**On Linux:**
-
-```bash
-curl -Lo ./kubectl https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
-curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.17.0/kind-linux-amd64
-chmod +x ./kind ./kubectl
-sudo mv ./kind ./kubectl /usr/local/bin/kind
-```
-
-#### step 2. create kind cluster
-
-create a cluster config file: `cluster.conf`
-
-```yaml
-# cluster.conf
-kind: Cluster
-apiVersion: kind.x-k8s.io/v1alpha4
-nodes:
-- role: control-plane
-  kubeadmConfigPatches:
-  - |
-    kind: InitConfiguration
-    nodeRegistration:
-      kubeletExtraArgs:
-        node-labels: "ingress-ready=true"
-  extraPortMappings:
-  - containerPort: 80
-    hostPort: 80
-    protocol: TCP
-  - containerPort: 443
-    hostPort: 443
-    protocol: TCP
-```
-
-Mac & Linux:
-
-```bash
-kind create cluster --name higress --config=cluster.conf
-kubectl config use-context kind-higress
-```
-
-Windows:
-
-```bash
-kind.exe create cluster --name higress --config=cluster.conf
-kubectl.exe config use-context kind-higress
-```
-
-#### step 3. install higress
-
-```bash
-kubectl create ns higress-system
-helm install higress -n higress-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/higress-local
-```
-Note: The helm version needs to be upgraded to **v3.8.0** and above
-#### step 4. create the ingress and test it
-
-```bash
-kubectl apply -f https://kind.sigs.k8s.io/examples/ingress/usage.yaml
-```
-
-Now verify that the ingress works
-
-```bash
-# should output "foo"
-curl localhost/foo
-# should output "bar"
-curl localhost/bar
-```
-
-#### Clean-Up
-
-```bash
-kubectl delete -f https://kind.sigs.k8s.io/examples/ingress/usage.yaml
-
-helm uninstall higress -n higress-system
-
-kubectl delete ns higress-system
-```
-
-### Production Environment
-
-#### step 1. install higress
-
-```bash
-kubectl create ns higress-system
-helm install higress -n higress-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/higress 
-```
-
-#### step 2. create the ingress and test it
-
-for example there is a service `test` in default namespace.
-
-```yaml
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: simple-example
-spec:
-  ingressClassName: higress
-  rules:
-  - host: foo.bar.com
-    http:
-      paths:
-      - path: /foo
-        pathType: Prefix
-        backend:
-          service:
-            name: test
-            port:
-              number: 80  
-```
-
-```bash
-curl "$(k get svc -n higress-system higress-gateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')"/foo -H 'host: foo.bar.com'
-```
-
-#### Clean-Up
-
-```bash
-helm uninstall higress -n higress-system
-
-kubectl delete ns higress-system
-```
+[Slack](https://w1689142780-euk177225.slack.com/archives/C05GEL4TGTG): to get invited go [here](https://communityinviter.com/apps/w1689142780-euk177225/higress).
 
 ### Thanks
 

SECURITY.md

@@ -0,0 +1,14 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.x.x   | :white_check_mark: |
+| < 1.0.0   | :x:                |
+
+## Reporting a Vulnerability
+
+Please report any security issue or Higress crash report to [ASRC](https://security.alibaba.com/)(Alibaba Security Response Center) where the issue will be triaged appropriately. 
+
+Thank you in advance for helping to keep Higress secure.

VERSION

@@ -1 +1 @@
-v0.6.1
+v1.3.1

api/extensions/v1alpha1/wasm.pb.go

@@ -170,10 +170,12 @@ type WasmPlugin struct {
 	// Extended by Higress, the default configuration takes effect globally
 	DefaultConfig *types.Struct `protobuf:"bytes,101,opt,name=default_config,json=defaultConfig,proto3" json:"default_config,omitempty"`
 	// Extended by Higress, matching rules take effect
-	MatchRules           []*MatchRule `protobuf:"bytes,102,rep,name=match_rules,json=matchRules,proto3" json:"match_rules,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}     `json:"-"`
-	XXX_unrecognized     []byte       `json:"-"`
-	XXX_sizecache        int32        `json:"-"`
+	MatchRules []*MatchRule `protobuf:"bytes,102,rep,name=match_rules,json=matchRules,proto3" json:"match_rules,omitempty"`
+	// disable the default config
+	DefaultConfigDisable bool     `protobuf:"varint,103,opt,name=default_config_disable,json=defaultConfigDisable,proto3" json:"default_config_disable,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
 }
 
 func (m *WasmPlugin) Reset()         { *m = WasmPlugin{} }
@@ -286,11 +288,19 @@ func (m *WasmPlugin) GetMatchRules() []*MatchRule {
 	return nil
 }
 
+func (m *WasmPlugin) GetDefaultConfigDisable() bool {
+	if m != nil {
+		return m.DefaultConfigDisable
+	}
+	return false
+}
+
 // Extended by Higress
 type MatchRule struct {
 	Ingress              []string      `protobuf:"bytes,1,rep,name=ingress,proto3" json:"ingress,omitempty"`
 	Domain               []string      `protobuf:"bytes,2,rep,name=domain,proto3" json:"domain,omitempty"`
 	Config               *types.Struct `protobuf:"bytes,3,opt,name=config,proto3" json:"config,omitempty"`
+	ConfigDisable        bool          `protobuf:"varint,4,opt,name=config_disable,json=configDisable,proto3" json:"config_disable,omitempty"`
 	XXX_NoUnkeyedLiteral struct{}      `json:"-"`
 	XXX_unrecognized     []byte        `json:"-"`
 	XXX_sizecache        int32         `json:"-"`
@@ -350,6 +360,13 @@ func (m *MatchRule) GetConfig() *types.Struct {
 	return nil
 }
 
+func (m *MatchRule) GetConfigDisable() bool {
+	if m != nil {
+		return m.ConfigDisable
+	}
+	return false
+}
+
 func init() {
 	proto.RegisterEnum("higress.extensions.v1alpha1.PluginPhase", PluginPhase_name, PluginPhase_value)
 	proto.RegisterEnum("higress.extensions.v1alpha1.PullPolicy", PullPolicy_name, PullPolicy_value)
@@ -360,43 +377,46 @@ func init() {
 func init() { proto.RegisterFile("extensions/v1alpha1/wasm.proto", fileDescriptor_4d60b240916c4e18) }
 
 var fileDescriptor_4d60b240916c4e18 = []byte{
-	// 576 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x93, 0xdd, 0x6e, 0xd3, 0x30,
-	0x14, 0xc7, 0x97, 0x76, 0xeb, 0xd6, 0xd3, 0x6d, 0x64, 0x96, 0x18, 0xd6, 0x86, 0x4a, 0xb5, 0x0b,
-	0x28, 0xbb, 0x48, 0xb4, 0x02, 0xe3, 0x06, 0x4d, 0x74, 0xa3, 0xb0, 0x0a, 0x28, 0x51, 0xb2, 0x81,
-	0xd8, 0x4d, 0xe5, 0x66, 0x6e, 0x6a, 0xe1, 0xc4, 0x91, 0xed, 0x6c, 0xf4, 0xf9, 0xb8, 0xe1, 0x92,
-	0x47, 0x40, 0x7b, 0x12, 0x54, 0x27, 0xd9, 0x07, 0xa0, 0xde, 0x9d, 0x8f, 0xdf, 0x39, 0xf9, 0xff,
-	0x8f, 0x1c, 0x68, 0xd2, 0xef, 0x9a, 0x26, 0x8a, 0x89, 0x44, 0xb9, 0x17, 0x7b, 0x84, 0xa7, 0x13,
-	0xb2, 0xe7, 0x5e, 0x12, 0x15, 0x3b, 0xa9, 0x14, 0x5a, 0xa0, 0xed, 0x09, 0x8b, 0x24, 0x55, 0xca,
-	0xb9, 0xe1, 0x9c, 0x92, 0xdb, 0x6a, 0x46, 0x42, 0x44, 0x9c, 0xba, 0x06, 0x1d, 0x65, 0x63, 0xf7,
-	0x52, 0x92, 0x34, 0xa5, 0x52, 0xe5, 0xc3, 0x5b, 0x0f, 0xff, 0xee, 0x2b, 0x2d, 0xb3, 0x50, 0xe7,
-	0xdd, 0x9d, 0x1f, 0x8b, 0x00, 0x5f, 0x88, 0x8a, 0x3d, 0x9e, 0x45, 0x2c, 0x41, 0x36, 0x54, 0x33,
-	0xc9, 0x71, 0xa5, 0x65, 0xb5, 0xeb, 0xfe, 0x2c, 0x44, 0x9b, 0x50, 0x53, 0x13, 0xd2, 0x79, 0xb1,
-	0x8f, 0xab, 0xa6, 0x58, 0x64, 0x28, 0x80, 0x0d, 0x16, 0x93, 0x88, 0x0e, 0xd3, 0x8c, 0xf3, 0x61,
-	0x2a, 0x38, 0x0b, 0xa7, 0x78, 0xb1, 0x65, 0xb5, 0xd7, 0x3b, 0x4f, 0x9c, 0x39, 0x7a, 0x1d, 0x2f,
-	0xe3, 0xdc, 0x33, 0xb8, 0x7f, 0xcf, 0x6c, 0xb8, 0x29, 0xa0, 0xdd, 0x3b, 0x4b, 0x15, 0x0d, 0x25,
-	0xd5, 0x78, 0xc9, 0x7c, 0xf7, 0x86, 0x0d, 0x4c, 0x19, 0x3d, 0x05, 0xfb, 0x82, 0x4a, 0x36, 0x66,
-	0x21, 0xd1, 0x4c, 0x24, 0xc3, 0x6f, 0x74, 0x8a, 0x6b, 0x39, 0x7a, 0xbb, 0xfe, 0x9e, 0x4e, 0xd1,
-	0x2b, 0x58, 0x4b, 0x8d, 0xbf, 0x61, 0x28, 0x92, 0x31, 0x8b, 0xf0, 0x72, 0xcb, 0x6a, 0x37, 0x3a,
-	0x0f, 0x9c, 0xfc, 0x34, 0x4e, 0x79, 0x1a, 0x27, 0x30, 0xa7, 0xf1, 0x57, 0x73, 0xfa, 0xc8, 0xc0,
-	0xe8, 0x11, 0x34, 0x8a, 0xe9, 0x84, 0xc4, 0x14, 0xaf, 0x98, 0x6f, 0x40, 0x5e, 0x1a, 0x90, 0x98,
-	0xa2, 0x03, 0x58, 0x4a, 0x27, 0x44, 0x51, 0x5c, 0x37, 0xf6, 0xdb, 0xf3, 0xed, 0x9b, 0x39, 0x6f,
-	0xc6, 0xfb, 0xf9, 0x18, 0x7a, 0x09, 0x2b, 0xa9, 0x64, 0x42, 0x32, 0x3d, 0xc5, 0x60, 0x94, 0x6d,
-	0xff, 0xa3, 0xac, 0x9f, 0xe8, 0xfd, 0xe7, 0x9f, 0x09, 0xcf, 0xa8, 0x7f, 0x0d, 0xa3, 0x03, 0x58,
-	0x3f, 0xa7, 0x63, 0x92, 0x71, 0x5d, 0x1a, 0xa3, 0xf3, 0x8d, 0xad, 0x15, 0x78, 0xe1, 0xec, 0x1d,
-	0x34, 0x62, 0xa2, 0xc3, 0xc9, 0x50, 0x66, 0x9c, 0x2a, 0x3c, 0x6e, 0x55, 0xdb, 0x8d, 0xce, 0xe3,
-	0xb9, 0xf2, 0x3f, 0xce, 0x78, 0x3f, 0xe3, 0xd4, 0x87, 0xb8, 0x0c, 0xd5, 0x4e, 0x02, 0xf5, 0xeb,
-	0x06, 0xc2, 0xb0, 0xcc, 0x12, 0xb3, 0x01, 0x5b, 0xad, 0x6a, 0xbb, 0xee, 0x97, 0xe9, 0xec, 0x2d,
-	0x9d, 0x8b, 0x98, 0xb0, 0x04, 0x57, 0x4c, 0xa3, 0xc8, 0x90, 0x0b, 0xb5, 0x42, 0x7f, 0x75, 0xbe,
-	0xfe, 0x02, 0xdb, 0xed, 0x41, 0xe3, 0xd6, 0x1d, 0xd1, 0x7d, 0xd8, 0x38, 0x1d, 0x04, 0x5e, 0xef,
-	0xa8, 0xff, 0xb6, 0xdf, 0x7b, 0x33, 0xf4, 0x8e, 0xbb, 0x41, 0xcf, 0x5e, 0x40, 0x75, 0x58, 0xea,
-	0x9e, 0x9e, 0x1c, 0x0f, 0x6c, 0xab, 0x0c, 0xcf, 0xec, 0xca, 0x2c, 0x0c, 0x4e, 0xba, 0x27, 0x81,
-	0x5d, 0xdd, 0x3d, 0x04, 0xb8, 0xf5, 0xf8, 0x36, 0x01, 0xdd, 0xd9, 0xf2, 0xe9, 0x43, 0xff, 0xe8,
-	0xab, 0xbd, 0x80, 0x6c, 0x58, 0xed, 0x8f, 0x07, 0x42, 0x7b, 0x92, 0x2a, 0x9a, 0x68, 0xdb, 0x42,
-	0x00, 0xb5, 0x2e, 0xbf, 0x24, 0x53, 0x65, 0x57, 0x0e, 0x5f, 0xff, 0xbc, 0x6a, 0x5a, 0xbf, 0xae,
-	0x9a, 0xd6, 0xef, 0xab, 0xa6, 0x75, 0xd6, 0x89, 0x98, 0x9e, 0x64, 0x23, 0x27, 0x14, 0xb1, 0x4b,
-	0x38, 0x1b, 0x91, 0x11, 0x71, 0x8b, 0x73, 0xba, 0x24, 0x65, 0xee, 0x7f, 0x7e, 0xf4, 0x51, 0xcd,
-	0xb8, 0x7c, 0xf6, 0x27, 0x00, 0x00, 0xff, 0xff, 0xb2, 0xe0, 0x3d, 0x06, 0x06, 0x04, 0x00, 0x00,
+	// 617 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x94, 0xdf, 0x4e, 0x13, 0x41,
+	0x14, 0xc6, 0xd9, 0x16, 0x0a, 0x3d, 0x05, 0x5c, 0x26, 0x8a, 0x13, 0x30, 0xb5, 0x21, 0x51, 0x57,
+	0x2e, 0x76, 0x43, 0x45, 0xbc, 0x31, 0xc4, 0x02, 0x55, 0x1a, 0xb5, 0x6e, 0x76, 0x41, 0x23, 0x37,
+	0x9b, 0xe9, 0x32, 0xdd, 0x4e, 0x9c, 0xfd, 0x93, 0x9d, 0x59, 0xb0, 0x0f, 0xe2, 0x3b, 0x79, 0xe9,
+	0x23, 0x18, 0xde, 0xc2, 0x3b, 0xd3, 0xd9, 0x2d, 0x6d, 0xd1, 0xf4, 0x6e, 0xe6, 0x9c, 0xdf, 0x39,
+	0xe7, 0xfb, 0xce, 0x4e, 0x16, 0xea, 0xf4, 0xbb, 0xa4, 0x91, 0x60, 0x71, 0x24, 0xac, 0xab, 0x3d,
+	0xc2, 0x93, 0x01, 0xd9, 0xb3, 0xae, 0x89, 0x08, 0xcd, 0x24, 0x8d, 0x65, 0x8c, 0xb6, 0x07, 0x2c,
+	0x48, 0xa9, 0x10, 0xe6, 0x84, 0x33, 0xc7, 0xdc, 0x56, 0x3d, 0x88, 0xe3, 0x80, 0x53, 0x4b, 0xa1,
+	0xbd, 0xac, 0x6f, 0x5d, 0xa7, 0x24, 0x49, 0x68, 0x2a, 0xf2, 0xe2, 0xad, 0x47, 0x77, 0xf3, 0x42,
+	0xa6, 0x99, 0x2f, 0xf3, 0xec, 0xce, 0x9f, 0x45, 0x80, 0x2f, 0x44, 0x84, 0x36, 0xcf, 0x02, 0x16,
+	0x21, 0x1d, 0xca, 0x59, 0xca, 0x71, 0xa9, 0xa1, 0x19, 0x55, 0x67, 0x74, 0x44, 0x9b, 0x50, 0x11,
+	0x03, 0xd2, 0x7c, 0x79, 0x80, 0xcb, 0x2a, 0x58, 0xdc, 0x90, 0x0b, 0x1b, 0x2c, 0x24, 0x01, 0xf5,
+	0x92, 0x8c, 0x73, 0x2f, 0x89, 0x39, 0xf3, 0x87, 0x78, 0xb1, 0xa1, 0x19, 0xeb, 0xcd, 0x67, 0xe6,
+	0x1c, 0xbd, 0xa6, 0x9d, 0x71, 0x6e, 0x2b, 0xdc, 0xb9, 0xa7, 0x3a, 0x4c, 0x02, 0x68, 0x77, 0xa6,
+	0xa9, 0xa0, 0x7e, 0x4a, 0x25, 0x5e, 0x52, 0x73, 0x27, 0xac, 0xab, 0xc2, 0xe8, 0x39, 0xe8, 0x57,
+	0x34, 0x65, 0x7d, 0xe6, 0x13, 0xc9, 0xe2, 0xc8, 0xfb, 0x46, 0x87, 0xb8, 0x92, 0xa3, 0xd3, 0xf1,
+	0xf7, 0x74, 0x88, 0x5e, 0xc3, 0x5a, 0xa2, 0xfc, 0x79, 0x7e, 0x1c, 0xf5, 0x59, 0x80, 0x97, 0x1b,
+	0x9a, 0x51, 0x6b, 0x3e, 0x34, 0xf3, 0xd5, 0x98, 0xe3, 0xd5, 0x98, 0xae, 0x5a, 0x8d, 0xb3, 0x9a,
+	0xd3, 0xc7, 0x0a, 0x46, 0x8f, 0xa1, 0x56, 0x54, 0x47, 0x24, 0xa4, 0x78, 0x45, 0xcd, 0x80, 0x3c,
+	0xd4, 0x25, 0x21, 0x45, 0x87, 0xb0, 0x94, 0x0c, 0x88, 0xa0, 0xb8, 0xaa, 0xec, 0x1b, 0xf3, 0xed,
+	0xab, 0x3a, 0x7b, 0xc4, 0x3b, 0x79, 0x19, 0x7a, 0x05, 0x2b, 0x49, 0xca, 0xe2, 0x94, 0xc9, 0x21,
+	0x06, 0xa5, 0x6c, 0xfb, 0x1f, 0x65, 0x9d, 0x48, 0x1e, 0xec, 0x7f, 0x26, 0x3c, 0xa3, 0xce, 0x2d,
+	0x8c, 0x0e, 0x61, 0xfd, 0x92, 0xf6, 0x49, 0xc6, 0xe5, 0xd8, 0x18, 0x9d, 0x6f, 0x6c, 0xad, 0xc0,
+	0x0b, 0x67, 0xef, 0xa0, 0x16, 0x12, 0xe9, 0x0f, 0xbc, 0x34, 0xe3, 0x54, 0xe0, 0x7e, 0xa3, 0x6c,
+	0xd4, 0x9a, 0x4f, 0xe7, 0xca, 0xff, 0x38, 0xe2, 0x9d, 0x8c, 0x53, 0x07, 0xc2, 0xf1, 0x51, 0xa0,
+	0x7d, 0xd8, 0x9c, 0x15, 0xe2, 0x5d, 0x32, 0x41, 0x7a, 0x9c, 0xe2, 0xa0, 0xa1, 0x19, 0x2b, 0xce,
+	0xfd, 0x99, 0xb9, 0x27, 0x79, 0x6e, 0xe7, 0x87, 0x06, 0xd5, 0xdb, 0x7e, 0x08, 0xc3, 0x32, 0x8b,
+	0xd4, 0x60, 0xac, 0x35, 0xca, 0x46, 0xd5, 0x19, 0x5f, 0x47, 0x4f, 0xf0, 0x32, 0x0e, 0x09, 0x8b,
+	0x70, 0x49, 0x25, 0x8a, 0x1b, 0xb2, 0xa0, 0x52, 0xd8, 0x2e, 0xcf, 0xb7, 0x5d, 0x60, 0xe8, 0x09,
+	0xac, 0xdf, 0x91, 0xb7, 0xa8, 0xe4, 0xad, 0xf9, 0xd3, 0xba, 0x76, 0xdb, 0x50, 0x9b, 0xfa, 0x4a,
+	0xe8, 0x01, 0x6c, 0x9c, 0x77, 0x5d, 0xbb, 0x7d, 0xdc, 0x79, 0xdb, 0x69, 0x9f, 0x78, 0xf6, 0x69,
+	0xcb, 0x6d, 0xeb, 0x0b, 0xa8, 0x0a, 0x4b, 0xad, 0xf3, 0xb3, 0xd3, 0xae, 0xae, 0x8d, 0x8f, 0x17,
+	0x7a, 0x69, 0x74, 0x74, 0xcf, 0x5a, 0x67, 0xae, 0x5e, 0xde, 0x3d, 0x02, 0x98, 0x7a, 0xda, 0x9b,
+	0x80, 0x66, 0xba, 0x7c, 0xfa, 0xd0, 0x39, 0xfe, 0xaa, 0x2f, 0x20, 0x1d, 0x56, 0x3b, 0xfd, 0x6e,
+	0x2c, 0xed, 0x94, 0x0a, 0x1a, 0x49, 0x5d, 0x43, 0x00, 0x95, 0x16, 0xbf, 0x26, 0x43, 0xa1, 0x97,
+	0x8e, 0xde, 0xfc, 0xbc, 0xa9, 0x6b, 0xbf, 0x6e, 0xea, 0xda, 0xef, 0x9b, 0xba, 0x76, 0xd1, 0x0c,
+	0x98, 0x1c, 0x64, 0x3d, 0xd3, 0x8f, 0x43, 0x8b, 0x70, 0xd6, 0x23, 0x3d, 0x62, 0x15, 0x1f, 0xcb,
+	0x22, 0x09, 0xb3, 0xfe, 0xf3, 0x1b, 0xe9, 0x55, 0xd4, 0x32, 0x5e, 0xfc, 0x0d, 0x00, 0x00, 0xff,
+	0xff, 0x48, 0x74, 0xbe, 0xc1, 0x64, 0x04, 0x00, 0x00,
 }
 
 func (m *WasmPlugin) Marshal() (dAtA []byte, err error) {
@@ -423,6 +443,18 @@ func (m *WasmPlugin) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
+	if m.DefaultConfigDisable {
+		i--
+		if m.DefaultConfigDisable {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i--
+		dAtA[i] = 0x6
+		i--
+		dAtA[i] = 0xb8
+	}
 	if len(m.MatchRules) > 0 {
 		for iNdEx := len(m.MatchRules) - 1; iNdEx >= 0; iNdEx-- {
 			{
@@ -549,6 +581,16 @@ func (m *MatchRule) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
+	if m.ConfigDisable {
+		i--
+		if m.ConfigDisable {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i--
+		dAtA[i] = 0x20
+	}
 	if m.Config != nil {
 		{
 			size, err := m.Config.MarshalToSizedBuffer(dAtA[:i])
@@ -643,6 +685,9 @@ func (m *WasmPlugin) Size() (n int) {
 			n += 2 + l + sovWasm(uint64(l))
 		}
 	}
+	if m.DefaultConfigDisable {
+		n += 3
+	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@@ -671,6 +716,9 @@ func (m *MatchRule) Size() (n int) {
 		l = m.Config.Size()
 		n += 1 + l + sovWasm(uint64(l))
 	}
+	if m.ConfigDisable {
+		n += 2
+	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@@ -1052,6 +1100,26 @@ func (m *WasmPlugin) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 103:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DefaultConfigDisable", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowWasm
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.DefaultConfigDisable = bool(v != 0)
 		default:
 			iNdEx = preIndex
 			skippy, err := skipWasm(dAtA[iNdEx:])
@@ -1203,6 +1271,26 @@ func (m *MatchRule) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ConfigDisable", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowWasm
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ConfigDisable = bool(v != 0)
 		default:
 			iNdEx = preIndex
 			skippy, err := skipWasm(dAtA[iNdEx:])

api/extensions/v1alpha1/wasm.proto

@@ -104,6 +104,8 @@ message WasmPlugin {
   google.protobuf.Struct default_config = 101;
   // Extended by Higress, matching rules take effect
   repeated MatchRule match_rules = 102;
+  // disable the default config
+  bool default_config_disable = 103;
 }
 
 // Extended by Higress
@@ -111,6 +113,7 @@ message MatchRule {
   repeated string ingress = 1;
   repeated string domain = 2;
   google.protobuf.Struct config = 3;
+  bool config_disable = 4;
 }
 
 // The phase in the filter chain where the plugin will be injected.

api/kubernetes/customresourcedefinitions.gen.yaml

@@ -35,6 +35,8 @@ spec:
               defaultConfig:
                 type: object
                 x-kubernetes-preserve-unknown-fields: true
+              defaultConfigDisable:
+                type: boolean
               imagePullPolicy:
                 description: The pull behaviour to be applied when fetching an OCI
                   image.
@@ -52,6 +54,8 @@ spec:
                     config:
                       type: object
                       x-kubernetes-preserve-unknown-fields: true
+                    configDisable:
+                      type: boolean
                     domain:
                       items:
                         type: string
@@ -100,6 +104,88 @@ spec:
     subresources:
       status: {}
 
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  name: http2rpcs.networking.higress.io
+spec:
+  group: networking.higress.io
+  names:
+    categories:
+    - higress-io
+    kind: Http2Rpc
+    listKind: Http2RpcList
+    plural: http2rpcs
+    singular: http2rpc
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            oneOf:
+            - not:
+                anyOf:
+                - required:
+                  - dubbo
+                - required:
+                  - grpc
+            - required:
+              - dubbo
+            - required:
+              - grpc
+            properties:
+              dubbo:
+                properties:
+                  group:
+                    type: string
+                  methods:
+                    items:
+                      properties:
+                        headersAttach:
+                          type: string
+                        httpMethods:
+                          items:
+                            type: string
+                          type: array
+                        httpPath:
+                          type: string
+                        params:
+                          items:
+                            properties:
+                              paramKey:
+                                type: string
+                              paramSource:
+                                type: string
+                              paramType:
+                                type: string
+                            type: object
+                          type: array
+                        serviceMethod:
+                          type: string
+                      type: object
+                    type: array
+                  service:
+                    type: string
+                  version:
+                    type: string
+                type: object
+              grpc:
+                type: object
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
@@ -127,8 +213,17 @@ spec:
               registries:
                 items:
                   properties:
+                    authSecretName:
+                      type: string
+                    consulDatacenter:
+                      type: string
                     consulNamespace:
                       type: string
+                    consulRefreshInterval:
+                      format: int64
+                      type: integer
+                    consulServiceTag:
+                      type: string
                     domain:
                       type: string
                     nacosAccessKey:

api/networking/v1/http_2_rpc.proto

@@ -0,0 +1,74 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//  
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//  
+//      http://www.apache.org/licenses/LICENSE-2.0
+//  
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+import "google/api/field_behavior.proto";
+
+// $schema: higress.networking.v1.Http2Rpc
+// $title: Http2Rpc
+// $description: Configuration affecting service discovery from multi registries
+// $mode: none
+
+package higress.networking.v1;
+
+option go_package = "github.com/alibaba/higress/api/networking/v1";
+
+// <!-- crd generation tags
+// +cue-gen:Http2Rpc:groupName:networking.higress.io
+// +cue-gen:Http2Rpc:version:v1
+// +cue-gen:Http2Rpc:storageVersion
+// +cue-gen:Http2Rpc:annotations:helm.sh/resource-policy=keep
+// +cue-gen:Http2Rpc:subresource:status
+// +cue-gen:Http2Rpc:scope:Namespaced
+// +cue-gen:Http2Rpc:resource:categories=higress-io,plural=http2rpcs
+// +cue-gen:Http2Rpc:preserveUnknownFields:false
+// -->
+//
+// <!-- go code generation tags
+// +kubetype-gen
+// +kubetype-gen:groupVersion=networking.higress.io/v1
+// +genclient
+// +k8s:deepcopy-gen=true
+// -->
+message Http2Rpc {
+  oneof destination {
+    DubboService dubbo = 1;
+    GrpcService  grpc = 2;
+ }
+}
+
+message DubboService {
+  string service = 1 [(google.api.field_behavior) = REQUIRED];
+  string version = 2 [(google.api.field_behavior) = REQUIRED];
+  string group = 3 [(google.api.field_behavior) = OPTIONAL];
+  repeated Method methods = 4 [(google.api.field_behavior) = REQUIRED];
+}
+
+message Method {
+  string service_method = 1 [(google.api.field_behavior) = REQUIRED];
+  string headers_attach = 2 [(google.api.field_behavior) = OPTIONAL];
+  string http_path = 3 [(google.api.field_behavior) = REQUIRED];
+  repeated string http_methods = 4 [(google.api.field_behavior) = REQUIRED];
+  repeated Param params = 5;
+}
+
+message Param {
+  string param_source = 1 [(google.api.field_behavior) = REQUIRED];
+  string param_key = 2 [(google.api.field_behavior) = REQUIRED];
+  string param_type = 3 [(google.api.field_behavior) = REQUIRED];
+}
+
+message GrpcService {
+}

api/networking/v1/http_2_rpc_deepcopy.gen.go

@@ -0,0 +1,121 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: networking/v1/http_2_rpc.proto
+
+package v1
+
+import (
+	fmt "fmt"
+	proto "github.com/gogo/protobuf/proto"
+	_ "istio.io/gogo-genproto/googleapis/google/api"
+	math "math"
+)
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// DeepCopyInto supports using Http2Rpc within kubernetes types, where deepcopy-gen is used.
+func (in *Http2Rpc) DeepCopyInto(out *Http2Rpc) {
+	p := proto.Clone(in).(*Http2Rpc)
+	*out = *p
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Http2Rpc. Required by controller-gen.
+func (in *Http2Rpc) DeepCopy() *Http2Rpc {
+	if in == nil {
+		return nil
+	}
+	out := new(Http2Rpc)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Http2Rpc. Required by controller-gen.
+func (in *Http2Rpc) DeepCopyInterface() interface{} {
+	return in.DeepCopy()
+}
+
+// DeepCopyInto supports using DubboService within kubernetes types, where deepcopy-gen is used.
+func (in *DubboService) DeepCopyInto(out *DubboService) {
+	p := proto.Clone(in).(*DubboService)
+	*out = *p
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DubboService. Required by controller-gen.
+func (in *DubboService) DeepCopy() *DubboService {
+	if in == nil {
+		return nil
+	}
+	out := new(DubboService)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new DubboService. Required by controller-gen.
+func (in *DubboService) DeepCopyInterface() interface{} {
+	return in.DeepCopy()
+}
+
+// DeepCopyInto supports using Method within kubernetes types, where deepcopy-gen is used.
+func (in *Method) DeepCopyInto(out *Method) {
+	p := proto.Clone(in).(*Method)
+	*out = *p
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Method. Required by controller-gen.
+func (in *Method) DeepCopy() *Method {
+	if in == nil {
+		return nil
+	}
+	out := new(Method)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Method. Required by controller-gen.
+func (in *Method) DeepCopyInterface() interface{} {
+	return in.DeepCopy()
+}
+
+// DeepCopyInto supports using Param within kubernetes types, where deepcopy-gen is used.
+func (in *Param) DeepCopyInto(out *Param) {
+	p := proto.Clone(in).(*Param)
+	*out = *p
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Param. Required by controller-gen.
+func (in *Param) DeepCopy() *Param {
+	if in == nil {
+		return nil
+	}
+	out := new(Param)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Param. Required by controller-gen.
+func (in *Param) DeepCopyInterface() interface{} {
+	return in.DeepCopy()
+}
+
+// DeepCopyInto supports using GrpcService within kubernetes types, where deepcopy-gen is used.
+func (in *GrpcService) DeepCopyInto(out *GrpcService) {
+	p := proto.Clone(in).(*GrpcService)
+	*out = *p
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GrpcService. Required by controller-gen.
+func (in *GrpcService) DeepCopy() *GrpcService {
+	if in == nil {
+		return nil
+	}
+	out := new(GrpcService)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new GrpcService. Required by controller-gen.
+func (in *GrpcService) DeepCopyInterface() interface{} {
+	return in.DeepCopy()
+}

api/networking/v1/http_2_rpc_json.gen.go

@@ -0,0 +1,78 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: networking/v1/http_2_rpc.proto
+
+package v1
+
+import (
+	bytes "bytes"
+	fmt "fmt"
+	github_com_gogo_protobuf_jsonpb "github.com/gogo/protobuf/jsonpb"
+	proto "github.com/gogo/protobuf/proto"
+	_ "istio.io/gogo-genproto/googleapis/google/api"
+	math "math"
+)
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// MarshalJSON is a custom marshaler for Http2Rpc
+func (this *Http2Rpc) MarshalJSON() ([]byte, error) {
+	str, err := Http_2RpcMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Http2Rpc
+func (this *Http2Rpc) UnmarshalJSON(b []byte) error {
+	return Http_2RpcUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for DubboService
+func (this *DubboService) MarshalJSON() ([]byte, error) {
+	str, err := Http_2RpcMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for DubboService
+func (this *DubboService) UnmarshalJSON(b []byte) error {
+	return Http_2RpcUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for Method
+func (this *Method) MarshalJSON() ([]byte, error) {
+	str, err := Http_2RpcMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Method
+func (this *Method) UnmarshalJSON(b []byte) error {
+	return Http_2RpcUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for Param
+func (this *Param) MarshalJSON() ([]byte, error) {
+	str, err := Http_2RpcMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Param
+func (this *Param) UnmarshalJSON(b []byte) error {
+	return Http_2RpcUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for GrpcService
+func (this *GrpcService) MarshalJSON() ([]byte, error) {
+	str, err := Http_2RpcMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for GrpcService
+func (this *GrpcService) UnmarshalJSON(b []byte) error {
+	return Http_2RpcUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+var (
+	Http_2RpcMarshaler   = &github_com_gogo_protobuf_jsonpb.Marshaler{}
+	Http_2RpcUnmarshaler = &github_com_gogo_protobuf_jsonpb.Unmarshaler{AllowUnknownFields: true}
+)

api/networking/v1/mcp_bridge.pb.go

@@ -88,22 +88,26 @@ func (m *McpBridge) GetRegistries() []*RegistryConfig {
 }
 
 type RegistryConfig struct {
-	Type                 string   `protobuf:"bytes,1,opt,name=type,proto3" json:"type,omitempty"`
-	Name                 string   `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
-	Domain               string   `protobuf:"bytes,3,opt,name=domain,proto3" json:"domain,omitempty"`
-	Port                 uint32   `protobuf:"varint,4,opt,name=port,proto3" json:"port,omitempty"`
-	NacosAddressServer   string   `protobuf:"bytes,5,opt,name=nacosAddressServer,proto3" json:"nacosAddressServer,omitempty"`
-	NacosAccessKey       string   `protobuf:"bytes,6,opt,name=nacosAccessKey,proto3" json:"nacosAccessKey,omitempty"`
-	NacosSecretKey       string   `protobuf:"bytes,7,opt,name=nacosSecretKey,proto3" json:"nacosSecretKey,omitempty"`
-	NacosNamespaceId     string   `protobuf:"bytes,8,opt,name=nacosNamespaceId,proto3" json:"nacosNamespaceId,omitempty"`
-	NacosNamespace       string   `protobuf:"bytes,9,opt,name=nacosNamespace,proto3" json:"nacosNamespace,omitempty"`
-	NacosGroups          []string `protobuf:"bytes,10,rep,name=nacosGroups,proto3" json:"nacosGroups,omitempty"`
-	NacosRefreshInterval int64    `protobuf:"varint,11,opt,name=nacosRefreshInterval,proto3" json:"nacosRefreshInterval,omitempty"`
-	ConsulNamespace      string   `protobuf:"bytes,12,opt,name=consulNamespace,proto3" json:"consulNamespace,omitempty"`
-	ZkServicesPath       []string `protobuf:"bytes,13,rep,name=zkServicesPath,proto3" json:"zkServicesPath,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
+	Type                  string   `protobuf:"bytes,1,opt,name=type,proto3" json:"type,omitempty"`
+	Name                  string   `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
+	Domain                string   `protobuf:"bytes,3,opt,name=domain,proto3" json:"domain,omitempty"`
+	Port                  uint32   `protobuf:"varint,4,opt,name=port,proto3" json:"port,omitempty"`
+	NacosAddressServer    string   `protobuf:"bytes,5,opt,name=nacosAddressServer,proto3" json:"nacosAddressServer,omitempty"`
+	NacosAccessKey        string   `protobuf:"bytes,6,opt,name=nacosAccessKey,proto3" json:"nacosAccessKey,omitempty"`
+	NacosSecretKey        string   `protobuf:"bytes,7,opt,name=nacosSecretKey,proto3" json:"nacosSecretKey,omitempty"`
+	NacosNamespaceId      string   `protobuf:"bytes,8,opt,name=nacosNamespaceId,proto3" json:"nacosNamespaceId,omitempty"`
+	NacosNamespace        string   `protobuf:"bytes,9,opt,name=nacosNamespace,proto3" json:"nacosNamespace,omitempty"`
+	NacosGroups           []string `protobuf:"bytes,10,rep,name=nacosGroups,proto3" json:"nacosGroups,omitempty"`
+	NacosRefreshInterval  int64    `protobuf:"varint,11,opt,name=nacosRefreshInterval,proto3" json:"nacosRefreshInterval,omitempty"`
+	ConsulNamespace       string   `protobuf:"bytes,12,opt,name=consulNamespace,proto3" json:"consulNamespace,omitempty"`
+	ZkServicesPath        []string `protobuf:"bytes,13,rep,name=zkServicesPath,proto3" json:"zkServicesPath,omitempty"`
+	ConsulDatacenter      string   `protobuf:"bytes,14,opt,name=consulDatacenter,proto3" json:"consulDatacenter,omitempty"`
+	ConsulServiceTag      string   `protobuf:"bytes,15,opt,name=consulServiceTag,proto3" json:"consulServiceTag,omitempty"`
+	ConsulRefreshInterval int64    `protobuf:"varint,16,opt,name=consulRefreshInterval,proto3" json:"consulRefreshInterval,omitempty"`
+	AuthSecretName        string   `protobuf:"bytes,17,opt,name=authSecretName,proto3" json:"authSecretName,omitempty"`
+	XXX_NoUnkeyedLiteral  struct{} `json:"-"`
+	XXX_unrecognized      []byte   `json:"-"`
+	XXX_sizecache         int32    `json:"-"`
 }
 
 func (m *RegistryConfig) Reset()         { *m = RegistryConfig{} }
@@ -230,6 +234,34 @@ func (m *RegistryConfig) GetZkServicesPath() []string {
 	return nil
 }
 
+func (m *RegistryConfig) GetConsulDatacenter() string {
+	if m != nil {
+		return m.ConsulDatacenter
+	}
+	return ""
+}
+
+func (m *RegistryConfig) GetConsulServiceTag() string {
+	if m != nil {
+		return m.ConsulServiceTag
+	}
+	return ""
+}
+
+func (m *RegistryConfig) GetConsulRefreshInterval() int64 {
+	if m != nil {
+		return m.ConsulRefreshInterval
+	}
+	return 0
+}
+
+func (m *RegistryConfig) GetAuthSecretName() string {
+	if m != nil {
+		return m.AuthSecretName
+	}
+	return ""
+}
+
 func init() {
 	proto.RegisterType((*McpBridge)(nil), "higress.networking.v1.McpBridge")
 	proto.RegisterType((*RegistryConfig)(nil), "higress.networking.v1.RegistryConfig")
@@ -238,34 +270,37 @@ func init() {
 func init() { proto.RegisterFile("networking/v1/mcp_bridge.proto", fileDescriptor_3fcc59a15c34642d) }
 
 var fileDescriptor_3fcc59a15c34642d = []byte{
-	// 421 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x6c, 0x92, 0xd1, 0x8a, 0xd4, 0x30,
-	0x14, 0x86, 0xc9, 0x76, 0x1c, 0x9d, 0x8c, 0xbb, 0x4a, 0x50, 0x08, 0x22, 0x63, 0x59, 0x50, 0x8a,
-	0x48, 0xcb, 0xae, 0x77, 0xde, 0xed, 0x88, 0xc8, 0x22, 0x8a, 0x74, 0xef, 0xbc, 0x59, 0xd2, 0xf4,
-	0x4c, 0x1a, 0xb6, 0x4d, 0x42, 0x92, 0xa9, 0x8c, 0x4f, 0xe8, 0xa5, 0x8f, 0x20, 0x7d, 0x04, 0x9f,
-	0x40, 0x9a, 0x59, 0xbb, 0x9d, 0x71, 0xee, 0xda, 0xef, 0x7c, 0xf9, 0x73, 0x08, 0x3f, 0x5e, 0x28,
-	0xf0, 0xdf, 0xb5, 0xbd, 0x91, 0x4a, 0x64, 0xed, 0x59, 0xd6, 0x70, 0x73, 0x5d, 0x58, 0x59, 0x0a,
-	0x48, 0x8d, 0xd5, 0x5e, 0x93, 0xa7, 0x95, 0x14, 0x16, 0x9c, 0x4b, 0xef, 0xbc, 0xb4, 0x3d, 0x7b,
-	0xf6, 0x42, 0x68, 0x2d, 0x6a, 0xc8, 0x98, 0x91, 0xd9, 0x4a, 0x42, 0x5d, 0x5e, 0x17, 0x50, 0xb1,
-	0x56, 0x6a, 0xbb, 0x3d, 0x77, 0x9a, 0xe3, 0xd9, 0x67, 0x6e, 0x96, 0x21, 0x8a, 0x7c, 0xc0, 0xd8,
-	0x82, 0x90, 0xce, 0x5b, 0x09, 0x8e, 0xa2, 0x38, 0x4a, 0xe6, 0xe7, 0x2f, 0xd3, 0x83, 0xc9, 0x69,
-	0xbe, 0x15, 0x37, 0xef, 0xb5, 0x5a, 0x49, 0x91, 0x8f, 0x0e, 0x9e, 0xfe, 0x89, 0xf0, 0xc9, 0xee,
-	0x98, 0x50, 0x3c, 0xf1, 0x1b, 0x03, 0x14, 0xc5, 0x28, 0x99, 0x2d, 0x27, 0xdd, 0x05, 0x3a, 0xca,
-	0x03, 0x21, 0x04, 0x4f, 0x14, 0x6b, 0x80, 0x1e, 0xf5, 0x93, 0x3c, 0x7c, 0x93, 0xe7, 0x78, 0x5a,
-	0xea, 0x86, 0x49, 0x45, 0xa3, 0x91, 0x7f, 0xcb, 0xfa, 0x2c, 0xa3, 0xad, 0xa7, 0x93, 0x18, 0x25,
-	0xc7, 0xff, 0xb2, 0x7a, 0x42, 0x52, 0x4c, 0x14, 0xe3, 0xda, 0x5d, 0x94, 0x65, 0xbf, 0xf1, 0x15,
-	0xd8, 0x16, 0x2c, 0xbd, 0x17, 0x92, 0x0f, 0x4c, 0xc8, 0x2b, 0x7c, 0xb2, 0xa5, 0x9c, 0x83, 0x73,
-	0x9f, 0x60, 0x43, 0xa7, 0xc1, 0xdd, 0xa3, 0x83, 0x77, 0x05, 0xdc, 0x82, 0xef, 0xbd, 0xfb, 0x23,
-	0x6f, 0xa0, 0xe4, 0x35, 0x7e, 0x1c, 0xc8, 0x17, 0xd6, 0x80, 0x33, 0x8c, 0xc3, 0x65, 0x49, 0x1f,
-	0x04, 0xf3, 0x3f, 0x3e, 0x64, 0x0e, 0x8c, 0xce, 0x46, 0x99, 0x03, 0x25, 0x31, 0x9e, 0x07, 0xf2,
-	0xd1, 0xea, 0xb5, 0x71, 0x14, 0xc7, 0x51, 0x32, 0xcb, 0xc7, 0x88, 0x9c, 0xe3, 0x27, 0xe1, 0x37,
-	0x87, 0x95, 0x05, 0x57, 0x5d, 0x2a, 0x0f, 0xb6, 0x65, 0x35, 0x9d, 0xc7, 0x28, 0x89, 0xf2, 0x83,
-	0x33, 0x92, 0xe0, 0x47, 0x5c, 0x2b, 0xb7, 0xae, 0xef, 0xae, 0x7f, 0x18, 0xae, 0xdf, 0xc7, 0xfd,
-	0x9e, 0x3f, 0x6e, 0xfa, 0xf7, 0x92, 0x1c, 0xdc, 0x57, 0xe6, 0x2b, 0x7a, 0x1c, 0x56, 0xd8, 0xa3,
-	0xcb, 0x77, 0x3f, 0xbb, 0x05, 0xfa, 0xd5, 0x2d, 0xd0, 0xef, 0x6e, 0x81, 0xbe, 0xbd, 0x11, 0xd2,
-	0x57, 0xeb, 0x22, 0xe5, 0xba, 0xc9, 0x58, 0x2d, 0x0b, 0x56, 0xb0, 0xec, 0xb6, 0x47, 0xa1, 0x8b,
-	0x3b, 0x6d, 0x2e, 0xa6, 0xa1, 0x8b, 0x6f, 0xff, 0x06, 0x00, 0x00, 0xff, 0xff, 0xb9, 0x6f, 0xf7,
-	0xf0, 0xe5, 0x02, 0x00, 0x00,
+	// 477 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x6c, 0x93, 0xd1, 0x6e, 0xd3, 0x30,
+	0x14, 0x86, 0x95, 0xb5, 0x2b, 0xd4, 0x65, 0xdd, 0xb0, 0x98, 0x64, 0x21, 0x54, 0xa2, 0x49, 0xa0,
+	0x08, 0xa1, 0x44, 0x1b, 0x5c, 0x71, 0xb7, 0x02, 0x42, 0x13, 0x02, 0xa1, 0x8c, 0x2b, 0x6e, 0x26,
+	0xc7, 0x39, 0x75, 0xac, 0x26, 0x71, 0x64, 0xbb, 0x41, 0xe5, 0x89, 0x78, 0x14, 0x2e, 0x79, 0x04,
+	0xd4, 0x27, 0x41, 0x76, 0x4a, 0x9a, 0x86, 0xde, 0x25, 0xdf, 0xf9, 0xfd, 0x9f, 0xf3, 0x3b, 0x39,
+	0x68, 0x56, 0x82, 0xf9, 0x2e, 0xd5, 0x52, 0x94, 0x3c, 0xaa, 0x2f, 0xa3, 0x82, 0x55, 0x77, 0x89,
+	0x12, 0x29, 0x87, 0xb0, 0x52, 0xd2, 0x48, 0x7c, 0x9e, 0x09, 0xae, 0x40, 0xeb, 0x70, 0xa7, 0x0b,
+	0xeb, 0xcb, 0xc7, 0x4f, 0xb9, 0x94, 0x3c, 0x87, 0x88, 0x56, 0x22, 0x5a, 0x08, 0xc8, 0xd3, 0xbb,
+	0x04, 0x32, 0x5a, 0x0b, 0xa9, 0x9a, 0x73, 0x17, 0x31, 0x1a, 0x7f, 0x62, 0xd5, 0xdc, 0x59, 0xe1,
+	0xf7, 0x08, 0x29, 0xe0, 0x42, 0x1b, 0x25, 0x40, 0x13, 0xcf, 0x1f, 0x04, 0x93, 0xab, 0x67, 0xe1,
+	0x41, 0xe7, 0x30, 0x6e, 0x84, 0xeb, 0xb7, 0xb2, 0x5c, 0x08, 0x1e, 0x77, 0x0e, 0x5e, 0xfc, 0x3c,
+	0x46, 0xd3, 0xfd, 0x32, 0x26, 0x68, 0x68, 0xd6, 0x15, 0x10, 0xcf, 0xf7, 0x82, 0xf1, 0x7c, 0xb8,
+	0xb9, 0xf6, 0x8e, 0x62, 0x47, 0x30, 0x46, 0xc3, 0x92, 0x16, 0x40, 0x8e, 0x6c, 0x25, 0x76, 0xcf,
+	0xf8, 0x09, 0x1a, 0xa5, 0xb2, 0xa0, 0xa2, 0x24, 0x83, 0x8e, 0x7e, 0xcb, 0xac, 0x57, 0x25, 0x95,
+	0x21, 0x43, 0xdf, 0x0b, 0x4e, 0xfe, 0x79, 0x59, 0x82, 0x43, 0x84, 0x4b, 0xca, 0xa4, 0xbe, 0x4e,
+	0x53, 0x3b, 0xf1, 0x2d, 0xa8, 0x1a, 0x14, 0x39, 0x76, 0xce, 0x07, 0x2a, 0xf8, 0x39, 0x9a, 0x36,
+	0x94, 0x31, 0xd0, 0xfa, 0x23, 0xac, 0xc9, 0xc8, 0x69, 0x7b, 0xb4, 0xd5, 0xdd, 0x02, 0x53, 0x60,
+	0xac, 0xee, 0x5e, 0x47, 0xd7, 0x52, 0xfc, 0x02, 0x9d, 0x39, 0xf2, 0x99, 0x16, 0xa0, 0x2b, 0xca,
+	0xe0, 0x26, 0x25, 0xf7, 0x9d, 0xf2, 0x3f, 0xde, 0x7a, 0xb6, 0x8c, 0x8c, 0x3b, 0x9e, 0x2d, 0xc5,
+	0x3e, 0x9a, 0x38, 0xf2, 0x41, 0xc9, 0x55, 0xa5, 0x09, 0xf2, 0x07, 0xc1, 0x38, 0xee, 0x22, 0x7c,
+	0x85, 0x1e, 0xb9, 0xd7, 0x18, 0x16, 0x0a, 0x74, 0x76, 0x53, 0x1a, 0x50, 0x35, 0xcd, 0xc9, 0xc4,
+	0xf7, 0x82, 0x41, 0x7c, 0xb0, 0x86, 0x03, 0x74, 0xca, 0x64, 0xa9, 0x57, 0xf9, 0xae, 0xfd, 0x03,
+	0xd7, 0xbe, 0x8f, 0xed, 0x9c, 0x3f, 0x96, 0xf6, 0xbe, 0x04, 0x03, 0xfd, 0x85, 0x9a, 0x8c, 0x9c,
+	0xb8, 0x11, 0x7a, 0xd4, 0x66, 0x6f, 0x8e, 0xbe, 0xa3, 0x86, 0x32, 0xb0, 0x8d, 0xc8, 0xb4, 0xc9,
+	0xde, 0xe7, 0x3b, 0xed, 0xd6, 0xe1, 0x2b, 0xe5, 0xe4, 0xb4, 0xab, 0xdd, 0x71, 0xfc, 0x1a, 0x9d,
+	0x37, 0xac, 0x1f, 0xef, 0xcc, 0xc5, 0x3b, 0x5c, 0xb4, 0x53, 0xd3, 0x95, 0xc9, 0x9a, 0x4f, 0x63,
+	0xc3, 0x90, 0x87, 0xcd, 0xed, 0xee, 0xd3, 0xf9, 0x9b, 0x5f, 0x9b, 0x99, 0xf7, 0x7b, 0x33, 0xf3,
+	0xfe, 0x6c, 0x66, 0xde, 0xb7, 0x97, 0x5c, 0x98, 0x6c, 0x95, 0x84, 0x4c, 0x16, 0x11, 0xcd, 0x45,
+	0x42, 0x13, 0x1a, 0x6d, 0xff, 0x7e, 0xb7, 0x41, 0x7b, 0x3b, 0x98, 0x8c, 0xdc, 0x06, 0xbd, 0xfa,
+	0x1b, 0x00, 0x00, 0xff, 0xff, 0x21, 0x2e, 0x82, 0x0a, 0x9b, 0x03, 0x00, 0x00,
 }
 
 func (m *McpBridge) Marshal() (dAtA []byte, err error) {
@@ -333,6 +368,36 @@ func (m *RegistryConfig) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
+	if len(m.AuthSecretName) > 0 {
+		i -= len(m.AuthSecretName)
+		copy(dAtA[i:], m.AuthSecretName)
+		i = encodeVarintMcpBridge(dAtA, i, uint64(len(m.AuthSecretName)))
+		i--
+		dAtA[i] = 0x1
+		i--
+		dAtA[i] = 0x8a
+	}
+	if m.ConsulRefreshInterval != 0 {
+		i = encodeVarintMcpBridge(dAtA, i, uint64(m.ConsulRefreshInterval))
+		i--
+		dAtA[i] = 0x1
+		i--
+		dAtA[i] = 0x80
+	}
+	if len(m.ConsulServiceTag) > 0 {
+		i -= len(m.ConsulServiceTag)
+		copy(dAtA[i:], m.ConsulServiceTag)
+		i = encodeVarintMcpBridge(dAtA, i, uint64(len(m.ConsulServiceTag)))
+		i--
+		dAtA[i] = 0x7a
+	}
+	if len(m.ConsulDatacenter) > 0 {
+		i -= len(m.ConsulDatacenter)
+		copy(dAtA[i:], m.ConsulDatacenter)
+		i = encodeVarintMcpBridge(dAtA, i, uint64(len(m.ConsulDatacenter)))
+		i--
+		dAtA[i] = 0x72
+	}
 	if len(m.ZkServicesPath) > 0 {
 		for iNdEx := len(m.ZkServicesPath) - 1; iNdEx >= 0; iNdEx-- {
 			i -= len(m.ZkServicesPath[iNdEx])
@@ -516,6 +581,21 @@ func (m *RegistryConfig) Size() (n int) {
 			n += 1 + l + sovMcpBridge(uint64(l))
 		}
 	}
+	l = len(m.ConsulDatacenter)
+	if l > 0 {
+		n += 1 + l + sovMcpBridge(uint64(l))
+	}
+	l = len(m.ConsulServiceTag)
+	if l > 0 {
+		n += 1 + l + sovMcpBridge(uint64(l))
+	}
+	if m.ConsulRefreshInterval != 0 {
+		n += 2 + sovMcpBridge(uint64(m.ConsulRefreshInterval))
+	}
+	l = len(m.AuthSecretName)
+	if l > 0 {
+		n += 2 + l + sovMcpBridge(uint64(l))
+	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@@ -1032,6 +1112,121 @@ func (m *RegistryConfig) Unmarshal(dAtA []byte) error {
 			}
 			m.ZkServicesPath = append(m.ZkServicesPath, string(dAtA[iNdEx:postIndex]))
 			iNdEx = postIndex
+		case 14:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ConsulDatacenter", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowMcpBridge
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthMcpBridge
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthMcpBridge
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ConsulDatacenter = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 15:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ConsulServiceTag", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowMcpBridge
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthMcpBridge
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthMcpBridge
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ConsulServiceTag = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 16:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ConsulRefreshInterval", wireType)
+			}
+			m.ConsulRefreshInterval = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowMcpBridge
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ConsulRefreshInterval |= int64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 17:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AuthSecretName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowMcpBridge
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthMcpBridge
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthMcpBridge
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.AuthSecretName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipMcpBridge(dAtA[iNdEx:])

api/networking/v1/mcp_bridge.proto

@@ -60,4 +60,8 @@ message RegistryConfig {
   int64 nacosRefreshInterval = 11;
   string consulNamespace = 12;
   repeated string zkServicesPath = 13;
+  string consulDatacenter  = 14;
+  string consulServiceTag = 15;
+  int64  consulRefreshInterval = 16;
+  string authSecretName = 17;
 }

client/pkg/apis/networking/v1/register.gen.go

@@ -41,6 +41,8 @@ func Resource(resource string) schema.GroupResource {
 
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
+		&Http2Rpc{},
+		&Http2RpcList{},
 		&McpBridge{},
 		&McpBridgeList{},
 	)

client/pkg/apis/networking/v1/types.gen.go

@@ -25,6 +25,48 @@ import (
 // please upgrade the proto package
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
+// <!-- crd generation tags
+// +cue-gen:Http2Rpc:groupName:networking.higress.io
+// +cue-gen:Http2Rpc:version:v1
+// +cue-gen:Http2Rpc:storageVersion
+// +cue-gen:Http2Rpc:annotations:helm.sh/resource-policy=keep
+// +cue-gen:Http2Rpc:subresource:status
+// +cue-gen:Http2Rpc:scope:Namespaced
+// +cue-gen:Http2Rpc:resource:categories=higress-io,plural=http2rpcs
+// +cue-gen:Http2Rpc:preserveUnknownFields:false
+// -->
+//
+// <!-- go code generation tags
+// +kubetype-gen
+// +kubetype-gen:groupVersion=networking.higress.io/v1
+// +genclient
+// +k8s:deepcopy-gen=true
+// -->
+type Http2Rpc struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec defines the implementation of this definition.
+	// +optional
+	Spec networkingv1.Http2Rpc `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	Status v1alpha1.IstioStatus `json:"status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Http2RpcList is a collection of Http2Rpcs.
+type Http2RpcList struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+	Items           []Http2Rpc `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// please upgrade the proto package
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
 // <!-- crd generation tags
 // +cue-gen:McpBridge:groupName:networking.higress.io
 // +cue-gen:McpBridge:version:v1

client/pkg/apis/networking/v1/zz_generated.deepcopy.gen.go

@@ -23,6 +23,67 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Http2Rpc) DeepCopyInto(out *Http2Rpc) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Http2Rpc.
+func (in *Http2Rpc) DeepCopy() *Http2Rpc {
+	if in == nil {
+		return nil
+	}
+	out := new(Http2Rpc)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Http2Rpc) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Http2RpcList) DeepCopyInto(out *Http2RpcList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Http2Rpc, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Http2RpcList.
+func (in *Http2RpcList) DeepCopy() *Http2RpcList {
+	if in == nil {
+		return nil
+	}
+	out := new(Http2RpcList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Http2RpcList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *McpBridge) DeepCopyInto(out *McpBridge) {
 	*out = *in

client/pkg/clientset/versioned/typed/networking/v1/fake/fake_http2rpc.gen.go

@@ -0,0 +1,140 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	networkingv1 "github.com/alibaba/higress/client/pkg/apis/networking/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeHttp2Rpcs implements Http2RpcInterface
+type FakeHttp2Rpcs struct {
+	Fake *FakeNetworkingV1
+	ns   string
+}
+
+var http2rpcsResource = schema.GroupVersionResource{Group: "networking.higress.io", Version: "v1", Resource: "http2rpcs"}
+
+var http2rpcsKind = schema.GroupVersionKind{Group: "networking.higress.io", Version: "v1", Kind: "Http2Rpc"}
+
+// Get takes name of the http2Rpc, and returns the corresponding http2Rpc object, and an error if there is any.
+func (c *FakeHttp2Rpcs) Get(ctx context.Context, name string, options v1.GetOptions) (result *networkingv1.Http2Rpc, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(http2rpcsResource, c.ns, name), &networkingv1.Http2Rpc{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*networkingv1.Http2Rpc), err
+}
+
+// List takes label and field selectors, and returns the list of Http2Rpcs that match those selectors.
+func (c *FakeHttp2Rpcs) List(ctx context.Context, opts v1.ListOptions) (result *networkingv1.Http2RpcList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(http2rpcsResource, http2rpcsKind, c.ns, opts), &networkingv1.Http2RpcList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &networkingv1.Http2RpcList{ListMeta: obj.(*networkingv1.Http2RpcList).ListMeta}
+	for _, item := range obj.(*networkingv1.Http2RpcList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested http2Rpcs.
+func (c *FakeHttp2Rpcs) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(http2rpcsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a http2Rpc and creates it.  Returns the server's representation of the http2Rpc, and an error, if there is any.
+func (c *FakeHttp2Rpcs) Create(ctx context.Context, http2Rpc *networkingv1.Http2Rpc, opts v1.CreateOptions) (result *networkingv1.Http2Rpc, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(http2rpcsResource, c.ns, http2Rpc), &networkingv1.Http2Rpc{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*networkingv1.Http2Rpc), err
+}
+
+// Update takes the representation of a http2Rpc and updates it. Returns the server's representation of the http2Rpc, and an error, if there is any.
+func (c *FakeHttp2Rpcs) Update(ctx context.Context, http2Rpc *networkingv1.Http2Rpc, opts v1.UpdateOptions) (result *networkingv1.Http2Rpc, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(http2rpcsResource, c.ns, http2Rpc), &networkingv1.Http2Rpc{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*networkingv1.Http2Rpc), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeHttp2Rpcs) UpdateStatus(ctx context.Context, http2Rpc *networkingv1.Http2Rpc, opts v1.UpdateOptions) (*networkingv1.Http2Rpc, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(http2rpcsResource, "status", c.ns, http2Rpc), &networkingv1.Http2Rpc{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*networkingv1.Http2Rpc), err
+}
+
+// Delete takes name of the http2Rpc and deletes it. Returns an error if one occurs.
+func (c *FakeHttp2Rpcs) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(http2rpcsResource, c.ns, name), &networkingv1.Http2Rpc{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeHttp2Rpcs) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(http2rpcsResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &networkingv1.Http2RpcList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched http2Rpc.
+func (c *FakeHttp2Rpcs) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *networkingv1.Http2Rpc, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(http2rpcsResource, c.ns, name, pt, data, subresources...), &networkingv1.Http2Rpc{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*networkingv1.Http2Rpc), err
+}

client/pkg/clientset/versioned/typed/networking/v1/fake/fake_networking_client.gen.go

@@ -26,6 +26,10 @@ type FakeNetworkingV1 struct {
 	*testing.Fake
 }
 
+func (c *FakeNetworkingV1) Http2Rpcs(namespace string) v1.Http2RpcInterface {
+	return &FakeHttp2Rpcs{c, namespace}
+}
+
 func (c *FakeNetworkingV1) McpBridges(namespace string) v1.McpBridgeInterface {
 	return &FakeMcpBridges{c, namespace}
 }

client/pkg/clientset/versioned/typed/networking/v1/generated_expansion.gen.go

@@ -16,4 +16,6 @@
 
 package v1
 
+type Http2RpcExpansion interface{}
+
 type McpBridgeExpansion interface{}

client/pkg/clientset/versioned/typed/networking/v1/http2rpc.gen.go

@@ -0,0 +1,193 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	"context"
+	"time"
+
+	v1 "github.com/alibaba/higress/client/pkg/apis/networking/v1"
+	scheme "github.com/alibaba/higress/client/pkg/clientset/versioned/scheme"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// Http2RpcsGetter has a method to return a Http2RpcInterface.
+// A group's client should implement this interface.
+type Http2RpcsGetter interface {
+	Http2Rpcs(namespace string) Http2RpcInterface
+}
+
+// Http2RpcInterface has methods to work with Http2Rpc resources.
+type Http2RpcInterface interface {
+	Create(ctx context.Context, http2Rpc *v1.Http2Rpc, opts metav1.CreateOptions) (*v1.Http2Rpc, error)
+	Update(ctx context.Context, http2Rpc *v1.Http2Rpc, opts metav1.UpdateOptions) (*v1.Http2Rpc, error)
+	UpdateStatus(ctx context.Context, http2Rpc *v1.Http2Rpc, opts metav1.UpdateOptions) (*v1.Http2Rpc, error)
+	Delete(ctx context.Context, name string, opts metav1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error
+	Get(ctx context.Context, name string, opts metav1.GetOptions) (*v1.Http2Rpc, error)
+	List(ctx context.Context, opts metav1.ListOptions) (*v1.Http2RpcList, error)
+	Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts metav1.PatchOptions, subresources ...string) (result *v1.Http2Rpc, err error)
+	Http2RpcExpansion
+}
+
+// http2Rpcs implements Http2RpcInterface
+type http2Rpcs struct {
+	client rest.Interface
+	ns     string
+}
+
+// newHttp2Rpcs returns a Http2Rpcs
+func newHttp2Rpcs(c *NetworkingV1Client, namespace string) *http2Rpcs {
+	return &http2Rpcs{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the http2Rpc, and returns the corresponding http2Rpc object, and an error if there is any.
+func (c *http2Rpcs) Get(ctx context.Context, name string, options metav1.GetOptions) (result *v1.Http2Rpc, err error) {
+	result = &v1.Http2Rpc{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("http2rpcs").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of Http2Rpcs that match those selectors.
+func (c *http2Rpcs) List(ctx context.Context, opts metav1.ListOptions) (result *v1.Http2RpcList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1.Http2RpcList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("http2rpcs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested http2Rpcs.
+func (c *http2Rpcs) Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("http2rpcs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a http2Rpc and creates it.  Returns the server's representation of the http2Rpc, and an error, if there is any.
+func (c *http2Rpcs) Create(ctx context.Context, http2Rpc *v1.Http2Rpc, opts metav1.CreateOptions) (result *v1.Http2Rpc, err error) {
+	result = &v1.Http2Rpc{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("http2rpcs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(http2Rpc).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a http2Rpc and updates it. Returns the server's representation of the http2Rpc, and an error, if there is any.
+func (c *http2Rpcs) Update(ctx context.Context, http2Rpc *v1.Http2Rpc, opts metav1.UpdateOptions) (result *v1.Http2Rpc, err error) {
+	result = &v1.Http2Rpc{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("http2rpcs").
+		Name(http2Rpc.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(http2Rpc).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *http2Rpcs) UpdateStatus(ctx context.Context, http2Rpc *v1.Http2Rpc, opts metav1.UpdateOptions) (result *v1.Http2Rpc, err error) {
+	result = &v1.Http2Rpc{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("http2rpcs").
+		Name(http2Rpc.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(http2Rpc).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the http2Rpc and deletes it. Returns an error if one occurs.
+func (c *http2Rpcs) Delete(ctx context.Context, name string, opts metav1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("http2rpcs").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *http2Rpcs) DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("http2rpcs").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched http2Rpc.
+func (c *http2Rpcs) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts metav1.PatchOptions, subresources ...string) (result *v1.Http2Rpc, err error) {
+	result = &v1.Http2Rpc{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("http2rpcs").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}

client/pkg/clientset/versioned/typed/networking/v1/networking_client.gen.go

@@ -24,6 +24,7 @@ import (
 
 type NetworkingV1Interface interface {
 	RESTClient() rest.Interface
+	Http2RpcsGetter
 	McpBridgesGetter
 }
 
@@ -32,6 +33,10 @@ type NetworkingV1Client struct {
 	restClient rest.Interface
 }
 
+func (c *NetworkingV1Client) Http2Rpcs(namespace string) Http2RpcInterface {
+	return newHttp2Rpcs(c, namespace)
+}
+
 func (c *NetworkingV1Client) McpBridges(namespace string) McpBridgeInterface {
 	return newMcpBridges(c, namespace)
 }

client/pkg/informers/externalversions/generic.gen.go

@@ -56,6 +56,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Extensions().V1alpha1().WasmPlugins().Informer()}, nil
 
 		// Group=networking.higress.io, Version=v1
+	case v1.SchemeGroupVersion.WithResource("http2rpcs"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Networking().V1().Http2Rpcs().Informer()}, nil
 	case v1.SchemeGroupVersion.WithResource("mcpbridges"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Networking().V1().McpBridges().Informer()}, nil
 

client/pkg/informers/externalversions/networking/v1/http2rpc.gen.go

@@ -0,0 +1,88 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	"context"
+	time "time"
+
+	networkingv1 "github.com/alibaba/higress/client/pkg/apis/networking/v1"
+	versioned "github.com/alibaba/higress/client/pkg/clientset/versioned"
+	internalinterfaces "github.com/alibaba/higress/client/pkg/informers/externalversions/internalinterfaces"
+	v1 "github.com/alibaba/higress/client/pkg/listers/networking/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// Http2RpcInformer provides access to a shared informer and lister for
+// Http2Rpcs.
+type Http2RpcInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1.Http2RpcLister
+}
+
+type http2RpcInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewHttp2RpcInformer constructs a new informer for Http2Rpc type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewHttp2RpcInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredHttp2RpcInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredHttp2RpcInformer constructs a new informer for Http2Rpc type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredHttp2RpcInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.NetworkingV1().Http2Rpcs(namespace).List(context.TODO(), options)
+			},
+			WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.NetworkingV1().Http2Rpcs(namespace).Watch(context.TODO(), options)
+			},
+		},
+		&networkingv1.Http2Rpc{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *http2RpcInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredHttp2RpcInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *http2RpcInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&networkingv1.Http2Rpc{}, f.defaultInformer)
+}
+
+func (f *http2RpcInformer) Lister() v1.Http2RpcLister {
+	return v1.NewHttp2RpcLister(f.Informer().GetIndexer())
+}

client/pkg/informers/externalversions/networking/v1/interface.gen.go

@@ -22,6 +22,8 @@ import (
 
 // Interface provides access to all the informers in this group version.
 type Interface interface {
+	// Http2Rpcs returns a Http2RpcInformer.
+	Http2Rpcs() Http2RpcInformer
 	// McpBridges returns a McpBridgeInformer.
 	McpBridges() McpBridgeInformer
 }
@@ -37,6 +39,11 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
 
+// Http2Rpcs returns a Http2RpcInformer.
+func (v *version) Http2Rpcs() Http2RpcInformer {
+	return &http2RpcInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
+
 // McpBridges returns a McpBridgeInformer.
 func (v *version) McpBridges() McpBridgeInformer {
 	return &mcpBridgeInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}

client/pkg/listers/networking/v1/expansion_generated.gen.go

@@ -16,6 +16,14 @@
 
 package v1
 
+// Http2RpcListerExpansion allows custom methods to be added to
+// Http2RpcLister.
+type Http2RpcListerExpansion interface{}
+
+// Http2RpcNamespaceListerExpansion allows custom methods to be added to
+// Http2RpcNamespaceLister.
+type Http2RpcNamespaceListerExpansion interface{}
+
 // McpBridgeListerExpansion allows custom methods to be added to
 // McpBridgeLister.
 type McpBridgeListerExpansion interface{}

client/pkg/listers/networking/v1/http2rpc.gen.go

@@ -0,0 +1,92 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	v1 "github.com/alibaba/higress/client/pkg/apis/networking/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// Http2RpcLister helps list Http2Rpcs.
+type Http2RpcLister interface {
+	// List lists all Http2Rpcs in the indexer.
+	List(selector labels.Selector) (ret []*v1.Http2Rpc, err error)
+	// Http2Rpcs returns an object that can list and get Http2Rpcs.
+	Http2Rpcs(namespace string) Http2RpcNamespaceLister
+	Http2RpcListerExpansion
+}
+
+// http2RpcLister implements the Http2RpcLister interface.
+type http2RpcLister struct {
+	indexer cache.Indexer
+}
+
+// NewHttp2RpcLister returns a new Http2RpcLister.
+func NewHttp2RpcLister(indexer cache.Indexer) Http2RpcLister {
+	return &http2RpcLister{indexer: indexer}
+}
+
+// List lists all Http2Rpcs in the indexer.
+func (s *http2RpcLister) List(selector labels.Selector) (ret []*v1.Http2Rpc, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1.Http2Rpc))
+	})
+	return ret, err
+}
+
+// Http2Rpcs returns an object that can list and get Http2Rpcs.
+func (s *http2RpcLister) Http2Rpcs(namespace string) Http2RpcNamespaceLister {
+	return http2RpcNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// Http2RpcNamespaceLister helps list and get Http2Rpcs.
+type Http2RpcNamespaceLister interface {
+	// List lists all Http2Rpcs in the indexer for a given namespace.
+	List(selector labels.Selector) (ret []*v1.Http2Rpc, err error)
+	// Get retrieves the Http2Rpc from the indexer for a given namespace and name.
+	Get(name string) (*v1.Http2Rpc, error)
+	Http2RpcNamespaceListerExpansion
+}
+
+// http2RpcNamespaceLister implements the Http2RpcNamespaceLister
+// interface.
+type http2RpcNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all Http2Rpcs in the indexer for a given namespace.
+func (s http2RpcNamespaceLister) List(selector labels.Selector) (ret []*v1.Http2Rpc, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1.Http2Rpc))
+	})
+	return ret, err
+}
+
+// Get retrieves the Http2Rpc from the indexer for a given namespace and name.
+func (s http2RpcNamespaceLister) Get(name string) (*v1.Http2Rpc, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1.Resource("http2rpc"), name)
+	}
+	return obj.(*v1.Http2Rpc), nil
+}

cmd/hgctl/main.go

@@ -12,16 +12,18 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package flags
+package main
 
 import (
-	"flag"
+	"fmt"
+	"os"
+
+	"github.com/alibaba/higress/pkg/cmd/hgctl"
 )
 
-var (
-	IngressClassName     = flag.String("ingress-class", "higress", "Name of IngressClass to use for tests")
-	ShowDebug            = flag.Bool("debug", false, "Whether to print debug logs")
-	CleanupBaseResources = flag.Bool("cleanup-base-resources", true, "Whether to cleanup base test resources after the run")
-	SupportedFeatures    = flag.String("supported-features", "", "Supported features included in conformance tests suites")
-	ExemptFeatures       = flag.String("exempt-features", "", "Exempt Features excluded from conformance tests suites")
-)
+func main() {
+	if err := hgctl.GetRootCommand().Execute(); err != nil {
+		_, _ = fmt.Fprintln(os.Stderr, err)
+		os.Exit(1)
+	}
+}

cmd/higress/main.go

@@ -17,119 +17,13 @@ package main
 import (
 	"fmt"
 	"os"
-	"time"
 
-	"github.com/spf13/cobra"
-	"istio.io/istio/pilot/pkg/features"
-	"istio.io/istio/pkg/cmd"
-	"istio.io/istio/pkg/config/constants"
-	"istio.io/istio/pkg/keepalive"
-	"istio.io/pkg/log"
-	"istio.io/pkg/version"
-
-	"github.com/alibaba/higress/pkg/bootstrap"
-	innerconstants "github.com/alibaba/higress/pkg/config/constants"
+	"github.com/alibaba/higress/pkg/cmd"
 )
 
-var (
-	serverArgs     *bootstrap.ServerArgs
-	loggingOptions = log.DefaultOptions()
-
-	serverProvider = func(args *bootstrap.ServerArgs) (bootstrap.ServerInterface, error) {
-		return bootstrap.NewServer(serverArgs)
-	}
-
-	waitForMonitorSignal = func(stop chan struct{}) {
-		cmd.WaitSignal(stop)
-	}
-
-	rootCmd = &cobra.Command{
-		Use: "higress",
-	}
-
-	serveCmd = &cobra.Command{
-		Use:     "serve",
-		Aliases: []string{"serve"},
-		Short:   "Starts the higress ingress controller",
-		Example: "higress serve",
-		PreRunE: func(c *cobra.Command, args []string) error {
-			return log.Configure(loggingOptions)
-		},
-		RunE: func(c *cobra.Command, args []string) error {
-			cmd.PrintFlags(c.Flags())
-			log.Infof("Version %s", version.Info.String())
-
-			stop := make(chan struct{})
-
-			server, err := serverProvider(serverArgs)
-			if err != nil {
-				return fmt.Errorf("fail to create higress server: %v", err)
-			}
-
-			if err := server.Start(stop); err != nil {
-				return fmt.Errorf("fail to start higress server: %v", err)
-			}
-
-			waitForMonitorSignal(stop)
-
-			server.WaitUntilCompletion()
-			return nil
-		},
-	}
-)
-
-func init() {
-	serverArgs = &bootstrap.ServerArgs{
-		Debug:                true,
-		NativeIstio:          true,
-		HttpAddress:          ":8888",
-		GrpcAddress:          ":15051",
-		GrpcKeepAliveOptions: keepalive.DefaultOption(),
-		XdsOptions: bootstrap.XdsOptions{
-			DebounceAfter:     features.DebounceAfter,
-			DebounceMax:       features.DebounceMax,
-			EnableEDSDebounce: features.EnableEDSDebounce,
-		},
-	}
-
-	serveCmd.PersistentFlags().StringVar(&serverArgs.GatewaySelectorKey, "gatewaySelectorKey", "higress", "gateway resource selector label key")
-	serveCmd.PersistentFlags().StringVar(&serverArgs.GatewaySelectorValue, "gatewaySelectorValue", "higress-gateway", "gateway resource selector label value")
-	serveCmd.PersistentFlags().BoolVar(&serverArgs.EnableStatus, "enableStatus", true, "enable the ingress status syncer which use to update the ip in ingress's status")
-	serveCmd.PersistentFlags().StringVar(&serverArgs.IngressClass, "ingressClass", innerconstants.DefaultIngressClass, "if not empty, only watch the ingresses have the specified class, otherwise watch all ingresses")
-	serveCmd.PersistentFlags().StringVar(&serverArgs.WatchNamespace, "watchNamespace", "", "if not empty, only wath the ingresses in the specified namespace, otherwise watch in all namespacees")
-	serveCmd.PersistentFlags().BoolVar(&serverArgs.Debug, "debug", serverArgs.Debug, "if true, enables more debug http api")
-	serveCmd.PersistentFlags().StringVar(&serverArgs.HttpAddress, "httpAddress", serverArgs.HttpAddress, "the http address")
-	serveCmd.PersistentFlags().StringVar(&serverArgs.GrpcAddress, "grpcAddress", serverArgs.GrpcAddress, "the grpc address")
-	serveCmd.PersistentFlags().BoolVar(&serverArgs.KeepStaleWhenEmpty, "keepStaleWhenEmpty", false, "keep the stale service entry when there are no endpoints in the service")
-	serveCmd.PersistentFlags().StringVar(&serverArgs.RegistryOptions.ClusterRegistriesNamespace, "clusterRegistriesNamespace",
-		serverArgs.RegistryOptions.ClusterRegistriesNamespace, "Namespace for ConfigMap which stores clusters configs")
-	serveCmd.PersistentFlags().StringVar(&serverArgs.RegistryOptions.KubeConfig, "kubeconfig", "",
-		"Use a Kubernetes configuration file instead of in-cluster configuration")
-	// RegistryOptions Controller options
-	serveCmd.PersistentFlags().DurationVar(&serverArgs.RegistryOptions.KubeOptions.ResyncPeriod, "resync", 60*time.Second,
-		"Controller resync interval")
-	serveCmd.PersistentFlags().StringVar(&serverArgs.RegistryOptions.KubeOptions.DomainSuffix, "domain", constants.DefaultKubernetesDomain,
-		"DNS domain suffix")
-	serveCmd.PersistentFlags().StringVar((*string)(&serverArgs.RegistryOptions.KubeOptions.ClusterID), "clusterID", "Kubernetes",
-		"The ID of the cluster that this instance resides")
-	serveCmd.PersistentFlags().StringToStringVar(&serverArgs.RegistryOptions.KubeOptions.ClusterAliases, "clusterAliases", map[string]string{},
-		"Alias names for clusters")
-	serveCmd.PersistentFlags().Float32Var(&serverArgs.RegistryOptions.KubeOptions.KubernetesAPIQPS, "kubernetesApiQPS", 80.0,
-		"Maximum QPS when communicating with the kubernetes API")
-
-	serveCmd.PersistentFlags().IntVar(&serverArgs.RegistryOptions.KubeOptions.KubernetesAPIBurst, "kubernetesApiBurst", 160,
-		"Maximum burst for throttle when communicating with the kubernetes API")
-
-	loggingOptions.AttachCobraFlags(serveCmd)
-	serverArgs.GrpcKeepAliveOptions.AttachCobraFlags(serveCmd)
-
-	rootCmd.AddCommand(serveCmd)
-}
-
 func main() {
-	log.EnableKlogWithCobra()
-	if err := rootCmd.Execute(); err != nil {
-		log.Error(err)
-		os.Exit(-1)
+	if err := cmd.GetRootCommand().Execute(); err != nil {
+		_, _ = fmt.Fprintln(os.Stderr, err)
+		os.Exit(1)
 	}
 }

docker/Dockerfile.base

@@ -0,0 +1,33 @@
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Do not add more stuff to this list that isn't small or critically useful.
+# If you occasionally need something on the container do
+# sudo apt-get update && apt-get whichever
+
+# hadolint ignore=DL3005,DL3008
+RUN apt-get update && \
+  apt-get install --no-install-recommends -y \
+  ca-certificates \
+  curl \
+  iptables \
+  iproute2 \
+  iputils-ping \
+  knot-dnsutils \
+  netcat \
+  tcpdump \
+  conntrack \
+  bsdmainutils \
+  net-tools \
+  lsof \
+  sudo \
+  && apt-get upgrade -y \
+  && apt-get clean \
+  && rm -rf /var/log/*log /var/lib/apt/lists/* /var/log/apt/* /var/lib/dpkg/*-old /var/cache/debconf/*-old \
+  && update-alternatives --set iptables /usr/sbin/iptables-legacy \
+  && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+
+# Sudoers used to allow tcpdump and other debug utilities.
+RUN useradd -m --uid 1337 istio-proxy && \
+  echo "istio-proxy ALL=NOPASSWD: ALL" >> /etc/sudoers

docker/Dockerfile.higress

@@ -7,9 +7,11 @@ ARG BASE_VERSION=latest
 ARG HUB
 
 # The following section is used as base image if BASE_DISTRIBUTION=debug
+# This base image is provided by istio, see: https://github.com/istio/istio/blob/master/docker/Dockerfile.base
 FROM ${HUB}/base:${BASE_VERSION}
 
 ARG TARGETARCH
+
 COPY ${TARGETARCH:-amd64}/higress /usr/local/bin/higress
 
 USER 1337:1337

docker/docker.mk

@@ -17,6 +17,12 @@ docker.higress: $(OUT_LINUX)/higress
 docker.higress: docker/Dockerfile.higress
 	$(HIGRESS_DOCKER_RULE)
 
+docker.higress-buildx: BUILD_ARGS=--build-arg BASE_VERSION=${BASE_VERSION} --build-arg HUB=${HUB}
+docker.higress-buildx: $(AMD64_OUT_LINUX)/higress
+docker.higress-buildx: $(ARM64_OUT_LINUX)/higress
+docker.higress-buildx: docker/Dockerfile.higress
+	$(HIGRESS_DOCKER_BUILDX_RULE)
+
 # DOCKER_BUILD_VARIANTS ?=debug distroless
 # Base images have two different forms:
 # * "debug", suffixed as -debug. This is a ubuntu based image with a bunch of debug tools
@@ -28,4 +34,7 @@ DOCKER_ALL_VARIANTS ?= debug distroless
 # This can be done with DOCKER_BUILD_VARIANTS="default debug" as well, but at the expense of building twice vs building once and tagging twice
 INCLUDE_UNTAGGED_DEFAULT ?= false
 DEFAULT_DISTRIBUTION=debug
-HIGRESS_DOCKER_RULE ?= $(foreach VARIANT,$(DOCKER_BUILD_VARIANTS), time (mkdir -p $(HIGRESS_DOCKER_BUILD_TOP)/$@ && TARGET_ARCH=$(TARGET_ARCH) ./docker/docker-copy.sh $^ $(HIGRESS_DOCKER_BUILD_TOP)/$@ && cd $(HIGRESS_DOCKER_BUILD_TOP)/$@ $(BUILD_PRE) && docker build $(BUILD_ARGS) --build-arg BASE_DISTRIBUTION=$(call normalize-tag,$(VARIANT)) -t $(HUB)/$(subst docker.,,$@):$(TAG)$(call variant-tag,$(VARIANT)) -f Dockerfile$(suffix $@) . ); )
+
+HIGRESS_DOCKER_BUILDX_RULE ?= $(foreach VARIANT,$(DOCKER_BUILD_VARIANTS), time (mkdir -p $(HIGRESS_DOCKER_BUILD_TOP)/$@ && TARGET_ARCH=$(TARGET_ARCH) ./docker/docker-copy.sh $^ $(HIGRESS_DOCKER_BUILD_TOP)/$@ && cd $(HIGRESS_DOCKER_BUILD_TOP)/$@ $(BUILD_PRE) && docker buildx create --name higress --node higress0 --platform linux/amd64,linux/arm64 --use && docker buildx build --no-cache --platform linux/amd64,linux/arm64 $(BUILD_ARGS) --build-arg BASE_DISTRIBUTION=$(call normalize-tag,$(VARIANT)) -t $(HUB)/higress:$(TAG)$(call variant-tag,$(VARIANT)) -f Dockerfile.higress . --push  ); )
+HIGRESS_DOCKER_RULE ?= $(foreach VARIANT,$(DOCKER_BUILD_VARIANTS), time (mkdir -p $(HIGRESS_DOCKER_BUILD_TOP)/$@ && TARGET_ARCH=$(TARGET_ARCH) ./docker/docker-copy.sh $^ $(HIGRESS_DOCKER_BUILD_TOP)/$@ && cd $(HIGRESS_DOCKER_BUILD_TOP)/$@ $(BUILD_PRE) && docker build $(BUILD_ARGS) --build-arg BASE_DISTRIBUTION=$(call normalize-tag,$(VARIANT)) -t $(HUB)/higress:$(TAG)$(call variant-tag,$(VARIANT)) -f Dockerfile.higress . ); )
+

envoy/1.20/patches/envoy/20230408-basic-auth.patch

@@ -0,0 +1,55 @@
+diff -Naur envoy/bazel/envoy_binary.bzl envoy-new/bazel/envoy_binary.bzl
+--- envoy/bazel/envoy_binary.bzl	2023-04-08 20:52:57.041729111 +0800
++++ envoy-new/bazel/envoy_binary.bzl	2023-04-08 20:50:53.657603065 +0800
+@@ -80,7 +80,7 @@
+         "@envoy//bazel:boringssl_fips": [],
+         "@envoy//bazel:windows_x86_64": [],
+         "//conditions:default": ["-pie"],
+-    }) + _envoy_select_exported_symbols(["-Wl,-E"])
++    }) + _envoy_select_exported_symbols(["-Wl,-E"]) + envoy_select_alimesh(["-lcrypt"])
+ 
+ def _envoy_stamped_deps():
+     return select({
+diff -Naur envoy/bazel/repositories.bzl envoy-new/bazel/repositories.bzl
+--- envoy/bazel/repositories.bzl	2023-04-08 20:52:57.085730582 +0800
++++ envoy-new/bazel/repositories.bzl	2023-04-08 20:27:20.110335884 +0800
+@@ -272,6 +272,8 @@
+         actual = "@bazel_tools//tools/cpp/runfiles",
+     )
+ 
++    _com_github_higress_wasm_extensions()
++
+ def _boringssl():
+     external_http_archive(
+         name = "boringssl",
+@@ -1066,6 +1068,17 @@
+         actual = "@com_github_wasm_c_api//:wasmtime_lib",
+     )
+ 
++def _com_github_higress_wasm_extensions():
++    native.local_repository(
++        name = "com_github_higress_wasm_extensions",
++        path = "../../wasm-cpp",
++    )
++
++    native.bind(
++        name = "basic_auth_lib",
++        actual = "@com_github_higress_wasm_extensions//extensions/basic_auth:basic_auth_lib",
++    )
++    
+ def _rules_fuzzing():
+     external_http_archive(
+         name = "rules_fuzzing",
+diff -Naur envoy/source/exe/BUILD envoy-new/source/exe/BUILD
+--- envoy/source/exe/BUILD	2023-04-08 20:52:57.053729512 +0800
++++ envoy-new/source/exe/BUILD	2023-04-08 19:48:37.420667254 +0800
+@@ -43,6 +43,9 @@
+         "//bazel:darwin": envoy_all_extensions(DARWIN_SKIP_TARGETS),
+         "//conditions:default": envoy_all_extensions(),
+     }),
++    alimesh_deps = [
++        "//external:basic_auth_lib",
++    ],
+ )
+ 
+ envoy_cc_library(

envoy/1.20/patches/envoy/20231008-fallback-origin-cluster.patch

@@ -0,0 +1,111 @@
+diff -Naur envoy/contrib/custom_cluster_plugins/cluster_fallback/source/filter.cc envoy-new/contrib/custom_cluster_plugins/cluster_fallback/source/filter.cc
+--- envoy/contrib/custom_cluster_plugins/cluster_fallback/source/filter.cc	2023-10-08 15:01:21.960871500 +0800
++++ envoy-new/contrib/custom_cluster_plugins/cluster_fallback/source/filter.cc	2023-09-27 17:03:41.613256338 +0800
+@@ -60,7 +60,7 @@
+ 
+   for (const auto& cluster_name : first_item->second) {
+     if (hasHealthHost(cluster_name)) {
+-      return base.clone(cluster_name);
++      return base.clone(cluster_name, first_item->first);
+     }
+   }
+ 
+@@ -75,7 +75,8 @@
+ 
+   auto search = clusters_config_.find(route_entry.clusterName());
+   if (search == clusters_config_.end()) {
+-    ENVOY_LOG(warn, "there is no fallback cluster config, the original routing cluster is returned");
++    ENVOY_LOG(warn,
++              "there is no fallback cluster config, the original routing cluster is returned");
+     return cluster_entry.getRouteConstSharedPtr();
+   }
+ 
+@@ -87,7 +88,7 @@
+ 
+   for (const auto& cluster_name : search->second) {
+     if (hasHealthHost(cluster_name)) {
+-      return cluster_entry.clone(cluster_name);
++      return cluster_entry.clone(cluster_name, search->first);
+     }
+   }
+ 
+diff -Naur envoy/source/common/http/headers.h envoy-new/source/common/http/headers.h
+--- envoy/source/common/http/headers.h	2023-10-08 15:01:21.968871828 +0800
++++ envoy-new/source/common/http/headers.h	2023-09-27 18:48:50.059419606 +0800
+@@ -124,6 +124,7 @@
+     const LowerCaseString TriStartTime{"req-start-time"};
+     const LowerCaseString TriRespStartTime{"resp-start-time"};
+     const LowerCaseString EnvoyOriginalHost{"original-host"};
++    const LowerCaseString HigressOriginalService{"x-higress-original-service"};
+   } AliExtendedValues;
+ #endif
+ };
+diff -Naur envoy/source/common/router/config_impl.cc envoy-new/source/common/router/config_impl.cc
+--- envoy/source/common/router/config_impl.cc	2023-10-08 15:01:21.968871828 +0800
++++ envoy-new/source/common/router/config_impl.cc	2023-09-27 18:49:18.656592237 +0800
+@@ -563,7 +563,6 @@
+         route.name());
+   }
+   // End Added
+-
+ }
+ 
+ bool RouteEntryImplBase::evaluateRuntimeMatch(const uint64_t random_value) const {
+@@ -662,6 +661,10 @@
+   }
+ 
+ #if defined(ALIMESH)
++  if (!origin_cluster_name_.empty()) {
++    headers.addCopy(Http::CustomHeaders::get().AliExtendedValues.HigressOriginalService,
++                    origin_cluster_name_);
++  }
+   headers.setReferenceKey(Http::CustomHeaders::get().AliExtendedValues.EnvoyOriginalHost,
+                           headers.getHostValue());
+ #endif
+diff -Naur envoy/source/common/router/config_impl.h envoy-new/source/common/router/config_impl.h
+--- envoy/source/common/router/config_impl.h	2023-10-08 15:01:21.968871828 +0800
++++ envoy-new/source/common/router/config_impl.h	2023-09-27 18:59:11.196893507 +0800
+@@ -584,9 +584,13 @@
+     return internal_active_redirect_policy_;
+   }
+ 
+-  RouteConstSharedPtr clone(const std::string& name) const {
+-    return std::make_shared<DynamicRouteEntry>(this, name);
++  RouteConstSharedPtr clone(const std::string& name, const std::string& origin_cluster = "") const {
++    auto entry = std::make_shared<DynamicRouteEntry>(this, name);
++    entry->setOriginClusterName(origin_cluster);
++    return entry;
+   }
++
++  void setOriginClusterName(const std::string& name) const { origin_cluster_name_ = name; }
+ #endif
+   uint32_t retryShadowBufferLimit() const override { return retry_shadow_buffer_limit_; }
+   const std::vector<ShadowPolicyPtr>& shadowPolicies() const override { return shadow_policies_; }
+@@ -787,11 +791,17 @@
+       return parent_->internalActiveRedirectPolicy();
+     }
+ 
+-    RouteConstSharedPtr clone(const std::string& name) const {
+-      return std::make_shared<Envoy::Router::RouteEntryImplBase::DynamicRouteEntry>(parent_, name);
++    RouteConstSharedPtr clone(const std::string& name,
++                              const std::string& origin_cluster = "") const {
++      auto entry =
++          std::make_shared<Envoy::Router::RouteEntryImplBase::DynamicRouteEntry>(parent_, name);
++      entry->setOriginClusterName(origin_cluster);
++      return entry;
+     }
+ 
+     virtual RouteConstSharedPtr getRouteConstSharedPtr() const { return shared_from_this(); }
++
++    void setOriginClusterName(const std::string& name) { parent_->setOriginClusterName(name); }
+ #endif
+ 
+   private:
+@@ -1039,6 +1049,7 @@
+ 
+ #if defined(ALIMESH)
+   const InternalActiveRedirectPoliciesImpl internal_active_redirect_policy_;
++  mutable std::string origin_cluster_name_;
+ #endif
+ };
+ 

go.mod

@@ -10,40 +10,61 @@ replace github.com/chzyer/logex => github.com/chzyer/logex v1.1.11-0.20170329064
 // Avoid pulling in incompatible libraries
 replace github.com/docker/distribution => github.com/docker/distribution v0.0.0-20191216044856-a8371794149d
 
-replace github.com/docker/docker => github.com/moby/moby v17.12.0-ce-rc1.0.20200618181300-9dc6525e6118+incompatible
-
 // Client-go does not handle different versions of mergo due to some breaking changes - use the matching version
 replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.5
 
 require (
+	github.com/AlecAivazis/survey/v2 v2.3.6
 	github.com/agiledragon/gomonkey/v2 v2.9.0
+	github.com/avast/retry-go/v4 v4.3.4
+	github.com/compose-spec/compose-go v1.8.2
+	github.com/docker/cli v20.10.20+incompatible
+	github.com/docker/compose/v2 v2.0.0-00010101000000-000000000000
+	github.com/docker/docker v20.10.20+incompatible
 	github.com/dubbogo/go-zookeeper v1.0.4-0.20211212162352-f9d2183d89d5
 	github.com/dubbogo/gost v1.13.1
 	github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1
+	github.com/fatih/color v1.14.1
+	github.com/fatih/structtag v1.2.0
 	github.com/gogo/protobuf v1.3.2
 	github.com/golang/protobuf v1.5.2
+	github.com/google/go-cmp v0.5.9
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
+	github.com/hashicorp/consul/api v1.23.0
 	github.com/hashicorp/go-multierror v1.1.1
+	github.com/hudl/fargo v1.4.0
+	github.com/iancoleman/orderedmap v0.3.0
+	github.com/mitchellh/go-homedir v1.1.0
+	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nacos-group/nacos-sdk-go v1.0.8
 	github.com/nacos-group/nacos-sdk-go/v2 v2.1.2
-	github.com/spf13/cobra v1.2.1
-	github.com/stretchr/testify v1.8.1
+	github.com/pkg/errors v0.9.1
+	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
+	github.com/spf13/cobra v1.6.1
+	github.com/spf13/pflag v1.0.5
+	github.com/spf13/viper v1.8.1
+	github.com/stretchr/testify v1.8.3
 	go.uber.org/atomic v1.9.0
 	google.golang.org/grpc v1.48.0
-	google.golang.org/protobuf v1.28.0
+	google.golang.org/protobuf v1.28.1
+	gopkg.in/yaml.v2 v2.4.0
+	gopkg.in/yaml.v3 v3.0.1
 	istio.io/api v0.0.0-20211122181927-8da52c66ff23
 	istio.io/client-go v1.12.0-rc.1.0.20211118171212-b744b6f111e4
 	istio.io/gogo-genproto v0.0.0-20211115195057-0e34bdd2be67
 	istio.io/istio v0.0.0
 	istio.io/pkg v0.0.0-20211115195056-e379f31ee62a
-	k8s.io/api v0.22.2
-	k8s.io/apimachinery v0.22.2
-	k8s.io/client-go v0.22.2
+	k8s.io/api v0.24.1
+	k8s.io/apimachinery v0.24.1
+	k8s.io/cli-runtime v0.22.2
+	k8s.io/client-go v0.24.1
+	k8s.io/kubectl v0.22.2
 	sigs.k8s.io/controller-runtime v0.10.2
+	sigs.k8s.io/yaml v1.3.0
 )
 
 require (
-	cloud.google.com/go v0.97.0 // indirect
+	cloud.google.com/go v0.98.0 // indirect
 	cloud.google.com/go/logging v1.4.2 // indirect
 	contrib.go.opencensus.io/exporter/prometheus v0.4.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
@@ -53,70 +74,108 @@ require (
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/BurntSushi/toml v0.3.1 // indirect
 	github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.1.1 // indirect
 	github.com/Masterminds/sprig/v3 v3.2.2 // indirect
-	github.com/Microsoft/go-winio v0.5.0 // indirect
-	github.com/Microsoft/hcsshim v0.8.21 // indirect
+	github.com/Masterminds/squirrel v1.5.0 // indirect
+	github.com/Microsoft/go-winio v0.5.2 // indirect
+	github.com/Microsoft/hcsshim v0.9.6 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
+	github.com/RageCage64/multilinediff v0.2.0 // indirect
 	github.com/aliyun/alibaba-cloud-sdk-go v1.61.1704 // indirect
-	github.com/aws/aws-sdk-go v1.41.7 // indirect
+	github.com/armon/go-metrics v0.4.1 // indirect
+	github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
+	github.com/aws/aws-sdk-go v1.43.16 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/bmatcuk/doublestar/v4 v4.6.0 // indirect
+	github.com/braydonk/yaml v0.7.0 // indirect
+	github.com/buger/goterm v1.0.4 // indirect
 	github.com/buger/jsonparser v1.1.1 // indirect
-	github.com/cenkalti/backoff/v4 v4.1.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.1.2 // indirect
 	github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 // indirect
+	github.com/clbanning/mxj v1.8.4 // indirect
+	github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4 // indirect
 	github.com/cncf/xds/go v0.0.0-20220520190051-1e77728a1eaa // indirect
-	github.com/containerd/continuity v0.1.0 // indirect
+	github.com/compose-spec/godotenv v1.1.1 // indirect
+	github.com/containerd/cgroups v1.0.4 // indirect
+	github.com/containerd/console v1.0.3 // indirect
+	github.com/containerd/containerd v1.6.14 // indirect
+	github.com/containerd/continuity v0.3.0 // indirect
+	github.com/containerd/typeurl v1.0.2 // indirect
 	github.com/coreos/go-oidc/v3 v3.1.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.3 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v3 v3.0.0 // indirect
-	github.com/docker/cli v20.10.7+incompatible // indirect
-	github.com/docker/distribution v2.7.1+incompatible // indirect
-	github.com/docker/docker v20.10.7+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.6.3 // indirect
-	github.com/docker/go-units v0.4.0 // indirect
+	github.com/distribution/distribution/v3 v3.0.0-20221201083218-92d136e113cf // indirect
+	github.com/docker/buildx v0.9.1 // indirect
+	github.com/docker/distribution v2.8.1+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.7.0 // indirect
+	github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c // indirect
+	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/docker/go-metrics v0.0.1 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
 	github.com/envoyproxy/protoc-gen-validate v0.1.0 // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
-	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
+	github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8 // indirect
 	github.com/fsnotify/fsnotify v1.5.1 // indirect
-	github.com/fvbommel/sortorder v1.0.1 // indirect
+	github.com/fvbommel/sortorder v1.0.2 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-errors/errors v1.0.1 // indirect
 	github.com/go-kit/log v0.1.0 // indirect
 	github.com/go-logfmt/logfmt v0.5.0 // indirect
-	github.com/go-logr/logr v0.4.0 // indirect
+	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.19.5 // indirect
-	github.com/go-openapi/swag v0.19.14 // indirect
+	github.com/go-openapi/swag v0.19.15 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/goccy/go-json v0.4.8 // indirect
+	github.com/gofrs/flock v0.8.0 // indirect
+	github.com/gogo/googleapis v1.4.1 // indirect
 	github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/mock v1.6.0 // indirect
 	github.com/google/btree v1.0.1 // indirect
-	github.com/google/go-cmp v0.5.8 // indirect
 	github.com/google/go-containerregistry v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/googleapis/gax-go/v2 v2.1.1 // indirect
 	github.com/googleapis/gnostic v0.5.5 // indirect
+	github.com/gorilla/mux v1.8.0 // indirect
+	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
-	github.com/hashicorp/errwrap v1.0.0 // indirect
-	github.com/hashicorp/go-version v1.3.0 // indirect
+	github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-hclog v1.5.0 // indirect
+	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
+	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
+	github.com/hashicorp/go-version v1.6.0 // indirect
 	github.com/hashicorp/golang-lru v0.5.4 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/hashicorp/serf v0.10.1 // indirect
 	github.com/huandu/xstrings v1.3.2 // indirect
-	github.com/imdario/mergo v0.3.12 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/imdario/mergo v0.3.13 // indirect
+	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/jaguilar/vt100 v0.0.0-20150826170717-2703a27b14ea // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/jmoiron/sqlx v1.3.1 // indirect
 	github.com/jonboulle/clockwork v0.2.2 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
+	github.com/klauspost/compress v1.15.9 // indirect
+	github.com/kr/pretty v0.3.0 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
+	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/lestrrat-go/backoff/v2 v2.0.7 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.0 // indirect
 	github.com/lestrrat-go/httpcc v1.0.0 // indirect
@@ -125,77 +184,106 @@ require (
 	github.com/lestrrat-go/option v1.0.0 // indirect
 	github.com/lestrrat/go-file-rotatelogs v0.0.0-20180223000712-d3151e2a480f // indirect
 	github.com/lestrrat/go-strftime v0.0.0-20180220042222-ba3bf9c1d042 // indirect
+	github.com/lib/pq v1.10.0 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
-	github.com/mailru/easyjson v0.7.6 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+	github.com/magiconair/properties v1.8.5 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.17 // indirect
+	github.com/mattn/go-runewidth v0.0.12 // indirect
+	github.com/mattn/go-shellwords v1.0.12 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect
+	github.com/miekg/dns v1.1.43 // indirect
+	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/moby/buildkit v0.10.4 // indirect
+	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
-	github.com/moby/term v0.0.0-20210610120745-9d4ed1856297 // indirect
+	github.com/moby/sys/mount v0.3.0 // indirect
+	github.com/moby/sys/mountinfo v0.6.0 // indirect
+	github.com/moby/sys/signal v0.7.0 // indirect
+	github.com/moby/sys/symlink v0.2.0 // indirect
+	github.com/moby/term v0.0.0-20221128092401-c43b287e0e0f // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
+	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/natefinch/lumberjack v2.0.0+incompatible // indirect
+	github.com/op/go-logging v0.0.0-20160315200505-970db520ece7 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.0.1 // indirect
-	github.com/opencontainers/runc v1.0.2 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc2 // indirect
+	github.com/opencontainers/runc v1.1.3 // indirect
 	github.com/openshift/api v0.0.0-20200713203337-b2494ecb17dd // indirect
+	github.com/opentracing/opentracing-go v1.2.0 // indirect
+	github.com/pelletier/go-toml v1.9.4 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
-	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.12.2 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.32.1 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
 	github.com/prometheus/statsd_exporter v0.21.0 // indirect
-	github.com/russross/blackfriday v1.5.2 // indirect
+	github.com/rivo/uniseg v0.2.0 // indirect
+	github.com/rogpeppe/go-internal v1.6.1 // indirect
+	github.com/rubenv/sql-migrate v0.0.0-20210614095031-55d5740dbbcc // indirect
+	github.com/russross/blackfriday v1.6.0 // indirect
+	github.com/sanathkr/go-yaml v0.0.0-20170819195128-ed9d249f429b // indirect
 	github.com/shopspring/decimal v1.2.0 // indirect
-	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/spaolacci/murmur3 v1.1.0 // indirect
+	github.com/spf13/afero v1.2.2 // indirect
 	github.com/spf13/cast v1.3.1 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/theupdateframework/notary v0.7.0 // indirect
+	github.com/tonistiigi/fsutil v0.0.0-20220930225714-4638ad635be5 // indirect
+	github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea // indirect
 	github.com/toolkits/concurrent v0.0.0-20150624120057-a4371d70e3e3 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca // indirect
 	github.com/yl2chen/cidranger v1.0.2 // indirect
 	go.opencensus.io v0.23.0 // indirect
-	go.opentelemetry.io/proto/otlp v0.7.0 // indirect
+	go.opentelemetry.io/proto/otlp v0.12.0 // indirect
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	go.uber.org/multierr v1.7.0 // indirect
 	go.uber.org/zap v1.21.0 // indirect
-	golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd // indirect
-	golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect
-	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
-	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
-	golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
-	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
-	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/crypto v0.11.0 // indirect
+	golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect
+	golang.org/x/net v0.12.0 // indirect
+	golang.org/x/oauth2 v0.6.0 // indirect
+	golang.org/x/sync v0.2.0 // indirect
+	golang.org/x/sys v0.10.0 // indirect
+	golang.org/x/term v0.10.0 // indirect
+	golang.org/x/text v0.11.0 // indirect
 	golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	gomodules.xyz/jsonpatch/v3 v3.0.1 // indirect
 	gomodules.xyz/orderedmap v0.1.0 // indirect
-	google.golang.org/api v0.59.0 // indirect
+	google.golang.org/api v0.61.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20211020151524-b7c3a969101a // indirect
+	google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21 // indirect
+	gopkg.in/gcfg.v1 v1.2.3 // indirect
+	gopkg.in/gorp.v1 v1.7.2 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.66.2 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.22.2 // indirect
-	k8s.io/cli-runtime v0.22.2 // indirect
-	k8s.io/component-base v0.22.2 // indirect
-	k8s.io/klog/v2 v2.10.0 // indirect
-	k8s.io/kube-openapi v0.0.0-20211020163157-7327e2aaee2b // indirect
-	k8s.io/kubectl v0.22.2 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
+	k8s.io/apiserver v0.22.5 // indirect
+	k8s.io/component-base v0.22.5 // indirect
+	k8s.io/klog/v2 v2.60.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20211109043538-20434351676c // indirect
 	k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect
+	oras.land/oras-go v0.4.0 // indirect
 	sigs.k8s.io/gateway-api v0.4.0 // indirect
 	sigs.k8s.io/kustomize/api v0.8.11 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.11.0 // indirect
 	sigs.k8s.io/mcs-api v0.1.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
-	sigs.k8s.io/yaml v1.3.0 // indirect
 )
 
 replace github.com/dubbogo/gost => github.com/johnlanni/gost v1.11.23-0.20220713132522-0967a24036c6
@@ -209,3 +297,59 @@ replace istio.io/pkg => ./external/pkg
 replace istio.io/client-go => ./external/client-go
 
 replace istio.io/istio => ./external/istio
+
+require (
+	github.com/evanphx/json-patch/v5 v5.6.0
+	github.com/google/yamlfmt v0.10.0
+	github.com/kylelemons/godebug v1.1.0
+	helm.sh/helm/v3 v3.7.1
+	k8s.io/apiextensions-apiserver v0.25.4
+	knative.dev/networking v0.0.0-20220302134042-e8b2eb995165
+	knative.dev/pkg v0.0.0-20220301181942-2fdd5f232e77
+)
+
+replace (
+	github.com/Sirupsen/logrus => github.com/sirupsen/logrus v1.9.3
+	github.com/go-logr/logr => github.com/go-logr/logr v0.4.0
+
+	k8s.io/api => k8s.io/api v0.22.2
+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.22.2
+	k8s.io/apimachinery => k8s.io/apimachinery v0.22.2
+	k8s.io/cli-runtime => k8s.io/cli-runtime v0.22.2
+	k8s.io/client-go => k8s.io/client-go v0.22.2
+	k8s.io/code-generator => k8s.io/code-generator v0.22.2
+	k8s.io/component-base => k8s.io/component-base v0.22.2
+	k8s.io/component-helpers => k8s.io/component-helpers v0.22.2
+	k8s.io/klog/v2 => k8s.io/klog/v2 v2.10.0
+	k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e
+	k8s.io/kubectl => k8s.io/kubectl v0.22.2
+	k8s.io/metrics => k8s.io/metrics v0.22.2
+
+	k8s.io/utils => k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect
+	sigs.k8s.io/kustomize/api => sigs.k8s.io/kustomize/api v0.8.11 // indirect
+	sigs.k8s.io/kustomize/kyaml => sigs.k8s.io/kustomize/kyaml v0.11.0 // indirect
+)
+
+// for pkg/cmd/hgctl/docker/compose.go
+// TODO(WeixinX): Wait for the dependency library to upgrade, such as github.com/go-logr/logr from v0.4.0 to v1.2+
+// replace (
+// github.com/compose-spec/compose-go => github.com/compose-spec/compose-go v1.8.2
+// github.com/cucumber/godog => github.com/laurazard/godog v0.0.0-20220922095256-4c4b17abdae7
+// github.com/docker/buildx => github.com/docker/buildx v0.9.1
+// github.com/docker/cli => github.com/docker/cli v20.10.3-0.20221013132413-1d6c6e2367e2+incompatible
+// github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.15.1
+// github.com/docker/docker => github.com/moby/moby v20.10.3-0.20221021173910-5aac513617f0+incompatible
+// github.com/moby/buildkit => github.com/moby/buildkit v0.10.1-0.20220816171719-55ba9d14360a
+// )
+
+replace (
+	github.com/compose-spec/compose-go => github.com/compose-spec/compose-go v1.0.8
+	github.com/docker/buildx => github.com/docker/buildx v0.5.2-0.20210422185057-908a856079fc
+	github.com/docker/cli => github.com/docker/cli v20.10.7+incompatible
+	github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.2.0
+	github.com/docker/docker => github.com/docker/docker v20.10.3+incompatible
+	github.com/jaguilar/vt100 => github.com/tonistiigi/vt100 v0.0.0-20190402012908-ad4c4a574305
+	github.com/moby/buildkit => github.com/moby/buildkit v0.8.2-0.20210401015549-df49b648c8bf
+	github.com/tonistiigi/fsutil => github.com/tonistiigi/fsutil v0.0.0-20201103201449-0834f99b7b85
+	sigs.k8s.io/gateway-api => github.com/johnlanni/gateway-api v0.0.0-20231031082632-72137664e7c7
+)

helm/base/Chart.yaml

@@ -1,7 +0,0 @@
-apiVersion: v1
-appVersion: 1.12.0
-description: Helm chart for deploying Istio cluster resources and CRDs
-name: base
-sources:
-- http://github.com/alibaba/higress
-version: 1.12.0

helm/base/templates/endpoints.yaml

@@ -1,30 +0,0 @@
-{{- if .Values.global.remotePilotAddress }}
-  {{- if not .Values.global.externalIstiod }}
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: istiod-remote
-  namespace: {{ .Release.Namespace }}
-subsets:
-- addresses:
-  - ip: {{ .Values.global.remotePilotAddress }}
-  ports:
-  - port: 15012
-    name: tcp-istiod
-    protocol: TCP
-  {{- else if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: istiod
-  namespace: {{ .Release.Namespace }}
-subsets:
-- addresses:
-  - ip: {{ .Values.global.remotePilotAddress }}
-  ports:
-  - port: 15012
-    name: tcp-istiod
-    protocol: TCP
-  {{- end }}
----
-{{- end }}

helm/base/templates/services.yaml

@@ -1,37 +0,0 @@
-{{- if .Values.global.remotePilotAddress }}
-  {{- if not .Values.global.externalIstiod }}
-# when istiod is enabled in remote cluster, we can't use istiod service name
-apiVersion: v1
-kind: Service
-metadata:
-  name: istiod-remote
-  namespace: {{ .Release.Namespace }}
-spec:
-  ports:
-  - port: 15012
-    name: tcp-istiod
-    protocol: TCP
-  clusterIP: None
-  {{- else }}
-# when istiod isn't enabled in remote cluster, we can use istiod service name
-apiVersion: v1
-kind: Service
-metadata:
-  name: istiod
-  namespace: {{ .Release.Namespace }}
-spec:
-  ports:
-  - port: 15012
-    name: tcp-istiod
-    protocol: TCP
-  # if the remotePilotAddress is IP addr, we use clusterIP: None.
-  # else, we use externalName
-  {{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
-  clusterIP: None
-  {{- else }}
-  type: ExternalName
-  externalName: {{ .Values.global.remotePilotAddress }}
-  {{- end }}
-  {{- end }}
----
-{{- end }}

helm/core/.helmignore

@@ -0,0 +1 @@
+crds/customresourcedefinitions.gen_lt1.16.yaml

helm/core/Chart.yaml

@@ -1,16 +1,13 @@
 apiVersion: v2
-appVersion: 0.6.1
+appVersion: 1.3.1
 description: Helm chart for deploying higress gateways
 icon: https://higress.io/img/higress_logo_small.png
+home: http://higress.io/
 keywords:
 - higress
 - gateways
-name: higress-local
+name: higress-core
 sources:
 - http://github.com/alibaba/higress
-dependencies:
-- name: higress
-  repository: "file://../../higress"
-  version: 0.6.1
 type: application
-version: 0.6.1
+version: 1.3.1

helm/core/LICENSE

@@ -0,0 +1,407 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+========================================================================
+Higress Subcomponents:
+
+The Higress project contains subcomponents with separate copyright
+notices and license terms. Your use of the source code for the these
+subcomponents is subject to the terms and conditions of the following
+licenses.
+========================================================================
+Apache-2.0 licenses
+========================================================================
+
+    cloud.google.com/go v0.97.0 Apache-2.0
+    cloud.google.com/go/logging v1.4.2 Apache-2.0
+    contrib.go.opencensus.io/exporter/prometheus v0.4.0 Apache-2.0
+    github.com/Azure/go-autorest v14.2.0+incompatible Apache-2.0
+    github.com/Azure/go-autorest/autorest v0.11.20 Apache-2.0
+    github.com/Azure/go-autorest/autorest/adal v0.9.15 Apache-2.0
+    github.com/Azure/go-autorest/autorest/date v0.3.0 Apache-2.0
+    github.com/Azure/go-autorest/logger v0.2.1 Apache-2.0
+    github.com/Azure/go-autorest/tracing v0.6.0 Apache-2.0
+    github.com/Masterminds/goutils v1.1.1 Apache-2.0
+    github.com/aws/aws-sdk-go v1.41.7 Apache-2.0
+    github.com/census-instrumentation/opencensus-proto v0.3.0 Apache-2.0
+    github.com/cncf/xds/go v0.0.0-20220520190051-1e77728a1eaa Apache-2.0
+    github.com/containerd/continuity v0.1.0 Apache-2.0
+    github.com/docker/cli v20.10.7+incompatible Apache-2.0
+    github.com/docker/distribution v0.0.0-20191216044856-a8371794149d Apache-2.0
+    github.com/docker/go-units v0.4.0 Apache-2.0
+    github.com/envoyproxy/protoc-gen-validate v0.1.0 Apache-2.0
+    github.com/go-logr/logr v0.4.0 Apache-2.0
+    github.com/go-openapi/jsonpointer v0.19.5 Apache-2.0
+    github.com/go-openapi/jsonreference v0.19.5 Apache-2.0
+    github.com/go-openapi/swag v0.19.14 Apache-2.0
+    github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da Apache-2.0
+    github.com/google/btree v1.0.1 Apache-2.0
+    github.com/google/go-containerregistry v0.6.0 Apache-2.0
+    github.com/google/gofuzz v1.2.0 Apache-2.0
+    github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 Apache-2.0
+    github.com/googleapis/gnostic v0.5.5 Apache-2.0
+    github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 Apache-2.0
+    github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 Apache-2.0
+    github.com/inconshreveable/mousetrap v1.0.0 Apache-2.0
+    github.com/jmespath/go-jmespath v0.4.0 Apache-2.0
+    github.com/jonboulle/clockwork v0.2.2 Apache-2.0
+    github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 Apache-2.0
+    github.com/moby/moby v17.12.0-ce-rc1.0.20200618181300-9dc6525e6118+incompatible Apache-2.0
+    github.com/moby/spdystream v0.2.0 Apache-2.0
+    github.com/moby/term v0.0.0-20210610120745-9d4ed1856297 Apache-2.0
+    github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd Apache-2.0
+    github.com/modern-go/reflect2 v1.0.1 Apache-2.0
+    github.com/opencontainers/go-digest v1.0.0 Apache-2.0
+    github.com/opencontainers/image-spec v1.0.1 Apache-2.0
+    github.com/opencontainers/runc v1.0.2 Apache-2.0
+    github.com/openshift/api v0.0.0-20200713203337-b2494ecb17dd Apache-2.0
+    github.com/prometheus/client_golang v1.11.0 Apache-2.0
+    github.com/prometheus/client_model v0.2.0 Apache-2.0
+    github.com/prometheus/common v0.32.1 Apache-2.0
+    github.com/prometheus/procfs v0.6.0 Apache-2.0
+    github.com/prometheus/statsd_exporter v0.21.0 Apache-2.0
+    github.com/spf13/cobra v1.2.1 Apache-2.0
+    go.opencensus.io v0.23.0 Apache-2.0
+    go.opentelemetry.io/proto/otlp v0.7.0 Apache-2.0
+    gomodules.xyz/jsonpatch/v2 v2.2.0 Apache-2.0
+    gomodules.xyz/jsonpatch/v3 v3.0.1 Apache-2.0
+    google.golang.org/appengine v1.6.7 Apache-2.0
+    google.golang.org/genproto v0.0.0-20211020151524-b7c3a969101a Apache-2.0
+    google.golang.org/grpc v1.42.0 Apache-2.0
+    gopkg.in/square/go-jose.v2 v2.6.0 Apache-2.0
+    gopkg.in/yaml.v2 v2.4.0 Apache-2.0
+    istio.io/gogo-genproto v0.0.0-20211115195057-0e34bdd2be67 Apache-2.0
+    k8s.io/api v0.22.2 Apache-2.0
+    k8s.io/apiextensions-apiserver v0.22.2 Apache-2.0
+    k8s.io/apimachinery v0.22.2 Apache-2.0
+    k8s.io/cli-runtime v0.22.2 Apache-2.0
+    k8s.io/client-go v0.22.2 Apache-2.0
+    k8s.io/component-base v0.22.2 Apache-2.0
+    k8s.io/klog/v2 v2.10.0 Apache-2.0
+    k8s.io/kube-openapi v0.0.0-20211020163157-7327e2aaee2b Apache-2.0
+    k8s.io/kubectl v0.22.2 Apache-2.0
+    k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b Apache-2.0
+    sigs.k8s.io/controller-runtime v0.10.2 Apache-2.0
+    sigs.k8s.io/gateway-api v0.4.0 Apache-2.0
+    sigs.k8s.io/kustomize/api v0.8.11 Apache-2.0
+    sigs.k8s.io/kustomize/kyaml v0.11.0 Apache-2.0
+    sigs.k8s.io/mcs-api v0.1.0 Apache-2.0
+    sigs.k8s.io/structured-merge-diff/v4 v4.1.2 Apache-2.0
+
+========================================================================
+BSD-2-Clause licenses
+========================================================================
+
+    github.com/pkg/errors v0.9.1 BSD-2-Clause
+    github.com/russross/blackfriday v1.5.2 BSD-2-Clause
+
+========================================================================
+BSD-3-Clause licenses
+========================================================================
+
+    github.com/PuerkitoBio/purell v1.1.1 BSD-3-Clause
+    github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 BSD-3-Clause
+    github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 BSD-3-Clause
+    github.com/evanphx/json-patch v4.11.0+incompatible BSD-3-Clause
+    github.com/evanphx/json-patch/v5 v5.6.0 BSD-3-Clause
+    github.com/fsnotify/fsnotify v1.5.1 BSD-3-Clause
+    github.com/gogo/protobuf v1.3.2 BSD-3-Clause
+    github.com/golang/protobuf v1.5.2 BSD-3-Clause
+    github.com/google/go-cmp v0.5.6 BSD-3-Clause
+    github.com/google/uuid v1.3.0 BSD-3-Clause
+    github.com/googleapis/gax-go/v2 v2.1.1 BSD-3-Clause
+    github.com/imdario/mergo v0.3.5 BSD-3-Clause
+    github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de BSD-3-Clause
+    github.com/pmezard/go-difflib v1.0.0 BSD-3-Clause
+    github.com/spaolacci/murmur3 v1.1.0 BSD-3-Clause
+    github.com/spf13/pflag v1.0.5 BSD-3-Clause
+    go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 BSD-3-Clause
+    golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 BSD-3-Clause
+    golang.org/x/net v0.0.0-20211020060615-d418f374d309 BSD-3-Clause
+    golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1 BSD-3-Clause
+    golang.org/x/sync v0.0.0-20210220032951-036812b2e83c BSD-3-Clause
+    golang.org/x/sys v0.0.0-20211020174200-9d6173849985 BSD-3-Clause
+    golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d BSD-3-Clause
+    golang.org/x/text v0.3.6 BSD-3-Clause
+    golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac BSD-3-Clause
+    golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 BSD-3-Clause
+    google.golang.org/api v0.59.0 BSD-3-Clause
+    google.golang.org/protobuf v1.27.1 BSD-3-Clause
+    gopkg.in/inf.v0 v0.9.1 BSD-3-Clause
+
+========================================================================
+ISC licenses
+========================================================================
+
+    github.com/davecgh/go-spew v1.1.1 ISC
+    github.com/decred/dcrd/dcrec/secp256k1/v3 v3.0.0 ISC
+
+========================================================================
+MIT licenses
+========================================================================
+
+    github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 MIT
+    github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd MIT
+    github.com/Masterminds/semver/v3 v3.1.1 MIT
+    github.com/Masterminds/sprig/v3 v3.2.2 MIT
+    github.com/Microsoft/go-winio v0.5.0 MIT
+    github.com/Microsoft/hcsshim v0.8.21 MIT
+    github.com/beorn7/perks v1.0.1 MIT
+    github.com/cenkalti/backoff/v4 v4.1.1 MIT
+    github.com/cespare/xxhash/v2 v2.1.1 MIT
+    github.com/docker/docker-credential-helpers v0.6.3 MIT
+    github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d MIT
+    github.com/fvbommel/sortorder v1.0.1 MIT
+    github.com/go-errors/errors v1.0.1 MIT
+    github.com/go-kit/log v0.1.0 MIT
+    github.com/go-logfmt/logfmt v0.5.0 MIT
+    github.com/goccy/go-json v0.4.8 MIT
+    github.com/golang-jwt/jwt/v4 v4.0.0 MIT
+    github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 MIT
+    github.com/huandu/xstrings v1.3.2 MIT
+    github.com/josharian/intern v1.0.0 MIT
+    github.com/json-iterator/go v1.1.11 MIT
+    github.com/lestrrat-go/backoff/v2 v2.0.7 MIT
+    github.com/lestrrat-go/blackmagic v1.0.0 MIT
+    github.com/lestrrat-go/httpcc v1.0.0 MIT
+    github.com/lestrrat-go/iter v1.0.1 MIT
+    github.com/lestrrat-go/jwx v1.2.0 MIT
+    github.com/lestrrat-go/option v1.0.0 MIT
+    github.com/mailru/easyjson v0.7.6 MIT
+    github.com/mitchellh/copystructure v1.2.0 MIT
+    github.com/mitchellh/go-wordwrap v1.0.0 MIT
+    github.com/mitchellh/reflectwalk v1.0.2 MIT
+    github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 MIT
+    github.com/natefinch/lumberjack v2.0.0+incompatible MIT
+    github.com/peterbourgon/diskv v2.0.1+incompatible MIT
+    github.com/shopspring/decimal v1.2.0 MIT
+    github.com/sirupsen/logrus v1.8.1 MIT
+    github.com/spf13/cast v1.3.1 MIT
+    github.com/stretchr/testify v1.7.0 MIT
+    github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca MIT
+    github.com/yl2chen/cidranger v1.0.2 MIT
+    go.uber.org/atomic v1.9.0 MIT
+    go.uber.org/multierr v1.7.0 MIT
+    go.uber.org/zap v1.19.1 MIT
+    gomodules.xyz/orderedmap v0.1.0 MIT
+
+========================================================================
+MIT and Apache-2.0 licenses
+========================================================================
+
+    gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b MIT and Apache-2.0
+
+========================================================================
+MIT and BSD-3-Clause licenses
+========================================================================
+
+    github.com/ghodss/yaml v1.0.0 MIT and BSD-3-Clause
+    sigs.k8s.io/yaml v1.3.0 MIT and BSD-3-Clause
+
+========================================================================
+MPL-2.0 licenses
+========================================================================
+
+    github.com/hashicorp/errwrap v1.0.0 MPL-2.0
+    github.com/hashicorp/go-multierror v1.1.1 MPL-2.0
+    github.com/hashicorp/go-version v1.3.0 MPL-2.0
+    github.com/hashicorp/golang-lru v0.5.4 MPL-2.0

helm/core/README.md

@@ -0,0 +1,5 @@
+# Higress Core Helm Chart
+
+Installs the core components of cloud-native gateway [Higress](http://higress.io/)
+
+**Note:** It is highly recommended to install the whole package of Higress. Please visit https://higress.io/docs/user/quickstart/ for details.

helm/core/crds/customresourcedefinitions.gen.yaml

@@ -35,6 +35,8 @@ spec:
               defaultConfig:
                 type: object
                 x-kubernetes-preserve-unknown-fields: true
+              defaultConfigDisable:
+                type: boolean
               imagePullPolicy:
                 description: The pull behaviour to be applied when fetching an OCI
                   image.
@@ -52,6 +54,8 @@ spec:
                     config:
                       type: object
                       x-kubernetes-preserve-unknown-fields: true
+                    configDisable:
+                      type: boolean
                     domain:
                       items:
                         type: string
@@ -100,6 +104,88 @@ spec:
     subresources:
       status: {}
 
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  name: http2rpcs.networking.higress.io
+spec:
+  group: networking.higress.io
+  names:
+    categories:
+    - higress-io
+    kind: Http2Rpc
+    listKind: Http2RpcList
+    plural: http2rpcs
+    singular: http2rpc
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            oneOf:
+            - not:
+                anyOf:
+                - required:
+                  - dubbo
+                - required:
+                  - grpc
+            - required:
+              - dubbo
+            - required:
+              - grpc
+            properties:
+              dubbo:
+                properties:
+                  group:
+                    type: string
+                  methods:
+                    items:
+                      properties:
+                        headersAttach:
+                          type: string
+                        httpMethods:
+                          items:
+                            type: string
+                          type: array
+                        httpPath:
+                          type: string
+                        params:
+                          items:
+                            properties:
+                              paramKey:
+                                type: string
+                              paramSource:
+                                type: string
+                              paramType:
+                                type: string
+                            type: object
+                          type: array
+                        serviceMethod:
+                          type: string
+                      type: object
+                    type: array
+                  service:
+                    type: string
+                  version:
+                    type: string
+                type: object
+              grpc:
+                type: object
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
@@ -127,8 +213,17 @@ spec:
               registries:
                 items:
                   properties:
+                    authSecretName:
+                      type: string
+                    consulDatacenter:
+                      type: string
                     consulNamespace:
                       type: string
+                    consulRefreshInterval:
+                      format: int64
+                      type: integer
+                    consulServiceTag:
+                      type: string
                     domain:
                       type: string
                     nacosAccessKey:

helm/core/crds/customresourcedefinitions.gen_lt1.16.yaml

@@ -0,0 +1,176 @@
+# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  name: wasmplugins.extensions.higress.io
+spec:
+  group: extensions.higress.io
+  names:
+    categories:
+    - higress-io
+    - extensions-higress-io
+    kind: WasmPlugin
+    listKind: WasmPluginList
+    plural: wasmplugins
+    singular: wasmplugin
+  scope: Namespaced
+  additionalPrinterColumns:
+  - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+    JSONPath: .metadata.creationTimestamp
+    name: Age
+    type: date
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+  version: v1alpha1
+  validation:
+    openAPIV3Schema:
+      properties:
+        spec:
+          properties:
+            defaultConfig:
+              type: object
+              x-kubernetes-preserve-unknown-fields: true
+            defaultConfigDisable:
+              type: boolean
+            imagePullPolicy:
+              description: The pull behaviour to be applied when fetching an OCI
+                image.
+              enum:
+              - UNSPECIFIED_POLICY
+              - IfNotPresent
+              - Always
+              type: string
+            imagePullSecret:
+              description: Credentials to use for OCI image pulling.
+              type: string
+            matchRules:
+              items:
+                properties:
+                  config:
+                    type: object
+                    x-kubernetes-preserve-unknown-fields: true
+                  configDisable:
+                    type: boolean
+                  domain:
+                    items:
+                      type: string
+                    type: array
+                  ingress:
+                    items:
+                      type: string
+                    type: array
+                type: object
+              type: array
+            phase:
+              description: Determines where in the filter chain this `WasmPlugin`
+                is to be injected.
+              enum:
+              - UNSPECIFIED_PHASE
+              - AUTHN
+              - AUTHZ
+              - STATS
+              type: string
+            pluginConfig:
+              description: The configuration that will be passed on to the plugin.
+              type: object
+              x-kubernetes-preserve-unknown-fields: true
+            pluginName:
+              type: string
+            priority:
+              description: Determines ordering of `WasmPlugins` in the same `phase`.
+              nullable: true
+              type: integer
+            sha256:
+              description: SHA256 checksum that will be used to verify Wasm module
+                or OCI container.
+              type: string
+            url:
+              description: URL of a Wasm module or OCI container.
+              type: string
+            verificationKey:
+              type: string
+          type: object
+        status:
+          type: object
+          x-kubernetes-preserve-unknown-fields: true
+      type: object
+  subresources:
+    status: {}
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  name: mcpbridges.networking.higress.io
+spec:
+  group: networking.higress.io
+  names:
+    categories:
+    - higress-io
+    kind: McpBridge
+    listKind: McpBridgeList
+    plural: mcpbridges
+    singular: mcpbridge
+  scope: Namespaced
+  versions:
+  - name: v1
+    served: true
+    storage: true
+  version: v1
+  validation:
+    openAPIV3Schema:
+      properties:
+        spec:
+          properties:
+            registries:
+              items:
+                properties:
+                  consulNamespace:
+                    type: string
+                  domain:
+                    type: string
+                  nacosAccessKey:
+                    type: string
+                  nacosAddressServer:
+                    type: string
+                  nacosGroups:
+                    items:
+                      type: string
+                    type: array
+                  nacosNamespace:
+                    type: string
+                  nacosNamespaceId:
+                    type: string
+                  nacosRefreshInterval:
+                    format: int64
+                    type: integer
+                  nacosSecretKey:
+                    type: string
+                  name:
+                    type: string
+                  port:
+                    type: integer
+                  type:
+                    type: string
+                  zkServicesPath:
+                    items:
+                      type: string
+                    type: array
+                type: object
+              type: array
+          type: object
+          type: object
+          x-kubernetes-preserve-unknown-fields: true
+      type: object
+  subresources:
+    status: {}
+---

helm/core/templates/_helpers.tpl

@@ -86,4 +86,18 @@ higress: {{ include "controller.name" . }}
 {{- else }}
 {{- .Values.controller.serviceAccount.name | default "default" }}
 {{- end }}
-{{- end }}
+{{- end }}
+
+{{- define "controller.jwtPolicy" -}}
+{{- if semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion }}
+{{- .Values.global.jwtPolicy | default "third-party-jwt" }}
+{{- else }}
+{{- print "first-party-jwt" }}
+{{- end }}
+{{- end }}
+
+{{- define "skywalking.enabled" -}}
+{{- if and .Values.skywalking.enabled .Values.skywalking.service.address }}
+true
+{{- end }}
+{{- end }}

helm/core/templates/configmap.yaml

@@ -4,6 +4,7 @@
     trustDomain: "cluster.local"
     accessLogEncoding: TEXT
     accessLogFile: "/dev/stdout"
+    ingressControllerMode: "OFF"
     accessLogFormat: '{"authority":"%REQ(:AUTHORITY)%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","duration":"%DURATION%","istio_policy_status":"%DYNAMIC_METADATA(istio.mixer:status)%","method":"%REQ(:METHOD)%","path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","request_id":"%REQ(X-REQUEST-ID)%","requested_server_name":"%REQUESTED_SERVER_NAME%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","route_name":"%ROUTE_NAME%","start_time":"%START_TIME%","trace_id":"%REQ(X-B3-TRACEID)%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_host":"%UPSTREAM_HOST%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","user_agent":"%REQ(USER-AGENT)%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%"}
 
     '
@@ -15,7 +16,7 @@
     # When processing a leaf namespace Istio will search for declarations in that namespace first
     # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
     # is processed as if it were declared in the leaf namespace.
-    {{- if .Values.global.enableMesh }}
+    {{- if .Values.global.enableHigressIstio }}
     rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
     {{- else }}
     rootNamespace: {{ .Release.Namespace }}
@@ -23,8 +24,14 @@
 
     configSources:
       - address: "xds://127.0.0.1:15051"
+    {{- if or .Values.global.enableIstioAPI .Values.global.enableGatewayAPI }}
+      - address: "k8s://"
+    {{- end }}
 
     defaultConfig:
+      {{- if .Values.global.disableAlpnH2 }}
+      disableAlpnH2: true
+      {{- end }}
       {{- if .Values.global.meshID }}
       meshId: {{ .Values.global.meshID }}
       {{- end }}
@@ -74,7 +81,7 @@
       discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
       {{- end }}
       {{- else }}
-      {{- if .Values.global.enableMesh }}
+      {{- if .Values.global.enableHigressIstio }}
       discoveryAddress: {{ printf "istiod.%s.svc" .Values.global.istioNamespace }}:15012
       {{- else }}
       discoveryAddress: higress-controller.{{.Release.Namespace}}.svc:15012
@@ -115,4 +122,63 @@ data:
 {{- include "mesh" . }}
 {{- end }}
 ---
-
+{{- if include "skywalking.enabled" . }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: higress-custom-bootstrap
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "gateway.labels" . | nindent 4 }}
+data:
+  custom_bootstrap.json: |-
+    {
+      "stats_sinks": [
+        {
+          "name": "envoy.metrics_service",
+          "typed_config": {
+            "@type": "type.googleapis.com/envoy.config.metrics.v3.MetricsServiceConfig",
+            "transport_api_version": "V3",
+            "grpc_service": {
+              "envoy_grpc": {
+                "cluster_name": "service_skywalking"
+              }
+            }
+          }
+        }
+      ],
+      "static_resources": {
+        "clusters": [
+          {
+            "name": "service_skywalking",
+            "type": "LOGICAL_DNS",
+            "connect_timeout": "5s",
+            "http2_protocol_options": {
+            },
+            "dns_lookup_family": "V4_ONLY",
+            "lb_policy": "ROUND_ROBIN",
+            "load_assignment": {
+              "cluster_name": "service_skywalking",
+              "endpoints": [
+                {
+                  "lb_endpoints": [
+                    {
+                      "endpoint": {
+                        "address": {
+                          "socket_address": {
+                            "address": "{{ .Values.skywalking.service.address }}",
+                            "port_value": "{{ .Values.skywalking.service.port }}"
+                          }
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          }
+        ]
+      }
+    }
+---
+{{- end }}

helm/core/templates/controller-clusterrole.yaml

@@ -46,6 +46,10 @@ rules:
     resources: ["wasmplugins"]
     verbs: ["get", "list", "watch"]
 
+  - apiGroups: ["networking.higress.io"]
+    resources: ["http2rpcs"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+
   - apiGroups: [""]
     resources: ["services"]
     verbs: ["get", "watch", "list", "update", "patch", "create", "delete"]
@@ -106,3 +110,17 @@ rules:
   - apiGroups: ["admissionregistration.k8s.io"]
     resources: ["validatingwebhookconfigurations"]
     verbs: ["get", "list", "watch", "update"]
+
+  # istio configuration
+  # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+  # please proceed with caution
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["get", "watch", "list"]
+    resources: ["*"]
+  # knative KIngress configuration
+  - apiGroups: ["networking.internal.knative.dev"]
+    verbs: ["get","list","watch"]
+    resources: ["ingresses"]
+  - apiGroups: ["networking.internal.knative.dev"]
+    resources: ["ingresses/status"]
+    verbs: ["get","patch","update"]

helm/core/templates/controller-deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "controller.name" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "controller.labels" . | nindent 4 }}
 spec:
@@ -28,12 +29,12 @@ spec:
       securityContext:
         {{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
       containers:
-{{- if not .Values.global.enableMesh }}
+{{- if not .Values.global.enableHigressIstio }}
         - name: discovery
 {{- if contains "/" .Values.pilot.image }}
           image: "{{ .Values.pilot.image }}"
 {{- else }}
-          image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}"
+          image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Chart.AppVersion }}"
 {{- end }}
 {{- if .Values.global.imagePullPolicy }}
           imagePullPolicy: {{ .Values.global.imagePullPolicy }}
@@ -73,6 +74,8 @@ spec:
             periodSeconds: 3
             timeoutSeconds: 5
           env:
+          - name: PILOT_FILTER_GATEWAY_CLUSTER_CONFIG
+            value: "{{ .Values.global.onlyPushRouteCluster }}"
           - name: HIGRESS_CONTROLLER_SVC
             value: "127.0.0.1"
           - name: HIGRESS_CONTROLLER_PORT
@@ -80,7 +83,7 @@ spec:
           - name: REVISION
             value: "{{ .Values.revision | default `default` }}"
           - name: JWT_POLICY
-            value: {{ .Values.global.jwtPolicy }}
+            value: {{ include "controller.jwtPolicy" . }}
           - name: PILOT_CERT_PROVIDER
             value: "istiod"
           - name: POD_NAME
@@ -100,6 +103,10 @@ spec:
                 fieldPath: spec.serviceAccountName
           - name: KUBECONFIG
             value: /var/run/secrets/remote/config
+          - name: PRIORITIZED_LEADER_ELECTION
+            value: "false"
+          - name: INJECT_ENABLED
+            value: "false"
           {{- if .Values.pilot.env }}
           {{- range $key, $val := .Values.pilot.env }}
           - name: {{ $key }}
@@ -120,11 +127,24 @@ spec:
             value: "{{ .Values.global.istiod.enableAnalysis }}"
           - name: CLUSTER_ID
             value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
-          {{- if not .Values.global.enableMesh }}
+          # HIGRESS_ENABLE_ISTIO_API is only used to restart the controller pod after the config change
+          {{- if .Values.global.enableIstioAPI }}
+          - name: HIGRESS_ENABLE_ISTIO_API
+            value: "true"
+          {{- end }}
+          {{- if .Values.global.enableGatewayAPI }}
+          - name: PILOT_ENABLE_GATEWAY_API
+            value: "true"
+          - name: PILOT_ENABLE_GATEWAY_API_STATUS
+            value: "true"
+          - name: PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER
+            value: "false"
+          {{- end }}
+          {{- if not .Values.global.enableHigressIstio }}
           - name: CUSTOM_CA_CERT_NAME
             value: "higress-ca-root-cert"
           {{- end }}
-          {{- if not .Values.global.kind  }}
+          {{- if not (or .Values.global.local .Values.global.kind) }}
           resources:
 {{- if .Values.pilot.resources }}
 {{ toYaml .Values.pilot.resources | trim | indent 12 }}
@@ -143,7 +163,7 @@ spec:
           volumeMounts:
           - name: config
             mountPath: /etc/istio/config
-          {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+          {{- if eq (include "controller.jwtPolicy" .) "third-party-jwt" }}
           - name: istio-token
             mountPath: /var/run/secrets/tokens
             readOnly: true
@@ -169,12 +189,12 @@ spec:
           - "serve"
           - --gatewaySelectorKey=higress
           - --gatewaySelectorValue={{ .Release.Namespace }}-{{ include "gateway.name" . }}
-          {{- if not .Values.enableStatus }}
-          - --enableStatus={{ .Values.enableStatus }}
+          {{- if not .Values.global.enableStatus }}
+          - --enableStatus={{ .Values.global.enableStatus }}
           {{- end }}
-          - --ingressClass={{ .Values.ingressClass }}
-          {{- if .Values.watchNamespace }}
-          - --watchNamespace={{ .Values.watchNamespace }}
+          - --ingressClass={{ .Values.global.ingressClass }}
+          {{- if .Values.global.watchNamespace }}
+          - --watchNamespace={{ .Values.global.watchNamespace }}
           {{- end }}
           env:
           - name: POD_NAME
@@ -192,6 +212,8 @@ spec:
               fieldRef:
                 apiVersion: v1
                 fieldPath: spec.serviceAccountName
+          - name: DOMAIN_SUFFIX
+            value: {{ .Values.global.proxy.clusterDomain }}
           {{- if .Values.controller.env }}
           {{- range $key, $val := .Values.controller.env }}
           - name: {{ $key }}
@@ -206,7 +228,7 @@ spec:
             {{- end }}
           readinessProbe:
             {{- toYaml .Values.controller.probe | nindent 12 }}
-          {{- if not .Values.global.kind  }}
+          {{- if not (or .Values.global.local .Values.global.kind) }}
           resources:
             {{- toYaml .Values.controller.resources | nindent 12 }}
           {{- end }}
@@ -228,7 +250,7 @@ spec:
       volumes:
       - name: log
         emptyDir: {}
-      {{- if not .Values.global.enableMesh }}
+      {{- if not .Values.global.enableHigressIstio }}
       - name: config
         configMap:
           name: higress-config
@@ -237,7 +259,7 @@ spec:
       - emptyDir:
           medium: Memory
         name: local-certs
-      {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+      {{- if eq (include "controller.jwtPolicy" .) "third-party-jwt" }}
       - name: istio-token
         projected:
           sources:
@@ -245,6 +267,7 @@ spec:
                 audience: {{ .Values.global.sds.token.aud }}
                 expirationSeconds: 43200
                 path: istio-token
+      {{- end }}
       # Optional: user-generated root
       - name: cacerts
         secret:
@@ -260,4 +283,3 @@ spec:
           name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
   {{- end }}
       {{- end }}
-      {{- end }}

helm/core/templates/controller-service.yaml

@@ -2,13 +2,14 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "controller.name" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "controller.labels" . | nindent 4 }}
 spec:
   type: {{ .Values.controller.service.type }}
   ports:
     {{- toYaml .Values.controller.ports | nindent 4 }}
-    {{- if not .Values.global.enableMesh }}
+    {{- if not .Values.global.enableHigressIstio }}
     - port: 15010
       name: grpc-xds # plaintext
       protocol: TCP

helm/core/templates/deployment.yaml

@@ -1,3 +1,13 @@
+{{- $unprivilegedPortSupported := true }}
+{{- range $index, $node := (lookup "v1" "Node" "default" "").items }}
+    {{- $kernelVersion := $node.status.nodeInfo.kernelVersion }}
+    {{- if $kernelVersion }}
+      {{- $kernelVersion = regexFind "^(\\d+\\.\\d+\\.\\d+)" $kernelVersion }}
+      {{- if and $kernelVersion (semverCompare "<4.11.0" $kernelVersion) }}
+      {{-   $unprivilegedPortSupported = false }}
+      {{- end }}
+    {{- end }}
+{{- end -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -9,7 +19,7 @@ metadata:
     {{- .Values.gateway.annotations | toYaml | nindent 4 }}
 spec:
   {{- if not .Values.gateway.autoscaling.enabled }}
-  {{- if not .Values.global.kind }}
+  {{- if not (or .Values.global.local .Values.global.kind) }}
   replicas: {{ .Values.gateway.replicas }}
   {{- else }}
   replicas: 1
@@ -21,7 +31,7 @@ spec:
   strategy:
     rollingUpdate:
       maxSurge: {{ .Values.gateway.rollingMaxSurge }}
-      {{- if .Values.global.kind }}
+      {{- if or .Values.global.local .Values.global.kind }}
       maxUnavailable: 100%
       {{- else }}
       maxUnavailable: {{ .Values.gateway.rollingMaxUnavailable }}
@@ -29,8 +39,8 @@ spec:
   template:
     metadata:
       annotations:
-      {{- if .Values.global.enableMesh }}
-        "enableMesh": "true"
+      {{- if .Values.global.enableHigressIstio }}
+        "enableHigressIstio": "true"
       {{- end }}
       {{- if .Values.gateway.podAnnotations }}
         {{- toYaml .Values.gateway.podAnnotations | nindent 8 }}
@@ -50,7 +60,7 @@ spec:
       securityContext:
       {{- if .Values.gateway.securityContext }}
         {{- toYaml .Values.gateway.securityContext | nindent 8 }}
-      {{- else if and (not .Values.gateway.hostNetwork) (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }}
+      {{- else if and $unprivilegedPortSupported (and (not .Values.gateway.hostNetwork) (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion)) }}
         # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
         sysctls:
         - name: net.ipv4.ip_unprivileged_port_start
@@ -71,7 +81,7 @@ spec:
           securityContext:
           {{- if .Values.gateway.containerSecurityContext }}
             {{- toYaml .Values.gateway.containerSecurityContext | nindent 12 }}
-          {{- else if and (not .Values.gateway.hostNetwork) (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }}
+          {{- else if and $unprivilegedPortSupported (and (not .Values.gateway.hostNetwork) (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion)) }}
             # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
             capabilities:
               drop:
@@ -124,18 +134,24 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: spec.serviceAccountName
+          - name: PILOT_XDS_SEND_TIMEOUT
+            value: 60s
           - name: PROXY_XDS_VIA_AGENT
             value: "true"
           - name: ENABLE_INGRESS_GATEWAY_SDS
             value: "false"
           - name: JWT_POLICY
-            value: {{ .Values.global.jwtPolicy }}
+            value: {{ include "controller.jwtPolicy" . }}
           - name: ISTIO_META_HTTP10
             value: "1"
           - name: ISTIO_META_CLUSTER_ID
             value: "{{ $.Values.clusterName | default `Kubernetes` }}"
           - name: INSTANCE_NAME
             value: "higress-gateway"
+          {{- if include "skywalking.enabled" . }}
+          - name: ISTIO_BOOTSTRAP_OVERRIDE
+            value: /etc/istio/custom-bootstrap/custom_bootstrap.json
+          {{- end }}
           {{- with .Values.gateway.networkGateway }}
           - name: ISTIO_META_REQUESTED_NETWORK_VIEW
             value: "{{.}}"
@@ -148,7 +164,7 @@ spec:
           - containerPort: 15090
             protocol: TCP
             name: http-envoy-prom
-          {{- if .Values.global.kind }}
+          {{- if or .Values.global.local .Values.global.kind }}
           - containerPort: 80
             hostPort: 80
             name: http
@@ -168,12 +184,12 @@ spec:
             periodSeconds: 2
             successThreshold: 1
             timeoutSeconds: 3
-          {{- if not .Values.global.kind  }}
+          {{- if not (or .Values.global.local .Values.global.kind) }}
           resources:
             {{- toYaml .Values.gateway.resources | nindent 12 }}
           {{- end }}
           volumeMounts:
-          {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+          {{- if eq (include "controller.jwtPolicy" .) "third-party-jwt" }}
           - name: istio-token
             mountPath: /var/run/secrets/tokens
             readOnly: true
@@ -188,6 +204,14 @@ spec:
             mountPath: /etc/istio/pod
           - name: proxy-socket
             mountPath: /etc/istio/proxy
+          {{- if include "skywalking.enabled" . }}
+          - mountPath: /etc/istio/custom-bootstrap
+            name: custom-bootstrap-volume
+          {{- end }}
+          {{- if .Values.global.volumeWasmPlugins }}
+          - mountPath: /opt/plugins
+            name: local-wasmplugins-volume
+          {{- end }}
       {{- if .Values.gateway.hostNetwork }}
       hostNetwork: {{ .Values.gateway.hostNetwork }}
       dnsPolicy: ClusterFirstWithHostNet
@@ -205,7 +229,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       volumes:
-      {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+      {{- if eq (include "controller.jwtPolicy" .) "third-party-jwt" }}
       - name: istio-token
         projected:
           sources:
@@ -216,7 +240,7 @@ spec:
       {{- end }}
       - name: istio-ca-root-cert
         configMap:
-      {{- if .Values.global.enableMesh }}
+      {{- if .Values.global.enableHigressIstio }}
           name: istio-ca-root-cert
       {{- else }}
           name: higress-ca-root-cert
@@ -224,7 +248,13 @@ spec:
       - name: config
         configMap:
           name: higress-config
-      - name: istio-data          
+      {{- if include "skywalking.enabled" . }}
+      - configMap:
+          defaultMode: 420
+          name: higress-custom-bootstrap
+        name: custom-bootstrap-volume
+      {{- end }}
+      - name: istio-data
         emptyDir: {}
       - name: proxy-socket
         emptyDir: {}
@@ -250,3 +280,9 @@ spec:
               containerName: higress-gateway
               divisor: 1m
               resource: limits.cpu
+      {{- if .Values.global.volumeWasmPlugins }}
+      - name: local-wasmplugins-volume
+        hostPath:
+          path: /opt/plugins
+          type: Directory
+      {{- end }}

helm/core/values.yaml

@@ -1,9 +1,26 @@
+revision: ""
 global:
+  onlyPushRouteCluster: true
+  # IngressClass filters which ingress resources the higress controller watches.
+  # The default ingress class is higress.
+  # There are some special cases for special ingress class.
+  # 1. When the ingress class is set as nginx, the higress controller will watch ingress
+  # resources with the nginx ingress class or without any ingress class.
+  # 2. When the ingress class is set empty, the higress controller will watch all ingress
+  # resources in the k8s cluster.
+  ingressClass: "higress"
+  watchNamespace: ""
+  disableAlpnH2: true
+  enableStatus: true
   # whether to use autoscaling/v2 template for HPA settings
   # for internal usage only, not to be configured by users.
   autoscalingv2API: true
-  kind: false
-  enableMesh: false
+  local: false # When deploying to a local cluster (e.g.: kind cluster), set this to true.
+  kind: false # Deprecated. Please use "global.local" instead. Will be removed later.
+  enableIstioAPI: false
+  enableGatewayAPI: false
+  # Deprecated
+  enableHigressIstio: false
   # Used to locate istiod.
   istioNamespace: istio-system
   # enable pod disruption budget for the control plane, which is used to
@@ -29,8 +46,6 @@ global:
   # Releases are published to docker hub under 'istio' project.
   # Dev builds from prow are on gcr.io
   hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
-  # Default tag for Istio images.
-  tag: 0.6.1
 
   # Specify image pull policy if default behavior isn't desired.
   # Default behavior: latest images will be Always else IfNotPresent.
@@ -319,16 +334,6 @@ global:
   caName: ""
 hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
 
-# IngressClass filters which ingress resources the higress controller watches.
-# The default ingress class is higress.
-# There are some special cases for special ingress class.
-# 1. When the ingress class is set as nginx, the higress controller will watch ingress
-# resources with the nginx ingress class or without any ingress class.
-# 2. When the ingress class is set empty, the higress controller will watch all ingress
-# resources in the k8s cluster.
-ingressClass: "higress"
-watchNamespace: ""
-enableStatus: true
 clusterName: ""
 # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
 # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
@@ -364,7 +369,7 @@ gateway:
   name: "higress-gateway"
   replicas: 2
   image: gateway
-  tag: "0.6.1"
+  tag: ""
   # revision declares which revision this gateway is a part of
   revision: ""
 
@@ -409,10 +414,6 @@ gateway:
     # Type of service. Set to "None" to disable the service entirely
     type: LoadBalancer
     ports:
-    - name: status-port
-      port: 15021
-      protocol: TCP
-      targetPort: 15021
     - name: http2
       port: 80
       protocol: TCP
@@ -456,7 +457,7 @@ controller:
   name: "higress-controller"
   replicas: 1
   image: higress
-  tag: "0.6.1"
+  tag: ""
   env: {}
 
   labels: {}
@@ -546,7 +547,7 @@ pilot:
   rollingMaxUnavailable: 25%
 
   hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
-  tag: 0.6.1
+  tag: ""
 
   # Can be a full hub/image:tag
   image: pilot
@@ -559,7 +560,7 @@ pilot:
       memory: 2048Mi
 
   env:
-    PILOT_SCOPE_GATEWAY_TO_NAMESPACE: "true"
+    PILOT_SCOPE_GATEWAY_TO_NAMESPACE: "false"
     PILOT_ENABLE_METADATA_EXCHANGE: "false"
     PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY: "false"
     VALIDATION_ENABLED: "false"
@@ -582,7 +583,7 @@ pilot:
   jwksResolverExtraRootCA: ""
 
   # This is used to set the source of configuration for
-  # the associated address in configSource, if nothing is specificed
+  # the associated address in configSource, if nothing is specified
   # the default MCP is assumed.
   configSource:
     subscribedResources: []
@@ -606,3 +607,11 @@ pilot:
 
   # Additional labels to apply on the pod level for monitoring and logging configuration.
   podLabels: {}
+
+
+# Skywalking config settings
+skywalking:
+  enabled: false
+  service:
+    address: ~
+    port: 11800

helm/higress/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: higress-core
+  repository: file://../core
+  version: 1.3.1
+- name: higress-console
+  repository: https://higress.io/helm-charts/
+  version: 1.3.1
+digest: sha256:980abd3f62b107970555051be7e57dd8d8b69821fe163daa9f3c84521881a05b
+generated: "2023-11-16T11:09:23.463473+08:00"

helm/higress/Chart.yaml

@@ -1,12 +1,20 @@
 apiVersion: v2
-appVersion: 0.6.1
-description: Helm chart for deploying higress gateways
+appVersion: 1.3.1
+description: Helm chart for deploying Higress gateways
 icon: https://higress.io/img/higress_logo_small.png
+home: http://higress.io/
 keywords:
 - higress
 - gateways
 name: higress
 sources:
 - http://github.com/alibaba/higress
+dependencies:
+- name: higress-core
+  repository: "file://../core"
+  version: 1.3.1
+- name: higress-console
+  repository: "https://higress.io/helm-charts/"
+  version: 1.3.1
 type: application
-version: 0.6.1
+version: 1.3.1

helm/higress/LICENSE

@@ -0,0 +1,407 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+========================================================================
+Higress Subcomponents:
+
+The Higress project contains subcomponents with separate copyright
+notices and license terms. Your use of the source code for the these
+subcomponents is subject to the terms and conditions of the following
+licenses.
+========================================================================
+Apache-2.0 licenses
+========================================================================
+
+    cloud.google.com/go v0.97.0 Apache-2.0
+    cloud.google.com/go/logging v1.4.2 Apache-2.0
+    contrib.go.opencensus.io/exporter/prometheus v0.4.0 Apache-2.0
+    github.com/Azure/go-autorest v14.2.0+incompatible Apache-2.0
+    github.com/Azure/go-autorest/autorest v0.11.20 Apache-2.0
+    github.com/Azure/go-autorest/autorest/adal v0.9.15 Apache-2.0
+    github.com/Azure/go-autorest/autorest/date v0.3.0 Apache-2.0
+    github.com/Azure/go-autorest/logger v0.2.1 Apache-2.0
+    github.com/Azure/go-autorest/tracing v0.6.0 Apache-2.0
+    github.com/Masterminds/goutils v1.1.1 Apache-2.0
+    github.com/aws/aws-sdk-go v1.41.7 Apache-2.0
+    github.com/census-instrumentation/opencensus-proto v0.3.0 Apache-2.0
+    github.com/cncf/xds/go v0.0.0-20220520190051-1e77728a1eaa Apache-2.0
+    github.com/containerd/continuity v0.1.0 Apache-2.0
+    github.com/docker/cli v20.10.7+incompatible Apache-2.0
+    github.com/docker/distribution v0.0.0-20191216044856-a8371794149d Apache-2.0
+    github.com/docker/go-units v0.4.0 Apache-2.0
+    github.com/envoyproxy/protoc-gen-validate v0.1.0 Apache-2.0
+    github.com/go-logr/logr v0.4.0 Apache-2.0
+    github.com/go-openapi/jsonpointer v0.19.5 Apache-2.0
+    github.com/go-openapi/jsonreference v0.19.5 Apache-2.0
+    github.com/go-openapi/swag v0.19.14 Apache-2.0
+    github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da Apache-2.0
+    github.com/google/btree v1.0.1 Apache-2.0
+    github.com/google/go-containerregistry v0.6.0 Apache-2.0
+    github.com/google/gofuzz v1.2.0 Apache-2.0
+    github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 Apache-2.0
+    github.com/googleapis/gnostic v0.5.5 Apache-2.0
+    github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 Apache-2.0
+    github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 Apache-2.0
+    github.com/inconshreveable/mousetrap v1.0.0 Apache-2.0
+    github.com/jmespath/go-jmespath v0.4.0 Apache-2.0
+    github.com/jonboulle/clockwork v0.2.2 Apache-2.0
+    github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 Apache-2.0
+    github.com/moby/moby v17.12.0-ce-rc1.0.20200618181300-9dc6525e6118+incompatible Apache-2.0
+    github.com/moby/spdystream v0.2.0 Apache-2.0
+    github.com/moby/term v0.0.0-20210610120745-9d4ed1856297 Apache-2.0
+    github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd Apache-2.0
+    github.com/modern-go/reflect2 v1.0.1 Apache-2.0
+    github.com/opencontainers/go-digest v1.0.0 Apache-2.0
+    github.com/opencontainers/image-spec v1.0.1 Apache-2.0
+    github.com/opencontainers/runc v1.0.2 Apache-2.0
+    github.com/openshift/api v0.0.0-20200713203337-b2494ecb17dd Apache-2.0
+    github.com/prometheus/client_golang v1.11.0 Apache-2.0
+    github.com/prometheus/client_model v0.2.0 Apache-2.0
+    github.com/prometheus/common v0.32.1 Apache-2.0
+    github.com/prometheus/procfs v0.6.0 Apache-2.0
+    github.com/prometheus/statsd_exporter v0.21.0 Apache-2.0
+    github.com/spf13/cobra v1.2.1 Apache-2.0
+    go.opencensus.io v0.23.0 Apache-2.0
+    go.opentelemetry.io/proto/otlp v0.7.0 Apache-2.0
+    gomodules.xyz/jsonpatch/v2 v2.2.0 Apache-2.0
+    gomodules.xyz/jsonpatch/v3 v3.0.1 Apache-2.0
+    google.golang.org/appengine v1.6.7 Apache-2.0
+    google.golang.org/genproto v0.0.0-20211020151524-b7c3a969101a Apache-2.0
+    google.golang.org/grpc v1.42.0 Apache-2.0
+    gopkg.in/square/go-jose.v2 v2.6.0 Apache-2.0
+    gopkg.in/yaml.v2 v2.4.0 Apache-2.0
+    istio.io/gogo-genproto v0.0.0-20211115195057-0e34bdd2be67 Apache-2.0
+    k8s.io/api v0.22.2 Apache-2.0
+    k8s.io/apiextensions-apiserver v0.22.2 Apache-2.0
+    k8s.io/apimachinery v0.22.2 Apache-2.0
+    k8s.io/cli-runtime v0.22.2 Apache-2.0
+    k8s.io/client-go v0.22.2 Apache-2.0
+    k8s.io/component-base v0.22.2 Apache-2.0
+    k8s.io/klog/v2 v2.10.0 Apache-2.0
+    k8s.io/kube-openapi v0.0.0-20211020163157-7327e2aaee2b Apache-2.0
+    k8s.io/kubectl v0.22.2 Apache-2.0
+    k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b Apache-2.0
+    sigs.k8s.io/controller-runtime v0.10.2 Apache-2.0
+    sigs.k8s.io/gateway-api v0.4.0 Apache-2.0
+    sigs.k8s.io/kustomize/api v0.8.11 Apache-2.0
+    sigs.k8s.io/kustomize/kyaml v0.11.0 Apache-2.0
+    sigs.k8s.io/mcs-api v0.1.0 Apache-2.0
+    sigs.k8s.io/structured-merge-diff/v4 v4.1.2 Apache-2.0
+
+========================================================================
+BSD-2-Clause licenses
+========================================================================
+
+    github.com/pkg/errors v0.9.1 BSD-2-Clause
+    github.com/russross/blackfriday v1.5.2 BSD-2-Clause
+
+========================================================================
+BSD-3-Clause licenses
+========================================================================
+
+    github.com/PuerkitoBio/purell v1.1.1 BSD-3-Clause
+    github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 BSD-3-Clause
+    github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 BSD-3-Clause
+    github.com/evanphx/json-patch v4.11.0+incompatible BSD-3-Clause
+    github.com/evanphx/json-patch/v5 v5.6.0 BSD-3-Clause
+    github.com/fsnotify/fsnotify v1.5.1 BSD-3-Clause
+    github.com/gogo/protobuf v1.3.2 BSD-3-Clause
+    github.com/golang/protobuf v1.5.2 BSD-3-Clause
+    github.com/google/go-cmp v0.5.6 BSD-3-Clause
+    github.com/google/uuid v1.3.0 BSD-3-Clause
+    github.com/googleapis/gax-go/v2 v2.1.1 BSD-3-Clause
+    github.com/imdario/mergo v0.3.5 BSD-3-Clause
+    github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de BSD-3-Clause
+    github.com/pmezard/go-difflib v1.0.0 BSD-3-Clause
+    github.com/spaolacci/murmur3 v1.1.0 BSD-3-Clause
+    github.com/spf13/pflag v1.0.5 BSD-3-Clause
+    go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 BSD-3-Clause
+    golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 BSD-3-Clause
+    golang.org/x/net v0.0.0-20211020060615-d418f374d309 BSD-3-Clause
+    golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1 BSD-3-Clause
+    golang.org/x/sync v0.0.0-20210220032951-036812b2e83c BSD-3-Clause
+    golang.org/x/sys v0.0.0-20211020174200-9d6173849985 BSD-3-Clause
+    golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d BSD-3-Clause
+    golang.org/x/text v0.3.6 BSD-3-Clause
+    golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac BSD-3-Clause
+    golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 BSD-3-Clause
+    google.golang.org/api v0.59.0 BSD-3-Clause
+    google.golang.org/protobuf v1.27.1 BSD-3-Clause
+    gopkg.in/inf.v0 v0.9.1 BSD-3-Clause
+
+========================================================================
+ISC licenses
+========================================================================
+
+    github.com/davecgh/go-spew v1.1.1 ISC
+    github.com/decred/dcrd/dcrec/secp256k1/v3 v3.0.0 ISC
+
+========================================================================
+MIT licenses
+========================================================================
+
+    github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 MIT
+    github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd MIT
+    github.com/Masterminds/semver/v3 v3.1.1 MIT
+    github.com/Masterminds/sprig/v3 v3.2.2 MIT
+    github.com/Microsoft/go-winio v0.5.0 MIT
+    github.com/Microsoft/hcsshim v0.8.21 MIT
+    github.com/beorn7/perks v1.0.1 MIT
+    github.com/cenkalti/backoff/v4 v4.1.1 MIT
+    github.com/cespare/xxhash/v2 v2.1.1 MIT
+    github.com/docker/docker-credential-helpers v0.6.3 MIT
+    github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d MIT
+    github.com/fvbommel/sortorder v1.0.1 MIT
+    github.com/go-errors/errors v1.0.1 MIT
+    github.com/go-kit/log v0.1.0 MIT
+    github.com/go-logfmt/logfmt v0.5.0 MIT
+    github.com/goccy/go-json v0.4.8 MIT
+    github.com/golang-jwt/jwt/v4 v4.0.0 MIT
+    github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 MIT
+    github.com/huandu/xstrings v1.3.2 MIT
+    github.com/josharian/intern v1.0.0 MIT
+    github.com/json-iterator/go v1.1.11 MIT
+    github.com/lestrrat-go/backoff/v2 v2.0.7 MIT
+    github.com/lestrrat-go/blackmagic v1.0.0 MIT
+    github.com/lestrrat-go/httpcc v1.0.0 MIT
+    github.com/lestrrat-go/iter v1.0.1 MIT
+    github.com/lestrrat-go/jwx v1.2.0 MIT
+    github.com/lestrrat-go/option v1.0.0 MIT
+    github.com/mailru/easyjson v0.7.6 MIT
+    github.com/mitchellh/copystructure v1.2.0 MIT
+    github.com/mitchellh/go-wordwrap v1.0.0 MIT
+    github.com/mitchellh/reflectwalk v1.0.2 MIT
+    github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 MIT
+    github.com/natefinch/lumberjack v2.0.0+incompatible MIT
+    github.com/peterbourgon/diskv v2.0.1+incompatible MIT
+    github.com/shopspring/decimal v1.2.0 MIT
+    github.com/sirupsen/logrus v1.8.1 MIT
+    github.com/spf13/cast v1.3.1 MIT
+    github.com/stretchr/testify v1.7.0 MIT
+    github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca MIT
+    github.com/yl2chen/cidranger v1.0.2 MIT
+    go.uber.org/atomic v1.9.0 MIT
+    go.uber.org/multierr v1.7.0 MIT
+    go.uber.org/zap v1.19.1 MIT
+    gomodules.xyz/orderedmap v0.1.0 MIT
+
+========================================================================
+MIT and Apache-2.0 licenses
+========================================================================
+
+    gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b MIT and Apache-2.0
+
+========================================================================
+MIT and BSD-3-Clause licenses
+========================================================================
+
+    github.com/ghodss/yaml v1.0.0 MIT and BSD-3-Clause
+    sigs.k8s.io/yaml v1.3.0 MIT and BSD-3-Clause
+
+========================================================================
+MPL-2.0 licenses
+========================================================================
+
+    github.com/hashicorp/errwrap v1.0.0 MPL-2.0
+    github.com/hashicorp/go-multierror v1.1.1 MPL-2.0
+    github.com/hashicorp/go-version v1.3.0 MPL-2.0
+    github.com/hashicorp/golang-lru v0.5.4 MPL-2.0

helm/higress/README.md

@@ -0,0 +1,57 @@
+# Higress Helm Chart
+
+Installs the cloud-native gateway [Higress](http://higress.io/)
+
+## Get Repo Info
+
+```console
+helm repo add higress.io https://higress.io/helm-charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `higress`:
+
+```console
+helm install higress -n higress-system higress.io/higress --create-namespace --render-subchart-notes
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the higress deployment:
+
+```console
+helm delete higress -n higress-system
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Configuration
+
+| **Parameter** | **Description** | **Default** |
+|---|---|---|
+| **Global Parameters** |  |  |
+| global.local | Set to `true` if installing to a local K8s cluster (e.g.: Kind, Rancher Desktop, etc.) | false |
+| global.ingressClass | [IngressClass](https://kubernetes.io/zh-cn/docs/concepts/services-networking/ingress/#ingress-class) which is used to filter Ingress resources Higress Controller watches.<br />If there are multiple gateway instances deployed in the cluster, this parameter can be used to distinguish the scope of each gateway instance.<br />There are some special cases for special IngressClass values:<br />1. If set to "nginx", Higress Controller will watch Ingress resources with the `nginx` IngressClass or without any Ingress class.<br />2. If set to empty, Higress Controller will watch all Ingress resources in the K8s cluster. | higress |
+| global.watchNamespace | If not empty, Higress Controller will only watch resources in the specified namespace. When isolating different business systems using K8s namespace, if each namespace requires a standalone gateway instance, this parameter can be used to confine the Ingress watching of Higress within the given namespace. | "" |
+| global.disableAlpnH2 | Whether to disable HTTP/2 in ALPN | true |
+| global.enableStatus | If `true`, Higress Controller will update the `status` field of Ingress resources.<br />When migrating from Nginx Ingress, in order to avoid `status` field of Ingress objects being overwritten, this parameter needs to be set to false, so Higress won't write the entry IP to the `status` field of the corresponding Ingress object. | true |
+| global.enableIstioAPI | If `true`, Higress Controller will monitor istio resources as well | false |
+| global.enableGatewayAPI | If `true`, Higress Controller will monitor Gateway API resources as well | false |
+| global.istioNamespace | The namespace istio is installed to | istio-system |
+| **Core Paramters** |  |  |
+| higress-core.gateway.replicas | Number of Higress Gateway pods | 2 |
+| higress-core.controller.replicas | Number of Higress Controller pods | 1 |
+| **Console Paramters** |  |  |
+| higress-console.replicaCount | Number of Higress Console pods | 1 |
+| higress-console.service.type | K8s service type used by Higress Console | ClusterIP |
+| higress-console.domain | Domain used to access Higress Console | console.higress.io |
+| higress-console.tlsSecretName | Name of Secret resource used by TLS connections. | "" |
+| higress-console.web.login.prompt | Prompt message to be displayed on the login page | "" |
+| higress-console.admin.password.value | If not empty, the admin password will be configured to the specified value. | "" |
+| higress-console.admin.password.length | The length of random admin password generated during installation. Only works when `higress-console.admin.password.value` is not set. | 8 |
+| higress-console.o11y.enabled | If `true`, o11y suite (Grafana + Promethues) will be installed. | false |
+| higress-console.pvc.rwxSupported | Set to `false` when installing to a standard K8s cluster and the target cluster doesn't support the ReadWriteMany access mode of PersistentVolumeClaim. | true |

helm/istio/Chart.lock

@@ -1,9 +0,0 @@
-dependencies:
-- name: base
-  repository: file://../base
-  version: 1.12.0
-- name: istiod
-  repository: file://../istiod
-  version: 1.12.0
-digest: sha256:12dd680ac6eee11750941f56aab434cc35c5df09ac784a5ef8f5b84e0984f8c7
-generated: "2022-10-31T14:49:23.29643+08:00"

helm/istio/Chart.yaml

@@ -1,15 +0,0 @@
-apiVersion: v2
-appVersion: 1.12.4
-description: Helm chart for deploying higress istio
-name: istio
-sources:
-- http://github.com/alibaba/higress
-dependencies:
-- name: base
-  repository: "file://../base"
-  version: 1.12.0
-- name: istiod
-  repository: "file://../istiod"
-  version: 1.12.0
-type: application
-version: 1.12.4

helm/istiod/Chart.yaml

@@ -1,7 +0,0 @@
-apiVersion: v1
-appVersion: 1.12.0
-description: Helm chart for istio control plane
-name: istiod
-sources:
-- http://github.com/alibaba/higress
-version: 1.12.0

helm/istiod/files/gateway-injection-template.yaml

@@ -1,215 +0,0 @@
-{{- $containers := list }}
-{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
-metadata:
-  labels:
-    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
-    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
-    istio.io/rev: {{ .Revision | default "default" | quote }}
-  annotations: {
-    {{- if eq (len $containers) 1 }}
-    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
-    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
-    {{ end }}
-  }
-spec:
-  containers:
-  - name: istio-proxy
-  {{- if contains "/" .Values.global.proxy.image }}
-    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
-  {{- else }}
-    image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
-  {{- end }}
-    ports:
-    - containerPort: 15090
-      protocol: TCP
-      name: http-envoy-prom
-    args:
-    - proxy
-    - router
-    - --domain
-    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
-    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
-    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
-    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
-  {{- if .Values.global.sts.servicePort }}
-    - --stsPort={{ .Values.global.sts.servicePort }}
-  {{- end }}
-  {{- if .Values.global.logAsJson }}
-    - --log_as_json
-  {{- end }}
-  {{- if .Values.global.proxy.lifecycle }}
-    lifecycle:
-      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
-  {{- end }}
-    env:
-    - name: JWT_POLICY
-      value: {{ .Values.global.jwtPolicy }}
-    - name: PILOT_CERT_PROVIDER
-      value: {{ .Values.global.pilotCertProvider }}
-    - name: CA_ADDR
-    {{- if .Values.global.caAddress }}
-      value: {{ .Values.global.caAddress }}
-    {{- else }}
-      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
-    {{- end }}
-    - name: POD_NAME
-      valueFrom:
-        fieldRef:
-          fieldPath: metadata.name
-    - name: POD_NAMESPACE
-      valueFrom:
-        fieldRef:
-          fieldPath: metadata.namespace
-    - name: INSTANCE_IP
-      valueFrom:
-        fieldRef:
-          fieldPath: status.podIP
-    - name: SERVICE_ACCOUNT
-      valueFrom:
-        fieldRef:
-          fieldPath: spec.serviceAccountName
-    - name: HOST_IP
-      valueFrom:
-        fieldRef:
-          fieldPath: status.hostIP
-    - name: PROXY_CONFIG
-      value: |
-             {{ protoToJSON .ProxyConfig }}
-    - name: ISTIO_META_POD_PORTS
-      value: |-
-        [
-        {{- $first := true }}
-        {{- range $index1, $c := .Spec.Containers }}
-          {{- range $index2, $p := $c.Ports }}
-            {{- if (structToJSON $p) }}
-            {{if not $first}},{{end}}{{ structToJSON $p }}
-            {{- $first = false }}
-            {{- end }}
-          {{- end}}
-        {{- end}}
-        ]
-    - name: ISTIO_META_APP_CONTAINERS
-      value: "{{ $containers | join "," }}"
-    - name: ISTIO_META_CLUSTER_ID
-      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
-    - name: ISTIO_META_INTERCEPTION_MODE
-      value: "{{ .ProxyConfig.InterceptionMode.String }}"
-    {{- if .Values.global.network }}
-    - name: ISTIO_META_NETWORK
-      value: "{{ .Values.global.network }}"
-    {{- end }}
-    {{- if .DeploymentMeta.Name }}
-    - name: ISTIO_META_WORKLOAD_NAME
-      value: "{{ .DeploymentMeta.Name }}"
-    {{ end }}
-    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
-    - name: ISTIO_META_OWNER
-      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
-    {{- end}}
-    {{- if .Values.global.meshID }}
-    - name: ISTIO_META_MESH_ID
-      value: "{{ .Values.global.meshID }}"
-    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
-    - name: ISTIO_META_MESH_ID
-      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
-    {{- end }}
-    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
-    - name: TRUST_DOMAIN
-      value: "{{ . }}"
-    {{- end }}
-    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
-    - name: {{ $key }}
-      value: "{{ $value }}"
-    {{- end }}
-    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
-    readinessProbe:
-      httpGet:
-        path: /healthz/ready
-        port: 15021
-      initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
-      periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
-      timeoutSeconds: 3
-      failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
-    volumeMounts:
-    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
-    - name: gke-workload-certificate
-      mountPath: /var/run/secrets/workload-spiffe-credentials
-      readOnly: true
-    {{- end }}
-    {{- if eq .Values.global.pilotCertProvider "istiod" }}
-    - mountPath: /var/run/secrets/istio
-      name: istiod-ca-cert
-    {{- end }}
-    - mountPath: /var/lib/istio/data
-      name: istio-data
-    # SDS channel between istioagent and Envoy
-    - mountPath: /etc/istio/proxy
-      name: istio-envoy
-    {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
-    - mountPath: /var/run/secrets/tokens
-      name: istio-token
-    {{- end }}
-    {{- if .Values.global.mountMtlsCerts }}
-    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
-    - mountPath: /etc/certs/
-      name: istio-certs
-      readOnly: true
-    {{- end }}
-    - name: istio-podinfo
-      mountPath: /etc/istio/pod
-  volumes:
-  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
-  - name: gke-workload-certificate
-    csi:
-      driver: workloadcertificates.security.cloud.google.com
-  {{- end }}
-  # SDS channel between istioagent and Envoy
-  - emptyDir:
-      medium: Memory
-    name: istio-envoy
-  - name: istio-data
-    emptyDir: {}
-  - name: istio-podinfo
-    downwardAPI:
-      items:
-        - path: "labels"
-          fieldRef:
-            fieldPath: metadata.labels
-        - path: "annotations"
-          fieldRef:
-            fieldPath: metadata.annotations
-  {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
-  - name: istio-token
-    projected:
-      sources:
-      - serviceAccountToken:
-          path: istio-token
-          expirationSeconds: 43200
-          audience: {{ .Values.global.sds.token.aud }}
-  {{- end }}
-  {{- if eq .Values.global.pilotCertProvider "istiod" }}
-  - name: istiod-ca-cert
-    configMap:
-      name: istio-ca-root-cert
-  {{- end }}
-  {{- if .Values.global.mountMtlsCerts }}
-  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
-  - name: istio-certs
-    secret:
-      optional: true
-      {{ if eq .Spec.ServiceAccountName "" }}
-      secretName: istio.default
-      {{ else -}}
-      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
-      {{  end -}}
-  {{- end }}
-  {{- if .Values.global.imagePullSecrets }}
-  imagePullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
-    {{- end }}
-  {{- end }}
-  {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}
-  securityContext:
-    fsGroup: 1337
-  {{- end }}

helm/istiod/files/grpc-agent.yaml

@@ -1,233 +0,0 @@
-{{- $containers := list }}
-{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
-metadata:
-  annotations: {
-    {{- if eq (len $containers) 1 }}
-    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
-    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
-    {{ end }}
-    sidecar.istio.io/rewriteAppHTTPProbers: "false",
-  }
-spec:
-  containers:
-  {{- range $index, $container := .Spec.Containers  }}
-  {{ if not (eq $container.Name "istio-proxy") }}
-  - name: {{ $container.Name }}
-    env:
-    - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
-      value: "true"
-    - name: "GRPC_XDS_BOOTSTRAP"
-      value: "/etc/istio/proxy/grpc-bootstrap.json"
-    volumeMounts:
-    - mountPath: /var/lib/istio/data
-      name: istio-data
-    # UDS channel between istioagent and gRPC client for XDS/SDS
-    - mountPath: /etc/istio/proxy
-      name: istio-xds
-  {{- end }}
-  {{- end }}
-  - name: istio-proxy
-  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
-    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
-  {{- else }}
-    image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
-  {{- end }}
-    args:
-    - proxy
-    - sidecar
-    - --domain
-    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
-    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
-  {{- if .Values.global.sts.servicePort }}
-    - --stsPort={{ .Values.global.sts.servicePort }}
-  {{- end }}
-  {{- if .Values.global.logAsJson }}
-    - --log_as_json
-  {{- end }}
-    env:
-    - name: ISTIO_META_GENERATOR
-      value: grpc
-    - name: OUTPUT_CERTS
-      value: /var/lib/istio/data
-    {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
-    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
-      value: "true"
-    {{- end }}
-    - name: JWT_POLICY
-      value: {{ .Values.global.jwtPolicy }}
-    - name: PILOT_CERT_PROVIDER
-      value: {{ .Values.global.pilotCertProvider }}
-    - name: CA_ADDR
-    {{- if .Values.global.caAddress }}
-      value: {{ .Values.global.caAddress }}
-    {{- else }}
-      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
-    {{- end }}
-    - name: POD_NAME
-      valueFrom:
-        fieldRef:
-          fieldPath: metadata.name
-    - name: POD_NAMESPACE
-      valueFrom:
-        fieldRef:
-          fieldPath: metadata.namespace
-    - name: INSTANCE_IP
-      valueFrom:
-        fieldRef:
-          fieldPath: status.podIP
-    - name: SERVICE_ACCOUNT
-      valueFrom:
-        fieldRef:
-          fieldPath: spec.serviceAccountName
-    - name: HOST_IP
-      valueFrom:
-        fieldRef:
-          fieldPath: status.hostIP
-    - name: PROXY_CONFIG
-      value: |
-             {{ protoToJSON .ProxyConfig }}
-    - name: ISTIO_META_POD_PORTS
-      value: |-
-        [
-        {{- $first := true }}
-        {{- range $index1, $c := .Spec.Containers }}
-          {{- range $index2, $p := $c.Ports }}
-            {{- if (structToJSON $p) }}
-            {{if not $first}},{{end}}{{ structToJSON $p }}
-            {{- $first = false }}
-            {{- end }}
-          {{- end}}
-        {{- end}}
-        ]
-    - name: ISTIO_META_APP_CONTAINERS
-      value: "{{ $containers | join "," }}"
-    - name: ISTIO_META_CLUSTER_ID
-      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
-    - name: ISTIO_META_INTERCEPTION_MODE
-      value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
-    {{- if .Values.global.network }}
-    - name: ISTIO_META_NETWORK
-      value: "{{ .Values.global.network }}"
-    {{- end }}
-    {{- if .DeploymentMeta.Name }}
-    - name: ISTIO_META_WORKLOAD_NAME
-      value: "{{ .DeploymentMeta.Name }}"
-    {{ end }}
-    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
-    - name: ISTIO_META_OWNER
-      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
-    {{- end}}
-    {{- if .Values.global.meshID }}
-    - name: ISTIO_META_MESH_ID
-      value: "{{ .Values.global.meshID }}"
-    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
-    - name: ISTIO_META_MESH_ID
-      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
-    {{- end }}
-    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
-    - name: TRUST_DOMAIN
-      value: "{{ . }}"
-    {{- end }}
-    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
-    - name: {{ $key }}
-      value: "{{ $value }}"
-    {{- end }}
-    # grpc uses xds:/// to resolve – no need to resolve VIP
-    - name: ISTIO_META_DNS_CAPTURE
-      value: "false"
-    - name: DISABLE_ENVOY
-      value: "true"
-    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
-    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
-    readinessProbe:
-      httpGet:
-        path: /healthz/ready
-        port: {{ .Values.global.proxy.statusPort }}
-      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
-      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
-      timeoutSeconds: 3
-      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
-    {{ end -}}
-    resources:
-  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
-    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
-      requests:
-        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
-        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
-        {{ end }}
-        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
-        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
-        {{ end }}
-    {{- end }}
-    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
-      limits:
-        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
-        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
-        {{ end }}
-        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
-        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
-        {{ end }}
-    {{- end }}
-  {{- else }}
-    {{- if .Values.global.proxy.resources }}
-      {{ toYaml .Values.global.proxy.resources | indent 6 }}
-    {{- end }}
-  {{- end }}
-    volumeMounts:
-    {{- if eq .Values.global.pilotCertProvider "istiod" }}
-    - mountPath: /var/run/secrets/istio
-      name: istiod-ca-cert
-    {{- end }}
-    - mountPath: /var/lib/istio/data
-      name: istio-data
-    # UDS channel between istioagent and gRPC client for XDS/SDS
-    - mountPath: /etc/istio/proxy
-      name: istio-xds
-    {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
-    - mountPath: /var/run/secrets/tokens
-      name: istio-token
-    {{- end }}
-    - name: istio-podinfo
-      mountPath: /etc/istio/pod
-    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
-    {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
-    - name: "{{  $index }}"
-    {{ toYaml $value | indent 6 }}
-    {{ end }}
-    {{- end }}
-  volumes:
-  # UDS channel between istioagent and gRPC client for XDS/SDS
-  - emptyDir:
-      medium: Memory
-    name: istio-xds
-  - name: istio-data
-    emptyDir: {}
-  - name: istio-podinfo
-    downwardAPI:
-      items:
-        - path: "labels"
-          fieldRef:
-            fieldPath: metadata.labels
-        - path: "annotations"
-          fieldRef:
-            fieldPath: metadata.annotations
-{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
-  - name: istio-token
-    projected:
-      sources:
-      - serviceAccountToken:
-          path: istio-token
-          expirationSeconds: 43200
-          audience: {{ .Values.global.sds.token.aud }}
-{{- end }}
-  {{- if eq .Values.global.pilotCertProvider "istiod" }}
-  - name: istiod-ca-cert
-    configMap:
-      name: istio-ca-root-cert
-  {{- end }}
-  {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
-  {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
-  - name: "{{ $index }}"
-  {{ toYaml $value | indent 4 }}
-  {{ end }}
-  {{ end }}

helm/istiod/files/grpc-simple.yaml

@@ -1,64 +0,0 @@
-metadata:
-  sidecar.istio.io/rewriteAppHTTPProbers: "false"
-spec:
-  initContainers:
-    - name: grpc-bootstrap-init
-      image: busybox:1.28
-      volumeMounts:
-        - mountPath: /var/lib/grpc/data/
-          name: grpc-io-proxyless-bootstrap
-      env:
-        - name: INSTANCE_IP
-          valueFrom:
-            fieldRef:
-              fieldPath: status.podIP
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: ISTIO_NAMESPACE
-          value: |
-             {{ .Values.global.istioNamespace }}
-      command:
-        - sh
-        - "-c"
-        - |-
-          NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
-          SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010"
-          echo '
-          {
-            "xds_servers": [
-              {
-                "server_uri": "'${SERVER_URI}'",
-                "channel_creds": [{"type": "insecure"}],
-                "server_features" : ["xds_v3"]
-              }
-            ],
-            "node": {
-              "id": "'${NODE_ID}'",
-              "metadata": {
-                "GENERATOR": "grpc"
-              }
-            }
-          }' > /var/lib/grpc/data/bootstrap.json
-  containers:
-  {{- range $index, $container := .Spec.Containers }}
-  - name: {{ $container.Name }}
-    env:
-      - name: GRPC_XDS_BOOTSTRAP
-        value: /var/lib/grpc/data/bootstrap.json
-      - name: GRPC_GO_LOG_VERBOSITY_LEVEL
-        value: "99"
-      - name: GRPC_GO_LOG_SEVERITY_LEVEL
-        value: info
-    volumeMounts:
-      - mountPath: /var/lib/grpc/data/
-        name: grpc-io-proxyless-bootstrap
-  {{- end }}
-  volumes:
-    - name: grpc-io-proxyless-bootstrap
-      emptyDir: {}

helm/istiod/files/injection-template.yaml

@@ -1,491 +0,0 @@
-{{- $containers := list }}
-{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
-metadata:
-  labels:
-    security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio"  | quote }}
-    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
-    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
-  annotations: {
-    {{- if eq (len $containers) 1 }}
-    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
-    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
-    {{ end }}
-{{- if .Values.istio_cni.enabled }}
-    {{- if not .Values.istio_cni.chained }}
-    k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}',
-    {{- end }}
-    sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
-    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
-    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
-    traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}",
-    traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
-    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
-    traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
-    {{- end }}
-    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
-    traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
-    {{- end }}
-    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
-{{- end }}
-  }
-spec:
-  {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }}
-  initContainers:
-  {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
-  {{ if .Values.istio_cni.enabled -}}
-  - name: istio-validation
-  {{ else -}}
-  - name: istio-init
-  {{ end -}}
-  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
-    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
-  {{- else }}
-    image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
-  {{- end }}
-    args:
-    - istio-iptables
-    - "-p"
-    - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }}
-    - "-z"
-    - "15006"
-    - "-u"
-    - "1337"
-    - "-m"
-    - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
-    - "-i"
-    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
-    - "-x"
-    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
-    - "-b"
-    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}"
-    - "-d"
-  {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
-    - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
-  {{- else }}
-    - "15090,15021"
-  {{- end }}
-    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
-    - "-q"
-    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
-    {{ end -}}
-    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
-    - "-o"
-    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
-    {{ end -}}
-    {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
-    - "-k"
-    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
-    {{ end -}}
-    {{ if .Values.istio_cni.enabled -}}
-    - "--run-validation"
-    - "--skip-rule-apply"
-    {{ end -}}
-    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
-  {{- if .ProxyConfig.ProxyMetadata }}
-    env:
-    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
-    - name: {{ $key }}
-      value: "{{ $value }}"
-    {{- end }}
-  {{- end }}
-    resources:
-  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
-    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
-      requests:
-        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
-        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
-        {{ end }}
-        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
-        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
-        {{ end }}
-    {{- end }}
-    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
-      limits:
-        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
-        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
-        {{ end }}
-        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
-        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
-        {{ end }}
-    {{- end }}
-  {{- else }}
-    {{- if .Values.global.proxy.resources }}
-      {{ toYaml .Values.global.proxy.resources | indent 6 }}
-    {{- end }}
-  {{- end }}
-    securityContext:
-      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
-      privileged: {{ .Values.global.proxy.privileged }}
-      capabilities:
-    {{- if not .Values.istio_cni.enabled }}
-        add:
-        - NET_ADMIN
-        - NET_RAW
-    {{- end }}
-        drop:
-        - ALL
-    {{- if not .Values.istio_cni.enabled }}
-      readOnlyRootFilesystem: false
-      runAsGroup: 0
-      runAsNonRoot: false
-      runAsUser: 0
-    {{- else }}
-      readOnlyRootFilesystem: true
-      runAsGroup: 1337
-      runAsUser: 1337
-      runAsNonRoot: true
-    {{- end }}
-    restartPolicy: Always
-  {{ end -}}
-  {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
-  - name: enable-core-dump
-    args:
-    - -c
-    - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
-    command:
-      - /bin/sh
-  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
-    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
-  {{- else }}
-    image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
-  {{- end }}
-    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
-    resources: {}
-    securityContext:
-      allowPrivilegeEscalation: true
-      capabilities:
-        add:
-        - SYS_ADMIN
-        drop:
-        - ALL
-      privileged: true
-      readOnlyRootFilesystem: false
-      runAsGroup: 0
-      runAsNonRoot: false
-      runAsUser: 0
-  {{ end }}
-  containers:
-  - name: istio-proxy
-  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
-    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
-  {{- else }}
-    image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
-  {{- end }}
-    ports:
-    - containerPort: 15090
-      protocol: TCP
-      name: http-envoy-prom
-    args:
-    - proxy
-    - sidecar
-    - --domain
-    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
-    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
-    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
-    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
-  {{- if .Values.global.sts.servicePort }}
-    - --stsPort={{ .Values.global.sts.servicePort }}
-  {{- end }}
-  {{- if .Values.global.logAsJson }}
-    - --log_as_json
-  {{- end }}
-  {{- if gt .EstimatedConcurrency 0 }}
-    - --concurrency
-    - "{{ .EstimatedConcurrency }}"
-  {{- end -}}
-  {{- if .Values.global.proxy.lifecycle }}
-    lifecycle:
-      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
-  {{- else if $holdProxy }}
-    lifecycle:
-      postStart:
-        exec:
-          command:
-          - pilot-agent
-          - wait
-  {{- end }}
-    env:
-    {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
-    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
-      value: "true"
-    {{- end }}
-    - name: JWT_POLICY
-      value: {{ .Values.global.jwtPolicy }}
-    - name: PILOT_CERT_PROVIDER
-      value: {{ .Values.global.pilotCertProvider }}
-    - name: CA_ADDR
-    {{- if .Values.global.caAddress }}
-      value: {{ .Values.global.caAddress }}
-    {{- else }}
-      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
-    {{- end }}
-    - name: POD_NAME
-      valueFrom:
-        fieldRef:
-          fieldPath: metadata.name
-    - name: POD_NAMESPACE
-      valueFrom:
-        fieldRef:
-          fieldPath: metadata.namespace
-    - name: INSTANCE_IP
-      valueFrom:
-        fieldRef:
-          fieldPath: status.podIP
-    - name: SERVICE_ACCOUNT
-      valueFrom:
-        fieldRef:
-          fieldPath: spec.serviceAccountName
-    - name: HOST_IP
-      valueFrom:
-        fieldRef:
-          fieldPath: status.hostIP
-    - name: PROXY_CONFIG
-      value: |
-             {{ protoToJSON .ProxyConfig }}
-    - name: ISTIO_META_POD_PORTS
-      value: |-
-        [
-        {{- $first := true }}
-        {{- range $index1, $c := .Spec.Containers }}
-          {{- range $index2, $p := $c.Ports }}
-            {{- if (structToJSON $p) }}
-            {{if not $first}},{{end}}{{ structToJSON $p }}
-            {{- $first = false }}
-            {{- end }}
-          {{- end}}
-        {{- end}}
-        ]
-    - name: ISTIO_META_APP_CONTAINERS
-      value: "{{ $containers | join "," }}"
-    - name: ISTIO_META_CLUSTER_ID
-      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
-    - name: ISTIO_META_INTERCEPTION_MODE
-      value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
-    {{- if .Values.global.network }}
-    - name: ISTIO_META_NETWORK
-      value: "{{ .Values.global.network }}"
-    {{- end }}
-    {{- if .DeploymentMeta.Name }}
-    - name: ISTIO_META_WORKLOAD_NAME
-      value: "{{ .DeploymentMeta.Name }}"
-    {{ end }}
-    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
-    - name: ISTIO_META_OWNER
-      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
-    {{- end}}
-    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
-    - name: ISTIO_BOOTSTRAP_OVERRIDE
-      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
-    {{- end }}
-    {{- if .Values.global.meshID }}
-    - name: ISTIO_META_MESH_ID
-      value: "{{ .Values.global.meshID }}"
-    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
-    - name: ISTIO_META_MESH_ID
-      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
-    {{- end }}
-    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
-    - name: TRUST_DOMAIN
-      value: "{{ . }}"
-    {{- end }}
-    {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
-    {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
-    - name: {{ $key }}
-      value: "{{ $value }}"
-    {{- end }}
-    {{- end }}
-    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
-    - name: {{ $key }}
-      value: "{{ $value }}"
-    {{- end }}
-    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
-    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
-    readinessProbe:
-      httpGet:
-        path: /healthz/ready
-        port: 15021
-      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
-      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
-      timeoutSeconds: 3
-      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
-    {{ end -}}
-    securityContext:
-      {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }}
-      allowPrivilegeEscalation: true
-      capabilities:
-        add:
-        - NET_ADMIN
-        drop:
-        - ALL
-      privileged: true
-      readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
-      runAsGroup: 1337
-      fsGroup: 1337
-      runAsNonRoot: false
-      runAsUser: 0
-      {{- else }}
-      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
-      capabilities:
-        {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
-        add:
-        {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
-        - NET_ADMIN
-        {{- end }}
-        {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}
-        - NET_BIND_SERVICE
-        {{- end }}
-        {{- end }}
-        drop:
-        - ALL
-      privileged: {{ .Values.global.proxy.privileged }}
-      readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
-      runAsGroup: 1337
-      fsGroup: 1337
-      {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
-      runAsNonRoot: false
-      runAsUser: 0
-      {{- else -}}
-      runAsNonRoot: true
-      runAsUser: 1337
-      {{- end }}
-      {{- end }}
-    resources:
-  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
-    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
-      requests:
-        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
-        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
-        {{ end }}
-        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
-        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
-        {{ end }}
-    {{- end }}
-    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
-      limits:
-        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
-        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
-        {{ end }}
-        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
-        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
-        {{ end }}
-    {{- end }}
-  {{- else }}
-    {{- if .Values.global.proxy.resources }}
-      {{ toYaml .Values.global.proxy.resources | indent 6 }}
-    {{- end }}
-  {{- end }}
-    volumeMounts:
-    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
-    - name: gke-workload-certificate
-      mountPath: /var/run/secrets/workload-spiffe-credentials
-      readOnly: true
-    {{- end }}
-    {{- if eq .Values.global.pilotCertProvider "istiod" }}
-    - mountPath: /var/run/secrets/istio
-      name: istiod-ca-cert
-    {{- end }}
-    - mountPath: /var/lib/istio/data
-      name: istio-data
-    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
-    - mountPath: /etc/istio/custom-bootstrap
-      name: custom-bootstrap-volume
-    {{- end }}
-    # SDS channel between istioagent and Envoy
-    - mountPath: /etc/istio/proxy
-      name: istio-envoy
-    {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
-    - mountPath: /var/run/secrets/tokens
-      name: istio-token
-    {{- end }}
-    {{- if .Values.global.mountMtlsCerts }}
-    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
-    - mountPath: /etc/certs/
-      name: istio-certs
-      readOnly: true
-    {{- end }}
-    - name: istio-podinfo
-      mountPath: /etc/istio/pod
-     {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
-    - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
-      name: lightstep-certs
-      readOnly: true
-    {{- end }}
-      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
-      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
-    - name: "{{  $index }}"
-      {{ toYaml $value | indent 6 }}
-      {{ end }}
-      {{- end }}
-  volumes:
-  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
-  - name: gke-workload-certificate
-    csi:
-      driver: workloadcertificates.security.cloud.google.com
-  {{- end }}
-  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
-  - name: custom-bootstrap-volume
-    configMap:
-      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
-  {{- end }}
-  # SDS channel between istioagent and Envoy
-  - emptyDir:
-      medium: Memory
-    name: istio-envoy
-  - name: istio-data
-    emptyDir: {}
-  - name: istio-podinfo
-    downwardAPI:
-      items:
-        - path: "labels"
-          fieldRef:
-            fieldPath: metadata.labels
-        - path: "annotations"
-          fieldRef:
-            fieldPath: metadata.annotations
-  {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
-  - name: istio-token
-    projected:
-      sources:
-      - serviceAccountToken:
-          path: istio-token
-          expirationSeconds: 43200
-          audience: {{ .Values.global.sds.token.aud }}
-  {{- end }}
-  {{- if eq .Values.global.pilotCertProvider "istiod" }}
-  - name: istiod-ca-cert
-    configMap:
-      name: istio-ca-root-cert
-  {{- end }}
-  {{- if .Values.global.mountMtlsCerts }}
-  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
-  - name: istio-certs
-    secret:
-      optional: true
-      {{ if eq .Spec.ServiceAccountName "" }}
-      secretName: istio.default
-      {{ else -}}
-      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
-      {{  end -}}
-  {{- end }}
-    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
-    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
-  - name: "{{ $index }}"
-    {{ toYaml $value | indent 4 }}
-    {{ end }}
-    {{ end }}
-  {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
-  - name: lightstep-certs
-    secret:
-      optional: true
-      secretName: lightstep.cacert
-  {{- end }}
-  {{- if .Values.global.imagePullSecrets }}
-  imagePullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
-    {{- end }}
-  {{- end }}
-  {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}
-  securityContext:
-    fsGroup: 1337
-  {{- end }}

helm/istiod/templates/NOTES.txt

@@ -1,21 +0,0 @@
-"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed!
-
-To learn more about the release, try:
-  $ helm status {{ .Release.Name }}
-  $ helm get all {{ .Release.Name }}
-
-Next steps:
-  * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
-  * Try out our tasks to get started on common configurations:
-    * https://istio.io/latest/docs/tasks/traffic-management
-    * https://istio.io/latest/docs/tasks/security/
-    * https://istio.io/latest/docs/tasks/policy-enforcement/
-    * https://istio.io/latest/docs/tasks/policy-enforcement/
-  * Review the list of actively supported releases, CVE publications and our hardening guide:
-    * https://istio.io/latest/docs/releases/supported-releases/
-    * https://istio.io/latest/news/security/
-    * https://istio.io/latest/docs/ops/best-practices/security/
-
-For further documentation see https://istio.io website
-
-Tell us how your install/upgrade experience went at https://forms.gle/FegQbc9UvePd4Z9z7

helm/istiod/templates/autoscale.yaml

@@ -1,59 +0,0 @@
-{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }}
-{{- if not .Values.extra.autoscalingv2API }}
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-metadata:
-  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: istiod
-    release: {{ .Release.Name }}
-    istio.io/rev: {{ .Values.revision | default "default" }}
-    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
-    operator.istio.io/component: "Pilot"
-spec:
-  maxReplicas: {{ .Values.pilot.autoscaleMax }}
-  minReplicas: {{ .Values.pilot.autoscaleMin }}
-  scaleTargetRef:
-    apiVersion: apps/v1
-    kind: Deployment
-    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-  metrics:
-  - type: Resource
-    resource:
-      name: cpu
-      targetAverageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }}
----
-{{- else }}
-{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}}
-apiVersion: autoscaling/v2
-{{- else }}
-apiVersion: autoscaling/v2beta2
-{{- end }}
-kind: HorizontalPodAutoscaler
-metadata:
-  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: istiod
-    release: {{ .Release.Name }}
-    istio.io/rev: {{ .Values.revision | default "default" }}
-    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
-    operator.istio.io/component: "Pilot"
-spec:
-  maxReplicas: {{ .Values.pilot.autoscaleMax }}
-  minReplicas: {{ .Values.pilot.autoscaleMin }}
-  scaleTargetRef:
-    apiVersion: apps/v1
-    kind: Deployment
-    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-  metrics:
-  - type: Resource
-    resource:
-      name: cpu
-      target:
-        type: Utilization
-        averageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }}
----
-{{- end }}
-{{- end }}

helm/istiod/templates/clusterrole.yaml

@@ -1,134 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-  labels:
-    app: istiod
-    release: {{ .Release.Name }}
-rules:
-  # sidecar injection controller
-  - apiGroups: ["admissionregistration.k8s.io"]
-    resources: ["mutatingwebhookconfigurations"]
-    verbs: ["get", "list", "watch", "update", "patch"]
-
-  # configuration validation webhook controller
-  - apiGroups: ["admissionregistration.k8s.io"]
-    resources: ["validatingwebhookconfigurations"]
-    verbs: ["get", "list", "watch", "update"]
-
-  # istio configuration
-  # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
-  # please proceed with caution
-  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
-    verbs: ["get", "watch", "list"]
-    resources: ["*"]
-{{- if .Values.global.istiod.enableAnalysis }}
-  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
-    verbs: ["update"]
-    # TODO: should be on just */status but wildcard is not supported
-    resources: ["*"]
-{{- end }}
-  - apiGroups: ["networking.istio.io"]
-    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
-    resources: [ "workloadentries" ]
-  - apiGroups: ["networking.istio.io"]
-    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
-    resources: [ "workloadentries/status" ]
-
-  # auto-detect installed CRD definitions
-  - apiGroups: ["apiextensions.k8s.io"]
-    resources: ["customresourcedefinitions"]
-    verbs: ["get", "list", "watch"]
-
-  # discovery and routing
-  - apiGroups: [""]
-    resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["discovery.k8s.io"]
-    resources: ["endpointslices"]
-    verbs: ["get", "list", "watch"]
-
-  # ingress controller
-{{- if .Values.global.istiod.enableAnalysis }}
-  - apiGroups: ["extensions", "networking.k8s.io"]
-    resources: ["ingresses"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["extensions", "networking.k8s.io"]
-    resources: ["ingresses/status"]
-    verbs: ["*"]
-{{- end}}
-  - apiGroups: ["networking.k8s.io"]
-    resources: ["ingresses", "ingressclasses"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["networking.k8s.io"]
-    resources: ["ingresses/status"]
-    verbs: ["*"]
-
-  # required for CA's namespace controller
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    verbs: ["create", "get", "list", "watch", "update"]
-
-  # Istiod and bootstrap.
-  - apiGroups: ["certificates.k8s.io"]
-    resources:
-      - "certificatesigningrequests"
-      - "certificatesigningrequests/approval"
-      - "certificatesigningrequests/status"
-    verbs: ["update", "create", "get", "delete", "watch"]
-  - apiGroups: ["certificates.k8s.io"]
-    resources:
-      - "signers"
-    resourceNames:
-    - "kubernetes.io/legacy-unknown"
-    verbs: ["approve"]
-
-  # Used by Istiod to verify the JWT tokens
-  - apiGroups: ["authentication.k8s.io"]
-    resources: ["tokenreviews"]
-    verbs: ["create"]
-
-  # Used by Istiod to verify gateway SDS
-  - apiGroups: ["authorization.k8s.io"]
-    resources: ["subjectaccessreviews"]
-    verbs: ["create"]
-
-  # Use for Kubernetes Service APIs
-  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
-    resources: ["*"]
-    verbs: ["get", "watch", "list"]
-  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
-    resources: ["*"] # TODO: should be on just */status but wildcard is not supported
-    verbs: ["update", "patch"]
-
-  # Needed for multicluster secret reading, possibly ingress certs in the future
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "watch", "list"]
-
-  # Used for MCS serviceexport management
-  - apiGroups: ["multicluster.x-k8s.io"]
-    resources: ["serviceexports"]
-    verbs: [ "get", "watch", "list", "create", "delete"]
-
-  # Used for MCS serviceimport management
-  - apiGroups: ["multicluster.x-k8s.io"]
-    resources: ["serviceimports"]
-    verbs: ["get", "watch", "list"]
----
-{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-  labels:
-    app: istiod
-    release: {{ .Release.Name }}
-rules:
-  - apiGroups: ["apps"]
-    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
-    resources: [ "deployments" ]
-  - apiGroups: [""]
-    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
-    resources: [ "services" ]
-{{- end }}

helm/istiod/templates/clusterrolebinding.yaml

@@ -1,33 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-  labels:
-    app: istiod
-    release: {{ .Release.Name }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-subjects:
-  - kind: ServiceAccount
-    name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
-    namespace: {{ .Values.global.istioNamespace }}
----
-{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-  labels:
-    app: istiod
-    release: {{ .Release.Name }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-subjects:
-- kind: ServiceAccount
-  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
-  namespace: {{ .Values.global.istioNamespace }}
-{{- end }}

helm/istiod/templates/configmap-jwks.yaml

@@ -1,14 +0,0 @@
-{{- if .Values.pilot.jwksResolverExtraRootCA }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    release: {{ .Release.Name }}
-    istio.io/rev: {{ .Values.revision | default "default" }}
-    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
-    operator.istio.io/component: "Pilot"
-data:
-  extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }}
-{{- end }}

helm/istiod/templates/configmap.yaml

@@ -1,115 +0,0 @@
-{{- define "mesh" }}
-    # The trust domain corresponds to the trust root of a system.
-    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
-    trustDomain: "cluster.local"
-    accessLogEncoding: TEXT
-    accessLogFile: "/dev/stdout"
-    accessLogFormat: '{"authority":"%REQ(:AUTHORITY)%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","duration":"%DURATION%","istio_policy_status":"%DYNAMIC_METADATA(istio.mixer:status)%","method":"%REQ(:METHOD)%","path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","request_id":"%REQ(X-REQUEST-ID)%","requested_server_name":"%REQUESTED_SERVER_NAME%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","route_name":"%ROUTE_NAME%","start_time":"%START_TIME%","trace_id":"%REQ(X-B3-TRACEID)%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_host":"%UPSTREAM_HOST%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","user_agent":"%REQ(USER-AGENT)%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%"}
-
-    '
-    dnsRefreshRate: 200s
-    enableAutoMtls: false
-    enablePrometheusMerge: false
-    protocolDetectionTimeout: 100ms
-    # The namespace to treat as the administrative root namespace for Istio configuration.
-    # When processing a leaf namespace Istio will search for declarations in that namespace first
-    # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
-    # is processed as if it were declared in the leaf namespace.
-    rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
-
-    configSources:
-      - address: k8s://
-      - address: {{ printf "xds://%s.%s:%s" .Values.extra.higressName .Values.extra.higressNamespace .Values.extra.higressPort }}
-
-    defaultConfig:
-      {{- if .Values.global.meshID }}
-      meshId: {{ .Values.global.meshID }}
-      {{- end }}
-      tracing:
-      {{- if eq .Values.global.proxy.tracer "lightstep" }}
-        lightstep:
-          # Address of the LightStep Satellite pool
-          address: {{ .Values.global.tracer.lightstep.address }}
-          # Access Token used to communicate with the Satellite pool
-          accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
-      {{- else if eq .Values.global.proxy.tracer "zipkin" }}
-        zipkin:
-          # Address of the Zipkin collector
-          address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
-      {{- else if eq .Values.global.proxy.tracer "datadog" }}
-        datadog:
-          # Address of the Datadog Agent
-          address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }}
-      {{- else if eq .Values.global.proxy.tracer "stackdriver" }}
-        stackdriver:
-          # enables trace output to stdout.
-        {{- if $.Values.global.tracer.stackdriver.debug }}
-          debug: {{ $.Values.global.tracer.stackdriver.debug }}
-        {{- end }}
-        {{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }}
-          # The global default max number of attributes per span.
-          maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }}
-        {{- end }}
-        {{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }}
-          # The global default max number of annotation events per span.
-          maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }}
-        {{- end }}
-        {{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }}
-          # The global default max number of message events per span.
-          maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }}
-        {{- end }}
-      {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
-      {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}}
-{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }}
-      {{- else }}
-        {}
-      {{- end }}
-      {{- if .Values.global.remotePilotAddress }}
-      {{- if not .Values.global.externalIstiod }}
-      discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
-      {{- else }}
-      discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
-      {{- end }}
-      {{- else }}
-      discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
-      {{- end }}
-      proxyStatsMatcher:
-        inclusionRegexps:
-        - ".*"
-{{- end }}
-
-{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
-{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
-{{- $originalMesh := include "mesh" . | fromYaml }}
-{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
-
-{{- if .Values.pilot.configMap }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    istio.io/rev: {{ .Values.revision | default "default" }}
-    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
-    operator.istio.io/component: "Pilot"
-    release: {{ .Release.Name }}
-data:
-
-  # Configuration file for the mesh networks to be used by the Split Horizon EDS.
-  meshNetworks: |-
-  {{- if .Values.global.meshNetworks }}
-    networks:
-{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
-  {{- else }}
-    networks: {}
-  {{- end }}
-
-  mesh: |-
-{{- if .Values.meshConfig }}
-{{ $mesh | toYaml | indent 4 }}
-{{- else }}
-{{- include "mesh" . }}
-{{- end }}
----
-{{- end }}