fix: fallbackForInvalidSecret to return original secret (#1245 )

Add x-forwarded-xxx for ext-auth (#1244 )
feat: support 360 ai model (#1243 )
2026-02-26 05:30:50 +08:00 · 2024-08-25 15:59:12 +08:00 · 2024-08-23 14:49:08 +08:00 · 2024-08-23 11:13:09 +08:00 · 2024-08-22 18:42:16 +08:00 · 2024-08-22 16:33:42 +08:00
693 changed files with 167708 additions and 2122 deletions
--- a/.github/workflows/build-and-push-wasm-plugin-image.yaml
+++ b/.github/workflows/build-and-push-wasm-plugin-image.yaml
@@ -0,0 +1,114 @@
+name: Build and Push Wasm Plugin Image
+
+on:
+  push:
+    tags:
+    - "wasm-go-*-v*.*.*" # 匹配 wasm-go-{pluginName}-vX.Y.Z 格式的标签
+  workflow_dispatch:
+    inputs:
+      plugin_name:
+        description: 'Name of the plugin'
+        required: true
+        type: string
+      version:
+        description: 'Version of the plugin (optional, without leading v)'
+        required: false
+        type: string
+
+jobs:
+  build-and-push-wasm-plugin-image:
+    runs-on: ubuntu-latest
+    environment:
+      name: image-registry-msg
+    env:
+      IMAGE_REGISTRY_SERVICE: ${{ vars.IMAGE_REGISTRY || 'higress-registry.cn-hangzhou.cr.aliyuncs.com' }}
+      IMAGE_REPOSITORY: ${{ vars.PLUGIN_IMAGE_REPOSITORY || 'plugins' }}
+      GO_VERSION: 1.19
+      TINYGO_VERSION: 0.28.1
+      ORAS_VERSION: 1.0.0
+    steps:
+      - name: Set plugin_name and version from inputs or ref_name
+        id: set_vars
+        run: |
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            plugin_name="${{ github.event.inputs.plugin_name }}"
+            version="${{ github.event.inputs.version }}"
+          else
+            ref_name=${{ github.ref_name }}
+            plugin_name=${ref_name#*-*-} # 删除插件名前面的字段(wasm-go-)
+            plugin_name=${plugin_name%-*} # 删除插件名后面的字段(-vX.Y.Z)
+            version=$(echo "$ref_name" | awk -F'v' '{print $2}')
+          fi
+
+          echo "PLUGIN_NAME=$plugin_name" >> $GITHUB_ENV
+          echo "VERSION=$version" >> $GITHUB_ENV
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+      
+      - name: File Check
+        run: | 
+          workspace=${{ github.workspace }}/plugins/wasm-go/extensions/${PLUGIN_NAME}
+          push_command="./plugin.tar.gz:application/vnd.oci.image.layer.v1.tar+gzip"
+
+          # 查找spec.yaml
+          if [ -f "${workspace}/spec.yaml" ]; then
+            echo "spec.yaml exists"
+            push_command="./spec.yaml:application/vnd.module.wasm.spec.v1+yaml $push_command "
+          fi
+
+          # 查找README.md
+          if [ -f "${workspace}/README.md" ];then
+              echo "README.md exists"
+              push_command="./README.md:application/vnd.module.wasm.doc.v1+markdown $push_command "
+          fi
+          
+          # 查找README_{lang}.md
+          for file in ${workspace}/README_*.md; do
+            if [ -f "$file" ]; then
+              file_name=$(basename $file)
+              echo "$file_name exists"
+              lang=$(basename $file | sed 's/README_//; s/.md//')
+              push_command="./$file_name:application/vnd.module.wasm.doc.v1.$lang+markdown $push_command "
+            fi
+          done
+
+          echo "PUSH_COMMAND=\"$push_command\"" >> $GITHUB_ENV
+        
+      - name: Run a wasm-go-builder
+        env: 
+          PLUGIN_NAME: ${{ env.PLUGIN_NAME }}
+          BUILDER_IMAGE: higress-registry.cn-hangzhou.cr.aliyuncs.com/plugins/wasm-go-builder:go${{ env.GO_VERSION }}-tinygo${{ env.TINYGO_VERSION }}-oras${{ env.ORAS_VERSION }}
+        run: |
+          docker run -itd --name builder -v ${{ github.workspace }}:/workspace -e PLUGIN_NAME=${{ env.PLUGIN_NAME }} --rm ${{ env.BUILDER_IMAGE }} /bin/bash
+
+      - name: Build Image and Push
+        run: |
+          push_command=${{ env.PUSH_COMMAND }}
+          push_command=${push_command#\"}
+          push_command=${push_command%\"} # 删除PUSH_COMMAND中的双引号，确保oras push正常解析
+          
+          target_image="${{ env.IMAGE_REGISTRY_SERVICE }}/${{ env.IMAGE_REPOSITORY}}/${{ env.PLUGIN_NAME }}:${{ env.VERSION }}"
+          echo "TargetImage=${target_image}"
+
+          cd ${{ github.workspace }}/plugins/wasm-go/extensions/${PLUGIN_NAME}
+          if [ -f ./.buildrc ]; then
+            echo 'Found .buildrc file, sourcing it...'
+            . ./.buildrc
+          else
+            echo '.buildrc file not found'
+          fi
+          echo "EXTRA_TAGS=${EXTRA_TAGS}"
+
+          command="
+          set -e
+          cd /workspace/plugins/wasm-go/extensions/${PLUGIN_NAME}
+          go mod tidy
+          tinygo build -o ./plugin.wasm -scheduler=none -target=wasi -gc=custom -tags=\"custommalloc nottinygc_finalizer ${EXTRA_TAGS}\" .
+          tar czvf plugin.tar.gz plugin.wasm
+          echo ${{ secrets.REGISTRY_PASSWORD }} | oras login -u ${{ secrets.REGISTRY_USERNAME }} --password-stdin ${{ env.IMAGE_REGISTRY_SERVICE }}
+          oras push ${target_image} ${push_command}
+          "
+          docker exec builder bash -c "$command"
+
+          
--- a/.github/workflows/build-and-test-plugin.yaml
+++ b/.github/workflows/build-and-test-plugin.yaml
@@ -0,0 +1,89 @@
+name: "Build and Test Plugins"
+
+on:
+  push:
+    branches: [ main ]
+    paths:
+      - 'plugins/**'
+      - 'test/**'
+  pull_request:
+    branches: [ "*" ]
+    paths:
+      - 'plugins/**'
+      - 'test/**'
+  workflow_dispatch: ~      
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: 1.19
+    # There are too many lint errors in current code bases
+    # uncomment when we decide what lint should be addressed or ignored.
+    # - run: make lint
+
+  higress-wasmplugin-test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        # TODO(Xunzhuo): Enable C WASM Filters in CI
+        wasmPluginType: [ GO, RUST ]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Free Up GitHub Actions Ubuntu Runner Disk Space 🔧
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: false
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          swap-storage: true      
+
+      - name: "Setup Go"
+        uses: actions/setup-go@v5
+        with:
+          go-version: 1.19
+
+      - name: Setup Rust
+        uses: actions-rs/toolchain@v1
+        with:
+          toolchain: stable
+        if: matrix.wasmPluginType == 'RUST'
+      - name: Setup Golang Caches
+        uses: actions/cache@v4
+        with:
+          path: |-
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ github.run_id }}
+          restore-keys: |
+            ${{ runner.os }}-go
+
+      - name: Setup Submodule Caches
+        uses: actions/cache@v4
+        with:
+          path: |-
+            .git/modules
+          key: ${{ runner.os }}-submodules-cache-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-submodules-cache
+
+      - run: git stash # restore patch
+
+      - name: "Run Ingress WasmPlugins Tests"
+        uses: nick-fields/retry@v3
+        with:
+          timeout_minutes: 25
+          max_attempts: 3
+          retry_on: error
+          command: GOPROXY="https://proxy.golang.org,direct" PLUGIN_TYPE=${{ matrix.wasmPluginType }} make higress-wasmplugin-test
+
+  publish:
+    runs-on: ubuntu-latest
+    needs: [ higress-wasmplugin-test ]
+    steps:
+      - uses: actions/checkout@v4
--- a/.github/workflows/build-and-test.yaml
+++ b/.github/workflows/build-and-test.yaml
@@ -10,8 +10,8 @@ jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v3
-    - uses: actions/setup-go@v3
+    - uses: actions/checkout@v4
+    - uses: actions/setup-go@v5
      with:
        go-version: 1.19
    # There are too many lint errors in current code bases
@@ -21,10 +21,10 @@ jobs:
  coverage-test:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4

    - name: Setup Golang Caches
-      uses: actions/cache@v3
+      uses: actions/cache@v4
      with:
        path: |-
          ~/.cache/go-build
@@ -33,15 +33,12 @@ jobs:
        restore-keys: ${{ runner.os }}-go

    - name: Setup Submodule Caches
-      uses: actions/cache@v3
+      uses: actions/cache@v4
      with:
        path: |-
-            envoy
-            istio
-            external
            .git/modules
-        key: ${{ runner.os }}-submodules-${{ github.run_id }}
-        restore-keys: ${{ runner.os }}-submodules
+        key: ${{ runner.os }}-submodules-cache-${{ github.run_id }}
+        restore-keys: ${{ runner.os }}-submodules-cache
    
    - run: git stash # restore patch

@@ -49,9 +46,9 @@ jobs:
    - name: Run Coverage Tests
      run: GOPROXY="https://proxy.golang.org,direct" make go.test.coverage
    - name: Upload coverage to Codecov
-      uses: codecov/codecov-action@v3
+      uses: codecov/codecov-action@v4
      with:
-        fail_ci_if_error: true
+        fail_ci_if_error: false
        files: ./coverage.xml
        verbose: true

@@ -61,17 +58,17 @@ jobs:
    needs: [lint,coverage-test]
    steps:
      - name: "Checkout ${{ github.ref }}"
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          fetch-depth: 2

      - name: "Setup Go"
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
        with:
          go-version: 1.19

      - name: Setup Golang Caches
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        with:
          path: |-
            ~/.cache/go-build
@@ -80,15 +77,12 @@ jobs:
          restore-keys: ${{ runner.os }}-go

      - name: Setup Submodule Caches
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        with:
          path: |-
-            envoy
-            istio
-            external
            .git/modules
-          key: ${{ runner.os }}-submodules-${{ github.run_id }}
-          restore-keys: ${{ runner.os }}-submodules
+          key: ${{ runner.os }}-submodules-cache-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-submodules-cache

      - run: git stash # restore patch

@@ -96,7 +90,7 @@ jobs:
        run: GOPROXY="https://proxy.golang.org,direct" make build

      - name: Upload Higress Binary
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: higress
          path: out/
@@ -114,12 +108,12 @@ jobs:
    - uses: actions/checkout@v3
      
    - name: "Setup Go"
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v5
      with:
        go-version: 1.19

    - name: Setup Golang Caches
-      uses: actions/cache@v3
+      uses: actions/cache@v4
      with:
        path: |-
          ~/.cache/go-build
@@ -129,64 +123,20 @@ jobs:
          ${{ runner.os }}-go
      
    - name: Setup Submodule Caches
-      uses: actions/cache@v3
+      uses: actions/cache@v4
      with:
        path: |-
-            envoy
-            istio
-            external
            .git/modules
-        key: ${{ runner.os }}-submodules-${{ github.run_id }}
-        restore-keys: ${{ runner.os }}-submodules
+        key: ${{ runner.os }}-submodules-cache-${{ github.run_id }}
+        restore-keys: ${{ runner.os }}-submodules-cache
          
    - run: git stash # restore patch

    - name: "Run Higress E2E Conformance Tests"
      run: GOPROXY="https://proxy.golang.org,direct" make higress-conformance-test
      
-  higress-wasmplugin-test:
-    runs-on: ubuntu-latest
-    needs: [build]
-    strategy:
-      matrix:
-        # TODO(Xunzhuo): Enable C WASM Filters in CI
-        wasmPluginType: [ GO ]
-    steps:
-    - uses: actions/checkout@v3
-      
-    - name: "Setup Go"
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.19
-
-    - name: Setup Golang Caches
-      uses: actions/cache@v3
-      with:
-        path: |-
-          ~/.cache/go-build
-          ~/go/pkg/mod
-        key: ${{ runner.os }}-go-${{ github.run_id }}
-        restore-keys: |
-          ${{ runner.os }}-go
-      
-    - name: Setup Submodule Caches
-      uses: actions/cache@v3
-      with:
-        path: |-
-            envoy
-            istio
-            external
-            .git/modules
-        key: ${{ runner.os }}-submodules-${{ github.run_id }}
-        restore-keys: ${{ runner.os }}-submodules
-          
-    - run: git stash # restore patch
-
-    - name: "Run Ingress WasmPlugins Tests"
-      run: GOPROXY="https://proxy.golang.org,direct" PLUGIN_TYPE=${{ matrix.wasmPluginType }} make higress-wasmplugin-test
-
  publish:
    runs-on: ubuntu-latest
-    needs: [higress-conformance-test,gateway-conformance-test,higress-wasmplugin-test]
+    needs: [higress-conformance-test,gateway-conformance-test]
    steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
--- a/.github/workflows/build-image-and-push.yaml
+++ b/.github/workflows/build-image-and-push.yaml
@@ -16,17 +16,27 @@ jobs:
      CONTROLLER_IMAGE_NAME: ${{ vars.CONTROLLER_IMAGE_NAME || 'higress/higress' }}
    steps:
      - name: "Checkout ${{ github.ref }}"
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          fetch-depth: 1

+      - name: Free Up GitHub Actions Ubuntu Runner Disk Space 🔧
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: false
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          swap-storage: true
+
      - name: "Setup Go"
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
        with:
          go-version: 1.19

      - name: Setup Golang Caches
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        with:
          path: |-
            ~/.cache/go-build
@@ -35,18 +45,18 @@ jobs:
          restore-keys: ${{ runner.os }}-go

      - name: Setup Submodule Caches
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        with:
          path: |-
            envoy
            istio
            .git/modules
-          key: ${{ runner.os }}-submodules-${{ github.run_id }}
+          key: ${{ runner.os }}-submodules-new-${{ github.run_id }}
          restore-keys: ${{ runner.os }}-submodules-new

      - name: Calculate Docker metadata
        id: docker-meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ env.CONTROLLER_IMAGE_REGISTRY }}/${{ env.CONTROLLER_IMAGE_NAME }}
@@ -57,7 +67,7 @@ jobs:
            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}

      - name: Login to Docker Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
        with:
          registry: ${{ env.CONTROLLER_IMAGE_REGISTRY }}
          username: ${{ secrets.REGISTRY_USERNAME }}
@@ -82,17 +92,27 @@ jobs:
      PILOT_IMAGE_NAME: ${{ vars.PILOT_IMAGE_NAME || 'higress/pilot' }}
    steps:
      - name: "Checkout ${{ github.ref }}"
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          fetch-depth: 1

+      - name: Free Up GitHub Actions Ubuntu Runner Disk Space 🔧
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: false
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          swap-storage: true
+
      - name: "Setup Go"
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
        with:
          go-version: 1.19

      - name: Setup Golang Caches
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        with:
          path: |-
            ~/.cache/go-build
@@ -101,7 +121,7 @@ jobs:
          restore-keys: ${{ runner.os }}-go

      - name: Setup Submodule Caches
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        with:
          path: |-
            envoy
@@ -112,7 +132,7 @@ jobs:

      - name: Calculate Docker metadata
        id: docker-meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ env.PILOT_IMAGE_REGISTRY }}/${{ env.PILOT_IMAGE_NAME }}
@@ -123,7 +143,7 @@ jobs:
            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}

      - name: Login to Docker Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
        with:
          registry: ${{ env.PILOT_IMAGE_REGISTRY }}
          username: ${{ secrets.REGISTRY_USERNAME }}
@@ -149,17 +169,27 @@ jobs:
      GATEWAY_IMAGE_NAME: ${{ vars.GATEWAY_IMAGE_NAME || 'higress/gateway' }}
    steps:
      - name: "Checkout ${{ github.ref }}"
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          fetch-depth: 1

+      - name: Free Up GitHub Actions Ubuntu Runner Disk Space 🔧
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: false
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          swap-storage: true
+
      - name: "Setup Go"
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
        with:
          go-version: 1.19

      - name: Setup Golang Caches
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        with:
          path: |-
            ~/.cache/go-build
@@ -168,7 +198,7 @@ jobs:
          restore-keys: ${{ runner.os }}-go

      - name: Setup Submodule Caches
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        with:
          path: |-
            envoy
@@ -179,7 +209,7 @@ jobs:

      - name: Calculate Docker metadata
        id: docker-meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ env.GATEWAY_IMAGE_REGISTRY }}/${{ env.GATEWAY_IMAGE_NAME }}
@@ -190,7 +220,7 @@ jobs:
            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}

      - name: Login to Docker Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
        with:
          registry: ${{ env.GATEWAY_IMAGE_REGISTRY }}
          username: ${{ secrets.REGISTRY_USERNAME }}
--- a/.github/workflows/codeql-analysis.yaml
+++ b/.github/workflows/codeql-analysis.yaml
@@ -34,11 +34,11 @@ jobs:
    steps:
      # step 1
      - name: "Checkout repository"
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4

      # step 2: Initializes the CodeQL tools for scanning.
      - name: "Initialize CodeQL"
-        uses: github/codeql-action/init@v1
+        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
@@ -50,7 +50,7 @@ jobs:
      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
      # If this step fails, then you should remove it and run the build manually (see below)
      - name: "Autobuild"
-        uses: github/codeql-action/autobuild@v1
+        uses: github/codeql-action/autobuild@v2

      # step 4
      # ℹ️ Command-line programs to run using the OS shell.
@@ -66,4 +66,4 @@ jobs:

      # step 5
      - name: "Perform CodeQL Analysis"
-        uses: github/codeql-action/analyze@v1
+        uses: github/codeql-action/analyze@v2
--- a/.github/workflows/deploy-standalone-to-oss.yaml
+++ b/.github/workflows/deploy-standalone-to-oss.yaml
@@ -14,7 +14,7 @@ jobs:
    steps:
      # Step 1
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      # Step 2
      - id: package
        name: Prepare Standalone Package
--- a/.github/workflows/deploy-to-oss.yaml
+++ b/.github/workflows/deploy-to-oss.yaml
@@ -14,7 +14,7 @@ jobs:
    steps:
      # Step 1
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      # Step 2
      - name: Download Helm Charts Index
        uses: doggycool/ossutil-github-action@master
--- a/.github/workflows/latest-release.yaml
+++ b/.github/workflows/latest-release.yaml
@@ -9,7 +9,7 @@ jobs:
  latest-release:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4

    - name: Build hgctl latest multiarch binaries
      run: | 
@@ -18,6 +18,8 @@ jobs:
        tar -zcvf hgctl_latest_linux_arm64.tar.gz out/linux_arm64/
        tar -zcvf hgctl_latest_darwin_amd64.tar.gz out/darwin_amd64/
        tar -zcvf hgctl_latest_darwin_arm64.tar.gz out/darwin_arm64/
+        zip -q -r hgctl_latest_windows_amd64.zip out/windows_amd64/
+        zip -q -r hgctl_latest_windows_arm64.zip out/windows_arm64/

    # Ignore the error when we delete the latest release, it might not exist.

@@ -44,7 +46,7 @@ jobs:
        GITHUB_REPOSITORY: ${{ github.repository_owner }}/${{ github.event.repository.name }}

    - name: Recreate the Latest Release and Tag
-      uses: softprops/action-gh-release@v1
+      uses: softprops/action-gh-release@v2
      with:
        draft: false
        prerelease: true
@@ -54,6 +56,8 @@ jobs:
          hgctl_latest_linux_arm64.tar.gz
          hgctl_latest_darwin_amd64.tar.gz
          hgctl_latest_darwin_arm64.tar.gz
+          hgctl_latest_windows_amd64.zip
+          hgctl_latest_windows_arm64.zip
        body: |
          This is the "latest" release of **Higress**, which contains the most recent commits from the main branch.
          
--- a/.github/workflows/license-checker.yaml
+++ b/.github/workflows/license-checker.yaml
@@ -10,7 +10,7 @@ jobs:
    steps:
      # step 1
      - name: Checkout
-        uses: actions/checkout@v2.4.0
+        uses: actions/checkout@v4
      # step 2
      - name: Check License Header
        uses: apache/skywalking-eyes/header@25edfc2fd8d52fb266653fb5f6c42da633d85c07
@@ -24,4 +24,4 @@ jobs:
        with:
          log: info
          config: .licenserc.yaml
-          mode: check
+          mode: check
--- a/.github/workflows/release-hgctl.yaml
+++ b/.github/workflows/release-hgctl.yaml
@@ -0,0 +1,37 @@
+name: Release hgctl to GitHub
+
+on:
+  push:
+    tags:
+    - "v*.*.*"
+  workflow_dispatch: ~
+
+jobs:
+  release-hgctl:
+    runs-on: ubuntu-latest
+    env:
+      HGCTL_VERSION: ${{github.ref_name}}
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Build hgctl latest multiarch binaries
+      run: |
+        GOPROXY="https://proxy.golang.org,direct" make build-hgctl-multiarch
+        tar -zcvf hgctl_${{ env.HGCTL_VERSION }}_linux_amd64.tar.gz out/linux_amd64/
+        tar -zcvf hgctl_${{ env.HGCTL_VERSION }}_linux_arm64.tar.gz out/linux_arm64/
+        tar -zcvf hgctl_${{ env.HGCTL_VERSION }}_darwin_amd64.tar.gz out/darwin_amd64/
+        tar -zcvf hgctl_${{ env.HGCTL_VERSION }}_darwin_arm64.tar.gz out/darwin_arm64/
+        zip -q -r hgctl_${{ env.HGCTL_VERSION }}_windows_amd64.zip out/windows_amd64/
+        zip -q -r hgctl_${{ env.HGCTL_VERSION }}_windows_arm64.zip out/windows_arm64/
+
+    - name: Upload hgctl packages to the GitHub release
+      uses: softprops/action-gh-release@v2
+      if: startsWith(github.ref, 'refs/tags/')
+      with:
+        files: |
+          hgctl_${{ env.HGCTL_VERSION }}_linux_amd64.tar.gz
+          hgctl_${{ env.HGCTL_VERSION }}_linux_arm64.tar.gz
+          hgctl_${{ env.HGCTL_VERSION }}_darwin_amd64.tar.gz
+          hgctl_${{ env.HGCTL_VERSION }}_darwin_arm64.tar.gz
+          hgctl_${{ env.HGCTL_VERSION }}_windows_amd64.zip
+          hgctl_${{ env.HGCTL_VERSION }}_windows_arm64.zip
--- a/.licenserc.yaml
+++ b/.licenserc.yaml
@@ -26,7 +26,9 @@ header:
    - 'VERSION'
    - 'tools/'
    - 'test/README.md'
-    - 'pkg/cmd/hgctl/testdata/config'
+    - 'test/README_CN.md'
+    - 'cmd/hgctl/config/testdata/config'
+    - 'pkg/cmd/hgctl/manifests'

  comment: on-failure
 dependency:
--- a/14
+++ b/14
@@ -1,10 +1,10 @@
-/api @johnlanni 
-/envoy @gengleilei @johnlanni @Lynskylate
+/api @johnlanni @CH3CHO
+/envoy @gengleilei @johnlanni
 /istio @SpecialYang @johnlanni
-/pkg @SpecialYang @johnlanni @Charlie17Li @Xunzhuo
-/plugins @johnlanni
-/registry @NameHaibinZhang @johnlanni
-/test @Xunzhuo
-/tools @johnlanni @Xunzhuo
+/pkg @SpecialYang @johnlanni @CH3CHO
+/plugins @johnlanni @WeixinX @CH3CHO
+/registry @NameHaibinZhang @2456868764 @johnlanni
+/test @Xunzhuo @2456868764 @CH3CHO
+/tools @johnlanni @Xunzhuo @2456868764


--- a/CONTRIBUTING_CN.md
+++ b/CONTRIBUTING_CN.md
@@ -73,6 +73,7 @@
 * [分支定义](#分支定义)
 * [提交规则](#提交规则)
 * [PR说明](#PR说明)
+* [开发前准备](#开发前准备)

 ### 工作区准备

@@ -168,6 +169,12 @@ git config --get user.email

 PR 是更改 Higress 项目文件的唯一方法。为了帮助审查人更好地理解你的目的，PR 描述不能太详细。我们鼓励贡献者遵循 [PR 模板](./.github/PULL_REQUEST_TEMPLATE.md) 来完成拉取请求。

+### 开发前准备
+
+```shell
+make prebuild && go mod tidy
+```
+
 ## 测试用例贡献

 任何测试用例都会受到欢迎。目前，Higress 功能测试用例是高优先级的。
--- a/CONTRIBUTING_EN.md
+++ b/CONTRIBUTING_EN.md
@@ -169,6 +169,12 @@ No matter commit message, or commit content, we do take more emphasis on code re

 PR is the only way to make change to Higress project files. To help reviewers better get your purpose, PR description could not be too detailed. We encourage contributors to follow the [PR template](./.github/PULL_REQUEST_TEMPLATE.md) to finish the pull request.

+### Pre-development preparation
+
+```shell
+make prebuild && go mod tidy
+```
+
 ## Test case contribution

 Any test case would be welcomed. Currently, Higress function test cases are high priority.
--- a/Makefile.core.mk
+++ b/Makefile.core.mk
@@ -15,7 +15,7 @@ GO_LDFLAGS += -X $(VERSION_PACKAGE).higressVersion=$(shell cat VERSION) \

 GO ?= go

-export GOPROXY ?= https://proxy.golang.com.cn,direct
+export GOPROXY ?= https://proxy.golang.org,direct

 TARGET_ARCH ?= amd64

@@ -79,20 +79,21 @@ $(ARM64_OUT_LINUX)/higress:
 	GOPROXY=$(GOPROXY) GOOS=linux GOARCH=arm64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/linux_arm64/ $(HIGRESS_BINARIES)

 .PHONY: build-hgctl
-build-hgctl: $(OUT)
+build-hgctl: prebuild $(OUT)
 	GOPROXY=$(GOPROXY) GOOS=$(GOOS_LOCAL) GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh $(OUT)/ $(HGCTL_BINARIES)

 .PHONY: build-linux-hgctl
-build-linux-hgctl: $(OUT)
+build-linux-hgctl: prebuild $(OUT)
 	GOPROXY=$(GOPROXY) GOOS=linux GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh $(OUT_LINUX)/ $(HGCTL_BINARIES)

 .PHONY: build-hgctl-multiarch
-build-hgctl-multiarch: $(OUT)
+build-hgctl-multiarch: prebuild $(OUT)
 	GOPROXY=$(GOPROXY) GOOS=linux GOARCH=amd64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/linux_amd64/ $(HGCTL_BINARIES)
 	GOPROXY=$(GOPROXY) GOOS=linux GOARCH=arm64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/linux_arm64/ $(HGCTL_BINARIES)
 	GOPROXY=$(GOPROXY) GOOS=darwin GOARCH=amd64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/darwin_amd64/ $(HGCTL_BINARIES)
 	GOPROXY=$(GOPROXY) GOOS=darwin GOARCH=arm64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/darwin_arm64/ $(HGCTL_BINARIES)
-
+	GOPROXY=$(GOPROXY) GOOS=windows GOARCH=amd64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/windows_amd64/ $(HGCTL_BINARIES)
+	GOPROXY=$(GOPROXY) GOOS=windows GOARCH=arm64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/windows_arm64/ $(HGCTL_BINARIES)
 # Create targets for OUT_LINUX/binary
 # There are two use cases here:
 # * Building all docker images (generally in CI). In this case we want to build everything at once, so they share work
@@ -137,28 +138,30 @@ export ENVOY_TAR_PATH:=/home/package/envoy.tar.gz

 external/package/envoy-amd64.tar.gz:
 #	cd external/proxy; BUILD_WITH_CONTAINER=1  make test_release
-	cd external/package; wget "https://github.com/alibaba/higress/releases/download/v1.0.0/envoy-amd64.tar.gz"
+	cd external/package; wget -O envoy-amd64.tar.gz "https://github.com/alibaba/higress/releases/download/v1.4.1/envoy-symbol-amd64.tar.gz"

 external/package/envoy-arm64.tar.gz:
 #	cd external/proxy; BUILD_WITH_CONTAINER=1  make test_release
-	cd external/package; wget "https://github.com/alibaba/higress/releases/download/v1.0.0/envoy-arm64.tar.gz"
-
+	cd external/package; wget -O envoy-arm64.tar.gz "https://github.com/alibaba/higress/releases/download/v1.4.1/envoy-symbol-arm64.tar.gz"

 build-pilot:
 	cd external/istio; rm -rf out/linux_amd64; GOOS_LOCAL=linux TARGET_OS=linux TARGET_ARCH=amd64 BUILD_WITH_CONTAINER=1 make build-linux
 	cd external/istio; rm -rf out/linux_arm64; GOOS_LOCAL=linux TARGET_OS=linux TARGET_ARCH=arm64 BUILD_WITH_CONTAINER=1 make build-linux

+build-pilot-local:
+	cd external/istio; rm -rf out/linux_${GOARCH_LOCAL}; GOOS_LOCAL=linux TARGET_OS=linux TARGET_ARCH=${GOARCH_LOCAL} BUILD_WITH_CONTAINER=1 make build-linux
+
 build-gateway: prebuild external/package/envoy-amd64.tar.gz external/package/envoy-arm64.tar.gz build-pilot
 	cd external/istio; BUILD_WITH_CONTAINER=1 BUILDX_PLATFORM=true DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.proxyv2" make docker

-build-gateway-local: prebuild external/package/envoy-amd64.tar.gz external/package/envoy-arm64.tar.gz build-pilot
-	cd external/istio; BUILD_WITH_CONTAINER=1 BUILDX_PLATFORM=false DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.proxyv2" make docker
+build-gateway-local: prebuild external/package/envoy-amd64.tar.gz external/package/envoy-arm64.tar.gz
+	cd external/istio; rm -rf out/linux_${GOARCH_LOCAL}; GOOS_LOCAL=linux TARGET_OS=linux BUILD_WITH_CONTAINER=1 BUILDX_PLATFORM=false DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.proxyv2" make docker

 build-istio: prebuild build-pilot
 	cd external/istio; BUILD_WITH_CONTAINER=1 BUILDX_PLATFORM=true DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.pilot" make docker

-build-istio-local: prebuild build-pilot
-	cd external/istio; BUILD_WITH_CONTAINER=1 BUILDX_PLATFORM=false DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.pilot" make docker
+build-istio-local: prebuild
+	cd external/istio; rm -rf out/linux_${GOARCH_LOCAL}; GOOS_LOCAL=linux TARGET_OS=linux BUILD_WITH_CONTAINER=1 BUILDX_PLATFORM=false DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.pilot" make docker

 build-wasmplugins:
 	./tools/hack/build-wasm-plugins.sh
@@ -174,13 +177,13 @@ install: pre-install
 	cd helm/higress; helm dependency build
 	helm install higress helm/higress -n higress-system --create-namespace --set 'global.local=true'

-ENVOY_LATEST_IMAGE_TAG ?= 1.2.0
-ISTIO_LATEST_IMAGE_TAG ?= 1.2.0
+ENVOY_LATEST_IMAGE_TAG ?= sha-59acb61
+ISTIO_LATEST_IMAGE_TAG ?= sha-59acb61

 install-dev: pre-install
 	helm install higress helm/core -n higress-system --create-namespace --set 'controller.tag=$(TAG)' --set 'gateway.replicas=1' --set 'pilot.tag=$(ISTIO_LATEST_IMAGE_TAG)' --set 'gateway.tag=$(ENVOY_LATEST_IMAGE_TAG)' --set 'global.local=true'
 install-dev-wasmplugin: build-wasmplugins pre-install
-	helm install higress helm/core -n higress-system --create-namespace --set 'controller.tag=$(TAG)' --set 'gateway.replicas=1' --set 'pilot.tag=$(ISTIO_LATEST_IMAGE_TAG)' --set 'gateway.tag=$(ENVOY_LATEST_IMAGE_TAG)' --set 'global.local=true'  --set 'global.volumeWasmPlugins=true'
+	helm install higress helm/core -n higress-system --create-namespace --set 'controller.tag=$(TAG)' --set 'gateway.replicas=1' --set 'pilot.tag=$(ISTIO_LATEST_IMAGE_TAG)' --set 'gateway.tag=$(ENVOY_LATEST_IMAGE_TAG)' --set 'global.local=true'  --set 'global.volumeWasmPlugins=true' --set 'global.onlyPushRouteCluster=false'

 uninstall:
 	helm uninstall higress -n higress-system
@@ -230,14 +233,30 @@ include tools/lint.mk
 .PHONY: gateway-conformance-test
 gateway-conformance-test:

+# higress-conformance-test-prepare prepares the environment for higress conformance tests.
+.PHONY: higress-conformance-test-prepare
+higress-conformance-test-prepare: $(tools/kind) delete-cluster create-cluster docker-build kube-load-image install-dev
+
 # higress-conformance-test runs ingress api conformance tests.
 .PHONY: higress-conformance-test
 higress-conformance-test: $(tools/kind) delete-cluster create-cluster docker-build kube-load-image install-dev run-higress-e2e-test delete-cluster

+# higress-conformance-test-clean cleans the environment for higress conformance tests.
+.PHONY: higress-conformance-test-clean
+higress-conformance-test-clean: $(tools/kind) delete-cluster
+
+# higress-wasmplugin-test-prepare prepares the environment for higress wasmplugin tests.
+.PHONY: higress-wasmplugin-test-prepare
+higress-wasmplugin-test-prepare: $(tools/kind) delete-cluster create-cluster docker-build kube-load-image install-dev-wasmplugin
+
 # higress-wasmplugin-test runs ingress wasmplugin tests.
 .PHONY: higress-wasmplugin-test
 higress-wasmplugin-test: $(tools/kind) delete-cluster create-cluster docker-build kube-load-image install-dev-wasmplugin run-higress-e2e-test-wasmplugin delete-cluster

+# higress-wasmplugin-test-clean cleans the environment for higress wasmplugin tests.
+.PHONY: higress-wasmplugin-test-clean
+higress-wasmplugin-test-clean: $(tools/kind) delete-cluster
+
 # create-cluster creates a kube cluster with kind.
 .PHONY: create-cluster
 create-cluster: $(tools/kind)
@@ -255,18 +274,29 @@ delete-cluster: $(tools/kind) ## Delete kind cluster.
 .PHONY: kube-load-image
 kube-load-image: $(tools/kind) ## Install the Higress image to a kind cluster using the provided $IMAGE and $TAG.
 	tools/hack/kind-load-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/higress $(TAG)
-	tools/hack/docker-pull-image.sh registry.cn-hangzhou.aliyuncs.com/hinsteny/dubbo-provider-demo 0.0.1
-	tools/hack/docker-pull-image.sh registry.cn-hangzhou.aliyuncs.com/hinsteny/nacos-standlone-rc3 1.0.0-RC3
+	tools/hack/docker-pull-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/dubbo-provider-demo 0.0.3-x86
+	tools/hack/docker-pull-image.sh docker.io/alihigress/nacos-standlone-rc3 1.0.0-RC3
 	tools/hack/docker-pull-image.sh docker.io/hashicorp/consul 1.16.0
 	tools/hack/docker-pull-image.sh docker.io/charlie1380/eureka-registry-provider v0.3.0
 	tools/hack/docker-pull-image.sh docker.io/bitinit/eureka latest
-	tools/hack/docker-pull-image.sh registry.cn-hangzhou.aliyuncs.com/2456868764/httpbin 1.0.2
-	tools/hack/kind-load-image.sh registry.cn-hangzhou.aliyuncs.com/hinsteny/dubbo-provider-demo 0.0.1
-	tools/hack/kind-load-image.sh registry.cn-hangzhou.aliyuncs.com/hinsteny/nacos-standlone-rc3 1.0.0-RC3
+	tools/hack/docker-pull-image.sh docker.io/alihigress/httpbin 1.0.2
+	tools/hack/kind-load-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/dubbo-provider-demo 0.0.3-x86
+	tools/hack/kind-load-image.sh docker.io/alihigress/nacos-standlone-rc3 1.0.0-RC3
 	tools/hack/kind-load-image.sh docker.io/hashicorp/consul 1.16.0
-	tools/hack/kind-load-image.sh registry.cn-hangzhou.aliyuncs.com/2456868764/httpbin 1.0.2
+	tools/hack/kind-load-image.sh docker.io/alihigress/httpbin 1.0.2
 	tools/hack/kind-load-image.sh docker.io/charlie1380/eureka-registry-provider v0.3.0
 	tools/hack/kind-load-image.sh docker.io/bitinit/eureka latest
+
+# run-higress-e2e-test-setup starts to setup ingress e2e tests.
+.PHONT: run-higress-e2e-test-setup
+run-higress-e2e-test-setup:
+	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
+	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
+	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
+	go test -v -tags conformance ./test/e2e/e2e_test.go --ingress-class=higress --debug=true --test-area=setup
+
 # run-higress-e2e-test starts to run ingress e2e tests.
 .PHONY: run-higress-e2e-test
 run-higress-e2e-test:
@@ -275,9 +305,39 @@ run-higress-e2e-test:
 	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
 	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
 	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
-	go test -v -tags conformance ./test/e2e/e2e_test.go --ingress-class=higress --debug=true
+	go test -v -tags conformance ./test/e2e/e2e_test.go --ingress-class=higress --debug=true --test-area=all --execute-tests=$(TEST_SHORTNAME)

-# run-higress-e2e-test starts to run ingress e2e tests.
+# run-higress-e2e-test-run starts to run ingress e2e conformance tests.
+.PHONY: run-higress-e2e-test-run
+run-higress-e2e-test-run:
+	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
+	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
+	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
+	go test -v -tags conformance ./test/e2e/e2e_test.go --ingress-class=higress --debug=true --test-area=run --execute-tests=$(TEST_SHORTNAME)
+
+# run-higress-e2e-test-clean starts to clean ingress e2e tests.
+.PHONY: run-higress-e2e-test-clean
+run-higress-e2e-test-clean:
+	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
+	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
+	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
+	go test -v -tags conformance ./test/e2e/e2e_test.go --ingress-class=higress --debug=true --test-area=clean
+
+# run-higress-e2e-test-wasmplugin-setup starts to prepare ingress e2e tests.
+.PHONY: run-higress-e2e-test-wasmplugin-setup
+run-higress-e2e-test-wasmplugin-setup:
+	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
+	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
+	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
+	go test -v -tags conformance ./test/e2e/e2e_test.go -isWasmPluginTest=true -wasmPluginType=$(PLUGIN_TYPE) -wasmPluginName=$(PLUGIN_NAME) --ingress-class=higress --debug=true --test-area=setup
+
+# run-higress-e2e-test-wasmplugin starts to run ingress e2e tests.
 .PHONY: run-higress-e2e-test-wasmplugin
 run-higress-e2e-test-wasmplugin:
 	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
@@ -285,4 +345,24 @@ run-higress-e2e-test-wasmplugin:
 	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
 	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
 	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
-	go test -v -tags conformance ./test/e2e/e2e_test.go -isWasmPluginTest=true -wasmPluginType=$(PLUGIN_TYPE) -wasmPluginName=$(PLUGIN_NAME) --ingress-class=higress --debug=true
+	go test -v -tags conformance ./test/e2e/e2e_test.go -isWasmPluginTest=true -wasmPluginType=$(PLUGIN_TYPE) -wasmPluginName=$(PLUGIN_NAME) --ingress-class=higress --debug=true --test-area=all --execute-tests=$(TEST_SHORTNAME)
+
+# run-higress-e2e-test-wasmplugin-run starts to run ingress e2e conformance tests.
+.PHONY: run-higress-e2e-test-wasmplugin-run
+run-higress-e2e-test-wasmplugin-run:
+	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
+	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
+	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
+	go test -v -tags conformance ./test/e2e/e2e_test.go -isWasmPluginTest=true -wasmPluginType=$(PLUGIN_TYPE) -wasmPluginName=$(PLUGIN_NAME) --ingress-class=higress --debug=true --test-area=run --execute-tests=$(TEST_SHORTNAME)
+
+# run-higress-e2e-test-wasmplugin-clean starts to clean ingress e2e tests.
+.PHONY: run-higress-e2e-test-wasmplugin-clean
+run-higress-e2e-test-wasmplugin-clean:
+	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
+	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
+	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
+	go test -v -tags conformance ./test/e2e/e2e_test.go -isWasmPluginTest=true -wasmPluginType=$(PLUGIN_TYPE) -wasmPluginName=$(PLUGIN_NAME) --ingress-class=higress --debug=true --test-area=clean
--- a/README.md
+++ b/README.md
@@ -1,17 +1,18 @@
 <h1 align="center">
    <img src="https://img.alicdn.com/imgextra/i2/O1CN01NwxLDd20nxfGBjxmZ_!!6000000006895-2-tps-960-290.png" alt="Higress" width="240" height="72.5">
  <br>
-  Next-generation Cloud Native Gateway
+  AI Gateway
 </h1>
+<h4 align="center"> AI Native API Gateway </h4>

-[![Build Status](https://github.com/alibaba/higress/workflows/build%20and%20codecov/badge.svg?branch=main)](https://github.com/alibaba/higress/actions)
+[![Build Status](https://github.com/alibaba/higress/actions/workflows/build-and-test.yaml/badge.svg?branch=main)](https://github.com/alibaba/higress/actions)
 [![license](https://img.shields.io/github/license/alibaba/higress.svg)](https://www.apache.org/licenses/LICENSE-2.0.html)

 [**官网**](https://higress.io/) &nbsp; |
-&nbsp; [**文档**](https://higress.io/zh-cn/docs/overview/what-is-higress) &nbsp; |
-&nbsp; [**博客**](https://higress.io/zh-cn/blog) &nbsp; |
-&nbsp; [**开发指引**](https://higress.io/zh-cn/docs/developers/developers_dev) &nbsp; |
-&nbsp; [**Higress 企业版**](https://www.aliyun.com/product/aliware/mse?spm=higress-website.topbar.0.0.0) &nbsp;
+&nbsp; [**文档**](https://higress.io/docs/latest/user/quickstart/) &nbsp; |
+&nbsp; [**博客**](https://higress.io/blog/) &nbsp; |
+&nbsp; [**开发指引**](https://higress.io/docs/latest/dev/architecture/) &nbsp; |
+&nbsp; [**AI插件**](https://higress.io/plugin/) &nbsp;


 <p>
@@ -19,21 +20,54 @@
 </p>


-Higress 是基于阿里内部两年多的 Envoy Gateway 实践沉淀，以开源 [Istio](https://github.com/istio/istio) 与 [Envoy](https://github.com/envoyproxy/envoy) 为核心构建的下一代云原生网关。Higress 实现了安全防护网关、流量网关、微服务网关三层网关合一，可以显著降低网关的部署和运维成本。
+Higress 是基于阿里内部多年的 Envoy Gateway 实践沉淀，以开源 [Istio](https://github.com/istio/istio) 与 [Envoy](https://github.com/envoyproxy/envoy) 为核心构建的云原生 API 网关。
+
+Higress 在阿里内部作为 AI 网关，承载了通义千问 APP、百炼大模型 API、机器学习 PAI 平台等 AI 业务的流量。
+
+Higress 能够用统一的协议对接国内外所有 LLM 模型厂商，同时具备丰富的 AI 可观测、多模型负载均衡/fallback、AI token 流控、AI 缓存等能力：
+
+![](https://img.alicdn.com/imgextra/i1/O1CN01fNnhCp1cV8mYPRFeS_!!6000000003605-0-tps-1080-608.jpg)
+

-![arch](https://img.alicdn.com/imgextra/i1/O1CN01iO9ph825juHbOIg75_!!6000000007563-2-tps-2483-2024.png)

 ## Summary
-    
+
+- [**快速开始**](#快速开始)    
 - [**功能展示**](#功能展示)
 - [**使用场景**](#使用场景)
 - [**核心优势**](#核心优势)
- [**Quick Start**](https://higress.io/zh-cn/docs/user/quickstart)
 - [**社区**](#社区)

+## 快速开始
+
+Higress 只需 Docker 即可启动，方便个人开发者在本地搭建学习，或者用于搭建简易站点:
+
+```bash
+# 创建一个工作目录
+mkdir higress; cd higress
+# 启动 higress，配置文件会写到工作目录下
+docker run -d --rm --name higress-ai -v ${PWD}:/data \
+        -p 8001:8001 -p 8080:8080 -p 8443:8443  \
+        higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/all-in-one:latest
+```
+
+监听端口说明如下：
+
+- 8001 端口：Higress UI 控制台入口
+- 8080 端口：网关 HTTP 协议入口
+- 8443 端口：网关 HTTPS 协议入口
+
+**Higress 的所有 Docker 镜像都一直使用自己独享的仓库，不受 Docker Hub 境内不可访问的影响**
+
+K8s 下使用 Helm 部署等其他安装方式可以参考官网 [Quick Start 文档](https://higress.io/docs/latest/user/quickstart/)。
+

 ## 使用场景

+- **AI 网关**:
+
+  Higress 提供了一站式的 AI 插件集，可以增强依赖 AI 能力业务的稳定性、灵活性、可观测性，使得业务与 AI 的集成更加便捷和高效。
+
 - **Kubernetes Ingress 网关**:

  Higress 可以作为 K8s 集群的 Ingress 入口网关, 并且兼容了大量 K8s Nginx Ingress 的注解，可以从 K8s Nginx Ingress 快速平滑迁移到 Higress。
@@ -56,27 +90,36 @@ Higress 是基于阿里内部两年多的 Envoy Gateway 实践沉淀，以开源

  脱胎于阿里巴巴2年多生产验证的内部产品，支持每秒请求量达数十万级的大规模场景。

-  彻底摆脱 reload 引起的流量抖动，配置变更毫秒级生效且业务无感。
-  
- **平滑演进**
+  彻底摆脱 Nginx reload 引起的流量抖动，配置变更毫秒级生效且业务无感。对 AI 业务等长连接场景特别友好。

-  支持 Nacos/Zookeeper/Eureka 等多种注册中心，可以不依赖 K8s Service 进行服务发现，支持非容器架构平滑演进到云原生架构。
+- **流式处理**

-  支持从 Nginx Ingress Controller 平滑迁移，支持平滑过渡到 Gateway API，支持业务架构平滑演进到 ServiceMesh。
+  支持真正的完全流式处理请求/响应 Body，Wasm 插件很方便地自定义处理 SSE （Server-Sent Events）等流式协议的报文。

- **兼收并蓄**
-  
-  兼容 Nginx Ingress Annotation 80%+ 的使用场景，且提供功能更丰富的 Higress Annotation 注解。
-  
-  兼容 Ingress API/Gateway API/Istio API，可以组合多种 CRD 实现流量精细化管理。
-  
+  在 AI 业务等大带宽场景下，可以显著降低内存开销。  
+    
 - **便于扩展**
  
-  提供 Wasm、Lua、进程外三种插件扩展机制，支持多语言编写插件，生效粒度支持全局级、域名级，路由级。
+  提供丰富的官方插件库，涵盖 AI、流量管理、安全防护等常用功能，满足90%以上的业务场景需求。
+
+  主打 Wasm 插件扩展，通过沙箱隔离确保内存安全，支持多种编程语言，允许插件版本独立升级，实现流量无损热更新网关逻辑。
+
+- **安全易用**
+  
+  基于 Ingress API 和 Gateway API 标准，提供开箱即用的 UI 控制台，WAF 防护插件、IP/Cookie CC 防护插件开箱即用。
+
+  支持对接 Let's Encrypt 自动签发和续签免费证书，并且可以脱离 K8s 部署，一行 Docker 命令即可启动，方便个人开发者使用。

-  插件支持热更新，变更插件逻辑和配置都对流量无损。

 ## 功能展示
+
+### AI 网关 Demo 展示
+
+[从 OpenAI 到其他大模型，30 秒完成迁移
+](https://www.bilibili.com/video/BV1dT421a7w7/?spm_id_from=333.788.recommend_more_video.14)
+
+
+### Higress UI 控制台
    
 - **丰富的可观测**

@@ -119,15 +162,13 @@ Higress 是基于阿里内部两年多的 Envoy Gateway 实践沉淀，以开源

 如果没有 Envoy 和 Istio 的开源工作，Higress 就不可能实现，在这里向这两个项目献上最诚挚的敬意。

-### 联系我们
+### 交流群

- Mailing list: higress@googlegroups.com
+![image](https://img.alicdn.com/imgextra/i2/O1CN01qPd7Ix1uZPVEsWjWp_!!6000000006051-0-tps-720-405.jpg)

-社区交流群: 
+### 技术分享

-![image](https://img.alicdn.com/imgextra/i1/O1CN01KWonlE1DkpqaYVTiC_!!6000000000255-0-tps-720-405.jpg)
+微信公众号：

+![](https://img.alicdn.com/imgextra/i1/O1CN01WnQt0q1tcmqVDU73u_!!6000000005923-0-tps-258-258.jpg)

-开发者群：
-
-![image](https://img.alicdn.com/imgextra/i2/O1CN010jFMgn1qTDaHqeIgH_!!6000000005496-2-tps-406-531.png)
--- a/README_EN.md
+++ b/README_EN.md
@@ -1,10 +1,10 @@
 <h1 align="center">
    <img src="https://img.alicdn.com/imgextra/i2/O1CN01NwxLDd20nxfGBjxmZ_!!6000000006895-2-tps-960-290.png" alt="Higress" width="240" height="72.5">
  <br>
-  Next-generation Cloud Native Gateway
+  Cloud Native API Gateway
 </h1>

-[![Build Status](https://github.com/alibaba/higress/workflows/build%20and%20codecov/badge.svg?branch=main)](https://github.com/alibaba/higress/actions)
+[![Build Status](https://github.com/alibaba/higress/actions/workflows/build-and-test.yaml/badge.svg?branch=main)](https://github.com/alibaba/higress/actions)
 [![license](https://img.shields.io/github/license/alibaba/higress.svg)](https://www.apache.org/licenses/LICENSE-2.0.html)

 [**Official Site**](https://higress.io/en-us/) &nbsp; |
@@ -18,7 +18,7 @@
   English | <a href="README.md">中文<a/>
 </p>

-Higress is a next-generation cloud-native gateway based on Alibaba's internal gateway practices. 
+Higress is a cloud-native api gateway based on Alibaba's internal gateway practices. 

 Powered by [Istio](https://github.com/istio/istio) and [Envoy](https://github.com/envoyproxy/envoy), Higress realizes the integration of the triple gateway architecture of traffic gateway, microservice gateway and security gateway, thereby greatly reducing the costs of deployment, operation and maintenance.

--- a/2
+++ b/2
@@ -1 +1 @@
-v1.2.0
+v1.4.2
--- a/api/extensions/v1alpha1/wasm.pb.go
+++ b/api/extensions/v1alpha1/wasm.pb.go
@@ -166,7 +166,7 @@ type WasmPlugin struct {
 	// If `priority` is not set, or two `WasmPlugins` exist with the same
 	// value, the ordering will be deterministically derived from name and
 	// namespace of the `WasmPlugins`. Defaults to `0`.
-	Priority *types.Int64Value `protobuf:"bytes,10,opt,name=priority,proto3" json:"priority,omitempty"`
+	Priority *types.Int32Value `protobuf:"bytes,10,opt,name=priority,proto3" json:"priority,omitempty"`
 	// Extended by Higress, the default configuration takes effect globally
 	DefaultConfig *types.Struct `protobuf:"bytes,101,opt,name=default_config,json=defaultConfig,proto3" json:"default_config,omitempty"`
 	// Extended by Higress, matching rules take effect
@@ -267,7 +267,7 @@ func (m *WasmPlugin) GetPhase() PluginPhase {
 	return PluginPhase_UNSPECIFIED_PHASE
 }

-func (m *WasmPlugin) GetPriority() *types.Int64Value {
+func (m *WasmPlugin) GetPriority() *types.Int32Value {
 	if m != nil {
 		return m.Priority
 	}
@@ -301,6 +301,7 @@ type MatchRule struct {
 	Domain               []string      `protobuf:"bytes,2,rep,name=domain,proto3" json:"domain,omitempty"`
 	Config               *types.Struct `protobuf:"bytes,3,opt,name=config,proto3" json:"config,omitempty"`
 	ConfigDisable        bool          `protobuf:"varint,4,opt,name=config_disable,json=configDisable,proto3" json:"config_disable,omitempty"`
+	Service              []string      `protobuf:"bytes,5,rep,name=service,proto3" json:"service,omitempty"`
 	XXX_NoUnkeyedLiteral struct{}      `json:"-"`
 	XXX_unrecognized     []byte        `json:"-"`
 	XXX_sizecache        int32         `json:"-"`
@@ -367,6 +368,13 @@ func (m *MatchRule) GetConfigDisable() bool {
 	return false
 }

+func (m *MatchRule) GetService() []string {
+	if m != nil {
+		return m.Service
+	}
+	return nil
+}
+
 func init() {
 	proto.RegisterEnum("higress.extensions.v1alpha1.PluginPhase", PluginPhase_name, PluginPhase_value)
 	proto.RegisterEnum("higress.extensions.v1alpha1.PullPolicy", PullPolicy_name, PullPolicy_value)
@@ -377,46 +385,47 @@ func init() {
 func init() { proto.RegisterFile("extensions/v1alpha1/wasm.proto", fileDescriptor_4d60b240916c4e18) }

 var fileDescriptor_4d60b240916c4e18 = []byte{
-	// 617 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x94, 0xdf, 0x4e, 0x13, 0x41,
-	0x14, 0xc6, 0xd9, 0x16, 0x0a, 0x3d, 0x05, 0x5c, 0x26, 0x8a, 0x13, 0x30, 0xb5, 0x21, 0x51, 0x57,
-	0x2e, 0x76, 0x43, 0x45, 0xbc, 0x31, 0xc4, 0x02, 0x55, 0x1a, 0xb5, 0x6e, 0x76, 0x41, 0x23, 0x37,
-	0x9b, 0xe9, 0x32, 0xdd, 0x4e, 0x9c, 0xfd, 0x93, 0x9d, 0x59, 0xb0, 0x0f, 0xe2, 0x3b, 0x79, 0xe9,
-	0x23, 0x18, 0xde, 0xc2, 0x3b, 0xd3, 0xd9, 0x2d, 0x6d, 0xd1, 0xf4, 0x6e, 0xe6, 0x9c, 0xdf, 0x39,
-	0xe7, 0xfb, 0xce, 0x4e, 0x16, 0xea, 0xf4, 0xbb, 0xa4, 0x91, 0x60, 0x71, 0x24, 0xac, 0xab, 0x3d,
-	0xc2, 0x93, 0x01, 0xd9, 0xb3, 0xae, 0x89, 0x08, 0xcd, 0x24, 0x8d, 0x65, 0x8c, 0xb6, 0x07, 0x2c,
-	0x48, 0xa9, 0x10, 0xe6, 0x84, 0x33, 0xc7, 0xdc, 0x56, 0x3d, 0x88, 0xe3, 0x80, 0x53, 0x4b, 0xa1,
-	0xbd, 0xac, 0x6f, 0x5d, 0xa7, 0x24, 0x49, 0x68, 0x2a, 0xf2, 0xe2, 0xad, 0x47, 0x77, 0xf3, 0x42,
-	0xa6, 0x99, 0x2f, 0xf3, 0xec, 0xce, 0x9f, 0x45, 0x80, 0x2f, 0x44, 0x84, 0x36, 0xcf, 0x02, 0x16,
-	0x21, 0x1d, 0xca, 0x59, 0xca, 0x71, 0xa9, 0xa1, 0x19, 0x55, 0x67, 0x74, 0x44, 0x9b, 0x50, 0x11,
-	0x03, 0xd2, 0x7c, 0x79, 0x80, 0xcb, 0x2a, 0x58, 0xdc, 0x90, 0x0b, 0x1b, 0x2c, 0x24, 0x01, 0xf5,
-	0x92, 0x8c, 0x73, 0x2f, 0x89, 0x39, 0xf3, 0x87, 0x78, 0xb1, 0xa1, 0x19, 0xeb, 0xcd, 0x67, 0xe6,
-	0x1c, 0xbd, 0xa6, 0x9d, 0x71, 0x6e, 0x2b, 0xdc, 0xb9, 0xa7, 0x3a, 0x4c, 0x02, 0x68, 0x77, 0xa6,
-	0xa9, 0xa0, 0x7e, 0x4a, 0x25, 0x5e, 0x52, 0x73, 0x27, 0xac, 0xab, 0xc2, 0xe8, 0x39, 0xe8, 0x57,
-	0x34, 0x65, 0x7d, 0xe6, 0x13, 0xc9, 0xe2, 0xc8, 0xfb, 0x46, 0x87, 0xb8, 0x92, 0xa3, 0xd3, 0xf1,
-	0xf7, 0x74, 0x88, 0x5e, 0xc3, 0x5a, 0xa2, 0xfc, 0x79, 0x7e, 0x1c, 0xf5, 0x59, 0x80, 0x97, 0x1b,
-	0x9a, 0x51, 0x6b, 0x3e, 0x34, 0xf3, 0xd5, 0x98, 0xe3, 0xd5, 0x98, 0xae, 0x5a, 0x8d, 0xb3, 0x9a,
-	0xd3, 0xc7, 0x0a, 0x46, 0x8f, 0xa1, 0x56, 0x54, 0x47, 0x24, 0xa4, 0x78, 0x45, 0xcd, 0x80, 0x3c,
-	0xd4, 0x25, 0x21, 0x45, 0x87, 0xb0, 0x94, 0x0c, 0x88, 0xa0, 0xb8, 0xaa, 0xec, 0x1b, 0xf3, 0xed,
-	0xab, 0x3a, 0x7b, 0xc4, 0x3b, 0x79, 0x19, 0x7a, 0x05, 0x2b, 0x49, 0xca, 0xe2, 0x94, 0xc9, 0x21,
-	0x06, 0xa5, 0x6c, 0xfb, 0x1f, 0x65, 0x9d, 0x48, 0x1e, 0xec, 0x7f, 0x26, 0x3c, 0xa3, 0xce, 0x2d,
-	0x8c, 0x0e, 0x61, 0xfd, 0x92, 0xf6, 0x49, 0xc6, 0xe5, 0xd8, 0x18, 0x9d, 0x6f, 0x6c, 0xad, 0xc0,
-	0x0b, 0x67, 0xef, 0xa0, 0x16, 0x12, 0xe9, 0x0f, 0xbc, 0x34, 0xe3, 0x54, 0xe0, 0x7e, 0xa3, 0x6c,
-	0xd4, 0x9a, 0x4f, 0xe7, 0xca, 0xff, 0x38, 0xe2, 0x9d, 0x8c, 0x53, 0x07, 0xc2, 0xf1, 0x51, 0xa0,
-	0x7d, 0xd8, 0x9c, 0x15, 0xe2, 0x5d, 0x32, 0x41, 0x7a, 0x9c, 0xe2, 0xa0, 0xa1, 0x19, 0x2b, 0xce,
-	0xfd, 0x99, 0xb9, 0x27, 0x79, 0x6e, 0xe7, 0x87, 0x06, 0xd5, 0xdb, 0x7e, 0x08, 0xc3, 0x32, 0x8b,
-	0xd4, 0x60, 0xac, 0x35, 0xca, 0x46, 0xd5, 0x19, 0x5f, 0x47, 0x4f, 0xf0, 0x32, 0x0e, 0x09, 0x8b,
-	0x70, 0x49, 0x25, 0x8a, 0x1b, 0xb2, 0xa0, 0x52, 0xd8, 0x2e, 0xcf, 0xb7, 0x5d, 0x60, 0xe8, 0x09,
-	0xac, 0xdf, 0x91, 0xb7, 0xa8, 0xe4, 0xad, 0xf9, 0xd3, 0xba, 0x76, 0xdb, 0x50, 0x9b, 0xfa, 0x4a,
-	0xe8, 0x01, 0x6c, 0x9c, 0x77, 0x5d, 0xbb, 0x7d, 0xdc, 0x79, 0xdb, 0x69, 0x9f, 0x78, 0xf6, 0x69,
-	0xcb, 0x6d, 0xeb, 0x0b, 0xa8, 0x0a, 0x4b, 0xad, 0xf3, 0xb3, 0xd3, 0xae, 0xae, 0x8d, 0x8f, 0x17,
-	0x7a, 0x69, 0x74, 0x74, 0xcf, 0x5a, 0x67, 0xae, 0x5e, 0xde, 0x3d, 0x02, 0x98, 0x7a, 0xda, 0x9b,
-	0x80, 0x66, 0xba, 0x7c, 0xfa, 0xd0, 0x39, 0xfe, 0xaa, 0x2f, 0x20, 0x1d, 0x56, 0x3b, 0xfd, 0x6e,
-	0x2c, 0xed, 0x94, 0x0a, 0x1a, 0x49, 0x5d, 0x43, 0x00, 0x95, 0x16, 0xbf, 0x26, 0x43, 0xa1, 0x97,
-	0x8e, 0xde, 0xfc, 0xbc, 0xa9, 0x6b, 0xbf, 0x6e, 0xea, 0xda, 0xef, 0x9b, 0xba, 0x76, 0xd1, 0x0c,
-	0x98, 0x1c, 0x64, 0x3d, 0xd3, 0x8f, 0x43, 0x8b, 0x70, 0xd6, 0x23, 0x3d, 0x62, 0x15, 0x1f, 0xcb,
-	0x22, 0x09, 0xb3, 0xfe, 0xf3, 0x1b, 0xe9, 0x55, 0xd4, 0x32, 0x5e, 0xfc, 0x0d, 0x00, 0x00, 0xff,
-	0xff, 0x48, 0x74, 0xbe, 0xc1, 0x64, 0x04, 0x00, 0x00,
+	// 631 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x94, 0xdd, 0x6e, 0xd3, 0x4c,
+	0x10, 0x86, 0xeb, 0xa4, 0x49, 0x9b, 0x49, 0xdb, 0xcf, 0x5d, 0x7d, 0x94, 0x55, 0x8b, 0x42, 0x54,
+	0x09, 0x30, 0x3d, 0xb0, 0xd5, 0x94, 0x9f, 0x13, 0x54, 0x91, 0xb6, 0x81, 0x46, 0x40, 0xb0, 0xec,
+	0x16, 0x44, 0x4f, 0xac, 0x8d, 0xbb, 0x71, 0x56, 0xac, 0x7f, 0xe4, 0x5d, 0xb7, 0xe4, 0xaa, 0xb8,
+	0x0d, 0x0e, 0xb9, 0x04, 0xd4, 0xbb, 0xe0, 0x0c, 0x65, 0xed, 0x34, 0x49, 0x41, 0x39, 0xdb, 0x9d,
+	0x79, 0x66, 0xe6, 0x7d, 0xc7, 0x2b, 0x43, 0x83, 0x7e, 0x93, 0x34, 0x12, 0x2c, 0x8e, 0x84, 0x75,
+	0xb5, 0x4f, 0x78, 0x32, 0x24, 0xfb, 0xd6, 0x35, 0x11, 0xa1, 0x99, 0xa4, 0xb1, 0x8c, 0xd1, 0xce,
+	0x90, 0x05, 0x29, 0x15, 0xc2, 0x9c, 0x72, 0xe6, 0x84, 0xdb, 0x6e, 0x04, 0x71, 0x1c, 0x70, 0x6a,
+	0x29, 0xb4, 0x9f, 0x0d, 0xac, 0xeb, 0x94, 0x24, 0x09, 0x4d, 0x45, 0x5e, 0xbc, 0xfd, 0xe0, 0x6e,
+	0x5e, 0xc8, 0x34, 0xf3, 0x65, 0x9e, 0xdd, 0xfd, 0xbd, 0x0c, 0xf0, 0x99, 0x88, 0xd0, 0xe6, 0x59,
+	0xc0, 0x22, 0xa4, 0x43, 0x39, 0x4b, 0x39, 0x2e, 0x35, 0x35, 0xa3, 0xe6, 0x8c, 0x8f, 0x68, 0x0b,
+	0xaa, 0x62, 0x48, 0x5a, 0xcf, 0x5f, 0xe0, 0xb2, 0x0a, 0x16, 0x37, 0xe4, 0xc2, 0x26, 0x0b, 0x49,
+	0x40, 0xbd, 0x24, 0xe3, 0xdc, 0x4b, 0x62, 0xce, 0xfc, 0x11, 0x5e, 0x6e, 0x6a, 0xc6, 0x46, 0xeb,
+	0x89, 0xb9, 0x40, 0xaf, 0x69, 0x67, 0x9c, 0xdb, 0x0a, 0x77, 0xfe, 0x53, 0x1d, 0xa6, 0x01, 0xb4,
+	0x37, 0xd7, 0x54, 0x50, 0x3f, 0xa5, 0x12, 0x57, 0xd4, 0xdc, 0x29, 0xeb, 0xaa, 0x30, 0x7a, 0x0a,
+	0xfa, 0x15, 0x4d, 0xd9, 0x80, 0xf9, 0x44, 0xb2, 0x38, 0xf2, 0xbe, 0xd2, 0x11, 0xae, 0xe6, 0xe8,
+	0x6c, 0xfc, 0x1d, 0x1d, 0xa1, 0x57, 0xb0, 0x9e, 0x28, 0x7f, 0x9e, 0x1f, 0x47, 0x03, 0x16, 0xe0,
+	0x95, 0xa6, 0x66, 0xd4, 0x5b, 0xf7, 0xcd, 0x7c, 0x35, 0xe6, 0x64, 0x35, 0xa6, 0xab, 0x56, 0xe3,
+	0xac, 0xe5, 0xf4, 0xb1, 0x82, 0xd1, 0x43, 0xa8, 0x17, 0xd5, 0x11, 0x09, 0x29, 0x5e, 0x55, 0x33,
+	0x20, 0x0f, 0xf5, 0x48, 0x48, 0xd1, 0x21, 0x54, 0x92, 0x21, 0x11, 0x14, 0xd7, 0x94, 0x7d, 0x63,
+	0xb1, 0x7d, 0x55, 0x67, 0x8f, 0x79, 0x27, 0x2f, 0x43, 0x2f, 0x61, 0x35, 0x49, 0x59, 0x9c, 0x32,
+	0x39, 0xc2, 0xa0, 0x94, 0xed, 0xfc, 0xa5, 0xac, 0x1b, 0xc9, 0x83, 0xd6, 0x27, 0xc2, 0x33, 0xea,
+	0xdc, 0xc2, 0xe8, 0x10, 0x36, 0x2e, 0xe9, 0x80, 0x64, 0x5c, 0x4e, 0x8c, 0xd1, 0xc5, 0xc6, 0xd6,
+	0x0b, 0xbc, 0x70, 0xf6, 0x16, 0xea, 0x21, 0x91, 0xfe, 0xd0, 0x4b, 0x33, 0x4e, 0x05, 0x1e, 0x34,
+	0xcb, 0x46, 0xbd, 0xf5, 0x78, 0xa1, 0xfc, 0x0f, 0x63, 0xde, 0xc9, 0x38, 0x75, 0x20, 0x9c, 0x1c,
+	0x05, 0x7a, 0x06, 0x5b, 0xf3, 0x42, 0xbc, 0x4b, 0x26, 0x48, 0x9f, 0x53, 0x1c, 0x34, 0x35, 0x63,
+	0xd5, 0xf9, 0x7f, 0x6e, 0xee, 0x49, 0x9e, 0xdb, 0xfd, 0xae, 0x41, 0xed, 0xb6, 0x1f, 0xc2, 0xb0,
+	0xc2, 0x22, 0x35, 0x18, 0x6b, 0xcd, 0xb2, 0x51, 0x73, 0x26, 0xd7, 0xf1, 0x13, 0xbc, 0x8c, 0x43,
+	0xc2, 0x22, 0x5c, 0x52, 0x89, 0xe2, 0x86, 0x2c, 0xa8, 0x16, 0xb6, 0xcb, 0x8b, 0x6d, 0x17, 0x18,
+	0x7a, 0x04, 0x1b, 0x77, 0xe4, 0x2d, 0x2b, 0x79, 0xeb, 0xfe, 0xac, 0xae, 0xb1, 0x12, 0x41, 0xd3,
+	0x2b, 0xe6, 0x53, 0x5c, 0xc9, 0x95, 0x14, 0xd7, 0xbd, 0x0e, 0xd4, 0x67, 0xbe, 0x1f, 0xba, 0x07,
+	0x9b, 0xe7, 0x3d, 0xd7, 0xee, 0x1c, 0x77, 0xdf, 0x74, 0x3b, 0x27, 0x9e, 0x7d, 0xda, 0x76, 0x3b,
+	0xfa, 0x12, 0xaa, 0x41, 0xa5, 0x7d, 0x7e, 0x76, 0xda, 0xd3, 0xb5, 0xc9, 0xf1, 0x42, 0x2f, 0x8d,
+	0x8f, 0xee, 0x59, 0xfb, 0xcc, 0xd5, 0xcb, 0x7b, 0x47, 0x00, 0x33, 0x8f, 0x7e, 0x0b, 0xd0, 0x5c,
+	0x97, 0x8f, 0xef, 0xbb, 0xc7, 0x5f, 0xf4, 0x25, 0xa4, 0xc3, 0x5a, 0x77, 0xd0, 0x8b, 0xa5, 0x9d,
+	0x52, 0x41, 0x23, 0xa9, 0x6b, 0x08, 0xa0, 0xda, 0xe6, 0xd7, 0x64, 0x24, 0xf4, 0xd2, 0xd1, 0xeb,
+	0x1f, 0x37, 0x0d, 0xed, 0xe7, 0x4d, 0x43, 0xfb, 0x75, 0xd3, 0xd0, 0x2e, 0x5a, 0x01, 0x93, 0xc3,
+	0xac, 0x6f, 0xfa, 0x71, 0x68, 0x11, 0xce, 0xfa, 0xa4, 0x4f, 0xac, 0xe2, 0x33, 0x5a, 0x24, 0x61,
+	0xd6, 0x3f, 0x7e, 0x30, 0xfd, 0xaa, 0x5a, 0xd3, 0xc1, 0x9f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x0b,
+	0x3c, 0xc3, 0xcf, 0x7e, 0x04, 0x00, 0x00,
 }

 func (m *WasmPlugin) Marshal() (dAtA []byte, err error) {
@@ -581,6 +590,15 @@ func (m *MatchRule) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
+	if len(m.Service) > 0 {
+		for iNdEx := len(m.Service) - 1; iNdEx >= 0; iNdEx-- {
+			i -= len(m.Service[iNdEx])
+			copy(dAtA[i:], m.Service[iNdEx])
+			i = encodeVarintWasm(dAtA, i, uint64(len(m.Service[iNdEx])))
+			i--
+			dAtA[i] = 0x2a
+		}
+	}
 	if m.ConfigDisable {
 		i--
 		if m.ConfigDisable {
@@ -719,6 +737,12 @@ func (m *MatchRule) Size() (n int) {
 	if m.ConfigDisable {
 		n += 2
 	}
+	if len(m.Service) > 0 {
+		for _, s := range m.Service {
+			l = len(s)
+			n += 1 + l + sovWasm(uint64(l))
+		}
+	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@@ -1024,7 +1048,7 @@ func (m *WasmPlugin) Unmarshal(dAtA []byte) error {
 				return io.ErrUnexpectedEOF
 			}
 			if m.Priority == nil {
-				m.Priority = &types.Int64Value{}
+				m.Priority = &types.Int32Value{}
 			}
 			if err := m.Priority.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
 				return err
@@ -1291,6 +1315,38 @@ func (m *MatchRule) Unmarshal(dAtA []byte) error {
 				}
 			}
 			m.ConfigDisable = bool(v != 0)
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Service", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowWasm
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthWasm
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthWasm
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Service = append(m.Service, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipWasm(dAtA[iNdEx:])
--- a/api/extensions/v1alpha1/wasm.proto
+++ b/api/extensions/v1alpha1/wasm.proto
@@ -98,7 +98,7 @@ message WasmPlugin {
  // If `priority` is not set, or two `WasmPlugins` exist with the same
  // value, the ordering will be deterministically derived from name and
  // namespace of the `WasmPlugins`. Defaults to `0`.
-  google.protobuf.Int64Value priority = 10;
+  google.protobuf.Int32Value priority = 10;

  // Extended by Higress, the default configuration takes effect globally
  google.protobuf.Struct default_config = 101;
@@ -114,6 +114,7 @@ message MatchRule {
  repeated string domain = 2;
  google.protobuf.Struct config = 3;
  bool config_disable = 4;
+  repeated string service = 5;
 }

 // The phase in the filter chain where the plugin will be injected.
--- a/api/kubernetes/customresourcedefinitions.gen.yaml
+++ b/api/kubernetes/customresourcedefinitions.gen.yaml
@@ -64,6 +64,10 @@ spec:
                      items:
                        type: string
                      type: array
+                    service:
+                      items:
+                        type: string
+                      type: array
                  type: object
                type: array
              phase:
@@ -154,6 +158,11 @@ spec:
                          type: array
                        httpPath:
                          type: string
+                        paramFromEntireBody:
+                          properties:
+                            paramType:
+                              type: string
+                          type: object
                        params:
                          items:
                            properties:
--- a/api/networking/v1/http_2_rpc.pb.go
+++ b/api/networking/v1/http_2_rpc.pb.go
@@ -200,14 +200,15 @@ func (m *DubboService) GetMethods() []*Method {
 }

 type Method struct {
-	ServiceMethod        string   `protobuf:"bytes,1,opt,name=service_method,json=serviceMethod,proto3" json:"service_method,omitempty"`
-	HeadersAttach        string   `protobuf:"bytes,2,opt,name=headers_attach,json=headersAttach,proto3" json:"headers_attach,omitempty"`
-	HttpPath             string   `protobuf:"bytes,3,opt,name=http_path,json=httpPath,proto3" json:"http_path,omitempty"`
-	HttpMethods          []string `protobuf:"bytes,4,rep,name=http_methods,json=httpMethods,proto3" json:"http_methods,omitempty"`
-	Params               []*Param `protobuf:"bytes,5,rep,name=params,proto3" json:"params,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
+	ServiceMethod        string               `protobuf:"bytes,1,opt,name=service_method,json=serviceMethod,proto3" json:"service_method,omitempty"`
+	HeadersAttach        string               `protobuf:"bytes,2,opt,name=headers_attach,json=headersAttach,proto3" json:"headers_attach,omitempty"`
+	HttpPath             string               `protobuf:"bytes,3,opt,name=http_path,json=httpPath,proto3" json:"http_path,omitempty"`
+	HttpMethods          []string             `protobuf:"bytes,4,rep,name=http_methods,json=httpMethods,proto3" json:"http_methods,omitempty"`
+	Params               []*Param             `protobuf:"bytes,5,rep,name=params,proto3" json:"params,omitempty"`
+	ParamFromEntireBody  *ParamFromEntireBody `protobuf:"bytes,6,opt,name=paramFromEntireBody,proto3" json:"paramFromEntireBody,omitempty"`
+	XXX_NoUnkeyedLiteral struct{}             `json:"-"`
+	XXX_unrecognized     []byte               `json:"-"`
+	XXX_sizecache        int32                `json:"-"`
 }

 func (m *Method) Reset()         { *m = Method{} }
@@ -278,6 +279,13 @@ func (m *Method) GetParams() []*Param {
 	return nil
 }

+func (m *Method) GetParamFromEntireBody() *ParamFromEntireBody {
+	if m != nil {
+		return m.ParamFromEntireBody
+	}
+	return nil
+}
+
 type Param struct {
 	ParamSource          string   `protobuf:"bytes,1,opt,name=param_source,json=paramSource,proto3" json:"param_source,omitempty"`
 	ParamKey             string   `protobuf:"bytes,2,opt,name=param_key,json=paramKey,proto3" json:"param_key,omitempty"`
@@ -341,6 +349,53 @@ func (m *Param) GetParamType() string {
 	return ""
 }

+type ParamFromEntireBody struct {
+	ParamType            string   `protobuf:"bytes,1,opt,name=param_type,json=paramType,proto3" json:"param_type,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *ParamFromEntireBody) Reset()         { *m = ParamFromEntireBody{} }
+func (m *ParamFromEntireBody) String() string { return proto.CompactTextString(m) }
+func (*ParamFromEntireBody) ProtoMessage()    {}
+func (*ParamFromEntireBody) Descriptor() ([]byte, []int) {
+	return fileDescriptor_dc706c3b890c1c84, []int{4}
+}
+func (m *ParamFromEntireBody) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *ParamFromEntireBody) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	if deterministic {
+		return xxx_messageInfo_ParamFromEntireBody.Marshal(b, m, deterministic)
+	} else {
+		b = b[:cap(b)]
+		n, err := m.MarshalToSizedBuffer(b)
+		if err != nil {
+			return nil, err
+		}
+		return b[:n], nil
+	}
+}
+func (m *ParamFromEntireBody) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ParamFromEntireBody.Merge(m, src)
+}
+func (m *ParamFromEntireBody) XXX_Size() int {
+	return m.Size()
+}
+func (m *ParamFromEntireBody) XXX_DiscardUnknown() {
+	xxx_messageInfo_ParamFromEntireBody.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ParamFromEntireBody proto.InternalMessageInfo
+
+func (m *ParamFromEntireBody) GetParamType() string {
+	if m != nil {
+		return m.ParamType
+	}
+	return ""
+}
+
 type GrpcService struct {
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
@@ -351,7 +406,7 @@ func (m *GrpcService) Reset()         { *m = GrpcService{} }
 func (m *GrpcService) String() string { return proto.CompactTextString(m) }
 func (*GrpcService) ProtoMessage()    {}
 func (*GrpcService) Descriptor() ([]byte, []int) {
-	return fileDescriptor_dc706c3b890c1c84, []int{4}
+	return fileDescriptor_dc706c3b890c1c84, []int{5}
 }
 func (m *GrpcService) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -385,42 +440,46 @@ func init() {
 	proto.RegisterType((*DubboService)(nil), "higress.networking.v1.DubboService")
 	proto.RegisterType((*Method)(nil), "higress.networking.v1.Method")
 	proto.RegisterType((*Param)(nil), "higress.networking.v1.Param")
+	proto.RegisterType((*ParamFromEntireBody)(nil), "higress.networking.v1.ParamFromEntireBody")
 	proto.RegisterType((*GrpcService)(nil), "higress.networking.v1.GrpcService")
 }

 func init() { proto.RegisterFile("networking/v1/http_2_rpc.proto", fileDescriptor_dc706c3b890c1c84) }

 var fileDescriptor_dc706c3b890c1c84 = []byte{
-	// 463 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x74, 0x53, 0xcf, 0x8a, 0xd3, 0x40,
-	0x18, 0x77, 0xba, 0x6d, 0xb7, 0xfb, 0x65, 0xeb, 0x61, 0x40, 0x08, 0x8b, 0xc6, 0x35, 0x7b, 0x70,
-	0x41, 0x49, 0xd8, 0xea, 0x41, 0x14, 0x0f, 0x5b, 0x04, 0x17, 0x44, 0x58, 0xb2, 0x9e, 0xbc, 0x84,
-	0x49, 0x32, 0x66, 0x86, 0x6d, 0x33, 0xc3, 0xcc, 0x34, 0xda, 0xb7, 0xf0, 0x35, 0x7c, 0x13, 0x8f,
-	0x3e, 0x82, 0x14, 0x1f, 0x44, 0x32, 0x93, 0x6e, 0x13, 0xb1, 0xb7, 0xf0, 0xfb, 0x33, 0xdf, 0xef,
-	0xc7, 0xf7, 0x05, 0x82, 0x8a, 0x9a, 0xaf, 0x42, 0xdd, 0xf2, 0xaa, 0x8c, 0xeb, 0x8b, 0x98, 0x19,
-	0x23, 0xd3, 0x59, 0xaa, 0x64, 0x1e, 0x49, 0x25, 0x8c, 0xc0, 0x0f, 0x18, 0x2f, 0x15, 0xd5, 0x3a,
-	0xda, 0xe9, 0xa2, 0xfa, 0xe2, 0xe4, 0x71, 0x29, 0x44, 0xb9, 0xa0, 0x31, 0x91, 0x3c, 0xfe, 0xc2,
-	0xe9, 0xa2, 0x48, 0x33, 0xca, 0x48, 0xcd, 0x85, 0x72, 0xbe, 0xf0, 0x3b, 0x82, 0xc9, 0x95, 0x31,
-	0x72, 0x96, 0xc8, 0x1c, 0xbf, 0x81, 0x51, 0xb1, 0xca, 0x32, 0xe1, 0xa3, 0x53, 0x74, 0xee, 0xcd,
-	0xce, 0xa2, 0xff, 0x3e, 0x1a, 0xbd, 0x6b, 0x34, 0x37, 0x54, 0xd5, 0x3c, 0xa7, 0x57, 0xf7, 0x12,
-	0xe7, 0xc1, 0xaf, 0x60, 0x58, 0x2a, 0x99, 0xfb, 0x03, 0xeb, 0x0d, 0xf7, 0x78, 0xdf, 0x2b, 0x99,
-	0xef, 0xac, 0xd6, 0x31, 0x9f, 0x82, 0x57, 0x50, 0x6d, 0x78, 0x45, 0x0c, 0x17, 0x55, 0xf8, 0x03,
-	0xc1, 0x71, 0x77, 0x04, 0x0e, 0xe0, 0x50, 0xbb, 0x4f, 0x1b, 0xec, 0x68, 0x3e, 0xdc, 0x5c, 0xa2,
-	0x41, 0xb2, 0x05, 0x1b, 0xbe, 0xa6, 0x4a, 0x73, 0x51, 0xd9, 0xe1, 0x77, 0x7c, 0x0b, 0xe2, 0x13,
-	0x18, 0x95, 0x4a, 0xac, 0xa4, 0x7f, 0x70, 0xc7, 0xa2, 0xc4, 0x41, 0xf8, 0x2d, 0x1c, 0x2e, 0xa9,
-	0x61, 0xa2, 0xd0, 0xfe, 0xf0, 0xf4, 0xe0, 0xdc, 0x9b, 0x3d, 0xda, 0x13, 0xfc, 0xa3, 0x55, 0x6d,
-	0x9f, 0x6e, 0x3d, 0xe1, 0x1f, 0x04, 0x63, 0xc7, 0xe0, 0x67, 0x70, 0xbf, 0x0d, 0x94, 0x3a, 0xb6,
-	0x17, 0x76, 0xda, 0x72, 0x3b, 0x31, 0xa3, 0xa4, 0xa0, 0x4a, 0xa7, 0xc4, 0x18, 0x92, 0xb3, 0x4e,
-	0x72, 0x94, 0x4c, 0x5b, 0xee, 0xd2, 0x52, 0xf8, 0x09, 0x1c, 0xd9, 0x7d, 0x4b, 0x62, 0x58, 0xa7,
-	0xc3, 0x20, 0x99, 0x34, 0xf0, 0x35, 0x31, 0x0c, 0x3f, 0x85, 0x63, 0x2b, 0xe9, 0x76, 0xd9, 0xaa,
-	0xbc, 0x86, 0x71, 0x73, 0x35, 0x7e, 0x09, 0x63, 0x49, 0x14, 0x59, 0x6a, 0x7f, 0x64, 0xeb, 0x3e,
-	0xdc, 0x53, 0xf7, 0xba, 0x11, 0x25, 0xad, 0x36, 0xfc, 0x06, 0x23, 0x0b, 0x34, 0x73, 0x2c, 0x94,
-	0x6a, 0xb1, 0x52, 0xff, 0xec, 0xc3, 0xb3, 0xcc, 0x8d, 0x25, 0x9a, 0xcc, 0x4e, 0x78, 0x4b, 0xd7,
-	0xbd, 0xad, 0x4c, 0x2c, 0xfc, 0x81, 0xae, 0xf1, 0x19, 0x80, 0x93, 0x98, 0xb5, 0xa4, 0xbd, 0x5e,
-	0xce, 0xfa, 0x69, 0x2d, 0x69, 0x38, 0x05, 0xaf, 0x73, 0x32, 0xf3, 0xd7, 0x3f, 0x37, 0x01, 0xfa,
-	0xb5, 0x09, 0xd0, 0xef, 0x4d, 0x80, 0x3e, 0x3f, 0x2f, 0xb9, 0x61, 0xab, 0x2c, 0xca, 0xc5, 0x32,
-	0x26, 0x0b, 0x9e, 0x91, 0x8c, 0xc4, 0x6d, 0x1d, 0x7b, 0xf1, 0xbd, 0x7f, 0x26, 0x1b, 0xdb, 0x8b,
-	0x7f, 0xf1, 0x37, 0x00, 0x00, 0xff, 0xff, 0x75, 0x5c, 0x9e, 0x28, 0x4b, 0x03, 0x00, 0x00,
+	// 506 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x93, 0xdf, 0x6e, 0xd3, 0x30,
+	0x14, 0xc6, 0x71, 0xd7, 0x76, 0xdd, 0xc9, 0xca, 0x85, 0x27, 0xa4, 0x68, 0x82, 0x32, 0xb2, 0x0b,
+	0x26, 0x40, 0x89, 0x56, 0xb8, 0x40, 0x43, 0x5c, 0xac, 0xe2, 0xcf, 0x24, 0x84, 0x34, 0x65, 0x5c,
+	0x71, 0x13, 0x39, 0x89, 0x49, 0xac, 0xb5, 0xb1, 0x65, 0xbb, 0x85, 0xbc, 0x05, 0xaf, 0xc1, 0x9b,
+	0xec, 0x92, 0x47, 0x40, 0x7d, 0x12, 0x14, 0x3b, 0x5d, 0x93, 0xa9, 0xdd, 0x5d, 0x74, 0xbe, 0xef,
+	0x77, 0x7c, 0x3e, 0x9f, 0x18, 0x46, 0x05, 0xd5, 0x3f, 0xb9, 0xbc, 0x66, 0x45, 0x16, 0x2c, 0x4e,
+	0x83, 0x5c, 0x6b, 0x11, 0x8d, 0x23, 0x29, 0x12, 0x5f, 0x48, 0xae, 0x39, 0x7e, 0x94, 0xb3, 0x4c,
+	0x52, 0xa5, 0xfc, 0xb5, 0xcf, 0x5f, 0x9c, 0x1e, 0x3e, 0xcd, 0x38, 0xcf, 0xa6, 0x34, 0x20, 0x82,
+	0x05, 0x3f, 0x18, 0x9d, 0xa6, 0x51, 0x4c, 0x73, 0xb2, 0x60, 0x5c, 0x5a, 0xce, 0xfb, 0x8d, 0x60,
+	0x70, 0xa1, 0xb5, 0x18, 0x87, 0x22, 0xc1, 0xef, 0xa0, 0x97, 0xce, 0xe3, 0x98, 0xbb, 0xe8, 0x08,
+	0x9d, 0x38, 0xe3, 0x63, 0x7f, 0x63, 0x53, 0xff, 0x43, 0xe5, 0xb9, 0xa2, 0x72, 0xc1, 0x12, 0x7a,
+	0xf1, 0x20, 0xb4, 0x0c, 0x7e, 0x0b, 0xdd, 0x4c, 0x8a, 0xc4, 0xed, 0x18, 0xd6, 0xdb, 0xc2, 0x7e,
+	0x96, 0x22, 0x59, 0xa3, 0x86, 0x98, 0x0c, 0xc1, 0x49, 0xa9, 0xd2, 0xac, 0x20, 0x9a, 0xf1, 0xc2,
+	0xfb, 0x83, 0x60, 0xbf, 0x79, 0x04, 0x1e, 0xc1, 0xae, 0xb2, 0x9f, 0x66, 0xb0, 0xbd, 0x49, 0x77,
+	0x79, 0x8e, 0x3a, 0xe1, 0xaa, 0x58, 0xe9, 0x0b, 0x2a, 0x15, 0xe3, 0x85, 0x39, 0xfc, 0x56, 0xaf,
+	0x8b, 0xf8, 0x10, 0x7a, 0x99, 0xe4, 0x73, 0xe1, 0xee, 0xdc, 0xaa, 0x28, 0xb4, 0x25, 0xfc, 0x1e,
+	0x76, 0x67, 0x54, 0xe7, 0x3c, 0x55, 0x6e, 0xf7, 0x68, 0xe7, 0xc4, 0x19, 0x3f, 0xd9, 0x32, 0xf8,
+	0x57, 0xe3, 0x5a, 0xb5, 0xae, 0x19, 0xef, 0xa6, 0x03, 0x7d, 0xab, 0xe0, 0x97, 0xf0, 0xb0, 0x1e,
+	0x28, 0xb2, 0x6a, 0x6b, 0xd8, 0x61, 0xad, 0xad, 0xcd, 0x39, 0x25, 0x29, 0x95, 0x2a, 0x22, 0x5a,
+	0x93, 0x24, 0x6f, 0x4c, 0x8e, 0xc2, 0x61, 0xad, 0x9d, 0x1b, 0x09, 0x3f, 0x83, 0x3d, 0xb3, 0x6f,
+	0x41, 0x74, 0xde, 0xc8, 0xd0, 0x09, 0x07, 0x55, 0xf9, 0x92, 0xe8, 0x1c, 0x3f, 0x87, 0x7d, 0x63,
+	0x69, 0x66, 0x59, 0xb9, 0x9c, 0x4a, 0xb1, 0xe7, 0x2a, 0xfc, 0x06, 0xfa, 0x82, 0x48, 0x32, 0x53,
+	0x6e, 0xcf, 0xc4, 0x7d, 0xbc, 0x25, 0xee, 0x65, 0x65, 0x0a, 0x6b, 0x2f, 0x8e, 0xe1, 0xc0, 0x7c,
+	0x7d, 0x92, 0x7c, 0xf6, 0xb1, 0xd0, 0x4c, 0xd2, 0x09, 0x4f, 0x4b, 0xb7, 0x6f, 0x56, 0xfd, 0xe2,
+	0xbe, 0x16, 0x6d, 0xa2, 0xce, 0xb7, 0xa9, 0x99, 0xf7, 0x0b, 0x7a, 0x86, 0xa8, 0xb2, 0x18, 0x3d,
+	0x52, 0x7c, 0x2e, 0xef, 0xec, 0xdc, 0x31, 0xca, 0x95, 0x11, 0xaa, 0x7b, 0xb1, 0xc6, 0x6b, 0x5a,
+	0xb6, 0x36, 0x3f, 0x30, 0xe5, 0x2f, 0xb4, 0xc4, 0xc7, 0x00, 0xd6, 0xa2, 0x4b, 0x41, 0x5b, 0x77,
+	0x67, 0xd1, 0x6f, 0xa5, 0xa0, 0xde, 0x19, 0x1c, 0x6c, 0x98, 0xf5, 0x0e, 0x8b, 0x36, 0xb3, 0x43,
+	0x70, 0x1a, 0xbf, 0xf4, 0xe4, 0xec, 0x66, 0x39, 0x42, 0x7f, 0x97, 0x23, 0xf4, 0x6f, 0x39, 0x42,
+	0xdf, 0x5f, 0x65, 0x4c, 0xe7, 0xf3, 0xd8, 0x4f, 0xf8, 0x2c, 0x20, 0x53, 0x16, 0x93, 0x98, 0x04,
+	0xf5, 0x5d, 0x99, 0x17, 0xd9, 0x7a, 0xd3, 0x71, 0xdf, 0xbc, 0xc8, 0xd7, 0xff, 0x03, 0x00, 0x00,
+	0xff, 0xff, 0x30, 0xef, 0x3d, 0xa9, 0xeb, 0x03, 0x00, 0x00,
 }

 func (m *Http2Rpc) Marshal() (dAtA []byte, err error) {
@@ -587,6 +646,18 @@ func (m *Method) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
+	if m.ParamFromEntireBody != nil {
+		{
+			size, err := m.ParamFromEntireBody.MarshalToSizedBuffer(dAtA[:i])
+			if err != nil {
+				return 0, err
+			}
+			i -= size
+			i = encodeVarintHttp_2Rpc(dAtA, i, uint64(size))
+		}
+		i--
+		dAtA[i] = 0x32
+	}
 	if len(m.Params) > 0 {
 		for iNdEx := len(m.Params) - 1; iNdEx >= 0; iNdEx-- {
 			{
@@ -682,6 +753,40 @@ func (m *Param) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	return len(dAtA) - i, nil
 }

+func (m *ParamFromEntireBody) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ParamFromEntireBody) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *ParamFromEntireBody) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if m.XXX_unrecognized != nil {
+		i -= len(m.XXX_unrecognized)
+		copy(dAtA[i:], m.XXX_unrecognized)
+	}
+	if len(m.ParamType) > 0 {
+		i -= len(m.ParamType)
+		copy(dAtA[i:], m.ParamType)
+		i = encodeVarintHttp_2Rpc(dAtA, i, uint64(len(m.ParamType)))
+		i--
+		dAtA[i] = 0xa
+	}
+	return len(dAtA) - i, nil
+}
+
 func (m *GrpcService) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
 	dAtA = make([]byte, size)
@@ -819,6 +924,10 @@ func (m *Method) Size() (n int) {
 			n += 1 + l + sovHttp_2Rpc(uint64(l))
 		}
 	}
+	if m.ParamFromEntireBody != nil {
+		l = m.ParamFromEntireBody.Size()
+		n += 1 + l + sovHttp_2Rpc(uint64(l))
+	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@@ -849,6 +958,22 @@ func (m *Param) Size() (n int) {
 	return n
 }

+func (m *ParamFromEntireBody) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.ParamType)
+	if l > 0 {
+		n += 1 + l + sovHttp_2Rpc(uint64(l))
+	}
+	if m.XXX_unrecognized != nil {
+		n += len(m.XXX_unrecognized)
+	}
+	return n
+}
+
 func (m *GrpcService) Size() (n int) {
 	if m == nil {
 		return 0
@@ -1360,6 +1485,42 @@ func (m *Method) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ParamFromEntireBody", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowHttp_2Rpc
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthHttp_2Rpc
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthHttp_2Rpc
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ParamFromEntireBody == nil {
+				m.ParamFromEntireBody = &ParamFromEntireBody{}
+			}
+			if err := m.ParamFromEntireBody.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipHttp_2Rpc(dAtA[iNdEx:])
@@ -1529,6 +1690,89 @@ func (m *Param) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
+func (m *ParamFromEntireBody) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowHttp_2Rpc
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ParamFromEntireBody: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ParamFromEntireBody: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ParamType", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowHttp_2Rpc
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthHttp_2Rpc
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthHttp_2Rpc
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ParamType = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipHttp_2Rpc(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthHttp_2Rpc
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
 func (m *GrpcService) Unmarshal(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
--- a/api/networking/v1/http_2_rpc.proto
+++ b/api/networking/v1/http_2_rpc.proto
@@ -62,6 +62,7 @@ message Method {
  string http_path = 3 [(google.api.field_behavior) = REQUIRED];
  repeated string http_methods = 4 [(google.api.field_behavior) = REQUIRED];
  repeated Param params = 5;
+  ParamFromEntireBody paramFromEntireBody = 6 [(google.api.field_behavior) = OPTIONAL];
 }

 message Param {
@@ -70,5 +71,9 @@ message Param {
  string param_type = 3 [(google.api.field_behavior) = REQUIRED];
 }

+message ParamFromEntireBody {
+  string param_type = 1 [(google.api.field_behavior) = REQUIRED];
+}
+
 message GrpcService {
 }
--- a/api/networking/v1/http_2_rpc_deepcopy.gen.go
+++ b/api/networking/v1/http_2_rpc_deepcopy.gen.go
@@ -99,6 +99,27 @@ func (in *Param) DeepCopyInterface() interface{} {
 	return in.DeepCopy()
 }

+// DeepCopyInto supports using ParamFromEntireBody within kubernetes types, where deepcopy-gen is used.
+func (in *ParamFromEntireBody) DeepCopyInto(out *ParamFromEntireBody) {
+	p := proto.Clone(in).(*ParamFromEntireBody)
+	*out = *p
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParamFromEntireBody. Required by controller-gen.
+func (in *ParamFromEntireBody) DeepCopy() *ParamFromEntireBody {
+	if in == nil {
+		return nil
+	}
+	out := new(ParamFromEntireBody)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new ParamFromEntireBody. Required by controller-gen.
+func (in *ParamFromEntireBody) DeepCopyInterface() interface{} {
+	return in.DeepCopy()
+}
+
 // DeepCopyInto supports using GrpcService within kubernetes types, where deepcopy-gen is used.
 func (in *GrpcService) DeepCopyInto(out *GrpcService) {
 	p := proto.Clone(in).(*GrpcService)
--- a/api/networking/v1/http_2_rpc_json.gen.go
+++ b/api/networking/v1/http_2_rpc_json.gen.go
@@ -61,6 +61,17 @@ func (this *Param) UnmarshalJSON(b []byte) error {
 	return Http_2RpcUnmarshaler.Unmarshal(bytes.NewReader(b), this)
 }

+// MarshalJSON is a custom marshaler for ParamFromEntireBody
+func (this *ParamFromEntireBody) MarshalJSON() ([]byte, error) {
+	str, err := Http_2RpcMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for ParamFromEntireBody
+func (this *ParamFromEntireBody) UnmarshalJSON(b []byte) error {
+	return Http_2RpcUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
 // MarshalJSON is a custom marshaler for GrpcService
 func (this *GrpcService) MarshalJSON() ([]byte, error) {
 	str, err := Http_2RpcMarshaler.MarshalToString(this)
--- a/cmd/hgctl/config/gateway_config.go
+++ b/cmd/hgctl/config/gateway_config.go
@@ -0,0 +1,252 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package config
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+
+	"github.com/alibaba/higress/pkg/cmd/hgctl/kubernetes"
+	"github.com/alibaba/higress/pkg/cmd/options"
+	"istio.io/istio/istioctl/pkg/writer/envoy/configdump"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/yaml"
+)
+
+var (
+	BootstrapEnvoyConfigType EnvoyConfigType = "bootstrap"
+	ClusterEnvoyConfigType   EnvoyConfigType = "cluster"
+	EndpointEnvoyConfigType  EnvoyConfigType = "endpoint"
+	ListenerEnvoyConfigType  EnvoyConfigType = "listener"
+	RouteEnvoyConfigType     EnvoyConfigType = "route"
+	AllEnvoyConfigType       EnvoyConfigType = "all"
+)
+
+const (
+	defaultProxyAdminPort = 15000
+)
+
+type EnvoyConfigType string
+
+type GetEnvoyConfigOptions struct {
+	IncludeEds      bool
+	PodName         string
+	PodNamespace    string
+	BindAddress     string
+	Output          string
+	EnvoyConfigType EnvoyConfigType
+}
+
+func NewDefaultGetEnvoyConfigOptions() *GetEnvoyConfigOptions {
+	return &GetEnvoyConfigOptions{
+		IncludeEds:      true,
+		PodName:         "",
+		PodNamespace:    "higress-system",
+		BindAddress:     "localhost",
+		Output:          "json",
+		EnvoyConfigType: AllEnvoyConfigType,
+	}
+}
+
+func setupConfigdumpEnvoyConfigWriter(debug []byte, stdout io.Writer) (*configdump.ConfigWriter, error) {
+	cw := &configdump.ConfigWriter{Stdout: stdout}
+	err := cw.Prime(debug)
+	if err != nil {
+		return nil, err
+	}
+	return cw, nil
+}
+
+func GetEnvoyConfigWriter(config *GetEnvoyConfigOptions, stdout io.Writer) (*configdump.ConfigWriter, error) {
+	configDump, err := retrieveConfigDump(config.PodName, config.PodNamespace, config.BindAddress, config.IncludeEds)
+	if err != nil {
+		return nil, err
+	}
+	return setupConfigdumpEnvoyConfigWriter(configDump, stdout)
+}
+
+func GetEnvoyConfig(config *GetEnvoyConfigOptions) ([]byte, error) {
+	configDump, err := retrieveConfigDump(config.PodName, config.PodNamespace, config.BindAddress, config.IncludeEds)
+	if err != nil {
+		return nil, err
+	}
+	if config.EnvoyConfigType == AllEnvoyConfigType {
+		return configDump, nil
+	}
+	resource, err := getXDSResource(config.EnvoyConfigType, configDump)
+	if err != nil {
+		return nil, err
+	}
+	return formatGatewayConfig(resource, config.Output)
+}
+
+func retrieveConfigDump(podName, podNamespace, bindAddress string, includeEds bool) ([]byte, error) {
+	if podNamespace == "" {
+		return nil, fmt.Errorf("pod namespace is required")
+	}
+
+	if podName == "" {
+		c, err := kubernetes.NewCLIClient(options.DefaultConfigFlags.ToRawKubeConfigLoader())
+		if err != nil {
+			return nil, fmt.Errorf("failed to build kubernetes client: %w", err)
+		}
+		podList, err := c.PodsForSelector(podNamespace, "app=higress-gateway")
+		if err != nil {
+			return nil, err
+		}
+		if len(podList.Items) == 0 {
+			return nil, fmt.Errorf("higress gateway pod is not existed in namespace %s", podNamespace)
+		}
+
+		podName = podList.Items[0].GetName()
+	}
+
+	fw, err := portForwarder(types.NamespacedName{
+		Namespace: podNamespace,
+		Name:      podName,
+	}, bindAddress)
+	if err != nil {
+		return nil, err
+	}
+	if err := fw.Start(); err != nil {
+		return nil, err
+	}
+	defer fw.Stop()
+
+	configDump, err := fetchGatewayConfig(fw, includeEds)
+	if err != nil {
+		return nil, err
+	}
+
+	return configDump, nil
+}
+
+func portForwarder(nn types.NamespacedName, bindAddress string) (kubernetes.PortForwarder, error) {
+	c, err := kubernetes.NewCLIClient(options.DefaultConfigFlags.ToRawKubeConfigLoader())
+	if err != nil {
+		return nil, fmt.Errorf("build CLI client fail: %w", err)
+	}
+
+	pod, err := c.Pod(nn)
+	if err != nil {
+		return nil, fmt.Errorf("get pod %s fail: %w", nn, err)
+	}
+	if pod.Status.Phase != "Running" {
+		return nil, fmt.Errorf("pod %s is not running", nn)
+	}
+
+	fw, err := kubernetes.NewLocalPortForwarder(c, nn, 0, defaultProxyAdminPort, bindAddress)
+	if err != nil {
+		return nil, err
+	}
+
+	return fw, nil
+}
+
+func formatGatewayConfig(configDump any, output string) ([]byte, error) {
+	out, err := json.MarshalIndent(configDump, "", "  ")
+	if err != nil {
+		return nil, err
+	}
+	if output == "yaml" {
+		out, err = yaml.JSONToYAML(out)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return out, nil
+}
+
+func fetchGatewayConfig(fw kubernetes.PortForwarder, includeEds bool) ([]byte, error) {
+	out, err := configDumpRequest(fw.Address(), includeEds)
+	if err != nil {
+		return nil, err
+	}
+
+	return out, nil
+}
+
+func configDumpRequest(address string, includeEds bool) ([]byte, error) {
+	url := fmt.Sprintf("http://%s/config_dump", address)
+	if includeEds {
+		url = fmt.Sprintf("%s?include_eds", url)
+	}
+	req, err := http.NewRequest("GET", url, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		_ = resp.Body.Close()
+	}()
+
+	return io.ReadAll(resp.Body)
+}
+
+func getXDSResource(resourceType EnvoyConfigType, configDump []byte) (any, error) {
+	cd := map[string]any{}
+	if err := json.Unmarshal(configDump, &cd); err != nil {
+		return nil, err
+	}
+	if resourceType == AllEnvoyConfigType {
+		return cd, nil
+	}
+	configs := cd["configs"]
+	globalConfigs := configs.([]any)
+
+	switch resourceType {
+	case BootstrapEnvoyConfigType:
+		for _, config := range globalConfigs {
+			if config.(map[string]interface{})["@type"] == "type.googleapis.com/envoy.admin.v3.BootstrapConfigDump" {
+				return config, nil
+			}
+		}
+	case EndpointEnvoyConfigType:
+		for _, config := range globalConfigs {
+			if config.(map[string]interface{})["@type"] == "type.googleapis.com/envoy.admin.v3.EndpointsConfigDump" {
+				return config, nil
+			}
+		}
+
+	case ClusterEnvoyConfigType:
+		for _, config := range globalConfigs {
+			if config.(map[string]interface{})["@type"] == "type.googleapis.com/envoy.admin.v3.ClustersConfigDump" {
+				return config, nil
+			}
+		}
+	case ListenerEnvoyConfigType:
+		for _, config := range globalConfigs {
+			if config.(map[string]interface{})["@type"] == "type.googleapis.com/envoy.admin.v3.ListenersConfigDump" {
+				return config, nil
+			}
+		}
+	case RouteEnvoyConfigType:
+		for _, config := range globalConfigs {
+			if config.(map[string]interface{})["@type"] == "type.googleapis.com/envoy.admin.v3.RoutesConfigDump" {
+				return config, nil
+			}
+		}
+	default:
+		return nil, fmt.Errorf("unknown resourceType %s", resourceType)
+	}
+
+	return nil, fmt.Errorf("unknown resourceType %s", resourceType)
+}
--- a/cmd/hgctl/config/gateway_config_test.go
+++ b/cmd/hgctl/config/gateway_config_test.go
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-package hgctl
+package config

 import (
 	"fmt"
@@ -38,7 +38,7 @@ type fakePortForwarder struct {
 }

 func newFakePortForwarder(b []byte) (kubernetes.PortForwarder, error) {
-	p, err := kubernetes.LocalAvailablePort()
+	p, err := kubernetes.LocalAvailablePort("localhost")
 	if err != nil {
 		return nil, err
 	}
@@ -109,7 +109,7 @@ func TestExtractAllConfigDump(t *testing.T) {
 		t.Run(tc.output, func(t *testing.T) {
 			configDump, err := fetchGatewayConfig(fw, true)
 			assert.NoError(t, err)
-			data, err := GetXDSResource(AllEnvoyConfigType, configDump)
+			data, err := getXDSResource(AllEnvoyConfigType, configDump)
 			assert.NoError(t, err)
 			got, err := formatGatewayConfig(data, tc.output)
 			assert.NoError(t, err)
@@ -137,7 +137,7 @@ func TestExtractSubResourcesConfigDump(t *testing.T) {
 	cases := []struct {
 		output       string
 		expected     string
-		resourceType envoyConfigType
+		resourceType EnvoyConfigType
 	}{
 		{
 			output:       "json",
@@ -192,7 +192,7 @@ func TestExtractSubResourcesConfigDump(t *testing.T) {
 		t.Run(tc.output, func(t *testing.T) {
 			configDump, err := fetchGatewayConfig(fw, false)
 			assert.NoError(t, err)
-			resource, err := GetXDSResource(tc.resourceType, configDump)
+			resource, err := getXDSResource(tc.resourceType, configDump)
 			assert.NoError(t, err)
 			got, err := formatGatewayConfig(resource, tc.output)
 			assert.NoError(t, err)
--- a/cmd/hgctl/config/testdata/config/input/in.all.json
+++ b/cmd/hgctl/config/testdata/config/input/in.all.json
--- a/cmd/hgctl/config/testdata/config/output/out.all.json
+++ b/cmd/hgctl/config/testdata/config/output/out.all.json
--- a/cmd/hgctl/config/testdata/config/output/out.all.yaml
+++ b/cmd/hgctl/config/testdata/config/output/out.all.yaml
--- a/cmd/hgctl/config/testdata/config/output/out.bootstrap.json
+++ b/cmd/hgctl/config/testdata/config/output/out.bootstrap.json
--- a/cmd/hgctl/config/testdata/config/output/out.bootstrap.yaml
+++ b/cmd/hgctl/config/testdata/config/output/out.bootstrap.yaml
--- a/cmd/hgctl/config/testdata/config/output/out.cluster.json
+++ b/cmd/hgctl/config/testdata/config/output/out.cluster.json
--- a/cmd/hgctl/config/testdata/config/output/out.cluster.yaml
+++ b/cmd/hgctl/config/testdata/config/output/out.cluster.yaml
--- a/cmd/hgctl/config/testdata/config/output/out.endpoints.json
+++ b/cmd/hgctl/config/testdata/config/output/out.endpoints.json
--- a/cmd/hgctl/config/testdata/config/output/out.endpoints.yaml
+++ b/cmd/hgctl/config/testdata/config/output/out.endpoints.yaml
--- a/cmd/hgctl/config/testdata/config/output/out.listener.json
+++ b/cmd/hgctl/config/testdata/config/output/out.listener.json
--- a/cmd/hgctl/config/testdata/config/output/out.listener.yaml
+++ b/cmd/hgctl/config/testdata/config/output/out.listener.yaml
--- a/cmd/hgctl/config/testdata/config/output/out.route.json
+++ b/cmd/hgctl/config/testdata/config/output/out.route.json
--- a/cmd/hgctl/config/testdata/config/output/out.route.yaml
+++ b/cmd/hgctl/config/testdata/config/output/out.route.yaml
--- a/cmd/higress/main.go
+++ b/cmd/higress/main.go
@@ -18,10 +18,13 @@ import (
 	"fmt"
 	"os"

+	"istio.io/pkg/log"
+
 	"github.com/alibaba/higress/pkg/cmd"
 )

 func main() {
+	log.EnableKlogWithCobra()
 	if err := cmd.GetRootCommand().Execute(); err != nil {
 		_, _ = fmt.Fprintln(os.Stderr, err)
 		os.Exit(1)
--- a/codecov.yml
+++ b/codecov.yml
@@ -2,7 +2,11 @@ codecov:
  require_ci_to_pass: yes
 coverage:
  status:
-    patch: no
+    patch: 
+      default:
+        target: 50%
+        threshold: 0%
+        if_ci_failed: error # success, failure, error, ignore
    project:
      default:
        target: auto
@@ -17,4 +21,4 @@ ignore:
 comment:
  layout: "reach,diff,flags,tree"
  behavior: default
-  require_changes: no
+  require_changes: no
--- a/envoy/1.20/patches/envoy/20231008-fallback-origin-cluster.patch
+++ b/envoy/1.20/patches/envoy/20231008-fallback-origin-cluster.patch
@@ -0,0 +1,111 @@
+diff -Naur envoy/contrib/custom_cluster_plugins/cluster_fallback/source/filter.cc envoy-new/contrib/custom_cluster_plugins/cluster_fallback/source/filter.cc
+--- envoy/contrib/custom_cluster_plugins/cluster_fallback/source/filter.cc	2023-10-08 15:01:21.960871500 +0800
+++ envoy-new/contrib/custom_cluster_plugins/cluster_fallback/source/filter.cc	2023-09-27 17:03:41.613256338 +0800
+@@ -60,7 +60,7 @@
+ 
+   for (const auto& cluster_name : first_item->second) {
+     if (hasHealthHost(cluster_name)) {
+-      return base.clone(cluster_name);
+      return base.clone(cluster_name, first_item->first);
+     }
+   }
+ 
+@@ -75,7 +75,8 @@
+ 
+   auto search = clusters_config_.find(route_entry.clusterName());
+   if (search == clusters_config_.end()) {
+-    ENVOY_LOG(warn, "there is no fallback cluster config, the original routing cluster is returned");
+    ENVOY_LOG(warn,
+              "there is no fallback cluster config, the original routing cluster is returned");
+     return cluster_entry.getRouteConstSharedPtr();
+   }
+ 
+@@ -87,7 +88,7 @@
+ 
+   for (const auto& cluster_name : search->second) {
+     if (hasHealthHost(cluster_name)) {
+-      return cluster_entry.clone(cluster_name);
+      return cluster_entry.clone(cluster_name, search->first);
+     }
+   }
+ 
+diff -Naur envoy/source/common/http/headers.h envoy-new/source/common/http/headers.h
+--- envoy/source/common/http/headers.h	2023-10-08 15:01:21.968871828 +0800
+++ envoy-new/source/common/http/headers.h	2023-09-27 18:48:50.059419606 +0800
+@@ -124,6 +124,7 @@
+     const LowerCaseString TriStartTime{"req-start-time"};
+     const LowerCaseString TriRespStartTime{"resp-start-time"};
+     const LowerCaseString EnvoyOriginalHost{"original-host"};
+    const LowerCaseString HigressOriginalService{"x-higress-original-service"};
+   } AliExtendedValues;
+ #endif
+ };
+diff -Naur envoy/source/common/router/config_impl.cc envoy-new/source/common/router/config_impl.cc
+--- envoy/source/common/router/config_impl.cc	2023-10-08 15:01:21.968871828 +0800
+++ envoy-new/source/common/router/config_impl.cc	2023-09-27 18:49:18.656592237 +0800
+@@ -563,7 +563,6 @@
+         route.name());
+   }
+   // End Added
+-
+ }
+ 
+ bool RouteEntryImplBase::evaluateRuntimeMatch(const uint64_t random_value) const {
+@@ -662,6 +661,10 @@
+   }
+ 
+ #if defined(ALIMESH)
+  if (!origin_cluster_name_.empty()) {
+    headers.addCopy(Http::CustomHeaders::get().AliExtendedValues.HigressOriginalService,
+                    origin_cluster_name_);
+  }
+   headers.setReferenceKey(Http::CustomHeaders::get().AliExtendedValues.EnvoyOriginalHost,
+                           headers.getHostValue());
+ #endif
+diff -Naur envoy/source/common/router/config_impl.h envoy-new/source/common/router/config_impl.h
+--- envoy/source/common/router/config_impl.h	2023-10-08 15:01:21.968871828 +0800
+++ envoy-new/source/common/router/config_impl.h	2023-09-27 18:59:11.196893507 +0800
+@@ -584,9 +584,13 @@
+     return internal_active_redirect_policy_;
+   }
+ 
+-  RouteConstSharedPtr clone(const std::string& name) const {
+-    return std::make_shared<DynamicRouteEntry>(this, name);
+  RouteConstSharedPtr clone(const std::string& name, const std::string& origin_cluster = "") const {
+    auto entry = std::make_shared<DynamicRouteEntry>(this, name);
+    entry->setOriginClusterName(origin_cluster);
+    return entry;
+   }
+
+  void setOriginClusterName(const std::string& name) const { origin_cluster_name_ = name; }
+ #endif
+   uint32_t retryShadowBufferLimit() const override { return retry_shadow_buffer_limit_; }
+   const std::vector<ShadowPolicyPtr>& shadowPolicies() const override { return shadow_policies_; }
+@@ -787,11 +791,17 @@
+       return parent_->internalActiveRedirectPolicy();
+     }
+ 
+-    RouteConstSharedPtr clone(const std::string& name) const {
+-      return std::make_shared<Envoy::Router::RouteEntryImplBase::DynamicRouteEntry>(parent_, name);
+    RouteConstSharedPtr clone(const std::string& name,
+                              const std::string& origin_cluster = "") const {
+      auto entry =
+          std::make_shared<Envoy::Router::RouteEntryImplBase::DynamicRouteEntry>(parent_, name);
+      entry->setOriginClusterName(origin_cluster);
+      return entry;
+     }
+ 
+     virtual RouteConstSharedPtr getRouteConstSharedPtr() const { return shared_from_this(); }
+
+    void setOriginClusterName(const std::string& name) { parent_->setOriginClusterName(name); }
+ #endif
+ 
+   private:
+@@ -1039,6 +1049,7 @@
+ 
+ #if defined(ALIMESH)
+   const InternalActiveRedirectPoliciesImpl internal_active_redirect_policy_;
+  mutable std::string origin_cluster_name_;
+ #endif
+ };
+ 
--- a/envoy/1.20/patches/envoy/20231124-rds-optimize.patch
+++ b/envoy/1.20/patches/envoy/20231124-rds-optimize.patch
@@ -0,0 +1,315 @@
+diff -Naur envoy/envoy/router/rds.h envoy-new/envoy/router/rds.h
+--- envoy/envoy/router/rds.h	2023-11-24 10:52:39.914235488 +0800
+++ envoy-new/envoy/router/rds.h	2023-11-24 10:47:36.293873127 +0800
+@@ -51,12 +51,6 @@
+   virtual void onConfigUpdate() PURE;
+ 
+   /**
+-   * Validate if the route configuration can be applied to the context of the route config provider.
+-   */
+-  virtual void
+-  validateConfig(const envoy::config::route::v3::RouteConfiguration& config) const PURE;
+-
+-  /**
+    * Callback used to request an update to the route configuration from the management server.
+    * @param for_domain supplies the domain name that virtual hosts must match on
+    * @param thread_local_dispatcher thread-local dispatcher
+diff -Naur envoy/envoy/router/route_config_update_receiver.h envoy-new/envoy/router/route_config_update_receiver.h
+--- envoy/envoy/router/route_config_update_receiver.h	2023-11-24 10:52:39.918235651 +0800
+++ envoy-new/envoy/router/route_config_update_receiver.h	2023-11-24 10:47:36.293873127 +0800
+@@ -27,6 +27,7 @@
+    * @param rc supplies the RouteConfiguration.
+    * @param version_info supplies RouteConfiguration version.
+    * @return bool whether RouteConfiguration has been updated.
+   * @throw EnvoyException if the new config can't be applied.
+    */
+   virtual bool onRdsUpdate(const envoy::config::route::v3::RouteConfiguration& rc,
+                            const std::string& version_info) PURE;
+diff -Naur envoy/source/common/router/rds_impl.cc envoy-new/source/common/router/rds_impl.cc
+--- envoy/source/common/router/rds_impl.cc	2023-11-24 10:52:40.194246888 +0800
+++ envoy-new/source/common/router/rds_impl.cc	2023-11-24 10:47:36.293873127 +0800
+@@ -122,9 +122,6 @@
+     throw EnvoyException(fmt::format("Unexpected RDS configuration (expecting {}): {}",
+                                      route_config_name_, route_config.name()));
+   }
+-  if (route_config_provider_opt_.has_value()) {
+-    route_config_provider_opt_.value()->validateConfig(route_config);
+-  }
+   std::unique_ptr<Init::ManagerImpl> noop_init_manager;
+   std::unique_ptr<Cleanup> resume_rds;
+   if (config_update_info_->onRdsUpdate(route_config, version_info)) {
+@@ -292,12 +289,6 @@
+   }
+ }
+ 
+-void RdsRouteConfigProviderImpl::validateConfig(
+-    const envoy::config::route::v3::RouteConfiguration& config) const {
+-  // TODO(lizan): consider cache the config here until onConfigUpdate.
+-  ConfigImpl validation_config(config, optional_http_filters_, factory_context_, validator_, false);
+-}
+-
+ // Schedules a VHDS request on the main thread and queues up the callback to use when the VHDS
+ // response has been propagated to the worker thread that was the request origin.
+ void RdsRouteConfigProviderImpl::requestVirtualHostsUpdate(
+diff -Naur envoy/source/common/router/rds_impl.h envoy-new/source/common/router/rds_impl.h
+--- envoy/source/common/router/rds_impl.h	2023-11-24 10:52:40.194246888 +0800
+++ envoy-new/source/common/router/rds_impl.h	2023-11-24 10:47:36.293873127 +0800
+@@ -81,7 +81,6 @@
+   }
+   SystemTime lastUpdated() const override { return last_updated_; }
+   void onConfigUpdate() override {}
+-  void validateConfig(const envoy::config::route::v3::RouteConfiguration&) const override {}
+   void requestVirtualHostsUpdate(const std::string&, Event::Dispatcher&,
+                                  std::weak_ptr<Http::RouteConfigUpdatedCallback>) override {
+     NOT_IMPLEMENTED_GCOVR_EXCL_LINE;
+@@ -209,7 +208,6 @@
+   void requestVirtualHostsUpdate(
+       const std::string& for_domain, Event::Dispatcher& thread_local_dispatcher,
+       std::weak_ptr<Http::RouteConfigUpdatedCallback> route_config_updated_cb) override;
+-  void validateConfig(const envoy::config::route::v3::RouteConfiguration& config) const override;
+ 
+ private:
+   struct ThreadLocalConfig : public ThreadLocal::ThreadLocalObject {
+diff -Naur envoy/source/common/router/route_config_update_receiver_impl.cc envoy-new/source/common/router/route_config_update_receiver_impl.cc
+--- envoy/source/common/router/route_config_update_receiver_impl.cc	2023-11-24 10:52:40.194246888 +0800
+++ envoy-new/source/common/router/route_config_update_receiver_impl.cc	2023-11-24 10:47:36.297873290 +0800
+@@ -1,6 +1,7 @@
+ #include "source/common/router/route_config_update_receiver_impl.h"
+ 
+ #include <string>
+#include <utility>
+ 
+ #include "envoy/config/route/v3/route.pb.h"
+ #include "envoy/service/discovery/v3/discovery.pb.h"
+@@ -14,23 +15,49 @@
+ namespace Envoy {
+ namespace Router {
+ 
+namespace {
+
+// Resets 'route_config::virtual_hosts' by merging VirtualHost contained in
+// 'rds_vhosts' and 'vhds_vhosts'.
+void rebuildRouteConfigVirtualHosts(
+    const std::map<std::string, envoy::config::route::v3::VirtualHost>& rds_vhosts,
+    const std::map<std::string, envoy::config::route::v3::VirtualHost>& vhds_vhosts,
+    envoy::config::route::v3::RouteConfiguration& route_config) {
+  route_config.clear_virtual_hosts();
+  for (const auto& vhost : rds_vhosts) {
+    route_config.mutable_virtual_hosts()->Add()->CopyFrom(vhost.second);
+  }
+  for (const auto& vhost : vhds_vhosts) {
+    route_config.mutable_virtual_hosts()->Add()->CopyFrom(vhost.second);
+  }
+}
+
+} // namespace
+
+ bool RouteConfigUpdateReceiverImpl::onRdsUpdate(
+     const envoy::config::route::v3::RouteConfiguration& rc, const std::string& version_info) {
+   const uint64_t new_hash = MessageUtil::hash(rc);
+   if (new_hash == last_config_hash_) {
+     return false;
+   }
+-  route_config_proto_ = std::make_unique<envoy::config::route::v3::RouteConfiguration>(rc);
+-  last_config_hash_ = new_hash;
+   const uint64_t new_vhds_config_hash = rc.has_vhds() ? MessageUtil::hash(rc.vhds()) : 0ul;
+  std::map<std::string, envoy::config::route::v3::VirtualHost> rds_virtual_hosts;
+  for (const auto& vhost : rc.virtual_hosts()) {
+    rds_virtual_hosts.emplace(vhost.name(), vhost);
+  }
+  envoy::config::route::v3::RouteConfiguration new_route_config = rc;
+  rebuildRouteConfigVirtualHosts(rds_virtual_hosts, *vhds_virtual_hosts_, new_route_config);
+  auto new_config = std::make_shared<ConfigImpl>(
+      new_route_config, optional_http_filters_, factory_context_,
+      factory_context_.messageValidationContext().dynamicValidationVisitor(), false);
+  // If the above validation/validation doesn't raise exception, update the
+  // other cached config entries.
+  config_ = new_config;
+  rds_virtual_hosts_ = std::move(rds_virtual_hosts);
+  last_config_hash_ = new_hash;
+  *route_config_proto_ = std::move(new_route_config);
+   vhds_configuration_changed_ = new_vhds_config_hash != last_vhds_config_hash_;
+   last_vhds_config_hash_ = new_vhds_config_hash;
+-  initializeRdsVhosts(*route_config_proto_);
+-
+-  rebuildRouteConfig(rds_virtual_hosts_, *vhds_virtual_hosts_, *route_config_proto_);
+-  config_ = std::make_shared<ConfigImpl>(
+-      *route_config_proto_, optional_http_filters_, factory_context_,
+-      factory_context_.messageValidationContext().dynamicValidationVisitor(), false);
+ 
+   onUpdateCommon(version_info);
+   return true;
+@@ -50,8 +77,8 @@
+   auto route_config_after_this_update =
+       std::make_unique<envoy::config::route::v3::RouteConfiguration>();
+   route_config_after_this_update->CopyFrom(*route_config_proto_);
+-  rebuildRouteConfig(rds_virtual_hosts_, *vhosts_after_this_update,
+-                     *route_config_after_this_update);
+  rebuildRouteConfigVirtualHosts(rds_virtual_hosts_, *vhosts_after_this_update,
+                                 *route_config_after_this_update);
+ 
+   auto new_config = std::make_shared<ConfigImpl>(
+       *route_config_after_this_update, optional_http_filters_, factory_context_,
+@@ -73,14 +100,6 @@
+   config_info_.emplace(RouteConfigProvider::ConfigInfo{*route_config_proto_, last_config_version_});
+ }
+ 
+-void RouteConfigUpdateReceiverImpl::initializeRdsVhosts(
+-    const envoy::config::route::v3::RouteConfiguration& route_configuration) {
+-  rds_virtual_hosts_.clear();
+-  for (const auto& vhost : route_configuration.virtual_hosts()) {
+-    rds_virtual_hosts_.emplace(vhost.name(), vhost);
+-  }
+-}
+-
+ bool RouteConfigUpdateReceiverImpl::removeVhosts(
+     std::map<std::string, envoy::config::route::v3::VirtualHost>& vhosts,
+     const Protobuf::RepeatedPtrField<std::string>& removed_vhost_names) {
+@@ -110,18 +129,5 @@
+   return vhosts_added;
+ }
+ 
+-void RouteConfigUpdateReceiverImpl::rebuildRouteConfig(
+-    const std::map<std::string, envoy::config::route::v3::VirtualHost>& rds_vhosts,
+-    const std::map<std::string, envoy::config::route::v3::VirtualHost>& vhds_vhosts,
+-    envoy::config::route::v3::RouteConfiguration& route_config) {
+-  route_config.clear_virtual_hosts();
+-  for (const auto& vhost : rds_vhosts) {
+-    route_config.mutable_virtual_hosts()->Add()->CopyFrom(vhost.second);
+-  }
+-  for (const auto& vhost : vhds_vhosts) {
+-    route_config.mutable_virtual_hosts()->Add()->CopyFrom(vhost.second);
+-  }
+-}
+-
+ } // namespace Router
+ } // namespace Envoy
+diff -Naur envoy/source/common/router/route_config_update_receiver_impl.h envoy-new/source/common/router/route_config_update_receiver_impl.h
+--- envoy/source/common/router/route_config_update_receiver_impl.h	2023-11-24 10:52:40.194246888 +0800
+++ envoy-new/source/common/router/route_config_update_receiver_impl.h	2023-11-24 10:47:36.297873290 +0800
+@@ -27,15 +27,10 @@
+             std::make_unique<std::map<std::string, envoy::config::route::v3::VirtualHost>>()),
+         vhds_configuration_changed_(true), optional_http_filters_(optional_http_filters) {}
+ 
+-  void initializeRdsVhosts(const envoy::config::route::v3::RouteConfiguration& route_configuration);
+   bool removeVhosts(std::map<std::string, envoy::config::route::v3::VirtualHost>& vhosts,
+                     const Protobuf::RepeatedPtrField<std::string>& removed_vhost_names);
+   bool updateVhosts(std::map<std::string, envoy::config::route::v3::VirtualHost>& vhosts,
+                     const VirtualHostRefVector& added_vhosts);
+-  void rebuildRouteConfig(
+-      const std::map<std::string, envoy::config::route::v3::VirtualHost>& rds_vhosts,
+-      const std::map<std::string, envoy::config::route::v3::VirtualHost>& vhds_vhosts,
+-      envoy::config::route::v3::RouteConfiguration& route_config);
+   bool onDemandFetchFailed(const envoy::service::discovery::v3::Resource& resource) const;
+   void onUpdateCommon(const std::string& version_info);
+ 
+diff -Naur envoy/source/server/admin/admin.h envoy-new/source/server/admin/admin.h
+--- envoy/source/server/admin/admin.h	2023-11-24 10:52:41.358294284 +0800
+++ envoy-new/source/server/admin/admin.h	2023-11-24 10:47:36.297873290 +0800
+@@ -234,7 +234,6 @@
+     absl::optional<ConfigInfo> configInfo() const override { return {}; }
+     SystemTime lastUpdated() const override { return time_source_.systemTime(); }
+     void onConfigUpdate() override {}
+-    void validateConfig(const envoy::config::route::v3::RouteConfiguration&) const override {}
+     void requestVirtualHostsUpdate(const std::string&, Event::Dispatcher&,
+                                    std::weak_ptr<Http::RouteConfigUpdatedCallback>) override {
+       NOT_IMPLEMENTED_GCOVR_EXCL_LINE;
+diff -Naur envoy/test/common/router/rds_impl_test.cc envoy-new/test/common/router/rds_impl_test.cc
+--- envoy/test/common/router/rds_impl_test.cc	2023-11-24 10:52:40.714268062 +0800
+++ envoy-new/test/common/router/rds_impl_test.cc	2023-11-24 10:47:36.297873290 +0800
+@@ -528,34 +528,66 @@
+   rds_callbacks_->onConfigUpdate(decoded_resources.refvec_, response1.version_info());
+ }
+ 
+-// Validate behavior when the config is delivered but it fails PGV validation.
+// Validates behavior when the config is delivered but it fails PGV validation.
+// The invalid config won't affect existing valid config.
+ TEST_F(RdsImplTest, FailureInvalidConfig) {
+   InSequence s;
+ 
+   setup();
+  EXPECT_CALL(init_watcher_, ready());
+ 
+-  const std::string response1_json = R"EOF(
+  const std::string valid_json = R"EOF(
+ {
+   "version_info": "1",
+   "resources": [
+     {
+       "@type": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration",
+-      "name": "INVALID_NAME_FOR_route_config",
+      "name": "foo_route_config",
+       "virtual_hosts": null
+     }
+   ]
+ }
+ )EOF";
+
+   auto response1 =
+-      TestUtility::parseYaml<envoy::service::discovery::v3::DiscoveryResponse>(response1_json);
+      TestUtility::parseYaml<envoy::service::discovery::v3::DiscoveryResponse>(valid_json);
+   const auto decoded_resources =
+       TestUtility::decodeResources<envoy::config::route::v3::RouteConfiguration>(response1);
+  EXPECT_NO_THROW(
+      rds_callbacks_->onConfigUpdate(decoded_resources.refvec_, response1.version_info()));
+  // Sadly the RdsRouteConfigSubscription privately inherited from
+  // SubscriptionCallbacks, so we has to use reinterpret_cast here.
+  RdsRouteConfigSubscription* rds_subscription =
+      reinterpret_cast<RdsRouteConfigSubscription*>(rds_callbacks_);
+  auto config_impl_pointer = rds_subscription->routeConfigProvider().value()->config();
+  // Now send an invalid config update.
+  const std::string invalid_json =
+      R"EOF(
+{
+  "version_info": "1",
+  "resources": [
+    {
+      "@type": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration",
+      "name": "INVALID_NAME_FOR_route_config",
+      "virtual_hosts": null
+    }
+  ]
+}
+)EOF";
+
+  auto response2 =
+      TestUtility::parseYaml<envoy::service::discovery::v3::DiscoveryResponse>(invalid_json);
+  const auto decoded_resources_2 =
+      TestUtility::decodeResources<envoy::config::route::v3::RouteConfiguration>(response2);
+ 
+-  EXPECT_CALL(init_watcher_, ready());
+   EXPECT_THROW_WITH_MESSAGE(
+-      rds_callbacks_->onConfigUpdate(decoded_resources.refvec_, response1.version_info()),
+      rds_callbacks_->onConfigUpdate(decoded_resources_2.refvec_, response2.version_info()),
+       EnvoyException,
+-      "Unexpected RDS configuration (expecting foo_route_config): INVALID_NAME_FOR_route_config");
+      "Unexpected RDS configuration (expecting foo_route_config): "
+      "INVALID_NAME_FOR_route_config");
+
+  // Verify that the config is still the old value.
+  ASSERT_EQ(config_impl_pointer, rds_subscription->routeConfigProvider().value()->config());
+ }
+ 
+ // rds and vhds configurations change together
+diff -Naur envoy/test/mocks/router/mocks.h envoy-new/test/mocks/router/mocks.h
+--- envoy/test/mocks/router/mocks.h	2023-11-24 10:52:41.370294773 +0800
+++ envoy-new/test/mocks/router/mocks.h	2023-11-24 10:47:36.301873453 +0800
+@@ -538,7 +538,6 @@
+   MOCK_METHOD(absl::optional<ConfigInfo>, configInfo, (), (const));
+   MOCK_METHOD(SystemTime, lastUpdated, (), (const));
+   MOCK_METHOD(void, onConfigUpdate, ());
+-  MOCK_METHOD(void, validateConfig, (const envoy::config::route::v3::RouteConfiguration&), (const));
+   MOCK_METHOD(void, requestVirtualHostsUpdate,
+               (const std::string&, Event::Dispatcher&,
+                std::weak_ptr<Http::RouteConfigUpdatedCallback> route_config_updated_cb));
+diff -Naur envoy/tools/spelling/spelling_dictionary.txt envoy-new/tools/spelling/spelling_dictionary.txt
+--- envoy/tools/spelling/spelling_dictionary.txt	2023-11-24 10:52:41.370294773 +0800
+++ envoy-new/tools/spelling/spelling_dictionary.txt	2023-11-24 10:48:54.969076506 +0800
+@@ -1303,6 +1303,7 @@
+ ep
+ suri
+ transid
+vhosts
+ WAF
+ TRI
+ tmd
--- a/envoy/1.20/patches/envoy/20231218-dubbo-optimize.patch
+++ b/envoy/1.20/patches/envoy/20231218-dubbo-optimize.patch
--- a/envoy/1.20/patches/envoy/20240104-enhance-srds.patch
+++ b/envoy/1.20/patches/envoy/20240104-enhance-srds.patch
@@ -0,0 +1,483 @@
+diff -Naur envoy/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto envoy-new/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto
+--- envoy/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto	2024-01-04 21:07:40.000000000 +0800
+++ envoy-new/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto	2024-01-04 21:09:13.000000000 +0800
+@@ -888,11 +888,31 @@
+         }
+       }
+ 
+      message HostValueExtractor {
+        option (udpa.annotations.versioning).previous_message_type =
+            "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes.ScopeKeyBuilder."
+            "FragmentBuilder.HostValueExtractor";
+
+        // The maximum number of host superset recomputes. If not specified, defaults to 100.
+        google.protobuf.UInt32Value max_recompute_num = 1;
+      }
+
+      message LocalPortValueExtractor {
+        option (udpa.annotations.versioning).previous_message_type =
+            "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes.ScopeKeyBuilder."
+            "FragmentBuilder.LocalPortValueExtractor";
+      }
+
+
+       oneof type {
+         option (validate.required) = true;
+ 
+         // Specifies how a header field's value should be extracted.
+         HeaderValueExtractor header_value_extractor = 1;
+
+        HostValueExtractor host_value_extractor = 101;
+
+        LocalPortValueExtractor local_port_value_extractor = 102;
+       }
+     }
+ 
+diff -Naur envoy/envoy/router/scopes.h envoy-new/envoy/router/scopes.h
+--- envoy/envoy/router/scopes.h	2024-01-04 21:07:38.000000000 +0800
+++ envoy-new/envoy/router/scopes.h	2024-01-04 21:09:13.000000000 +0800
+@@ -92,7 +92,12 @@
+    * @param headers the request headers to match the scoped routing configuration against.
+    * @return ConfigConstSharedPtr the router's Config matching the request headers.
+    */
+#if defined ALIMESH
+  virtual ConfigConstSharedPtr getRouteConfig(const Http::HeaderMap& headers,
+                                              const StreamInfo::StreamInfo& info) const PURE;
+#else
+   virtual ConfigConstSharedPtr getRouteConfig(const Http::HeaderMap& headers) const PURE;
+#endif
+ 
+   /**
+    * Based on the incoming HTTP request headers, returns the hash value of its scope key.
+@@ -100,6 +105,12 @@
+    * @return unique_ptr of the scope key computed from header.
+    */
+   virtual ScopeKeyPtr computeScopeKey(const Http::HeaderMap&) const { return {}; }
+
+#if defined(ALIMESH)
+  virtual ScopeKeyPtr computeScopeKey(const Http::HeaderMap&, const StreamInfo::StreamInfo&) const {
+    return {};
+  };
+#endif
+ };
+ 
+ using ScopedConfigConstSharedPtr = std::shared_ptr<const ScopedConfig>;
+diff -Naur envoy/source/common/http/conn_manager_impl.cc envoy-new/source/common/http/conn_manager_impl.cc
+--- envoy/source/common/http/conn_manager_impl.cc	2024-01-04 21:07:41.000000000 +0800
+++ envoy-new/source/common/http/conn_manager_impl.cc	2024-01-04 21:09:13.000000000 +0800
+@@ -577,8 +577,13 @@
+     requestVhdsUpdate(host_header, thread_local_dispatcher, std::move(route_config_updated_cb));
+     return;
+   } else if (parent_.snapped_scoped_routes_config_ != nullptr) {
+#if defined(ALIMESH)
+    Router::ScopeKeyPtr scope_key = parent_.snapped_scoped_routes_config_->computeScopeKey(
+        *parent_.request_headers_, parent_.connection()->streamInfo());
+#else
+     Router::ScopeKeyPtr scope_key =
+         parent_.snapped_scoped_routes_config_->computeScopeKey(*parent_.request_headers_);
+#endif
+     // If scope_key is not null, the scope exists but RouteConfiguration is not initialized.
+     if (scope_key != nullptr) {
+       requestSrdsUpdate(std::move(scope_key), thread_local_dispatcher,
+@@ -1197,7 +1202,13 @@
+ void ConnectionManagerImpl::ActiveStream::snapScopedRouteConfig() {
+   // NOTE: if a RDS subscription hasn't got a RouteConfiguration back, a Router::NullConfigImpl is
+   // returned, in that case we let it pass.
+#if defined(ALIMESH)
+  snapped_route_config_ =
+      snapped_scoped_routes_config_->getRouteConfig(*request_headers_, connection()->streamInfo());
+#else
+   snapped_route_config_ = snapped_scoped_routes_config_->getRouteConfig(*request_headers_);
+
+#endif
+   if (snapped_route_config_ == nullptr) {
+     ENVOY_STREAM_LOG(trace, "can't find SRDS scope.", *this);
+     // TODO(stevenzzzz): Consider to pass an error message to router filter, so that it can
+diff -Naur envoy/source/common/router/scoped_config_impl.cc envoy-new/source/common/router/scoped_config_impl.cc
+--- envoy/source/common/router/scoped_config_impl.cc	2024-01-04 21:07:36.000000000 +0800
+++ envoy-new/source/common/router/scoped_config_impl.cc	2024-01-04 21:09:13.000000000 +0800
+@@ -6,6 +6,160 @@
+ namespace Envoy {
+ namespace Router {
+ 
+#if defined(ALIMESH)
+namespace {
+
+std::string maskFirstDNSLabel(absl::string_view host) {
+  if (host == "*") {
+    return std::string(host);
+  }
+  if (host.size() < 2) {
+    return "*";
+  }
+  size_t start_pos = (host[0] == '*' && host[1] == '.') ? 2 : 0;
+  size_t dot_pos = host.find('.', start_pos);
+  if (dot_pos != absl::string_view::npos) {
+    return absl::StrCat("*", absl::string_view(host.data() + dot_pos, host.size() - dot_pos));
+  }
+  return "*";
+}
+
+} // namespace
+
+LocalPortValueExtractorImpl::LocalPortValueExtractorImpl(
+    ScopedRoutes::ScopeKeyBuilder::FragmentBuilder&& config)
+    : FragmentBuilderBase(std::move(config)) {
+  ASSERT(config_.type_case() ==
+             ScopedRoutes::ScopeKeyBuilder::FragmentBuilder::kLocalPortValueExtractor,
+         "local_port_value_extractor is not set.");
+}
+
+std::unique_ptr<ScopeKeyFragmentBase> LocalPortValueExtractorImpl::computeFragment(
+    const Http::HeaderMap&, const StreamInfo::StreamInfo& info, ReComputeCbPtr&) const {
+  auto port = info.downstreamAddressProvider().localAddress()->ip()->port();
+  return std::make_unique<StringKeyFragment>(std::to_string(long(port)));
+}
+
+HostValueExtractorImpl::HostValueExtractorImpl(
+    ScopedRoutes::ScopeKeyBuilder::FragmentBuilder&& config)
+    : FragmentBuilderBase(std::move(config)),
+      host_value_extractor_config_(config_.host_value_extractor()),
+      max_recompute_num_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(
+          host_value_extractor_config_, max_recompute_num, DefaultMaxRecomputeNum)) {
+  ASSERT(config_.type_case() == ScopedRoutes::ScopeKeyBuilder::FragmentBuilder::kHostValueExtractor,
+         "host_value_extractor is not set.");
+}
+
+std::unique_ptr<ScopeKeyFragmentBase>
+HostValueExtractorImpl::reComputeHelper(const std::string& host, ReComputeCbPtr& next_recompute,
+                                        uint32_t recompute_seq) const {
+  if (recompute_seq == max_recompute_num_) {
+    ENVOY_LOG_MISC(warn,
+                   "recompute host fragment failed, maximum number of recalculations exceeded");
+    return nullptr;
+  }
+  if (host == "*") {
+    *next_recompute = nullptr;
+    return nullptr;
+  }
+  auto masked_host = maskFirstDNSLabel(host);
+  *next_recompute = [this, masked_host, recompute_seq,
+                     next_recompute]() mutable -> std::unique_ptr<ScopeKeyFragmentBase> {
+    return reComputeHelper(masked_host, next_recompute, recompute_seq + 1);
+  };
+  return std::make_unique<StringKeyFragment>(masked_host);
+}
+
+std::unique_ptr<ScopeKeyFragmentBase>
+HostValueExtractorImpl::computeFragment(const Http::HeaderMap& headers,
+                                        const StreamInfo::StreamInfo&,
+                                        ReComputeCbPtr& recompute) const {
+  auto fragment = computeFragment(headers);
+  auto host = static_cast<const Http::RequestHeaderMap&>(headers).getHostValue();
+  *recompute = [this, host, recompute]() mutable -> std::unique_ptr<ScopeKeyFragmentBase> {
+    return reComputeHelper(std::string(host), recompute, 0);
+  };
+  return fragment;
+}
+
+std::unique_ptr<ScopeKeyFragmentBase>
+HostValueExtractorImpl::computeFragment(const Http::HeaderMap& headers) const {
+  return std::make_unique<StringKeyFragment>(
+      static_cast<const Http::RequestHeaderMap&>(headers).getHostValue());
+}
+
+std::unique_ptr<ScopeKeyFragmentBase>
+HeaderValueExtractorImpl::computeFragment(const Http::HeaderMap& headers,
+                                          const StreamInfo::StreamInfo&, ReComputeCbPtr&) const {
+  return computeFragment(headers);
+}
+
+ScopeKeyPtr ScopeKeyBuilderImpl::computeScopeKey(const Http::HeaderMap& headers,
+                                                 const StreamInfo::StreamInfo& info,
+                                                 std::function<ScopeKeyPtr()>& recompute) const {
+  ScopeKey key;
+  bool recomputeable = false;
+  auto recompute_cbs = std::make_shared<std::vector<ReComputeCbPtr>>();
+  for (const auto& builder : fragment_builders_) {
+    // returns nullopt if a null fragment is found.
+    ReComputeCbPtr recompute_fragment_cb = std::make_shared<ReComputeCb>();
+    std::unique_ptr<ScopeKeyFragmentBase> fragment =
+        builder->computeFragment(headers, info, recompute_fragment_cb);
+    if (fragment == nullptr) {
+      return nullptr;
+    }
+    if (*recompute_fragment_cb == nullptr) {
+      auto key_fragment = static_cast<StringKeyFragment*>(fragment.get());
+      auto copied_fragment = std::make_shared<StringKeyFragment>(*key_fragment);
+      auto recompute_cb =
+          std::make_shared<ReComputeCb>([copied_fragment]() -> std::unique_ptr<StringKeyFragment> {
+            return std::make_unique<StringKeyFragment>(*copied_fragment);
+          });
+      recompute_cbs->push_back(recompute_cb);
+    } else {
+      recomputeable = true;
+      recompute_cbs->push_back(recompute_fragment_cb);
+    }
+    key.addFragment(std::move(fragment));
+  }
+  if (recomputeable) {
+    recompute = [&recompute, recompute_cbs]() mutable -> ScopeKeyPtr {
+      ScopeKey new_key;
+      for (auto& cb : *recompute_cbs) {
+        auto new_fragment = (*cb)();
+        if (new_fragment == nullptr) {
+          return nullptr;
+        }
+        if (*cb == nullptr) {
+          recompute = nullptr;
+        }
+        new_key.addFragment(std::move(new_fragment));
+      }
+      return std::make_unique<ScopeKey>(std::move(new_key));
+    };
+  }
+  return std::make_unique<ScopeKey>(std::move(key));
+}
+
+ScopeKeyPtr ScopedConfigImpl::computeScopeKey(const Http::HeaderMap& headers,
+                                              const StreamInfo::StreamInfo& info) const {
+  std::function<Router::ScopeKeyPtr()> recompute;
+  ScopeKeyPtr scope_key = scope_key_builder_.computeScopeKey(headers, info, recompute);
+  if (scope_key == nullptr) {
+    return nullptr;
+  }
+  decltype(scoped_route_info_by_key_.begin()) iter;
+  do {
+    iter = scoped_route_info_by_key_.find(scope_key->hash());
+    if (iter != scoped_route_info_by_key_.end()) {
+      return scope_key;
+    }
+  } while (recompute != nullptr && (scope_key = recompute()));
+  return nullptr;
+}
+
+#endif
+
+ bool ScopeKey::operator!=(const ScopeKey& other) const { return !(*this == other); }
+ 
+ bool ScopeKey::operator==(const ScopeKey& other) const {
+@@ -95,6 +249,16 @@
+     : ScopeKeyBuilderBase(std::move(config)) {
+   for (const auto& fragment_builder : config_.fragments()) {
+     switch (fragment_builder.type_case()) {
+#if defined(ALIMESH)
+    case ScopedRoutes::ScopeKeyBuilder::FragmentBuilder::kHostValueExtractor:
+      fragment_builders_.emplace_back(std::make_unique<HostValueExtractorImpl>(
+          ScopedRoutes::ScopeKeyBuilder::FragmentBuilder(fragment_builder)));
+      break;
+    case ScopedRoutes::ScopeKeyBuilder::FragmentBuilder::kLocalPortValueExtractor:
+      fragment_builders_.emplace_back(std::make_unique<LocalPortValueExtractorImpl>(
+          ScopedRoutes::ScopeKeyBuilder::FragmentBuilder(fragment_builder)));
+      break;
+#endif
+     case ScopedRoutes::ScopeKeyBuilder::FragmentBuilder::kHeaderValueExtractor:
+       fragment_builders_.emplace_back(std::make_unique<HeaderValueExtractorImpl>(
+           ScopedRoutes::ScopeKeyBuilder::FragmentBuilder(fragment_builder)));
+@@ -143,6 +307,22 @@
+ }
+ 
+ Router::ConfigConstSharedPtr
+#if defined(ALIMESH)
+ScopedConfigImpl::getRouteConfig(const Http::HeaderMap& headers,
+                                 const StreamInfo::StreamInfo& info) const {
+  std::function<ScopeKeyPtr()> recompute;
+  ScopeKeyPtr scope_key = scope_key_builder_.computeScopeKey(headers, info, recompute);
+  if (scope_key == nullptr) {
+    return nullptr;
+  }
+  decltype(scoped_route_info_by_key_.begin()) iter;
+  do {
+    iter = scoped_route_info_by_key_.find(scope_key->hash());
+    if (iter != scoped_route_info_by_key_.end()) {
+      return iter->second->routeConfig();
+    }
+  } while (recompute != nullptr && (scope_key = recompute()));
+#else
+ ScopedConfigImpl::getRouteConfig(const Http::HeaderMap& headers) const {
+   ScopeKeyPtr scope_key = scope_key_builder_.computeScopeKey(headers);
+   if (scope_key == nullptr) {
+@@ -152,6 +332,7 @@
+   if (iter != scoped_route_info_by_key_.end()) {
+     return iter->second->routeConfig();
+   }
+#endif
+   return nullptr;
+ }
+ 
+diff -Naur envoy/source/common/router/scoped_config_impl.h envoy-new/source/common/router/scoped_config_impl.h
+--- envoy/source/common/router/scoped_config_impl.h	2024-01-04 21:07:36.000000000 +0800
+++ envoy-new/source/common/router/scoped_config_impl.h	2024-01-04 21:09:13.000000000 +0800
+@@ -22,6 +22,11 @@
+ 
+ using envoy::extensions::filters::network::http_connection_manager::v3::ScopedRoutes;
+ 
+#if defined(ALIMESH)
+using ReComputeCb = std::function<std::unique_ptr<ScopeKeyFragmentBase>()>;
+using ReComputeCbPtr = std::shared_ptr<ReComputeCb>;
+#endif
+
+ /**
+  * Base class for fragment builders.
+  */
+@@ -36,6 +41,12 @@
+   virtual std::unique_ptr<ScopeKeyFragmentBase>
+   computeFragment(const Http::HeaderMap& headers) const PURE;
+ 
+#if defined(ALIMESH)
+  virtual std::unique_ptr<ScopeKeyFragmentBase>
+  computeFragment(const Http::HeaderMap& headers, const StreamInfo::StreamInfo& info,
+                  ReComputeCbPtr& recompute) const PURE;
+#endif
+
+ protected:
+   const ScopedRoutes::ScopeKeyBuilder::FragmentBuilder config_;
+ };
+@@ -47,11 +58,54 @@
+   std::unique_ptr<ScopeKeyFragmentBase>
+   computeFragment(const Http::HeaderMap& headers) const override;
+ 
+#if defined(ALIMESH)
+  std::unique_ptr<ScopeKeyFragmentBase> computeFragment(const Http::HeaderMap& headers,
+                                                        const StreamInfo::StreamInfo& info,
+                                                        ReComputeCbPtr& recompute) const override;
+#endif
+
+ private:
+   const ScopedRoutes::ScopeKeyBuilder::FragmentBuilder::HeaderValueExtractor&
+       header_value_extractor_config_;
+ };
+ 
+#if defined(ALIMESH)
+class HostValueExtractorImpl : public FragmentBuilderBase {
+public:
+  explicit HostValueExtractorImpl(ScopedRoutes::ScopeKeyBuilder::FragmentBuilder&& config);
+
+  std::unique_ptr<ScopeKeyFragmentBase>
+  computeFragment(const Http::HeaderMap& headers) const override;
+
+  std::unique_ptr<ScopeKeyFragmentBase> computeFragment(const Http::HeaderMap& headers,
+                                                        const StreamInfo::StreamInfo& info,
+                                                        ReComputeCbPtr& recompute) const override;
+
+private:
+  std::unique_ptr<ScopeKeyFragmentBase> reComputeHelper(const std::string& host,
+                                                        ReComputeCbPtr& next_recompute,
+                                                        uint32_t recompute_seq) const;
+
+  static constexpr uint32_t DefaultMaxRecomputeNum = 100;
+
+  const ScopedRoutes::ScopeKeyBuilder::FragmentBuilder::HostValueExtractor&
+      host_value_extractor_config_;
+  const uint32_t max_recompute_num_;
+};
+
+class LocalPortValueExtractorImpl : public FragmentBuilderBase {
+public:
+  explicit LocalPortValueExtractorImpl(ScopedRoutes::ScopeKeyBuilder::FragmentBuilder&& config);
+
+  std::unique_ptr<ScopeKeyFragmentBase> computeFragment(const Http::HeaderMap&) const override {
+    return nullptr;
+  };
+
+  std::unique_ptr<ScopeKeyFragmentBase> computeFragment(const Http::HeaderMap& headers,
+                                                        const StreamInfo::StreamInfo& info,
+                                                        ReComputeCbPtr& recompute) const override;
+};
+#endif
+ /**
+  * Base class for ScopeKeyBuilder implementations.
+  */
+@@ -64,6 +118,12 @@
+   // Computes scope key for given headers, returns nullptr if a key can't be computed.
+   virtual ScopeKeyPtr computeScopeKey(const Http::HeaderMap& headers) const PURE;
+ 
+#if defined(ALIMESH)
+  virtual ScopeKeyPtr computeScopeKey(const Http::HeaderMap& headers,
+                                      const StreamInfo::StreamInfo& info,
+                                      std::function<ScopeKeyPtr()>& recompute) const PURE;
+#endif
+
+ protected:
+   const ScopedRoutes::ScopeKeyBuilder config_;
+ };
+@@ -74,6 +134,11 @@
+ 
+   ScopeKeyPtr computeScopeKey(const Http::HeaderMap& headers) const override;
+ 
+#if defined(ALIMESH)
+  ScopeKeyPtr computeScopeKey(const Http::HeaderMap& headers, const StreamInfo::StreamInfo& info,
+                              std::function<ScopeKeyPtr()>& recompute) const override;
+#endif
+
+ private:
+   std::vector<std::unique_ptr<FragmentBuilderBase>> fragment_builders_;
+ };
+@@ -118,10 +183,20 @@
+   void removeRoutingScopes(const std::vector<std::string>& scope_names);
+ 
+   // Envoy::Router::ScopedConfig
+#if defined(ALIMESH)
+  Router::ConfigConstSharedPtr getRouteConfig(const Http::HeaderMap& headers,
+                                              const StreamInfo::StreamInfo& info) const override;
+#else
+   Router::ConfigConstSharedPtr getRouteConfig(const Http::HeaderMap& headers) const override;
+#endif
+   // The return value is not null only if the scope corresponding to the header exists.
+   ScopeKeyPtr computeScopeKey(const Http::HeaderMap& headers) const override;
+ 
+#if defined(ALIMESH)
+  ScopeKeyPtr computeScopeKey(const Http::HeaderMap& headers,
+                              const StreamInfo::StreamInfo& info) const override;
+#endif
+
+ private:
+   ScopeKeyBuilderImpl scope_key_builder_;
+   // From scope name to cached ScopedRouteInfo.
+@@ -135,9 +210,16 @@
+  */
+ class NullScopedConfigImpl : public ScopedConfig {
+ public:
+#if defined(ALIMESH)
+  Router::ConfigConstSharedPtr getRouteConfig(const Http::HeaderMap&,
+                                              const StreamInfo::StreamInfo&) const override {
+    return std::make_shared<const NullConfigImpl>();
+  }
+#else
+   Router::ConfigConstSharedPtr getRouteConfig(const Http::HeaderMap&) const override {
+     return std::make_shared<const NullConfigImpl>();
+   }
+#endif
+ };
+ 
+ } // namespace Router
+diff -Naur envoy/source/extensions/filters/http/on_demand/on_demand_update.cc envoy-new/source/extensions/filters/http/on_demand/on_demand_update.cc
+--- envoy/source/extensions/filters/http/on_demand/on_demand_update.cc	2024-01-04 21:07:33.000000000 +0800
+++ envoy-new/source/extensions/filters/http/on_demand/on_demand_update.cc	2024-01-04 21:09:13.000000000 +0800
+@@ -50,7 +50,11 @@
+ // This is the callback which is called when an update requested in requestRouteConfigUpdate()
+ // has been propagated to workers, at which point the request processing is restarted from the
+ // beginning.
+#if defined(ALIMESH)
+void OnDemandRouteUpdate::onRouteConfigUpdateCompletion(bool) {
+#else
+ void OnDemandRouteUpdate::onRouteConfigUpdateCompletion(bool route_exists) {
+#endif
+   filter_iteration_state_ = Http::FilterHeadersStatus::Continue;
+ 
+   // Don't call continueDecoding in the middle of decodeHeaders()
+@@ -58,12 +62,14 @@
+     return;
+   }
+ 
+#if !defined(ALIMESH)
+   if (route_exists &&                  // route can be resolved after an on-demand
+                                        // VHDS update
+       !callbacks_->decodingBuffer() && // Redirects with body not yet supported.
+       callbacks_->recreateStream(/*headers=*/nullptr)) {
+     return;
+   }
+#endif
+ 
+   // route cannot be resolved after an on-demand VHDS update or
+   // recreating stream failed, continue the filter-chain
--- a/envoy/1.20/patches/envoy/20240110-fix-srds.patch
+++ b/envoy/1.20/patches/envoy/20240110-fix-srds.patch
@@ -0,0 +1,49 @@
+diff -Naur envoy/source/common/router/BUILD envoy-new/source/common/router/BUILD
+--- envoy/source/common/router/BUILD	2024-01-10 20:10:14.505600746 +0800
+++ envoy-new/source/common/router/BUILD	2024-01-10 20:07:25.960379955 +0800
+@@ -212,6 +212,7 @@
+         "//envoy/router:rds_interface",
+         "//envoy/router:scopes_interface",
+         "//envoy/thread_local:thread_local_interface",
+        "//source/common/http:header_utility_lib",
+         "@envoy_api//envoy/config/route/v3:pkg_cc_proto",
+         "@envoy_api//envoy/extensions/filters/network/http_connection_manager/v3:pkg_cc_proto",
+     ],
+diff -Naur envoy/source/common/router/scoped_config_impl.cc envoy-new/source/common/router/scoped_config_impl.cc
+--- envoy/source/common/router/scoped_config_impl.cc	2024-01-10 20:10:14.529600924 +0800
+++ envoy-new/source/common/router/scoped_config_impl.cc	2024-01-10 20:09:50.161422411 +0800
+@@ -3,6 +3,8 @@
+ #include "envoy/config/route/v3/scoped_route.pb.h"
+ #include "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.h"
+ 
+#include "source/common/http/header_utility.h"
+
+ namespace Envoy {
+ namespace Router {
+ 
+@@ -74,18 +76,20 @@
+ HostValueExtractorImpl::computeFragment(const Http::HeaderMap& headers,
+                                         const StreamInfo::StreamInfo&,
+                                         ReComputeCbPtr& recompute) const {
+-  auto fragment = computeFragment(headers);
+   auto host = static_cast<const Http::RequestHeaderMap&>(headers).getHostValue();
+  auto port_start = Http::HeaderUtility::getPortStart(host);
+  if (port_start != absl::string_view::npos) {
+    host = host.substr(0, port_start);
+  }
+   *recompute = [this, host, recompute]() mutable -> std::unique_ptr<ScopeKeyFragmentBase> {
+     return reComputeHelper(std::string(host), recompute, 0);
+   };
+-  return fragment;
+  return std::make_unique<StringKeyFragment>(host);
+ }
+ 
+ std::unique_ptr<ScopeKeyFragmentBase>
+-HostValueExtractorImpl::computeFragment(const Http::HeaderMap& headers) const {
+-  return std::make_unique<StringKeyFragment>(
+-      static_cast<const Http::RequestHeaderMap&>(headers).getHostValue());
+HostValueExtractorImpl::computeFragment(const Http::HeaderMap&) const {
+  return nullptr;
+ }
+ 
+ std::unique_ptr<ScopeKeyFragmentBase>
--- a/envoy/1.20/patches/envoy/20240111-fix-srds-compute.patch
+++ b/envoy/1.20/patches/envoy/20240111-fix-srds-compute.patch
@@ -0,0 +1,65 @@
+diff -Naur envoy/source/common/router/scoped_config_impl.cc envoy-new/source/common/router/scoped_config_impl.cc
+--- envoy/source/common/router/scoped_config_impl.cc	2024-01-11 16:23:55.407881263 +0800
+++ envoy-new/source/common/router/scoped_config_impl.cc	2024-01-11 16:23:42.311786814 +0800
+@@ -53,21 +53,26 @@
+ }
+ 
+ std::unique_ptr<ScopeKeyFragmentBase>
+-HostValueExtractorImpl::reComputeHelper(const std::string& host, ReComputeCbPtr& next_recompute,
+HostValueExtractorImpl::reComputeHelper(const std::string& host,
+                                        ReComputeCbWeakPtr& weak_next_recompute,
+                                         uint32_t recompute_seq) const {
+   if (recompute_seq == max_recompute_num_) {
+     ENVOY_LOG_MISC(warn,
+                    "recompute host fragment failed, maximum number of recalculations exceeded");
+     return nullptr;
+   }
+  auto next_recompute = weak_next_recompute.lock();
+  if (!next_recompute) {
+    return nullptr;
+  }
+   if (host == "*") {
+     *next_recompute = nullptr;
+     return nullptr;
+   }
+   auto masked_host = maskFirstDNSLabel(host);
+   *next_recompute = [this, masked_host, recompute_seq,
+-                     next_recompute]() mutable -> std::unique_ptr<ScopeKeyFragmentBase> {
+-    return reComputeHelper(masked_host, next_recompute, recompute_seq + 1);
+                     weak_next_recompute]() mutable -> std::unique_ptr<ScopeKeyFragmentBase> {
+    return reComputeHelper(masked_host, weak_next_recompute, recompute_seq + 1);
+   };
+   return std::make_unique<StringKeyFragment>(masked_host);
+ }
+@@ -81,8 +86,9 @@
+   if (port_start != absl::string_view::npos) {
+     host = host.substr(0, port_start);
+   }
+-  *recompute = [this, host, recompute]() mutable -> std::unique_ptr<ScopeKeyFragmentBase> {
+-    return reComputeHelper(std::string(host), recompute, 0);
+  *recompute = [this, host, weak_recompute = ReComputeCbWeakPtr(recompute)]() mutable
+      -> std::unique_ptr<ScopeKeyFragmentBase> {
+    return reComputeHelper(std::string(host), weak_recompute, 0);
+   };
+   return std::make_unique<StringKeyFragment>(host);
+ }
+diff -Naur envoy/source/common/router/scoped_config_impl.h envoy-new/source/common/router/scoped_config_impl.h
+--- envoy/source/common/router/scoped_config_impl.h	2024-01-11 16:23:55.407881263 +0800
+++ envoy-new/source/common/router/scoped_config_impl.h	2024-01-11 16:23:42.311786814 +0800
+@@ -25,6 +25,7 @@
+ #if defined(ALIMESH)
+ using ReComputeCb = std::function<std::unique_ptr<ScopeKeyFragmentBase>()>;
+ using ReComputeCbPtr = std::shared_ptr<ReComputeCb>;
+using ReComputeCbWeakPtr = std::weak_ptr<ReComputeCb>;
+ #endif
+ 
+ /**
+@@ -83,7 +84,7 @@
+ 
+ private:
+   std::unique_ptr<ScopeKeyFragmentBase> reComputeHelper(const std::string& host,
+-                                                        ReComputeCbPtr& next_recompute,
+                                                        ReComputeCbWeakPtr& weak_next_recompute,
+                                                         uint32_t recompute_seq) const;
+ 
+   static constexpr uint32_t DefaultMaxRecomputeNum = 100;
--- a/envoy/1.20/patches/envoy/20240116-fix-cve.patch
+++ b/envoy/1.20/patches/envoy/20240116-fix-cve.patch
--- a/envoy/1.20/patches/envoy/20240201-virtual-host-allow-server-name.patch
+++ b/envoy/1.20/patches/envoy/20240201-virtual-host-allow-server-name.patch
--- a/envoy/1.20/patches/envoy/20240519-wasm-upgrade.patch
+++ b/envoy/1.20/patches/envoy/20240519-wasm-upgrade.patch
--- a/envoy/1.20/patches/envoy/20240521-fix-wasm-host.patch
+++ b/envoy/1.20/patches/envoy/20240521-fix-wasm-host.patch
@@ -0,0 +1,14 @@
+diff -Naur envoy/bazel/repository_locations.bzl envoy-new/bazel/repository_locations.bzl
+--- envoy/bazel/repository_locations.bzl	2024-05-21 22:49:46.686598518 +0800
+++ envoy-new/bazel/repository_locations.bzl	2024-05-21 22:49:02.554597652 +0800
+@@ -1031,8 +1031,8 @@
+         project_name = "WebAssembly for Proxies (C++ host implementation)",
+         project_desc = "WebAssembly for Proxies (C++ host implementation)",
+         project_url = "https://github.com/higress-group/proxy-wasm-cpp-host",
+-        version = "f8b624dc6c37d4e0a3c1b332652746793e2031ad",
+-        sha256 = "ba20328101c91d0ae6383947ced99620cd9b4ea22ab2fda6b26f343b38c3be83",
+        version = "cad2eb04d402dbf559101f3cb4f44da0d9c5b0b0",
+        sha256 = "4efbcc97c58994fab92c9dc50c051ad16463647d4c0c6df36a7204d2984c1e63",
+         strip_prefix = "proxy-wasm-cpp-host-{version}",
+         urls = ["https://github.com/higress-group/proxy-wasm-cpp-host/archive/{version}.tar.gz"],
+         use_category = ["dataplane_ext"],
--- a/envoy/1.20/patches/envoy/20240527-fix-wasm-recover.patch
+++ b/envoy/1.20/patches/envoy/20240527-fix-wasm-recover.patch
@@ -0,0 +1,25 @@
+diff -Naur envoy/bazel/repository_locations.bzl envoy-new/bazel/repository_locations.bzl
+--- envoy/bazel/repository_locations.bzl	2024-05-27 18:04:13.116443196 +0800
+++ envoy-new/bazel/repository_locations.bzl	2024-05-27 18:02:24.812441069 +0800
+@@ -1031,8 +1031,8 @@
+         project_name = "WebAssembly for Proxies (C++ host implementation)",
+         project_desc = "WebAssembly for Proxies (C++ host implementation)",
+         project_url = "https://github.com/higress-group/proxy-wasm-cpp-host",
+-        version = "cad2eb04d402dbf559101f3cb4f44da0d9c5b0b0",
+-        sha256 = "4efbcc97c58994fab92c9dc50c051ad16463647d4c0c6df36a7204d2984c1e63",
+        version = "28a33a5a3e6c1ff8f53128a74e89aeca47850f68",
+        sha256 = "1aaa5898c169aeff115eff2fedf58095b3509d2e59861ad498e661a990d78b3d",
+         strip_prefix = "proxy-wasm-cpp-host-{version}",
+         urls = ["https://github.com/higress-group/proxy-wasm-cpp-host/archive/{version}.tar.gz"],
+         use_category = ["dataplane_ext"],
+diff -Naur envoy/source/extensions/filters/http/wasm/wasm_filter.h envoy-new/source/extensions/filters/http/wasm/wasm_filter.h
+--- envoy/source/extensions/filters/http/wasm/wasm_filter.h	2024-05-27 18:04:13.112443196 +0800
+++ envoy-new/source/extensions/filters/http/wasm/wasm_filter.h	2024-05-27 18:03:25.360442258 +0800
+@@ -51,6 +51,7 @@
+       if (opt_ref->recover()) {
+         ENVOY_LOG(info, "wasm vm recover success");
+         wasm = opt_ref->handle()->wasmHandle()->wasm().get();
+        handle = opt_ref->handle();
+       } else {
+         ENVOY_LOG(info, "wasm vm recover failed");
+         failed = true;
--- a/envoy/1.20/patches/envoy/20240610-optimize-xds.patch
+++ b/envoy/1.20/patches/envoy/20240610-optimize-xds.patch
@@ -0,0 +1,259 @@
+diff --git a/source/common/router/BUILD b/source/common/router/BUILD
+index 5c58501..4db76cd 100644
+--- a/source/common/router/BUILD
+++ b/source/common/router/BUILD
+@@ -212,6 +212,7 @@ envoy_cc_library(
+         "//envoy/router:rds_interface",
+         "//envoy/router:scopes_interface",
+         "//envoy/thread_local:thread_local_interface",
+        "//source/common/protobuf:utility_lib",
+         "@envoy_api//envoy/config/route/v3:pkg_cc_proto",
+         "@envoy_api//envoy/extensions/filters/network/http_connection_manager/v3:pkg_cc_proto",
+     ],
+diff --git a/source/common/router/config_impl.cc b/source/common/router/config_impl.cc
+index ff7b4c8..5ac4523 100644
+--- a/source/common/router/config_impl.cc
+++ b/source/common/router/config_impl.cc
+@@ -550,19 +550,11 @@ RouteEntryImplBase::RouteEntryImplBase(const VirtualHostImpl& vhost,
+               "not be stripped: {}",
+               path_redirect_);
+   }
+-  ENVOY_LOG(info, "route stats is {}, name is {}", route.stat_prefix(), route.name());
+   if (!route.stat_prefix().empty()) {
+     route_stats_context_ = std::make_unique<RouteStatsContext>(
+         factory_context.scope(), factory_context.routerContext().routeStatNames(), vhost.statName(),
+         route.stat_prefix());
+-  } else if (!route.name().empty()) {
+-    // Added by Ingress
+-    // use route_name as default stat_prefix
+-    route_stats_context_ = std::make_unique<RouteStatsContext>(
+-        factory_context.scope(), factory_context.routerContext().routeStatNames(), vhost.statName(),
+-        route.name());
+   }
+-  // End Added
+ }
+ 
+ bool RouteEntryImplBase::evaluateRuntimeMatch(const uint64_t random_value) const {
+@@ -1415,9 +1407,7 @@ VirtualHostImpl::VirtualHostImpl(
+       retry_shadow_buffer_limit_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(
+           virtual_host, per_request_buffer_limit_bytes, std::numeric_limits<uint32_t>::max())),
+       include_attempt_count_in_request_(virtual_host.include_request_attempt_count()),
+-      include_attempt_count_in_response_(virtual_host.include_attempt_count_in_response()),
+-      virtual_cluster_catch_all_(*vcluster_scope_,
+-                                 factory_context.routerContext().virtualClusterStatNames()) {
+      include_attempt_count_in_response_(virtual_host.include_attempt_count_in_response()) {
+   switch (virtual_host.require_tls()) {
+   case envoy::config::route::v3::VirtualHost::NONE:
+     ssl_requirements_ = SslRequirements::None;
+@@ -1478,10 +1468,14 @@ VirtualHostImpl::VirtualHostImpl(
+     }
+   }
+ 
+-  for (const auto& virtual_cluster : virtual_host.virtual_clusters()) {
+-    virtual_clusters_.push_back(
+-        VirtualClusterEntry(virtual_cluster, *vcluster_scope_,
+-                            factory_context.routerContext().virtualClusterStatNames()));
+  if (!virtual_host.virtual_clusters().empty()) {
+    virtual_cluster_catch_all_ = std::make_unique<CatchAllVirtualCluster>(
+        *vcluster_scope_, factory_context.routerContext().virtualClusterStatNames());
+    for (const auto& virtual_cluster : virtual_host.virtual_clusters()) {
+      virtual_clusters_.push_back(
+          VirtualClusterEntry(virtual_cluster, *vcluster_scope_,
+                              factory_context.routerContext().virtualClusterStatNames()));
+    }
+   }
+ 
+   if (virtual_host.has_cors()) {
+@@ -1774,7 +1768,7 @@ VirtualHostImpl::virtualClusterFromEntries(const Http::HeaderMap& headers) const
+   }
+ 
+   if (!virtual_clusters_.empty()) {
+-    return &virtual_cluster_catch_all_;
+    return virtual_cluster_catch_all_.get();
+   }
+ 
+   return nullptr;
+diff --git a/source/common/router/config_impl.h b/source/common/router/config_impl.h
+index cf0ddf3..d83eb94 100644
+--- a/source/common/router/config_impl.h
+++ b/source/common/router/config_impl.h
+@@ -352,10 +352,10 @@ private:
+   const bool include_attempt_count_in_response_;
+   absl::optional<envoy::config::route::v3::RetryPolicy> retry_policy_;
+   absl::optional<envoy::config::route::v3::HedgePolicy> hedge_policy_;
+-  const CatchAllVirtualCluster virtual_cluster_catch_all_;
+ #if defined(ALIMESH)
+   std::vector<std::string> allow_server_names_;
+ #endif
+  std::unique_ptr<const CatchAllVirtualCluster> virtual_cluster_catch_all_;
+ };
+ 
+ using VirtualHostSharedPtr = std::shared_ptr<VirtualHostImpl>;
+diff --git a/source/common/router/scoped_config_impl.cc b/source/common/router/scoped_config_impl.cc
+index 594d571..6482615 100644
+--- a/source/common/router/scoped_config_impl.cc
+++ b/source/common/router/scoped_config_impl.cc
+@@ -7,6 +7,8 @@
+ #include "source/common/http/header_utility.h"
+ #endif
+ 
+#include "source/common/protobuf/utility.h"
+
+ namespace Envoy {
+ namespace Router {
+ 
+@@ -239,7 +241,8 @@ HeaderValueExtractorImpl::computeFragment(const Http::HeaderMap& headers) const
+ 
+ ScopedRouteInfo::ScopedRouteInfo(envoy::config::route::v3::ScopedRouteConfiguration&& config_proto,
+                                  ConfigConstSharedPtr&& route_config)
+-    : config_proto_(std::move(config_proto)), route_config_(std::move(route_config)) {
+    : config_proto_(std::move(config_proto)), route_config_(std::move(route_config)),
+      config_hash_(MessageUtil::hash(config_proto)) {
+   // TODO(stevenzzzz): Maybe worth a KeyBuilder abstraction when there are more than one type of
+   // Fragment.
+   for (const auto& fragment : config_proto_.key().fragments()) {
+diff --git a/source/common/router/scoped_config_impl.h b/source/common/router/scoped_config_impl.h
+index 9f6a1b2..28e2ee5 100644
+--- a/source/common/router/scoped_config_impl.h
+++ b/source/common/router/scoped_config_impl.h
+@@ -154,11 +154,13 @@ public:
+     return config_proto_;
+   }
+   const std::string& scopeName() const { return config_proto_.name(); }
+  uint64_t configHash() const { return config_hash_; }
+ 
+ private:
+   envoy::config::route::v3::ScopedRouteConfiguration config_proto_;
+   ScopeKey scope_key_;
+   ConfigConstSharedPtr route_config_;
+  const uint64_t config_hash_;
+ };
+ using ScopedRouteInfoConstSharedPtr = std::shared_ptr<const ScopedRouteInfo>;
+ // Ordered map for consistent config dumping.
+diff --git a/source/common/router/scoped_rds.cc b/source/common/router/scoped_rds.cc
+index 133e91e..9b2096e 100644
+--- a/source/common/router/scoped_rds.cc
+++ b/source/common/router/scoped_rds.cc
+@@ -245,6 +245,11 @@ bool ScopedRdsConfigSubscription::addOrUpdateScopes(
+         dynamic_cast<const envoy::config::route::v3::ScopedRouteConfiguration&>(
+             resource.get().resource());
+     const std::string scope_name = scoped_route_config.name();
+    if (const auto& scope_info_iter = scoped_route_map_.find(scope_name);
+        scope_info_iter != scoped_route_map_.end() &&
+        scope_info_iter->second->configHash() == MessageUtil::hash(scoped_route_config)) {
+      continue;
+    }
+     rds.set_route_config_name(scoped_route_config.route_configuration_name());
+     std::unique_ptr<RdsRouteConfigProviderHelper> rds_config_provider_helper;
+     std::shared_ptr<ScopedRouteInfo> scoped_route_info = nullptr;
+@@ -398,6 +403,7 @@ void ScopedRdsConfigSubscription::onRdsConfigUpdate(const std::string& scope_nam
+   auto new_scoped_route_info = std::make_shared<ScopedRouteInfo>(
+       envoy::config::route::v3::ScopedRouteConfiguration(iter->second->configProto()),
+       std::move(new_rds_config));
+  scoped_route_map_[new_scoped_route_info->scopeName()] = new_scoped_route_info;
+   applyConfigUpdate([new_scoped_route_info](ConfigProvider::ConfigConstSharedPtr config)
+                         -> ConfigProvider::ConfigConstSharedPtr {
+     auto* thread_local_scoped_config =
+diff --git a/source/common/router/scoped_rds.h b/source/common/router/scoped_rds.h
+index d21d812..a510c1f 100644
+--- a/source/common/router/scoped_rds.h
+++ b/source/common/router/scoped_rds.h
+@@ -104,7 +104,7 @@ struct ScopedRdsStats {
+ // A scoped RDS subscription to be used with the dynamic scoped RDS ConfigProvider.
+ class ScopedRdsConfigSubscription
+     : public Envoy::Config::DeltaConfigSubscriptionInstance,
+-      Envoy::Config::SubscriptionBase<envoy::config::route::v3::ScopedRouteConfiguration> {
+      public Envoy::Config::SubscriptionBase<envoy::config::route::v3::ScopedRouteConfiguration> {
+ public:
+   using ScopedRouteConfigurationMap =
+       std::map<std::string, envoy::config::route::v3::ScopedRouteConfiguration>;
+diff --git a/test/common/router/scoped_config_impl_test.cc b/test/common/router/scoped_config_impl_test.cc
+index f63f258..69a2f4b 100644
+--- a/test/common/router/scoped_config_impl_test.cc
+++ b/test/common/router/scoped_config_impl_test.cc
+@@ -452,6 +452,24 @@ TEST_F(ScopedRouteInfoTest, Creation) {
+   EXPECT_EQ(info_->scopeKey(), makeKey({"foo", "bar"}));
+ }
+ 
+// Tests that config hash changes if ScopedRouteConfiguration of the ScopedRouteInfo changes.
+TEST_F(ScopedRouteInfoTest, Hash) {
+  const envoy::config::route::v3::ScopedRouteConfiguration config_copy = scoped_route_config_;
+  info_ = std::make_unique<ScopedRouteInfo>(scoped_route_config_, route_config_);
+  EXPECT_EQ(info_->routeConfig().get(), route_config_.get());
+  EXPECT_TRUE(TestUtility::protoEqual(info_->configProto(), config_copy));
+  EXPECT_EQ(info_->scopeName(), "foo_scope");
+  EXPECT_EQ(info_->scopeKey(), makeKey({"foo", "bar"}));
+
+  const auto info2 = std::make_unique<ScopedRouteInfo>(scoped_route_config_, route_config_);
+  ASSERT_EQ(info2->configHash(), info_->configHash());
+
+  // Mutate the config and hash should be different now.
+  scoped_route_config_.set_on_demand(true);
+  const auto info3 = std::make_unique<ScopedRouteInfo>(scoped_route_config_, route_config_);
+  ASSERT_NE(info3->configHash(), info_->configHash());
+}
+
+ class ScopedConfigImplTest : public testing::Test {
+ public:
+   void SetUp() override {
+diff --git a/test/common/router/scoped_rds_test.cc b/test/common/router/scoped_rds_test.cc
+index 09b96a6..b4776c9 100644
+--- a/test/common/router/scoped_rds_test.cc
+++ b/test/common/router/scoped_rds_test.cc
+@@ -13,6 +13,7 @@
+ #include "envoy/stats/scope.h"
+ 
+ #include "source/common/config/api_version.h"
+#include "source/common/config/config_provider_impl.h"
+ #include "source/common/config/grpc_mux_impl.h"
+ #include "source/common/protobuf/message_validator_impl.h"
+ #include "source/common/router/scoped_rds.h"
+@@ -365,6 +366,48 @@ key:
+                             "Didn't find a registered implementation for name: 'filter.unknown'");
+ }
+ 
+// Test that scopes with same config as existing scopes will be skipped in a config push.
+TEST_F(ScopedRdsTest, UnchangedScopesAreSkipped) {
+  setup();
+  init_watcher_.expectReady();
+  const std::string config_yaml = R"EOF(
+name: foo_scope
+route_configuration_name: foo_routes
+key:
+  fragments:
+    - string_key: x-foo-key
+)EOF";
+  const auto resource = parseScopedRouteConfigurationFromYaml(config_yaml);
+  const std::string config_yaml2 = R"EOF(
+name: foo_scope2
+route_configuration_name: foo_routes
+key:
+  fragments:
+    - string_key: x-bar-key
+)EOF";
+  const auto resource_2 = parseScopedRouteConfigurationFromYaml(config_yaml2);
+
+  // Delta API.
+  const auto decoded_resources = TestUtility::decodeResources({resource, resource_2});
+  context_init_manager_.initialize(init_watcher_);
+  EXPECT_NO_THROW(srds_subscription_->onConfigUpdate(decoded_resources.refvec_, {}, "v1"));
+  EXPECT_EQ(1UL,
+            server_factory_context_.scope_.counter("foo.scoped_rds.foo_scoped_routes.config_reload")
+                .value());
+  EXPECT_EQ(2UL, all_scopes_.value());
+  pushRdsConfig({"foo_routes"}, "111");
+  Envoy::Router::ScopedRdsConfigSubscription* srds_delta_subscription =
+      static_cast<Envoy::Router::ScopedRdsConfigSubscription*>(srds_subscription_);
+  ASSERT_NE(srds_delta_subscription, nullptr);
+  ASSERT_EQ("v1", srds_delta_subscription->configInfo()->last_config_version_);
+  // Push again the same set of config with different version number, the config will be skipped.
+  EXPECT_NO_THROW(srds_subscription_->onConfigUpdate(decoded_resources.refvec_, {}, "123"));
+  ASSERT_EQ("v1", srds_delta_subscription->configInfo()->last_config_version_);
+  EXPECT_EQ(2UL,
+            server_factory_context_.scope_.counter("foo.scoped_rds.foo_scoped_routes.config_reload")
+                .value());
+}
+
+ // Test ignoring the optional unknown factory in the per-virtualhost typed config.
+ TEST_F(ScopedRdsTest, OptionalUnknownFactoryForPerVirtualHostTypedConfig) {
+   OptionalHttpFilters optional_http_filters;
--- a/envoy/1.20/patches/envoy/20240725-rename-original-host-header.patch
+++ b/envoy/1.20/patches/envoy/20240725-rename-original-host-header.patch
@@ -0,0 +1,13 @@
+diff --git a/source/common/http/headers.h b/source/common/http/headers.h
+index a7a8a3393e..6af4a2852d 100644
+--- a/source/common/http/headers.h
+++ b/source/common/http/headers.h
+@@ -123,7 +123,7 @@ public:
+     const LowerCaseString TriCostTime{"req-cost-time"};
+     const LowerCaseString TriStartTime{"req-start-time"};
+     const LowerCaseString TriRespStartTime{"resp-start-time"};
+-    const LowerCaseString EnvoyOriginalHost{"original-host"};
+    const LowerCaseString EnvoyOriginalHost{"x-envoy-original-host"};
+     const LowerCaseString HigressOriginalService{"x-higress-original-service"};
+   } AliExtendedValues;
+ #endif
--- a/envoy/1.20/patches/envoy/20240725-set-buffer-limit.patch
+++ b/envoy/1.20/patches/envoy/20240725-set-buffer-limit.patch
@@ -0,0 +1,43 @@
+diff --git a/source/extensions/common/wasm/context.cc b/source/extensions/common/wasm/context.cc
+index 9642d8abd3..410baa856f 100644
+--- a/source/extensions/common/wasm/context.cc
+++ b/source/extensions/common/wasm/context.cc
+@@ -62,6 +62,21 @@ constexpr absl::string_view CelStateKeyPrefix = "wasm.";
+ #if defined(ALIMESH)
+ constexpr std::string_view ClearRouteCacheKey = "clear_route_cache";
+ constexpr std::string_view DisableClearRouteCache = "off";
+constexpr std::string_view SetDecoderBufferLimit = "set_decoder_buffer_limit";
+constexpr std::string_view SetEncoderBufferLimit = "set_encoder_buffer_limit";
+
+bool stringViewToUint32(std::string_view str, uint32_t& out_value) {
+  try {
+    unsigned long temp = std::stoul(std::string(str));
+    if (temp <= std::numeric_limits<uint32_t>::max()) {
+      out_value = static_cast<uint32_t>(temp);
+      return true;
+    }
+  } catch (const std::exception& e) {
+    ENVOY_LOG_MISC(critical, "stringToUint exception '{}'", e.what());
+  }
+  return false;
+}
+ #endif
+ 
+ using HashPolicy = envoy::config::route::v3::RouteAction::HashPolicy;
+@@ -1280,6 +1295,16 @@ WasmResult Context::setProperty(std::string_view path, std::string_view value) {
+     } else {
+       disable_clear_route_cache_ = false;
+     }
+  } else if (path == SetDecoderBufferLimit && decoder_callbacks_) {
+    uint32_t buffer_limit;
+    if (stringViewToUint32(value, buffer_limit)) {
+      decoder_callbacks_->setDecoderBufferLimit(buffer_limit);
+    }
+  } else if (path == SetEncoderBufferLimit && encoder_callbacks_) {
+    uint32_t buffer_limit;
+    if (stringViewToUint32(value, buffer_limit)) {
+      encoder_callbacks_->setEncoderBufferLimit(buffer_limit);
+    }
+   }
+ #endif
+   if (!state->setValue(toAbslStringView(value))) {
--- a/envoy/1.20/patches/envoy/20240726-custom-span-tag.patch
+++ b/envoy/1.20/patches/envoy/20240726-custom-span-tag.patch
@@ -0,0 +1,106 @@
+diff --git a/envoy/stream_info/stream_info.h b/envoy/stream_info/stream_info.h
+index c6d82db4f4..09717673b0 100644
+--- a/envoy/stream_info/stream_info.h
+++ b/envoy/stream_info/stream_info.h
+@@ -613,7 +613,21 @@ public:
+    * @return the number of times the request was attempted upstream, absl::nullopt if the request
+    * was never attempted upstream.
+    */
+
+   virtual absl::optional<uint32_t> attemptCount() const PURE;
+
+#ifdef ALIMESH
+  /**
+   * @param key the filter state key set by wasm filter.
+   * @param value the filter state value set by wasm filter.
+   */
+  virtual void setCustomSpanTag(const std::string& key, const std::string& value) PURE;
+
+  /**
+   * @return the key-value map of filter states set by wasm filter.
+   */
+  virtual const std::unordered_map<std::string, std::string>& getCustomSpanTagMap() const PURE;
+#endif
+ };
+ 
+ } // namespace StreamInfo
+diff --git a/source/common/stream_info/stream_info_impl.h b/source/common/stream_info/stream_info_impl.h
+index 6ce2afe773..d5e7a80b37 100644
+--- a/source/common/stream_info/stream_info_impl.h
+++ b/source/common/stream_info/stream_info_impl.h
+@@ -291,6 +291,20 @@ struct StreamInfoImpl : public StreamInfo {
+ 
+   absl::optional<uint32_t> attemptCount() const override { return attempt_count_; }
+ 
+#ifdef ALIMESH
+  void setCustomSpanTag(const std::string& key, const std::string& value) override {
+    auto it = custom_span_tags_.find(key);
+    if (it != custom_span_tags_.end()) {
+      it->second = value;
+    } else {
+      custom_span_tags_.emplace(key, value);
+    }
+  }
+
+  const std::unordered_map<std::string, std::string>& getCustomSpanTagMap() const override {
+    return custom_span_tags_;
+  }
+#endif
+   TimeSource& time_source_;
+   const SystemTime start_time_;
+   const MonotonicTime start_time_monotonic_;
+@@ -350,6 +364,9 @@ private:
+   absl::optional<Upstream::ClusterInfoConstSharedPtr> upstream_cluster_info_;
+   std::string filter_chain_name_;
+   Tracing::Reason trace_reason_;
+#ifdef ALIMESH
+  std::unordered_map<std::string, std::string> custom_span_tags_;
+#endif
+ };
+ 
+ } // namespace StreamInfo
+diff --git a/source/common/tracing/http_tracer_impl.cc b/source/common/tracing/http_tracer_impl.cc
+index e55cf00e0a..f94e9101d7 100644
+--- a/source/common/tracing/http_tracer_impl.cc
+++ b/source/common/tracing/http_tracer_impl.cc
+@@ -214,6 +214,14 @@ void HttpTracerUtility::setCommonTags(Span& span, const Http::ResponseHeaderMap*
+ 
+   span.setTag(Tracing::Tags::get().Component, Tracing::Tags::get().Proxy);
+ 
+#ifdef ALIMESH
+  // Wasm filter state
+  const auto& custom_span_tags = stream_info.getCustomSpanTagMap();
+  for (const auto& it : custom_span_tags) {
+    span.setTag(it.first, it.second);
+  }
+#endif
+
+   if (nullptr != stream_info.upstreamHost()) {
+     span.setTag(Tracing::Tags::get().UpstreamCluster, stream_info.upstreamHost()->cluster().name());
+     span.setTag(Tracing::Tags::get().UpstreamClusterName,
+diff --git a/source/extensions/common/wasm/context.cc b/source/extensions/common/wasm/context.cc
+index 410baa856f..b11ecf1cd6 100644
+--- a/source/extensions/common/wasm/context.cc
+++ b/source/extensions/common/wasm/context.cc
+@@ -60,6 +60,7 @@ namespace {
+ constexpr absl::string_view CelStateKeyPrefix = "wasm.";
+ 
+ #if defined(ALIMESH)
+constexpr absl::string_view CustomeTraceSpanTagPrefix = "trace_span_tag.";
+ constexpr std::string_view ClearRouteCacheKey = "clear_route_cache";
+ constexpr std::string_view DisableClearRouteCache = "off";
+ constexpr std::string_view SetDecoderBufferLimit = "set_decoder_buffer_limit";
+@@ -1271,6 +1272,13 @@ WasmResult Context::setProperty(std::string_view path, std::string_view value) {
+   if (!stream_info) {
+     return WasmResult::NotFound;
+   }
+#ifdef ALIMESH
+  if (absl::StartsWith(absl::string_view{path.data(), path.size()}, CustomeTraceSpanTagPrefix)) {
+    stream_info->setCustomSpanTag(std::string(path.substr(CustomeTraceSpanTagPrefix.size())),
+                                  std::string(value));
+    return WasmResult::Ok;
+  }
+#endif
+   std::string key;
+   absl::StrAppend(&key, CelStateKeyPrefix, toAbslStringView(path));
+   CelState* state;
--- a/envoy/1.20/patches/go-control-plane/20240104-enhance-srds.patch
+++ b/envoy/1.20/patches/go-control-plane/20240104-enhance-srds.patch
@@ -0,0 +1,931 @@
+diff -Naur go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.go go-control-plane-new/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.go
+--- go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.go	2024-01-04 21:07:22.000000000 +0800
+++ go-control-plane-new/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.go	2024-01-04 21:02:10.000000000 +0800
+@@ -2286,6 +2286,8 @@
+ 
+ 	// Types that are assignable to Type:
+ 	//	*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_
+	//	*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor_
+	//	*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor_
+ 	Type isScopedRoutes_ScopeKeyBuilder_FragmentBuilder_Type `protobuf_oneof:"type"`
+ }
+ 
+@@ -2335,6 +2337,20 @@
+ 	return nil
+ }
+ 
+func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder) GetHostValueExtractor() *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor {
+	if x, ok := x.GetType().(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor_); ok {
+		return x.HostValueExtractor
+	}
+	return nil
+}
+
+func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder) GetLocalPortValueExtractor() *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor {
+	if x, ok := x.GetType().(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor_); ok {
+		return x.LocalPortValueExtractor
+	}
+	return nil
+}
+
+ type isScopedRoutes_ScopeKeyBuilder_FragmentBuilder_Type interface {
+ 	isScopedRoutes_ScopeKeyBuilder_FragmentBuilder_Type()
+ }
+@@ -2344,9 +2360,23 @@
+ 	HeaderValueExtractor *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor `protobuf:"bytes,1,opt,name=header_value_extractor,json=headerValueExtractor,proto3,oneof"`
+ }
+ 
+type ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor_ struct {
+	HostValueExtractor *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor `protobuf:"bytes,101,opt,name=host_value_extractor,json=hostValueExtractor,proto3,oneof"`
+}
+
+type ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor_ struct {
+	LocalPortValueExtractor *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor `protobuf:"bytes,102,opt,name=local_port_value_extractor,json=localPortValueExtractor,proto3,oneof"`
+}
+
+ func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_) isScopedRoutes_ScopeKeyBuilder_FragmentBuilder_Type() {
+ }
+ 
+func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor_) isScopedRoutes_ScopeKeyBuilder_FragmentBuilder_Type() {
+}
+
+func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor_) isScopedRoutes_ScopeKeyBuilder_FragmentBuilder_Type() {
+}
+
+ // Specifies how the value of a header should be extracted.
+ // The following example maps the structure of a header to the fields in this message.
+ //
+@@ -2475,6 +2505,92 @@
+ func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_Element) isScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_ExtractType() {
+ }
+ 
+type ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// The maximum number of host superset recomputes. If not specified, defaults to 100.
+	MaxRecomputeNum *wrappers.UInt32Value `protobuf:"bytes,1,opt,name=max_recompute_num,json=maxRecomputeNum,proto3" json:"max_recompute_num,omitempty"`
+}
+
+func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor) Reset() {
+	*x = ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[18]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor) ProtoMessage() {}
+
+func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor) ProtoReflect() protoreflect.Message {
+	mi := &file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[18]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor.ProtoReflect.Descriptor instead.
+func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor) Descriptor() ([]byte, []int) {
+	return file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_rawDescGZIP(), []int{5, 0, 0, 1}
+}
+
+func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor) GetMaxRecomputeNum() *wrappers.UInt32Value {
+	if x != nil {
+		return x.MaxRecomputeNum
+	}
+	return nil
+}
+
+type ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor) Reset() {
+	*x = ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[19]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor) ProtoMessage() {}
+
+func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor) ProtoReflect() protoreflect.Message {
+	mi := &file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[19]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor.ProtoReflect.Descriptor instead.
+func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor) Descriptor() ([]byte, []int) {
+	return file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_rawDescGZIP(), []int{5, 0, 0, 2}
+}
+
+ // Specifies a header field's key value pair to match on.
+ type ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement struct {
+ 	state         protoimpl.MessageState
+@@ -2494,7 +2610,7 @@
+ func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement) Reset() {
+ 	*x = ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement{}
+ 	if protoimpl.UnsafeEnabled {
+-		mi := &file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[18]
+		mi := &file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[20]
+ 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ 		ms.StoreMessageInfo(mi)
+ 	}
+@@ -2507,7 +2623,7 @@
+ func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement) ProtoMessage() {}
+ 
+ func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement) ProtoReflect() protoreflect.Message {
+-	mi := &file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[18]
+	mi := &file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[20]
+ 	if protoimpl.UnsafeEnabled && x != nil {
+ 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ 		if ms.LoadMessageInfo() == nil {
+@@ -3079,7 +3195,7 @@
+ 	0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61,
+ 	0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52,
+ 	0x6f, 0x75, 0x74, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f,
+-	0x6e, 0x73, 0x4c, 0x69, 0x73, 0x74, 0x22, 0xe9, 0x0e, 0x0a, 0x0c, 0x53, 0x63, 0x6f, 0x70, 0x65,
+	0x6e, 0x73, 0x4c, 0x69, 0x73, 0x74, 0x22, 0xe1, 0x14, 0x0a, 0x0c, 0x53, 0x63, 0x6f, 0x70, 0x65,
+ 	0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x1b, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18,
+ 	0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x04,
+ 	0x6e, 0x61, 0x6d, 0x65, 0x12, 0x8f, 0x01, 0x0a, 0x11, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x5f, 0x6b,
+@@ -3114,7 +3230,7 @@
+ 	0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f,
+ 	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x33, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65,
+ 	0x64, 0x52, 0x64, 0x73, 0x48, 0x00, 0x52, 0x09, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x64,
+-	0x73, 0x1a, 0xd9, 0x09, 0x0a, 0x0f, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75,
+	0x73, 0x1a, 0xd1, 0x0f, 0x0a, 0x0f, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75,
+ 	0x69, 0x6c, 0x64, 0x65, 0x72, 0x12, 0x91, 0x01, 0x0a, 0x09, 0x66, 0x72, 0x61, 0x67, 0x6d, 0x65,
+ 	0x6e, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x69, 0x2e, 0x65, 0x6e, 0x76, 0x6f,
+ 	0x79, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c,
+@@ -3124,7 +3240,7 @@
+ 	0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69,
+ 	0x6c, 0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x69,
+ 	0x6c, 0x64, 0x65, 0x72, 0x42, 0x08, 0xfa, 0x42, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x09,
+-	0x66, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x1a, 0xd5, 0x07, 0x0a, 0x0f, 0x46, 0x72,
+	0x66, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x1a, 0xcd, 0x0d, 0x0a, 0x0f, 0x46, 0x72,
+ 	0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x12, 0xb6, 0x01,
+ 	0x0a, 0x16, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65,
+ 	0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x7e,
+@@ -3137,131 +3253,178 @@
+ 	0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72,
+ 	0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x48, 0x00,
+ 	0x52, 0x14, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74,
+-	0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x1a, 0x8f, 0x05, 0x0a, 0x14, 0x48, 0x65, 0x61, 0x64, 0x65,
+-	0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x12,
+-	0x1b, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa,
+-	0x42, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x2b, 0x0a, 0x11,
+-	0x65, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x73, 0x65, 0x70, 0x61, 0x72, 0x61, 0x74, 0x6f,
+-	0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x10, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74,
+-	0x53, 0x65, 0x70, 0x61, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x16, 0x0a, 0x05, 0x69, 0x6e, 0x64,
+-	0x65, 0x78, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x48, 0x00, 0x52, 0x05, 0x69, 0x6e, 0x64, 0x65,
+-	0x78, 0x12, 0xa5, 0x01, 0x0a, 0x07, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x18, 0x04, 0x20,
+-	0x01, 0x28, 0x0b, 0x32, 0x88, 0x01, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74,
+-	0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x2e,
+	0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x12, 0xb0, 0x01, 0x0a, 0x14, 0x68, 0x6f, 0x73, 0x74, 0x5f,
+	0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x18,
+	0x65, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x7c, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78,
+	0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73,
+	0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f,
+	0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72,
+	0x2e, 0x76, 0x33, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73,
+	0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72,
+	0x2e, 0x46, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72,
+	0x2e, 0x48, 0x6f, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63,
+	0x74, 0x6f, 0x72, 0x48, 0x00, 0x52, 0x12, 0x68, 0x6f, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65,
+	0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x12, 0xc1, 0x01, 0x0a, 0x1a, 0x6c, 0x6f,
+	0x63, 0x61, 0x6c, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65,
+	0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x66, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x81,
+	0x01, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f,
+	0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f,
+	0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69,
+	0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x33, 0x2e, 0x53, 0x63,
+	0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65,
+	0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61, 0x67, 0x6d,
+	0x65, 0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x4c, 0x6f, 0x63, 0x61, 0x6c,
+	0x50, 0x6f, 0x72, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74,
+	0x6f, 0x72, 0x48, 0x00, 0x52, 0x17, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x50, 0x6f, 0x72, 0x74, 0x56,
+	0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x1a, 0x8f, 0x05,
+	0x0a, 0x14, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74,
+	0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x1b, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x04, 0x6e,
+	0x61, 0x6d, 0x65, 0x12, 0x2b, 0x0a, 0x11, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x73,
+	0x65, 0x70, 0x61, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x10,
+	0x65, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x70, 0x61, 0x72, 0x61, 0x74, 0x6f, 0x72,
+	0x12, 0x16, 0x0a, 0x05, 0x69, 0x6e, 0x64, 0x65, 0x78, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x48,
+	0x00, 0x52, 0x05, 0x69, 0x6e, 0x64, 0x65, 0x78, 0x12, 0xa5, 0x01, 0x0a, 0x07, 0x65, 0x6c, 0x65,
+	0x6d, 0x65, 0x6e, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x88, 0x01, 0x2e, 0x65, 0x6e,
+	0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x66,
+	0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68,
+	0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d,
+	0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x33, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64,
+	0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42,
+	0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42,
+	0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x56, 0x61, 0x6c,
+	0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x2e, 0x4b, 0x76, 0x45, 0x6c,
+	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x48, 0x00, 0x52, 0x07, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74,
+	0x1a, 0xdb, 0x01, 0x0a, 0x09, 0x4b, 0x76, 0x45, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x25,
+	0x0a, 0x09, 0x73, 0x65, 0x70, 0x61, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x09, 0x73, 0x65, 0x70, 0x61,
+	0x72, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x19, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x03, 0x6b, 0x65, 0x79,
+	0x3a, 0x8b, 0x01, 0x9a, 0xc5, 0x88, 0x1e, 0x85, 0x01, 0x0a, 0x82, 0x01, 0x65, 0x6e, 0x76, 0x6f,
+	0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e,
+ 	0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e,
+ 	0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e,
+-	0x76, 0x33, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e,
+	0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e,
+ 	0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e,
+ 	0x46, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e,
+ 	0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61,
+-	0x63, 0x74, 0x6f, 0x72, 0x2e, 0x4b, 0x76, 0x45, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x48, 0x00,
+-	0x52, 0x07, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x1a, 0xdb, 0x01, 0x0a, 0x09, 0x4b, 0x76,
+-	0x45, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x25, 0x0a, 0x09, 0x73, 0x65, 0x70, 0x61, 0x72,
+-	0x61, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, 0x72,
+-	0x02, 0x10, 0x01, 0x52, 0x09, 0x73, 0x65, 0x70, 0x61, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x19,
+-	0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04,
+-	0x72, 0x02, 0x10, 0x01, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x3a, 0x8b, 0x01, 0x9a, 0xc5, 0x88, 0x1e,
+-	0x85, 0x01, 0x0a, 0x82, 0x01, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69,
+	0x63, 0x74, 0x6f, 0x72, 0x2e, 0x4b, 0x76, 0x45, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x3a, 0x7f,
+	0x9a, 0xc5, 0x88, 0x1e, 0x7a, 0x0a, 0x78, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e,
+	0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f,
+	0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69,
+	0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63,
+	0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65,
+	0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61, 0x67, 0x6d,
+	0x65, 0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x48, 0x65, 0x61, 0x64, 0x65,
+	0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x42,
+	0x0e, 0x0a, 0x0c, 0x65, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x1a,
+	0xdd, 0x01, 0x0a, 0x12, 0x48, 0x6f, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74,
+	0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x48, 0x0a, 0x11, 0x6d, 0x61, 0x78, 0x5f, 0x72, 0x65,
+	0x63, 0x6f, 0x6d, 0x70, 0x75, 0x74, 0x65, 0x5f, 0x6e, 0x75, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x62, 0x75, 0x66, 0x2e, 0x55, 0x49, 0x6e, 0x74, 0x33, 0x32, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52,
+	0x0f, 0x6d, 0x61, 0x78, 0x52, 0x65, 0x63, 0x6f, 0x6d, 0x70, 0x75, 0x74, 0x65, 0x4e, 0x75, 0x6d,
+	0x3a, 0x7d, 0x9a, 0xc5, 0x88, 0x1e, 0x78, 0x0a, 0x76, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63,
+	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74,
+	0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63,
+	0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e,
+	0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f,
+	0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61,
+	0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x48, 0x6f, 0x73,
+	0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x1a,
+	0x9e, 0x01, 0x0a, 0x17, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x50, 0x6f, 0x72, 0x74, 0x56, 0x61, 0x6c,
+	0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x3a, 0x82, 0x01, 0x9a, 0xc5,
+	0x88, 0x1e, 0x7d, 0x0a, 0x7b, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69,
+ 	0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b,
+ 	0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e,
+ 	0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f, 0x70,
+ 	0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65,
+ 	0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e,
+-	0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x56,
+-	0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x2e, 0x4b, 0x76,
+-	0x45, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x3a, 0x7f, 0x9a, 0xc5, 0x88, 0x1e, 0x7a, 0x0a, 0x78,
+-	0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c,
+-	0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70,
+-	0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61,
+-	0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75,
+-	0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c,
+-	0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c,
+-	0x64, 0x65, 0x72, 0x2e, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45,
+-	0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x42, 0x0e, 0x0a, 0x0c, 0x65, 0x78, 0x74, 0x72,
+-	0x61, 0x63, 0x74, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x3a, 0x6a, 0x9a, 0xc5, 0x88, 0x1e, 0x65, 0x0a,
+-	0x63, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69,
+-	0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74,
+-	0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e,
+-	0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f,
+-	0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69,
+-	0x6c, 0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x69,
+-	0x6c, 0x64, 0x65, 0x72, 0x42, 0x0b, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x03, 0xf8, 0x42,
+-	0x01, 0x3a, 0x5a, 0x9a, 0xc5, 0x88, 0x1e, 0x55, 0x0a, 0x53, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e,
+-	0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65,
+-	0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65,
+-	0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32,
+-	0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63,
+-	0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x3a, 0x4a, 0x9a,
+-	0xc5, 0x88, 0x1e, 0x45, 0x0a, 0x43, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66,
+-	0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72,
+-	0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f,
+-	0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f,
+-	0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x42, 0x17, 0x0a, 0x10, 0x63, 0x6f, 0x6e,
+-	0x66, 0x69, 0x67, 0x5f, 0x73, 0x70, 0x65, 0x63, 0x69, 0x66, 0x69, 0x65, 0x72, 0x12, 0x03, 0xf8,
+-	0x42, 0x01, 0x22, 0xf1, 0x01, 0x0a, 0x09, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x64, 0x73,
+-	0x12, 0x65, 0x0a, 0x18, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x5f, 0x72, 0x64, 0x73, 0x5f, 0x63,
+-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01,
+-	0x28, 0x0b, 0x32, 0x22, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69,
+-	0x67, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x33, 0x2e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
+-	0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x42, 0x08, 0xfa, 0x42, 0x05, 0x8a, 0x01, 0x02, 0x10, 0x01,
+-	0x52, 0x15, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x64, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69,
+-	0x67, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x34, 0x0a, 0x16, 0x73, 0x72, 0x64, 0x73, 0x5f,
+-	0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x5f, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x6f,
+-	0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x14, 0x73, 0x72, 0x64, 0x73, 0x52, 0x65, 0x73,
+-	0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x4c, 0x6f, 0x63, 0x61, 0x74, 0x6f, 0x72, 0x3a, 0x47, 0x9a,
+-	0xc5, 0x88, 0x1e, 0x42, 0x0a, 0x40, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66,
+-	0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72,
+-	0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f,
+-	0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f,
+-	0x70, 0x65, 0x64, 0x52, 0x64, 0x73, 0x22, 0xcc, 0x02, 0x0a, 0x0a, 0x48, 0x74, 0x74, 0x70, 0x46,
+-	0x69, 0x6c, 0x74, 0x65, 0x72, 0x12, 0x1b, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20,
+-	0x01, 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x04, 0x6e, 0x61,
+-	0x6d, 0x65, 0x12, 0x39, 0x0a, 0x0c, 0x74, 0x79, 0x70, 0x65, 0x64, 0x5f, 0x63, 0x6f, 0x6e, 0x66,
+-	0x69, 0x67, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
+-	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79, 0x48, 0x00,
+-	0x52, 0x0b, 0x74, 0x79, 0x70, 0x65, 0x64, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x58, 0x0a,
+-	0x10, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72,
+-	0x79, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e,
+-	0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x33, 0x2e, 0x45,
+-	0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x6f,
+-	0x75, 0x72, 0x63, 0x65, 0x48, 0x00, 0x52, 0x0f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x44, 0x69,
+-	0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x12, 0x1f, 0x0a, 0x0b, 0x69, 0x73, 0x5f, 0x6f, 0x70,
+-	0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x69, 0x73,
+-	0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x3a, 0x48, 0x9a, 0xc5, 0x88, 0x1e, 0x43, 0x0a,
+-	0x41, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69,
+-	0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74,
+-	0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e,
+-	0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x48, 0x74, 0x74, 0x70, 0x46, 0x69, 0x6c, 0x74,
+-	0x65, 0x72, 0x42, 0x0d, 0x0a, 0x0b, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x74, 0x79, 0x70,
+-	0x65, 0x4a, 0x04, 0x08, 0x03, 0x10, 0x04, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x52, 0x06, 0x63,
+-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0x9f, 0x01, 0x0a, 0x12, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+-	0x74, 0x49, 0x44, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x37, 0x0a, 0x0c,
+-	0x74, 0x79, 0x70, 0x65, 0x64, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01,
+-	0x28, 0x0b, 0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+-	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79, 0x52, 0x0b, 0x74, 0x79, 0x70, 0x65, 0x64, 0x43,
+-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x3a, 0x50, 0x9a, 0xc5, 0x88, 0x1e, 0x4b, 0x0a, 0x49, 0x65, 0x6e,
+	0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x50, 0x6f,
+	0x72, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72,
+	0x3a, 0x6a, 0x9a, 0xc5, 0x88, 0x1e, 0x65, 0x0a, 0x63, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63,
+	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74,
+	0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63,
+	0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e,
+	0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f,
+	0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61,
+	0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x42, 0x0b, 0x0a, 0x04,
+	0x74, 0x79, 0x70, 0x65, 0x12, 0x03, 0xf8, 0x42, 0x01, 0x3a, 0x5a, 0x9a, 0xc5, 0x88, 0x1e, 0x55,
+	0x0a, 0x53, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66,
+	0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74,
+	0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61,
+	0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52,
+	0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75,
+	0x69, 0x6c, 0x64, 0x65, 0x72, 0x3a, 0x4a, 0x9a, 0xc5, 0x88, 0x1e, 0x45, 0x0a, 0x43, 0x65, 0x6e,
+ 	0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65,
+ 	0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63,
+ 	0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
+-	0x72, 0x2e, 0x76, 0x32, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x49, 0x44, 0x45, 0x78,
+-	0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x8e, 0x01, 0x0a, 0x20, 0x45, 0x6e, 0x76, 0x6f,
+-	0x79, 0x4d, 0x6f, 0x62, 0x69, 0x6c, 0x65, 0x48, 0x74, 0x74, 0x70, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
+-	0x63, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x12, 0x6a, 0x0a, 0x06,
+-	0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x52, 0x2e, 0x65,
+-	0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e,
+-	0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e,
+-	0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f,
+-	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x33, 0x2e, 0x48, 0x74, 0x74, 0x70, 0x43,
+-	0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72,
+-	0x52, 0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x42, 0x71, 0x0a, 0x49, 0x69, 0x6f, 0x2e, 0x65,
+-	0x6e, 0x76, 0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e,
+-	0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65,
+-	0x72, 0x73, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f,
+-	0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67,
+-	0x65, 0x72, 0x2e, 0x76, 0x33, 0x42, 0x1a, 0x48, 0x74, 0x74, 0x70, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
+-	0x63, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x50, 0x72, 0x6f, 0x74,
+-	0x6f, 0x50, 0x01, 0xba, 0x80, 0xc8, 0xd1, 0x06, 0x02, 0x10, 0x02, 0x62, 0x06, 0x70, 0x72, 0x6f,
+-	0x74, 0x6f, 0x33,
+	0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65,
+	0x73, 0x42, 0x17, 0x0a, 0x10, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x73, 0x70, 0x65, 0x63,
+	0x69, 0x66, 0x69, 0x65, 0x72, 0x12, 0x03, 0xf8, 0x42, 0x01, 0x22, 0xf1, 0x01, 0x0a, 0x09, 0x53,
+	0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x64, 0x73, 0x12, 0x65, 0x0a, 0x18, 0x73, 0x63, 0x6f, 0x70,
+	0x65, 0x64, 0x5f, 0x72, 0x64, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x73, 0x6f,
+	0x75, 0x72, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x65, 0x6e, 0x76,
+	0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76,
+	0x33, 0x2e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x42, 0x08,
+	0xfa, 0x42, 0x05, 0x8a, 0x01, 0x02, 0x10, 0x01, 0x52, 0x15, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x64,
+	0x52, 0x64, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12,
+	0x34, 0x0a, 0x16, 0x73, 0x72, 0x64, 0x73, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65,
+	0x73, 0x5f, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x14, 0x73, 0x72, 0x64, 0x73, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x4c, 0x6f,
+	0x63, 0x61, 0x74, 0x6f, 0x72, 0x3a, 0x47, 0x9a, 0xc5, 0x88, 0x1e, 0x42, 0x0a, 0x40, 0x65, 0x6e,
+	0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65,
+	0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63,
+	0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
+	0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x64, 0x73, 0x22, 0xcc,
+	0x02, 0x0a, 0x0a, 0x48, 0x74, 0x74, 0x70, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x12, 0x1b, 0x0a,
+	0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04,
+	0x72, 0x02, 0x10, 0x01, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x39, 0x0a, 0x0c, 0x74, 0x79,
+	0x70, 0x65, 0x64, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b,
+	0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
+	0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79, 0x48, 0x00, 0x52, 0x0b, 0x74, 0x79, 0x70, 0x65, 0x64, 0x43,
+	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x58, 0x0a, 0x10, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f,
+	0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32,
+	0x2b, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x63,
+	0x6f, 0x72, 0x65, 0x2e, 0x76, 0x33, 0x2e, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e,
+	0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x48, 0x00, 0x52, 0x0f,
+	0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x44, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x12,
+	0x1f, 0x0a, 0x0b, 0x69, 0x73, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x18, 0x06,
+	0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x69, 0x73, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c,
+	0x3a, 0x48, 0x9a, 0xc5, 0x88, 0x1e, 0x43, 0x0a, 0x41, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63,
+	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74,
+	0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63,
+	0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e,
+	0x48, 0x74, 0x74, 0x70, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x42, 0x0d, 0x0a, 0x0b, 0x63, 0x6f,
+	0x6e, 0x66, 0x69, 0x67, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x4a, 0x04, 0x08, 0x03, 0x10, 0x04, 0x4a,
+	0x04, 0x08, 0x02, 0x10, 0x03, 0x52, 0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0x9f, 0x01,
+	0x0a, 0x12, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x49, 0x44, 0x45, 0x78, 0x74, 0x65, 0x6e,
+	0x73, 0x69, 0x6f, 0x6e, 0x12, 0x37, 0x0a, 0x0c, 0x74, 0x79, 0x70, 0x65, 0x64, 0x5f, 0x63, 0x6f,
+	0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f,
+	0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79,
+	0x52, 0x0b, 0x74, 0x79, 0x70, 0x65, 0x64, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x3a, 0x50, 0x9a,
+	0xc5, 0x88, 0x1e, 0x4b, 0x0a, 0x49, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66,
+	0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72,
+	0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f,
+	0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x49, 0x44, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x22,
+	0x8e, 0x01, 0x0a, 0x20, 0x45, 0x6e, 0x76, 0x6f, 0x79, 0x4d, 0x6f, 0x62, 0x69, 0x6c, 0x65, 0x48,
+	0x74, 0x74, 0x70, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x6e,
+	0x61, 0x67, 0x65, 0x72, 0x12, 0x6a, 0x0a, 0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x0b, 0x32, 0x52, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74,
+	0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x2e,
+	0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e,
+	0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e,
+	0x76, 0x33, 0x2e, 0x48, 0x74, 0x74, 0x70, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f,
+	0x6e, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x52, 0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67,
+	0x42, 0x71, 0x0a, 0x49, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78,
+	0x79, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f,
+	0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f,
+	0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69,
+	0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x33, 0x42, 0x1a, 0x48,
+	0x74, 0x74, 0x70, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x6e,
+	0x61, 0x67, 0x65, 0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0xba, 0x80, 0xc8, 0xd1, 0x06,
+	0x02, 0x10, 0x02, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+ }
+ 
+ var (
+@@ -3277,7 +3440,7 @@
+ }
+ 
+ var file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_enumTypes = make([]protoimpl.EnumInfo, 5)
+-var file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes = make([]protoimpl.MessageInfo, 19)
+var file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes = make([]protoimpl.MessageInfo, 21)
+ var file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_goTypes = []interface{}{
+ 	(HttpConnectionManager_CodecType)(0),                                                // 0: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.CodecType
+ 	(HttpConnectionManager_ServerHeaderTransformation)(0),                               // 1: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ServerHeaderTransformation
+@@ -3302,102 +3465,107 @@
+ 	(*ScopedRoutes_ScopeKeyBuilder)(nil),                                                // 20: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder
+ 	(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder)(nil),                                // 21: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder
+ 	(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor)(nil),           // 22: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor
+-	(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement)(nil), // 23: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.KvElement
+-	(*v32.RouteConfiguration)(nil),                                                      // 24: envoy.config.route.v3.RouteConfiguration
+-	(*wrappers.BoolValue)(nil),                                                          // 25: google.protobuf.BoolValue
+-	(*v3.HttpProtocolOptions)(nil),                                                      // 26: envoy.config.core.v3.HttpProtocolOptions
+-	(*v3.Http1ProtocolOptions)(nil),                                                     // 27: envoy.config.core.v3.Http1ProtocolOptions
+-	(*v3.Http2ProtocolOptions)(nil),                                                     // 28: envoy.config.core.v3.Http2ProtocolOptions
+-	(*v3.Http3ProtocolOptions)(nil),                                                     // 29: envoy.config.core.v3.Http3ProtocolOptions
+-	(*v3.SchemeHeaderTransformation)(nil),                                               // 30: envoy.config.core.v3.SchemeHeaderTransformation
+-	(*wrappers.UInt32Value)(nil),                                                        // 31: google.protobuf.UInt32Value
+-	(*duration.Duration)(nil),                                                           // 32: google.protobuf.Duration
+-	(*v31.AccessLog)(nil),                                                               // 33: envoy.config.accesslog.v3.AccessLog
+-	(*v3.TypedExtensionConfig)(nil),                                                     // 34: envoy.config.core.v3.TypedExtensionConfig
+-	(*v3.SubstitutionFormatString)(nil),                                                 // 35: envoy.config.core.v3.SubstitutionFormatString
+-	(*v31.AccessLogFilter)(nil),                                                         // 36: envoy.config.accesslog.v3.AccessLogFilter
+-	(*v3.DataSource)(nil),                                                               // 37: envoy.config.core.v3.DataSource
+-	(*v3.HeaderValueOption)(nil),                                                        // 38: envoy.config.core.v3.HeaderValueOption
+-	(*v3.ConfigSource)(nil),                                                             // 39: envoy.config.core.v3.ConfigSource
+-	(*v32.ScopedRouteConfiguration)(nil),                                                // 40: envoy.config.route.v3.ScopedRouteConfiguration
+-	(*any.Any)(nil),                                                                     // 41: google.protobuf.Any
+-	(*v3.ExtensionConfigSource)(nil),                                                    // 42: envoy.config.core.v3.ExtensionConfigSource
+-	(*v33.Percent)(nil),                                                                 // 43: envoy.type.v3.Percent
+-	(*v34.CustomTag)(nil),                                                               // 44: envoy.type.tracing.v3.CustomTag
+-	(*v35.Tracing_Http)(nil),                                                            // 45: envoy.config.trace.v3.Tracing.Http
+-	(*v36.PathTransformation)(nil),                                                      // 46: envoy.type.http.v3.PathTransformation
+	(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor)(nil),             // 23: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HostValueExtractor
+	(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor)(nil),        // 24: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.LocalPortValueExtractor
+	(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement)(nil), // 25: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.KvElement
+	(*v32.RouteConfiguration)(nil),                                                      // 26: envoy.config.route.v3.RouteConfiguration
+	(*wrappers.BoolValue)(nil),                                                          // 27: google.protobuf.BoolValue
+	(*v3.HttpProtocolOptions)(nil),                                                      // 28: envoy.config.core.v3.HttpProtocolOptions
+	(*v3.Http1ProtocolOptions)(nil),                                                     // 29: envoy.config.core.v3.Http1ProtocolOptions
+	(*v3.Http2ProtocolOptions)(nil),                                                     // 30: envoy.config.core.v3.Http2ProtocolOptions
+	(*v3.Http3ProtocolOptions)(nil),                                                     // 31: envoy.config.core.v3.Http3ProtocolOptions
+	(*v3.SchemeHeaderTransformation)(nil),                                               // 32: envoy.config.core.v3.SchemeHeaderTransformation
+	(*wrappers.UInt32Value)(nil),                                                        // 33: google.protobuf.UInt32Value
+	(*duration.Duration)(nil),                                                           // 34: google.protobuf.Duration
+	(*v31.AccessLog)(nil),                                                               // 35: envoy.config.accesslog.v3.AccessLog
+	(*v3.TypedExtensionConfig)(nil),                                                     // 36: envoy.config.core.v3.TypedExtensionConfig
+	(*v3.SubstitutionFormatString)(nil),                                                 // 37: envoy.config.core.v3.SubstitutionFormatString
+	(*v31.AccessLogFilter)(nil),                                                         // 38: envoy.config.accesslog.v3.AccessLogFilter
+	(*v3.DataSource)(nil),                                                               // 39: envoy.config.core.v3.DataSource
+	(*v3.HeaderValueOption)(nil),                                                        // 40: envoy.config.core.v3.HeaderValueOption
+	(*v3.ConfigSource)(nil),                                                             // 41: envoy.config.core.v3.ConfigSource
+	(*v32.ScopedRouteConfiguration)(nil),                                                // 42: envoy.config.route.v3.ScopedRouteConfiguration
+	(*any.Any)(nil),                                                                     // 43: google.protobuf.Any
+	(*v3.ExtensionConfigSource)(nil),                                                    // 44: envoy.config.core.v3.ExtensionConfigSource
+	(*v33.Percent)(nil),                                                                 // 45: envoy.type.v3.Percent
+	(*v34.CustomTag)(nil),                                                               // 46: envoy.type.tracing.v3.CustomTag
+	(*v35.Tracing_Http)(nil),                                                            // 47: envoy.config.trace.v3.Tracing.Http
+	(*v36.PathTransformation)(nil),                                                      // 48: envoy.type.http.v3.PathTransformation
+ }
+ var file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_depIdxs = []int32{
+ 	0,  // 0: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.codec_type:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.CodecType
+ 	8,  // 1: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.rds:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.Rds
+-	24, // 2: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.route_config:type_name -> envoy.config.route.v3.RouteConfiguration
+	26, // 2: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.route_config:type_name -> envoy.config.route.v3.RouteConfiguration
+ 	10, // 3: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.scoped_routes:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes
+ 	12, // 4: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http_filters:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpFilter
+-	25, // 5: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.add_user_agent:type_name -> google.protobuf.BoolValue
+	27, // 5: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.add_user_agent:type_name -> google.protobuf.BoolValue
+ 	15, // 6: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.tracing:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing
+-	26, // 7: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.common_http_protocol_options:type_name -> envoy.config.core.v3.HttpProtocolOptions
+-	27, // 8: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http_protocol_options:type_name -> envoy.config.core.v3.Http1ProtocolOptions
+-	28, // 9: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http2_protocol_options:type_name -> envoy.config.core.v3.Http2ProtocolOptions
+-	29, // 10: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http3_protocol_options:type_name -> envoy.config.core.v3.Http3ProtocolOptions
+	28, // 7: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.common_http_protocol_options:type_name -> envoy.config.core.v3.HttpProtocolOptions
+	29, // 8: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http_protocol_options:type_name -> envoy.config.core.v3.Http1ProtocolOptions
+	30, // 9: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http2_protocol_options:type_name -> envoy.config.core.v3.Http2ProtocolOptions
+	31, // 10: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http3_protocol_options:type_name -> envoy.config.core.v3.Http3ProtocolOptions
+ 	1,  // 11: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.server_header_transformation:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ServerHeaderTransformation
+-	30, // 12: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.scheme_header_transformation:type_name -> envoy.config.core.v3.SchemeHeaderTransformation
+-	31, // 13: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.max_request_headers_kb:type_name -> google.protobuf.UInt32Value
+-	32, // 14: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_idle_timeout:type_name -> google.protobuf.Duration
+-	32, // 15: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.request_timeout:type_name -> google.protobuf.Duration
+-	32, // 16: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.request_headers_timeout:type_name -> google.protobuf.Duration
+-	32, // 17: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.drain_timeout:type_name -> google.protobuf.Duration
+-	32, // 18: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.delayed_close_timeout:type_name -> google.protobuf.Duration
+-	33, // 19: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.access_log:type_name -> envoy.config.accesslog.v3.AccessLog
+-	25, // 20: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.use_remote_address:type_name -> google.protobuf.BoolValue
+-	34, // 21: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.original_ip_detection_extensions:type_name -> envoy.config.core.v3.TypedExtensionConfig
+	32, // 12: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.scheme_header_transformation:type_name -> envoy.config.core.v3.SchemeHeaderTransformation
+	33, // 13: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.max_request_headers_kb:type_name -> google.protobuf.UInt32Value
+	34, // 14: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_idle_timeout:type_name -> google.protobuf.Duration
+	34, // 15: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.request_timeout:type_name -> google.protobuf.Duration
+	34, // 16: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.request_headers_timeout:type_name -> google.protobuf.Duration
+	34, // 17: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.drain_timeout:type_name -> google.protobuf.Duration
+	34, // 18: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.delayed_close_timeout:type_name -> google.protobuf.Duration
+	35, // 19: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.access_log:type_name -> envoy.config.accesslog.v3.AccessLog
+	27, // 20: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.use_remote_address:type_name -> google.protobuf.BoolValue
+	36, // 21: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.original_ip_detection_extensions:type_name -> envoy.config.core.v3.TypedExtensionConfig
+ 	16, // 22: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.internal_address_config:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.InternalAddressConfig
+-	25, // 23: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.generate_request_id:type_name -> google.protobuf.BoolValue
+	27, // 23: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.generate_request_id:type_name -> google.protobuf.BoolValue
+ 	2,  // 24: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.forward_client_cert_details:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ForwardClientCertDetails
+ 	17, // 25: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.set_current_client_cert_details:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.SetCurrentClientCertDetails
+ 	18, // 26: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.upgrade_configs:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.UpgradeConfig
+-	25, // 27: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.normalize_path:type_name -> google.protobuf.BoolValue
+	27, // 27: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.normalize_path:type_name -> google.protobuf.BoolValue
+ 	3,  // 28: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.path_with_escaped_slashes_action:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathWithEscapedSlashesAction
+ 	13, // 29: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.request_id_extension:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.RequestIDExtension
+ 	6,  // 30: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.local_reply_config:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.LocalReplyConfig
+-	25, // 31: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_error_on_invalid_http_message:type_name -> google.protobuf.BoolValue
+	27, // 31: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_error_on_invalid_http_message:type_name -> google.protobuf.BoolValue
+ 	19, // 32: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.path_normalization_options:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathNormalizationOptions
+ 	7,  // 33: envoy.extensions.filters.network.http_connection_manager.v3.LocalReplyConfig.mappers:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper
+-	35, // 34: envoy.extensions.filters.network.http_connection_manager.v3.LocalReplyConfig.body_format:type_name -> envoy.config.core.v3.SubstitutionFormatString
+-	36, // 35: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.filter:type_name -> envoy.config.accesslog.v3.AccessLogFilter
+-	31, // 36: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.status_code:type_name -> google.protobuf.UInt32Value
+-	37, // 37: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.body:type_name -> envoy.config.core.v3.DataSource
+-	35, // 38: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.body_format_override:type_name -> envoy.config.core.v3.SubstitutionFormatString
+-	38, // 39: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.headers_to_add:type_name -> envoy.config.core.v3.HeaderValueOption
+-	39, // 40: envoy.extensions.filters.network.http_connection_manager.v3.Rds.config_source:type_name -> envoy.config.core.v3.ConfigSource
+-	40, // 41: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRouteConfigurationsList.scoped_route_configurations:type_name -> envoy.config.route.v3.ScopedRouteConfiguration
+	37, // 34: envoy.extensions.filters.network.http_connection_manager.v3.LocalReplyConfig.body_format:type_name -> envoy.config.core.v3.SubstitutionFormatString
+	38, // 35: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.filter:type_name -> envoy.config.accesslog.v3.AccessLogFilter
+	33, // 36: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.status_code:type_name -> google.protobuf.UInt32Value
+	39, // 37: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.body:type_name -> envoy.config.core.v3.DataSource
+	37, // 38: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.body_format_override:type_name -> envoy.config.core.v3.SubstitutionFormatString
+	40, // 39: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.headers_to_add:type_name -> envoy.config.core.v3.HeaderValueOption
+	41, // 40: envoy.extensions.filters.network.http_connection_manager.v3.Rds.config_source:type_name -> envoy.config.core.v3.ConfigSource
+	42, // 41: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRouteConfigurationsList.scoped_route_configurations:type_name -> envoy.config.route.v3.ScopedRouteConfiguration
+ 	20, // 42: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.scope_key_builder:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder
+-	39, // 43: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.rds_config_source:type_name -> envoy.config.core.v3.ConfigSource
+	41, // 43: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.rds_config_source:type_name -> envoy.config.core.v3.ConfigSource
+ 	9,  // 44: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.scoped_route_configurations_list:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRouteConfigurationsList
+ 	11, // 45: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.scoped_rds:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRds
+-	39, // 46: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRds.scoped_rds_config_source:type_name -> envoy.config.core.v3.ConfigSource
+-	41, // 47: envoy.extensions.filters.network.http_connection_manager.v3.HttpFilter.typed_config:type_name -> google.protobuf.Any
+-	42, // 48: envoy.extensions.filters.network.http_connection_manager.v3.HttpFilter.config_discovery:type_name -> envoy.config.core.v3.ExtensionConfigSource
+-	41, // 49: envoy.extensions.filters.network.http_connection_manager.v3.RequestIDExtension.typed_config:type_name -> google.protobuf.Any
+	41, // 46: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRds.scoped_rds_config_source:type_name -> envoy.config.core.v3.ConfigSource
+	43, // 47: envoy.extensions.filters.network.http_connection_manager.v3.HttpFilter.typed_config:type_name -> google.protobuf.Any
+	44, // 48: envoy.extensions.filters.network.http_connection_manager.v3.HttpFilter.config_discovery:type_name -> envoy.config.core.v3.ExtensionConfigSource
+	43, // 49: envoy.extensions.filters.network.http_connection_manager.v3.RequestIDExtension.typed_config:type_name -> google.protobuf.Any
+ 	5,  // 50: envoy.extensions.filters.network.http_connection_manager.v3.EnvoyMobileHttpConnectionManager.config:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+-	43, // 51: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.client_sampling:type_name -> envoy.type.v3.Percent
+-	43, // 52: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.random_sampling:type_name -> envoy.type.v3.Percent
+-	43, // 53: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.overall_sampling:type_name -> envoy.type.v3.Percent
+-	31, // 54: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.max_path_tag_length:type_name -> google.protobuf.UInt32Value
+-	44, // 55: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.custom_tags:type_name -> envoy.type.tracing.v3.CustomTag
+-	45, // 56: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.provider:type_name -> envoy.config.trace.v3.Tracing.Http
+-	25, // 57: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.SetCurrentClientCertDetails.subject:type_name -> google.protobuf.BoolValue
+	45, // 51: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.client_sampling:type_name -> envoy.type.v3.Percent
+	45, // 52: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.random_sampling:type_name -> envoy.type.v3.Percent
+	45, // 53: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.overall_sampling:type_name -> envoy.type.v3.Percent
+	33, // 54: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.max_path_tag_length:type_name -> google.protobuf.UInt32Value
+	46, // 55: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.custom_tags:type_name -> envoy.type.tracing.v3.CustomTag
+	47, // 56: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.provider:type_name -> envoy.config.trace.v3.Tracing.Http
+	27, // 57: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.SetCurrentClientCertDetails.subject:type_name -> google.protobuf.BoolValue
+ 	12, // 58: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.UpgradeConfig.filters:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpFilter
+-	25, // 59: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.UpgradeConfig.enabled:type_name -> google.protobuf.BoolValue
+-	46, // 60: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathNormalizationOptions.forwarding_transformation:type_name -> envoy.type.http.v3.PathTransformation
+-	46, // 61: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathNormalizationOptions.http_filter_transformation:type_name -> envoy.type.http.v3.PathTransformation
+	27, // 59: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.UpgradeConfig.enabled:type_name -> google.protobuf.BoolValue
+	48, // 60: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathNormalizationOptions.forwarding_transformation:type_name -> envoy.type.http.v3.PathTransformation
+	48, // 61: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathNormalizationOptions.http_filter_transformation:type_name -> envoy.type.http.v3.PathTransformation
+ 	21, // 62: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.fragments:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder
+ 	22, // 63: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.header_value_extractor:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor
+-	23, // 64: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.element:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.KvElement
+-	65, // [65:65] is the sub-list for method output_type
+-	65, // [65:65] is the sub-list for method input_type
+-	65, // [65:65] is the sub-list for extension type_name
+-	65, // [65:65] is the sub-list for extension extendee
+-	0,  // [0:65] is the sub-list for field type_name
+	23, // 64: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.host_value_extractor:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HostValueExtractor
+	24, // 65: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.local_port_value_extractor:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.LocalPortValueExtractor
+	25, // 66: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.element:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.KvElement
+	33, // 67: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HostValueExtractor.max_recompute_num:type_name -> google.protobuf.UInt32Value
+	68, // [68:68] is the sub-list for method output_type
+	68, // [68:68] is the sub-list for method input_type
+	68, // [68:68] is the sub-list for extension type_name
+	68, // [68:68] is the sub-list for extension extendee
+	0,  // [0:68] is the sub-list for field type_name
+ }
+ 
+ func init() {
+@@ -3625,6 +3793,30 @@
+ 			}
+ 		}
+ 		file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[18].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[19].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[20].Exporter = func(v interface{}, i int) interface{} {
+ 			switch v := v.(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement); i {
+ 			case 0:
+ 				return &v.state
+@@ -3653,6 +3845,8 @@
+ 	}
+ 	file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[16].OneofWrappers = []interface{}{
+ 		(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_)(nil),
+		(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor_)(nil),
+		(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor_)(nil),
+ 	}
+ 	file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[17].OneofWrappers = []interface{}{
+ 		(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_Index)(nil),
+@@ -3664,7 +3858,7 @@
+ 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+ 			RawDescriptor: file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_rawDesc,
+ 			NumEnums:      5,
+-			NumMessages:   19,
+			NumMessages:   21,
+ 			NumExtensions: 0,
+ 			NumServices:   0,
+ 		},
+diff -Naur go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.validate.go go-control-plane-new/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.validate.go
+--- go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.validate.go	2024-01-04 21:07:22.000000000 +0800
+++ go-control-plane-new/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.validate.go	2024-01-04 21:02:10.000000000 +0800
+@@ -1986,6 +1986,30 @@
+ 			}
+ 		}
+ 
+	case *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor_:
+
+		if v, ok := interface{}(m.GetHostValueExtractor()).(interface{ Validate() error }); ok {
+			if err := v.Validate(); err != nil {
+				return ScopedRoutes_ScopeKeyBuilder_FragmentBuilderValidationError{
+					field:  "HostValueExtractor",
+					reason: "embedded message failed validation",
+					cause:  err,
+				}
+			}
+		}
+
+	case *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor_:
+
+		if v, ok := interface{}(m.GetLocalPortValueExtractor()).(interface{ Validate() error }); ok {
+			if err := v.Validate(); err != nil {
+				return ScopedRoutes_ScopeKeyBuilder_FragmentBuilderValidationError{
+					field:  "LocalPortValueExtractor",
+					reason: "embedded message failed validation",
+					cause:  err,
+				}
+			}
+		}
+
+ 	default:
+ 		return ScopedRoutes_ScopeKeyBuilder_FragmentBuilderValidationError{
+ 			field:  "Type",
+@@ -2162,6 +2186,172 @@
+ } = ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractorValidationError{}
+ 
+ // Validate checks the field values on
+// ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor with the
+// rules defined in the proto definition for this message. If any rules are
+// violated, an error is returned.
+func (m *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor) Validate() error {
+	if m == nil {
+		return nil
+	}
+
+	if v, ok := interface{}(m.GetMaxRecomputeNum()).(interface{ Validate() error }); ok {
+		if err := v.Validate(); err != nil {
+			return ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError{
+				field:  "MaxRecomputeNum",
+				reason: "embedded message failed validation",
+				cause:  err,
+			}
+		}
+	}
+
+	return nil
+}
+
+// ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError
+// is the validation error returned by
+// ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor.Validate if
+// the designated constraints aren't met.
+type ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError struct {
+	field  string
+	reason string
+	cause  error
+	key    bool
+}
+
+// Field function returns field value.
+func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError) Field() string {
+	return e.field
+}
+
+// Reason function returns reason value.
+func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError) Reason() string {
+	return e.reason
+}
+
+// Cause function returns cause value.
+func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError) Cause() error {
+	return e.cause
+}
+
+// Key function returns key value.
+func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError) Key() bool {
+	return e.key
+}
+
+// ErrorName returns error name.
+func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError) ErrorName() string {
+	return "ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError"
+}
+
+// Error satisfies the builtin error interface
+func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError) Error() string {
+	cause := ""
+	if e.cause != nil {
+		cause = fmt.Sprintf(" | caused by: %v", e.cause)
+	}
+
+	key := ""
+	if e.key {
+		key = "key for "
+	}
+
+	return fmt.Sprintf(
+		"invalid %sScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor.%s: %s%s",
+		key,
+		e.field,
+		e.reason,
+		cause)
+}
+
+var _ error = ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError{}
+
+var _ interface {
+	Field() string
+	Reason() string
+	Key() bool
+	Cause() error
+	ErrorName() string
+} = ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError{}
+
+// Validate checks the field values on
+// ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor with
+// the rules defined in the proto definition for this message. If any rules
+// are violated, an error is returned.
+func (m *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor) Validate() error {
+	if m == nil {
+		return nil
+	}
+
+	return nil
+}
+
+// ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError
+// is the validation error returned by
+// ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor.Validate
+// if the designated constraints aren't met.
+type ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError struct {
+	field  string
+	reason string
+	cause  error
+	key    bool
+}
+
+// Field function returns field value.
+func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError) Field() string {
+	return e.field
+}
+
+// Reason function returns reason value.
+func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError) Reason() string {
+	return e.reason
+}
+
+// Cause function returns cause value.
+func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError) Cause() error {
+	return e.cause
+}
+
+// Key function returns key value.
+func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError) Key() bool {
+	return e.key
+}
+
+// ErrorName returns error name.
+func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError) ErrorName() string {
+	return "ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError"
+}
+
+// Error satisfies the builtin error interface
+func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError) Error() string {
+	cause := ""
+	if e.cause != nil {
+		cause = fmt.Sprintf(" | caused by: %v", e.cause)
+	}
+
+	key := ""
+	if e.key {
+		key = "key for "
+	}
+
+	return fmt.Sprintf(
+		"invalid %sScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor.%s: %s%s",
+		key,
+		e.field,
+		e.reason,
+		cause)
+}
+
+var _ error = ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError{}
+
+var _ interface {
+	Field() string
+	Reason() string
+	Key() bool
+	Cause() error
+	ErrorName() string
+} = ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError{}
+
+// Validate checks the field values on
+ // ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement
+ // with the rules defined in the proto definition for this message. If any
+ // rules are violated, an error is returned.
--- a/envoy/1.20/patches/go-control-plane/20240201-virtual-host-allow-server-name.patch
+++ b/envoy/1.20/patches/go-control-plane/20240201-virtual-host-allow-server-name.patch
--- a/get_helm.sh
+++ b/get_helm.sh
@@ -0,0 +1,341 @@
+#!/usr/bin/env bash
+
+# Copyright The Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# The install script is based off of the MIT-licensed script from glide,
+# the package manager for Go: https://github.com/Masterminds/glide.sh/blob/master/get
+
+: ${BINARY_NAME:="helm"}
+: ${USE_SUDO:="true"}
+: ${DEBUG:="false"}
+: ${VERIFY_CHECKSUM:="true"}
+: ${VERIFY_SIGNATURES:="false"}
+: ${HELM_INSTALL_DIR:="/usr/local/bin"}
+: ${GPG_PUBRING:="pubring.kbx"}
+
+HAS_CURL="$(type "curl" &> /dev/null && echo true || echo false)"
+HAS_WGET="$(type "wget" &> /dev/null && echo true || echo false)"
+HAS_OPENSSL="$(type "openssl" &> /dev/null && echo true || echo false)"
+HAS_GPG="$(type "gpg" &> /dev/null && echo true || echo false)"
+HAS_GIT="$(type "git" &> /dev/null && echo true || echo false)"
+
+# initArch discovers the architecture for this system.
+initArch() {
+  ARCH=$(uname -m)
+  case $ARCH in
+    armv5*) ARCH="armv5";;
+    armv6*) ARCH="armv6";;
+    armv7*) ARCH="arm";;
+    aarch64) ARCH="arm64";;
+    x86) ARCH="386";;
+    x86_64) ARCH="amd64";;
+    i686) ARCH="386";;
+    i386) ARCH="386";;
+  esac
+}
+
+# initOS discovers the operating system for this system.
+initOS() {
+  OS=$(echo `uname`|tr '[:upper:]' '[:lower:]')
+
+  case "$OS" in
+    # Minimalist GNU for Windows
+    mingw*|cygwin*) OS='windows';;
+  esac
+}
+
+# runs the given command as root (detects if we are root already)
+runAsRoot() {
+  if [ $EUID -ne 0 -a "$USE_SUDO" = "true" ]; then
+    sudo "${@}"
+  else
+    "${@}"
+  fi
+}
+
+# verifySupported checks that the os/arch combination is supported for
+# binary builds, as well whether or not necessary tools are present.
+verifySupported() {
+  local supported="darwin-amd64\ndarwin-arm64\nlinux-386\nlinux-amd64\nlinux-arm\nlinux-arm64\nlinux-ppc64le\nlinux-s390x\nlinux-riscv64\nwindows-amd64\nwindows-arm64"
+  if ! echo "${supported}" | grep -q "${OS}-${ARCH}"; then
+    echo "No prebuilt binary for ${OS}-${ARCH}."
+    echo "To build from source, go to https://github.com/helm/helm"
+    exit 1
+  fi
+
+  if [ "${HAS_CURL}" != "true" ] && [ "${HAS_WGET}" != "true" ]; then
+    echo "Either curl or wget is required"
+    exit 1
+  fi
+
+  if [ "${VERIFY_CHECKSUM}" == "true" ] && [ "${HAS_OPENSSL}" != "true" ]; then
+    echo "In order to verify checksum, openssl must first be installed."
+    echo "Please install openssl or set VERIFY_CHECKSUM=false in your environment."
+    exit 1
+  fi
+
+  if [ "${VERIFY_SIGNATURES}" == "true" ]; then
+    if [ "${HAS_GPG}" != "true" ]; then
+      echo "In order to verify signatures, gpg must first be installed."
+      echo "Please install gpg or set VERIFY_SIGNATURES=false in your environment."
+      exit 1
+    fi
+    if [ "${OS}" != "linux" ]; then
+      echo "Signature verification is currently only supported on Linux."
+      echo "Please set VERIFY_SIGNATURES=false or verify the signatures manually."
+      exit 1
+    fi
+  fi
+
+  if [ "${HAS_GIT}" != "true" ]; then
+    echo "[WARNING] Could not find git. It is required for plugin installation."
+  fi
+}
+
+# checkDesiredVersion checks if the desired version is available.
+checkDesiredVersion() {
+  if [ "x$DESIRED_VERSION" == "x" ]; then
+    # Get tag from release URL
+    local latest_release_url="https://get.helm.sh/helm-latest-version"
+    local latest_release_response=""
+    if [ "${HAS_CURL}" == "true" ]; then
+      latest_release_response=$( curl -L --silent --show-error --fail "$latest_release_url" 2>&1 || true )
+    elif [ "${HAS_WGET}" == "true" ]; then
+      latest_release_response=$( wget "$latest_release_url" -q -O - 2>&1 || true )
+    fi
+    TAG=$( echo "$latest_release_response" | grep '^v[0-9]' )
+    if [ "x$TAG" == "x" ]; then
+      printf "Could not retrieve the latest release tag information from %s: %s\n" "${latest_release_url}" "${latest_release_response}"
+      exit 1
+    fi
+  else
+    TAG=$DESIRED_VERSION
+  fi
+}
+
+# checkHelmInstalledVersion checks which version of helm is installed and
+# if it needs to be changed.
+checkHelmInstalledVersion() {
+  if [[ -f "${HELM_INSTALL_DIR}/${BINARY_NAME}" ]]; then
+    local version=$("${HELM_INSTALL_DIR}/${BINARY_NAME}" version --template="{{ .Version }}")
+    if [[ "$version" == "$TAG" ]]; then
+      echo "Helm ${version} is already ${DESIRED_VERSION:-latest}"
+      return 0
+    else
+      echo "Helm ${TAG} is available. Changing from version ${version}."
+      return 1
+    fi
+  else
+    return 1
+  fi
+}
+
+# downloadFile downloads the latest binary package and also the checksum
+# for that binary.
+downloadFile() {
+  HELM_DIST="helm-$TAG-$OS-$ARCH.tar.gz"
+  DOWNLOAD_URL="https://get.helm.sh/$HELM_DIST"
+  CHECKSUM_URL="$DOWNLOAD_URL.sha256"
+  HELM_TMP_ROOT="$(mktemp -dt helm-installer-XXXXXX)"
+  HELM_TMP_FILE="$HELM_TMP_ROOT/$HELM_DIST"
+  HELM_SUM_FILE="$HELM_TMP_ROOT/$HELM_DIST.sha256"
+  echo "Downloading $DOWNLOAD_URL"
+  if [ "${HAS_CURL}" == "true" ]; then
+    curl -SsL "$CHECKSUM_URL" -o "$HELM_SUM_FILE"
+    curl -SsL "$DOWNLOAD_URL" -o "$HELM_TMP_FILE"
+  elif [ "${HAS_WGET}" == "true" ]; then
+    wget -q -O "$HELM_SUM_FILE" "$CHECKSUM_URL"
+    wget -q -O "$HELM_TMP_FILE" "$DOWNLOAD_URL"
+  fi
+}
+
+# verifyFile verifies the SHA256 checksum of the binary package
+# and the GPG signatures for both the package and checksum file
+# (depending on settings in environment).
+verifyFile() {
+  if [ "${VERIFY_CHECKSUM}" == "true" ]; then
+    verifyChecksum
+  fi
+  if [ "${VERIFY_SIGNATURES}" == "true" ]; then
+    verifySignatures
+  fi
+}
+
+# installFile installs the Helm binary.
+installFile() {
+  HELM_TMP="$HELM_TMP_ROOT/$BINARY_NAME"
+  mkdir -p "$HELM_TMP"
+  tar xf "$HELM_TMP_FILE" -C "$HELM_TMP"
+  HELM_TMP_BIN="$HELM_TMP/$OS-$ARCH/helm"
+  echo "Preparing to install $BINARY_NAME into ${HELM_INSTALL_DIR}"
+  runAsRoot cp "$HELM_TMP_BIN" "$HELM_INSTALL_DIR/$BINARY_NAME"
+  echo "$BINARY_NAME installed into $HELM_INSTALL_DIR/$BINARY_NAME"
+}
+
+# verifyChecksum verifies the SHA256 checksum of the binary package.
+verifyChecksum() {
+  printf "Verifying checksum... "
+  local sum=$(openssl sha1 -sha256 ${HELM_TMP_FILE} | awk '{print $2}')
+  local expected_sum=$(cat ${HELM_SUM_FILE})
+  if [ "$sum" != "$expected_sum" ]; then
+    echo "SHA sum of ${HELM_TMP_FILE} does not match. Aborting."
+    exit 1
+  fi
+  echo "Done."
+}
+
+# verifySignatures obtains the latest KEYS file from GitHub main branch
+# as well as the signature .asc files from the specific GitHub release,
+# then verifies that the release artifacts were signed by a maintainer's key.
+verifySignatures() {
+  printf "Verifying signatures... "
+  local keys_filename="KEYS"
+  local github_keys_url="https://raw.githubusercontent.com/helm/helm/main/${keys_filename}"
+  if [ "${HAS_CURL}" == "true" ]; then
+    curl -SsL "${github_keys_url}" -o "${HELM_TMP_ROOT}/${keys_filename}"
+  elif [ "${HAS_WGET}" == "true" ]; then
+    wget -q -O "${HELM_TMP_ROOT}/${keys_filename}" "${github_keys_url}"
+  fi
+  local gpg_keyring="${HELM_TMP_ROOT}/keyring.gpg"
+  local gpg_homedir="${HELM_TMP_ROOT}/gnupg"
+  mkdir -p -m 0700 "${gpg_homedir}"
+  local gpg_stderr_device="/dev/null"
+  if [ "${DEBUG}" == "true" ]; then
+    gpg_stderr_device="/dev/stderr"
+  fi
+  gpg --batch --quiet --homedir="${gpg_homedir}" --import "${HELM_TMP_ROOT}/${keys_filename}" 2> "${gpg_stderr_device}"
+  gpg --batch --no-default-keyring --keyring "${gpg_homedir}/${GPG_PUBRING}" --export > "${gpg_keyring}"
+  local github_release_url="https://github.com/helm/helm/releases/download/${TAG}"
+  if [ "${HAS_CURL}" == "true" ]; then
+    curl -SsL "${github_release_url}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" -o "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc"
+    curl -SsL "${github_release_url}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" -o "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc"
+  elif [ "${HAS_WGET}" == "true" ]; then
+    wget -q -O "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" "${github_release_url}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc"
+    wget -q -O "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" "${github_release_url}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc"
+  fi
+  local error_text="If you think this might be a potential security issue,"
+  error_text="${error_text}\nplease see here: https://github.com/helm/community/blob/master/SECURITY.md"
+  local num_goodlines_sha=$(gpg --verify --keyring="${gpg_keyring}" --status-fd=1 "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" 2> "${gpg_stderr_device}" | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)')
+  if [[ ${num_goodlines_sha} -lt 2 ]]; then
+    echo "Unable to verify the signature of helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256!"
+    echo -e "${error_text}"
+    exit 1
+  fi
+  local num_goodlines_tar=$(gpg --verify --keyring="${gpg_keyring}" --status-fd=1 "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" 2> "${gpg_stderr_device}" | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)')
+  if [[ ${num_goodlines_tar} -lt 2 ]]; then
+    echo "Unable to verify the signature of helm-${TAG}-${OS}-${ARCH}.tar.gz!"
+    echo -e "${error_text}"
+    exit 1
+  fi
+  echo "Done."
+}
+
+# fail_trap is executed if an error occurs.
+fail_trap() {
+  result=$?
+  if [ "$result" != "0" ]; then
+    if [[ -n "$INPUT_ARGUMENTS" ]]; then
+      echo "Failed to install $BINARY_NAME with the arguments provided: $INPUT_ARGUMENTS"
+      help
+    else
+      echo "Failed to install $BINARY_NAME"
+    fi
+    echo -e "\tFor support, go to https://github.com/helm/helm."
+  fi
+  cleanup
+  exit $result
+}
+
+# testVersion tests the installed client to make sure it is working.
+testVersion() {
+  set +e
+  HELM="$(command -v $BINARY_NAME)"
+  if [ "$?" = "1" ]; then
+    echo "$BINARY_NAME not found. Is $HELM_INSTALL_DIR on your "'$PATH?'
+    exit 1
+  fi
+  set -e
+}
+
+# help provides possible cli installation arguments
+help () {
+  echo "Accepted cli arguments are:"
+  echo -e "\t[--help|-h ] ->> prints this help"
+  echo -e "\t[--version|-v <desired_version>] . When not defined it fetches the latest release from GitHub"
+  echo -e "\te.g. --version v3.0.0 or -v canary"
+  echo -e "\t[--no-sudo]  ->> install without sudo"
+}
+
+# cleanup temporary files to avoid https://github.com/helm/helm/issues/2977
+cleanup() {
+  if [[ -d "${HELM_TMP_ROOT:-}" ]]; then
+    rm -rf "$HELM_TMP_ROOT"
+  fi
+}
+
+# Execution
+
+#Stop execution on any error
+trap "fail_trap" EXIT
+set -e
+
+# Set debug if desired
+if [ "${DEBUG}" == "true" ]; then
+  set -x
+fi
+
+# Parsing input arguments (if any)
+export INPUT_ARGUMENTS="${@}"
+set -u
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    '--version'|-v)
+       shift
+       if [[ $# -ne 0 ]]; then
+           export DESIRED_VERSION="${1}"
+           if [[ "$1" != "v"* ]]; then
+               echo "Expected version arg ('${DESIRED_VERSION}') to begin with 'v', fixing..."
+               export DESIRED_VERSION="v${1}"
+           fi
+       else
+           echo -e "Please provide the desired version. e.g. --version v3.0.0 or -v canary"
+           exit 0
+       fi
+       ;;
+    '--no-sudo')
+       USE_SUDO="false"
+       ;;
+    '--help'|-h)
+       help
+       exit 0
+       ;;
+    *) exit 1
+       ;;
+  esac
+  shift
+done
+set +u
+
+initArch
+initOS
+verifySupported
+checkDesiredVersion
+if ! checkHelmInstalledVersion; then
+  downloadFile
+  verifyFile
+  installFile
+fi
+testVersion
+cleanup
--- a/go.mod
+++ b/go.mod
@@ -10,17 +10,22 @@ replace github.com/chzyer/logex => github.com/chzyer/logex v1.1.11-0.20170329064
 // Avoid pulling in incompatible libraries
 replace github.com/docker/distribution => github.com/docker/distribution v0.0.0-20191216044856-a8371794149d

-replace github.com/docker/docker => github.com/moby/moby v17.12.0-ce-rc1.0.20200618181300-9dc6525e6118+incompatible
-
 // Client-go does not handle different versions of mergo due to some breaking changes - use the matching version
 replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.5

 require (
-	github.com/agiledragon/gomonkey/v2 v2.9.0
+	github.com/AlecAivazis/survey/v2 v2.3.6
+	github.com/agiledragon/gomonkey/v2 v2.11.0
 	github.com/avast/retry-go/v4 v4.3.4
+	github.com/compose-spec/compose-go v1.8.2
+	github.com/docker/cli v20.10.20+incompatible
+	github.com/docker/compose/v2 v2.0.0-00010101000000-000000000000
+	github.com/docker/docker v20.10.20+incompatible
 	github.com/dubbogo/go-zookeeper v1.0.4-0.20211212162352-f9d2183d89d5
 	github.com/dubbogo/gost v1.13.1
 	github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1
+	github.com/fatih/color v1.14.1
+	github.com/fatih/structtag v1.2.0
 	github.com/gogo/protobuf v1.3.2
 	github.com/golang/protobuf v1.5.2
 	github.com/google/go-cmp v0.5.9
@@ -28,25 +33,31 @@ require (
 	github.com/hashicorp/consul/api v1.23.0
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hudl/fargo v1.4.0
+	github.com/iancoleman/orderedmap v0.3.0
+	github.com/mitchellh/go-homedir v1.1.0
+	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nacos-group/nacos-sdk-go v1.0.8
 	github.com/nacos-group/nacos-sdk-go/v2 v2.1.2
 	github.com/pkg/errors v0.9.1
-	github.com/spf13/cobra v1.2.1
+	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
+	github.com/spf13/cobra v1.6.1
 	github.com/spf13/pflag v1.0.5
+	github.com/spf13/viper v1.8.1
 	github.com/stretchr/testify v1.8.3
-	go.uber.org/atomic v1.9.0
+	go.uber.org/atomic v1.11.0
 	google.golang.org/grpc v1.48.0
-	google.golang.org/protobuf v1.28.0
+	google.golang.org/protobuf v1.28.1
 	gopkg.in/yaml.v2 v2.4.0
+	gopkg.in/yaml.v3 v3.0.1
 	istio.io/api v0.0.0-20211122181927-8da52c66ff23
-	istio.io/client-go v1.12.0-rc.1.0.20211118171212-b744b6f111e4
+	istio.io/client-go v1.12.0-rc.1.0.20211118171212-b744b6f111e4 // indirect
 	istio.io/gogo-genproto v0.0.0-20211115195057-0e34bdd2be67
 	istio.io/istio v0.0.0
 	istio.io/pkg v0.0.0-20211115195056-e379f31ee62a
-	k8s.io/api v0.22.5
-	k8s.io/apimachinery v0.22.5
+	k8s.io/api v0.24.1
+	k8s.io/apimachinery v0.24.1
 	k8s.io/cli-runtime v0.22.2
-	k8s.io/client-go v0.22.5
+	k8s.io/client-go v0.24.1
 	k8s.io/kubectl v0.22.2
 	sigs.k8s.io/controller-runtime v0.10.2
 	sigs.k8s.io/yaml v1.3.0
@@ -69,56 +80,63 @@ require (
 	github.com/Masterminds/semver/v3 v3.1.1 // indirect
 	github.com/Masterminds/sprig/v3 v3.2.2 // indirect
 	github.com/Masterminds/squirrel v1.5.0 // indirect
-	github.com/Microsoft/go-winio v0.5.0 // indirect
-	github.com/Microsoft/hcsshim v0.8.21 // indirect
+	github.com/Microsoft/go-winio v0.5.2 // indirect
+	github.com/Microsoft/hcsshim v0.9.6 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/RageCage64/multilinediff v0.2.0 // indirect
 	github.com/aliyun/alibaba-cloud-sdk-go v1.61.1704 // indirect
 	github.com/armon/go-metrics v0.4.1 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
-	github.com/aws/aws-sdk-go v1.41.7 // indirect
+	github.com/aws/aws-sdk-go v1.43.16 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bmatcuk/doublestar/v4 v4.6.0 // indirect
 	github.com/braydonk/yaml v0.7.0 // indirect
+	github.com/buger/goterm v1.0.4 // indirect
 	github.com/buger/jsonparser v1.1.1 // indirect
-	github.com/cenkalti/backoff/v4 v4.1.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.1.2 // indirect
 	github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 // indirect
 	github.com/clbanning/mxj v1.8.4 // indirect
 	github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4 // indirect
 	github.com/cncf/xds/go v0.0.0-20220520190051-1e77728a1eaa // indirect
-	github.com/containerd/containerd v1.5.7 // indirect
-	github.com/containerd/continuity v0.1.0 // indirect
+	github.com/compose-spec/godotenv v1.1.1 // indirect
+	github.com/containerd/cgroups v1.0.4 // indirect
+	github.com/containerd/console v1.0.3 // indirect
+	github.com/containerd/containerd v1.6.14 // indirect
+	github.com/containerd/continuity v0.3.0 // indirect
+	github.com/containerd/typeurl v1.0.2 // indirect
 	github.com/coreos/go-oidc/v3 v3.1.0 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.3 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v3 v3.0.0 // indirect
-	github.com/docker/cli v20.10.7+incompatible // indirect
-	github.com/docker/distribution v2.7.1+incompatible // indirect
-	github.com/docker/docker v20.10.7+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.6.3 // indirect
+	github.com/distribution/distribution/v3 v3.0.0-20221201083218-92d136e113cf // indirect
+	github.com/docker/buildx v0.9.1 // indirect
+	github.com/docker/distribution v2.8.1+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.7.0 // indirect
+	github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
-	github.com/docker/go-units v0.4.0 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
 	github.com/envoyproxy/protoc-gen-validate v0.1.0 // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
-	github.com/fatih/color v1.14.1 // indirect
 	github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8 // indirect
 	github.com/fsnotify/fsnotify v1.5.1 // indirect
-	github.com/fvbommel/sortorder v1.0.1 // indirect
+	github.com/fvbommel/sortorder v1.0.2 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-errors/errors v1.0.1 // indirect
 	github.com/go-kit/log v0.1.0 // indirect
 	github.com/go-logfmt/logfmt v0.5.0 // indirect
-	github.com/go-logr/logr v1.2.2 // indirect
+	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.19.5 // indirect
 	github.com/go-openapi/swag v0.19.15 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/goccy/go-json v0.4.8 // indirect
+	github.com/gofrs/flock v0.8.0 // indirect
+	github.com/gogo/googleapis v1.4.1 // indirect
 	github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/mock v1.6.0 // indirect
@@ -133,23 +151,30 @@ require (
 	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
+	github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-hclog v1.5.0 // indirect
 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
-	github.com/hashicorp/go-version v1.3.0 // indirect
+	github.com/hashicorp/go-version v1.6.0 // indirect
 	github.com/hashicorp/golang-lru v0.5.4 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hashicorp/serf v0.10.1 // indirect
 	github.com/huandu/xstrings v1.3.2 // indirect
-	github.com/imdario/mergo v0.3.12 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/imdario/mergo v0.3.13 // indirect
+	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/jaguilar/vt100 v0.0.0-20150826170717-2703a27b14ea // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/jmoiron/sqlx v1.3.1 // indirect
 	github.com/jonboulle/clockwork v0.2.2 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.13.6 // indirect
+	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
+	github.com/klauspost/compress v1.15.9 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
+	github.com/kr/pretty v0.3.0 // indirect
+	github.com/kr/text v0.2.0 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/lestrrat-go/backoff/v2 v2.0.7 // indirect
@@ -161,21 +186,29 @@ require (
 	github.com/lestrrat/go-file-rotatelogs v0.0.0-20180223000712-d3151e2a480f // indirect
 	github.com/lestrrat/go-strftime v0.0.0-20180220042222-ba3bf9c1d042 // indirect
 	github.com/lib/pq v1.10.0 // indirect
+	github.com/libdns/libdns v0.2.1 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
+	github.com/magiconair/properties v1.8.5 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.17 // indirect
 	github.com/mattn/go-runewidth v0.0.12 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
-	github.com/miekg/dns v1.1.43 // indirect
+	github.com/mattn/go-shellwords v1.0.12 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect
+	github.com/miekg/dns v1.1.55 // indirect
+	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.0 // indirect
-	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/moby/buildkit v0.10.4 // indirect
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
-	github.com/moby/term v0.0.0-20210610120745-9d4ed1856297 // indirect
+	github.com/moby/sys/mount v0.3.0 // indirect
+	github.com/moby/sys/mountinfo v0.6.0 // indirect
+	github.com/moby/sys/signal v0.7.0 // indirect
+	github.com/moby/sys/symlink v0.2.0 // indirect
+	github.com/moby/term v0.0.0-20221128092401-c43b287e0e0f // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
@@ -183,9 +216,11 @@ require (
 	github.com/natefinch/lumberjack v2.0.0+incompatible // indirect
 	github.com/op/go-logging v0.0.0-20160315200505-970db520ece7 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.0.1 // indirect
-	github.com/opencontainers/runc v1.0.2 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc2 // indirect
+	github.com/opencontainers/runc v1.1.3 // indirect
 	github.com/openshift/api v0.0.0-20200713203337-b2494ecb17dd // indirect
+	github.com/opentracing/opentracing-go v1.2.0 // indirect
+	github.com/pelletier/go-toml v1.9.4 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.12.2 // indirect
@@ -194,38 +229,48 @@ require (
 	github.com/prometheus/procfs v0.7.3 // indirect
 	github.com/prometheus/statsd_exporter v0.21.0 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
+	github.com/rogpeppe/go-internal v1.6.1 // indirect
 	github.com/rubenv/sql-migrate v0.0.0-20210614095031-55d5740dbbcc // indirect
-	github.com/russross/blackfriday v1.5.2 // indirect
+	github.com/russross/blackfriday v1.6.0 // indirect
+	github.com/sanathkr/go-yaml v0.0.0-20170819195128-ed9d249f429b // indirect
 	github.com/shopspring/decimal v1.2.0 // indirect
-	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/spaolacci/murmur3 v1.1.0 // indirect
+	github.com/spf13/afero v1.2.2 // indirect
 	github.com/spf13/cast v1.3.1 // indirect
+	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/theupdateframework/notary v0.7.0 // indirect
+	github.com/tidwall/match v1.1.1 // indirect
+	github.com/tidwall/pretty v1.2.0 // indirect
+	github.com/tonistiigi/fsutil v0.0.0-20220930225714-4638ad635be5 // indirect
+	github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea // indirect
 	github.com/toolkits/concurrent v0.0.0-20150624120057-a4371d70e3e3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca // indirect
 	github.com/yl2chen/cidranger v1.0.2 // indirect
+	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.opencensus.io v0.23.0 // indirect
-	go.opentelemetry.io/proto/otlp v0.7.0 // indirect
+	go.opentelemetry.io/proto/otlp v0.12.0 // indirect
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
-	go.uber.org/multierr v1.7.0 // indirect
-	go.uber.org/zap v1.21.0 // indirect
-	golang.org/x/crypto v0.11.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	golang.org/x/crypto v0.17.0 // indirect
 	golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect
-	golang.org/x/net v0.12.0 // indirect
-	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
-	golang.org/x/sync v0.2.0 // indirect
-	golang.org/x/sys v0.10.0 // indirect
-	golang.org/x/term v0.10.0 // indirect
-	golang.org/x/text v0.11.0 // indirect
+	golang.org/x/mod v0.11.0 // indirect
+	golang.org/x/oauth2 v0.6.0 // indirect
+	golang.org/x/sync v0.3.0 // indirect
+	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/term v0.15.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
+	golang.org/x/tools v0.10.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	gomodules.xyz/jsonpatch/v3 v3.0.1 // indirect
 	gomodules.xyz/orderedmap v0.1.0 // indirect
 	google.golang.org/api v0.61.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20211129164237-f09f9a12af12 // indirect
+	google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21 // indirect
 	gopkg.in/gcfg.v1 v1.2.3 // indirect
 	gopkg.in/gorp.v1 v1.7.2 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
@@ -233,10 +278,9 @@ require (
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiserver v0.22.2 // indirect
-	k8s.io/component-base v0.22.2 // indirect
-	k8s.io/klog/v2 v2.40.1 // indirect
+	k8s.io/apiserver v0.22.5 // indirect
+	k8s.io/component-base v0.22.5 // indirect
+	k8s.io/klog/v2 v2.60.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20211109043538-20434351676c // indirect
 	k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect
 	oras.land/oras-go v0.4.0 // indirect
@@ -259,29 +303,65 @@ replace istio.io/client-go => ./external/client-go

 replace istio.io/istio => ./external/istio

-replace (
-	github.com/go-logr/logr => github.com/go-logr/logr v0.4.0
-	k8s.io/api => k8s.io/api v0.22.2
-	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.22.2
-	k8s.io/apimachinery => k8s.io/apimachinery v0.22.2
-	k8s.io/cli-runtime => k8s.io/cli-runtime v0.22.2
-	k8s.io/client-go => k8s.io/client-go v0.22.2
-	k8s.io/component-base => k8s.io/component-base v0.22.2
-	k8s.io/klog/v2 => k8s.io/klog/v2 v2.10.0
-	k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20211020163157-7327e2aaee2b // indirect
-	k8s.io/kubectl => k8s.io/kubectl v0.22.2
-	k8s.io/utils => k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect
-	sigs.k8s.io/gateway-api => sigs.k8s.io/gateway-api v0.4.0 // indirect
-	sigs.k8s.io/kustomize/api => sigs.k8s.io/kustomize/api v0.8.11 // indirect
-	sigs.k8s.io/kustomize/kyaml => sigs.k8s.io/kustomize/kyaml v0.11.0 // indirect
-)
+replace github.com/caddyserver/certmagic => github.com/2456868764/certmagic v1.0.2

 require (
+	github.com/caddyserver/certmagic v0.20.0
 	github.com/evanphx/json-patch/v5 v5.6.0
 	github.com/google/yamlfmt v0.10.0
 	github.com/kylelemons/godebug v1.1.0
+	github.com/mholt/acmez v1.2.0
+	github.com/tidwall/gjson v1.17.0
+	go.uber.org/zap v1.24.0
+	golang.org/x/net v0.17.0
 	helm.sh/helm/v3 v3.7.1
 	k8s.io/apiextensions-apiserver v0.25.4
 	knative.dev/networking v0.0.0-20220302134042-e8b2eb995165
 	knative.dev/pkg v0.0.0-20220301181942-2fdd5f232e77
 )
+
+replace (
+	github.com/Sirupsen/logrus => github.com/sirupsen/logrus v1.9.3
+	github.com/go-logr/logr => github.com/go-logr/logr v0.4.0
+
+	k8s.io/api => k8s.io/api v0.22.2
+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.22.2
+	k8s.io/apimachinery => k8s.io/apimachinery v0.22.2
+	k8s.io/cli-runtime => k8s.io/cli-runtime v0.22.2
+	k8s.io/client-go => k8s.io/client-go v0.22.2
+	k8s.io/code-generator => k8s.io/code-generator v0.22.2
+	k8s.io/component-base => k8s.io/component-base v0.22.2
+	k8s.io/component-helpers => k8s.io/component-helpers v0.22.2
+	k8s.io/klog/v2 => k8s.io/klog/v2 v2.10.0
+	k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e
+	k8s.io/kubectl => k8s.io/kubectl v0.22.2
+	k8s.io/metrics => k8s.io/metrics v0.22.2
+
+	k8s.io/utils => k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect
+	sigs.k8s.io/kustomize/api => sigs.k8s.io/kustomize/api v0.8.11 // indirect
+	sigs.k8s.io/kustomize/kyaml => sigs.k8s.io/kustomize/kyaml v0.11.0 // indirect
+)
+
+// for pkg/cmd/hgctl/docker/compose.go
+// TODO(WeixinX): Wait for the dependency library to upgrade, such as github.com/go-logr/logr from v0.4.0 to v1.2+
+// replace (
+// github.com/compose-spec/compose-go => github.com/compose-spec/compose-go v1.8.2
+// github.com/cucumber/godog => github.com/laurazard/godog v0.0.0-20220922095256-4c4b17abdae7
+// github.com/docker/buildx => github.com/docker/buildx v0.9.1
+// github.com/docker/cli => github.com/docker/cli v20.10.3-0.20221013132413-1d6c6e2367e2+incompatible
+// github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.15.1
+// github.com/docker/docker => github.com/moby/moby v20.10.3-0.20221021173910-5aac513617f0+incompatible
+// github.com/moby/buildkit => github.com/moby/buildkit v0.10.1-0.20220816171719-55ba9d14360a
+// )
+
+replace (
+	github.com/compose-spec/compose-go => github.com/compose-spec/compose-go v1.0.8
+	github.com/docker/buildx => github.com/docker/buildx v0.5.2-0.20210422185057-908a856079fc
+	github.com/docker/cli => github.com/docker/cli v20.10.7+incompatible
+	github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.2.0
+	github.com/docker/docker => github.com/docker/docker v20.10.3+incompatible
+	github.com/jaguilar/vt100 => github.com/tonistiigi/vt100 v0.0.0-20190402012908-ad4c4a574305
+	github.com/moby/buildkit => github.com/moby/buildkit v0.8.2-0.20210401015549-df49b648c8bf
+	github.com/tonistiigi/fsutil => github.com/tonistiigi/fsutil v0.0.0-20201103201449-0834f99b7b85
+	sigs.k8s.io/gateway-api => github.com/johnlanni/gateway-api v0.0.0-20231031082632-72137664e7c7
+)
--- a/go.sum
+++ b/go.sum
--- a/helm/core/Chart.yaml
+++ b/helm/core/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.2.0
+appVersion: 1.4.2
 description: Helm chart for deploying higress gateways
 icon: https://higress.io/img/higress_logo_small.png
 home: http://higress.io/
@@ -10,4 +10,4 @@ name: higress-core
 sources:
 - http://github.com/alibaba/higress
 type: application
-version: 1.2.0
+version: 1.4.2
--- a/helm/core/crds/customresourcedefinitions.gen.yaml
+++ b/helm/core/crds/customresourcedefinitions.gen.yaml
@@ -154,6 +154,11 @@ spec:
                          type: array
                        httpPath:
                          type: string
+                        paramFromEntireBody:
+                          properties:
+                            paramType:
+                              type: string
+                          type: object
                        params:
                          items:
                            properties:
--- a/helm/core/templates/_helpers.tpl
+++ b/helm/core/templates/_helpers.tpl
@@ -97,7 +97,7 @@ higress: {{ include "controller.name" . }}
 {{- end }}

 {{- define "skywalking.enabled" -}}
-{{- if and .Values.skywalking.enabled .Values.skywalking.service.address }}
+{{- if and (hasKey .Values "tracing") .Values.tracing.enable (hasKey .Values.tracing "skywalking") .Values.tracing.skywalking.service }}
 true
 {{- end }}
 {{- end }}
--- a/helm/core/templates/configmap.yaml
+++ b/helm/core/templates/configmap.yaml
@@ -3,9 +3,13 @@
    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
    trustDomain: "cluster.local"
    accessLogEncoding: TEXT
+    {{- if .Values.global.o11y.enabled }}
+    accessLogFile: "/var/log/proxy/access.log"
+    {{- else }}
    accessLogFile: "/dev/stdout"
+    {{- end }}
    ingressControllerMode: "OFF"
-    accessLogFormat: '{"authority":"%REQ(:AUTHORITY)%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","duration":"%DURATION%","istio_policy_status":"%DYNAMIC_METADATA(istio.mixer:status)%","method":"%REQ(:METHOD)%","path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","request_id":"%REQ(X-REQUEST-ID)%","requested_server_name":"%REQUESTED_SERVER_NAME%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","route_name":"%ROUTE_NAME%","start_time":"%START_TIME%","trace_id":"%REQ(X-B3-TRACEID)%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_host":"%UPSTREAM_HOST%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","user_agent":"%REQ(USER-AGENT)%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%"}
+    accessLogFormat: '{"authority":"%REQ(X-ENVOY-ORIGINAL-HOST?:AUTHORITY)%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","duration":"%DURATION%","istio_policy_status":"%DYNAMIC_METADATA(istio.mixer:status)%","method":"%REQ(:METHOD)%","path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","request_id":"%REQ(X-REQUEST-ID)%","requested_server_name":"%REQUESTED_SERVER_NAME%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","route_name":"%ROUTE_NAME%","start_time":"%START_TIME%","trace_id":"%REQ(X-B3-TRACEID)%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_host":"%UPSTREAM_HOST%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","user_agent":"%REQ(USER-AGENT)%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%"}

    '
    dnsRefreshRate: 200s
@@ -42,10 +46,6 @@
          address: {{ .Values.global.tracer.lightstep.address }}
          # Access Token used to communicate with the Satellite pool
          accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
-      {{- else if eq .Values.global.proxy.tracer "zipkin" }}
-        zipkin:
-          # Address of the Zipkin collector
-          address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Release.Namespace ":9411") }}
      {{- else if eq .Values.global.proxy.tracer "datadog" }}
        datadog:
          # Address of the Datadog Agent
@@ -84,7 +84,7 @@
      {{- if .Values.global.enableHigressIstio }}
      discoveryAddress: {{ printf "istiod.%s.svc" .Values.global.istioNamespace }}:15012
      {{- else }}
-      discoveryAddress: higress-controller.{{.Release.Namespace}}.svc:15012
+      discoveryAddress: {{ include "controller.name" . }}.{{.Release.Namespace}}.svc:15012
      {{- end }}
      {{- end }}
      proxyStatsMatcher:
@@ -105,7 +105,17 @@ metadata:
  labels:
    {{- include "gateway.labels" . | nindent 4 }}    
 data:
-
+  higress: |-
+    {{- $existingConfig := lookup "v1" "ConfigMap" .Release.Namespace "higress-config" }}
+    {{- $existingData := dict }}
+    {{- if $existingConfig }}
+    {{- $existingData = index $existingConfig.data "higress" | default "{}" | fromYaml }}
+    {{- end }}
+    {{- $newData := dict }}
+    {{- if and (hasKey .Values "tracing") .Values.tracing.enable }}
+    {{- $_ := set $newData "tracing" .Values.tracing }}
+    {{- end }}
+    {{- toYaml (merge $existingData $newData) | nindent 4 }}
  # Configuration file for the mesh networks to be used by the Split Horizon EDS.
  meshNetworks: |-
  {{- if .Values.global.meshNetworks }}
@@ -166,8 +176,8 @@ data:
                      "endpoint": {
                        "address": {
                          "socket_address": {
-                            "address": "{{ .Values.skywalking.service.address }}",
-                            "port_value": "{{ .Values.skywalking.service.port }}"
+                            "address": "{{ .Values.tracing.skywalking.service }}",
+                            "port_value": "{{ .Values.tracing.skywalking.port }}"
                          }
                        }
                      }
--- a/helm/core/templates/controller-clusterrole.yaml
+++ b/helm/core/templates/controller-clusterrole.yaml
@@ -9,7 +9,7 @@ rules:
  # ingress controller
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses"]
-    verbs: ["get", "list", "watch"]
+    verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["*"]
@@ -36,7 +36,7 @@ rules:
  # Needed for multicluster secret reading, possibly ingress certs in the future
  - apiGroups: [""]
    resources: ["secrets"]
-    verbs: ["get", "watch", "list"]
+    verbs: ["get", "watch", "list", "create", "update", "delete", "patch"]

  - apiGroups: ["networking.higress.io"]
    resources: ["mcpbridges"]
@@ -61,12 +61,12 @@ rules:

  # discovery and routing
  - apiGroups: [""]
-    resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+    resources: ["pods", "nodes", "services", "namespaces", "endpoints", "deployments"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]
-    
+
  # Istiod and bootstrap.
  - apiGroups: ["certificates.k8s.io"]
    resources:
@@ -100,7 +100,7 @@ rules:
  - apiGroups: ["multicluster.x-k8s.io"]
    resources: ["serviceimports"]
    verbs: ["get", "watch", "list"]
-    
+
  # sidecar injection controller
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
--- a/helm/core/templates/controller-deployment.yaml
+++ b/helm/core/templates/controller-deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "controller.name" . }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "controller.labels" . | nindent 4 }}
 spec:
@@ -25,16 +26,73 @@ spec:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "controller.serviceAccountName" . }}
+      {{- if .Values.global.priorityClassName }}
+      priorityClassName: "{{ .Values.global.priorityClassName }}"
+      {{- end }}
      securityContext:
        {{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.controller.securityContext | nindent 12 }}
+          image: "{{ .Values.controller.hub | default .Values.global.hub }}/{{ .Values.controller.image | default "higress" }}:{{ .Values.controller.tag | default .Chart.AppVersion }}"
+          args:
+          - "serve"
+          - --gatewaySelectorKey=higress
+          - --gatewaySelectorValue={{ .Release.Namespace }}-{{ include "gateway.name" . }}
+          - --gatewayHttpPort={{ .Values.gateway.httpPort }}
+          - --gatewayHttpsPort={{ .Values.gateway.httpsPort }}
+          {{- if not .Values.global.enableStatus }}
+          - --enableStatus={{ .Values.global.enableStatus }}
+          {{- end }}
+          - --ingressClass={{ .Values.global.ingressClass }}
+          {{- if .Values.global.watchNamespace }}
+          - --watchNamespace={{ .Values.global.watchNamespace }}
+          {{- end }}
+          - --enableAutomaticHttps={{ .Values.controller.automaticHttps.enabled }}
+          - --automaticHttpsEmail={{ .Values.controller.automaticHttps.email }}
+          env:
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.namespace
+          - name: SERVICE_ACCOUNT
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: spec.serviceAccountName
+          - name: DOMAIN_SUFFIX
+            value: {{ .Values.global.proxy.clusterDomain }}
+          {{- if .Values.controller.env }}
+          {{- range $key, $val := .Values.controller.env }}
+          - name: {{ $key }}
+            value: "{{ $val }}"
+          {{- end }}
+          {{- end }}
+          ports:
+            {{- range $idx, $port := .Values.controller.ports }}
+            - name: {{ $port.name }}
+              containerPort: {{ $port.port }}
+              protocol: {{ $port.protocol }}
+            {{- end }}
+          readinessProbe:
+            {{- toYaml .Values.controller.probe | nindent 12 }}
+          {{- if not (or .Values.global.local .Values.global.kind) }}
+          resources:
+            {{- toYaml .Values.controller.resources | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+          - name: log
+            mountPath: /var/log
 {{- if not .Values.global.enableHigressIstio }}
        - name: discovery
-{{- if contains "/" .Values.pilot.image }}
-          image: "{{ .Values.pilot.image }}"
-{{- else }}
          image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Chart.AppVersion }}"
-{{- end }}
 {{- if .Values.global.imagePullPolicy }}
          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
 {{- end }}
@@ -73,8 +131,22 @@ spec:
            periodSeconds: 3
            timeoutSeconds: 5
          env:
+          - name: PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS
+            value: "false"
+          - name: HIGRESS_SYSTEM_NS
+            value: "{{ .Release.Namespace }}"
+          - name: DEFAULT_UPSTREAM_CONCURRENCY_THRESHOLD
+            value: "{{ .Values.global.defaultUpstreamConcurrencyThreshold }}"
+          - name: ISTIO_GPRC_MAXRECVMSGSIZE
+            value: "{{ .Values.global.xdsMaxRecvMsgSize }}"
+          - name: ENBALE_SCOPED_RDS
+            value: "{{ .Values.global.enableSRDS }}"
+          - name: ON_DEMAND_RDS
+            value: "{{ .Values.global.onDemandRDS }}"
+          - name: HOST_RDS_MERGE_SUBSET
+            value: "{{ .Values.global.hostRDSMergeSubset }}"
          - name: PILOT_FILTER_GATEWAY_CLUSTER_CONFIG
-            value: "true"
+            value: "{{ .Values.global.onlyPushRouteCluster }}"
          - name: HIGRESS_CONTROLLER_SVC
            value: "127.0.0.1"
          - name: HIGRESS_CONTROLLER_PORT
@@ -180,60 +252,6 @@ spec:
            mountPath: /cacerts
          {{- end }}
 {{- end }}
-        - name: {{ .Chart.Name }}
-          securityContext:
-            {{- toYaml .Values.controller.securityContext | nindent 12 }}
-          image: "{{ .Values.hub }}/{{ .Values.controller.image }}:{{ .Values.controller.tag | default .Chart.AppVersion }}"
-          args:
-          - "serve"
-          - --gatewaySelectorKey=higress
-          - --gatewaySelectorValue={{ .Release.Namespace }}-{{ include "gateway.name" . }}
-          {{- if not .Values.global.enableStatus }}
-          - --enableStatus={{ .Values.global.enableStatus }}
-          {{- end }}
-          - --ingressClass={{ .Values.global.ingressClass }}
-          {{- if .Values.global.watchNamespace }}
-          - --watchNamespace={{ .Values.global.watchNamespace }}
-          {{- end }}
-          env:
-          - name: POD_NAME
-            valueFrom:
-              fieldRef:
-                apiVersion: v1
-                fieldPath: metadata.name
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                apiVersion: v1
-                fieldPath: metadata.namespace
-          - name: SERVICE_ACCOUNT
-            valueFrom:
-              fieldRef:
-                apiVersion: v1
-                fieldPath: spec.serviceAccountName
-          - name: DOMAIN_SUFFIX
-            value: {{ .Values.global.proxy.clusterDomain }}
-          {{- if .Values.controller.env }}
-          {{- range $key, $val := .Values.controller.env }}
-          - name: {{ $key }}
-            value: "{{ $val }}"
-          {{- end }}
-          {{- end }}
-          ports:
-            {{- range $idx, $port := .Values.controller.ports }}
-            - name: {{ $port.name }}
-              containerPort: {{ $port.port }}
-              protocol: {{ $port.protocol }}
-            {{- end }}
-          readinessProbe:
-            {{- toYaml .Values.controller.probe | nindent 12 }}
-          {{- if not (or .Values.global.local .Values.global.kind) }}
-          resources:
-            {{- toYaml .Values.controller.resources | nindent 12 }}
-          {{- end }}
-          volumeMounts:
-          - name: log
-            mountPath: /var/log
      {{- with .Values.controller.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
--- a/helm/core/templates/controller-service.yaml
+++ b/helm/core/templates/controller-service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "controller.name" . }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "controller.labels" . | nindent 4 }}
 spec:
--- a/helm/core/templates/daemonset.yaml
+++ b/helm/core/templates/daemonset.yaml
@@ -0,0 +1,332 @@
+{{- if eq .Values.gateway.kind "DaemonSet" -}}
+{{- $o11y := .Values.global.o11y  }}
+{{- $unprivilegedPortSupported := true }}
+{{- range $index, $node := (lookup "v1" "Node" "default" "").items }}
+    {{- $kernelVersion := $node.status.nodeInfo.kernelVersion }}
+    {{- if $kernelVersion }}
+      {{- $kernelVersion = regexFind "^(\\d+\\.\\d+\\.\\d+)" $kernelVersion }}
+      {{- if and $kernelVersion (semverCompare "<4.11.0" $kernelVersion) }}
+      {{-   $unprivilegedPortSupported = false }}
+      {{- end }}
+    {{- end }}
+{{- end -}}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.gateway.annotations | toYaml | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "gateway.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+      {{- if .Values.global.enableHigressIstio }}
+        "enableHigressIstio": "true"
+      {{- end }}
+      {{- if .Values.gateway.podAnnotations }}
+        {{- toYaml .Values.gateway.podAnnotations | nindent 8 }}
+      {{- end }}
+      labels:
+        sidecar.istio.io/inject: "false"
+        {{- with .Values.gateway.revision }}
+        istio.io/rev: {{ . }}
+        {{- end }}
+        {{- include "gateway.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.gateway.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "gateway.serviceAccountName" . }}
+      {{- if .Values.global.priorityClassName }}
+      priorityClassName: "{{ .Values.global.priorityClassName }}"
+      {{- end }}
+      securityContext:
+      {{- if .Values.gateway.securityContext }}
+        {{- toYaml .Values.gateway.securityContext | nindent 8 }}
+      {{- else if and $unprivilegedPortSupported (and (not .Values.gateway.hostNetwork) (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion)) }}
+        # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- end }}
+      containers:
+        {{- if $o11y.enabled }}
+          {{- $config := $o11y.promtail }}
+        - name: promtail
+          image: {{ $config.image.repository }}:{{ $config.image.tag }}
+          imagePullPolicy: IfNotPresent
+          args:
+            - -config.file=/etc/promtail/promtail.yaml
+          env:
+            - name: 'HOSTNAME'
+              valueFrom:
+                fieldRef:
+                  fieldPath: 'spec.nodeName'
+          ports:
+            - containerPort: {{ $config.port }}
+              name: http-metrics
+              protocol: TCP
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /ready
+              port: {{ $config.port }}
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          volumeMounts:
+            - name: promtail-config
+              mountPath: "/etc/promtail"
+            - name: log
+              mountPath: /var/log/proxy
+            - name: tmp
+              mountPath: /tmp
+        {{- end }}
+        - name: higress-gateway
+          image: "{{ .Values.gateway.hub | default .Values.global.hub }}/{{ .Values.gateway.image | default "gateway" }}:{{ .Values.gateway.tag | default .Chart.AppVersion }}"
+          args:
+            - proxy
+            - router
+            - --domain
+            - $(POD_NAMESPACE).svc.cluster.local
+            - --proxyLogLevel=warning
+            - --proxyComponentLogLevel=misc:error
+            - --log_output_level=all:info
+            - --serviceCluster=higress-gateway
+          securityContext:
+          {{- if .Values.gateway.containerSecurityContext }}
+            {{- toYaml .Values.gateway.containerSecurityContext | nindent 12 }}
+          {{- else if and $unprivilegedPortSupported (and (not .Values.gateway.hostNetwork) (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion)) }}
+            # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+            capabilities:
+              drop:
+              - ALL
+            allowPrivilegeEscalation: false
+            privileged: false
+          # When enabling lite metrics, the configuration template files need to be replaced.
+          {{- if not .Values.global.liteMetrics }}
+            readOnlyRootFilesystem: true
+          {{- end }}
+            runAsUser: 1337
+            runAsGroup: 1337
+            runAsNonRoot: true
+          {{- else }}
+            capabilities:
+              drop:
+              - ALL
+              add:
+              - NET_BIND_SERVICE
+            runAsUser: 0
+            runAsGroup: 1337
+            runAsNonRoot: false
+            allowPrivilegeEscalation: true
+          {{- end }}
+          env:
+          - name: NODE_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: spec.nodeName
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.namespace
+          - name: INSTANCE_IP
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: status.podIP
+          - name: HOST_IP
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: status.hostIP
+          - name: SERVICE_ACCOUNT
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.serviceAccountName
+          - name: PILOT_XDS_SEND_TIMEOUT
+            value: 60s
+          - name: PROXY_XDS_VIA_AGENT
+            value: "true"
+          - name: ENABLE_INGRESS_GATEWAY_SDS
+            value: "false"
+          - name: JWT_POLICY
+            value: {{ include "controller.jwtPolicy" . }}
+          - name: ISTIO_META_HTTP10
+            value: "1"
+          - name: ISTIO_META_CLUSTER_ID
+            value: "{{ $.Values.clusterName | default `Kubernetes` }}"
+          - name: INSTANCE_NAME
+            value: "higress-gateway"
+          {{- if .Values.global.liteMetrics }}
+          - name: LITE_METRICS
+            value: "on"
+          {{- end }}
+          {{- if include "skywalking.enabled" . }}
+          - name: ISTIO_BOOTSTRAP_OVERRIDE
+            value: /etc/istio/custom-bootstrap/custom_bootstrap.json
+          {{- end }}
+          {{- with .Values.gateway.networkGateway }}
+          - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+            value: "{{.}}"
+          {{- end }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: {{ $val | quote }}
+          {{- end }}
+          ports:
+          - containerPort: 15090
+            protocol: TCP
+            name: http-envoy-prom
+          {{- if or .Values.global.local .Values.global.kind }}
+          - containerPort: {{ .Values.gateway.httpPort }}
+            hostPort:  {{ .Values.gateway.httpPort }}
+            name: http
+            protocol: TCP
+          - containerPort:  {{ .Values.gateway.httpsPort }}
+            hostPort:  {{ .Values.gateway.httpsPort }}
+            name: https
+            protocol: TCP
+          {{- end }}
+          readinessProbe:
+            failureThreshold: {{ .Values.gateway.readinessFailureThreshold }}
+            httpGet:
+              path: /healthz/ready
+              port: 15021
+              scheme: HTTP
+            initialDelaySeconds: {{ .Values.gateway.readinessInitialDelaySeconds }}
+            periodSeconds: {{ .Values.gateway.readinessPeriodSeconds }}
+            successThreshold: {{ .Values.gateway.readinessSuccessThreshold }}
+            timeoutSeconds: {{ .Values.gateway.readinessTimeoutSeconds }}
+          {{- if not (or .Values.global.local .Values.global.kind) }}
+          resources:
+            {{- toYaml .Values.gateway.resources | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+          {{- if eq (include "controller.jwtPolicy" .) "third-party-jwt" }}
+          - name: istio-token
+            mountPath: /var/run/secrets/tokens
+            readOnly: true
+          {{- end }}
+          - name: config
+            mountPath: /etc/istio/config
+          - name: istio-ca-root-cert
+            mountPath: /var/run/secrets/istio
+          - name: istio-data
+            mountPath: /var/lib/istio/data
+          - name: podinfo
+            mountPath: /etc/istio/pod
+          - name: proxy-socket
+            mountPath: /etc/istio/proxy
+          {{- if include "skywalking.enabled" . }}
+          - mountPath: /etc/istio/custom-bootstrap
+            name: custom-bootstrap-volume
+          {{- end }}
+          {{- if .Values.global.volumeWasmPlugins }}
+          - mountPath: /opt/plugins
+            name: local-wasmplugins-volume
+          {{- end }}
+          {{- if $o11y.enabled }}
+          - mountPath: /var/log/proxy
+            name: log
+          {{- end }}
+      {{- if .Values.gateway.hostNetwork }}
+      hostNetwork: {{ .Values.gateway.hostNetwork }}
+      dnsPolicy: ClusterFirstWithHostNet
+      {{- end }}
+      {{- with .Values.gateway.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.gateway.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.gateway.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+      {{- if eq (include "controller.jwtPolicy" .) "third-party-jwt" }}
+      - name: istio-token
+        projected:
+          sources:
+            - serviceAccountToken:
+                audience: istio-ca
+                expirationSeconds: 43200
+                path: istio-token
+      {{- end }}
+      - name: istio-ca-root-cert
+        configMap:
+      {{- if .Values.global.enableHigressIstio }}
+          name: istio-ca-root-cert
+      {{- else }}
+          name: higress-ca-root-cert
+      {{- end }}
+      - name: config
+        configMap:
+          name: higress-config
+      {{- if include "skywalking.enabled" . }}
+      - configMap:
+          defaultMode: 420
+          name: higress-custom-bootstrap
+        name: custom-bootstrap-volume
+      {{- end }}
+      - name: istio-data
+        emptyDir: {}
+      - name: proxy-socket
+        emptyDir: {}
+      {{- if $o11y.enabled }}
+      - name: log
+        emptyDir: {}
+      - name: tmp
+        emptyDir: {}
+      - name: promtail-config
+        configMap:
+          name: higress-promtail
+      {{- end }}
+      - name: podinfo
+        downwardAPI:
+          defaultMode: 420
+          items:
+          - fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.labels
+            path: labels
+          - fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.annotations
+            path: annotations
+          - path: cpu-request
+            resourceFieldRef:
+              containerName: higress-gateway
+              divisor: 1m
+              resource: requests.cpu
+          - path: cpu-limit
+            resourceFieldRef:
+              containerName: higress-gateway
+              divisor: 1m
+              resource: limits.cpu
+      {{- if .Values.global.volumeWasmPlugins }}
+      - name: local-wasmplugins-volume
+        hostPath:
+          path: /opt/plugins
+          type: Directory
+      {{- end }}
+{{- end }}
--- a/helm/core/templates/deployment.yaml
+++ b/helm/core/templates/deployment.yaml
@@ -1,3 +1,5 @@
+{{- if eq .Values.gateway.kind "Deployment" -}}
+{{- $o11y := .Values.global.o11y  }}
 {{- $unprivilegedPortSupported := true }}
 {{- range $index, $node := (lookup "v1" "Node" "default" "").items }}
    {{- $kernelVersion := $node.status.nodeInfo.kernelVersion }}
@@ -57,6 +59,9 @@ spec:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "gateway.serviceAccountName" . }}
+      {{- if .Values.global.priorityClassName }}
+      priorityClassName: "{{ .Values.global.priorityClassName }}"
+      {{- end }}
      securityContext:
      {{- if .Values.gateway.securityContext }}
        {{- toYaml .Values.gateway.securityContext | nindent 8 }}
@@ -68,7 +73,7 @@ spec:
      {{- end }}
      containers:
        - name: higress-gateway
-          image: "{{ .Values.hub }}/{{ .Values.gateway.image }}:{{ .Values.gateway.tag | default .Chart.AppVersion }}"
+          image: "{{ .Values.gateway.hub | default .Values.global.hub }}/{{ .Values.gateway.image | default "gateway" }}:{{ .Values.gateway.tag | default .Chart.AppVersion }}"
          args:
            - proxy
            - router
@@ -88,7 +93,10 @@ spec:
              - ALL
            allowPrivilegeEscalation: false
            privileged: false
+          # When enabling lite metrics, the configuration template files need to be replaced.
+          {{- if not .Values.global.liteMetrics }}
            readOnlyRootFilesystem: true
+          {{- end }}
            runAsUser: 1337
            runAsGroup: 1337
            runAsNonRoot: true
@@ -102,7 +110,6 @@ spec:
            runAsGroup: 1337
            runAsNonRoot: false
            allowPrivilegeEscalation: true
-            readOnlyRootFilesystem: true
          {{- end }}
          env:
          - name: NODE_NAME
@@ -134,6 +141,8 @@ spec:
            valueFrom:
              fieldRef:
                fieldPath: spec.serviceAccountName
+          - name: PILOT_XDS_SEND_TIMEOUT
+            value: 60s
          - name: PROXY_XDS_VIA_AGENT
            value: "true"
          - name: ENABLE_INGRESS_GATEWAY_SDS
@@ -146,6 +155,10 @@ spec:
            value: "{{ $.Values.clusterName | default `Kubernetes` }}"
          - name: INSTANCE_NAME
            value: "higress-gateway"
+          {{- if .Values.global.liteMetrics }}
+          - name: LITE_METRICS
+            value: "on"
+          {{- end }}
          {{- if include "skywalking.enabled" . }}
          - name: ISTIO_BOOTSTRAP_OVERRIDE
            value: /etc/istio/custom-bootstrap/custom_bootstrap.json
@@ -159,29 +172,32 @@ spec:
            value: {{ $val | quote }}
          {{- end }}
          ports:
+          - containerPort: 15020
+            protocol: TCP
+            name: istio-prom
          - containerPort: 15090
            protocol: TCP
            name: http-envoy-prom
          {{- if or .Values.global.local .Values.global.kind }}
-          - containerPort: 80
-            hostPort: 80
+          - containerPort: {{ .Values.gateway.httpPort }}
+            hostPort:  {{ .Values.gateway.httpPort }}
            name: http
            protocol: TCP
-          - containerPort: 443
-            hostPort: 443
+          - containerPort:  {{ .Values.gateway.httpsPort }}
+            hostPort:  {{ .Values.gateway.httpsPort }}
            name: https
            protocol: TCP
          {{- end }}
          readinessProbe:
-            failureThreshold: 30
+            failureThreshold: {{ .Values.gateway.readinessFailureThreshold }}
            httpGet:
              path: /healthz/ready
              port: 15021
              scheme: HTTP
-            initialDelaySeconds: 1
-            periodSeconds: 2
-            successThreshold: 1
-            timeoutSeconds: 3
+            initialDelaySeconds: {{ .Values.gateway.readinessInitialDelaySeconds }}
+            periodSeconds: {{ .Values.gateway.readinessPeriodSeconds }}
+            successThreshold: {{ .Values.gateway.readinessSuccessThreshold }}
+            timeoutSeconds: {{ .Values.gateway.readinessTimeoutSeconds }}
          {{- if not (or .Values.global.local .Values.global.kind) }}
          resources:
            {{- toYaml .Values.gateway.resources | nindent 12 }}
@@ -198,7 +214,7 @@ spec:
            mountPath: /var/run/secrets/istio
          - name: istio-data
            mountPath: /var/lib/istio/data
-          - name: podinfo            
+          - name: podinfo
            mountPath: /etc/istio/pod
          - name: proxy-socket
            mountPath: /etc/istio/proxy
@@ -210,6 +226,44 @@ spec:
          - mountPath: /opt/plugins
            name: local-wasmplugins-volume
          {{- end }}
+          {{- if $o11y.enabled }}
+          - mountPath: /var/log/proxy
+            name: log
+          {{- end }}
+        {{- if $o11y.enabled }}
+          {{- $config := $o11y.promtail }}
+        - name: promtail
+          image: {{ $config.image.repository }}:{{ $config.image.tag }}
+          imagePullPolicy: IfNotPresent
+          args:
+            - -config.file=/etc/promtail/promtail.yaml
+          env:
+            - name: 'HOSTNAME'
+              valueFrom:
+                fieldRef:
+                  fieldPath: 'spec.nodeName'
+          ports:
+            - containerPort: {{ $config.port }}
+              name: http-metrics
+              protocol: TCP
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /ready
+              port: {{ $config.port }}
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          volumeMounts:
+            - name: promtail-config
+              mountPath: "/etc/promtail"
+            - name: log
+              mountPath: /var/log/proxy
+            - name: tmp
+              mountPath: /tmp
+        {{- end }}
      {{- if .Values.gateway.hostNetwork }}
      hostNetwork: {{ .Values.gateway.hostNetwork }}
      dnsPolicy: ClusterFirstWithHostNet
@@ -256,6 +310,15 @@ spec:
        emptyDir: {}
      - name: proxy-socket
        emptyDir: {}
+      {{- if $o11y.enabled }}
+      - name: log
+        emptyDir: {}
+      - name: tmp
+        emptyDir: {}
+      - name: promtail-config
+        configMap:
+          name: higress-promtail
+      {{- end }}
      - name: podinfo
        downwardAPI:
          defaultMode: 420
@@ -284,3 +347,4 @@ spec:
          path: /opt/plugins
          type: Directory
      {{- end }}
+{{- end }}
--- a/helm/core/templates/ingressclass.yaml
+++ b/helm/core/templates/ingressclass.yaml
@@ -0,0 +1,6 @@
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  name: {{ .Values.global.ingressClass }}
+spec:
+  controller: higress.io/higress-controller
--- a/helm/core/templates/promtail.yaml
+++ b/helm/core/templates/promtail.yaml
@@ -0,0 +1,64 @@
+{{- $o11y := .Values.global.o11y  }}
+{{- if $o11y.enabled }}
+{{- $config := $o11y.promtail }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: higress-promtail
+  namespace: {{ .Release.Namespace }}
+data:
+  promtail.yaml: |
+    server:
+      log_level: info
+      http_listen_port: {{ $config.port }}
+
+    clients:
+    - url: http://higress-console-loki.{{ .Release.Namespace }}:3100/loki/api/v1/push
+
+    positions:
+      filename: /tmp/promtail-positions.yaml
+    target_config:
+      sync_period: 10s
+    scrape_configs:
+    - job_name: access-logs
+      static_configs:
+      - targets:
+        - localhost
+        labels:
+          __path__: /var/log/proxy/access.log
+      pipeline_stages:
+      - json:
+          expressions:
+            authority:
+            method:
+            path:
+            protocol:
+            request_id:
+            response_code:
+            response_flags:
+            route_name:
+            trace_id:
+            upstream_cluster:
+            upstream_host:
+            upstream_transport_failure_reason:
+            user_agent:
+            x_forwarded_for:
+      - labels:
+          authority:
+          method:
+          path:
+          protocol:
+          request_id:
+          response_code:
+          response_flags:
+          route_name:
+          trace_id:
+          upstream_cluster:
+          upstream_host:
+          upstream_transport_failure_reason:
+          user_agent:
+          x_forwarded_for:
+      - timestamp:
+          source: timestamp
+          format: RFC3339Nano
+{{- end }}
--- a/helm/core/templates/service.yaml
+++ b/helm/core/templates/service.yaml
@@ -15,6 +15,9 @@ spec:
 {{- with .Values.gateway.service.loadBalancerIP }}
  loadBalancerIP: "{{ . }}"
 {{- end }}
+{{- with .Values.gateway.service.loadBalancerClass }}
+  loadBalancerClass: "{{ . }}"
+{{- end }}
 {{- with .Values.gateway.service.loadBalancerSourceRanges }}
  loadBalancerSourceRanges:
 {{ toYaml . | indent 4 }}
--- a/helm/core/values.yaml
+++ b/helm/core/values.yaml
@@ -1,5 +1,12 @@
 revision: ""
 global:
+  liteMetrics: true
+  xdsMaxRecvMsgSize: "104857600"
+  defaultUpstreamConcurrencyThreshold: 10000
+  enableSRDS: true
+  onDemandRDS: false
+  hostRDSMergeSubset: false
+  onlyPushRouteCluster: true
  # IngressClass filters which ingress resources the higress controller watches.
  # The default ingress class is higress.
  # There are some special cases for special ingress class.
@@ -9,7 +16,7 @@ global:
  # resources in the k8s cluster.
  ingressClass: "higress"
  watchNamespace: ""
-  disableAlpnH2: true
+  disableAlpnH2: false
  enableStatus: true
  # whether to use autoscaling/v2 template for HPA settings
  # for internal usage only, not to be configured by users.
@@ -147,12 +154,18 @@ global:
    # The number of successive failed probes before indicating readiness failure.
    readinessFailureThreshold: 30

+    # The number of successive successed probes before indicating readiness success.
+    readinessSuccessThreshold: 30
+
    # The initial delay for readiness probes in seconds.
    readinessInitialDelaySeconds: 1

    # The period between readiness probes.
    readinessPeriodSeconds: 2

+    # The readiness timeout seconds
+    readinessTimeoutSeconds: 3
+
    # Resources for the sidecar.
    resources:
      requests:
@@ -165,9 +178,9 @@ global:
    # Default port for Pilot agent health checks. A value of 0 will disable health checking.
    statusPort: 15020

-    # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
+    # Specify which tracer to use. One of: lightstep, datadog, stackdriver.
    # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
-    tracer: "zipkin"
+    tracer: ""

    # Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready
    holdApplicationUntilProxyStarts: false
@@ -317,14 +330,24 @@ global:
      maxNumberOfAnnotations: 200
      # The global default max number of attributes per span.
      maxNumberOfAttributes: 200
-    zipkin:
-      # Host:Port for reporting trace data in zipkin format. If not specified, will default to
-      # zipkin service (port 9411) in the same namespace as the other istio components.
-      address: ""
-
  # Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source.
+
  useMCP: false

+  # Observability (o11y) configurations
+  o11y:
+    enabled: false
+    promtail:
+      image:
+        repository: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/promtail
+        tag: 2.9.4
+      port: 3101
+      resources:
+        limits:
+          cpu: 500m
+          memory: 2Gi
+      securityContext: {}
+
  # The name of the CA for workload certificates.
  # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
  # will be used as the certificates for workloads.
@@ -368,6 +391,26 @@ gateway:
  name: "higress-gateway"
  replicas: 2
  image: gateway
+
+  # -- Use a `DaemonSet` or `Deployment`
+  kind: Deployment
+
+  # The number of successive failed probes before indicating readiness failure.
+  readinessFailureThreshold: 30
+
+  # The number of successive successed probes before indicating readiness success.
+  readinessSuccessThreshold: 1
+
+  # The initial delay for readiness probes in seconds.
+  readinessInitialDelaySeconds: 1
+
+  # The period between readiness probes.
+  readinessPeriodSeconds: 2
+
+  # The readiness timeout seconds
+  readinessTimeoutSeconds: 3
+
+  hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
  tag: ""
  # revision declares which revision this gateway is a part of
  revision: ""
@@ -388,7 +431,8 @@ gateway:

  # Pod environment variables
  env: {}
-
+  httpPort: 80
+  httpsPort: 443
  hostNetwork: false

  # Labels to apply to all resources
@@ -423,6 +467,7 @@ gateway:
      targetPort: 443
    annotations: {}
    loadBalancerIP: ""
+    loadBalancerClass: ""
    loadBalancerSourceRanges: []
    externalTrafficPolicy: ""

@@ -456,6 +501,8 @@ controller:
  name: "higress-controller"
  replicas: 1
  image: higress
+
+  hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
  tag: ""
  env: {}

@@ -497,6 +544,12 @@ controller:
      "port": 8888,
      "targetPort": 8888,
    },
+    {
+      "name": "http-solver",
+      "protocol": "TCP",
+      "port": 8889,
+      "targetPort": 8889,
+    },
    {
      "name": "grpc",
      "protocol": "TCP",
@@ -535,6 +588,9 @@ controller:
    minReplicas: 1
    maxReplicas: 5
    targetCPUUtilizationPercentage: 80
+  automaticHttps:
+    enabled: true
+    email: ""
  
 ## Discovery Settings
 pilot:
@@ -608,9 +664,15 @@ pilot:
  podLabels: {}


-# Skywalking config settings
-skywalking:
-  enabled: false
-  service:
-    address: ~
-    port: 11800
+# Tracing config settings
+tracing:
+  enable: false
+  sampling: 100
+  timeout: 500
+  skywalking:
+   # access_token: ""
+   service: ""
+   port: 11800
+  # zipkin:
+    # service: ""
+    # port: 9411
--- a/helm/higress/Chart.lock
+++ b/helm/higress/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: higress-core
  repository: file://../core
-  version: 1.2.0
+  version: 1.4.2
 - name: higress-console
  repository: https://higress.io/helm-charts/
-  version: 1.2.0
-digest: sha256:d53c2da70cb3bcace50bce756acb50750a84c0888ec0d4c112939bf3c6e4daeb
-generated: "2023-09-22T16:52:34.940675+08:00"
+  version: 1.4.2
+digest: sha256:31b557e55584e589b140ae9b89cfc8b99df91771c7d28465c3a2b06a4f35a192
+generated: "2024-07-26T13:53:23.225023+08:00"
--- a/helm/higress/Chart.yaml
+++ b/helm/higress/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.2.0
+appVersion: 1.4.2
 description: Helm chart for deploying Higress gateways
 icon: https://higress.io/img/higress_logo_small.png
 home: http://higress.io/
@@ -12,9 +12,9 @@ sources:
 dependencies:
 - name: higress-core
  repository: "file://../core"
-  version: 1.2.0
+  version: 1.4.2
 - name: higress-console
  repository: "https://higress.io/helm-charts/"
-  version: 1.2.0
+  version: 1.4.2
 type: application
-version: 1.2.0
+version: 1.4.2
--- a/istio/1.12/patches/istio/20230925-gateway-httproute.patch
+++ b/istio/1.12/patches/istio/20230925-gateway-httproute.patch
@@ -0,0 +1,71 @@
+diff -Naur istio/pilot/pkg/config/kube/gateway/conversion.go istio-new/pilot/pkg/config/kube/gateway/conversion.go
+--- istio/pilot/pkg/config/kube/gateway/conversion.go	2023-09-25 17:26:32.000000000 +0800
+++ istio-new/pilot/pkg/config/kube/gateway/conversion.go	2023-09-25 17:25:27.000000000 +0800
+@@ -656,6 +656,16 @@
+ 			Port: &istio.PortSelector{Number: uint32(*to.Port)},
+ 		}, nil
+ 	}
+	if equal((*string)(to.Group), "networking.higress.io") && nilOrEqual((*string)(to.Kind), "Service") {
+		var port *istio.PortSelector
+		if to.Port != nil {
+			port = &istio.PortSelector{Number: uint32(*to.Port)}
+		}
+		return &istio.Destination{
+			Host: string(to.Name),
+			Port: port,
+		}, nil
+	}
+ 	return nil, &ConfigError{
+ 		Reason:  InvalidDestination,
+ 		Message: fmt.Sprintf("referencing unsupported backendRef: group %q kind %q", emptyIfNil((*string)(to.Group)), emptyIfNil((*string)(to.Kind))),
+@@ -912,7 +922,7 @@
+ 					ObservedGeneration: obj.Generation,
+ 					LastTransitionTime: metav1.Now(),
+ 					Reason:             string(k8s.GatewayClassConditionStatusAccepted),
+-					Message:            "Handled by Istio controller",
+					Message:            "Handled by Higress controller",
+ 				})
+ 				return gcs
+ 			})
+@@ -1371,6 +1381,10 @@
+ 	return d
+ }
+ 
+func equal(have *string, expected string) bool {
+	return have != nil && *have == expected
+}
+
+ func nilOrEqual(have *string, expected string) bool {
+ 	return have == nil || *have == expected
+ }
+diff -Naur istio/pilot/pkg/leaderelection/leaderelection.go istio-new/pilot/pkg/leaderelection/leaderelection.go
+--- istio/pilot/pkg/leaderelection/leaderelection.go	2023-09-25 17:26:31.000000000 +0800
+++ istio-new/pilot/pkg/leaderelection/leaderelection.go	2023-09-25 14:59:39.000000000 +0800
+@@ -35,20 +35,20 @@
+ 
+ // Various locks used throughout the code
+ const (
+-	NamespaceController     = "istio-namespace-controller-election"
+-	ServiceExportController = "istio-serviceexport-controller-election"
+	NamespaceController     = "higress-namespace-controller-election"
+	ServiceExportController = "higress-serviceexport-controller-election"
+ 	// This holds the legacy name to not conflict with older control plane deployments which are just
+ 	// doing the ingress syncing.
+-	IngressController = "istio-leader"
+	IngressController = "higress-leader"
+ 	// GatewayStatusController controls the status of gateway.networking.k8s.io objects. For the v1alpha1
+ 	// this was formally "istio-gateway-leader"; because they are a different API group we need a different
+ 	// election to ensure we do not only handle one or the other.
+-	GatewayStatusController = "istio-gateway-status-leader"
+	GatewayStatusController = "higress-gateway-status-leader"
+ 	// GatewayDeploymentController controls the Deployment/Service generation from Gateways. This is
+ 	// separate from GatewayStatusController to allow running in a separate process (for low priv).
+-	GatewayDeploymentController = "istio-gateway-deployment-leader"
+-	StatusController            = "istio-status-leader"
+-	AnalyzeController           = "istio-analyze-leader"
+	GatewayDeploymentController = "higress-gateway-deployment-leader"
+	StatusController            = "higress-status-leader"
+	AnalyzeController           = "higress-analyze-leader"
+ )
+ 
+ var ClusterScopedNamespaceController = NamespaceController
--- a/istio/1.12/patches/istio/20231008-gateway-fallback.patch
+++ b/istio/1.12/patches/istio/20231008-gateway-fallback.patch
@@ -0,0 +1,90 @@
+diff -Naur istio/pilot/pkg/config/kube/gateway/conversion.go istio-new/pilot/pkg/config/kube/gateway/conversion.go
+--- istio/pilot/pkg/config/kube/gateway/conversion.go	2023-10-08 19:54:47.000000000 +0800
+++ istio-new/pilot/pkg/config/kube/gateway/conversion.go	2023-09-27 16:10:42.000000000 +0800
+@@ -18,6 +18,7 @@
+ 	"fmt"
+ 	"regexp"
+ 	"sort"
+	"strconv"
+ 	"strings"
+ 
+ 	corev1 "k8s.io/api/core/v1"
+@@ -176,7 +177,9 @@
+ 	hosts := hostnameToStringList(route.Hostnames)
+ 	for _, r := range route.Rules {
+ 		// TODO: implement rewrite, timeout, mirror, corspolicy, retries
+-		vs := &istio.HTTPRoute{}
+		vs := &istio.HTTPRoute{
+			Name: obj.Name,
+		}
+ 		for _, match := range r.Matches {
+ 			uri, err := createURIMatch(match)
+ 			if err != nil {
+@@ -246,7 +249,9 @@
+ 			}}
+ 		}
+ 
+-		route, err := buildHTTPDestination(r.BackendRefs, obj.Namespace, domain, zero)
+		fallbackCluster := obj.Annotations["higress.io/fallback-service"]
+
+		route, err := buildHTTPDestination(r.BackendRefs, obj.Namespace, domain, zero, fallbackCluster)
+ 		if err != nil {
+ 			reportError(err)
+ 			return nil
+@@ -581,11 +586,33 @@
+ 	return r
+ }
+ 
+-func buildHTTPDestination(forwardTo []k8s.HTTPBackendRef, ns string, domain string, totalZero bool) ([]*istio.HTTPRouteDestination, *ConfigError) {
+func buildHTTPDestination(forwardTo []k8s.HTTPBackendRef, ns string, domain string, totalZero bool, fallbackCluster string) ([]*istio.HTTPRouteDestination, *ConfigError) {
+ 	if forwardTo == nil {
+ 		return nil, nil
+ 	}
+ 
+	var fallbackDest *istio.Destination
+	if fallbackCluster != "" {
+		var port uint64
+		host := fallbackCluster
+		colon := strings.LastIndex(fallbackCluster, ":")
+		if colon != -1 {
+			var err error
+			port, err = strconv.ParseUint(fallbackCluster[colon+1:], 10, 32)
+			if err == nil && port > 0 && port < 65536 {
+				host = fallbackCluster[:colon]
+			}
+		}
+		fallbackDest = &istio.Destination{
+			Host: host,
+		}
+		if port > 0 {
+			fallbackDest.Port = &istio.PortSelector{
+				Number: uint32(port),
+			}
+		}
+	}
+
+ 	weights := []int{}
+ 	action := []k8s.HTTPBackendRef{}
+ 	for i, w := range forwardTo {
+@@ -612,6 +639,9 @@
+ 			Destination: dst,
+ 			Weight:      int32(weights[i]),
+ 		}
+		if fallbackDest != nil {
+			rd.FallbackClusters = append(rd.FallbackClusters, fallbackDest)
+		}
+ 		for _, filter := range fwd.Filters {
+ 			switch filter.Type {
+ 			case k8s.HTTPRouteFilterRequestHeaderModifier:
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/route/route.go istio-new/pilot/pkg/networking/core/v1alpha3/route/route.go
+--- istio/pilot/pkg/networking/core/v1alpha3/route/route.go	2023-10-08 19:54:46.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/route/route.go	2023-09-27 16:18:16.000000000 +0800
+@@ -669,7 +669,7 @@
+ 		}
+ 		var singleClusterConfig *fallback.ClusterFallbackConfig
+ 		var weightedClusterConfig *fallback.ClusterFallbackConfig
+-		isSupportFallback := supportFallback(node)
+		isSupportFallback := true
+ 		// Added by ingress
+ 		if len(in.Route) == 1 {
+ 			route := in.Route[0]
--- a/istio/1.12/patches/istio/20231024-cds-add-fallback.patch
+++ b/istio/1.12/patches/istio/20231024-cds-add-fallback.patch
@@ -0,0 +1,13 @@
+diff -Naur istio/pilot/pkg/model/push_context.go istio-new/pilot/pkg/model/push_context.go
+--- istio/pilot/pkg/model/push_context.go	2023-10-24 10:55:51.000000000 +0800
+++ istio-new/pilot/pkg/model/push_context.go	2023-10-20 17:00:06.000000000 +0800
+@@ -704,6 +704,9 @@
+ 			if r.Destination != nil {
+ 				out = append(out, r.Destination.Host)
+ 			}
+			for _, d := range r.FallbackClusters {
+				out = append(out, d.Host)
+			}
+ 		}
+ 		if h.Mirror != nil {
+ 			out = append(out, h.Mirror.Host)
--- a/istio/1.12/patches/istio/20231031-gatewayapi-v1beta1.patch
+++ b/istio/1.12/patches/istio/20231031-gatewayapi-v1beta1.patch
--- a/istio/1.12/patches/istio/20231103-gatewayapi-sort.patch
+++ b/istio/1.12/patches/istio/20231103-gatewayapi-sort.patch
@@ -0,0 +1,377 @@
+diff -Naur istio/pilot/pkg/config/kube/gateway/conversion.go istio-new/pilot/pkg/config/kube/gateway/conversion.go
+--- istio/pilot/pkg/config/kube/gateway/conversion.go	2023-11-03 17:18:56.000000000 +0800
+++ istio-new/pilot/pkg/config/kube/gateway/conversion.go	2023-11-03 17:14:50.000000000 +0800
+@@ -151,15 +151,113 @@
+ 		}
+ 	}
+ 
+	// for gateway routes, build one VS per gateway+host
+	gatewayRoutes := make(map[string]map[string]*config.Config)
+
+ 	for _, obj := range r.HTTPRoute {
+-		if vsConfig := buildHTTPVirtualServices(obj, gatewayMap, r.Domain); vsConfig != nil {
+		buildHTTPVirtualServices(r, obj, gatewayMap, gatewayRoutes, r.Domain)
+	}
+	for _, vsByHost := range gatewayRoutes {
+		for _, vsConfig := range vsByHost {
+ 			result = append(result, *vsConfig)
+ 		}
+ 	}
+ 	return result
+ }
+ 
+-func buildHTTPVirtualServices(obj config.Config, gateways map[parentKey]map[gatewayapiV1beta1.SectionName]*parentInfo, domain string) *config.Config {
+// getURIRank ranks a URI match type. Exact > Prefix > Regex
+func getURIRank(match *istio.HTTPMatchRequest) int {
+	if match.Uri == nil {
+		return -1
+	}
+	switch match.Uri.MatchType.(type) {
+	case *istio.StringMatch_Exact:
+		return 3
+	case *istio.StringMatch_Prefix:
+		return 2
+	case *istio.StringMatch_Regex:
+		// TODO optimize in new verison envoy
+		if strings.HasSuffix(match.Uri.GetRegex(), prefixMatchRegex) &&
+			!strings.ContainsAny(strings.TrimSuffix(match.Uri.GetRegex(), prefixMatchRegex), `\.+*?()|[]{}^$`) {
+			return 2
+		}
+		return 1
+	}
+	// should not happen
+	return -1
+}
+
+func getURILength(match *istio.HTTPMatchRequest) int {
+	if match.Uri == nil {
+		return 0
+	}
+	switch match.Uri.MatchType.(type) {
+	case *istio.StringMatch_Prefix:
+		return len(match.Uri.GetPrefix())
+	case *istio.StringMatch_Exact:
+		return len(match.Uri.GetExact())
+	case *istio.StringMatch_Regex:
+		return len(match.Uri.GetRegex())
+	}
+	// should not happen
+	return -1
+}
+
+// sortHTTPRoutes sorts generated vs routes to meet gateway-api requirements
+// see https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.HTTPRouteRule
+func sortHTTPRoutes(routes []*istio.HTTPRoute) {
+	sort.SliceStable(routes, func(i, j int) bool {
+		if len(routes[i].Match) == 0 {
+			return false
+		} else if len(routes[j].Match) == 0 {
+			return true
+		}
+		// Only look at match[0], we always generate only one match
+		m1, m2 := routes[i].Match[0], routes[j].Match[0]
+		r1, r2 := getURIRank(m1), getURIRank(m2)
+		len1, len2 := getURILength(m1), getURILength(m2)
+		switch {
+		// 1: Exact/Prefix/Regex
+		case r1 != r2:
+			return r1 > r2
+		case len1 != len2:
+			return len1 > len2
+			// 2: method math
+		case (m1.Method == nil) != (m2.Method == nil):
+			return m1.Method != nil
+			// 3: number of header matches
+		case len(m1.Headers) != len(m2.Headers):
+			return len(m1.Headers) > len(m2.Headers)
+			// 4: number of query matches
+		default:
+			return len(m1.QueryParams) > len(m2.QueryParams)
+		}
+	})
+}
+
+func routeMeta(obj config.Config) map[string]string {
+	m := parentMeta(obj, nil)
+	m[constants.InternalRouteSemantics] = constants.RouteSemanticsGateway
+	return m
+}
+
+func filteredReferences(parents []routeParentReference) []routeParentReference {
+	ret := make([]routeParentReference, 0, len(parents))
+	for _, p := range parents {
+		if p.DeniedReason != nil {
+			// We should filter this out
+			continue
+		}
+		ret = append(ret, p)
+	}
+	// To ensure deterministic order, sort them
+	sort.Slice(ret, func(i, j int) bool {
+		return ret[i].InternalName < ret[j].InternalName
+	})
+	return ret
+}
+
+func buildHTTPVirtualServices(ctx *KubernetesResources, obj config.Config, gateways map[parentKey]map[gatewayapiV1beta1.SectionName]*parentInfo, gatewayRoutes map[string]map[string]*config.Config, domain string) {
+ 	route := obj.Spec.(*gatewayapiV1beta1.HTTPRouteSpec)
+ 
+ 	parentRefs := extractParentReferenceInfo(gateways, route.ParentRefs, route.Hostnames, gvk.HTTPRoute, obj.Namespace)
+@@ -172,10 +270,7 @@
+ 		})
+ 	}
+ 
+-	name := fmt.Sprintf("%s-%s", obj.Name, constants.KubernetesGatewayName)
+-
+ 	httproutes := []*istio.HTTPRoute{}
+-	hosts := hostnameToStringList(route.Hostnames)
+ 	for _, r := range route.Rules {
+ 		// TODO: implement rewrite, timeout, mirror, corspolicy, retries
+ 		vs := &istio.HTTPRoute{
+@@ -185,22 +280,22 @@
+ 			uri, err := createURIMatch(match)
+ 			if err != nil {
+ 				reportError(err)
+-				return nil
+				return
+ 			}
+ 			headers, err := createHeadersMatch(match)
+ 			if err != nil {
+ 				reportError(err)
+-				return nil
+				return
+ 			}
+ 			qp, err := createQueryParamsMatch(match)
+ 			if err != nil {
+ 				reportError(err)
+-				return nil
+				return
+ 			}
+ 			method, err := createMethodMatch(match)
+ 			if err != nil {
+ 				reportError(err)
+-				return nil
+				return
+ 			}
+ 			vs.Match = append(vs.Match, &istio.HTTPMatchRequest{
+ 				Uri:         uri,
+@@ -219,7 +314,7 @@
+ 				mirror, err := createMirrorFilter(filter.RequestMirror, obj.Namespace, domain)
+ 				if err != nil {
+ 					reportError(err)
+-					return nil
+					return
+ 				}
+ 				vs.Mirror = mirror
+ 			default:
+@@ -227,7 +322,7 @@
+ 					Reason:  InvalidFilter,
+ 					Message: fmt.Sprintf("unsupported filter type %q", filter.Type),
+ 				})
+-				return nil
+				return
+ 			}
+ 		}
+ 
+@@ -255,33 +350,65 @@
+ 		route, err := buildHTTPDestination(r.BackendRefs, obj.Namespace, domain, zero, fallbackCluster)
+ 		if err != nil {
+ 			reportError(err)
+-			return nil
+			return
+ 		}
+ 		vs.Route = route
+ 
+ 		httproutes = append(httproutes, vs)
+ 	}
+ 	reportError(nil)
+-	gatewayNames := referencesToInternalNames(parentRefs)
+-	if len(gatewayNames) == 0 {
+-		return nil
+
+	count := 0
+	for _, parent := range filteredReferences(parentRefs) {
+		// for gateway routes, build one VS per gateway+host
+		routeMap := gatewayRoutes
+		routeKey := parent.InternalName
+		vsHosts := hostnameToStringList(route.Hostnames)
+		routes := httproutes
+		if len(routes) == 0 {
+			continue
+		}
+		if _, f := routeMap[routeKey]; !f {
+			routeMap[routeKey] = make(map[string]*config.Config)
+		}
+
+		// Create one VS per hostname with a single hostname.
+		// This ensures we can treat each hostname independently, as the spec requires
+		for _, h := range vsHosts {
+			if cfg := routeMap[routeKey][h]; cfg != nil {
+				// merge http routes
+				vs := cfg.Spec.(*istio.VirtualService)
+				vs.Http = append(vs.Http, routes...)
+				// append parents
+				cfg.Annotations[constants.InternalParentNames] = fmt.Sprintf("%s,%s/%s.%s",
+					cfg.Annotations[constants.InternalParentNames], obj.GroupVersionKind.Kind, obj.Name, obj.Namespace)
+			} else {
+				name := fmt.Sprintf("%s-%d-%s", obj.Name, count, constants.KubernetesGatewayName)
+				routeMap[routeKey][h] = &config.Config{
+					Meta: config.Meta{
+						CreationTimestamp: obj.CreationTimestamp,
+						GroupVersionKind:  gvk.VirtualService,
+						Name:              name,
+						Annotations:       routeMeta(obj),
+						Namespace:         obj.Namespace,
+						Domain:            ctx.Domain,
+					},
+					Spec: &istio.VirtualService{
+						Hosts:    []string{h},
+						Gateways: []string{parent.InternalName},
+						Http:     routes,
+					},
+				}
+				count++
+			}
+		}
+ 	}
+-	vsConfig := config.Config{
+-		Meta: config.Meta{
+-			CreationTimestamp: obj.CreationTimestamp,
+-			GroupVersionKind:  gvk.VirtualService,
+-			Name:              name,
+-			Annotations:       parentMeta(obj, nil),
+-			Namespace:         obj.Namespace,
+-			Domain:            domain,
+-		},
+-		Spec: &istio.VirtualService{
+-			Hosts:    hosts,
+-			Gateways: gatewayNames,
+-			Http:     httproutes,
+-		},
+	for _, vsByHost := range gatewayRoutes {
+		for _, cfg := range vsByHost {
+			vs := cfg.Spec.(*istio.VirtualService)
+			sortHTTPRoutes(vs.Http)
+		}
+ 	}
+-	return &vsConfig
+ }
+ 
+ func parentMeta(obj config.Config, sectionName *gatewayapiV1beta1.SectionName) map[string]string {
+@@ -1155,9 +1282,11 @@
+ 			}
+ 			gs.Addresses = make([]gatewayapiV1beta1.GatewayAddress, 0, len(addressesToReport))
+ 			for _, addr := range addressesToReport {
+				addrPairs := strings.Split(addr, ":")
+ 				gs.Addresses = append(gs.Addresses, gatewayapiV1beta1.GatewayAddress{
+-					Type:  &addrType,
+-					Value: addr,
+					Type: &addrType,
+					// strip the port
+					Value: addrPairs[0],
+ 				})
+ 			}
+ 			return gs
+diff -Naur istio/pilot/pkg/model/push_context.go istio-new/pilot/pkg/model/push_context.go
+--- istio/pilot/pkg/model/push_context.go	2023-11-03 17:18:56.000000000 +0800
+++ istio-new/pilot/pkg/model/push_context.go	2023-11-03 17:05:47.000000000 +0800
+@@ -841,7 +841,19 @@
+ func (ps *PushContext) VirtualServicesForGateway(proxy *Proxy, gateway string) []config.Config {
+ 	res := ps.virtualServiceIndex.privateByNamespaceAndGateway[proxy.ConfigNamespace][gateway]
+ 	res = append(res, ps.virtualServiceIndex.exportedToNamespaceByGateway[proxy.ConfigNamespace][gateway]...)
+-	res = append(res, ps.virtualServiceIndex.publicByGateway[gateway]...)
+
+	// Favor same-namespace Gateway routes, to give the "consumer override" preference.
+	// We do 2 iterations here to avoid extra allocations.
+	for _, vs := range ps.virtualServiceIndex.publicByGateway[gateway] {
+		if UseGatewaySemantics(vs) && vs.Namespace == proxy.ConfigNamespace {
+			res = append(res, vs)
+		}
+	}
+	for _, vs := range ps.virtualServiceIndex.publicByGateway[gateway] {
+		if !(UseGatewaySemantics(vs) && vs.Namespace == proxy.ConfigNamespace) {
+			res = append(res, vs)
+		}
+	}
+ 	return res
+ }
+ 
+diff -Naur istio/pilot/pkg/model/virtualservice.go istio-new/pilot/pkg/model/virtualservice.go
+--- istio/pilot/pkg/model/virtualservice.go	2023-11-03 17:18:55.000000000 +0800
+++ istio-new/pilot/pkg/model/virtualservice.go	2023-11-03 15:19:08.000000000 +0800
+@@ -76,6 +76,11 @@
+ }
+ 
+ func resolveVirtualServiceShortnames(rule *networking.VirtualService, meta config.Meta) {
+	// Kubernetes Gateway API semantics support shortnames
+	// if UseGatewaySemantics(config.Config{Meta: meta}) {
+	// 	return
+	// }
+
+ 	// resolve top level hosts
+ 	for i, h := range rule.Hosts {
+ 		rule.Hosts[i] = string(ResolveShortnameToFQDN(h, meta))
+@@ -524,3 +529,10 @@
+ 	}
+ 	return false
+ }
+
+// UseGatewaySemantics determines which logic we should use for VirtualService
+// This allows gateway-api and VS to both be represented by VirtualService, but have different
+// semantics.
+func UseGatewaySemantics(cfg config.Config) bool {
+	return cfg.Annotations[constants.InternalRouteSemantics] == constants.RouteSemanticsGateway
+}
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/route/route.go istio-new/pilot/pkg/networking/core/v1alpha3/route/route.go
+--- istio/pilot/pkg/networking/core/v1alpha3/route/route.go	2023-11-03 17:18:56.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/route/route.go	2023-11-03 17:05:55.000000000 +0800
+@@ -408,7 +408,6 @@
+ 			break
+ 		}
+ 	}
+-
+ 	if len(out) == 0 {
+ 		return nil, fmt.Errorf("no routes matched")
+ 	}
+@@ -493,6 +492,14 @@
+ 			},
+ 		}
+ 
+		if model.UseGatewaySemantics(virtualService) {
+			if uri, isPrefixReplace := cutPrefix(redirect.Uri, "%PREFIX()%"); isPrefixReplace {
+				action.Redirect.PathRewriteSpecifier = &route.RedirectAction_PrefixRewrite{
+					PrefixRewrite: uri,
+				}
+			}
+		}
+
+ 		if redirect.Scheme != "" {
+ 			action.Redirect.SchemeRewriteSpecifier = &route.RedirectAction_SchemeRedirect{SchemeRedirect: redirect.Scheme}
+ 		}
+@@ -1616,3 +1623,10 @@
+ 	isSupport = curVersion.GreaterThan(notSupportFallback)
+ 	return
+ }
+
+func cutPrefix(s, prefix string) (after string, found bool) {
+	if !strings.HasPrefix(s, prefix) {
+		return s, false
+	}
+	return s[len(prefix):], true
+}
+diff -Naur istio/pkg/config/constants/constants.go istio-new/pkg/config/constants/constants.go
+--- istio/pkg/config/constants/constants.go	2023-11-03 17:18:54.000000000 +0800
+++ istio-new/pkg/config/constants/constants.go	2023-11-03 14:29:27.000000000 +0800
+@@ -15,6 +15,12 @@
+ package constants
+ 
+ const (
+	InternalParentNames = "internal.istio.io/parents"
+
+	InternalRouteSemantics = "internal.istio.io/route-semantics"
+
+	RouteSemanticsGateway = "gateway"
+
+ 	// UnspecifiedIP constant for empty IP address
+ 	UnspecifiedIP = "0.0.0.0"
+ 
--- a/istio/1.12/patches/istio/20231104-gatewayapi-catchall.patch
+++ b/istio/1.12/patches/istio/20231104-gatewayapi-catchall.patch
@@ -0,0 +1,50 @@
+diff -Naur istio/pilot/pkg/config/kube/gateway/conversion.go istio-new/pilot/pkg/config/kube/gateway/conversion.go
+--- istio/pilot/pkg/config/kube/gateway/conversion.go	2023-11-03 20:09:38.000000000 +0800
+++ istio-new/pilot/pkg/config/kube/gateway/conversion.go	2023-11-03 20:02:26.000000000 +0800
+@@ -165,6 +165,34 @@
+ 	return result
+ }
+ 
+// isCatchAll returns true if HTTPMatchRequest is a catchall match otherwise
+// false. Note - this may not be exactly "catch all" as we don't know the full
+// class of possible inputs As such, this is used only for optimization.
+func isCatchAllMatch(m *istio.HTTPMatchRequest) bool {
+	catchall := false
+	if m.Uri != nil {
+		switch m := m.Uri.MatchType.(type) {
+		case *istio.StringMatch_Prefix:
+			catchall = m.Prefix == "/"
+		case *istio.StringMatch_Regex:
+			catchall = m.Regex == "*"
+		}
+	}
+	// A Match is catch all if and only if it has no match set
+	// and URI has a prefix / or regex *.
+	return catchall &&
+		len(m.Headers) == 0 &&
+		len(m.QueryParams) == 0 &&
+		len(m.SourceLabels) == 0 &&
+		len(m.WithoutHeaders) == 0 &&
+		len(m.Gateways) == 0 &&
+		m.Method == nil &&
+		m.Scheme == nil &&
+		m.Port == 0 &&
+		m.Authority == nil &&
+		m.SourceNamespace == ""
+}
+
+ // getURIRank ranks a URI match type. Exact > Prefix > Regex
+ func getURIRank(match *istio.HTTPMatchRequest) int {
+ 	if match.Uri == nil {
+@@ -212,6 +240,11 @@
+ 		} else if len(routes[j].Match) == 0 {
+ 			return true
+ 		}
+		if isCatchAllMatch(routes[i].Match[0]) {
+			return false
+		} else if isCatchAllMatch(routes[j].Match[0]) {
+			return true
+		}
+ 		// Only look at match[0], we always generate only one match
+ 		m1, m2 := routes[i].Match[0], routes[j].Match[0]
+ 		r1, r2 := getURIRank(m1), getURIRank(m2)
--- a/istio/1.12/patches/istio/20231115-optimize-xds-push.patch
+++ b/istio/1.12/patches/istio/20231115-optimize-xds-push.patch
@@ -0,0 +1,62 @@
+diff -Naur istio/pilot/pkg/xds/ads.go istio-new/pilot/pkg/xds/ads.go
+--- istio/pilot/pkg/xds/ads.go	2023-11-15 20:25:18.000000000 +0800
+++ istio-new/pilot/pkg/xds/ads.go	2023-11-15 20:24:20.000000000 +0800
+@@ -318,6 +318,27 @@
+ 	<-con.initialized
+ 
+ 	for {
+		// Go select{} statements are not ordered; the same channel can be chosen many times.
+		// For requests, these are higher priority (client may be blocked on startup until these are done)
+		// and often very cheap to handle (simple ACK), so we check it first.
+		select {
+		case req, ok := <-con.reqChan:
+			if ok {
+				if err := s.processRequest(req, con); err != nil {
+					return err
+				}
+			} else {
+				// Remote side closed connection or error processing the request.
+				return <-con.errorChan
+			}
+		case <-con.stop:
+			return nil
+		default:
+		}
+		// If there wasn't already a request, poll for requests and pushes. Note: if we have a huge
+		// amount of incoming requests, we may still send some pushes, as we do not `continue` above;
+		// however, requests will be handled ~2x as much as pushes. This ensures a wave of requests
+		// cannot completely starve pushes. However, this scenario is unlikely.
+ 		select {
+ 		case req, ok := <-con.reqChan:
+ 			if ok {
+diff -Naur istio/pilot/pkg/xds/delta.go istio-new/pilot/pkg/xds/delta.go
+--- istio/pilot/pkg/xds/delta.go	2023-11-15 20:25:18.000000000 +0800
+++ istio-new/pilot/pkg/xds/delta.go	2023-11-15 20:24:44.000000000 +0800
+@@ -102,6 +102,27 @@
+ 	<-con.initialized
+ 
+ 	for {
+		// Go select{} statements are not ordered; the same channel can be chosen many times.
+		// For requests, these are higher priority (client may be blocked on startup until these are done)
+		// and often very cheap to handle (simple ACK), so we check it first.
+		select {
+		case req, ok := <-con.deltaReqChan:
+			if ok {
+				if err := s.processDeltaRequest(req, con); err != nil {
+					return err
+				}
+			} else {
+				// Remote side closed connection or error processing the request.
+				return <-con.errorChan
+			}
+		case <-con.stop:
+			return nil
+		default:
+		}
+		// If there wasn't already a request, poll for requests and pushes. Note: if we have a huge
+		// amount of incoming requests, we may still send some pushes, as we do not `continue` above;
+		// however, requests will be handled ~2x as much as pushes. This ensures a wave of requests
+		// cannot completely starve pushes. However, this scenario is unlikely.
+ 		select {
+ 		case req, ok := <-con.deltaReqChan:
+ 			if ok {
--- a/istio/1.12/patches/istio/20240104-enhance-srds.patch
+++ b/istio/1.12/patches/istio/20240104-enhance-srds.patch
@@ -0,0 +1,633 @@
+diff -Naur istio/pilot/pkg/features/pilot.go istio-new/pilot/pkg/features/pilot.go
+--- istio/pilot/pkg/features/pilot.go	2024-01-05 17:58:08.000000000 +0800
+++ istio-new/pilot/pkg/features/pilot.go	2024-01-04 21:20:00.000000000 +0800
+@@ -569,6 +569,12 @@
+ 	// Added by ingress
+ 	CustomCACertConfigMapName = env.RegisterStringVar("CUSTOM_CA_CERT_NAME", "",
+ 		"Defines the configmap's name of  istio's root ca certificate").Get()
+	HostRDSMergeSubset = env.RegisterBoolVar("HOST_RDS_MERGE_SUBSET", true,
+		"If enabled, if host A is a subset of B, then we merge B's routes into A's hostRDS").Get()
+	EnableScopedRDS = env.RegisterBoolVar("ENBALE_SCOPED_RDS", true,
+		"If enabled, each host in virtualservice will have an independent RDS, which is used with SRDS").Get()
+	OnDemandRDS = env.RegisterBoolVar("ON_DEMAND_RDS", false,
+		"If enabled, the on demand filter will be added to the HCM filters").Get()
+ 	// End added by ingress
+ )
+ 
+diff -Naur istio/pilot/pkg/networking/core/configgen.go istio-new/pilot/pkg/networking/core/configgen.go
+--- istio/pilot/pkg/networking/core/configgen.go	2024-01-05 17:58:02.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/configgen.go	2024-01-04 21:20:00.000000000 +0800
+@@ -17,6 +17,7 @@
+ import (
+ 	core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+ 	listener "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
+	route "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
+ 	discovery "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
+ 
+ 	meshconfig "istio.io/api/mesh/v1alpha1"
+@@ -44,6 +45,10 @@
+ 	// BuildHTTPRoutes returns the list of HTTP routes for the given proxy. This is the RDS output
+ 	BuildHTTPRoutes(node *model.Proxy, req *model.PushRequest, routeNames []string) ([]*discovery.Resource, model.XdsLogDetails)
+ 
+	// Added by ingress
+	BuildScopedRoutes(node *model.Proxy, push *model.PushContext) []*route.ScopedRouteConfiguration
+	// End added by ingress
+
+ 	// BuildNameTable returns list of hostnames and the associated IPs
+ 	BuildNameTable(node *model.Proxy, push *model.PushContext) *dnsProto.NameTable
+ 
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
+--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-01-05 17:58:07.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-01-05 11:19:54.000000000 +0800
+@@ -41,7 +41,9 @@
+ 	"istio.io/istio/pilot/pkg/networking/plugin"
+ 	"istio.io/istio/pilot/pkg/networking/util"
+ 	authn_model "istio.io/istio/pilot/pkg/security/model"
+	"istio.io/istio/pilot/pkg/util/sets"
+ 	"istio.io/istio/pkg/config"
+	"istio.io/istio/pkg/config/constants"
+ 	"istio.io/istio/pkg/config/gateway"
+ 	"istio.io/istio/pkg/config/host"
+ 	"istio.io/istio/pkg/config/protocol"
+@@ -104,10 +106,15 @@
+ 			// We can also have QUIC on a given port along with HTTPS/TLS on a given port. It does not
+ 			// cause port-conflict as they use different transport protocols
+ 			opts := &buildListenerOpts{
+-				push:       builder.push,
+-				proxy:      builder.node,
+-				bind:       bind,
+-				port:       &model.Port{Port: int(port.Number)},
+				push:  builder.push,
+				proxy: builder.node,
+				bind:  bind,
+				port: &model.Port{
+					Port: int(port.Number),
+					// Added by ingress
+					Protocol: protocol.Parse(port.Protocol),
+					// End added by ingress
+				},
+ 				bindToPort: true,
+ 				class:      istionetworking.ListenerClassGateway,
+ 				transport:  transport,
+@@ -340,6 +347,269 @@
+ 	return nameToServiceMap
+ }
+ 
+// Added by ingress
+func (configgen *ConfigGeneratorImpl) BuildScopedRoutes(node *model.Proxy, push *model.PushContext) []*route.ScopedRouteConfiguration {
+	if node.MergedGateway == nil {
+		log.Warnf("buildScopedRoutes: no gateways for router %v", node.ID)
+		return nil
+	}
+	merged := node.MergedGateway
+	var out []*route.ScopedRouteConfiguration
+	gatewayVirtualServices := make(map[string][]config.Config)
+	serverIterator := func(listenerPort int, mergedServers map[model.ServerPort]*model.MergedServers) sets.Set {
+		hostSet := sets.NewSet()
+		for port, servers := range mergedServers {
+			if port.Number != uint32(listenerPort) {
+				continue
+			}
+			for _, server := range servers.Servers {
+				gatewayName := merged.GatewayNameForServer[server]
+
+				var virtualServices []config.Config
+				var exists bool
+
+				if virtualServices, exists = gatewayVirtualServices[gatewayName]; !exists {
+					virtualServices = push.VirtualServicesForGateway(node, gatewayName)
+					gatewayVirtualServices[gatewayName] = virtualServices
+				}
+				for _, virtualService := range virtualServices {
+					for _, host := range virtualService.Spec.(*networking.VirtualService).Hosts {
+						hostSet.Insert(host)
+					}
+				}
+			}
+		}
+		return hostSet
+	}
+	buildPortHostScopedRoute := func(listenerPort model.ServerPort) {
+		p := protocol.Parse(listenerPort.Protocol)
+		if !p.IsHTTP() && p != protocol.HTTPS {
+			return
+		}
+		port := strconv.Itoa(int(listenerPort.Number))
+		hostSet := serverIterator(int(listenerPort.Number), merged.MergedServers).
+			Union(serverIterator(int(listenerPort.Number), merged.MergedQUICTransportServers))
+		for host, _ := range hostSet {
+			portKey := &route.ScopedRouteConfiguration_Key_Fragment{
+				Type: &route.ScopedRouteConfiguration_Key_Fragment_StringKey{
+					StringKey: port,
+				},
+			}
+			hostKey := &route.ScopedRouteConfiguration_Key_Fragment{
+				Type: &route.ScopedRouteConfiguration_Key_Fragment_StringKey{
+					StringKey: host,
+				},
+			}
+			name := strings.Join([]string{port, host}, ".")
+			out = append(out, &route.ScopedRouteConfiguration{
+				OnDemand:               features.OnDemandRDS,
+				Name:                   name,
+				RouteConfigurationName: constants.HigressHostRDSNamePrefix + name,
+				Key: &route.ScopedRouteConfiguration_Key{
+					Fragments: []*route.ScopedRouteConfiguration_Key_Fragment{portKey, hostKey},
+				},
+			})
+		}
+	}
+	for _, port := range merged.ServerPorts {
+		buildPortHostScopedRoute(port)
+	}
+	return out
+}
+
+type virtualServiceContext struct {
+	virtualService config.Config
+	server         *networking.Server
+	gatewayName    string
+}
+
+func (configgen *ConfigGeneratorImpl) buildHostRDSConfig(node *model.Proxy, push *model.PushContext,
+	routeName string) *route.RouteConfiguration {
+	var (
+		hostRDSPort string
+		hostRDSHost string
+	)
+	portAndHost := strings.SplitN(strings.TrimPrefix(routeName, constants.HigressHostRDSNamePrefix), ".", 2)
+	if len(portAndHost) != 2 {
+		log.Errorf("Invalid route %s when using Higress hostRDS", routeName)
+		return nil
+	}
+	hostRDSPort = portAndHost[0]
+	hostRDSHost = portAndHost[1]
+	merged := node.MergedGateway
+	log.Debugf("buildGatewayRoutes: gateways after merging: %v", merged)
+	rdsPort, err := strconv.Atoi(hostRDSPort)
+	if err != nil {
+		log.Errorf("Invalid port %s of route %s when using Higress hostRDS", hostRDSPort, routeName)
+		return nil
+	}
+	listenerPort := uint32(rdsPort)
+	globalHTTPFilters := mseingress.ExtractGlobalHTTPFilters(node, push)
+
+	isH3DiscoveryNeeded := false
+
+	// When this is true, we add alt-svc header to the response to tell the client
+	// that HTTP/3 over QUIC is available on the same port for this host. This is
+	// very important for discovering HTTP/3 services
+	for port, servers := range merged.MergedQUICTransportServers {
+		if port.Number == listenerPort && len(servers.Servers) > 0 {
+			isH3DiscoveryNeeded = true
+			break
+		}
+	}
+
+	gatewayRoutes := make(map[string]map[string][]*route.Route)
+	gatewayVirtualServices := make(map[string][]config.Config)
+	var selectedVirtualServices []virtualServiceContext
+	var vHost *route.VirtualHost
+	serverIterator := func(mergedServers map[model.ServerPort]*model.MergedServers) {
+		for port, servers := range mergedServers {
+			if port.Number != listenerPort {
+				continue
+			}
+			for _, server := range servers.Servers {
+				gatewayName := merged.GatewayNameForServer[server]
+
+				var virtualServices []config.Config
+				var exists bool
+
+				if virtualServices, exists = gatewayVirtualServices[gatewayName]; !exists {
+					virtualServices = push.VirtualServicesForGateway(node, gatewayName)
+					gatewayVirtualServices[gatewayName] = virtualServices
+				}
+				for _, virtualService := range virtualServices {
+					hostMatch := false
+					var selectHost string
+					virtualServiceHosts := host.NewNames(virtualService.Spec.(*networking.VirtualService).Hosts)
+					for _, hostname := range virtualServiceHosts {
+						// exact match
+						if hostname == host.Name(hostRDSHost) {
+							hostMatch = true
+							selectHost = hostRDSHost
+							break
+						}
+						if features.HostRDSMergeSubset {
+							// subset match
+							if host.Name(hostRDSHost).SubsetOf(hostname) {
+								hostMatch = true
+								selectHost = string(hostname)
+							}
+						}
+					}
+					if !hostMatch {
+						continue
+					}
+					copiedVS := virtualService.DeepCopy()
+					copiedVS.Spec.(*networking.VirtualService).Hosts = []string{selectHost}
+					selectedVirtualServices = append(selectedVirtualServices, virtualServiceContext{
+						virtualService: copiedVS,
+						server:         server,
+						gatewayName:    gatewayName,
+					})
+				}
+			}
+		}
+	}
+	serverIterator(merged.MergedServers)
+	serverIterator(merged.MergedQUICTransportServers)
+	// Sort by subset
+	// before: ["*.abc.com", "*.com", "www.abc.com"]
+	// after: ["www.abc.com", "*.abc.com", "*.com"]
+	sort.SliceStable(selectedVirtualServices, func(i, j int) bool {
+		return host.Name(selectedVirtualServices[i].virtualService.Spec.(*networking.VirtualService).Hosts[0]).SubsetOf(
+			host.Name(selectedVirtualServices[j].virtualService.Spec.(*networking.VirtualService).Hosts[0]))
+	})
+	port := int(listenerPort)
+	for _, ctx := range selectedVirtualServices {
+		virtualService := ctx.virtualService
+		server := ctx.server
+		gatewayName := ctx.gatewayName
+		// Make sure we can obtain services which are visible to this virtualService as much as possible.
+		nameToServiceMap := buildNameToServiceMapForHTTPRoutes(node, push, virtualService)
+
+		var routes []*route.Route
+		var exists bool
+		var err error
+		if _, exists = gatewayRoutes[gatewayName]; !exists {
+			gatewayRoutes[gatewayName] = make(map[string][]*route.Route)
+		}
+
+		vskey := virtualService.Name + "/" + virtualService.Namespace
+
+		if routes, exists = gatewayRoutes[gatewayName][vskey]; !exists {
+			hashByDestination := istio_route.GetConsistentHashForVirtualService(push, node, virtualService, nameToServiceMap)
+			routes, err = istio_route.BuildHTTPRoutesForVirtualServiceWithHTTPFilters(node, virtualService, nameToServiceMap,
+				hashByDestination, port, map[string]bool{gatewayName: true}, isH3DiscoveryNeeded, push.Mesh, globalHTTPFilters)
+			if err != nil {
+				log.Debugf("%s omitting routes for virtual service %v/%v due to error: %v", node.ID, virtualService.Namespace, virtualService.Name, err)
+				continue
+			}
+			gatewayRoutes[gatewayName][vskey] = routes
+		}
+
+		if vHost != nil {
+			vHost.Routes = append(vHost.Routes, routes...)
+			if server.Tls != nil && server.Tls.HttpsRedirect {
+				vHost.RequireTls = route.VirtualHost_ALL
+			}
+		} else {
+			vHost = &route.VirtualHost{
+				Name:                       util.DomainName(hostRDSHost, port),
+				Domains:                    buildGatewayVirtualHostDomains(hostRDSHost, port),
+				Routes:                     routes,
+				IncludeRequestAttemptCount: true,
+				TypedPerFilterConfig:       mseingress.ConstructTypedPerFilterConfigForVHost(globalHTTPFilters, virtualService),
+			}
+			if server.Tls != nil && server.Tls.HttpsRedirect {
+				vHost.RequireTls = route.VirtualHost_ALL
+			}
+		}
+
+		// check all hostname if is not exist with HttpsRedirect set to true
+		// create VirtualHost to redirect
+		for _, hostname := range server.Hosts {
+			if !server.GetTls().GetHttpsRedirect() {
+				continue
+			}
+			if vHost != nil && host.Name(hostname) == host.Name(hostRDSHost) {
+				vHost.RequireTls = route.VirtualHost_ALL
+				continue
+			}
+			vHost = &route.VirtualHost{
+				Name:                       util.DomainName(hostname, port),
+				Domains:                    buildGatewayVirtualHostDomains(hostname, port),
+				IncludeRequestAttemptCount: true,
+				RequireTls:                 route.VirtualHost_ALL,
+			}
+		}
+
+	}
+	var virtualHosts []*route.VirtualHost
+	if vHost == nil {
+		log.Warnf("constructed http route config for route %s on port %d with no vhosts; Setting up a default 404 vhost", routeName, port)
+		virtualHosts = []*route.VirtualHost{{
+			Name:    util.DomainName("blackhole", port),
+			Domains: []string{"*"},
+			// Empty route list will cause Envoy to 404 NR any requests
+			Routes: []*route.Route{},
+		}}
+	} else {
+		vHost.Routes = istio_route.CombineVHostRoutes(vHost.Routes)
+		virtualHosts = append(virtualHosts, vHost)
+	}
+
+	routeCfg := &route.RouteConfiguration{
+		// Retain the routeName as its used by EnvoyFilter patching logic
+		Name:             routeName,
+		VirtualHosts:     virtualHosts,
+		ValidateClusters: proto.BoolFalse,
+	}
+
+	return routeCfg
+}
+
+// End added by ingress
+
+ func (configgen *ConfigGeneratorImpl) buildGatewayHTTPRouteConfig(node *model.Proxy, push *model.PushContext,
+ 	routeName string) *route.RouteConfiguration {
+ 	if node.MergedGateway == nil {
+@@ -351,6 +621,12 @@
+ 		}
+ 	}
+ 
+	// Added by ingress
+	if strings.HasPrefix(routeName, constants.HigressHostRDSNamePrefix) {
+		return configgen.buildHostRDSConfig(node, push, routeName)
+	}
+	// End added by ingress
+
+ 	merged := node.MergedGateway
+ 	log.Debugf("buildGatewayRoutes: gateways after merging: %v", merged)
+ 
+@@ -670,7 +946,9 @@
+ // TLS mode      | Mesh-wide SDS | Ingress SDS | Resulting Configuration
+ // SIMPLE/MUTUAL |    ENABLED    |   ENABLED   | support SDS at ingress gateway to terminate SSL communication outside the mesh
+ // ISTIO_MUTUAL  |    ENABLED    |   DISABLED  | support SDS at gateway to terminate workload mTLS, with internal workloads
+-// 											   | for egress or with another trusted cluster for ingress)
+//
+//	| for egress or with another trusted cluster for ingress)
+//
+ // ISTIO_MUTUAL  |    DISABLED   |   DISABLED  | use file-mounted secret paths to terminate workload mTLS from gateway
+ //
+ // Note that ISTIO_MUTUAL TLS mode and ingressSds should not be used simultaneously on the same ingress gateway.
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/listener.go istio-new/pilot/pkg/networking/core/v1alpha3/listener.go
+--- istio/pilot/pkg/networking/core/v1alpha3/listener.go	2024-01-05 17:58:07.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/listener.go	2024-01-05 17:31:10.000000000 +0800
+@@ -1279,8 +1279,48 @@
+ 
+ 	notimeout := durationpb.New(0 * time.Second)
+ 	connectionManager.StreamIdleTimeout = notimeout
+-
+-	if httpOpts.rds != "" {
+	// Added by ingress
+	enableSRDS := false
+	if features.EnableScopedRDS &&
+		(listenerOpts.port.Protocol.IsHTTP() || (listenerOpts.port.Protocol == protocol.HTTPS)) {
+		enableSRDS = true
+		portFragment := &hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder{
+			Type: &hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor_{
+				LocalPortValueExtractor: &hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor{},
+			}}
+		hostFragment := &hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder{
+			Type: &hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor_{
+				HostValueExtractor: &hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor{},
+			}}
+		scopedRoutes := &hcm.HttpConnectionManager_ScopedRoutes{
+			ScopedRoutes: &hcm.ScopedRoutes{
+				Name: constants.DefaultScopedRouteName,
+				ScopeKeyBuilder: &hcm.ScopedRoutes_ScopeKeyBuilder{
+					Fragments: []*hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder{portFragment, hostFragment},
+				},
+				RdsConfigSource: &core.ConfigSource{
+					ConfigSourceSpecifier: &core.ConfigSource_Ads{
+						Ads: &core.AggregatedConfigSource{},
+					},
+					InitialFetchTimeout: durationpb.New(0),
+					ResourceApiVersion:  core.ApiVersion_V3,
+				},
+				ConfigSpecifier: &hcm.ScopedRoutes_ScopedRds{
+					ScopedRds: &hcm.ScopedRds{
+						ScopedRdsConfigSource: &core.ConfigSource{
+							ConfigSourceSpecifier: &core.ConfigSource_Ads{
+								Ads: &core.AggregatedConfigSource{},
+							},
+							InitialFetchTimeout: durationpb.New(0),
+							ResourceApiVersion:  core.ApiVersion_V3,
+						},
+					},
+				},
+			},
+		}
+		connectionManager.RouteSpecifier = scopedRoutes
+	} else if httpOpts.rds != "" {
+		// End added by ingress
+ 		rds := &hcm.HttpConnectionManager_Rds{
+ 			Rds: &hcm.Rds{
+ 				ConfigSource: &core.ConfigSource{
+@@ -1304,8 +1344,15 @@
+ 
+ 	filters := make([]*hcm.HttpFilter, len(httpFilters))
+ 	copy(filters, httpFilters)
+-	// Make sure cors filter always in the first.
+-	filters = append([]*hcm.HttpFilter{xdsfilters.Cors}, filters...)
+	// Added by ingress
+	// Now only support onDemandRDS when enable SRDS
+	if features.OnDemandRDS && enableSRDS {
+		filters = append([]*hcm.HttpFilter{xdsfilters.OnDemand, xdsfilters.Cors}, filters...)
+	} else {
+		// End added by ingress
+		// Make sure cors filter always in the first.
+		filters = append([]*hcm.HttpFilter{xdsfilters.Cors}, filters...)
+	}
+ 
+ 	if features.MetadataExchange {
+ 		filters = append(filters, xdsfilters.HTTPMx)
+diff -Naur istio/pilot/pkg/xds/ads.go istio-new/pilot/pkg/xds/ads.go
+--- istio/pilot/pkg/xds/ads.go	2024-01-05 17:58:08.000000000 +0800
+++ istio-new/pilot/pkg/xds/ads.go	2024-01-05 17:31:44.000000000 +0800
+@@ -797,15 +797,18 @@
+ 
+ // PushOrder defines the order that updates will be pushed in. Any types not listed here will be pushed in random
+ // order after the types listed here
+-var PushOrder = []string{v3.ClusterType, v3.EndpointType, v3.ListenerType, v3.RouteType, v3.SecretType}
+var PushOrder = []string{v3.ClusterType, v3.EndpointType, v3.ListenerType, v3.ScopedRouteType, v3.RouteType, v3.SecretType}
+ 
+ // KnownOrderedTypeUrls has typeUrls for which we know the order of push.
+ var KnownOrderedTypeUrls = map[string]struct{}{
+ 	v3.ClusterType:  {},
+ 	v3.EndpointType: {},
+ 	v3.ListenerType: {},
+-	v3.RouteType:    {},
+-	v3.SecretType:   {},
+	// Added by ingress
+	v3.ScopedRouteType: {},
+	// End added by ingress
+	v3.RouteType:  {},
+	v3.SecretType: {},
+ }
+ 
+ // orderWatchedResources orders the resources in accordance with known push order.
+diff -Naur istio/pilot/pkg/xds/discovery.go istio-new/pilot/pkg/xds/discovery.go
+--- istio/pilot/pkg/xds/discovery.go	2024-01-05 17:58:07.000000000 +0800
+++ istio-new/pilot/pkg/xds/discovery.go	2024-01-04 21:20:00.000000000 +0800
+@@ -589,6 +589,9 @@
+ 	s.Generators[v3.ClusterType] = &CdsGenerator{Server: s}
+ 	s.Generators[v3.ListenerType] = &LdsGenerator{Server: s}
+ 	s.Generators[v3.RouteType] = &RdsGenerator{Server: s}
+	// Added by ingress
+	s.Generators[v3.ScopedRouteType] = &SrdsGenerator{Server: s}
+	// End added by ingress
+ 	s.Generators[v3.EndpointType] = edsGen
+ 	s.Generators[v3.NameTableType] = &NdsGenerator{Server: s}
+ 	s.Generators[v3.ExtensionConfigurationType] = &EcdsGenerator{Server: s}
+diff -Naur istio/pilot/pkg/xds/filters/filters.go istio-new/pilot/pkg/xds/filters/filters.go
+--- istio/pilot/pkg/xds/filters/filters.go	2024-01-05 17:58:03.000000000 +0800
+++ istio-new/pilot/pkg/xds/filters/filters.go	2024-01-04 21:20:00.000000000 +0800
+@@ -21,6 +21,7 @@
+ 	fault "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/fault/v3"
+ 	grpcstats "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_stats/v3"
+ 	grpcweb "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_web/v3"
+	ondemand "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/on_demand/v3"
+ 	router "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/router/v3"
+ 	httpwasm "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/wasm/v3"
+ 	httpinspector "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/http_inspector/v3"
+@@ -54,6 +55,14 @@
+ // Define static filters to be reused across the codebase. This avoids duplicate marshaling/unmarshaling
+ // This should not be used for filters that will be mutated
+ var (
+	// Added by ingress
+	OnDemand = &hcm.HttpFilter{
+		Name: "envoy.filters.http.on_demand.v3.OnDemand",
+		ConfigType: &hcm.HttpFilter_TypedConfig{
+			TypedConfig: util.MessageToAny(&ondemand.OnDemand{}),
+		},
+	}
+	// End added by ingress
+ 	Cors = &hcm.HttpFilter{
+ 		Name: wellknown.CORS,
+ 		ConfigType: &hcm.HttpFilter_TypedConfig{
+diff -Naur istio/pilot/pkg/xds/srds.go istio-new/pilot/pkg/xds/srds.go
+--- istio/pilot/pkg/xds/srds.go	1970-01-01 08:00:00.000000000 +0800
+++ istio-new/pilot/pkg/xds/srds.go	2024-01-05 13:45:49.000000000 +0800
+@@ -0,0 +1,79 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package xds
+
+import (
+	discovery "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
+	"istio.io/istio/pilot/pkg/features"
+	"istio.io/istio/pilot/pkg/model"
+	"istio.io/istio/pilot/pkg/networking/util"
+	"istio.io/istio/pkg/config"
+	"istio.io/istio/pkg/config/schema/gvk"
+)
+
+type SrdsGenerator struct {
+	Server *DiscoveryServer
+}
+
+var _ model.XdsResourceGenerator = &SrdsGenerator{}
+
+// Map of all configs that do not impact SRDS
+var skippedSrdsConfigs = map[config.GroupVersionKind]struct{}{
+	gvk.WorkloadEntry:         {},
+	gvk.WorkloadGroup:         {},
+	gvk.RequestAuthentication: {},
+	gvk.PeerAuthentication:    {},
+	gvk.Secret:                {},
+}
+
+func srdsNeedsPush(req *model.PushRequest) bool {
+	if !features.EnableScopedRDS {
+		return false
+	}
+	if req == nil {
+		return true
+	}
+	if !req.Full {
+		// SRDS only handles full push
+		return false
+	}
+	// If none set, we will always push
+	if len(req.ConfigsUpdated) == 0 {
+		return true
+	}
+	for config := range req.ConfigsUpdated {
+		if _, f := skippedSrdsConfigs[config.Kind]; !f {
+			return true
+		}
+	}
+	return false
+}
+
+func (s SrdsGenerator) Generate(proxy *model.Proxy, push *model.PushContext, w *model.WatchedResource,
+	req *model.PushRequest) (model.Resources, model.XdsLogDetails, error) {
+	if !srdsNeedsPush(req) {
+		return nil, model.DefaultXdsLogDetails, nil
+	}
+
+	scopedRoutes := s.Server.ConfigGenerator.BuildScopedRoutes(proxy, push)
+	resources := model.Resources{}
+	for _, sr := range scopedRoutes {
+		resources = append(resources, &discovery.Resource{
+			Name:     sr.Name,
+			Resource: util.MessageToAny(sr),
+		})
+	}
+	return resources, model.DefaultXdsLogDetails, nil
+}
+diff -Naur istio/pilot/pkg/xds/v3/model.go istio-new/pilot/pkg/xds/v3/model.go
+--- istio/pilot/pkg/xds/v3/model.go	2024-01-05 17:58:03.000000000 +0800
+++ istio-new/pilot/pkg/xds/v3/model.go	2024-01-05 16:55:49.000000000 +0800
+@@ -31,6 +31,10 @@
+ 	SecretType                 = resource.SecretType
+ 	ExtensionConfigurationType = resource.ExtensionConfigType
+ 
+	// Added by ingress
+	ScopedRouteType = apiTypePrefix + "envoy.config.route.v3.ScopedRouteConfiguration"
+	// End added by ingress
+
+ 	NameTableType   = apiTypePrefix + "istio.networking.nds.v1.NameTable"
+ 	HealthInfoType  = apiTypePrefix + "istio.v1.HealthInformation"
+ 	ProxyConfigType = apiTypePrefix + "istio.mesh.v1alpha1.ProxyConfig"
+@@ -61,6 +65,10 @@
+ 		return "PCDS"
+ 	case ExtensionConfigurationType:
+ 		return "ECDS"
+	// Added by ingress
+	case ScopedRouteType:
+		return "SRDS"
+	// End added by ingress
+ 	default:
+ 		return typeURL
+ 	}
+@@ -87,6 +95,10 @@
+ 		return "ecds"
+ 	case BootstrapType:
+ 		return "bds"
+	// Added by ingress
+	case ScopedRouteType:
+		return "srds"
+	// End added by ingress
+ 	default:
+ 		return typeURL
+ 	}
+diff -Naur istio/pkg/config/constants/constants.go istio-new/pkg/config/constants/constants.go
+--- istio/pkg/config/constants/constants.go	2024-01-05 17:58:08.000000000 +0800
+++ istio-new/pkg/config/constants/constants.go	2024-01-04 21:20:00.000000000 +0800
+@@ -143,4 +143,9 @@
+ 	// CertProviderNone does not create any certificates for the control plane. It is assumed that some external
+ 	// load balancer, such as an Istio Gateway, is terminating the TLS.
+ 	CertProviderNone = "none"
+
+	// Added by ingress
+	HigressHostRDSNamePrefix = "higress-rds-"
+	DefaultScopedRouteName   = "scoped-route"
+	// End added by ingress
+ )
--- a/istio/1.12/patches/istio/20240115-optimize-rds-cache.patch
+++ b/istio/1.12/patches/istio/20240115-optimize-rds-cache.patch
@@ -0,0 +1,373 @@
+diff -Naur istio/pilot/pkg/model/push_context.go istio-new/pilot/pkg/model/push_context.go
+--- istio/pilot/pkg/model/push_context.go	2024-01-15 20:46:45.000000000 +0800
+++ istio-new/pilot/pkg/model/push_context.go	2024-01-15 19:20:45.000000000 +0800
+@@ -96,6 +96,9 @@
+ 	publicByGateway map[string][]config.Config
+ 	// root vs namespace/name ->delegate vs virtualservice gvk/namespace/name
+ 	delegates map[ConfigKey][]ConfigKey
+	// Added by ingress
+	byHost map[string][]config.Config
+	// End added by ingress
+ }
+ 
+ func newVirtualServiceIndex() virtualServiceIndex {
+@@ -104,6 +107,9 @@
+ 		privateByNamespaceAndGateway: map[string]map[string][]config.Config{},
+ 		exportedToNamespaceByGateway: map[string]map[string][]config.Config{},
+ 		delegates:                    map[ConfigKey][]ConfigKey{},
+		// Added by ingress
+		byHost: map[string][]config.Config{},
+		// End added by ingress
+ 	}
+ }
+ 
+@@ -857,6 +863,13 @@
+ 	return res
+ }
+ 
+// Added by ingress
+func (ps *PushContext) VirtualServicesForHost(proxy *Proxy, host string) []config.Config {
+	return ps.virtualServiceIndex.byHost[host]
+}
+
+// End added by ingress
+
+ // DelegateVirtualServicesConfigKey lists all the delegate virtual services configkeys associated with the provided virtual services
+ func (ps *PushContext) DelegateVirtualServicesConfigKey(vses []config.Config) []ConfigKey {
+ 	var out []ConfigKey
+@@ -1468,6 +1481,11 @@
+ 	for _, virtualService := range vservices {
+ 		ns := virtualService.Namespace
+ 		rule := virtualService.Spec.(*networking.VirtualService)
+		// Added by ingress
+		for _, host := range rule.Hosts {
+			ps.virtualServiceIndex.byHost[host] = append(ps.virtualServiceIndex.byHost[host], virtualService)
+		}
+		// End added by ingress
+ 		gwNames := getGatewayNames(rule)
+ 		if len(rule.ExportTo) == 0 {
+ 			// No exportTo in virtualService. Use the global default
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
+--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-01-15 20:46:45.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-01-15 20:04:05.000000000 +0800
+@@ -28,6 +28,7 @@
+ 	route "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
+ 	hcm "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
+ 	tls "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
+	discovery "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
+ 	"github.com/hashicorp/go-multierror"
+ 
+ 	meshconfig "istio.io/api/mesh/v1alpha1"
+@@ -35,6 +36,7 @@
+ 	"istio.io/istio/pilot/pkg/features"
+ 	"istio.io/istio/pilot/pkg/model"
+ 	istionetworking "istio.io/istio/pilot/pkg/networking"
+	"istio.io/istio/pilot/pkg/networking/core/v1alpha3/envoyfilter"
+ 	"istio.io/istio/pilot/pkg/networking/core/v1alpha3/extension"
+ 	"istio.io/istio/pilot/pkg/networking/core/v1alpha3/mseingress"
+ 	istio_route "istio.io/istio/pilot/pkg/networking/core/v1alpha3/route"
+@@ -423,8 +425,15 @@
+ 	gatewayName    string
+ }
+ 
+-func (configgen *ConfigGeneratorImpl) buildHostRDSConfig(node *model.Proxy, push *model.PushContext,
+-	routeName string) *route.RouteConfiguration {
+func (configgen *ConfigGeneratorImpl) buildHostRDSConfig(
+	node *model.Proxy,
+	req *model.PushRequest,
+	routeName string,
+	vsCache map[int][]virtualServiceContext,
+	efw *model.EnvoyFilterWrapper,
+	efKeys []string,
+) (*discovery.Resource, bool) {
+	push := req.Push
+ 	var (
+ 		hostRDSPort string
+ 		hostRDSHost string
+@@ -432,7 +441,7 @@
+ 	portAndHost := strings.SplitN(strings.TrimPrefix(routeName, constants.HigressHostRDSNamePrefix), ".", 2)
+ 	if len(portAndHost) != 2 {
+ 		log.Errorf("Invalid route %s when using Higress hostRDS", routeName)
+-		return nil
+		return nil, false
+ 	}
+ 	hostRDSPort = portAndHost[0]
+ 	hostRDSHost = portAndHost[1]
+@@ -441,10 +450,24 @@
+ 	rdsPort, err := strconv.Atoi(hostRDSPort)
+ 	if err != nil {
+ 		log.Errorf("Invalid port %s of route %s when using Higress hostRDS", hostRDSPort, routeName)
+-		return nil
+		return nil, false
+	}
+
+	routeCache := &istio_route.Cache{
+		RouteName:    routeName,
+		ProxyVersion: node.Metadata.IstioVersion,
+		ListenerPort: rdsPort,
+		// Use same host vs to cache, although the cache can be cleared when the port is different, this can be accepted
+		VirtualServices: push.VirtualServicesForHost(node, hostRDSHost),
+		EnvoyFilterKeys: efKeys,
+	}
+
+	resource, exist := configgen.Cache.Get(routeCache)
+	if exist {
+		return resource, true
+ 	}
+
+ 	listenerPort := uint32(rdsPort)
+-	globalHTTPFilters := mseingress.ExtractGlobalHTTPFilters(node, push)
+ 
+ 	isH3DiscoveryNeeded := false
+ 
+@@ -457,9 +480,9 @@
+ 			break
+ 		}
+ 	}
+-
+ 	gatewayRoutes := make(map[string]map[string][]*route.Route)
+ 	gatewayVirtualServices := make(map[string][]config.Config)
+	var listenerVirtualServices []virtualServiceContext
+ 	var selectedVirtualServices []virtualServiceContext
+ 	var vHost *route.VirtualHost
+ 	serverIterator := func(mergedServers map[model.ServerPort]*model.MergedServers) {
+@@ -478,31 +501,8 @@
+ 					gatewayVirtualServices[gatewayName] = virtualServices
+ 				}
+ 				for _, virtualService := range virtualServices {
+-					hostMatch := false
+-					var selectHost string
+-					virtualServiceHosts := host.NewNames(virtualService.Spec.(*networking.VirtualService).Hosts)
+-					for _, hostname := range virtualServiceHosts {
+-						// exact match
+-						if hostname == host.Name(hostRDSHost) {
+-							hostMatch = true
+-							selectHost = hostRDSHost
+-							break
+-						}
+-						if features.HostRDSMergeSubset {
+-							// subset match
+-							if host.Name(hostRDSHost).SubsetOf(hostname) {
+-								hostMatch = true
+-								selectHost = string(hostname)
+-							}
+-						}
+-					}
+-					if !hostMatch {
+-						continue
+-					}
+-					copiedVS := virtualService.DeepCopy()
+-					copiedVS.Spec.(*networking.VirtualService).Hosts = []string{selectHost}
+-					selectedVirtualServices = append(selectedVirtualServices, virtualServiceContext{
+-						virtualService: copiedVS,
+					listenerVirtualServices = append(listenerVirtualServices, virtualServiceContext{
+						virtualService: virtualService,
+ 						server:         server,
+ 						gatewayName:    gatewayName,
+ 					})
+@@ -510,15 +510,63 @@
+ 			}
+ 		}
+ 	}
+-	serverIterator(merged.MergedServers)
+-	serverIterator(merged.MergedQUICTransportServers)
+-	// Sort by subset
+-	// before: ["*.abc.com", "*.com", "www.abc.com"]
+-	// after: ["www.abc.com", "*.abc.com", "*.com"]
+-	sort.SliceStable(selectedVirtualServices, func(i, j int) bool {
+-		return host.Name(selectedVirtualServices[i].virtualService.Spec.(*networking.VirtualService).Hosts[0]).SubsetOf(
+-			host.Name(selectedVirtualServices[j].virtualService.Spec.(*networking.VirtualService).Hosts[0]))
+-	})
+	var vsExists bool
+	if listenerVirtualServices, vsExists = vsCache[rdsPort]; !vsExists {
+		serverIterator(merged.MergedServers)
+		serverIterator(merged.MergedQUICTransportServers)
+		vsCache[rdsPort] = listenerVirtualServices
+	}
+	for _, vsCtx := range listenerVirtualServices {
+		virtualService := vsCtx.virtualService
+		hostMatch := false
+		var selectHost string
+		for _, hostname := range virtualService.Spec.(*networking.VirtualService).Hosts {
+			// exact match
+			if hostname == hostRDSHost {
+				hostMatch = true
+				selectHost = hostRDSHost
+				break
+			}
+			if features.HostRDSMergeSubset {
+				// subset match
+				if host.Name(hostRDSHost).SubsetOf(host.Name(hostname)) {
+					hostMatch = true
+					selectHost = hostname
+				}
+			}
+		}
+		if !hostMatch {
+			continue
+		}
+		if len(virtualService.Spec.(*networking.VirtualService).Hosts) > 1 {
+			copiedVS := &networking.VirtualService{}
+			copiedVS = virtualService.Spec.(*networking.VirtualService)
+			copiedVS.Hosts = []string{selectHost}
+			selectedVirtualServices = append(selectedVirtualServices, virtualServiceContext{
+				virtualService: config.Config{
+					Meta:   virtualService.Meta,
+					Spec:   copiedVS,
+					Status: virtualService.Status,
+				},
+				server:      vsCtx.server,
+				gatewayName: vsCtx.gatewayName,
+			})
+		} else {
+			selectedVirtualServices = append(selectedVirtualServices, vsCtx)
+		}
+	}
+	if features.HostRDSMergeSubset {
+		// Sort by subset
+		// before: ["*.abc.com", "*.com", "www.abc.com"]
+		// after: ["www.abc.com", "*.abc.com", "*.com"]
+		sort.SliceStable(selectedVirtualServices, func(i, j int) bool {
+			return host.Name(selectedVirtualServices[i].virtualService.Spec.(*networking.VirtualService).Hosts[0]).SubsetOf(
+				host.Name(selectedVirtualServices[j].virtualService.Spec.(*networking.VirtualService).Hosts[0]))
+		})
+	}
+
+	globalHTTPFilters := mseingress.ExtractGlobalHTTPFilters(node, push)
+
+ 	port := int(listenerPort)
+ 	for _, ctx := range selectedVirtualServices {
+ 		virtualService := ctx.virtualService
+@@ -605,25 +653,42 @@
+ 		ValidateClusters: proto.BoolFalse,
+ 	}
+ 
+-	return routeCfg
+	routeCfg = envoyfilter.ApplyRouteConfigurationPatches(networking.EnvoyFilter_GATEWAY, node, efw, routeCfg)
+	resource = &discovery.Resource{
+		Name:     routeName,
+		Resource: util.MessageToAny(routeCfg),
+	}
+
+	if features.EnableRDSCaching {
+		configgen.Cache.Add(routeCache, req, resource)
+	}
+
+	return resource, false
+ }
+ 
+ // End added by ingress
+ 
+-func (configgen *ConfigGeneratorImpl) buildGatewayHTTPRouteConfig(node *model.Proxy, push *model.PushContext,
+-	routeName string) *route.RouteConfiguration {
+// Modifed by ingress
+func (configgen *ConfigGeneratorImpl) buildGatewayHTTPRouteConfig(
+	node *model.Proxy,
+	req *model.PushRequest,
+	routeName string,
+	vsCache map[int][]virtualServiceContext,
+	efw *model.EnvoyFilterWrapper,
+	efKeys []string,
+) (*discovery.Resource, bool) {
+ 	if node.MergedGateway == nil {
+ 		log.Warnf("buildGatewayRoutes: no gateways for router %v", node.ID)
+-		return &route.RouteConfiguration{
+-			Name:             routeName,
+-			VirtualHosts:     []*route.VirtualHost{},
+-			ValidateClusters: proto.BoolFalse,
+-		}
+		return nil, false
+ 	}
+-
+ 	// Added by ingress
+	push := req.Push
+ 	if strings.HasPrefix(routeName, constants.HigressHostRDSNamePrefix) {
+-		return configgen.buildHostRDSConfig(node, push, routeName)
+		resource, cacheHit := configgen.buildHostRDSConfig(node, req, routeName, vsCache, efw, efKeys)
+		if resource == nil {
+			return nil, false
+		}
+		return resource, cacheHit
+ 	}
+ 	// End added by ingress
+ 
+@@ -636,7 +701,7 @@
+ 
+ 		// This can happen when a gateway has recently been deleted. Envoy will still request route
+ 		// information due to the draining of listeners, so we should not return an error.
+-		return nil
+		return nil, false
+ 	}
+ 
+ 	servers := merged.ServersByRouteName[routeName]
+@@ -768,9 +833,16 @@
+ 		ValidateClusters: proto.BoolFalse,
+ 	}
+ 
+-	return routeCfg
+	routeCfg = envoyfilter.ApplyRouteConfigurationPatches(networking.EnvoyFilter_GATEWAY, node, efw, routeCfg)
+	resource := &discovery.Resource{
+		Name:     routeName,
+		Resource: util.MessageToAny(routeCfg),
+	}
+	return resource, false
+ }
+ 
+// End modified by ingress
+
+ // hashRouteList returns a hash of a list of pointers
+ func hashRouteList(r []*route.Route) uint64 {
+ 	hash := md5.New()
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/httproute.go istio-new/pilot/pkg/networking/core/v1alpha3/httproute.go
+--- istio/pilot/pkg/networking/core/v1alpha3/httproute.go	2024-01-15 20:46:41.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/httproute.go	2024-01-15 10:29:09.000000000 +0800
+@@ -78,17 +78,30 @@
+ 			routeConfigurations = append(routeConfigurations, rc)
+ 		}
+ 	case model.Router:
+		// Modified by ingress
+		vsCache := make(map[int][]virtualServiceContext)
+		envoyfilterKeys := efw.Keys()
+ 		for _, routeName := range routeNames {
+-			rc := configgen.buildGatewayHTTPRouteConfig(node, req.Push, routeName)
+-			if rc != nil {
+-				rc = envoyfilter.ApplyRouteConfigurationPatches(networking.EnvoyFilter_GATEWAY, node, efw, rc)
+-				resource := &discovery.Resource{
+			rc, cached := configgen.buildGatewayHTTPRouteConfig(node, req, routeName, vsCache, efw, envoyfilterKeys)
+			if cached && !features.EnableUnsafeAssertions {
+				hit++
+			} else {
+				miss++
+			}
+			if rc == nil {
+				emptyRoute := &route.RouteConfiguration{
+					Name:             routeName,
+					VirtualHosts:     []*route.VirtualHost{},
+					ValidateClusters: proto.BoolFalse,
+				}
+				rc = &discovery.Resource{
+ 					Name:     routeName,
+-					Resource: util.MessageToAny(rc),
+					Resource: util.MessageToAny(emptyRoute),
+ 				}
+-				routeConfigurations = append(routeConfigurations, resource)
+ 			}
+			routeConfigurations = append(routeConfigurations, rc)
+ 		}
+		// End modified by ingress
+ 	}
+ 	if !features.EnableRDSCaching {
+ 		return routeConfigurations, model.DefaultXdsLogDetails
+diff -Naur istio/pilot/pkg/xds/discovery.go istio-new/pilot/pkg/xds/discovery.go
+--- istio/pilot/pkg/xds/discovery.go	2024-01-15 20:46:45.000000000 +0800
+++ istio-new/pilot/pkg/xds/discovery.go	2024-01-12 19:56:02.000000000 +0800
+@@ -392,6 +392,9 @@
+ // ConfigUpdate implements ConfigUpdater interface, used to request pushes.
+ // It replaces the 'clear cache' from v1.
+ func (s *DiscoveryServer) ConfigUpdate(req *model.PushRequest) {
+	if req.Full {
+		log.Infof("full push happen, reason:%v", req.Reason)
+	}
+ 	inboundConfigUpdates.Increment()
+ 	s.InboundUpdates.Inc()
+ 	s.pushChannel <- req
--- a/istio/1.12/patches/istio/20240201-optimize-default-arg.patch
+++ b/istio/1.12/patches/istio/20240201-optimize-default-arg.patch
@@ -0,0 +1,60 @@
+diff -Naur istio/pilot/cmd/pilot-agent/status/util/stats.go istio-new/pilot/cmd/pilot-agent/status/util/stats.go
+--- istio/pilot/cmd/pilot-agent/status/util/stats.go	2024-02-01 10:20:13.000000000 +0800
+++ istio-new/pilot/cmd/pilot-agent/status/util/stats.go	2024-01-31 22:44:53.000000000 +0800
+@@ -73,7 +73,7 @@
+ 		localHostAddr = "localhost"
+ 	}
+ 
+-	readinessURL := fmt.Sprintf("http://%s:%d/stats?usedonly&filter=%s", localHostAddr, adminPort, readyStatsRegex)
+	readinessURL := fmt.Sprintf("http://%s:%d/stats?usedonly", localHostAddr, adminPort)
+ 	stats, err := http.DoHTTPGetWithTimeout(readinessURL, readinessTimeout)
+ 	if err != nil {
+ 		return nil, false, err
+@@ -105,7 +105,7 @@
+ 		localHostAddr = "localhost"
+ 	}
+ 
+-	stats, err := http.DoHTTPGet(fmt.Sprintf("http://%s:%d/stats?usedonly&filter=%s", localHostAddr, adminPort, updateStatsRegex))
+	stats, err := http.DoHTTPGet(fmt.Sprintf("http://%s:%d/stats?usedonly", localHostAddr, adminPort))
+ 	if err != nil {
+ 		return nil, err
+ 	}
+diff -Naur istio/pilot/pkg/features/pilot.go istio-new/pilot/pkg/features/pilot.go
+--- istio/pilot/pkg/features/pilot.go	2024-02-01 10:20:17.000000000 +0800
+++ istio-new/pilot/pkg/features/pilot.go	2024-02-01 10:16:18.000000000 +0800
+@@ -575,6 +575,8 @@
+ 		"If enabled, each host in virtualservice will have an independent RDS, which is used with SRDS").Get()
+ 	OnDemandRDS = env.RegisterBoolVar("ON_DEMAND_RDS", false,
+ 		"If enabled, the on demand filter will be added to the HCM filters").Get()
+	DefaultUpstreamConcurrencyThreshold = env.RegisterIntVar("DEFAULT_UPSTREAM_CONCURRENCY_THRESHOLD", 1000000,
+		"The default threshold of max_requests/max_pending_requests/max_connections of circuit breaker").Get()
+ 	// End added by ingress
+ )
+ 
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/cluster.go istio-new/pilot/pkg/networking/core/v1alpha3/cluster.go
+--- istio/pilot/pkg/networking/core/v1alpha3/cluster.go	2024-02-01 10:20:17.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/cluster.go	2024-02-01 10:16:05.000000000 +0800
+@@ -61,6 +61,7 @@
+ 
+ // getDefaultCircuitBreakerThresholds returns a copy of the default circuit breaker thresholds for the given traffic direction.
+ func getDefaultCircuitBreakerThresholds() *cluster.CircuitBreakers_Thresholds {
+	// Modified by ingress
+ 	return &cluster.CircuitBreakers_Thresholds{
+ 		// DefaultMaxRetries specifies the default for the Envoy circuit breaker parameter max_retries. This
+ 		// defines the maximum number of parallel retries a given Envoy will allow to the upstream cluster. Envoy defaults
+@@ -68,11 +69,12 @@
+ 		// where multiple endpoints in a cluster are terminated. In these scenarios the circuit breaker can kick
+ 		// in before Pilot is able to deliver an updated endpoint list to Envoy, leading to client-facing 503s.
+ 		MaxRetries:         &wrappers.UInt32Value{Value: math.MaxUint32},
+-		MaxRequests:        &wrappers.UInt32Value{Value: math.MaxUint32},
+-		MaxConnections:     &wrappers.UInt32Value{Value: math.MaxUint32},
+-		MaxPendingRequests: &wrappers.UInt32Value{Value: math.MaxUint32},
+		MaxRequests:        &wrappers.UInt32Value{Value: uint32(features.DefaultUpstreamConcurrencyThreshold)},
+		MaxConnections:     &wrappers.UInt32Value{Value: uint32(features.DefaultUpstreamConcurrencyThreshold)},
+		MaxPendingRequests: &wrappers.UInt32Value{Value: uint32(features.DefaultUpstreamConcurrencyThreshold)},
+ 		TrackRemaining:     true,
+ 	}
+	// End modified by ingress
+ }
+ 
+ // BuildClusters returns the list of clusters for the given proxy. This is the CDS output
--- a/istio/1.12/patches/istio/20240201-virtual-host-allow-server-name.patch
+++ b/istio/1.12/patches/istio/20240201-virtual-host-allow-server-name.patch
@@ -0,0 +1,88 @@
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
+--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-02-01 13:53:17.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-02-01 13:52:11.000000000 +0800
+@@ -501,6 +501,16 @@
+ 					gatewayVirtualServices[gatewayName] = virtualServices
+ 				}
+ 				for _, virtualService := range virtualServices {
+					virtualServiceHosts := host.NewNames(virtualService.Spec.(*networking.VirtualService).Hosts)
+					serverHosts := host.NamesForNamespace(server.Hosts, virtualService.Namespace)
+
+					// We have two cases here:
+					// 1. virtualService hosts are 1.foo.com, 2.foo.com, 3.foo.com and server hosts are ns/*.foo.com
+					// 2. virtualService hosts are *.foo.com, and server hosts are ns/1.foo.com, ns/2.foo.com, ns/3.foo.com
+					intersectingHosts := serverHosts.Intersection(virtualServiceHosts)
+					if len(intersectingHosts) == 0 {
+						continue
+					}
+ 					listenerVirtualServices = append(listenerVirtualServices, virtualServiceContext{
+ 						virtualService: virtualService,
+ 						server:         server,
+@@ -615,22 +625,24 @@
+ 
+ 		// check all hostname if is not exist with HttpsRedirect set to true
+ 		// create VirtualHost to redirect
+-		for _, hostname := range server.Hosts {
+-			if !server.GetTls().GetHttpsRedirect() {
+-				continue
+-			}
+-			if vHost != nil && host.Name(hostname) == host.Name(hostRDSHost) {
+		if server.GetTls().GetHttpsRedirect() {
+			if vHost != nil {
+ 				vHost.RequireTls = route.VirtualHost_ALL
+-				continue
+			} else {
+				vHost = &route.VirtualHost{
+					Name:                       util.DomainName(hostRDSHost, port),
+					Domains:                    buildGatewayVirtualHostDomains(hostRDSHost, port),
+					IncludeRequestAttemptCount: true,
+					RequireTls:                 route.VirtualHost_ALL,
+				}
+ 			}
+-			vHost = &route.VirtualHost{
+-				Name:                       util.DomainName(hostname, port),
+-				Domains:                    buildGatewayVirtualHostDomains(hostname, port),
+-				IncludeRequestAttemptCount: true,
+-				RequireTls:                 route.VirtualHost_ALL,
+		} else if vHost != nil {
+			mode := server.GetTls().GetMode()
+			if mode == networking.ServerTLSSettings_MUTUAL ||
+				mode == networking.ServerTLSSettings_ISTIO_MUTUAL {
+				vHost.AllowServerNames = append(vHost.AllowServerNames, server.Hosts...)
+ 			}
+ 		}
+-
+ 	}
+ 	var virtualHosts []*route.VirtualHost
+ 	if vHost == nil {
+@@ -642,6 +654,30 @@
+ 			Routes: []*route.Route{},
+ 		}}
+ 	} else {
+		sort.SliceStable(vHost.AllowServerNames, func(i, j int) bool {
+			hostI := vHost.AllowServerNames[i]
+			hostJ := vHost.AllowServerNames[j]
+			if host.Name(hostI).SubsetOf(host.Name(hostJ)) {
+				return true
+			}
+			return hostI < hostJ
+		})
+		var uniqueServerNames []string
+		hasAllCatch := false
+		for i, name := range vHost.AllowServerNames {
+			if name == "*" {
+				hasAllCatch = true
+				break
+			}
+			if i == 0 || vHost.AllowServerNames[i-1] != name {
+				uniqueServerNames = append(uniqueServerNames, name)
+			}
+		}
+		if hasAllCatch {
+			vHost.AllowServerNames = nil
+		} else {
+			vHost.AllowServerNames = uniqueServerNames
+		}
+ 		vHost.Routes = istio_route.CombineVHostRoutes(vHost.Routes)
+ 		virtualHosts = append(virtualHosts, vHost)
+ 	}
--- a/istio/1.12/patches/istio/20240202-fix-rds-cache.patch
+++ b/istio/1.12/patches/istio/20240202-fix-rds-cache.patch
@@ -0,0 +1,41 @@
+diff -Naur istio/pilot/pkg/xds/discovery.go istio-new/pilot/pkg/xds/discovery.go
+--- istio/pilot/pkg/xds/discovery.go	2024-02-02 16:26:49.000000000 +0800
+++ istio-new/pilot/pkg/xds/discovery.go	2024-02-02 15:38:53.000000000 +0800
+@@ -18,6 +18,7 @@
+ 	"context"
+ 	"fmt"
+ 	"strconv"
+	"strings"
+ 	"sync"
+ 	"time"
+ 
+@@ -41,6 +42,7 @@
+ 	"istio.io/istio/pilot/pkg/util/sets"
+ 	v3 "istio.io/istio/pilot/pkg/xds/v3"
+ 	"istio.io/istio/pkg/cluster"
+	"istio.io/istio/pkg/config/constants"
+ 	"istio.io/istio/pkg/security"
+ )
+ 
+@@ -332,6 +334,21 @@
+ 	} else {
+ 		// Otherwise, just clear the updated configs
+ 		s.Cache.Clear(req.ConfigsUpdated)
+		//Added by ingress
+		trimKeyMap := make(map[model.ConfigKey]struct{})
+		for configKey := range req.ConfigsUpdated {
+			if strings.HasPrefix(configKey.Name, constants.IstioIngressGatewayName+"-") {
+				trimKeyMap[model.ConfigKey{
+					Kind:      configKey.Kind,
+					Name:      strings.TrimPrefix(configKey.Name, constants.IstioIngressGatewayName+"-"),
+					Namespace: configKey.Namespace,
+				}] = struct{}{}
+			}
+		}
+		if len(trimKeyMap) > 0 {
+			s.Cache.Clear(trimKeyMap)
+		}
+		//End added by ingress
+ 	}
+ }
+ 
--- a/istio/1.12/patches/istio/20240204-increase-healthcheck-timeout.patch
+++ b/istio/1.12/patches/istio/20240204-increase-healthcheck-timeout.patch
@@ -0,0 +1,21 @@
+diff -Naur istio/pilot/cmd/pilot-agent/status/util/stats.go istio-new/pilot/cmd/pilot-agent/status/util/stats.go
+--- istio/pilot/cmd/pilot-agent/status/util/stats.go	2024-02-04 18:48:18.000000000 +0800
+++ istio-new/pilot/cmd/pilot-agent/status/util/stats.go	2024-02-04 09:35:42.000000000 +0800
+@@ -37,7 +37,7 @@
+ 	updateStatsRegex   = "^(cluster_manager\\.cds|listener_manager\\.lds)\\.(update_success|update_rejected)$"
+ )
+ 
+-var readinessTimeout = time.Second * 3 // Default Readiness timeout. It is set the same in helm charts.
+var readinessTimeout = time.Second * 60 // Default Readiness timeout. It is set the same in helm charts.
+ 
+ type stat struct {
+ 	name  string
+@@ -105,7 +105,7 @@
+ 		localHostAddr = "localhost"
+ 	}
+ 
+-	stats, err := http.DoHTTPGet(fmt.Sprintf("http://%s:%d/stats?usedonly", localHostAddr, adminPort))
+	stats, err := http.DoHTTPGetWithTimeout(fmt.Sprintf("http://%s:%d/stats?usedonly", localHostAddr, adminPort), readinessTimeout)
+ 	if err != nil {
+ 		return nil, err
+ 	}
--- a/istio/1.12/patches/istio/20240304-fix-gwapi-rds-cache.patch
+++ b/istio/1.12/patches/istio/20240304-fix-gwapi-rds-cache.patch
@@ -0,0 +1,132 @@
+diff -Naur istio/pilot/pkg/config/kube/gateway/conversion.go istio-new/pilot/pkg/config/kube/gateway/conversion.go
+--- istio/pilot/pkg/config/kube/gateway/conversion.go	2024-03-04 17:35:34.000000000 +0800
+++ istio-new/pilot/pkg/config/kube/gateway/conversion.go	2024-03-04 16:58:26.000000000 +0800
+@@ -450,7 +450,7 @@
+ 		name = fmt.Sprintf("%s/%s/%s.%s", obj.GroupVersionKind.Kind, obj.Name, *sectionName, obj.Namespace)
+ 	}
+ 	return map[string]string{
+-		constants.InternalParentName: name,
+		constants.InternalParentNames: name,
+ 	}
+ }
+ 
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
+--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-03-04 17:35:34.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-03-04 17:23:10.000000000 +0800
+@@ -49,6 +49,7 @@
+ 	"istio.io/istio/pkg/config/gateway"
+ 	"istio.io/istio/pkg/config/host"
+ 	"istio.io/istio/pkg/config/protocol"
+	"istio.io/istio/pkg/config/schema/gvk"
+ 	"istio.io/istio/pkg/config/security"
+ 	"istio.io/istio/pkg/proto"
+ 	"istio.io/istio/pkg/util/istiomultierror"
+@@ -453,12 +454,43 @@
+ 		return nil, false
+ 	}
+ 
+	hostVs := push.VirtualServicesForHost(node, hostRDSHost)
+
+	var httpRoutes []config.Config
+
+	for _, vs := range hostVs {
+		if len(vs.Annotations) == 0 {
+			continue
+		}
+		if parents, ok := vs.Annotations[constants.InternalParentNames]; ok {
+			typeNames := strings.Split(parents, ",")
+			for _, typeName := range typeNames {
+				if !strings.HasPrefix(typeName, "HTTPRoute/") {
+					continue
+				}
+				nsNameStr := strings.TrimPrefix(typeName, "HTTPRoute/")
+				nsName := strings.SplitN(nsNameStr, ".", 2)
+				if len(nsName) != 2 {
+					continue
+				}
+				httpRoutes = append(httpRoutes, config.Config{
+					Meta: config.Meta{
+						GroupVersionKind: gvk.HTTPRoute,
+						Name:             nsName[0],
+						Namespace:        nsName[1],
+					},
+				})
+			}
+		}
+	}
+
+ 	routeCache := &istio_route.Cache{
+ 		RouteName:    routeName,
+ 		ProxyVersion: node.Metadata.IstioVersion,
+ 		ListenerPort: rdsPort,
+ 		// Use same host vs to cache, although the cache can be cleared when the port is different, this can be accepted
+-		VirtualServices: push.VirtualServicesForHost(node, hostRDSHost),
+		VirtualServices: hostVs,
+		HTTPRoutes:      httpRoutes,
+ 		EnvoyFilterKeys: efKeys,
+ 	}
+ 
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/route/route_cache.go istio-new/pilot/pkg/networking/core/v1alpha3/route/route_cache.go
+--- istio/pilot/pkg/networking/core/v1alpha3/route/route_cache.go	2024-03-04 17:35:30.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/route/route_cache.go	2024-03-04 17:24:19.000000000 +0800
+@@ -43,9 +43,12 @@
+ 	// This depends on DNSCapture.
+ 	DNSAutoAllocate bool
+ 
+-	ListenerPort     int
+-	Services         []*model.Service
+-	VirtualServices  []config.Config
+	ListenerPort    int
+	Services        []*model.Service
+	VirtualServices []config.Config
+	// Added by ingress
+	HTTPRoutes []config.Config
+	// End added by ingress
+ 	DestinationRules []*config.Config
+ 	EnvoyFilterKeys  []string
+ }
+@@ -81,6 +84,11 @@
+ 	for _, vs := range r.VirtualServices {
+ 		configs = append(configs, model.ConfigKey{Kind: gvk.VirtualService, Name: vs.Name, Namespace: vs.Namespace})
+ 	}
+	// Added by ingress
+	for _, route := range r.HTTPRoutes {
+		configs = append(configs, model.ConfigKey{Kind: gvk.HTTPRoute, Name: route.Name, Namespace: route.Namespace})
+	}
+	// End added by ingress
+ 	for _, dr := range r.DestinationRules {
+ 		configs = append(configs, model.ConfigKey{Kind: gvk.DestinationRule, Name: dr.Name, Namespace: dr.Namespace})
+ 	}
+@@ -107,6 +115,11 @@
+ 	for _, vs := range r.VirtualServices {
+ 		params = append(params, vs.Name+"/"+vs.Namespace)
+ 	}
+	// Added by ingress
+	for _, route := range r.HTTPRoutes {
+		params = append(params, route.Name+"/"+route.Namespace)
+	}
+	// End added by ingress
+ 	for _, dr := range r.DestinationRules {
+ 		params = append(params, dr.Name+"/"+dr.Namespace)
+ 	}
+diff -Naur istio/pkg/config/constants/constants.go istio-new/pkg/config/constants/constants.go
+--- istio/pkg/config/constants/constants.go	2024-03-04 17:35:34.000000000 +0800
+++ istio-new/pkg/config/constants/constants.go	2024-03-04 16:58:05.000000000 +0800
+@@ -15,8 +15,6 @@
+ package constants
+ 
+ const (
+-	InternalParentNames = "internal.istio.io/parents"
+-
+ 	InternalRouteSemantics = "internal.istio.io/route-semantics"
+ 
+ 	RouteSemanticsGateway = "gateway"
+@@ -129,7 +127,7 @@
+ 	AlwaysPushLabel = "internal.istio.io/always-push"
+ 
+ 	// InternalParentName declares the original resource of an internally-generate config. This is used by the gateway-api.
+-	InternalParentName = "internal.istio.io/parent"
+	InternalParentNames = "internal.istio.io/parents"
+ 
+ 	// TrustworthyJWTPath is the default 3P token to authenticate with third party services
+ 	TrustworthyJWTPath = "./var/run/secrets/tokens/istio-token"
--- a/istio/1.12/patches/istio/20240308-fix-gateway-api-route-name.patch
+++ b/istio/1.12/patches/istio/20240308-fix-gateway-api-route-name.patch
@@ -0,0 +1,56 @@
+diff -Naur istio/pilot/pkg/config/kube/gateway/conversion.go istio-new/pilot/pkg/config/kube/gateway/conversion.go
+--- istio/pilot/pkg/config/kube/gateway/conversion.go	2024-03-08 17:23:49.000000000 +0800
+++ istio-new/pilot/pkg/config/kube/gateway/conversion.go	2024-03-08 17:02:50.000000000 +0800
+@@ -16,6 +16,7 @@
+ 
+ import (
+ 	"fmt"
+	"path"
+ 	"regexp"
+ 	"sort"
+ 	"strconv"
+@@ -28,6 +29,7 @@
+ 	gatewayapiV1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
+ 
+ 	istio "istio.io/api/networking/v1alpha3"
+	"istio.io/istio/pilot/pkg/features"
+ 	"istio.io/istio/pilot/pkg/model"
+ 	"istio.io/istio/pilot/pkg/model/credentials"
+ 	"istio.io/istio/pilot/pkg/model/kstatus"
+@@ -290,6 +292,16 @@
+ 	return ret
+ }
+ 
+// Added by ingress
+func generateRouteName(obj config.Config) string {
+	if obj.Namespace == features.HigressSystemNs {
+		return obj.Name
+	}
+	return path.Join(obj.Namespace, obj.Name)
+}
+
+// End added by ingress
+
+ func buildHTTPVirtualServices(ctx *KubernetesResources, obj config.Config, gateways map[parentKey]map[gatewayapiV1beta1.SectionName]*parentInfo, gatewayRoutes map[string]map[string]*config.Config, domain string) {
+ 	route := obj.Spec.(*gatewayapiV1beta1.HTTPRouteSpec)
+ 
+@@ -307,7 +319,7 @@
+ 	for _, r := range route.Rules {
+ 		// TODO: implement rewrite, timeout, mirror, corspolicy, retries
+ 		vs := &istio.HTTPRoute{
+-			Name: obj.Name,
+			Name: generateRouteName(obj),
+ 		}
+ 		for _, match := range r.Matches {
+ 			uri, err := createURIMatch(match)
+diff -Naur istio/pilot/pkg/features/pilot.go istio-new/pilot/pkg/features/pilot.go
+--- istio/pilot/pkg/features/pilot.go	2024-03-08 17:23:49.000000000 +0800
+++ istio-new/pilot/pkg/features/pilot.go	2024-03-08 17:00:05.000000000 +0800
+@@ -577,6 +577,7 @@
+ 		"If enabled, the on demand filter will be added to the HCM filters").Get()
+ 	DefaultUpstreamConcurrencyThreshold = env.RegisterIntVar("DEFAULT_UPSTREAM_CONCURRENCY_THRESHOLD", 1000000,
+ 		"The default threshold of max_requests/max_pending_requests/max_connections of circuit breaker").Get()
+	HigressSystemNs = env.RegisterStringVar("HIGRESS_SYSTEM_NS", "higress-system", "The system namespace of Higress").Get()
+ 	// End added by ingress
+ )
+ 
--- a/istio/1.12/patches/istio/20240422-fix-copyvs.patch
+++ b/istio/1.12/patches/istio/20240422-fix-copyvs.patch
@@ -0,0 +1,20 @@
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
+--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-04-22 18:08:26.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-04-22 18:07:46.000000000 +0800
+@@ -581,13 +581,13 @@
+ 			continue
+ 		}
+ 		if len(virtualService.Spec.(*networking.VirtualService).Hosts) > 1 {
+-			copiedVS := &networking.VirtualService{}
+-			copiedVS = virtualService.Spec.(*networking.VirtualService)
+			copiedVS := networking.VirtualService{}
+			copiedVS = *(virtualService.Spec.(*networking.VirtualService))
+ 			copiedVS.Hosts = []string{selectHost}
+ 			selectedVirtualServices = append(selectedVirtualServices, virtualServiceContext{
+ 				virtualService: config.Config{
+ 					Meta:   virtualService.Meta,
+-					Spec:   copiedVS,
+					Spec:   &copiedVS,
+ 					Status: virtualService.Status,
+ 				},
+ 				server:      vsCtx.server,
--- a/istio/1.12/patches/istio/20240518-optimize-rds-cache.patch
+++ b/istio/1.12/patches/istio/20240518-optimize-rds-cache.patch
@@ -0,0 +1,83 @@
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
+--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-05-18 19:09:14.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-05-18 18:08:30.000000000 +0800
+@@ -457,8 +457,46 @@
+ 	hostVs := push.VirtualServicesForHost(node, hostRDSHost)
+ 
+ 	var httpRoutes []config.Config
+	var vsDependent []config.Config
+
+	cacheable := true
+ 
+ 	for _, vs := range hostVs {
+		vsSpec := vs.Spec.(*networking.VirtualService)
+		for _, vsHttpRoute := range vsSpec.Http {
+			// check if dynamic port exists, we should not cache RDS
+			for _, vsRoute := range vsHttpRoute.Route {
+				if vsRoute.Destination.Port == nil {
+					cacheable = false
+				}
+				for _, fallbackDestination := range vsRoute.FallbackClusters {
+					if fallbackDestination.Port == nil {
+						cacheable = false
+					}
+				}
+			}
+			if vsHttpRoute.Mirror != nil && vsHttpRoute.Mirror.Port == nil {
+				cacheable = false
+			}
+			if vsHttpRoute.Delegate != nil {
+				vsDependent = append(vsDependent, config.Config{
+					Meta: config.Meta{
+						GroupVersionKind: gvk.VirtualService,
+						Name:             vsHttpRoute.Delegate.Name,
+						Namespace:        vsHttpRoute.Delegate.Namespace,
+					},
+					Spec: networking.VirtualService{},
+				})
+			}
+		}
+		vsDependent = append(vsDependent, config.Config{
+			Meta: config.Meta{
+				GroupVersionKind: gvk.VirtualService,
+				Name:             vs.Name,
+				Namespace:        vs.Namespace,
+			},
+			Spec: vs.Spec,
+		})
+ 		if len(vs.Annotations) == 0 {
+ 			continue
+ 		}
+@@ -489,14 +527,19 @@
+ 		ProxyVersion: node.Metadata.IstioVersion,
+ 		ListenerPort: rdsPort,
+ 		// Use same host vs to cache, although the cache can be cleared when the port is different, this can be accepted
+-		VirtualServices: hostVs,
+		VirtualServices: vsDependent,
+ 		HTTPRoutes:      httpRoutes,
+ 		EnvoyFilterKeys: efKeys,
+ 	}
+ 
+-	resource, exist := configgen.Cache.Get(routeCache)
+-	if exist {
+-		return resource, true
+	var resource *discovery.Resource
+	if cacheable {
+		resource, exist := configgen.Cache.Get(routeCache)
+		if exist {
+			return resource, true
+		}
+	} else {
+		log.Warnf("route cache is disabled for RDS:%s", routeName)
+ 	}
+ 
+ 	listenerPort := uint32(rdsPort)
+@@ -727,7 +770,7 @@
+ 		Resource: util.MessageToAny(routeCfg),
+ 	}
+ 
+-	if features.EnableRDSCaching {
+	if features.EnableRDSCaching && cacheable {
+ 		configgen.Cache.Add(routeCache, req, resource)
+ 	}
+ 
--- a/istio/1.12/patches/istio/20240519-proxy-start-script.patch
+++ b/istio/1.12/patches/istio/20240519-proxy-start-script.patch
@@ -0,0 +1,752 @@
+diff -Naur istio/pilot/docker/Dockerfile.proxyv2 istio-new/pilot/docker/Dockerfile.proxyv2
+--- istio/pilot/docker/Dockerfile.proxyv2	2024-05-19 16:40:42.706769894 +0800
+++ istio-new/pilot/docker/Dockerfile.proxyv2	2024-05-19 16:07:20.630730574 +0800
+@@ -28,6 +28,7 @@
+ 
+ # Copy Envoy bootstrap templates used by pilot-agent
+ COPY envoy_bootstrap.json /var/lib/istio/envoy/envoy_bootstrap_tmpl.json
+COPY envoy_bootstrap_lite.json /var/lib/istio/envoy/envoy_bootstrap_lite_tmpl.json
+ COPY gcp_envoy_bootstrap.json /var/lib/istio/envoy/gcp_envoy_bootstrap_tmpl.json
+ 
+ # Install Envoy.
+@@ -47,5 +48,30 @@
+ # COPY metadata-exchange-filter.wasm /etc/istio/extensions/metadata-exchange-filter.wasm
+ # COPY metadata-exchange-filter.compiled.wasm /etc/istio/extensions/metadata-exchange-filter.compiled.wasm
+ 
+RUN apt-get update && \
+  apt-get install --no-install-recommends -y \
+  logrotate \
+  cron \
+  && apt-get upgrade -y \
+  && apt-get clean
+
+# Latest releases available at https://github.com/aptible/supercronic/releases
+ENV SUPERCRONIC_URL=https://higress.io/release-binary/supercronic-linux-${TARGETARCH:-amd64} \
+    SUPERCRONIC=supercronic-linux-${TARGETARCH:-amd64}
+
+RUN curl -fsSLO "$SUPERCRONIC_URL" \
+ && chmod +x "$SUPERCRONIC" \
+ && mv "$SUPERCRONIC" "/usr/local/bin/${SUPERCRONIC}" \
+ && ln -s "/usr/local/bin/${SUPERCRONIC}" /usr/local/bin/supercronic
+
+
+COPY higress-proxy-start.sh /usr/local/bin/higress-proxy-start.sh
+
+COPY higress-proxy-container-init.sh /usr/local/bin/higress-proxy-container-init.sh
+
+RUN chmod a+x /usr/local/bin/higress-proxy-container-init.sh;/usr/local/bin/higress-proxy-container-init.sh
+
+RUN chmod a+x /usr/local/bin/higress-proxy-start.sh
+
+ # The pilot-agent will bootstrap Envoy.
+-ENTRYPOINT ["/usr/local/bin/pilot-agent"]
+ENTRYPOINT ["/usr/local/bin/higress-proxy-start.sh"]
+diff -Naur istio/tools/istio-docker.mk istio-new/tools/istio-docker.mk
+--- istio/tools/istio-docker.mk	2024-05-19 16:40:42.734769895 +0800
+++ istio-new/tools/istio-docker.mk	2024-05-19 16:02:43.222725126 +0800
+@@ -96,6 +96,9 @@
+ docker.proxyv2: BUILD_ARGS=--build-arg proxy_version=istio-proxy:${PROXY_REPO_SHA} --build-arg istio_version=${VERSION} --build-arg BASE_VERSION=${BASE_VERSION} --build-arg SIDECAR=${SIDECAR} --build-arg HUB=${HUB}
+ docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/envoy_bootstrap.json
+ docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/gcp_envoy_bootstrap.json
+docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/higress-proxy-start.sh
+docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/higress-proxy-container-init.sh
+docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/envoy_bootstrap_lite.json
+ docker.proxyv2: ${ISTIO_ENVOY_LINUX_ARM64_RELEASE_DIR}/${SIDECAR}
+ docker.proxyv2: ${ISTIO_ENVOY_LINUX_AMD64_RELEASE_DIR}/${SIDECAR}
+ docker.proxyv2: $(ISTIO_OUT_LINUX)/pilot-agent
+diff -Naur istio/tools/packaging/common/envoy_bootstrap_lite.json istio-new/tools/packaging/common/envoy_bootstrap_lite.json
+--- istio/tools/packaging/common/envoy_bootstrap_lite.json	1970-01-01 08:00:00.000000000 +0800
+++ istio-new/tools/packaging/common/envoy_bootstrap_lite.json	2024-05-19 16:36:39.274765113 +0800
+@@ -0,0 +1,642 @@
+{
+  "node": {
+    "id": "{{ .nodeID }}",
+    "cluster": "{{ .cluster }}",
+    "locality": {
+      {{- if .region }}
+      "region": "{{ .region }}"
+      {{- end }}
+      {{- if .zone }}
+      {{- if .region }}
+      ,
+      {{- end }}
+      "zone": "{{ .zone }}"
+      {{- end }}
+      {{- if .sub_zone }}
+      {{- if or .region .zone }}
+      ,
+      {{- end }}
+      "sub_zone": "{{ .sub_zone }}"
+      {{- end }}
+    },
+    "metadata": {{ .meta_json_str }}
+  },
+  "layered_runtime": {
+      "layers": [
+          {
+            "name": "global config",
+            "static_layer": {{ .runtime_flags }}
+          },
+          {
+              "name": "admin",
+              "admin_layer": {}
+          }
+      ]
+  },
+  "stats_config": {
+    "use_all_default_tags": false,
+    "stats_tags": [
+      {
+        "tag_name": "response_code_class",
+        "regex": "_rq(_(\\dxx))$"
+      },
+      {
+        "tag_name": "listener_address",
+        "regex": "^listener\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)"
+      },
+      {
+        "tag_name": "http_conn_manager_prefix",
+        "regex": "^http\\.(((outbound_([0-9]{1,3}\\.{0,1}){4}_\\d{0,5})|([^\\.]+))\\.)"
+      },
+      {
+        "tag_name": "cluster_name",
+        "regex": "^cluster\\.((.*?)\\.)(http1\\.|http2\\.|health_check\\.|zone\\.|external\\.|circuit_breakers\\.|[^\\.]+$)"
+      }
+    ],
+    "stats_matcher": {
+      "exclusion_list": {
+        "patterns": [
+          {
+            "prefix": "vhost"
+          },
+          {
+            "safe_regex": {"regex": "^http.*rds.*", "google_re2":{}}
+          }
+        ]
+      }
+    }
+  },
+  "admin": {
+    "access_log_path": "/dev/null",
+    "profile_path": "/var/lib/istio/data/envoy.prof",
+    "address": {
+      "socket_address": {
+        "address": "{{ .localhost }}",
+        "port_value": {{ .config.ProxyAdminPort }}
+      }
+    }
+  },
+  "dynamic_resources": {
+    "lds_config": {
+      "ads": {},
+      "initial_fetch_timeout": "0s",
+      "resource_api_version": "V3"
+    },
+    "cds_config": {
+      "ads": {},
+      "initial_fetch_timeout": "0s",
+      "resource_api_version": "V3"
+    },
+    "ads_config": {
+      "api_type": "{{ .xds_type }}",
+      "set_node_on_first_message_only": true,
+      "transport_api_version": "V3",
+      "grpc_services": [
+        {
+          "envoy_grpc": {
+            "cluster_name": "xds-grpc"
+          }
+        }
+      ]
+    }
+  },
+  "static_resources": {
+    "clusters": [
+      {
+        "name": "prometheus_stats",
+        "type": "STATIC",
+        "connect_timeout": "0.250s",
+        "lb_policy": "ROUND_ROBIN",
+        "load_assignment": {
+          "cluster_name": "prometheus_stats",
+          "endpoints": [{
+            "lb_endpoints": [{
+              "endpoint": {
+                "address":{
+                  "socket_address": {
+                    "protocol": "TCP",
+                    "address": "{{ .localhost }}",
+                    "port_value": {{ .config.ProxyAdminPort }}
+                  }
+                }
+              }
+            }]
+          }]
+        }
+      },
+      {
+        "name": "agent",
+        "type": "STATIC",
+        "connect_timeout": "0.250s",
+        "lb_policy": "ROUND_ROBIN",
+        "load_assignment": {
+          "cluster_name": "agent",
+          "endpoints": [{
+            "lb_endpoints": [{
+              "endpoint": {
+                "address":{
+                  "socket_address": {
+                    "protocol": "TCP",
+                    "address": "{{ .localhost }}",
+                    "port_value": {{ .config.StatusPort }}
+                  }
+                }
+              }
+            }]
+          }]
+        }
+      },
+      {
+        "name": "sds-grpc",
+        "type": "STATIC",
+        "typed_extension_protocol_options": {
+          "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
+           "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
+           "explicit_http_config": {
+            "http2_protocol_options": {}
+           }
+          }
+        },
+        "connect_timeout": "1s",
+        "lb_policy": "ROUND_ROBIN",
+        "load_assignment": {
+          "cluster_name": "sds-grpc",
+          "endpoints": [{
+            "lb_endpoints": [{
+              "endpoint": {
+                "address":{
+                  "pipe": {
+                    "path": "{{ .config.ConfigPath }}/SDS"
+                  }
+                }
+              }
+            }]
+          }]
+        }
+      },
+      {
+        "name": "xds-grpc",
+        "type" : "STATIC",
+        "connect_timeout": "1s",
+        "lb_policy": "ROUND_ROBIN",
+        "load_assignment": {
+          "cluster_name": "xds-grpc",
+          "endpoints": [{
+            "lb_endpoints": [{
+              "endpoint": {
+                "address":{
+                  "pipe": {
+                    "path": "{{ .config.ConfigPath }}/XDS"
+                  }
+                }
+              }
+            }]
+          }]
+        },
+        "circuit_breakers": {
+          "thresholds": [
+            {
+              "priority": "DEFAULT",
+              "max_connections": 100000,
+              "max_pending_requests": 100000,
+              "max_requests": 100000
+            },
+            {
+              "priority": "HIGH",
+              "max_connections": 100000,
+              "max_pending_requests": 100000,
+              "max_requests": 100000
+            }
+          ]
+        },
+        "upstream_connection_options": {
+          "tcp_keepalive": {
+            "keepalive_time": 300
+          }
+        },
+        "max_requests_per_connection": 1,
+        "typed_extension_protocol_options": {
+          "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
+           "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
+           "explicit_http_config": {
+            "http2_protocol_options": {}
+           }
+          }
+        }
+      }
+      {{ if .zipkin }}
+      ,
+      {
+        "name": "zipkin",
+        {{- if .tracing_tls }}
+        "transport_socket": {{ .tracing_tls }},
+        {{- end }}
+        "type": "STRICT_DNS",
+        "respect_dns_ttl": true,
+        "dns_lookup_family": "{{ .dns_lookup_family }}",
+        "dns_refresh_rate": "30s",
+        "connect_timeout": "1s",
+        "lb_policy": "ROUND_ROBIN",
+        "load_assignment": {
+          "cluster_name": "zipkin",
+          "endpoints": [{
+            "lb_endpoints": [{
+              "endpoint": {
+                "address":{
+                  "socket_address": {{ .zipkin }}
+                }
+              }
+            }]
+          }]
+        }
+      }
+      {{ else if .lightstep }}
+      ,
+      {
+        "name": "lightstep",
+        {{- if .tracing_tls }}
+        "transport_socket": {{ .tracing_tls }},
+        {{- end }}
+        "typed_extension_protocol_options": {
+          "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
+           "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
+           "explicit_http_config": {
+            "http2_protocol_options": {}
+           }
+          }
+        },
+        "type": "STRICT_DNS",
+        "respect_dns_ttl": true,
+        "dns_lookup_family": "{{ .dns_lookup_family }}",
+        "connect_timeout": "1s",
+        "lb_policy": "ROUND_ROBIN",
+        "load_assignment": {
+          "cluster_name": "lightstep",
+          "endpoints": [{
+            "lb_endpoints": [{
+              "endpoint": {
+                "address":{
+                  "socket_address": {{ .lightstep }}
+                }
+              }
+            }]
+          }]
+        }
+      }
+      {{ else if .datadog }}
+      ,
+      {
+        "name": "datadog_agent",
+        {{- if .tracing_tls }}
+        "transport_socket": {{ .tracing_tls }},
+        {{- end }}
+        "connect_timeout": "1s",
+        "type": "STRICT_DNS",
+        "respect_dns_ttl": true,
+        "dns_lookup_family": "{{ .dns_lookup_family }}",
+        "lb_policy": "ROUND_ROBIN",
+        "load_assignment": {
+          "cluster_name": "datadog_agent",
+          "endpoints": [{
+            "lb_endpoints": [{
+              "endpoint": {
+                "address":{
+                  "socket_address": {{ .datadog }}
+                }
+              }
+            }]
+          }]
+        }
+      }
+      {{ end }}
+      {{- if .envoy_metrics_service_address }}
+      ,
+      {
+        "name": "envoy_metrics_service",
+        "type": "STRICT_DNS",
+      {{- if .envoy_metrics_service_tls }}
+        "transport_socket": {{ .envoy_metrics_service_tls }},
+      {{- end }}
+      {{- if .envoy_metrics_service_tcp_keepalive }}
+        "upstream_connection_options": {{ .envoy_metrics_service_tcp_keepalive }},
+      {{- end }}
+        "respect_dns_ttl": true,
+        "dns_lookup_family": "{{ .dns_lookup_family }}",
+        "connect_timeout": "1s",
+        "lb_policy": "ROUND_ROBIN",
+        "typed_extension_protocol_options": {
+          "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
+           "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
+           "explicit_http_config": {
+            "http2_protocol_options": {}
+           }
+          }
+        },
+        "load_assignment": {
+          "cluster_name": "envoy_metrics_service",
+          "endpoints": [{
+            "lb_endpoints": [{
+              "endpoint": {
+                "address":{
+                  "socket_address": {{ .envoy_metrics_service_address }}
+                }
+              }
+            }]
+          }]
+        }
+      }
+      {{ end }}
+      {{ if .envoy_accesslog_service_address }}
+      ,
+      {
+        "name": "envoy_accesslog_service",
+        "type": "STRICT_DNS",
+      {{- if .envoy_accesslog_service_tls }}
+        "transport_socket": {{ .envoy_accesslog_service_tls }},
+      {{- end }}
+      {{- if .envoy_accesslog_service_tcp_keepalive }}
+        "upstream_connection_options": {{ .envoy_accesslog_service_tcp_keepalive }},
+      {{ end }}
+        "respect_dns_ttl": true,
+        "dns_lookup_family": "{{ .dns_lookup_family }}",
+        "connect_timeout": "1s",
+        "lb_policy": "ROUND_ROBIN",
+        "typed_extension_protocol_options": {
+          "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
+           "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
+           "explicit_http_config": {
+            "http2_protocol_options": {}
+           }
+          }
+        },
+        "load_assignment": {
+          "cluster_name": "envoy_accesslog_service",
+          "endpoints": [{
+            "lb_endpoints": [{
+              "endpoint": {
+                "address":{
+                  "socket_address": {{ .envoy_accesslog_service_address }}
+                }
+              }
+            }]
+          }]
+        }
+      }
+      {{ end }}
+    ],
+    "listeners":[
+      {
+        "address": {
+          "socket_address": {
+            "protocol": "TCP",
+            "address": "{{ .wildcard }}",
+            "port_value": {{ .envoy_prometheus_port }}
+          }
+        },
+        "filter_chains": [
+          {
+            "filters": [
+              {
+                "name": "envoy.filters.network.http_connection_manager",
+                "typed_config": {
+                  "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
+                  "codec_type": "AUTO",
+                  "stat_prefix": "stats",
+                  "route_config": {
+                    "virtual_hosts": [
+                      {
+                        "name": "backend",
+                        "domains": [
+                          "*"
+                        ],
+                        "routes": [
+                          {
+                            "match": {
+                              "prefix": "/stats/prometheus"
+                            },
+                            "route": {
+                              "cluster": "prometheus_stats"
+                            }
+                          }
+                        ]
+                      }
+                    ]
+                  },
+                  "http_filters": [{
+                    "name": "envoy.filters.http.router",
+                    "typed_config": {
+                      "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
+                    }
+                  }]
+                }
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "address": {
+           "socket_address": {
+             "protocol": "TCP",
+             "address": "{{ .wildcard }}",
+             "port_value": {{ .envoy_status_port }}
+           }
+        },
+        "filter_chains": [
+          {
+            "filters": [
+              {
+                "name": "envoy.filters.network.http_connection_manager",
+                "typed_config": {
+                  "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
+                  "codec_type": "AUTO",
+                  "stat_prefix": "agent",
+                  "route_config": {
+                    "virtual_hosts": [
+                      {
+                        "name": "backend",
+                        "domains": [
+                          "*"
+                        ],
+                        "routes": [
+                          {
+                            "match": {
+                              "prefix": "/healthz/ready"
+                            },
+                            "route": {
+                              "cluster": "agent"
+                            }
+                          }
+                        ]
+                      }
+                    ]
+                  },
+                  "http_filters": [{
+                    "name": "envoy.filters.http.router",
+                    "typed_config": {
+                      "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
+                    }
+                  }]
+                }
+              }
+            ]
+          }
+        ]
+      }
+    ]
+  }
+  {{- if .zipkin }}
+  ,
+  "tracing": {
+    "http": {
+      "name": "envoy.tracers.zipkin",
+      "typed_config": {
+        "@type": "type.googleapis.com/envoy.config.trace.v3.ZipkinConfig",
+        "collector_cluster": "zipkin",
+        "collector_endpoint": "/api/v2/spans",
+        "collector_endpoint_version": "HTTP_JSON",
+        "trace_id_128bit": true,
+        "shared_span_context": false
+      }
+    }
+  }
+  {{- else if .lightstep }}
+  ,
+  "tracing": {
+    "http": {
+      "name": "envoy.tracers.lightstep",
+      "typed_config": {
+        "@type": "type.googleapis.com/envoy.config.trace.v3.LightstepConfig",
+        "collector_cluster": "lightstep",
+        "access_token_file": "{{ .lightstepToken}}"
+      }
+    }
+  }
+  {{- else if .datadog }}
+  ,
+  "tracing": {
+    "http": {
+      "name": "envoy.tracers.datadog",
+      "typed_config": {
+        "@type": "type.googleapis.com/envoy.config.trace.v3.DatadogConfig",
+        "collector_cluster": "datadog_agent",
+        "service_name": "{{ .cluster }}"
+      }
+    }
+  }
+  {{- else if .openCensusAgent }}
+  ,
+  "tracing": {
+    "http": {
+      "name": "envoy.tracers.opencensus",
+      "typed_config": {
+        "@type": "type.googleapis.com/envoy.config.trace.v3.OpenCensusConfig",
+        "ocagent_exporter_enabled": true,
+        "ocagent_address": "{{ .openCensusAgent }}",
+        "incoming_trace_context": {{ .openCensusAgentContexts }},
+        "outgoing_trace_context": {{ .openCensusAgentContexts }},
+        "trace_config": {
+          "constant_sampler": {
+            "decision": "ALWAYS_PARENT"
+          },
+          "max_number_of_annotations": 200,
+          "max_number_of_attributes": 200,
+          "max_number_of_message_events": 200,
+          "max_number_of_links": 200
+        }
+      }
+    }
+  }
+  {{- else if .stackdriver }}
+  ,
+  "tracing": {
+    "http": {
+      "name": "envoy.tracers.opencensus",
+      "typed_config": {
+      "@type": "type.googleapis.com/envoy.config.trace.v3.OpenCensusConfig",
+      "stackdriver_exporter_enabled": true,
+      "stackdriver_project_id": "{{ .stackdriverProjectID }}",
+      {{ if .sts_port }}
+      "stackdriver_grpc_service": {
+        "google_grpc": {
+          "target_uri": "cloudtrace.googleapis.com",
+          "stat_prefix": "oc_stackdriver_tracer",
+          "channel_credentials": {
+            "ssl_credentials": {}
+          },
+          "call_credentials": [{
+            "sts_service": {
+              "token_exchange_service_uri": "http://localhost:{{ .sts_port }}/token",
+              "subject_token_path": "/var/run/secrets/tokens/istio-token",
+              "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
+              "scope": "https://www.googleapis.com/auth/cloud-platform"
+            }
+          }]
+        },
+        "initial_metadata": [
+        {{ if .gcp_project_id }}
+          {
+            "key": "x-goog-user-project",
+            "value": "{{ .gcp_project_id }}"
+          }
+        {{ end }}
+        ]
+      },
+      {{ end }}
+      "stdout_exporter_enabled": {{ .stackdriverDebug }},
+      "incoming_trace_context": ["CLOUD_TRACE_CONTEXT", "TRACE_CONTEXT", "GRPC_TRACE_BIN", "B3"],
+      "outgoing_trace_context": ["CLOUD_TRACE_CONTEXT", "TRACE_CONTEXT", "GRPC_TRACE_BIN", "B3"],
+      "trace_config":{
+        "constant_sampler":{
+          "decision": "ALWAYS_PARENT"
+        },
+        "max_number_of_annotations": {{ .stackdriverMaxAnnotations }},
+        "max_number_of_attributes": {{ .stackdriverMaxAttributes }},
+        "max_number_of_message_events": {{ .stackdriverMaxEvents }},
+        "max_number_of_links": 200
+       }
+     }
+  }}
+  {{ end }}
+  {{ if or .envoy_metrics_service_address .statsd }}
+  ,
+  "stats_sinks": [
+    {{ if .envoy_metrics_service_address }}
+    {
+      "name": "envoy.stat_sinks.metrics_service",
+      "typed_config": {
+        "@type": "type.googleapis.com/envoy.config.metrics.v3.MetricsServiceConfig",
+        "transport_api_version": "V3",
+        "grpc_service": {
+          "envoy_grpc": {
+            "cluster_name": "envoy_metrics_service"
+          }
+        }
+      }
+    }
+    {{ end }}
+    {{ if and .envoy_metrics_service_address .statsd }}
+    ,
+    {{ end }}
+    {{ if .statsd }}
+    {
+      "name": "envoy.stat_sinks.statsd",
+      "typed_config": {
+        "@type": "type.googleapis.com/envoy.config.metrics.v3.StatsdSink",
+        "address": {
+          "socket_address": {{ .statsd }}
+        }
+      }
+    }
+    {{ end }}
+  ]
+  {{ end }}
+  {{ if .outlier_log_path }}
+  ,
+  "cluster_manager": {
+    "outlier_detection": {
+      "event_log_path": "{{ .outlier_log_path }}"
+    }
+  }
+  {{ end }}
+}
+diff -Naur istio/tools/packaging/common/higress-proxy-container-init.sh istio-new/tools/packaging/common/higress-proxy-container-init.sh
+--- istio/tools/packaging/common/higress-proxy-container-init.sh	1970-01-01 08:00:00.000000000 +0800
+++ istio-new/tools/packaging/common/higress-proxy-container-init.sh	2024-05-19 16:30:06.202757394 +0800
+@@ -0,0 +1,32 @@
+#!/bin/bash
+
+mkdir -p /var/log/proxy
+
+mkdir -p /var/lib/istio
+
+chown -R 1337.1337 /var/log/proxy
+
+chown -R 1337.1337 /var/lib/logrotate
+
+chown -R 1337.1337 /var/lib/istio
+
+cat <<EOF > /etc/logrotate.d/higress-logrotate
+/var/log/proxy/access.log
+{
+su 1337 1337
+rotate 5
+create 644 1337 1337
+nocompress
+notifempty
+minsize 100M
+postrotate
+    ps aux|grep "envoy -c"|grep -v "grep"|awk  '{print $2}'|xargs -i kill -SIGUSR1 {}
+endscript
+}
+EOF
+
+chmod -R 0644 /etc/logrotate.d/higress-logrotate
+
+cat <<EOF > /var/lib/istio/cron.txt
+* * * * * /usr/sbin/logrotate /etc/logrotate.d/higress-logrotate
+EOF
+diff -Naur istio/tools/packaging/common/higress-proxy-start.sh istio-new/tools/packaging/common/higress-proxy-start.sh
+--- istio/tools/packaging/common/higress-proxy-start.sh	1970-01-01 08:00:00.000000000 +0800
+++ istio-new/tools/packaging/common/higress-proxy-start.sh	2024-05-19 16:33:18.802761176 +0800
+@@ -0,0 +1,10 @@
+#!/bin/bash
+
+if [ -n "$LITE_METRICS" ]; then
+    cp /var/lib/istio/envoy/envoy_bootstrap_lite_tmpl.json /var/lib/istio/envoy/envoy_bootstrap_tmpl.json
+fi
+
+nohup supercronic /var/lib/istio/cron.txt &> /dev/null &
+
+/usr/local/bin/pilot-agent $*
+
--- a/istio/1.12/patches/istio/20240521-optimize-bootstrap.patch
+++ b/istio/1.12/patches/istio/20240521-optimize-bootstrap.patch
@@ -0,0 +1,83 @@
+diff -Naur istio/tools/packaging/common/envoy_bootstrap.json istio-new/tools/packaging/common/envoy_bootstrap.json
+--- istio/tools/packaging/common/envoy_bootstrap.json	2024-05-21 23:46:21.000000000 +0800
+++ istio-new/tools/packaging/common/envoy_bootstrap.json	2024-05-21 23:47:54.000000000 +0800
+@@ -37,55 +37,15 @@
+     "use_all_default_tags": false,
+     "stats_tags": [
+       {
+-        "tag_name": "phase",
+-        "regex": "(_phase=([a-z_]+))"
+-      },
+-      {
+-        "tag_name": "ruleid",
+-        "regex": "(_ruleid=([0-9]+))"
+-      },
+-      {
+-        "tag_name": "route",
+-        "regex": "^vhost\\..*?\\.route\\.([^\\.]+\\.)upstream"
+-      },
+-      {
+-        "tag_name": "ecds_name",
+-        "regex": "extension_config_discovery\\.(.*?\\.)[^\\.]+$"
+-      },
+-      {
+-        "tag_name": "rds_name",
+-        "regex": "rds\\.(.*?\\.)[^\\.]+$"
+-      },
+-      {
+-        "tag_name": "sds_name",
+-        "regex": "sds\\.(.*?\\.)[^\\.]+$"
+-      },
+-      {
+-        "tag_name": "vhost",
+-        "regex": "^vhost\\.((.*?)\\.)(vcluster|route)"
+-      },
+-      {
+-        "tag_name": "vcluster",
+-        "regex": "vcluster\\.((.*?)\\.)upstream"
+-      },
+-      {
+-        "tag_name": "dest_zone",
+-        "regex": "zone\\.[^\\.]+\\.([^\\.]+\\.)"
+-      },
+-      {
+-        "tag_name": "from_zone",
+-        "regex": "zone\\.([^\\.]+\\.)"
+-      },
+-      {
+         "tag_name": "cluster_name",
+-        "regex": "^cluster\\.((.*?)\\.)(http1\\.|http2\\.|health_check\\.|zone\\.|external\\.|circuit_breakers\\.|[^\\.]+$)"
+        "regex": "^cluster\\.((.+?(\\..+?\\.svc\\.cluster\\.local)?)\\.)"
+       },
+       {
+         "tag_name": "tcp_prefix",
+         "regex": "^tcp\\.((.*?)\\.)\\w+?$"
+       },
+       {
+-        "regex": "(response_code=\\.=(.+?);\\.;)|_rq(_(\\.d{3}))$",
+        "regex": "_rq(_(\\d{3}))$",
+         "tag_name": "response_code"
+       },
+       {
+@@ -98,7 +58,7 @@
+       },
+       {
+         "tag_name": "http_conn_manager_prefix",
+-        "regex": "^http\\.(((outbound_([0-9]{1,3}\\.{0,1}){4}_\\d{0,5})|([^\\.]+))\\.)"
+        "regex": "^http\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)"
+       },
+       {
+         "tag_name": "listener_address",
+@@ -108,12 +68,6 @@
+         "tag_name": "mongo_prefix",
+         "regex": "^mongo\\.(.+?)\\.(collection|cmd|cx_|op_|delays_|decoding_)(.*?)$"
+       },
+-      {{- range $a, $tag := .extraStatTags }}
+-      {
+-        "regex": "({{ $tag }}=\\.=(.*?);\\.;)",
+-        "tag_name": "{{ $tag }}"
+-      },
+-      {{- end }}
+       {
+         "regex": "(cache\\.(.+?)\\.)",
+         "tag_name": "cache"
--- a/istio/1.12/patches/istio/20240527-fix-vs-merge.patch
+++ b/istio/1.12/patches/istio/20240527-fix-vs-merge.patch
@@ -0,0 +1,69 @@
+diff -Naur istio/pilot/pkg/model/push_context.go istio-new/pilot/pkg/model/push_context.go
+--- istio/pilot/pkg/model/push_context.go	2024-05-27 23:03:09.000000000 +0800
+++ istio-new/pilot/pkg/model/push_context.go	2024-05-27 21:33:45.000000000 +0800
+@@ -1482,8 +1482,14 @@
+ 		ns := virtualService.Namespace
+ 		rule := virtualService.Spec.(*networking.VirtualService)
+ 		// Added by ingress
+-		for _, host := range rule.Hosts {
+-			ps.virtualServiceIndex.byHost[host] = append(ps.virtualServiceIndex.byHost[host], virtualService)
+		if len(rule.Gateways) > 0 {
+			if len(rule.Hosts) == 0 {
+				ps.virtualServiceIndex.byHost[constants.GlobalWildcardHost] = append(ps.virtualServiceIndex.byHost[constants.GlobalWildcardHost], virtualService)
+			} else {
+				for _, host := range rule.Hosts {
+					ps.virtualServiceIndex.byHost[host] = append(ps.virtualServiceIndex.byHost[host], virtualService)
+				}
+			}
+ 		}
+ 		// End added by ingress
+ 		gwNames := getGatewayNames(rule)
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
+--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-05-27 23:03:09.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-05-27 22:58:33.000000000 +0800
+@@ -376,8 +376,15 @@
+ 					gatewayVirtualServices[gatewayName] = virtualServices
+ 				}
+ 				for _, virtualService := range virtualServices {
+-					for _, host := range virtualService.Spec.(*networking.VirtualService).Hosts {
+-						hostSet.Insert(host)
+					rule := virtualService.Spec.(*networking.VirtualService)
+					if len(rule.Gateways) > 0 {
+						if len(rule.Hosts) == 0 {
+							hostSet.Insert(constants.GlobalWildcardHost)
+							break
+						}
+						for _, host := range rule.Hosts {
+							hostSet.Insert(host)
+						}
+ 					}
+ 				}
+ 			}
+@@ -689,7 +696,7 @@
+ 			vHost = &route.VirtualHost{
+ 				Name:                       util.DomainName(hostRDSHost, port),
+ 				Domains:                    buildGatewayVirtualHostDomains(hostRDSHost, port),
+-				Routes:                     routes,
+				Routes:                     append(routes[:0:0], routes...),
+ 				IncludeRequestAttemptCount: true,
+ 				TypedPerFilterConfig:       mseingress.ConstructTypedPerFilterConfigForVHost(globalHTTPFilters, virtualService),
+ 			}
+@@ -884,7 +891,7 @@
+ 					newVHost := &route.VirtualHost{
+ 						Name:                       util.DomainName(string(hostname), port),
+ 						Domains:                    buildGatewayVirtualHostDomains(string(hostname), port),
+-						Routes:                     routes,
+						Routes:                     append(routes[:0:0], routes...),
+ 						IncludeRequestAttemptCount: true,
+ 						TypedPerFilterConfig:       mseingress.ConstructTypedPerFilterConfigForVHost(globalHTTPFilters, virtualService),
+ 					}
+diff -Naur istio/pkg/config/constants/constants.go istio-new/pkg/config/constants/constants.go
+--- istio/pkg/config/constants/constants.go	2024-05-27 23:03:09.000000000 +0800
+++ istio-new/pkg/config/constants/constants.go	2024-05-27 21:31:58.000000000 +0800
+@@ -145,5 +145,6 @@
+ 	// Added by ingress
+ 	HigressHostRDSNamePrefix = "higress-rds-"
+ 	DefaultScopedRouteName   = "scoped-route"
+	GlobalWildcardHost       = "*"
+ 	// End added by ingress
+ )
--- a/istio/1.12/patches/istio/20240529-optimize-mcp-cds.patch
+++ b/istio/1.12/patches/istio/20240529-optimize-mcp-cds.patch
@@ -0,0 +1,17 @@
+diff -Naur istio/pilot/pkg/model/push_context.go istio-new/pilot/pkg/model/push_context.go
+--- istio/pilot/pkg/model/push_context.go	2024-05-29 19:29:45.000000000 +0800
+++ istio-new/pilot/pkg/model/push_context.go	2024-05-29 19:11:03.000000000 +0800
+@@ -769,6 +769,13 @@
+ 	for _, s := range svcs {
+ 		svcHost := string(s.Hostname)
+ 
+		// Added by ingress
+		if s.Attributes.Namespace == "mcp" {
+			gwSvcs = append(gwSvcs, s)
+			continue
+		}
+		// End added by ingress
+
+ 		if _, ok := hostsFromGateways[svcHost]; ok {
+ 			gwSvcs = append(gwSvcs, s)
+ 		}
--- a/istio/1.12/patches/istio/20240607-fix-stats.patch
+++ b/istio/1.12/patches/istio/20240607-fix-stats.patch
@@ -0,0 +1,21 @@
+diff -Naur istio/tools/packaging/common/envoy_bootstrap.json istio-new/tools/packaging/common/envoy_bootstrap.json
+--- istio/tools/packaging/common/envoy_bootstrap.json	2024-06-07 16:50:21.000000000 +0800
+++ istio-new/tools/packaging/common/envoy_bootstrap.json	2024-06-07 16:47:42.000000000 +0800
+@@ -38,7 +38,7 @@
+     "stats_tags": [
+       {
+         "tag_name": "cluster_name",
+-        "regex": "^cluster\\.((.+?(\\..+?\\.svc\\.cluster\\.local)?)\\.)"
+        "regex": "^cluster\\.((.*?)\\.)(http1\\.|http2\\.|health_check\\.|zone\\.|external\\.|circuit_breakers\\.|[^\\.]+$)"
+       },
+       {
+         "tag_name": "tcp_prefix",
+@@ -58,7 +58,7 @@
+       },
+       {
+         "tag_name": "http_conn_manager_prefix",
+-        "regex": "^http\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)"
+        "regex": "^http\\.(((outbound_([0-9]{1,3}\\.{0,1}){4}_\\d{0,5})|([^\\.]+))\\.)"
+       },
+       {
+         "tag_name": "listener_address",
--- a/istio/1.12/patches/istio/20240619-ai-stats.patch
+++ b/istio/1.12/patches/istio/20240619-ai-stats.patch
@@ -0,0 +1,53 @@
+diff -Naur istio/tools/packaging/common/envoy_bootstrap.json istio-new/tools/packaging/common/envoy_bootstrap.json
+--- istio/tools/packaging/common/envoy_bootstrap.json	2024-06-19 13:39:49.179159469 +0800
+++ istio-new/tools/packaging/common/envoy_bootstrap.json	2024-06-19 13:39:28.299159059 +0800
+@@ -37,6 +37,18 @@
+     "use_all_default_tags": false,
+     "stats_tags": [
+       {
+          "tag_name": "ai_route",
+          "regex": "^wasmcustom\\.route\\.((.*?)\\.)upstream"
+      },
+      {
+          "tag_name": "ai_cluster",
+          "regex": "^wasmcustom\\..*?\\.upstream\\.((.*?)\\.)model"
+      },
+      {
+          "tag_name": "ai_model",
+          "regex": "^wasmcustom\\..*?\\.model\\.((.*?)\\.)(input_token|output_token)"
+      },
+      {
+         "tag_name": "cluster_name",
+         "regex": "^cluster\\.((.*?)\\.)(http1\\.|http2\\.|health_check\\.|zone\\.|external\\.|circuit_breakers\\.|[^\\.]+$)"
+       },
+diff -Naur istio/tools/packaging/common/envoy_bootstrap_lite.json istio-new/tools/packaging/common/envoy_bootstrap_lite.json
+--- istio/tools/packaging/common/envoy_bootstrap_lite.json	2024-06-19 13:39:49.175159469 +0800
+++ istio-new/tools/packaging/common/envoy_bootstrap_lite.json	2024-06-19 13:38:52.283158352 +0800
+@@ -37,6 +37,18 @@
+     "use_all_default_tags": false,
+     "stats_tags": [
+       {
+          "tag_name": "ai_route",
+          "regex": "^wasmcustom\\.route\\.((.*?)\\.)upstream"
+      },
+      {
+          "tag_name": "ai_cluster",
+          "regex": "^wasmcustom\\..*?\\.upstream\\.((.*?)\\.)model"
+      },
+      {
+          "tag_name": "ai_model",
+          "regex": "^wasmcustom\\..*?\\.model\\.((.*?)\\.)(input_token|output_token)"
+      },
+      {
+         "tag_name": "response_code_class",
+         "regex": "_rq(_(\\dxx))$"
+       },
+@@ -60,7 +72,7 @@
+             "prefix": "vhost"
+           },
+           {
+-            "safe_regex": {"regex": "^http.*rds.*", "google_re2":{}}
+            "safe_regex": {"regex": "^http.*\\.rds\\..*", "google_re2":{}}
+           }
+         ]
+       }
--- a/Show More
+++ b/Show More