rel: Release v1.4.0 (#1014)

Co-authored-by: Kent Dong <ch3cho@qq.com>

.github/workflows/build-and-test-plugin.yaml

@@ -0,0 +1,84 @@
+name: "Build and Test Plugins"
+
+on:
+  push:
+    branches: [ main ]
+    paths:
+      - 'plugins/**'
+      - 'test/**'
+  pull_request:
+    branches: [ "*" ]
+    paths:
+      - 'plugins/**'
+      - 'test/**'
+  workflow_dispatch: ~      
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+    # There are too many lint errors in current code bases
+    # uncomment when we decide what lint should be addressed or ignored.
+    # - run: make lint
+
+  higress-wasmplugin-test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        # TODO(Xunzhuo): Enable C WASM Filters in CI
+        wasmPluginType: [ GO ]
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Free Up GitHub Actions Ubuntu Runner Disk Space 🔧
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: false
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          swap-storage: true      
+
+      - name: "Setup Go"
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+
+      - name: Setup Golang Caches
+        uses: actions/cache@v3
+        with:
+          path: |-
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ github.run_id }}
+          restore-keys: |
+            ${{ runner.os }}-go
+
+      - name: Setup Submodule Caches
+        uses: actions/cache@v3
+        with:
+          path: |-
+            .git/modules
+          key: ${{ runner.os }}-submodules-cache-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-submodules-cache
+
+      - run: git stash # restore patch
+
+      - name: "Run Ingress WasmPlugins Tests"
+        uses: nick-fields/retry@v3
+        with:
+          timeout_minutes: 25
+          max_attempts: 3
+          retry_on: error
+          command: GOPROXY="https://proxy.golang.org,direct" PLUGIN_TYPE=${{ matrix.wasmPluginType }} make higress-wasmplugin-test
+
+  publish:
+    runs-on: ubuntu-latest
+    needs: [ higress-wasmplugin-test ]
+    steps:
+      - uses: actions/checkout@v3

.github/workflows/build-and-test.yaml

@@ -36,12 +36,9 @@ jobs:
       uses: actions/cache@v3
       with:
         path: |-
-            envoy
-            istio
-            external
             .git/modules
-        key: ${{ runner.os }}-submodules-${{ github.run_id }}
-        restore-keys: ${{ runner.os }}-submodules
+        key: ${{ runner.os }}-submodules-cache-${{ github.run_id }}
+        restore-keys: ${{ runner.os }}-submodules-cache
     
     - run: git stash # restore patch
 
@@ -51,7 +48,7 @@ jobs:
     - name: Upload coverage to Codecov
       uses: codecov/codecov-action@v3
       with:
-        fail_ci_if_error: true
+        fail_ci_if_error: false
         files: ./coverage.xml
         verbose: true
 
@@ -83,12 +80,9 @@ jobs:
         uses: actions/cache@v3
         with:
           path: |-
-            envoy
-            istio
-            external
             .git/modules
-          key: ${{ runner.os }}-submodules-${{ github.run_id }}
-          restore-keys: ${{ runner.os }}-submodules
+          key: ${{ runner.os }}-submodules-cache-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-submodules-cache
 
       - run: git stash # restore patch
 
@@ -132,61 +126,17 @@ jobs:
       uses: actions/cache@v3
       with:
         path: |-
-            envoy
-            istio
-            external
             .git/modules
-        key: ${{ runner.os }}-submodules-${{ github.run_id }}
-        restore-keys: ${{ runner.os }}-submodules
+        key: ${{ runner.os }}-submodules-cache-${{ github.run_id }}
+        restore-keys: ${{ runner.os }}-submodules-cache
           
     - run: git stash # restore patch
 
     - name: "Run Higress E2E Conformance Tests"
       run: GOPROXY="https://proxy.golang.org,direct" make higress-conformance-test
       
-  higress-wasmplugin-test:
-    runs-on: ubuntu-latest
-    needs: [build]
-    strategy:
-      matrix:
-        # TODO(Xunzhuo): Enable C WASM Filters in CI
-        wasmPluginType: [ GO ]
-    steps:
-    - uses: actions/checkout@v3
-      
-    - name: "Setup Go"
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.19
-
-    - name: Setup Golang Caches
-      uses: actions/cache@v3
-      with:
-        path: |-
-          ~/.cache/go-build
-          ~/go/pkg/mod
-        key: ${{ runner.os }}-go-${{ github.run_id }}
-        restore-keys: |
-          ${{ runner.os }}-go
-      
-    - name: Setup Submodule Caches
-      uses: actions/cache@v3
-      with:
-        path: |-
-            envoy
-            istio
-            external
-            .git/modules
-        key: ${{ runner.os }}-submodules-${{ github.run_id }}
-        restore-keys: ${{ runner.os }}-submodules
-          
-    - run: git stash # restore patch
-
-    - name: "Run Ingress WasmPlugins Tests"
-      run: GOPROXY="https://proxy.golang.org,direct" PLUGIN_TYPE=${{ matrix.wasmPluginType }} make higress-wasmplugin-test
-
   publish:
     runs-on: ubuntu-latest
-    needs: [higress-conformance-test,gateway-conformance-test,higress-wasmplugin-test]
+    needs: [higress-conformance-test,gateway-conformance-test]
     steps:
     - uses: actions/checkout@v3

.github/workflows/build-image-and-push.yaml

@@ -20,6 +20,16 @@ jobs:
         with:
           fetch-depth: 1
 
+      - name: Free Up GitHub Actions Ubuntu Runner Disk Space 🔧
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: false
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          swap-storage: true
+
       - name: "Setup Go"
         uses: actions/setup-go@v3
         with:
@@ -41,7 +51,7 @@ jobs:
             envoy
             istio
             .git/modules
-          key: ${{ runner.os }}-submodules-${{ github.run_id }}
+          key: ${{ runner.os }}-submodules-new-${{ github.run_id }}
           restore-keys: ${{ runner.os }}-submodules-new
 
       - name: Calculate Docker metadata
@@ -86,6 +96,16 @@ jobs:
         with:
           fetch-depth: 1
 
+      - name: Free Up GitHub Actions Ubuntu Runner Disk Space 🔧
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: false
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          swap-storage: true
+
       - name: "Setup Go"
         uses: actions/setup-go@v3
         with:
@@ -153,6 +173,16 @@ jobs:
         with:
           fetch-depth: 1
 
+      - name: Free Up GitHub Actions Ubuntu Runner Disk Space 🔧
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: false
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          swap-storage: true
+
       - name: "Setup Go"
         uses: actions/setup-go@v3
         with:

.github/workflows/latest-release.yaml

@@ -18,6 +18,8 @@ jobs:
         tar -zcvf hgctl_latest_linux_arm64.tar.gz out/linux_arm64/
         tar -zcvf hgctl_latest_darwin_amd64.tar.gz out/darwin_amd64/
         tar -zcvf hgctl_latest_darwin_arm64.tar.gz out/darwin_arm64/
+        zip -q -r hgctl_latest_windows_amd64.zip out/windows_amd64/
+        zip -q -r hgctl_latest_windows_arm64.zip out/windows_arm64/
 
     # Ignore the error when we delete the latest release, it might not exist.
 
@@ -54,6 +56,8 @@ jobs:
           hgctl_latest_linux_arm64.tar.gz
           hgctl_latest_darwin_amd64.tar.gz
           hgctl_latest_darwin_arm64.tar.gz
+          hgctl_latest_windows_amd64.zip
+          hgctl_latest_windows_arm64.zip
         body: |
           This is the "latest" release of **Higress**, which contains the most recent commits from the main branch.
           

.github/workflows/release-hgctl.yaml

@@ -0,0 +1,37 @@
+name: Release hgctl to GitHub
+
+on:
+  push:
+    tags:
+    - "v*.*.*"
+  workflow_dispatch: ~
+
+jobs:
+  release-hgctl:
+    runs-on: ubuntu-latest
+    env:
+      HGCTL_VERSION: ${{github.ref_name}}
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Build hgctl latest multiarch binaries
+      run: |
+        GOPROXY="https://proxy.golang.org,direct" make build-hgctl-multiarch
+        tar -zcvf hgctl_${{ env.HGCTL_VERSION }}_linux_amd64.tar.gz out/linux_amd64/
+        tar -zcvf hgctl_${{ env.HGCTL_VERSION }}_linux_arm64.tar.gz out/linux_arm64/
+        tar -zcvf hgctl_${{ env.HGCTL_VERSION }}_darwin_amd64.tar.gz out/darwin_amd64/
+        tar -zcvf hgctl_${{ env.HGCTL_VERSION }}_darwin_arm64.tar.gz out/darwin_arm64/
+        zip -q -r hgctl_${{ env.HGCTL_VERSION }}_windows_amd64.zip out/windows_amd64/
+        zip -q -r hgctl_${{ env.HGCTL_VERSION }}_windows_arm64.zip out/windows_arm64/
+
+    - name: Upload hgctl packages to the GitHub release
+      uses: softprops/action-gh-release@v1
+      if: startsWith(github.ref, 'refs/tags/')
+      with:
+        files: |
+          hgctl_${{ env.HGCTL_VERSION }}_linux_amd64.tar.gz
+          hgctl_${{ env.HGCTL_VERSION }}_linux_arm64.tar.gz
+          hgctl_${{ env.HGCTL_VERSION }}_darwin_amd64.tar.gz
+          hgctl_${{ env.HGCTL_VERSION }}_darwin_arm64.tar.gz
+          hgctl_${{ env.HGCTL_VERSION }}_windows_amd64.zip
+          hgctl_${{ env.HGCTL_VERSION }}_windows_arm64.zip

.licenserc.yaml

@@ -26,7 +26,9 @@ header:
     - 'VERSION'
     - 'tools/'
     - 'test/README.md'
-    - 'pkg/cmd/hgctl/testdata/config'
+    - 'test/README_CN.md'
+    - 'cmd/hgctl/config/testdata/config'
+    - 'pkg/cmd/hgctl/manifests'
 
   comment: on-failure
 dependency:

CODEOWNERS

@@ -1,10 +1,10 @@
-/api @johnlanni 
-/envoy @gengleilei @johnlanni @Lynskylate
+/api @johnlanni @CH3CHO
+/envoy @gengleilei @johnlanni
 /istio @SpecialYang @johnlanni
-/pkg @SpecialYang @johnlanni @Charlie17Li @Xunzhuo
-/plugins @johnlanni
-/registry @NameHaibinZhang @johnlanni
-/test @Xunzhuo
-/tools @johnlanni @Xunzhuo
+/pkg @SpecialYang @johnlanni @CH3CHO
+/plugins @johnlanni @WeixinX @CH3CHO
+/registry @NameHaibinZhang @2456868764 @johnlanni
+/test @Xunzhuo @2456868764 @CH3CHO
+/tools @johnlanni @Xunzhuo @2456868764
 
 

CONTRIBUTING_CN.md

@@ -73,6 +73,7 @@
 * [分支定义](#分支定义)
 * [提交规则](#提交规则)
 * [PR说明](#PR说明)
+* [开发前准备](#开发前准备)
 
 ### 工作区准备
 
@@ -168,6 +169,12 @@ git config --get user.email
 
 PR 是更改 Higress 项目文件的唯一方法。为了帮助审查人更好地理解你的目的，PR 描述不能太详细。我们鼓励贡献者遵循 [PR 模板](./.github/PULL_REQUEST_TEMPLATE.md) 来完成拉取请求。
 
+### 开发前准备
+
+```shell
+make prebuild && go mod tidy
+```
+
 ## 测试用例贡献
 
 任何测试用例都会受到欢迎。目前，Higress 功能测试用例是高优先级的。

CONTRIBUTING_EN.md

@@ -169,6 +169,12 @@ No matter commit message, or commit content, we do take more emphasis on code re
 
 PR is the only way to make change to Higress project files. To help reviewers better get your purpose, PR description could not be too detailed. We encourage contributors to follow the [PR template](./.github/PULL_REQUEST_TEMPLATE.md) to finish the pull request.
 
+### Pre-development preparation
+
+```shell
+make prebuild && go mod tidy
+```
+
 ## Test case contribution
 
 Any test case would be welcomed. Currently, Higress function test cases are high priority.

Makefile.core.mk

@@ -15,7 +15,7 @@ GO_LDFLAGS += -X $(VERSION_PACKAGE).higressVersion=$(shell cat VERSION) \
 
 GO ?= go
 
-export GOPROXY ?= https://proxy.golang.com.cn,direct
+export GOPROXY ?= https://proxy.golang.org,direct
 
 TARGET_ARCH ?= amd64
 
@@ -79,20 +79,21 @@ $(ARM64_OUT_LINUX)/higress:
 	GOPROXY=$(GOPROXY) GOOS=linux GOARCH=arm64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/linux_arm64/ $(HIGRESS_BINARIES)
 
 .PHONY: build-hgctl
-build-hgctl: $(OUT)
+build-hgctl: prebuild $(OUT)
 	GOPROXY=$(GOPROXY) GOOS=$(GOOS_LOCAL) GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh $(OUT)/ $(HGCTL_BINARIES)
 
 .PHONY: build-linux-hgctl
-build-linux-hgctl: $(OUT)
+build-linux-hgctl: prebuild $(OUT)
 	GOPROXY=$(GOPROXY) GOOS=linux GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh $(OUT_LINUX)/ $(HGCTL_BINARIES)
 
 .PHONY: build-hgctl-multiarch
-build-hgctl-multiarch: $(OUT)
+build-hgctl-multiarch: prebuild $(OUT)
 	GOPROXY=$(GOPROXY) GOOS=linux GOARCH=amd64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/linux_amd64/ $(HGCTL_BINARIES)
 	GOPROXY=$(GOPROXY) GOOS=linux GOARCH=arm64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/linux_arm64/ $(HGCTL_BINARIES)
 	GOPROXY=$(GOPROXY) GOOS=darwin GOARCH=amd64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/darwin_amd64/ $(HGCTL_BINARIES)
 	GOPROXY=$(GOPROXY) GOOS=darwin GOARCH=arm64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/darwin_arm64/ $(HGCTL_BINARIES)
-
+	GOPROXY=$(GOPROXY) GOOS=windows GOARCH=amd64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/windows_amd64/ $(HGCTL_BINARIES)
+	GOPROXY=$(GOPROXY) GOOS=windows GOARCH=arm64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/windows_arm64/ $(HGCTL_BINARIES)
 # Create targets for OUT_LINUX/binary
 # There are two use cases here:
 # * Building all docker images (generally in CI). In this case we want to build everything at once, so they share work
@@ -137,24 +138,32 @@ export ENVOY_TAR_PATH:=/home/package/envoy.tar.gz
 
 external/package/envoy-amd64.tar.gz:
 #	cd external/proxy; BUILD_WITH_CONTAINER=1  make test_release
-	cd external/package; wget "https://github.com/alibaba/higress/releases/download/v1.0.0/envoy-amd64.tar.gz"
+	cd external/package; wget -O envoy-amd64.tar.gz "https://github.com/alibaba/higress/releases/download/v1.4.0-rc.1/envoy-symbol-amd64.tar.gz"
 
 external/package/envoy-arm64.tar.gz:
 #	cd external/proxy; BUILD_WITH_CONTAINER=1  make test_release
-	cd external/package; wget "https://github.com/alibaba/higress/releases/download/v1.0.0/envoy-arm64.tar.gz"
-
+	cd external/package; wget -O envoy-arm64.tar.gz "https://github.com/alibaba/higress/releases/download/v1.4.0-rc.1/envoy-symbol-arm64.tar.gz"
 
 build-pilot:
 	cd external/istio; rm -rf out/linux_amd64; GOOS_LOCAL=linux TARGET_OS=linux TARGET_ARCH=amd64 BUILD_WITH_CONTAINER=1 make build-linux
 	cd external/istio; rm -rf out/linux_arm64; GOOS_LOCAL=linux TARGET_OS=linux TARGET_ARCH=arm64 BUILD_WITH_CONTAINER=1 make build-linux
 
+build-pilot-local:
+	cd external/istio; rm -rf out/linux_${GOARCH_LOCAL}; GOOS_LOCAL=linux TARGET_OS=linux TARGET_ARCH=${GOARCH_LOCAL} BUILD_WITH_CONTAINER=1 make build-linux
+
 build-gateway: prebuild external/package/envoy-amd64.tar.gz external/package/envoy-arm64.tar.gz build-pilot
 	cd external/istio; BUILD_WITH_CONTAINER=1 BUILDX_PLATFORM=true DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.proxyv2" make docker
 
-build-istio: prebuild build-pilot
-	cd external/istio; BUILD_WITH_CONTAINER=1 BUILDX_PLATFORM=true DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.pilot" make docker	
+build-gateway-local: prebuild external/package/envoy-amd64.tar.gz external/package/envoy-arm64.tar.gz
+	cd external/istio; rm -rf out/linux_${GOARCH_LOCAL}; GOOS_LOCAL=linux TARGET_OS=linux BUILD_WITH_CONTAINER=1 BUILDX_PLATFORM=false DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.proxyv2" make docker
 
-build-wasmplugins: 
+build-istio: prebuild build-pilot
+	cd external/istio; BUILD_WITH_CONTAINER=1 BUILDX_PLATFORM=true DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.pilot" make docker
+
+build-istio-local: prebuild
+	cd external/istio; rm -rf out/linux_${GOARCH_LOCAL}; GOOS_LOCAL=linux TARGET_OS=linux BUILD_WITH_CONTAINER=1 BUILDX_PLATFORM=false DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.pilot" make docker
+
+build-wasmplugins:
 	./tools/hack/build-wasm-plugins.sh
 
 pre-install:
@@ -168,13 +177,13 @@ install: pre-install
 	cd helm/higress; helm dependency build
 	helm install higress helm/higress -n higress-system --create-namespace --set 'global.local=true'
 
-ENVOY_LATEST_IMAGE_TAG ?= 1.1.1
-ISTIO_LATEST_IMAGE_TAG ?= 1.1.1
+ENVOY_LATEST_IMAGE_TAG ?= sha-93966bf
+ISTIO_LATEST_IMAGE_TAG ?= sha-b00f79f
 
 install-dev: pre-install
 	helm install higress helm/core -n higress-system --create-namespace --set 'controller.tag=$(TAG)' --set 'gateway.replicas=1' --set 'pilot.tag=$(ISTIO_LATEST_IMAGE_TAG)' --set 'gateway.tag=$(ENVOY_LATEST_IMAGE_TAG)' --set 'global.local=true'
 install-dev-wasmplugin: build-wasmplugins pre-install
-	helm install higress helm/core -n higress-system --create-namespace --set 'controller.tag=$(TAG)' --set 'gateway.replicas=1' --set 'pilot.tag=$(ISTIO_LATEST_IMAGE_TAG)' --set 'gateway.tag=$(ENVOY_LATEST_IMAGE_TAG)' --set 'global.local=true'  --set 'global.volumeWasmPlugins=true'
+	helm install higress helm/core -n higress-system --create-namespace --set 'controller.tag=$(TAG)' --set 'gateway.replicas=1' --set 'pilot.tag=$(ISTIO_LATEST_IMAGE_TAG)' --set 'gateway.tag=$(ENVOY_LATEST_IMAGE_TAG)' --set 'global.local=true'  --set 'global.volumeWasmPlugins=true' --set 'global.onlyPushRouteCluster=false'
 
 uninstall:
 	helm uninstall higress -n higress-system
@@ -224,14 +233,30 @@ include tools/lint.mk
 .PHONY: gateway-conformance-test
 gateway-conformance-test:
 
+# higress-conformance-test-prepare prepares the environment for higress conformance tests.
+.PHONY: higress-conformance-test-prepare
+higress-conformance-test-prepare: $(tools/kind) delete-cluster create-cluster docker-build kube-load-image install-dev
+
 # higress-conformance-test runs ingress api conformance tests.
 .PHONY: higress-conformance-test
 higress-conformance-test: $(tools/kind) delete-cluster create-cluster docker-build kube-load-image install-dev run-higress-e2e-test delete-cluster
 
+# higress-conformance-test-clean cleans the environment for higress conformance tests.
+.PHONY: higress-conformance-test-clean
+higress-conformance-test-clean: $(tools/kind) delete-cluster
+
+# higress-wasmplugin-test-prepare prepares the environment for higress wasmplugin tests.
+.PHONY: higress-wasmplugin-test-prepare
+higress-wasmplugin-test-prepare: $(tools/kind) delete-cluster create-cluster docker-build kube-load-image install-dev-wasmplugin
+
 # higress-wasmplugin-test runs ingress wasmplugin tests.
 .PHONY: higress-wasmplugin-test
 higress-wasmplugin-test: $(tools/kind) delete-cluster create-cluster docker-build kube-load-image install-dev-wasmplugin run-higress-e2e-test-wasmplugin delete-cluster
 
+# higress-wasmplugin-test-clean cleans the environment for higress wasmplugin tests.
+.PHONY: higress-wasmplugin-test-clean
+higress-wasmplugin-test-clean: $(tools/kind) delete-cluster
+
 # create-cluster creates a kube cluster with kind.
 .PHONY: create-cluster
 create-cluster: $(tools/kind)
@@ -249,18 +274,29 @@ delete-cluster: $(tools/kind) ## Delete kind cluster.
 .PHONY: kube-load-image
 kube-load-image: $(tools/kind) ## Install the Higress image to a kind cluster using the provided $IMAGE and $TAG.
 	tools/hack/kind-load-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/higress $(TAG)
-	tools/hack/docker-pull-image.sh registry.cn-hangzhou.aliyuncs.com/hinsteny/dubbo-provider-demo 0.0.1
-	tools/hack/docker-pull-image.sh registry.cn-hangzhou.aliyuncs.com/hinsteny/nacos-standlone-rc3 1.0.0-RC3
+	tools/hack/docker-pull-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/dubbo-provider-demo 0.0.3-x86
+	tools/hack/docker-pull-image.sh docker.io/alihigress/nacos-standlone-rc3 1.0.0-RC3
 	tools/hack/docker-pull-image.sh docker.io/hashicorp/consul 1.16.0
 	tools/hack/docker-pull-image.sh docker.io/charlie1380/eureka-registry-provider v0.3.0
 	tools/hack/docker-pull-image.sh docker.io/bitinit/eureka latest
-	tools/hack/docker-pull-image.sh registry.cn-hangzhou.aliyuncs.com/2456868764/httpbin 1.0.2
-	tools/hack/kind-load-image.sh registry.cn-hangzhou.aliyuncs.com/hinsteny/dubbo-provider-demo 0.0.1
-	tools/hack/kind-load-image.sh registry.cn-hangzhou.aliyuncs.com/hinsteny/nacos-standlone-rc3 1.0.0-RC3
+	tools/hack/docker-pull-image.sh docker.io/alihigress/httpbin 1.0.2
+	tools/hack/kind-load-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/dubbo-provider-demo 0.0.3-x86
+	tools/hack/kind-load-image.sh docker.io/alihigress/nacos-standlone-rc3 1.0.0-RC3
 	tools/hack/kind-load-image.sh docker.io/hashicorp/consul 1.16.0
-	tools/hack/kind-load-image.sh registry.cn-hangzhou.aliyuncs.com/2456868764/httpbin 1.0.2
+	tools/hack/kind-load-image.sh docker.io/alihigress/httpbin 1.0.2
 	tools/hack/kind-load-image.sh docker.io/charlie1380/eureka-registry-provider v0.3.0
 	tools/hack/kind-load-image.sh docker.io/bitinit/eureka latest
+
+# run-higress-e2e-test-setup starts to setup ingress e2e tests.
+.PHONT: run-higress-e2e-test-setup
+run-higress-e2e-test-setup:
+	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
+	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
+	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
+	go test -v -tags conformance ./test/e2e/e2e_test.go --ingress-class=higress --debug=true --test-area=setup
+
 # run-higress-e2e-test starts to run ingress e2e tests.
 .PHONY: run-higress-e2e-test
 run-higress-e2e-test:
@@ -269,9 +305,39 @@ run-higress-e2e-test:
 	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
 	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
 	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
-	go test -v -tags conformance ./test/e2e/e2e_test.go --ingress-class=higress --debug=true
+	go test -v -tags conformance ./test/e2e/e2e_test.go --ingress-class=higress --debug=true --test-area=all --execute-tests=$(TEST_SHORTNAME)
 
-# run-higress-e2e-test starts to run ingress e2e tests.
+# run-higress-e2e-test-run starts to run ingress e2e conformance tests.
+.PHONY: run-higress-e2e-test-run
+run-higress-e2e-test-run:
+	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
+	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
+	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
+	go test -v -tags conformance ./test/e2e/e2e_test.go --ingress-class=higress --debug=true --test-area=run --execute-tests=$(TEST_SHORTNAME)
+
+# run-higress-e2e-test-clean starts to clean ingress e2e tests.
+.PHONY: run-higress-e2e-test-clean
+run-higress-e2e-test-clean:
+	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
+	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
+	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
+	go test -v -tags conformance ./test/e2e/e2e_test.go --ingress-class=higress --debug=true --test-area=clean
+
+# run-higress-e2e-test-wasmplugin-setup starts to prepare ingress e2e tests.
+.PHONY: run-higress-e2e-test-wasmplugin-setup
+run-higress-e2e-test-wasmplugin-setup:
+	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
+	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
+	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
+	go test -v -tags conformance ./test/e2e/e2e_test.go -isWasmPluginTest=true -wasmPluginType=$(PLUGIN_TYPE) -wasmPluginName=$(PLUGIN_NAME) --ingress-class=higress --debug=true --test-area=setup
+
+# run-higress-e2e-test-wasmplugin starts to run ingress e2e tests.
 .PHONY: run-higress-e2e-test-wasmplugin
 run-higress-e2e-test-wasmplugin:
 	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
@@ -279,4 +345,24 @@ run-higress-e2e-test-wasmplugin:
 	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
 	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
 	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
-	go test -v -tags conformance ./test/e2e/e2e_test.go -isWasmPluginTest=true -wasmPluginType=$(PLUGIN_TYPE) -wasmPluginName=$(PLUGIN_NAME) --ingress-class=higress --debug=true
+	go test -v -tags conformance ./test/e2e/e2e_test.go -isWasmPluginTest=true -wasmPluginType=$(PLUGIN_TYPE) -wasmPluginName=$(PLUGIN_NAME) --ingress-class=higress --debug=true --test-area=all --execute-tests=$(TEST_SHORTNAME)
+
+# run-higress-e2e-test-wasmplugin-run starts to run ingress e2e conformance tests.
+.PHONY: run-higress-e2e-test-wasmplugin-run
+run-higress-e2e-test-wasmplugin-run:
+	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
+	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
+	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
+	go test -v -tags conformance ./test/e2e/e2e_test.go -isWasmPluginTest=true -wasmPluginType=$(PLUGIN_TYPE) -wasmPluginName=$(PLUGIN_NAME) --ingress-class=higress --debug=true --test-area=run --execute-tests=$(TEST_SHORTNAME)
+
+# run-higress-e2e-test-wasmplugin-clean starts to clean ingress e2e tests.
+.PHONY: run-higress-e2e-test-wasmplugin-clean
+run-higress-e2e-test-wasmplugin-clean:
+	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
+	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
+	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
+	go test -v -tags conformance ./test/e2e/e2e_test.go -isWasmPluginTest=true -wasmPluginType=$(PLUGIN_TYPE) -wasmPluginName=$(PLUGIN_NAME) --ingress-class=higress --debug=true --test-area=clean

README.md

@@ -1,10 +1,10 @@
 <h1 align="center">
     <img src="https://img.alicdn.com/imgextra/i2/O1CN01NwxLDd20nxfGBjxmZ_!!6000000006895-2-tps-960-290.png" alt="Higress" width="240" height="72.5">
   <br>
-  Next-generation Cloud Native Gateway
+  Cloud Native API Gateway
 </h1>
 
-[![Build Status](https://github.com/alibaba/higress/workflows/build%20and%20codecov/badge.svg?branch=main)](https://github.com/alibaba/higress/actions)
+[![Build Status](https://github.com/alibaba/higress/actions/workflows/build-and-test.yaml/badge.svg?branch=main)](https://github.com/alibaba/higress/actions)
 [![license](https://img.shields.io/github/license/alibaba/higress.svg)](https://www.apache.org/licenses/LICENSE-2.0.html)
 
 [**官网**](https://higress.io/) &nbsp; |
@@ -19,7 +19,7 @@
 </p>
 
 
-Higress 是基于阿里内部两年多的 Envoy Gateway 实践沉淀，以开源 [Istio](https://github.com/istio/istio) 与 [Envoy](https://github.com/envoyproxy/envoy) 为核心构建的下一代云原生网关。Higress 实现了安全防护网关、流量网关、微服务网关三层网关合一，可以显著降低网关的部署和运维成本。
+Higress 是基于阿里内部两年多的 Envoy Gateway 实践沉淀，以开源 [Istio](https://github.com/istio/istio) 与 [Envoy](https://github.com/envoyproxy/envoy) 为核心构建的云原生 API 网关。Higress 实现了安全防护网关、流量网关、微服务网关三层网关合一，可以显著降低网关的部署和运维成本。
 
 ![arch](https://img.alicdn.com/imgextra/i1/O1CN01iO9ph825juHbOIg75_!!6000000007563-2-tps-2483-2024.png)
 
@@ -119,15 +119,13 @@ Higress 是基于阿里内部两年多的 Envoy Gateway 实践沉淀，以开源
 
 如果没有 Envoy 和 Istio 的开源工作，Higress 就不可能实现，在这里向这两个项目献上最诚挚的敬意。
 
-### 联系我们
+### 交流群
 
-- Mailing list: higress@googlegroups.com
+![image](https://img.alicdn.com/imgextra/i2/O1CN01qPd7Ix1uZPVEsWjWp_!!6000000006051-0-tps-720-405.jpg)
 
-社区交流群: 
+### 技术分享
 
-![image](https://img.alicdn.com/imgextra/i1/O1CN01KWonlE1DkpqaYVTiC_!!6000000000255-0-tps-720-405.jpg)
+微信公众号：
 
+![](https://img.alicdn.com/imgextra/i1/O1CN01WnQt0q1tcmqVDU73u_!!6000000005923-0-tps-258-258.jpg)
 
-开发者群：
-
-![image](https://img.alicdn.com/imgextra/i2/O1CN010jFMgn1qTDaHqeIgH_!!6000000005496-2-tps-406-531.png)

README_EN.md

@@ -1,10 +1,10 @@
 <h1 align="center">
     <img src="https://img.alicdn.com/imgextra/i2/O1CN01NwxLDd20nxfGBjxmZ_!!6000000006895-2-tps-960-290.png" alt="Higress" width="240" height="72.5">
   <br>
-  Next-generation Cloud Native Gateway
+  Cloud Native API Gateway
 </h1>
 
-[![Build Status](https://github.com/alibaba/higress/workflows/build%20and%20codecov/badge.svg?branch=main)](https://github.com/alibaba/higress/actions)
+[![Build Status](https://github.com/alibaba/higress/actions/workflows/build-and-test.yaml/badge.svg?branch=main)](https://github.com/alibaba/higress/actions)
 [![license](https://img.shields.io/github/license/alibaba/higress.svg)](https://www.apache.org/licenses/LICENSE-2.0.html)
 
 [**Official Site**](https://higress.io/en-us/) &nbsp; |
@@ -18,7 +18,7 @@
    English | <a href="README.md">中文<a/>
 </p>
 
-Higress is a next-generation cloud-native gateway based on Alibaba's internal gateway practices. 
+Higress is a cloud-native api gateway based on Alibaba's internal gateway practices. 
 
 Powered by [Istio](https://github.com/istio/istio) and [Envoy](https://github.com/envoyproxy/envoy), Higress realizes the integration of the triple gateway architecture of traffic gateway, microservice gateway and security gateway, thereby greatly reducing the costs of deployment, operation and maintenance.
 

VERSION

@@ -1 +1 @@
-v1.1.2
+v1.4.0

api/extensions/v1alpha1/wasm.pb.go

@@ -166,7 +166,7 @@ type WasmPlugin struct {
 	// If `priority` is not set, or two `WasmPlugins` exist with the same
 	// value, the ordering will be deterministically derived from name and
 	// namespace of the `WasmPlugins`. Defaults to `0`.
-	Priority *types.Int64Value `protobuf:"bytes,10,opt,name=priority,proto3" json:"priority,omitempty"`
+	Priority *types.Int32Value `protobuf:"bytes,10,opt,name=priority,proto3" json:"priority,omitempty"`
 	// Extended by Higress, the default configuration takes effect globally
 	DefaultConfig *types.Struct `protobuf:"bytes,101,opt,name=default_config,json=defaultConfig,proto3" json:"default_config,omitempty"`
 	// Extended by Higress, matching rules take effect
@@ -267,7 +267,7 @@ func (m *WasmPlugin) GetPhase() PluginPhase {
 	return PluginPhase_UNSPECIFIED_PHASE
 }
 
-func (m *WasmPlugin) GetPriority() *types.Int64Value {
+func (m *WasmPlugin) GetPriority() *types.Int32Value {
 	if m != nil {
 		return m.Priority
 	}
@@ -377,46 +377,46 @@ func init() {
 func init() { proto.RegisterFile("extensions/v1alpha1/wasm.proto", fileDescriptor_4d60b240916c4e18) }
 
 var fileDescriptor_4d60b240916c4e18 = []byte{
-	// 617 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x94, 0xdf, 0x4e, 0x13, 0x41,
-	0x14, 0xc6, 0xd9, 0x16, 0x0a, 0x3d, 0x05, 0x5c, 0x26, 0x8a, 0x13, 0x30, 0xb5, 0x21, 0x51, 0x57,
-	0x2e, 0x76, 0x43, 0x45, 0xbc, 0x31, 0xc4, 0x02, 0x55, 0x1a, 0xb5, 0x6e, 0x76, 0x41, 0x23, 0x37,
-	0x9b, 0xe9, 0x32, 0xdd, 0x4e, 0x9c, 0xfd, 0x93, 0x9d, 0x59, 0xb0, 0x0f, 0xe2, 0x3b, 0x79, 0xe9,
-	0x23, 0x18, 0xde, 0xc2, 0x3b, 0xd3, 0xd9, 0x2d, 0x6d, 0xd1, 0xf4, 0x6e, 0xe6, 0x9c, 0xdf, 0x39,
-	0xe7, 0xfb, 0xce, 0x4e, 0x16, 0xea, 0xf4, 0xbb, 0xa4, 0x91, 0x60, 0x71, 0x24, 0xac, 0xab, 0x3d,
-	0xc2, 0x93, 0x01, 0xd9, 0xb3, 0xae, 0x89, 0x08, 0xcd, 0x24, 0x8d, 0x65, 0x8c, 0xb6, 0x07, 0x2c,
-	0x48, 0xa9, 0x10, 0xe6, 0x84, 0x33, 0xc7, 0xdc, 0x56, 0x3d, 0x88, 0xe3, 0x80, 0x53, 0x4b, 0xa1,
-	0xbd, 0xac, 0x6f, 0x5d, 0xa7, 0x24, 0x49, 0x68, 0x2a, 0xf2, 0xe2, 0xad, 0x47, 0x77, 0xf3, 0x42,
-	0xa6, 0x99, 0x2f, 0xf3, 0xec, 0xce, 0x9f, 0x45, 0x80, 0x2f, 0x44, 0x84, 0x36, 0xcf, 0x02, 0x16,
-	0x21, 0x1d, 0xca, 0x59, 0xca, 0x71, 0xa9, 0xa1, 0x19, 0x55, 0x67, 0x74, 0x44, 0x9b, 0x50, 0x11,
-	0x03, 0xd2, 0x7c, 0x79, 0x80, 0xcb, 0x2a, 0x58, 0xdc, 0x90, 0x0b, 0x1b, 0x2c, 0x24, 0x01, 0xf5,
-	0x92, 0x8c, 0x73, 0x2f, 0x89, 0x39, 0xf3, 0x87, 0x78, 0xb1, 0xa1, 0x19, 0xeb, 0xcd, 0x67, 0xe6,
-	0x1c, 0xbd, 0xa6, 0x9d, 0x71, 0x6e, 0x2b, 0xdc, 0xb9, 0xa7, 0x3a, 0x4c, 0x02, 0x68, 0x77, 0xa6,
-	0xa9, 0xa0, 0x7e, 0x4a, 0x25, 0x5e, 0x52, 0x73, 0x27, 0xac, 0xab, 0xc2, 0xe8, 0x39, 0xe8, 0x57,
-	0x34, 0x65, 0x7d, 0xe6, 0x13, 0xc9, 0xe2, 0xc8, 0xfb, 0x46, 0x87, 0xb8, 0x92, 0xa3, 0xd3, 0xf1,
-	0xf7, 0x74, 0x88, 0x5e, 0xc3, 0x5a, 0xa2, 0xfc, 0x79, 0x7e, 0x1c, 0xf5, 0x59, 0x80, 0x97, 0x1b,
-	0x9a, 0x51, 0x6b, 0x3e, 0x34, 0xf3, 0xd5, 0x98, 0xe3, 0xd5, 0x98, 0xae, 0x5a, 0x8d, 0xb3, 0x9a,
-	0xd3, 0xc7, 0x0a, 0x46, 0x8f, 0xa1, 0x56, 0x54, 0x47, 0x24, 0xa4, 0x78, 0x45, 0xcd, 0x80, 0x3c,
-	0xd4, 0x25, 0x21, 0x45, 0x87, 0xb0, 0x94, 0x0c, 0x88, 0xa0, 0xb8, 0xaa, 0xec, 0x1b, 0xf3, 0xed,
-	0xab, 0x3a, 0x7b, 0xc4, 0x3b, 0x79, 0x19, 0x7a, 0x05, 0x2b, 0x49, 0xca, 0xe2, 0x94, 0xc9, 0x21,
-	0x06, 0xa5, 0x6c, 0xfb, 0x1f, 0x65, 0x9d, 0x48, 0x1e, 0xec, 0x7f, 0x26, 0x3c, 0xa3, 0xce, 0x2d,
-	0x8c, 0x0e, 0x61, 0xfd, 0x92, 0xf6, 0x49, 0xc6, 0xe5, 0xd8, 0x18, 0x9d, 0x6f, 0x6c, 0xad, 0xc0,
-	0x0b, 0x67, 0xef, 0xa0, 0x16, 0x12, 0xe9, 0x0f, 0xbc, 0x34, 0xe3, 0x54, 0xe0, 0x7e, 0xa3, 0x6c,
-	0xd4, 0x9a, 0x4f, 0xe7, 0xca, 0xff, 0x38, 0xe2, 0x9d, 0x8c, 0x53, 0x07, 0xc2, 0xf1, 0x51, 0xa0,
-	0x7d, 0xd8, 0x9c, 0x15, 0xe2, 0x5d, 0x32, 0x41, 0x7a, 0x9c, 0xe2, 0xa0, 0xa1, 0x19, 0x2b, 0xce,
-	0xfd, 0x99, 0xb9, 0x27, 0x79, 0x6e, 0xe7, 0x87, 0x06, 0xd5, 0xdb, 0x7e, 0x08, 0xc3, 0x32, 0x8b,
-	0xd4, 0x60, 0xac, 0x35, 0xca, 0x46, 0xd5, 0x19, 0x5f, 0x47, 0x4f, 0xf0, 0x32, 0x0e, 0x09, 0x8b,
-	0x70, 0x49, 0x25, 0x8a, 0x1b, 0xb2, 0xa0, 0x52, 0xd8, 0x2e, 0xcf, 0xb7, 0x5d, 0x60, 0xe8, 0x09,
-	0xac, 0xdf, 0x91, 0xb7, 0xa8, 0xe4, 0xad, 0xf9, 0xd3, 0xba, 0x76, 0xdb, 0x50, 0x9b, 0xfa, 0x4a,
-	0xe8, 0x01, 0x6c, 0x9c, 0x77, 0x5d, 0xbb, 0x7d, 0xdc, 0x79, 0xdb, 0x69, 0x9f, 0x78, 0xf6, 0x69,
-	0xcb, 0x6d, 0xeb, 0x0b, 0xa8, 0x0a, 0x4b, 0xad, 0xf3, 0xb3, 0xd3, 0xae, 0xae, 0x8d, 0x8f, 0x17,
-	0x7a, 0x69, 0x74, 0x74, 0xcf, 0x5a, 0x67, 0xae, 0x5e, 0xde, 0x3d, 0x02, 0x98, 0x7a, 0xda, 0x9b,
-	0x80, 0x66, 0xba, 0x7c, 0xfa, 0xd0, 0x39, 0xfe, 0xaa, 0x2f, 0x20, 0x1d, 0x56, 0x3b, 0xfd, 0x6e,
-	0x2c, 0xed, 0x94, 0x0a, 0x1a, 0x49, 0x5d, 0x43, 0x00, 0x95, 0x16, 0xbf, 0x26, 0x43, 0xa1, 0x97,
-	0x8e, 0xde, 0xfc, 0xbc, 0xa9, 0x6b, 0xbf, 0x6e, 0xea, 0xda, 0xef, 0x9b, 0xba, 0x76, 0xd1, 0x0c,
-	0x98, 0x1c, 0x64, 0x3d, 0xd3, 0x8f, 0x43, 0x8b, 0x70, 0xd6, 0x23, 0x3d, 0x62, 0x15, 0x1f, 0xcb,
-	0x22, 0x09, 0xb3, 0xfe, 0xf3, 0x1b, 0xe9, 0x55, 0xd4, 0x32, 0x5e, 0xfc, 0x0d, 0x00, 0x00, 0xff,
-	0xff, 0x48, 0x74, 0xbe, 0xc1, 0x64, 0x04, 0x00, 0x00,
+	// 619 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x94, 0xdd, 0x4e, 0xdb, 0x4c,
+	0x10, 0x86, 0x71, 0x02, 0x81, 0x4c, 0x80, 0xcf, 0xac, 0xbe, 0xd2, 0x15, 0x54, 0x69, 0x84, 0xd4,
+	0xd6, 0xe5, 0xc0, 0x16, 0xa1, 0x3f, 0x27, 0x15, 0x6a, 0x80, 0xb4, 0x44, 0x6d, 0x53, 0xcb, 0x86,
+	0x56, 0xe5, 0xc4, 0xda, 0x98, 0x8d, 0xb3, 0xea, 0xfa, 0x47, 0xde, 0x35, 0x34, 0x17, 0xd2, 0x7b,
+	0xea, 0x61, 0x2f, 0xa1, 0xe2, 0x2e, 0x7a, 0x56, 0x65, 0x6d, 0x43, 0x42, 0xab, 0x9c, 0xed, 0xce,
+	0x3c, 0x33, 0xf3, 0xbe, 0xe3, 0x95, 0xa1, 0x49, 0xbf, 0x49, 0x1a, 0x09, 0x16, 0x47, 0xc2, 0xba,
+	0xdc, 0x23, 0x3c, 0x19, 0x91, 0x3d, 0xeb, 0x8a, 0x88, 0xd0, 0x4c, 0xd2, 0x58, 0xc6, 0x68, 0x7b,
+	0xc4, 0x82, 0x94, 0x0a, 0x61, 0xde, 0x72, 0x66, 0xc9, 0x6d, 0x35, 0x83, 0x38, 0x0e, 0x38, 0xb5,
+	0x14, 0x3a, 0xc8, 0x86, 0xd6, 0x55, 0x4a, 0x92, 0x84, 0xa6, 0x22, 0x2f, 0xde, 0x7a, 0x70, 0x37,
+	0x2f, 0x64, 0x9a, 0xf9, 0x32, 0xcf, 0xee, 0xfc, 0x5e, 0x04, 0xf8, 0x4c, 0x44, 0x68, 0xf3, 0x2c,
+	0x60, 0x11, 0xd2, 0xa1, 0x9a, 0xa5, 0x1c, 0x57, 0x5a, 0x9a, 0x51, 0x77, 0x26, 0x47, 0xb4, 0x09,
+	0x35, 0x31, 0x22, 0xed, 0xe7, 0x2f, 0x70, 0x55, 0x05, 0x8b, 0x1b, 0x72, 0x61, 0x83, 0x85, 0x24,
+	0xa0, 0x5e, 0x92, 0x71, 0xee, 0x25, 0x31, 0x67, 0xfe, 0x18, 0x2f, 0xb6, 0x34, 0x63, 0xbd, 0xfd,
+	0xc4, 0x9c, 0xa3, 0xd7, 0xb4, 0x33, 0xce, 0x6d, 0x85, 0x3b, 0xff, 0xa9, 0x0e, 0xb7, 0x01, 0xb4,
+	0x3b, 0xd3, 0x54, 0x50, 0x3f, 0xa5, 0x12, 0x2f, 0xa9, 0xb9, 0xb7, 0xac, 0xab, 0xc2, 0xe8, 0x29,
+	0xe8, 0x97, 0x34, 0x65, 0x43, 0xe6, 0x13, 0xc9, 0xe2, 0xc8, 0xfb, 0x4a, 0xc7, 0xb8, 0x96, 0xa3,
+	0xd3, 0xf1, 0x77, 0x74, 0x8c, 0x5e, 0xc1, 0x5a, 0xa2, 0xfc, 0x79, 0x7e, 0x1c, 0x0d, 0x59, 0x80,
+	0x97, 0x5b, 0x9a, 0xd1, 0x68, 0xdf, 0x37, 0xf3, 0xd5, 0x98, 0xe5, 0x6a, 0x4c, 0x57, 0xad, 0xc6,
+	0x59, 0xcd, 0xe9, 0x23, 0x05, 0xa3, 0x87, 0xd0, 0x28, 0xaa, 0x23, 0x12, 0x52, 0xbc, 0xa2, 0x66,
+	0x40, 0x1e, 0xea, 0x93, 0x90, 0xa2, 0x03, 0x58, 0x4a, 0x46, 0x44, 0x50, 0x5c, 0x57, 0xf6, 0x8d,
+	0xf9, 0xf6, 0x55, 0x9d, 0x3d, 0xe1, 0x9d, 0xbc, 0x0c, 0xbd, 0x84, 0x95, 0x24, 0x65, 0x71, 0xca,
+	0xe4, 0x18, 0x83, 0x52, 0xb6, 0xfd, 0x97, 0xb2, 0x5e, 0x24, 0xf7, 0xdb, 0x9f, 0x08, 0xcf, 0xa8,
+	0x73, 0x03, 0xa3, 0x03, 0x58, 0xbf, 0xa0, 0x43, 0x92, 0x71, 0x59, 0x1a, 0xa3, 0xf3, 0x8d, 0xad,
+	0x15, 0x78, 0xe1, 0xec, 0x2d, 0x34, 0x42, 0x22, 0xfd, 0x91, 0x97, 0x66, 0x9c, 0x0a, 0x3c, 0x6c,
+	0x55, 0x8d, 0x46, 0xfb, 0xf1, 0x5c, 0xf9, 0x1f, 0x26, 0xbc, 0x93, 0x71, 0xea, 0x40, 0x58, 0x1e,
+	0x05, 0x7a, 0x06, 0x9b, 0xb3, 0x42, 0xbc, 0x0b, 0x26, 0xc8, 0x80, 0x53, 0x1c, 0xb4, 0x34, 0x63,
+	0xc5, 0xf9, 0x7f, 0x66, 0xee, 0x71, 0x9e, 0xdb, 0xf9, 0xae, 0x41, 0xfd, 0xa6, 0x1f, 0xc2, 0xb0,
+	0xcc, 0x22, 0x35, 0x18, 0x6b, 0xad, 0xaa, 0x51, 0x77, 0xca, 0xeb, 0xe4, 0x09, 0x5e, 0xc4, 0x21,
+	0x61, 0x11, 0xae, 0xa8, 0x44, 0x71, 0x43, 0x16, 0xd4, 0x0a, 0xdb, 0xd5, 0xf9, 0xb6, 0x0b, 0x0c,
+	0x3d, 0x82, 0xf5, 0x3b, 0xf2, 0x16, 0x95, 0xbc, 0x35, 0x7f, 0x5a, 0xd7, 0x6e, 0x17, 0x1a, 0x53,
+	0x5f, 0x09, 0xdd, 0x83, 0x8d, 0xb3, 0xbe, 0x6b, 0x77, 0x8f, 0x7a, 0x6f, 0x7a, 0xdd, 0x63, 0xcf,
+	0x3e, 0xe9, 0xb8, 0x5d, 0x7d, 0x01, 0xd5, 0x61, 0xa9, 0x73, 0x76, 0x7a, 0xd2, 0xd7, 0xb5, 0xf2,
+	0x78, 0xae, 0x57, 0x26, 0x47, 0xf7, 0xb4, 0x73, 0xea, 0xea, 0xd5, 0xdd, 0x43, 0x80, 0xa9, 0xa7,
+	0xbd, 0x09, 0x68, 0xa6, 0xcb, 0xc7, 0xf7, 0xbd, 0xa3, 0x2f, 0xfa, 0x02, 0xd2, 0x61, 0xb5, 0x37,
+	0xec, 0xc7, 0xd2, 0x4e, 0xa9, 0xa0, 0x91, 0xd4, 0x35, 0x04, 0x50, 0xeb, 0xf0, 0x2b, 0x32, 0x16,
+	0x7a, 0xe5, 0xf0, 0xf5, 0x8f, 0xeb, 0xa6, 0xf6, 0xf3, 0xba, 0xa9, 0xfd, 0xba, 0x6e, 0x6a, 0xe7,
+	0xed, 0x80, 0xc9, 0x51, 0x36, 0x30, 0xfd, 0x38, 0xb4, 0x08, 0x67, 0x03, 0x32, 0x20, 0x56, 0xf1,
+	0xb1, 0x2c, 0x92, 0x30, 0xeb, 0x1f, 0xbf, 0x91, 0x41, 0x4d, 0x2d, 0x63, 0xff, 0x4f, 0x00, 0x00,
+	0x00, 0xff, 0xff, 0xb9, 0xf2, 0x67, 0xbe, 0x64, 0x04, 0x00, 0x00,
 }
 
 func (m *WasmPlugin) Marshal() (dAtA []byte, err error) {
@@ -1024,7 +1024,7 @@ func (m *WasmPlugin) Unmarshal(dAtA []byte) error {
 				return io.ErrUnexpectedEOF
 			}
 			if m.Priority == nil {
-				m.Priority = &types.Int64Value{}
+				m.Priority = &types.Int32Value{}
 			}
 			if err := m.Priority.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
 				return err

api/extensions/v1alpha1/wasm.proto

@@ -98,7 +98,7 @@ message WasmPlugin {
   // If `priority` is not set, or two `WasmPlugins` exist with the same
   // value, the ordering will be deterministically derived from name and
   // namespace of the `WasmPlugins`. Defaults to `0`.
-  google.protobuf.Int64Value priority = 10;
+  google.protobuf.Int32Value priority = 10;
 
   // Extended by Higress, the default configuration takes effect globally
   google.protobuf.Struct default_config = 101;

api/kubernetes/customresourcedefinitions.gen.yaml

@@ -154,6 +154,11 @@ spec:
                           type: array
                         httpPath:
                           type: string
+                        paramFromEntireBody:
+                          properties:
+                            paramType:
+                              type: string
+                          type: object
                         params:
                           items:
                             properties:

api/networking/v1/http_2_rpc.pb.go

@@ -200,14 +200,15 @@ func (m *DubboService) GetMethods() []*Method {
 }
 
 type Method struct {
-	ServiceMethod        string   `protobuf:"bytes,1,opt,name=service_method,json=serviceMethod,proto3" json:"service_method,omitempty"`
-	HeadersAttach        string   `protobuf:"bytes,2,opt,name=headers_attach,json=headersAttach,proto3" json:"headers_attach,omitempty"`
-	HttpPath             string   `protobuf:"bytes,3,opt,name=http_path,json=httpPath,proto3" json:"http_path,omitempty"`
-	HttpMethods          []string `protobuf:"bytes,4,rep,name=http_methods,json=httpMethods,proto3" json:"http_methods,omitempty"`
-	Params               []*Param `protobuf:"bytes,5,rep,name=params,proto3" json:"params,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
+	ServiceMethod        string               `protobuf:"bytes,1,opt,name=service_method,json=serviceMethod,proto3" json:"service_method,omitempty"`
+	HeadersAttach        string               `protobuf:"bytes,2,opt,name=headers_attach,json=headersAttach,proto3" json:"headers_attach,omitempty"`
+	HttpPath             string               `protobuf:"bytes,3,opt,name=http_path,json=httpPath,proto3" json:"http_path,omitempty"`
+	HttpMethods          []string             `protobuf:"bytes,4,rep,name=http_methods,json=httpMethods,proto3" json:"http_methods,omitempty"`
+	Params               []*Param             `protobuf:"bytes,5,rep,name=params,proto3" json:"params,omitempty"`
+	ParamFromEntireBody  *ParamFromEntireBody `protobuf:"bytes,6,opt,name=paramFromEntireBody,proto3" json:"paramFromEntireBody,omitempty"`
+	XXX_NoUnkeyedLiteral struct{}             `json:"-"`
+	XXX_unrecognized     []byte               `json:"-"`
+	XXX_sizecache        int32                `json:"-"`
 }
 
 func (m *Method) Reset()         { *m = Method{} }
@@ -278,6 +279,13 @@ func (m *Method) GetParams() []*Param {
 	return nil
 }
 
+func (m *Method) GetParamFromEntireBody() *ParamFromEntireBody {
+	if m != nil {
+		return m.ParamFromEntireBody
+	}
+	return nil
+}
+
 type Param struct {
 	ParamSource          string   `protobuf:"bytes,1,opt,name=param_source,json=paramSource,proto3" json:"param_source,omitempty"`
 	ParamKey             string   `protobuf:"bytes,2,opt,name=param_key,json=paramKey,proto3" json:"param_key,omitempty"`
@@ -341,6 +349,53 @@ func (m *Param) GetParamType() string {
 	return ""
 }
 
+type ParamFromEntireBody struct {
+	ParamType            string   `protobuf:"bytes,1,opt,name=param_type,json=paramType,proto3" json:"param_type,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *ParamFromEntireBody) Reset()         { *m = ParamFromEntireBody{} }
+func (m *ParamFromEntireBody) String() string { return proto.CompactTextString(m) }
+func (*ParamFromEntireBody) ProtoMessage()    {}
+func (*ParamFromEntireBody) Descriptor() ([]byte, []int) {
+	return fileDescriptor_dc706c3b890c1c84, []int{4}
+}
+func (m *ParamFromEntireBody) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *ParamFromEntireBody) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	if deterministic {
+		return xxx_messageInfo_ParamFromEntireBody.Marshal(b, m, deterministic)
+	} else {
+		b = b[:cap(b)]
+		n, err := m.MarshalToSizedBuffer(b)
+		if err != nil {
+			return nil, err
+		}
+		return b[:n], nil
+	}
+}
+func (m *ParamFromEntireBody) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ParamFromEntireBody.Merge(m, src)
+}
+func (m *ParamFromEntireBody) XXX_Size() int {
+	return m.Size()
+}
+func (m *ParamFromEntireBody) XXX_DiscardUnknown() {
+	xxx_messageInfo_ParamFromEntireBody.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ParamFromEntireBody proto.InternalMessageInfo
+
+func (m *ParamFromEntireBody) GetParamType() string {
+	if m != nil {
+		return m.ParamType
+	}
+	return ""
+}
+
 type GrpcService struct {
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
@@ -351,7 +406,7 @@ func (m *GrpcService) Reset()         { *m = GrpcService{} }
 func (m *GrpcService) String() string { return proto.CompactTextString(m) }
 func (*GrpcService) ProtoMessage()    {}
 func (*GrpcService) Descriptor() ([]byte, []int) {
-	return fileDescriptor_dc706c3b890c1c84, []int{4}
+	return fileDescriptor_dc706c3b890c1c84, []int{5}
 }
 func (m *GrpcService) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -385,42 +440,46 @@ func init() {
 	proto.RegisterType((*DubboService)(nil), "higress.networking.v1.DubboService")
 	proto.RegisterType((*Method)(nil), "higress.networking.v1.Method")
 	proto.RegisterType((*Param)(nil), "higress.networking.v1.Param")
+	proto.RegisterType((*ParamFromEntireBody)(nil), "higress.networking.v1.ParamFromEntireBody")
 	proto.RegisterType((*GrpcService)(nil), "higress.networking.v1.GrpcService")
 }
 
 func init() { proto.RegisterFile("networking/v1/http_2_rpc.proto", fileDescriptor_dc706c3b890c1c84) }
 
 var fileDescriptor_dc706c3b890c1c84 = []byte{
-	// 463 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x74, 0x53, 0xcf, 0x8a, 0xd3, 0x40,
-	0x18, 0x77, 0xba, 0x6d, 0xb7, 0xfb, 0x65, 0xeb, 0x61, 0x40, 0x08, 0x8b, 0xc6, 0x35, 0x7b, 0x70,
-	0x41, 0x49, 0xd8, 0xea, 0x41, 0x14, 0x0f, 0x5b, 0x04, 0x17, 0x44, 0x58, 0xb2, 0x9e, 0xbc, 0x84,
-	0x49, 0x32, 0x66, 0x86, 0x6d, 0x33, 0xc3, 0xcc, 0x34, 0xda, 0xb7, 0xf0, 0x35, 0x7c, 0x13, 0x8f,
-	0x3e, 0x82, 0x14, 0x1f, 0x44, 0x32, 0x93, 0x6e, 0x13, 0xb1, 0xb7, 0xf0, 0xfb, 0x33, 0xdf, 0xef,
-	0xc7, 0xf7, 0x05, 0x82, 0x8a, 0x9a, 0xaf, 0x42, 0xdd, 0xf2, 0xaa, 0x8c, 0xeb, 0x8b, 0x98, 0x19,
-	0x23, 0xd3, 0x59, 0xaa, 0x64, 0x1e, 0x49, 0x25, 0x8c, 0xc0, 0x0f, 0x18, 0x2f, 0x15, 0xd5, 0x3a,
-	0xda, 0xe9, 0xa2, 0xfa, 0xe2, 0xe4, 0x71, 0x29, 0x44, 0xb9, 0xa0, 0x31, 0x91, 0x3c, 0xfe, 0xc2,
-	0xe9, 0xa2, 0x48, 0x33, 0xca, 0x48, 0xcd, 0x85, 0x72, 0xbe, 0xf0, 0x3b, 0x82, 0xc9, 0x95, 0x31,
-	0x72, 0x96, 0xc8, 0x1c, 0xbf, 0x81, 0x51, 0xb1, 0xca, 0x32, 0xe1, 0xa3, 0x53, 0x74, 0xee, 0xcd,
-	0xce, 0xa2, 0xff, 0x3e, 0x1a, 0xbd, 0x6b, 0x34, 0x37, 0x54, 0xd5, 0x3c, 0xa7, 0x57, 0xf7, 0x12,
-	0xe7, 0xc1, 0xaf, 0x60, 0x58, 0x2a, 0x99, 0xfb, 0x03, 0xeb, 0x0d, 0xf7, 0x78, 0xdf, 0x2b, 0x99,
-	0xef, 0xac, 0xd6, 0x31, 0x9f, 0x82, 0x57, 0x50, 0x6d, 0x78, 0x45, 0x0c, 0x17, 0x55, 0xf8, 0x03,
-	0xc1, 0x71, 0x77, 0x04, 0x0e, 0xe0, 0x50, 0xbb, 0x4f, 0x1b, 0xec, 0x68, 0x3e, 0xdc, 0x5c, 0xa2,
-	0x41, 0xb2, 0x05, 0x1b, 0xbe, 0xa6, 0x4a, 0x73, 0x51, 0xd9, 0xe1, 0x77, 0x7c, 0x0b, 0xe2, 0x13,
-	0x18, 0x95, 0x4a, 0xac, 0xa4, 0x7f, 0x70, 0xc7, 0xa2, 0xc4, 0x41, 0xf8, 0x2d, 0x1c, 0x2e, 0xa9,
-	0x61, 0xa2, 0xd0, 0xfe, 0xf0, 0xf4, 0xe0, 0xdc, 0x9b, 0x3d, 0xda, 0x13, 0xfc, 0xa3, 0x55, 0x6d,
-	0x9f, 0x6e, 0x3d, 0xe1, 0x1f, 0x04, 0x63, 0xc7, 0xe0, 0x67, 0x70, 0xbf, 0x0d, 0x94, 0x3a, 0xb6,
-	0x17, 0x76, 0xda, 0x72, 0x3b, 0x31, 0xa3, 0xa4, 0xa0, 0x4a, 0xa7, 0xc4, 0x18, 0x92, 0xb3, 0x4e,
-	0x72, 0x94, 0x4c, 0x5b, 0xee, 0xd2, 0x52, 0xf8, 0x09, 0x1c, 0xd9, 0x7d, 0x4b, 0x62, 0x58, 0xa7,
-	0xc3, 0x20, 0x99, 0x34, 0xf0, 0x35, 0x31, 0x0c, 0x3f, 0x85, 0x63, 0x2b, 0xe9, 0x76, 0xd9, 0xaa,
-	0xbc, 0x86, 0x71, 0x73, 0x35, 0x7e, 0x09, 0x63, 0x49, 0x14, 0x59, 0x6a, 0x7f, 0x64, 0xeb, 0x3e,
-	0xdc, 0x53, 0xf7, 0xba, 0x11, 0x25, 0xad, 0x36, 0xfc, 0x06, 0x23, 0x0b, 0x34, 0x73, 0x2c, 0x94,
-	0x6a, 0xb1, 0x52, 0xff, 0xec, 0xc3, 0xb3, 0xcc, 0x8d, 0x25, 0x9a, 0xcc, 0x4e, 0x78, 0x4b, 0xd7,
-	0xbd, 0xad, 0x4c, 0x2c, 0xfc, 0x81, 0xae, 0xf1, 0x19, 0x80, 0x93, 0x98, 0xb5, 0xa4, 0xbd, 0x5e,
-	0xce, 0xfa, 0x69, 0x2d, 0x69, 0x38, 0x05, 0xaf, 0x73, 0x32, 0xf3, 0xd7, 0x3f, 0x37, 0x01, 0xfa,
-	0xb5, 0x09, 0xd0, 0xef, 0x4d, 0x80, 0x3e, 0x3f, 0x2f, 0xb9, 0x61, 0xab, 0x2c, 0xca, 0xc5, 0x32,
-	0x26, 0x0b, 0x9e, 0x91, 0x8c, 0xc4, 0x6d, 0x1d, 0x7b, 0xf1, 0xbd, 0x7f, 0x26, 0x1b, 0xdb, 0x8b,
-	0x7f, 0xf1, 0x37, 0x00, 0x00, 0xff, 0xff, 0x75, 0x5c, 0x9e, 0x28, 0x4b, 0x03, 0x00, 0x00,
+	// 506 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x93, 0xdf, 0x6e, 0xd3, 0x30,
+	0x14, 0xc6, 0x71, 0xd7, 0x76, 0xdd, 0xc9, 0xca, 0x85, 0x27, 0xa4, 0x68, 0x82, 0x32, 0xb2, 0x0b,
+	0x26, 0x40, 0x89, 0x56, 0xb8, 0x40, 0x43, 0x5c, 0xac, 0xe2, 0xcf, 0x24, 0x84, 0x34, 0x65, 0x5c,
+	0x71, 0x13, 0x39, 0x89, 0x49, 0xac, 0xb5, 0xb1, 0x65, 0xbb, 0x85, 0xbc, 0x05, 0xaf, 0xc1, 0x9b,
+	0xec, 0x92, 0x47, 0x40, 0x7d, 0x12, 0x14, 0x3b, 0x5d, 0x93, 0xa9, 0xdd, 0x5d, 0x74, 0xbe, 0xef,
+	0x77, 0x7c, 0x3e, 0x9f, 0x18, 0x46, 0x05, 0xd5, 0x3f, 0xb9, 0xbc, 0x66, 0x45, 0x16, 0x2c, 0x4e,
+	0x83, 0x5c, 0x6b, 0x11, 0x8d, 0x23, 0x29, 0x12, 0x5f, 0x48, 0xae, 0x39, 0x7e, 0x94, 0xb3, 0x4c,
+	0x52, 0xa5, 0xfc, 0xb5, 0xcf, 0x5f, 0x9c, 0x1e, 0x3e, 0xcd, 0x38, 0xcf, 0xa6, 0x34, 0x20, 0x82,
+	0x05, 0x3f, 0x18, 0x9d, 0xa6, 0x51, 0x4c, 0x73, 0xb2, 0x60, 0x5c, 0x5a, 0xce, 0xfb, 0x8d, 0x60,
+	0x70, 0xa1, 0xb5, 0x18, 0x87, 0x22, 0xc1, 0xef, 0xa0, 0x97, 0xce, 0xe3, 0x98, 0xbb, 0xe8, 0x08,
+	0x9d, 0x38, 0xe3, 0x63, 0x7f, 0x63, 0x53, 0xff, 0x43, 0xe5, 0xb9, 0xa2, 0x72, 0xc1, 0x12, 0x7a,
+	0xf1, 0x20, 0xb4, 0x0c, 0x7e, 0x0b, 0xdd, 0x4c, 0x8a, 0xc4, 0xed, 0x18, 0xd6, 0xdb, 0xc2, 0x7e,
+	0x96, 0x22, 0x59, 0xa3, 0x86, 0x98, 0x0c, 0xc1, 0x49, 0xa9, 0xd2, 0xac, 0x20, 0x9a, 0xf1, 0xc2,
+	0xfb, 0x83, 0x60, 0xbf, 0x79, 0x04, 0x1e, 0xc1, 0xae, 0xb2, 0x9f, 0x66, 0xb0, 0xbd, 0x49, 0x77,
+	0x79, 0x8e, 0x3a, 0xe1, 0xaa, 0x58, 0xe9, 0x0b, 0x2a, 0x15, 0xe3, 0x85, 0x39, 0xfc, 0x56, 0xaf,
+	0x8b, 0xf8, 0x10, 0x7a, 0x99, 0xe4, 0x73, 0xe1, 0xee, 0xdc, 0xaa, 0x28, 0xb4, 0x25, 0xfc, 0x1e,
+	0x76, 0x67, 0x54, 0xe7, 0x3c, 0x55, 0x6e, 0xf7, 0x68, 0xe7, 0xc4, 0x19, 0x3f, 0xd9, 0x32, 0xf8,
+	0x57, 0xe3, 0x5a, 0xb5, 0xae, 0x19, 0xef, 0xa6, 0x03, 0x7d, 0xab, 0xe0, 0x97, 0xf0, 0xb0, 0x1e,
+	0x28, 0xb2, 0x6a, 0x6b, 0xd8, 0x61, 0xad, 0xad, 0xcd, 0x39, 0x25, 0x29, 0x95, 0x2a, 0x22, 0x5a,
+	0x93, 0x24, 0x6f, 0x4c, 0x8e, 0xc2, 0x61, 0xad, 0x9d, 0x1b, 0x09, 0x3f, 0x83, 0x3d, 0xb3, 0x6f,
+	0x41, 0x74, 0xde, 0xc8, 0xd0, 0x09, 0x07, 0x55, 0xf9, 0x92, 0xe8, 0x1c, 0x3f, 0x87, 0x7d, 0x63,
+	0x69, 0x66, 0x59, 0xb9, 0x9c, 0x4a, 0xb1, 0xe7, 0x2a, 0xfc, 0x06, 0xfa, 0x82, 0x48, 0x32, 0x53,
+	0x6e, 0xcf, 0xc4, 0x7d, 0xbc, 0x25, 0xee, 0x65, 0x65, 0x0a, 0x6b, 0x2f, 0x8e, 0xe1, 0xc0, 0x7c,
+	0x7d, 0x92, 0x7c, 0xf6, 0xb1, 0xd0, 0x4c, 0xd2, 0x09, 0x4f, 0x4b, 0xb7, 0x6f, 0x56, 0xfd, 0xe2,
+	0xbe, 0x16, 0x6d, 0xa2, 0xce, 0xb7, 0xa9, 0x99, 0xf7, 0x0b, 0x7a, 0x86, 0xa8, 0xb2, 0x18, 0x3d,
+	0x52, 0x7c, 0x2e, 0xef, 0xec, 0xdc, 0x31, 0xca, 0x95, 0x11, 0xaa, 0x7b, 0xb1, 0xc6, 0x6b, 0x5a,
+	0xb6, 0x36, 0x3f, 0x30, 0xe5, 0x2f, 0xb4, 0xc4, 0xc7, 0x00, 0xd6, 0xa2, 0x4b, 0x41, 0x5b, 0x77,
+	0x67, 0xd1, 0x6f, 0xa5, 0xa0, 0xde, 0x19, 0x1c, 0x6c, 0x98, 0xf5, 0x0e, 0x8b, 0x36, 0xb3, 0x43,
+	0x70, 0x1a, 0xbf, 0xf4, 0xe4, 0xec, 0x66, 0x39, 0x42, 0x7f, 0x97, 0x23, 0xf4, 0x6f, 0x39, 0x42,
+	0xdf, 0x5f, 0x65, 0x4c, 0xe7, 0xf3, 0xd8, 0x4f, 0xf8, 0x2c, 0x20, 0x53, 0x16, 0x93, 0x98, 0x04,
+	0xf5, 0x5d, 0x99, 0x17, 0xd9, 0x7a, 0xd3, 0x71, 0xdf, 0xbc, 0xc8, 0xd7, 0xff, 0x03, 0x00, 0x00,
+	0xff, 0xff, 0x30, 0xef, 0x3d, 0xa9, 0xeb, 0x03, 0x00, 0x00,
 }
 
 func (m *Http2Rpc) Marshal() (dAtA []byte, err error) {
@@ -587,6 +646,18 @@ func (m *Method) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
+	if m.ParamFromEntireBody != nil {
+		{
+			size, err := m.ParamFromEntireBody.MarshalToSizedBuffer(dAtA[:i])
+			if err != nil {
+				return 0, err
+			}
+			i -= size
+			i = encodeVarintHttp_2Rpc(dAtA, i, uint64(size))
+		}
+		i--
+		dAtA[i] = 0x32
+	}
 	if len(m.Params) > 0 {
 		for iNdEx := len(m.Params) - 1; iNdEx >= 0; iNdEx-- {
 			{
@@ -682,6 +753,40 @@ func (m *Param) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	return len(dAtA) - i, nil
 }
 
+func (m *ParamFromEntireBody) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ParamFromEntireBody) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *ParamFromEntireBody) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if m.XXX_unrecognized != nil {
+		i -= len(m.XXX_unrecognized)
+		copy(dAtA[i:], m.XXX_unrecognized)
+	}
+	if len(m.ParamType) > 0 {
+		i -= len(m.ParamType)
+		copy(dAtA[i:], m.ParamType)
+		i = encodeVarintHttp_2Rpc(dAtA, i, uint64(len(m.ParamType)))
+		i--
+		dAtA[i] = 0xa
+	}
+	return len(dAtA) - i, nil
+}
+
 func (m *GrpcService) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
 	dAtA = make([]byte, size)
@@ -819,6 +924,10 @@ func (m *Method) Size() (n int) {
 			n += 1 + l + sovHttp_2Rpc(uint64(l))
 		}
 	}
+	if m.ParamFromEntireBody != nil {
+		l = m.ParamFromEntireBody.Size()
+		n += 1 + l + sovHttp_2Rpc(uint64(l))
+	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@@ -849,6 +958,22 @@ func (m *Param) Size() (n int) {
 	return n
 }
 
+func (m *ParamFromEntireBody) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.ParamType)
+	if l > 0 {
+		n += 1 + l + sovHttp_2Rpc(uint64(l))
+	}
+	if m.XXX_unrecognized != nil {
+		n += len(m.XXX_unrecognized)
+	}
+	return n
+}
+
 func (m *GrpcService) Size() (n int) {
 	if m == nil {
 		return 0
@@ -1360,6 +1485,42 @@ func (m *Method) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ParamFromEntireBody", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowHttp_2Rpc
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthHttp_2Rpc
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthHttp_2Rpc
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ParamFromEntireBody == nil {
+				m.ParamFromEntireBody = &ParamFromEntireBody{}
+			}
+			if err := m.ParamFromEntireBody.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipHttp_2Rpc(dAtA[iNdEx:])
@@ -1529,6 +1690,89 @@ func (m *Param) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
+func (m *ParamFromEntireBody) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowHttp_2Rpc
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ParamFromEntireBody: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ParamFromEntireBody: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ParamType", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowHttp_2Rpc
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthHttp_2Rpc
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthHttp_2Rpc
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ParamType = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipHttp_2Rpc(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthHttp_2Rpc
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
 func (m *GrpcService) Unmarshal(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0

api/networking/v1/http_2_rpc.proto

@@ -62,6 +62,7 @@ message Method {
   string http_path = 3 [(google.api.field_behavior) = REQUIRED];
   repeated string http_methods = 4 [(google.api.field_behavior) = REQUIRED];
   repeated Param params = 5;
+  ParamFromEntireBody paramFromEntireBody = 6 [(google.api.field_behavior) = OPTIONAL];
 }
 
 message Param {
@@ -70,5 +71,9 @@ message Param {
   string param_type = 3 [(google.api.field_behavior) = REQUIRED];
 }
 
+message ParamFromEntireBody {
+  string param_type = 1 [(google.api.field_behavior) = REQUIRED];
+}
+
 message GrpcService {
 }

api/networking/v1/http_2_rpc_deepcopy.gen.go

@@ -99,6 +99,27 @@ func (in *Param) DeepCopyInterface() interface{} {
 	return in.DeepCopy()
 }
 
+// DeepCopyInto supports using ParamFromEntireBody within kubernetes types, where deepcopy-gen is used.
+func (in *ParamFromEntireBody) DeepCopyInto(out *ParamFromEntireBody) {
+	p := proto.Clone(in).(*ParamFromEntireBody)
+	*out = *p
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParamFromEntireBody. Required by controller-gen.
+func (in *ParamFromEntireBody) DeepCopy() *ParamFromEntireBody {
+	if in == nil {
+		return nil
+	}
+	out := new(ParamFromEntireBody)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new ParamFromEntireBody. Required by controller-gen.
+func (in *ParamFromEntireBody) DeepCopyInterface() interface{} {
+	return in.DeepCopy()
+}
+
 // DeepCopyInto supports using GrpcService within kubernetes types, where deepcopy-gen is used.
 func (in *GrpcService) DeepCopyInto(out *GrpcService) {
 	p := proto.Clone(in).(*GrpcService)

api/networking/v1/http_2_rpc_json.gen.go

@@ -61,6 +61,17 @@ func (this *Param) UnmarshalJSON(b []byte) error {
 	return Http_2RpcUnmarshaler.Unmarshal(bytes.NewReader(b), this)
 }
 
+// MarshalJSON is a custom marshaler for ParamFromEntireBody
+func (this *ParamFromEntireBody) MarshalJSON() ([]byte, error) {
+	str, err := Http_2RpcMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for ParamFromEntireBody
+func (this *ParamFromEntireBody) UnmarshalJSON(b []byte) error {
+	return Http_2RpcUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
 // MarshalJSON is a custom marshaler for GrpcService
 func (this *GrpcService) MarshalJSON() ([]byte, error) {
 	str, err := Http_2RpcMarshaler.MarshalToString(this)

cmd/hgctl/config/gateway_config.go

@@ -0,0 +1,236 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package config
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+
+	"github.com/alibaba/higress/pkg/cmd/hgctl/kubernetes"
+	"github.com/alibaba/higress/pkg/cmd/options"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/yaml"
+)
+
+var (
+	BootstrapEnvoyConfigType EnvoyConfigType = "bootstrap"
+	ClusterEnvoyConfigType   EnvoyConfigType = "cluster"
+	EndpointEnvoyConfigType  EnvoyConfigType = "endpoint"
+	ListenerEnvoyConfigType  EnvoyConfigType = "listener"
+	RouteEnvoyConfigType     EnvoyConfigType = "route"
+	AllEnvoyConfigType       EnvoyConfigType = "all"
+)
+
+const (
+	defaultProxyAdminPort = 15000
+)
+
+type EnvoyConfigType string
+
+type GetEnvoyConfigOptions struct {
+	IncludeEds      bool
+	PodName         string
+	PodNamespace    string
+	BindAddress     string
+	Output          string
+	EnvoyConfigType EnvoyConfigType
+}
+
+func NewDefaultGetEnvoyConfigOptions() *GetEnvoyConfigOptions {
+	return &GetEnvoyConfigOptions{
+		IncludeEds:      true,
+		PodName:         "",
+		PodNamespace:    "higress-system",
+		BindAddress:     "localhost",
+		Output:          "json",
+		EnvoyConfigType: AllEnvoyConfigType,
+	}
+}
+
+func GetEnvoyConfig(config *GetEnvoyConfigOptions) ([]byte, error) {
+	configDump, err := retrieveConfigDump(config.PodName, config.PodNamespace, config.BindAddress, config.IncludeEds)
+	if err != nil {
+		return nil, err
+	}
+	if config.EnvoyConfigType == AllEnvoyConfigType {
+		return configDump, nil
+	}
+	resource, err := getXDSResource(config.EnvoyConfigType, configDump)
+	if err != nil {
+		return nil, err
+	}
+	return formatGatewayConfig(resource, config.Output)
+}
+
+func retrieveConfigDump(podName, podNamespace, bindAddress string, includeEds bool) ([]byte, error) {
+	if podNamespace == "" {
+		return nil, fmt.Errorf("pod namespace is required")
+	}
+
+	if podName == "" {
+		c, err := kubernetes.NewCLIClient(options.DefaultConfigFlags.ToRawKubeConfigLoader())
+		if err != nil {
+			return nil, fmt.Errorf("failed to build kubernetes client: %w", err)
+		}
+		podList, err := c.PodsForSelector(podNamespace, "app=higress-gateway")
+		if err != nil {
+			return nil, err
+		}
+		if len(podList.Items) == 0 {
+			return nil, fmt.Errorf("higress gateway pod is not existed in namespace %s", podNamespace)
+		}
+
+		podName = podList.Items[0].GetName()
+	}
+
+	fw, err := portForwarder(types.NamespacedName{
+		Namespace: podNamespace,
+		Name:      podName,
+	}, bindAddress)
+	if err != nil {
+		return nil, err
+	}
+	if err := fw.Start(); err != nil {
+		return nil, err
+	}
+	defer fw.Stop()
+
+	configDump, err := fetchGatewayConfig(fw, includeEds)
+	if err != nil {
+		return nil, err
+	}
+
+	return configDump, nil
+}
+
+func portForwarder(nn types.NamespacedName, bindAddress string) (kubernetes.PortForwarder, error) {
+	c, err := kubernetes.NewCLIClient(options.DefaultConfigFlags.ToRawKubeConfigLoader())
+	if err != nil {
+		return nil, fmt.Errorf("build CLI client fail: %w", err)
+	}
+
+	pod, err := c.Pod(nn)
+	if err != nil {
+		return nil, fmt.Errorf("get pod %s fail: %w", nn, err)
+	}
+	if pod.Status.Phase != "Running" {
+		return nil, fmt.Errorf("pod %s is not running", nn)
+	}
+
+	fw, err := kubernetes.NewLocalPortForwarder(c, nn, 0, defaultProxyAdminPort, bindAddress)
+	if err != nil {
+		return nil, err
+	}
+
+	return fw, nil
+}
+
+func formatGatewayConfig(configDump any, output string) ([]byte, error) {
+	out, err := json.MarshalIndent(configDump, "", "  ")
+	if err != nil {
+		return nil, err
+	}
+
+	if output == "yaml" {
+		out, err = yaml.JSONToYAML(out)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return out, nil
+}
+
+func fetchGatewayConfig(fw kubernetes.PortForwarder, includeEds bool) ([]byte, error) {
+	out, err := configDumpRequest(fw.Address(), includeEds)
+	if err != nil {
+		return nil, err
+	}
+
+	return out, nil
+}
+
+func configDumpRequest(address string, includeEds bool) ([]byte, error) {
+	url := fmt.Sprintf("http://%s/config_dump", address)
+	if includeEds {
+		url = fmt.Sprintf("%s?include_eds", url)
+	}
+	req, err := http.NewRequest("GET", url, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		_ = resp.Body.Close()
+	}()
+
+	return io.ReadAll(resp.Body)
+}
+
+func getXDSResource(resourceType EnvoyConfigType, configDump []byte) (any, error) {
+	cd := map[string]any{}
+	if err := json.Unmarshal(configDump, &cd); err != nil {
+		return nil, err
+	}
+	if resourceType == AllEnvoyConfigType {
+		return cd, nil
+	}
+	configs := cd["configs"]
+	globalConfigs := configs.([]any)
+
+	switch resourceType {
+	case BootstrapEnvoyConfigType:
+		for _, config := range globalConfigs {
+			if config.(map[string]interface{})["@type"] == "type.googleapis.com/envoy.admin.v3.BootstrapConfigDump" {
+				return config, nil
+			}
+		}
+	case EndpointEnvoyConfigType:
+		for _, config := range globalConfigs {
+			if config.(map[string]interface{})["@type"] == "type.googleapis.com/envoy.admin.v3.EndpointsConfigDump" {
+				return config, nil
+			}
+		}
+
+	case ClusterEnvoyConfigType:
+		for _, config := range globalConfigs {
+			if config.(map[string]interface{})["@type"] == "type.googleapis.com/envoy.admin.v3.ClustersConfigDump" {
+				return config, nil
+			}
+		}
+	case ListenerEnvoyConfigType:
+		for _, config := range globalConfigs {
+			if config.(map[string]interface{})["@type"] == "type.googleapis.com/envoy.admin.v3.ListenersConfigDump" {
+				return config, nil
+			}
+		}
+	case RouteEnvoyConfigType:
+		for _, config := range globalConfigs {
+			if config.(map[string]interface{})["@type"] == "type.googleapis.com/envoy.admin.v3.RoutesConfigDump" {
+				return config, nil
+			}
+		}
+	default:
+		return nil, fmt.Errorf("unknown resourceType %s", resourceType)
+	}
+
+	return nil, fmt.Errorf("unknown resourceType %s", resourceType)
+}

cmd/hgctl/config/gateway_config_test.go

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package hgctl
+package config
 
 import (
 	"fmt"
@@ -34,10 +34,11 @@ type fakePortForwarder struct {
 	localPort    int
 	l            net.Listener
 	mux          *http.ServeMux
+	stopCh       chan struct{}
 }
 
 func newFakePortForwarder(b []byte) (kubernetes.PortForwarder, error) {
-	p, err := kubernetes.LocalAvailablePort()
+	p, err := kubernetes.LocalAvailablePort("localhost")
 	if err != nil {
 		return nil, err
 	}
@@ -46,6 +47,7 @@ func newFakePortForwarder(b []byte) (kubernetes.PortForwarder, error) {
 		responseBody: b,
 		localPort:    p,
 		mux:          http.NewServeMux(),
+		stopCh:       make(chan struct{}),
 	}
 	fw.mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
 		_, _ = w.Write(fw.responseBody)
@@ -54,6 +56,10 @@ func newFakePortForwarder(b []byte) (kubernetes.PortForwarder, error) {
 	return fw, nil
 }
 
+func (fw *fakePortForwarder) WaitForStop() {
+	<-fw.stopCh
+}
+
 func (fw *fakePortForwarder) Start() error {
 	l, err := net.Listen("tcp", fw.Address())
 	if err != nil {
@@ -103,7 +109,7 @@ func TestExtractAllConfigDump(t *testing.T) {
 		t.Run(tc.output, func(t *testing.T) {
 			configDump, err := fetchGatewayConfig(fw, true)
 			assert.NoError(t, err)
-			data, err := GetXDSResource(AllEnvoyConfigType, configDump)
+			data, err := getXDSResource(AllEnvoyConfigType, configDump)
 			assert.NoError(t, err)
 			got, err := formatGatewayConfig(data, tc.output)
 			assert.NoError(t, err)
@@ -131,7 +137,7 @@ func TestExtractSubResourcesConfigDump(t *testing.T) {
 	cases := []struct {
 		output       string
 		expected     string
-		resourceType envoyConfigType
+		resourceType EnvoyConfigType
 	}{
 		{
 			output:       "json",
@@ -186,7 +192,7 @@ func TestExtractSubResourcesConfigDump(t *testing.T) {
 		t.Run(tc.output, func(t *testing.T) {
 			configDump, err := fetchGatewayConfig(fw, false)
 			assert.NoError(t, err)
-			resource, err := GetXDSResource(tc.resourceType, configDump)
+			resource, err := getXDSResource(tc.resourceType, configDump)
 			assert.NoError(t, err)
 			got, err := formatGatewayConfig(resource, tc.output)
 			assert.NoError(t, err)

cmd/higress/main.go

@@ -18,10 +18,13 @@ import (
 	"fmt"
 	"os"
 
+	"istio.io/pkg/log"
+
 	"github.com/alibaba/higress/pkg/cmd"
 )
 
 func main() {
+	log.EnableKlogWithCobra()
 	if err := cmd.GetRootCommand().Execute(); err != nil {
 		_, _ = fmt.Fprintln(os.Stderr, err)
 		os.Exit(1)

codecov.yml

@@ -2,7 +2,11 @@ codecov:
   require_ci_to_pass: yes
 coverage:
   status:
-    patch: no
+    patch: 
+      default:
+        target: 50%
+        threshold: 0%
+        if_ci_failed: error # success, failure, error, ignore
     project:
       default:
         target: auto
@@ -17,4 +21,4 @@ ignore:
 comment:
   layout: "reach,diff,flags,tree"
   behavior: default
-  require_changes: no
+  require_changes: no

envoy/1.20/patches/envoy/20231008-fallback-origin-cluster.patch

@@ -0,0 +1,111 @@
+diff -Naur envoy/contrib/custom_cluster_plugins/cluster_fallback/source/filter.cc envoy-new/contrib/custom_cluster_plugins/cluster_fallback/source/filter.cc
+--- envoy/contrib/custom_cluster_plugins/cluster_fallback/source/filter.cc	2023-10-08 15:01:21.960871500 +0800
++++ envoy-new/contrib/custom_cluster_plugins/cluster_fallback/source/filter.cc	2023-09-27 17:03:41.613256338 +0800
+@@ -60,7 +60,7 @@
+ 
+   for (const auto& cluster_name : first_item->second) {
+     if (hasHealthHost(cluster_name)) {
+-      return base.clone(cluster_name);
++      return base.clone(cluster_name, first_item->first);
+     }
+   }
+ 
+@@ -75,7 +75,8 @@
+ 
+   auto search = clusters_config_.find(route_entry.clusterName());
+   if (search == clusters_config_.end()) {
+-    ENVOY_LOG(warn, "there is no fallback cluster config, the original routing cluster is returned");
++    ENVOY_LOG(warn,
++              "there is no fallback cluster config, the original routing cluster is returned");
+     return cluster_entry.getRouteConstSharedPtr();
+   }
+ 
+@@ -87,7 +88,7 @@
+ 
+   for (const auto& cluster_name : search->second) {
+     if (hasHealthHost(cluster_name)) {
+-      return cluster_entry.clone(cluster_name);
++      return cluster_entry.clone(cluster_name, search->first);
+     }
+   }
+ 
+diff -Naur envoy/source/common/http/headers.h envoy-new/source/common/http/headers.h
+--- envoy/source/common/http/headers.h	2023-10-08 15:01:21.968871828 +0800
++++ envoy-new/source/common/http/headers.h	2023-09-27 18:48:50.059419606 +0800
+@@ -124,6 +124,7 @@
+     const LowerCaseString TriStartTime{"req-start-time"};
+     const LowerCaseString TriRespStartTime{"resp-start-time"};
+     const LowerCaseString EnvoyOriginalHost{"original-host"};
++    const LowerCaseString HigressOriginalService{"x-higress-original-service"};
+   } AliExtendedValues;
+ #endif
+ };
+diff -Naur envoy/source/common/router/config_impl.cc envoy-new/source/common/router/config_impl.cc
+--- envoy/source/common/router/config_impl.cc	2023-10-08 15:01:21.968871828 +0800
++++ envoy-new/source/common/router/config_impl.cc	2023-09-27 18:49:18.656592237 +0800
+@@ -563,7 +563,6 @@
+         route.name());
+   }
+   // End Added
+-
+ }
+ 
+ bool RouteEntryImplBase::evaluateRuntimeMatch(const uint64_t random_value) const {
+@@ -662,6 +661,10 @@
+   }
+ 
+ #if defined(ALIMESH)
++  if (!origin_cluster_name_.empty()) {
++    headers.addCopy(Http::CustomHeaders::get().AliExtendedValues.HigressOriginalService,
++                    origin_cluster_name_);
++  }
+   headers.setReferenceKey(Http::CustomHeaders::get().AliExtendedValues.EnvoyOriginalHost,
+                           headers.getHostValue());
+ #endif
+diff -Naur envoy/source/common/router/config_impl.h envoy-new/source/common/router/config_impl.h
+--- envoy/source/common/router/config_impl.h	2023-10-08 15:01:21.968871828 +0800
++++ envoy-new/source/common/router/config_impl.h	2023-09-27 18:59:11.196893507 +0800
+@@ -584,9 +584,13 @@
+     return internal_active_redirect_policy_;
+   }
+ 
+-  RouteConstSharedPtr clone(const std::string& name) const {
+-    return std::make_shared<DynamicRouteEntry>(this, name);
++  RouteConstSharedPtr clone(const std::string& name, const std::string& origin_cluster = "") const {
++    auto entry = std::make_shared<DynamicRouteEntry>(this, name);
++    entry->setOriginClusterName(origin_cluster);
++    return entry;
+   }
++
++  void setOriginClusterName(const std::string& name) const { origin_cluster_name_ = name; }
+ #endif
+   uint32_t retryShadowBufferLimit() const override { return retry_shadow_buffer_limit_; }
+   const std::vector<ShadowPolicyPtr>& shadowPolicies() const override { return shadow_policies_; }
+@@ -787,11 +791,17 @@
+       return parent_->internalActiveRedirectPolicy();
+     }
+ 
+-    RouteConstSharedPtr clone(const std::string& name) const {
+-      return std::make_shared<Envoy::Router::RouteEntryImplBase::DynamicRouteEntry>(parent_, name);
++    RouteConstSharedPtr clone(const std::string& name,
++                              const std::string& origin_cluster = "") const {
++      auto entry =
++          std::make_shared<Envoy::Router::RouteEntryImplBase::DynamicRouteEntry>(parent_, name);
++      entry->setOriginClusterName(origin_cluster);
++      return entry;
+     }
+ 
+     virtual RouteConstSharedPtr getRouteConstSharedPtr() const { return shared_from_this(); }
++
++    void setOriginClusterName(const std::string& name) { parent_->setOriginClusterName(name); }
+ #endif
+ 
+   private:
+@@ -1039,6 +1049,7 @@
+ 
+ #if defined(ALIMESH)
+   const InternalActiveRedirectPoliciesImpl internal_active_redirect_policy_;
++  mutable std::string origin_cluster_name_;
+ #endif
+ };
+ 

envoy/1.20/patches/envoy/20231124-rds-optimize.patch

@@ -0,0 +1,315 @@
+diff -Naur envoy/envoy/router/rds.h envoy-new/envoy/router/rds.h
+--- envoy/envoy/router/rds.h	2023-11-24 10:52:39.914235488 +0800
++++ envoy-new/envoy/router/rds.h	2023-11-24 10:47:36.293873127 +0800
+@@ -51,12 +51,6 @@
+   virtual void onConfigUpdate() PURE;
+ 
+   /**
+-   * Validate if the route configuration can be applied to the context of the route config provider.
+-   */
+-  virtual void
+-  validateConfig(const envoy::config::route::v3::RouteConfiguration& config) const PURE;
+-
+-  /**
+    * Callback used to request an update to the route configuration from the management server.
+    * @param for_domain supplies the domain name that virtual hosts must match on
+    * @param thread_local_dispatcher thread-local dispatcher
+diff -Naur envoy/envoy/router/route_config_update_receiver.h envoy-new/envoy/router/route_config_update_receiver.h
+--- envoy/envoy/router/route_config_update_receiver.h	2023-11-24 10:52:39.918235651 +0800
++++ envoy-new/envoy/router/route_config_update_receiver.h	2023-11-24 10:47:36.293873127 +0800
+@@ -27,6 +27,7 @@
+    * @param rc supplies the RouteConfiguration.
+    * @param version_info supplies RouteConfiguration version.
+    * @return bool whether RouteConfiguration has been updated.
++   * @throw EnvoyException if the new config can't be applied.
+    */
+   virtual bool onRdsUpdate(const envoy::config::route::v3::RouteConfiguration& rc,
+                            const std::string& version_info) PURE;
+diff -Naur envoy/source/common/router/rds_impl.cc envoy-new/source/common/router/rds_impl.cc
+--- envoy/source/common/router/rds_impl.cc	2023-11-24 10:52:40.194246888 +0800
++++ envoy-new/source/common/router/rds_impl.cc	2023-11-24 10:47:36.293873127 +0800
+@@ -122,9 +122,6 @@
+     throw EnvoyException(fmt::format("Unexpected RDS configuration (expecting {}): {}",
+                                      route_config_name_, route_config.name()));
+   }
+-  if (route_config_provider_opt_.has_value()) {
+-    route_config_provider_opt_.value()->validateConfig(route_config);
+-  }
+   std::unique_ptr<Init::ManagerImpl> noop_init_manager;
+   std::unique_ptr<Cleanup> resume_rds;
+   if (config_update_info_->onRdsUpdate(route_config, version_info)) {
+@@ -292,12 +289,6 @@
+   }
+ }
+ 
+-void RdsRouteConfigProviderImpl::validateConfig(
+-    const envoy::config::route::v3::RouteConfiguration& config) const {
+-  // TODO(lizan): consider cache the config here until onConfigUpdate.
+-  ConfigImpl validation_config(config, optional_http_filters_, factory_context_, validator_, false);
+-}
+-
+ // Schedules a VHDS request on the main thread and queues up the callback to use when the VHDS
+ // response has been propagated to the worker thread that was the request origin.
+ void RdsRouteConfigProviderImpl::requestVirtualHostsUpdate(
+diff -Naur envoy/source/common/router/rds_impl.h envoy-new/source/common/router/rds_impl.h
+--- envoy/source/common/router/rds_impl.h	2023-11-24 10:52:40.194246888 +0800
++++ envoy-new/source/common/router/rds_impl.h	2023-11-24 10:47:36.293873127 +0800
+@@ -81,7 +81,6 @@
+   }
+   SystemTime lastUpdated() const override { return last_updated_; }
+   void onConfigUpdate() override {}
+-  void validateConfig(const envoy::config::route::v3::RouteConfiguration&) const override {}
+   void requestVirtualHostsUpdate(const std::string&, Event::Dispatcher&,
+                                  std::weak_ptr<Http::RouteConfigUpdatedCallback>) override {
+     NOT_IMPLEMENTED_GCOVR_EXCL_LINE;
+@@ -209,7 +208,6 @@
+   void requestVirtualHostsUpdate(
+       const std::string& for_domain, Event::Dispatcher& thread_local_dispatcher,
+       std::weak_ptr<Http::RouteConfigUpdatedCallback> route_config_updated_cb) override;
+-  void validateConfig(const envoy::config::route::v3::RouteConfiguration& config) const override;
+ 
+ private:
+   struct ThreadLocalConfig : public ThreadLocal::ThreadLocalObject {
+diff -Naur envoy/source/common/router/route_config_update_receiver_impl.cc envoy-new/source/common/router/route_config_update_receiver_impl.cc
+--- envoy/source/common/router/route_config_update_receiver_impl.cc	2023-11-24 10:52:40.194246888 +0800
++++ envoy-new/source/common/router/route_config_update_receiver_impl.cc	2023-11-24 10:47:36.297873290 +0800
+@@ -1,6 +1,7 @@
+ #include "source/common/router/route_config_update_receiver_impl.h"
+ 
+ #include <string>
++#include <utility>
+ 
+ #include "envoy/config/route/v3/route.pb.h"
+ #include "envoy/service/discovery/v3/discovery.pb.h"
+@@ -14,23 +15,49 @@
+ namespace Envoy {
+ namespace Router {
+ 
++namespace {
++
++// Resets 'route_config::virtual_hosts' by merging VirtualHost contained in
++// 'rds_vhosts' and 'vhds_vhosts'.
++void rebuildRouteConfigVirtualHosts(
++    const std::map<std::string, envoy::config::route::v3::VirtualHost>& rds_vhosts,
++    const std::map<std::string, envoy::config::route::v3::VirtualHost>& vhds_vhosts,
++    envoy::config::route::v3::RouteConfiguration& route_config) {
++  route_config.clear_virtual_hosts();
++  for (const auto& vhost : rds_vhosts) {
++    route_config.mutable_virtual_hosts()->Add()->CopyFrom(vhost.second);
++  }
++  for (const auto& vhost : vhds_vhosts) {
++    route_config.mutable_virtual_hosts()->Add()->CopyFrom(vhost.second);
++  }
++}
++
++} // namespace
++
+ bool RouteConfigUpdateReceiverImpl::onRdsUpdate(
+     const envoy::config::route::v3::RouteConfiguration& rc, const std::string& version_info) {
+   const uint64_t new_hash = MessageUtil::hash(rc);
+   if (new_hash == last_config_hash_) {
+     return false;
+   }
+-  route_config_proto_ = std::make_unique<envoy::config::route::v3::RouteConfiguration>(rc);
+-  last_config_hash_ = new_hash;
+   const uint64_t new_vhds_config_hash = rc.has_vhds() ? MessageUtil::hash(rc.vhds()) : 0ul;
++  std::map<std::string, envoy::config::route::v3::VirtualHost> rds_virtual_hosts;
++  for (const auto& vhost : rc.virtual_hosts()) {
++    rds_virtual_hosts.emplace(vhost.name(), vhost);
++  }
++  envoy::config::route::v3::RouteConfiguration new_route_config = rc;
++  rebuildRouteConfigVirtualHosts(rds_virtual_hosts, *vhds_virtual_hosts_, new_route_config);
++  auto new_config = std::make_shared<ConfigImpl>(
++      new_route_config, optional_http_filters_, factory_context_,
++      factory_context_.messageValidationContext().dynamicValidationVisitor(), false);
++  // If the above validation/validation doesn't raise exception, update the
++  // other cached config entries.
++  config_ = new_config;
++  rds_virtual_hosts_ = std::move(rds_virtual_hosts);
++  last_config_hash_ = new_hash;
++  *route_config_proto_ = std::move(new_route_config);
+   vhds_configuration_changed_ = new_vhds_config_hash != last_vhds_config_hash_;
+   last_vhds_config_hash_ = new_vhds_config_hash;
+-  initializeRdsVhosts(*route_config_proto_);
+-
+-  rebuildRouteConfig(rds_virtual_hosts_, *vhds_virtual_hosts_, *route_config_proto_);
+-  config_ = std::make_shared<ConfigImpl>(
+-      *route_config_proto_, optional_http_filters_, factory_context_,
+-      factory_context_.messageValidationContext().dynamicValidationVisitor(), false);
+ 
+   onUpdateCommon(version_info);
+   return true;
+@@ -50,8 +77,8 @@
+   auto route_config_after_this_update =
+       std::make_unique<envoy::config::route::v3::RouteConfiguration>();
+   route_config_after_this_update->CopyFrom(*route_config_proto_);
+-  rebuildRouteConfig(rds_virtual_hosts_, *vhosts_after_this_update,
+-                     *route_config_after_this_update);
++  rebuildRouteConfigVirtualHosts(rds_virtual_hosts_, *vhosts_after_this_update,
++                                 *route_config_after_this_update);
+ 
+   auto new_config = std::make_shared<ConfigImpl>(
+       *route_config_after_this_update, optional_http_filters_, factory_context_,
+@@ -73,14 +100,6 @@
+   config_info_.emplace(RouteConfigProvider::ConfigInfo{*route_config_proto_, last_config_version_});
+ }
+ 
+-void RouteConfigUpdateReceiverImpl::initializeRdsVhosts(
+-    const envoy::config::route::v3::RouteConfiguration& route_configuration) {
+-  rds_virtual_hosts_.clear();
+-  for (const auto& vhost : route_configuration.virtual_hosts()) {
+-    rds_virtual_hosts_.emplace(vhost.name(), vhost);
+-  }
+-}
+-
+ bool RouteConfigUpdateReceiverImpl::removeVhosts(
+     std::map<std::string, envoy::config::route::v3::VirtualHost>& vhosts,
+     const Protobuf::RepeatedPtrField<std::string>& removed_vhost_names) {
+@@ -110,18 +129,5 @@
+   return vhosts_added;
+ }
+ 
+-void RouteConfigUpdateReceiverImpl::rebuildRouteConfig(
+-    const std::map<std::string, envoy::config::route::v3::VirtualHost>& rds_vhosts,
+-    const std::map<std::string, envoy::config::route::v3::VirtualHost>& vhds_vhosts,
+-    envoy::config::route::v3::RouteConfiguration& route_config) {
+-  route_config.clear_virtual_hosts();
+-  for (const auto& vhost : rds_vhosts) {
+-    route_config.mutable_virtual_hosts()->Add()->CopyFrom(vhost.second);
+-  }
+-  for (const auto& vhost : vhds_vhosts) {
+-    route_config.mutable_virtual_hosts()->Add()->CopyFrom(vhost.second);
+-  }
+-}
+-
+ } // namespace Router
+ } // namespace Envoy
+diff -Naur envoy/source/common/router/route_config_update_receiver_impl.h envoy-new/source/common/router/route_config_update_receiver_impl.h
+--- envoy/source/common/router/route_config_update_receiver_impl.h	2023-11-24 10:52:40.194246888 +0800
++++ envoy-new/source/common/router/route_config_update_receiver_impl.h	2023-11-24 10:47:36.297873290 +0800
+@@ -27,15 +27,10 @@
+             std::make_unique<std::map<std::string, envoy::config::route::v3::VirtualHost>>()),
+         vhds_configuration_changed_(true), optional_http_filters_(optional_http_filters) {}
+ 
+-  void initializeRdsVhosts(const envoy::config::route::v3::RouteConfiguration& route_configuration);
+   bool removeVhosts(std::map<std::string, envoy::config::route::v3::VirtualHost>& vhosts,
+                     const Protobuf::RepeatedPtrField<std::string>& removed_vhost_names);
+   bool updateVhosts(std::map<std::string, envoy::config::route::v3::VirtualHost>& vhosts,
+                     const VirtualHostRefVector& added_vhosts);
+-  void rebuildRouteConfig(
+-      const std::map<std::string, envoy::config::route::v3::VirtualHost>& rds_vhosts,
+-      const std::map<std::string, envoy::config::route::v3::VirtualHost>& vhds_vhosts,
+-      envoy::config::route::v3::RouteConfiguration& route_config);
+   bool onDemandFetchFailed(const envoy::service::discovery::v3::Resource& resource) const;
+   void onUpdateCommon(const std::string& version_info);
+ 
+diff -Naur envoy/source/server/admin/admin.h envoy-new/source/server/admin/admin.h
+--- envoy/source/server/admin/admin.h	2023-11-24 10:52:41.358294284 +0800
++++ envoy-new/source/server/admin/admin.h	2023-11-24 10:47:36.297873290 +0800
+@@ -234,7 +234,6 @@
+     absl::optional<ConfigInfo> configInfo() const override { return {}; }
+     SystemTime lastUpdated() const override { return time_source_.systemTime(); }
+     void onConfigUpdate() override {}
+-    void validateConfig(const envoy::config::route::v3::RouteConfiguration&) const override {}
+     void requestVirtualHostsUpdate(const std::string&, Event::Dispatcher&,
+                                    std::weak_ptr<Http::RouteConfigUpdatedCallback>) override {
+       NOT_IMPLEMENTED_GCOVR_EXCL_LINE;
+diff -Naur envoy/test/common/router/rds_impl_test.cc envoy-new/test/common/router/rds_impl_test.cc
+--- envoy/test/common/router/rds_impl_test.cc	2023-11-24 10:52:40.714268062 +0800
++++ envoy-new/test/common/router/rds_impl_test.cc	2023-11-24 10:47:36.297873290 +0800
+@@ -528,34 +528,66 @@
+   rds_callbacks_->onConfigUpdate(decoded_resources.refvec_, response1.version_info());
+ }
+ 
+-// Validate behavior when the config is delivered but it fails PGV validation.
++// Validates behavior when the config is delivered but it fails PGV validation.
++// The invalid config won't affect existing valid config.
+ TEST_F(RdsImplTest, FailureInvalidConfig) {
+   InSequence s;
+ 
+   setup();
++  EXPECT_CALL(init_watcher_, ready());
+ 
+-  const std::string response1_json = R"EOF(
++  const std::string valid_json = R"EOF(
+ {
+   "version_info": "1",
+   "resources": [
+     {
+       "@type": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration",
+-      "name": "INVALID_NAME_FOR_route_config",
++      "name": "foo_route_config",
+       "virtual_hosts": null
+     }
+   ]
+ }
+ )EOF";
++
+   auto response1 =
+-      TestUtility::parseYaml<envoy::service::discovery::v3::DiscoveryResponse>(response1_json);
++      TestUtility::parseYaml<envoy::service::discovery::v3::DiscoveryResponse>(valid_json);
+   const auto decoded_resources =
+       TestUtility::decodeResources<envoy::config::route::v3::RouteConfiguration>(response1);
++  EXPECT_NO_THROW(
++      rds_callbacks_->onConfigUpdate(decoded_resources.refvec_, response1.version_info()));
++  // Sadly the RdsRouteConfigSubscription privately inherited from
++  // SubscriptionCallbacks, so we has to use reinterpret_cast here.
++  RdsRouteConfigSubscription* rds_subscription =
++      reinterpret_cast<RdsRouteConfigSubscription*>(rds_callbacks_);
++  auto config_impl_pointer = rds_subscription->routeConfigProvider().value()->config();
++  // Now send an invalid config update.
++  const std::string invalid_json =
++      R"EOF(
++{
++  "version_info": "1",
++  "resources": [
++    {
++      "@type": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration",
++      "name": "INVALID_NAME_FOR_route_config",
++      "virtual_hosts": null
++    }
++  ]
++}
++)EOF";
++
++  auto response2 =
++      TestUtility::parseYaml<envoy::service::discovery::v3::DiscoveryResponse>(invalid_json);
++  const auto decoded_resources_2 =
++      TestUtility::decodeResources<envoy::config::route::v3::RouteConfiguration>(response2);
+ 
+-  EXPECT_CALL(init_watcher_, ready());
+   EXPECT_THROW_WITH_MESSAGE(
+-      rds_callbacks_->onConfigUpdate(decoded_resources.refvec_, response1.version_info()),
++      rds_callbacks_->onConfigUpdate(decoded_resources_2.refvec_, response2.version_info()),
+       EnvoyException,
+-      "Unexpected RDS configuration (expecting foo_route_config): INVALID_NAME_FOR_route_config");
++      "Unexpected RDS configuration (expecting foo_route_config): "
++      "INVALID_NAME_FOR_route_config");
++
++  // Verify that the config is still the old value.
++  ASSERT_EQ(config_impl_pointer, rds_subscription->routeConfigProvider().value()->config());
+ }
+ 
+ // rds and vhds configurations change together
+diff -Naur envoy/test/mocks/router/mocks.h envoy-new/test/mocks/router/mocks.h
+--- envoy/test/mocks/router/mocks.h	2023-11-24 10:52:41.370294773 +0800
++++ envoy-new/test/mocks/router/mocks.h	2023-11-24 10:47:36.301873453 +0800
+@@ -538,7 +538,6 @@
+   MOCK_METHOD(absl::optional<ConfigInfo>, configInfo, (), (const));
+   MOCK_METHOD(SystemTime, lastUpdated, (), (const));
+   MOCK_METHOD(void, onConfigUpdate, ());
+-  MOCK_METHOD(void, validateConfig, (const envoy::config::route::v3::RouteConfiguration&), (const));
+   MOCK_METHOD(void, requestVirtualHostsUpdate,
+               (const std::string&, Event::Dispatcher&,
+                std::weak_ptr<Http::RouteConfigUpdatedCallback> route_config_updated_cb));
+diff -Naur envoy/tools/spelling/spelling_dictionary.txt envoy-new/tools/spelling/spelling_dictionary.txt
+--- envoy/tools/spelling/spelling_dictionary.txt	2023-11-24 10:52:41.370294773 +0800
++++ envoy-new/tools/spelling/spelling_dictionary.txt	2023-11-24 10:48:54.969076506 +0800
+@@ -1303,6 +1303,7 @@
+ ep
+ suri
+ transid
++vhosts
+ WAF
+ TRI
+ tmd

envoy/1.20/patches/envoy/20240104-enhance-srds.patch

@@ -0,0 +1,483 @@
+diff -Naur envoy/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto envoy-new/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto
+--- envoy/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto	2024-01-04 21:07:40.000000000 +0800
++++ envoy-new/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto	2024-01-04 21:09:13.000000000 +0800
+@@ -888,11 +888,31 @@
+         }
+       }
+ 
++      message HostValueExtractor {
++        option (udpa.annotations.versioning).previous_message_type =
++            "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes.ScopeKeyBuilder."
++            "FragmentBuilder.HostValueExtractor";
++
++        // The maximum number of host superset recomputes. If not specified, defaults to 100.
++        google.protobuf.UInt32Value max_recompute_num = 1;
++      }
++
++      message LocalPortValueExtractor {
++        option (udpa.annotations.versioning).previous_message_type =
++            "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes.ScopeKeyBuilder."
++            "FragmentBuilder.LocalPortValueExtractor";
++      }
++
++
+       oneof type {
+         option (validate.required) = true;
+ 
+         // Specifies how a header field's value should be extracted.
+         HeaderValueExtractor header_value_extractor = 1;
++
++        HostValueExtractor host_value_extractor = 101;
++
++        LocalPortValueExtractor local_port_value_extractor = 102;
+       }
+     }
+ 
+diff -Naur envoy/envoy/router/scopes.h envoy-new/envoy/router/scopes.h
+--- envoy/envoy/router/scopes.h	2024-01-04 21:07:38.000000000 +0800
++++ envoy-new/envoy/router/scopes.h	2024-01-04 21:09:13.000000000 +0800
+@@ -92,7 +92,12 @@
+    * @param headers the request headers to match the scoped routing configuration against.
+    * @return ConfigConstSharedPtr the router's Config matching the request headers.
+    */
++#if defined ALIMESH
++  virtual ConfigConstSharedPtr getRouteConfig(const Http::HeaderMap& headers,
++                                              const StreamInfo::StreamInfo& info) const PURE;
++#else
+   virtual ConfigConstSharedPtr getRouteConfig(const Http::HeaderMap& headers) const PURE;
++#endif
+ 
+   /**
+    * Based on the incoming HTTP request headers, returns the hash value of its scope key.
+@@ -100,6 +105,12 @@
+    * @return unique_ptr of the scope key computed from header.
+    */
+   virtual ScopeKeyPtr computeScopeKey(const Http::HeaderMap&) const { return {}; }
++
++#if defined(ALIMESH)
++  virtual ScopeKeyPtr computeScopeKey(const Http::HeaderMap&, const StreamInfo::StreamInfo&) const {
++    return {};
++  };
++#endif
+ };
+ 
+ using ScopedConfigConstSharedPtr = std::shared_ptr<const ScopedConfig>;
+diff -Naur envoy/source/common/http/conn_manager_impl.cc envoy-new/source/common/http/conn_manager_impl.cc
+--- envoy/source/common/http/conn_manager_impl.cc	2024-01-04 21:07:41.000000000 +0800
++++ envoy-new/source/common/http/conn_manager_impl.cc	2024-01-04 21:09:13.000000000 +0800
+@@ -577,8 +577,13 @@
+     requestVhdsUpdate(host_header, thread_local_dispatcher, std::move(route_config_updated_cb));
+     return;
+   } else if (parent_.snapped_scoped_routes_config_ != nullptr) {
++#if defined(ALIMESH)
++    Router::ScopeKeyPtr scope_key = parent_.snapped_scoped_routes_config_->computeScopeKey(
++        *parent_.request_headers_, parent_.connection()->streamInfo());
++#else
+     Router::ScopeKeyPtr scope_key =
+         parent_.snapped_scoped_routes_config_->computeScopeKey(*parent_.request_headers_);
++#endif
+     // If scope_key is not null, the scope exists but RouteConfiguration is not initialized.
+     if (scope_key != nullptr) {
+       requestSrdsUpdate(std::move(scope_key), thread_local_dispatcher,
+@@ -1197,7 +1202,13 @@
+ void ConnectionManagerImpl::ActiveStream::snapScopedRouteConfig() {
+   // NOTE: if a RDS subscription hasn't got a RouteConfiguration back, a Router::NullConfigImpl is
+   // returned, in that case we let it pass.
++#if defined(ALIMESH)
++  snapped_route_config_ =
++      snapped_scoped_routes_config_->getRouteConfig(*request_headers_, connection()->streamInfo());
++#else
+   snapped_route_config_ = snapped_scoped_routes_config_->getRouteConfig(*request_headers_);
++
++#endif
+   if (snapped_route_config_ == nullptr) {
+     ENVOY_STREAM_LOG(trace, "can't find SRDS scope.", *this);
+     // TODO(stevenzzzz): Consider to pass an error message to router filter, so that it can
+diff -Naur envoy/source/common/router/scoped_config_impl.cc envoy-new/source/common/router/scoped_config_impl.cc
+--- envoy/source/common/router/scoped_config_impl.cc	2024-01-04 21:07:36.000000000 +0800
++++ envoy-new/source/common/router/scoped_config_impl.cc	2024-01-04 21:09:13.000000000 +0800
+@@ -6,6 +6,160 @@
+ namespace Envoy {
+ namespace Router {
+ 
++#if defined(ALIMESH)
++namespace {
++
++std::string maskFirstDNSLabel(absl::string_view host) {
++  if (host == "*") {
++    return std::string(host);
++  }
++  if (host.size() < 2) {
++    return "*";
++  }
++  size_t start_pos = (host[0] == '*' && host[1] == '.') ? 2 : 0;
++  size_t dot_pos = host.find('.', start_pos);
++  if (dot_pos != absl::string_view::npos) {
++    return absl::StrCat("*", absl::string_view(host.data() + dot_pos, host.size() - dot_pos));
++  }
++  return "*";
++}
++
++} // namespace
++
++LocalPortValueExtractorImpl::LocalPortValueExtractorImpl(
++    ScopedRoutes::ScopeKeyBuilder::FragmentBuilder&& config)
++    : FragmentBuilderBase(std::move(config)) {
++  ASSERT(config_.type_case() ==
++             ScopedRoutes::ScopeKeyBuilder::FragmentBuilder::kLocalPortValueExtractor,
++         "local_port_value_extractor is not set.");
++}
++
++std::unique_ptr<ScopeKeyFragmentBase> LocalPortValueExtractorImpl::computeFragment(
++    const Http::HeaderMap&, const StreamInfo::StreamInfo& info, ReComputeCbPtr&) const {
++  auto port = info.downstreamAddressProvider().localAddress()->ip()->port();
++  return std::make_unique<StringKeyFragment>(std::to_string(long(port)));
++}
++
++HostValueExtractorImpl::HostValueExtractorImpl(
++    ScopedRoutes::ScopeKeyBuilder::FragmentBuilder&& config)
++    : FragmentBuilderBase(std::move(config)),
++      host_value_extractor_config_(config_.host_value_extractor()),
++      max_recompute_num_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(
++          host_value_extractor_config_, max_recompute_num, DefaultMaxRecomputeNum)) {
++  ASSERT(config_.type_case() == ScopedRoutes::ScopeKeyBuilder::FragmentBuilder::kHostValueExtractor,
++         "host_value_extractor is not set.");
++}
++
++std::unique_ptr<ScopeKeyFragmentBase>
++HostValueExtractorImpl::reComputeHelper(const std::string& host, ReComputeCbPtr& next_recompute,
++                                        uint32_t recompute_seq) const {
++  if (recompute_seq == max_recompute_num_) {
++    ENVOY_LOG_MISC(warn,
++                   "recompute host fragment failed, maximum number of recalculations exceeded");
++    return nullptr;
++  }
++  if (host == "*") {
++    *next_recompute = nullptr;
++    return nullptr;
++  }
++  auto masked_host = maskFirstDNSLabel(host);
++  *next_recompute = [this, masked_host, recompute_seq,
++                     next_recompute]() mutable -> std::unique_ptr<ScopeKeyFragmentBase> {
++    return reComputeHelper(masked_host, next_recompute, recompute_seq + 1);
++  };
++  return std::make_unique<StringKeyFragment>(masked_host);
++}
++
++std::unique_ptr<ScopeKeyFragmentBase>
++HostValueExtractorImpl::computeFragment(const Http::HeaderMap& headers,
++                                        const StreamInfo::StreamInfo&,
++                                        ReComputeCbPtr& recompute) const {
++  auto fragment = computeFragment(headers);
++  auto host = static_cast<const Http::RequestHeaderMap&>(headers).getHostValue();
++  *recompute = [this, host, recompute]() mutable -> std::unique_ptr<ScopeKeyFragmentBase> {
++    return reComputeHelper(std::string(host), recompute, 0);
++  };
++  return fragment;
++}
++
++std::unique_ptr<ScopeKeyFragmentBase>
++HostValueExtractorImpl::computeFragment(const Http::HeaderMap& headers) const {
++  return std::make_unique<StringKeyFragment>(
++      static_cast<const Http::RequestHeaderMap&>(headers).getHostValue());
++}
++
++std::unique_ptr<ScopeKeyFragmentBase>
++HeaderValueExtractorImpl::computeFragment(const Http::HeaderMap& headers,
++                                          const StreamInfo::StreamInfo&, ReComputeCbPtr&) const {
++  return computeFragment(headers);
++}
++
++ScopeKeyPtr ScopeKeyBuilderImpl::computeScopeKey(const Http::HeaderMap& headers,
++                                                 const StreamInfo::StreamInfo& info,
++                                                 std::function<ScopeKeyPtr()>& recompute) const {
++  ScopeKey key;
++  bool recomputeable = false;
++  auto recompute_cbs = std::make_shared<std::vector<ReComputeCbPtr>>();
++  for (const auto& builder : fragment_builders_) {
++    // returns nullopt if a null fragment is found.
++    ReComputeCbPtr recompute_fragment_cb = std::make_shared<ReComputeCb>();
++    std::unique_ptr<ScopeKeyFragmentBase> fragment =
++        builder->computeFragment(headers, info, recompute_fragment_cb);
++    if (fragment == nullptr) {
++      return nullptr;
++    }
++    if (*recompute_fragment_cb == nullptr) {
++      auto key_fragment = static_cast<StringKeyFragment*>(fragment.get());
++      auto copied_fragment = std::make_shared<StringKeyFragment>(*key_fragment);
++      auto recompute_cb =
++          std::make_shared<ReComputeCb>([copied_fragment]() -> std::unique_ptr<StringKeyFragment> {
++            return std::make_unique<StringKeyFragment>(*copied_fragment);
++          });
++      recompute_cbs->push_back(recompute_cb);
++    } else {
++      recomputeable = true;
++      recompute_cbs->push_back(recompute_fragment_cb);
++    }
++    key.addFragment(std::move(fragment));
++  }
++  if (recomputeable) {
++    recompute = [&recompute, recompute_cbs]() mutable -> ScopeKeyPtr {
++      ScopeKey new_key;
++      for (auto& cb : *recompute_cbs) {
++        auto new_fragment = (*cb)();
++        if (new_fragment == nullptr) {
++          return nullptr;
++        }
++        if (*cb == nullptr) {
++          recompute = nullptr;
++        }
++        new_key.addFragment(std::move(new_fragment));
++      }
++      return std::make_unique<ScopeKey>(std::move(new_key));
++    };
++  }
++  return std::make_unique<ScopeKey>(std::move(key));
++}
++
++ScopeKeyPtr ScopedConfigImpl::computeScopeKey(const Http::HeaderMap& headers,
++                                              const StreamInfo::StreamInfo& info) const {
++  std::function<Router::ScopeKeyPtr()> recompute;
++  ScopeKeyPtr scope_key = scope_key_builder_.computeScopeKey(headers, info, recompute);
++  if (scope_key == nullptr) {
++    return nullptr;
++  }
++  decltype(scoped_route_info_by_key_.begin()) iter;
++  do {
++    iter = scoped_route_info_by_key_.find(scope_key->hash());
++    if (iter != scoped_route_info_by_key_.end()) {
++      return scope_key;
++    }
++  } while (recompute != nullptr && (scope_key = recompute()));
++  return nullptr;
++}
++
++#endif
++
+ bool ScopeKey::operator!=(const ScopeKey& other) const { return !(*this == other); }
+ 
+ bool ScopeKey::operator==(const ScopeKey& other) const {
+@@ -95,6 +249,16 @@
+     : ScopeKeyBuilderBase(std::move(config)) {
+   for (const auto& fragment_builder : config_.fragments()) {
+     switch (fragment_builder.type_case()) {
++#if defined(ALIMESH)
++    case ScopedRoutes::ScopeKeyBuilder::FragmentBuilder::kHostValueExtractor:
++      fragment_builders_.emplace_back(std::make_unique<HostValueExtractorImpl>(
++          ScopedRoutes::ScopeKeyBuilder::FragmentBuilder(fragment_builder)));
++      break;
++    case ScopedRoutes::ScopeKeyBuilder::FragmentBuilder::kLocalPortValueExtractor:
++      fragment_builders_.emplace_back(std::make_unique<LocalPortValueExtractorImpl>(
++          ScopedRoutes::ScopeKeyBuilder::FragmentBuilder(fragment_builder)));
++      break;
++#endif
+     case ScopedRoutes::ScopeKeyBuilder::FragmentBuilder::kHeaderValueExtractor:
+       fragment_builders_.emplace_back(std::make_unique<HeaderValueExtractorImpl>(
+           ScopedRoutes::ScopeKeyBuilder::FragmentBuilder(fragment_builder)));
+@@ -143,6 +307,22 @@
+ }
+ 
+ Router::ConfigConstSharedPtr
++#if defined(ALIMESH)
++ScopedConfigImpl::getRouteConfig(const Http::HeaderMap& headers,
++                                 const StreamInfo::StreamInfo& info) const {
++  std::function<ScopeKeyPtr()> recompute;
++  ScopeKeyPtr scope_key = scope_key_builder_.computeScopeKey(headers, info, recompute);
++  if (scope_key == nullptr) {
++    return nullptr;
++  }
++  decltype(scoped_route_info_by_key_.begin()) iter;
++  do {
++    iter = scoped_route_info_by_key_.find(scope_key->hash());
++    if (iter != scoped_route_info_by_key_.end()) {
++      return iter->second->routeConfig();
++    }
++  } while (recompute != nullptr && (scope_key = recompute()));
++#else
+ ScopedConfigImpl::getRouteConfig(const Http::HeaderMap& headers) const {
+   ScopeKeyPtr scope_key = scope_key_builder_.computeScopeKey(headers);
+   if (scope_key == nullptr) {
+@@ -152,6 +332,7 @@
+   if (iter != scoped_route_info_by_key_.end()) {
+     return iter->second->routeConfig();
+   }
++#endif
+   return nullptr;
+ }
+ 
+diff -Naur envoy/source/common/router/scoped_config_impl.h envoy-new/source/common/router/scoped_config_impl.h
+--- envoy/source/common/router/scoped_config_impl.h	2024-01-04 21:07:36.000000000 +0800
++++ envoy-new/source/common/router/scoped_config_impl.h	2024-01-04 21:09:13.000000000 +0800
+@@ -22,6 +22,11 @@
+ 
+ using envoy::extensions::filters::network::http_connection_manager::v3::ScopedRoutes;
+ 
++#if defined(ALIMESH)
++using ReComputeCb = std::function<std::unique_ptr<ScopeKeyFragmentBase>()>;
++using ReComputeCbPtr = std::shared_ptr<ReComputeCb>;
++#endif
++
+ /**
+  * Base class for fragment builders.
+  */
+@@ -36,6 +41,12 @@
+   virtual std::unique_ptr<ScopeKeyFragmentBase>
+   computeFragment(const Http::HeaderMap& headers) const PURE;
+ 
++#if defined(ALIMESH)
++  virtual std::unique_ptr<ScopeKeyFragmentBase>
++  computeFragment(const Http::HeaderMap& headers, const StreamInfo::StreamInfo& info,
++                  ReComputeCbPtr& recompute) const PURE;
++#endif
++
+ protected:
+   const ScopedRoutes::ScopeKeyBuilder::FragmentBuilder config_;
+ };
+@@ -47,11 +58,54 @@
+   std::unique_ptr<ScopeKeyFragmentBase>
+   computeFragment(const Http::HeaderMap& headers) const override;
+ 
++#if defined(ALIMESH)
++  std::unique_ptr<ScopeKeyFragmentBase> computeFragment(const Http::HeaderMap& headers,
++                                                        const StreamInfo::StreamInfo& info,
++                                                        ReComputeCbPtr& recompute) const override;
++#endif
++
+ private:
+   const ScopedRoutes::ScopeKeyBuilder::FragmentBuilder::HeaderValueExtractor&
+       header_value_extractor_config_;
+ };
+ 
++#if defined(ALIMESH)
++class HostValueExtractorImpl : public FragmentBuilderBase {
++public:
++  explicit HostValueExtractorImpl(ScopedRoutes::ScopeKeyBuilder::FragmentBuilder&& config);
++
++  std::unique_ptr<ScopeKeyFragmentBase>
++  computeFragment(const Http::HeaderMap& headers) const override;
++
++  std::unique_ptr<ScopeKeyFragmentBase> computeFragment(const Http::HeaderMap& headers,
++                                                        const StreamInfo::StreamInfo& info,
++                                                        ReComputeCbPtr& recompute) const override;
++
++private:
++  std::unique_ptr<ScopeKeyFragmentBase> reComputeHelper(const std::string& host,
++                                                        ReComputeCbPtr& next_recompute,
++                                                        uint32_t recompute_seq) const;
++
++  static constexpr uint32_t DefaultMaxRecomputeNum = 100;
++
++  const ScopedRoutes::ScopeKeyBuilder::FragmentBuilder::HostValueExtractor&
++      host_value_extractor_config_;
++  const uint32_t max_recompute_num_;
++};
++
++class LocalPortValueExtractorImpl : public FragmentBuilderBase {
++public:
++  explicit LocalPortValueExtractorImpl(ScopedRoutes::ScopeKeyBuilder::FragmentBuilder&& config);
++
++  std::unique_ptr<ScopeKeyFragmentBase> computeFragment(const Http::HeaderMap&) const override {
++    return nullptr;
++  };
++
++  std::unique_ptr<ScopeKeyFragmentBase> computeFragment(const Http::HeaderMap& headers,
++                                                        const StreamInfo::StreamInfo& info,
++                                                        ReComputeCbPtr& recompute) const override;
++};
++#endif
+ /**
+  * Base class for ScopeKeyBuilder implementations.
+  */
+@@ -64,6 +118,12 @@
+   // Computes scope key for given headers, returns nullptr if a key can't be computed.
+   virtual ScopeKeyPtr computeScopeKey(const Http::HeaderMap& headers) const PURE;
+ 
++#if defined(ALIMESH)
++  virtual ScopeKeyPtr computeScopeKey(const Http::HeaderMap& headers,
++                                      const StreamInfo::StreamInfo& info,
++                                      std::function<ScopeKeyPtr()>& recompute) const PURE;
++#endif
++
+ protected:
+   const ScopedRoutes::ScopeKeyBuilder config_;
+ };
+@@ -74,6 +134,11 @@
+ 
+   ScopeKeyPtr computeScopeKey(const Http::HeaderMap& headers) const override;
+ 
++#if defined(ALIMESH)
++  ScopeKeyPtr computeScopeKey(const Http::HeaderMap& headers, const StreamInfo::StreamInfo& info,
++                              std::function<ScopeKeyPtr()>& recompute) const override;
++#endif
++
+ private:
+   std::vector<std::unique_ptr<FragmentBuilderBase>> fragment_builders_;
+ };
+@@ -118,10 +183,20 @@
+   void removeRoutingScopes(const std::vector<std::string>& scope_names);
+ 
+   // Envoy::Router::ScopedConfig
++#if defined(ALIMESH)
++  Router::ConfigConstSharedPtr getRouteConfig(const Http::HeaderMap& headers,
++                                              const StreamInfo::StreamInfo& info) const override;
++#else
+   Router::ConfigConstSharedPtr getRouteConfig(const Http::HeaderMap& headers) const override;
++#endif
+   // The return value is not null only if the scope corresponding to the header exists.
+   ScopeKeyPtr computeScopeKey(const Http::HeaderMap& headers) const override;
+ 
++#if defined(ALIMESH)
++  ScopeKeyPtr computeScopeKey(const Http::HeaderMap& headers,
++                              const StreamInfo::StreamInfo& info) const override;
++#endif
++
+ private:
+   ScopeKeyBuilderImpl scope_key_builder_;
+   // From scope name to cached ScopedRouteInfo.
+@@ -135,9 +210,16 @@
+  */
+ class NullScopedConfigImpl : public ScopedConfig {
+ public:
++#if defined(ALIMESH)
++  Router::ConfigConstSharedPtr getRouteConfig(const Http::HeaderMap&,
++                                              const StreamInfo::StreamInfo&) const override {
++    return std::make_shared<const NullConfigImpl>();
++  }
++#else
+   Router::ConfigConstSharedPtr getRouteConfig(const Http::HeaderMap&) const override {
+     return std::make_shared<const NullConfigImpl>();
+   }
++#endif
+ };
+ 
+ } // namespace Router
+diff -Naur envoy/source/extensions/filters/http/on_demand/on_demand_update.cc envoy-new/source/extensions/filters/http/on_demand/on_demand_update.cc
+--- envoy/source/extensions/filters/http/on_demand/on_demand_update.cc	2024-01-04 21:07:33.000000000 +0800
++++ envoy-new/source/extensions/filters/http/on_demand/on_demand_update.cc	2024-01-04 21:09:13.000000000 +0800
+@@ -50,7 +50,11 @@
+ // This is the callback which is called when an update requested in requestRouteConfigUpdate()
+ // has been propagated to workers, at which point the request processing is restarted from the
+ // beginning.
++#if defined(ALIMESH)
++void OnDemandRouteUpdate::onRouteConfigUpdateCompletion(bool) {
++#else
+ void OnDemandRouteUpdate::onRouteConfigUpdateCompletion(bool route_exists) {
++#endif
+   filter_iteration_state_ = Http::FilterHeadersStatus::Continue;
+ 
+   // Don't call continueDecoding in the middle of decodeHeaders()
+@@ -58,12 +62,14 @@
+     return;
+   }
+ 
++#if !defined(ALIMESH)
+   if (route_exists &&                  // route can be resolved after an on-demand
+                                        // VHDS update
+       !callbacks_->decodingBuffer() && // Redirects with body not yet supported.
+       callbacks_->recreateStream(/*headers=*/nullptr)) {
+     return;
+   }
++#endif
+ 
+   // route cannot be resolved after an on-demand VHDS update or
+   // recreating stream failed, continue the filter-chain

envoy/1.20/patches/envoy/20240110-fix-srds.patch

@@ -0,0 +1,49 @@
+diff -Naur envoy/source/common/router/BUILD envoy-new/source/common/router/BUILD
+--- envoy/source/common/router/BUILD	2024-01-10 20:10:14.505600746 +0800
++++ envoy-new/source/common/router/BUILD	2024-01-10 20:07:25.960379955 +0800
+@@ -212,6 +212,7 @@
+         "//envoy/router:rds_interface",
+         "//envoy/router:scopes_interface",
+         "//envoy/thread_local:thread_local_interface",
++        "//source/common/http:header_utility_lib",
+         "@envoy_api//envoy/config/route/v3:pkg_cc_proto",
+         "@envoy_api//envoy/extensions/filters/network/http_connection_manager/v3:pkg_cc_proto",
+     ],
+diff -Naur envoy/source/common/router/scoped_config_impl.cc envoy-new/source/common/router/scoped_config_impl.cc
+--- envoy/source/common/router/scoped_config_impl.cc	2024-01-10 20:10:14.529600924 +0800
++++ envoy-new/source/common/router/scoped_config_impl.cc	2024-01-10 20:09:50.161422411 +0800
+@@ -3,6 +3,8 @@
+ #include "envoy/config/route/v3/scoped_route.pb.h"
+ #include "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.h"
+ 
++#include "source/common/http/header_utility.h"
++
+ namespace Envoy {
+ namespace Router {
+ 
+@@ -74,18 +76,20 @@
+ HostValueExtractorImpl::computeFragment(const Http::HeaderMap& headers,
+                                         const StreamInfo::StreamInfo&,
+                                         ReComputeCbPtr& recompute) const {
+-  auto fragment = computeFragment(headers);
+   auto host = static_cast<const Http::RequestHeaderMap&>(headers).getHostValue();
++  auto port_start = Http::HeaderUtility::getPortStart(host);
++  if (port_start != absl::string_view::npos) {
++    host = host.substr(0, port_start);
++  }
+   *recompute = [this, host, recompute]() mutable -> std::unique_ptr<ScopeKeyFragmentBase> {
+     return reComputeHelper(std::string(host), recompute, 0);
+   };
+-  return fragment;
++  return std::make_unique<StringKeyFragment>(host);
+ }
+ 
+ std::unique_ptr<ScopeKeyFragmentBase>
+-HostValueExtractorImpl::computeFragment(const Http::HeaderMap& headers) const {
+-  return std::make_unique<StringKeyFragment>(
+-      static_cast<const Http::RequestHeaderMap&>(headers).getHostValue());
++HostValueExtractorImpl::computeFragment(const Http::HeaderMap&) const {
++  return nullptr;
+ }
+ 
+ std::unique_ptr<ScopeKeyFragmentBase>

envoy/1.20/patches/envoy/20240111-fix-srds-compute.patch

@@ -0,0 +1,65 @@
+diff -Naur envoy/source/common/router/scoped_config_impl.cc envoy-new/source/common/router/scoped_config_impl.cc
+--- envoy/source/common/router/scoped_config_impl.cc	2024-01-11 16:23:55.407881263 +0800
++++ envoy-new/source/common/router/scoped_config_impl.cc	2024-01-11 16:23:42.311786814 +0800
+@@ -53,21 +53,26 @@
+ }
+ 
+ std::unique_ptr<ScopeKeyFragmentBase>
+-HostValueExtractorImpl::reComputeHelper(const std::string& host, ReComputeCbPtr& next_recompute,
++HostValueExtractorImpl::reComputeHelper(const std::string& host,
++                                        ReComputeCbWeakPtr& weak_next_recompute,
+                                         uint32_t recompute_seq) const {
+   if (recompute_seq == max_recompute_num_) {
+     ENVOY_LOG_MISC(warn,
+                    "recompute host fragment failed, maximum number of recalculations exceeded");
+     return nullptr;
+   }
++  auto next_recompute = weak_next_recompute.lock();
++  if (!next_recompute) {
++    return nullptr;
++  }
+   if (host == "*") {
+     *next_recompute = nullptr;
+     return nullptr;
+   }
+   auto masked_host = maskFirstDNSLabel(host);
+   *next_recompute = [this, masked_host, recompute_seq,
+-                     next_recompute]() mutable -> std::unique_ptr<ScopeKeyFragmentBase> {
+-    return reComputeHelper(masked_host, next_recompute, recompute_seq + 1);
++                     weak_next_recompute]() mutable -> std::unique_ptr<ScopeKeyFragmentBase> {
++    return reComputeHelper(masked_host, weak_next_recompute, recompute_seq + 1);
+   };
+   return std::make_unique<StringKeyFragment>(masked_host);
+ }
+@@ -81,8 +86,9 @@
+   if (port_start != absl::string_view::npos) {
+     host = host.substr(0, port_start);
+   }
+-  *recompute = [this, host, recompute]() mutable -> std::unique_ptr<ScopeKeyFragmentBase> {
+-    return reComputeHelper(std::string(host), recompute, 0);
++  *recompute = [this, host, weak_recompute = ReComputeCbWeakPtr(recompute)]() mutable
++      -> std::unique_ptr<ScopeKeyFragmentBase> {
++    return reComputeHelper(std::string(host), weak_recompute, 0);
+   };
+   return std::make_unique<StringKeyFragment>(host);
+ }
+diff -Naur envoy/source/common/router/scoped_config_impl.h envoy-new/source/common/router/scoped_config_impl.h
+--- envoy/source/common/router/scoped_config_impl.h	2024-01-11 16:23:55.407881263 +0800
++++ envoy-new/source/common/router/scoped_config_impl.h	2024-01-11 16:23:42.311786814 +0800
+@@ -25,6 +25,7 @@
+ #if defined(ALIMESH)
+ using ReComputeCb = std::function<std::unique_ptr<ScopeKeyFragmentBase>()>;
+ using ReComputeCbPtr = std::shared_ptr<ReComputeCb>;
++using ReComputeCbWeakPtr = std::weak_ptr<ReComputeCb>;
+ #endif
+ 
+ /**
+@@ -83,7 +84,7 @@
+ 
+ private:
+   std::unique_ptr<ScopeKeyFragmentBase> reComputeHelper(const std::string& host,
+-                                                        ReComputeCbPtr& next_recompute,
++                                                        ReComputeCbWeakPtr& weak_next_recompute,
+                                                         uint32_t recompute_seq) const;
+ 
+   static constexpr uint32_t DefaultMaxRecomputeNum = 100;

envoy/1.20/patches/envoy/20240521-fix-wasm-host.patch

@@ -0,0 +1,14 @@
+diff -Naur envoy/bazel/repository_locations.bzl envoy-new/bazel/repository_locations.bzl
+--- envoy/bazel/repository_locations.bzl	2024-05-21 22:49:46.686598518 +0800
++++ envoy-new/bazel/repository_locations.bzl	2024-05-21 22:49:02.554597652 +0800
+@@ -1031,8 +1031,8 @@
+         project_name = "WebAssembly for Proxies (C++ host implementation)",
+         project_desc = "WebAssembly for Proxies (C++ host implementation)",
+         project_url = "https://github.com/higress-group/proxy-wasm-cpp-host",
+-        version = "f8b624dc6c37d4e0a3c1b332652746793e2031ad",
+-        sha256 = "ba20328101c91d0ae6383947ced99620cd9b4ea22ab2fda6b26f343b38c3be83",
++        version = "cad2eb04d402dbf559101f3cb4f44da0d9c5b0b0",
++        sha256 = "4efbcc97c58994fab92c9dc50c051ad16463647d4c0c6df36a7204d2984c1e63",
+         strip_prefix = "proxy-wasm-cpp-host-{version}",
+         urls = ["https://github.com/higress-group/proxy-wasm-cpp-host/archive/{version}.tar.gz"],
+         use_category = ["dataplane_ext"],

envoy/1.20/patches/envoy/20240527-fix-wasm-recover.patch

@@ -0,0 +1,25 @@
+diff -Naur envoy/bazel/repository_locations.bzl envoy-new/bazel/repository_locations.bzl
+--- envoy/bazel/repository_locations.bzl	2024-05-27 18:04:13.116443196 +0800
++++ envoy-new/bazel/repository_locations.bzl	2024-05-27 18:02:24.812441069 +0800
+@@ -1031,8 +1031,8 @@
+         project_name = "WebAssembly for Proxies (C++ host implementation)",
+         project_desc = "WebAssembly for Proxies (C++ host implementation)",
+         project_url = "https://github.com/higress-group/proxy-wasm-cpp-host",
+-        version = "cad2eb04d402dbf559101f3cb4f44da0d9c5b0b0",
+-        sha256 = "4efbcc97c58994fab92c9dc50c051ad16463647d4c0c6df36a7204d2984c1e63",
++        version = "28a33a5a3e6c1ff8f53128a74e89aeca47850f68",
++        sha256 = "1aaa5898c169aeff115eff2fedf58095b3509d2e59861ad498e661a990d78b3d",
+         strip_prefix = "proxy-wasm-cpp-host-{version}",
+         urls = ["https://github.com/higress-group/proxy-wasm-cpp-host/archive/{version}.tar.gz"],
+         use_category = ["dataplane_ext"],
+diff -Naur envoy/source/extensions/filters/http/wasm/wasm_filter.h envoy-new/source/extensions/filters/http/wasm/wasm_filter.h
+--- envoy/source/extensions/filters/http/wasm/wasm_filter.h	2024-05-27 18:04:13.112443196 +0800
++++ envoy-new/source/extensions/filters/http/wasm/wasm_filter.h	2024-05-27 18:03:25.360442258 +0800
+@@ -51,6 +51,7 @@
+       if (opt_ref->recover()) {
+         ENVOY_LOG(info, "wasm vm recover success");
+         wasm = opt_ref->handle()->wasmHandle()->wasm().get();
++        handle = opt_ref->handle();
+       } else {
+         ENVOY_LOG(info, "wasm vm recover failed");
+         failed = true;

envoy/1.20/patches/go-control-plane/20240104-enhance-srds.patch

@@ -0,0 +1,931 @@
+diff -Naur go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.go go-control-plane-new/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.go
+--- go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.go	2024-01-04 21:07:22.000000000 +0800
++++ go-control-plane-new/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.go	2024-01-04 21:02:10.000000000 +0800
+@@ -2286,6 +2286,8 @@
+ 
+ 	// Types that are assignable to Type:
+ 	//	*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_
++	//	*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor_
++	//	*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor_
+ 	Type isScopedRoutes_ScopeKeyBuilder_FragmentBuilder_Type `protobuf_oneof:"type"`
+ }
+ 
+@@ -2335,6 +2337,20 @@
+ 	return nil
+ }
+ 
++func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder) GetHostValueExtractor() *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor {
++	if x, ok := x.GetType().(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor_); ok {
++		return x.HostValueExtractor
++	}
++	return nil
++}
++
++func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder) GetLocalPortValueExtractor() *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor {
++	if x, ok := x.GetType().(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor_); ok {
++		return x.LocalPortValueExtractor
++	}
++	return nil
++}
++
+ type isScopedRoutes_ScopeKeyBuilder_FragmentBuilder_Type interface {
+ 	isScopedRoutes_ScopeKeyBuilder_FragmentBuilder_Type()
+ }
+@@ -2344,9 +2360,23 @@
+ 	HeaderValueExtractor *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor `protobuf:"bytes,1,opt,name=header_value_extractor,json=headerValueExtractor,proto3,oneof"`
+ }
+ 
++type ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor_ struct {
++	HostValueExtractor *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor `protobuf:"bytes,101,opt,name=host_value_extractor,json=hostValueExtractor,proto3,oneof"`
++}
++
++type ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor_ struct {
++	LocalPortValueExtractor *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor `protobuf:"bytes,102,opt,name=local_port_value_extractor,json=localPortValueExtractor,proto3,oneof"`
++}
++
+ func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_) isScopedRoutes_ScopeKeyBuilder_FragmentBuilder_Type() {
+ }
+ 
++func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor_) isScopedRoutes_ScopeKeyBuilder_FragmentBuilder_Type() {
++}
++
++func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor_) isScopedRoutes_ScopeKeyBuilder_FragmentBuilder_Type() {
++}
++
+ // Specifies how the value of a header should be extracted.
+ // The following example maps the structure of a header to the fields in this message.
+ //
+@@ -2475,6 +2505,92 @@
+ func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_Element) isScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_ExtractType() {
+ }
+ 
++type ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor struct {
++	state         protoimpl.MessageState
++	sizeCache     protoimpl.SizeCache
++	unknownFields protoimpl.UnknownFields
++
++	// The maximum number of host superset recomputes. If not specified, defaults to 100.
++	MaxRecomputeNum *wrappers.UInt32Value `protobuf:"bytes,1,opt,name=max_recompute_num,json=maxRecomputeNum,proto3" json:"max_recompute_num,omitempty"`
++}
++
++func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor) Reset() {
++	*x = ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor{}
++	if protoimpl.UnsafeEnabled {
++		mi := &file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[18]
++		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
++		ms.StoreMessageInfo(mi)
++	}
++}
++
++func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor) String() string {
++	return protoimpl.X.MessageStringOf(x)
++}
++
++func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor) ProtoMessage() {}
++
++func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor) ProtoReflect() protoreflect.Message {
++	mi := &file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[18]
++	if protoimpl.UnsafeEnabled && x != nil {
++		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
++		if ms.LoadMessageInfo() == nil {
++			ms.StoreMessageInfo(mi)
++		}
++		return ms
++	}
++	return mi.MessageOf(x)
++}
++
++// Deprecated: Use ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor.ProtoReflect.Descriptor instead.
++func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor) Descriptor() ([]byte, []int) {
++	return file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_rawDescGZIP(), []int{5, 0, 0, 1}
++}
++
++func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor) GetMaxRecomputeNum() *wrappers.UInt32Value {
++	if x != nil {
++		return x.MaxRecomputeNum
++	}
++	return nil
++}
++
++type ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor struct {
++	state         protoimpl.MessageState
++	sizeCache     protoimpl.SizeCache
++	unknownFields protoimpl.UnknownFields
++}
++
++func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor) Reset() {
++	*x = ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor{}
++	if protoimpl.UnsafeEnabled {
++		mi := &file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[19]
++		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
++		ms.StoreMessageInfo(mi)
++	}
++}
++
++func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor) String() string {
++	return protoimpl.X.MessageStringOf(x)
++}
++
++func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor) ProtoMessage() {}
++
++func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor) ProtoReflect() protoreflect.Message {
++	mi := &file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[19]
++	if protoimpl.UnsafeEnabled && x != nil {
++		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
++		if ms.LoadMessageInfo() == nil {
++			ms.StoreMessageInfo(mi)
++		}
++		return ms
++	}
++	return mi.MessageOf(x)
++}
++
++// Deprecated: Use ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor.ProtoReflect.Descriptor instead.
++func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor) Descriptor() ([]byte, []int) {
++	return file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_rawDescGZIP(), []int{5, 0, 0, 2}
++}
++
+ // Specifies a header field's key value pair to match on.
+ type ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement struct {
+ 	state         protoimpl.MessageState
+@@ -2494,7 +2610,7 @@
+ func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement) Reset() {
+ 	*x = ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement{}
+ 	if protoimpl.UnsafeEnabled {
+-		mi := &file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[18]
++		mi := &file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[20]
+ 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ 		ms.StoreMessageInfo(mi)
+ 	}
+@@ -2507,7 +2623,7 @@
+ func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement) ProtoMessage() {}
+ 
+ func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement) ProtoReflect() protoreflect.Message {
+-	mi := &file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[18]
++	mi := &file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[20]
+ 	if protoimpl.UnsafeEnabled && x != nil {
+ 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ 		if ms.LoadMessageInfo() == nil {
+@@ -3079,7 +3195,7 @@
+ 	0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61,
+ 	0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52,
+ 	0x6f, 0x75, 0x74, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f,
+-	0x6e, 0x73, 0x4c, 0x69, 0x73, 0x74, 0x22, 0xe9, 0x0e, 0x0a, 0x0c, 0x53, 0x63, 0x6f, 0x70, 0x65,
++	0x6e, 0x73, 0x4c, 0x69, 0x73, 0x74, 0x22, 0xe1, 0x14, 0x0a, 0x0c, 0x53, 0x63, 0x6f, 0x70, 0x65,
+ 	0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x1b, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18,
+ 	0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x04,
+ 	0x6e, 0x61, 0x6d, 0x65, 0x12, 0x8f, 0x01, 0x0a, 0x11, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x5f, 0x6b,
+@@ -3114,7 +3230,7 @@
+ 	0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f,
+ 	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x33, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65,
+ 	0x64, 0x52, 0x64, 0x73, 0x48, 0x00, 0x52, 0x09, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x64,
+-	0x73, 0x1a, 0xd9, 0x09, 0x0a, 0x0f, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75,
++	0x73, 0x1a, 0xd1, 0x0f, 0x0a, 0x0f, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75,
+ 	0x69, 0x6c, 0x64, 0x65, 0x72, 0x12, 0x91, 0x01, 0x0a, 0x09, 0x66, 0x72, 0x61, 0x67, 0x6d, 0x65,
+ 	0x6e, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x69, 0x2e, 0x65, 0x6e, 0x76, 0x6f,
+ 	0x79, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c,
+@@ -3124,7 +3240,7 @@
+ 	0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69,
+ 	0x6c, 0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x69,
+ 	0x6c, 0x64, 0x65, 0x72, 0x42, 0x08, 0xfa, 0x42, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x09,
+-	0x66, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x1a, 0xd5, 0x07, 0x0a, 0x0f, 0x46, 0x72,
++	0x66, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x1a, 0xcd, 0x0d, 0x0a, 0x0f, 0x46, 0x72,
+ 	0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x12, 0xb6, 0x01,
+ 	0x0a, 0x16, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65,
+ 	0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x7e,
+@@ -3137,131 +3253,178 @@
+ 	0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72,
+ 	0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x48, 0x00,
+ 	0x52, 0x14, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74,
+-	0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x1a, 0x8f, 0x05, 0x0a, 0x14, 0x48, 0x65, 0x61, 0x64, 0x65,
+-	0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x12,
+-	0x1b, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa,
+-	0x42, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x2b, 0x0a, 0x11,
+-	0x65, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x73, 0x65, 0x70, 0x61, 0x72, 0x61, 0x74, 0x6f,
+-	0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x10, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74,
+-	0x53, 0x65, 0x70, 0x61, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x16, 0x0a, 0x05, 0x69, 0x6e, 0x64,
+-	0x65, 0x78, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x48, 0x00, 0x52, 0x05, 0x69, 0x6e, 0x64, 0x65,
+-	0x78, 0x12, 0xa5, 0x01, 0x0a, 0x07, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x18, 0x04, 0x20,
+-	0x01, 0x28, 0x0b, 0x32, 0x88, 0x01, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74,
+-	0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x2e,
++	0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x12, 0xb0, 0x01, 0x0a, 0x14, 0x68, 0x6f, 0x73, 0x74, 0x5f,
++	0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x18,
++	0x65, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x7c, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78,
++	0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73,
++	0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f,
++	0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72,
++	0x2e, 0x76, 0x33, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73,
++	0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72,
++	0x2e, 0x46, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72,
++	0x2e, 0x48, 0x6f, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63,
++	0x74, 0x6f, 0x72, 0x48, 0x00, 0x52, 0x12, 0x68, 0x6f, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65,
++	0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x12, 0xc1, 0x01, 0x0a, 0x1a, 0x6c, 0x6f,
++	0x63, 0x61, 0x6c, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65,
++	0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x66, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x81,
++	0x01, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f,
++	0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f,
++	0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69,
++	0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x33, 0x2e, 0x53, 0x63,
++	0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65,
++	0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61, 0x67, 0x6d,
++	0x65, 0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x4c, 0x6f, 0x63, 0x61, 0x6c,
++	0x50, 0x6f, 0x72, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74,
++	0x6f, 0x72, 0x48, 0x00, 0x52, 0x17, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x50, 0x6f, 0x72, 0x74, 0x56,
++	0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x1a, 0x8f, 0x05,
++	0x0a, 0x14, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74,
++	0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x1b, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01,
++	0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x04, 0x6e,
++	0x61, 0x6d, 0x65, 0x12, 0x2b, 0x0a, 0x11, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x73,
++	0x65, 0x70, 0x61, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x10,
++	0x65, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x70, 0x61, 0x72, 0x61, 0x74, 0x6f, 0x72,
++	0x12, 0x16, 0x0a, 0x05, 0x69, 0x6e, 0x64, 0x65, 0x78, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x48,
++	0x00, 0x52, 0x05, 0x69, 0x6e, 0x64, 0x65, 0x78, 0x12, 0xa5, 0x01, 0x0a, 0x07, 0x65, 0x6c, 0x65,
++	0x6d, 0x65, 0x6e, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x88, 0x01, 0x2e, 0x65, 0x6e,
++	0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x66,
++	0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68,
++	0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d,
++	0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x33, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64,
++	0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42,
++	0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42,
++	0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x56, 0x61, 0x6c,
++	0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x2e, 0x4b, 0x76, 0x45, 0x6c,
++	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x48, 0x00, 0x52, 0x07, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74,
++	0x1a, 0xdb, 0x01, 0x0a, 0x09, 0x4b, 0x76, 0x45, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x25,
++	0x0a, 0x09, 0x73, 0x65, 0x70, 0x61, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28,
++	0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x09, 0x73, 0x65, 0x70, 0x61,
++	0x72, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x19, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01,
++	0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x03, 0x6b, 0x65, 0x79,
++	0x3a, 0x8b, 0x01, 0x9a, 0xc5, 0x88, 0x1e, 0x85, 0x01, 0x0a, 0x82, 0x01, 0x65, 0x6e, 0x76, 0x6f,
++	0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e,
+ 	0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e,
+ 	0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e,
+-	0x76, 0x33, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e,
++	0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e,
+ 	0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e,
+ 	0x46, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e,
+ 	0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61,
+-	0x63, 0x74, 0x6f, 0x72, 0x2e, 0x4b, 0x76, 0x45, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x48, 0x00,
+-	0x52, 0x07, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x1a, 0xdb, 0x01, 0x0a, 0x09, 0x4b, 0x76,
+-	0x45, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x25, 0x0a, 0x09, 0x73, 0x65, 0x70, 0x61, 0x72,
+-	0x61, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, 0x72,
+-	0x02, 0x10, 0x01, 0x52, 0x09, 0x73, 0x65, 0x70, 0x61, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x19,
+-	0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04,
+-	0x72, 0x02, 0x10, 0x01, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x3a, 0x8b, 0x01, 0x9a, 0xc5, 0x88, 0x1e,
+-	0x85, 0x01, 0x0a, 0x82, 0x01, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69,
++	0x63, 0x74, 0x6f, 0x72, 0x2e, 0x4b, 0x76, 0x45, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x3a, 0x7f,
++	0x9a, 0xc5, 0x88, 0x1e, 0x7a, 0x0a, 0x78, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e,
++	0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f,
++	0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69,
++	0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63,
++	0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65,
++	0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61, 0x67, 0x6d,
++	0x65, 0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x48, 0x65, 0x61, 0x64, 0x65,
++	0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x42,
++	0x0e, 0x0a, 0x0c, 0x65, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x1a,
++	0xdd, 0x01, 0x0a, 0x12, 0x48, 0x6f, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74,
++	0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x48, 0x0a, 0x11, 0x6d, 0x61, 0x78, 0x5f, 0x72, 0x65,
++	0x63, 0x6f, 0x6d, 0x70, 0x75, 0x74, 0x65, 0x5f, 0x6e, 0x75, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28,
++	0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
++	0x62, 0x75, 0x66, 0x2e, 0x55, 0x49, 0x6e, 0x74, 0x33, 0x32, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52,
++	0x0f, 0x6d, 0x61, 0x78, 0x52, 0x65, 0x63, 0x6f, 0x6d, 0x70, 0x75, 0x74, 0x65, 0x4e, 0x75, 0x6d,
++	0x3a, 0x7d, 0x9a, 0xc5, 0x88, 0x1e, 0x78, 0x0a, 0x76, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63,
++	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74,
++	0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63,
++	0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e,
++	0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f,
++	0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61,
++	0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x48, 0x6f, 0x73,
++	0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x1a,
++	0x9e, 0x01, 0x0a, 0x17, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x50, 0x6f, 0x72, 0x74, 0x56, 0x61, 0x6c,
++	0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x3a, 0x82, 0x01, 0x9a, 0xc5,
++	0x88, 0x1e, 0x7d, 0x0a, 0x7b, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69,
+ 	0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b,
+ 	0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e,
+ 	0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f, 0x70,
+ 	0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65,
+ 	0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e,
+-	0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x56,
+-	0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x2e, 0x4b, 0x76,
+-	0x45, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x3a, 0x7f, 0x9a, 0xc5, 0x88, 0x1e, 0x7a, 0x0a, 0x78,
+-	0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c,
+-	0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70,
+-	0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61,
+-	0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75,
+-	0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c,
+-	0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c,
+-	0x64, 0x65, 0x72, 0x2e, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45,
+-	0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x42, 0x0e, 0x0a, 0x0c, 0x65, 0x78, 0x74, 0x72,
+-	0x61, 0x63, 0x74, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x3a, 0x6a, 0x9a, 0xc5, 0x88, 0x1e, 0x65, 0x0a,
+-	0x63, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69,
+-	0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74,
+-	0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e,
+-	0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f,
+-	0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69,
+-	0x6c, 0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x69,
+-	0x6c, 0x64, 0x65, 0x72, 0x42, 0x0b, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x03, 0xf8, 0x42,
+-	0x01, 0x3a, 0x5a, 0x9a, 0xc5, 0x88, 0x1e, 0x55, 0x0a, 0x53, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e,
+-	0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65,
+-	0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65,
+-	0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32,
+-	0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63,
+-	0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x3a, 0x4a, 0x9a,
+-	0xc5, 0x88, 0x1e, 0x45, 0x0a, 0x43, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66,
+-	0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72,
+-	0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f,
+-	0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f,
+-	0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x42, 0x17, 0x0a, 0x10, 0x63, 0x6f, 0x6e,
+-	0x66, 0x69, 0x67, 0x5f, 0x73, 0x70, 0x65, 0x63, 0x69, 0x66, 0x69, 0x65, 0x72, 0x12, 0x03, 0xf8,
+-	0x42, 0x01, 0x22, 0xf1, 0x01, 0x0a, 0x09, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x64, 0x73,
+-	0x12, 0x65, 0x0a, 0x18, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x5f, 0x72, 0x64, 0x73, 0x5f, 0x63,
+-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01,
+-	0x28, 0x0b, 0x32, 0x22, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69,
+-	0x67, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x33, 0x2e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
+-	0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x42, 0x08, 0xfa, 0x42, 0x05, 0x8a, 0x01, 0x02, 0x10, 0x01,
+-	0x52, 0x15, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x64, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69,
+-	0x67, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x34, 0x0a, 0x16, 0x73, 0x72, 0x64, 0x73, 0x5f,
+-	0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x5f, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x6f,
+-	0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x14, 0x73, 0x72, 0x64, 0x73, 0x52, 0x65, 0x73,
+-	0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x4c, 0x6f, 0x63, 0x61, 0x74, 0x6f, 0x72, 0x3a, 0x47, 0x9a,
+-	0xc5, 0x88, 0x1e, 0x42, 0x0a, 0x40, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66,
+-	0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72,
+-	0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f,
+-	0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f,
+-	0x70, 0x65, 0x64, 0x52, 0x64, 0x73, 0x22, 0xcc, 0x02, 0x0a, 0x0a, 0x48, 0x74, 0x74, 0x70, 0x46,
+-	0x69, 0x6c, 0x74, 0x65, 0x72, 0x12, 0x1b, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20,
+-	0x01, 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x04, 0x6e, 0x61,
+-	0x6d, 0x65, 0x12, 0x39, 0x0a, 0x0c, 0x74, 0x79, 0x70, 0x65, 0x64, 0x5f, 0x63, 0x6f, 0x6e, 0x66,
+-	0x69, 0x67, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
+-	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79, 0x48, 0x00,
+-	0x52, 0x0b, 0x74, 0x79, 0x70, 0x65, 0x64, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x58, 0x0a,
+-	0x10, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72,
+-	0x79, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e,
+-	0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x33, 0x2e, 0x45,
+-	0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x6f,
+-	0x75, 0x72, 0x63, 0x65, 0x48, 0x00, 0x52, 0x0f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x44, 0x69,
+-	0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x12, 0x1f, 0x0a, 0x0b, 0x69, 0x73, 0x5f, 0x6f, 0x70,
+-	0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x69, 0x73,
+-	0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x3a, 0x48, 0x9a, 0xc5, 0x88, 0x1e, 0x43, 0x0a,
+-	0x41, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69,
+-	0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74,
+-	0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e,
+-	0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x48, 0x74, 0x74, 0x70, 0x46, 0x69, 0x6c, 0x74,
+-	0x65, 0x72, 0x42, 0x0d, 0x0a, 0x0b, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x74, 0x79, 0x70,
+-	0x65, 0x4a, 0x04, 0x08, 0x03, 0x10, 0x04, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x52, 0x06, 0x63,
+-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0x9f, 0x01, 0x0a, 0x12, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+-	0x74, 0x49, 0x44, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x37, 0x0a, 0x0c,
+-	0x74, 0x79, 0x70, 0x65, 0x64, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01,
+-	0x28, 0x0b, 0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+-	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79, 0x52, 0x0b, 0x74, 0x79, 0x70, 0x65, 0x64, 0x43,
+-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x3a, 0x50, 0x9a, 0xc5, 0x88, 0x1e, 0x4b, 0x0a, 0x49, 0x65, 0x6e,
++	0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x50, 0x6f,
++	0x72, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72,
++	0x3a, 0x6a, 0x9a, 0xc5, 0x88, 0x1e, 0x65, 0x0a, 0x63, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63,
++	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74,
++	0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63,
++	0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e,
++	0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f,
++	0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61,
++	0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x42, 0x0b, 0x0a, 0x04,
++	0x74, 0x79, 0x70, 0x65, 0x12, 0x03, 0xf8, 0x42, 0x01, 0x3a, 0x5a, 0x9a, 0xc5, 0x88, 0x1e, 0x55,
++	0x0a, 0x53, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66,
++	0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74,
++	0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61,
++	0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52,
++	0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75,
++	0x69, 0x6c, 0x64, 0x65, 0x72, 0x3a, 0x4a, 0x9a, 0xc5, 0x88, 0x1e, 0x45, 0x0a, 0x43, 0x65, 0x6e,
+ 	0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65,
+ 	0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63,
+ 	0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
+-	0x72, 0x2e, 0x76, 0x32, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x49, 0x44, 0x45, 0x78,
+-	0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x8e, 0x01, 0x0a, 0x20, 0x45, 0x6e, 0x76, 0x6f,
+-	0x79, 0x4d, 0x6f, 0x62, 0x69, 0x6c, 0x65, 0x48, 0x74, 0x74, 0x70, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
+-	0x63, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x12, 0x6a, 0x0a, 0x06,
+-	0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x52, 0x2e, 0x65,
+-	0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e,
+-	0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e,
+-	0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f,
+-	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x33, 0x2e, 0x48, 0x74, 0x74, 0x70, 0x43,
+-	0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72,
+-	0x52, 0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x42, 0x71, 0x0a, 0x49, 0x69, 0x6f, 0x2e, 0x65,
+-	0x6e, 0x76, 0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e,
+-	0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65,
+-	0x72, 0x73, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f,
+-	0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67,
+-	0x65, 0x72, 0x2e, 0x76, 0x33, 0x42, 0x1a, 0x48, 0x74, 0x74, 0x70, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
+-	0x63, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x50, 0x72, 0x6f, 0x74,
+-	0x6f, 0x50, 0x01, 0xba, 0x80, 0xc8, 0xd1, 0x06, 0x02, 0x10, 0x02, 0x62, 0x06, 0x70, 0x72, 0x6f,
+-	0x74, 0x6f, 0x33,
++	0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65,
++	0x73, 0x42, 0x17, 0x0a, 0x10, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x73, 0x70, 0x65, 0x63,
++	0x69, 0x66, 0x69, 0x65, 0x72, 0x12, 0x03, 0xf8, 0x42, 0x01, 0x22, 0xf1, 0x01, 0x0a, 0x09, 0x53,
++	0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x64, 0x73, 0x12, 0x65, 0x0a, 0x18, 0x73, 0x63, 0x6f, 0x70,
++	0x65, 0x64, 0x5f, 0x72, 0x64, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x73, 0x6f,
++	0x75, 0x72, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x65, 0x6e, 0x76,
++	0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76,
++	0x33, 0x2e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x42, 0x08,
++	0xfa, 0x42, 0x05, 0x8a, 0x01, 0x02, 0x10, 0x01, 0x52, 0x15, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x64,
++	0x52, 0x64, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12,
++	0x34, 0x0a, 0x16, 0x73, 0x72, 0x64, 0x73, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65,
++	0x73, 0x5f, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
++	0x14, 0x73, 0x72, 0x64, 0x73, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x4c, 0x6f,
++	0x63, 0x61, 0x74, 0x6f, 0x72, 0x3a, 0x47, 0x9a, 0xc5, 0x88, 0x1e, 0x42, 0x0a, 0x40, 0x65, 0x6e,
++	0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65,
++	0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63,
++	0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
++	0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x64, 0x73, 0x22, 0xcc,
++	0x02, 0x0a, 0x0a, 0x48, 0x74, 0x74, 0x70, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x12, 0x1b, 0x0a,
++	0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04,
++	0x72, 0x02, 0x10, 0x01, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x39, 0x0a, 0x0c, 0x74, 0x79,
++	0x70, 0x65, 0x64, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b,
++	0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
++	0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79, 0x48, 0x00, 0x52, 0x0b, 0x74, 0x79, 0x70, 0x65, 0x64, 0x43,
++	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x58, 0x0a, 0x10, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f,
++	0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32,
++	0x2b, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x63,
++	0x6f, 0x72, 0x65, 0x2e, 0x76, 0x33, 0x2e, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e,
++	0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x48, 0x00, 0x52, 0x0f,
++	0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x44, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x12,
++	0x1f, 0x0a, 0x0b, 0x69, 0x73, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x18, 0x06,
++	0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x69, 0x73, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c,
++	0x3a, 0x48, 0x9a, 0xc5, 0x88, 0x1e, 0x43, 0x0a, 0x41, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63,
++	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74,
++	0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63,
++	0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e,
++	0x48, 0x74, 0x74, 0x70, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x42, 0x0d, 0x0a, 0x0b, 0x63, 0x6f,
++	0x6e, 0x66, 0x69, 0x67, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x4a, 0x04, 0x08, 0x03, 0x10, 0x04, 0x4a,
++	0x04, 0x08, 0x02, 0x10, 0x03, 0x52, 0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0x9f, 0x01,
++	0x0a, 0x12, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x49, 0x44, 0x45, 0x78, 0x74, 0x65, 0x6e,
++	0x73, 0x69, 0x6f, 0x6e, 0x12, 0x37, 0x0a, 0x0c, 0x74, 0x79, 0x70, 0x65, 0x64, 0x5f, 0x63, 0x6f,
++	0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f,
++	0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79,
++	0x52, 0x0b, 0x74, 0x79, 0x70, 0x65, 0x64, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x3a, 0x50, 0x9a,
++	0xc5, 0x88, 0x1e, 0x4b, 0x0a, 0x49, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66,
++	0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72,
++	0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f,
++	0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x52, 0x65, 0x71,
++	0x75, 0x65, 0x73, 0x74, 0x49, 0x44, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x22,
++	0x8e, 0x01, 0x0a, 0x20, 0x45, 0x6e, 0x76, 0x6f, 0x79, 0x4d, 0x6f, 0x62, 0x69, 0x6c, 0x65, 0x48,
++	0x74, 0x74, 0x70, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x6e,
++	0x61, 0x67, 0x65, 0x72, 0x12, 0x6a, 0x0a, 0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01,
++	0x20, 0x01, 0x28, 0x0b, 0x32, 0x52, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74,
++	0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x2e,
++	0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e,
++	0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e,
++	0x76, 0x33, 0x2e, 0x48, 0x74, 0x74, 0x70, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f,
++	0x6e, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x52, 0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67,
++	0x42, 0x71, 0x0a, 0x49, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78,
++	0x79, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f,
++	0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f,
++	0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69,
++	0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x33, 0x42, 0x1a, 0x48,
++	0x74, 0x74, 0x70, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x6e,
++	0x61, 0x67, 0x65, 0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0xba, 0x80, 0xc8, 0xd1, 0x06,
++	0x02, 0x10, 0x02, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+ }
+ 
+ var (
+@@ -3277,7 +3440,7 @@
+ }
+ 
+ var file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_enumTypes = make([]protoimpl.EnumInfo, 5)
+-var file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes = make([]protoimpl.MessageInfo, 19)
++var file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes = make([]protoimpl.MessageInfo, 21)
+ var file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_goTypes = []interface{}{
+ 	(HttpConnectionManager_CodecType)(0),                                                // 0: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.CodecType
+ 	(HttpConnectionManager_ServerHeaderTransformation)(0),                               // 1: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ServerHeaderTransformation
+@@ -3302,102 +3465,107 @@
+ 	(*ScopedRoutes_ScopeKeyBuilder)(nil),                                                // 20: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder
+ 	(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder)(nil),                                // 21: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder
+ 	(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor)(nil),           // 22: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor
+-	(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement)(nil), // 23: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.KvElement
+-	(*v32.RouteConfiguration)(nil),                                                      // 24: envoy.config.route.v3.RouteConfiguration
+-	(*wrappers.BoolValue)(nil),                                                          // 25: google.protobuf.BoolValue
+-	(*v3.HttpProtocolOptions)(nil),                                                      // 26: envoy.config.core.v3.HttpProtocolOptions
+-	(*v3.Http1ProtocolOptions)(nil),                                                     // 27: envoy.config.core.v3.Http1ProtocolOptions
+-	(*v3.Http2ProtocolOptions)(nil),                                                     // 28: envoy.config.core.v3.Http2ProtocolOptions
+-	(*v3.Http3ProtocolOptions)(nil),                                                     // 29: envoy.config.core.v3.Http3ProtocolOptions
+-	(*v3.SchemeHeaderTransformation)(nil),                                               // 30: envoy.config.core.v3.SchemeHeaderTransformation
+-	(*wrappers.UInt32Value)(nil),                                                        // 31: google.protobuf.UInt32Value
+-	(*duration.Duration)(nil),                                                           // 32: google.protobuf.Duration
+-	(*v31.AccessLog)(nil),                                                               // 33: envoy.config.accesslog.v3.AccessLog
+-	(*v3.TypedExtensionConfig)(nil),                                                     // 34: envoy.config.core.v3.TypedExtensionConfig
+-	(*v3.SubstitutionFormatString)(nil),                                                 // 35: envoy.config.core.v3.SubstitutionFormatString
+-	(*v31.AccessLogFilter)(nil),                                                         // 36: envoy.config.accesslog.v3.AccessLogFilter
+-	(*v3.DataSource)(nil),                                                               // 37: envoy.config.core.v3.DataSource
+-	(*v3.HeaderValueOption)(nil),                                                        // 38: envoy.config.core.v3.HeaderValueOption
+-	(*v3.ConfigSource)(nil),                                                             // 39: envoy.config.core.v3.ConfigSource
+-	(*v32.ScopedRouteConfiguration)(nil),                                                // 40: envoy.config.route.v3.ScopedRouteConfiguration
+-	(*any.Any)(nil),                                                                     // 41: google.protobuf.Any
+-	(*v3.ExtensionConfigSource)(nil),                                                    // 42: envoy.config.core.v3.ExtensionConfigSource
+-	(*v33.Percent)(nil),                                                                 // 43: envoy.type.v3.Percent
+-	(*v34.CustomTag)(nil),                                                               // 44: envoy.type.tracing.v3.CustomTag
+-	(*v35.Tracing_Http)(nil),                                                            // 45: envoy.config.trace.v3.Tracing.Http
+-	(*v36.PathTransformation)(nil),                                                      // 46: envoy.type.http.v3.PathTransformation
++	(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor)(nil),             // 23: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HostValueExtractor
++	(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor)(nil),        // 24: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.LocalPortValueExtractor
++	(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement)(nil), // 25: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.KvElement
++	(*v32.RouteConfiguration)(nil),                                                      // 26: envoy.config.route.v3.RouteConfiguration
++	(*wrappers.BoolValue)(nil),                                                          // 27: google.protobuf.BoolValue
++	(*v3.HttpProtocolOptions)(nil),                                                      // 28: envoy.config.core.v3.HttpProtocolOptions
++	(*v3.Http1ProtocolOptions)(nil),                                                     // 29: envoy.config.core.v3.Http1ProtocolOptions
++	(*v3.Http2ProtocolOptions)(nil),                                                     // 30: envoy.config.core.v3.Http2ProtocolOptions
++	(*v3.Http3ProtocolOptions)(nil),                                                     // 31: envoy.config.core.v3.Http3ProtocolOptions
++	(*v3.SchemeHeaderTransformation)(nil),                                               // 32: envoy.config.core.v3.SchemeHeaderTransformation
++	(*wrappers.UInt32Value)(nil),                                                        // 33: google.protobuf.UInt32Value
++	(*duration.Duration)(nil),                                                           // 34: google.protobuf.Duration
++	(*v31.AccessLog)(nil),                                                               // 35: envoy.config.accesslog.v3.AccessLog
++	(*v3.TypedExtensionConfig)(nil),                                                     // 36: envoy.config.core.v3.TypedExtensionConfig
++	(*v3.SubstitutionFormatString)(nil),                                                 // 37: envoy.config.core.v3.SubstitutionFormatString
++	(*v31.AccessLogFilter)(nil),                                                         // 38: envoy.config.accesslog.v3.AccessLogFilter
++	(*v3.DataSource)(nil),                                                               // 39: envoy.config.core.v3.DataSource
++	(*v3.HeaderValueOption)(nil),                                                        // 40: envoy.config.core.v3.HeaderValueOption
++	(*v3.ConfigSource)(nil),                                                             // 41: envoy.config.core.v3.ConfigSource
++	(*v32.ScopedRouteConfiguration)(nil),                                                // 42: envoy.config.route.v3.ScopedRouteConfiguration
++	(*any.Any)(nil),                                                                     // 43: google.protobuf.Any
++	(*v3.ExtensionConfigSource)(nil),                                                    // 44: envoy.config.core.v3.ExtensionConfigSource
++	(*v33.Percent)(nil),                                                                 // 45: envoy.type.v3.Percent
++	(*v34.CustomTag)(nil),                                                               // 46: envoy.type.tracing.v3.CustomTag
++	(*v35.Tracing_Http)(nil),                                                            // 47: envoy.config.trace.v3.Tracing.Http
++	(*v36.PathTransformation)(nil),                                                      // 48: envoy.type.http.v3.PathTransformation
+ }
+ var file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_depIdxs = []int32{
+ 	0,  // 0: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.codec_type:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.CodecType
+ 	8,  // 1: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.rds:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.Rds
+-	24, // 2: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.route_config:type_name -> envoy.config.route.v3.RouteConfiguration
++	26, // 2: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.route_config:type_name -> envoy.config.route.v3.RouteConfiguration
+ 	10, // 3: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.scoped_routes:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes
+ 	12, // 4: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http_filters:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpFilter
+-	25, // 5: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.add_user_agent:type_name -> google.protobuf.BoolValue
++	27, // 5: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.add_user_agent:type_name -> google.protobuf.BoolValue
+ 	15, // 6: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.tracing:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing
+-	26, // 7: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.common_http_protocol_options:type_name -> envoy.config.core.v3.HttpProtocolOptions
+-	27, // 8: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http_protocol_options:type_name -> envoy.config.core.v3.Http1ProtocolOptions
+-	28, // 9: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http2_protocol_options:type_name -> envoy.config.core.v3.Http2ProtocolOptions
+-	29, // 10: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http3_protocol_options:type_name -> envoy.config.core.v3.Http3ProtocolOptions
++	28, // 7: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.common_http_protocol_options:type_name -> envoy.config.core.v3.HttpProtocolOptions
++	29, // 8: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http_protocol_options:type_name -> envoy.config.core.v3.Http1ProtocolOptions
++	30, // 9: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http2_protocol_options:type_name -> envoy.config.core.v3.Http2ProtocolOptions
++	31, // 10: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http3_protocol_options:type_name -> envoy.config.core.v3.Http3ProtocolOptions
+ 	1,  // 11: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.server_header_transformation:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ServerHeaderTransformation
+-	30, // 12: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.scheme_header_transformation:type_name -> envoy.config.core.v3.SchemeHeaderTransformation
+-	31, // 13: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.max_request_headers_kb:type_name -> google.protobuf.UInt32Value
+-	32, // 14: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_idle_timeout:type_name -> google.protobuf.Duration
+-	32, // 15: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.request_timeout:type_name -> google.protobuf.Duration
+-	32, // 16: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.request_headers_timeout:type_name -> google.protobuf.Duration
+-	32, // 17: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.drain_timeout:type_name -> google.protobuf.Duration
+-	32, // 18: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.delayed_close_timeout:type_name -> google.protobuf.Duration
+-	33, // 19: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.access_log:type_name -> envoy.config.accesslog.v3.AccessLog
+-	25, // 20: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.use_remote_address:type_name -> google.protobuf.BoolValue
+-	34, // 21: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.original_ip_detection_extensions:type_name -> envoy.config.core.v3.TypedExtensionConfig
++	32, // 12: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.scheme_header_transformation:type_name -> envoy.config.core.v3.SchemeHeaderTransformation
++	33, // 13: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.max_request_headers_kb:type_name -> google.protobuf.UInt32Value
++	34, // 14: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_idle_timeout:type_name -> google.protobuf.Duration
++	34, // 15: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.request_timeout:type_name -> google.protobuf.Duration
++	34, // 16: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.request_headers_timeout:type_name -> google.protobuf.Duration
++	34, // 17: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.drain_timeout:type_name -> google.protobuf.Duration
++	34, // 18: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.delayed_close_timeout:type_name -> google.protobuf.Duration
++	35, // 19: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.access_log:type_name -> envoy.config.accesslog.v3.AccessLog
++	27, // 20: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.use_remote_address:type_name -> google.protobuf.BoolValue
++	36, // 21: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.original_ip_detection_extensions:type_name -> envoy.config.core.v3.TypedExtensionConfig
+ 	16, // 22: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.internal_address_config:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.InternalAddressConfig
+-	25, // 23: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.generate_request_id:type_name -> google.protobuf.BoolValue
++	27, // 23: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.generate_request_id:type_name -> google.protobuf.BoolValue
+ 	2,  // 24: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.forward_client_cert_details:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ForwardClientCertDetails
+ 	17, // 25: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.set_current_client_cert_details:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.SetCurrentClientCertDetails
+ 	18, // 26: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.upgrade_configs:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.UpgradeConfig
+-	25, // 27: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.normalize_path:type_name -> google.protobuf.BoolValue
++	27, // 27: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.normalize_path:type_name -> google.protobuf.BoolValue
+ 	3,  // 28: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.path_with_escaped_slashes_action:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathWithEscapedSlashesAction
+ 	13, // 29: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.request_id_extension:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.RequestIDExtension
+ 	6,  // 30: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.local_reply_config:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.LocalReplyConfig
+-	25, // 31: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_error_on_invalid_http_message:type_name -> google.protobuf.BoolValue
++	27, // 31: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_error_on_invalid_http_message:type_name -> google.protobuf.BoolValue
+ 	19, // 32: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.path_normalization_options:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathNormalizationOptions
+ 	7,  // 33: envoy.extensions.filters.network.http_connection_manager.v3.LocalReplyConfig.mappers:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper
+-	35, // 34: envoy.extensions.filters.network.http_connection_manager.v3.LocalReplyConfig.body_format:type_name -> envoy.config.core.v3.SubstitutionFormatString
+-	36, // 35: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.filter:type_name -> envoy.config.accesslog.v3.AccessLogFilter
+-	31, // 36: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.status_code:type_name -> google.protobuf.UInt32Value
+-	37, // 37: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.body:type_name -> envoy.config.core.v3.DataSource
+-	35, // 38: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.body_format_override:type_name -> envoy.config.core.v3.SubstitutionFormatString
+-	38, // 39: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.headers_to_add:type_name -> envoy.config.core.v3.HeaderValueOption
+-	39, // 40: envoy.extensions.filters.network.http_connection_manager.v3.Rds.config_source:type_name -> envoy.config.core.v3.ConfigSource
+-	40, // 41: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRouteConfigurationsList.scoped_route_configurations:type_name -> envoy.config.route.v3.ScopedRouteConfiguration
++	37, // 34: envoy.extensions.filters.network.http_connection_manager.v3.LocalReplyConfig.body_format:type_name -> envoy.config.core.v3.SubstitutionFormatString
++	38, // 35: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.filter:type_name -> envoy.config.accesslog.v3.AccessLogFilter
++	33, // 36: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.status_code:type_name -> google.protobuf.UInt32Value
++	39, // 37: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.body:type_name -> envoy.config.core.v3.DataSource
++	37, // 38: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.body_format_override:type_name -> envoy.config.core.v3.SubstitutionFormatString
++	40, // 39: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.headers_to_add:type_name -> envoy.config.core.v3.HeaderValueOption
++	41, // 40: envoy.extensions.filters.network.http_connection_manager.v3.Rds.config_source:type_name -> envoy.config.core.v3.ConfigSource
++	42, // 41: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRouteConfigurationsList.scoped_route_configurations:type_name -> envoy.config.route.v3.ScopedRouteConfiguration
+ 	20, // 42: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.scope_key_builder:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder
+-	39, // 43: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.rds_config_source:type_name -> envoy.config.core.v3.ConfigSource
++	41, // 43: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.rds_config_source:type_name -> envoy.config.core.v3.ConfigSource
+ 	9,  // 44: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.scoped_route_configurations_list:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRouteConfigurationsList
+ 	11, // 45: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.scoped_rds:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRds
+-	39, // 46: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRds.scoped_rds_config_source:type_name -> envoy.config.core.v3.ConfigSource
+-	41, // 47: envoy.extensions.filters.network.http_connection_manager.v3.HttpFilter.typed_config:type_name -> google.protobuf.Any
+-	42, // 48: envoy.extensions.filters.network.http_connection_manager.v3.HttpFilter.config_discovery:type_name -> envoy.config.core.v3.ExtensionConfigSource
+-	41, // 49: envoy.extensions.filters.network.http_connection_manager.v3.RequestIDExtension.typed_config:type_name -> google.protobuf.Any
++	41, // 46: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRds.scoped_rds_config_source:type_name -> envoy.config.core.v3.ConfigSource
++	43, // 47: envoy.extensions.filters.network.http_connection_manager.v3.HttpFilter.typed_config:type_name -> google.protobuf.Any
++	44, // 48: envoy.extensions.filters.network.http_connection_manager.v3.HttpFilter.config_discovery:type_name -> envoy.config.core.v3.ExtensionConfigSource
++	43, // 49: envoy.extensions.filters.network.http_connection_manager.v3.RequestIDExtension.typed_config:type_name -> google.protobuf.Any
+ 	5,  // 50: envoy.extensions.filters.network.http_connection_manager.v3.EnvoyMobileHttpConnectionManager.config:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+-	43, // 51: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.client_sampling:type_name -> envoy.type.v3.Percent
+-	43, // 52: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.random_sampling:type_name -> envoy.type.v3.Percent
+-	43, // 53: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.overall_sampling:type_name -> envoy.type.v3.Percent
+-	31, // 54: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.max_path_tag_length:type_name -> google.protobuf.UInt32Value
+-	44, // 55: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.custom_tags:type_name -> envoy.type.tracing.v3.CustomTag
+-	45, // 56: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.provider:type_name -> envoy.config.trace.v3.Tracing.Http
+-	25, // 57: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.SetCurrentClientCertDetails.subject:type_name -> google.protobuf.BoolValue
++	45, // 51: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.client_sampling:type_name -> envoy.type.v3.Percent
++	45, // 52: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.random_sampling:type_name -> envoy.type.v3.Percent
++	45, // 53: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.overall_sampling:type_name -> envoy.type.v3.Percent
++	33, // 54: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.max_path_tag_length:type_name -> google.protobuf.UInt32Value
++	46, // 55: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.custom_tags:type_name -> envoy.type.tracing.v3.CustomTag
++	47, // 56: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.provider:type_name -> envoy.config.trace.v3.Tracing.Http
++	27, // 57: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.SetCurrentClientCertDetails.subject:type_name -> google.protobuf.BoolValue
+ 	12, // 58: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.UpgradeConfig.filters:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpFilter
+-	25, // 59: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.UpgradeConfig.enabled:type_name -> google.protobuf.BoolValue
+-	46, // 60: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathNormalizationOptions.forwarding_transformation:type_name -> envoy.type.http.v3.PathTransformation
+-	46, // 61: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathNormalizationOptions.http_filter_transformation:type_name -> envoy.type.http.v3.PathTransformation
++	27, // 59: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.UpgradeConfig.enabled:type_name -> google.protobuf.BoolValue
++	48, // 60: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathNormalizationOptions.forwarding_transformation:type_name -> envoy.type.http.v3.PathTransformation
++	48, // 61: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathNormalizationOptions.http_filter_transformation:type_name -> envoy.type.http.v3.PathTransformation
+ 	21, // 62: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.fragments:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder
+ 	22, // 63: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.header_value_extractor:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor
+-	23, // 64: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.element:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.KvElement
+-	65, // [65:65] is the sub-list for method output_type
+-	65, // [65:65] is the sub-list for method input_type
+-	65, // [65:65] is the sub-list for extension type_name
+-	65, // [65:65] is the sub-list for extension extendee
+-	0,  // [0:65] is the sub-list for field type_name
++	23, // 64: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.host_value_extractor:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HostValueExtractor
++	24, // 65: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.local_port_value_extractor:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.LocalPortValueExtractor
++	25, // 66: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.element:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.KvElement
++	33, // 67: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HostValueExtractor.max_recompute_num:type_name -> google.protobuf.UInt32Value
++	68, // [68:68] is the sub-list for method output_type
++	68, // [68:68] is the sub-list for method input_type
++	68, // [68:68] is the sub-list for extension type_name
++	68, // [68:68] is the sub-list for extension extendee
++	0,  // [0:68] is the sub-list for field type_name
+ }
+ 
+ func init() {
+@@ -3625,6 +3793,30 @@
+ 			}
+ 		}
+ 		file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[18].Exporter = func(v interface{}, i int) interface{} {
++			switch v := v.(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor); i {
++			case 0:
++				return &v.state
++			case 1:
++				return &v.sizeCache
++			case 2:
++				return &v.unknownFields
++			default:
++				return nil
++			}
++		}
++		file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[19].Exporter = func(v interface{}, i int) interface{} {
++			switch v := v.(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor); i {
++			case 0:
++				return &v.state
++			case 1:
++				return &v.sizeCache
++			case 2:
++				return &v.unknownFields
++			default:
++				return nil
++			}
++		}
++		file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[20].Exporter = func(v interface{}, i int) interface{} {
+ 			switch v := v.(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement); i {
+ 			case 0:
+ 				return &v.state
+@@ -3653,6 +3845,8 @@
+ 	}
+ 	file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[16].OneofWrappers = []interface{}{
+ 		(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_)(nil),
++		(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor_)(nil),
++		(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor_)(nil),
+ 	}
+ 	file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[17].OneofWrappers = []interface{}{
+ 		(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_Index)(nil),
+@@ -3664,7 +3858,7 @@
+ 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+ 			RawDescriptor: file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_rawDesc,
+ 			NumEnums:      5,
+-			NumMessages:   19,
++			NumMessages:   21,
+ 			NumExtensions: 0,
+ 			NumServices:   0,
+ 		},
+diff -Naur go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.validate.go go-control-plane-new/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.validate.go
+--- go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.validate.go	2024-01-04 21:07:22.000000000 +0800
++++ go-control-plane-new/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.validate.go	2024-01-04 21:02:10.000000000 +0800
+@@ -1986,6 +1986,30 @@
+ 			}
+ 		}
+ 
++	case *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor_:
++
++		if v, ok := interface{}(m.GetHostValueExtractor()).(interface{ Validate() error }); ok {
++			if err := v.Validate(); err != nil {
++				return ScopedRoutes_ScopeKeyBuilder_FragmentBuilderValidationError{
++					field:  "HostValueExtractor",
++					reason: "embedded message failed validation",
++					cause:  err,
++				}
++			}
++		}
++
++	case *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor_:
++
++		if v, ok := interface{}(m.GetLocalPortValueExtractor()).(interface{ Validate() error }); ok {
++			if err := v.Validate(); err != nil {
++				return ScopedRoutes_ScopeKeyBuilder_FragmentBuilderValidationError{
++					field:  "LocalPortValueExtractor",
++					reason: "embedded message failed validation",
++					cause:  err,
++				}
++			}
++		}
++
+ 	default:
+ 		return ScopedRoutes_ScopeKeyBuilder_FragmentBuilderValidationError{
+ 			field:  "Type",
+@@ -2162,6 +2186,172 @@
+ } = ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractorValidationError{}
+ 
+ // Validate checks the field values on
++// ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor with the
++// rules defined in the proto definition for this message. If any rules are
++// violated, an error is returned.
++func (m *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor) Validate() error {
++	if m == nil {
++		return nil
++	}
++
++	if v, ok := interface{}(m.GetMaxRecomputeNum()).(interface{ Validate() error }); ok {
++		if err := v.Validate(); err != nil {
++			return ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError{
++				field:  "MaxRecomputeNum",
++				reason: "embedded message failed validation",
++				cause:  err,
++			}
++		}
++	}
++
++	return nil
++}
++
++// ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError
++// is the validation error returned by
++// ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor.Validate if
++// the designated constraints aren't met.
++type ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError struct {
++	field  string
++	reason string
++	cause  error
++	key    bool
++}
++
++// Field function returns field value.
++func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError) Field() string {
++	return e.field
++}
++
++// Reason function returns reason value.
++func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError) Reason() string {
++	return e.reason
++}
++
++// Cause function returns cause value.
++func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError) Cause() error {
++	return e.cause
++}
++
++// Key function returns key value.
++func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError) Key() bool {
++	return e.key
++}
++
++// ErrorName returns error name.
++func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError) ErrorName() string {
++	return "ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError"
++}
++
++// Error satisfies the builtin error interface
++func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError) Error() string {
++	cause := ""
++	if e.cause != nil {
++		cause = fmt.Sprintf(" | caused by: %v", e.cause)
++	}
++
++	key := ""
++	if e.key {
++		key = "key for "
++	}
++
++	return fmt.Sprintf(
++		"invalid %sScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor.%s: %s%s",
++		key,
++		e.field,
++		e.reason,
++		cause)
++}
++
++var _ error = ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError{}
++
++var _ interface {
++	Field() string
++	Reason() string
++	Key() bool
++	Cause() error
++	ErrorName() string
++} = ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError{}
++
++// Validate checks the field values on
++// ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor with
++// the rules defined in the proto definition for this message. If any rules
++// are violated, an error is returned.
++func (m *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor) Validate() error {
++	if m == nil {
++		return nil
++	}
++
++	return nil
++}
++
++// ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError
++// is the validation error returned by
++// ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor.Validate
++// if the designated constraints aren't met.
++type ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError struct {
++	field  string
++	reason string
++	cause  error
++	key    bool
++}
++
++// Field function returns field value.
++func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError) Field() string {
++	return e.field
++}
++
++// Reason function returns reason value.
++func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError) Reason() string {
++	return e.reason
++}
++
++// Cause function returns cause value.
++func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError) Cause() error {
++	return e.cause
++}
++
++// Key function returns key value.
++func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError) Key() bool {
++	return e.key
++}
++
++// ErrorName returns error name.
++func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError) ErrorName() string {
++	return "ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError"
++}
++
++// Error satisfies the builtin error interface
++func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError) Error() string {
++	cause := ""
++	if e.cause != nil {
++		cause = fmt.Sprintf(" | caused by: %v", e.cause)
++	}
++
++	key := ""
++	if e.key {
++		key = "key for "
++	}
++
++	return fmt.Sprintf(
++		"invalid %sScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor.%s: %s%s",
++		key,
++		e.field,
++		e.reason,
++		cause)
++}
++
++var _ error = ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError{}
++
++var _ interface {
++	Field() string
++	Reason() string
++	Key() bool
++	Cause() error
++	ErrorName() string
++} = ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError{}
++
++// Validate checks the field values on
+ // ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement
+ // with the rules defined in the proto definition for this message. If any
+ // rules are violated, an error is returned.

go.mod

@@ -10,17 +10,22 @@ replace github.com/chzyer/logex => github.com/chzyer/logex v1.1.11-0.20170329064
 // Avoid pulling in incompatible libraries
 replace github.com/docker/distribution => github.com/docker/distribution v0.0.0-20191216044856-a8371794149d
 
-replace github.com/docker/docker => github.com/moby/moby v17.12.0-ce-rc1.0.20200618181300-9dc6525e6118+incompatible
-
 // Client-go does not handle different versions of mergo due to some breaking changes - use the matching version
 replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.5
 
 require (
-	github.com/agiledragon/gomonkey/v2 v2.9.0
+	github.com/AlecAivazis/survey/v2 v2.3.6
+	github.com/agiledragon/gomonkey/v2 v2.11.0
 	github.com/avast/retry-go/v4 v4.3.4
+	github.com/compose-spec/compose-go v1.8.2
+	github.com/docker/cli v20.10.20+incompatible
+	github.com/docker/compose/v2 v2.0.0-00010101000000-000000000000
+	github.com/docker/docker v20.10.20+incompatible
 	github.com/dubbogo/go-zookeeper v1.0.4-0.20211212162352-f9d2183d89d5
 	github.com/dubbogo/gost v1.13.1
 	github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1
+	github.com/fatih/color v1.14.1
+	github.com/fatih/structtag v1.2.0
 	github.com/gogo/protobuf v1.3.2
 	github.com/golang/protobuf v1.5.2
 	github.com/google/go-cmp v0.5.9
@@ -28,32 +33,38 @@ require (
 	github.com/hashicorp/consul/api v1.23.0
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hudl/fargo v1.4.0
+	github.com/iancoleman/orderedmap v0.3.0
+	github.com/mitchellh/go-homedir v1.1.0
+	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nacos-group/nacos-sdk-go v1.0.8
 	github.com/nacos-group/nacos-sdk-go/v2 v2.1.2
 	github.com/pkg/errors v0.9.1
-	github.com/spf13/cobra v1.2.1
+	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
+	github.com/spf13/cobra v1.6.1
 	github.com/spf13/pflag v1.0.5
+	github.com/spf13/viper v1.8.1
 	github.com/stretchr/testify v1.8.3
-	go.uber.org/atomic v1.9.0
+	go.uber.org/atomic v1.11.0
 	google.golang.org/grpc v1.48.0
-	google.golang.org/protobuf v1.28.0
+	google.golang.org/protobuf v1.28.1
 	gopkg.in/yaml.v2 v2.4.0
+	gopkg.in/yaml.v3 v3.0.1
 	istio.io/api v0.0.0-20211122181927-8da52c66ff23
-	istio.io/client-go v1.12.0-rc.1.0.20211118171212-b744b6f111e4
+	istio.io/client-go v1.12.0-rc.1.0.20211118171212-b744b6f111e4 // indirect
 	istio.io/gogo-genproto v0.0.0-20211115195057-0e34bdd2be67
 	istio.io/istio v0.0.0
 	istio.io/pkg v0.0.0-20211115195056-e379f31ee62a
-	k8s.io/api v0.22.2
-	k8s.io/apimachinery v0.22.2
+	k8s.io/api v0.24.1
+	k8s.io/apimachinery v0.24.1
 	k8s.io/cli-runtime v0.22.2
-	k8s.io/client-go v0.22.2
+	k8s.io/client-go v0.24.1
 	k8s.io/kubectl v0.22.2
 	sigs.k8s.io/controller-runtime v0.10.2
 	sigs.k8s.io/yaml v1.3.0
 )
 
 require (
-	cloud.google.com/go v0.97.0 // indirect
+	cloud.google.com/go v0.98.0 // indirect
 	cloud.google.com/go/logging v1.4.2 // indirect
 	contrib.go.opencensus.io/exporter/prometheus v0.4.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
@@ -63,51 +74,69 @@ require (
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/BurntSushi/toml v0.3.1 // indirect
 	github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.1.1 // indirect
 	github.com/Masterminds/sprig/v3 v3.2.2 // indirect
-	github.com/Microsoft/go-winio v0.5.0 // indirect
-	github.com/Microsoft/hcsshim v0.8.21 // indirect
+	github.com/Masterminds/squirrel v1.5.0 // indirect
+	github.com/Microsoft/go-winio v0.5.2 // indirect
+	github.com/Microsoft/hcsshim v0.9.6 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
+	github.com/RageCage64/multilinediff v0.2.0 // indirect
 	github.com/aliyun/alibaba-cloud-sdk-go v1.61.1704 // indirect
 	github.com/armon/go-metrics v0.4.1 // indirect
-	github.com/aws/aws-sdk-go v1.41.7 // indirect
+	github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
+	github.com/aws/aws-sdk-go v1.43.16 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/bmatcuk/doublestar/v4 v4.6.0 // indirect
+	github.com/braydonk/yaml v0.7.0 // indirect
+	github.com/buger/goterm v1.0.4 // indirect
 	github.com/buger/jsonparser v1.1.1 // indirect
-	github.com/cenkalti/backoff/v4 v4.1.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.1.2 // indirect
 	github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 // indirect
 	github.com/clbanning/mxj v1.8.4 // indirect
+	github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4 // indirect
 	github.com/cncf/xds/go v0.0.0-20220520190051-1e77728a1eaa // indirect
-	github.com/containerd/continuity v0.1.0 // indirect
+	github.com/compose-spec/godotenv v1.1.1 // indirect
+	github.com/containerd/cgroups v1.0.4 // indirect
+	github.com/containerd/console v1.0.3 // indirect
+	github.com/containerd/containerd v1.6.14 // indirect
+	github.com/containerd/continuity v0.3.0 // indirect
+	github.com/containerd/typeurl v1.0.2 // indirect
 	github.com/coreos/go-oidc/v3 v3.1.0 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.3 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v3 v3.0.0 // indirect
-	github.com/docker/cli v20.10.7+incompatible // indirect
-	github.com/docker/distribution v2.7.1+incompatible // indirect
-	github.com/docker/docker v20.10.7+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.6.3 // indirect
-	github.com/docker/go-units v0.4.0 // indirect
+	github.com/distribution/distribution/v3 v3.0.0-20221201083218-92d136e113cf // indirect
+	github.com/docker/buildx v0.9.1 // indirect
+	github.com/docker/distribution v2.8.1+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.7.0 // indirect
+	github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c // indirect
+	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/docker/go-metrics v0.0.1 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
 	github.com/envoyproxy/protoc-gen-validate v0.1.0 // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
-	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
-	github.com/fatih/color v1.14.1 // indirect
 	github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8 // indirect
 	github.com/fsnotify/fsnotify v1.5.1 // indirect
-	github.com/fvbommel/sortorder v1.0.1 // indirect
+	github.com/fvbommel/sortorder v1.0.2 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-errors/errors v1.0.1 // indirect
 	github.com/go-kit/log v0.1.0 // indirect
 	github.com/go-logfmt/logfmt v0.5.0 // indirect
-	github.com/go-logr/logr v0.4.0 // indirect
+	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.19.5 // indirect
-	github.com/go-openapi/swag v0.19.14 // indirect
+	github.com/go-openapi/swag v0.19.15 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/goccy/go-json v0.4.8 // indirect
+	github.com/gofrs/flock v0.8.0 // indirect
+	github.com/gogo/googleapis v1.4.1 // indirect
 	github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/mock v1.6.0 // indirect
@@ -118,23 +147,36 @@ require (
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/googleapis/gax-go/v2 v2.1.1 // indirect
 	github.com/googleapis/gnostic v0.5.5 // indirect
+	github.com/gorilla/mux v1.8.0 // indirect
+	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
+	github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-hclog v1.5.0 // indirect
 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
-	github.com/hashicorp/go-version v1.3.0 // indirect
+	github.com/hashicorp/go-version v1.6.0 // indirect
 	github.com/hashicorp/golang-lru v0.5.4 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hashicorp/serf v0.10.1 // indirect
 	github.com/huandu/xstrings v1.3.2 // indirect
-	github.com/imdario/mergo v0.3.12 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/imdario/mergo v0.3.13 // indirect
+	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/jaguilar/vt100 v0.0.0-20150826170717-2703a27b14ea // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/jmoiron/sqlx v1.3.1 // indirect
 	github.com/jonboulle/clockwork v0.2.2 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
+	github.com/klauspost/compress v1.15.9 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
+	github.com/kr/pretty v0.3.0 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
+	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/lestrrat-go/backoff/v2 v2.0.7 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.0 // indirect
 	github.com/lestrrat-go/httpcc v1.0.0 // indirect
@@ -143,28 +185,42 @@ require (
 	github.com/lestrrat-go/option v1.0.0 // indirect
 	github.com/lestrrat/go-file-rotatelogs v0.0.0-20180223000712-d3151e2a480f // indirect
 	github.com/lestrrat/go-strftime v0.0.0-20180220042222-ba3bf9c1d042 // indirect
+	github.com/lib/pq v1.10.0 // indirect
+	github.com/libdns/libdns v0.2.1 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
-	github.com/mailru/easyjson v0.7.6 // indirect
+	github.com/magiconair/properties v1.8.5 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.17 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
-	github.com/miekg/dns v1.1.43 // indirect
+	github.com/mattn/go-runewidth v0.0.12 // indirect
+	github.com/mattn/go-shellwords v1.0.12 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect
+	github.com/miekg/dns v1.1.55 // indirect
+	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.0 // indirect
-	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/moby/buildkit v0.10.4 // indirect
+	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
-	github.com/moby/term v0.0.0-20210610120745-9d4ed1856297 // indirect
+	github.com/moby/sys/mount v0.3.0 // indirect
+	github.com/moby/sys/mountinfo v0.6.0 // indirect
+	github.com/moby/sys/signal v0.7.0 // indirect
+	github.com/moby/sys/symlink v0.2.0 // indirect
+	github.com/moby/term v0.0.0-20221128092401-c43b287e0e0f // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
+	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/natefinch/lumberjack v2.0.0+incompatible // indirect
 	github.com/op/go-logging v0.0.0-20160315200505-970db520ece7 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.0.1 // indirect
-	github.com/opencontainers/runc v1.0.2 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc2 // indirect
+	github.com/opencontainers/runc v1.1.3 // indirect
 	github.com/openshift/api v0.0.0-20200713203337-b2494ecb17dd // indirect
+	github.com/opentracing/opentracing-go v1.2.0 // indirect
+	github.com/pelletier/go-toml v1.9.4 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.12.2 // indirect
@@ -172,46 +228,62 @@ require (
 	github.com/prometheus/common v0.32.1 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
 	github.com/prometheus/statsd_exporter v0.21.0 // indirect
-	github.com/russross/blackfriday v1.5.2 // indirect
+	github.com/rivo/uniseg v0.2.0 // indirect
+	github.com/rogpeppe/go-internal v1.6.1 // indirect
+	github.com/rubenv/sql-migrate v0.0.0-20210614095031-55d5740dbbcc // indirect
+	github.com/russross/blackfriday v1.6.0 // indirect
+	github.com/sanathkr/go-yaml v0.0.0-20170819195128-ed9d249f429b // indirect
 	github.com/shopspring/decimal v1.2.0 // indirect
-	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/spaolacci/murmur3 v1.1.0 // indirect
+	github.com/spf13/afero v1.2.2 // indirect
 	github.com/spf13/cast v1.3.1 // indirect
+	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/theupdateframework/notary v0.7.0 // indirect
+	github.com/tidwall/match v1.1.1 // indirect
+	github.com/tidwall/pretty v1.2.0 // indirect
+	github.com/tonistiigi/fsutil v0.0.0-20220930225714-4638ad635be5 // indirect
+	github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea // indirect
 	github.com/toolkits/concurrent v0.0.0-20150624120057-a4371d70e3e3 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca // indirect
 	github.com/yl2chen/cidranger v1.0.2 // indirect
+	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.opencensus.io v0.23.0 // indirect
-	go.opentelemetry.io/proto/otlp v0.7.0 // indirect
+	go.opentelemetry.io/proto/otlp v0.12.0 // indirect
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
-	go.uber.org/multierr v1.7.0 // indirect
-	go.uber.org/zap v1.21.0 // indirect
-	golang.org/x/crypto v0.11.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.24.0 // indirect
+	golang.org/x/crypto v0.17.0 // indirect
 	golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect
-	golang.org/x/net v0.12.0 // indirect
-	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
-	golang.org/x/sync v0.2.0 // indirect
-	golang.org/x/sys v0.10.0 // indirect
-	golang.org/x/term v0.10.0 // indirect
-	golang.org/x/text v0.11.0 // indirect
+	golang.org/x/mod v0.11.0 // indirect
+	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/oauth2 v0.6.0 // indirect
+	golang.org/x/sync v0.3.0 // indirect
+	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/term v0.15.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
+	golang.org/x/tools v0.10.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	gomodules.xyz/jsonpatch/v3 v3.0.1 // indirect
 	gomodules.xyz/orderedmap v0.1.0 // indirect
-	google.golang.org/api v0.59.0 // indirect
+	google.golang.org/api v0.61.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20211020151524-b7c3a969101a // indirect
+	google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21 // indirect
 	gopkg.in/gcfg.v1 v1.2.3 // indirect
+	gopkg.in/gorp.v1 v1.7.2 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.66.2 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.22.2 // indirect
-	k8s.io/component-base v0.22.2 // indirect
-	k8s.io/klog/v2 v2.10.0 // indirect
-	k8s.io/kube-openapi v0.0.0-20211020163157-7327e2aaee2b // indirect
+	k8s.io/apiserver v0.22.5 // indirect
+	k8s.io/kube-openapi v0.0.0-20211109043538-20434351676c // indirect
 	k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect
+	oras.land/oras-go v0.4.0 // indirect
 	sigs.k8s.io/gateway-api v0.4.0 // indirect
 	sigs.k8s.io/kustomize/api v0.8.11 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.11.0 // indirect
@@ -230,3 +302,66 @@ replace istio.io/pkg => ./external/pkg
 replace istio.io/client-go => ./external/client-go
 
 replace istio.io/istio => ./external/istio
+
+replace github.com/caddyserver/certmagic => github.com/2456868764/certmagic v1.0.1
+
+require (
+	github.com/caddyserver/certmagic v0.20.0
+	github.com/evanphx/json-patch/v5 v5.6.0
+	github.com/google/yamlfmt v0.10.0
+	github.com/kylelemons/godebug v1.1.0
+	github.com/mholt/acmez v1.2.0
+	github.com/tidwall/gjson v1.17.0
+	helm.sh/helm/v3 v3.7.1
+	k8s.io/apiextensions-apiserver v0.25.4
+	k8s.io/component-base v0.22.5
+	k8s.io/klog/v2 v2.60.1
+	knative.dev/networking v0.0.0-20220302134042-e8b2eb995165
+	knative.dev/pkg v0.0.0-20220301181942-2fdd5f232e77
+)
+
+replace (
+	github.com/Sirupsen/logrus => github.com/sirupsen/logrus v1.9.3
+	github.com/go-logr/logr => github.com/go-logr/logr v0.4.0
+
+	k8s.io/api => k8s.io/api v0.22.2
+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.22.2
+	k8s.io/apimachinery => k8s.io/apimachinery v0.22.2
+	k8s.io/cli-runtime => k8s.io/cli-runtime v0.22.2
+	k8s.io/client-go => k8s.io/client-go v0.22.2
+	k8s.io/code-generator => k8s.io/code-generator v0.22.2
+	k8s.io/component-base => k8s.io/component-base v0.22.2
+	k8s.io/component-helpers => k8s.io/component-helpers v0.22.2
+	k8s.io/klog/v2 => k8s.io/klog/v2 v2.10.0
+	k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e
+	k8s.io/kubectl => k8s.io/kubectl v0.22.2
+	k8s.io/metrics => k8s.io/metrics v0.22.2
+
+	k8s.io/utils => k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect
+	sigs.k8s.io/kustomize/api => sigs.k8s.io/kustomize/api v0.8.11 // indirect
+	sigs.k8s.io/kustomize/kyaml => sigs.k8s.io/kustomize/kyaml v0.11.0 // indirect
+)
+
+// for pkg/cmd/hgctl/docker/compose.go
+// TODO(WeixinX): Wait for the dependency library to upgrade, such as github.com/go-logr/logr from v0.4.0 to v1.2+
+// replace (
+// github.com/compose-spec/compose-go => github.com/compose-spec/compose-go v1.8.2
+// github.com/cucumber/godog => github.com/laurazard/godog v0.0.0-20220922095256-4c4b17abdae7
+// github.com/docker/buildx => github.com/docker/buildx v0.9.1
+// github.com/docker/cli => github.com/docker/cli v20.10.3-0.20221013132413-1d6c6e2367e2+incompatible
+// github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.15.1
+// github.com/docker/docker => github.com/moby/moby v20.10.3-0.20221021173910-5aac513617f0+incompatible
+// github.com/moby/buildkit => github.com/moby/buildkit v0.10.1-0.20220816171719-55ba9d14360a
+// )
+
+replace (
+	github.com/compose-spec/compose-go => github.com/compose-spec/compose-go v1.0.8
+	github.com/docker/buildx => github.com/docker/buildx v0.5.2-0.20210422185057-908a856079fc
+	github.com/docker/cli => github.com/docker/cli v20.10.7+incompatible
+	github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.2.0
+	github.com/docker/docker => github.com/docker/docker v20.10.3+incompatible
+	github.com/jaguilar/vt100 => github.com/tonistiigi/vt100 v0.0.0-20190402012908-ad4c4a574305
+	github.com/moby/buildkit => github.com/moby/buildkit v0.8.2-0.20210401015549-df49b648c8bf
+	github.com/tonistiigi/fsutil => github.com/tonistiigi/fsutil v0.0.0-20201103201449-0834f99b7b85
+	sigs.k8s.io/gateway-api => github.com/johnlanni/gateway-api v0.0.0-20231031082632-72137664e7c7
+)

helm/core/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.1.2
+appVersion: 1.4.0
 description: Helm chart for deploying higress gateways
 icon: https://higress.io/img/higress_logo_small.png
 home: http://higress.io/
@@ -10,4 +10,4 @@ name: higress-core
 sources:
 - http://github.com/alibaba/higress
 type: application
-version: 1.1.2
+version: 1.4.0

helm/core/crds/customresourcedefinitions.gen.yaml

@@ -154,6 +154,11 @@ spec:
                           type: array
                         httpPath:
                           type: string
+                        paramFromEntireBody:
+                          properties:
+                            paramType:
+                              type: string
+                          type: object
                         params:
                           items:
                             properties:

helm/core/templates/configmap.yaml

@@ -3,9 +3,13 @@
     # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
     trustDomain: "cluster.local"
     accessLogEncoding: TEXT
+    {{- if .Values.global.o11y.enabled }}
+    accessLogFile: "/var/log/proxy/access.log"
+    {{- else }}
     accessLogFile: "/dev/stdout"
+    {{- end }}
     ingressControllerMode: "OFF"
-    accessLogFormat: '{"authority":"%REQ(:AUTHORITY)%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","duration":"%DURATION%","istio_policy_status":"%DYNAMIC_METADATA(istio.mixer:status)%","method":"%REQ(:METHOD)%","path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","request_id":"%REQ(X-REQUEST-ID)%","requested_server_name":"%REQUESTED_SERVER_NAME%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","route_name":"%ROUTE_NAME%","start_time":"%START_TIME%","trace_id":"%REQ(X-B3-TRACEID)%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_host":"%UPSTREAM_HOST%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","user_agent":"%REQ(USER-AGENT)%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%"}
+    accessLogFormat: '{"authority":"%REQ(X-ENVOY-ORIGINAL-HOST?:AUTHORITY)%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","duration":"%DURATION%","istio_policy_status":"%DYNAMIC_METADATA(istio.mixer:status)%","method":"%REQ(:METHOD)%","path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","request_id":"%REQ(X-REQUEST-ID)%","requested_server_name":"%REQUESTED_SERVER_NAME%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","route_name":"%ROUTE_NAME%","start_time":"%START_TIME%","trace_id":"%REQ(X-B3-TRACEID)%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_host":"%UPSTREAM_HOST%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","user_agent":"%REQ(USER-AGENT)%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%"}
 
     '
     dnsRefreshRate: 200s
@@ -24,7 +28,7 @@
 
     configSources:
       - address: "xds://127.0.0.1:15051"
-    {{- if .Values.global.enableIstioAPI }}
+    {{- if or .Values.global.enableIstioAPI .Values.global.enableGatewayAPI }}
       - address: "k8s://"
     {{- end }}
 

helm/core/templates/controller-clusterrole.yaml

@@ -117,3 +117,10 @@ rules:
   - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
     verbs: ["get", "watch", "list"]
     resources: ["*"]
+  # knative KIngress configuration
+  - apiGroups: ["networking.internal.knative.dev"]
+    verbs: ["get","list","watch"]
+    resources: ["ingresses"]
+  - apiGroups: ["networking.internal.knative.dev"]
+    resources: ["ingresses/status"]
+    verbs: ["get","patch","update"]

helm/core/templates/controller-deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "controller.name" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "controller.labels" . | nindent 4 }}
 spec:
@@ -30,11 +31,7 @@ spec:
       containers:
 {{- if not .Values.global.enableHigressIstio }}
         - name: discovery
-{{- if contains "/" .Values.pilot.image }}
-          image: "{{ .Values.pilot.image }}"
-{{- else }}
           image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Chart.AppVersion }}"
-{{- end }}
 {{- if .Values.global.imagePullPolicy }}
           imagePullPolicy: {{ .Values.global.imagePullPolicy }}
 {{- end }}
@@ -73,8 +70,22 @@ spec:
             periodSeconds: 3
             timeoutSeconds: 5
           env:
+          - name: PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS
+            value: "false"
+          - name: HIGRESS_SYSTEM_NS
+            value: "{{ .Release.Namespace }}"
+          - name: DEFAULT_UPSTREAM_CONCURRENCY_THRESHOLD
+            value: "{{ .Values.global.defaultUpstreamConcurrencyThreshold }}"
+          - name: ISTIO_GPRC_MAXRECVMSGSIZE
+            value: "{{ .Values.global.xdsMaxRecvMsgSize }}"
+          - name: ENBALE_SCOPED_RDS
+            value: "{{ .Values.global.enableSRDS }}"
+          - name: ON_DEMAND_RDS
+            value: "{{ .Values.global.onDemandRDS }}"
+          - name: HOST_RDS_MERGE_SUBSET
+            value: "{{ .Values.global.hostRDSMergeSubset }}"
           - name: PILOT_FILTER_GATEWAY_CLUSTER_CONFIG
-            value: "true"
+            value: "{{ .Values.global.onlyPushRouteCluster }}"
           - name: HIGRESS_CONTROLLER_SVC
             value: "127.0.0.1"
           - name: HIGRESS_CONTROLLER_PORT
@@ -126,10 +137,19 @@ spec:
             value: "{{ .Values.global.istiod.enableAnalysis }}"
           - name: CLUSTER_ID
             value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
+          # HIGRESS_ENABLE_ISTIO_API is only used to restart the controller pod after the config change
           {{- if .Values.global.enableIstioAPI }}
           - name: HIGRESS_ENABLE_ISTIO_API
             value: "true"
           {{- end }}
+          {{- if .Values.global.enableGatewayAPI }}
+          - name: PILOT_ENABLE_GATEWAY_API
+            value: "true"
+          - name: PILOT_ENABLE_GATEWAY_API_STATUS
+            value: "true"
+          - name: PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER
+            value: "false"
+          {{- end }}
           {{- if not .Values.global.enableHigressIstio }}
           - name: CUSTOM_CA_CERT_NAME
             value: "higress-ca-root-cert"
@@ -174,11 +194,13 @@ spec:
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.controller.securityContext | nindent 12 }}
-          image: "{{ .Values.hub }}/{{ .Values.controller.image }}:{{ .Values.controller.tag | default .Chart.AppVersion }}"
+          image: "{{ .Values.controller.hub | default .Values.global.hub }}/{{ .Values.controller.image | default "higress" }}:{{ .Values.controller.tag | default .Chart.AppVersion }}"
           args:
           - "serve"
           - --gatewaySelectorKey=higress
           - --gatewaySelectorValue={{ .Release.Namespace }}-{{ include "gateway.name" . }}
+          - --gatewayHttpPort={{ .Values.gateway.httpPort }}
+          - --gatewayHttpsPort={{ .Values.gateway.httpsPort }}
           {{- if not .Values.global.enableStatus }}
           - --enableStatus={{ .Values.global.enableStatus }}
           {{- end }}
@@ -186,6 +208,8 @@ spec:
           {{- if .Values.global.watchNamespace }}
           - --watchNamespace={{ .Values.global.watchNamespace }}
           {{- end }}
+          - --enableAutomaticHttps={{ .Values.controller.automaticHttps.enabled }}
+          - --automaticHttpsEmail={{ .Values.controller.automaticHttps.email }}
           env:
           - name: POD_NAME
             valueFrom:

helm/core/templates/controller-service.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "controller.name" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "controller.labels" . | nindent 4 }}
 spec:

helm/core/templates/deployment.yaml

@@ -1,3 +1,4 @@
+{{- $o11y := .Values.global.o11y  }}
 {{- $unprivilegedPortSupported := true }}
 {{- range $index, $node := (lookup "v1" "Node" "default" "").items }}
     {{- $kernelVersion := $node.status.nodeInfo.kernelVersion }}
@@ -67,8 +68,42 @@ spec:
           value: "0"
       {{- end }}
       containers:
+        {{- if $o11y.enabled }}
+          {{- $config := $o11y.promtail }}
+        - name: promtail
+          image: {{ $config.image.repository }}:{{ $config.image.tag }}
+          imagePullPolicy: IfNotPresent
+          args:
+            - -config.file=/etc/promtail/promtail.yaml
+          env:
+            - name: 'HOSTNAME'
+              valueFrom:
+                fieldRef:
+                  fieldPath: 'spec.nodeName'
+          ports:
+            - containerPort: {{ $config.port }}
+              name: http-metrics
+              protocol: TCP
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /ready
+              port: {{ $config.port }}
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          volumeMounts:
+            - name: promtail-config
+              mountPath: "/etc/promtail"
+            - name: log
+              mountPath: /var/log/proxy
+            - name: tmp
+              mountPath: /tmp
+        {{- end }}
         - name: higress-gateway
-          image: "{{ .Values.hub }}/{{ .Values.gateway.image }}:{{ .Values.gateway.tag | default .Chart.AppVersion }}"
+          image: "{{ .Values.gateway.hub | default .Values.global.hub }}/{{ .Values.gateway.image | default "gateway" }}:{{ .Values.gateway.tag | default .Chart.AppVersion }}"
           args:
             - proxy
             - router
@@ -88,7 +123,10 @@ spec:
               - ALL
             allowPrivilegeEscalation: false
             privileged: false
+          # When enabling lite metrics, the configuration template files need to be replaced.
+          {{- if not .Values.global.liteMetrics }}
             readOnlyRootFilesystem: true
+          {{- end }}
             runAsUser: 1337
             runAsGroup: 1337
             runAsNonRoot: true
@@ -102,7 +140,6 @@ spec:
             runAsGroup: 1337
             runAsNonRoot: false
             allowPrivilegeEscalation: true
-            readOnlyRootFilesystem: true
           {{- end }}
           env:
           - name: NODE_NAME
@@ -134,6 +171,8 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: spec.serviceAccountName
+          - name: PILOT_XDS_SEND_TIMEOUT
+            value: 60s
           - name: PROXY_XDS_VIA_AGENT
             value: "true"
           - name: ENABLE_INGRESS_GATEWAY_SDS
@@ -146,6 +185,10 @@ spec:
             value: "{{ $.Values.clusterName | default `Kubernetes` }}"
           - name: INSTANCE_NAME
             value: "higress-gateway"
+          {{- if .Values.global.liteMetrics }}
+          - name: LITE_METRICS
+            value: "on"
+          {{- end }}
           {{- if include "skywalking.enabled" . }}
           - name: ISTIO_BOOTSTRAP_OVERRIDE
             value: /etc/istio/custom-bootstrap/custom_bootstrap.json
@@ -163,25 +206,25 @@ spec:
             protocol: TCP
             name: http-envoy-prom
           {{- if or .Values.global.local .Values.global.kind }}
-          - containerPort: 80
-            hostPort: 80
+          - containerPort: {{ .Values.gateway.httpPort }}
+            hostPort:  {{ .Values.gateway.httpPort }}
             name: http
             protocol: TCP
-          - containerPort: 443
-            hostPort: 443
+          - containerPort:  {{ .Values.gateway.httpsPort }}
+            hostPort:  {{ .Values.gateway.httpsPort }}
             name: https
             protocol: TCP
           {{- end }}
           readinessProbe:
-            failureThreshold: 30
+            failureThreshold: {{ .Values.gateway.readinessFailureThreshold }}
             httpGet:
               path: /healthz/ready
               port: 15021
               scheme: HTTP
-            initialDelaySeconds: 1
-            periodSeconds: 2
-            successThreshold: 1
-            timeoutSeconds: 3
+            initialDelaySeconds: {{ .Values.gateway.readinessInitialDelaySeconds }}
+            periodSeconds: {{ .Values.gateway.readinessPeriodSeconds }}
+            successThreshold: {{ .Values.gateway.readinessSuccessThreshold }}
+            timeoutSeconds: {{ .Values.gateway.readinessTimeoutSeconds }}
           {{- if not (or .Values.global.local .Values.global.kind) }}
           resources:
             {{- toYaml .Values.gateway.resources | nindent 12 }}
@@ -210,6 +253,10 @@ spec:
           - mountPath: /opt/plugins
             name: local-wasmplugins-volume
           {{- end }}
+          {{- if $o11y.enabled }}
+          - mountPath: /var/log/proxy
+            name: log
+          {{- end }}
       {{- if .Values.gateway.hostNetwork }}
       hostNetwork: {{ .Values.gateway.hostNetwork }}
       dnsPolicy: ClusterFirstWithHostNet
@@ -256,6 +303,15 @@ spec:
         emptyDir: {}
       - name: proxy-socket
         emptyDir: {}
+      {{- if $o11y.enabled }}
+      - name: log
+        emptyDir: {}
+      - name: tmp
+        emptyDir: {}
+      - name: promtail-config
+        configMap:
+          name: higress-promtail
+      {{- end }}
       - name: podinfo
         downwardAPI:
           defaultMode: 420

helm/core/templates/promtail.yaml

@@ -0,0 +1,64 @@
+{{- $o11y := .Values.global.o11y  }}
+{{- if $o11y.enabled }}
+{{- $config := $o11y.promtail }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: higress-promtail
+  namespace: {{ .Release.Namespace }}
+data:
+  promtail.yaml: |
+    server:
+      log_level: info
+      http_listen_port: {{ $config.port }}
+
+    clients:
+    - url: http://higress-console-loki.{{ .Release.Namespace }}:3100/loki/api/v1/push
+
+    positions:
+      filename: /tmp/promtail-positions.yaml
+    target_config:
+      sync_period: 10s
+    scrape_configs:
+    - job_name: access-logs
+      static_configs:
+      - targets:
+        - localhost
+        labels:
+          __path__: /var/log/proxy/access.log
+      pipeline_stages:
+      - json:
+          expressions:
+            authority:
+            method:
+            path:
+            protocol:
+            request_id:
+            response_code:
+            response_flags:
+            route_name:
+            trace_id:
+            upstream_cluster:
+            upstream_host:
+            upstream_transport_failure_reason:
+            user_agent:
+            x_forwarded_for:
+      - labels:
+          authority:
+          method:
+          path:
+          protocol:
+          request_id:
+          response_code:
+          response_flags:
+          route_name:
+          trace_id:
+          upstream_cluster:
+          upstream_host:
+          upstream_transport_failure_reason:
+          user_agent:
+          x_forwarded_for:
+      - timestamp:
+          source: timestamp
+          format: RFC3339Nano
+{{- end }}

helm/core/values.yaml

@@ -1,5 +1,12 @@
 revision: ""
 global:
+  liteMetrics: false
+  xdsMaxRecvMsgSize: "104857600"
+  defaultUpstreamConcurrencyThreshold: 10000
+  enableSRDS: true
+  onDemandRDS: false
+  hostRDSMergeSubset: false
+  onlyPushRouteCluster: true
   # IngressClass filters which ingress resources the higress controller watches.
   # The default ingress class is higress.
   # There are some special cases for special ingress class.
@@ -9,7 +16,7 @@ global:
   # resources in the k8s cluster.
   ingressClass: "higress"
   watchNamespace: ""
-  disableAlpnH2: true
+  disableAlpnH2: false
   enableStatus: true
   # whether to use autoscaling/v2 template for HPA settings
   # for internal usage only, not to be configured by users.
@@ -17,6 +24,7 @@ global:
   local: false # When deploying to a local cluster (e.g.: kind cluster), set this to true.
   kind: false # Deprecated. Please use "global.local" instead. Will be removed later.
   enableIstioAPI: false
+  enableGatewayAPI: false
   # Deprecated
   enableHigressIstio: false
   # Used to locate istiod.
@@ -146,12 +154,18 @@ global:
     # The number of successive failed probes before indicating readiness failure.
     readinessFailureThreshold: 30
 
+    # The number of successive successed probes before indicating readiness success.
+    readinessSuccessThreshold: 30
+
     # The initial delay for readiness probes in seconds.
     readinessInitialDelaySeconds: 1
 
     # The period between readiness probes.
     readinessPeriodSeconds: 2
 
+    # The readiness timeout seconds
+    readinessTimeoutSeconds: 3
+
     # Resources for the sidecar.
     resources:
       requests:
@@ -324,6 +338,20 @@ global:
   # Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source.
   useMCP: false
 
+  # Observability (o11y) configurations
+  o11y:
+    enabled: false
+    promtail:
+      image:
+        repository: grafana/promtail
+        tag: 2.9.4
+      port: 3101
+      resources:
+        limits:
+          cpu: 500m
+          memory: 2Gi
+      securityContext: {}
+
   # The name of the CA for workload certificates.
   # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
   # will be used as the certificates for workloads.
@@ -367,6 +395,23 @@ gateway:
   name: "higress-gateway"
   replicas: 2
   image: gateway
+
+  # The number of successive failed probes before indicating readiness failure.
+  readinessFailureThreshold: 30
+
+  # The number of successive successed probes before indicating readiness success.
+  readinessSuccessThreshold: 1
+
+  # The initial delay for readiness probes in seconds.
+  readinessInitialDelaySeconds: 1
+
+  # The period between readiness probes.
+  readinessPeriodSeconds: 2
+
+  # The readiness timeout seconds
+  readinessTimeoutSeconds: 3
+
+  hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
   tag: ""
   # revision declares which revision this gateway is a part of
   revision: ""
@@ -387,7 +432,8 @@ gateway:
 
   # Pod environment variables
   env: {}
-
+  httpPort: 80
+  httpsPort: 443
   hostNetwork: false
 
   # Labels to apply to all resources
@@ -455,6 +501,8 @@ controller:
   name: "higress-controller"
   replicas: 1
   image: higress
+
+  hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
   tag: ""
   env: {}
 
@@ -496,6 +544,12 @@ controller:
       "port": 8888,
       "targetPort": 8888,
     },
+    {
+      "name": "http-solver",
+      "protocol": "TCP",
+      "port": 8889,
+      "targetPort": 8889,
+    },
     {
       "name": "grpc",
       "protocol": "TCP",
@@ -534,6 +588,9 @@ controller:
     minReplicas: 1
     maxReplicas: 5
     targetCPUUtilizationPercentage: 80
+  automaticHttps:
+    enabled: false
+    email: ""
   
 ## Discovery Settings
 pilot:

helm/higress/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: higress-core
   repository: file://../core
-  version: 1.1.2
+  version: 1.4.0
 - name: higress-console
   repository: https://higress.io/helm-charts/
-  version: 1.1.2
-digest: sha256:8fc099c4ad77bcdc4b9dde2ef14f89b2159b6fdcc49a3dc7e1cccb01a7ed99b9
-generated: "2023-09-19T21:46:20.2567789+08:00"
+  version: 1.4.0
+digest: sha256:bf4c58ac28d4691907eab44a13eee398fc05ade95cdae07cb91d7e20ce4ba382
+generated: "2024-05-29T21:18:32.791995+08:00"

helm/higress/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.1.2
+appVersion: 1.4.0
 description: Helm chart for deploying Higress gateways
 icon: https://higress.io/img/higress_logo_small.png
 home: http://higress.io/
@@ -12,9 +12,9 @@ sources:
 dependencies:
 - name: higress-core
   repository: "file://../core"
-  version: 1.1.2
+  version: 1.4.0
 - name: higress-console
   repository: "https://higress.io/helm-charts/"
-  version: 1.1.2
+  version: 1.4.0
 type: application
-version: 1.1.2
+version: 1.4.0

helm/higress/README.md

@@ -40,6 +40,7 @@ The command removes all the Kubernetes components associated with the chart and
 | global.disableAlpnH2 | Whether to disable HTTP/2 in ALPN | true |
 | global.enableStatus | If `true`, Higress Controller will update the `status` field of Ingress resources.<br />When migrating from Nginx Ingress, in order to avoid `status` field of Ingress objects being overwritten, this parameter needs to be set to false, so Higress won't write the entry IP to the `status` field of the corresponding Ingress object. | true |
 | global.enableIstioAPI | If `true`, Higress Controller will monitor istio resources as well | false |
+| global.enableGatewayAPI | If `true`, Higress Controller will monitor Gateway API resources as well | false |
 | global.istioNamespace | The namespace istio is installed to | istio-system |
 | **Core Paramters** |  |  |
 | higress-core.gateway.replicas | Number of Higress Gateway pods | 2 |

istio/1.12/patches/istio/20230922-gateway-class.patch

@@ -0,0 +1,14 @@
+diff -Naur istio/pilot/pkg/config/kube/gateway/conversion.go istio_new/pilot/pkg/config/kube/gateway/conversion.go
+--- istio/pilot/pkg/config/kube/gateway/conversion.go	2023-09-22 11:06:50.400535200 +0800
++++ istio_new/pilot/pkg/config/kube/gateway/conversion.go	2023-09-22 11:07:52.954982700 +0800
+@@ -37,8 +37,8 @@
+ )
+ 
+ const (
+-	DefaultClassName = "istio"
+-	ControllerName   = "istio.io/gateway-controller"
++	DefaultClassName = "higress"
++	ControllerName   = "higress.io/gateway-controller"
+ )
+ 
+ // KubernetesResources stores all inputs to our conversion

istio/1.12/patches/istio/20230925-gateway-httproute.patch

@@ -0,0 +1,71 @@
+diff -Naur istio/pilot/pkg/config/kube/gateway/conversion.go istio-new/pilot/pkg/config/kube/gateway/conversion.go
+--- istio/pilot/pkg/config/kube/gateway/conversion.go	2023-09-25 17:26:32.000000000 +0800
++++ istio-new/pilot/pkg/config/kube/gateway/conversion.go	2023-09-25 17:25:27.000000000 +0800
+@@ -656,6 +656,16 @@
+ 			Port: &istio.PortSelector{Number: uint32(*to.Port)},
+ 		}, nil
+ 	}
++	if equal((*string)(to.Group), "networking.higress.io") && nilOrEqual((*string)(to.Kind), "Service") {
++		var port *istio.PortSelector
++		if to.Port != nil {
++			port = &istio.PortSelector{Number: uint32(*to.Port)}
++		}
++		return &istio.Destination{
++			Host: string(to.Name),
++			Port: port,
++		}, nil
++	}
+ 	return nil, &ConfigError{
+ 		Reason:  InvalidDestination,
+ 		Message: fmt.Sprintf("referencing unsupported backendRef: group %q kind %q", emptyIfNil((*string)(to.Group)), emptyIfNil((*string)(to.Kind))),
+@@ -912,7 +922,7 @@
+ 					ObservedGeneration: obj.Generation,
+ 					LastTransitionTime: metav1.Now(),
+ 					Reason:             string(k8s.GatewayClassConditionStatusAccepted),
+-					Message:            "Handled by Istio controller",
++					Message:            "Handled by Higress controller",
+ 				})
+ 				return gcs
+ 			})
+@@ -1371,6 +1381,10 @@
+ 	return d
+ }
+ 
++func equal(have *string, expected string) bool {
++	return have != nil && *have == expected
++}
++
+ func nilOrEqual(have *string, expected string) bool {
+ 	return have == nil || *have == expected
+ }
+diff -Naur istio/pilot/pkg/leaderelection/leaderelection.go istio-new/pilot/pkg/leaderelection/leaderelection.go
+--- istio/pilot/pkg/leaderelection/leaderelection.go	2023-09-25 17:26:31.000000000 +0800
++++ istio-new/pilot/pkg/leaderelection/leaderelection.go	2023-09-25 14:59:39.000000000 +0800
+@@ -35,20 +35,20 @@
+ 
+ // Various locks used throughout the code
+ const (
+-	NamespaceController     = "istio-namespace-controller-election"
+-	ServiceExportController = "istio-serviceexport-controller-election"
++	NamespaceController     = "higress-namespace-controller-election"
++	ServiceExportController = "higress-serviceexport-controller-election"
+ 	// This holds the legacy name to not conflict with older control plane deployments which are just
+ 	// doing the ingress syncing.
+-	IngressController = "istio-leader"
++	IngressController = "higress-leader"
+ 	// GatewayStatusController controls the status of gateway.networking.k8s.io objects. For the v1alpha1
+ 	// this was formally "istio-gateway-leader"; because they are a different API group we need a different
+ 	// election to ensure we do not only handle one or the other.
+-	GatewayStatusController = "istio-gateway-status-leader"
++	GatewayStatusController = "higress-gateway-status-leader"
+ 	// GatewayDeploymentController controls the Deployment/Service generation from Gateways. This is
+ 	// separate from GatewayStatusController to allow running in a separate process (for low priv).
+-	GatewayDeploymentController = "istio-gateway-deployment-leader"
+-	StatusController            = "istio-status-leader"
+-	AnalyzeController           = "istio-analyze-leader"
++	GatewayDeploymentController = "higress-gateway-deployment-leader"
++	StatusController            = "higress-status-leader"
++	AnalyzeController           = "higress-analyze-leader"
+ )
+ 
+ var ClusterScopedNamespaceController = NamespaceController

istio/1.12/patches/istio/20231008-gateway-fallback.patch

@@ -0,0 +1,90 @@
+diff -Naur istio/pilot/pkg/config/kube/gateway/conversion.go istio-new/pilot/pkg/config/kube/gateway/conversion.go
+--- istio/pilot/pkg/config/kube/gateway/conversion.go	2023-10-08 19:54:47.000000000 +0800
++++ istio-new/pilot/pkg/config/kube/gateway/conversion.go	2023-09-27 16:10:42.000000000 +0800
+@@ -18,6 +18,7 @@
+ 	"fmt"
+ 	"regexp"
+ 	"sort"
++	"strconv"
+ 	"strings"
+ 
+ 	corev1 "k8s.io/api/core/v1"
+@@ -176,7 +177,9 @@
+ 	hosts := hostnameToStringList(route.Hostnames)
+ 	for _, r := range route.Rules {
+ 		// TODO: implement rewrite, timeout, mirror, corspolicy, retries
+-		vs := &istio.HTTPRoute{}
++		vs := &istio.HTTPRoute{
++			Name: obj.Name,
++		}
+ 		for _, match := range r.Matches {
+ 			uri, err := createURIMatch(match)
+ 			if err != nil {
+@@ -246,7 +249,9 @@
+ 			}}
+ 		}
+ 
+-		route, err := buildHTTPDestination(r.BackendRefs, obj.Namespace, domain, zero)
++		fallbackCluster := obj.Annotations["higress.io/fallback-service"]
++
++		route, err := buildHTTPDestination(r.BackendRefs, obj.Namespace, domain, zero, fallbackCluster)
+ 		if err != nil {
+ 			reportError(err)
+ 			return nil
+@@ -581,11 +586,33 @@
+ 	return r
+ }
+ 
+-func buildHTTPDestination(forwardTo []k8s.HTTPBackendRef, ns string, domain string, totalZero bool) ([]*istio.HTTPRouteDestination, *ConfigError) {
++func buildHTTPDestination(forwardTo []k8s.HTTPBackendRef, ns string, domain string, totalZero bool, fallbackCluster string) ([]*istio.HTTPRouteDestination, *ConfigError) {
+ 	if forwardTo == nil {
+ 		return nil, nil
+ 	}
+ 
++	var fallbackDest *istio.Destination
++	if fallbackCluster != "" {
++		var port uint64
++		host := fallbackCluster
++		colon := strings.LastIndex(fallbackCluster, ":")
++		if colon != -1 {
++			var err error
++			port, err = strconv.ParseUint(fallbackCluster[colon+1:], 10, 32)
++			if err == nil && port > 0 && port < 65536 {
++				host = fallbackCluster[:colon]
++			}
++		}
++		fallbackDest = &istio.Destination{
++			Host: host,
++		}
++		if port > 0 {
++			fallbackDest.Port = &istio.PortSelector{
++				Number: uint32(port),
++			}
++		}
++	}
++
+ 	weights := []int{}
+ 	action := []k8s.HTTPBackendRef{}
+ 	for i, w := range forwardTo {
+@@ -612,6 +639,9 @@
+ 			Destination: dst,
+ 			Weight:      int32(weights[i]),
+ 		}
++		if fallbackDest != nil {
++			rd.FallbackClusters = append(rd.FallbackClusters, fallbackDest)
++		}
+ 		for _, filter := range fwd.Filters {
+ 			switch filter.Type {
+ 			case k8s.HTTPRouteFilterRequestHeaderModifier:
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/route/route.go istio-new/pilot/pkg/networking/core/v1alpha3/route/route.go
+--- istio/pilot/pkg/networking/core/v1alpha3/route/route.go	2023-10-08 19:54:46.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/route/route.go	2023-09-27 16:18:16.000000000 +0800
+@@ -669,7 +669,7 @@
+ 		}
+ 		var singleClusterConfig *fallback.ClusterFallbackConfig
+ 		var weightedClusterConfig *fallback.ClusterFallbackConfig
+-		isSupportFallback := supportFallback(node)
++		isSupportFallback := true
+ 		// Added by ingress
+ 		if len(in.Route) == 1 {
+ 			route := in.Route[0]

istio/1.12/patches/istio/20231024-cds-add-fallback.patch

@@ -0,0 +1,13 @@
+diff -Naur istio/pilot/pkg/model/push_context.go istio-new/pilot/pkg/model/push_context.go
+--- istio/pilot/pkg/model/push_context.go	2023-10-24 10:55:51.000000000 +0800
++++ istio-new/pilot/pkg/model/push_context.go	2023-10-20 17:00:06.000000000 +0800
+@@ -704,6 +704,9 @@
+ 			if r.Destination != nil {
+ 				out = append(out, r.Destination.Host)
+ 			}
++			for _, d := range r.FallbackClusters {
++				out = append(out, d.Host)
++			}
+ 		}
+ 		if h.Mirror != nil {
+ 			out = append(out, h.Mirror.Host)

istio/1.12/patches/istio/20231103-gatewayapi-sort.patch

@@ -0,0 +1,377 @@
+diff -Naur istio/pilot/pkg/config/kube/gateway/conversion.go istio-new/pilot/pkg/config/kube/gateway/conversion.go
+--- istio/pilot/pkg/config/kube/gateway/conversion.go	2023-11-03 17:18:56.000000000 +0800
++++ istio-new/pilot/pkg/config/kube/gateway/conversion.go	2023-11-03 17:14:50.000000000 +0800
+@@ -151,15 +151,113 @@
+ 		}
+ 	}
+ 
++	// for gateway routes, build one VS per gateway+host
++	gatewayRoutes := make(map[string]map[string]*config.Config)
++
+ 	for _, obj := range r.HTTPRoute {
+-		if vsConfig := buildHTTPVirtualServices(obj, gatewayMap, r.Domain); vsConfig != nil {
++		buildHTTPVirtualServices(r, obj, gatewayMap, gatewayRoutes, r.Domain)
++	}
++	for _, vsByHost := range gatewayRoutes {
++		for _, vsConfig := range vsByHost {
+ 			result = append(result, *vsConfig)
+ 		}
+ 	}
+ 	return result
+ }
+ 
+-func buildHTTPVirtualServices(obj config.Config, gateways map[parentKey]map[gatewayapiV1beta1.SectionName]*parentInfo, domain string) *config.Config {
++// getURIRank ranks a URI match type. Exact > Prefix > Regex
++func getURIRank(match *istio.HTTPMatchRequest) int {
++	if match.Uri == nil {
++		return -1
++	}
++	switch match.Uri.MatchType.(type) {
++	case *istio.StringMatch_Exact:
++		return 3
++	case *istio.StringMatch_Prefix:
++		return 2
++	case *istio.StringMatch_Regex:
++		// TODO optimize in new verison envoy
++		if strings.HasSuffix(match.Uri.GetRegex(), prefixMatchRegex) &&
++			!strings.ContainsAny(strings.TrimSuffix(match.Uri.GetRegex(), prefixMatchRegex), `\.+*?()|[]{}^$`) {
++			return 2
++		}
++		return 1
++	}
++	// should not happen
++	return -1
++}
++
++func getURILength(match *istio.HTTPMatchRequest) int {
++	if match.Uri == nil {
++		return 0
++	}
++	switch match.Uri.MatchType.(type) {
++	case *istio.StringMatch_Prefix:
++		return len(match.Uri.GetPrefix())
++	case *istio.StringMatch_Exact:
++		return len(match.Uri.GetExact())
++	case *istio.StringMatch_Regex:
++		return len(match.Uri.GetRegex())
++	}
++	// should not happen
++	return -1
++}
++
++// sortHTTPRoutes sorts generated vs routes to meet gateway-api requirements
++// see https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.HTTPRouteRule
++func sortHTTPRoutes(routes []*istio.HTTPRoute) {
++	sort.SliceStable(routes, func(i, j int) bool {
++		if len(routes[i].Match) == 0 {
++			return false
++		} else if len(routes[j].Match) == 0 {
++			return true
++		}
++		// Only look at match[0], we always generate only one match
++		m1, m2 := routes[i].Match[0], routes[j].Match[0]
++		r1, r2 := getURIRank(m1), getURIRank(m2)
++		len1, len2 := getURILength(m1), getURILength(m2)
++		switch {
++		// 1: Exact/Prefix/Regex
++		case r1 != r2:
++			return r1 > r2
++		case len1 != len2:
++			return len1 > len2
++			// 2: method math
++		case (m1.Method == nil) != (m2.Method == nil):
++			return m1.Method != nil
++			// 3: number of header matches
++		case len(m1.Headers) != len(m2.Headers):
++			return len(m1.Headers) > len(m2.Headers)
++			// 4: number of query matches
++		default:
++			return len(m1.QueryParams) > len(m2.QueryParams)
++		}
++	})
++}
++
++func routeMeta(obj config.Config) map[string]string {
++	m := parentMeta(obj, nil)
++	m[constants.InternalRouteSemantics] = constants.RouteSemanticsGateway
++	return m
++}
++
++func filteredReferences(parents []routeParentReference) []routeParentReference {
++	ret := make([]routeParentReference, 0, len(parents))
++	for _, p := range parents {
++		if p.DeniedReason != nil {
++			// We should filter this out
++			continue
++		}
++		ret = append(ret, p)
++	}
++	// To ensure deterministic order, sort them
++	sort.Slice(ret, func(i, j int) bool {
++		return ret[i].InternalName < ret[j].InternalName
++	})
++	return ret
++}
++
++func buildHTTPVirtualServices(ctx *KubernetesResources, obj config.Config, gateways map[parentKey]map[gatewayapiV1beta1.SectionName]*parentInfo, gatewayRoutes map[string]map[string]*config.Config, domain string) {
+ 	route := obj.Spec.(*gatewayapiV1beta1.HTTPRouteSpec)
+ 
+ 	parentRefs := extractParentReferenceInfo(gateways, route.ParentRefs, route.Hostnames, gvk.HTTPRoute, obj.Namespace)
+@@ -172,10 +270,7 @@
+ 		})
+ 	}
+ 
+-	name := fmt.Sprintf("%s-%s", obj.Name, constants.KubernetesGatewayName)
+-
+ 	httproutes := []*istio.HTTPRoute{}
+-	hosts := hostnameToStringList(route.Hostnames)
+ 	for _, r := range route.Rules {
+ 		// TODO: implement rewrite, timeout, mirror, corspolicy, retries
+ 		vs := &istio.HTTPRoute{
+@@ -185,22 +280,22 @@
+ 			uri, err := createURIMatch(match)
+ 			if err != nil {
+ 				reportError(err)
+-				return nil
++				return
+ 			}
+ 			headers, err := createHeadersMatch(match)
+ 			if err != nil {
+ 				reportError(err)
+-				return nil
++				return
+ 			}
+ 			qp, err := createQueryParamsMatch(match)
+ 			if err != nil {
+ 				reportError(err)
+-				return nil
++				return
+ 			}
+ 			method, err := createMethodMatch(match)
+ 			if err != nil {
+ 				reportError(err)
+-				return nil
++				return
+ 			}
+ 			vs.Match = append(vs.Match, &istio.HTTPMatchRequest{
+ 				Uri:         uri,
+@@ -219,7 +314,7 @@
+ 				mirror, err := createMirrorFilter(filter.RequestMirror, obj.Namespace, domain)
+ 				if err != nil {
+ 					reportError(err)
+-					return nil
++					return
+ 				}
+ 				vs.Mirror = mirror
+ 			default:
+@@ -227,7 +322,7 @@
+ 					Reason:  InvalidFilter,
+ 					Message: fmt.Sprintf("unsupported filter type %q", filter.Type),
+ 				})
+-				return nil
++				return
+ 			}
+ 		}
+ 
+@@ -255,33 +350,65 @@
+ 		route, err := buildHTTPDestination(r.BackendRefs, obj.Namespace, domain, zero, fallbackCluster)
+ 		if err != nil {
+ 			reportError(err)
+-			return nil
++			return
+ 		}
+ 		vs.Route = route
+ 
+ 		httproutes = append(httproutes, vs)
+ 	}
+ 	reportError(nil)
+-	gatewayNames := referencesToInternalNames(parentRefs)
+-	if len(gatewayNames) == 0 {
+-		return nil
++
++	count := 0
++	for _, parent := range filteredReferences(parentRefs) {
++		// for gateway routes, build one VS per gateway+host
++		routeMap := gatewayRoutes
++		routeKey := parent.InternalName
++		vsHosts := hostnameToStringList(route.Hostnames)
++		routes := httproutes
++		if len(routes) == 0 {
++			continue
++		}
++		if _, f := routeMap[routeKey]; !f {
++			routeMap[routeKey] = make(map[string]*config.Config)
++		}
++
++		// Create one VS per hostname with a single hostname.
++		// This ensures we can treat each hostname independently, as the spec requires
++		for _, h := range vsHosts {
++			if cfg := routeMap[routeKey][h]; cfg != nil {
++				// merge http routes
++				vs := cfg.Spec.(*istio.VirtualService)
++				vs.Http = append(vs.Http, routes...)
++				// append parents
++				cfg.Annotations[constants.InternalParentNames] = fmt.Sprintf("%s,%s/%s.%s",
++					cfg.Annotations[constants.InternalParentNames], obj.GroupVersionKind.Kind, obj.Name, obj.Namespace)
++			} else {
++				name := fmt.Sprintf("%s-%d-%s", obj.Name, count, constants.KubernetesGatewayName)
++				routeMap[routeKey][h] = &config.Config{
++					Meta: config.Meta{
++						CreationTimestamp: obj.CreationTimestamp,
++						GroupVersionKind:  gvk.VirtualService,
++						Name:              name,
++						Annotations:       routeMeta(obj),
++						Namespace:         obj.Namespace,
++						Domain:            ctx.Domain,
++					},
++					Spec: &istio.VirtualService{
++						Hosts:    []string{h},
++						Gateways: []string{parent.InternalName},
++						Http:     routes,
++					},
++				}
++				count++
++			}
++		}
+ 	}
+-	vsConfig := config.Config{
+-		Meta: config.Meta{
+-			CreationTimestamp: obj.CreationTimestamp,
+-			GroupVersionKind:  gvk.VirtualService,
+-			Name:              name,
+-			Annotations:       parentMeta(obj, nil),
+-			Namespace:         obj.Namespace,
+-			Domain:            domain,
+-		},
+-		Spec: &istio.VirtualService{
+-			Hosts:    hosts,
+-			Gateways: gatewayNames,
+-			Http:     httproutes,
+-		},
++	for _, vsByHost := range gatewayRoutes {
++		for _, cfg := range vsByHost {
++			vs := cfg.Spec.(*istio.VirtualService)
++			sortHTTPRoutes(vs.Http)
++		}
+ 	}
+-	return &vsConfig
+ }
+ 
+ func parentMeta(obj config.Config, sectionName *gatewayapiV1beta1.SectionName) map[string]string {
+@@ -1155,9 +1282,11 @@
+ 			}
+ 			gs.Addresses = make([]gatewayapiV1beta1.GatewayAddress, 0, len(addressesToReport))
+ 			for _, addr := range addressesToReport {
++				addrPairs := strings.Split(addr, ":")
+ 				gs.Addresses = append(gs.Addresses, gatewayapiV1beta1.GatewayAddress{
+-					Type:  &addrType,
+-					Value: addr,
++					Type: &addrType,
++					// strip the port
++					Value: addrPairs[0],
+ 				})
+ 			}
+ 			return gs
+diff -Naur istio/pilot/pkg/model/push_context.go istio-new/pilot/pkg/model/push_context.go
+--- istio/pilot/pkg/model/push_context.go	2023-11-03 17:18:56.000000000 +0800
++++ istio-new/pilot/pkg/model/push_context.go	2023-11-03 17:05:47.000000000 +0800
+@@ -841,7 +841,19 @@
+ func (ps *PushContext) VirtualServicesForGateway(proxy *Proxy, gateway string) []config.Config {
+ 	res := ps.virtualServiceIndex.privateByNamespaceAndGateway[proxy.ConfigNamespace][gateway]
+ 	res = append(res, ps.virtualServiceIndex.exportedToNamespaceByGateway[proxy.ConfigNamespace][gateway]...)
+-	res = append(res, ps.virtualServiceIndex.publicByGateway[gateway]...)
++
++	// Favor same-namespace Gateway routes, to give the "consumer override" preference.
++	// We do 2 iterations here to avoid extra allocations.
++	for _, vs := range ps.virtualServiceIndex.publicByGateway[gateway] {
++		if UseGatewaySemantics(vs) && vs.Namespace == proxy.ConfigNamespace {
++			res = append(res, vs)
++		}
++	}
++	for _, vs := range ps.virtualServiceIndex.publicByGateway[gateway] {
++		if !(UseGatewaySemantics(vs) && vs.Namespace == proxy.ConfigNamespace) {
++			res = append(res, vs)
++		}
++	}
+ 	return res
+ }
+ 
+diff -Naur istio/pilot/pkg/model/virtualservice.go istio-new/pilot/pkg/model/virtualservice.go
+--- istio/pilot/pkg/model/virtualservice.go	2023-11-03 17:18:55.000000000 +0800
++++ istio-new/pilot/pkg/model/virtualservice.go	2023-11-03 15:19:08.000000000 +0800
+@@ -76,6 +76,11 @@
+ }
+ 
+ func resolveVirtualServiceShortnames(rule *networking.VirtualService, meta config.Meta) {
++	// Kubernetes Gateway API semantics support shortnames
++	// if UseGatewaySemantics(config.Config{Meta: meta}) {
++	// 	return
++	// }
++
+ 	// resolve top level hosts
+ 	for i, h := range rule.Hosts {
+ 		rule.Hosts[i] = string(ResolveShortnameToFQDN(h, meta))
+@@ -524,3 +529,10 @@
+ 	}
+ 	return false
+ }
++
++// UseGatewaySemantics determines which logic we should use for VirtualService
++// This allows gateway-api and VS to both be represented by VirtualService, but have different
++// semantics.
++func UseGatewaySemantics(cfg config.Config) bool {
++	return cfg.Annotations[constants.InternalRouteSemantics] == constants.RouteSemanticsGateway
++}
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/route/route.go istio-new/pilot/pkg/networking/core/v1alpha3/route/route.go
+--- istio/pilot/pkg/networking/core/v1alpha3/route/route.go	2023-11-03 17:18:56.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/route/route.go	2023-11-03 17:05:55.000000000 +0800
+@@ -408,7 +408,6 @@
+ 			break
+ 		}
+ 	}
+-
+ 	if len(out) == 0 {
+ 		return nil, fmt.Errorf("no routes matched")
+ 	}
+@@ -493,6 +492,14 @@
+ 			},
+ 		}
+ 
++		if model.UseGatewaySemantics(virtualService) {
++			if uri, isPrefixReplace := cutPrefix(redirect.Uri, "%PREFIX()%"); isPrefixReplace {
++				action.Redirect.PathRewriteSpecifier = &route.RedirectAction_PrefixRewrite{
++					PrefixRewrite: uri,
++				}
++			}
++		}
++
+ 		if redirect.Scheme != "" {
+ 			action.Redirect.SchemeRewriteSpecifier = &route.RedirectAction_SchemeRedirect{SchemeRedirect: redirect.Scheme}
+ 		}
+@@ -1616,3 +1623,10 @@
+ 	isSupport = curVersion.GreaterThan(notSupportFallback)
+ 	return
+ }
++
++func cutPrefix(s, prefix string) (after string, found bool) {
++	if !strings.HasPrefix(s, prefix) {
++		return s, false
++	}
++	return s[len(prefix):], true
++}
+diff -Naur istio/pkg/config/constants/constants.go istio-new/pkg/config/constants/constants.go
+--- istio/pkg/config/constants/constants.go	2023-11-03 17:18:54.000000000 +0800
++++ istio-new/pkg/config/constants/constants.go	2023-11-03 14:29:27.000000000 +0800
+@@ -15,6 +15,12 @@
+ package constants
+ 
+ const (
++	InternalParentNames = "internal.istio.io/parents"
++
++	InternalRouteSemantics = "internal.istio.io/route-semantics"
++
++	RouteSemanticsGateway = "gateway"
++
+ 	// UnspecifiedIP constant for empty IP address
+ 	UnspecifiedIP = "0.0.0.0"
+ 

istio/1.12/patches/istio/20231104-gatewayapi-catchall.patch

@@ -0,0 +1,50 @@
+diff -Naur istio/pilot/pkg/config/kube/gateway/conversion.go istio-new/pilot/pkg/config/kube/gateway/conversion.go
+--- istio/pilot/pkg/config/kube/gateway/conversion.go	2023-11-03 20:09:38.000000000 +0800
++++ istio-new/pilot/pkg/config/kube/gateway/conversion.go	2023-11-03 20:02:26.000000000 +0800
+@@ -165,6 +165,34 @@
+ 	return result
+ }
+ 
++// isCatchAll returns true if HTTPMatchRequest is a catchall match otherwise
++// false. Note - this may not be exactly "catch all" as we don't know the full
++// class of possible inputs As such, this is used only for optimization.
++func isCatchAllMatch(m *istio.HTTPMatchRequest) bool {
++	catchall := false
++	if m.Uri != nil {
++		switch m := m.Uri.MatchType.(type) {
++		case *istio.StringMatch_Prefix:
++			catchall = m.Prefix == "/"
++		case *istio.StringMatch_Regex:
++			catchall = m.Regex == "*"
++		}
++	}
++	// A Match is catch all if and only if it has no match set
++	// and URI has a prefix / or regex *.
++	return catchall &&
++		len(m.Headers) == 0 &&
++		len(m.QueryParams) == 0 &&
++		len(m.SourceLabels) == 0 &&
++		len(m.WithoutHeaders) == 0 &&
++		len(m.Gateways) == 0 &&
++		m.Method == nil &&
++		m.Scheme == nil &&
++		m.Port == 0 &&
++		m.Authority == nil &&
++		m.SourceNamespace == ""
++}
++
+ // getURIRank ranks a URI match type. Exact > Prefix > Regex
+ func getURIRank(match *istio.HTTPMatchRequest) int {
+ 	if match.Uri == nil {
+@@ -212,6 +240,11 @@
+ 		} else if len(routes[j].Match) == 0 {
+ 			return true
+ 		}
++		if isCatchAllMatch(routes[i].Match[0]) {
++			return false
++		} else if isCatchAllMatch(routes[j].Match[0]) {
++			return true
++		}
+ 		// Only look at match[0], we always generate only one match
+ 		m1, m2 := routes[i].Match[0], routes[j].Match[0]
+ 		r1, r2 := getURIRank(m1), getURIRank(m2)

istio/1.12/patches/istio/20231115-optimize-xds-push.patch

@@ -0,0 +1,62 @@
+diff -Naur istio/pilot/pkg/xds/ads.go istio-new/pilot/pkg/xds/ads.go
+--- istio/pilot/pkg/xds/ads.go	2023-11-15 20:25:18.000000000 +0800
++++ istio-new/pilot/pkg/xds/ads.go	2023-11-15 20:24:20.000000000 +0800
+@@ -318,6 +318,27 @@
+ 	<-con.initialized
+ 
+ 	for {
++		// Go select{} statements are not ordered; the same channel can be chosen many times.
++		// For requests, these are higher priority (client may be blocked on startup until these are done)
++		// and often very cheap to handle (simple ACK), so we check it first.
++		select {
++		case req, ok := <-con.reqChan:
++			if ok {
++				if err := s.processRequest(req, con); err != nil {
++					return err
++				}
++			} else {
++				// Remote side closed connection or error processing the request.
++				return <-con.errorChan
++			}
++		case <-con.stop:
++			return nil
++		default:
++		}
++		// If there wasn't already a request, poll for requests and pushes. Note: if we have a huge
++		// amount of incoming requests, we may still send some pushes, as we do not `continue` above;
++		// however, requests will be handled ~2x as much as pushes. This ensures a wave of requests
++		// cannot completely starve pushes. However, this scenario is unlikely.
+ 		select {
+ 		case req, ok := <-con.reqChan:
+ 			if ok {
+diff -Naur istio/pilot/pkg/xds/delta.go istio-new/pilot/pkg/xds/delta.go
+--- istio/pilot/pkg/xds/delta.go	2023-11-15 20:25:18.000000000 +0800
++++ istio-new/pilot/pkg/xds/delta.go	2023-11-15 20:24:44.000000000 +0800
+@@ -102,6 +102,27 @@
+ 	<-con.initialized
+ 
+ 	for {
++		// Go select{} statements are not ordered; the same channel can be chosen many times.
++		// For requests, these are higher priority (client may be blocked on startup until these are done)
++		// and often very cheap to handle (simple ACK), so we check it first.
++		select {
++		case req, ok := <-con.deltaReqChan:
++			if ok {
++				if err := s.processDeltaRequest(req, con); err != nil {
++					return err
++				}
++			} else {
++				// Remote side closed connection or error processing the request.
++				return <-con.errorChan
++			}
++		case <-con.stop:
++			return nil
++		default:
++		}
++		// If there wasn't already a request, poll for requests and pushes. Note: if we have a huge
++		// amount of incoming requests, we may still send some pushes, as we do not `continue` above;
++		// however, requests will be handled ~2x as much as pushes. This ensures a wave of requests
++		// cannot completely starve pushes. However, this scenario is unlikely.
+ 		select {
+ 		case req, ok := <-con.deltaReqChan:
+ 			if ok {

istio/1.12/patches/istio/20240104-enhance-srds.patch

@@ -0,0 +1,633 @@
+diff -Naur istio/pilot/pkg/features/pilot.go istio-new/pilot/pkg/features/pilot.go
+--- istio/pilot/pkg/features/pilot.go	2024-01-05 17:58:08.000000000 +0800
++++ istio-new/pilot/pkg/features/pilot.go	2024-01-04 21:20:00.000000000 +0800
+@@ -569,6 +569,12 @@
+ 	// Added by ingress
+ 	CustomCACertConfigMapName = env.RegisterStringVar("CUSTOM_CA_CERT_NAME", "",
+ 		"Defines the configmap's name of  istio's root ca certificate").Get()
++	HostRDSMergeSubset = env.RegisterBoolVar("HOST_RDS_MERGE_SUBSET", true,
++		"If enabled, if host A is a subset of B, then we merge B's routes into A's hostRDS").Get()
++	EnableScopedRDS = env.RegisterBoolVar("ENBALE_SCOPED_RDS", true,
++		"If enabled, each host in virtualservice will have an independent RDS, which is used with SRDS").Get()
++	OnDemandRDS = env.RegisterBoolVar("ON_DEMAND_RDS", false,
++		"If enabled, the on demand filter will be added to the HCM filters").Get()
+ 	// End added by ingress
+ )
+ 
+diff -Naur istio/pilot/pkg/networking/core/configgen.go istio-new/pilot/pkg/networking/core/configgen.go
+--- istio/pilot/pkg/networking/core/configgen.go	2024-01-05 17:58:02.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/configgen.go	2024-01-04 21:20:00.000000000 +0800
+@@ -17,6 +17,7 @@
+ import (
+ 	core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+ 	listener "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
++	route "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
+ 	discovery "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
+ 
+ 	meshconfig "istio.io/api/mesh/v1alpha1"
+@@ -44,6 +45,10 @@
+ 	// BuildHTTPRoutes returns the list of HTTP routes for the given proxy. This is the RDS output
+ 	BuildHTTPRoutes(node *model.Proxy, req *model.PushRequest, routeNames []string) ([]*discovery.Resource, model.XdsLogDetails)
+ 
++	// Added by ingress
++	BuildScopedRoutes(node *model.Proxy, push *model.PushContext) []*route.ScopedRouteConfiguration
++	// End added by ingress
++
+ 	// BuildNameTable returns list of hostnames and the associated IPs
+ 	BuildNameTable(node *model.Proxy, push *model.PushContext) *dnsProto.NameTable
+ 
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
+--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-01-05 17:58:07.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-01-05 11:19:54.000000000 +0800
+@@ -41,7 +41,9 @@
+ 	"istio.io/istio/pilot/pkg/networking/plugin"
+ 	"istio.io/istio/pilot/pkg/networking/util"
+ 	authn_model "istio.io/istio/pilot/pkg/security/model"
++	"istio.io/istio/pilot/pkg/util/sets"
+ 	"istio.io/istio/pkg/config"
++	"istio.io/istio/pkg/config/constants"
+ 	"istio.io/istio/pkg/config/gateway"
+ 	"istio.io/istio/pkg/config/host"
+ 	"istio.io/istio/pkg/config/protocol"
+@@ -104,10 +106,15 @@
+ 			// We can also have QUIC on a given port along with HTTPS/TLS on a given port. It does not
+ 			// cause port-conflict as they use different transport protocols
+ 			opts := &buildListenerOpts{
+-				push:       builder.push,
+-				proxy:      builder.node,
+-				bind:       bind,
+-				port:       &model.Port{Port: int(port.Number)},
++				push:  builder.push,
++				proxy: builder.node,
++				bind:  bind,
++				port: &model.Port{
++					Port: int(port.Number),
++					// Added by ingress
++					Protocol: protocol.Parse(port.Protocol),
++					// End added by ingress
++				},
+ 				bindToPort: true,
+ 				class:      istionetworking.ListenerClassGateway,
+ 				transport:  transport,
+@@ -340,6 +347,269 @@
+ 	return nameToServiceMap
+ }
+ 
++// Added by ingress
++func (configgen *ConfigGeneratorImpl) BuildScopedRoutes(node *model.Proxy, push *model.PushContext) []*route.ScopedRouteConfiguration {
++	if node.MergedGateway == nil {
++		log.Warnf("buildScopedRoutes: no gateways for router %v", node.ID)
++		return nil
++	}
++	merged := node.MergedGateway
++	var out []*route.ScopedRouteConfiguration
++	gatewayVirtualServices := make(map[string][]config.Config)
++	serverIterator := func(listenerPort int, mergedServers map[model.ServerPort]*model.MergedServers) sets.Set {
++		hostSet := sets.NewSet()
++		for port, servers := range mergedServers {
++			if port.Number != uint32(listenerPort) {
++				continue
++			}
++			for _, server := range servers.Servers {
++				gatewayName := merged.GatewayNameForServer[server]
++
++				var virtualServices []config.Config
++				var exists bool
++
++				if virtualServices, exists = gatewayVirtualServices[gatewayName]; !exists {
++					virtualServices = push.VirtualServicesForGateway(node, gatewayName)
++					gatewayVirtualServices[gatewayName] = virtualServices
++				}
++				for _, virtualService := range virtualServices {
++					for _, host := range virtualService.Spec.(*networking.VirtualService).Hosts {
++						hostSet.Insert(host)
++					}
++				}
++			}
++		}
++		return hostSet
++	}
++	buildPortHostScopedRoute := func(listenerPort model.ServerPort) {
++		p := protocol.Parse(listenerPort.Protocol)
++		if !p.IsHTTP() && p != protocol.HTTPS {
++			return
++		}
++		port := strconv.Itoa(int(listenerPort.Number))
++		hostSet := serverIterator(int(listenerPort.Number), merged.MergedServers).
++			Union(serverIterator(int(listenerPort.Number), merged.MergedQUICTransportServers))
++		for host, _ := range hostSet {
++			portKey := &route.ScopedRouteConfiguration_Key_Fragment{
++				Type: &route.ScopedRouteConfiguration_Key_Fragment_StringKey{
++					StringKey: port,
++				},
++			}
++			hostKey := &route.ScopedRouteConfiguration_Key_Fragment{
++				Type: &route.ScopedRouteConfiguration_Key_Fragment_StringKey{
++					StringKey: host,
++				},
++			}
++			name := strings.Join([]string{port, host}, ".")
++			out = append(out, &route.ScopedRouteConfiguration{
++				OnDemand:               features.OnDemandRDS,
++				Name:                   name,
++				RouteConfigurationName: constants.HigressHostRDSNamePrefix + name,
++				Key: &route.ScopedRouteConfiguration_Key{
++					Fragments: []*route.ScopedRouteConfiguration_Key_Fragment{portKey, hostKey},
++				},
++			})
++		}
++	}
++	for _, port := range merged.ServerPorts {
++		buildPortHostScopedRoute(port)
++	}
++	return out
++}
++
++type virtualServiceContext struct {
++	virtualService config.Config
++	server         *networking.Server
++	gatewayName    string
++}
++
++func (configgen *ConfigGeneratorImpl) buildHostRDSConfig(node *model.Proxy, push *model.PushContext,
++	routeName string) *route.RouteConfiguration {
++	var (
++		hostRDSPort string
++		hostRDSHost string
++	)
++	portAndHost := strings.SplitN(strings.TrimPrefix(routeName, constants.HigressHostRDSNamePrefix), ".", 2)
++	if len(portAndHost) != 2 {
++		log.Errorf("Invalid route %s when using Higress hostRDS", routeName)
++		return nil
++	}
++	hostRDSPort = portAndHost[0]
++	hostRDSHost = portAndHost[1]
++	merged := node.MergedGateway
++	log.Debugf("buildGatewayRoutes: gateways after merging: %v", merged)
++	rdsPort, err := strconv.Atoi(hostRDSPort)
++	if err != nil {
++		log.Errorf("Invalid port %s of route %s when using Higress hostRDS", hostRDSPort, routeName)
++		return nil
++	}
++	listenerPort := uint32(rdsPort)
++	globalHTTPFilters := mseingress.ExtractGlobalHTTPFilters(node, push)
++
++	isH3DiscoveryNeeded := false
++
++	// When this is true, we add alt-svc header to the response to tell the client
++	// that HTTP/3 over QUIC is available on the same port for this host. This is
++	// very important for discovering HTTP/3 services
++	for port, servers := range merged.MergedQUICTransportServers {
++		if port.Number == listenerPort && len(servers.Servers) > 0 {
++			isH3DiscoveryNeeded = true
++			break
++		}
++	}
++
++	gatewayRoutes := make(map[string]map[string][]*route.Route)
++	gatewayVirtualServices := make(map[string][]config.Config)
++	var selectedVirtualServices []virtualServiceContext
++	var vHost *route.VirtualHost
++	serverIterator := func(mergedServers map[model.ServerPort]*model.MergedServers) {
++		for port, servers := range mergedServers {
++			if port.Number != listenerPort {
++				continue
++			}
++			for _, server := range servers.Servers {
++				gatewayName := merged.GatewayNameForServer[server]
++
++				var virtualServices []config.Config
++				var exists bool
++
++				if virtualServices, exists = gatewayVirtualServices[gatewayName]; !exists {
++					virtualServices = push.VirtualServicesForGateway(node, gatewayName)
++					gatewayVirtualServices[gatewayName] = virtualServices
++				}
++				for _, virtualService := range virtualServices {
++					hostMatch := false
++					var selectHost string
++					virtualServiceHosts := host.NewNames(virtualService.Spec.(*networking.VirtualService).Hosts)
++					for _, hostname := range virtualServiceHosts {
++						// exact match
++						if hostname == host.Name(hostRDSHost) {
++							hostMatch = true
++							selectHost = hostRDSHost
++							break
++						}
++						if features.HostRDSMergeSubset {
++							// subset match
++							if host.Name(hostRDSHost).SubsetOf(hostname) {
++								hostMatch = true
++								selectHost = string(hostname)
++							}
++						}
++					}
++					if !hostMatch {
++						continue
++					}
++					copiedVS := virtualService.DeepCopy()
++					copiedVS.Spec.(*networking.VirtualService).Hosts = []string{selectHost}
++					selectedVirtualServices = append(selectedVirtualServices, virtualServiceContext{
++						virtualService: copiedVS,
++						server:         server,
++						gatewayName:    gatewayName,
++					})
++				}
++			}
++		}
++	}
++	serverIterator(merged.MergedServers)
++	serverIterator(merged.MergedQUICTransportServers)
++	// Sort by subset
++	// before: ["*.abc.com", "*.com", "www.abc.com"]
++	// after: ["www.abc.com", "*.abc.com", "*.com"]
++	sort.SliceStable(selectedVirtualServices, func(i, j int) bool {
++		return host.Name(selectedVirtualServices[i].virtualService.Spec.(*networking.VirtualService).Hosts[0]).SubsetOf(
++			host.Name(selectedVirtualServices[j].virtualService.Spec.(*networking.VirtualService).Hosts[0]))
++	})
++	port := int(listenerPort)
++	for _, ctx := range selectedVirtualServices {
++		virtualService := ctx.virtualService
++		server := ctx.server
++		gatewayName := ctx.gatewayName
++		// Make sure we can obtain services which are visible to this virtualService as much as possible.
++		nameToServiceMap := buildNameToServiceMapForHTTPRoutes(node, push, virtualService)
++
++		var routes []*route.Route
++		var exists bool
++		var err error
++		if _, exists = gatewayRoutes[gatewayName]; !exists {
++			gatewayRoutes[gatewayName] = make(map[string][]*route.Route)
++		}
++
++		vskey := virtualService.Name + "/" + virtualService.Namespace
++
++		if routes, exists = gatewayRoutes[gatewayName][vskey]; !exists {
++			hashByDestination := istio_route.GetConsistentHashForVirtualService(push, node, virtualService, nameToServiceMap)
++			routes, err = istio_route.BuildHTTPRoutesForVirtualServiceWithHTTPFilters(node, virtualService, nameToServiceMap,
++				hashByDestination, port, map[string]bool{gatewayName: true}, isH3DiscoveryNeeded, push.Mesh, globalHTTPFilters)
++			if err != nil {
++				log.Debugf("%s omitting routes for virtual service %v/%v due to error: %v", node.ID, virtualService.Namespace, virtualService.Name, err)
++				continue
++			}
++			gatewayRoutes[gatewayName][vskey] = routes
++		}
++
++		if vHost != nil {
++			vHost.Routes = append(vHost.Routes, routes...)
++			if server.Tls != nil && server.Tls.HttpsRedirect {
++				vHost.RequireTls = route.VirtualHost_ALL
++			}
++		} else {
++			vHost = &route.VirtualHost{
++				Name:                       util.DomainName(hostRDSHost, port),
++				Domains:                    buildGatewayVirtualHostDomains(hostRDSHost, port),
++				Routes:                     routes,
++				IncludeRequestAttemptCount: true,
++				TypedPerFilterConfig:       mseingress.ConstructTypedPerFilterConfigForVHost(globalHTTPFilters, virtualService),
++			}
++			if server.Tls != nil && server.Tls.HttpsRedirect {
++				vHost.RequireTls = route.VirtualHost_ALL
++			}
++		}
++
++		// check all hostname if is not exist with HttpsRedirect set to true
++		// create VirtualHost to redirect
++		for _, hostname := range server.Hosts {
++			if !server.GetTls().GetHttpsRedirect() {
++				continue
++			}
++			if vHost != nil && host.Name(hostname) == host.Name(hostRDSHost) {
++				vHost.RequireTls = route.VirtualHost_ALL
++				continue
++			}
++			vHost = &route.VirtualHost{
++				Name:                       util.DomainName(hostname, port),
++				Domains:                    buildGatewayVirtualHostDomains(hostname, port),
++				IncludeRequestAttemptCount: true,
++				RequireTls:                 route.VirtualHost_ALL,
++			}
++		}
++
++	}
++	var virtualHosts []*route.VirtualHost
++	if vHost == nil {
++		log.Warnf("constructed http route config for route %s on port %d with no vhosts; Setting up a default 404 vhost", routeName, port)
++		virtualHosts = []*route.VirtualHost{{
++			Name:    util.DomainName("blackhole", port),
++			Domains: []string{"*"},
++			// Empty route list will cause Envoy to 404 NR any requests
++			Routes: []*route.Route{},
++		}}
++	} else {
++		vHost.Routes = istio_route.CombineVHostRoutes(vHost.Routes)
++		virtualHosts = append(virtualHosts, vHost)
++	}
++
++	routeCfg := &route.RouteConfiguration{
++		// Retain the routeName as its used by EnvoyFilter patching logic
++		Name:             routeName,
++		VirtualHosts:     virtualHosts,
++		ValidateClusters: proto.BoolFalse,
++	}
++
++	return routeCfg
++}
++
++// End added by ingress
++
+ func (configgen *ConfigGeneratorImpl) buildGatewayHTTPRouteConfig(node *model.Proxy, push *model.PushContext,
+ 	routeName string) *route.RouteConfiguration {
+ 	if node.MergedGateway == nil {
+@@ -351,6 +621,12 @@
+ 		}
+ 	}
+ 
++	// Added by ingress
++	if strings.HasPrefix(routeName, constants.HigressHostRDSNamePrefix) {
++		return configgen.buildHostRDSConfig(node, push, routeName)
++	}
++	// End added by ingress
++
+ 	merged := node.MergedGateway
+ 	log.Debugf("buildGatewayRoutes: gateways after merging: %v", merged)
+ 
+@@ -670,7 +946,9 @@
+ // TLS mode      | Mesh-wide SDS | Ingress SDS | Resulting Configuration
+ // SIMPLE/MUTUAL |    ENABLED    |   ENABLED   | support SDS at ingress gateway to terminate SSL communication outside the mesh
+ // ISTIO_MUTUAL  |    ENABLED    |   DISABLED  | support SDS at gateway to terminate workload mTLS, with internal workloads
+-// 											   | for egress or with another trusted cluster for ingress)
++//
++//	| for egress or with another trusted cluster for ingress)
++//
+ // ISTIO_MUTUAL  |    DISABLED   |   DISABLED  | use file-mounted secret paths to terminate workload mTLS from gateway
+ //
+ // Note that ISTIO_MUTUAL TLS mode and ingressSds should not be used simultaneously on the same ingress gateway.
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/listener.go istio-new/pilot/pkg/networking/core/v1alpha3/listener.go
+--- istio/pilot/pkg/networking/core/v1alpha3/listener.go	2024-01-05 17:58:07.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/listener.go	2024-01-05 17:31:10.000000000 +0800
+@@ -1279,8 +1279,48 @@
+ 
+ 	notimeout := durationpb.New(0 * time.Second)
+ 	connectionManager.StreamIdleTimeout = notimeout
+-
+-	if httpOpts.rds != "" {
++	// Added by ingress
++	enableSRDS := false
++	if features.EnableScopedRDS &&
++		(listenerOpts.port.Protocol.IsHTTP() || (listenerOpts.port.Protocol == protocol.HTTPS)) {
++		enableSRDS = true
++		portFragment := &hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder{
++			Type: &hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor_{
++				LocalPortValueExtractor: &hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor{},
++			}}
++		hostFragment := &hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder{
++			Type: &hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor_{
++				HostValueExtractor: &hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor{},
++			}}
++		scopedRoutes := &hcm.HttpConnectionManager_ScopedRoutes{
++			ScopedRoutes: &hcm.ScopedRoutes{
++				Name: constants.DefaultScopedRouteName,
++				ScopeKeyBuilder: &hcm.ScopedRoutes_ScopeKeyBuilder{
++					Fragments: []*hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder{portFragment, hostFragment},
++				},
++				RdsConfigSource: &core.ConfigSource{
++					ConfigSourceSpecifier: &core.ConfigSource_Ads{
++						Ads: &core.AggregatedConfigSource{},
++					},
++					InitialFetchTimeout: durationpb.New(0),
++					ResourceApiVersion:  core.ApiVersion_V3,
++				},
++				ConfigSpecifier: &hcm.ScopedRoutes_ScopedRds{
++					ScopedRds: &hcm.ScopedRds{
++						ScopedRdsConfigSource: &core.ConfigSource{
++							ConfigSourceSpecifier: &core.ConfigSource_Ads{
++								Ads: &core.AggregatedConfigSource{},
++							},
++							InitialFetchTimeout: durationpb.New(0),
++							ResourceApiVersion:  core.ApiVersion_V3,
++						},
++					},
++				},
++			},
++		}
++		connectionManager.RouteSpecifier = scopedRoutes
++	} else if httpOpts.rds != "" {
++		// End added by ingress
+ 		rds := &hcm.HttpConnectionManager_Rds{
+ 			Rds: &hcm.Rds{
+ 				ConfigSource: &core.ConfigSource{
+@@ -1304,8 +1344,15 @@
+ 
+ 	filters := make([]*hcm.HttpFilter, len(httpFilters))
+ 	copy(filters, httpFilters)
+-	// Make sure cors filter always in the first.
+-	filters = append([]*hcm.HttpFilter{xdsfilters.Cors}, filters...)
++	// Added by ingress
++	// Now only support onDemandRDS when enable SRDS
++	if features.OnDemandRDS && enableSRDS {
++		filters = append([]*hcm.HttpFilter{xdsfilters.OnDemand, xdsfilters.Cors}, filters...)
++	} else {
++		// End added by ingress
++		// Make sure cors filter always in the first.
++		filters = append([]*hcm.HttpFilter{xdsfilters.Cors}, filters...)
++	}
+ 
+ 	if features.MetadataExchange {
+ 		filters = append(filters, xdsfilters.HTTPMx)
+diff -Naur istio/pilot/pkg/xds/ads.go istio-new/pilot/pkg/xds/ads.go
+--- istio/pilot/pkg/xds/ads.go	2024-01-05 17:58:08.000000000 +0800
++++ istio-new/pilot/pkg/xds/ads.go	2024-01-05 17:31:44.000000000 +0800
+@@ -797,15 +797,18 @@
+ 
+ // PushOrder defines the order that updates will be pushed in. Any types not listed here will be pushed in random
+ // order after the types listed here
+-var PushOrder = []string{v3.ClusterType, v3.EndpointType, v3.ListenerType, v3.RouteType, v3.SecretType}
++var PushOrder = []string{v3.ClusterType, v3.EndpointType, v3.ListenerType, v3.ScopedRouteType, v3.RouteType, v3.SecretType}
+ 
+ // KnownOrderedTypeUrls has typeUrls for which we know the order of push.
+ var KnownOrderedTypeUrls = map[string]struct{}{
+ 	v3.ClusterType:  {},
+ 	v3.EndpointType: {},
+ 	v3.ListenerType: {},
+-	v3.RouteType:    {},
+-	v3.SecretType:   {},
++	// Added by ingress
++	v3.ScopedRouteType: {},
++	// End added by ingress
++	v3.RouteType:  {},
++	v3.SecretType: {},
+ }
+ 
+ // orderWatchedResources orders the resources in accordance with known push order.
+diff -Naur istio/pilot/pkg/xds/discovery.go istio-new/pilot/pkg/xds/discovery.go
+--- istio/pilot/pkg/xds/discovery.go	2024-01-05 17:58:07.000000000 +0800
++++ istio-new/pilot/pkg/xds/discovery.go	2024-01-04 21:20:00.000000000 +0800
+@@ -589,6 +589,9 @@
+ 	s.Generators[v3.ClusterType] = &CdsGenerator{Server: s}
+ 	s.Generators[v3.ListenerType] = &LdsGenerator{Server: s}
+ 	s.Generators[v3.RouteType] = &RdsGenerator{Server: s}
++	// Added by ingress
++	s.Generators[v3.ScopedRouteType] = &SrdsGenerator{Server: s}
++	// End added by ingress
+ 	s.Generators[v3.EndpointType] = edsGen
+ 	s.Generators[v3.NameTableType] = &NdsGenerator{Server: s}
+ 	s.Generators[v3.ExtensionConfigurationType] = &EcdsGenerator{Server: s}
+diff -Naur istio/pilot/pkg/xds/filters/filters.go istio-new/pilot/pkg/xds/filters/filters.go
+--- istio/pilot/pkg/xds/filters/filters.go	2024-01-05 17:58:03.000000000 +0800
++++ istio-new/pilot/pkg/xds/filters/filters.go	2024-01-04 21:20:00.000000000 +0800
+@@ -21,6 +21,7 @@
+ 	fault "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/fault/v3"
+ 	grpcstats "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_stats/v3"
+ 	grpcweb "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_web/v3"
++	ondemand "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/on_demand/v3"
+ 	router "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/router/v3"
+ 	httpwasm "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/wasm/v3"
+ 	httpinspector "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/http_inspector/v3"
+@@ -54,6 +55,14 @@
+ // Define static filters to be reused across the codebase. This avoids duplicate marshaling/unmarshaling
+ // This should not be used for filters that will be mutated
+ var (
++	// Added by ingress
++	OnDemand = &hcm.HttpFilter{
++		Name: "envoy.filters.http.on_demand.v3.OnDemand",
++		ConfigType: &hcm.HttpFilter_TypedConfig{
++			TypedConfig: util.MessageToAny(&ondemand.OnDemand{}),
++		},
++	}
++	// End added by ingress
+ 	Cors = &hcm.HttpFilter{
+ 		Name: wellknown.CORS,
+ 		ConfigType: &hcm.HttpFilter_TypedConfig{
+diff -Naur istio/pilot/pkg/xds/srds.go istio-new/pilot/pkg/xds/srds.go
+--- istio/pilot/pkg/xds/srds.go	1970-01-01 08:00:00.000000000 +0800
++++ istio-new/pilot/pkg/xds/srds.go	2024-01-05 13:45:49.000000000 +0800
+@@ -0,0 +1,79 @@
++// Copyright Istio Authors
++//
++// Licensed under the Apache License, Version 2.0 (the "License");
++// you may not use this file except in compliance with the License.
++// You may obtain a copy of the License at
++//
++//     http://www.apache.org/licenses/LICENSE-2.0
++//
++// Unless required by applicable law or agreed to in writing, software
++// distributed under the License is distributed on an "AS IS" BASIS,
++// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++// See the License for the specific language governing permissions and
++// limitations under the License.
++
++package xds
++
++import (
++	discovery "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
++	"istio.io/istio/pilot/pkg/features"
++	"istio.io/istio/pilot/pkg/model"
++	"istio.io/istio/pilot/pkg/networking/util"
++	"istio.io/istio/pkg/config"
++	"istio.io/istio/pkg/config/schema/gvk"
++)
++
++type SrdsGenerator struct {
++	Server *DiscoveryServer
++}
++
++var _ model.XdsResourceGenerator = &SrdsGenerator{}
++
++// Map of all configs that do not impact SRDS
++var skippedSrdsConfigs = map[config.GroupVersionKind]struct{}{
++	gvk.WorkloadEntry:         {},
++	gvk.WorkloadGroup:         {},
++	gvk.RequestAuthentication: {},
++	gvk.PeerAuthentication:    {},
++	gvk.Secret:                {},
++}
++
++func srdsNeedsPush(req *model.PushRequest) bool {
++	if !features.EnableScopedRDS {
++		return false
++	}
++	if req == nil {
++		return true
++	}
++	if !req.Full {
++		// SRDS only handles full push
++		return false
++	}
++	// If none set, we will always push
++	if len(req.ConfigsUpdated) == 0 {
++		return true
++	}
++	for config := range req.ConfigsUpdated {
++		if _, f := skippedSrdsConfigs[config.Kind]; !f {
++			return true
++		}
++	}
++	return false
++}
++
++func (s SrdsGenerator) Generate(proxy *model.Proxy, push *model.PushContext, w *model.WatchedResource,
++	req *model.PushRequest) (model.Resources, model.XdsLogDetails, error) {
++	if !srdsNeedsPush(req) {
++		return nil, model.DefaultXdsLogDetails, nil
++	}
++
++	scopedRoutes := s.Server.ConfigGenerator.BuildScopedRoutes(proxy, push)
++	resources := model.Resources{}
++	for _, sr := range scopedRoutes {
++		resources = append(resources, &discovery.Resource{
++			Name:     sr.Name,
++			Resource: util.MessageToAny(sr),
++		})
++	}
++	return resources, model.DefaultXdsLogDetails, nil
++}
+diff -Naur istio/pilot/pkg/xds/v3/model.go istio-new/pilot/pkg/xds/v3/model.go
+--- istio/pilot/pkg/xds/v3/model.go	2024-01-05 17:58:03.000000000 +0800
++++ istio-new/pilot/pkg/xds/v3/model.go	2024-01-05 16:55:49.000000000 +0800
+@@ -31,6 +31,10 @@
+ 	SecretType                 = resource.SecretType
+ 	ExtensionConfigurationType = resource.ExtensionConfigType
+ 
++	// Added by ingress
++	ScopedRouteType = apiTypePrefix + "envoy.config.route.v3.ScopedRouteConfiguration"
++	// End added by ingress
++
+ 	NameTableType   = apiTypePrefix + "istio.networking.nds.v1.NameTable"
+ 	HealthInfoType  = apiTypePrefix + "istio.v1.HealthInformation"
+ 	ProxyConfigType = apiTypePrefix + "istio.mesh.v1alpha1.ProxyConfig"
+@@ -61,6 +65,10 @@
+ 		return "PCDS"
+ 	case ExtensionConfigurationType:
+ 		return "ECDS"
++	// Added by ingress
++	case ScopedRouteType:
++		return "SRDS"
++	// End added by ingress
+ 	default:
+ 		return typeURL
+ 	}
+@@ -87,6 +95,10 @@
+ 		return "ecds"
+ 	case BootstrapType:
+ 		return "bds"
++	// Added by ingress
++	case ScopedRouteType:
++		return "srds"
++	// End added by ingress
+ 	default:
+ 		return typeURL
+ 	}
+diff -Naur istio/pkg/config/constants/constants.go istio-new/pkg/config/constants/constants.go
+--- istio/pkg/config/constants/constants.go	2024-01-05 17:58:08.000000000 +0800
++++ istio-new/pkg/config/constants/constants.go	2024-01-04 21:20:00.000000000 +0800
+@@ -143,4 +143,9 @@
+ 	// CertProviderNone does not create any certificates for the control plane. It is assumed that some external
+ 	// load balancer, such as an Istio Gateway, is terminating the TLS.
+ 	CertProviderNone = "none"
++
++	// Added by ingress
++	HigressHostRDSNamePrefix = "higress-rds-"
++	DefaultScopedRouteName   = "scoped-route"
++	// End added by ingress
+ )

istio/1.12/patches/istio/20240115-optimize-rds-cache.patch

@@ -0,0 +1,373 @@
+diff -Naur istio/pilot/pkg/model/push_context.go istio-new/pilot/pkg/model/push_context.go
+--- istio/pilot/pkg/model/push_context.go	2024-01-15 20:46:45.000000000 +0800
++++ istio-new/pilot/pkg/model/push_context.go	2024-01-15 19:20:45.000000000 +0800
+@@ -96,6 +96,9 @@
+ 	publicByGateway map[string][]config.Config
+ 	// root vs namespace/name ->delegate vs virtualservice gvk/namespace/name
+ 	delegates map[ConfigKey][]ConfigKey
++	// Added by ingress
++	byHost map[string][]config.Config
++	// End added by ingress
+ }
+ 
+ func newVirtualServiceIndex() virtualServiceIndex {
+@@ -104,6 +107,9 @@
+ 		privateByNamespaceAndGateway: map[string]map[string][]config.Config{},
+ 		exportedToNamespaceByGateway: map[string]map[string][]config.Config{},
+ 		delegates:                    map[ConfigKey][]ConfigKey{},
++		// Added by ingress
++		byHost: map[string][]config.Config{},
++		// End added by ingress
+ 	}
+ }
+ 
+@@ -857,6 +863,13 @@
+ 	return res
+ }
+ 
++// Added by ingress
++func (ps *PushContext) VirtualServicesForHost(proxy *Proxy, host string) []config.Config {
++	return ps.virtualServiceIndex.byHost[host]
++}
++
++// End added by ingress
++
+ // DelegateVirtualServicesConfigKey lists all the delegate virtual services configkeys associated with the provided virtual services
+ func (ps *PushContext) DelegateVirtualServicesConfigKey(vses []config.Config) []ConfigKey {
+ 	var out []ConfigKey
+@@ -1468,6 +1481,11 @@
+ 	for _, virtualService := range vservices {
+ 		ns := virtualService.Namespace
+ 		rule := virtualService.Spec.(*networking.VirtualService)
++		// Added by ingress
++		for _, host := range rule.Hosts {
++			ps.virtualServiceIndex.byHost[host] = append(ps.virtualServiceIndex.byHost[host], virtualService)
++		}
++		// End added by ingress
+ 		gwNames := getGatewayNames(rule)
+ 		if len(rule.ExportTo) == 0 {
+ 			// No exportTo in virtualService. Use the global default
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
+--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-01-15 20:46:45.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-01-15 20:04:05.000000000 +0800
+@@ -28,6 +28,7 @@
+ 	route "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
+ 	hcm "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
+ 	tls "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
++	discovery "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
+ 	"github.com/hashicorp/go-multierror"
+ 
+ 	meshconfig "istio.io/api/mesh/v1alpha1"
+@@ -35,6 +36,7 @@
+ 	"istio.io/istio/pilot/pkg/features"
+ 	"istio.io/istio/pilot/pkg/model"
+ 	istionetworking "istio.io/istio/pilot/pkg/networking"
++	"istio.io/istio/pilot/pkg/networking/core/v1alpha3/envoyfilter"
+ 	"istio.io/istio/pilot/pkg/networking/core/v1alpha3/extension"
+ 	"istio.io/istio/pilot/pkg/networking/core/v1alpha3/mseingress"
+ 	istio_route "istio.io/istio/pilot/pkg/networking/core/v1alpha3/route"
+@@ -423,8 +425,15 @@
+ 	gatewayName    string
+ }
+ 
+-func (configgen *ConfigGeneratorImpl) buildHostRDSConfig(node *model.Proxy, push *model.PushContext,
+-	routeName string) *route.RouteConfiguration {
++func (configgen *ConfigGeneratorImpl) buildHostRDSConfig(
++	node *model.Proxy,
++	req *model.PushRequest,
++	routeName string,
++	vsCache map[int][]virtualServiceContext,
++	efw *model.EnvoyFilterWrapper,
++	efKeys []string,
++) (*discovery.Resource, bool) {
++	push := req.Push
+ 	var (
+ 		hostRDSPort string
+ 		hostRDSHost string
+@@ -432,7 +441,7 @@
+ 	portAndHost := strings.SplitN(strings.TrimPrefix(routeName, constants.HigressHostRDSNamePrefix), ".", 2)
+ 	if len(portAndHost) != 2 {
+ 		log.Errorf("Invalid route %s when using Higress hostRDS", routeName)
+-		return nil
++		return nil, false
+ 	}
+ 	hostRDSPort = portAndHost[0]
+ 	hostRDSHost = portAndHost[1]
+@@ -441,10 +450,24 @@
+ 	rdsPort, err := strconv.Atoi(hostRDSPort)
+ 	if err != nil {
+ 		log.Errorf("Invalid port %s of route %s when using Higress hostRDS", hostRDSPort, routeName)
+-		return nil
++		return nil, false
++	}
++
++	routeCache := &istio_route.Cache{
++		RouteName:    routeName,
++		ProxyVersion: node.Metadata.IstioVersion,
++		ListenerPort: rdsPort,
++		// Use same host vs to cache, although the cache can be cleared when the port is different, this can be accepted
++		VirtualServices: push.VirtualServicesForHost(node, hostRDSHost),
++		EnvoyFilterKeys: efKeys,
++	}
++
++	resource, exist := configgen.Cache.Get(routeCache)
++	if exist {
++		return resource, true
+ 	}
++
+ 	listenerPort := uint32(rdsPort)
+-	globalHTTPFilters := mseingress.ExtractGlobalHTTPFilters(node, push)
+ 
+ 	isH3DiscoveryNeeded := false
+ 
+@@ -457,9 +480,9 @@
+ 			break
+ 		}
+ 	}
+-
+ 	gatewayRoutes := make(map[string]map[string][]*route.Route)
+ 	gatewayVirtualServices := make(map[string][]config.Config)
++	var listenerVirtualServices []virtualServiceContext
+ 	var selectedVirtualServices []virtualServiceContext
+ 	var vHost *route.VirtualHost
+ 	serverIterator := func(mergedServers map[model.ServerPort]*model.MergedServers) {
+@@ -478,31 +501,8 @@
+ 					gatewayVirtualServices[gatewayName] = virtualServices
+ 				}
+ 				for _, virtualService := range virtualServices {
+-					hostMatch := false
+-					var selectHost string
+-					virtualServiceHosts := host.NewNames(virtualService.Spec.(*networking.VirtualService).Hosts)
+-					for _, hostname := range virtualServiceHosts {
+-						// exact match
+-						if hostname == host.Name(hostRDSHost) {
+-							hostMatch = true
+-							selectHost = hostRDSHost
+-							break
+-						}
+-						if features.HostRDSMergeSubset {
+-							// subset match
+-							if host.Name(hostRDSHost).SubsetOf(hostname) {
+-								hostMatch = true
+-								selectHost = string(hostname)
+-							}
+-						}
+-					}
+-					if !hostMatch {
+-						continue
+-					}
+-					copiedVS := virtualService.DeepCopy()
+-					copiedVS.Spec.(*networking.VirtualService).Hosts = []string{selectHost}
+-					selectedVirtualServices = append(selectedVirtualServices, virtualServiceContext{
+-						virtualService: copiedVS,
++					listenerVirtualServices = append(listenerVirtualServices, virtualServiceContext{
++						virtualService: virtualService,
+ 						server:         server,
+ 						gatewayName:    gatewayName,
+ 					})
+@@ -510,15 +510,63 @@
+ 			}
+ 		}
+ 	}
+-	serverIterator(merged.MergedServers)
+-	serverIterator(merged.MergedQUICTransportServers)
+-	// Sort by subset
+-	// before: ["*.abc.com", "*.com", "www.abc.com"]
+-	// after: ["www.abc.com", "*.abc.com", "*.com"]
+-	sort.SliceStable(selectedVirtualServices, func(i, j int) bool {
+-		return host.Name(selectedVirtualServices[i].virtualService.Spec.(*networking.VirtualService).Hosts[0]).SubsetOf(
+-			host.Name(selectedVirtualServices[j].virtualService.Spec.(*networking.VirtualService).Hosts[0]))
+-	})
++	var vsExists bool
++	if listenerVirtualServices, vsExists = vsCache[rdsPort]; !vsExists {
++		serverIterator(merged.MergedServers)
++		serverIterator(merged.MergedQUICTransportServers)
++		vsCache[rdsPort] = listenerVirtualServices
++	}
++	for _, vsCtx := range listenerVirtualServices {
++		virtualService := vsCtx.virtualService
++		hostMatch := false
++		var selectHost string
++		for _, hostname := range virtualService.Spec.(*networking.VirtualService).Hosts {
++			// exact match
++			if hostname == hostRDSHost {
++				hostMatch = true
++				selectHost = hostRDSHost
++				break
++			}
++			if features.HostRDSMergeSubset {
++				// subset match
++				if host.Name(hostRDSHost).SubsetOf(host.Name(hostname)) {
++					hostMatch = true
++					selectHost = hostname
++				}
++			}
++		}
++		if !hostMatch {
++			continue
++		}
++		if len(virtualService.Spec.(*networking.VirtualService).Hosts) > 1 {
++			copiedVS := &networking.VirtualService{}
++			copiedVS = virtualService.Spec.(*networking.VirtualService)
++			copiedVS.Hosts = []string{selectHost}
++			selectedVirtualServices = append(selectedVirtualServices, virtualServiceContext{
++				virtualService: config.Config{
++					Meta:   virtualService.Meta,
++					Spec:   copiedVS,
++					Status: virtualService.Status,
++				},
++				server:      vsCtx.server,
++				gatewayName: vsCtx.gatewayName,
++			})
++		} else {
++			selectedVirtualServices = append(selectedVirtualServices, vsCtx)
++		}
++	}
++	if features.HostRDSMergeSubset {
++		// Sort by subset
++		// before: ["*.abc.com", "*.com", "www.abc.com"]
++		// after: ["www.abc.com", "*.abc.com", "*.com"]
++		sort.SliceStable(selectedVirtualServices, func(i, j int) bool {
++			return host.Name(selectedVirtualServices[i].virtualService.Spec.(*networking.VirtualService).Hosts[0]).SubsetOf(
++				host.Name(selectedVirtualServices[j].virtualService.Spec.(*networking.VirtualService).Hosts[0]))
++		})
++	}
++
++	globalHTTPFilters := mseingress.ExtractGlobalHTTPFilters(node, push)
++
+ 	port := int(listenerPort)
+ 	for _, ctx := range selectedVirtualServices {
+ 		virtualService := ctx.virtualService
+@@ -605,25 +653,42 @@
+ 		ValidateClusters: proto.BoolFalse,
+ 	}
+ 
+-	return routeCfg
++	routeCfg = envoyfilter.ApplyRouteConfigurationPatches(networking.EnvoyFilter_GATEWAY, node, efw, routeCfg)
++	resource = &discovery.Resource{
++		Name:     routeName,
++		Resource: util.MessageToAny(routeCfg),
++	}
++
++	if features.EnableRDSCaching {
++		configgen.Cache.Add(routeCache, req, resource)
++	}
++
++	return resource, false
+ }
+ 
+ // End added by ingress
+ 
+-func (configgen *ConfigGeneratorImpl) buildGatewayHTTPRouteConfig(node *model.Proxy, push *model.PushContext,
+-	routeName string) *route.RouteConfiguration {
++// Modifed by ingress
++func (configgen *ConfigGeneratorImpl) buildGatewayHTTPRouteConfig(
++	node *model.Proxy,
++	req *model.PushRequest,
++	routeName string,
++	vsCache map[int][]virtualServiceContext,
++	efw *model.EnvoyFilterWrapper,
++	efKeys []string,
++) (*discovery.Resource, bool) {
+ 	if node.MergedGateway == nil {
+ 		log.Warnf("buildGatewayRoutes: no gateways for router %v", node.ID)
+-		return &route.RouteConfiguration{
+-			Name:             routeName,
+-			VirtualHosts:     []*route.VirtualHost{},
+-			ValidateClusters: proto.BoolFalse,
+-		}
++		return nil, false
+ 	}
+-
+ 	// Added by ingress
++	push := req.Push
+ 	if strings.HasPrefix(routeName, constants.HigressHostRDSNamePrefix) {
+-		return configgen.buildHostRDSConfig(node, push, routeName)
++		resource, cacheHit := configgen.buildHostRDSConfig(node, req, routeName, vsCache, efw, efKeys)
++		if resource == nil {
++			return nil, false
++		}
++		return resource, cacheHit
+ 	}
+ 	// End added by ingress
+ 
+@@ -636,7 +701,7 @@
+ 
+ 		// This can happen when a gateway has recently been deleted. Envoy will still request route
+ 		// information due to the draining of listeners, so we should not return an error.
+-		return nil
++		return nil, false
+ 	}
+ 
+ 	servers := merged.ServersByRouteName[routeName]
+@@ -768,9 +833,16 @@
+ 		ValidateClusters: proto.BoolFalse,
+ 	}
+ 
+-	return routeCfg
++	routeCfg = envoyfilter.ApplyRouteConfigurationPatches(networking.EnvoyFilter_GATEWAY, node, efw, routeCfg)
++	resource := &discovery.Resource{
++		Name:     routeName,
++		Resource: util.MessageToAny(routeCfg),
++	}
++	return resource, false
+ }
+ 
++// End modified by ingress
++
+ // hashRouteList returns a hash of a list of pointers
+ func hashRouteList(r []*route.Route) uint64 {
+ 	hash := md5.New()
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/httproute.go istio-new/pilot/pkg/networking/core/v1alpha3/httproute.go
+--- istio/pilot/pkg/networking/core/v1alpha3/httproute.go	2024-01-15 20:46:41.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/httproute.go	2024-01-15 10:29:09.000000000 +0800
+@@ -78,17 +78,30 @@
+ 			routeConfigurations = append(routeConfigurations, rc)
+ 		}
+ 	case model.Router:
++		// Modified by ingress
++		vsCache := make(map[int][]virtualServiceContext)
++		envoyfilterKeys := efw.Keys()
+ 		for _, routeName := range routeNames {
+-			rc := configgen.buildGatewayHTTPRouteConfig(node, req.Push, routeName)
+-			if rc != nil {
+-				rc = envoyfilter.ApplyRouteConfigurationPatches(networking.EnvoyFilter_GATEWAY, node, efw, rc)
+-				resource := &discovery.Resource{
++			rc, cached := configgen.buildGatewayHTTPRouteConfig(node, req, routeName, vsCache, efw, envoyfilterKeys)
++			if cached && !features.EnableUnsafeAssertions {
++				hit++
++			} else {
++				miss++
++			}
++			if rc == nil {
++				emptyRoute := &route.RouteConfiguration{
++					Name:             routeName,
++					VirtualHosts:     []*route.VirtualHost{},
++					ValidateClusters: proto.BoolFalse,
++				}
++				rc = &discovery.Resource{
+ 					Name:     routeName,
+-					Resource: util.MessageToAny(rc),
++					Resource: util.MessageToAny(emptyRoute),
+ 				}
+-				routeConfigurations = append(routeConfigurations, resource)
+ 			}
++			routeConfigurations = append(routeConfigurations, rc)
+ 		}
++		// End modified by ingress
+ 	}
+ 	if !features.EnableRDSCaching {
+ 		return routeConfigurations, model.DefaultXdsLogDetails
+diff -Naur istio/pilot/pkg/xds/discovery.go istio-new/pilot/pkg/xds/discovery.go
+--- istio/pilot/pkg/xds/discovery.go	2024-01-15 20:46:45.000000000 +0800
++++ istio-new/pilot/pkg/xds/discovery.go	2024-01-12 19:56:02.000000000 +0800
+@@ -392,6 +392,9 @@
+ // ConfigUpdate implements ConfigUpdater interface, used to request pushes.
+ // It replaces the 'clear cache' from v1.
+ func (s *DiscoveryServer) ConfigUpdate(req *model.PushRequest) {
++	if req.Full {
++		log.Infof("full push happen, reason:%v", req.Reason)
++	}
+ 	inboundConfigUpdates.Increment()
+ 	s.InboundUpdates.Inc()
+ 	s.pushChannel <- req

istio/1.12/patches/istio/20240201-optimize-default-arg.patch

@@ -0,0 +1,60 @@
+diff -Naur istio/pilot/cmd/pilot-agent/status/util/stats.go istio-new/pilot/cmd/pilot-agent/status/util/stats.go
+--- istio/pilot/cmd/pilot-agent/status/util/stats.go	2024-02-01 10:20:13.000000000 +0800
++++ istio-new/pilot/cmd/pilot-agent/status/util/stats.go	2024-01-31 22:44:53.000000000 +0800
+@@ -73,7 +73,7 @@
+ 		localHostAddr = "localhost"
+ 	}
+ 
+-	readinessURL := fmt.Sprintf("http://%s:%d/stats?usedonly&filter=%s", localHostAddr, adminPort, readyStatsRegex)
++	readinessURL := fmt.Sprintf("http://%s:%d/stats?usedonly", localHostAddr, adminPort)
+ 	stats, err := http.DoHTTPGetWithTimeout(readinessURL, readinessTimeout)
+ 	if err != nil {
+ 		return nil, false, err
+@@ -105,7 +105,7 @@
+ 		localHostAddr = "localhost"
+ 	}
+ 
+-	stats, err := http.DoHTTPGet(fmt.Sprintf("http://%s:%d/stats?usedonly&filter=%s", localHostAddr, adminPort, updateStatsRegex))
++	stats, err := http.DoHTTPGet(fmt.Sprintf("http://%s:%d/stats?usedonly", localHostAddr, adminPort))
+ 	if err != nil {
+ 		return nil, err
+ 	}
+diff -Naur istio/pilot/pkg/features/pilot.go istio-new/pilot/pkg/features/pilot.go
+--- istio/pilot/pkg/features/pilot.go	2024-02-01 10:20:17.000000000 +0800
++++ istio-new/pilot/pkg/features/pilot.go	2024-02-01 10:16:18.000000000 +0800
+@@ -575,6 +575,8 @@
+ 		"If enabled, each host in virtualservice will have an independent RDS, which is used with SRDS").Get()
+ 	OnDemandRDS = env.RegisterBoolVar("ON_DEMAND_RDS", false,
+ 		"If enabled, the on demand filter will be added to the HCM filters").Get()
++	DefaultUpstreamConcurrencyThreshold = env.RegisterIntVar("DEFAULT_UPSTREAM_CONCURRENCY_THRESHOLD", 1000000,
++		"The default threshold of max_requests/max_pending_requests/max_connections of circuit breaker").Get()
+ 	// End added by ingress
+ )
+ 
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/cluster.go istio-new/pilot/pkg/networking/core/v1alpha3/cluster.go
+--- istio/pilot/pkg/networking/core/v1alpha3/cluster.go	2024-02-01 10:20:17.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/cluster.go	2024-02-01 10:16:05.000000000 +0800
+@@ -61,6 +61,7 @@
+ 
+ // getDefaultCircuitBreakerThresholds returns a copy of the default circuit breaker thresholds for the given traffic direction.
+ func getDefaultCircuitBreakerThresholds() *cluster.CircuitBreakers_Thresholds {
++	// Modified by ingress
+ 	return &cluster.CircuitBreakers_Thresholds{
+ 		// DefaultMaxRetries specifies the default for the Envoy circuit breaker parameter max_retries. This
+ 		// defines the maximum number of parallel retries a given Envoy will allow to the upstream cluster. Envoy defaults
+@@ -68,11 +69,12 @@
+ 		// where multiple endpoints in a cluster are terminated. In these scenarios the circuit breaker can kick
+ 		// in before Pilot is able to deliver an updated endpoint list to Envoy, leading to client-facing 503s.
+ 		MaxRetries:         &wrappers.UInt32Value{Value: math.MaxUint32},
+-		MaxRequests:        &wrappers.UInt32Value{Value: math.MaxUint32},
+-		MaxConnections:     &wrappers.UInt32Value{Value: math.MaxUint32},
+-		MaxPendingRequests: &wrappers.UInt32Value{Value: math.MaxUint32},
++		MaxRequests:        &wrappers.UInt32Value{Value: uint32(features.DefaultUpstreamConcurrencyThreshold)},
++		MaxConnections:     &wrappers.UInt32Value{Value: uint32(features.DefaultUpstreamConcurrencyThreshold)},
++		MaxPendingRequests: &wrappers.UInt32Value{Value: uint32(features.DefaultUpstreamConcurrencyThreshold)},
+ 		TrackRemaining:     true,
+ 	}
++	// End modified by ingress
+ }
+ 
+ // BuildClusters returns the list of clusters for the given proxy. This is the CDS output

istio/1.12/patches/istio/20240201-virtual-host-allow-server-name.patch

@@ -0,0 +1,88 @@
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
+--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-02-01 13:53:17.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-02-01 13:52:11.000000000 +0800
+@@ -501,6 +501,16 @@
+ 					gatewayVirtualServices[gatewayName] = virtualServices
+ 				}
+ 				for _, virtualService := range virtualServices {
++					virtualServiceHosts := host.NewNames(virtualService.Spec.(*networking.VirtualService).Hosts)
++					serverHosts := host.NamesForNamespace(server.Hosts, virtualService.Namespace)
++
++					// We have two cases here:
++					// 1. virtualService hosts are 1.foo.com, 2.foo.com, 3.foo.com and server hosts are ns/*.foo.com
++					// 2. virtualService hosts are *.foo.com, and server hosts are ns/1.foo.com, ns/2.foo.com, ns/3.foo.com
++					intersectingHosts := serverHosts.Intersection(virtualServiceHosts)
++					if len(intersectingHosts) == 0 {
++						continue
++					}
+ 					listenerVirtualServices = append(listenerVirtualServices, virtualServiceContext{
+ 						virtualService: virtualService,
+ 						server:         server,
+@@ -615,22 +625,24 @@
+ 
+ 		// check all hostname if is not exist with HttpsRedirect set to true
+ 		// create VirtualHost to redirect
+-		for _, hostname := range server.Hosts {
+-			if !server.GetTls().GetHttpsRedirect() {
+-				continue
+-			}
+-			if vHost != nil && host.Name(hostname) == host.Name(hostRDSHost) {
++		if server.GetTls().GetHttpsRedirect() {
++			if vHost != nil {
+ 				vHost.RequireTls = route.VirtualHost_ALL
+-				continue
++			} else {
++				vHost = &route.VirtualHost{
++					Name:                       util.DomainName(hostRDSHost, port),
++					Domains:                    buildGatewayVirtualHostDomains(hostRDSHost, port),
++					IncludeRequestAttemptCount: true,
++					RequireTls:                 route.VirtualHost_ALL,
++				}
+ 			}
+-			vHost = &route.VirtualHost{
+-				Name:                       util.DomainName(hostname, port),
+-				Domains:                    buildGatewayVirtualHostDomains(hostname, port),
+-				IncludeRequestAttemptCount: true,
+-				RequireTls:                 route.VirtualHost_ALL,
++		} else if vHost != nil {
++			mode := server.GetTls().GetMode()
++			if mode == networking.ServerTLSSettings_MUTUAL ||
++				mode == networking.ServerTLSSettings_ISTIO_MUTUAL {
++				vHost.AllowServerNames = append(vHost.AllowServerNames, server.Hosts...)
+ 			}
+ 		}
+-
+ 	}
+ 	var virtualHosts []*route.VirtualHost
+ 	if vHost == nil {
+@@ -642,6 +654,30 @@
+ 			Routes: []*route.Route{},
+ 		}}
+ 	} else {
++		sort.SliceStable(vHost.AllowServerNames, func(i, j int) bool {
++			hostI := vHost.AllowServerNames[i]
++			hostJ := vHost.AllowServerNames[j]
++			if host.Name(hostI).SubsetOf(host.Name(hostJ)) {
++				return true
++			}
++			return hostI < hostJ
++		})
++		var uniqueServerNames []string
++		hasAllCatch := false
++		for i, name := range vHost.AllowServerNames {
++			if name == "*" {
++				hasAllCatch = true
++				break
++			}
++			if i == 0 || vHost.AllowServerNames[i-1] != name {
++				uniqueServerNames = append(uniqueServerNames, name)
++			}
++		}
++		if hasAllCatch {
++			vHost.AllowServerNames = nil
++		} else {
++			vHost.AllowServerNames = uniqueServerNames
++		}
+ 		vHost.Routes = istio_route.CombineVHostRoutes(vHost.Routes)
+ 		virtualHosts = append(virtualHosts, vHost)
+ 	}

istio/1.12/patches/istio/20240202-fix-rds-cache.patch

@@ -0,0 +1,41 @@
+diff -Naur istio/pilot/pkg/xds/discovery.go istio-new/pilot/pkg/xds/discovery.go
+--- istio/pilot/pkg/xds/discovery.go	2024-02-02 16:26:49.000000000 +0800
++++ istio-new/pilot/pkg/xds/discovery.go	2024-02-02 15:38:53.000000000 +0800
+@@ -18,6 +18,7 @@
+ 	"context"
+ 	"fmt"
+ 	"strconv"
++	"strings"
+ 	"sync"
+ 	"time"
+ 
+@@ -41,6 +42,7 @@
+ 	"istio.io/istio/pilot/pkg/util/sets"
+ 	v3 "istio.io/istio/pilot/pkg/xds/v3"
+ 	"istio.io/istio/pkg/cluster"
++	"istio.io/istio/pkg/config/constants"
+ 	"istio.io/istio/pkg/security"
+ )
+ 
+@@ -332,6 +334,21 @@
+ 	} else {
+ 		// Otherwise, just clear the updated configs
+ 		s.Cache.Clear(req.ConfigsUpdated)
++		//Added by ingress
++		trimKeyMap := make(map[model.ConfigKey]struct{})
++		for configKey := range req.ConfigsUpdated {
++			if strings.HasPrefix(configKey.Name, constants.IstioIngressGatewayName+"-") {
++				trimKeyMap[model.ConfigKey{
++					Kind:      configKey.Kind,
++					Name:      strings.TrimPrefix(configKey.Name, constants.IstioIngressGatewayName+"-"),
++					Namespace: configKey.Namespace,
++				}] = struct{}{}
++			}
++		}
++		if len(trimKeyMap) > 0 {
++			s.Cache.Clear(trimKeyMap)
++		}
++		//End added by ingress
+ 	}
+ }
+ 

istio/1.12/patches/istio/20240204-increase-healthcheck-timeout.patch

@@ -0,0 +1,21 @@
+diff -Naur istio/pilot/cmd/pilot-agent/status/util/stats.go istio-new/pilot/cmd/pilot-agent/status/util/stats.go
+--- istio/pilot/cmd/pilot-agent/status/util/stats.go	2024-02-04 18:48:18.000000000 +0800
++++ istio-new/pilot/cmd/pilot-agent/status/util/stats.go	2024-02-04 09:35:42.000000000 +0800
+@@ -37,7 +37,7 @@
+ 	updateStatsRegex   = "^(cluster_manager\\.cds|listener_manager\\.lds)\\.(update_success|update_rejected)$"
+ )
+ 
+-var readinessTimeout = time.Second * 3 // Default Readiness timeout. It is set the same in helm charts.
++var readinessTimeout = time.Second * 60 // Default Readiness timeout. It is set the same in helm charts.
+ 
+ type stat struct {
+ 	name  string
+@@ -105,7 +105,7 @@
+ 		localHostAddr = "localhost"
+ 	}
+ 
+-	stats, err := http.DoHTTPGet(fmt.Sprintf("http://%s:%d/stats?usedonly", localHostAddr, adminPort))
++	stats, err := http.DoHTTPGetWithTimeout(fmt.Sprintf("http://%s:%d/stats?usedonly", localHostAddr, adminPort), readinessTimeout)
+ 	if err != nil {
+ 		return nil, err
+ 	}

istio/1.12/patches/istio/20240304-fix-gwapi-rds-cache.patch

@@ -0,0 +1,132 @@
+diff -Naur istio/pilot/pkg/config/kube/gateway/conversion.go istio-new/pilot/pkg/config/kube/gateway/conversion.go
+--- istio/pilot/pkg/config/kube/gateway/conversion.go	2024-03-04 17:35:34.000000000 +0800
++++ istio-new/pilot/pkg/config/kube/gateway/conversion.go	2024-03-04 16:58:26.000000000 +0800
+@@ -450,7 +450,7 @@
+ 		name = fmt.Sprintf("%s/%s/%s.%s", obj.GroupVersionKind.Kind, obj.Name, *sectionName, obj.Namespace)
+ 	}
+ 	return map[string]string{
+-		constants.InternalParentName: name,
++		constants.InternalParentNames: name,
+ 	}
+ }
+ 
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
+--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-03-04 17:35:34.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-03-04 17:23:10.000000000 +0800
+@@ -49,6 +49,7 @@
+ 	"istio.io/istio/pkg/config/gateway"
+ 	"istio.io/istio/pkg/config/host"
+ 	"istio.io/istio/pkg/config/protocol"
++	"istio.io/istio/pkg/config/schema/gvk"
+ 	"istio.io/istio/pkg/config/security"
+ 	"istio.io/istio/pkg/proto"
+ 	"istio.io/istio/pkg/util/istiomultierror"
+@@ -453,12 +454,43 @@
+ 		return nil, false
+ 	}
+ 
++	hostVs := push.VirtualServicesForHost(node, hostRDSHost)
++
++	var httpRoutes []config.Config
++
++	for _, vs := range hostVs {
++		if len(vs.Annotations) == 0 {
++			continue
++		}
++		if parents, ok := vs.Annotations[constants.InternalParentNames]; ok {
++			typeNames := strings.Split(parents, ",")
++			for _, typeName := range typeNames {
++				if !strings.HasPrefix(typeName, "HTTPRoute/") {
++					continue
++				}
++				nsNameStr := strings.TrimPrefix(typeName, "HTTPRoute/")
++				nsName := strings.SplitN(nsNameStr, ".", 2)
++				if len(nsName) != 2 {
++					continue
++				}
++				httpRoutes = append(httpRoutes, config.Config{
++					Meta: config.Meta{
++						GroupVersionKind: gvk.HTTPRoute,
++						Name:             nsName[0],
++						Namespace:        nsName[1],
++					},
++				})
++			}
++		}
++	}
++
+ 	routeCache := &istio_route.Cache{
+ 		RouteName:    routeName,
+ 		ProxyVersion: node.Metadata.IstioVersion,
+ 		ListenerPort: rdsPort,
+ 		// Use same host vs to cache, although the cache can be cleared when the port is different, this can be accepted
+-		VirtualServices: push.VirtualServicesForHost(node, hostRDSHost),
++		VirtualServices: hostVs,
++		HTTPRoutes:      httpRoutes,
+ 		EnvoyFilterKeys: efKeys,
+ 	}
+ 
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/route/route_cache.go istio-new/pilot/pkg/networking/core/v1alpha3/route/route_cache.go
+--- istio/pilot/pkg/networking/core/v1alpha3/route/route_cache.go	2024-03-04 17:35:30.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/route/route_cache.go	2024-03-04 17:24:19.000000000 +0800
+@@ -43,9 +43,12 @@
+ 	// This depends on DNSCapture.
+ 	DNSAutoAllocate bool
+ 
+-	ListenerPort     int
+-	Services         []*model.Service
+-	VirtualServices  []config.Config
++	ListenerPort    int
++	Services        []*model.Service
++	VirtualServices []config.Config
++	// Added by ingress
++	HTTPRoutes []config.Config
++	// End added by ingress
+ 	DestinationRules []*config.Config
+ 	EnvoyFilterKeys  []string
+ }
+@@ -81,6 +84,11 @@
+ 	for _, vs := range r.VirtualServices {
+ 		configs = append(configs, model.ConfigKey{Kind: gvk.VirtualService, Name: vs.Name, Namespace: vs.Namespace})
+ 	}
++	// Added by ingress
++	for _, route := range r.HTTPRoutes {
++		configs = append(configs, model.ConfigKey{Kind: gvk.HTTPRoute, Name: route.Name, Namespace: route.Namespace})
++	}
++	// End added by ingress
+ 	for _, dr := range r.DestinationRules {
+ 		configs = append(configs, model.ConfigKey{Kind: gvk.DestinationRule, Name: dr.Name, Namespace: dr.Namespace})
+ 	}
+@@ -107,6 +115,11 @@
+ 	for _, vs := range r.VirtualServices {
+ 		params = append(params, vs.Name+"/"+vs.Namespace)
+ 	}
++	// Added by ingress
++	for _, route := range r.HTTPRoutes {
++		params = append(params, route.Name+"/"+route.Namespace)
++	}
++	// End added by ingress
+ 	for _, dr := range r.DestinationRules {
+ 		params = append(params, dr.Name+"/"+dr.Namespace)
+ 	}
+diff -Naur istio/pkg/config/constants/constants.go istio-new/pkg/config/constants/constants.go
+--- istio/pkg/config/constants/constants.go	2024-03-04 17:35:34.000000000 +0800
++++ istio-new/pkg/config/constants/constants.go	2024-03-04 16:58:05.000000000 +0800
+@@ -15,8 +15,6 @@
+ package constants
+ 
+ const (
+-	InternalParentNames = "internal.istio.io/parents"
+-
+ 	InternalRouteSemantics = "internal.istio.io/route-semantics"
+ 
+ 	RouteSemanticsGateway = "gateway"
+@@ -129,7 +127,7 @@
+ 	AlwaysPushLabel = "internal.istio.io/always-push"
+ 
+ 	// InternalParentName declares the original resource of an internally-generate config. This is used by the gateway-api.
+-	InternalParentName = "internal.istio.io/parent"
++	InternalParentNames = "internal.istio.io/parents"
+ 
+ 	// TrustworthyJWTPath is the default 3P token to authenticate with third party services
+ 	TrustworthyJWTPath = "./var/run/secrets/tokens/istio-token"

istio/1.12/patches/istio/20240308-fix-gateway-api-route-name.patch

@@ -0,0 +1,56 @@
+diff -Naur istio/pilot/pkg/config/kube/gateway/conversion.go istio-new/pilot/pkg/config/kube/gateway/conversion.go
+--- istio/pilot/pkg/config/kube/gateway/conversion.go	2024-03-08 17:23:49.000000000 +0800
++++ istio-new/pilot/pkg/config/kube/gateway/conversion.go	2024-03-08 17:02:50.000000000 +0800
+@@ -16,6 +16,7 @@
+ 
+ import (
+ 	"fmt"
++	"path"
+ 	"regexp"
+ 	"sort"
+ 	"strconv"
+@@ -28,6 +29,7 @@
+ 	gatewayapiV1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
+ 
+ 	istio "istio.io/api/networking/v1alpha3"
++	"istio.io/istio/pilot/pkg/features"
+ 	"istio.io/istio/pilot/pkg/model"
+ 	"istio.io/istio/pilot/pkg/model/credentials"
+ 	"istio.io/istio/pilot/pkg/model/kstatus"
+@@ -290,6 +292,16 @@
+ 	return ret
+ }
+ 
++// Added by ingress
++func generateRouteName(obj config.Config) string {
++	if obj.Namespace == features.HigressSystemNs {
++		return obj.Name
++	}
++	return path.Join(obj.Namespace, obj.Name)
++}
++
++// End added by ingress
++
+ func buildHTTPVirtualServices(ctx *KubernetesResources, obj config.Config, gateways map[parentKey]map[gatewayapiV1beta1.SectionName]*parentInfo, gatewayRoutes map[string]map[string]*config.Config, domain string) {
+ 	route := obj.Spec.(*gatewayapiV1beta1.HTTPRouteSpec)
+ 
+@@ -307,7 +319,7 @@
+ 	for _, r := range route.Rules {
+ 		// TODO: implement rewrite, timeout, mirror, corspolicy, retries
+ 		vs := &istio.HTTPRoute{
+-			Name: obj.Name,
++			Name: generateRouteName(obj),
+ 		}
+ 		for _, match := range r.Matches {
+ 			uri, err := createURIMatch(match)
+diff -Naur istio/pilot/pkg/features/pilot.go istio-new/pilot/pkg/features/pilot.go
+--- istio/pilot/pkg/features/pilot.go	2024-03-08 17:23:49.000000000 +0800
++++ istio-new/pilot/pkg/features/pilot.go	2024-03-08 17:00:05.000000000 +0800
+@@ -577,6 +577,7 @@
+ 		"If enabled, the on demand filter will be added to the HCM filters").Get()
+ 	DefaultUpstreamConcurrencyThreshold = env.RegisterIntVar("DEFAULT_UPSTREAM_CONCURRENCY_THRESHOLD", 1000000,
+ 		"The default threshold of max_requests/max_pending_requests/max_connections of circuit breaker").Get()
++	HigressSystemNs = env.RegisterStringVar("HIGRESS_SYSTEM_NS", "higress-system", "The system namespace of Higress").Get()
+ 	// End added by ingress
+ )
+ 

istio/1.12/patches/istio/20240422-fix-copyvs.patch

@@ -0,0 +1,20 @@
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
+--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-04-22 18:08:26.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-04-22 18:07:46.000000000 +0800
+@@ -581,13 +581,13 @@
+ 			continue
+ 		}
+ 		if len(virtualService.Spec.(*networking.VirtualService).Hosts) > 1 {
+-			copiedVS := &networking.VirtualService{}
+-			copiedVS = virtualService.Spec.(*networking.VirtualService)
++			copiedVS := networking.VirtualService{}
++			copiedVS = *(virtualService.Spec.(*networking.VirtualService))
+ 			copiedVS.Hosts = []string{selectHost}
+ 			selectedVirtualServices = append(selectedVirtualServices, virtualServiceContext{
+ 				virtualService: config.Config{
+ 					Meta:   virtualService.Meta,
+-					Spec:   copiedVS,
++					Spec:   &copiedVS,
+ 					Status: virtualService.Status,
+ 				},
+ 				server:      vsCtx.server,

istio/1.12/patches/istio/20240518-optimize-rds-cache.patch

@@ -0,0 +1,83 @@
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
+--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-05-18 19:09:14.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-05-18 18:08:30.000000000 +0800
+@@ -457,8 +457,46 @@
+ 	hostVs := push.VirtualServicesForHost(node, hostRDSHost)
+ 
+ 	var httpRoutes []config.Config
++	var vsDependent []config.Config
++
++	cacheable := true
+ 
+ 	for _, vs := range hostVs {
++		vsSpec := vs.Spec.(*networking.VirtualService)
++		for _, vsHttpRoute := range vsSpec.Http {
++			// check if dynamic port exists, we should not cache RDS
++			for _, vsRoute := range vsHttpRoute.Route {
++				if vsRoute.Destination.Port == nil {
++					cacheable = false
++				}
++				for _, fallbackDestination := range vsRoute.FallbackClusters {
++					if fallbackDestination.Port == nil {
++						cacheable = false
++					}
++				}
++			}
++			if vsHttpRoute.Mirror != nil && vsHttpRoute.Mirror.Port == nil {
++				cacheable = false
++			}
++			if vsHttpRoute.Delegate != nil {
++				vsDependent = append(vsDependent, config.Config{
++					Meta: config.Meta{
++						GroupVersionKind: gvk.VirtualService,
++						Name:             vsHttpRoute.Delegate.Name,
++						Namespace:        vsHttpRoute.Delegate.Namespace,
++					},
++					Spec: networking.VirtualService{},
++				})
++			}
++		}
++		vsDependent = append(vsDependent, config.Config{
++			Meta: config.Meta{
++				GroupVersionKind: gvk.VirtualService,
++				Name:             vs.Name,
++				Namespace:        vs.Namespace,
++			},
++			Spec: vs.Spec,
++		})
+ 		if len(vs.Annotations) == 0 {
+ 			continue
+ 		}
+@@ -489,14 +527,19 @@
+ 		ProxyVersion: node.Metadata.IstioVersion,
+ 		ListenerPort: rdsPort,
+ 		// Use same host vs to cache, although the cache can be cleared when the port is different, this can be accepted
+-		VirtualServices: hostVs,
++		VirtualServices: vsDependent,
+ 		HTTPRoutes:      httpRoutes,
+ 		EnvoyFilterKeys: efKeys,
+ 	}
+ 
+-	resource, exist := configgen.Cache.Get(routeCache)
+-	if exist {
+-		return resource, true
++	var resource *discovery.Resource
++	if cacheable {
++		resource, exist := configgen.Cache.Get(routeCache)
++		if exist {
++			return resource, true
++		}
++	} else {
++		log.Warnf("route cache is disabled for RDS:%s", routeName)
+ 	}
+ 
+ 	listenerPort := uint32(rdsPort)
+@@ -727,7 +770,7 @@
+ 		Resource: util.MessageToAny(routeCfg),
+ 	}
+ 
+-	if features.EnableRDSCaching {
++	if features.EnableRDSCaching && cacheable {
+ 		configgen.Cache.Add(routeCache, req, resource)
+ 	}
+ 

istio/1.12/patches/istio/20240519-proxy-start-script.patch

@@ -0,0 +1,752 @@
+diff -Naur istio/pilot/docker/Dockerfile.proxyv2 istio-new/pilot/docker/Dockerfile.proxyv2
+--- istio/pilot/docker/Dockerfile.proxyv2	2024-05-19 16:40:42.706769894 +0800
++++ istio-new/pilot/docker/Dockerfile.proxyv2	2024-05-19 16:07:20.630730574 +0800
+@@ -28,6 +28,7 @@
+ 
+ # Copy Envoy bootstrap templates used by pilot-agent
+ COPY envoy_bootstrap.json /var/lib/istio/envoy/envoy_bootstrap_tmpl.json
++COPY envoy_bootstrap_lite.json /var/lib/istio/envoy/envoy_bootstrap_lite_tmpl.json
+ COPY gcp_envoy_bootstrap.json /var/lib/istio/envoy/gcp_envoy_bootstrap_tmpl.json
+ 
+ # Install Envoy.
+@@ -47,5 +48,30 @@
+ # COPY metadata-exchange-filter.wasm /etc/istio/extensions/metadata-exchange-filter.wasm
+ # COPY metadata-exchange-filter.compiled.wasm /etc/istio/extensions/metadata-exchange-filter.compiled.wasm
+ 
++RUN apt-get update && \
++  apt-get install --no-install-recommends -y \
++  logrotate \
++  cron \
++  && apt-get upgrade -y \
++  && apt-get clean
++
++# Latest releases available at https://github.com/aptible/supercronic/releases
++ENV SUPERCRONIC_URL=https://higress.io/release-binary/supercronic-linux-${TARGETARCH:-amd64} \
++    SUPERCRONIC=supercronic-linux-${TARGETARCH:-amd64}
++
++RUN curl -fsSLO "$SUPERCRONIC_URL" \
++ && chmod +x "$SUPERCRONIC" \
++ && mv "$SUPERCRONIC" "/usr/local/bin/${SUPERCRONIC}" \
++ && ln -s "/usr/local/bin/${SUPERCRONIC}" /usr/local/bin/supercronic
++
++
++COPY higress-proxy-start.sh /usr/local/bin/higress-proxy-start.sh
++
++COPY higress-proxy-container-init.sh /usr/local/bin/higress-proxy-container-init.sh
++
++RUN chmod a+x /usr/local/bin/higress-proxy-container-init.sh;/usr/local/bin/higress-proxy-container-init.sh
++
++RUN chmod a+x /usr/local/bin/higress-proxy-start.sh
++
+ # The pilot-agent will bootstrap Envoy.
+-ENTRYPOINT ["/usr/local/bin/pilot-agent"]
++ENTRYPOINT ["/usr/local/bin/higress-proxy-start.sh"]
+diff -Naur istio/tools/istio-docker.mk istio-new/tools/istio-docker.mk
+--- istio/tools/istio-docker.mk	2024-05-19 16:40:42.734769895 +0800
++++ istio-new/tools/istio-docker.mk	2024-05-19 16:02:43.222725126 +0800
+@@ -96,6 +96,9 @@
+ docker.proxyv2: BUILD_ARGS=--build-arg proxy_version=istio-proxy:${PROXY_REPO_SHA} --build-arg istio_version=${VERSION} --build-arg BASE_VERSION=${BASE_VERSION} --build-arg SIDECAR=${SIDECAR} --build-arg HUB=${HUB}
+ docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/envoy_bootstrap.json
+ docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/gcp_envoy_bootstrap.json
++docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/higress-proxy-start.sh
++docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/higress-proxy-container-init.sh
++docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/envoy_bootstrap_lite.json
+ docker.proxyv2: ${ISTIO_ENVOY_LINUX_ARM64_RELEASE_DIR}/${SIDECAR}
+ docker.proxyv2: ${ISTIO_ENVOY_LINUX_AMD64_RELEASE_DIR}/${SIDECAR}
+ docker.proxyv2: $(ISTIO_OUT_LINUX)/pilot-agent
+diff -Naur istio/tools/packaging/common/envoy_bootstrap_lite.json istio-new/tools/packaging/common/envoy_bootstrap_lite.json
+--- istio/tools/packaging/common/envoy_bootstrap_lite.json	1970-01-01 08:00:00.000000000 +0800
++++ istio-new/tools/packaging/common/envoy_bootstrap_lite.json	2024-05-19 16:36:39.274765113 +0800
+@@ -0,0 +1,642 @@
++{
++  "node": {
++    "id": "{{ .nodeID }}",
++    "cluster": "{{ .cluster }}",
++    "locality": {
++      {{- if .region }}
++      "region": "{{ .region }}"
++      {{- end }}
++      {{- if .zone }}
++      {{- if .region }}
++      ,
++      {{- end }}
++      "zone": "{{ .zone }}"
++      {{- end }}
++      {{- if .sub_zone }}
++      {{- if or .region .zone }}
++      ,
++      {{- end }}
++      "sub_zone": "{{ .sub_zone }}"
++      {{- end }}
++    },
++    "metadata": {{ .meta_json_str }}
++  },
++  "layered_runtime": {
++      "layers": [
++          {
++            "name": "global config",
++            "static_layer": {{ .runtime_flags }}
++          },
++          {
++              "name": "admin",
++              "admin_layer": {}
++          }
++      ]
++  },
++  "stats_config": {
++    "use_all_default_tags": false,
++    "stats_tags": [
++      {
++        "tag_name": "response_code_class",
++        "regex": "_rq(_(\\dxx))$"
++      },
++      {
++        "tag_name": "listener_address",
++        "regex": "^listener\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)"
++      },
++      {
++        "tag_name": "http_conn_manager_prefix",
++        "regex": "^http\\.(((outbound_([0-9]{1,3}\\.{0,1}){4}_\\d{0,5})|([^\\.]+))\\.)"
++      },
++      {
++        "tag_name": "cluster_name",
++        "regex": "^cluster\\.((.*?)\\.)(http1\\.|http2\\.|health_check\\.|zone\\.|external\\.|circuit_breakers\\.|[^\\.]+$)"
++      }
++    ],
++    "stats_matcher": {
++      "exclusion_list": {
++        "patterns": [
++          {
++            "prefix": "vhost"
++          },
++          {
++            "safe_regex": {"regex": "^http.*rds.*", "google_re2":{}}
++          }
++        ]
++      }
++    }
++  },
++  "admin": {
++    "access_log_path": "/dev/null",
++    "profile_path": "/var/lib/istio/data/envoy.prof",
++    "address": {
++      "socket_address": {
++        "address": "{{ .localhost }}",
++        "port_value": {{ .config.ProxyAdminPort }}
++      }
++    }
++  },
++  "dynamic_resources": {
++    "lds_config": {
++      "ads": {},
++      "initial_fetch_timeout": "0s",
++      "resource_api_version": "V3"
++    },
++    "cds_config": {
++      "ads": {},
++      "initial_fetch_timeout": "0s",
++      "resource_api_version": "V3"
++    },
++    "ads_config": {
++      "api_type": "{{ .xds_type }}",
++      "set_node_on_first_message_only": true,
++      "transport_api_version": "V3",
++      "grpc_services": [
++        {
++          "envoy_grpc": {
++            "cluster_name": "xds-grpc"
++          }
++        }
++      ]
++    }
++  },
++  "static_resources": {
++    "clusters": [
++      {
++        "name": "prometheus_stats",
++        "type": "STATIC",
++        "connect_timeout": "0.250s",
++        "lb_policy": "ROUND_ROBIN",
++        "load_assignment": {
++          "cluster_name": "prometheus_stats",
++          "endpoints": [{
++            "lb_endpoints": [{
++              "endpoint": {
++                "address":{
++                  "socket_address": {
++                    "protocol": "TCP",
++                    "address": "{{ .localhost }}",
++                    "port_value": {{ .config.ProxyAdminPort }}
++                  }
++                }
++              }
++            }]
++          }]
++        }
++      },
++      {
++        "name": "agent",
++        "type": "STATIC",
++        "connect_timeout": "0.250s",
++        "lb_policy": "ROUND_ROBIN",
++        "load_assignment": {
++          "cluster_name": "agent",
++          "endpoints": [{
++            "lb_endpoints": [{
++              "endpoint": {
++                "address":{
++                  "socket_address": {
++                    "protocol": "TCP",
++                    "address": "{{ .localhost }}",
++                    "port_value": {{ .config.StatusPort }}
++                  }
++                }
++              }
++            }]
++          }]
++        }
++      },
++      {
++        "name": "sds-grpc",
++        "type": "STATIC",
++        "typed_extension_protocol_options": {
++          "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
++           "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
++           "explicit_http_config": {
++            "http2_protocol_options": {}
++           }
++          }
++        },
++        "connect_timeout": "1s",
++        "lb_policy": "ROUND_ROBIN",
++        "load_assignment": {
++          "cluster_name": "sds-grpc",
++          "endpoints": [{
++            "lb_endpoints": [{
++              "endpoint": {
++                "address":{
++                  "pipe": {
++                    "path": "{{ .config.ConfigPath }}/SDS"
++                  }
++                }
++              }
++            }]
++          }]
++        }
++      },
++      {
++        "name": "xds-grpc",
++        "type" : "STATIC",
++        "connect_timeout": "1s",
++        "lb_policy": "ROUND_ROBIN",
++        "load_assignment": {
++          "cluster_name": "xds-grpc",
++          "endpoints": [{
++            "lb_endpoints": [{
++              "endpoint": {
++                "address":{
++                  "pipe": {
++                    "path": "{{ .config.ConfigPath }}/XDS"
++                  }
++                }
++              }
++            }]
++          }]
++        },
++        "circuit_breakers": {
++          "thresholds": [
++            {
++              "priority": "DEFAULT",
++              "max_connections": 100000,
++              "max_pending_requests": 100000,
++              "max_requests": 100000
++            },
++            {
++              "priority": "HIGH",
++              "max_connections": 100000,
++              "max_pending_requests": 100000,
++              "max_requests": 100000
++            }
++          ]
++        },
++        "upstream_connection_options": {
++          "tcp_keepalive": {
++            "keepalive_time": 300
++          }
++        },
++        "max_requests_per_connection": 1,
++        "typed_extension_protocol_options": {
++          "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
++           "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
++           "explicit_http_config": {
++            "http2_protocol_options": {}
++           }
++          }
++        }
++      }
++      {{ if .zipkin }}
++      ,
++      {
++        "name": "zipkin",
++        {{- if .tracing_tls }}
++        "transport_socket": {{ .tracing_tls }},
++        {{- end }}
++        "type": "STRICT_DNS",
++        "respect_dns_ttl": true,
++        "dns_lookup_family": "{{ .dns_lookup_family }}",
++        "dns_refresh_rate": "30s",
++        "connect_timeout": "1s",
++        "lb_policy": "ROUND_ROBIN",
++        "load_assignment": {
++          "cluster_name": "zipkin",
++          "endpoints": [{
++            "lb_endpoints": [{
++              "endpoint": {
++                "address":{
++                  "socket_address": {{ .zipkin }}
++                }
++              }
++            }]
++          }]
++        }
++      }
++      {{ else if .lightstep }}
++      ,
++      {
++        "name": "lightstep",
++        {{- if .tracing_tls }}
++        "transport_socket": {{ .tracing_tls }},
++        {{- end }}
++        "typed_extension_protocol_options": {
++          "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
++           "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
++           "explicit_http_config": {
++            "http2_protocol_options": {}
++           }
++          }
++        },
++        "type": "STRICT_DNS",
++        "respect_dns_ttl": true,
++        "dns_lookup_family": "{{ .dns_lookup_family }}",
++        "connect_timeout": "1s",
++        "lb_policy": "ROUND_ROBIN",
++        "load_assignment": {
++          "cluster_name": "lightstep",
++          "endpoints": [{
++            "lb_endpoints": [{
++              "endpoint": {
++                "address":{
++                  "socket_address": {{ .lightstep }}
++                }
++              }
++            }]
++          }]
++        }
++      }
++      {{ else if .datadog }}
++      ,
++      {
++        "name": "datadog_agent",
++        {{- if .tracing_tls }}
++        "transport_socket": {{ .tracing_tls }},
++        {{- end }}
++        "connect_timeout": "1s",
++        "type": "STRICT_DNS",
++        "respect_dns_ttl": true,
++        "dns_lookup_family": "{{ .dns_lookup_family }}",
++        "lb_policy": "ROUND_ROBIN",
++        "load_assignment": {
++          "cluster_name": "datadog_agent",
++          "endpoints": [{
++            "lb_endpoints": [{
++              "endpoint": {
++                "address":{
++                  "socket_address": {{ .datadog }}
++                }
++              }
++            }]
++          }]
++        }
++      }
++      {{ end }}
++      {{- if .envoy_metrics_service_address }}
++      ,
++      {
++        "name": "envoy_metrics_service",
++        "type": "STRICT_DNS",
++      {{- if .envoy_metrics_service_tls }}
++        "transport_socket": {{ .envoy_metrics_service_tls }},
++      {{- end }}
++      {{- if .envoy_metrics_service_tcp_keepalive }}
++        "upstream_connection_options": {{ .envoy_metrics_service_tcp_keepalive }},
++      {{- end }}
++        "respect_dns_ttl": true,
++        "dns_lookup_family": "{{ .dns_lookup_family }}",
++        "connect_timeout": "1s",
++        "lb_policy": "ROUND_ROBIN",
++        "typed_extension_protocol_options": {
++          "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
++           "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
++           "explicit_http_config": {
++            "http2_protocol_options": {}
++           }
++          }
++        },
++        "load_assignment": {
++          "cluster_name": "envoy_metrics_service",
++          "endpoints": [{
++            "lb_endpoints": [{
++              "endpoint": {
++                "address":{
++                  "socket_address": {{ .envoy_metrics_service_address }}
++                }
++              }
++            }]
++          }]
++        }
++      }
++      {{ end }}
++      {{ if .envoy_accesslog_service_address }}
++      ,
++      {
++        "name": "envoy_accesslog_service",
++        "type": "STRICT_DNS",
++      {{- if .envoy_accesslog_service_tls }}
++        "transport_socket": {{ .envoy_accesslog_service_tls }},
++      {{- end }}
++      {{- if .envoy_accesslog_service_tcp_keepalive }}
++        "upstream_connection_options": {{ .envoy_accesslog_service_tcp_keepalive }},
++      {{ end }}
++        "respect_dns_ttl": true,
++        "dns_lookup_family": "{{ .dns_lookup_family }}",
++        "connect_timeout": "1s",
++        "lb_policy": "ROUND_ROBIN",
++        "typed_extension_protocol_options": {
++          "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
++           "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
++           "explicit_http_config": {
++            "http2_protocol_options": {}
++           }
++          }
++        },
++        "load_assignment": {
++          "cluster_name": "envoy_accesslog_service",
++          "endpoints": [{
++            "lb_endpoints": [{
++              "endpoint": {
++                "address":{
++                  "socket_address": {{ .envoy_accesslog_service_address }}
++                }
++              }
++            }]
++          }]
++        }
++      }
++      {{ end }}
++    ],
++    "listeners":[
++      {
++        "address": {
++          "socket_address": {
++            "protocol": "TCP",
++            "address": "{{ .wildcard }}",
++            "port_value": {{ .envoy_prometheus_port }}
++          }
++        },
++        "filter_chains": [
++          {
++            "filters": [
++              {
++                "name": "envoy.filters.network.http_connection_manager",
++                "typed_config": {
++                  "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
++                  "codec_type": "AUTO",
++                  "stat_prefix": "stats",
++                  "route_config": {
++                    "virtual_hosts": [
++                      {
++                        "name": "backend",
++                        "domains": [
++                          "*"
++                        ],
++                        "routes": [
++                          {
++                            "match": {
++                              "prefix": "/stats/prometheus"
++                            },
++                            "route": {
++                              "cluster": "prometheus_stats"
++                            }
++                          }
++                        ]
++                      }
++                    ]
++                  },
++                  "http_filters": [{
++                    "name": "envoy.filters.http.router",
++                    "typed_config": {
++                      "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
++                    }
++                  }]
++                }
++              }
++            ]
++          }
++        ]
++      },
++      {
++        "address": {
++           "socket_address": {
++             "protocol": "TCP",
++             "address": "{{ .wildcard }}",
++             "port_value": {{ .envoy_status_port }}
++           }
++        },
++        "filter_chains": [
++          {
++            "filters": [
++              {
++                "name": "envoy.filters.network.http_connection_manager",
++                "typed_config": {
++                  "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
++                  "codec_type": "AUTO",
++                  "stat_prefix": "agent",
++                  "route_config": {
++                    "virtual_hosts": [
++                      {
++                        "name": "backend",
++                        "domains": [
++                          "*"
++                        ],
++                        "routes": [
++                          {
++                            "match": {
++                              "prefix": "/healthz/ready"
++                            },
++                            "route": {
++                              "cluster": "agent"
++                            }
++                          }
++                        ]
++                      }
++                    ]
++                  },
++                  "http_filters": [{
++                    "name": "envoy.filters.http.router",
++                    "typed_config": {
++                      "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
++                    }
++                  }]
++                }
++              }
++            ]
++          }
++        ]
++      }
++    ]
++  }
++  {{- if .zipkin }}
++  ,
++  "tracing": {
++    "http": {
++      "name": "envoy.tracers.zipkin",
++      "typed_config": {
++        "@type": "type.googleapis.com/envoy.config.trace.v3.ZipkinConfig",
++        "collector_cluster": "zipkin",
++        "collector_endpoint": "/api/v2/spans",
++        "collector_endpoint_version": "HTTP_JSON",
++        "trace_id_128bit": true,
++        "shared_span_context": false
++      }
++    }
++  }
++  {{- else if .lightstep }}
++  ,
++  "tracing": {
++    "http": {
++      "name": "envoy.tracers.lightstep",
++      "typed_config": {
++        "@type": "type.googleapis.com/envoy.config.trace.v3.LightstepConfig",
++        "collector_cluster": "lightstep",
++        "access_token_file": "{{ .lightstepToken}}"
++      }
++    }
++  }
++  {{- else if .datadog }}
++  ,
++  "tracing": {
++    "http": {
++      "name": "envoy.tracers.datadog",
++      "typed_config": {
++        "@type": "type.googleapis.com/envoy.config.trace.v3.DatadogConfig",
++        "collector_cluster": "datadog_agent",
++        "service_name": "{{ .cluster }}"
++      }
++    }
++  }
++  {{- else if .openCensusAgent }}
++  ,
++  "tracing": {
++    "http": {
++      "name": "envoy.tracers.opencensus",
++      "typed_config": {
++        "@type": "type.googleapis.com/envoy.config.trace.v3.OpenCensusConfig",
++        "ocagent_exporter_enabled": true,
++        "ocagent_address": "{{ .openCensusAgent }}",
++        "incoming_trace_context": {{ .openCensusAgentContexts }},
++        "outgoing_trace_context": {{ .openCensusAgentContexts }},
++        "trace_config": {
++          "constant_sampler": {
++            "decision": "ALWAYS_PARENT"
++          },
++          "max_number_of_annotations": 200,
++          "max_number_of_attributes": 200,
++          "max_number_of_message_events": 200,
++          "max_number_of_links": 200
++        }
++      }
++    }
++  }
++  {{- else if .stackdriver }}
++  ,
++  "tracing": {
++    "http": {
++      "name": "envoy.tracers.opencensus",
++      "typed_config": {
++      "@type": "type.googleapis.com/envoy.config.trace.v3.OpenCensusConfig",
++      "stackdriver_exporter_enabled": true,
++      "stackdriver_project_id": "{{ .stackdriverProjectID }}",
++      {{ if .sts_port }}
++      "stackdriver_grpc_service": {
++        "google_grpc": {
++          "target_uri": "cloudtrace.googleapis.com",
++          "stat_prefix": "oc_stackdriver_tracer",
++          "channel_credentials": {
++            "ssl_credentials": {}
++          },
++          "call_credentials": [{
++            "sts_service": {
++              "token_exchange_service_uri": "http://localhost:{{ .sts_port }}/token",
++              "subject_token_path": "/var/run/secrets/tokens/istio-token",
++              "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
++              "scope": "https://www.googleapis.com/auth/cloud-platform"
++            }
++          }]
++        },
++        "initial_metadata": [
++        {{ if .gcp_project_id }}
++          {
++            "key": "x-goog-user-project",
++            "value": "{{ .gcp_project_id }}"
++          }
++        {{ end }}
++        ]
++      },
++      {{ end }}
++      "stdout_exporter_enabled": {{ .stackdriverDebug }},
++      "incoming_trace_context": ["CLOUD_TRACE_CONTEXT", "TRACE_CONTEXT", "GRPC_TRACE_BIN", "B3"],
++      "outgoing_trace_context": ["CLOUD_TRACE_CONTEXT", "TRACE_CONTEXT", "GRPC_TRACE_BIN", "B3"],
++      "trace_config":{
++        "constant_sampler":{
++          "decision": "ALWAYS_PARENT"
++        },
++        "max_number_of_annotations": {{ .stackdriverMaxAnnotations }},
++        "max_number_of_attributes": {{ .stackdriverMaxAttributes }},
++        "max_number_of_message_events": {{ .stackdriverMaxEvents }},
++        "max_number_of_links": 200
++       }
++     }
++  }}
++  {{ end }}
++  {{ if or .envoy_metrics_service_address .statsd }}
++  ,
++  "stats_sinks": [
++    {{ if .envoy_metrics_service_address }}
++    {
++      "name": "envoy.stat_sinks.metrics_service",
++      "typed_config": {
++        "@type": "type.googleapis.com/envoy.config.metrics.v3.MetricsServiceConfig",
++        "transport_api_version": "V3",
++        "grpc_service": {
++          "envoy_grpc": {
++            "cluster_name": "envoy_metrics_service"
++          }
++        }
++      }
++    }
++    {{ end }}
++    {{ if and .envoy_metrics_service_address .statsd }}
++    ,
++    {{ end }}
++    {{ if .statsd }}
++    {
++      "name": "envoy.stat_sinks.statsd",
++      "typed_config": {
++        "@type": "type.googleapis.com/envoy.config.metrics.v3.StatsdSink",
++        "address": {
++          "socket_address": {{ .statsd }}
++        }
++      }
++    }
++    {{ end }}
++  ]
++  {{ end }}
++  {{ if .outlier_log_path }}
++  ,
++  "cluster_manager": {
++    "outlier_detection": {
++      "event_log_path": "{{ .outlier_log_path }}"
++    }
++  }
++  {{ end }}
++}
+diff -Naur istio/tools/packaging/common/higress-proxy-container-init.sh istio-new/tools/packaging/common/higress-proxy-container-init.sh
+--- istio/tools/packaging/common/higress-proxy-container-init.sh	1970-01-01 08:00:00.000000000 +0800
++++ istio-new/tools/packaging/common/higress-proxy-container-init.sh	2024-05-19 16:30:06.202757394 +0800
+@@ -0,0 +1,32 @@
++#!/bin/bash
++
++mkdir -p /var/log/proxy
++
++mkdir -p /var/lib/istio
++
++chown -R 1337.1337 /var/log/proxy
++
++chown -R 1337.1337 /var/lib/logrotate
++
++chown -R 1337.1337 /var/lib/istio
++
++cat <<EOF > /etc/logrotate.d/higress-logrotate
++/var/log/proxy/access.log
++{
++su 1337 1337
++rotate 5
++create 644 1337 1337
++nocompress
++notifempty
++minsize 100M
++postrotate
++    ps aux|grep "envoy -c"|grep -v "grep"|awk  '{print $2}'|xargs -i kill -SIGUSR1 {}
++endscript
++}
++EOF
++
++chmod -R 0644 /etc/logrotate.d/higress-logrotate
++
++cat <<EOF > /var/lib/istio/cron.txt
++* * * * * /usr/sbin/logrotate /etc/logrotate.d/higress-logrotate
++EOF
+diff -Naur istio/tools/packaging/common/higress-proxy-start.sh istio-new/tools/packaging/common/higress-proxy-start.sh
+--- istio/tools/packaging/common/higress-proxy-start.sh	1970-01-01 08:00:00.000000000 +0800
++++ istio-new/tools/packaging/common/higress-proxy-start.sh	2024-05-19 16:33:18.802761176 +0800
+@@ -0,0 +1,10 @@
++#!/bin/bash
++
++if [ -n "$LITE_METRICS" ]; then
++    cp /var/lib/istio/envoy/envoy_bootstrap_lite_tmpl.json /var/lib/istio/envoy/envoy_bootstrap_tmpl.json
++fi
++
++nohup supercronic /var/lib/istio/cron.txt &> /dev/null &
++
++/usr/local/bin/pilot-agent $*
++

istio/1.12/patches/istio/20240521-optimize-bootstrap.patch

@@ -0,0 +1,83 @@
+diff -Naur istio/tools/packaging/common/envoy_bootstrap.json istio-new/tools/packaging/common/envoy_bootstrap.json
+--- istio/tools/packaging/common/envoy_bootstrap.json	2024-05-21 23:46:21.000000000 +0800
++++ istio-new/tools/packaging/common/envoy_bootstrap.json	2024-05-21 23:47:54.000000000 +0800
+@@ -37,55 +37,15 @@
+     "use_all_default_tags": false,
+     "stats_tags": [
+       {
+-        "tag_name": "phase",
+-        "regex": "(_phase=([a-z_]+))"
+-      },
+-      {
+-        "tag_name": "ruleid",
+-        "regex": "(_ruleid=([0-9]+))"
+-      },
+-      {
+-        "tag_name": "route",
+-        "regex": "^vhost\\..*?\\.route\\.([^\\.]+\\.)upstream"
+-      },
+-      {
+-        "tag_name": "ecds_name",
+-        "regex": "extension_config_discovery\\.(.*?\\.)[^\\.]+$"
+-      },
+-      {
+-        "tag_name": "rds_name",
+-        "regex": "rds\\.(.*?\\.)[^\\.]+$"
+-      },
+-      {
+-        "tag_name": "sds_name",
+-        "regex": "sds\\.(.*?\\.)[^\\.]+$"
+-      },
+-      {
+-        "tag_name": "vhost",
+-        "regex": "^vhost\\.((.*?)\\.)(vcluster|route)"
+-      },
+-      {
+-        "tag_name": "vcluster",
+-        "regex": "vcluster\\.((.*?)\\.)upstream"
+-      },
+-      {
+-        "tag_name": "dest_zone",
+-        "regex": "zone\\.[^\\.]+\\.([^\\.]+\\.)"
+-      },
+-      {
+-        "tag_name": "from_zone",
+-        "regex": "zone\\.([^\\.]+\\.)"
+-      },
+-      {
+         "tag_name": "cluster_name",
+-        "regex": "^cluster\\.((.*?)\\.)(http1\\.|http2\\.|health_check\\.|zone\\.|external\\.|circuit_breakers\\.|[^\\.]+$)"
++        "regex": "^cluster\\.((.+?(\\..+?\\.svc\\.cluster\\.local)?)\\.)"
+       },
+       {
+         "tag_name": "tcp_prefix",
+         "regex": "^tcp\\.((.*?)\\.)\\w+?$"
+       },
+       {
+-        "regex": "(response_code=\\.=(.+?);\\.;)|_rq(_(\\.d{3}))$",
++        "regex": "_rq(_(\\d{3}))$",
+         "tag_name": "response_code"
+       },
+       {
+@@ -98,7 +58,7 @@
+       },
+       {
+         "tag_name": "http_conn_manager_prefix",
+-        "regex": "^http\\.(((outbound_([0-9]{1,3}\\.{0,1}){4}_\\d{0,5})|([^\\.]+))\\.)"
++        "regex": "^http\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)"
+       },
+       {
+         "tag_name": "listener_address",
+@@ -108,12 +68,6 @@
+         "tag_name": "mongo_prefix",
+         "regex": "^mongo\\.(.+?)\\.(collection|cmd|cx_|op_|delays_|decoding_)(.*?)$"
+       },
+-      {{- range $a, $tag := .extraStatTags }}
+-      {
+-        "regex": "({{ $tag }}=\\.=(.*?);\\.;)",
+-        "tag_name": "{{ $tag }}"
+-      },
+-      {{- end }}
+       {
+         "regex": "(cache\\.(.+?)\\.)",
+         "tag_name": "cache"

istio/1.12/patches/istio/20240527-fix-vs-merge.patch

@@ -0,0 +1,69 @@
+diff -Naur istio/pilot/pkg/model/push_context.go istio-new/pilot/pkg/model/push_context.go
+--- istio/pilot/pkg/model/push_context.go	2024-05-27 23:03:09.000000000 +0800
++++ istio-new/pilot/pkg/model/push_context.go	2024-05-27 21:33:45.000000000 +0800
+@@ -1482,8 +1482,14 @@
+ 		ns := virtualService.Namespace
+ 		rule := virtualService.Spec.(*networking.VirtualService)
+ 		// Added by ingress
+-		for _, host := range rule.Hosts {
+-			ps.virtualServiceIndex.byHost[host] = append(ps.virtualServiceIndex.byHost[host], virtualService)
++		if len(rule.Gateways) > 0 {
++			if len(rule.Hosts) == 0 {
++				ps.virtualServiceIndex.byHost[constants.GlobalWildcardHost] = append(ps.virtualServiceIndex.byHost[constants.GlobalWildcardHost], virtualService)
++			} else {
++				for _, host := range rule.Hosts {
++					ps.virtualServiceIndex.byHost[host] = append(ps.virtualServiceIndex.byHost[host], virtualService)
++				}
++			}
+ 		}
+ 		// End added by ingress
+ 		gwNames := getGatewayNames(rule)
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
+--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-05-27 23:03:09.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-05-27 22:58:33.000000000 +0800
+@@ -376,8 +376,15 @@
+ 					gatewayVirtualServices[gatewayName] = virtualServices
+ 				}
+ 				for _, virtualService := range virtualServices {
+-					for _, host := range virtualService.Spec.(*networking.VirtualService).Hosts {
+-						hostSet.Insert(host)
++					rule := virtualService.Spec.(*networking.VirtualService)
++					if len(rule.Gateways) > 0 {
++						if len(rule.Hosts) == 0 {
++							hostSet.Insert(constants.GlobalWildcardHost)
++							break
++						}
++						for _, host := range rule.Hosts {
++							hostSet.Insert(host)
++						}
+ 					}
+ 				}
+ 			}
+@@ -689,7 +696,7 @@
+ 			vHost = &route.VirtualHost{
+ 				Name:                       util.DomainName(hostRDSHost, port),
+ 				Domains:                    buildGatewayVirtualHostDomains(hostRDSHost, port),
+-				Routes:                     routes,
++				Routes:                     append(routes[:0:0], routes...),
+ 				IncludeRequestAttemptCount: true,
+ 				TypedPerFilterConfig:       mseingress.ConstructTypedPerFilterConfigForVHost(globalHTTPFilters, virtualService),
+ 			}
+@@ -884,7 +891,7 @@
+ 					newVHost := &route.VirtualHost{
+ 						Name:                       util.DomainName(string(hostname), port),
+ 						Domains:                    buildGatewayVirtualHostDomains(string(hostname), port),
+-						Routes:                     routes,
++						Routes:                     append(routes[:0:0], routes...),
+ 						IncludeRequestAttemptCount: true,
+ 						TypedPerFilterConfig:       mseingress.ConstructTypedPerFilterConfigForVHost(globalHTTPFilters, virtualService),
+ 					}
+diff -Naur istio/pkg/config/constants/constants.go istio-new/pkg/config/constants/constants.go
+--- istio/pkg/config/constants/constants.go	2024-05-27 23:03:09.000000000 +0800
++++ istio-new/pkg/config/constants/constants.go	2024-05-27 21:31:58.000000000 +0800
+@@ -145,5 +145,6 @@
+ 	// Added by ingress
+ 	HigressHostRDSNamePrefix = "higress-rds-"
+ 	DefaultScopedRouteName   = "scoped-route"
++	GlobalWildcardHost       = "*"
+ 	// End added by ingress
+ )

istio/1.12/patches/istio/20240529-optimize-mcp-cds.patch

@@ -0,0 +1,17 @@
+diff -Naur istio/pilot/pkg/model/push_context.go istio-new/pilot/pkg/model/push_context.go
+--- istio/pilot/pkg/model/push_context.go	2024-05-29 19:29:45.000000000 +0800
++++ istio-new/pilot/pkg/model/push_context.go	2024-05-29 19:11:03.000000000 +0800
+@@ -769,6 +769,13 @@
+ 	for _, s := range svcs {
+ 		svcHost := string(s.Hostname)
+ 
++		// Added by ingress
++		if s.Attributes.Namespace == "mcp" {
++			gwSvcs = append(gwSvcs, s)
++			continue
++		}
++		// End added by ingress
++
+ 		if _, ok := hostsFromGateways[svcHost]; ok {
+ 			gwSvcs = append(gwSvcs, s)
+ 		}

istio/1.12/patches/proxy/20240519-v8-upgrade.patch

@@ -0,0 +1,38 @@
+diff -Naur proxy/scripts/release-binary.sh proxy-new/scripts/release-binary.sh
+--- proxy/scripts/release-binary.sh     2024-05-19 12:33:33.254478650 +0800
++++ proxy-new/scripts/release-binary.sh 2024-05-19 12:31:11.714475870 +0800
+@@ -112,7 +112,7 @@
+ # k8-opt is the output directory for x86_64 optimized builds (-c opt, so --config=release-symbol and --config=release).
+ # k8-dbg is the output directory for -c dbg builds.
+ #for config in release release-symbol debug
+-for config in release
++for config in release release-symbol
+ do
+   case $config in
+     "release" )
+diff -Naur proxy/scripts/release-binary.sh proxy-new/scripts/release-binary.sh
+--- proxy/scripts/release-binary.sh	2024-05-19 12:27:51.030471929 +0800
++++ proxy-new/scripts/release-binary.sh	2024-05-19 12:04:55.738444918 +0800
+@@ -152,10 +152,6 @@
+   echo "Building ${config} proxy"
+   BINARY_NAME="${HOME}/package/${BINARY_BASE_NAME}.tar.gz"
+   SHA256_NAME="${HOME}/${BINARY_BASE_NAME}-${SHA}.sha256"
+-  # All cores are used by com_googlesource_chromium_v8:build within. 
+-  # Prebuild this target to avoid stacking this ram intensive task with others.
+-  # shellcheck disable=SC2086
+-  bazel build ${BAZEL_BUILD_ARGS} ${CONFIG_PARAMS} @com_googlesource_chromium_v8//:build
+   # shellcheck disable=SC2086
+   bazel build ${BAZEL_BUILD_ARGS} ${CONFIG_PARAMS} //src/envoy:envoy_tar
+   BAZEL_TARGET="${BAZEL_OUT}/src/envoy/envoy_tar.tar.gz"
+diff -Naur proxy/tools/deb/test/build_docker.sh proxy-new/tools/deb/test/build_docker.sh
+--- proxy/tools/deb/test/build_docker.sh	2024-05-19 12:27:51.030471929 +0800
++++ proxy-new/tools/deb/test/build_docker.sh	2024-05-19 12:05:07.978445159 +0800
+@@ -20,8 +20,6 @@
+ # Script requires a working docker on the test machine
+ # It is run in the proxy dir, will create a docker image with proxy deb installed
+ 
+-
+-bazel build @com_googlesource_chromium_v8//:build
+ bazel build tools/deb:istio-proxy
+ 
+ PROJECT="istio-testing"

pkg/bootstrap/server.go

@@ -20,6 +20,11 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/alibaba/higress/pkg/cert"
+	"github.com/alibaba/higress/pkg/ingress/kube/common"
+	"github.com/alibaba/higress/pkg/ingress/mcp"
+	"github.com/alibaba/higress/pkg/ingress/translation"
+	higresskube "github.com/alibaba/higress/pkg/kube"
 	prometheus "github.com/grpc-ecosystem/go-grpc-prometheus"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/reflection"
@@ -46,11 +51,6 @@ import (
 	"istio.io/pkg/log"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/cache"
-
-	ingressconfig "github.com/alibaba/higress/pkg/ingress/config"
-	"github.com/alibaba/higress/pkg/ingress/kube/common"
-	"github.com/alibaba/higress/pkg/ingress/mcp"
-	higresskube "github.com/alibaba/higress/pkg/kube"
 )
 
 type XdsOptions struct {
@@ -111,6 +111,11 @@ type ServerArgs struct {
 	KeepStaleWhenEmpty   bool
 	GatewaySelectorKey   string
 	GatewaySelectorValue string
+	GatewayHttpPort      uint32
+	GatewayHttpsPort     uint32
+	EnableAutomaticHttps bool
+	AutomaticHttpsEmail  string
+	CertHttpAddress      string
 }
 
 type readinessProbe func() (bool, error)
@@ -132,6 +137,7 @@ type Server struct {
 	xdsServer        *xds.DiscoveryServer
 	server           server.Instance
 	readinessProbes  map[string]readinessProbe
+	certServer       *cert.Server
 }
 
 var (
@@ -167,6 +173,7 @@ func NewServer(args *ServerArgs) (*Server, error) {
 		s.initConfigController,
 		s.initRegistryEventHandlers,
 		s.initAuthenticators,
+		s.initAutomaticHttps,
 	}
 
 	for _, f := range initFuncList {
@@ -221,13 +228,18 @@ func (s *Server) initConfigController() error {
 		SystemNamespace:      ns,
 		GatewaySelectorKey:   s.GatewaySelectorKey,
 		GatewaySelectorValue: s.GatewaySelectorValue,
+		GatewayHttpPort:      s.GatewayHttpPort,
+		GatewayHttpsPort:     s.GatewayHttpsPort,
 	}
 	if options.ClusterId == "Kubernetes" {
 		options.ClusterId = ""
 	}
-	ingressConfig := ingressconfig.NewIngressConfig(s.kubeClient, s.xdsServer, ns, options.ClusterId)
-	ingressController := ingressConfig.AddLocalCluster(options)
+
+	ingressConfig := translation.NewIngressTranslation(s.kubeClient, s.xdsServer, ns, options.ClusterId)
+	ingressController, kingressController := ingressConfig.AddLocalCluster(options)
+
 	s.configStores = append(s.configStores, ingressConfig)
+
 	// Wrap the config controller with a cache.
 	aggregateConfigController, err := configaggregate.MakeCache(s.configStores)
 	if err != nil {
@@ -242,7 +254,7 @@ func (s *Server) initConfigController() error {
 
 	// Defer starting the controller until after the service is created.
 	s.server.RunComponent(func(stop <-chan struct{}) error {
-		if err := ingressConfig.InitializeCluster(ingressController, stop); err != nil {
+		if err := ingressConfig.InitializeCluster(ingressController, kingressController, stop); err != nil {
 			return err
 		}
 		go s.configController.Run(stop)
@@ -281,6 +293,15 @@ func (s *Server) Start(stop <-chan struct{}) error {
 		}
 	}()
 
+	if s.EnableAutomaticHttps {
+		go func() {
+			log.Infof("starting Automatic Cert HTTP service at %s", s.CertHttpAddress)
+			if err := s.certServer.Run(stop); err != nil {
+				log.Errorf("error serving Automatic Cert HTTP server: %v", err)
+			}
+		}()
+	}
+
 	s.waitForShutDown(stop)
 	return nil
 }
@@ -364,6 +385,26 @@ func (s *Server) initAuthenticators() error {
 	return nil
 }
 
+func (s *Server) initAutomaticHttps() error {
+	certOption := &cert.Option{
+		Namespace:     PodNamespace,
+		ServerAddress: s.CertHttpAddress,
+		Email:         s.AutomaticHttpsEmail,
+	}
+	certServer, err := cert.NewServer(s.kubeClient.Kube(), certOption)
+	if err != nil {
+		return err
+	}
+	s.certServer = certServer
+	log.Infof("init cert default config")
+	s.certServer.InitDefaultConfig()
+	if !s.EnableAutomaticHttps {
+		log.Info("automatic https is disabled")
+		return nil
+	}
+	return s.certServer.InitServer()
+}
+
 func (s *Server) initKubeClient() error {
 	if s.kubeClient != nil {
 		// Already initialized by startup arguments
@@ -392,6 +433,7 @@ func (s *Server) initHttpServer() error {
 	}
 	s.xdsServer.AddDebugHandlers(s.httpMux, nil, true, nil)
 	s.httpMux.HandleFunc("/ready", s.readyHandler)
+	s.httpMux.HandleFunc("/registry/watcherStatus", s.registryWatcherStatusHandler)
 	return nil
 }
 
@@ -407,6 +449,43 @@ func (s *Server) readyHandler(w http.ResponseWriter, _ *http.Request) {
 	w.WriteHeader(http.StatusOK)
 }
 
+func (s *Server) registryWatcherStatusHandler(w http.ResponseWriter, _ *http.Request) {
+	ingressTranslation, ok := s.environment.IngressStore.(*translation.IngressTranslation)
+	if !ok {
+		http.Error(w, "IngressStore not found", http.StatusNotFound)
+		return
+	}
+
+	ingressConfig := ingressTranslation.GetIngressConfig()
+	if ingressConfig == nil {
+		http.Error(w, "IngressConfig not found", http.StatusNotFound)
+		return
+	}
+
+	registryReconciler := ingressConfig.RegistryReconciler
+	if registryReconciler == nil {
+		http.Error(w, "RegistryReconciler not found", http.StatusNotFound)
+		return
+	}
+
+	watcherStatusList := registryReconciler.GetRegistryWatcherStatusList()
+	writeJSON(w, watcherStatusList)
+}
+
+func writeJSON(w http.ResponseWriter, obj interface{}) {
+	w.Header().Set("Content-Type", "application/json")
+	b, err := config.ToJSON(obj)
+	if err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		_, _ = w.Write([]byte(err.Error()))
+		return
+	}
+	_, err = w.Write(b)
+	if err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+	}
+}
+
 // cachesSynced checks whether caches have been synced.
 func (s *Server) cachesSynced() bool {
 	return s.configController.HasSynced()

pkg/cert/certmgr.go

@@ -0,0 +1,219 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cert
+
+import (
+	"context"
+	"fmt"
+	"sync"
+
+	"github.com/caddyserver/certmagic"
+	"github.com/mholt/acmez"
+	"k8s.io/client-go/kubernetes"
+)
+
+const (
+	EventCertObtained = "cert_obtained"
+)
+
+type CertMgr struct {
+	cfg           *certmagic.Config
+	client        kubernetes.Interface
+	namespace     string
+	mux           sync.RWMutex
+	storage       certmagic.Storage
+	cache         *certmagic.Cache
+	myACME        *certmagic.ACMEIssuer
+	ingressSolver acmez.Solver
+	configMgr     *ConfigMgr
+	secretMgr     *SecretMgr
+}
+
+func InitCertMgr(opts *Option, clientSet kubernetes.Interface, config *Config) (*CertMgr, error) {
+	CertLog.Infof("certmgr init config: %+v", config)
+	// Init certmagic config
+	// First make a pointer to a Cache as we need to reference the same Cache in
+	// GetConfigForCert below.
+	var cache *certmagic.Cache
+	var storage certmagic.Storage
+	storage, _ = NewConfigmapStorage(opts.Namespace, clientSet)
+	renewalWindowRatio := float64(config.RenewBeforeDays / RenewMaxDays)
+	magicConfig := certmagic.Config{
+		RenewalWindowRatio: renewalWindowRatio,
+		Storage:            storage,
+	}
+	cache = certmagic.NewCache(certmagic.CacheOptions{
+		GetConfigForCert: func(cert certmagic.Certificate) (*certmagic.Config, error) {
+			// Here we use New to get a valid Config associated with the same cache.
+			// The provided Config is used as a template and will be completed with
+			// any defaults that are set in the Default config.
+			return certmagic.New(cache, magicConfig), nil
+		},
+	})
+	// init certmagic
+	cfg := certmagic.New(cache, magicConfig)
+	// Init certmagic acme
+	issuer := config.GetIssuer(IssuerTypeLetsencrypt)
+	if issuer == nil {
+		// should never happen here
+		return nil, fmt.Errorf("there is no Letsencrypt Issuer found in config")
+	}
+
+	myACME := certmagic.NewACMEIssuer(cfg, certmagic.ACMEIssuer{
+		//CA:                      certmagic.LetsEncryptStagingCA,
+		CA:                      certmagic.LetsEncryptProductionCA,
+		Email:                   issuer.Email,
+		Agreed:                  true,
+		DisableHTTPChallenge:    false,
+		DisableTLSALPNChallenge: true,
+	})
+	// inject http01 solver
+	ingressSolver, _ := NewIngressSolver(opts.Namespace, clientSet, myACME)
+	myACME.Http01Solver = ingressSolver
+	// init issuers
+	cfg.Issuers = []certmagic.Issuer{myACME}
+
+	configMgr, _ := NewConfigMgr(opts.Namespace, clientSet)
+	secretMgr, _ := NewSecretMgr(opts.Namespace, clientSet)
+
+	certMgr := &CertMgr{
+		cfg:           cfg,
+		client:        clientSet,
+		namespace:     opts.Namespace,
+		myACME:        myACME,
+		ingressSolver: ingressSolver,
+		configMgr:     configMgr,
+		secretMgr:     secretMgr,
+		cache:         cache,
+	}
+	certMgr.cfg.OnEvent = certMgr.OnEvent
+	return certMgr, nil
+}
+func (s *CertMgr) Reconcile(ctx context.Context, oldConfig *Config, newConfig *Config) error {
+	CertLog.Infof("cermgr reconcile old config:%+v to new config:%+v", oldConfig, newConfig)
+	// sync email
+	if oldConfig != nil && newConfig != nil {
+		oldIssuer := oldConfig.GetIssuer(IssuerTypeLetsencrypt)
+		newIssuer := newConfig.GetIssuer(IssuerTypeLetsencrypt)
+		if oldIssuer.Email != newIssuer.Email {
+			// TODO before sync email, maybe need to clean up cache and account
+		}
+	}
+
+	// sync domains
+	newDomains := make([]string, 0)
+	newDomainsMap := make(map[string]string, 0)
+	removeDomains := make([]string, 0)
+
+	if newConfig != nil {
+		for _, config := range newConfig.CredentialConfig {
+			if config.TLSIssuer == IssuerTypeLetsencrypt {
+				for _, newDomain := range config.Domains {
+					newDomains = append(newDomains, newDomain)
+					newDomainsMap[newDomain] = newDomain
+				}
+
+			}
+		}
+	}
+
+	if oldConfig != nil {
+		for _, config := range oldConfig.CredentialConfig {
+			if config.TLSIssuer == IssuerTypeLetsencrypt {
+				for _, oldDomain := range config.Domains {
+					if _, ok := newDomainsMap[oldDomain]; !ok {
+						removeDomains = append(removeDomains, oldDomain)
+					}
+				}
+
+			}
+		}
+	}
+
+	if newConfig.AutomaticHttps == true {
+		newIssuer := newConfig.GetIssuer(IssuerTypeLetsencrypt)
+		// clean up  unused domains
+		s.cleanSync(context.Background(), removeDomains)
+		// sync email
+		s.myACME.Email = newIssuer.Email
+		// sync RenewalWindowRatio
+		s.cfg.RenewalWindowRatio = float64(newConfig.RenewBeforeDays / RenewMaxDays)
+		// start cache
+		s.cache.Start()
+		// sync domains
+		s.manageSync(context.Background(), newDomains)
+		s.configMgr.SetConfig(newConfig)
+	} else {
+		// stop cache  maintainAssets
+		s.cache.Stop()
+		s.configMgr.SetConfig(newConfig)
+	}
+
+	return nil
+}
+
+func (s *CertMgr) manageSync(ctx context.Context, domainNames []string) error {
+	CertLog.Infof("cert manage sync domains:%v", domainNames)
+	return s.cfg.ManageSync(ctx, domainNames)
+}
+
+func (s *CertMgr) cleanSync(ctx context.Context, domainNames []string) error {
+	//TODO implement clean up domains
+	CertLog.Infof("cert clean sync domains:%v", domainNames)
+	return nil
+}
+
+func (s *CertMgr) OnEvent(ctx context.Context, event string, data map[string]any) error {
+	CertLog.Infof("certmgr receive event:% data:%+v", event, data)
+	/**
+	event: cert_obtained
+	cfg.emit(ctx, "cert_obtained", map[string]any{
+		"renewal":          true,
+		"remaining":        timeLeft,
+		"identifier":       name,
+		"issuer":           issuerKey,
+		"storage_path":     StorageKeys.CertsSitePrefix(issuerKey, certKey),
+		"private_key_path": StorageKeys.SitePrivateKey(issuerKey, certKey),
+		"certificate_path": StorageKeys.SiteCert(issuerKey, certKey),
+		"metadata_path":    StorageKeys.SiteMeta(issuerKey, certKey),
+	})
+	*/
+	if event == EventCertObtained {
+		// obtain certificate and update secret
+		domain := data["identifier"].(string)
+		isRenew := data["renewal"].(bool)
+		privateKeyPath := data["private_key_path"].(string)
+		certificatePath := data["certificate_path"].(string)
+		privateKey, err := s.cfg.Storage.Load(context.Background(), privateKeyPath)
+		certificate, err := s.cfg.Storage.Load(context.Background(), certificatePath)
+		certChain, err := parseCertsFromPEMBundle(certificate)
+		if err != nil {
+			return err
+		}
+		notAfterTime := notAfter(certChain[0])
+		notBeforeTime := notBefore(certChain[0])
+		secretName := s.configMgr.GetConfig().GetSecretNameByDomain(IssuerTypeLetsencrypt, domain)
+		if len(secretName) == 0 {
+			CertLog.Errorf("can not find secret name for domain % in config", domain)
+			return nil
+		}
+		err2 := s.secretMgr.Update(domain, secretName, privateKey, certificate, notBeforeTime, notAfterTime, isRenew)
+		if err2 != nil {
+			CertLog.Errorf("update secretName %s for domain %s error: %v", secretName, domain, err2)
+		}
+		return err
+	}
+	return nil
+}

pkg/cert/config.go

@@ -0,0 +1,290 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cert
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"sync/atomic"
+	"time"
+
+	"istio.io/istio/pkg/config/host"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"sigs.k8s.io/yaml"
+)
+
+const (
+	ConfigmapCertName      = "higress-https"
+	ConfigmapCertConfigKey = "cert"
+	DefaultRenewBeforeDays = 30
+	RenewMaxDays           = 90
+)
+
+type IssuerName string
+
+const (
+	IssuerTypeAliyunSSL   IssuerName = "aliyunssl"
+	IssuerTypeLetsencrypt IssuerName = "letsencrypt"
+)
+
+// Config is the configuration of automatic https.
+type Config struct {
+	AutomaticHttps   bool              `json:"automaticHttps"`
+	RenewBeforeDays  int               `json:"renewBeforeDays"`
+	CredentialConfig []CredentialEntry `json:"credentialConfig"`
+	ACMEIssuer       []ACMEIssuerEntry `json:"acmeIssuer"`
+	Version          string            `json:"version"`
+}
+
+func (c *Config) GetIssuer(issuerName IssuerName) *ACMEIssuerEntry {
+	for _, issuer := range c.ACMEIssuer {
+		if issuer.Name == issuerName {
+			return &issuer
+		}
+	}
+	return nil
+}
+
+func (c *Config) MatchSecretNameByDomain(domain string) string {
+	for _, credential := range c.CredentialConfig {
+		for _, credDomain := range credential.Domains {
+			if host.Name(strings.ToLower(domain)).SubsetOf(host.Name(strings.ToLower(credDomain))) {
+				return credential.TLSSecret
+			}
+		}
+	}
+	return ""
+}
+
+func (c *Config) GetSecretNameByDomain(issuerName IssuerName, domain string) string {
+	for _, credential := range c.CredentialConfig {
+		if credential.TLSIssuer == issuerName {
+			for _, credDomain := range credential.Domains {
+				if host.Name(strings.ToLower(domain)).SubsetOf(host.Name(strings.ToLower(credDomain))) {
+					return credential.TLSSecret
+				}
+			}
+		}
+	}
+	return ""
+}
+
+func (c *Config) Validate() error {
+	// check acmeIssuer
+	if len(c.ACMEIssuer) == 0 {
+		return fmt.Errorf("acmeIssuer is empty")
+	}
+	for _, issuer := range c.ACMEIssuer {
+		switch issuer.Name {
+		case IssuerTypeLetsencrypt:
+			if issuer.Email == "" {
+				return fmt.Errorf("acmeIssuer %s email is empty", issuer.Name)
+			}
+			if !ValidateEmail(issuer.Email) {
+				return fmt.Errorf("acmeIssuer %s email %s is invalid", issuer.Name, issuer.Email)
+			}
+		default:
+			return fmt.Errorf("acmeIssuer name %s is not supported", issuer.Name)
+		}
+	}
+	// check credentialConfig
+	for _, credential := range c.CredentialConfig {
+		if len(credential.Domains) == 0 {
+			return fmt.Errorf("credentialConfig domains is empty")
+		}
+		if credential.TLSSecret == "" {
+			return fmt.Errorf("credentialConfig tlsSecret is empty")
+		}
+		if credential.TLSIssuer == IssuerTypeLetsencrypt {
+			if len(credential.Domains) > 1 {
+				return fmt.Errorf("credentialConfig tlsIssuer %s only support one domain", credential.TLSIssuer)
+			}
+		}
+		if credential.TLSIssuer != IssuerTypeLetsencrypt && len(credential.TLSIssuer) > 0 {
+			return fmt.Errorf("credential tls issuer %s is not support", credential.TLSIssuer)
+		}
+	}
+
+	if c.RenewBeforeDays <= 0 {
+		return fmt.Errorf("RenewBeforeDays should be large than zero")
+	}
+
+	if c.RenewBeforeDays >= RenewMaxDays {
+		return fmt.Errorf("RenewBeforeDays should be less than %d", RenewMaxDays)
+	}
+	return nil
+}
+
+type CredentialEntry struct {
+	Domains      []string   `json:"domains"`
+	TLSIssuer    IssuerName `json:"tlsIssuer,omitempty"`
+	TLSSecret    string     `json:"tlsSecret,omitempty"`
+	CACertSecret string     `json:"cacertSecret,omitempty"`
+}
+
+type ACMEIssuerEntry struct {
+	Name  IssuerName `json:"name"`
+	Email string     `json:"email"`
+	AK    string     `json:"ak"` // Only applicable for certain issuers like 'aliyunssl'
+	SK    string     `json:"sk"` // Only applicable for certain issuers like 'aliyunssl'
+}
+type ConfigMgr struct {
+	client    kubernetes.Interface
+	config    atomic.Value
+	namespace string
+}
+
+func (c *ConfigMgr) SetConfig(config *Config) {
+	c.config.Store(config)
+}
+
+func (c *ConfigMgr) GetConfig() *Config {
+	value := c.config.Load()
+	if value != nil {
+		if config, ok := value.(*Config); ok {
+			return config
+		}
+	}
+	return nil
+}
+
+func (c *ConfigMgr) InitConfig(email string) (*Config, error) {
+	var defaultConfig *Config
+	cm, err := c.GetConfigmap()
+	if err != nil {
+		if errors.IsNotFound(err) {
+			if len(strings.TrimSpace(email)) == 0 {
+				email = getRandEmail()
+			}
+			defaultConfig = newDefaultConfig(email)
+			err2 := c.ApplyConfigmap(defaultConfig)
+			if err2 != nil {
+				return nil, err2
+			}
+		}
+		return nil, err
+	} else {
+		defaultConfig, err = c.ParseConfigFromConfigmap(cm)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return defaultConfig, nil
+}
+
+func (c *ConfigMgr) ParseConfigFromConfigmap(configmap *v1.ConfigMap) (*Config, error) {
+	if _, ok := configmap.Data[ConfigmapCertConfigKey]; !ok {
+		return nil, fmt.Errorf("no cert key %s in configmap %s", ConfigmapCertConfigKey, configmap.Name)
+	}
+
+	config := newDefaultConfig("")
+	if err := yaml.Unmarshal([]byte(configmap.Data[ConfigmapCertConfigKey]), config); err != nil {
+		return nil, fmt.Errorf("data:%s,  convert to higress config error, error: %+v", configmap.Data[ConfigmapCertConfigKey], err)
+	}
+	// validate config
+	if err := config.Validate(); err != nil {
+		return nil, err
+	}
+	return config, nil
+}
+
+func (c *ConfigMgr) GetConfigFromConfigmap() (*Config, error) {
+	var config *Config
+	cm, err := c.GetConfigmap()
+	if err != nil {
+		return nil, err
+	} else {
+		config, err = c.ParseConfigFromConfigmap(cm)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return config, nil
+}
+
+func (c *ConfigMgr) GetConfigmap() (configmap *v1.ConfigMap, err error) {
+	configmapName := ConfigmapCertName
+	cm, err := c.client.CoreV1().ConfigMaps(c.namespace).Get(context.Background(), configmapName, metav1.GetOptions{})
+	return cm, err
+}
+
+func (c *ConfigMgr) ApplyConfigmap(config *Config) error {
+	configmapName := ConfigmapCertName
+	cm := &v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: c.namespace,
+			Name:      configmapName,
+		},
+	}
+	bytes, err := yaml.Marshal(config)
+	if err != nil {
+		return err
+	}
+	cm.Data = make(map[string]string, 0)
+	cm.Data[ConfigmapCertConfigKey] = string(bytes)
+
+	_, err = c.client.CoreV1().ConfigMaps(c.namespace).Get(context.Background(), configmapName, metav1.GetOptions{})
+	if err != nil {
+		if errors.IsNotFound(err) {
+			if _, err = c.client.CoreV1().ConfigMaps(c.namespace).Create(context.Background(), cm, metav1.CreateOptions{}); err != nil {
+				return err
+			}
+		} else {
+			return err
+		}
+	} else {
+		if _, err = c.client.CoreV1().ConfigMaps(c.namespace).Update(context.Background(), cm, metav1.UpdateOptions{}); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func NewConfigMgr(namespace string, client kubernetes.Interface) (*ConfigMgr, error) {
+	configMgr := &ConfigMgr{
+		client:    client,
+		namespace: namespace,
+	}
+	return configMgr, nil
+}
+
+func newDefaultConfig(email string) *Config {
+
+	defaultIssuer := []ACMEIssuerEntry{
+		{
+			Name:  IssuerTypeLetsencrypt,
+			Email: email,
+		},
+	}
+	defaultCredentialConfig := make([]CredentialEntry, 0)
+	config := &Config{
+		AutomaticHttps:   true,
+		RenewBeforeDays:  DefaultRenewBeforeDays,
+		ACMEIssuer:       defaultIssuer,
+		CredentialConfig: defaultCredentialConfig,
+		Version:          time.Now().Format("20060102030405"),
+	}
+	return config
+}
+
+func getRandEmail() string {
+	num1 := rangeRandom(100, 100000)
+	num2 := rangeRandom(100, 100000)
+	return fmt.Sprintf("your%d@yours%d.com", num1, num2)
+}

pkg/cert/config_test.go

@@ -0,0 +1,122 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cert
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestMatchSecretNameByDomain(t *testing.T) {
+	tests := []struct {
+		name          string
+		domain        string
+		credentialCfg []CredentialEntry
+		expected      string
+	}{
+		{
+			name:   "Exact match",
+			domain: "example.com",
+			credentialCfg: []CredentialEntry{
+				{
+					Domains:   []string{"example.com"},
+					TLSSecret: "example-com-tls",
+				},
+			},
+			expected: "example-com-tls",
+		},
+
+		{
+			name:   "Exact match ignore case ",
+			domain: "eXample.com",
+			credentialCfg: []CredentialEntry{
+				{
+					Domains:   []string{"example.com"},
+					TLSSecret: "example-com-tls",
+				},
+			},
+			expected: "example-com-tls",
+		},
+		{
+			name:   "Wildcard match",
+			domain: "sub.example.com",
+			credentialCfg: []CredentialEntry{
+				{
+					Domains:   []string{"*.example.com"},
+					TLSSecret: "wildcard-example-com-tls",
+				},
+			},
+			expected: "wildcard-example-com-tls",
+		},
+
+		{
+			name:   "Wildcard match ignore case",
+			domain: "sub.Example.com",
+			credentialCfg: []CredentialEntry{
+				{
+					Domains:   []string{"*.example.com"},
+					TLSSecret: "wildcard-example-com-tls",
+				},
+			},
+			expected: "wildcard-example-com-tls",
+		},
+		{
+			name:   "* match",
+			domain: "blog.example.co.uk",
+			credentialCfg: []CredentialEntry{
+				{
+					Domains:   []string{"*"},
+					TLSSecret: "blog-co-uk-tls",
+				},
+			},
+			expected: "blog-co-uk-tls",
+		},
+		{
+			name:   "No match",
+			domain: "unknown.com",
+			credentialCfg: []CredentialEntry{
+				{
+					Domains:   []string{"example.com"},
+					TLSSecret: "example-com-tls",
+				},
+			},
+			expected: "",
+		},
+		{
+			name:   "Multiple matches - first match wins",
+			domain: "example.com",
+			credentialCfg: []CredentialEntry{
+				{
+					Domains:   []string{"example.com"},
+					TLSSecret: "example-com-tls",
+				},
+				{
+					Domains:   []string{"*.example.com"},
+					TLSSecret: "wildcard-example-com-tls",
+				},
+			},
+			expected: "example-com-tls",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg := Config{CredentialConfig: tt.credentialCfg}
+			result := cfg.MatchSecretNameByDomain(tt.domain)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}

pkg/cert/controller.go

@@ -0,0 +1,165 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cert
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+	"time"
+
+	"k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/client-go/informers"
+	v1informer "k8s.io/client-go/informers/core/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/util/workqueue"
+)
+
+const (
+	workNum       = 1
+	maxRetry      = 2
+	configMapName = "higress-https"
+)
+
+type Controller struct {
+	namespace         string
+	ConfigMapInformer v1informer.ConfigMapInformer
+	client            kubernetes.Interface
+	queue             workqueue.RateLimitingInterface
+	configMgr         *ConfigMgr
+	server            *Server
+	certMgr           *CertMgr
+	factory           informers.SharedInformerFactory
+}
+
+func (c *Controller) addConfigmap(obj interface{}) {
+	key, err := cache.MetaNamespaceKeyFunc(obj)
+	if err != nil {
+		return
+	}
+	namespace, name, _ := cache.SplitMetaNamespaceKey(key)
+	if namespace != c.namespace || name != configMapName {
+		return
+	}
+	c.enqueue(name)
+
+}
+func (c *Controller) updateConfigmap(oldObj interface{}, newObj interface{}) {
+	key, err := cache.MetaNamespaceKeyFunc(oldObj)
+	if err != nil {
+		return
+	}
+	namespace, name, _ := cache.SplitMetaNamespaceKey(key)
+	if namespace != c.namespace || name != configMapName {
+		return
+	}
+	if reflect.DeepEqual(oldObj, newObj) {
+		return
+	}
+	c.enqueue(name)
+}
+
+func (c *Controller) enqueue(name string) {
+	c.queue.Add(name)
+}
+
+func (c *Controller) cachesSynced() bool {
+	return c.ConfigMapInformer.Informer().HasSynced()
+}
+
+func (c *Controller) Run(stopCh <-chan struct{}) error {
+	defer runtime.HandleCrash()
+	defer c.queue.ShutDown()
+	CertLog.Info("Waiting for informer caches to sync")
+	c.factory.Start(stopCh)
+	if ok := cache.WaitForCacheSync(stopCh, c.cachesSynced); !ok {
+		return fmt.Errorf("failed to wait for caches to sync")
+	}
+	CertLog.Info("Starting controller")
+	// Launch one workers to process configmap resources
+	for i := 0; i < workNum; i++ {
+		go wait.Until(c.worker, time.Minute, stopCh)
+	}
+	CertLog.Info("Started workers")
+	<-stopCh
+	CertLog.Info("Shutting down workers")
+
+	return nil
+}
+
+func (c *Controller) worker() {
+	for c.processNextItem() {
+
+	}
+}
+
+func (c *Controller) processNextItem() bool {
+	item, shutdown := c.queue.Get()
+	if shutdown {
+		return false
+	}
+	defer c.queue.Done(item)
+	key := item.(string)
+	CertLog.Infof("controller process item:%s", key)
+	err := c.syncConfigmap(key)
+	if err != nil {
+		c.handleError(key, err)
+	}
+	return true
+}
+
+func (c *Controller) syncConfigmap(key string) error {
+	configmap, err := c.ConfigMapInformer.Lister().ConfigMaps(c.namespace).Get(key)
+	if err != nil {
+		return err
+	}
+	newConfig, err := c.configMgr.ParseConfigFromConfigmap(configmap)
+	if err != nil {
+		return err
+	}
+	oldConfig := c.configMgr.GetConfig()
+	// reconcile old config and new config
+	return c.certMgr.Reconcile(context.Background(), oldConfig, newConfig)
+}
+
+func (c *Controller) handleError(key string, err error) {
+	runtime.HandleError(err)
+	CertLog.Errorf("%+v", err)
+	c.queue.Forget(key)
+}
+
+func NewController(client kubernetes.Interface, namespace string, certMgr *CertMgr, configMgr *ConfigMgr) (*Controller, error) {
+	kubeInformerFactory := informers.NewSharedInformerFactoryWithOptions(client, 0, informers.WithNamespace(namespace))
+	configmapInformer := kubeInformerFactory.Core().V1().ConfigMaps()
+	c := &Controller{
+		certMgr:           certMgr,
+		configMgr:         configMgr,
+		client:            client,
+		namespace:         namespace,
+		factory:           kubeInformerFactory,
+		ConfigMapInformer: configmapInformer,
+		queue:             workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "ingressManage"),
+	}
+
+	CertLog.Info("Setting up configmap informer event handlers")
+	configmapInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc:    c.addConfigmap,
+		UpdateFunc: c.updateConfigmap,
+	})
+
+	return c, nil
+}

pkg/cert/ingress.go

@@ -0,0 +1,158 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cert
+
+import (
+	"context"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/caddyserver/certmagic"
+	"github.com/mholt/acmez"
+	"github.com/mholt/acmez/acme"
+	v1 "k8s.io/api/networking/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+)
+
+const (
+	IngressClassName   = "higress"
+	IngressServiceName = "higress-controller"
+	IngressNamePefix   = "higress-http-solver-"
+	IngressPathPrefix  = "/.well-known/acme-challenge/"
+	IngressServicePort = 8889
+)
+
+type IngressSolver struct {
+	client       kubernetes.Interface
+	acmeIssuer   *certmagic.ACMEIssuer
+	solversMu    sync.Mutex
+	namespace    string
+	ingressDelay time.Duration
+}
+
+func NewIngressSolver(namespace string, client kubernetes.Interface, acmeIssuer *certmagic.ACMEIssuer) (acmez.Solver, error) {
+	solver := &IngressSolver{
+		namespace:    namespace,
+		client:       client,
+		acmeIssuer:   acmeIssuer,
+		ingressDelay: 5 * time.Second,
+	}
+	return solver, nil
+}
+
+func (s *IngressSolver) Present(_ context.Context, challenge acme.Challenge) error {
+	CertLog.Infof("ingress solver present challenge:%+v", challenge)
+	s.solversMu.Lock()
+	defer s.solversMu.Unlock()
+	ingressName := s.getIngressName(challenge)
+	ingress := s.constructIngress(challenge)
+	CertLog.Infof("update ingress name:%s, ingress:%v", ingressName, ingress)
+	_, err := s.client.NetworkingV1().Ingresses(s.namespace).Get(context.Background(), ingressName, metav1.GetOptions{})
+	if err != nil {
+		if errors.IsNotFound(err) {
+			// create ingress
+			_, err2 := s.client.NetworkingV1().Ingresses(s.namespace).Create(context.Background(), ingress, metav1.CreateOptions{})
+			return err2
+		}
+		return err
+	}
+	_, err1 := s.client.NetworkingV1().Ingresses(s.namespace).Update(context.Background(), ingress, metav1.UpdateOptions{})
+	if err1 != nil {
+		return err1
+	}
+	return nil
+}
+
+func (s *IngressSolver) Wait(ctx context.Context, challenge acme.Challenge) error {
+	CertLog.Infof("ingress solver wait challenge:%+v", challenge)
+	// wait for ingress ready
+	if s.ingressDelay > 0 {
+		select {
+		case <-time.After(s.ingressDelay):
+		case <-ctx.Done():
+			return ctx.Err()
+		}
+	}
+	CertLog.Infof("ingress solver wait challenge done")
+	return nil
+}
+
+func (s *IngressSolver) CleanUp(_ context.Context, challenge acme.Challenge) error {
+	CertLog.Infof("ingress solver cleanup challenge:%+v", challenge)
+	s.solversMu.Lock()
+	defer s.solversMu.Unlock()
+	ingressName := s.getIngressName(challenge)
+	CertLog.Infof("cleanup ingress name:%s", ingressName)
+	err := s.client.NetworkingV1().Ingresses(s.namespace).Delete(context.Background(), ingressName, metav1.DeleteOptions{})
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (s *IngressSolver) Delete(_ context.Context, challenge acme.Challenge) error {
+	s.solversMu.Lock()
+	defer s.solversMu.Unlock()
+	err := s.client.NetworkingV1().Ingresses(s.namespace).Delete(context.Background(), s.getIngressName(challenge), metav1.DeleteOptions{})
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (s *IngressSolver) getIngressName(challenge acme.Challenge) string {
+	return IngressNamePefix + strings.ReplaceAll(challenge.Identifier.Value, ".", "-")
+}
+
+func (s *IngressSolver) constructIngress(challenge acme.Challenge) *v1.Ingress {
+	ingressClassName := IngressClassName
+	ingressDomain := challenge.Identifier.Value
+	ingressPath := IngressPathPrefix + challenge.Token
+	ingress := v1.Ingress{}
+	ingress.Name = s.getIngressName(challenge)
+	ingress.Namespace = s.namespace
+	pathType := v1.PathTypePrefix
+	ingress.Spec = v1.IngressSpec{
+		IngressClassName: &ingressClassName,
+		Rules: []v1.IngressRule{
+			{
+				Host: ingressDomain,
+				IngressRuleValue: v1.IngressRuleValue{
+					HTTP: &v1.HTTPIngressRuleValue{
+						Paths: []v1.HTTPIngressPath{
+							{
+								Path:     ingressPath,
+								PathType: &pathType,
+								Backend: v1.IngressBackend{
+									Service: &v1.IngressServiceBackend{
+										Name: IngressServiceName,
+										Port: v1.ServiceBackendPort{
+											Number: IngressServicePort,
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	return &ingress
+}

pkg/cert/log.go

@@ -0,0 +1,19 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cert
+
+import "istio.io/pkg/log"
+
+var CertLog = log.RegisterScope("cert", "Higress Cert process.", 0)

pkg/cert/secret.go

@@ -0,0 +1,108 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cert
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+	"strings"
+	"time"
+
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+)
+
+const (
+	SecretNamePrefix = "higress-secret-"
+)
+
+type SecretMgr struct {
+	client    kubernetes.Interface
+	namespace string
+}
+
+func NewSecretMgr(namespace string, client kubernetes.Interface) (*SecretMgr, error) {
+	secretMgr := &SecretMgr{
+		namespace: namespace,
+		client:    client,
+	}
+
+	return secretMgr, nil
+}
+
+func (s *SecretMgr) Update(domain string, secretName string, privateKey []byte, certificate []byte, notBefore time.Time, notAfter time.Time, isRenew bool) error {
+	//secretName := s.getSecretName(domain)
+	secret := s.constructSecret(domain, privateKey, certificate, notBefore, notAfter, isRenew)
+	_, err := s.client.CoreV1().Secrets(s.namespace).Get(context.Background(), secretName, metav1.GetOptions{})
+	if err != nil {
+		if errors.IsNotFound(err) {
+			// create secret
+			_, err2 := s.client.CoreV1().Secrets(s.namespace).Create(context.Background(), secret, metav1.CreateOptions{})
+			return err2
+		}
+		return err
+	}
+	// check secret annotations
+	if _, ok := secret.Annotations["higress.io/cert-domain"]; !ok {
+		return fmt.Errorf("the secret name %s is not automatic https secret name for the domain:%s, please rename it in config", secretName, domain)
+	}
+	_, err1 := s.client.CoreV1().Secrets(s.namespace).Update(context.Background(), secret, metav1.UpdateOptions{})
+	if err1 != nil {
+		return err1
+	}
+
+	return nil
+}
+
+func (s *SecretMgr) Delete(domain string) error {
+	secretName := s.getSecretName(domain)
+	err := s.client.CoreV1().Secrets(s.namespace).Delete(context.Background(), secretName, metav1.DeleteOptions{})
+	return err
+}
+
+func (s *SecretMgr) getSecretName(domain string) string {
+	return SecretNamePrefix + strings.ReplaceAll(strings.TrimSpace(domain), ".", "-")
+}
+
+func (s *SecretMgr) constructSecret(domain string, privateKey []byte, certificate []byte, notBefore time.Time, notAfter time.Time, isRenew bool) *v1.Secret {
+	secretName := s.getSecretName(domain)
+	annotationMap := make(map[string]string, 0)
+	annotationMap["higress.io/cert-domain"] = domain
+	annotationMap["higress.io/cert-notAfter"] = notAfter.Format("2006-01-02 15:04:05")
+	annotationMap["higress.io/cert-notBefore"] = notBefore.Format("2006-01-02 15:04:05")
+	annotationMap["higress.io/cert-renew"] = strconv.FormatBool(isRenew)
+	if isRenew {
+		annotationMap["higress.io/cert-renew-time"] = time.Now().Format("2006-01-02 15:04:05")
+	}
+	// Required fields:
+	// - Secret.Data["tls.key"] - TLS private key.
+	//   Secret.Data["tls.crt"] - TLS certificate.
+	dataMap := make(map[string][]byte, 0)
+	dataMap["tls.key"] = privateKey
+	dataMap["tls.crt"] = certificate
+	secret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        secretName,
+			Namespace:   s.namespace,
+			Annotations: annotationMap,
+		},
+		Type: v1.SecretTypeTLS,
+		Data: dataMap,
+	}
+	return secret
+}

pkg/cert/server.go

@@ -0,0 +1,115 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cert
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/http"
+	"time"
+
+	"github.com/caddyserver/certmagic"
+	"k8s.io/client-go/kubernetes"
+)
+
+type Option struct {
+	Namespace     string
+	ServerAddress string
+	Email         string
+}
+
+type Server struct {
+	httpServer *http.Server
+	opts       *Option
+	clientSet  kubernetes.Interface
+	controller *Controller
+	certMgr    *CertMgr
+}
+
+func NewServer(clientSet kubernetes.Interface, opts *Option) (*Server, error) {
+	server := &Server{
+		clientSet: clientSet,
+		opts:      opts,
+	}
+	return server, nil
+}
+
+func (s *Server) InitDefaultConfig() error {
+	configMgr, _ := NewConfigMgr(s.opts.Namespace, s.clientSet)
+	// init config if there is not existed
+	_, err := configMgr.InitConfig(s.opts.Email)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (s *Server) InitServer() error {
+	configMgr, _ := NewConfigMgr(s.opts.Namespace, s.clientSet)
+	// init config if there is not existed
+	defaultConfig, err := configMgr.InitConfig(s.opts.Email)
+	if err != nil {
+		return err
+	}
+	// init certmgr
+	certMgr, err := InitCertMgr(s.opts, s.clientSet, defaultConfig) // config and start
+	s.certMgr = certMgr
+	// init controller
+	controller, err := NewController(s.clientSet, s.opts.Namespace, certMgr, configMgr)
+	s.controller = controller
+	// init http server
+	s.initHttpServer()
+	return nil
+}
+
+func (s *Server) initHttpServer() error {
+	CertLog.Infof("server init http server")
+	ctx := context.Background()
+	mux := http.NewServeMux()
+	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintf(w, "Lookit my cool website over HTTPS!")
+	})
+	httpServer := &http.Server{
+		ReadHeaderTimeout: 5 * time.Second,
+		ReadTimeout:       5 * time.Second,
+		WriteTimeout:      5 * time.Second,
+		IdleTimeout:       5 * time.Second,
+		Addr:              s.opts.ServerAddress,
+		BaseContext:       func(listener net.Listener) context.Context { return ctx },
+	}
+	cfg := s.certMgr.cfg
+	if len(cfg.Issuers) > 0 {
+		if am, ok := cfg.Issuers[0].(*certmagic.ACMEIssuer); ok {
+			httpServer.Handler = am.HTTPChallengeHandler(mux)
+		}
+	} else {
+		httpServer.Handler = mux
+	}
+	s.httpServer = httpServer
+	return nil
+}
+
+func (s *Server) Run(stopCh <-chan struct{}) error {
+	go s.controller.Run(stopCh)
+	CertLog.Infof("server run")
+	go func() {
+		<-stopCh
+		CertLog.Infof("server http server shutdown now...")
+		s.httpServer.Shutdown(context.Background())
+	}()
+	err := s.httpServer.ListenAndServe()
+	return err
+}

pkg/cert/storage.go

@@ -0,0 +1,337 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cert
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/fs"
+	"path"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/caddyserver/certmagic"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+)
+
+const (
+	CertificatesPrefix              = "/certificates"
+	ConfigmapStoreCertficatesPrefix = "higress-cert-store-certificates-"
+	ConfigmapStoreDefaultName       = "higress-cert-store-default"
+)
+
+var _ certmagic.Storage = (*ConfigmapStorage)(nil)
+
+type ConfigmapStorage struct {
+	namespace string
+	client    kubernetes.Interface
+	mux       sync.RWMutex
+}
+
+type HashValue struct {
+	K string `json:"k,omitempty"`
+	V []byte `json:"v,omitempty"`
+}
+
+func NewConfigmapStorage(namespace string, client kubernetes.Interface) (certmagic.Storage, error) {
+	storage := &ConfigmapStorage{
+		namespace: namespace,
+		client:    client,
+	}
+	return storage, nil
+}
+
+// Exists returns true if key exists in s.
+func (s *ConfigmapStorage) Exists(_ context.Context, key string) bool {
+	s.mux.RLock()
+	defer s.mux.RUnlock()
+	cm, err := s.getConfigmapStoreByKey(key)
+	if err != nil {
+		return false
+	}
+	if cm.Data == nil {
+		return false
+	}
+
+	hashKey := fastHash([]byte(key))
+	if _, ok := cm.Data[hashKey]; ok {
+		return true
+	}
+	return false
+}
+
+// Store saves value at key.
+func (s *ConfigmapStorage) Store(_ context.Context, key string, value []byte) error {
+	s.mux.Lock()
+	defer s.mux.Unlock()
+	cm, err := s.getConfigmapStoreByKey(key)
+	if err != nil {
+		return err
+	}
+	if cm.Data == nil {
+		cm.Data = make(map[string]string, 0)
+	}
+
+	hashKey := fastHash([]byte(key))
+	hashV := &HashValue{
+		K: key,
+		V: value,
+	}
+	bytes, err := json.Marshal(hashV)
+	if err != nil {
+		return err
+	}
+	cm.Data[hashKey] = string(bytes)
+	return s.updateConfigmap(cm)
+}
+
+// Load retrieves the value at key.
+func (s *ConfigmapStorage) Load(_ context.Context, key string) ([]byte, error) {
+	s.mux.RLock()
+	defer s.mux.RUnlock()
+	var value []byte
+	cm, err := s.getConfigmapStoreByKey(key)
+	if err != nil {
+		return value, err
+	}
+	if cm.Data == nil {
+		return value, fs.ErrNotExist
+	}
+
+	hashKey := fastHash([]byte(key))
+	if v, ok := cm.Data[hashKey]; ok {
+		hV := &HashValue{}
+		err = json.Unmarshal([]byte(v), hV)
+		if err != nil {
+			return value, err
+		}
+		return hV.V, nil
+	}
+	return value, fs.ErrNotExist
+}
+
+// Delete deletes the value at key.
+func (s *ConfigmapStorage) Delete(_ context.Context, key string) error {
+	s.mux.Lock()
+	defer s.mux.Unlock()
+	cm, err := s.getConfigmapStoreByKey(key)
+	if err != nil {
+		return err
+	}
+	if cm.Data == nil {
+		cm.Data = make(map[string]string, 0)
+	}
+	hashKey := fastHash([]byte(key))
+	delete(cm.Data, hashKey)
+	return s.updateConfigmap(cm)
+}
+
+// List returns all keys that match the prefix.
+// If the prefix is "/certificates", it retrieves all ConfigMaps, otherwise only one.
+func (s *ConfigmapStorage) List(ctx context.Context, prefix string, recursive bool) ([]string, error) {
+	s.mux.RLock()
+	defer s.mux.RUnlock()
+	var keys []string
+	var configmapKeys []string
+	visitedDirs := make(map[string]struct{})
+
+	// Check if the prefix corresponds to a specific key
+	hashPrefix := fastHash([]byte(prefix))
+	if strings.HasPrefix(prefix, CertificatesPrefix) {
+		// If the prefix is "/certificates", get all ConfigMaps and traverse each one
+		// List all ConfigMaps in the namespace with label higress.io/cert-https=true
+		configmaps, err := s.client.CoreV1().ConfigMaps(s.namespace).List(ctx, metav1.ListOptions{FieldSelector: "metadata.annotations['higress.io/cert-https'] == 'true'"})
+		if err != nil {
+			return keys, err
+		}
+
+		for _, cm := range configmaps.Items {
+			// Check if the ConfigMap name starts with the expected prefix
+			if strings.HasPrefix(cm.Name, ConfigmapStoreCertficatesPrefix) {
+				// Add the keys from Data field to the list
+				for _, v := range cm.Data {
+					// Unmarshal the value into hashValue struct
+					var hv HashValue
+					if err := json.Unmarshal([]byte(v), &hv); err != nil {
+						return nil, err
+					}
+					// Check if the key starts with the specified prefix
+					if strings.HasPrefix(hv.K, prefix) {
+						// Add the key to the list
+						configmapKeys = append(configmapKeys, hv.K)
+					}
+				}
+			}
+		}
+	} else {
+		// If not starting with "/certificates", get the specific ConfigMap
+		cm, err := s.getConfigmapStoreByKey(prefix)
+		if err != nil {
+			return keys, err
+		}
+
+		if _, ok := cm.Data[hashPrefix]; ok {
+			// The prefix corresponds to a specific key, add it to the list
+			configmapKeys = append(configmapKeys, prefix)
+		} else {
+			// The prefix is considered a directory
+			for _, v := range cm.Data {
+				// Unmarshal the value into hashValue struct
+				var hv HashValue
+				if err := json.Unmarshal([]byte(v), &hv); err != nil {
+					return nil, err
+				}
+				// Check if the key starts with the specified prefix
+				if strings.HasPrefix(hv.K, prefix) {
+					// Add the key to the list
+					configmapKeys = append(configmapKeys, hv.K)
+				}
+			}
+		}
+	}
+
+	// return all
+	if recursive {
+		return configmapKeys, nil
+	}
+
+	// only return sub dirs
+	for _, key := range configmapKeys {
+		subPath := strings.TrimPrefix(strings.ReplaceAll(key, prefix, ""), "/")
+		paths := strings.Split(subPath, "/")
+		if len(paths) > 0 {
+			subDir := path.Join(prefix, paths[0])
+			if _, ok := visitedDirs[subDir]; !ok {
+				keys = append(keys, subDir)
+			}
+			visitedDirs[subDir] = struct{}{}
+		}
+	}
+
+	return keys, nil
+}
+
+// Stat returns information about key. only support for no certificates path
+func (s *ConfigmapStorage) Stat(_ context.Context, key string) (certmagic.KeyInfo, error) {
+	s.mux.RLock()
+	defer s.mux.RUnlock()
+	// Create a new KeyInfo struct
+	info := certmagic.KeyInfo{}
+
+	// Get the ConfigMap containing the keys
+	cm, err := s.getConfigmapStoreByKey(key)
+	if err != nil {
+		return info, err
+	}
+
+	// Check if the key exists in the ConfigMap
+	hashKey := fastHash([]byte(key))
+	if data, ok := cm.Data[hashKey]; ok {
+		// The key exists, populate the KeyInfo struct
+		info.Key = key
+		info.Modified = time.Now() // Since we're not tracking modification time in ConfigMap
+		info.Size = int64(len(data))
+		info.IsTerminal = true
+	} else {
+		// Check if there are other keys with the same prefix
+		prefixKeys := make([]string, 0)
+		for _, v := range cm.Data {
+			var hv HashValue
+			if err := json.Unmarshal([]byte(v), &hv); err != nil {
+				return info, err
+			}
+			// Check if the key starts with the specified prefix
+			if strings.HasPrefix(hv.K, key) {
+				// Add the key to the list
+				prefixKeys = append(prefixKeys, hv.K)
+			}
+		}
+		// If there are multiple keys with the same prefix, then it's not a terminal node
+		if len(prefixKeys) > 0 {
+			info.Key = key
+			info.IsTerminal = false
+		} else {
+			return info, fmt.Errorf("prefix '%s' is not existed", key)
+		}
+	}
+	return info, nil
+}
+
+// Lock obtains a lock named by the given name. It blocks
+// until the lock can be obtained or an error is returned.
+func (s *ConfigmapStorage) Lock(ctx context.Context, name string) error {
+	return nil
+}
+
+// Unlock releases the lock for name.
+func (s *ConfigmapStorage) Unlock(_ context.Context, name string) error {
+	return nil
+}
+
+func (s *ConfigmapStorage) String() string {
+	return "ConfigmapStorage"
+}
+
+func (s *ConfigmapStorage) getConfigmapStoreNameByKey(key string) string {
+	parts := strings.SplitN(key, "/", 10)
+	if len(parts) >= 4 && parts[1] == "certificates" {
+		domain := strings.TrimSuffix(parts[3], ".crt")
+		domain = strings.TrimSuffix(domain, ".key")
+		domain = strings.TrimSuffix(domain, ".json")
+		issuerKey := parts[2]
+		return ConfigmapStoreCertficatesPrefix + fastHash([]byte(issuerKey+domain))
+	}
+	return ConfigmapStoreDefaultName
+}
+
+func (s *ConfigmapStorage) getConfigmapStoreByKey(key string) (*v1.ConfigMap, error) {
+	configmapName := s.getConfigmapStoreNameByKey(key)
+	cm, err := s.client.CoreV1().ConfigMaps(s.namespace).Get(context.Background(), configmapName, metav1.GetOptions{})
+	if err != nil {
+		if errors.IsNotFound(err) {
+			// Save default ConfigMap
+			cm = &v1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace:   s.namespace,
+					Name:        configmapName,
+					Annotations: map[string]string{"higress.io/cert-https": "true"},
+				},
+			}
+			_, err = s.client.CoreV1().ConfigMaps(s.namespace).Create(context.Background(), cm, metav1.CreateOptions{})
+			if err != nil {
+				return nil, err
+			}
+		} else {
+			return nil, err
+		}
+	}
+	return cm, nil
+}
+
+// updateConfigmap adds or updates the annotation higress.io/cert-https to true.
+func (s *ConfigmapStorage) updateConfigmap(configmap *v1.ConfigMap) error {
+	if configmap.ObjectMeta.Annotations == nil {
+		configmap.ObjectMeta.Annotations = make(map[string]string)
+	}
+	configmap.ObjectMeta.Annotations["higress.io/cert-https"] = "true"
+
+	_, err := s.client.CoreV1().ConfigMaps(configmap.Namespace).Update(context.Background(), configmap, metav1.UpdateOptions{})
+	return err
+}

pkg/cert/storage_test.go

@@ -0,0 +1,325 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cert
+
+import (
+	"context"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"k8s.io/client-go/kubernetes/fake"
+)
+
+func TestGetConfigmapStoreNameByKey(t *testing.T) {
+	// Create a fake client for testing
+	fakeClient := fake.NewSimpleClientset()
+	// Create a new ConfigmapStorage instance for testing
+	namespace := "your-namespace"
+	storage := &ConfigmapStorage{
+		namespace: namespace,
+		client:    fakeClient,
+	}
+	tests := []struct {
+		name     string
+		key      string
+		expected string
+	}{
+		{
+			name:     "certificate crt",
+			key:      "/certificates/issuerKey/domain.crt",
+			expected: "higress-cert-store-certificates-" + fastHash([]byte("issuerKey"+"domain")),
+		},
+		{
+			name:     "certificate meta",
+			key:      "/certificates/issuerKey/domain.json",
+			expected: "higress-cert-store-certificates-" + fastHash([]byte("issuerKey"+"domain")),
+		},
+		{
+			name:     "certificate key",
+			key:      "/certificates/issuerKey/domain.key",
+			expected: "higress-cert-store-certificates-" + fastHash([]byte("issuerKey"+"domain")),
+		},
+		{
+			name:     "user key",
+			key:      "/users/hello/2",
+			expected: "higress-cert-store-default",
+		},
+		{
+			name:     "Empty Key",
+			key:      "",
+			expected: "higress-cert-store-default",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			storageName := storage.getConfigmapStoreNameByKey(test.key)
+			assert.Equal(t, test.expected, storageName)
+		})
+	}
+}
+
+func TestExists(t *testing.T) {
+	// Create a fake client for testing
+	fakeClient := fake.NewSimpleClientset()
+
+	// Create a new ConfigmapStorage instance for testing
+	namespace := "your-namespace"
+	storage, err := NewConfigmapStorage(namespace, fakeClient)
+	assert.NoError(t, err)
+
+	// Store a test key
+	testKey := "/certificates/issuer1/domain1.crt"
+	err = storage.Store(context.Background(), testKey, []byte("test-data"))
+	assert.NoError(t, err)
+
+	// Define test cases
+	tests := []struct {
+		name        string
+		key         string
+		shouldExist bool
+	}{
+		{
+			name:        "Existing Key",
+			key:         "/certificates/issuer1/domain1.crt",
+			shouldExist: true,
+		},
+		{
+			name:        "Non-Existent Key1",
+			key:         "/certificates/issuer2/domain2.crt",
+			shouldExist: false,
+		},
+		{
+			name:        "Non-Existent Key2",
+			key:         "/users/hello/a",
+			shouldExist: false,
+		},
+		// Add more test cases as needed
+	}
+
+	// Run tests
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			exists := storage.Exists(context.Background(), test.key)
+			assert.Equal(t, test.shouldExist, exists)
+		})
+	}
+}
+
+func TestLoad(t *testing.T) {
+	// Create a fake client for testing
+	fakeClient := fake.NewSimpleClientset()
+
+	// Create a new ConfigmapStorage instance for testing
+	namespace := "your-namespace"
+	storage, err := NewConfigmapStorage(namespace, fakeClient)
+	assert.NoError(t, err)
+
+	// Store a test key
+	testKey := "/certificates/issuer1/domain1.crt"
+	testValue := []byte("test-data")
+	err = storage.Store(context.Background(), testKey, testValue)
+	assert.NoError(t, err)
+
+	// Define test cases
+	tests := []struct {
+		name        string
+		key         string
+		expected    []byte
+		shouldError bool
+	}{
+		{
+			name:        "Existing Key",
+			key:         "/certificates/issuer1/domain1.crt",
+			expected:    testValue,
+			shouldError: false,
+		},
+		{
+			name:        "Non-Existent Key",
+			key:         "/certificates/issuer2/domain2.crt",
+			expected:    nil,
+			shouldError: true,
+		},
+		// Add more test cases as needed
+	}
+
+	// Run tests
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			value, err := storage.Load(context.Background(), test.key)
+			if test.shouldError {
+				assert.Error(t, err)
+				assert.Nil(t, value)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, test.expected, value)
+			}
+		})
+	}
+}
+
+func TestStore(t *testing.T) {
+	// Create a fake client for testing
+	fakeClient := fake.NewSimpleClientset()
+
+	// Create a new ConfigmapStorage instance for testing
+	namespace := "your-namespace"
+	storage := ConfigmapStorage{
+		namespace: namespace,
+		client:    fakeClient,
+	}
+
+	// Define test cases
+	tests := []struct {
+		name                  string
+		key                   string
+		value                 []byte
+		expected              map[string]string
+		expectedConfigmapName string
+		shouldError           bool
+	}{
+		{
+			name:                  "Store Key with /certificates prefix",
+			key:                   "/certificates/issuer1/domain1.crt",
+			value:                 []byte("test-data1"),
+			expected:              map[string]string{fastHash([]byte("/certificates/issuer1/domain1.crt")): `{"k":"/certificates/issuer1/domain1.crt","v":"dGVzdC1kYXRhMQ=="}`},
+			expectedConfigmapName: "higress-cert-store-certificates-" + fastHash([]byte("issuer1"+"domain1")),
+			shouldError:           false,
+		},
+		{
+			name:  "Store Key with /certificates prefix (additional data)",
+			key:   "/certificates/issuer2/domain2.crt",
+			value: []byte("test-data2"),
+			expected: map[string]string{
+				fastHash([]byte("/certificates/issuer2/domain2.crt")): `{"k":"/certificates/issuer2/domain2.crt","v":"dGVzdC1kYXRhMg=="}`,
+			},
+			expectedConfigmapName: "higress-cert-store-certificates-" + fastHash([]byte("issuer2"+"domain2")),
+			shouldError:           false,
+		},
+		{
+			name:                  "Store Key without /certificates prefix",
+			key:                   "/other/path/data.txt",
+			value:                 []byte("test-data3"),
+			expected:              map[string]string{fastHash([]byte("/other/path/data.txt")): `{"k":"/other/path/data.txt","v":"dGVzdC1kYXRhMw=="}`},
+			expectedConfigmapName: "higress-cert-store-default",
+			shouldError:           false,
+		},
+		// Add more test cases as needed
+	}
+
+	// Run tests
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			err := storage.Store(context.Background(), test.key, test.value)
+			if test.shouldError {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+
+				// Check the contents of the ConfigMap after storing
+				configmapName := storage.getConfigmapStoreNameByKey(test.key)
+				cm, err := fakeClient.CoreV1().ConfigMaps(namespace).Get(context.Background(), configmapName, metav1.GetOptions{})
+				assert.NoError(t, err)
+
+				// Check if the data is as expected
+				assert.Equal(t, test.expected, cm.Data)
+
+				// Check if the configmapName is correct
+				assert.Equal(t, test.expectedConfigmapName, configmapName)
+			}
+		})
+	}
+}
+
+func TestList(t *testing.T) {
+	// Create a fake client for testing
+	fakeClient := fake.NewSimpleClientset()
+
+	// Create a new ConfigmapStorage instance for testing
+	namespace := "your-namespace"
+	storage, err := NewConfigmapStorage(namespace, fakeClient)
+	assert.NoError(t, err)
+
+	// Store some test data
+	// Store some test data
+	testKeys := []string{
+		"/certificates/issuer1/domain1.crt",
+		"/certificates/issuer1/domain2.crt",
+		"/certificates/issuer1/domain3.crt", // Added another domain for issuer1
+		"/certificates/issuer2/domain4.crt",
+		"/certificates/issuer2/domain5.crt",
+		"/certificates/issuer3/subdomain1/domain6.crt",            // Two-level subdirectory under issuer3
+		"/certificates/issuer3/subdomain1/subdomain2/domain7.crt", // Two more levels under issuer3
+		"/other-prefix/key1/file1",
+		"/other-prefix/key1/file2",
+		"/other-prefix/key2/file3",
+		"/other-prefix/key2/file4",
+	}
+
+	for _, key := range testKeys {
+		err := storage.Store(context.Background(), key, []byte("test-data"))
+		assert.NoError(t, err)
+	}
+
+	// Define test cases
+	tests := []struct {
+		name      string
+		prefix    string
+		recursive bool
+		expected  []string
+	}{
+		{
+			name:      "List Certificates (Non-Recursive)",
+			prefix:    "/certificates",
+			recursive: false,
+			expected:  []string{"/certificates/issuer1", "/certificates/issuer2", "/certificates/issuer3"},
+		},
+		{
+			name:      "List Certificates (Recursive)",
+			prefix:    "/certificates",
+			recursive: true,
+			expected:  []string{"/certificates/issuer1/domain1.crt", "/certificates/issuer1/domain2.crt", "/certificates/issuer1/domain3.crt", "/certificates/issuer2/domain4.crt", "/certificates/issuer2/domain5.crt", "/certificates/issuer3/subdomain1/domain6.crt", "/certificates/issuer3/subdomain1/subdomain2/domain7.crt"},
+		},
+		{
+			name:      "List Other Prefix (Non-Recursive)",
+			prefix:    "/other-prefix",
+			recursive: false,
+			expected:  []string{"/other-prefix/key1", "/other-prefix/key2"},
+		},
+
+		{
+			name:      "List Other Prefix (Non-Recursive)",
+			prefix:    "/other-prefix/key1",
+			recursive: false,
+			expected:  []string{"/other-prefix/key1/file1", "/other-prefix/key1/file2"},
+		},
+		{
+			name:      "List Other Prefix (Recursive)",
+			prefix:    "/other-prefix",
+			recursive: true,
+			expected:  []string{"/other-prefix/key1/file1", "/other-prefix/key1/file2", "/other-prefix/key2/file3", "/other-prefix/key2/file4"},
+		},
+	}
+
+	// Run tests
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			keys, err := storage.List(context.Background(), test.prefix, test.recursive)
+			assert.NoError(t, err)
+			assert.ElementsMatch(t, test.expected, keys)
+		})
+	}
+}

pkg/cert/util.go

@@ -0,0 +1,97 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cert
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"hash/fnv"
+	"math/rand"
+	"net"
+	"regexp"
+	"time"
+)
+
+// parseCertsFromPEMBundle parses a certificate bundle from top to bottom and returns
+// a slice of x509 certificates. This function will error if no certificates are found.
+func parseCertsFromPEMBundle(bundle []byte) ([]*x509.Certificate, error) {
+	var certificates []*x509.Certificate
+	var certDERBlock *pem.Block
+	for {
+		certDERBlock, bundle = pem.Decode(bundle)
+		if certDERBlock == nil {
+			break
+		}
+		if certDERBlock.Type == "CERTIFICATE" {
+			cert, err := x509.ParseCertificate(certDERBlock.Bytes)
+			if err != nil {
+				return nil, err
+			}
+			certificates = append(certificates, cert)
+		}
+	}
+	if len(certificates) == 0 {
+		return nil, fmt.Errorf("no certificates found in bundle")
+	}
+	return certificates, nil
+}
+
+func notAfter(cert *x509.Certificate) time.Time {
+	if cert == nil {
+		return time.Time{}
+	}
+	return cert.NotAfter.Truncate(time.Second).Add(1 * time.Second)
+}
+
+func notBefore(cert *x509.Certificate) time.Time {
+	if cert == nil {
+		return time.Time{}
+	}
+	return cert.NotBefore.Truncate(time.Second).Add(1 * time.Second)
+}
+
+// hostOnly returns only the host portion of hostport.
+// If there is no port or if there is an error splitting
+// the port off, the whole input string is returned.
+func hostOnly(hostport string) string {
+	host, _, err := net.SplitHostPort(hostport)
+	if err != nil {
+		return hostport // OK; probably had no port to begin with
+	}
+	return host
+}
+
+func rangeRandom(min, max int) (number int) {
+	r := rand.New(rand.NewSource(time.Now().UnixNano()))
+	number = r.Intn(max-min) + min
+	return number
+}
+
+func ValidateEmail(email string) bool {
+	pattern := `^[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}$`
+	regExp := regexp.MustCompile(pattern)
+	if regExp.MatchString(email) {
+		return true
+	} else {
+		return false
+	}
+}
+
+func fastHash(input []byte) string {
+	h := fnv.New32a()
+	h.Write(input)
+	return fmt.Sprintf("%x", h.Sum32())
+}

pkg/cmd/hgctl/code_debug.go

@@ -0,0 +1,338 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package hgctl
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"regexp"
+	"time"
+
+	"github.com/alibaba/higress/pkg/cmd/hgctl/helm"
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+const (
+	DefaultIp   = "127.0.0.1"
+	DefaultPort = ":15051"
+)
+
+func newCodeDebugCmd() *cobra.Command {
+	codeDebugCmd := &cobra.Command{
+		Use:   "code-debug",
+		Short: "Start or stop code debug",
+	}
+
+	codeDebugCmd.AddCommand(getStartCodeDebugCmd())
+	codeDebugCmd.AddCommand(getStopCodeDebugCmd())
+
+	return codeDebugCmd
+}
+
+func getStartCodeDebugCmd() *cobra.Command {
+	homeDir, err := os.UserHomeDir()
+	if err != nil {
+		fmt.Printf("fail to get user home dir: %v", err)
+		os.Exit(1)
+	}
+	kubeConfigDir := homeDir + "/.kube/config"
+
+	startCodeDebugCmd := &cobra.Command{
+		Use:     "start",
+		Aliases: []string{"start"},
+		Short:   "Start code debug",
+		Example: "hgctl code-debug start",
+		RunE: func(c *cobra.Command, args []string) error {
+			writer := c.OutOrStdout()
+
+			// wait for user to confirm
+			if !promptCodeDebug(writer, "local grpc address") {
+				return nil
+			}
+
+			// check profile type is local or not
+			fmt.Fprintf(writer, "Checking profile type...\n")
+			profiles, err := getAllProfiles()
+			if err != nil {
+				return fmt.Errorf("fail to get all profiles: %v", err)
+			}
+			if len(profiles) == 0 {
+				fmt.Fprintf(writer, "Higress hasn't been installed yet!\n")
+				return nil
+			}
+			for _, profile := range profiles {
+				if profile.Install != helm.InstallLocalK8s {
+					fmt.Fprintf(writer, "\nHigress needs to be installed locally!\n")
+					return nil
+				}
+			}
+
+			// get kubernetes clientSet
+			fmt.Fprintf(writer, "Getting kubernetes clientset...\n")
+			config, err := clientcmd.BuildConfigFromFlags("", kubeConfigDir)
+			if err != nil {
+				fmt.Fprintf(writer, "fail to build config from kubeconfig: %v", err)
+				return nil
+			}
+			clientSet, err := kubernetes.NewForConfig(config)
+			if err != nil {
+				fmt.Fprintf(writer, "fail to create kubernetes clientset: %v", err)
+				return nil
+			}
+
+			// get non-loopback IPv4 address
+			fmt.Fprintf(writer, "Getting non-loopback IPv4 address...\n")
+			ip, err := getNonLoopbackIPv4()
+			if err != nil {
+				fmt.Fprintf(writer, "fail to get non-loopback IPv4 address: %v", err)
+				return nil
+			}
+
+			// update the xds address in higress-config ConfigMap
+			// and trigger rollout for higress-controller and higress-gateway deployments
+			fmt.Fprintf(writer, "Updating xds address in higress-config ConfigMap "+
+				"and triggering rollout for higress-controller and higress-gateway deployments...\n")
+			err = updateXdsIpAndRollout(clientSet, ip, DefaultPort)
+			if err != nil {
+				fmt.Fprintf(writer, "fail to update xds address in higress-config ConfigMap: %v", err)
+				return nil
+			}
+
+			fmt.Fprintf(writer, "Code debug started!\n")
+
+			return nil
+		},
+	}
+
+	startCodeDebugCmd.PersistentFlags().StringVar(&kubeConfigDir, "kubeconfig", kubeConfigDir,
+		"Use a Kubernetes configuration file instead of in-cluster configuration")
+
+	return startCodeDebugCmd
+}
+
+func getStopCodeDebugCmd() *cobra.Command {
+	homeDir, err := os.UserHomeDir()
+	if err != nil {
+		fmt.Printf("fail to get user home dir: %v", err)
+		os.Exit(1)
+	}
+	kubeConfigDir := homeDir + "/.kube/config"
+
+	stopCodeDebugCmd := &cobra.Command{
+		Use:     "stop",
+		Aliases: []string{"stop"},
+		Short:   "Stop code debug",
+		Example: "hgctl code-debug stop",
+		RunE: func(c *cobra.Command, args []string) error {
+			// wait for user to confirm
+			writer := c.OutOrStdout()
+			if !promptCodeDebug(writer, "default grpc address") {
+				return nil
+			}
+
+			// check profile type is local or not
+			fmt.Fprintf(writer, "Checking profile type...\n")
+			profiles, err := getAllProfiles()
+			if err != nil {
+				return fmt.Errorf("fail to get all profiles: %v", err)
+			}
+			if len(profiles) == 0 {
+				fmt.Fprintf(writer, "Higress hasn't been installed yet!\n")
+				return nil
+			}
+			for _, profile := range profiles {
+				if profile.Install != helm.InstallLocalK8s {
+					fmt.Fprintf(writer, "\nHigress needs to be installed locally!\n")
+					return nil
+				}
+			}
+
+			// get kubernetes clientSet
+			fmt.Fprintf(writer, "Getting kubernetes clientset...\n")
+			config, err := clientcmd.BuildConfigFromFlags("", kubeConfigDir)
+			if err != nil {
+				fmt.Fprintf(writer, "fail to build config from kubeconfig: %v", err)
+				return nil
+			}
+			clientSet, err := kubernetes.NewForConfig(config)
+			if err != nil {
+				fmt.Fprintf(writer, "fail to create kubernetes clientset: %v", err)
+				return nil
+			}
+
+			// recover the xds address in higress-config ConfigMap
+			// and trigger rollout for higress-controller and higress-gateway deployments
+			fmt.Fprintf(writer, "Recovering xds address in higress-config ConfigMap "+
+				"and triggering rollout for higress-controller and higress-gateway deployments...\n")
+			err = updateXdsIpAndRollout(clientSet, DefaultIp, DefaultPort)
+			if err != nil {
+				fmt.Fprintf(writer, "fail to recover xds address in higress-config ConfigMap: %v", err)
+				return nil
+			}
+
+			fmt.Fprintf(writer, "Code debug stopped!\n")
+
+			return nil
+		},
+	}
+
+	stopCodeDebugCmd.PersistentFlags().StringVar(&kubeConfigDir, "kubeconfig", kubeConfigDir,
+		"Use a Kubernetes configuration file instead of in-cluster configuration")
+
+	return stopCodeDebugCmd
+}
+
+// getNonLoopbackIPv4 returns the first non-loopback IPv4 address of the host.
+func getNonLoopbackIPv4() (string, error) {
+	// get all network interfaces
+	interfaces, err := net.Interfaces()
+	if err != nil {
+		return "", err
+	}
+
+	// traverse all network interfaces
+	for _, i := range interfaces {
+		// exclude loopback interface and virtual interface
+		if i.Flags&net.FlagLoopback == 0 && i.Flags&net.FlagUp != 0 {
+			// get all addresses of the interface
+			addrs, err := i.Addrs()
+			if err != nil {
+				return "", err
+			}
+
+			// traverse all addresses of the interface
+			for _, addr := range addrs {
+				// check the type of the address is IP address
+				if ipnet, ok := addr.(*net.IPNet); ok && !ipnet.IP.IsLoopback() {
+					// check the IP address is IPv4 address
+					if ipnet.IP.To4() != nil {
+						return ipnet.IP.String(), nil
+					}
+				}
+			}
+		}
+	}
+
+	return "", fmt.Errorf("Non-loopback IPv4 address not found")
+}
+
+// updateXdsIpAndRollout updates the xds address in higress-config ConfigMap
+// and triggers rollout for higress-controller and higress-gateway deployments
+// also can recover the xds address in higress-config ConfigMap
+func updateXdsIpAndRollout(c *kubernetes.Clientset, ip string, port string) error {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	// Get higress-config ConfigMap
+	cm, err := c.CoreV1().ConfigMaps("higress-system").Get(ctx, "higress-config", metav1.GetOptions{})
+	if err != nil {
+		return err
+	}
+
+	// Update mesh field in higress-config ConfigMap
+	if _, ok := cm.Data["mesh"]; !ok {
+		return fmt.Errorf("mesh not found in configmap higress-config")
+	}
+	mesh := cm.Data["mesh"]
+	newMesh, err := replaceXDSAddress(mesh, ip, port)
+	if err != nil {
+		return err
+	}
+	cm.Data["mesh"] = newMesh
+
+	// Update higress-config ConfigMap
+	_, err = c.CoreV1().ConfigMaps("higress-system").Update(ctx, cm, metav1.UpdateOptions{})
+	if err != nil {
+		return err
+	}
+
+	// Trigger rollout for higress-controller deployment
+	err = triggerRollout(c, "higress-controller")
+	if err != nil {
+		return err
+	}
+
+	// Trigger rollout for higress-gateway deployment
+	err = triggerRollout(c, "higress-gateway")
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// triggerRollout triggers rollout for the specified deployment
+func triggerRollout(clientset *kubernetes.Clientset, deploymentName string) error {
+	deploymentsClient := clientset.AppsV1().Deployments("higress-system")
+
+	// Get the deployment
+	deployment, err := deploymentsClient.Get(context.TODO(), deploymentName, metav1.GetOptions{})
+	if err != nil {
+		return err
+	}
+
+	// Increment the deployment's revision to trigger a rollout
+	deployment.Spec.Template.ObjectMeta.Labels["version"] = time.Now().Format("20060102150405")
+
+	// Update the deployment
+	_, err = deploymentsClient.Update(context.TODO(), deployment, metav1.UpdateOptions{})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// replaceXDSAddress replaces the xds address in the config string with new IP and Port
+func replaceXDSAddress(configString, newIP, newPort string) (string, error) {
+	// define the regular expression to match xds address
+	xdsRegex := regexp.MustCompile(`xds://[0-9.:]+`)
+
+	// find the first match
+	match := xdsRegex.FindString(configString)
+	if match == "" {
+		// if no match, return error
+		return "", fmt.Errorf("no xds address found in config string")
+	}
+
+	// replace xds address with new IP and Port
+	newXDSAddress := fmt.Sprintf("xds://%s%s", newIP, newPort)
+	result := xdsRegex.ReplaceAllString(configString, newXDSAddress)
+
+	return result, nil
+}
+
+// promptCodeDebug prompts user to confirm code debug
+func promptCodeDebug(writer io.Writer, t string) bool {
+	answer := ""
+	for {
+		fmt.Fprintf(writer, "This will start set xds address to %s in higress-config ConfigMap "+
+			"and trigger rollout for higress-controller and higress-gateway deployments. \nProceed? (y/N)", t)
+		fmt.Scanln(&answer)
+		if answer == "y" {
+			return true
+		}
+		if answer == "N" {
+			fmt.Fprintf(writer, "Cancelled.\n")
+			return false
+		}
+	}
+}