rel: Release version 1.1.2 (#545)

Signed-off-by: bitliu <bitliu@tencent.com>

.github/workflows/build-and-test.yaml

@@ -107,7 +107,7 @@ jobs:
     steps:
     - uses: actions/checkout@v3
 
-  ingress-conformance-test:
+  higress-conformance-test:
     runs-on: ubuntu-latest
     needs: [build]
     steps:
@@ -141,12 +141,16 @@ jobs:
           
     - run: git stash # restore patch
 
-    - name: "Run Ingress Conformance Tests"
-      run: GOPROXY="https://proxy.golang.org,direct" make ingress-conformance-test
+    - name: "Run Higress E2E Conformance Tests"
+      run: GOPROXY="https://proxy.golang.org,direct" make higress-conformance-test
       
-  ingress-wasmplugin-test:
+  higress-wasmplugin-test:
     runs-on: ubuntu-latest
     needs: [build]
+    strategy:
+      matrix:
+        # TODO(Xunzhuo): Enable C WASM Filters in CI
+        wasmPluginType: [ GO ]
     steps:
     - uses: actions/checkout@v3
       
@@ -179,10 +183,10 @@ jobs:
     - run: git stash # restore patch
 
     - name: "Run Ingress WasmPlugins Tests"
-      run: GOPROXY="https://proxy.golang.org,direct" make ingress-wasmplugin-test
+      run: GOPROXY="https://proxy.golang.org,direct" PLUGIN_TYPE=${{ matrix.wasmPluginType }} make higress-wasmplugin-test
 
   publish:
     runs-on: ubuntu-latest
-    needs: [ingress-conformance-test,gateway-conformance-test,ingress-wasmplugin-test]
+    needs: [higress-conformance-test,gateway-conformance-test,higress-wasmplugin-test]
     steps:
     - uses: actions/checkout@v3

.github/workflows/build-image-and-push.yaml

@@ -0,0 +1,207 @@
+name: Build Docker Images and Push to Image Registry
+
+on:
+  push:
+    tags:
+    - "v*.*.*"
+  workflow_dispatch: ~
+
+jobs:
+  build-controller-image:
+    runs-on: ubuntu-latest
+    environment:
+      name: image-registry-controller
+    env:
+      CONTROLLER_IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY || 'higress-registry.cn-hangzhou.cr.aliyuncs.com' }}
+      CONTROLLER_IMAGE_NAME: ${{ vars.CONTROLLER_IMAGE_NAME || 'higress/higress' }}
+    steps:
+      - name: "Checkout ${{ github.ref }}"
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
+
+      - name: "Setup Go"
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+
+      - name: Setup Golang Caches
+        uses: actions/cache@v3
+        with:
+          path: |-
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-go
+
+      - name: Setup Submodule Caches
+        uses: actions/cache@v3
+        with:
+          path: |-
+            envoy
+            istio
+            .git/modules
+          key: ${{ runner.os }}-submodules-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-submodules-new
+
+      - name: Calculate Docker metadata
+        id: docker-meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ${{ env.CONTROLLER_IMAGE_REGISTRY }}/${{ env.CONTROLLER_IMAGE_NAME }}
+          tags: |
+            type=sha
+            type=ref,event=tag
+            type=semver,pattern={{version}}
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
+
+      - name: Login to Docker Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.CONTROLLER_IMAGE_REGISTRY }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Build Docker Image and Push
+        run: |
+          GOPROXY="https://proxy.golang.org,direct" make docker-buildx-push
+          BUILT_IMAGE="higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/higress"
+          readarray -t IMAGES <<< "${{ steps.docker-meta.outputs.tags }}"
+          for image in ${IMAGES[@]}; do
+            echo "Image: $image"
+            docker buildx imagetools create $BUILT_IMAGE:$GITHUB_SHA --tag $image
+          done
+
+  build-pilot-image:
+    runs-on: ubuntu-latest
+    environment:
+      name: image-registry-pilot
+    env:
+      PILOT_IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY || 'higress-registry.cn-hangzhou.cr.aliyuncs.com' }}
+      PILOT_IMAGE_NAME: ${{ vars.PILOT_IMAGE_NAME || 'higress/pilot' }}
+    steps:
+      - name: "Checkout ${{ github.ref }}"
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
+
+      - name: "Setup Go"
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+
+      - name: Setup Golang Caches
+        uses: actions/cache@v3
+        with:
+          path: |-
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-go
+
+      - name: Setup Submodule Caches
+        uses: actions/cache@v3
+        with:
+          path: |-
+            envoy
+            istio
+            .git/modules
+          key: ${{ runner.os }}-submodules-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-submodules-new
+
+      - name: Calculate Docker metadata
+        id: docker-meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ${{ env.PILOT_IMAGE_REGISTRY }}/${{ env.PILOT_IMAGE_NAME }}
+          tags: |
+            type=sha
+            type=ref,event=tag
+            type=semver,pattern={{version}}
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
+
+      - name: Login to Docker Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.PILOT_IMAGE_REGISTRY }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Build Pilot-Discovery Image and Push
+        run: |
+          GOPROXY="https://proxy.golang.org,direct" make build-istio
+          BUILT_IMAGE="higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/pilot"
+          readarray -t IMAGES <<< "${{ steps.docker-meta.outputs.tags }}"
+          for image in ${IMAGES[@]}; do
+            echo "Image: $image"
+            docker buildx imagetools create $BUILT_IMAGE:$GITHUB_SHA --tag $image
+          done
+
+
+  build-gateway-image:
+    runs-on: ubuntu-latest
+    environment:
+      name: image-registry-pilot
+    env:
+      GATEWAY_IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY || 'higress-registry.cn-hangzhou.cr.aliyuncs.com' }}
+      GATEWAY_IMAGE_NAME: ${{ vars.GATEWAY_IMAGE_NAME || 'higress/gateway' }}
+    steps:
+      - name: "Checkout ${{ github.ref }}"
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
+
+      - name: "Setup Go"
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+
+      - name: Setup Golang Caches
+        uses: actions/cache@v3
+        with:
+          path: |-
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-go
+
+      - name: Setup Submodule Caches
+        uses: actions/cache@v3
+        with:
+          path: |-
+            envoy
+            istio
+            .git/modules
+          key: ${{ runner.os }}-submodules-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-submodules-new
+
+      - name: Calculate Docker metadata
+        id: docker-meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ${{ env.GATEWAY_IMAGE_REGISTRY }}/${{ env.GATEWAY_IMAGE_NAME }}
+          tags: |
+            type=sha
+            type=ref,event=tag
+            type=semver,pattern={{version}}
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
+
+      - name: Login to Docker Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.GATEWAY_IMAGE_REGISTRY }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}            
+          
+      - name: Build Gateway Image and Push
+        run: |
+          GOPROXY="https://proxy.golang.org,direct" make build-gateway
+          BUILT_IMAGE="higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/proxyv2"
+          readarray -t IMAGES <<< "${{ steps.docker-meta.outputs.tags }}"
+          for image in ${IMAGES[@]}; do
+            echo "Image: $image"
+            docker buildx imagetools create $BUILT_IMAGE:$GITHUB_SHA --tag $image
+          done

.github/workflows/deploy-standalone-to-oss.yaml

@@ -0,0 +1,37 @@
+name: Deploy Standalone to OSS
+
+on:
+  push:
+    tags:
+    - "v*.*.*"
+  workflow_dispatch: ~
+
+jobs:
+  deploy-to-oss:
+    runs-on: ubuntu-latest
+    environment:
+      name: oss
+    steps:
+      # Step 1
+      - name: Checkout
+        uses: actions/checkout@v3
+      # Step 2
+      - id: package
+        name: Prepare Standalone Package
+        run: |
+          mkdir ./artifact
+          cp ./tools/get-higress.sh ./artifact
+          LOCAL_RELEASE_URL="https://github.com/higress-group/higress-standalone/releases"
+          VERSION=$(curl -Ls $LOCAL_RELEASE_URL | grep 'href="/higress-group/higress-standalone/releases/tag/v[0-9]*.[0-9]*.[0-9]*\"' | sed -E 's/.*\/higress-group\/higress-standalone\/releases\/tag\/(v[0-9\.]+)".*/\1/g' | head -1)
+          DOWNLOAD_URL="https://github.com/higress-group/higress-standalone/archive/refs/tags/${VERSION}.tar.gz"
+          curl -SsL "$DOWNLOAD_URL" -o "./artifact/higress-${VERSION}.tar.gz"
+          echo -n "$VERSION" > ./artifact/VERSION
+          echo "Version=$VERSION"
+      # Step 3
+      - name: Upload to OSS
+        uses: doggycool/ossutil-github-action@master
+        with:
+          ossArgs: 'cp -r -u ./artifact/ oss://higress-website-cn-hongkong/standalone/'
+          accessKey: ${{ secrets.ACCESS_KEYID }}
+          accessSecret: ${{ secrets.ACCESS_KEYSECRET }}
+          endpoint: oss-cn-hongkong.aliyuncs.com

.github/workflows/deploy-to-oss.yaml

@@ -4,10 +4,13 @@ on:
   push:
     tags:
     - "v*.*.*"
+  workflow_dispatch: ~
 
 jobs:
   deploy-to-oss:
     runs-on: ubuntu-latest
+    environment:
+      name: oss
     steps:
       # Step 1
       - name: Checkout
@@ -33,11 +36,14 @@ jobs:
         with:
           helmv3: 3.7.2
           command: |
+            cp api/kubernetes/customresourcedefinitions.gen.yaml helm/core/crds
             helmv3 repo add higress.io https://higress.io/helm-charts
             helmv3 package helm/core --debug --app-version ${{steps.calc-version.outputs.version}} --version ${{steps.calc-version.outputs.version}} -d ./artifact
             helmv3 dependency build helm/higress
             helmv3 package helm/higress --debug --app-version ${{steps.calc-version.outputs.version}} --version ${{steps.calc-version.outputs.version}} -d ./artifact
             helmv3 repo index --url https://higress.io/helm-charts/ --merge ./artifact/index.yaml ./artifact
+            cp ./artifact/index.yaml ./artifact/cn-index.yaml
+            sed -i 's/higress\.io/higress\.cn/g' ./artifact/cn-index.yaml
       # Step 5
       - name: Upload to OSS
         uses: doggycool/ossutil-github-action@master

.gitignore

@@ -13,4 +13,5 @@ bazel-testlogs
 bazel-wasm-cpp
 tools/bin/
 helm/**/charts/**.tgz
+target/
 tools/hack/cluster.conf

Makefile.core.mk

@@ -17,6 +17,8 @@ GO ?= go
 
 export GOPROXY ?= https://proxy.golang.com.cn,direct
 
+TARGET_ARCH ?= amd64
+
 GOARCH_LOCAL := $(TARGET_ARCH)
 GOOS_LOCAL := $(TARGET_OS)
 RELEASE_LDFLAGS='$(GO_LDFLAGS) -extldflags -static -s -w'
@@ -24,6 +26,8 @@ RELEASE_LDFLAGS='$(GO_LDFLAGS) -extldflags -static -s -w'
 export OUT:=$(TARGET_OUT)
 export OUT_LINUX:=$(TARGET_OUT_LINUX)
 
+BUILDX_PLATFORM ?=
+
 # If tag not explicitly set in users' .istiorc.mk or command line, default to the git sha.
 TAG ?= $(shell git rev-parse --verify HEAD)
 ifeq ($(TAG),)
@@ -49,6 +53,7 @@ $(OUT):
 submodule:
 	git submodule update --init
 
+.PHONY: prebuild
 prebuild: submodule
 	./tools/hack/prebuild.sh
 
@@ -67,6 +72,12 @@ build: prebuild $(OUT)
 build-linux: prebuild $(OUT)
 	GOPROXY=$(GOPROXY) GOOS=linux GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh $(OUT_LINUX)/ $(HIGRESS_BINARIES)
 
+$(AMD64_OUT_LINUX)/higress:
+	GOPROXY=$(GOPROXY) GOOS=linux GOARCH=amd64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/linux_amd64/ $(HIGRESS_BINARIES)
+
+$(ARM64_OUT_LINUX)/higress:
+	GOPROXY=$(GOPROXY) GOOS=linux GOARCH=arm64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/linux_arm64/ $(HIGRESS_BINARIES)
+
 .PHONY: build-hgctl
 build-hgctl: $(OUT)
 	GOPROXY=$(GOPROXY) GOOS=$(GOOS_LOCAL) GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh $(OUT)/ $(HGCTL_BINARIES)
@@ -114,19 +125,34 @@ include docker/docker.mk
 
 docker-build: docker.higress ## Build and push docker images to registry defined by $HUB and $TAG
 
+docker-buildx-push: clean-env docker.higress-buildx
+
+docker-build-base:
+	docker buildx build --no-cache --platform linux/amd64,linux/arm64 -t ${HUB}/base:${BASE_VERSION} -f docker/Dockerfile.base . --push
+
 export PARENT_GIT_TAG:=$(shell cat VERSION)
 export PARENT_GIT_REVISION:=$(TAG)
 
 export ENVOY_TAR_PATH:=/home/package/envoy.tar.gz
 
-external/package/envoy.tar.gz:
-	cd external/proxy; BUILD_WITH_CONTAINER=1  make test_release
+external/package/envoy-amd64.tar.gz:
+#	cd external/proxy; BUILD_WITH_CONTAINER=1  make test_release
+	cd external/package; wget "https://github.com/alibaba/higress/releases/download/v1.0.0/envoy-amd64.tar.gz"
 
-build-gateway: prebuild external/package/envoy.tar.gz
-	cd external/istio; rm -rf out; GOOS_LOCAL=linux TARGET_OS=linux TARGET_ARCH=amd64 BUILD_WITH_CONTAINER=1 DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.proxyv2" make docker
+external/package/envoy-arm64.tar.gz:
+#	cd external/proxy; BUILD_WITH_CONTAINER=1  make test_release
+	cd external/package; wget "https://github.com/alibaba/higress/releases/download/v1.0.0/envoy-arm64.tar.gz"
 
-build-istio: prebuild
-	cd external/istio; rm -rf out; GOOS_LOCAL=linux TARGET_OS=linux TARGET_ARCH=amd64 BUILD_WITH_CONTAINER=1 DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.pilot" make docker
+
+build-pilot:
+	cd external/istio; rm -rf out/linux_amd64; GOOS_LOCAL=linux TARGET_OS=linux TARGET_ARCH=amd64 BUILD_WITH_CONTAINER=1 make build-linux
+	cd external/istio; rm -rf out/linux_arm64; GOOS_LOCAL=linux TARGET_OS=linux TARGET_ARCH=arm64 BUILD_WITH_CONTAINER=1 make build-linux
+
+build-gateway: prebuild external/package/envoy-amd64.tar.gz external/package/envoy-arm64.tar.gz build-pilot
+	cd external/istio; BUILD_WITH_CONTAINER=1 BUILDX_PLATFORM=true DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.proxyv2" make docker
+
+build-istio: prebuild build-pilot
+	cd external/istio; BUILD_WITH_CONTAINER=1 BUILDX_PLATFORM=true DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.pilot" make docker	
 
 build-wasmplugins: 
 	./tools/hack/build-wasm-plugins.sh
@@ -142,14 +168,13 @@ install: pre-install
 	cd helm/higress; helm dependency build
 	helm install higress helm/higress -n higress-system --create-namespace --set 'global.local=true'
 
-ENVOY_LATEST_IMAGE_TAG ?= 1.0.0
-ISTIO_LATEST_IMAGE_TAG ?= 1.0.0
+ENVOY_LATEST_IMAGE_TAG ?= 1.1.1
+ISTIO_LATEST_IMAGE_TAG ?= 1.1.1
 
 install-dev: pre-install
-	helm install higress helm/core -n higress-system --create-namespace --set 'controller.tag=$(TAG)' --set 'gateway.replicas=1' --set 'gateway.tag=$(ENVOY_LATEST_IMAGE_TAG)' --set 'global.local=true'
-
+	helm install higress helm/core -n higress-system --create-namespace --set 'controller.tag=$(TAG)' --set 'gateway.replicas=1' --set 'pilot.tag=$(ISTIO_LATEST_IMAGE_TAG)' --set 'gateway.tag=$(ENVOY_LATEST_IMAGE_TAG)' --set 'global.local=true'
 install-dev-wasmplugin: build-wasmplugins pre-install
-	helm install higress helm/core -n higress-system --create-namespace --set 'controller.tag=$(TAG)' --set 'gateway.replicas=1' --set 'gateway.tag=$(ENVOY_LATEST_IMAGE_TAG)' --set 'global.local=true'  --set 'global.volumeWasmPlugins=true'
+	helm install higress helm/core -n higress-system --create-namespace --set 'controller.tag=$(TAG)' --set 'gateway.replicas=1' --set 'pilot.tag=$(ISTIO_LATEST_IMAGE_TAG)' --set 'gateway.tag=$(ENVOY_LATEST_IMAGE_TAG)' --set 'global.local=true'  --set 'global.volumeWasmPlugins=true'
 
 uninstall:
 	helm uninstall higress -n higress-system
@@ -199,13 +224,13 @@ include tools/lint.mk
 .PHONY: gateway-conformance-test
 gateway-conformance-test:
 
-# ingress-conformance-test runs ingress api conformance tests.
-.PHONY: ingress-conformance-test
-ingress-conformance-test: $(tools/kind) delete-cluster create-cluster docker-build kube-load-image install-dev run-ingress-e2e-test delete-cluster
+# higress-conformance-test runs ingress api conformance tests.
+.PHONY: higress-conformance-test
+higress-conformance-test: $(tools/kind) delete-cluster create-cluster docker-build kube-load-image install-dev run-higress-e2e-test delete-cluster
 
-# ingress-wasmplugin-test runs ingress wasmplugin tests.
-.PHONY: ingress-wasmplugin-test
-ingress-wasmplugin-test: $(tools/kind) delete-cluster create-cluster docker-build kube-load-image install-dev-wasmplugin run-ingress-e2e-test-wasmplugin delete-cluster
+# higress-wasmplugin-test runs ingress wasmplugin tests.
+.PHONY: higress-wasmplugin-test
+higress-wasmplugin-test: $(tools/kind) delete-cluster create-cluster docker-build kube-load-image install-dev-wasmplugin run-higress-e2e-test-wasmplugin delete-cluster
 
 # create-cluster creates a kube cluster with kind.
 .PHONY: create-cluster
@@ -218,26 +243,40 @@ delete-cluster: $(tools/kind) ## Delete kind cluster.
 	$(tools/kind) delete cluster --name higress
 
 # kube-load-image loads a local built docker image into kube cluster.
+# dubbo-provider-demo和nacos-standlone-rc3的镜像已经上传到阿里云镜像库，第一次需要先拉到本地
+# docker pull registry.cn-hangzhou.aliyuncs.com/hinsteny/dubbo-provider-demo:0.0.1
+# docker pull registry.cn-hangzhou.aliyuncs.com/hinsteny/nacos-standlone-rc3:1.0.0-RC3
 .PHONY: kube-load-image
 kube-load-image: $(tools/kind) ## Install the Higress image to a kind cluster using the provided $IMAGE and $TAG.
 	tools/hack/kind-load-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/higress $(TAG)
-
-# run-ingress-e2e-test starts to run ingress e2e tests.
-.PHONY: run-ingress-e2e-test
-run-ingress-e2e-test:
+	tools/hack/docker-pull-image.sh registry.cn-hangzhou.aliyuncs.com/hinsteny/dubbo-provider-demo 0.0.1
+	tools/hack/docker-pull-image.sh registry.cn-hangzhou.aliyuncs.com/hinsteny/nacos-standlone-rc3 1.0.0-RC3
+	tools/hack/docker-pull-image.sh docker.io/hashicorp/consul 1.16.0
+	tools/hack/docker-pull-image.sh docker.io/charlie1380/eureka-registry-provider v0.3.0
+	tools/hack/docker-pull-image.sh docker.io/bitinit/eureka latest
+	tools/hack/docker-pull-image.sh registry.cn-hangzhou.aliyuncs.com/2456868764/httpbin 1.0.2
+	tools/hack/kind-load-image.sh registry.cn-hangzhou.aliyuncs.com/hinsteny/dubbo-provider-demo 0.0.1
+	tools/hack/kind-load-image.sh registry.cn-hangzhou.aliyuncs.com/hinsteny/nacos-standlone-rc3 1.0.0-RC3
+	tools/hack/kind-load-image.sh docker.io/hashicorp/consul 1.16.0
+	tools/hack/kind-load-image.sh registry.cn-hangzhou.aliyuncs.com/2456868764/httpbin 1.0.2
+	tools/hack/kind-load-image.sh docker.io/charlie1380/eureka-registry-provider v0.3.0
+	tools/hack/kind-load-image.sh docker.io/bitinit/eureka latest
+# run-higress-e2e-test starts to run ingress e2e tests.
+.PHONY: run-higress-e2e-test
+run-higress-e2e-test:
 	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
 	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
 	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
 	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
 	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
-	go test -v -tags conformance ./test/ingress/e2e_test.go --ingress-class=higress --debug=true
+	go test -v -tags conformance ./test/e2e/e2e_test.go --ingress-class=higress --debug=true
 
-# run-ingress-e2e-test starts to run ingress e2e tests.
-.PHONY: run-ingress-e2e-test-wasmplugin
-run-ingress-e2e-test-wasmplugin:
+# run-higress-e2e-test starts to run ingress e2e tests.
+.PHONY: run-higress-e2e-test-wasmplugin
+run-higress-e2e-test-wasmplugin:
 	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
 	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
 	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
 	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
 	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
-	go test -v -tags conformance ./test/ingress/e2e_test.go -isWasmPluginTest=true --ingress-class=higress --debug=true
+	go test -v -tags conformance ./test/e2e/e2e_test.go -isWasmPluginTest=true -wasmPluginType=$(PLUGIN_TYPE) -wasmPluginName=$(PLUGIN_NAME) --ingress-class=higress --debug=true

README.md

@@ -125,7 +125,7 @@ Higress 是基于阿里内部两年多的 Envoy Gateway 实践沉淀，以开源
 
 社区交流群: 
 
-![image](https://img.alicdn.com/imgextra/i1/O1CN01d7LmWu1rMB71rfRhA_!!6000000005616-2-tps-720-405.png)
+![image](https://img.alicdn.com/imgextra/i1/O1CN01KWonlE1DkpqaYVTiC_!!6000000000255-0-tps-720-405.jpg)
 
 
 开发者群：

README_EN.md

@@ -32,6 +32,7 @@ Powered by [Istio](https://github.com/istio/istio) and [Envoy](https://github.co
 - [**Use Cases**](#use-cases)
 - [**Higress Features**](#higress-features)
 - [**Quick Start**](https://higress.io/en-us/docs/user/quickstart)
+- [**Community**](#community)
 - [**Thanks**](#thanks)
 
 ## Use Cases
@@ -74,6 +75,10 @@ Powered by [Istio](https://github.com/istio/istio) and [Envoy](https://github.co
 
   Provides JWT, OIDC, custom authentication and authentication, deeply integrates open source web application firewall.
 
+## Community
+
+[Slack](https://w1689142780-euk177225.slack.com/archives/C05GEL4TGTG): to get invited go [here](https://communityinviter.com/apps/w1689142780-euk177225/higress).
+
 ### Thanks
 
 Higress would not be possible without the valuable open-source work of projects in the community. We would like to extend a special thank-you to Envoy and Istio.

VERSION

@@ -1 +1 @@
-v1.0.1
+v1.1.2

api/extensions/v1alpha1/wasm.pb.go

@@ -171,7 +171,7 @@ type WasmPlugin struct {
 	DefaultConfig *types.Struct `protobuf:"bytes,101,opt,name=default_config,json=defaultConfig,proto3" json:"default_config,omitempty"`
 	// Extended by Higress, matching rules take effect
 	MatchRules []*MatchRule `protobuf:"bytes,102,rep,name=match_rules,json=matchRules,proto3" json:"match_rules,omitempty"`
-	// diable the default config
+	// disable the default config
 	DefaultConfigDisable bool     `protobuf:"varint,103,opt,name=default_config_disable,json=defaultConfigDisable,proto3" json:"default_config_disable,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`

api/extensions/v1alpha1/wasm.proto

@@ -104,7 +104,7 @@ message WasmPlugin {
   google.protobuf.Struct default_config = 101;
   // Extended by Higress, matching rules take effect
   repeated MatchRule match_rules = 102;
-  // diable the default config
+  // disable the default config
   bool default_config_disable = 103;
 }
 

api/kubernetes/customresourcedefinitions.gen.yaml

@@ -104,6 +104,88 @@ spec:
     subresources:
       status: {}
 
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  name: http2rpcs.networking.higress.io
+spec:
+  group: networking.higress.io
+  names:
+    categories:
+    - higress-io
+    kind: Http2Rpc
+    listKind: Http2RpcList
+    plural: http2rpcs
+    singular: http2rpc
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            oneOf:
+            - not:
+                anyOf:
+                - required:
+                  - dubbo
+                - required:
+                  - grpc
+            - required:
+              - dubbo
+            - required:
+              - grpc
+            properties:
+              dubbo:
+                properties:
+                  group:
+                    type: string
+                  methods:
+                    items:
+                      properties:
+                        headersAttach:
+                          type: string
+                        httpMethods:
+                          items:
+                            type: string
+                          type: array
+                        httpPath:
+                          type: string
+                        params:
+                          items:
+                            properties:
+                              paramKey:
+                                type: string
+                              paramSource:
+                                type: string
+                              paramType:
+                                type: string
+                            type: object
+                          type: array
+                        serviceMethod:
+                          type: string
+                      type: object
+                    type: array
+                  service:
+                    type: string
+                  version:
+                    type: string
+                type: object
+              grpc:
+                type: object
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
@@ -131,8 +213,17 @@ spec:
               registries:
                 items:
                   properties:
+                    authSecretName:
+                      type: string
+                    consulDatacenter:
+                      type: string
                     consulNamespace:
                       type: string
+                    consulRefreshInterval:
+                      format: int64
+                      type: integer
+                    consulServiceTag:
+                      type: string
                     domain:
                       type: string
                     nacosAccessKey:

api/networking/v1/http_2_rpc.proto

@@ -0,0 +1,74 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//  
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//  
+//      http://www.apache.org/licenses/LICENSE-2.0
+//  
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+import "google/api/field_behavior.proto";
+
+// $schema: higress.networking.v1.Http2Rpc
+// $title: Http2Rpc
+// $description: Configuration affecting service discovery from multi registries
+// $mode: none
+
+package higress.networking.v1;
+
+option go_package = "github.com/alibaba/higress/api/networking/v1";
+
+// <!-- crd generation tags
+// +cue-gen:Http2Rpc:groupName:networking.higress.io
+// +cue-gen:Http2Rpc:version:v1
+// +cue-gen:Http2Rpc:storageVersion
+// +cue-gen:Http2Rpc:annotations:helm.sh/resource-policy=keep
+// +cue-gen:Http2Rpc:subresource:status
+// +cue-gen:Http2Rpc:scope:Namespaced
+// +cue-gen:Http2Rpc:resource:categories=higress-io,plural=http2rpcs
+// +cue-gen:Http2Rpc:preserveUnknownFields:false
+// -->
+//
+// <!-- go code generation tags
+// +kubetype-gen
+// +kubetype-gen:groupVersion=networking.higress.io/v1
+// +genclient
+// +k8s:deepcopy-gen=true
+// -->
+message Http2Rpc {
+  oneof destination {
+    DubboService dubbo = 1;
+    GrpcService  grpc = 2;
+ }
+}
+
+message DubboService {
+  string service = 1 [(google.api.field_behavior) = REQUIRED];
+  string version = 2 [(google.api.field_behavior) = REQUIRED];
+  string group = 3 [(google.api.field_behavior) = OPTIONAL];
+  repeated Method methods = 4 [(google.api.field_behavior) = REQUIRED];
+}
+
+message Method {
+  string service_method = 1 [(google.api.field_behavior) = REQUIRED];
+  string headers_attach = 2 [(google.api.field_behavior) = OPTIONAL];
+  string http_path = 3 [(google.api.field_behavior) = REQUIRED];
+  repeated string http_methods = 4 [(google.api.field_behavior) = REQUIRED];
+  repeated Param params = 5;
+}
+
+message Param {
+  string param_source = 1 [(google.api.field_behavior) = REQUIRED];
+  string param_key = 2 [(google.api.field_behavior) = REQUIRED];
+  string param_type = 3 [(google.api.field_behavior) = REQUIRED];
+}
+
+message GrpcService {
+}

api/networking/v1/http_2_rpc_deepcopy.gen.go

@@ -0,0 +1,121 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: networking/v1/http_2_rpc.proto
+
+package v1
+
+import (
+	fmt "fmt"
+	proto "github.com/gogo/protobuf/proto"
+	_ "istio.io/gogo-genproto/googleapis/google/api"
+	math "math"
+)
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// DeepCopyInto supports using Http2Rpc within kubernetes types, where deepcopy-gen is used.
+func (in *Http2Rpc) DeepCopyInto(out *Http2Rpc) {
+	p := proto.Clone(in).(*Http2Rpc)
+	*out = *p
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Http2Rpc. Required by controller-gen.
+func (in *Http2Rpc) DeepCopy() *Http2Rpc {
+	if in == nil {
+		return nil
+	}
+	out := new(Http2Rpc)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Http2Rpc. Required by controller-gen.
+func (in *Http2Rpc) DeepCopyInterface() interface{} {
+	return in.DeepCopy()
+}
+
+// DeepCopyInto supports using DubboService within kubernetes types, where deepcopy-gen is used.
+func (in *DubboService) DeepCopyInto(out *DubboService) {
+	p := proto.Clone(in).(*DubboService)
+	*out = *p
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DubboService. Required by controller-gen.
+func (in *DubboService) DeepCopy() *DubboService {
+	if in == nil {
+		return nil
+	}
+	out := new(DubboService)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new DubboService. Required by controller-gen.
+func (in *DubboService) DeepCopyInterface() interface{} {
+	return in.DeepCopy()
+}
+
+// DeepCopyInto supports using Method within kubernetes types, where deepcopy-gen is used.
+func (in *Method) DeepCopyInto(out *Method) {
+	p := proto.Clone(in).(*Method)
+	*out = *p
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Method. Required by controller-gen.
+func (in *Method) DeepCopy() *Method {
+	if in == nil {
+		return nil
+	}
+	out := new(Method)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Method. Required by controller-gen.
+func (in *Method) DeepCopyInterface() interface{} {
+	return in.DeepCopy()
+}
+
+// DeepCopyInto supports using Param within kubernetes types, where deepcopy-gen is used.
+func (in *Param) DeepCopyInto(out *Param) {
+	p := proto.Clone(in).(*Param)
+	*out = *p
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Param. Required by controller-gen.
+func (in *Param) DeepCopy() *Param {
+	if in == nil {
+		return nil
+	}
+	out := new(Param)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Param. Required by controller-gen.
+func (in *Param) DeepCopyInterface() interface{} {
+	return in.DeepCopy()
+}
+
+// DeepCopyInto supports using GrpcService within kubernetes types, where deepcopy-gen is used.
+func (in *GrpcService) DeepCopyInto(out *GrpcService) {
+	p := proto.Clone(in).(*GrpcService)
+	*out = *p
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GrpcService. Required by controller-gen.
+func (in *GrpcService) DeepCopy() *GrpcService {
+	if in == nil {
+		return nil
+	}
+	out := new(GrpcService)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new GrpcService. Required by controller-gen.
+func (in *GrpcService) DeepCopyInterface() interface{} {
+	return in.DeepCopy()
+}

api/networking/v1/http_2_rpc_json.gen.go

@@ -0,0 +1,78 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: networking/v1/http_2_rpc.proto
+
+package v1
+
+import (
+	bytes "bytes"
+	fmt "fmt"
+	github_com_gogo_protobuf_jsonpb "github.com/gogo/protobuf/jsonpb"
+	proto "github.com/gogo/protobuf/proto"
+	_ "istio.io/gogo-genproto/googleapis/google/api"
+	math "math"
+)
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// MarshalJSON is a custom marshaler for Http2Rpc
+func (this *Http2Rpc) MarshalJSON() ([]byte, error) {
+	str, err := Http_2RpcMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Http2Rpc
+func (this *Http2Rpc) UnmarshalJSON(b []byte) error {
+	return Http_2RpcUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for DubboService
+func (this *DubboService) MarshalJSON() ([]byte, error) {
+	str, err := Http_2RpcMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for DubboService
+func (this *DubboService) UnmarshalJSON(b []byte) error {
+	return Http_2RpcUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for Method
+func (this *Method) MarshalJSON() ([]byte, error) {
+	str, err := Http_2RpcMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Method
+func (this *Method) UnmarshalJSON(b []byte) error {
+	return Http_2RpcUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for Param
+func (this *Param) MarshalJSON() ([]byte, error) {
+	str, err := Http_2RpcMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Param
+func (this *Param) UnmarshalJSON(b []byte) error {
+	return Http_2RpcUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for GrpcService
+func (this *GrpcService) MarshalJSON() ([]byte, error) {
+	str, err := Http_2RpcMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for GrpcService
+func (this *GrpcService) UnmarshalJSON(b []byte) error {
+	return Http_2RpcUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+var (
+	Http_2RpcMarshaler   = &github_com_gogo_protobuf_jsonpb.Marshaler{}
+	Http_2RpcUnmarshaler = &github_com_gogo_protobuf_jsonpb.Unmarshaler{AllowUnknownFields: true}
+)

api/networking/v1/mcp_bridge.pb.go

@@ -88,22 +88,26 @@ func (m *McpBridge) GetRegistries() []*RegistryConfig {
 }
 
 type RegistryConfig struct {
-	Type                 string   `protobuf:"bytes,1,opt,name=type,proto3" json:"type,omitempty"`
-	Name                 string   `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
-	Domain               string   `protobuf:"bytes,3,opt,name=domain,proto3" json:"domain,omitempty"`
-	Port                 uint32   `protobuf:"varint,4,opt,name=port,proto3" json:"port,omitempty"`
-	NacosAddressServer   string   `protobuf:"bytes,5,opt,name=nacosAddressServer,proto3" json:"nacosAddressServer,omitempty"`
-	NacosAccessKey       string   `protobuf:"bytes,6,opt,name=nacosAccessKey,proto3" json:"nacosAccessKey,omitempty"`
-	NacosSecretKey       string   `protobuf:"bytes,7,opt,name=nacosSecretKey,proto3" json:"nacosSecretKey,omitempty"`
-	NacosNamespaceId     string   `protobuf:"bytes,8,opt,name=nacosNamespaceId,proto3" json:"nacosNamespaceId,omitempty"`
-	NacosNamespace       string   `protobuf:"bytes,9,opt,name=nacosNamespace,proto3" json:"nacosNamespace,omitempty"`
-	NacosGroups          []string `protobuf:"bytes,10,rep,name=nacosGroups,proto3" json:"nacosGroups,omitempty"`
-	NacosRefreshInterval int64    `protobuf:"varint,11,opt,name=nacosRefreshInterval,proto3" json:"nacosRefreshInterval,omitempty"`
-	ConsulNamespace      string   `protobuf:"bytes,12,opt,name=consulNamespace,proto3" json:"consulNamespace,omitempty"`
-	ZkServicesPath       []string `protobuf:"bytes,13,rep,name=zkServicesPath,proto3" json:"zkServicesPath,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
+	Type                  string   `protobuf:"bytes,1,opt,name=type,proto3" json:"type,omitempty"`
+	Name                  string   `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
+	Domain                string   `protobuf:"bytes,3,opt,name=domain,proto3" json:"domain,omitempty"`
+	Port                  uint32   `protobuf:"varint,4,opt,name=port,proto3" json:"port,omitempty"`
+	NacosAddressServer    string   `protobuf:"bytes,5,opt,name=nacosAddressServer,proto3" json:"nacosAddressServer,omitempty"`
+	NacosAccessKey        string   `protobuf:"bytes,6,opt,name=nacosAccessKey,proto3" json:"nacosAccessKey,omitempty"`
+	NacosSecretKey        string   `protobuf:"bytes,7,opt,name=nacosSecretKey,proto3" json:"nacosSecretKey,omitempty"`
+	NacosNamespaceId      string   `protobuf:"bytes,8,opt,name=nacosNamespaceId,proto3" json:"nacosNamespaceId,omitempty"`
+	NacosNamespace        string   `protobuf:"bytes,9,opt,name=nacosNamespace,proto3" json:"nacosNamespace,omitempty"`
+	NacosGroups           []string `protobuf:"bytes,10,rep,name=nacosGroups,proto3" json:"nacosGroups,omitempty"`
+	NacosRefreshInterval  int64    `protobuf:"varint,11,opt,name=nacosRefreshInterval,proto3" json:"nacosRefreshInterval,omitempty"`
+	ConsulNamespace       string   `protobuf:"bytes,12,opt,name=consulNamespace,proto3" json:"consulNamespace,omitempty"`
+	ZkServicesPath        []string `protobuf:"bytes,13,rep,name=zkServicesPath,proto3" json:"zkServicesPath,omitempty"`
+	ConsulDatacenter      string   `protobuf:"bytes,14,opt,name=consulDatacenter,proto3" json:"consulDatacenter,omitempty"`
+	ConsulServiceTag      string   `protobuf:"bytes,15,opt,name=consulServiceTag,proto3" json:"consulServiceTag,omitempty"`
+	ConsulRefreshInterval int64    `protobuf:"varint,16,opt,name=consulRefreshInterval,proto3" json:"consulRefreshInterval,omitempty"`
+	AuthSecretName        string   `protobuf:"bytes,17,opt,name=authSecretName,proto3" json:"authSecretName,omitempty"`
+	XXX_NoUnkeyedLiteral  struct{} `json:"-"`
+	XXX_unrecognized      []byte   `json:"-"`
+	XXX_sizecache         int32    `json:"-"`
 }
 
 func (m *RegistryConfig) Reset()         { *m = RegistryConfig{} }
@@ -230,6 +234,34 @@ func (m *RegistryConfig) GetZkServicesPath() []string {
 	return nil
 }
 
+func (m *RegistryConfig) GetConsulDatacenter() string {
+	if m != nil {
+		return m.ConsulDatacenter
+	}
+	return ""
+}
+
+func (m *RegistryConfig) GetConsulServiceTag() string {
+	if m != nil {
+		return m.ConsulServiceTag
+	}
+	return ""
+}
+
+func (m *RegistryConfig) GetConsulRefreshInterval() int64 {
+	if m != nil {
+		return m.ConsulRefreshInterval
+	}
+	return 0
+}
+
+func (m *RegistryConfig) GetAuthSecretName() string {
+	if m != nil {
+		return m.AuthSecretName
+	}
+	return ""
+}
+
 func init() {
 	proto.RegisterType((*McpBridge)(nil), "higress.networking.v1.McpBridge")
 	proto.RegisterType((*RegistryConfig)(nil), "higress.networking.v1.RegistryConfig")
@@ -238,34 +270,37 @@ func init() {
 func init() { proto.RegisterFile("networking/v1/mcp_bridge.proto", fileDescriptor_3fcc59a15c34642d) }
 
 var fileDescriptor_3fcc59a15c34642d = []byte{
-	// 421 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x6c, 0x92, 0xd1, 0x8a, 0xd4, 0x30,
-	0x14, 0x86, 0xc9, 0x76, 0x1c, 0x9d, 0x8c, 0xbb, 0x4a, 0x50, 0x08, 0x22, 0x63, 0x59, 0x50, 0x8a,
-	0x48, 0xcb, 0xae, 0x77, 0xde, 0xed, 0x88, 0xc8, 0x22, 0x8a, 0x74, 0xef, 0xbc, 0x59, 0xd2, 0xf4,
-	0x4c, 0x1a, 0xb6, 0x4d, 0x42, 0x92, 0xa9, 0x8c, 0x4f, 0xe8, 0xa5, 0x8f, 0x20, 0x7d, 0x04, 0x9f,
-	0x40, 0x9a, 0x59, 0xbb, 0x9d, 0x71, 0xee, 0xda, 0xef, 0x7c, 0xf9, 0x73, 0x08, 0x3f, 0x5e, 0x28,
-	0xf0, 0xdf, 0xb5, 0xbd, 0x91, 0x4a, 0x64, 0xed, 0x59, 0xd6, 0x70, 0x73, 0x5d, 0x58, 0x59, 0x0a,
-	0x48, 0x8d, 0xd5, 0x5e, 0x93, 0xa7, 0x95, 0x14, 0x16, 0x9c, 0x4b, 0xef, 0xbc, 0xb4, 0x3d, 0x7b,
-	0xf6, 0x42, 0x68, 0x2d, 0x6a, 0xc8, 0x98, 0x91, 0xd9, 0x4a, 0x42, 0x5d, 0x5e, 0x17, 0x50, 0xb1,
-	0x56, 0x6a, 0xbb, 0x3d, 0x77, 0x9a, 0xe3, 0xd9, 0x67, 0x6e, 0x96, 0x21, 0x8a, 0x7c, 0xc0, 0xd8,
-	0x82, 0x90, 0xce, 0x5b, 0x09, 0x8e, 0xa2, 0x38, 0x4a, 0xe6, 0xe7, 0x2f, 0xd3, 0x83, 0xc9, 0x69,
-	0xbe, 0x15, 0x37, 0xef, 0xb5, 0x5a, 0x49, 0x91, 0x8f, 0x0e, 0x9e, 0xfe, 0x89, 0xf0, 0xc9, 0xee,
-	0x98, 0x50, 0x3c, 0xf1, 0x1b, 0x03, 0x14, 0xc5, 0x28, 0x99, 0x2d, 0x27, 0xdd, 0x05, 0x3a, 0xca,
-	0x03, 0x21, 0x04, 0x4f, 0x14, 0x6b, 0x80, 0x1e, 0xf5, 0x93, 0x3c, 0x7c, 0x93, 0xe7, 0x78, 0x5a,
-	0xea, 0x86, 0x49, 0x45, 0xa3, 0x91, 0x7f, 0xcb, 0xfa, 0x2c, 0xa3, 0xad, 0xa7, 0x93, 0x18, 0x25,
-	0xc7, 0xff, 0xb2, 0x7a, 0x42, 0x52, 0x4c, 0x14, 0xe3, 0xda, 0x5d, 0x94, 0x65, 0xbf, 0xf1, 0x15,
-	0xd8, 0x16, 0x2c, 0xbd, 0x17, 0x92, 0x0f, 0x4c, 0xc8, 0x2b, 0x7c, 0xb2, 0xa5, 0x9c, 0x83, 0x73,
-	0x9f, 0x60, 0x43, 0xa7, 0xc1, 0xdd, 0xa3, 0x83, 0x77, 0x05, 0xdc, 0x82, 0xef, 0xbd, 0xfb, 0x23,
-	0x6f, 0xa0, 0xe4, 0x35, 0x7e, 0x1c, 0xc8, 0x17, 0xd6, 0x80, 0x33, 0x8c, 0xc3, 0x65, 0x49, 0x1f,
-	0x04, 0xf3, 0x3f, 0x3e, 0x64, 0x0e, 0x8c, 0xce, 0x46, 0x99, 0x03, 0x25, 0x31, 0x9e, 0x07, 0xf2,
-	0xd1, 0xea, 0xb5, 0x71, 0x14, 0xc7, 0x51, 0x32, 0xcb, 0xc7, 0x88, 0x9c, 0xe3, 0x27, 0xe1, 0x37,
-	0x87, 0x95, 0x05, 0x57, 0x5d, 0x2a, 0x0f, 0xb6, 0x65, 0x35, 0x9d, 0xc7, 0x28, 0x89, 0xf2, 0x83,
-	0x33, 0x92, 0xe0, 0x47, 0x5c, 0x2b, 0xb7, 0xae, 0xef, 0xae, 0x7f, 0x18, 0xae, 0xdf, 0xc7, 0xfd,
-	0x9e, 0x3f, 0x6e, 0xfa, 0xf7, 0x92, 0x1c, 0xdc, 0x57, 0xe6, 0x2b, 0x7a, 0x1c, 0x56, 0xd8, 0xa3,
-	0xcb, 0x77, 0x3f, 0xbb, 0x05, 0xfa, 0xd5, 0x2d, 0xd0, 0xef, 0x6e, 0x81, 0xbe, 0xbd, 0x11, 0xd2,
-	0x57, 0xeb, 0x22, 0xe5, 0xba, 0xc9, 0x58, 0x2d, 0x0b, 0x56, 0xb0, 0xec, 0xb6, 0x47, 0xa1, 0x8b,
-	0x3b, 0x6d, 0x2e, 0xa6, 0xa1, 0x8b, 0x6f, 0xff, 0x06, 0x00, 0x00, 0xff, 0xff, 0xb9, 0x6f, 0xf7,
-	0xf0, 0xe5, 0x02, 0x00, 0x00,
+	// 477 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x6c, 0x93, 0xd1, 0x6e, 0xd3, 0x30,
+	0x14, 0x86, 0x95, 0xb5, 0x2b, 0xd4, 0x65, 0xdd, 0xb0, 0x98, 0x64, 0x21, 0x54, 0xa2, 0x49, 0xa0,
+	0x08, 0xa1, 0x44, 0x1b, 0x5c, 0x71, 0xb7, 0x02, 0x42, 0x13, 0x02, 0xa1, 0x8c, 0x2b, 0x6e, 0x26,
+	0xc7, 0x39, 0x75, 0xac, 0x26, 0x71, 0x64, 0xbb, 0x41, 0xe5, 0x89, 0x78, 0x14, 0x2e, 0x79, 0x04,
+	0xd4, 0x27, 0x41, 0x76, 0x4a, 0x9a, 0x86, 0xde, 0x25, 0xdf, 0xf9, 0xfd, 0x9f, 0xf3, 0x3b, 0x39,
+	0x68, 0x56, 0x82, 0xf9, 0x2e, 0xd5, 0x52, 0x94, 0x3c, 0xaa, 0x2f, 0xa3, 0x82, 0x55, 0x77, 0x89,
+	0x12, 0x29, 0x87, 0xb0, 0x52, 0xd2, 0x48, 0x7c, 0x9e, 0x09, 0xae, 0x40, 0xeb, 0x70, 0xa7, 0x0b,
+	0xeb, 0xcb, 0xc7, 0x4f, 0xb9, 0x94, 0x3c, 0x87, 0x88, 0x56, 0x22, 0x5a, 0x08, 0xc8, 0xd3, 0xbb,
+	0x04, 0x32, 0x5a, 0x0b, 0xa9, 0x9a, 0x73, 0x17, 0x31, 0x1a, 0x7f, 0x62, 0xd5, 0xdc, 0x59, 0xe1,
+	0xf7, 0x08, 0x29, 0xe0, 0x42, 0x1b, 0x25, 0x40, 0x13, 0xcf, 0x1f, 0x04, 0x93, 0xab, 0x67, 0xe1,
+	0x41, 0xe7, 0x30, 0x6e, 0x84, 0xeb, 0xb7, 0xb2, 0x5c, 0x08, 0x1e, 0x77, 0x0e, 0x5e, 0xfc, 0x3c,
+	0x46, 0xd3, 0xfd, 0x32, 0x26, 0x68, 0x68, 0xd6, 0x15, 0x10, 0xcf, 0xf7, 0x82, 0xf1, 0x7c, 0xb8,
+	0xb9, 0xf6, 0x8e, 0x62, 0x47, 0x30, 0x46, 0xc3, 0x92, 0x16, 0x40, 0x8e, 0x6c, 0x25, 0x76, 0xcf,
+	0xf8, 0x09, 0x1a, 0xa5, 0xb2, 0xa0, 0xa2, 0x24, 0x83, 0x8e, 0x7e, 0xcb, 0xac, 0x57, 0x25, 0x95,
+	0x21, 0x43, 0xdf, 0x0b, 0x4e, 0xfe, 0x79, 0x59, 0x82, 0x43, 0x84, 0x4b, 0xca, 0xa4, 0xbe, 0x4e,
+	0x53, 0x3b, 0xf1, 0x2d, 0xa8, 0x1a, 0x14, 0x39, 0x76, 0xce, 0x07, 0x2a, 0xf8, 0x39, 0x9a, 0x36,
+	0x94, 0x31, 0xd0, 0xfa, 0x23, 0xac, 0xc9, 0xc8, 0x69, 0x7b, 0xb4, 0xd5, 0xdd, 0x02, 0x53, 0x60,
+	0xac, 0xee, 0x5e, 0x47, 0xd7, 0x52, 0xfc, 0x02, 0x9d, 0x39, 0xf2, 0x99, 0x16, 0xa0, 0x2b, 0xca,
+	0xe0, 0x26, 0x25, 0xf7, 0x9d, 0xf2, 0x3f, 0xde, 0x7a, 0xb6, 0x8c, 0x8c, 0x3b, 0x9e, 0x2d, 0xc5,
+	0x3e, 0x9a, 0x38, 0xf2, 0x41, 0xc9, 0x55, 0xa5, 0x09, 0xf2, 0x07, 0xc1, 0x38, 0xee, 0x22, 0x7c,
+	0x85, 0x1e, 0xb9, 0xd7, 0x18, 0x16, 0x0a, 0x74, 0x76, 0x53, 0x1a, 0x50, 0x35, 0xcd, 0xc9, 0xc4,
+	0xf7, 0x82, 0x41, 0x7c, 0xb0, 0x86, 0x03, 0x74, 0xca, 0x64, 0xa9, 0x57, 0xf9, 0xae, 0xfd, 0x03,
+	0xd7, 0xbe, 0x8f, 0xed, 0x9c, 0x3f, 0x96, 0xf6, 0xbe, 0x04, 0x03, 0xfd, 0x85, 0x9a, 0x8c, 0x9c,
+	0xb8, 0x11, 0x7a, 0xd4, 0x66, 0x6f, 0x8e, 0xbe, 0xa3, 0x86, 0x32, 0xb0, 0x8d, 0xc8, 0xb4, 0xc9,
+	0xde, 0xe7, 0x3b, 0xed, 0xd6, 0xe1, 0x2b, 0xe5, 0xe4, 0xb4, 0xab, 0xdd, 0x71, 0xfc, 0x1a, 0x9d,
+	0x37, 0xac, 0x1f, 0xef, 0xcc, 0xc5, 0x3b, 0x5c, 0xb4, 0x53, 0xd3, 0x95, 0xc9, 0x9a, 0x4f, 0x63,
+	0xc3, 0x90, 0x87, 0xcd, 0xed, 0xee, 0xd3, 0xf9, 0x9b, 0x5f, 0x9b, 0x99, 0xf7, 0x7b, 0x33, 0xf3,
+	0xfe, 0x6c, 0x66, 0xde, 0xb7, 0x97, 0x5c, 0x98, 0x6c, 0x95, 0x84, 0x4c, 0x16, 0x11, 0xcd, 0x45,
+	0x42, 0x13, 0x1a, 0x6d, 0xff, 0x7e, 0xb7, 0x41, 0x7b, 0x3b, 0x98, 0x8c, 0xdc, 0x06, 0xbd, 0xfa,
+	0x1b, 0x00, 0x00, 0xff, 0xff, 0x21, 0x2e, 0x82, 0x0a, 0x9b, 0x03, 0x00, 0x00,
 }
 
 func (m *McpBridge) Marshal() (dAtA []byte, err error) {
@@ -333,6 +368,36 @@ func (m *RegistryConfig) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
+	if len(m.AuthSecretName) > 0 {
+		i -= len(m.AuthSecretName)
+		copy(dAtA[i:], m.AuthSecretName)
+		i = encodeVarintMcpBridge(dAtA, i, uint64(len(m.AuthSecretName)))
+		i--
+		dAtA[i] = 0x1
+		i--
+		dAtA[i] = 0x8a
+	}
+	if m.ConsulRefreshInterval != 0 {
+		i = encodeVarintMcpBridge(dAtA, i, uint64(m.ConsulRefreshInterval))
+		i--
+		dAtA[i] = 0x1
+		i--
+		dAtA[i] = 0x80
+	}
+	if len(m.ConsulServiceTag) > 0 {
+		i -= len(m.ConsulServiceTag)
+		copy(dAtA[i:], m.ConsulServiceTag)
+		i = encodeVarintMcpBridge(dAtA, i, uint64(len(m.ConsulServiceTag)))
+		i--
+		dAtA[i] = 0x7a
+	}
+	if len(m.ConsulDatacenter) > 0 {
+		i -= len(m.ConsulDatacenter)
+		copy(dAtA[i:], m.ConsulDatacenter)
+		i = encodeVarintMcpBridge(dAtA, i, uint64(len(m.ConsulDatacenter)))
+		i--
+		dAtA[i] = 0x72
+	}
 	if len(m.ZkServicesPath) > 0 {
 		for iNdEx := len(m.ZkServicesPath) - 1; iNdEx >= 0; iNdEx-- {
 			i -= len(m.ZkServicesPath[iNdEx])
@@ -516,6 +581,21 @@ func (m *RegistryConfig) Size() (n int) {
 			n += 1 + l + sovMcpBridge(uint64(l))
 		}
 	}
+	l = len(m.ConsulDatacenter)
+	if l > 0 {
+		n += 1 + l + sovMcpBridge(uint64(l))
+	}
+	l = len(m.ConsulServiceTag)
+	if l > 0 {
+		n += 1 + l + sovMcpBridge(uint64(l))
+	}
+	if m.ConsulRefreshInterval != 0 {
+		n += 2 + sovMcpBridge(uint64(m.ConsulRefreshInterval))
+	}
+	l = len(m.AuthSecretName)
+	if l > 0 {
+		n += 2 + l + sovMcpBridge(uint64(l))
+	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@@ -1032,6 +1112,121 @@ func (m *RegistryConfig) Unmarshal(dAtA []byte) error {
 			}
 			m.ZkServicesPath = append(m.ZkServicesPath, string(dAtA[iNdEx:postIndex]))
 			iNdEx = postIndex
+		case 14:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ConsulDatacenter", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowMcpBridge
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthMcpBridge
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthMcpBridge
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ConsulDatacenter = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 15:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ConsulServiceTag", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowMcpBridge
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthMcpBridge
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthMcpBridge
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ConsulServiceTag = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 16:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ConsulRefreshInterval", wireType)
+			}
+			m.ConsulRefreshInterval = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowMcpBridge
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ConsulRefreshInterval |= int64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 17:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AuthSecretName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowMcpBridge
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthMcpBridge
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthMcpBridge
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.AuthSecretName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipMcpBridge(dAtA[iNdEx:])

api/networking/v1/mcp_bridge.proto

@@ -60,4 +60,8 @@ message RegistryConfig {
   int64 nacosRefreshInterval = 11;
   string consulNamespace = 12;
   repeated string zkServicesPath = 13;
+  string consulDatacenter  = 14;
+  string consulServiceTag = 15;
+  int64  consulRefreshInterval = 16;
+  string authSecretName = 17;
 }

client/pkg/apis/networking/v1/register.gen.go

@@ -41,6 +41,8 @@ func Resource(resource string) schema.GroupResource {
 
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
+		&Http2Rpc{},
+		&Http2RpcList{},
 		&McpBridge{},
 		&McpBridgeList{},
 	)

client/pkg/apis/networking/v1/types.gen.go

@@ -25,6 +25,48 @@ import (
 // please upgrade the proto package
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
+// <!-- crd generation tags
+// +cue-gen:Http2Rpc:groupName:networking.higress.io
+// +cue-gen:Http2Rpc:version:v1
+// +cue-gen:Http2Rpc:storageVersion
+// +cue-gen:Http2Rpc:annotations:helm.sh/resource-policy=keep
+// +cue-gen:Http2Rpc:subresource:status
+// +cue-gen:Http2Rpc:scope:Namespaced
+// +cue-gen:Http2Rpc:resource:categories=higress-io,plural=http2rpcs
+// +cue-gen:Http2Rpc:preserveUnknownFields:false
+// -->
+//
+// <!-- go code generation tags
+// +kubetype-gen
+// +kubetype-gen:groupVersion=networking.higress.io/v1
+// +genclient
+// +k8s:deepcopy-gen=true
+// -->
+type Http2Rpc struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec defines the implementation of this definition.
+	// +optional
+	Spec networkingv1.Http2Rpc `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	Status v1alpha1.IstioStatus `json:"status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Http2RpcList is a collection of Http2Rpcs.
+type Http2RpcList struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+	Items           []Http2Rpc `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// please upgrade the proto package
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
 // <!-- crd generation tags
 // +cue-gen:McpBridge:groupName:networking.higress.io
 // +cue-gen:McpBridge:version:v1

client/pkg/apis/networking/v1/zz_generated.deepcopy.gen.go

@@ -23,6 +23,67 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Http2Rpc) DeepCopyInto(out *Http2Rpc) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Http2Rpc.
+func (in *Http2Rpc) DeepCopy() *Http2Rpc {
+	if in == nil {
+		return nil
+	}
+	out := new(Http2Rpc)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Http2Rpc) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Http2RpcList) DeepCopyInto(out *Http2RpcList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Http2Rpc, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Http2RpcList.
+func (in *Http2RpcList) DeepCopy() *Http2RpcList {
+	if in == nil {
+		return nil
+	}
+	out := new(Http2RpcList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Http2RpcList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *McpBridge) DeepCopyInto(out *McpBridge) {
 	*out = *in

client/pkg/clientset/versioned/typed/networking/v1/fake/fake_http2rpc.gen.go

@@ -0,0 +1,140 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	networkingv1 "github.com/alibaba/higress/client/pkg/apis/networking/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeHttp2Rpcs implements Http2RpcInterface
+type FakeHttp2Rpcs struct {
+	Fake *FakeNetworkingV1
+	ns   string
+}
+
+var http2rpcsResource = schema.GroupVersionResource{Group: "networking.higress.io", Version: "v1", Resource: "http2rpcs"}
+
+var http2rpcsKind = schema.GroupVersionKind{Group: "networking.higress.io", Version: "v1", Kind: "Http2Rpc"}
+
+// Get takes name of the http2Rpc, and returns the corresponding http2Rpc object, and an error if there is any.
+func (c *FakeHttp2Rpcs) Get(ctx context.Context, name string, options v1.GetOptions) (result *networkingv1.Http2Rpc, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(http2rpcsResource, c.ns, name), &networkingv1.Http2Rpc{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*networkingv1.Http2Rpc), err
+}
+
+// List takes label and field selectors, and returns the list of Http2Rpcs that match those selectors.
+func (c *FakeHttp2Rpcs) List(ctx context.Context, opts v1.ListOptions) (result *networkingv1.Http2RpcList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(http2rpcsResource, http2rpcsKind, c.ns, opts), &networkingv1.Http2RpcList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &networkingv1.Http2RpcList{ListMeta: obj.(*networkingv1.Http2RpcList).ListMeta}
+	for _, item := range obj.(*networkingv1.Http2RpcList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested http2Rpcs.
+func (c *FakeHttp2Rpcs) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(http2rpcsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a http2Rpc and creates it.  Returns the server's representation of the http2Rpc, and an error, if there is any.
+func (c *FakeHttp2Rpcs) Create(ctx context.Context, http2Rpc *networkingv1.Http2Rpc, opts v1.CreateOptions) (result *networkingv1.Http2Rpc, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(http2rpcsResource, c.ns, http2Rpc), &networkingv1.Http2Rpc{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*networkingv1.Http2Rpc), err
+}
+
+// Update takes the representation of a http2Rpc and updates it. Returns the server's representation of the http2Rpc, and an error, if there is any.
+func (c *FakeHttp2Rpcs) Update(ctx context.Context, http2Rpc *networkingv1.Http2Rpc, opts v1.UpdateOptions) (result *networkingv1.Http2Rpc, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(http2rpcsResource, c.ns, http2Rpc), &networkingv1.Http2Rpc{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*networkingv1.Http2Rpc), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeHttp2Rpcs) UpdateStatus(ctx context.Context, http2Rpc *networkingv1.Http2Rpc, opts v1.UpdateOptions) (*networkingv1.Http2Rpc, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(http2rpcsResource, "status", c.ns, http2Rpc), &networkingv1.Http2Rpc{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*networkingv1.Http2Rpc), err
+}
+
+// Delete takes name of the http2Rpc and deletes it. Returns an error if one occurs.
+func (c *FakeHttp2Rpcs) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(http2rpcsResource, c.ns, name), &networkingv1.Http2Rpc{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeHttp2Rpcs) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(http2rpcsResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &networkingv1.Http2RpcList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched http2Rpc.
+func (c *FakeHttp2Rpcs) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *networkingv1.Http2Rpc, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(http2rpcsResource, c.ns, name, pt, data, subresources...), &networkingv1.Http2Rpc{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*networkingv1.Http2Rpc), err
+}

client/pkg/clientset/versioned/typed/networking/v1/fake/fake_networking_client.gen.go

@@ -26,6 +26,10 @@ type FakeNetworkingV1 struct {
 	*testing.Fake
 }
 
+func (c *FakeNetworkingV1) Http2Rpcs(namespace string) v1.Http2RpcInterface {
+	return &FakeHttp2Rpcs{c, namespace}
+}
+
 func (c *FakeNetworkingV1) McpBridges(namespace string) v1.McpBridgeInterface {
 	return &FakeMcpBridges{c, namespace}
 }

client/pkg/clientset/versioned/typed/networking/v1/generated_expansion.gen.go

@@ -16,4 +16,6 @@
 
 package v1
 
+type Http2RpcExpansion interface{}
+
 type McpBridgeExpansion interface{}

client/pkg/clientset/versioned/typed/networking/v1/http2rpc.gen.go

@@ -0,0 +1,193 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	"context"
+	"time"
+
+	v1 "github.com/alibaba/higress/client/pkg/apis/networking/v1"
+	scheme "github.com/alibaba/higress/client/pkg/clientset/versioned/scheme"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// Http2RpcsGetter has a method to return a Http2RpcInterface.
+// A group's client should implement this interface.
+type Http2RpcsGetter interface {
+	Http2Rpcs(namespace string) Http2RpcInterface
+}
+
+// Http2RpcInterface has methods to work with Http2Rpc resources.
+type Http2RpcInterface interface {
+	Create(ctx context.Context, http2Rpc *v1.Http2Rpc, opts metav1.CreateOptions) (*v1.Http2Rpc, error)
+	Update(ctx context.Context, http2Rpc *v1.Http2Rpc, opts metav1.UpdateOptions) (*v1.Http2Rpc, error)
+	UpdateStatus(ctx context.Context, http2Rpc *v1.Http2Rpc, opts metav1.UpdateOptions) (*v1.Http2Rpc, error)
+	Delete(ctx context.Context, name string, opts metav1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error
+	Get(ctx context.Context, name string, opts metav1.GetOptions) (*v1.Http2Rpc, error)
+	List(ctx context.Context, opts metav1.ListOptions) (*v1.Http2RpcList, error)
+	Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts metav1.PatchOptions, subresources ...string) (result *v1.Http2Rpc, err error)
+	Http2RpcExpansion
+}
+
+// http2Rpcs implements Http2RpcInterface
+type http2Rpcs struct {
+	client rest.Interface
+	ns     string
+}
+
+// newHttp2Rpcs returns a Http2Rpcs
+func newHttp2Rpcs(c *NetworkingV1Client, namespace string) *http2Rpcs {
+	return &http2Rpcs{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the http2Rpc, and returns the corresponding http2Rpc object, and an error if there is any.
+func (c *http2Rpcs) Get(ctx context.Context, name string, options metav1.GetOptions) (result *v1.Http2Rpc, err error) {
+	result = &v1.Http2Rpc{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("http2rpcs").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of Http2Rpcs that match those selectors.
+func (c *http2Rpcs) List(ctx context.Context, opts metav1.ListOptions) (result *v1.Http2RpcList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1.Http2RpcList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("http2rpcs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested http2Rpcs.
+func (c *http2Rpcs) Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("http2rpcs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a http2Rpc and creates it.  Returns the server's representation of the http2Rpc, and an error, if there is any.
+func (c *http2Rpcs) Create(ctx context.Context, http2Rpc *v1.Http2Rpc, opts metav1.CreateOptions) (result *v1.Http2Rpc, err error) {
+	result = &v1.Http2Rpc{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("http2rpcs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(http2Rpc).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a http2Rpc and updates it. Returns the server's representation of the http2Rpc, and an error, if there is any.
+func (c *http2Rpcs) Update(ctx context.Context, http2Rpc *v1.Http2Rpc, opts metav1.UpdateOptions) (result *v1.Http2Rpc, err error) {
+	result = &v1.Http2Rpc{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("http2rpcs").
+		Name(http2Rpc.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(http2Rpc).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *http2Rpcs) UpdateStatus(ctx context.Context, http2Rpc *v1.Http2Rpc, opts metav1.UpdateOptions) (result *v1.Http2Rpc, err error) {
+	result = &v1.Http2Rpc{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("http2rpcs").
+		Name(http2Rpc.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(http2Rpc).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the http2Rpc and deletes it. Returns an error if one occurs.
+func (c *http2Rpcs) Delete(ctx context.Context, name string, opts metav1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("http2rpcs").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *http2Rpcs) DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("http2rpcs").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched http2Rpc.
+func (c *http2Rpcs) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts metav1.PatchOptions, subresources ...string) (result *v1.Http2Rpc, err error) {
+	result = &v1.Http2Rpc{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("http2rpcs").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}

client/pkg/clientset/versioned/typed/networking/v1/networking_client.gen.go

@@ -24,6 +24,7 @@ import (
 
 type NetworkingV1Interface interface {
 	RESTClient() rest.Interface
+	Http2RpcsGetter
 	McpBridgesGetter
 }
 
@@ -32,6 +33,10 @@ type NetworkingV1Client struct {
 	restClient rest.Interface
 }
 
+func (c *NetworkingV1Client) Http2Rpcs(namespace string) Http2RpcInterface {
+	return newHttp2Rpcs(c, namespace)
+}
+
 func (c *NetworkingV1Client) McpBridges(namespace string) McpBridgeInterface {
 	return newMcpBridges(c, namespace)
 }

client/pkg/informers/externalversions/generic.gen.go

@@ -56,6 +56,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Extensions().V1alpha1().WasmPlugins().Informer()}, nil
 
 		// Group=networking.higress.io, Version=v1
+	case v1.SchemeGroupVersion.WithResource("http2rpcs"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Networking().V1().Http2Rpcs().Informer()}, nil
 	case v1.SchemeGroupVersion.WithResource("mcpbridges"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Networking().V1().McpBridges().Informer()}, nil
 

client/pkg/informers/externalversions/networking/v1/http2rpc.gen.go

@@ -0,0 +1,88 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	"context"
+	time "time"
+
+	networkingv1 "github.com/alibaba/higress/client/pkg/apis/networking/v1"
+	versioned "github.com/alibaba/higress/client/pkg/clientset/versioned"
+	internalinterfaces "github.com/alibaba/higress/client/pkg/informers/externalversions/internalinterfaces"
+	v1 "github.com/alibaba/higress/client/pkg/listers/networking/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// Http2RpcInformer provides access to a shared informer and lister for
+// Http2Rpcs.
+type Http2RpcInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1.Http2RpcLister
+}
+
+type http2RpcInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewHttp2RpcInformer constructs a new informer for Http2Rpc type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewHttp2RpcInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredHttp2RpcInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredHttp2RpcInformer constructs a new informer for Http2Rpc type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredHttp2RpcInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.NetworkingV1().Http2Rpcs(namespace).List(context.TODO(), options)
+			},
+			WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.NetworkingV1().Http2Rpcs(namespace).Watch(context.TODO(), options)
+			},
+		},
+		&networkingv1.Http2Rpc{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *http2RpcInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredHttp2RpcInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *http2RpcInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&networkingv1.Http2Rpc{}, f.defaultInformer)
+}
+
+func (f *http2RpcInformer) Lister() v1.Http2RpcLister {
+	return v1.NewHttp2RpcLister(f.Informer().GetIndexer())
+}

client/pkg/informers/externalversions/networking/v1/interface.gen.go

@@ -22,6 +22,8 @@ import (
 
 // Interface provides access to all the informers in this group version.
 type Interface interface {
+	// Http2Rpcs returns a Http2RpcInformer.
+	Http2Rpcs() Http2RpcInformer
 	// McpBridges returns a McpBridgeInformer.
 	McpBridges() McpBridgeInformer
 }
@@ -37,6 +39,11 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
 
+// Http2Rpcs returns a Http2RpcInformer.
+func (v *version) Http2Rpcs() Http2RpcInformer {
+	return &http2RpcInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
+
 // McpBridges returns a McpBridgeInformer.
 func (v *version) McpBridges() McpBridgeInformer {
 	return &mcpBridgeInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}

client/pkg/listers/networking/v1/expansion_generated.gen.go

@@ -16,6 +16,14 @@
 
 package v1
 
+// Http2RpcListerExpansion allows custom methods to be added to
+// Http2RpcLister.
+type Http2RpcListerExpansion interface{}
+
+// Http2RpcNamespaceListerExpansion allows custom methods to be added to
+// Http2RpcNamespaceLister.
+type Http2RpcNamespaceListerExpansion interface{}
+
 // McpBridgeListerExpansion allows custom methods to be added to
 // McpBridgeLister.
 type McpBridgeListerExpansion interface{}

client/pkg/listers/networking/v1/http2rpc.gen.go

@@ -0,0 +1,92 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	v1 "github.com/alibaba/higress/client/pkg/apis/networking/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// Http2RpcLister helps list Http2Rpcs.
+type Http2RpcLister interface {
+	// List lists all Http2Rpcs in the indexer.
+	List(selector labels.Selector) (ret []*v1.Http2Rpc, err error)
+	// Http2Rpcs returns an object that can list and get Http2Rpcs.
+	Http2Rpcs(namespace string) Http2RpcNamespaceLister
+	Http2RpcListerExpansion
+}
+
+// http2RpcLister implements the Http2RpcLister interface.
+type http2RpcLister struct {
+	indexer cache.Indexer
+}
+
+// NewHttp2RpcLister returns a new Http2RpcLister.
+func NewHttp2RpcLister(indexer cache.Indexer) Http2RpcLister {
+	return &http2RpcLister{indexer: indexer}
+}
+
+// List lists all Http2Rpcs in the indexer.
+func (s *http2RpcLister) List(selector labels.Selector) (ret []*v1.Http2Rpc, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1.Http2Rpc))
+	})
+	return ret, err
+}
+
+// Http2Rpcs returns an object that can list and get Http2Rpcs.
+func (s *http2RpcLister) Http2Rpcs(namespace string) Http2RpcNamespaceLister {
+	return http2RpcNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// Http2RpcNamespaceLister helps list and get Http2Rpcs.
+type Http2RpcNamespaceLister interface {
+	// List lists all Http2Rpcs in the indexer for a given namespace.
+	List(selector labels.Selector) (ret []*v1.Http2Rpc, err error)
+	// Get retrieves the Http2Rpc from the indexer for a given namespace and name.
+	Get(name string) (*v1.Http2Rpc, error)
+	Http2RpcNamespaceListerExpansion
+}
+
+// http2RpcNamespaceLister implements the Http2RpcNamespaceLister
+// interface.
+type http2RpcNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all Http2Rpcs in the indexer for a given namespace.
+func (s http2RpcNamespaceLister) List(selector labels.Selector) (ret []*v1.Http2Rpc, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1.Http2Rpc))
+	})
+	return ret, err
+}
+
+// Get retrieves the Http2Rpc from the indexer for a given namespace and name.
+func (s http2RpcNamespaceLister) Get(name string) (*v1.Http2Rpc, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1.Resource("http2rpc"), name)
+	}
+	return obj.(*v1.Http2Rpc), nil
+}

docker/Dockerfile.base

@@ -0,0 +1,33 @@
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Do not add more stuff to this list that isn't small or critically useful.
+# If you occasionally need something on the container do
+# sudo apt-get update && apt-get whichever
+
+# hadolint ignore=DL3005,DL3008
+RUN apt-get update && \
+  apt-get install --no-install-recommends -y \
+  ca-certificates \
+  curl \
+  iptables \
+  iproute2 \
+  iputils-ping \
+  knot-dnsutils \
+  netcat \
+  tcpdump \
+  conntrack \
+  bsdmainutils \
+  net-tools \
+  lsof \
+  sudo \
+  && apt-get upgrade -y \
+  && apt-get clean \
+  && rm -rf /var/log/*log /var/lib/apt/lists/* /var/log/apt/* /var/lib/dpkg/*-old /var/cache/debconf/*-old \
+  && update-alternatives --set iptables /usr/sbin/iptables-legacy \
+  && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+
+# Sudoers used to allow tcpdump and other debug utilities.
+RUN useradd -m --uid 1337 istio-proxy && \
+  echo "istio-proxy ALL=NOPASSWD: ALL" >> /etc/sudoers

docker/Dockerfile.higress

@@ -11,6 +11,7 @@ ARG HUB
 FROM ${HUB}/base:${BASE_VERSION}
 
 ARG TARGETARCH
+
 COPY ${TARGETARCH:-amd64}/higress /usr/local/bin/higress
 
 USER 1337:1337

docker/docker.mk

@@ -17,6 +17,12 @@ docker.higress: $(OUT_LINUX)/higress
 docker.higress: docker/Dockerfile.higress
 	$(HIGRESS_DOCKER_RULE)
 
+docker.higress-buildx: BUILD_ARGS=--build-arg BASE_VERSION=${BASE_VERSION} --build-arg HUB=${HUB}
+docker.higress-buildx: $(AMD64_OUT_LINUX)/higress
+docker.higress-buildx: $(ARM64_OUT_LINUX)/higress
+docker.higress-buildx: docker/Dockerfile.higress
+	$(HIGRESS_DOCKER_BUILDX_RULE)
+
 # DOCKER_BUILD_VARIANTS ?=debug distroless
 # Base images have two different forms:
 # * "debug", suffixed as -debug. This is a ubuntu based image with a bunch of debug tools
@@ -28,4 +34,7 @@ DOCKER_ALL_VARIANTS ?= debug distroless
 # This can be done with DOCKER_BUILD_VARIANTS="default debug" as well, but at the expense of building twice vs building once and tagging twice
 INCLUDE_UNTAGGED_DEFAULT ?= false
 DEFAULT_DISTRIBUTION=debug
-HIGRESS_DOCKER_RULE ?= $(foreach VARIANT,$(DOCKER_BUILD_VARIANTS), time (mkdir -p $(HIGRESS_DOCKER_BUILD_TOP)/$@ && TARGET_ARCH=$(TARGET_ARCH) ./docker/docker-copy.sh $^ $(HIGRESS_DOCKER_BUILD_TOP)/$@ && cd $(HIGRESS_DOCKER_BUILD_TOP)/$@ $(BUILD_PRE) && docker build $(BUILD_ARGS) --build-arg BASE_DISTRIBUTION=$(call normalize-tag,$(VARIANT)) -t $(HUB)/$(subst docker.,,$@):$(TAG)$(call variant-tag,$(VARIANT)) -f Dockerfile$(suffix $@) . ); )
+
+HIGRESS_DOCKER_BUILDX_RULE ?= $(foreach VARIANT,$(DOCKER_BUILD_VARIANTS), time (mkdir -p $(HIGRESS_DOCKER_BUILD_TOP)/$@ && TARGET_ARCH=$(TARGET_ARCH) ./docker/docker-copy.sh $^ $(HIGRESS_DOCKER_BUILD_TOP)/$@ && cd $(HIGRESS_DOCKER_BUILD_TOP)/$@ $(BUILD_PRE) && docker buildx create --name higress --node higress0 --platform linux/amd64,linux/arm64 --use && docker buildx build --no-cache --platform linux/amd64,linux/arm64 $(BUILD_ARGS) --build-arg BASE_DISTRIBUTION=$(call normalize-tag,$(VARIANT)) -t $(HUB)/higress:$(TAG)$(call variant-tag,$(VARIANT)) -f Dockerfile.higress . --push  ); )
+HIGRESS_DOCKER_RULE ?= $(foreach VARIANT,$(DOCKER_BUILD_VARIANTS), time (mkdir -p $(HIGRESS_DOCKER_BUILD_TOP)/$@ && TARGET_ARCH=$(TARGET_ARCH) ./docker/docker-copy.sh $^ $(HIGRESS_DOCKER_BUILD_TOP)/$@ && cd $(HIGRESS_DOCKER_BUILD_TOP)/$@ $(BUILD_PRE) && docker build $(BUILD_ARGS) --build-arg BASE_DISTRIBUTION=$(call normalize-tag,$(VARIANT)) -t $(HUB)/higress:$(TAG)$(call variant-tag,$(VARIANT)) -f Dockerfile.higress . ); )
+

go.mod

@@ -17,20 +17,23 @@ replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.5
 
 require (
 	github.com/agiledragon/gomonkey/v2 v2.9.0
+	github.com/avast/retry-go/v4 v4.3.4
 	github.com/dubbogo/go-zookeeper v1.0.4-0.20211212162352-f9d2183d89d5
 	github.com/dubbogo/gost v1.13.1
 	github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1
 	github.com/gogo/protobuf v1.3.2
 	github.com/golang/protobuf v1.5.2
-	github.com/google/go-cmp v0.5.8
+	github.com/google/go-cmp v0.5.9
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
+	github.com/hashicorp/consul/api v1.23.0
 	github.com/hashicorp/go-multierror v1.1.1
+	github.com/hudl/fargo v1.4.0
 	github.com/nacos-group/nacos-sdk-go v1.0.8
 	github.com/nacos-group/nacos-sdk-go/v2 v2.1.2
 	github.com/pkg/errors v0.9.1
 	github.com/spf13/cobra v1.2.1
 	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.8.1
+	github.com/stretchr/testify v1.8.3
 	go.uber.org/atomic v1.9.0
 	google.golang.org/grpc v1.48.0
 	google.golang.org/protobuf v1.28.0
@@ -69,6 +72,7 @@ require (
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/aliyun/alibaba-cloud-sdk-go v1.61.1704 // indirect
+	github.com/armon/go-metrics v0.4.1 // indirect
 	github.com/aws/aws-sdk-go v1.41.7 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/buger/jsonparser v1.1.1 // indirect
@@ -76,10 +80,11 @@ require (
 	github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 // indirect
+	github.com/clbanning/mxj v1.8.4 // indirect
 	github.com/cncf/xds/go v0.0.0-20220520190051-1e77728a1eaa // indirect
 	github.com/containerd/continuity v0.1.0 // indirect
 	github.com/coreos/go-oidc/v3 v3.1.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v3 v3.0.0 // indirect
 	github.com/docker/cli v20.10.7+incompatible // indirect
 	github.com/docker/distribution v2.7.1+incompatible // indirect
@@ -90,6 +95,8 @@ require (
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
+	github.com/fatih/color v1.14.1 // indirect
+	github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8 // indirect
 	github.com/fsnotify/fsnotify v1.5.1 // indirect
 	github.com/fvbommel/sortorder v1.0.1 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
@@ -113,9 +120,14 @@ require (
 	github.com/googleapis/gnostic v0.5.5 // indirect
 	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
-	github.com/hashicorp/errwrap v1.0.0 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-hclog v1.5.0 // indirect
+	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
+	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
 	github.com/hashicorp/go-version v1.3.0 // indirect
 	github.com/hashicorp/golang-lru v0.5.4 // indirect
+	github.com/hashicorp/serf v0.10.1 // indirect
 	github.com/huandu/xstrings v1.3.2 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
@@ -133,9 +145,14 @@ require (
 	github.com/lestrrat/go-strftime v0.0.0-20180220042222-ba3bf9c1d042 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/mailru/easyjson v0.7.6 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.17 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+	github.com/miekg/dns v1.1.43 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
 	github.com/moby/term v0.0.0-20210610120745-9d4ed1856297 // indirect
@@ -143,12 +160,13 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/natefinch/lumberjack v2.0.0+incompatible // indirect
+	github.com/op/go-logging v0.0.0-20160315200505-970db520ece7 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.1 // indirect
 	github.com/opencontainers/runc v1.0.2 // indirect
 	github.com/openshift/api v0.0.0-20200713203337-b2494ecb17dd // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.12.2 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.32.1 // indirect
@@ -167,13 +185,14 @@ require (
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	go.uber.org/multierr v1.7.0 // indirect
 	go.uber.org/zap v1.21.0 // indirect
-	golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd // indirect
-	golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect
+	golang.org/x/crypto v0.11.0 // indirect
+	golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect
+	golang.org/x/net v0.12.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
-	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
-	golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
-	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
-	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/sync v0.2.0 // indirect
+	golang.org/x/sys v0.10.0 // indirect
+	golang.org/x/term v0.10.0 // indirect
+	golang.org/x/text v0.11.0 // indirect
 	golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	gomodules.xyz/jsonpatch/v3 v3.0.1 // indirect
@@ -181,10 +200,12 @@ require (
 	google.golang.org/api v0.59.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20211020151524-b7c3a969101a // indirect
+	gopkg.in/gcfg.v1 v1.2.3 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.66.2 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.22.2 // indirect
 	k8s.io/component-base v0.22.2 // indirect

go.sum

@@ -103,6 +103,7 @@ github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/DATA-DOG/go-sqlmock v1.5.0/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM=
+github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
 github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd h1:sjQovDkwrZp8u+gxLtPgKGjk5hCxuy2hrRejBTA9xFU=
 github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd/go.mod h1:64YHyfSL2R96J44Nlwm39UHepQbyR5q10x7iYa1ks2E=
@@ -179,11 +180,16 @@ github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
+github.com/armon/go-metrics v0.4.1 h1:hR91U9KYmb6bLBYLQjyM+3j+rcd/UhE+G78SFnF8gJA=
+github.com/armon/go-metrics v0.4.1/go.mod h1:E6amYzXo6aW1tqzoZGT755KkbgrJsSdpwZ+3JqfkOG4=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
+github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/aryann/difflib v0.0.0-20170710044230-e206f873d14a/go.mod h1:DAHtR1m6lCRdSC2Tm3DSWRPvIPr6xNKyeHdqDQSQT+A=
 github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg=
+github.com/avast/retry-go/v4 v4.3.4 h1:pHLkL7jvCvP317I8Ge+Km2Yhntv3SdkJm7uekkqbKhM=
+github.com/avast/retry-go/v4 v4.3.4/go.mod h1:rv+Nla6Vk3/ilU0H51VHddWHiwimzX66yZ0JT6T+UvE=
 github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU=
 github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0=
 github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
@@ -246,6 +252,10 @@ github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX
 github.com/cilium/ebpf v0.4.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
 github.com/cilium/ebpf v0.5.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
 github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
+github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
+github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
+github.com/clbanning/mxj v1.8.4 h1:HuhwZtbyvyOw+3Z1AowPkU87JkJUSv751ELWaiTpj8I=
+github.com/clbanning/mxj v1.8.4/go.mod h1:BVjHeAH+rl9rs6f+QIpeRl0tfu10SXn1pUSa5PVGJng=
 github.com/clbanning/x2j v0.0.0-20191024224557-825249438eec/go.mod h1:jMjuTZXRI4dUb/I5gc9Hdhagfvm9+RyrPryS/auMzxE=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
@@ -385,8 +395,9 @@ github.com/d2g/dhcp4client v1.0.0/go.mod h1:j0hNfjhrt2SxUOw55nL0ATM/z4Yt3t2Kd1mW
 github.com/d2g/dhcp4server v0.0.0-20181031114812-7d4a0a7f59a5/go.mod h1:Eo87+Kg/IX2hfWJfwxMzLyuSZyxSoAug2nGa1G2QAi8=
 github.com/d2g/hardwareaddr v0.0.0-20190221164911-e7d9fbe030e4/go.mod h1:bMl4RjIciD2oAxI7DmWRx6gbeqrkoLqv3MV0vzNad+I=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/daviddengcn/go-colortext v0.0.0-20160507010035-511bcaf42ccd/go.mod h1:dv4zxwHi5C/8AeI+4gX4dCWOIvNi7I6JCSX0HvlKPgE=
 github.com/decred/dcrd/chaincfg/chainhash v1.0.2/go.mod h1:BpbrGgrPTr3YJYRN3Bm+D9NuaFd+zGyNeIKgrhCXK60=
 github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
@@ -447,9 +458,12 @@ github.com/fastly/go-utils v0.0.0-20180712184237-d95a45783239 h1:Ghm4eQYC0nEPnSJ
 github.com/fastly/go-utils v0.0.0-20180712184237-d95a45783239/go.mod h1:Gdwt2ce0yfBxPvZrHkprdPPTTS3N5rwmLE8T22KBXlw=
 github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwoZc+/fpc=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
 github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
 github.com/fatih/color v1.12.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
+github.com/fatih/color v1.14.1 h1:qfhVLaG5s+nCROl1zJsZRxFeYrHLqWroPOQ8BWiNb4w=
+github.com/fatih/color v1.14.1/go.mod h1:2oHN61fhTpgcxD3TSWCgKDiH1+x4OiDVVGH8WlgGZGg=
 github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/florianl/go-nflog/v2 v2.0.1/go.mod h1:g+SOgM/SuePn9bvS/eo3Ild7J71nSb29OzbxR+7cln0=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
@@ -457,6 +471,9 @@ github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoD
 github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/francoispqt/gojay v1.2.13/go.mod h1:ehT5mTG4ua4581f1++1WLG0vPdaA9HaiDsoyrBGkyDY=
 github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4=
+github.com/franela/goblin v0.0.0-20210519012713-85d372ac71e2 h1:cZqz+yOJ/R64LcKjNQOdARott/jP7BnUQ9Ah7KaZCvw=
+github.com/franela/goblin v0.0.0-20210519012713-85d372ac71e2/go.mod h1:VzmDKDJVZI3aJmnRI9VjAn9nJ8qPPsN1fqzr9dqInIo=
+github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8 h1:a9ENSRDFBUPkJ5lCgVZh26+ZbGyoVJG7yb5SSzF5H54=
 github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
@@ -646,8 +663,8 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
-github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-containerregistry v0.6.0 h1:niQ+8XD//kKgArIFwDVBXsWVWbde16LPdHMyNwSC8h4=
 github.com/google/go-containerregistry v0.6.0/go.mod h1:euCCtNbZ6tKqi1E72vwDj2xZcN5ttKpZLfa/wSo5iLw=
 github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ=
@@ -698,6 +715,7 @@ github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2c
 github.com/googleapis/gnostic v0.5.5 h1:9fHAtK0uDfpveeqqo1hkEZJcFvYXAiCN3UutL8F9xHw=
 github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA=
 github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8=
+github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
 github.com/gorilla/handlers v0.0.0-20150720190736-60c7bfde3e33/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ=
@@ -725,22 +743,40 @@ github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t
 github.com/grpc-ecosystem/grpc-gateway v1.14.6/go.mod h1:zdiPV4Yse/1gnckTHtghG4GkDEdKCRJduHpTxT3/jcw=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/hashicorp/consul/api v1.3.0/go.mod h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE=
+github.com/hashicorp/consul/api v1.23.0 h1:L6e4v1AfoumqAHq/Rrsmuulev+nd7vltM3k8H329tyI=
+github.com/hashicorp/consul/api v1.23.0/go.mod h1:SfvUIT74b0EplDuNgAJQ/FVqSO6KyK2ia80UI39/Ye8=
 github.com/hashicorp/consul/sdk v0.3.0/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
+github.com/hashicorp/consul/sdk v0.14.0 h1:Hly+BMNMssVzoWddbBnBFi3W+Fzytvm0haSkihhj3GU=
 github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
-github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
+github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
+github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
+github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
+github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c=
+github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
+github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc=
+github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
+github.com/hashicorp/go-msgpack v0.5.5 h1:i9R9JSrqIz0QVLz3sz+i3YJdT7TTSLcfLLzJi9aZTuI=
 github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I=
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
+github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
+github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
 github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
+github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
+github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
 github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU=
+github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc=
 github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
 github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/go-version v1.3.0 h1:McDWVJIU/y+u1BRV06dPaLfLCaT7fUTJLp5r04x7iNw=
 github.com/hashicorp/go-version v1.3.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
@@ -752,13 +788,20 @@ github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uG
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
 github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
+github.com/hashicorp/mdns v1.0.4/go.mod h1:mtBihi+LeNXGtG8L9dX59gAEa12BDtBQSp4v/YAJqrc=
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
+github.com/hashicorp/memberlist v0.5.0 h1:EtYPN8DpAURiapus508I4n9CzHs2W+8NZGbmmR/prTM=
+github.com/hashicorp/memberlist v0.5.0/go.mod h1:yvyXLpo0QaGE59Y7hDTsTzDD25JYBZ4mHgHUZ8lrOI0=
 github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
+github.com/hashicorp/serf v0.10.1 h1:Z1H2J60yRKvfDYAOZLd2MU0ND4AH/WDz7xYHDWQsIPY=
+github.com/hashicorp/serf v0.10.1/go.mod h1:yL2t6BqATOLGc5HF7qbFkTfXoPIY0WZdWHfEvMqbG+4=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/huandu/xstrings v1.3.1/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/huandu/xstrings v1.3.2 h1:L18LIDzqlW6xN2rEkpdV8+oL/IXWJ1APd+vsdYy4Wdw=
 github.com/huandu/xstrings v1.3.2/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/hudl/fargo v1.3.0/go.mod h1:y3CKSmjA+wD2gak7sUSXTAoopbhU08POFhmITJgmKTg=
+github.com/hudl/fargo v1.4.0 h1:ZDDILMbB37UlAVLlWcJ2Iz1XuahZZTDZfdCKeclfq2s=
+github.com/hudl/fargo v1.4.0/go.mod h1:9Ai6uvFy5fQNq6VPKtg+Ceq1+eTY4nKUlR2JElEOcDo=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q=
@@ -810,6 +853,7 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
+github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
@@ -902,14 +946,23 @@ github.com/marten-seemann/qtls-go1-17 v0.1.0 h1:P9ggrs5xtwiqXv/FHNwntmuLMNq3KaSI
 github.com/marten-seemann/qtls-go1-17 v0.1.0/go.mod h1:fz4HIxByo+LlWcreM4CZOYNuz3taBQ8rN2X6FqvaWo8=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
+github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
+github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.7/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
+github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
+github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng=
+github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-oci8 v0.1.1/go.mod h1:wjDx6Xm9q7dFtHJvIlrI99JytznLw5wQ4R+9mNXJwGI=
 github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-runewidth v0.0.7/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
@@ -937,10 +990,14 @@ github.com/mdlayher/netlink v1.4.1/go.mod h1:e4/KuJ+s8UhfUpO9z00/fDZZmhSrs+oxyqA
 github.com/mdlayher/socket v0.0.0-20210307095302-262dc9984e00/go.mod h1:GAFlyu4/XV68LkQKYzKhIo/WW7j3Zi0YRAz/BOoanUc=
 github.com/microcosm-cc/bluemonday v1.0.1/go.mod h1:hsXNsILzKxV+sX77C5b8FSuKF00vh2OMYv+xgHpAMF4=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
+github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso=
+github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI=
+github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg=
 github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4=
 github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible/go.mod h1:8AuVvqP/mXw1px98n46wfvcGfQ4ci2FwoAjKYxuo3Z4=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
+github.com/mitchellh/cli v1.1.0/go.mod h1:xcISNoH86gajksDmfB23e/pu+B+GeFRMYmoHXxx3xhI=
 github.com/mitchellh/cli v1.1.2/go.mod h1:6iaV0fGdElS6dPBx0EApTxHrcWvmJphyh2n8YBLPPZ4=
 github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
 github.com/mitchellh/copystructure v1.1.1/go.mod h1:EBArHfARyrSWO/+Wyr9zwEkc6XMFB9XyNgFNmRkZZU4=
@@ -956,6 +1013,8 @@ github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS4
 github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
 github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
+github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQZAeMln+1tSwduZz7+Af5oFlKirV/MSYes2A=
 github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/mitchellh/reflectwalk v1.0.1/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
@@ -1040,6 +1099,7 @@ github.com/onsi/gomega v1.14.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+t
 github.com/onsi/gomega v1.15.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0=
 github.com/onsi/gomega v1.16.0 h1:6gjqkI8iiRHMvdccRJM8rVKjCWk6ZIm6FTm3ddIe4/c=
 github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
+github.com/op/go-logging v0.0.0-20160315200505-970db520ece7 h1:lDH9UUVJtmYCjyT0CI4q8xvlXPxeZ0gYCVvWbmPlp88=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
 github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
@@ -1081,6 +1141,8 @@ github.com/openzipkin/zipkin-go v0.2.1/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnh
 github.com/openzipkin/zipkin-go v0.2.2/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4=
 github.com/pact-foundation/pact-go v1.0.4/go.mod h1:uExwJY4kCzNPcHRj+hCR/HBbOOIwwtUjcrb0b5/5kLM=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
+github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0MwY=
+github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE=
@@ -1097,9 +1159,11 @@ github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/profile v1.2.1/go.mod h1:hJw3o1OdXxsrSjjVksARp5W95eeEaEfptyVZyv6JUPA=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
+github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s=
 github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
 github.com/prometheus/client_golang v0.0.0-20180209125602-c332b6f63c06/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.8.0/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
@@ -1108,6 +1172,7 @@ github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g=
 github.com/prometheus/client_golang v1.3.0/go.mod h1:hJaj2vgQTGQmVCsAACORcieXFeDPbaTKGT+JTgUa3og=
+github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU=
 github.com/prometheus/client_golang v1.5.1/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU=
 github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
 github.com/prometheus/client_golang v1.9.0/go.mod h1:FqZLKOZnGdFAhOK4nqGHa7D66IdsO+O441Eve7ptJDU=
@@ -1176,6 +1241,7 @@ github.com/safchain/ethtool v0.0.0-20210803160452-9aa261dae9b1/go.mod h1:Z0q5wiB
 github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/sclevine/agouti v3.0.0+incompatible/go.mod h1:b4WX9W9L1sfQKXeJf1mUTLZKJ48R1S7H23Ji7oFO5Bw=
+github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 h1:nn5Wsu0esKSJiIVhscUtVbo7ada43DJhG55ua/hjS5I=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
 github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
@@ -1216,8 +1282,10 @@ github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrf
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
+github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
 github.com/soheilhy/cmux v0.1.5-0.20210205191134-5ec6847320e5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
@@ -1269,9 +1337,11 @@ github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.3 h1:RP3t2pwF7cMEbC1dqtB6poj3niw/9gnV4Cjg5oW5gtY=
+github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
@@ -1286,6 +1356,7 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20200427203606-3cfed13b9966/go.mod h1
 github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/toolkits/concurrent v0.0.0-20150624120057-a4371d70e3e3 h1:kF/7m/ZU+0D4Jj5eZ41Zm3IH/J8OElK1Qtd7tVKAwLk=
 github.com/toolkits/concurrent v0.0.0-20150624120057-a4371d70e3e3/go.mod h1:QDlpd3qS71vYtakd2hmdpqhJ9nwv6mD6A30bQ1BPBFE=
+github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
 github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
@@ -1421,6 +1492,7 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191122220453-ac88ee75c92c/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -1438,8 +1510,8 @@ golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd h1:XcWmESyNjXJMLahc3mqVQJcgSTDxFxhETVlfk9uGc38=
-golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
+golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1451,6 +1523,8 @@ golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
 golang.org/x/exp v0.0.0-20200331195152-e8c3332aa8e5/go.mod h1:4M0jN8W1tt0AVLNr8HDosyJCDCDuyL9N9+3m7wDWgKw=
+golang.org/x/exp v0.0.0-20230321023759-10a507213a29 h1:ooxPy7fPvB4kwsA2h+iBNHkAbp/4JxTSwCmvdjEYmug=
+golang.org/x/exp v0.0.0-20230321023759-10a507213a29/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -1477,8 +1551,8 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.1-0.20200828183125-ce943fd02449/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.2 h1:Gz96sIWK3OalVv/I/qNygP42zyoKp3xptRVCWRFEBvo=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
 golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1509,6 +1583,7 @@ golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191002035440-2ec189313ef0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191007182048-72f939374954/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -1543,6 +1618,7 @@ golang.org/x/net v0.0.0-20210224082022-3d97a244fca7/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8=
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
 golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
@@ -1550,8 +1626,8 @@ golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211020060615-d418f374d309/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b h1:PxfKdU9lEEDYjdIzOtC4qFWgkU2rGHdKlKowJSMN9h0=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50=
+golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -1585,8 +1661,9 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 h1:uVc8UZUe6tr40fFVnUP5Oj+veunVezqYl9z7DYw9xzw=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI=
+golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1622,6 +1699,8 @@ golang.org/x/sys v0.0.0-20190812073006-9eafafc0a87e/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191002063906-3421d5a6bb1c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1709,16 +1788,20 @@ golang.org/x/sys v0.0.0-20210817190340-bfb29a6856f2/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210917161153-d61c044b1678/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211020174200-9d6173849985/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f h1:v4INt8xihDGvnrfjMDVXGxw9wrfxYyCjk0KbXjhR55s=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c=
+golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1728,8 +1811,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4=
+golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1763,6 +1846,7 @@ golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgw
 golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20190907020128-2ca718005c18/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@@ -1814,12 +1898,11 @@ golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.5 h1:ouewzE6p+/VEB31YYnTbEJdi8pFqKp4P4n85vwo3DHA=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gomodules.xyz/jsonpatch/v2 v2.0.1/go.mod h1:IhYNNY4jnS53ZnfE4PAmpKtDpTCj1JFXc+3mwe7XcUU=
 gomodules.xyz/jsonpatch/v2 v2.2.0 h1:4pT439QV83L+G9FkcCriY6EkpcK6r6bK+A5FBUMI7qY=
@@ -2017,6 +2100,7 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EV
 gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/gcfg.v1 v1.2.3 h1:m8OOJ4ccYHnx2f4gQwpno8nAX5OGOh7RLaaz0pj3Ogs=
 gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o=
 gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
 gopkg.in/gorp.v1 v1.7.2/go.mod h1:Wo3h+DBQZIxATwftsglhdD/62zRFPhGhTiu5jUJmCaw=
@@ -2035,6 +2119,7 @@ gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI
 gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

helm/core/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.0.0
+appVersion: 1.1.2
 description: Helm chart for deploying higress gateways
 icon: https://higress.io/img/higress_logo_small.png
 home: http://higress.io/
@@ -10,4 +10,4 @@ name: higress-core
 sources:
 - http://github.com/alibaba/higress
 type: application
-version: 1.0.0
+version: 1.1.2

helm/core/crds/customresourcedefinitions.gen.yaml

@@ -104,6 +104,88 @@ spec:
     subresources:
       status: {}
 
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  name: http2rpcs.networking.higress.io
+spec:
+  group: networking.higress.io
+  names:
+    categories:
+    - higress-io
+    kind: Http2Rpc
+    listKind: Http2RpcList
+    plural: http2rpcs
+    singular: http2rpc
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            oneOf:
+            - not:
+                anyOf:
+                - required:
+                  - dubbo
+                - required:
+                  - grpc
+            - required:
+              - dubbo
+            - required:
+              - grpc
+            properties:
+              dubbo:
+                properties:
+                  group:
+                    type: string
+                  methods:
+                    items:
+                      properties:
+                        headersAttach:
+                          type: string
+                        httpMethods:
+                          items:
+                            type: string
+                          type: array
+                        httpPath:
+                          type: string
+                        params:
+                          items:
+                            properties:
+                              paramKey:
+                                type: string
+                              paramSource:
+                                type: string
+                              paramType:
+                                type: string
+                            type: object
+                          type: array
+                        serviceMethod:
+                          type: string
+                      type: object
+                    type: array
+                  service:
+                    type: string
+                  version:
+                    type: string
+                type: object
+              grpc:
+                type: object
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
@@ -131,8 +213,17 @@ spec:
               registries:
                 items:
                   properties:
+                    authSecretName:
+                      type: string
+                    consulDatacenter:
+                      type: string
                     consulNamespace:
                       type: string
+                    consulRefreshInterval:
+                      format: int64
+                      type: integer
+                    consulServiceTag:
+                      type: string
                     domain:
                       type: string
                     nacosAccessKey:

helm/core/templates/controller-clusterrole.yaml

@@ -46,6 +46,10 @@ rules:
     resources: ["wasmplugins"]
     verbs: ["get", "list", "watch"]
 
+  - apiGroups: ["networking.higress.io"]
+    resources: ["http2rpcs"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+
   - apiGroups: [""]
     resources: ["services"]
     verbs: ["get", "watch", "list", "update", "patch", "create", "delete"]

helm/core/templates/controller-deployment.yaml

@@ -33,7 +33,7 @@ spec:
 {{- if contains "/" .Values.pilot.image }}
           image: "{{ .Values.pilot.image }}"
 {{- else }}
-          image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}"
+          image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Chart.AppVersion }}"
 {{- end }}
 {{- if .Values.global.imagePullPolicy }}
           imagePullPolicy: {{ .Values.global.imagePullPolicy }}
@@ -73,6 +73,8 @@ spec:
             periodSeconds: 3
             timeoutSeconds: 5
           env:
+          - name: PILOT_FILTER_GATEWAY_CLUSTER_CONFIG
+            value: "true"
           - name: HIGRESS_CONTROLLER_SVC
             value: "127.0.0.1"
           - name: HIGRESS_CONTROLLER_PORT
@@ -200,6 +202,8 @@ spec:
               fieldRef:
                 apiVersion: v1
                 fieldPath: spec.serviceAccountName
+          - name: DOMAIN_SUFFIX
+            value: {{ .Values.global.proxy.clusterDomain }}
           {{- if .Values.controller.env }}
           {{- range $key, $val := .Values.controller.env }}
           - name: {{ $key }}

helm/core/values.yaml

@@ -44,8 +44,6 @@ global:
   # Releases are published to docker hub under 'istio' project.
   # Dev builds from prow are on gcr.io
   hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
-  # Default tag for Istio images.
-  tag: 1.0.0
 
   # Specify image pull policy if default behavior isn't desired.
   # Default behavior: latest images will be Always else IfNotPresent.
@@ -369,7 +367,7 @@ gateway:
   name: "higress-gateway"
   replicas: 2
   image: gateway
-  tag: "1.0.0"
+  tag: ""
   # revision declares which revision this gateway is a part of
   revision: ""
 
@@ -457,7 +455,7 @@ controller:
   name: "higress-controller"
   replicas: 1
   image: higress
-  tag: "1.0.0"
+  tag: ""
   env: {}
 
   labels: {}
@@ -547,7 +545,7 @@ pilot:
   rollingMaxUnavailable: 25%
 
   hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
-  tag: 1.0.0
+  tag: ""
 
   # Can be a full hub/image:tag
   image: pilot
@@ -560,7 +558,7 @@ pilot:
       memory: 2048Mi
 
   env:
-    PILOT_SCOPE_GATEWAY_TO_NAMESPACE: "true"
+    PILOT_SCOPE_GATEWAY_TO_NAMESPACE: "false"
     PILOT_ENABLE_METADATA_EXCHANGE: "false"
     PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY: "false"
     VALIDATION_ENABLED: "false"
@@ -583,7 +581,7 @@ pilot:
   jwksResolverExtraRootCA: ""
 
   # This is used to set the source of configuration for
-  # the associated address in configSource, if nothing is specificed
+  # the associated address in configSource, if nothing is specified
   # the default MCP is assumed.
   configSource:
     subscribedResources: []

helm/higress/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: higress-core
   repository: file://../core
-  version: 1.0.0
+  version: 1.1.2
 - name: higress-console
   repository: https://higress.io/helm-charts/
-  version: 1.0.1
-digest: sha256:cb0808ac6feff2bebf1184969defe5d0b7bf6d12d45e9bd39751df94af731dc0
-generated: "2023-06-16T10:15:54.5326712+08:00"
+  version: 1.1.2
+digest: sha256:8fc099c4ad77bcdc4b9dde2ef14f89b2159b6fdcc49a3dc7e1cccb01a7ed99b9
+generated: "2023-09-19T21:46:20.2567789+08:00"

helm/higress/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.0.1
+appVersion: 1.1.2
 description: Helm chart for deploying Higress gateways
 icon: https://higress.io/img/higress_logo_small.png
 home: http://higress.io/
@@ -12,9 +12,9 @@ sources:
 dependencies:
 - name: higress-core
   repository: "file://../core"
-  version: 1.0.0
+  version: 1.1.2
 - name: higress-console
   repository: "https://higress.io/helm-charts/"
-  version: 1.0.1
+  version: 1.1.2
 type: application
-version: 1.0.1
+version: 1.1.2

istio/1.12/patches/istio/20221027-init.patch

@@ -140,7 +140,7 @@ index 25479439b7..bd34442260 100755
  
  # This script builds and version stamps the output
  
-+export GOPROXY="https://proxy.golang.com.cn,direct"
++export GOPROXY=${GOPROXY:-"https://proxy.golang.com.cn,direct"}
 +
  VERBOSE=${VERBOSE:-"0"}
  V=""
@@ -215,10 +215,11 @@ index 271fe77a2d..c9e625efdc 100755
      --init \
      --sig-proxy=true \
      ${DOCKER_SOCKET_MOUNT:--v /var/run/docker.sock:/var/run/docker.sock} \
-@@ -55,7 +59,15 @@ read -ra DOCKER_RUN_OPTIONS <<< "${DOCKER_RUN_OPTIONS:-}"
+@@ -55,7 +59,16 @@ read -ra DOCKER_RUN_OPTIONS <<< "${DOCKER_RUN_OPTIONS:-}"
      --env-file <(env | grep -v ${ENV_BLOCKLIST}) \
      -e IN_BUILD_CONTAINER=1 \
      -e TZ="${TIMEZONE:-$TZ}" \
++    -e GOPROXY="${GOPROXY}" \
 +    -e HUB="${HUB}" \
 +    -e ENVOY_TAR_PATH="${ENVOY_TAR_PATH}" \
 +    --mount "type=bind,source=${MOUNT_PACKAGE_SOURCE},destination=/home/package" \

istio/1.12/patches/istio/20230618-debug-api-anonymous.patch

@@ -0,0 +1,30 @@
+diff --color -Naur istio/pilot/pkg/features/pilot.go istio_new/pilot/pkg/features/pilot.go
+--- istio/pilot/pkg/features/pilot.go	2023-06-18 20:13:57.715044832 +0800
++++ istio_new/pilot/pkg/features/pilot.go	2023-06-18 20:11:40.310406690 +0800
+@@ -359,6 +359,9 @@
+ 	EnableUnsafeAdminEndpoints = env.RegisterBoolVar("UNSAFE_ENABLE_ADMIN_ENDPOINTS", false,
+ 		"If this is set to true, dangerous admin endpoints will be exposed on the debug interface. Not recommended for production.").Get()
+ 
++	DebugAuth = env.RegisterBoolVar("DEBUG_AUTH", true,
++		"If this is set to false, the debug interface will allow all anonymous request from any remote host, which is not recommended for production").Get()
++
+ 	XDSAuth = env.RegisterBoolVar("XDS_AUTH", true,
+ 		"If true, will authenticate XDS clients.").Get()
+ 
+diff --color -Naur istio/pilot/pkg/xds/debug.go istio_new/pilot/pkg/xds/debug.go
+--- istio/pilot/pkg/xds/debug.go	2023-06-18 20:13:57.695044739 +0800
++++ istio_new/pilot/pkg/xds/debug.go	2023-06-18 20:11:40.286406579 +0800
+@@ -218,8 +218,12 @@
+ 	if internalMux != nil {
+ 		internalMux.HandleFunc(path, handler)
+ 	}
++	handlerFunc := http.HandlerFunc(handler)
++	if features.DebugAuth {
++		handlerFunc = s.allowAuthenticatedOrLocalhost(handlerFunc)
++	}
+ 	// Add handler with auth; this is expose on an HTTP server
+-	mux.HandleFunc(path, s.allowAuthenticatedOrLocalhost(http.HandlerFunc(handler)))
++	mux.HandleFunc(path, handlerFunc)
+ }
+ 
+ func (s *DiscoveryServer) allowAuthenticatedOrLocalhost(next http.Handler) http.HandlerFunc {

istio/1.12/patches/istio/20230627-debug-fix-configz.patch

@@ -0,0 +1,15 @@
+diff -Naur istio/pilot/pkg/xds/debug.go istio-new/pilot/pkg/xds/debug.go
+--- istio/pilot/pkg/xds/debug.go	2023-06-27 14:08:00.000000000 +0800
++++ istio-new/pilot/pkg/xds/debug.go	2023-06-27 14:07:04.000000000 +0800
+@@ -469,6 +469,11 @@
+ 	s.Env.IstioConfigStore.Schemas().ForEach(func(schema collection.Schema) bool {
+ 		cfg, _ := s.Env.IstioConfigStore.List(schema.Resource().GroupVersionKind(), "")
+ 		// Added by ingress
++		copied := make([]config.Config, len(cfg))
++		for i := range copied {
++			copied[i] = cfg[i].DeepCopy()
++		}
++		cfg = copied
+ 		switch schema.Resource().GroupVersionKind().String() {
+ 		case gvk.Gateway.String():
+ 			cfg = model.GatewayFilter(cfg)

istio/1.12/patches/istio/20230815-multi-arch.patch

@@ -0,0 +1,124 @@
+diff -Naur istio/bin/init.sh istio-new/bin/init.sh
+--- istio/bin/init.sh	2023-08-15 21:01:53.601636573 +0800
++++ istio-new/bin/init.sh	2023-08-15 21:04:56.144783484 +0800
+@@ -151,7 +151,8 @@
+ # download_envoy_if_necessary "${ISTIO_ENVOY_LINUX_RELEASE_URL}" "$ISTIO_ENVOY_LINUX_RELEASE_PATH" "${SIDECAR}"
+ # download_envoy_if_necessary "${ISTIO_ENVOY_CENTOS_RELEASE_URL}" "$ISTIO_ENVOY_CENTOS_LINUX_RELEASE_PATH" "${SIDECAR}-centos"
+ 
+-untar_envoy_if_necessary "${ENVOY_TAR_PATH}" "$ISTIO_ENVOY_LINUX_RELEASE_PATH" "${SIDECAR}"
++untar_envoy_if_necessary "${ENVOY_TAR_DIR}/envoy-arm64.tar.gz" "$ISTIO_ENVOY_LINUX_ARM64_RELEASE_PATH" "${SIDECAR}"
++untar_envoy_if_necessary "${ENVOY_TAR_DIR}/envoy-amd64.tar.gz" "$ISTIO_ENVOY_LINUX_AMD64_RELEASE_PATH" "${SIDECAR}"
+ 
+ if [[ "$GOOS_LOCAL" == "darwin" ]]; then
+   # Download and extract the Envoy macOS release binary
+diff -Naur istio/common/scripts/run.sh istio-new/common/scripts/run.sh
+--- istio/common/scripts/run.sh	2023-08-15 21:01:53.601636573 +0800
++++ istio-new/common/scripts/run.sh	2023-08-15 17:37:57.754600731 +0800
+@@ -36,7 +36,7 @@
+ 
+ HUB="${HUB:-istio}"
+ MOUNT_SOURCE="${MOUNT_SOURCE:-${PWD}}"
+-ENVOY_TAR_PATH="${ENVOY_TAR_PATH:-/home/package/envoy.tar.gz}"
++ENVOY_TAR_DIR="${ENVOY_TAR_DIR:-/home/package}"
+ MOUNT_DEST="${MOUNT_DEST:-/work}"
+ MOUNT_ROOT_SOURCE="${MOUNT_ROOT_SOURCE:-`cd $MOUNT_SOURCE/..;pwd`}"
+ MOUNT_PACKAGE_SOURCE="${MOUNT_PACKAGE_SOURCE:-`cd $MOUNT_SOURCE/../package;pwd`}"
+@@ -61,7 +61,7 @@
+     -e TZ="${TIMEZONE:-$TZ}" \
+     -e GOPROXY="${GOPROXY}" \
+     -e HUB="${HUB}" \
+-    -e ENVOY_TAR_PATH="${ENVOY_TAR_PATH}" \
++    -e ENVOY_TAR_DIR="${ENVOY_TAR_DIR}" \
+     --mount "type=bind,source=${MOUNT_PACKAGE_SOURCE},destination=/home/package" \
+     --mount "type=bind,source=${MOUNT_SOURCE},destination=/work" \
+     --mount "type=bind,source=${MOUNT_ROOT_SOURCE}/..,destination=/parent" \
+diff -Naur istio/common/scripts/setup_env.sh istio-new/common/scripts/setup_env.sh
+--- istio/common/scripts/setup_env.sh	2023-08-15 21:01:53.601636573 +0800
++++ istio-new/common/scripts/setup_env.sh	2023-08-15 20:15:23.292391629 +0800
+@@ -81,6 +81,9 @@
+ export TARGET_OUT="${TARGET_OUT:-$(pwd)/out/${TARGET_OS}_${TARGET_ARCH}}"
+ export TARGET_OUT_LINUX="${TARGET_OUT_LINUX:-$(pwd)/out/linux_${TARGET_ARCH}}"
+ 
++export ARM64_OUT_LINUX=/work/out/linux_arm64
++export AMD64_OUT_LINUX=/work/out/linux_amd64
++
+ export CONTAINER_TARGET_OUT="${CONTAINER_TARGET_OUT:-/work/out/${TARGET_OS}_${TARGET_ARCH}}"
+ export CONTAINER_TARGET_OUT_LINUX="${CONTAINER_TARGET_OUT_LINUX:-/work/out/linux_${TARGET_ARCH}}"
+ 
+diff -Naur istio/Makefile.core.mk istio-new/Makefile.core.mk
+--- istio/Makefile.core.mk	2023-08-15 21:01:53.601636573 +0800
++++ istio-new/Makefile.core.mk	2023-08-15 20:03:25.384280274 +0800
+@@ -150,6 +150,11 @@
+ export ISTIO_ENVOY_CENTOS_LINUX_RELEASE_NAME ?= envoy-centos-${ISTIO_ENVOY_LINUX_VERSION}
+ export ISTIO_ENVOY_CENTOS_LINUX_RELEASE_PATH ?= ${ISTIO_ENVOY_LINUX_RELEASE_DIR}/${ISTIO_ENVOY_CENTOS_LINUX_RELEASE_NAME}
+ 
++export ISTIO_ENVOY_LINUX_ARM64_RELEASE_DIR ?= ${ARM64_OUT_LINUX}/release
++export ISTIO_ENVOY_LINUX_ARM64_RELEASE_PATH ?= ${ISTIO_ENVOY_LINUX_ARM64_RELEASE_DIR}/${ISTIO_ENVOY_LINUX_RELEASE_NAME}
++export ISTIO_ENVOY_LINUX_AMD64_RELEASE_DIR ?= ${AMD64_OUT_LINUX}/release
++export ISTIO_ENVOY_LINUX_AMD64_RELEASE_PATH ?= ${ISTIO_ENVOY_LINUX_AMD64_RELEASE_DIR}/${ISTIO_ENVOY_LINUX_RELEASE_NAME}
++
+ # Envoy macOS vars.
+ # TODO Change url when official envoy release for macOS is available
+ export ISTIO_ENVOY_MACOS_VERSION ?= 1.0.2
+@@ -240,6 +245,8 @@
+ ${ISTIO_ENVOY_LINUX_DEBUG_PATH}: init
+ ${ISTIO_ENVOY_LINUX_RELEASE_PATH}: init
+ ${ISTIO_ENVOY_MACOS_RELEASE_PATH}: init
++${ISTIO_ENVOY_LINUX_ARM64_RELEASE_PATH}: init
++${ISTIO_ENVOY_LINUX_AMD64_RELEASE_PATH}: init
+ 
+ # Pull dependencies, based on the checked in Gopkg.lock file.
+ # Developers must manually run `dep ensure` if adding new deps
+@@ -312,8 +319,8 @@
+ # various platform images.
+ .PHONY: build-linux
+ build-linux: depend
+-	GOOS=linux GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) common/scripts/gobuild.sh $(ISTIO_OUT_LINUX)/ $(STANDARD_BINARIES)
+-	GOOS=linux GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) common/scripts/gobuild.sh $(ISTIO_OUT_LINUX)/ -tags=agent $(AGENT_BINARIES)
++	GOOS=linux GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) GOBUILDFLAGS='-buildvcs=false' common/scripts/gobuild.sh $(ISTIO_OUT_LINUX)/ $(STANDARD_BINARIES)
++	GOOS=linux GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) GOBUILDFLAGS='-buildvcs=false' common/scripts/gobuild.sh $(ISTIO_OUT_LINUX)/ -tags=agent $(AGENT_BINARIES)
+ 
+ # Create targets for ISTIO_OUT_LINUX/binary
+ # There are two use cases here:
+diff -Naur istio/tools/istio-docker.mk istio-new/tools/istio-docker.mk
+--- istio/tools/istio-docker.mk	2023-08-15 21:01:53.621637356 +0800
++++ istio-new/tools/istio-docker.mk	2023-08-15 20:02:11.881402098 +0800
+@@ -77,6 +77,14 @@
+ ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/envoy_bootstrap.json: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_PATH}
+ 	cp ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_PATH} ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/envoy_bootstrap.json
+ 
++${ISTIO_ENVOY_LINUX_ARM64_RELEASE_DIR}/${SIDECAR}: ${ISTIO_ENVOY_LINUX_ARM64_RELEASE_PATH}
++	mkdir -p $(DOCKER_BUILD_TOP)/proxyv2
++	cp ${ISTIO_ENVOY_LINUX_ARM64_RELEASE_PATH} ${ISTIO_ENVOY_LINUX_ARM64_RELEASE_DIR}/${SIDECAR}
++
++${ISTIO_ENVOY_LINUX_AMD64_RELEASE_DIR}/${SIDECAR}: ${ISTIO_ENVOY_LINUX_AMD64_RELEASE_PATH}
++	mkdir -p $(DOCKER_BUILD_TOP)/proxyv2
++	cp ${ISTIO_ENVOY_LINUX_AMD64_RELEASE_PATH} ${ISTIO_ENVOY_LINUX_AMD64_RELEASE_DIR}/${SIDECAR}
++
+ # rule for wasm extensions.
+ $(ISTIO_ENVOY_LINUX_RELEASE_DIR)/stats-filter.wasm: init
+ $(ISTIO_ENVOY_LINUX_RELEASE_DIR)/stats-filter.compiled.wasm: init
+@@ -88,7 +96,8 @@
+ docker.proxyv2: BUILD_ARGS=--build-arg proxy_version=istio-proxy:${PROXY_REPO_SHA} --build-arg istio_version=${VERSION} --build-arg BASE_VERSION=${BASE_VERSION} --build-arg SIDECAR=${SIDECAR} --build-arg HUB=${HUB}
+ docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/envoy_bootstrap.json
+ docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/gcp_envoy_bootstrap.json
+-docker.proxyv2: $(ISTIO_ENVOY_LINUX_RELEASE_DIR)/${SIDECAR}
++docker.proxyv2: ${ISTIO_ENVOY_LINUX_ARM64_RELEASE_DIR}/${SIDECAR}
++docker.proxyv2: ${ISTIO_ENVOY_LINUX_AMD64_RELEASE_DIR}/${SIDECAR}
+ docker.proxyv2: $(ISTIO_OUT_LINUX)/pilot-agent
+ docker.proxyv2: pilot/docker/Dockerfile.proxyv2
+ # docker.proxyv2: $(ISTIO_ENVOY_LINUX_RELEASE_DIR)/stats-filter.wasm
+@@ -324,7 +333,13 @@
+ # This can be done with DOCKER_BUILD_VARIANTS="default debug" as well, but at the expense of building twice vs building once and tagging twice
+ INCLUDE_UNTAGGED_DEFAULT ?= false
+ DEFAULT_DISTRIBUTION=debug
++
++
++ifeq ($(BUILDX_PLATFORM), true)
++DOCKER_RULE ?= $(foreach VARIANT,$(DOCKER_BUILD_VARIANTS), time (mkdir -p $(DOCKER_BUILD_TOP)/$@ && TARGET_ARCH=$(TARGET_ARCH) ./tools/docker-copy.sh $^ $(DOCKER_BUILD_TOP)/$@ && cd $(DOCKER_BUILD_TOP)/$@ $(BUILD_PRE) && docker buildx create --use && docker buildx build --no-cache --platform linux/amd64,linux/arm64 $(BUILD_ARGS) --build-arg BASE_DISTRIBUTION=$(call normalize-tag,$(VARIANT)) -t $(HUB)/$(subst docker.,,$@):$(TAG)$(call variant-tag,$(VARIANT)) -f Dockerfile$(suffix $@) . --push  ); )
++else
+ DOCKER_RULE ?= $(foreach VARIANT,$(DOCKER_BUILD_VARIANTS), time (mkdir -p $(DOCKER_BUILD_TOP)/$@ && TARGET_ARCH=$(TARGET_ARCH) ./tools/docker-copy.sh $^ $(DOCKER_BUILD_TOP)/$@ && cd $(DOCKER_BUILD_TOP)/$@ $(BUILD_PRE) && docker build $(BUILD_ARGS) --build-arg BASE_DISTRIBUTION=$(call normalize-tag,$(VARIANT)) -t $(HUB)/$(subst docker.,,$@):$(TAG)$(call variant-tag,$(VARIANT)) -f Dockerfile$(suffix $@) . ); )
++endif
+ RENAME_TEMPLATE ?= mkdir -p $(DOCKER_BUILD_TOP)/$@ && cp $(ECHO_DOCKER)/$(VM_OS_DOCKERFILE_TEMPLATE) $(DOCKER_BUILD_TOP)/$@/Dockerfile$(suffix $@)
+ 
+ # This target will package all docker images used in test and release, without re-building

pkg/cmd/server.go

@@ -33,7 +33,7 @@ var (
 	loggingOptions = log.DefaultOptions()
 
 	serverProvider = func(args *bootstrap.ServerArgs) (bootstrap.ServerInterface, error) {
-		return bootstrap.NewServer(serverArgs)
+		return bootstrap.NewServer(args)
 	}
 
 	waitForMonitorSignal = func(stop chan struct{}) {

pkg/ingress/config/ingress_config.go

@@ -15,6 +15,7 @@
 package config
 
 import (
+	"bytes"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -25,8 +26,10 @@ import (
 	wasm "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/wasm/v3"
 	httppb "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
 	v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/wasm/v3"
+	"github.com/gogo/protobuf/jsonpb"
 	"github.com/gogo/protobuf/types"
 	"github.com/golang/protobuf/ptypes/wrappers"
+	"go.uber.org/atomic"
 	"google.golang.org/protobuf/types/known/anypb"
 	extensions "istio.io/api/extensions/v1alpha1"
 	networking "istio.io/api/networking/v1alpha3"
@@ -42,10 +45,13 @@ import (
 	"k8s.io/client-go/tools/cache"
 
 	higressext "github.com/alibaba/higress/api/extensions/v1alpha1"
+	higressv1 "github.com/alibaba/higress/api/networking/v1"
 	extlisterv1 "github.com/alibaba/higress/client/pkg/listers/extensions/v1alpha1"
 	netlisterv1 "github.com/alibaba/higress/client/pkg/listers/networking/v1"
 	"github.com/alibaba/higress/pkg/ingress/kube/annotations"
 	"github.com/alibaba/higress/pkg/ingress/kube/common"
+	"github.com/alibaba/higress/pkg/ingress/kube/configmap"
+	"github.com/alibaba/higress/pkg/ingress/kube/http2rpc"
 	"github.com/alibaba/higress/pkg/ingress/kube/ingress"
 	"github.com/alibaba/higress/pkg/ingress/kube/ingressv1"
 	"github.com/alibaba/higress/pkg/ingress/kube/mcpbridge"
@@ -54,12 +60,30 @@ import (
 	"github.com/alibaba/higress/pkg/ingress/kube/wasmplugin"
 	. "github.com/alibaba/higress/pkg/ingress/log"
 	"github.com/alibaba/higress/pkg/kube"
+	"github.com/alibaba/higress/registry/memory"
 	"github.com/alibaba/higress/registry/reconcile"
 )
 
 var (
-	_ model.ConfigStoreCache = &IngressConfig{}
-	_ model.IngressStore     = &IngressConfig{}
+	_                 model.ConfigStoreCache = &IngressConfig{}
+	_                 model.IngressStore     = &IngressConfig{}
+	Http2RpcMethodMap                        = func() map[string]string {
+		return map[string]string{
+			"GET":    "ALL_GET",
+			"POST":   "ALL_POST",
+			"PUT":    "ALL_PUT",
+			"DELETE": "ALL_DELETE",
+			"PATCH":  "ALL_PATCH",
+		}
+	}
+	Http2RpcParamSourceMap = func() map[string]string {
+		return map[string]string{
+			"QUERY":  "ALL_QUERY_PARAMETER",
+			"HEADER": "ALL_HEADER",
+			"PATH":   "ALL_PATH",
+			"BODY":   "ALL_BODY",
+		}
+	}
 )
 
 type IngressConfig struct {
@@ -86,7 +110,7 @@ type IngressConfig struct {
 
 	RegistryReconciler *reconcile.Reconciler
 
-	mcpbridgeReconciled bool
+	mcpbridgeReconciled *atomic.Bool
 
 	mcpbridgeController mcpbridge.McpBridgeController
 
@@ -98,6 +122,14 @@ type IngressConfig struct {
 
 	wasmPlugins map[string]*extensions.WasmPlugin
 
+	http2rpcController http2rpc.Http2RpcController
+
+	http2rpcLister netlisterv1.Http2RpcLister
+
+	http2rpcs map[string]*higressv1.Http2Rpc
+
+	configmapMgr *configmap.ConfigmapMgr
+
 	XDSUpdater model.XDSUpdater
 
 	annotationHandler annotations.AnnotationHandler
@@ -123,8 +155,9 @@ func NewIngressConfig(localKubeClient kube.Client, XDSUpdater model.XDSUpdater,
 			common.CreateConvertedName(clusterId, "global"),
 		watchedSecretSet:    sets.NewSet(),
 		namespace:           namespace,
-		mcpbridgeReconciled: true,
+		mcpbridgeReconciled: atomic.NewBool(true),
 		wasmPlugins:         make(map[string]*extensions.WasmPlugin),
+		http2rpcs:           make(map[string]*higressv1.Http2Rpc),
 	}
 	mcpbridgeController := mcpbridge.NewController(localKubeClient, clusterId)
 	mcpbridgeController.AddEventHandler(config.AddOrUpdateMcpBridge, config.DeleteMcpBridge)
@@ -135,6 +168,15 @@ func NewIngressConfig(localKubeClient kube.Client, XDSUpdater model.XDSUpdater,
 	wasmPluginController.AddEventHandler(config.AddOrUpdateWasmPlugin, config.DeleteWasmPlugin)
 	config.wasmPluginController = wasmPluginController
 	config.wasmPluginLister = wasmPluginController.Lister()
+
+	http2rpcController := http2rpc.NewController(localKubeClient, clusterId)
+	http2rpcController.AddEventHandler(config.AddOrUpdateHttp2Rpc, config.DeleteHttp2Rpc)
+	config.http2rpcController = http2rpcController
+	config.http2rpcLister = http2rpcController.Lister()
+
+	higressConfigController := configmap.NewController(localKubeClient, clusterId, namespace)
+	config.configmapMgr = configmap.NewConfigmapMgr(XDSUpdater, namespace, higressConfigController, higressConfigController.Lister())
+
 	return config
 }
 
@@ -207,8 +249,24 @@ func (m *IngressConfig) List(typ config.GroupVersionKind, namespace string) ([]c
 	if typ == gvk.EnvoyFilter {
 		m.mutex.RLock()
 		defer m.mutex.RUnlock()
-		IngressLog.Infof("resource type %s, configs number %d", typ, len(m.cachedEnvoyFilters))
-		return m.cachedEnvoyFilters, nil
+		var envoyFilters []config.Config
+		// Build configmap envoy filters
+		configmapEnvoyFilters, err := m.configmapMgr.ConstructEnvoyFilters()
+		if err != nil {
+			IngressLog.Errorf("Construct configmap EnvoyFilters error %v", err)
+		} else {
+			for _, envoyFilter := range configmapEnvoyFilters {
+				envoyFilters = append(envoyFilters, *envoyFilter)
+			}
+			IngressLog.Infof("Append %d configmap EnvoyFilters", len(configmapEnvoyFilters))
+		}
+		if len(envoyFilters) == 0 {
+			IngressLog.Infof("resource type %s, configs number %d", typ, len(m.cachedEnvoyFilters))
+			return m.cachedEnvoyFilters, nil
+		}
+		envoyFilters = append(envoyFilters, m.cachedEnvoyFilters...)
+		IngressLog.Infof("resource type %s, configs number %d", typ, len(envoyFilters))
+		return envoyFilters, nil
 	}
 
 	var configs []config.Config
@@ -425,6 +483,9 @@ func (m *IngressConfig) convertVirtualService(configs []common.WrapperConfig) []
 		vs := wrapperVS.VirtualService
 		vs.Gateways = gateways
 
+		// Sort, exact -> prefix -> regex
+		common.SortHTTPRoutes(routes)
+
 		for _, route := range routes {
 			vs.Http = append(vs.Http, route.HTTPRoute)
 		}
@@ -458,6 +519,18 @@ func (m *IngressConfig) convertEnvoyFilter(convertOptions *common.ConvertOptions
 				continue
 			}
 
+			http2rpc := route.WrapperConfig.AnnotationsConfig.Http2Rpc
+			if http2rpc != nil {
+				IngressLog.Infof("Found http2rpc for name %s", http2rpc.Name)
+				envoyFilter, err := m.constructHttp2RpcEnvoyFilter(http2rpc, route, m.namespace)
+				if err != nil {
+					IngressLog.Errorf("Construct http2rpc EnvoyFilter error %v", err)
+				} else {
+					IngressLog.Infof("Append http2rpc EnvoyFilter for name %s", http2rpc.Name)
+					envoyFilters = append(envoyFilters, *envoyFilter)
+				}
+			}
+
 			auth := route.WrapperConfig.AnnotationsConfig.Auth
 			if auth == nil {
 				continue
@@ -521,6 +594,7 @@ func (m *IngressConfig) convertServiceEntry([]common.WrapperConfig) []config.Con
 		return nil
 	}
 	serviceEntries := m.RegistryReconciler.GetAllServiceEntryWrapper()
+	IngressLog.Infof("Found http2rpc serviceEntries %s", serviceEntries)
 	out := make([]config.Config, 0, len(serviceEntries))
 	for _, se := range serviceEntries {
 		out = append(out, config.Config{
@@ -874,9 +948,7 @@ func (m *IngressConfig) AddOrUpdateMcpBridge(clusterNamespacedName util.ClusterN
 			clusterNamespacedName.Namespace, clusterNamespacedName.Name)
 		return
 	}
-	m.mutex.Lock()
-	m.mcpbridgeReconciled = false
-	m.mutex.Unlock()
+	m.mcpbridgeReconciled.Store(false)
 	if m.RegistryReconciler == nil {
 		m.RegistryReconciler = reconcile.NewReconciler(func() {
 			metadata := config.Meta{
@@ -890,15 +962,15 @@ func (m *IngressConfig) AddOrUpdateMcpBridge(clusterNamespacedName util.ClusterN
 				IngressLog.Debug("McpBridge triggerd serviceEntry update")
 				f(config.Config{Meta: metadata}, config.Config{Meta: metadata}, model.EventUpdate)
 			}
-		})
+		}, m.localKubeClient, m.namespace)
 	}
 	reconciler := m.RegistryReconciler
-	go func() {
-		reconciler.Reconcile(mcpbridge)
-		m.mutex.Lock()
-		m.mcpbridgeReconciled = true
-		m.mutex.Unlock()
-	}()
+	err = reconciler.Reconcile(mcpbridge)
+	if err != nil {
+		IngressLog.Errorf("Mcpbridge reconcile failed, err:%v", err)
+		return
+	}
+	m.mcpbridgeReconciled.Store(true)
 }
 
 func (m *IngressConfig) DeleteMcpBridge(clusterNamespacedName util.ClusterNamespacedName) {
@@ -912,6 +984,38 @@ func (m *IngressConfig) DeleteMcpBridge(clusterNamespacedName util.ClusterNamesp
 	}
 }
 
+func (m *IngressConfig) AddOrUpdateHttp2Rpc(clusterNamespacedName util.ClusterNamespacedName) {
+	if clusterNamespacedName.Namespace != m.namespace {
+		return
+	}
+	http2rpc, err := m.http2rpcLister.Http2Rpcs(clusterNamespacedName.Namespace).Get(clusterNamespacedName.Name)
+	if err != nil {
+		IngressLog.Errorf("http2rpc is not found, namespace:%s, name:%s",
+			clusterNamespacedName.Namespace, clusterNamespacedName.Name)
+		return
+	}
+	m.mutex.Lock()
+	m.http2rpcs[clusterNamespacedName.Name] = &http2rpc.Spec
+	m.mutex.Unlock()
+	IngressLog.Infof("AddOrUpdateHttp2Rpc http2rpc ingress name %s", clusterNamespacedName.Name)
+}
+
+func (m *IngressConfig) DeleteHttp2Rpc(clusterNamespacedName util.ClusterNamespacedName) {
+	if clusterNamespacedName.Namespace != m.namespace {
+		return
+	}
+	var hit bool
+	m.mutex.Lock()
+	if _, ok := m.http2rpcs[clusterNamespacedName.Name]; ok {
+		delete(m.http2rpcs, clusterNamespacedName.Name)
+		hit = true
+	}
+	m.mutex.Unlock()
+	if hit {
+		IngressLog.Debugf("Http2Rpc triggerd deleted %s", clusterNamespacedName.Name)
+	}
+}
+
 func (m *IngressConfig) ReflectSecretChanges(clusterNamespacedName util.ClusterNamespacedName) {
 	var hit bool
 	m.mutex.RLock()
@@ -996,6 +1100,188 @@ func (m *IngressConfig) applyCanaryIngresses(convertOptions *common.ConvertOptio
 	}
 }
 
+func (m *IngressConfig) constructHttp2RpcEnvoyFilter(http2rpcConfig *annotations.Http2RpcConfig, route *common.WrapperHTTPRoute, namespace string) (*config.Config, error) {
+	mappings := m.http2rpcs
+	IngressLog.Infof("Found http2rpc mappings %v", mappings)
+	if _, exist := mappings[http2rpcConfig.Name]; !exist {
+		IngressLog.Errorf("Http2RpcConfig name %s, not found Http2Rpc CRD", http2rpcConfig.Name)
+		return nil, errors.New("invalid http2rpcConfig has no useable http2rpc")
+	}
+	http2rpcCRD := mappings[http2rpcConfig.Name]
+
+	if http2rpcCRD.GetDubbo() == nil {
+		IngressLog.Errorf("Http2RpcConfig name %s, only support Http2Rpc CRD Dubbo Service type", http2rpcConfig.Name)
+		return nil, errors.New("invalid http2rpcConfig has no useable http2rpc")
+	}
+
+	httpRoute := route.HTTPRoute
+	httpRouteDestination := httpRoute.Route[0]
+	typeStruct, err := m.constructHttp2RpcMethods(http2rpcCRD.GetDubbo())
+	if err != nil {
+		return nil, errors.New(err.Error())
+	}
+
+	return &config.Config{
+		Meta: config.Meta{
+			GroupVersionKind: gvk.EnvoyFilter,
+			Name:             common.CreateConvertedName(constants.IstioIngressGatewayName, http2rpcConfig.Name),
+			Namespace:        namespace,
+		},
+		Spec: &networking.EnvoyFilter{
+			ConfigPatches: []*networking.EnvoyFilter_EnvoyConfigObjectPatch{
+				{
+					ApplyTo: networking.EnvoyFilter_HTTP_FILTER,
+					Match: &networking.EnvoyFilter_EnvoyConfigObjectMatch{
+						Context: networking.EnvoyFilter_GATEWAY,
+						ObjectTypes: &networking.EnvoyFilter_EnvoyConfigObjectMatch_Listener{
+							Listener: &networking.EnvoyFilter_ListenerMatch{
+								FilterChain: &networking.EnvoyFilter_ListenerMatch_FilterChainMatch{
+									Filter: &networking.EnvoyFilter_ListenerMatch_FilterMatch{
+										Name: "envoy.filters.network.http_connection_manager",
+										SubFilter: &networking.EnvoyFilter_ListenerMatch_SubFilterMatch{
+											Name: "envoy.filters.http.router",
+										},
+									},
+								},
+							},
+						},
+					},
+					Patch: &networking.EnvoyFilter_Patch{
+						Operation: networking.EnvoyFilter_Patch_INSERT_BEFORE,
+						Value: buildPatchStruct(`{
+							"name":"envoy.filters.http.http_dubbo_transcoder",
+							"typed_config":{
+								"@type":"type.googleapis.com/udpa.type.v1.TypedStruct",
+								"type_url":"type.googleapis.com/envoy.extensions.filters.http.http_dubbo_transcoder.v3.HttpDubboTranscoder"
+							}
+						}`),
+					},
+				},
+				{
+					ApplyTo: networking.EnvoyFilter_HTTP_ROUTE,
+					Match: &networking.EnvoyFilter_EnvoyConfigObjectMatch{
+						Context: networking.EnvoyFilter_GATEWAY,
+						ObjectTypes: &networking.EnvoyFilter_EnvoyConfigObjectMatch_RouteConfiguration{
+							RouteConfiguration: &networking.EnvoyFilter_RouteConfigurationMatch{
+								Vhost: &networking.EnvoyFilter_RouteConfigurationMatch_VirtualHostMatch{
+									Route: &networking.EnvoyFilter_RouteConfigurationMatch_RouteMatch{
+										Name: httpRoute.Name,
+									},
+								},
+							},
+						},
+					},
+					Patch: &networking.EnvoyFilter_Patch{
+						Operation: networking.EnvoyFilter_Patch_MERGE,
+						Value:     typeStruct,
+					},
+				},
+				{
+					ApplyTo: networking.EnvoyFilter_CLUSTER,
+					Match: &networking.EnvoyFilter_EnvoyConfigObjectMatch{
+						Context: networking.EnvoyFilter_GATEWAY,
+						ObjectTypes: &networking.EnvoyFilter_EnvoyConfigObjectMatch_Cluster{
+							Cluster: &networking.EnvoyFilter_ClusterMatch{
+								Service: httpRouteDestination.Destination.Host,
+							},
+						},
+					},
+					Patch: &networking.EnvoyFilter_Patch{
+						Operation: networking.EnvoyFilter_Patch_MERGE,
+						Value: buildPatchStruct(`{
+							"upstream_config": {
+								"name":"envoy.upstreams.http.dubbo_tcp",
+								"typed_config":{
+									"@type":"type.googleapis.com/udpa.type.v1.TypedStruct",
+									"type_url":"type.googleapis.com/envoy.extensions.upstreams.http.dubbo_tcp.v3.DubboTcpConnectionPoolProto"
+								}
+							}
+						}`),
+					},
+				},
+			},
+		},
+	}, nil
+}
+
+func (m *IngressConfig) constructHttp2RpcMethods(dubbo *higressv1.DubboService) (*types.Struct, error) {
+	httpRouterTemplate := `{
+		"route": {
+			"upgrade_configs": [
+				{
+					"connect_config": {
+						"allow_post": true
+					},
+					"upgrade_type": "CONNECT"
+				}
+			]
+		},
+		"typed_per_filter_config": {
+			"envoy.filters.http.http_dubbo_transcoder": {
+				"@type": "type.googleapis.com/udpa.type.v1.TypedStruct",
+				"type_url": "type.googleapis.com/envoy.extensions.filters.http.http_dubbo_transcoder.v3.HttpDubboTranscoder",
+				"value": {
+					"request_validation_options": {
+						"reject_unknown_method": true,
+						"reject_unknown_query_parameters": true
+					},
+					"services_mapping": %s,
+					"url_unescape_spec": "ALL_CHARACTERS_EXCEPT_RESERVED"
+				}
+			}
+		}
+	}`
+	var methods []interface{}
+	for _, serviceMethod := range dubbo.GetMethods() {
+		var method = make(map[string]interface{})
+		method["name"] = serviceMethod.GetServiceMethod()
+		var params []interface{}
+		for _, methodParam := range serviceMethod.GetParams() {
+			var param = make(map[string]interface{})
+			param["extract_key"] = methodParam.GetParamKey()
+			param["extract_key_spec"] = Http2RpcParamSourceMap()[methodParam.GetParamSource()]
+			param["mapping_type"] = methodParam.GetParamType()
+			params = append(params, param)
+		}
+		method["parameter_mapping"] = params
+		var path_matcher = make(map[string]interface{})
+		path_matcher["match_http_method_spec"] = Http2RpcMethodMap()[serviceMethod.HttpMethods[0]]
+		path_matcher["match_pattern"] = serviceMethod.GetHttpPath()
+		method["path_matcher"] = path_matcher
+		var passthrough_setting = make(map[string]interface{})
+		var headersAttach = serviceMethod.GetHeadersAttach()
+		if headersAttach == "" {
+			passthrough_setting["passthrough_all_headers"] = false
+		} else if headersAttach == "*" {
+			passthrough_setting["passthrough_all_headers"] = true
+		} else {
+			passthrough_setting["passthrough_headers"] = headersAttach
+		}
+		method["passthrough_setting"] = passthrough_setting
+		methods = append(methods, method)
+	}
+	var serviceMapping = make(map[string]interface{})
+	var dubboServiceGroup = dubbo.GetGroup()
+	if dubboServiceGroup != "" {
+		serviceMapping["group"] = dubboServiceGroup
+	}
+	serviceMapping["name"] = dubbo.GetService()
+	serviceMapping["version"] = dubbo.GetVersion()
+	serviceMapping["method_mapping"] = methods
+	strBuffer := new(bytes.Buffer)
+	serviceMappingJsonStr, _ := json.Marshal(serviceMapping)
+	fmt.Fprintf(strBuffer, httpRouterTemplate, string(serviceMappingJsonStr))
+	IngressLog.Infof("Found http2rpc buildHttp2RpcMethods %s", strBuffer.String())
+	result := buildPatchStruct(strBuffer.String())
+	return result, nil
+}
+
+func buildPatchStruct(config string) *types.Struct {
+	val := &types.Struct{}
+	_ = jsonpb.Unmarshal(strings.NewReader(config), val)
+	return val
+}
+
 func constructBasicAuthEnvoyFilter(rules *common.BasicAuthRules, namespace string) (*config.Config, error) {
 	rulesStr, err := json.Marshal(rules)
 	if err != nil {
@@ -1079,9 +1365,35 @@ func constructBasicAuthEnvoyFilter(rules *common.BasicAuthRules, namespace strin
 	}, nil
 }
 
+func QueryByName(serviceEntries []*memory.ServiceEntryWrapper, serviceName string) (*memory.ServiceEntryWrapper, error) {
+	IngressLog.Infof("Found http2rpc serviceEntries %s", serviceEntries)
+	for _, se := range serviceEntries {
+		if se.ServiceName == serviceName {
+			return se, nil
+		}
+	}
+	return nil, fmt.Errorf("can't find ServiceEntry by serviceName:%v", serviceName)
+}
+
+func QueryRpcServiceVersion(serviceEntry *memory.ServiceEntryWrapper, serviceName string) (string, error) {
+	IngressLog.Infof("Found http2rpc serviceEntry %s", serviceEntry)
+	IngressLog.Infof("Found http2rpc ServiceEntry %s", serviceEntry.ServiceEntry)
+	IngressLog.Infof("Found http2rpc WorkloadSelector %s", serviceEntry.ServiceEntry.WorkloadSelector)
+	IngressLog.Infof("Found http2rpc Labels %s", serviceEntry.ServiceEntry.WorkloadSelector.Labels)
+	labels := (*serviceEntry).ServiceEntry.WorkloadSelector.Labels
+	for key, value := range labels {
+		if key == "version" {
+			return value, nil
+		}
+	}
+	return "", fmt.Errorf("can't get RpcServiceVersion for serviceName:%v", serviceName)
+}
+
 func (m *IngressConfig) Run(stop <-chan struct{}) {
 	go m.mcpbridgeController.Run(stop)
 	go m.wasmPluginController.Run(stop)
+	go m.http2rpcController.Run(stop)
+	go m.configmapMgr.HigressConfigController.Run(stop)
 }
 
 func (m *IngressConfig) HasSynced() bool {
@@ -1092,12 +1404,18 @@ func (m *IngressConfig) HasSynced() bool {
 			return false
 		}
 	}
-	if !m.mcpbridgeController.HasSynced() || !m.mcpbridgeReconciled {
+	if !m.mcpbridgeController.HasSynced() || !m.mcpbridgeReconciled.Load() {
 		return false
 	}
 	if !m.wasmPluginController.HasSynced() {
 		return false
 	}
+	if !m.http2rpcController.HasSynced() {
+		return false
+	}
+	if !m.configmapMgr.HigressConfigController.HasSynced() {
+		return false
+	}
 	IngressLog.Info("Ingress config controller synced.")
 	return true
 }

pkg/ingress/kube/annotations/annotations.go

@@ -69,6 +69,8 @@ type Ingress struct {
 	Match *MatchConfig
 
 	HeaderControl *HeaderControlConfig
+
+	Http2Rpc *Http2RpcConfig
 }
 
 func (i *Ingress) NeedRegexMatch() bool {
@@ -149,6 +151,7 @@ func NewAnnotationHandlerManager() AnnotationHandler {
 			ignoreCaseMatching{},
 			match{},
 			headerControl{},
+			http2rpc{},
 		},
 		gatewayHandlers: []GatewayHandler{
 			downstreamTLS{},

pkg/ingress/kube/annotations/http2rpc.go

@@ -0,0 +1,53 @@
+// Copyright (c) 2023 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package annotations
+
+import (
+	. "github.com/alibaba/higress/pkg/ingress/log"
+)
+
+const (
+	http2rpcKey        = "http2rpc-name"
+	rpcDestinationName = "rpc-destination-name"
+)
+
+// help to conform http2rpc implements method of Parse
+var _ Parser = http2rpc{}
+
+type Http2RpcConfig struct {
+	Name string
+}
+
+type http2rpc struct{}
+
+func (a http2rpc) Parse(annotations Annotations, config *Ingress, _ *GlobalContext) error {
+	if !needHttp2RpcConfig(annotations) {
+		return nil
+	}
+	value, err := annotations.ParseStringForHigress(rpcDestinationName)
+	IngressLog.Infof("Parse http2rpc ingress name %s", value)
+	if err != nil {
+		IngressLog.Errorf("parse http2rpc error %v within ingress %s/%s", err, config.Namespace, config.Name)
+		return nil
+	}
+	config.Http2Rpc = &Http2RpcConfig{
+		Name: value,
+	}
+	return nil
+}
+
+func needHttp2RpcConfig(annotations Annotations) bool {
+	return annotations.HasHigress(rpcDestinationName)
+}

pkg/ingress/kube/annotations/http2rpc_test.go

@@ -0,0 +1,59 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package annotations
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+)
+
+func TestHttp2RpcParse(t *testing.T) {
+	parser := http2rpc{}
+
+	testCases := []struct {
+		input  Annotations
+		expect *Http2RpcConfig
+	}{
+		{
+			input:  Annotations{},
+			expect: nil,
+		},
+		{
+			input: Annotations{
+				buildHigressAnnotationKey(rpcDestinationName): "",
+			},
+			expect: nil,
+		},
+		{
+			input: Annotations{
+				buildHigressAnnotationKey(rpcDestinationName): "http-dubbo-alibaba-nacos-example-DemoService",
+			},
+			expect: &Http2RpcConfig{
+				Name: "http-dubbo-alibaba-nacos-example-DemoService",
+			},
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run("", func(t *testing.T) {
+			config := &Ingress{}
+			_ = parser.Parse(testCase.input, config, nil)
+			if diff := cmp.Diff(config.Http2Rpc, testCase.expect); diff != "" {
+				t.Fatalf("TestHttp2RpcParse() mismatch: (-want +got)\n%s", diff)
+			}
+		})
+	}
+}

pkg/ingress/kube/common/tool.go

@@ -170,7 +170,14 @@ func SortHTTPRoutes(routes []*WrapperHTTPRoute) {
 
 	isAllCatch := func(route *WrapperHTTPRoute) bool {
 		if route.OriginPathType == Prefix && route.OriginPath == "/" {
-			return true
+			if route.HTTPRoute.Match == nil {
+				return true
+			}
+
+			match := route.HTTPRoute.Match[0]
+			if len(match.Headers) == 0 && len(match.QueryParams) == 0 && match.Method == nil {
+				return true
+			}
 		}
 		return false
 	}

pkg/ingress/kube/configmap/config.go

@@ -0,0 +1,50 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package configmap
+
+import (
+	"encoding/json"
+)
+
+type Result int32
+
+const (
+	ResultNothing Result = iota
+	ResultReplace
+	ResultDelete
+
+	HigressConfigMapName = "higress-config"
+	HigressConfigMapKey  = "higress"
+
+	ModelUpdatedReason = "higress configmap updated"
+)
+
+type ItemEventHandler = func(name string)
+
+type HigressConfig struct {
+	Tracing *Tracing `json:"tracing,omitempty"`
+}
+
+func NewDefaultHigressConfig() *HigressConfig {
+	higressConfig := &HigressConfig{
+		Tracing: NewDefaultTracing(),
+	}
+	return higressConfig
+}
+
+func GetHigressConfigString(higressConfig *HigressConfig) string {
+	bytes, _ := json.Marshal(higressConfig)
+	return string(bytes)
+}

pkg/ingress/kube/configmap/controller.go

@@ -0,0 +1,202 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package configmap
+
+import (
+	"reflect"
+	"sync/atomic"
+
+	"github.com/alibaba/higress/pkg/ingress/kube/controller"
+	"github.com/alibaba/higress/pkg/ingress/kube/util"
+	. "github.com/alibaba/higress/pkg/ingress/log"
+	"istio.io/istio/pilot/pkg/model"
+	"istio.io/istio/pkg/config"
+	"istio.io/istio/pkg/config/schema/gvk"
+	kubeclient "istio.io/istio/pkg/kube"
+	"istio.io/istio/pkg/kube/controllers"
+	"k8s.io/apimachinery/pkg/types"
+	listersv1 "k8s.io/client-go/listers/core/v1"
+	"sigs.k8s.io/yaml"
+)
+
+type HigressConfigController controller.Controller[listersv1.ConfigMapNamespaceLister]
+
+func NewController(client kubeclient.Client, clusterId string, namespace string) HigressConfigController {
+	informer := client.KubeInformer().Core().V1().ConfigMaps().Informer()
+	return controller.NewCommonController("higressConfig", client.KubeInformer().Core().V1().ConfigMaps().Lister().ConfigMaps(namespace),
+		informer, GetConfigmap, clusterId)
+}
+
+func GetConfigmap(lister listersv1.ConfigMapNamespaceLister, namespacedName types.NamespacedName) (controllers.Object, error) {
+	return lister.Get(namespacedName.Name)
+}
+
+type ItemController interface {
+	GetName() string
+	AddOrUpdateHigressConfig(name util.ClusterNamespacedName, old *HigressConfig, new *HigressConfig) error
+	ValidHigressConfig(higressConfig *HigressConfig) error
+	ConstructEnvoyFilters() ([]*config.Config, error)
+	RegisterItemEventHandler(eventHandler ItemEventHandler)
+}
+
+type ConfigmapMgr struct {
+	Namespace               string
+	HigressConfigController HigressConfigController
+	HigressConfigLister     listersv1.ConfigMapNamespaceLister
+	higressConfig           atomic.Value
+	ItemControllers         []ItemController
+	XDSUpdater              model.XDSUpdater
+}
+
+func NewConfigmapMgr(XDSUpdater model.XDSUpdater, namespace string, higressConfigController HigressConfigController, higressConfigLister listersv1.ConfigMapNamespaceLister) *ConfigmapMgr {
+
+	configmapMgr := &ConfigmapMgr{
+		XDSUpdater:              XDSUpdater,
+		Namespace:               namespace,
+		HigressConfigController: higressConfigController,
+		HigressConfigLister:     higressConfigLister,
+		higressConfig:           atomic.Value{},
+	}
+	configmapMgr.HigressConfigController.AddEventHandler(configmapMgr.AddOrUpdateHigressConfig)
+	configmapMgr.SetHigressConfig(NewDefaultHigressConfig())
+
+	tracingController := NewTracingController(namespace)
+	configmapMgr.AddItemControllers(tracingController)
+	configmapMgr.initEventHandlers()
+
+	return configmapMgr
+}
+
+func (c *ConfigmapMgr) SetHigressConfig(higressConfig *HigressConfig) {
+	c.higressConfig.Store(higressConfig)
+}
+
+func (c *ConfigmapMgr) GetHigressConfig() *HigressConfig {
+	value := c.higressConfig.Load()
+	if value != nil {
+		if higressConfig, ok := value.(*HigressConfig); ok {
+			return higressConfig
+		}
+	}
+	return nil
+}
+
+func (c *ConfigmapMgr) AddItemControllers(controllers ...ItemController) {
+	c.ItemControllers = append(c.ItemControllers, controllers...)
+}
+
+func (c *ConfigmapMgr) AddOrUpdateHigressConfig(name util.ClusterNamespacedName) {
+	if name.Namespace != c.Namespace || name.Name != HigressConfigMapName {
+		return
+	}
+
+	IngressLog.Infof("configmapMgr AddOrUpdateHigressConfig")
+	higressConfigmap, err := c.HigressConfigLister.Get(HigressConfigMapName)
+	if err != nil {
+		IngressLog.Errorf("higress-config configmap is not found, namespace:%s, name:%s",
+			name.Namespace, name.Name)
+		return
+	}
+
+	if _, ok := higressConfigmap.Data[HigressConfigMapKey]; !ok {
+		return
+	}
+
+	newHigressConfig := NewDefaultHigressConfig()
+	if err = yaml.Unmarshal([]byte(higressConfigmap.Data[HigressConfigMapKey]), newHigressConfig); err != nil {
+		IngressLog.Errorf("data:%s,  convert to higress config error, error: %+v", higressConfigmap.Data[HigressConfigMapKey], err)
+		return
+	}
+
+	for _, itemController := range c.ItemControllers {
+		if itemErr := itemController.ValidHigressConfig(newHigressConfig); itemErr != nil {
+			IngressLog.Errorf("configmap %s controller valid higress config error, error: %+v", itemController.GetName(), itemErr)
+			return
+		}
+	}
+
+	oldHigressConfig := c.GetHigressConfig()
+	IngressLog.Infof("configmapMgr oldHigressConfig: %s", GetHigressConfigString(oldHigressConfig))
+	IngressLog.Infof("configmapMgr newHigressConfig: %s", GetHigressConfigString(newHigressConfig))
+	result, _ := c.CompareHigressConfig(oldHigressConfig, newHigressConfig)
+	IngressLog.Infof("configmapMgr CompareHigressConfig reuslt is %d", result)
+
+	if result == ResultNothing {
+		return
+	}
+
+	if result == ResultDelete {
+		newHigressConfig = NewDefaultHigressConfig()
+	}
+
+	if result == ResultReplace || result == ResultDelete {
+		// Pass AddOrUpdateHigressConfig to itemControllers
+		for _, itemController := range c.ItemControllers {
+			IngressLog.Infof("configmap %s controller AddOrUpdateHigressConfig", itemController.GetName())
+			if itemErr := itemController.AddOrUpdateHigressConfig(name, oldHigressConfig, newHigressConfig); itemErr != nil {
+				IngressLog.Errorf("configmap %s controller AddOrUpdateHigressConfig error, error: %+v", itemController.GetName(), itemErr)
+			}
+		}
+		c.SetHigressConfig(newHigressConfig)
+		IngressLog.Infof("configmapMgr higress config AddOrUpdate success, reuslt is %d", result)
+		// Call updateConfig
+	}
+
+}
+
+func (c *ConfigmapMgr) ConstructEnvoyFilters() ([]*config.Config, error) {
+	configs := make([]*config.Config, 0)
+	for _, itemController := range c.ItemControllers {
+		IngressLog.Infof("controller %s ConstructEnvoyFilters", itemController.GetName())
+		if itemConfigs, err := itemController.ConstructEnvoyFilters(); err != nil {
+			IngressLog.Errorf("controller %s ConstructEnvoyFilters error, error: %+v", itemController.GetName(), err)
+		} else {
+			configs = append(configs, itemConfigs...)
+		}
+	}
+	return configs, nil
+}
+
+func (c *ConfigmapMgr) CompareHigressConfig(old *HigressConfig, new *HigressConfig) (Result, error) {
+	if old == nil || new == nil {
+		return ResultNothing, nil
+	}
+
+	if !reflect.DeepEqual(old, new) {
+		return ResultReplace, nil
+	}
+
+	return ResultNothing, nil
+}
+
+func (c *ConfigmapMgr) initEventHandlers() error {
+	itemEventHandler := func(name string) {
+		c.XDSUpdater.ConfigUpdate(&model.PushRequest{
+			Full: true,
+			ConfigsUpdated: map[model.ConfigKey]struct{}{{
+				Kind:      gvk.EnvoyFilter,
+				Name:      name,
+				Namespace: c.Namespace,
+			}: {}},
+			Reason: []model.TriggerReason{ModelUpdatedReason},
+		})
+	}
+
+	for _, itemController := range c.ItemControllers {
+		itemController.RegisterItemEventHandler(itemEventHandler)
+	}
+
+	return nil
+}

pkg/ingress/kube/configmap/tracing.go

@@ -0,0 +1,408 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package configmap
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"reflect"
+	"sync/atomic"
+
+	"github.com/alibaba/higress/pkg/ingress/kube/util"
+	. "github.com/alibaba/higress/pkg/ingress/log"
+	networking "istio.io/api/networking/v1alpha3"
+	"istio.io/istio/pkg/config"
+	"istio.io/istio/pkg/config/schema/gvk"
+)
+
+const (
+	higressTracingEnvoyFilterName = "higress-config-tracing"
+	defaultTimeout                = 500
+	defaultSampling               = 100.0
+)
+
+type Tracing struct {
+	// Flag to control trace
+	Enable bool `json:"enable,omitempty"`
+	// The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation,
+	// if not requested by the client or not forced. Default is 100.0.
+	Sampling float64 `json:"sampling,omitempty"`
+	// The timeout for the gRPC request. Default is 500ms
+	Timeout int32 `json:"timeout,omitempty"`
+	// The tracer implementation to be used by Envoy.
+	//
+	// Types that are assignable to Tracer:
+	Zipkin        *Zipkin        `json:"zipkin,omitempty"`
+	Skywalking    *Skywalking    `json:"skywalking,omitempty"`
+	OpenTelemetry *OpenTelemetry `json:"opentelemetry,omitempty"`
+}
+
+// Zipkin defines configuration for a Zipkin tracer.
+type Zipkin struct {
+	// Address of the Zipkin service (e.g. _zipkin:9411_).
+	Service string `json:"service,omitempty"`
+	Port    string `json:"port,omitempty"`
+}
+
+// Skywalking Defines configuration for a Skywalking tracer.
+type Skywalking struct {
+	// Address of the Skywalking tracer.
+	Service string `json:"service,omitempty"`
+	Port    string `json:"port,omitempty"`
+	// The access token
+	AccessToken string `json:"access_token,omitempty"`
+}
+
+// OpenTelemetry Defines configuration for a OpenTelemetry tracer.
+type OpenTelemetry struct {
+	// Address of OpenTelemetry tracer.
+	Service string `json:"service,omitempty"`
+	Port    string `json:"port,omitempty"`
+}
+
+func validServiceAndPort(service string, port string) bool {
+	if len(service) == 0 || len(port) == 0 {
+		return false
+	}
+	return true
+}
+
+func validTracing(t *Tracing) error {
+	if t == nil {
+		return nil
+	}
+	if t.Timeout <= 0 {
+		return errors.New("timeout can not be less than zero")
+	}
+
+	if t.Sampling < 0 || t.Sampling > 100 {
+		return errors.New("sampling must be in (0.0 - 100.0)")
+	}
+
+	tracerNum := 0
+	if t.Zipkin != nil {
+		if validServiceAndPort(t.Zipkin.Service, t.Zipkin.Port) {
+			tracerNum++
+		} else {
+			return errors.New("zipkin service and port can not be empty")
+		}
+	}
+
+	if t.Skywalking != nil {
+		if validServiceAndPort(t.Skywalking.Service, t.Skywalking.Port) {
+			tracerNum++
+		} else {
+			return errors.New("skywalking service and port can not be empty")
+		}
+	}
+
+	if t.OpenTelemetry != nil {
+		if validServiceAndPort(t.OpenTelemetry.Service, t.OpenTelemetry.Port) {
+			tracerNum++
+		} else {
+			return errors.New("opentelemetry service and port can not be empty")
+		}
+	}
+
+	if tracerNum != 1 {
+		return errors.New("only one of skywalking，zipkin and opentelemetry configuration can be set")
+	}
+	return nil
+}
+
+func compareTracing(old *Tracing, new *Tracing) (Result, error) {
+	if old == nil && new == nil {
+		return ResultNothing, nil
+	}
+
+	if new == nil {
+		return ResultDelete, nil
+	}
+
+	if !reflect.DeepEqual(old, new) {
+		return ResultReplace, nil
+	}
+
+	return ResultNothing, nil
+}
+
+func deepCopyTracing(tracing *Tracing) (*Tracing, error) {
+	newTracing := NewDefaultTracing()
+	bytes, err := json.Marshal(tracing)
+	if err != nil {
+		return nil, err
+	}
+	err = json.Unmarshal(bytes, newTracing)
+	return newTracing, err
+}
+
+func NewDefaultTracing() *Tracing {
+	tracing := &Tracing{
+		Enable:   false,
+		Timeout:  defaultTimeout,
+		Sampling: defaultSampling,
+	}
+	return tracing
+}
+
+type TracingController struct {
+	Namespace    string
+	tracing      atomic.Value
+	Name         string
+	eventHandler ItemEventHandler
+}
+
+func NewTracingController(namespace string) *TracingController {
+	tracingMgr := &TracingController{
+		Namespace: namespace,
+		tracing:   atomic.Value{},
+		Name:      "tracing",
+	}
+	tracingMgr.SetTracing(NewDefaultTracing())
+	return tracingMgr
+}
+
+func (t *TracingController) SetTracing(tracing *Tracing) {
+	t.tracing.Store(tracing)
+}
+
+func (t *TracingController) GetTracing() *Tracing {
+	value := t.tracing.Load()
+	if value != nil {
+		if tracing, ok := value.(*Tracing); ok {
+			return tracing
+		}
+	}
+	return nil
+}
+
+func (t *TracingController) GetName() string {
+	return t.Name
+}
+
+func (t *TracingController) AddOrUpdateHigressConfig(name util.ClusterNamespacedName, old *HigressConfig, new *HigressConfig) error {
+	if err := validTracing(new.Tracing); err != nil {
+		IngressLog.Errorf("data:%+v convert to tracing , error: %+v", new.Tracing, err)
+		return nil
+	}
+
+	result, _ := compareTracing(old.Tracing, new.Tracing)
+
+	switch result {
+	case ResultReplace:
+		if newTracing, err := deepCopyTracing(new.Tracing); err != nil {
+			IngressLog.Infof("tracing deepcopy error:%v", err)
+		} else {
+			t.SetTracing(newTracing)
+			IngressLog.Infof("AddOrUpdate Higress config tracing")
+			t.eventHandler(higressTracingEnvoyFilterName)
+			IngressLog.Infof("send event with filter name:%s", higressTracingEnvoyFilterName)
+		}
+	case ResultDelete:
+		t.SetTracing(NewDefaultTracing())
+		IngressLog.Infof("Delete Higress config tracing")
+		t.eventHandler(higressTracingEnvoyFilterName)
+		IngressLog.Infof("send event with filter name:%s", higressTracingEnvoyFilterName)
+	}
+
+	return nil
+}
+
+func (t *TracingController) ValidHigressConfig(higressConfig *HigressConfig) error {
+	if higressConfig == nil {
+		return nil
+	}
+	if higressConfig.Tracing == nil {
+		return nil
+	}
+
+	return validTracing(higressConfig.Tracing)
+}
+
+func (t *TracingController) RegisterItemEventHandler(eventHandler ItemEventHandler) {
+	t.eventHandler = eventHandler
+}
+
+func (t *TracingController) ConstructEnvoyFilters() ([]*config.Config, error) {
+	configs := make([]*config.Config, 0)
+	tracing := t.GetTracing()
+	namespace := t.Namespace
+
+	if tracing == nil {
+		return configs, nil
+	}
+
+	if tracing.Enable == false {
+		return configs, nil
+	}
+
+	tracingConfig := t.constructTracingTracer(tracing, namespace)
+	if len(tracingConfig) == 0 {
+		return configs, nil
+	}
+
+	config := &config.Config{
+		Meta: config.Meta{
+			GroupVersionKind: gvk.EnvoyFilter,
+			Name:             higressTracingEnvoyFilterName,
+			Namespace:        namespace,
+		},
+		Spec: &networking.EnvoyFilter{
+			ConfigPatches: []*networking.EnvoyFilter_EnvoyConfigObjectPatch{
+				{
+					ApplyTo: networking.EnvoyFilter_NETWORK_FILTER,
+					Match: &networking.EnvoyFilter_EnvoyConfigObjectMatch{
+						Context: networking.EnvoyFilter_GATEWAY,
+						ObjectTypes: &networking.EnvoyFilter_EnvoyConfigObjectMatch_Listener{
+							Listener: &networking.EnvoyFilter_ListenerMatch{
+								FilterChain: &networking.EnvoyFilter_ListenerMatch_FilterChainMatch{
+									Filter: &networking.EnvoyFilter_ListenerMatch_FilterMatch{
+										Name: "envoy.filters.network.http_connection_manager",
+									},
+								},
+							},
+						},
+					},
+					Patch: &networking.EnvoyFilter_Patch{
+						Operation: networking.EnvoyFilter_Patch_MERGE,
+						Value:     util.BuildPatchStruct(tracingConfig),
+					},
+				},
+				{
+					ApplyTo: networking.EnvoyFilter_HTTP_FILTER,
+					Match: &networking.EnvoyFilter_EnvoyConfigObjectMatch{
+						Context: networking.EnvoyFilter_GATEWAY,
+						ObjectTypes: &networking.EnvoyFilter_EnvoyConfigObjectMatch_Listener{
+							Listener: &networking.EnvoyFilter_ListenerMatch{
+								FilterChain: &networking.EnvoyFilter_ListenerMatch_FilterChainMatch{
+									Filter: &networking.EnvoyFilter_ListenerMatch_FilterMatch{
+										Name: "envoy.filters.network.http_connection_manager",
+										SubFilter: &networking.EnvoyFilter_ListenerMatch_SubFilterMatch{
+											Name: "envoy.filters.http.router",
+										},
+									},
+								},
+							},
+						},
+					},
+					Patch: &networking.EnvoyFilter_Patch{
+						Operation: networking.EnvoyFilter_Patch_MERGE,
+						Value: util.BuildPatchStruct(`{
+							"name":"envoy.filters.http.router",
+							"typed_config":{
+								"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router",
+								"start_child_span": true
+							}
+						}`),
+					},
+				},
+			},
+		},
+	}
+
+	configs = append(configs, config)
+	return configs, nil
+}
+
+func (t *TracingController) constructTracingTracer(tracing *Tracing, namespace string) string {
+	tracingConfig := ""
+	timeout := float32(tracing.Timeout) / 1000
+	if tracing.Skywalking != nil {
+		skywalking := tracing.Skywalking
+		tracingConfig = fmt.Sprintf(`{
+	"name": "envoy.filters.network.http_connection_manager",
+	"typed_config": {
+		"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
+		"tracing": {
+			"provider": {
+				"name": "envoy.tracers.skywalking",
+				"typed_config": {
+					"@type": "type.googleapis.com/envoy.config.trace.v3.SkyWalkingConfig",
+					"client_config": {
+						"service_name": "higress-gateway.%s",
+                        "backend_token": "%s"
+					},
+					"grpc_service": {
+						"envoy_grpc": {
+							"cluster_name": "outbound|%s||%s"
+						},
+						"timeout": "%.3fs"
+					}
+				}
+			},
+			"random_sampling": {
+				"value": %.1f
+			}
+		}
+	}
+}`, namespace, skywalking.AccessToken, skywalking.Port, skywalking.Service, timeout, tracing.Sampling)
+	}
+
+	if tracing.Zipkin != nil {
+		zipkin := tracing.Zipkin
+		tracingConfig = fmt.Sprintf(`{
+	"name": "envoy.filters.network.http_connection_manager",
+	"typed_config": {
+		"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
+		"tracing": {
+			"provider": {
+				"name": "envoy.tracers.zipkin",
+				"typed_config": {
+					"@type": "type.googleapis.com/envoy.config.trace.v3.ZipkinConfig",
+                    "collector_cluster": "outbound|%s||%s",
+                    "collector_endpoint": "/api/v2/spans",
+                    "collector_hostname": "higress-gateway",
+                    "collector_endpoint_version": "HTTP_JSON",
+                    "split_spans_for_request": true
+				}
+			},
+			"random_sampling": {
+				"value": %.1f
+			}
+		}
+	}
+}`, zipkin.Port, zipkin.Service, tracing.Sampling)
+	}
+
+	if tracing.OpenTelemetry != nil {
+		opentelemetry := tracing.OpenTelemetry
+		tracingConfig = fmt.Sprintf(`{
+	"name": "envoy.filters.network.http_connection_manager",
+	"typed_config": {
+		"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
+		"tracing": {
+			"provider": {
+				"name": "envoy.tracers.opentelemetry",
+				"typed_config": {
+					"@type": "type.googleapis.com/envoy.config.trace.v3.OpenTelemetryConfig",
+					"service_name": "higress-gateway.%s"
+					"grpc_service": {
+						"envoy_grpc": {
+							"cluster_name": "outbound|%s||%s"
+						},
+						"timeout": "%.3fs"
+					}
+				}
+			},
+			"random_sampling": {
+				"value": %.1f
+			}
+		}
+	}
+}`, namespace, opentelemetry.Port, opentelemetry.Service, timeout, tracing.Sampling)
+	}
+	return tracingConfig
+}

pkg/ingress/kube/http2rpc/controller.go

@@ -0,0 +1,36 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package http2rpc
+
+import (
+	"istio.io/istio/pkg/kube/controllers"
+	"k8s.io/apimachinery/pkg/types"
+
+	listersv1 "github.com/alibaba/higress/client/pkg/listers/networking/v1"
+	"github.com/alibaba/higress/pkg/ingress/kube/controller"
+	kubeclient "github.com/alibaba/higress/pkg/kube"
+)
+
+type Http2RpcController controller.Controller[listersv1.Http2RpcLister]
+
+func NewController(client kubeclient.Client, clusterId string) Http2RpcController {
+	informer := client.HigressInformer().Networking().V1().Http2Rpcs().Informer()
+	return controller.NewCommonController("http2rpc", client.HigressInformer().Networking().V1().Http2Rpcs().Lister(),
+		informer, GetHttp2Rpc, clusterId)
+}
+
+func GetHttp2Rpc(lister listersv1.Http2RpcLister, namespacedName types.NamespacedName) (controllers.Object, error) {
+	return lister.Http2Rpcs(namespacedName.Namespace).Get(namespacedName.Name)
+}

pkg/ingress/kube/ingress/controller.go

@@ -293,8 +293,9 @@ func (c *controller) HasSynced() bool {
 }
 
 func (c *controller) List() []config.Config {
+	c.mutex.RLock()
 	out := make([]config.Config, 0, len(c.ingresses))
-
+	c.mutex.RUnlock()
 	for _, raw := range c.ingressInformer.GetStore().List() {
 		ing, ok := raw.(*ingress.Ingress)
 		if !ok {

pkg/ingress/kube/ingressv1/controller.go

@@ -599,11 +599,6 @@ func (c *controller) ConvertHTTPRoute(convertOptions *common.ConvertOptions, wra
 		} else {
 			convertOptions.HTTPRoutes[rule.Host] = wrapperHttpRoutes
 		}
-
-		// Sort, exact -> prefix -> regex
-		routes := convertOptions.HTTPRoutes[rule.Host]
-		IngressLog.Debugf("routes of host %s is %v", rule.Host, routes)
-		common.SortHTTPRoutes(routes)
 	}
 
 	return nil

pkg/ingress/kube/mcpbridge/controller.go

@@ -15,16 +15,9 @@
 package mcpbridge
 
 import (
-	"time"
-
 	"istio.io/istio/pkg/kube/controllers"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/client-go/tools/cache"
 
-	v1 "github.com/alibaba/higress/client/pkg/apis/networking/v1"
-	"github.com/alibaba/higress/client/pkg/clientset/versioned"
-	informersv1 "github.com/alibaba/higress/client/pkg/informers/externalversions/networking/v1"
 	listersv1 "github.com/alibaba/higress/client/pkg/listers/networking/v1"
 	"github.com/alibaba/higress/pkg/ingress/kube/controller"
 	kubeclient "github.com/alibaba/higress/pkg/kube"
@@ -33,11 +26,8 @@ import (
 type McpBridgeController controller.Controller[listersv1.McpBridgeLister]
 
 func NewController(client kubeclient.Client, clusterId string) McpBridgeController {
-	informer := client.HigressInformer().InformerFor(&v1.McpBridge{}, func(k versioned.Interface, resync time.Duration) cache.SharedIndexInformer {
-		return informersv1.NewMcpBridgeInformer(k, metav1.NamespaceAll, resync,
-			cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc})
-	})
-	return controller.NewCommonController("mcpbridge", listersv1.NewMcpBridgeLister(informer.GetIndexer()),
+	informer := client.HigressInformer().Networking().V1().McpBridges().Informer()
+	return controller.NewCommonController("mcpbridge", client.HigressInformer().Networking().V1().McpBridges().Lister(),
 		informer, GetMcpBridge, clusterId)
 }
 

pkg/ingress/kube/util/util.go

@@ -22,6 +22,7 @@ import (
 	"fmt"
 	"path"
 	"strings"
+	"os"
 
 	"github.com/gogo/protobuf/types"
 	"github.com/golang/protobuf/jsonpb"
@@ -30,6 +31,7 @@ import (
 )
 
 const DefaultDomainSuffix = "cluster.local"
+var domainSuffix = os.Getenv("DOMAIN_SUFFIX")
 
 type ClusterNamespacedName struct {
 	model.NamespacedName
@@ -80,5 +82,14 @@ func MessageToGoGoStruct(msg proto.Message) (*types.Struct, error) {
 }
 
 func CreateServiceFQDN(namespace, name string) string {
-	return fmt.Sprintf("%s.%s.svc.%s", name, namespace, DefaultDomainSuffix)
+        if domainSuffix == "" {
+        	domainSuffix = DefaultDomainSuffix
+        }
+	return fmt.Sprintf("%s.%s.svc.%s", name, namespace, domainSuffix)
+}
+
+func BuildPatchStruct(config string) *types.Struct {
+	val := &types.Struct{}
+	_ = jsonpb.Unmarshal(strings.NewReader(config), val)
+	return val
 }

pkg/ingress/kube/wasmplugin/controller.go

@@ -15,16 +15,9 @@
 package wasmplugin
 
 import (
-	"time"
-
 	"istio.io/istio/pkg/kube/controllers"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/client-go/tools/cache"
 
-	v1 "github.com/alibaba/higress/client/pkg/apis/extensions/v1alpha1"
-	"github.com/alibaba/higress/client/pkg/clientset/versioned"
-	informersv1 "github.com/alibaba/higress/client/pkg/informers/externalversions/extensions/v1alpha1"
 	listersv1 "github.com/alibaba/higress/client/pkg/listers/extensions/v1alpha1"
 	"github.com/alibaba/higress/pkg/ingress/kube/controller"
 	kubeclient "github.com/alibaba/higress/pkg/kube"
@@ -33,11 +26,8 @@ import (
 type WasmPluginController controller.Controller[listersv1.WasmPluginLister]
 
 func NewController(client kubeclient.Client, clusterId string) WasmPluginController {
-	informer := client.HigressInformer().InformerFor(&v1.WasmPlugin{}, func(k versioned.Interface, resync time.Duration) cache.SharedIndexInformer {
-		return informersv1.NewWasmPluginInformer(k, metav1.NamespaceAll, resync,
-			cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc})
-	})
-	return controller.NewCommonController("wasmplugin", listersv1.NewWasmPluginLister(informer.GetIndexer()),
+	informer := client.HigressInformer().Extensions().V1alpha1().WasmPlugins().Informer()
+	return controller.NewCommonController("wasmplugin", client.HigressInformer().Extensions().V1alpha1().WasmPlugins().Lister(),
 		informer, GetWasmPlugin, clusterId)
 }
 

plugins/wasm-cpp/Dockerfile

@@ -0,0 +1,16 @@
+ARG BUILDER=higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/build-tools-proxy:release-1.12-2021-12-09T23-01-43
+FROM $BUILDER as builder
+
+ARG PLUGIN_NAME
+
+WORKDIR /workspace
+
+COPY . .
+
+RUN bazel build //extensions/$PLUGIN_NAME:$PLUGIN_NAME.wasm
+
+FROM scratch as output
+
+ARG PLUGIN_NAME
+
+COPY --from=builder /workspace/bazel-bin/extensions/$PLUGIN_NAME/$PLUGIN_NAME.wasm plugin.wasm

plugins/wasm-cpp/Makefile

@@ -0,0 +1,14 @@
+PLUGIN_NAME ?= key_auth
+BUILD_TIME := $(shell date "+%Y%m%d-%H%M%S")
+COMMIT_ID := $(shell git rev-parse --short HEAD 2>/dev/null)
+IMAGE_TAG = $(if $(strip $(PLUGIN_VERSION)),${PLUGIN_VERSION},${BUILD_TIME}-${COMMIT_ID})
+IMG ?= ${REGISTRY}${PLUGIN_NAME}:${IMAGE_TAG}
+
+.PHONY: build
+build:
+	DOCKER_BUILDKIT=1 docker build --build-arg PLUGIN_NAME=${PLUGIN_NAME} \
+	                            -t ${IMG} \
+	                            --output extensions/${PLUGIN_NAME} \
+	                            .
+	@echo ""
+	@echo "output wasm file: extensions/${PLUGIN_NAME}/plugin.wasm"

plugins/wasm-cpp/README.md

@@ -0,0 +1,170 @@
+[English](./README_EN.md)
+
+## 介绍
+
+此 SDK 用于使用 CPP 语言开发 Higress 的 Wasm 插件。
+
+## 使用 Higress wasm-cpp builder 快速构建
+
+使用以下命令可以快速构建 wasm-cpp 插件:
+
+```bash
+$ PLUGIN_NAME=request_block make build
+```
+
+<details>
+<summary>输出结果</summary>
+<pre><code>
+DOCKER_BUILDKIT=1 docker build --build-arg PLUGIN_NAME=request_block \
+                                    -t request_block:20230721-141120-aa17e95 \
+                                    --output extensions/request_block \
+                                    .
+[+] Building 2.3s (10/10) FINISHED 
+
+output wasm file: extensions/request_block/plugin.wasm
+</code></pre>
+</details>
+
+该命令最终构建出一个 wasm 文件和一个 Docker image。
+这个本地的 wasm 文件被输出到了指定的插件的目录下，可以直接用于调试。
+
+### 参数说明
+
+| 参数名称          | 可选/必须 | 默认值                                       | 含义                                                          |
+|---------------|-------|-------------------------------------------|----------------------------------------------------------------------|
+| `PLUGIN_NAME` | 可选的   | hello-world                               | 要构建的插件名称。                                                    |
+| `IMG`         | 可选的   | 如不设置则根据仓库地址、插件名称、构建时间以及 git commit id 生成。 | 生成的镜像名称。如非空，则会覆盖`REGISTRY` 参           |
+
+## 创建 WasmPlugin 资源使插件生效
+
+编写 WasmPlugin 资源如下：
+
+```yaml
+apiVersion: extensions.higress.io/v1alpha1
+kind: WasmPlugin
+metadata:
+  name: request-block
+  namespace: higress-system
+spec:
+  defaultConfig:
+    block_urls:
+    - "swagger.html"
+  url: oci://<your_registry_hub>/request_block:1.0.0  # 之前构建和推送的 image 地址
+```
+
+使用 `kubectl apply -f <your-wasm-plugin-yaml>` 使资源生效。
+资源生效后，如果请求url携带 `swagger.html`, 则这个请求就会被拒绝，例如：
+
+```bash
+curl <your_gateway_address>/api/user/swagger.html
+```
+
+```text
+HTTP/1.1 403 Forbidden
+date: Wed, 09 Nov 2022 12:12:32 GMT
+server: istio-envoy
+content-length: 0
+```
+
+如果需要进一步控制插件的执行阶段和顺序
+
+可以阅读此 [文档](https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/) 了解更多关于 wasmplugin 的配置
+
+## 路由级或域名级生效
+
+```yaml
+apiVersion: extensions.higress.io/v1alpha1
+kind: WasmPlugin
+metadata:
+  name: request-block
+  namespace: higress-system
+spec:
+  defaultConfig:
+   # 跟上面例子一样，这个配置会全局生效，但如果被下面规则匹配到，则会改为执行命中规则的配置
+   block_urls:
+   - "swagger.html"
+  matchRules:
+   # 路由级生效配置
+  - ingress:
+    - default/foo
+     # default 命名空间下名为 foo 的 ingress 会执行下面这个配置
+    config:
+      block_bodies:
+      - "foo"
+  - ingress:
+    - default/bar
+    # default 命名空间下名为 bar 的 ingress 会执行下面这个配置
+    config:
+      block_bodies:
+      - "bar"
+   # 域名级生效配置
+  - domain:
+    - "*.example.com"
+    # 若请求匹配了上面的域名, 会执行下面这个配置
+    config:
+      block_bodies:
+      - "foo"
+      - "bar"
+  url: oci://<your_registry_hub>/request_block:1.0.0
+```
+
+所有规则会按上面配置的顺序一次执行匹配，当有一个规则匹配时，就停止匹配，并选择匹配的配置执行插件逻辑。
+
+## E2E测试
+
+当你完成一个GO语言的插件功能时, 可以同时创建关联的e2e test cases, 并在本地对插件功能完成测试验证。
+
+### step1. 编写 test cases
+在目录./test/e2e/conformance下面, 分别添加xxx.yaml文件和xxx.go文件, 比如测试插件request-block
+
+./test/e2e/conformance/tests/cpp-request_block.yaml
+```
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+...
+...
+spec:
+  defaultConfig:
+    block_urls:
+    - "swagger.html"
+  url: file:///opt/plugins/wasm-cpp/extensions/request_block/plugin.wasm
+```
+`其中url中extensions后面的'request-block'为插件所在文件夹名称`
+
+./test/e2e/conformance/tests/cpp-request_block.go
+
+### step2. 添加 test cases
+将上述所写test cases添加到e2e测试列表中,
+
+./test/e2e/e2e_test.go
+
+```
+...
+cSuite.Setup(t)
+	var higressTests []suite.ConformanceTest
+
+	if *isWasmPluginTest {
+		if strings.Compare(*wasmPluginType, "CPP") == 0 {
+			m := make(map[string]suite.ConformanceTest)
+			m["request_block"] = tests.CPPWasmPluginsRequestBlock
+			m["key_auth"] = tests.CPPWasmPluginsKeyAuth
+        //这里新增你新写的case方法名称
+
+			higressTests = []suite.ConformanceTest{
+				m[*wasmPluginName],
+			}
+		} else {
+			higressTests = []suite.ConformanceTest{
+				tests.WasmPluginsRequestBlock,
+			}
+		}
+	} else {
+...
+```
+
+### step3. 编译插件并执行 test cases
+考虑到本地构建wasm比较耗时, 我们支持只构建需要测试的插件(同时你也可以临时修改上面第二小步的测试cases列表, 只执行你新写的case)。
+
+```bash
+PLUGIN_TYPE=CPP PLUGIN_NAME=request_block make higress-wasmplugin-test
+```

plugins/wasm-cpp/README_EN.md

@@ -0,0 +1,172 @@
+## Intro
+
+This SDK is used to develop the WASM Plugins for Higress in Go.
+
+## Quick build with Higress wasm-go builder
+
+The wasm-go plugin can be built quickly with the following command:
+
+```bash
+$ PLUGIN_NAME=request_block make build
+```
+
+<details>
+<summary>Output</summary>
+<pre><code>
+
+DOCKER_BUILDKIT=1 docker build --build-arg PLUGIN_NAME=request_block \
+                                    -t request_block:20230721-141120-aa17e95 \
+                                    --output extensions/request_block \
+                                    .
+[+] Building 2.3s (10/10) FINISHED 
+
+output wasm file: extensions/request_block/plugin.wasm
+</code></pre>
+</details>
+
+This command eventually builds a wasm file and a Docker image.
+This local wasm file is exported to the specified plugin's directory and can be used directly for debugging.
+
+### Environmental parameters
+
+| Name          | Optional/Required | Default                                                                                                      | meaning                                                                                                                                            |
+|---------------|---------------|------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------|
+| `PLUGIN_NAME` | Optional      | hello-world                                                              | The name of the plugin to build.      |
+| `IMG`         | Optional      | If it is empty, it is generated based on the repository address, plugin name, build time, and git commit id. | The generated image tag will override the `REGISTRY` parameter if it is not empty. |
+
+## Apply WasmPlugin API
+
+Read this [document](https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/) to learn more about wasmplugin.
+
+Create a WasmPlugin API resource:
+
+```yaml
+apiVersion: extensions.higress.io/v1alpha1
+kind: WasmPlugin
+metadata:
+  name: request-block
+  namespace: higress-system
+spec:
+  defaultConfig:
+    block_urls:
+    - "swagger.html"
+  url: oci://<your_registry_hub>/request-block:1.0.0
+```
+
+When the resource is applied on the Kubernetes cluster with `kubectl apply -f <your-wasm-plugin-yaml>`,
+the request will be blocked if the string `swagger.html` in the url. 
+
+```bash
+curl <your_gateway_address>/api/user/swagger.html
+```
+
+```text
+HTTP/1.1 403 Forbidden
+date: Wed, 09 Nov 2022 12:12:32 GMT
+server: istio-envoy
+content-length: 0
+```
+
+## route-level & domain-level takes effect
+
+```yaml
+apiVersion: extensions.higress.io/v1alpha1
+kind: WasmPlugin
+metadata:
+  name: request-block
+  namespace: higress-system
+spec:
+  defaultConfig:
+   # this config will take effect globally (all incoming requests not matched by rules below)
+   block_urls:
+   - "swagger.html"
+  matchRules:
+  # ingress-level takes effect
+  - ingress:
+    - default/foo
+    # the ingress foo in namespace default will use this config
+    config:
+      block_bodies:
+      - "foo"
+  - ingress:
+    - default/bar
+    # the ingress bar in namespace default will use this config
+    config:
+      block_bodies:
+      - "bar"
+  # domain-level takes effect
+  - domain:
+    - "*.example.com"
+    # if the request's domain matched, this config will be used
+    config:
+      block_bodies:
+       - "foo"
+       - "bar"
+  url: oci://<your_registry_hub>/request-block:1.0.0
+```
+
+The rules will be matched in the order of configuration. If one match is found, it will stop, and the matching configuration will take effect.
+
+## E2E test
+
+When you complete a GO plug-in function, you can create associated e2e test cases at the same time, and complete the test verification of the plug-in function locally.
+
+### step1. write test cases
+
+In the directory of `./ test/e2e/conformance/tests/`, add the xxx.yaml file and xxx.go file. Such as test for `request-block` wasm-plugin,
+
+./test/e2e/conformance/tests/request-block.yaml
+
+``` yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+...
+...
+spec:
+  defaultConfig:
+    block_urls:
+    - "swagger.html"
+  url: file:///opt/plugins/wasm-go/extensions/request-block/plugin.wasm
+```
+
+`Above of the url, the name of after extensions indicates the name of the folder where the plug-in resides.`
+
+./test/e2e/conformance/tests/request-block.go
+
+### step2. add test cases
+
+Add the test cases written above to the e2e test list,
+
+./test/e2e/e2e_test.go
+
+```go
+...
+cSuite.Setup(t)
+	var higressTests []suite.ConformanceTest
+
+	if *isWasmPluginTest {
+		if strings.Compare(*wasmPluginType, "CPP") == 0 {
+			m := make(map[string]suite.ConformanceTest)
+			m["request_block"] = tests.CPPWasmPluginsRequestBlock
+			m["key_auth"] = tests.CPPWasmPluginsKeyAuth
+        //Add your newly written case method name here
+
+			higressTests = []suite.ConformanceTest{
+				m[*wasmPluginName],
+			}
+		} else {
+			higressTests = []suite.ConformanceTest{
+				tests.WasmPluginsRequestBlock,
+			}
+		}
+	} else {
+...
+```
+
+### step3. compile and run test cases
+
+Considering that building wasm locally is time-consuming, we support building only the plug-ins that need to be tested (at the same time, you can also temporarily modify the list of test cases in the second small step above, and only execute your newly written cases).
+
+```bash
+PLUGIN_TYPE=CPP PLUGIN_NAME=request_block make higress-wasmplugin-test
+```

plugins/wasm-go/Dockerfile

@@ -1,4 +1,4 @@
-ARG BUILDER=higress-registry.cn-hangzhou.cr.aliyuncs.com/plugins/wasm-go-builder:go1.19-tinygo0.25.0-oras1.0.0
+ARG BUILDER=higress-registry.cn-hangzhou.cr.aliyuncs.com/plugins/wasm-go-builder:go1.19-tinygo0.28.1-oras1.0.0
 FROM $BUILDER as builder
 
 
@@ -14,7 +14,7 @@ COPY . .
 WORKDIR /workspace/extensions/$PLUGIN_NAME
 
 RUN go mod tidy
-RUN tinygo build -o /main.wasm -scheduler=none -target=wasi ./main.go
+RUN tinygo build -o /main.wasm -scheduler=none -gc=custom -tags='custommalloc nottinygc_finalizer' -target=wasi ./main.go
 
 FROM scratch as output
 

plugins/wasm-go/Makefile

@@ -1,11 +1,12 @@
 PLUGIN_NAME ?= hello-world
-REGISTRY ?= higress-registry.cn-hangzhou.cr.aliyuncs.com/plugins/
+BUILDER_REGISTRY ?= higress-registry.cn-hangzhou.cr.aliyuncs.com/plugins/
+REGISTRY ?=
 GO_VERSION ?= 1.19
-TINYGO_VERSION ?= 0.25.0
+TINYGO_VERSION ?= 0.28.1
 ORAS_VERSION ?= 1.0.0
 HIGRESS_VERSION ?= 1.0.0-rc
 USE_HIGRESS_TINYGO ?= true
-BUILDER ?= ${REGISTRY}wasm-go-builder:go${GO_VERSION}-tinygo${TINYGO_VERSION}-oras${ORAS_VERSION}
+BUILDER ?= ${BUILDER_REGISTRY}wasm-go-builder:go${GO_VERSION}-tinygo${TINYGO_VERSION}-oras${ORAS_VERSION}
 BUILD_TIME := $(shell date "+%Y%m%d-%H%M%S")
 COMMIT_ID := $(shell git rev-parse --short HEAD 2>/dev/null)
 IMAGE_TAG = $(if $(strip $(PLUGIN_VERSION)),${PLUGIN_VERSION},${BUILD_TIME}-${COMMIT_ID})

plugins/wasm-go/README.md

@@ -45,14 +45,14 @@ output wasm file: extensions/request-block/plugin.wasm
 
 - Go 版本: >= 1.18 (需要支持范型特性)
 
-- TinyGo 版本: >= 0.25.0
+- TinyGo 版本: >= 0.28.1
 
 下面是本地多步骤构建 [request-block](extensions/request-block) 的例子。
 
 ### step1. 编译 wasm
 
 ```bash
-tinygo build -o main.wasm -scheduler=none -target=wasi ./extensions/request-block/main.go
+tinygo build -o main.wasm -scheduler=none -target=wasi -gc=custom -tags='custommalloc nottinygc_finalizer' ./extensions/request-block/main.go
 ```
 
 ### step2. 构建并推送插件的 docker 镜像
@@ -143,3 +143,62 @@ spec:
 ```
 
 所有规则会按上面配置的顺序一次执行匹配，当有一个规则匹配时，就停止匹配，并选择匹配的配置执行插件逻辑。
+
+## E2E测试
+
+当你完成一个GO语言的插件功能时, 可以同时创建关联的e2e test cases, 并在本地对插件功能完成测试验证。
+
+### step1. 编写 test cases
+在目录./test/e2e/conformance/tests/下面, 分别添加xxx.yaml文件和xxx.go文件, 比如测试插件request-block
+
+./test/e2e/conformance/tests/request-block.yaml
+```
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+...
+...
+spec:
+  defaultConfig:
+    block_urls:
+    - "swagger.html"
+  url: file:///opt/plugins/wasm-go/extensions/request-block/plugin.wasm
+```
+`其中url中extensions后面的'request-block'为插件所在文件夹名称`
+
+./test/e2e/conformance/tests/request-block.go
+
+### step2. 添加 test cases
+将上述所写test cases添加到e2e测试列表中,
+
+./test/e2e/e2e_test.go
+
+```
+...
+cSuite.Setup(t)
+	var higressTests []suite.ConformanceTest
+
+	if *isWasmPluginTest {
+		if strings.Compare(*wasmPluginType, "CPP") == 0 {
+			m := make(map[string]suite.ConformanceTest)
+			m["request_block"] = tests.CPPWasmPluginsRequestBlock
+			m["key_auth"] = tests.CPPWasmPluginsKeyAuth
+
+			higressTests = []suite.ConformanceTest{
+				m[*wasmPluginName],
+			}
+		} else {
+			higressTests = []suite.ConformanceTest{
+				tests.WasmPluginsRequestBlock,
+        //这里新增你新写的case方法名称
+			}
+		}
+	} else {
+...
+```
+
+### step3. 编译插件并执行 test cases
+考虑到本地构建wasm比较耗时, 我们支持只构建需要测试的插件(同时你也可以临时修改上面第二小步的测试cases列表, 只执行你新写的case)。
+
+```bash
+PLUGIN_NAME=request-block make higress-wasmplugin-test
+```

plugins/wasm-go/README_EN.md

@@ -29,11 +29,11 @@ You can also use `make build-push` to build and push the image at the same time.
 
 ### Environmental parameters
 
-| Name          | Optional/Required | Default                                                                                                      | 含义                                                                                                                                  |
-|---------------|-------------------|--------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
-| `PLUGIN_NAME` | Optional          | hello-world                                                                                                  | The name of the plugin to build.                                                                                                    |
-| `REGISTRY`    | Optional          | empty                                                                                                        | The regitstry address of the generated image, e.g. `example.registry.io/my-name/`.  Note that the REGISTRY value should end with /. |
-| `IMG`         | Optional          | If it is empty, it is generated based on the repository address, plugin name, build time, and git commit id. | The generated image tag will override the `REGISTRY` parameter if it is not empty.                                                  |
+| Name          | Optional/Required | Default                                                                                                      | meaning                                                                                                                              |
+|---------------|---------------|--------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------|
+| `PLUGIN_NAME` | Optional      | hello-world                                                                                                  | The name of the plugin to build.                                                                                                     |
+| `REGISTRY`    | Optional      | empty                                                                                                        | The registry address of the generated image, e.g. `example.registry.io/my-name/`.  Note that the REGISTRY value should end with /.   |
+| `IMG`         | Optional      | If it is empty, it is generated based on the repository address, plugin name, build time, and git commit id. | The generated image tag will override the `REGISTRY` parameter if it is not empty.                                                   |
 
 ## Build on local yourself
 
@@ -138,3 +138,62 @@ spec:
 
 The rules will be matched in the order of configuration. If one match is found, it will stop, and the matching configuration will take effect.
 
+
+## E2E test
+
+When you complete a GO plug-in function, you can create associated e2e test cases at the same time, and complete the test verification of the plug-in function locally.
+
+### step1. write test cases
+In the directory of `./ test/e2e/conformance/tests/`, add the xxx.yaml file and xxx.go file. Such as test for `request-block` wasm-plugin,
+
+./test/e2e/conformance/tests/request-block.yaml
+```
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+...
+...
+spec:
+  defaultConfig:
+    block_urls:
+    - "swagger.html"
+  url: file:///opt/plugins/wasm-go/extensions/request-block/plugin.wasm
+```
+`Above of the url, the name of after extensions indicates the name of the folder where the plug-in resides.`
+
+./test/e2e/conformance/tests/request-block.go
+
+### step2. add test cases
+Add the test cases written above to the e2e test list,
+
+./test/e2e/e2e_test.go
+
+```
+...
+cSuite.Setup(t)
+	var higressTests []suite.ConformanceTest
+
+	if *isWasmPluginTest {
+		if strings.Compare(*wasmPluginType, "CPP") == 0 {
+			m := make(map[string]suite.ConformanceTest)
+			m["request_block"] = tests.CPPWasmPluginsRequestBlock
+			m["key_auth"] = tests.CPPWasmPluginsKeyAuth
+
+			higressTests = []suite.ConformanceTest{
+				m[*wasmPluginName],
+			}
+		} else {
+			higressTests = []suite.ConformanceTest{
+				tests.WasmPluginsRequestBlock,
+        //Add your newly written case method name here
+			}
+		}
+	} else {
+...
+```
+
+### step3. compile and run test cases
+Considering that building wasm locally is time-consuming, we support building only the plug-ins that need to be tested (at the same time, you can also temporarily modify the list of test cases in the second small step above, and only execute your newly written cases).
+
+```bash
+PLUGIN_NAME=request-block make higress-wasmplugin-test
+```

plugins/wasm-go/extensions/basic-auth/README.md

@@ -0,0 +1,114 @@
+---
+title: Basic 认证
+keywords: [higress,basic auth]
+description: Basic 认证插件配置参考
+---
+
+## 功能说明
+`basic-auth`插件实现了基于 HTTP Basic Auth 标准进行认证鉴权的功能
+
+## 运行属性
+
+插件执行阶段：`认证阶段`
+插件执行优先级：`320`
+
+## 配置字段
+
+### 全局配置
+
+| 名称        | 数据类型        | 填写要求 | 默认值 | 描述                                                 |
+| ----------- | --------------- | -------- | ------ | ---------------------------------------------------- |
+| `consumers` | array of object | 必填     | -      | 配置服务的调用者，用于对请求进行认证                 |
+| `global_auth` | bool | 选填     | -      | 若配置为true，则全局生效认证机制; 若配置为false，则只对做了配置的域名和路由生效认证机制; 若不配置则仅当没有域名和路由配置时全局生效（兼容机制）  |
+
+`consumers`中每一项的配置字段说明如下：
+
+| 名称         | 数据类型 | 填写要求 | 默认值 | 描述                     |
+| ------------ | -------- | -------- | ------ | ------------------------ |
+| `credential` | string   | 必填     | -      | 配置该consumer的访问凭证 |
+| `name`       | string   | 必填     | -      | 配置该consumer的名称     |
+
+### 域名和路由级配置
+
+| 名称             | 数据类型        | 填写要求                                          | 默认值 | 描述                                               |
+| ---------------- | --------------- | ------------------------------------------------- | ------ | -------------------------------------------------- |
+| `allow`          | array of string | 必填                                              | -      | 对于符合匹配条件的请求，配置允许访问的consumer名称 |
+
+**注意：**
+- 对于通过认证鉴权的请求，请求的header会被添加一个`X-Mse-Consumer`字段，用以标识调用者的名称。
+
+## 配置示例
+
+### 对特定路由或域名开启认证和鉴权
+
+以下配置将对网关特定路由或域名开启 Basic Auth 认证和鉴权，注意凭证信息中的用户名和密码之间使用":"分隔，`credential`字段不能重复
+
+**全局配置**
+
+```yaml
+consumers:
+- credential: 'admin:123456'
+  name: consumer1
+- credential: 'guest:abc'
+  name: consumer2
+global_auth: false
+```
+
+
+**路由级配置**
+
+对 route-a 和 route-b 这两个路由做如下配置：
+
+```yaml
+allow: 
+- consumer1
+```
+
+对 *.example.com 和 test.com 在这两个域名做如下配置:
+
+```yaml
+allow:
+- consumer2
+```
+
+若是在控制台进行配置，此例指定的 `route-a` 和 `route-b` 即在控制台创建路由时填写的路由名称，当匹配到这两个路由时，将允许`name`为`consumer1`的调用者访问，其他调用者不允许访问；
+
+此例指定的 `*.example.com` 和 `test.com` 用于匹配请求的域名，当发现域名匹配时，将允许`name`为`consumer2`的调用者访问，其他调用者不允许访问。
+
+#### 根据该配置，下列请求可以允许访问：
+
+**请求指定用户名密码**
+
+```bash
+# 假设以下请求将会匹配到route-a路由
+# 使用 curl 的 -u 参数指定
+curl -u admin:123456  http://xxx.hello.com/test
+# 或者直接指定 Authorization 请求头，用户名密码使用 base64 编码
+curl -H 'Authorization: Basic YWRtaW46MTIzNDU2'  http://xxx.hello.com/test
+```
+
+认证鉴权通过后，请求的header中会被添加一个`X-Mse-Consumer`字段，在此例中其值为`consumer1`，用以标识调用方的名称
+
+#### 下列请求将拒绝访问：
+
+**请求未提供用户名密码，返回401**
+```bash
+curl  http://xxx.hello.com/test
+```
+**请求提供的用户名密码错误，返回401**
+```bash
+curl -u admin:abc  http://xxx.hello.com/test
+```
+**根据请求的用户名和密码匹配到的调用者无访问权限，返回403**
+```bash
+# consumer2不在route-a的allow列表里
+curl -u guest:abc  http://xxx.hello.com/test
+```
+
+## 相关错误码
+
+| HTTP 状态码 | 出错信息                                                                           | 原因说明               |
+| ----------- |--------------------------------------------------------------------------------| ---------------------- |
+| 401         | Request denied by Basic Auth check. No Basic Authentication information found. | 请求未提供凭证         |
+| 401         | Request denied by Basic Auth check. Invalid username and/or password.          | 请求凭证无效           |
+| 403         | Request denied by Basic Auth check. Unauthorized consumer.                     | 请求的调用方无访问权限 |

plugins/wasm-go/extensions/basic-auth/README_EN.md

@@ -0,0 +1,119 @@
+---
+title: Basic Auth
+keywords: [higress, basic auth]
+description: Basic authentication plug-in configuration reference
+---
+
+## Description
+`basic-auth` plugin implements the function of authentication based on the HTTP Basic Auth standard.
+
+## Configuration Fields
+
+| Name        | Type            | Requirement | Default Value | Description                                                 |
+| ----------- | --------------- | -------- | ------ | ---------------------------------------------------- |
+| `consumers` | array of object | Required     | -      | Caller of the service for authentication of requests |
+| `_rules_`   | array of object | Optional     | -      | Configure access permission list for specific routes or domains to authenticate requests |
+
+Filed descriptions of `consumers` items:
+
+| Name         | Type   | Requirement | Default Value | Description                           |
+| ------------ | ------ | ----------- | ------------- | ------------------------------------- |
+| `credential` | string | Required    | -             | Credential for this consumer's access |
+| `name`       | string | Required    | -             | Name of this consumer                 |
+
+Configuration field descriptions for each item in `_rules_` are as follows:
+
+| Field Name            | Data Type        | Requirement                                          | Default | Description                                               |
+| ---------------- | --------------- | ------------------------------------------------- | ------ | -------------------------------------------------- |
+| `_match_route_`  | array of string | One of `_match_route_` or `_match_domain_` | -      | Configure the routes to match for request authorization                               |
+| `_match_domain_` | array of string | One of `_match_route_` , `_match_domain_` | -      | Configure the domains to match for request authorization                                   |
+| `allow`          | array of string | Required                                              | -      | Configure the consumer names allowed to access requests that match the match condition |
+
+**Note:**
+
+- If the `_rules_` field is not configured, authentication is enabled for all routes of the current gateway instance by default;
+- For authenticated requests,  `X-Mse-Consumer` field will be added to the request header to identify the name of the caller.
+
+## Configuration Samples
+
+### Enable Authentication and Authorization for specific routes or domains
+
+The following configuration will enable Basic Auth authentication and authorization for specific routes or domains of the gateway. Note that the username and password in the credential information are separated by a ":", and the `credential` field cannot be repeated.
+
+
+
+```yaml
+# use the _rules_ field for fine-grained rule configuration.
+consumers:
+- credential: 'admin:123456'
+  name: consumer1
+- credential: 'guest:abc'
+  name: consumer2
+_rules_:
+# rule 1: match by the route name.
+  - _match_route_:
+    - route-a
+    - route-b
+    allow:
+    - consumer1
+# rule 2: match by the domain.
+  - _match_domain_:
+    - "*.example.com"
+    - test.com
+    allow:
+    - consumer2
+```
+In this sample, `route-a` and `route-b` specified in `_match_route_` are the route names filled in when creating gateway routes. When these two routes are matched, the caller with `name` as `consumer1` is allowed to access, and other callers are not allowed to access.
+
+The `*.example.com` and `test.com` specified in `_match_domain_` are used to match the domain name of the request. When the domain name is matched, the caller with `name` as `consumer2` is allowed to access, and other callers are not allowed to access.
+
+
+#### According to this configuration, the following requests are allowed:
+
+**Requests with specified username and password**
+
+```bash
+# Assuming the following request will match with route-a
+# Use -u option of curl to specify the credentials
+curl -u admin:123456  http://xxx.hello.com/test
+# Or specify the Authorization request header directly with the credentials in base64 encoding
+curl -H 'Authorization: Basic YWRtaW46MTIzNDU2'  http://xxx.hello.com/test
+```
+
+A `X-Mse-Consumer` field will be added to the headers of the request, and its value in this example is `consumer1`, used to identify the name of the caller when passed authentication and authorization.
+
+#### The following requests will be denied:
+
+**Requests without providing username and password, returning 401**
+```bash
+curl  http://xxx.hello.com/test
+```
+**Requests with incorrect username or password, returning 401**
+```bash
+curl -u admin:abc  http://xxx.hello.com/test
+```
+**Requests matched with a caller who has no access permission, returning 403**
+```bash
+# consumer2 is not in the allow list of route-a
+curl -u guest:abc  http://xxx.hello.com/test
+```
+
+### Enable basic auth for gateway instance
+
+The following configuration does not specify the `_rules_` field, so Basic Auth authentication will be effective for the whole gateway instance.
+
+```yaml
+consumers:
+- credential: 'admin:123456'
+  name: consumer1
+- credential: 'guest:abc'
+  name: consumer2
+```
+
+## Error Codes
+
+| HTTP Status Code | Error Info                                                                     | Reason               |
+| ----------- |--------------------------------------------------------------------------------| ---------------------- |
+| 401         | Request denied by Basic Auth check. No Basic Authentication information found. | Credentials not provided in the request        |
+| 401         | Request denied by Basic Auth check. Invalid username and/or password.          | Invalid username and/or password           |
+| 403         | Request denied by Basic Auth check. Unauthorized consumer.                     | Unauthorized consumer |

plugins/wasm-go/extensions/basic-auth/VERSION

@@ -0,0 +1 @@
+1.0.0

plugins/wasm-go/extensions/basic-auth/go.mod

@@ -0,0 +1,22 @@
+module github.com/alibaba/higress/plugins/wasm-go/extensions/basic-auth
+
+go 1.19
+
+
+replace github.com/alibaba/higress/plugins/wasm-go => ../..
+
+
+require (
+	github.com/alibaba/higress/plugins/wasm-go v0.0.0
+	github.com/pkg/errors v0.9.1
+	github.com/tetratelabs/proxy-wasm-go-sdk v0.22.0
+	github.com/tidwall/gjson v1.14.3
+)
+
+require (
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/magefile/mage v1.14.0 // indirect
+	github.com/tidwall/match v1.1.1 // indirect
+	github.com/tidwall/pretty v1.2.0 // indirect
+	github.com/wasilibs/nottinygc v0.3.0 // indirect
+)

plugins/wasm-go/extensions/basic-auth/go.sum

@@ -0,0 +1,9 @@
+github.com/WeixinX/higress/plugins/wasm-go v0.0.0-20230911073755-f281286d0cdb/go.mod h1:shD9qvrDS6xklAVjKYho8kHIVdW4A1vhNEOAL2miEEE=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/magefile/mage v1.14.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/tetratelabs/proxy-wasm-go-sdk v0.22.0/go.mod h1:qkW5MBz2jch2u8bS59wws65WC+Gtx3x0aPUX5JL7CXI=
+github.com/tidwall/gjson v1.14.3/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
+github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/wasilibs/nottinygc v0.3.0/go.mod h1:oDcIotskuYNMpqMF23l7Z8uzD4TC0WXHK8jetlB3HIo=

plugins/wasm-go/extensions/basic-auth/main.go

@@ -0,0 +1,330 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// The 'Basic' HTTP Authentication Scheme: https://datatracker.ietf.org/doc/html/rfc7617
+
+package main
+
+import (
+	"encoding/base64"
+	"fmt"
+	"strings"
+
+	"github.com/alibaba/higress/plugins/wasm-go/pkg/wrapper"
+
+	"github.com/pkg/errors"
+	"github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm"
+	"github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm/types"
+	"github.com/tidwall/gjson"
+)
+
+func main() {
+	wrapper.SetCtx(
+		"basic-auth",
+		wrapper.ParseOverrideConfigBy(parseGlobalConfig, parseOverrideRuleConfig),
+		wrapper.ProcessRequestHeadersBy(onHttpRequestHeaders),
+	)
+}
+
+// @Name basic-auth
+// @Category auth
+// @Phase AUTHN
+// @Priority 320
+// @Title zh-CN Basic Auth
+// @Description zh-CN 本插件实现了基于 HTTP Basic Auth 标准进行认证鉴权的功能。
+// @Description en-US This plugin implements an authentication function based on HTTP Basic Auth standard.
+// @IconUrl https://img.alicdn.com/imgextra/i4/O1CN01BPFGlT1pGZ2VDLgaH_!!6000000005333-2-tps-42-42.png
+// @Version 1.0.0
+//
+// @Contact.name Higress Team
+// @Contact.url http://higress.io/
+// @Contact.email admin@higress.io
+//
+// @Example
+// global_auth: false
+// consumers:
+//   - name: consumer1
+//     credential: admin:123456
+//   - name: consumer2
+//     credential: guest:abc
+//
+// @End
+type BasicAuthConfig struct {
+	// @Title 是否开启全局认证
+	// @Title en-US Enable Global Auth
+	// @Description 若不开启全局认证，则全局配置只提供凭证信息。只有在域名或路由上进行了配置才会启用认证。
+	// @Description en-US If set to false, only consumer info will be accepted from the global config. Auth feature shall only be enabled if the corresponding domain or route is configured.
+	// @Scope GLOBAL
+	globalAuth *bool `yaml:"global_auth"`
+
+	// @Title 调用方列表
+	// @Title en-US Consumer List
+	// @Description 服务调用方列表，用于对请求进行认证。
+	// @Description en-US List of service consumers which will be used in request authentication.
+	// @Scope GLOBAL
+	consumers []Consumer `yaml:"consumers"`
+
+	// @Title 授权访问的调用方列表
+	// @Title en-US Allowed Consumers
+	// @Description 对于匹配上述条件的请求，允许访问的调用方列表。
+	// @Description en-US Consumers to be allowed for matched requests.
+	allow []string `yaml:"allow"`
+
+	credential2Name map[string]string `yaml:"-"`
+	username2Passwd map[string]string `yaml:"-"`
+}
+
+type Consumer struct {
+	// @Title 名称
+	// @Title en-US Name
+	// @Description 该调用方的名称。
+	// @Description en-US The name of the consumer.
+	name string `yaml:"name"`
+
+	// @Title 访问凭证
+	// @Title en-US Credential
+	// @Description 该调用方的访问凭证。
+	// @Description en-US The credential of the consumer.
+	// @Scope GLOBAL
+	credential string `yaml:"credential"`
+}
+
+var (
+	ruleSet         bool            // 插件是否至少在一个 domain 或 route 上生效
+	protectionSpace = "MSE Gateway" // 认证失败时，返回响应头 WWW-Authenticate: Basic realm=MSE Gateway
+)
+
+func parseGlobalConfig(json gjson.Result, global *BasicAuthConfig, log wrapper.Log) error {
+	// log.Debug("global config")
+	ruleSet = false
+	global.credential2Name = make(map[string]string)
+	global.username2Passwd = make(map[string]string)
+
+	consumers := json.Get("consumers")
+	if !consumers.Exists() {
+		return errors.New("consumers is required")
+	}
+	if len(consumers.Array()) == 0 {
+		return errors.New("consumers cannot be empty")
+	}
+
+	for _, item := range consumers.Array() {
+		name := item.Get("name")
+		if !name.Exists() || name.String() == "" {
+			return errors.New("consumer name is required")
+		}
+		credential := item.Get("credential")
+		if !credential.Exists() || credential.String() == "" {
+			return errors.New("consumer credential is required")
+		}
+		if _, ok := global.credential2Name[credential.String()]; ok {
+			return errors.Errorf("duplicate consumer credential: %s", credential.String())
+		}
+		userAndPasswd := strings.Split(credential.String(), ":")
+		if len(userAndPasswd) != 2 {
+			return errors.Errorf("invalid credential format: %s", credential.String())
+		}
+
+		consumer := Consumer{
+			name:       name.String(),
+			credential: credential.String(),
+		}
+		global.consumers = append(global.consumers, consumer)
+		global.credential2Name[consumer.credential] = consumer.name
+		global.username2Passwd[userAndPasswd[0]] = userAndPasswd[1]
+	}
+
+	globalAuth := json.Get("global_auth")
+	if globalAuth.Exists() {
+		ga := globalAuth.Bool()
+		global.globalAuth = &ga
+	}
+
+	return nil
+}
+
+func parseOverrideRuleConfig(json gjson.Result, global BasicAuthConfig, config *BasicAuthConfig, log wrapper.Log) error {
+	log.Debug("domain/route config")
+	// override config via global
+	*config = global
+
+	allow := json.Get("allow")
+	if !allow.Exists() {
+		return errors.New("allow is required")
+	}
+	if len(allow.Array()) == 0 {
+		return errors.New("allow cannot be empty")
+	}
+
+	for _, item := range allow.Array() {
+		config.allow = append(config.allow, item.String())
+	}
+	ruleSet = true
+
+	return nil
+}
+
+// basic-auth 插件认证逻辑：
+// - global_auth == true 开启全局生效：
+//   - 若当前 domain/route 未配置 allow 列表，即未配置该插件：则在所有 consumers 中查找，如果找到则认证通过，否则认证失败 (1*)
+//   - 若当前 domain/route 配置了该插件：则在 allow 列表中查找，如果找到则认证通过，否则认证失败
+//
+// - global_auth == false 非全局生效：(2*)
+//   - 若当前 domain/route 未配置该插件：则直接放行
+//   - 若当前 domain/route 配置了该插件：则在 allow 列表中查找，如果找到则认证通过，否则认证失败
+//
+// - global_auth 未设置：
+//   - 若没有一个 domain/route 配置该插件：则遵循 (1*)
+//   - 若有至少一个 domain/route 配置该插件：则遵循 (2*)
+func onHttpRequestHeaders(ctx wrapper.HttpContext, config BasicAuthConfig, log wrapper.Log) types.Action {
+	var (
+		noAllow            = len(config.allow) == 0 // 未配置 allow 列表，表示插件在该 domain/route 未生效
+		globalAuthNoSet    = config.globalAuth == nil
+		globalAuthSetTrue  = !globalAuthNoSet && *config.globalAuth
+		globalAuthSetFalse = !globalAuthNoSet && !*config.globalAuth
+	)
+	// log.Debugf("global auth set: %t", !globalAuthNoSet)
+	// log.Debugf("rule set: %t", ruleSet)
+	// log.Debugf("config: %+v", config)
+
+	// 不需要认证而直接放行的情况：
+	// - global_auth == false 且 当前 domain/route 未配置该插件
+	// - global_auth 未设置 且 有至少一个 domain/route 配置该插件 且 当前 domain/route 未配置该插件
+	if globalAuthSetFalse || (globalAuthNoSet && ruleSet) {
+		if noAllow {
+			log.Info("authorization is not required")
+			return types.ActionContinue
+		}
+	}
+
+	// 以下为需要认证的情况：
+	auth, err := proxywasm.GetHttpRequestHeader("Authorization")
+	if err != nil {
+		log.Warnf("failed to get authorization: %v", err)
+		return deniedNoBasicAuthData()
+	}
+	if auth == "" {
+		log.Warnf("authorization is empty")
+		return deniedNoBasicAuthData()
+	}
+	if !strings.HasPrefix(auth, "Basic ") {
+		log.Warnf("authorization has no prefix 'Basic '")
+		return deniedNoBasicAuthData()
+	}
+
+	encodedCredential := strings.TrimPrefix(auth, "Basic ")
+	credentialByte, err := base64.StdEncoding.DecodeString(encodedCredential)
+	if err != nil {
+		log.Warnf("failed to decode authorization %q: %v", string(credentialByte), err)
+		return deniedInvalidCredentials()
+	}
+
+	credential := string(credentialByte)
+	userAndPasswd := strings.Split(credential, ":")
+	if len(userAndPasswd) != 2 {
+		log.Warnf("invalid credential format: %s", credential)
+		return deniedInvalidCredentials()
+	}
+
+	user, passwd := userAndPasswd[0], userAndPasswd[1]
+	if correctPasswd, ok := config.username2Passwd[user]; !ok {
+		log.Warnf("credential username %q is not configured", user)
+		return deniedInvalidCredentials()
+	} else {
+		if passwd != correctPasswd {
+			log.Warnf("credential password is not correct for username %q", user)
+			return deniedInvalidCredentials()
+		}
+	}
+
+	// 以下为 username 和 password 正确的情况：
+	name, ok := config.credential2Name[credential]
+	if !ok { // 理论上该分支永远不可达，因为 username 和 password 都是从 credential 中获取的
+		log.Warnf("credential %q is not configured", credential)
+		return deniedUnauthorizedConsumer()
+	}
+
+	// 全局生效：
+	// - global_auth == true 且 当前 domain/route 未配置该插件
+	// - global_auth 未设置 且 没有任何一个 domain/route 配置该插件
+	if (globalAuthSetTrue && noAllow) || (globalAuthNoSet && !ruleSet) {
+		// log.Debug("authenticated case 1")
+		log.Infof("consumer %q authenticated", name)
+		return authenticated(name)
+	}
+
+	// 全局生效，但当前 domain/route 配置了 allow 列表
+	if globalAuthSetTrue && !noAllow {
+		if !contains(config.allow, name) {
+			log.Warnf("consumer %q is not allowed", name)
+			return deniedUnauthorizedConsumer()
+		}
+		// log.Debug("authenticated case 2")
+		log.Infof("consumer %q authenticated", name)
+		return authenticated(name)
+	}
+
+	// 非全局生效
+	if globalAuthSetFalse || (globalAuthNoSet && ruleSet) {
+		if !noAllow { // 配置了 allow 列表
+			if !contains(config.allow, name) {
+				log.Warnf("consumer %q is not allowed", name)
+				return deniedUnauthorizedConsumer()
+			}
+			// log.Debug("authenticated case 3")
+			log.Infof("consumer %q authenticated", name)
+			return authenticated(name)
+		}
+	}
+
+	return types.ActionContinue
+}
+
+func deniedNoBasicAuthData() types.Action {
+	_ = proxywasm.SendHttpResponse(401, WWWAuthenticateHeader(protectionSpace),
+		[]byte("Request denied by Basic Auth check. No Basic Authentication information found."), -1)
+	return types.ActionContinue
+}
+
+func deniedInvalidCredentials() types.Action {
+	_ = proxywasm.SendHttpResponse(401, WWWAuthenticateHeader(protectionSpace),
+		[]byte("Request denied by Basic Auth check. Invalid username and/or password."), -1)
+	return types.ActionContinue
+}
+
+func deniedUnauthorizedConsumer() types.Action {
+	_ = proxywasm.SendHttpResponse(403, WWWAuthenticateHeader(protectionSpace),
+		[]byte("Request denied by Basic Auth check. Unauthorized consumer."), -1)
+	return types.ActionContinue
+}
+
+func authenticated(name string) types.Action {
+	_ = proxywasm.AddHttpRequestHeader("X-Mse-Consumer", name)
+	return types.ActionContinue
+}
+
+func WWWAuthenticateHeader(realm string) [][2]string {
+	return [][2]string{
+		{"WWW-Authenticate", fmt.Sprintf("Basic realm=%s", realm)},
+	}
+}
+
+func contains(arr []string, item string) bool {
+	for _, i := range arr {
+		if i == item {
+			return true
+		}
+	}
+	return false
+}

plugins/wasm-go/extensions/chatgpt-proxy/README.md

@@ -0,0 +1,21 @@
+# 功能说明
+`chatgpt-proxy`插件实现了代理请求AI大语言模型服务的功能。
+
+# 配置字段
+
+| 名称 | 数据类型 | 填写要求 |  默认值 | 描述 |
+| -------- | -------- | -------- | -------- | -------- |
+|  model     |  string     | 选填   |   text-davinci-003  |  配置使用的模型模型名称   |
+|  apiKey   |  string     | 必填   |   -  |  配置使用的OpenAI API密钥   |
+|  promptParam     |  string     | 选填  |   prompt  |  配置prompt的来源字段名称，URL参数   |
+|  chatgptUri     |  string     | 选填     |  api.openai.com/v1/completions   |  配置调用AI模型服务的URL路径，默认值为OPENAI的API调用路径   |
+# 配置示例
+
+## 进行OpenAI curie模型的调用
+```yaml
+apiKey: "xxxxxxxxxxxxxx",
+promptParam: "text",
+model: "curie"
+```
+
+

plugins/wasm-go/extensions/chatgpt-proxy/go.mod

@@ -0,0 +1,17 @@
+module chatgpt-proxy
+
+go 1.19
+
+replace github.com/alibaba/higress/plugins/wasm-go => ../..
+
+require (
+	github.com/alibaba/higress/plugins/wasm-go v0.0.0-20230629030002-81e467b6242d
+	github.com/tetratelabs/proxy-wasm-go-sdk v0.22.0
+	github.com/tidwall/gjson v1.14.4
+)
+
+require (
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/tidwall/match v1.1.1 // indirect
+	github.com/tidwall/pretty v1.2.0 // indirect
+)

plugins/wasm-go/extensions/chatgpt-proxy/go.sum

@@ -0,0 +1,22 @@
+github.com/alibaba/higress/plugins/wasm-go v0.0.0-20230619024848-7d2a05ef1c35 h1:9xBMl8mJ5CGE1ebqtx9s11zrKJHs0559Yf/QWFh0WIQ=
+github.com/alibaba/higress/plugins/wasm-go v0.0.0-20230619024848-7d2a05ef1c35/go.mod h1:AzSnkuon5c26nIePTiJQIAFsKdhkNdncLcTuahpGtQs=
+github.com/alibaba/higress/plugins/wasm-go v0.0.0-20230629030002-81e467b6242d h1:PyBnIfssGRMKvBf6wKH11Z1t+X1Z7qegD1pAO60sFrk=
+github.com/alibaba/higress/plugins/wasm-go v0.0.0-20230629030002-81e467b6242d/go.mod h1:AzSnkuon5c26nIePTiJQIAFsKdhkNdncLcTuahpGtQs=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
+github.com/tetratelabs/proxy-wasm-go-sdk v0.19.1-0.20220822060051-f9d179a57f8c h1:OCUFXVGixHLfNjg6/QYEhv+jHJ5mRGhpEUVFv9eWPJE=
+github.com/tetratelabs/proxy-wasm-go-sdk v0.19.1-0.20220822060051-f9d179a57f8c/go.mod h1:5t/pWFNJ9eMyu/K/Z+OeGhDJ9sN9eCo8fc2pyM/Qjg4=
+github.com/tetratelabs/proxy-wasm-go-sdk v0.22.0 h1:kS7BvMKN+FiptV4pfwiNX8e3q14evxAWkhYbxt8EI1M=
+github.com/tetratelabs/proxy-wasm-go-sdk v0.22.0/go.mod h1:qkW5MBz2jch2u8bS59wws65WC+Gtx3x0aPUX5JL7CXI=
+github.com/tidwall/gjson v1.14.3 h1:9jvXn7olKEHU1S9vwoMGliaT8jq1vJ7IH/n9zD9Dnlw=
+github.com/tidwall/gjson v1.14.3/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/gjson v1.14.4 h1:uo0p8EbA09J7RQaflQ1aBRffTR7xedD2bcIVSYxLnkM=
+github.com/tidwall/gjson v1.14.4/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
+github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
+github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
+github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

plugins/wasm-go/extensions/chatgpt-proxy/main.go

@@ -0,0 +1,128 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/alibaba/higress/plugins/wasm-go/pkg/wrapper"
+	"github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm"
+	"github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm/types"
+	"github.com/tidwall/gjson"
+)
+
+func main() {
+	wrapper.SetCtx(
+		"chatgpt-proxy",
+		wrapper.ParseConfigBy(parseConfig),
+		wrapper.ProcessRequestHeadersBy(onHttpRequestHeaders),
+	)
+}
+
+type MyConfig struct {
+	Model       string
+	ApiKey      string
+	PromptParam string
+	ChatgptPath string
+	HumainId    string
+	AIId        string
+	client      wrapper.HttpClient
+}
+
+func parseConfig(json gjson.Result, config *MyConfig, log wrapper.Log) error {
+	chatgptUri := json.Get("chatgptUri").String()
+	var chatgptHost string
+	if chatgptUri == "" {
+		config.ChatgptPath = "/v1/completions"
+		chatgptHost = "api.openai.com"
+	} else {
+		cp, err := url.Parse(chatgptUri)
+		if err != nil {
+			return err
+		}
+		config.ChatgptPath = cp.Path
+		chatgptHost = cp.Host
+	}
+	if config.ChatgptPath == "" {
+		return errors.New("not found path in chatgptUri")
+	}
+	if chatgptHost == "" {
+		return errors.New("not found host in chatgptUri")
+	}
+	config.client = wrapper.NewClusterClient(wrapper.RouteCluster{
+		Host: chatgptHost,
+	})
+	config.Model = json.Get("model").String()
+	if config.Model == "" {
+		config.Model = "text-davinci-003"
+	}
+	config.ApiKey = json.Get("apiKey").String()
+	if config.ApiKey == "" {
+		return errors.New("no apiKey found in config")
+	}
+	config.PromptParam = json.Get("promptParam").String()
+	if config.PromptParam == "" {
+		config.PromptParam = "prompt"
+	}
+	config.HumainId = json.Get("HumainId").String()
+	if config.HumainId == "" {
+		config.HumainId = "Humain:"
+	}
+	config.AIId = json.Get("AIId").String()
+	if config.AIId == "" {
+		config.AIId = "AI:"
+	}
+	return nil
+}
+
+const bodyTemplate string = `
+{
+"model":"%s",
+"prompt":"%s",
+"temperature":0.9,
+"max_tokens": 150,
+"top_p": 1,
+"frequency_penalty": 0.0,
+"presence_penalty": 0.6,
+"stop": [" %s", " %s"]
+}
+`
+
+func onHttpRequestHeaders(ctx wrapper.HttpContext, config MyConfig, log wrapper.Log) types.Action {
+	pairs := strings.SplitN(ctx.Path(), "?", 2)
+	
+	if len(pairs) < 2 {
+		proxywasm.SendHttpResponse(400, nil, []byte("1-need prompt param"), -1)
+		return types.ActionContinue
+	}
+	querys, err := url.ParseQuery(pairs[1])
+	if err != nil {
+		proxywasm.SendHttpResponse(400, nil, []byte("2-need prompt param"), -1)
+		return types.ActionContinue
+	}
+	var prompt []string
+	var ok bool
+	if prompt, ok = querys[config.PromptParam]; !ok || len(prompt) == 0 {
+		proxywasm.SendHttpResponse(400, nil, []byte("3-need prompt param"), -1)
+		return types.ActionContinue
+	}
+	body := fmt.Sprintf(bodyTemplate, config.Model, prompt[0], config.HumainId, config.AIId)
+	err = config.client.Post(config.ChatgptPath, [][2]string{
+		{"Content-Type", "application/json"},
+		{"Authorization", "Bearer " + config.ApiKey},
+	}, []byte(body),
+		func(statusCode int, responseHeaders http.Header, responseBody []byte) {
+			var headers [][2]string
+			for key, value := range responseHeaders {
+				headers = append(headers, [2]string{key, value[0]})
+			}
+			proxywasm.SendHttpResponse(uint32(statusCode), headers, responseBody, -1)
+		}, 10000)
+	if err != nil {
+		proxywasm.SendHttpResponse(500, nil, []byte("Internel Error: "+err.Error()), -1)
+		return types.ActionContinue
+	}
+	return types.ActionPause
+}

plugins/wasm-go/extensions/gw-error-format/go.mod

@@ -2,6 +2,8 @@ module wasm-demo
 
 go 1.18
 
+replace github.com/alibaba/higress/plugins/wasm-go => ../..
+
 require (
 	github.com/mse-group/wasm-extensions-go v1.0.1
 	github.com/tetratelabs/proxy-wasm-go-sdk v0.19.1-0.20220822060051-f9d179a57f8c

plugins/wasm-go/extensions/jwt-auth/README.md

@@ -0,0 +1,15 @@
+# 功能说明
+`jwt-auth`插件基于wasm-go实现了Token解析认证功能，可以判断Token是否有效，如果Token有效则继续访问后端微服务，Token无效或不存在直接拒绝并返回401
+
+# 配置字段
+|  名称 |  数据类型 | 填写要求  | 描述  |
+| ------------ | ------------ | ------------ | ------------ |
+|  token_secret_key | string  | 必填  |   配置Token解析使用的SecretKey|
+|  token_headers | string  | 必填  |   配置获取Token请求头名称|
+
+# 配置示例
+```yaml
+token_secret_key: Dav7kfq3iA8S!JUj8&CUkdnQe72E@Cw6
+token_headers: token
+```
+此例`token_secret_key`中指定的是认证服务生成Token的SecretKey;`token_headers`是携带Token访问的请求头名称；

plugins/wasm-go/extensions/jwt-auth/VERSION

@@ -0,0 +1 @@
+1.0.0

plugins/wasm-go/extensions/jwt-auth/go.mod

@@ -0,0 +1,18 @@
+module jwt-auth
+
+go 1.19
+
+require (
+	github.com/alibaba/higress/plugins/wasm-go v0.0.0-20230811015533-49269b43032f
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible
+	github.com/tetratelabs/proxy-wasm-go-sdk v0.22.0
+	github.com/tidwall/gjson v1.16.0
+)
+
+require (
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/magefile/mage v1.14.0 // indirect
+	github.com/tidwall/match v1.1.1 // indirect
+	github.com/tidwall/pretty v1.2.0 // indirect
+	github.com/wasilibs/nottinygc v0.3.0 // indirect
+)

plugins/wasm-go/extensions/jwt-auth/go.sum

@@ -0,0 +1,22 @@
+github.com/alibaba/higress/plugins/wasm-go v0.0.0-20230811015533-49269b43032f h1:H+2fEuroddobcGs2Vom+osc8CE3SBHLz+JbM036Lo9w=
+github.com/alibaba/higress/plugins/wasm-go v0.0.0-20230811015533-49269b43032f/go.mod h1:shD9qvrDS6xklAVjKYho8kHIVdW4A1vhNEOAL2miEEE=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/magefile/mage v1.14.0 h1:6QDX3g6z1YvJ4olPhT1wksUcSa/V0a1B+pJb73fBjyo=
+github.com/magefile/mage v1.14.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
+github.com/tetratelabs/proxy-wasm-go-sdk v0.22.0 h1:kS7BvMKN+FiptV4pfwiNX8e3q14evxAWkhYbxt8EI1M=
+github.com/tetratelabs/proxy-wasm-go-sdk v0.22.0/go.mod h1:qkW5MBz2jch2u8bS59wws65WC+Gtx3x0aPUX5JL7CXI=
+github.com/tidwall/gjson v1.16.0 h1:SyXa+dsSPpUlcwEDuKuEBJEz5vzTvOea+9rjyYodQFg=
+github.com/tidwall/gjson v1.16.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
+github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
+github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
+github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/wasilibs/nottinygc v0.3.0 h1:0L1jsJ1MsyN5tdinmFbLfuEA0TnHRcqaBM9pDTJVJmU=
+github.com/wasilibs/nottinygc v0.3.0/go.mod h1:oDcIotskuYNMpqMF23l7Z8uzD4TC0WXHK8jetlB3HIo=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

plugins/wasm-go/extensions/jwt-auth/main.go

@@ -0,0 +1,76 @@
+package main
+
+import (
+	"encoding/json"
+	"github.com/alibaba/higress/plugins/wasm-go/pkg/wrapper"
+	jwt "github.com/dgrijalva/jwt-go"
+	"github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm"
+	"github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm/types"
+	"github.com/tidwall/gjson"
+)
+
+// 自定义插件配置
+
+func main() {
+	wrapper.SetCtx(
+		"jwt-auth", // 配置插件名称
+		wrapper.ParseConfigBy(parseConfig),
+		wrapper.ProcessRequestHeadersBy(onHttpRequestHeaders),
+	)
+}
+
+type Config struct {
+	TokenSecretKey string // 解析Token SecretKey
+	TokenHeaders   string // 定义获取Token请求头名称
+}
+
+type Res struct {
+	Code int    `json:"code"` // 返回状态码
+	Msg  string `json:"msg"`  // 返回信息
+}
+
+func parseConfig(json gjson.Result, config *Config, log wrapper.Log) error {
+	// 解析出配置，更新到config中
+	config.TokenSecretKey = json.Get("token_secret_key").String()
+	config.TokenHeaders = json.Get("token_headers").String()
+	return nil
+}
+
+func onHttpRequestHeaders(ctx wrapper.HttpContext, config Config, log wrapper.Log) types.Action {
+	var res Res
+	if config.TokenHeaders == "" || config.TokenSecretKey == "" {
+		res.Code = 401
+		res.Msg = "参数不足"
+		data, _ := json.Marshal(res)
+		_ = proxywasm.SendHttpResponse(401, nil, data, -1)
+		return types.ActionContinue
+	}
+
+	token, err := proxywasm.GetHttpRequestHeader(config.TokenHeaders)
+	if err != nil {
+		res.Code = 401
+		res.Msg = "认证失败"
+		data, _ := json.Marshal(res)
+		_ = proxywasm.SendHttpResponse(401, nil, data, -1)
+		return types.ActionContinue
+	}
+	valid := ParseTokenValid(token, config.TokenSecretKey)
+	if valid {
+		_ = proxywasm.ResumeHttpRequest()
+		return types.ActionPause
+	} else {
+		res.Code = 401
+		res.Msg = "认证失败"
+		data, _ := json.Marshal(res)
+		_ = proxywasm.SendHttpResponse(401, nil, data, -1)
+		return types.ActionContinue
+	}
+}
+
+func ParseTokenValid(tokenString, TokenSecretKey string) bool {
+	token, _ := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
+		// 在这里提供用于验证签名的密钥
+		return []byte(TokenSecretKey), nil
+	})
+	return token.Valid
+}

plugins/wasm-go/extensions/waf/Dockerfile

@@ -0,0 +1,3 @@
+FROM scratch
+
+COPY local/main.wasm /plugin.wasm

plugins/wasm-go/extensions/waf/README.md

@@ -0,0 +1,52 @@
+# 功能说明
+waf插件实现了基于ModSecurity的规则防护引擎，可以根据用户配置的规则屏蔽可疑请求，并支持OWASP CRS，为站点提供基础的防护功能。
+
+# 配置字段
+| 名称 | 数据类型 | 填写要求 |  默认值 | 描述 |
+| -------- | -------- | -------- | -------- | -------- |
+| useCRS | bool | 选填 | false | 是否开启OWASP CRS，详情可参考[coreruleset](https://github.com/coreruleset/coreruleset/tree/v3.3.2) |
+| secRules | array of string | 选填 | - | 用户自定义的waf防护规则，语法规则可参考[ModSecurity中文手册](http://www.modsecurity.cn/chm/) |
+
+# 配置示例
+```yaml
+useCRS: true
+secRules: 
+  - "SecDebugLogLevel 3"
+  - "SecRuleEngine On"
+  - "SecAction \"id:100,phase:1,pass\""
+  - "SecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,t:lowercase,deny\""
+  - "SecRule REQUEST_BODY \"@rx maliciouspayload\" \"id:102,phase:2,t:lowercase,deny\""
+```
+
+根据该配置，以下请求将被禁止访问：
+```bash
+curl http://example.com/admin
+curl http://example.com -d "maliciouspayload"
+```
+
+# 对特定路由或域名开启
+```yaml
+useCRS: true
+secRules: 
+  - "SecDebugLogLevel 3"
+  - "SecRuleEngine On"
+  - "SecAction \"id:100,phase:1,pass\""
+  - "SecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,t:lowercase,deny\""
+  - "SecRule REQUEST_BODY \"@rx maliciouspayload\" \"id:102,phase:2,t:lowercase,deny\""
+_rules_:
+- _match_route_:
+    - "route-1"
+  secRules:
+    - "SecDebugLogLevel 3"
+    - "SecRuleEngine On"
+    - "SecAction \"id:102,phase:1,deny\""
+- _match_domain_:
+    - "*.example.com"
+    - test.com
+  secRules:
+    - "SecDebugLogLevel 3"
+    - "SecRuleEngine On"
+    - "SecAction \"id:102,phase:1,pass\""
+```
+
+此例 `_match_route_` 中指定的 `route-1` 即在创建网关路由时填写的路由名称，当匹配到这两个路由时，将使用此段配置； 此例 `_match_domain_` 中指定的 `*.example.com` 和 `test.com` 用于匹配请求的域名，当发现域名匹配时，将使用此段配置； 配置的匹配生效顺序，将按照 `_rules_` 下规则的排列顺序，匹配第一个规则后生效对应配置，后续规则将被忽略。

plugins/wasm-go/extensions/waf/go.mod

@@ -0,0 +1,29 @@
+module github.com/corazawaf/coraza-proxy-wasm
+
+go 1.19
+
+require (
+	github.com/alibaba/higress/plugins/wasm-go v0.0.0
+	github.com/corazawaf/coraza-wasilibs v0.0.0-20230408002644-e2e3af21f503
+	github.com/corazawaf/coraza/v3 v3.0.0-rc.1.0.20230407165813-a18681b1ec28
+	github.com/tetratelabs/proxy-wasm-go-sdk v0.22.0
+	github.com/tidwall/gjson v1.14.4
+)
+
+require (
+	github.com/corazawaf/libinjection-go v0.1.2 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/magefile/mage v1.14.0 // indirect
+	github.com/petar-dambovaliev/aho-corasick v0.0.0-20211021192214-5ab2d9280aa9 // indirect
+	github.com/tetratelabs/wazero v1.0.1 // indirect
+	github.com/tidwall/match v1.1.1 // indirect
+	github.com/tidwall/pretty v1.2.1 // indirect
+	github.com/wasilibs/go-aho-corasick v0.3.0 // indirect
+	github.com/wasilibs/go-libinjection v0.2.1 // indirect
+	github.com/wasilibs/go-re2 v1.0.0 // indirect
+	github.com/wasilibs/nottinygc v0.4.0 // indirect
+	golang.org/x/net v0.9.0 // indirect
+	rsc.io/binaryregexp v0.2.0 // indirect
+)
+
+replace github.com/alibaba/higress/plugins/wasm-go => ../..

plugins/wasm-go/extensions/waf/go.sum

@@ -0,0 +1,44 @@
+github.com/corazawaf/coraza-wasilibs v0.0.0-20230408002644-e2e3af21f503 h1:hGXspDwUBHQUne1NT2D6PmkR9wFCXsibjaJpz7xhf+g=
+github.com/corazawaf/coraza-wasilibs v0.0.0-20230408002644-e2e3af21f503/go.mod h1:bTc+NV7T2wQevFQHDDWhD/+IAA5bvKbbK4CxzfvJx/o=
+github.com/corazawaf/coraza/v3 v3.0.0-rc.1.0.20230407165813-a18681b1ec28 h1:Jrlvhe4YCR/PMCazDEBeun/XTYhlzczBN0WN4/ejORo=
+github.com/corazawaf/coraza/v3 v3.0.0-rc.1.0.20230407165813-a18681b1ec28/go.mod h1:TKREBLh55w3SiBbLsQpH9EFzjBAmEUH4KRaZ/kFYz20=
+github.com/corazawaf/libinjection-go v0.1.2 h1:oeiV9pc5rvJ+2oqOqXEAMJousPpGiup6f7Y3nZj5GoM=
+github.com/corazawaf/libinjection-go v0.1.2/go.mod h1:OP4TM7xdJ2skyXqNX1AN1wN5nNZEmJNuWbNPOItn7aw=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/magefile/mage v1.14.0 h1:6QDX3g6z1YvJ4olPhT1wksUcSa/V0a1B+pJb73fBjyo=
+github.com/magefile/mage v1.14.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
+github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
+github.com/petar-dambovaliev/aho-corasick v0.0.0-20211021192214-5ab2d9280aa9 h1:lL+y4Xv20pVlCGyLzNHRC0I0rIHhIL1lTvHizoS/dU8=
+github.com/petar-dambovaliev/aho-corasick v0.0.0-20211021192214-5ab2d9280aa9/go.mod h1:EHPiTAKtiFmrMldLUNswFwfZ2eJIYBHktdaUTZxYWRw=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
+github.com/tetratelabs/proxy-wasm-go-sdk v0.22.0 h1:kS7BvMKN+FiptV4pfwiNX8e3q14evxAWkhYbxt8EI1M=
+github.com/tetratelabs/proxy-wasm-go-sdk v0.22.0/go.mod h1:qkW5MBz2jch2u8bS59wws65WC+Gtx3x0aPUX5JL7CXI=
+github.com/tetratelabs/wazero v1.0.1 h1:xyWBoGyMjYekG3mEQ/W7xm9E05S89kJ/at696d/9yuc=
+github.com/tetratelabs/wazero v1.0.1/go.mod h1:wYx2gNRg8/WihJfSDxA1TIL8H+GkfLYm+bIfbblu9VQ=
+github.com/tidwall/gjson v1.14.4 h1:uo0p8EbA09J7RQaflQ1aBRffTR7xedD2bcIVSYxLnkM=
+github.com/tidwall/gjson v1.14.4/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
+github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
+github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
+github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/wasilibs/go-aho-corasick v0.3.0 h1:ScfPQhAwop/ELIkwY0dfMTFb/bwOdYI/MB3mkX2WOZI=
+github.com/wasilibs/go-aho-corasick v0.3.0/go.mod h1:LKW6EW9NWuWYE8PII+sFpRbbY3UcrMUgfUTkGaoWyMY=
+github.com/wasilibs/go-libinjection v0.2.1 h1:1aSwyE4oNpPGpFw3i3hoM15sF3qn1s4P0jC2jgFM2Qk=
+github.com/wasilibs/go-libinjection v0.2.1/go.mod h1:ZUoVe+HLQYq+QPBNTSgg3fxGvZsvXiDbi0UomBlsGzo=
+github.com/wasilibs/go-re2 v1.0.0 h1:pvrqtMzZgTMHVPfXJrk4YZwiqIXOKdfo5aed6CzUAW4=
+github.com/wasilibs/go-re2 v1.0.0/go.mod h1:8g69JapfgjSCx49dKOQij1dqA3sOvoH5NteaUy1X0SA=
+github.com/wasilibs/nottinygc v0.4.0 h1:h1TJMihMC4neN6Zq+WKpLxgd9xCFMw7O9ETLwY2exJQ=
+github.com/wasilibs/nottinygc v0.4.0/go.mod h1:oDcIotskuYNMpqMF23l7Z8uzD4TC0WXHK8jetlB3HIo=
+golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
+golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM=
+golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
+golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU=
+golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+rsc.io/binaryregexp v0.2.0 h1:HfqmD5MEmC0zvwBuF187nq9mdnXjXsSivRiXN7SmRkE=
+rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=

plugins/wasm-go/extensions/waf/init_tinygo.go

@@ -0,0 +1,30 @@
+// Copyright The OWASP Coraza contributors
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build tinygo
+
+package main
+
+import (
+	"unsafe"
+)
+
+// Some host functions that are not implemented by Envoy end up getting imported anyways
+// by code that gets compiled but not executed at runtime. Because we know they are not
+// executed, we can stub them out to allow functioning on Envoy. Note, these match the
+// names and signatures of wasi-libc, used by TinyGo, not WASI ABI. Review these exports when either
+// the minimum supported version of Envoy changes or the maximum version of TinyGo.
+
+// fdopendir is re-exported to avoid TinyGo 0.28's import of wasi_snapshot_preview1.fd_readdir.
+//
+//export fdopendir
+func fdopendir(fd int32) unsafe.Pointer {
+	return nil
+}
+
+// readdir is re-exported to avoid TinyGo 0.28's import of wasi_snapshot_preview1.fd_readdir.
+//
+//export readdir
+func readdir(unsafe.Pointer) unsafe.Pointer {
+	return nil
+}

plugins/wasm-go/extensions/waf/local/Dockerfile

@@ -0,0 +1,3 @@
+FROM liuxr25/flask-helloworld:latest
+
+COPY app.py /work/app.py

plugins/wasm-go/extensions/waf/local/app.py

@@ -0,0 +1,14 @@
+from flask import Flask, request
+
+app = Flask(__name__)
+
+@app.route("/flask/test1", methods=["GET", "POST"])
+def test1():
+    return "body normal", 200, [("test-header", "hahaha")]
+
+@app.route("/flask/test2", methods=["GET", "POST"])
+def test2():
+    return "body attack", 200, []
+
+if __name__ == "__main__":
+    app.run("0.0.0.0", 5000)

plugins/wasm-go/extensions/waf/local/docker-compose.yaml

@@ -0,0 +1,96 @@
+services:
+  httpbin:
+    image: kennethreitz/httpbin
+    environment:
+      - MAX_BODY_SIZE=15728640 # 15 MiB
+    ports:
+      - 8083:8080
+    command:
+      - "gunicorn"
+      - "-b"
+      - "0.0.0.0:8080"
+      - "httpbin:app"
+      - "-k"
+      - "gevent"
+      - --log-file
+      - /home/envoy/logs/httpbin.log
+    volumes:
+      - logs:/home/envoy/logs:rw
+
+  flask:
+    # image: liuxr25/flask-helloworld:latest
+    build: .
+    environment:
+      - MAX_BODY_SIZE=15728640 # 15 MiB
+    ports:
+      - 8084:5000
+
+  chown:
+    image: alpine:3.16
+    command:
+      - /bin/sh
+      - -c
+      - chown -R 101:101 /home/envoy/logs
+    volumes:
+      - logs:/home/envoy/logs:rw
+
+  envoy:
+    depends_on:
+      - chown
+      - httpbin
+      - flask
+    image: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/envoy:1.20
+    command:
+      - -c
+      - /conf/envoy-config.yaml
+      - --log-level
+      - info
+      - --component-log-level
+      - wasm:debug
+      - --log-format [%Y-%m-%d %T.%f][%t][%l][%n] [%g:%#] %v
+      - --log-path
+      - /home/envoy/logs/envoy.log
+    volumes:
+      - .:/build
+      - .:/conf
+      - logs:/home/envoy/logs:rw
+    ports:
+      - 8080:8080
+      - 8082:8082
+
+  # envoy-logs:
+  #   depends_on:
+  #     - envoy
+  #     - wasm-logs
+  #   image: debian:11-slim
+  #   entrypoint: bash
+  #   command:
+  #     - -c
+  #     - tail -c +0 -f /home/envoy/logs/envoy.log
+  #   volumes:
+  #     - logs:/home/envoy/logs:ro
+
+  wasm-logs:
+    depends_on:
+      - envoy
+    image: debian:11-slim
+    entrypoint: bash
+    command:
+      - -c
+      - tail -c +0 -f /home/envoy/logs/envoy.log | grep --line-buffered "[critical][wasm]"
+    volumes:
+      - logs:/home/envoy/logs:ro
+
+  # debug-logs:
+  #   depends_on:
+  #     - envoy
+  #   image: debian:11-slim
+  #   entrypoint: bash
+  #   command:
+  #     - -c
+  #     - tail -c +0 -f /home/envoy/logs/envoy.log | grep --line-buffered "unreachable"
+  #   volumes:
+  #     - logs:/home/envoy/logs:ro
+
+volumes:
+  logs:

plugins/wasm-go/extensions/waf/local/envoy-config.yaml

@@ -0,0 +1,143 @@
+stats_config:
+  stats_tags:
+    # Envoy extracts the first matching group as a value.
+    # See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/metrics/v3/stats.proto#config-metrics-v3-statsconfig.
+    - tag_name: phase
+      regex: "(_phase=([a-z_]+))"
+    - tag_name: rule_id
+      regex: "(_ruleid=([0-9]+))"
+
+static_resources:
+  listeners:
+    - address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: 8080
+      filter_chains:
+        - filters:
+            - name: envoy.filters.network.http_connection_manager
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                stat_prefix: ingress_http
+                codec_type: auto
+                route_config:
+                  virtual_hosts:
+                    - name: local_route
+                      domains:
+                        - "*"
+                      routes:
+                        - name: "route_1"
+                          match:
+                            path: "/headers"
+                          route:
+                            cluster: httpbin_server
+                        - name: "route_2"
+                          match:
+                            path: "/user-agent"
+                          route:
+                            cluster: httpbin_server
+                        - name: "route_flask"
+                          match:
+                            prefix: "/flask"
+                          route:
+                            cluster: flask_server
+                        - name: "route_httpbin"
+                          match:
+                            prefix: "/"
+                          route:
+                            cluster: httpbin_server
+                        # - name: "route_mock"
+                        #   match:
+                        #     prefix: "/"
+                        #   direct_response:
+                        #     status: 200
+                        #     body:
+                        #       inline_string: "mock response\n"
+                http_filters:
+                  - name: envoy.filters.http.wasm
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+                      config:
+                        name: "coraza-filter"
+                        root_id: ""
+                        configuration:
+                          "@type": "type.googleapis.com/google.protobuf.StringValue"
+                          value: |
+                            {
+                              "useCRS": true,
+                              "secRules": [
+                                "SecDebugLogLevel 3",
+                                "SecRuleEngine On",
+                                "SecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,t:lowercase,deny\"",
+                                "SecRule REQUEST_BODY \"@rx maliciouspayload\" \"id:102,phase:2,t:lowercase,deny\"",
+                                "SecRule RESPONSE_HEADERS::status \"@rx 406\" \"id:103,phase:3,t:lowercase,deny\"",
+                                "SecRule RESPONSE_HEADERS:test-header \"@streq hahaha\" \"id:104,phase:3,t:lowercase,deny\"",
+                                "SecRule RESPONSE_BODY \"@rx attack\" \"id:105,phase:4,t:lowercase,deny\""
+                              ],
+                              "_rules_": [
+                                {
+                                  "_match_route_": [
+                                    "route_1"
+                                  ],
+                                  "secRules": [
+                                    "SecDebugLogLevel 3",
+                                    "SecRuleEngine On",
+                                    "SecAction \"id:102,phase:1,deny\""
+                                  ]
+                                },
+                                {
+                                  "_match_route_": [
+                                    "route_2"
+                                  ],
+                                  "secRules": [
+                                    "SecDebugLogLevel 3",
+                                    "SecRuleEngine On",
+                                    "SecAction \"id:102,phase:1,pass\""
+                                  ]
+                                }
+                              ]
+                            }
+                        vm_config:
+                          runtime: "envoy.wasm.runtime.v8"
+                          vm_id: "10086"
+                          code:
+                            local:
+                              filename: "build/main.wasm"
+                  - name: envoy.filters.http.router
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+  clusters:
+    - name: httpbin_server
+      connect_timeout: 6000s
+      type: STRICT_DNS
+      lb_policy: ROUND_ROBIN
+      load_assignment:
+        cluster_name: httpbin_server
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: httpbin
+                      port_value: 8080
+    - name: flask_server
+      connect_timeout: 6000s
+      type: STRICT_DNS
+      lb_policy: ROUND_ROBIN
+      load_assignment:
+        cluster_name: flask_server
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: flask
+                      port_value: 5000
+
+admin:
+  access_log_path: "/dev/null"
+  address:
+    socket_address:
+      address: 0.0.0.0
+      port_value: 8082

plugins/wasm-go/extensions/waf/mage.go

@@ -0,0 +1,16 @@
+//go:build ignore
+// +build ignore
+
+// Entrypoint to mage for running without needing to install the command.
+// https://magefile.org/zeroinstall/
+package main
+
+import (
+	"os"
+
+	"github.com/magefile/mage/mage"
+)
+
+func main() {
+	os.Exit(mage.Main())
+}

plugins/wasm-go/extensions/waf/magefiles/go.mod

@@ -0,0 +1,8 @@
+module github.com/corazawaf/coraza-proxy-wasm/magefiles
+
+go 1.19
+
+require (
+	github.com/magefile/mage v1.14.0
+	github.com/tetratelabs/wabin v0.0.0-20220927005300-3b0fbf39a46a
+)

plugins/wasm-go/extensions/waf/magefiles/go.sum

@@ -0,0 +1,8 @@
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/magefile/mage v1.14.0 h1:6QDX3g6z1YvJ4olPhT1wksUcSa/V0a1B+pJb73fBjyo=
+github.com/magefile/mage v1.14.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
+github.com/tetratelabs/wabin v0.0.0-20220927005300-3b0fbf39a46a h1:P0R3+CTAT7daT8ig5gh9GEd/eDQ5md1xl4pkYMcwOqg=
+github.com/tetratelabs/wabin v0.0.0-20220927005300-3b0fbf39a46a/go.mod h1:m9ymHTgNSEjuxvw8E7WWe4Pl4hZQHXONY8wE6dMLaRk=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

plugins/wasm-go/extensions/waf/magefiles/magefile.go

@@ -0,0 +1,155 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strconv"
+	"strings"
+
+	"github.com/magefile/mage/sh"
+	"github.com/tetratelabs/wabin/binary"
+	"github.com/tetratelabs/wabin/wasm"
+)
+
+var minGoVersion = "1.19"
+var tinygoMinorVersion = "0.28"
+var Default = Build
+
+func init() {
+	for _, check := range []func() error{
+		checkTinygoVersion,
+		checkGoVersion,
+	} {
+		if err := check(); err != nil {
+			fmt.Printf("Error: %v\n", err)
+			os.Exit(1)
+		}
+	}
+}
+
+// checkGoVersion checks the minimum version of Go is supported.
+func checkGoVersion() error {
+	v, err := sh.Output("go", "version")
+	if err != nil {
+		return fmt.Errorf("unexpected go error: %v", err)
+	}
+
+	// Version can/cannot include patch version e.g.
+	// - go version go1.19 darwin/arm64
+	// - go version go1.19.2 darwin/amd64
+	versionRegex := regexp.MustCompile("go([0-9]+).([0-9]+).?([0-9]+)?")
+	compare := versionRegex.FindStringSubmatch(v)
+	if len(compare) != 4 {
+		return fmt.Errorf("unexpected go semver: %q", v)
+	}
+	compare = compare[1:]
+	if compare[2] == "" {
+		compare[2] = "0"
+	}
+
+	base := strings.SplitN(minGoVersion, ".", 3)
+	if len(base) == 2 {
+		base = append(base, "0")
+	}
+	for i := 0; i < 3; i++ {
+		baseN, _ := strconv.Atoi(base[i])
+		compareN, _ := strconv.Atoi(compare[i])
+		if baseN > compareN {
+			return fmt.Errorf("unexpected go version, minimum want %q, have %q", minGoVersion, strings.Join(compare, "."))
+		}
+	}
+	return nil
+}
+
+// checkTinygoVersion checks that exactly the right tinygo version is supported because
+// tinygo isn't stable yet.
+func checkTinygoVersion() error {
+	v, err := sh.Output("tinygo", "version")
+	if err != nil {
+		return fmt.Errorf("unexpected tinygo error: %v", err)
+	}
+
+	// Assume a dev build is valid.
+	if strings.Contains(v, "-dev") {
+		return nil
+	}
+
+	if !strings.HasPrefix(v, fmt.Sprintf("tinygo version %s", tinygoMinorVersion)) {
+		return fmt.Errorf("unexpected tinygo version, wanted %s", tinygoMinorVersion)
+	}
+
+	return nil
+}
+
+// Build builds the Coraza wasm plugin.
+func Build() error {
+	if err := os.MkdirAll("local", 0755); err != nil {
+		return err
+	}
+
+	buildTags := []string{"custommalloc", "no_fs_access"}
+	if os.Getenv("TIMING") == "true" {
+		buildTags = append(buildTags, "timing", "proxywasm_timing")
+	}
+	if os.Getenv("MEMSTATS") == "true" {
+		buildTags = append(buildTags, "memstats")
+	}
+
+	buildTagArg := fmt.Sprintf("-tags='%s'", strings.Join(buildTags, " "))
+
+	// ~100MB initial heap
+	initialPages := 2100
+	if ipEnv := os.Getenv("INITIAL_PAGES"); ipEnv != "" {
+		if ip, err := strconv.Atoi(ipEnv); err != nil {
+			return err
+		} else {
+			initialPages = ip
+		}
+	}
+
+	if err := sh.RunV("tinygo", "build", "-gc=custom", "-opt=2", "-o", filepath.Join("local", "mainraw.wasm"), "-scheduler=none", "-target=wasi", buildTagArg); err != nil {
+		return err
+	}
+
+	if err := patchWasm(filepath.Join("local", "mainraw.wasm"), filepath.Join("local", "main.wasm"), initialPages); err != nil {
+		return err
+	}
+
+	if err := sh.RunV("rm", filepath.Join("local", "mainraw.wasm")); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func patchWasm(inPath, outPath string, initialPages int) error {
+	raw, err := os.ReadFile(inPath)
+	if err != nil {
+		return err
+	}
+	mod, err := binary.DecodeModule(raw, wasm.CoreFeaturesV2)
+	if err != nil {
+		return err
+	}
+
+	mod.MemorySection.Min = uint32(initialPages)
+
+	for _, imp := range mod.ImportSection {
+		switch {
+		case imp.Name == "fd_filestat_get":
+			imp.Name = "fd_fdstat_get"
+		case imp.Name == "path_filestat_get":
+			imp.Module = "env"
+			imp.Name = "proxy_get_header_map_value"
+		}
+	}
+
+	out := binary.EncodeModule(mod)
+	if err = os.WriteFile(outPath, out, 0644); err != nil {
+		return err
+	}
+
+	return nil
+}