add timeout&local-rate-limt annotations

rel: Release version 1.3.1 (#640 )
optimize xds push (#638 )
2026-02-25 13:10:50 +08:00 · 2023-11-16 17:33:03 +08:00 · 2023-11-16 11:31:37 +08:00 · 2023-11-16 09:32:58 +08:00 · 2023-11-16 09:31:25 +08:00 · 2023-11-15 20:43:49 +08:00
44 changed files with 2294 additions and 151 deletions
--- a/Makefile.core.mk
+++ b/Makefile.core.mk
@@ -176,8 +176,8 @@ install: pre-install
 	cd helm/higress; helm dependency build
 	helm install higress helm/higress -n higress-system --create-namespace --set 'global.local=true'

-ENVOY_LATEST_IMAGE_TAG ?= sha-6835486
-ISTIO_LATEST_IMAGE_TAG ?= sha-6835486
+ENVOY_LATEST_IMAGE_TAG ?= sha-34054f8
+ISTIO_LATEST_IMAGE_TAG ?= sha-34054f8

 install-dev: pre-install
 	helm install higress helm/core -n higress-system --create-namespace --set 'controller.tag=$(TAG)' --set 'gateway.replicas=1' --set 'pilot.tag=$(ISTIO_LATEST_IMAGE_TAG)' --set 'gateway.tag=$(ENVOY_LATEST_IMAGE_TAG)' --set 'global.local=true'
--- a/2
+++ b/2
@@ -1 +1 @@
-v1.3.0
+v1.3.1
--- a/helm/core/Chart.yaml
+++ b/helm/core/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.3.0
+appVersion: 1.3.1
 description: Helm chart for deploying higress gateways
 icon: https://higress.io/img/higress_logo_small.png
 home: http://higress.io/
@@ -10,4 +10,4 @@ name: higress-core
 sources:
 - http://github.com/alibaba/higress
 type: application
-version: 1.3.0
+version: 1.3.1
--- a/helm/core/templates/controller-deployment.yaml
+++ b/helm/core/templates/controller-deployment.yaml
@@ -75,7 +75,7 @@ spec:
            timeoutSeconds: 5
          env:
          - name: PILOT_FILTER_GATEWAY_CLUSTER_CONFIG
-            value: "true"
+            value: "{{ .Values.global.onlyPushRouteCluster }}"
          - name: HIGRESS_CONTROLLER_SVC
            value: "127.0.0.1"
          - name: HIGRESS_CONTROLLER_PORT
--- a/helm/core/templates/deployment.yaml
+++ b/helm/core/templates/deployment.yaml
@@ -134,6 +134,8 @@ spec:
            valueFrom:
              fieldRef:
                fieldPath: spec.serviceAccountName
+          - name: PILOT_XDS_SEND_TIMEOUT
+            value: 60s
          - name: PROXY_XDS_VIA_AGENT
            value: "true"
          - name: ENABLE_INGRESS_GATEWAY_SDS
--- a/helm/core/values.yaml
+++ b/helm/core/values.yaml
@@ -1,5 +1,6 @@
 revision: ""
 global:
+  onlyPushRouteCluster: true
  # IngressClass filters which ingress resources the higress controller watches.
  # The default ingress class is higress.
  # There are some special cases for special ingress class.
--- a/helm/higress/Chart.lock
+++ b/helm/higress/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: higress-core
  repository: file://../core
-  version: 1.3.0
+  version: 1.3.1
 - name: higress-console
  repository: https://higress.io/helm-charts/
-  version: 1.3.0
-digest: sha256:3efc59ad8cd92ab4c3c87abeed8e2fc0288bb3ecc2805888ba6eaaf265ba6a10
-generated: "2023-11-02T11:45:56.011629+08:00"
+  version: 1.3.1
+digest: sha256:980abd3f62b107970555051be7e57dd8d8b69821fe163daa9f3c84521881a05b
+generated: "2023-11-16T11:09:23.463473+08:00"
--- a/helm/higress/Chart.yaml
+++ b/helm/higress/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.3.0
+appVersion: 1.3.1
 description: Helm chart for deploying Higress gateways
 icon: https://higress.io/img/higress_logo_small.png
 home: http://higress.io/
@@ -12,9 +12,9 @@ sources:
 dependencies:
 - name: higress-core
  repository: "file://../core"
-  version: 1.3.0
+  version: 1.3.1
 - name: higress-console
  repository: "https://higress.io/helm-charts/"
-  version: 1.3.0
+  version: 1.3.1
 type: application
-version: 1.3.0
+version: 1.3.1
--- a/istio/1.12/patches/istio/20231115-optimize-xds-push.patch
+++ b/istio/1.12/patches/istio/20231115-optimize-xds-push.patch
@@ -0,0 +1,62 @@
+diff -Naur istio/pilot/pkg/xds/ads.go istio-new/pilot/pkg/xds/ads.go
+--- istio/pilot/pkg/xds/ads.go	2023-11-15 20:25:18.000000000 +0800
+++ istio-new/pilot/pkg/xds/ads.go	2023-11-15 20:24:20.000000000 +0800
+@@ -318,6 +318,27 @@
+ 	<-con.initialized
+ 
+ 	for {
+		// Go select{} statements are not ordered; the same channel can be chosen many times.
+		// For requests, these are higher priority (client may be blocked on startup until these are done)
+		// and often very cheap to handle (simple ACK), so we check it first.
+		select {
+		case req, ok := <-con.reqChan:
+			if ok {
+				if err := s.processRequest(req, con); err != nil {
+					return err
+				}
+			} else {
+				// Remote side closed connection or error processing the request.
+				return <-con.errorChan
+			}
+		case <-con.stop:
+			return nil
+		default:
+		}
+		// If there wasn't already a request, poll for requests and pushes. Note: if we have a huge
+		// amount of incoming requests, we may still send some pushes, as we do not `continue` above;
+		// however, requests will be handled ~2x as much as pushes. This ensures a wave of requests
+		// cannot completely starve pushes. However, this scenario is unlikely.
+ 		select {
+ 		case req, ok := <-con.reqChan:
+ 			if ok {
+diff -Naur istio/pilot/pkg/xds/delta.go istio-new/pilot/pkg/xds/delta.go
+--- istio/pilot/pkg/xds/delta.go	2023-11-15 20:25:18.000000000 +0800
+++ istio-new/pilot/pkg/xds/delta.go	2023-11-15 20:24:44.000000000 +0800
+@@ -102,6 +102,27 @@
+ 	<-con.initialized
+ 
+ 	for {
+		// Go select{} statements are not ordered; the same channel can be chosen many times.
+		// For requests, these are higher priority (client may be blocked on startup until these are done)
+		// and often very cheap to handle (simple ACK), so we check it first.
+		select {
+		case req, ok := <-con.deltaReqChan:
+			if ok {
+				if err := s.processDeltaRequest(req, con); err != nil {
+					return err
+				}
+			} else {
+				// Remote side closed connection or error processing the request.
+				return <-con.errorChan
+			}
+		case <-con.stop:
+			return nil
+		default:
+		}
+		// If there wasn't already a request, poll for requests and pushes. Note: if we have a huge
+		// amount of incoming requests, we may still send some pushes, as we do not `continue` above;
+		// however, requests will be handled ~2x as much as pushes. This ensures a wave of requests
+		// cannot completely starve pushes. However, this scenario is unlikely.
+ 		select {
+ 		case req, ok := <-con.deltaReqChan:
+ 			if ok {
--- a/pkg/cmd/hgctl/helm/render.go
+++ b/pkg/cmd/hgctl/helm/render.go
@@ -38,6 +38,7 @@ import (
 	"helm.sh/helm/v3/pkg/engine"
 	"helm.sh/helm/v3/pkg/getter"
 	"helm.sh/helm/v3/pkg/repo"
+	"k8s.io/client-go/rest"
 	"sigs.k8s.io/yaml"
 )

@@ -134,6 +135,12 @@ type RendererOptions struct {
 	// fields for RemoteRenderer
 	Version string
 	RepoURL string
+
+	// Capabilities
+	Capabilities *chartutil.Capabilities
+
+	// rest config
+	restConfig *rest.Config
 }

 type RendererOption func(*RendererOptions)
@@ -174,6 +181,18 @@ func WithRepoURL(repo string) RendererOption {
 	}
 }

+func WithCapabilities(capabilities *chartutil.Capabilities) RendererOption {
+	return func(opts *RendererOptions) {
+		opts.Capabilities = capabilities
+	}
+}
+
+func WithRestConfig(config *rest.Config) RendererOption {
+	return func(opts *RendererOptions) {
+		opts.restConfig = config
+	}
+}
+
 // LocalFileRenderer load yaml files from local file system
 type LocalFileRenderer struct {
 	Opts     *RendererOptions
@@ -418,8 +437,11 @@ func renderManifest(valsYaml string, cht *chart.Chart, builtIn bool, opts *Rende
 		Name:      opts.Name,
 		Namespace: opts.Namespace,
 	}
-	// TODO need to specify k8s version
-	caps := chartutil.DefaultCapabilities
+	var caps *chartutil.Capabilities
+	caps = opts.Capabilities
+	if caps == nil {
+		caps = chartutil.DefaultCapabilities
+	}
 	// maybe we need a configuration to change this caps
 	resVals, err := chartutil.ToRenderValues(cht, valsMap, RelOpts, caps)
 	if err != nil {
@@ -428,7 +450,7 @@ func renderManifest(valsYaml string, cht *chart.Chart, builtIn bool, opts *Rende
 	if builtIn {
 		resVals["Values"].(chartutil.Values)["enabled"] = true
 	}
-	filesMap, err := engine.Render(cht, resVals)
+	filesMap, err := engine.RenderWithClient(cht, resVals, opts.restConfig)
 	if err != nil {
 		return "", fmt.Errorf("Render chart failed err: %s", err)
 	}
--- a/pkg/cmd/hgctl/installer/component.go
+++ b/pkg/cmd/hgctl/installer/component.go
@@ -17,6 +17,7 @@ package installer
 import (
 	"github.com/alibaba/higress/pkg/cmd/hgctl/helm"
 	"github.com/alibaba/higress/pkg/cmd/hgctl/util"
+	"helm.sh/helm/v3/pkg/chartutil"
 	"sigs.k8s.io/yaml"
 )

@@ -49,6 +50,8 @@ type ComponentOptions struct {
 	ChartName string
 	Version   string
 	Quiet     bool
+	// Capabilities
+	Capabilities *chartutil.Capabilities
 }

 type ComponentOption func(*ComponentOptions)
@@ -83,6 +86,12 @@ func WithComponentVersion(version string) ComponentOption {
 	}
 }

+func WithComponentCapabilities(capabilities *chartutil.Capabilities) ComponentOption {
+	return func(opts *ComponentOptions) {
+		opts.Capabilities = capabilities
+	}
+}
+
 func WithQuiet() ComponentOption {
 	return func(opts *ComponentOptions) {
 		opts.Quiet = true
--- a/pkg/cmd/hgctl/installer/gateway_api.go
+++ b/pkg/cmd/hgctl/installer/gateway_api.go
@@ -21,6 +21,7 @@ import (
 	"strings"

 	"github.com/alibaba/higress/pkg/cmd/hgctl/helm"
+	"github.com/alibaba/higress/pkg/cmd/hgctl/kubernetes"
 	"github.com/alibaba/higress/pkg/cmd/hgctl/manifests"
 )

@@ -34,9 +35,10 @@ type GatewayAPIComponent struct {
 	opts     *ComponentOptions
 	renderer helm.Renderer
 	writer   io.Writer
+	kubeCli  kubernetes.CLIClient
 }

-func NewGatewayAPIComponent(profile *helm.Profile, writer io.Writer, opts ...ComponentOption) (Component, error) {
+func NewGatewayAPIComponent(kubeCli kubernetes.CLIClient, profile *helm.Profile, writer io.Writer, opts ...ComponentOption) (Component, error) {
 	newOpts := &ComponentOptions{}
 	for _, opt := range opts {
 		opt(newOpts)
@@ -55,6 +57,8 @@ func NewGatewayAPIComponent(profile *helm.Profile, writer io.Writer, opts ...Com
 		helm.WithVersion(newOpts.Version),
 		helm.WithFS(manifests.BuiltinOrDir("")),
 		helm.WithDir(chartDir),
+		helm.WithCapabilities(newOpts.Capabilities),
+		helm.WithRestConfig(kubeCli.RESTConfig()),
 	)
 	if err != nil {
 		return nil, err
@@ -65,6 +69,7 @@ func NewGatewayAPIComponent(profile *helm.Profile, writer io.Writer, opts ...Com
 		renderer: renderer,
 		opts:     newOpts,
 		writer:   writer,
+		kubeCli:  kubeCli,
 	}
 	return gatewayAPIComponent, nil
 }
--- a/pkg/cmd/hgctl/installer/higress.go
+++ b/pkg/cmd/hgctl/installer/higress.go
@@ -17,8 +17,10 @@ package installer
 import (
 	"errors"
 	"fmt"
-	"github.com/alibaba/higress/pkg/cmd/hgctl/helm"
 	"io"
+
+	"github.com/alibaba/higress/pkg/cmd/hgctl/helm"
+	"github.com/alibaba/higress/pkg/cmd/hgctl/kubernetes"
 )

 const (
@@ -31,6 +33,7 @@ type HigressComponent struct {
 	opts     *ComponentOptions
 	renderer helm.Renderer
 	writer   io.Writer
+	kubeCli  kubernetes.CLIClient
 }

 func (h *HigressComponent) ComponentName() ComponentName {
@@ -89,7 +92,7 @@ func (h *HigressComponent) RenderManifest() (string, error) {
 	return manifest, nil
 }

-func NewHigressComponent(profile *helm.Profile, writer io.Writer, opts ...ComponentOption) (Component, error) {
+func NewHigressComponent(kubeCli kubernetes.CLIClient, profile *helm.Profile, writer io.Writer, opts ...ComponentOption) (Component, error) {
 	newOpts := &ComponentOptions{}
 	for _, opt := range opts {
 		opt(newOpts)
@@ -105,6 +108,8 @@ func NewHigressComponent(profile *helm.Profile, writer io.Writer, opts ...Compon
 		helm.WithNamespace(newOpts.Namespace),
 		helm.WithRepoURL(newOpts.RepoURL),
 		helm.WithVersion(newOpts.Version),
+		helm.WithCapabilities(newOpts.Capabilities),
+		helm.WithRestConfig(kubeCli.RESTConfig()),
 	)
 	if err != nil {
 		return nil, err
@@ -115,6 +120,7 @@ func NewHigressComponent(profile *helm.Profile, writer io.Writer, opts ...Compon
 		renderer: renderer,
 		opts:     newOpts,
 		writer:   writer,
+		kubeCli:  kubeCli,
 	}
 	return higressComponent, nil
 }
--- a/pkg/cmd/hgctl/installer/installer_k8s.go
+++ b/pkg/cmd/hgctl/installer/installer_k8s.go
@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"path/filepath"

 	"github.com/alibaba/higress/pkg/cmd/hgctl/helm"
 	"github.com/alibaba/higress/pkg/cmd/hgctl/helm/object"
@@ -202,6 +203,19 @@ func (o *K8sInstaller) DeleteManifests(manifestMap map[ComponentName]string) err
 	return nil
 }

+// WriteManifests write component manifests to local files
+func (o *K8sInstaller) WriteManifests(manifestMap map[ComponentName]string) error {
+	if o.kubeCli == nil {
+		return errors.New("no injected k8s cli into K8sInstaller")
+	}
+	rootPath, _ := os.Getwd()
+	for name, manifest := range manifestMap {
+		fileName := filepath.Join(rootPath, string(name)+".yaml")
+		util.WriteFileString(fileName, manifest, 0o644)
+	}
+	return nil
+}
+
 // deleteManifest delete manifest to certain namespace
 func (o *K8sInstaller) deleteManifest(manifest string, ns string) error {
 	objs, err := object.ParseK8sObjectsFromYAMLManifest(manifest)
@@ -239,6 +253,14 @@ func NewK8sInstaller(profile *helm.Profile, cli kubernetes.CLIClient, writer io.
 	if profile == nil {
 		return nil, errors.New("install profile is empty")
 	}
+	// initialize server info
+	serverInfo, _ := NewServerInfo(cli)
+	fmt.Fprintf(writer, "\n⌛️ Detecting kubernetes version ... ")
+	capabilities, err := serverInfo.GetCapabilities()
+	if err != nil {
+		return nil, err
+	}
+	fmt.Fprintf(writer, "%s\n", capabilities.KubeVersion.Version)
 	// initialize components
 	components := make(map[ComponentName]Component)
 	opts := []ComponentOption{
@@ -247,11 +269,12 @@ func NewK8sInstaller(profile *helm.Profile, cli kubernetes.CLIClient, writer io.
 		WithComponentVersion(profile.Charts.Higress.Version),
 		WithComponentRepoURL(profile.Charts.Higress.Url),
 		WithComponentChartName(profile.Charts.Higress.Name),
+		WithComponentCapabilities(capabilities),
 	}
 	if quiet {
 		opts = append(opts, WithQuiet())
 	}
-	higressComponent, err := NewHigressComponent(profile, writer, opts...)
+	higressComponent, err := NewHigressComponent(cli, profile, writer, opts...)
 	if err != nil {
 		return nil, fmt.Errorf("NewHigressComponent failed, err: %s", err)
 	}
@@ -267,12 +290,13 @@ func NewK8sInstaller(profile *helm.Profile, cli kubernetes.CLIClient, writer io.
 			WithComponentVersion("1.18.2"),
 			WithComponentRepoURL("embed://istiobase"),
 			WithComponentChartName("istio"),
+			WithComponentCapabilities(capabilities),
 		}
 		if quiet {
 			opts = append(opts, WithQuiet())
 		}

-		istioCRDComponent, err := NewIstioCRDComponent(profile, writer, opts...)
+		istioCRDComponent, err := NewIstioCRDComponent(cli, profile, writer, opts...)
 		if err != nil {
 			return nil, fmt.Errorf("NewIstioCRDComponent failed, err: %s", err)
 		}
@@ -285,12 +309,13 @@ func NewK8sInstaller(profile *helm.Profile, cli kubernetes.CLIClient, writer io.
 			WithComponentVersion("1.0.0"),
 			WithComponentRepoURL("embed://gatewayapi"),
 			WithComponentChartName("gatewayAPI"),
+			WithComponentCapabilities(capabilities),
 		}
 		if quiet {
 			opts = append(opts, WithQuiet())
 		}

-		gatewayAPIComponent, err := NewGatewayAPIComponent(profile, writer, opts...)
+		gatewayAPIComponent, err := NewGatewayAPIComponent(cli, profile, writer, opts...)
 		if err != nil {
 			return nil, fmt.Errorf("NewGatewayAPIComponent failed, err: %s", err)
 		}
--- a/pkg/cmd/hgctl/installer/istio.go
+++ b/pkg/cmd/hgctl/installer/istio.go
@@ -20,6 +20,7 @@ import (
 	"strings"

 	"github.com/alibaba/higress/pkg/cmd/hgctl/helm"
+	"github.com/alibaba/higress/pkg/cmd/hgctl/kubernetes"
 	"github.com/alibaba/higress/pkg/cmd/hgctl/manifests"
 )

@@ -33,9 +34,10 @@ type IstioCRDComponent struct {
 	opts     *ComponentOptions
 	renderer helm.Renderer
 	writer   io.Writer
+	kubeCli  kubernetes.CLIClient
 }

-func NewIstioCRDComponent(profile *helm.Profile, writer io.Writer, opts ...ComponentOption) (Component, error) {
+func NewIstioCRDComponent(kubeCli kubernetes.CLIClient, profile *helm.Profile, writer io.Writer, opts ...ComponentOption) (Component, error) {
 	newOpts := &ComponentOptions{}
 	for _, opt := range opts {
 		opt(newOpts)
@@ -54,6 +56,8 @@ func NewIstioCRDComponent(profile *helm.Profile, writer io.Writer, opts ...Compo
 			helm.WithVersion(newOpts.Version),
 			helm.WithFS(manifests.BuiltinOrDir("")),
 			helm.WithDir(chartDir),
+			helm.WithCapabilities(newOpts.Capabilities),
+			helm.WithRestConfig(kubeCli.RESTConfig()),
 		)
 		if err != nil {
 			return nil, err
@@ -64,6 +68,8 @@ func NewIstioCRDComponent(profile *helm.Profile, writer io.Writer, opts ...Compo
 			helm.WithNamespace(newOpts.Namespace),
 			helm.WithRepoURL(newOpts.RepoURL),
 			helm.WithVersion(newOpts.Version),
+			helm.WithCapabilities(newOpts.Capabilities),
+			helm.WithRestConfig(kubeCli.RESTConfig()),
 		)
 		if err != nil {
 			return nil, err
@@ -75,6 +81,7 @@ func NewIstioCRDComponent(profile *helm.Profile, writer io.Writer, opts ...Compo
 		renderer: renderer,
 		opts:     newOpts,
 		writer:   writer,
+		kubeCli:  kubeCli,
 	}
 	return istioComponent, nil
 }
--- a/pkg/cmd/hgctl/installer/server_info.go
+++ b/pkg/cmd/hgctl/installer/server_info.go
@@ -0,0 +1,66 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package installer
+
+import (
+	"github.com/alibaba/higress/pkg/cmd/hgctl/kubernetes"
+	"github.com/pkg/errors"
+	"helm.sh/helm/v3/pkg/action"
+	"helm.sh/helm/v3/pkg/chartutil"
+	"k8s.io/client-go/discovery"
+)
+
+type ServerInfo struct {
+	kubeCli kubernetes.CLIClient
+}
+
+func (c *ServerInfo) GetCapabilities() (*chartutil.Capabilities, error) {
+	// force a discovery cache invalidation to always fetch the latest server version/capabilities.
+	dc := c.kubeCli.KubernetesInterface().Discovery()
+
+	kubeVersion, err := dc.ServerVersion()
+	if err != nil {
+		return nil, errors.Wrap(err, "could not get server version from Kubernetes")
+	}
+	// Issue #6361:
+	// Client-Go emits an error when an API service is registered but unimplemented.
+	// We trap that error here and print a warning. But since the discovery client continues
+	// building the API object, it is correctly populated with all valid APIs.
+	// See https://github.com/kubernetes/kubernetes/issues/72051#issuecomment-521157642
+	apiVersions, err := action.GetVersionSet(dc)
+	if err != nil {
+		if discovery.IsGroupDiscoveryFailedError(err) {
+		} else {
+			return nil, errors.Wrap(err, "could not get apiVersions from Kubernetes")
+		}
+	}
+	capabilities := &chartutil.Capabilities{
+		APIVersions: apiVersions,
+		KubeVersion: chartutil.KubeVersion{
+			Version: kubeVersion.GitVersion,
+			Major:   kubeVersion.Major,
+			Minor:   kubeVersion.Minor,
+		},
+		HelmVersion: chartutil.DefaultCapabilities.HelmVersion,
+	}
+	return capabilities, nil
+}
+
+func NewServerInfo(kubCli kubernetes.CLIClient) (*ServerInfo, error) {
+	serverInfo := &ServerInfo{
+		kubeCli: kubCli,
+	}
+	return serverInfo, nil
+}
--- a/pkg/cmd/hgctl/kubernetes/client.go
+++ b/pkg/cmd/hgctl/kubernetes/client.go
@@ -57,6 +57,9 @@ type CLIClient interface {

 	// CreateNamespace create namespace
 	CreateNamespace(namespace string) error
+
+	// KubernetesInterface get kubernetes interface
+	KubernetesInterface() kubernetes.Interface
 }

 var _ CLIClient = &client{}
@@ -246,3 +249,8 @@ func (c *client) CreateNamespace(namespace string) error {

 	return nil
 }
+
+// KubernetesInterface get kubernetes interface
+func (c *client) KubernetesInterface() kubernetes.Interface {
+	return c.kube
+}
--- a/pkg/cmd/hgctl/uninstall.go
+++ b/pkg/cmd/hgctl/uninstall.go
@@ -26,13 +26,13 @@ import (
 )

 type uninstallArgs struct {
-	// purgeIstioCRD delete  all of Istio resources.
-	purgeIstioCRD bool
+	// purgeResources delete  all of installed resources.
+	purgeResources bool
 }

 func addUninstallFlags(cmd *cobra.Command, args *uninstallArgs) {
-	cmd.PersistentFlags().BoolVarP(&args.purgeIstioCRD, "purge-istio-crd", "", false,
-		"Delete  all of Istio resources")
+	cmd.PersistentFlags().BoolVarP(&args.purgeResources, "purge-resources", "", false,
+		"Delete  all of IstioAPI,GatewayAPI resources")
 }

 // newUninstallCmd command uninstalls Istio from a cluster
@@ -42,11 +42,11 @@ func newUninstallCmd() *cobra.Command {
 		Use:   "uninstall",
 		Short: "Uninstall higress from a cluster",
 		Long:  "The uninstall command uninstalls higress from a cluster or local environment",
-		Example: `  # Uninstall higress 
+		Example: `# Uninstall higress 
  hgctl uninstal
  
-  # Uninstall higress and istio CRD from a cluster
-  hgctl uninstall --purge-istio-crd
+  # Uninstall higress, istioAPI and GatewayAPI from a cluster
+  hgctl uninstall --purge-resources
 `,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return uninstall(cmd.OutOrStdout(), uiArgs)
@@ -82,7 +82,12 @@ func uninstall(writer io.Writer, uiArgs *uninstallArgs) error {
 	}

 	if profile.Global.Install == helm.InstallK8s || profile.Global.Install == helm.InstallLocalK8s {
-		profile.Global.EnableIstioAPI = uiArgs.purgeIstioCRD
+		if profile.Global.EnableIstioAPI {
+			profile.Global.EnableIstioAPI = uiArgs.purgeResources
+		}
+		if profile.Global.EnableGatewayAPI {
+			profile.Global.EnableGatewayAPI = uiArgs.purgeResources
+		}
 	}

 	err = uninstallManifests(profile, writer, uiArgs)
--- a/pkg/ingress/kube/annotations/annotations.go
+++ b/pkg/ingress/kube/annotations/annotations.go
@@ -15,6 +15,8 @@
 package annotations

 import (
+	"strings"
+
 	networking "istio.io/api/networking/v1alpha3"
 	"istio.io/istio/pilot/pkg/util/sets"
 	listersv1 "k8s.io/client-go/listers/core/v1"
@@ -54,10 +56,14 @@ type Ingress struct {

 	IPAccessControl *IPAccessControlConfig

+	Timeout *TimeoutConfig
+
 	Retry *RetryConfig

 	LoadBalance *LoadBalanceConfig

+	localRateLimit *localRateLimitConfig
+
 	Fallback *FallbackConfig

 	Auth *AuthConfig
@@ -73,12 +79,17 @@ type Ingress struct {
 	Http2Rpc *Http2RpcConfig
 }

-func (i *Ingress) NeedRegexMatch() bool {
+func (i *Ingress) NeedRegexMatch(path string) bool {
 	if i.Rewrite == nil {
 		return false
 	}
-
-	return i.Rewrite.RewriteTarget != "" || i.IsPrefixRegexMatch() || i.IsFullPathRegexMatch()
+	if strings.ContainsAny(path, `\.+*?()|[]{}^$`) {
+		return true
+	}
+	if strings.ContainsAny(i.Rewrite.RewriteTarget, `$\`) {
+		return true
+	}
+	return i.IsPrefixRegexMatch() || i.IsFullPathRegexMatch()
 }

 func (i *Ingress) IsPrefixRegexMatch() bool {
@@ -143,8 +154,10 @@ func NewAnnotationHandlerManager() AnnotationHandler {
 			rewrite{},
 			upstreamTLS{},
 			ipAccessControl{},
+			timeout{},
 			retry{},
 			loadBalance{},
+			localRateLimit{},
 			fallback{},
 			auth{},
 			destination{},
@@ -164,7 +177,9 @@ func NewAnnotationHandlerManager() AnnotationHandler {
 			redirect{},
 			rewrite{},
 			ipAccessControl{},
+			timeout{},
 			retry{},
+			localRateLimit{},
 			fallback{},
 			ignoreCaseMatching{},
 			match{},
--- a/pkg/ingress/kube/annotations/annotations_test.go
+++ b/pkg/ingress/kube/annotations/annotations_test.go
@@ -18,8 +18,9 @@ import "testing"

 func TestNeedRegexMatch(t *testing.T) {
 	testCases := []struct {
-		input  *Ingress
-		expect bool
+		input     *Ingress
+		inputPath string
+		expect    bool
 	}{
 		{
 			input:  &Ingress{},
@@ -34,7 +35,7 @@ func TestNeedRegexMatch(t *testing.T) {
 		{
 			input: &Ingress{
 				Rewrite: &RewriteConfig{
-					RewriteTarget: "/test",
+					UseRegex: true,
 				},
 			},
 			expect: true,
@@ -42,17 +43,46 @@ func TestNeedRegexMatch(t *testing.T) {
 		{
 			input: &Ingress{
 				Rewrite: &RewriteConfig{
-					UseRegex: true,
+					UseRegex: false,
+				},
+			},
+			expect: false,
+		},
+		{
+			input: &Ingress{
+				Rewrite: &RewriteConfig{
+					UseRegex:      false,
+					RewriteTarget: "/$1",
 				},
 			},
 			expect: true,
 		},
+		{
+			input: &Ingress{
+				Rewrite: &RewriteConfig{
+					UseRegex:      false,
+					RewriteTarget: "/",
+				},
+			},
+			inputPath: "/.*",
+			expect:    true,
+		},
+		{
+			input: &Ingress{
+				Rewrite: &RewriteConfig{
+					UseRegex:      false,
+					RewriteTarget: "/",
+				},
+			},
+			inputPath: "/",
+			expect:    false,
+		},
 	}

 	for _, testCase := range testCases {
 		t.Run("", func(t *testing.T) {
-			if testCase.input.NeedRegexMatch() != testCase.expect {
-				t.Fatalf("Should be %t, but actual is %t", testCase.expect, testCase.input.NeedRegexMatch())
+			if testCase.input.NeedRegexMatch(testCase.inputPath) != testCase.expect {
+				t.Fatalf("Should be %t, but actual is %t", testCase.expect, !testCase.expect)
 			}
 		})
 	}
--- a/pkg/ingress/kube/annotations/canary.go
+++ b/pkg/ingress/kube/annotations/canary.go
@@ -108,6 +108,8 @@ func ApplyByWeight(canary, route *networking.HTTPRoute, canaryIngress *Ingress)

 	// canary route use the header control applied on itself.
 	headerControl{}.ApplyRoute(canary, canaryIngress)
+	// reset
+	canary.Route[0].FallbackClusters = nil
 	// Move route level to destination level
 	canary.Route[0].Headers = canary.Headers

@@ -127,8 +129,6 @@ func ApplyByHeader(canary, route *networking.HTTPRoute, canaryIngress *Ingress)

 	// Inherit configuration from non-canary rule
 	route.DeepCopyInto(canary)
-	// Assign temp copied canary route match
-	canary.Match = temp.Match
 	// Assign temp copied canary route destination
 	canary.Route = temp.Route

@@ -165,7 +165,7 @@ func ApplyByHeader(canary, route *networking.HTTPRoute, canaryIngress *Ingress)
 			match.Headers = map[string]*networking.StringMatch{
 				"cookie": {
 					MatchType: &networking.StringMatch_Regex{
-						Regex: "^(.\\*?;)?(" + canaryConfig.Cookie + "=always)(;.\\*)?$",
+						Regex: "^(.*?;\\s*)?(" + canaryConfig.Cookie + "=always)(;.*)?$",
 					},
 				},
 			}
--- a/pkg/ingress/kube/annotations/header_control.go
+++ b/pkg/ingress/kube/annotations/header_control.go
@@ -15,6 +15,7 @@
 package annotations

 import (
+	"regexp"
 	"strings"

 	networking "istio.io/api/networking/v1alpha3"
@@ -37,6 +38,8 @@ const (
 var (
 	_ Parser       = headerControl{}
 	_ RouteHandler = headerControl{}
+
+	pattern = regexp.MustCompile(`\s+`)
 )

 type HeaderOperation struct {
@@ -138,6 +141,18 @@ func needHeaderControlConfig(annotations Annotations) bool {
 		annotations.HasHigress(responseHeaderRemove)
 }

+func trimQuotes(s string) string {
+	if len(s) >= 2 {
+		if s[0] == '"' && s[len(s)-1] == '"' {
+			return s[1 : len(s)-1]
+		}
+		if s[0] == '\'' && s[len(s)-1] == '\'' {
+			return s[1 : len(s)-1]
+		}
+	}
+	return s
+}
+
 func convertAddOrUpdate(headers string) map[string]string {
 	result := map[string]string{}
 	parts := strings.Split(headers, "\n")
@@ -147,13 +162,13 @@ func convertAddOrUpdate(headers string) map[string]string {
 			continue
 		}

-		keyValue := strings.Fields(part)
+		keyValue := pattern.Split(part, 2)
 		if len(keyValue) != 2 {
 			IngressLog.Errorf("Header format %s is invalid.", keyValue)
 			continue
 		}
-		key := strings.TrimSpace(keyValue[0])
-		value := strings.TrimSpace(keyValue[1])
+		key := trimQuotes(strings.TrimSpace(keyValue[0]))
+		value := trimQuotes(strings.TrimSpace(keyValue[1]))
 		result[key] = value
 	}
 	return result
--- a/pkg/ingress/kube/annotations/header_control_test.go
+++ b/pkg/ingress/kube/annotations/header_control_test.go
@@ -48,8 +48,8 @@ func TestHeaderControlParse(t *testing.T) {
 		},
 		{
 			input: map[string]string{
-				buildHigressAnnotationKey(requestHeaderAdd):     "one 1\n  two  2\nthree   3  \n",
-				buildHigressAnnotationKey(requestHeaderUpdate):  "two 2",
+				buildHigressAnnotationKey(requestHeaderAdd):     "one 1\n  two  2\nthree   3  \nx-test mse; test=true\nx-pro    mse; pro=true\n",
+				buildHigressAnnotationKey(requestHeaderUpdate):  "two 2\n set-cookie name=test; sameage=111\nset-stage    name=stage;   stage=true\n",
 				buildHigressAnnotationKey(requestHeaderRemove):  "one, two,three\n",
 				buildHigressAnnotationKey(responseHeaderAdd):    "A a\nB b\n",
 				buildHigressAnnotationKey(responseHeaderUpdate): "X x\nY y\n",
@@ -58,12 +58,16 @@ func TestHeaderControlParse(t *testing.T) {
 			expect: &HeaderControlConfig{
 				Request: &HeaderOperation{
 					Add: map[string]string{
-						"one":   "1",
-						"two":   "2",
-						"three": "3",
+						"one":    "1",
+						"two":    "2",
+						"three":  "3",
+						"x-test": "mse; test=true",
+						"x-pro":  "mse; pro=true",
 					},
 					Update: map[string]string{
-						"two": "2",
+						"two":        "2",
+						"set-cookie": "name=test; sameage=111",
+						"set-stage":  "name=stage;   stage=true",
 					},
 					Remove: []string{"one", "two", "three"},
 				},
@@ -122,12 +126,16 @@ func TestHeaderControlApplyRoute(t *testing.T) {
 				HeaderControl: &HeaderControlConfig{
 					Request: &HeaderOperation{
 						Add: map[string]string{
-							"one":   "1",
-							"two":   "2",
-							"three": "3",
+							"one":    "1",
+							"two":    "2",
+							"three":  "3",
+							"x-test": "mse; test=true",
+							"x-pro":  "mse;     pro=true",
 						},
 						Update: map[string]string{
-							"two": "2",
+							"two":        "2",
+							"set-cookie": "name=test; sameage=111",
+							"set-stage":  "name=stage;     sameage=111",
 						},
 						Remove: []string{"one", "two", "three"},
 					},
@@ -138,12 +146,16 @@ func TestHeaderControlApplyRoute(t *testing.T) {
 				Headers: &networking.Headers{
 					Request: &networking.Headers_HeaderOperations{
 						Add: map[string]string{
-							"one":   "1",
-							"two":   "2",
-							"three": "3",
+							"one":    "1",
+							"two":    "2",
+							"three":  "3",
+							"x-test": "mse; test=true",
+							"x-pro":  "mse;     pro=true",
 						},
 						Set: map[string]string{
-							"two": "2",
+							"two":        "2",
+							"set-cookie": "name=test; sameage=111",
+							"set-stage":  "name=stage;     sameage=111",
 						},
 						Remove: []string{"one", "two", "three"},
 					},
--- a/pkg/ingress/kube/annotations/local_rate_limit.go
+++ b/pkg/ingress/kube/annotations/local_rate_limit.go
@@ -0,0 +1,110 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package annotations
+
+import (
+	types "github.com/gogo/protobuf/types"
+
+	networking "istio.io/api/networking/v1alpha3"
+	"istio.io/istio/pilot/pkg/networking/core/v1alpha3/mseingress"
+)
+
+const (
+	limitRPM             = "route-limit-rpm"
+	limitRPS             = "route-limit-rps"
+	limitBurstMultiplier = "route-limit-burst-multiplier"
+
+	defaultBurstMultiplier = 5
+	defaultStatusCode      = 429
+)
+
+var (
+	_ Parser       = localRateLimit{}
+	_ RouteHandler = localRateLimit{}
+
+	second = &types.Duration{
+		Seconds: 1,
+	}
+
+	minute = &types.Duration{
+		Seconds: 60,
+	}
+)
+
+type localRateLimitConfig struct {
+	TokensPerFill uint32
+	MaxTokens     uint32
+	FillInterval  *types.Duration
+}
+
+type localRateLimit struct{}
+
+func (l localRateLimit) Parse(annotations Annotations, config *Ingress, _ *GlobalContext) error {
+	if !needLocalRateLimitConfig(annotations) {
+		return nil
+	}
+
+	var local *localRateLimitConfig
+	defer func() {
+		config.localRateLimit = local
+	}()
+
+	multiplier := defaultBurstMultiplier
+	if m, err := annotations.ParseIntForHigress(limitBurstMultiplier); err == nil {
+		multiplier = m
+	}
+
+	if rpm, err := annotations.ParseIntForHigress(limitRPM); err == nil {
+		local = &localRateLimitConfig{
+			MaxTokens:     uint32(rpm * multiplier),
+			TokensPerFill: uint32(rpm),
+			FillInterval:  minute,
+		}
+	} else if rps, err := annotations.ParseIntForHigress(limitRPS); err == nil {
+		local = &localRateLimitConfig{
+			MaxTokens:     uint32(rps * multiplier),
+			TokensPerFill: uint32(rps),
+			FillInterval:  second,
+		}
+	}
+
+	return nil
+}
+
+func (l localRateLimit) ApplyRoute(route *networking.HTTPRoute, config *Ingress) {
+	localRateLimitConfig := config.localRateLimit
+	if localRateLimitConfig == nil {
+		return
+	}
+
+	route.RouteHTTPFilters = append(route.RouteHTTPFilters, &networking.HTTPFilter{
+		Name: mseingress.LocalRateLimit,
+		Filter: &networking.HTTPFilter_LocalRateLimit{
+			LocalRateLimit: &networking.LocalRateLimit{
+				TokenBucket: &networking.TokenBucket{
+					MaxTokens:     localRateLimitConfig.MaxTokens,
+					TokensPefFill: localRateLimitConfig.TokensPerFill,
+					FillInterval:  localRateLimitConfig.FillInterval,
+				},
+				StatusCode: defaultStatusCode,
+			},
+		},
+	})
+}
+
+func needLocalRateLimitConfig(annotations Annotations) bool {
+	return annotations.HasHigress(limitRPM) ||
+		annotations.HasHigress(limitRPS)
+}
--- a/pkg/ingress/kube/annotations/local_rate_limit_test.go
+++ b/pkg/ingress/kube/annotations/local_rate_limit_test.go
@@ -0,0 +1,127 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package annotations
+
+import (
+	"reflect"
+	"testing"
+
+	networking "istio.io/api/networking/v1alpha3"
+	"istio.io/istio/pilot/pkg/networking/core/v1alpha3/mseingress"
+)
+
+func TestLocalRateLimitParse(t *testing.T) {
+	localRateLimit := localRateLimit{}
+	inputCases := []struct {
+		input  map[string]string
+		expect *localRateLimitConfig
+	}{
+		{},
+		{
+			input: map[string]string{
+				buildHigressAnnotationKey(limitRPM): "2",
+			},
+			expect: &localRateLimitConfig{
+				MaxTokens:     10,
+				TokensPerFill: 2,
+				FillInterval:  minute,
+			},
+		},
+		{
+			input: map[string]string{
+				buildHigressAnnotationKey(limitRPM):             "2",
+				buildHigressAnnotationKey(limitRPS):             "3",
+				buildHigressAnnotationKey(limitBurstMultiplier): "10",
+			},
+			expect: &localRateLimitConfig{
+				MaxTokens:     20,
+				TokensPerFill: 2,
+				FillInterval:  minute,
+			},
+		},
+		{
+			input: map[string]string{
+				buildHigressAnnotationKey(limitRPS):             "3",
+				buildHigressAnnotationKey(limitBurstMultiplier): "10",
+			},
+			expect: &localRateLimitConfig{
+				MaxTokens:     30,
+				TokensPerFill: 3,
+				FillInterval:  second,
+			},
+		},
+	}
+
+	for _, inputCase := range inputCases {
+		t.Run("", func(t *testing.T) {
+			config := &Ingress{}
+			_ = localRateLimit.Parse(inputCase.input, config, nil)
+			if !reflect.DeepEqual(inputCase.expect, config.localRateLimit) {
+				t.Fatal("Should be equal")
+			}
+		})
+	}
+}
+
+func TestLocalRateLimitApplyRoute(t *testing.T) {
+	localRateLimit := localRateLimit{}
+	inputCases := []struct {
+		config *Ingress
+		input  *networking.HTTPRoute
+		expect *networking.HTTPRoute
+	}{
+		{
+			config: &Ingress{},
+			input:  &networking.HTTPRoute{},
+			expect: &networking.HTTPRoute{},
+		},
+		{
+			config: &Ingress{
+				localRateLimit: &localRateLimitConfig{
+					MaxTokens:     60,
+					TokensPerFill: 20,
+					FillInterval:  second,
+				},
+			},
+			input: &networking.HTTPRoute{},
+			expect: &networking.HTTPRoute{
+				RouteHTTPFilters: []*networking.HTTPFilter{
+					{
+						Name: mseingress.LocalRateLimit,
+						Filter: &networking.HTTPFilter_LocalRateLimit{
+							LocalRateLimit: &networking.LocalRateLimit{
+								TokenBucket: &networking.TokenBucket{
+									MaxTokens:     60,
+									TokensPefFill: 20,
+									FillInterval:  second,
+								},
+								StatusCode: defaultStatusCode,
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	for _, inputCase := range inputCases {
+		t.Run("", func(t *testing.T) {
+			localRateLimit.ApplyRoute(inputCase.input, inputCase.config)
+			if !reflect.DeepEqual(inputCase.input, inputCase.expect) {
+				t.Fatal("Should be equal")
+			}
+		})
+	}
+}
--- a/pkg/ingress/kube/annotations/retry.go
+++ b/pkg/ingress/kube/annotations/retry.go
@@ -70,8 +70,13 @@ func (r retry) Parse(annotations Annotations, config *Ingress, _ *GlobalContext)
 	}

 	if retryOn, err := annotations.ParseStringASAP(retryOn); err == nil {
-		extraConfigs := splitBySeparator(retryOn, ",")
-		conditions := toSet(extraConfigs)
+		var retryOnConditions []string
+		if strings.Contains(retryOn, ",") {
+			retryOnConditions = splitBySeparator(retryOn, ",")
+		} else {
+			retryOnConditions = strings.Fields(retryOn)
+		}
+		conditions := toSet(retryOnConditions)
 		if len(conditions) > 0 {
 			if conditions.Contains("off") {
 				retryConfig.retryCount = 0
@@ -88,7 +93,7 @@ func (r retry) Parse(annotations Annotations, config *Ingress, _ *GlobalContext)
 					stringBuilder.WriteString("non_idempotent,")
 				}
 				// Append the status codes.
-				statusCodes := convertStatusCodes(extraConfigs)
+				statusCodes := convertStatusCodes(retryOnConditions)
 				if len(statusCodes) > 0 {
 					stringBuilder.WriteString(retryStatusCode + ",")
 					for _, code := range statusCodes {
--- a/pkg/ingress/kube/annotations/retry_test.go
+++ b/pkg/ingress/kube/annotations/retry_test.go
@@ -37,8 +37,8 @@ func TestRetryParse(t *testing.T) {
 			},
 			expect: &RetryConfig{
 				retryCount:      1,
-				perRetryTimeout: &types.Duration{},
 				retryOn:         "5xx",
+				perRetryTimeout: &types.Duration{},
 			},
 		},
 		{
@@ -60,8 +60,8 @@ func TestRetryParse(t *testing.T) {
 			},
 			expect: &RetryConfig{
 				retryCount:      0,
-				perRetryTimeout: &types.Duration{},
 				retryOn:         "5xx",
+				perRetryTimeout: &types.Duration{},
 			},
 		},
 		{
@@ -71,8 +71,19 @@ func TestRetryParse(t *testing.T) {
 			},
 			expect: &RetryConfig{
 				retryCount:      2,
-				perRetryTimeout: &types.Duration{},
 				retryOn:         "5xx",
+				perRetryTimeout: &types.Duration{},
+			},
+		},
+		{
+			input: map[string]string{
+				buildNginxAnnotationKey(retryCount): "2",
+				buildNginxAnnotationKey(retryOn):    "error  timeout",
+			},
+			expect: &RetryConfig{
+				retryCount:      2,
+				retryOn:         "5xx",
+				perRetryTimeout: &types.Duration{},
 			},
 		},
 		{
@@ -81,8 +92,18 @@ func TestRetryParse(t *testing.T) {
 			},
 			expect: &RetryConfig{
 				retryCount:      3,
-				perRetryTimeout: &types.Duration{},
 				retryOn:         "5xx,non_idempotent",
+				perRetryTimeout: &types.Duration{},
+			},
+		},
+		{
+			input: map[string]string{
+				buildNginxAnnotationKey(retryOn): "timeout non_idempotent",
+			},
+			expect: &RetryConfig{
+				retryCount:      3,
+				retryOn:         "5xx,non_idempotent",
+				perRetryTimeout: &types.Duration{},
 			},
 		},
 		{
@@ -91,18 +112,18 @@ func TestRetryParse(t *testing.T) {
 			},
 			expect: &RetryConfig{
 				retryCount:      3,
-				perRetryTimeout: &types.Duration{},
 				retryOn:         "5xx,retriable-status-codes,503,502,404",
+				perRetryTimeout: &types.Duration{},
 			},
 		},
 		{
 			input: map[string]string{
-				buildNginxAnnotationKey(retryOn): "timeout,http_505,http_503,http_502,http_404,http_403",
+				buildNginxAnnotationKey(retryOn): "timeout http_503  http_502 http_404",
 			},
 			expect: &RetryConfig{
 				retryCount:      3,
+				retryOn:         "5xx,retriable-status-codes,503,502,404",
 				perRetryTimeout: &types.Duration{},
-				retryOn:         "5xx,retriable-status-codes,505,503,502,404,403",
 			},
 		},
 	}
--- a/pkg/ingress/kube/annotations/rewrite.go
+++ b/pkg/ingress/kube/annotations/rewrite.go
@@ -59,12 +59,6 @@ func (r rewrite) Parse(annotations Annotations, config *Ingress, _ *GlobalContex
 	rewriteConfig.RewritePath, _ = annotations.ParseStringForHigress(rewritePath)

 	if rewriteConfig.RewritePath == "" && rewriteConfig.RewriteTarget != "" {
-		// When rewrite target is present and not empty,
-		// we will enforce regex match on all rules in this ingress.
-		if !rewriteConfig.UseRegex && !rewriteConfig.FullPathRegex {
-			rewriteConfig.UseRegex = true
-		}
-
 		// We should convert nginx regex rule to envoy regex rule.
 		rewriteConfig.RewriteTarget = convertToRE2(rewriteConfig.RewriteTarget)
 	}
@@ -92,9 +86,22 @@ func (r rewrite) ApplyRoute(route *networking.HTTPRoute, config *Ingress) {
 			}
 		}
 	} else if rewriteConfig.RewriteTarget != "" {
-		route.Rewrite.UriRegex = &networking.RegexMatchAndSubstitute{
-			Pattern:      route.Match[0].Uri.GetRegex(),
-			Substitution: rewriteConfig.RewriteTarget,
+		uri := route.Match[0].Uri
+		if uri.GetExact() != "" {
+			route.Rewrite.UriRegex = &networking.RegexMatchAndSubstitute{
+				Pattern:      uri.GetExact(),
+				Substitution: rewriteConfig.RewriteTarget,
+			}
+		} else if uri.GetPrefix() != "" {
+			route.Rewrite.UriRegex = &networking.RegexMatchAndSubstitute{
+				Pattern:      uri.GetPrefix(),
+				Substitution: rewriteConfig.RewriteTarget,
+			}
+		} else {
+			route.Rewrite.UriRegex = &networking.RegexMatchAndSubstitute{
+				Pattern:      uri.GetRegex(),
+				Substitution: rewriteConfig.RewriteTarget,
+			}
 		}
 	}

--- a/pkg/ingress/kube/annotations/rewrite_test.go
+++ b/pkg/ingress/kube/annotations/rewrite_test.go
@@ -77,16 +77,13 @@ func TestRewriteParse(t *testing.T) {
 			},
 			expect: &RewriteConfig{
 				RewriteTarget: "/test",
-				UseRegex:      true,
 			},
 		},
 		{
 			input: Annotations{
 				buildNginxAnnotationKey(rewriteTarget): "",
 			},
-			expect: &RewriteConfig{
-				UseRegex: false,
-			},
+			expect: &RewriteConfig{},
 		},
 		{
 			input: Annotations{
@@ -94,7 +91,6 @@ func TestRewriteParse(t *testing.T) {
 			},
 			expect: &RewriteConfig{
 				RewriteTarget: "/\\2/\\1",
-				UseRegex:      true,
 			},
 		},
 		{
@@ -113,6 +109,16 @@ func TestRewriteParse(t *testing.T) {
 				RewriteHost: "test.com",
 			},
 		},
+		{
+			input: Annotations{
+				buildNginxAnnotationKey(useRegex):      "true",
+				buildNginxAnnotationKey(rewriteTarget): "/$1",
+			},
+			expect: &RewriteConfig{
+				UseRegex:      true,
+				RewriteTarget: "/\\1",
+			},
+		},
 		{
 			input: Annotations{
 				buildNginxAnnotationKey(rewriteTarget): "/$2/$1",
@@ -120,7 +126,6 @@ func TestRewriteParse(t *testing.T) {
 			},
 			expect: &RewriteConfig{
 				RewriteTarget: "/\\2/\\1",
-				UseRegex:      true,
 				RewriteHost:   "test.com",
 			},
 		},
@@ -330,6 +335,76 @@ func TestRewriteApplyRoute(t *testing.T) {
 				},
 			},
 		},
+		{
+			config: &Ingress{
+				Rewrite: &RewriteConfig{
+					RewriteTarget: "/test",
+				},
+			},
+			input: &networking.HTTPRoute{
+				Match: []*networking.HTTPMatchRequest{
+					{
+						Uri: &networking.StringMatch{
+							MatchType: &networking.StringMatch_Exact{
+								Exact: "/exact",
+							},
+						},
+					},
+				},
+			},
+			expect: &networking.HTTPRoute{
+				Match: []*networking.HTTPMatchRequest{
+					{
+						Uri: &networking.StringMatch{
+							MatchType: &networking.StringMatch_Exact{
+								Exact: "/exact",
+							},
+						},
+					},
+				},
+				Rewrite: &networking.HTTPRewrite{
+					UriRegex: &networking.RegexMatchAndSubstitute{
+						Pattern:      "/exact",
+						Substitution: "/test",
+					},
+				},
+			},
+		},
+		{
+			config: &Ingress{
+				Rewrite: &RewriteConfig{
+					RewriteTarget: "/test",
+				},
+			},
+			input: &networking.HTTPRoute{
+				Match: []*networking.HTTPMatchRequest{
+					{
+						Uri: &networking.StringMatch{
+							MatchType: &networking.StringMatch_Prefix{
+								Prefix: "/prefix",
+							},
+						},
+					},
+				},
+			},
+			expect: &networking.HTTPRoute{
+				Match: []*networking.HTTPMatchRequest{
+					{
+						Uri: &networking.StringMatch{
+							MatchType: &networking.StringMatch_Prefix{
+								Prefix: "/prefix",
+							},
+						},
+					},
+				},
+				Rewrite: &networking.HTTPRewrite{
+					UriRegex: &networking.RegexMatchAndSubstitute{
+						Pattern:      "/prefix",
+						Substitution: "/test",
+					},
+				},
+			},
+		},
 	}

 	for _, inputCase := range inputCases {
--- a/pkg/ingress/kube/annotations/timeout.go
+++ b/pkg/ingress/kube/annotations/timeout.go
@@ -0,0 +1,62 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package annotations
+
+import (
+	types "github.com/gogo/protobuf/types"
+
+	networking "istio.io/api/networking/v1alpha3"
+)
+
+const timeoutAnnotation = "timeout"
+
+var (
+	_ Parser       = timeout{}
+	_ RouteHandler = timeout{}
+)
+
+type TimeoutConfig struct {
+	time *types.Duration
+}
+
+type timeout struct{}
+
+func (t timeout) Parse(annotations Annotations, config *Ingress, _ *GlobalContext) error {
+	if !needTimeoutConfig(annotations) {
+		return nil
+	}
+
+	if time, err := annotations.ParseIntForHigress(timeoutAnnotation); err == nil {
+		config.Timeout = &TimeoutConfig{
+			time: &types.Duration{
+				Seconds: int64(time),
+			},
+		}
+	}
+	return nil
+}
+
+func (t timeout) ApplyRoute(route *networking.HTTPRoute, config *Ingress) {
+	timeout := config.Timeout
+	if timeout == nil || timeout.time == nil || timeout.time.Seconds == 0 {
+		return
+	}
+
+	route.Timeout = timeout.time
+}
+
+func needTimeoutConfig(annotations Annotations) bool {
+	return annotations.HasHigress(timeoutAnnotation)
+}
--- a/pkg/ingress/kube/annotations/timeout_test.go
+++ b/pkg/ingress/kube/annotations/timeout_test.go
@@ -0,0 +1,122 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package annotations
+
+import (
+	"reflect"
+	"testing"
+
+	types "github.com/gogo/protobuf/types"
+
+	networking "istio.io/api/networking/v1alpha3"
+)
+
+func TestTimeoutParse(t *testing.T) {
+	timeout := timeout{}
+	inputCases := []struct {
+		input  map[string]string
+		expect *TimeoutConfig
+	}{
+		{},
+		{
+			input: map[string]string{
+				HigressAnnotationsPrefix + "/" + timeoutAnnotation: "",
+			},
+		},
+		{
+			input: map[string]string{
+				HigressAnnotationsPrefix + "/" + timeoutAnnotation: "0",
+			},
+			expect: &TimeoutConfig{
+				time: &types.Duration{},
+			},
+		},
+		{
+			input: map[string]string{
+				HigressAnnotationsPrefix + "/" + timeoutAnnotation: "10",
+			},
+			expect: &TimeoutConfig{
+				time: &types.Duration{
+					Seconds: 10,
+				},
+			},
+		},
+	}
+
+	for _, c := range inputCases {
+		t.Run("", func(t *testing.T) {
+			config := &Ingress{}
+			_ = timeout.Parse(c.input, config, nil)
+			if !reflect.DeepEqual(c.expect, config.Timeout) {
+				t.Fatalf("Should be equal.")
+			}
+		})
+	}
+}
+
+func TestTimeoutApplyRoute(t *testing.T) {
+	timeout := timeout{}
+	inputCases := []struct {
+		config *Ingress
+		input  *networking.HTTPRoute
+		expect *networking.HTTPRoute
+	}{
+		{
+			config: &Ingress{},
+			input:  &networking.HTTPRoute{},
+			expect: &networking.HTTPRoute{},
+		},
+		{
+			config: &Ingress{
+				Timeout: &TimeoutConfig{},
+			},
+			input:  &networking.HTTPRoute{},
+			expect: &networking.HTTPRoute{},
+		},
+		{
+			config: &Ingress{
+				Timeout: &TimeoutConfig{
+					time: &types.Duration{},
+				},
+			},
+			input:  &networking.HTTPRoute{},
+			expect: &networking.HTTPRoute{},
+		},
+		{
+			config: &Ingress{
+				Timeout: &TimeoutConfig{
+					time: &types.Duration{
+						Seconds: 10,
+					},
+				},
+			},
+			input: &networking.HTTPRoute{},
+			expect: &networking.HTTPRoute{
+				Timeout: &types.Duration{
+					Seconds: 10,
+				},
+			},
+		},
+	}
+
+	for _, inputCase := range inputCases {
+		t.Run("", func(t *testing.T) {
+			timeout.ApplyRoute(inputCase.input, inputCase.config)
+			if !reflect.DeepEqual(inputCase.input, inputCase.expect) {
+				t.Fatalf("Should be equal")
+			}
+		})
+	}
+}
--- a/pkg/ingress/kube/ingress/controller.go
+++ b/pkg/ingress/kube/ingress/controller.go
@@ -535,11 +535,11 @@ func (c *controller) ConvertHTTPRoute(convertOptions *common.ConvertOptions, wra

 			var pathType common.PathType
 			originPath := httpPath.Path
-			if annotationsConfig := wrapper.AnnotationsConfig; annotationsConfig.NeedRegexMatch() {
-				if annotationsConfig.IsPrefixRegexMatch() {
-					pathType = common.PrefixRegex
-				} else if annotationsConfig.IsFullPathRegexMatch() {
+			if annotationsConfig := wrapper.AnnotationsConfig; annotationsConfig.NeedRegexMatch(originPath) {
+				if annotationsConfig.IsFullPathRegexMatch() {
 					pathType = common.FullPathRegex
+				} else {
+					pathType = common.PrefixRegex
 				}
 			} else {
 				switch *httpPath.PathType {
@@ -712,7 +712,7 @@ func (c *controller) ApplyCanaryIngress(convertOptions *common.ConvertOptions, w
 		return fmt.Errorf("wrapperConfig is nil")
 	}

-	byHeader, byWeight := wrapper.AnnotationsConfig.CanaryKind()
+	byHeader, _ := wrapper.AnnotationsConfig.CanaryKind()

 	cfg := wrapper.Config
 	ingressV1Beta, ok := cfg.Spec.(ingress.IngressSpec)
@@ -746,11 +746,11 @@ func (c *controller) ApplyCanaryIngress(convertOptions *common.ConvertOptions, w

 			var pathType common.PathType
 			originPath := httpPath.Path
-			if annotationsConfig := wrapper.AnnotationsConfig; annotationsConfig.NeedRegexMatch() {
-				if annotationsConfig.IsPrefixRegexMatch() {
-					pathType = common.PrefixRegex
-				} else if annotationsConfig.IsFullPathRegexMatch() {
+			if annotationsConfig := wrapper.AnnotationsConfig; annotationsConfig.NeedRegexMatch(originPath) {
+				if annotationsConfig.IsFullPathRegexMatch() {
 					pathType = common.FullPathRegex
+				} else {
+					pathType = common.PrefixRegex
 				}
 			} else {
 				switch *httpPath.PathType {
@@ -765,9 +765,6 @@ func (c *controller) ApplyCanaryIngress(convertOptions *common.ConvertOptions, w
 			}
 			canary.OriginPath = originPath
 			canary.OriginPathType = pathType
-			canary.HTTPRoute.Match = c.generateHttpMatches(pathType, httpPath.Path, nil)
-			canary.HTTPRoute.Name = common.GenerateUniqueRouteName(c.options.SystemNamespace, canary)
-
 			ingressRouteBuilder := convertOptions.IngressRouteCache.New(canary)
 			// backend service check
 			var event common.Event
@@ -781,39 +778,37 @@ func (c *controller) ApplyCanaryIngress(convertOptions *common.ConvertOptions, w
 			}
 			canary.RuleKey = createRuleKey(canary.WrapperConfig.Config.Annotations, canary.PathFormat())

-			canaryConfig := wrapper.AnnotationsConfig.Canary
-			if byWeight {
-				canary.HTTPRoute.Route[0].Weight = int32(canaryConfig.Weight)
-			}
-
+			// find the base ingress
 			pos := 0
 			var targetRoute *common.WrapperHTTPRoute
 			for _, route := range routes {
 				if isCanaryRoute(canary, route) {
 					targetRoute = route
-					// Header, Cookie
-					if byHeader {
-						IngressLog.Debug("Insert canary route by header")
-						annotations.ApplyByHeader(canary.HTTPRoute, route.HTTPRoute, canary.WrapperConfig.AnnotationsConfig)
-						canary.HTTPRoute.Name = common.GenerateUniqueRouteName(c.options.SystemNamespace, canary)
-					} else {
-						IngressLog.Debug("Merge canary route by weight")
-						if route.WeightTotal == 0 {
-							route.WeightTotal = int32(canaryConfig.WeightTotal)
-						}
-						annotations.ApplyByWeight(canary.HTTPRoute, route.HTTPRoute, canary.WrapperConfig.AnnotationsConfig)
-					}
-
 					break
 				}
 				pos += 1
 			}
-
-			IngressLog.Debugf("Canary route is %v", canary)
 			if targetRoute == nil {
 				continue
 			}

+			canaryConfig := wrapper.AnnotationsConfig.Canary
+
+			// Header, Cookie
+			if byHeader {
+				IngressLog.Debug("Insert canary route by header")
+				annotations.ApplyByHeader(canary.HTTPRoute, targetRoute.HTTPRoute, canary.WrapperConfig.AnnotationsConfig)
+				canary.HTTPRoute.Name = common.GenerateUniqueRouteName(c.options.SystemNamespace, canary)
+			} else {
+				IngressLog.Debug("Merge canary route by weight")
+				if targetRoute.WeightTotal == 0 {
+					targetRoute.WeightTotal = int32(canaryConfig.WeightTotal)
+				}
+				annotations.ApplyByWeight(canary.HTTPRoute, targetRoute.HTTPRoute, canary.WrapperConfig.AnnotationsConfig)
+			}
+
+			IngressLog.Debugf("Canary route is %v", canary)
+
 			if byHeader {
 				// Inherit policy from normal route
 				canary.WrapperConfig.AnnotationsConfig.Auth = targetRoute.WrapperConfig.AnnotationsConfig.Auth
--- a/pkg/ingress/kube/ingressv1/controller.go
+++ b/pkg/ingress/kube/ingressv1/controller.go
@@ -517,11 +517,11 @@ func (c *controller) ConvertHTTPRoute(convertOptions *common.ConvertOptions, wra

 			var pathType common.PathType
 			originPath := httpPath.Path
-			if annotationsConfig := wrapper.AnnotationsConfig; annotationsConfig.NeedRegexMatch() {
-				if annotationsConfig.IsPrefixRegexMatch() {
-					pathType = common.PrefixRegex
-				} else if annotationsConfig.IsFullPathRegexMatch() {
+			if annotationsConfig := wrapper.AnnotationsConfig; annotationsConfig.NeedRegexMatch(originPath) {
+				if annotationsConfig.IsFullPathRegexMatch() {
 					pathType = common.FullPathRegex
+				} else {
+					pathType = common.PrefixRegex
 				}
 			} else {
 				switch *httpPath.PathType {
@@ -716,7 +716,7 @@ func (c *controller) ApplyDefaultBackend(convertOptions *common.ConvertOptions,
 }

 func (c *controller) ApplyCanaryIngress(convertOptions *common.ConvertOptions, wrapper *common.WrapperConfig) error {
-	byHeader, byWeight := wrapper.AnnotationsConfig.CanaryKind()
+	byHeader, _ := wrapper.AnnotationsConfig.CanaryKind()

 	cfg := wrapper.Config
 	ingressV1, ok := cfg.Spec.(ingress.IngressSpec)
@@ -750,11 +750,11 @@ func (c *controller) ApplyCanaryIngress(convertOptions *common.ConvertOptions, w

 			var pathType common.PathType
 			originPath := httpPath.Path
-			if annotationsConfig := wrapper.AnnotationsConfig; annotationsConfig.NeedRegexMatch() {
-				if annotationsConfig.IsPrefixRegexMatch() {
-					pathType = common.PrefixRegex
-				} else if annotationsConfig.IsFullPathRegexMatch() {
+			if annotationsConfig := wrapper.AnnotationsConfig; annotationsConfig.NeedRegexMatch(originPath) {
+				if annotationsConfig.IsFullPathRegexMatch() {
 					pathType = common.FullPathRegex
+				} else {
+					pathType = common.PrefixRegex
 				}
 			} else {
 				switch *httpPath.PathType {
@@ -769,8 +769,6 @@ func (c *controller) ApplyCanaryIngress(convertOptions *common.ConvertOptions, w
 			}
 			canary.OriginPath = originPath
 			canary.OriginPathType = pathType
-			canary.HTTPRoute.Match = c.generateHttpMatches(pathType, httpPath.Path, nil)
-			canary.HTTPRoute.Name = common.GenerateUniqueRouteName(c.options.SystemNamespace, canary)

 			ingressRouteBuilder := convertOptions.IngressRouteCache.New(canary)
 			// backend service check
@@ -785,39 +783,37 @@ func (c *controller) ApplyCanaryIngress(convertOptions *common.ConvertOptions, w
 			}
 			canary.RuleKey = createRuleKey(canary.WrapperConfig.Config.Annotations, canary.PathFormat())

-			canaryConfig := wrapper.AnnotationsConfig.Canary
-			if byWeight {
-				canary.HTTPRoute.Route[0].Weight = int32(canaryConfig.Weight)
-			}
-
+			// find the base ingress
 			pos := 0
 			var targetRoute *common.WrapperHTTPRoute
 			for _, route := range routes {
 				if isCanaryRoute(canary, route) {
 					targetRoute = route
-					// Header, Cookie
-					if byHeader {
-						IngressLog.Debug("Insert canary route by header")
-						annotations.ApplyByHeader(canary.HTTPRoute, route.HTTPRoute, canary.WrapperConfig.AnnotationsConfig)
-						canary.HTTPRoute.Name = common.GenerateUniqueRouteName(c.options.SystemNamespace, canary)
-					} else {
-						IngressLog.Debug("Merge canary route by weight")
-						if route.WeightTotal == 0 {
-							route.WeightTotal = int32(canaryConfig.WeightTotal)
-						}
-						annotations.ApplyByWeight(canary.HTTPRoute, route.HTTPRoute, canary.WrapperConfig.AnnotationsConfig)
-					}
-
 					break
 				}
 				pos += 1
 			}

-			IngressLog.Debugf("Canary route is %v", canary)
 			if targetRoute == nil {
 				continue
 			}

+			canaryConfig := wrapper.AnnotationsConfig.Canary
+
+			// Header, Cookie
+			if byHeader {
+				IngressLog.Debug("Insert canary route by header")
+				annotations.ApplyByHeader(canary.HTTPRoute, targetRoute.HTTPRoute, canary.WrapperConfig.AnnotationsConfig)
+				canary.HTTPRoute.Name = common.GenerateUniqueRouteName(c.options.SystemNamespace, canary)
+			} else {
+				IngressLog.Debug("Merge canary route by weight")
+				if targetRoute.WeightTotal == 0 {
+					targetRoute.WeightTotal = int32(canaryConfig.WeightTotal)
+				}
+				annotations.ApplyByWeight(canary.HTTPRoute, targetRoute.HTTPRoute, canary.WrapperConfig.AnnotationsConfig)
+			}
+			IngressLog.Debugf("Canary route is %v", canary)
+
 			if byHeader {
 				// Inherit policy from normal route
 				canary.WrapperConfig.AnnotationsConfig.Auth = targetRoute.WrapperConfig.AnnotationsConfig.Auth
--- a/plugins/wasm-cpp/common/route_rule_matcher.h
+++ b/plugins/wasm-cpp/common/route_rule_matcher.h
@@ -387,6 +387,8 @@ class RouteRuleMatcher {
      return true;
    }

+    request_host = Wasm::Common::Http::stripPortFromHost(request_host);
+
    for (const auto& host_match : rule.hosts) {
      const auto& host = host_match.second;
      switch (host_match.first) {
--- a/plugins/wasm-cpp/extensions/basic_auth/plugin_test.cc
+++ b/plugins/wasm-cpp/extensions/basic_auth/plugin_test.cc
@@ -584,6 +584,48 @@ TEST_F(BasicAuthTest, RuleWithConsumerAllow) {
            FilterHeadersStatus::Continue);
 }

+TEST_F(BasicAuthTest, GlobalAuthRuleWithDomainPort) {
+  std::string configuration = R"(
+{
+  "global_auth": true,
+  "consumers" : [
+    {"credential" : "ok:test", "name" : "consumer_ok"},
+    {"credential" : "admin2:admin2", "name" : "consumer2"},
+    {"credential" : "YWRtaW4zOmFkbWluMw==", "name" : "consumer3"},
+    {"credential" : "admin:admin", "name" : "consumer"}
+  ],
+  "_rules_" : [
+    {
+      "_match_domain_" : ["test.com", "*.example.com"],
+      "allow" : [ "consumer" ]
+    }
+  ]
+})";
+
+  BufferBase buffer;
+  buffer.set({configuration.data(), configuration.size()});
+
+  EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
+      .WillOnce([&buffer](WasmBufferType) { return &buffer; });
+  EXPECT_TRUE(root_context_->configure(configuration.size()));
+
+  authority_ = "www.example.com:8080";
+  cred_ = "admin:admin";
+  authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::Continue);
+
+  cred_ = "admin2:admin2";
+  authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::StopIteration);
+
+  authority_ = "abc.com";
+  authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::Continue);
+}
+
 TEST_F(BasicAuthTest, RuleWithEncryptedConsumerAllow) {
  std::string configuration = R"(
 {
--- a/plugins/wasm-cpp/extensions/oauth/BUILD
+++ b/plugins/wasm-cpp/extensions/oauth/BUILD
@@ -0,0 +1,80 @@
+# Copyright (c) 2022 Alibaba Group Holding Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+load("@proxy_wasm_cpp_sdk//bazel:defs.bzl", "proxy_wasm_cc_binary")
+load("//bazel:wasm.bzl", "declare_wasm_image_targets")
+
+proxy_wasm_cc_binary(
+    name = "oauth.wasm",
+    srcs = [
+        "plugin.cc",
+        "plugin.h",
+    ],
+    deps = [
+        "//common:random_util",
+        "@com_github_thalhammer_jwt_cpp//:lib",
+        "@com_github_mariusbancila_stduuid//:lib",
+        "@com_google_absl//absl/container:btree",
+        "@com_google_absl//absl/strings",
+        "@com_google_absl//absl/strings:str_format",
+        "@com_google_absl//absl/time",
+        "@boringssl//:ssl",        
+        "//common:json_util",
+        "//common:http_util",
+        "//common:rule_util",
+    ],
+)
+
+cc_library(
+    name = "oauth_lib",
+    srcs = [
+        "plugin.cc",
+    ],
+    hdrs = [
+        "plugin.h",
+    ],
+    copts = ["-DNULL_PLUGIN"],
+    deps = [
+        "@com_github_thalhammer_jwt_cpp//:lib",
+        "@com_github_mariusbancila_stduuid//:lib",
+        "@com_google_absl//absl/container:btree",
+        "@com_google_absl//absl/strings",
+        "@com_google_absl//absl/strings:str_format",
+        "@com_google_absl//absl/time",
+        "@boringssl//:ssl",        
+        "//common:json_util",
+        "@proxy_wasm_cpp_host//:lib",
+        "//common:http_util_nullvm",
+        "//common:rule_util_nullvm",
+    ],
+)
+
+cc_test(
+    name = "oauth_test",
+    srcs = [
+        "plugin_test.cc",
+    ],
+    copts = ["-DNULL_PLUGIN"],
+    deps = [
+        ":oauth_lib",
+        "@com_google_googletest//:gtest",
+        "@com_google_googletest//:gtest_main",
+        "@proxy_wasm_cpp_host//:lib",
+    ],
+)
+
+declare_wasm_image_targets(
+    name = "oauth",
+    wasm_file = ":oauth.wasm",
+)
--- a/plugins/wasm-cpp/extensions/oauth/README.md
+++ b/plugins/wasm-cpp/extensions/oauth/README.md
@@ -0,0 +1,129 @@
+# 功能说明
+`OAuth2`插件实现了基于JWT(JSON Web Tokens)进行OAuth2 Access Token签发的能力, 遵循[RFC9068](https://datatracker.ietf.org/doc/html/rfc9068)规范
+
+# 插件配置说明
+
+## 配置字段
+
+| 名称                 | 数据类型        | 填写要求                                    | 默认值          | 描述                                                                   |
+| -----------          | --------------- | ------------------------------------------- | ------          | -----------------------------------------------------------            |
+| `consumers`          | array of object | 必填                                        | -               | 配置服务的调用者，用于对请求进行认证                                   |
+| `_rules_`            | array of object | 选填                                        | -               | 配置特定路由或域名的访问权限列表，用于对请求进行鉴权                   |
+| `issuer`             | string          | 选填                                        | Higress-Gateway | 用于填充JWT中的issuer                                                  |
+| `auth_path`          | string          | 选填                                        | /oauth2/token   | 指定路径后缀用于签发Token，路由级配置时，要确保首先能匹配对应的路由    |
+| `global_credentials` | bool            | 选填                                        | ture            | 是否开启全局凭证，即允许路由A下的auth_path签发的Token可以用于访问路由B |
+| `auth_header_name`   | string          | 选填                                        | Authorization   | 用于指定从哪个请求头获取JWT                                            |
+| `token_ttl`          | number          | 选填                                        | 7200            | token从签发后多久内有效，单位为秒                      |
+| `clock_skew_seconds` | number          | 选填                                        | 60              | 校验JWT的exp和iat字段时允许的时钟偏移量，单位为秒                      |
+| `keep_token`         | bool            | 选填                                        | ture            | 转发给后端时是否保留JWT                                                |
+
+`consumers`中每一项的配置字段说明如下：
+
+| 名称                    | 数据类型          | 填写要求 | 默认值                                            | 描述                     |
+| ----------------------- | ----------------- | -------- | ------------------------------------------------- | ------------------------ |
+| `name`                  | string            | 必填     | -                                                 | 配置该consumer的名称     |
+| `client_id`             | string            | 必填     | -                                                 | OAuth2 client id         |
+| `client_secret`         | string            | 必填     | -                                                 | OAuth2 client secret     |
+
+`_rules_` 中每一项的配置字段说明如下：
+
+| 名称             | 数据类型        | 填写要求                                          | 默认值 | 描述                                               |
+| ---------------- | --------------- | ------------------------------------------------- | ------ | -------------------------------------------------- |
+| `_match_route_`  | array of string | 选填，`_match_route_`，`_match_domain_`中选填一项 | -      | 配置要匹配的路由名称                               |
+| `_match_domain_` | array of string | 选填，`_match_route_`，`_match_domain_`中选填一项 | -      | 配置要匹配的域名                                   |
+| `allow`          | array of string | 必填                                              | -      | 对于符合匹配条件的请求，配置允许访问的consumer名称 |
+
+**注意：**
+- 对于开启该配置的路由，如果路径后缀和`auth_path`匹配，则该路由到原目标服务，而是用于生成Token
+- 如果关闭`global_credentials`,请确保启用此插件的路由不是精确匹配路由，此时若存在另一条前缀匹配路由，则可能导致预期外行为
+- 若不配置`_rules_`字段，则默认对当前网关实例的所有路由开启认证；
+- 对于通过认证鉴权的请求，请求的header会被添加一个`X-Mse-Consumer`字段，用以标识调用者的名称。
+
+## 配置示例
+
+### 对特定路由或域名开启
+
+以下配置将对网关特定路由或域名开启 Jwt Auth 认证和鉴权，注意如果一个JWT能匹配多个`jwks`，则按照配置顺序命中第一个匹配的`consumer`
+
+```yaml
+consumers:
+- name: consumer1
+  client_id: 12345678-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+  client_secret: abcdefgh-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+- name: consumer2
+  client_id: 87654321-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+  client_secret: hgfedcba-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+# 使用 _rules_ 字段进行细粒度规则配置
+_rules_:
+# 规则一：按路由名称匹配生效
+- _match_route_:
+  - route-a
+  - route-b
+  allow:
+  - consumer1
+# 规则二：按域名匹配生效
+- _match_domain_:
+  - "*.example.com"
+  - test.com
+  allow:
+  - consumer2
+```
+
+此例 `_match_route_` 中指定的 `route-a` 和 `route-b` 即在创建网关路由时填写的路由名称，当匹配到这两个路由时，将允许`name`为`consumer1`的调用者访问，其他调用者不允许访问；
+
+此例 `_match_domain_` 中指定的 `*.example.com` 和 `test.com` 用于匹配请求的域名，当发现域名匹配时，将允许`name`为`consumer2`的调用者访问，其他调用者不允许访问。
+
+#### 使用 Client Credential 授权模式
+
+**获取 AccessToken**
+
+```bash
+
+# 通过 GET 方法获取
+
+curl 'http://test.com/oauth2/token?grant_type=client_credentials&client_id=12345678-xxxx-xxxx-xxxx-xxxxxxxxxxxx&client_secret=abcdefgh-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
+
+# 通过 POST 方法获取 (需要先匹配到有真实目标服务的路由)
+
+curl 'http://test.com/oauth2/token' -H 'content-type: application/x-www-form-urlencoded' -d 'grant_type=client_credentials&client_id=12345678-xxxx-xxxx-xxxx-xxxxxxxxxxxx&client_secret=abcdefgh-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
+
+# 获取响应中的 access_token 字段即可:
+{
+  "token_type": "bearer",
+  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6ImFwcGxpY2F0aW9uXC9hdCtqd3QifQ.eyJhdWQiOiJkZWZhdWx0IiwiY2xpZW50X2lkIjoiMTIzNDU2NzgteHh4eC14eHh4LXh4eHgteHh4eHh4eHh4eHh4IiwiZXhwIjoxNjg3OTUxNDYzLCJpYXQiOjE2ODc5NDQyNjMsImlzcyI6IkhpZ3Jlc3MtR2F0ZXdheSIsImp0aSI6IjEwOTU5ZDFiLThkNjEtNGRlYy1iZWE3LTk0ODEwMzc1YjYzYyIsInN1YiI6ImNvbnN1bWVyMSJ9.NkT_rG3DcV9543vBQgneVqoGfIhVeOuUBwLJJ4Wycb0",
+  "expires_in": 7200
+}
+
+```
+
+**使用 AccessToken 请求**
+
+```bash
+
+curl 'http://test.com' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6ImFwcGxpY2F0aW9uXC9hdCtqd3QifQ.eyJhdWQiOiJkZWZhdWx0IiwiY2xpZW50X2lkIjoiMTIzNDU2NzgteHh4eC14eHh4LXh4eHgteHh4eHh4eHh4eHh4IiwiZXhwIjoxNjg3OTUxNDYzLCJpYXQiOjE2ODc5NDQyNjMsImlzcyI6IkhpZ3Jlc3MtR2F0ZXdheSIsImp0aSI6IjEwOTU5ZDFiLThkNjEtNGRlYy1iZWE3LTk0ODEwMzc1YjYzYyIsInN1YiI6ImNvbnN1bWVyMSJ9.NkT_rG3DcV9543vBQgneVqoGfIhVeOuUBwLJJ4Wycb0'
+
+```
+因为 test.com 仅授权了 consumer2，但这个 Access Token 是基于 consumer1 的 `client_id`，`client_secret` 获取的，因此将返回 `403 Access Denied`
+
+
+### 网关实例级别开启
+
+以下配置未指定`_rules_`字段，因此将对网关实例级别开启 OAuth2 认证
+
+```yaml
+consumers:
+- name: consumer1
+  client_id: 12345678-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+  client_secret: abcdefgh-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+- name: consumer2
+  client_id: 87654321-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+  client_secret: hgfedcba-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+```
+
+# 常见错误码说明
+
+| HTTP 状态码 | 出错信息               | 原因说明                                                                         |
+| ----------- | ---------------------- | -------------------------------------------------------------------------------- |
+| 401         | Invalid Jwt token      | 请求头未提供JWT, 或者JWT格式错误，或过期等原因                                   |
+| 403         | Access Denied          | 无权限访问当前路由                                                               |
+
--- a/plugins/wasm-cpp/extensions/oauth/plugin.cc
+++ b/plugins/wasm-cpp/extensions/oauth/plugin.cc
@@ -0,0 +1,463 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "extensions/oauth/plugin.h"
+
+#include <algorithm>
+#include <array>
+#include <chrono>
+#include <cstdint>
+#include <memory>
+#include <optional>
+#include <string>
+#include <system_error>
+#include <unordered_set>
+#include <utility>
+
+#include "absl/strings/match.h"
+#include "absl/strings/str_cat.h"
+#include "absl/strings/str_format.h"
+#include "absl/strings/str_join.h"
+#include "absl/strings/str_split.h"
+#include "common/common_util.h"
+#include "common/http_util.h"
+#include "common/json_util.h"
+#include "uuid.h"
+
+using ::nlohmann::json;
+using ::Wasm::Common::JsonArrayIterate;
+using ::Wasm::Common::JsonGetField;
+using ::Wasm::Common::JsonObjectIterate;
+using ::Wasm::Common::JsonValueAs;
+
+#ifdef NULL_PLUGIN
+
+namespace proxy_wasm {
+namespace null_plugin {
+namespace oauth {
+
+PROXY_WASM_NULL_PLUGIN_REGISTRY
+
+#endif
+namespace {
+constexpr absl::string_view TokenResponseTemplate = R"(
+{
+  "token_type": "bearer",
+  "access_token": "%s",
+  "expires_in": %u
+})";
+const std::string& DefaultAudience = "default";
+const std::string& TypeHeader = "application/at+jwt";
+const std::string& BearerPrefix = "Bearer ";
+const std::string& ClientCredentialsGrant = "client_credentials";
+constexpr uint32_t MaximumUriLength = 256;
+constexpr std::string_view kRcDetailOAuthPrefix = "oauth_access_denied";
+std::string generateRcDetails(std::string_view error_msg) {
+  // Replace space with underscore since RCDetails may be written to access log.
+  // Some log processors assume each log segment is separated by whitespace.
+  return absl::StrCat(kRcDetailOAuthPrefix, "{",
+                      absl::StrJoin(absl::StrSplit(error_msg, ' '), "_"), "}");
+}
+}  // namespace
+static RegisterContextFactory register_OAuth(CONTEXT_FACTORY(PluginContext),
+                                             ROOT_FACTORY(PluginRootContext));
+
+#define JSON_FIND_FIELD(dict, field)               \
+  auto dict##_##field##_json = dict.find(#field);  \
+  if (dict##_##field##_json == dict.end()) {       \
+    LOG_WARN("can't find '" #field "' in " #dict); \
+    return false;                                  \
+  }
+
+#define JSON_VALUE_AS(type, src, dst, err_msg)                      \
+  auto dst##_v = JsonValueAs<type>(src);                            \
+  if (dst##_v.second != Wasm::Common::JsonParserResultDetail::OK || \
+      !dst##_v.first) {                                             \
+    LOG_WARN(#err_msg);                                             \
+    return false;                                                   \
+  }                                                                 \
+  auto& dst = dst##_v.first.value();
+
+#define JSON_FIELD_VALUE_AS(type, dict, field)                       \
+  JSON_VALUE_AS(type, dict##_##field##_json.value(), dict##_##field, \
+                "'" #field "' field in " #dict "convert to " #type " failed")
+
+bool PluginRootContext::generateToken(const OAuthConfigRule& rule,
+                                      const std::string& route_name,
+                                      const absl::string_view& raw_params,
+                                      std::string* token,
+                                      std::string* err_msg) {
+  auto params = Wasm::Common::Http::parseParameters(raw_params, 0, true);
+  auto it = params.find("grant_type");
+  if (it == params.end()) {
+    *err_msg = "grant_type is missing";
+    return false;
+  }
+  if (it->second != ClientCredentialsGrant) {
+    *err_msg = absl::StrFormat("grant_type:%s is not support", it->second);
+    return false;
+  }
+  it = params.find("client_id");
+  if (it == params.end()) {
+    *err_msg = "client_id is missing";
+    return false;
+  }
+  auto c_it = rule.consumers.find(it->second);
+  if (c_it == rule.consumers.end()) {
+    *err_msg = "invalid client_id or client_secret";
+    return false;
+  }
+  const auto& consumer = c_it->second;
+  it = params.find("client_secret");
+  if (it == params.end()) {
+    *err_msg = "client_secret is missing";
+    return false;
+  }
+  if (it->second != consumer.client_secret) {
+    *err_msg = "invalid client_id or client_secret";
+    return false;
+  }
+  auto jwt = jwt::create();
+  if (rule.global_credentials) {
+    jwt.set_audience(DefaultAudience);
+  } else {
+    jwt.set_audience(route_name);
+  }
+  it = params.find("scope");
+  if (it != params.end()) {
+    jwt.set_payload_claim("scope", jwt::claim(it->second));
+  }
+  std::random_device rd;
+  auto seed_data = std::array<int, std::mt19937::state_size>{};
+  std::generate(std::begin(seed_data), std::end(seed_data), std::ref(rd));
+  std::seed_seq seq(std::begin(seed_data), std::end(seed_data));
+  std::mt19937 generator(seq);
+  uuids::uuid_random_generator gen{generator};
+  std::error_code ec;
+  *token = jwt.set_issuer(rule.issuer)
+               .set_type(TypeHeader)
+               .set_subject(consumer.name)
+               .set_issued_at(std::chrono::system_clock::now())
+               .set_expires_at(std::chrono::system_clock::now() +
+                               std::chrono::seconds{rule.token_ttl})
+               .set_payload_claim("client_id", jwt::claim(consumer.client_id))
+               .set_id(uuids::to_string(gen()))
+               .sign(jwt::algorithm::hs256{consumer.client_secret}, ec);
+  if (ec) {
+    *err_msg = absl::StrCat("jwt sign failed: %s", ec.message());
+    return false;
+  }
+  return true;
+}
+
+bool PluginRootContext::parsePluginConfig(const json& conf,
+                                          OAuthConfigRule& rule) {
+  std::unordered_set<std::string> name_set;
+  if (!JsonArrayIterate(conf, "consumers", [&](const json& consumer) -> bool {
+        Consumer c;
+        JSON_FIND_FIELD(consumer, name);
+        JSON_FIELD_VALUE_AS(std::string, consumer, name);
+        if (name_set.count(consumer_name) != 0) {
+          LOG_WARN("consumer already exists: " + consumer_name);
+          return false;
+        }
+        c.name = consumer_name;
+        JSON_FIND_FIELD(consumer, client_id);
+        JSON_FIELD_VALUE_AS(std::string, consumer, client_id);
+        c.client_id = consumer_client_id;
+        if (rule.consumers.find(c.client_id) != rule.consumers.end()) {
+          LOG_WARN("consumer client_id already exists: " + c.client_id);
+          return false;
+        }
+        JSON_FIND_FIELD(consumer, client_secret);
+        JSON_FIELD_VALUE_AS(std::string, consumer, client_secret);
+        c.client_secret = consumer_client_secret;
+        rule.consumers.emplace(c.client_id, std::move(c));
+        name_set.insert(consumer_name);
+        return true;
+      })) {
+    LOG_WARN("failed to parse configuration for consumers.");
+    return false;
+  }
+  // if (rule.consumers.empty()) {
+  //   LOG_INFO("at least one consumer has to be configured for a rule.");
+  //   return false;
+  // }
+  auto conf_issuer_json = conf.find("issuer");
+  if (conf_issuer_json != conf.end()) {
+    JSON_FIELD_VALUE_AS(std::string, conf, issuer);
+    rule.issuer = conf_issuer;
+  }
+  auto conf_auth_header_json = conf.find("auth_header");
+  if (conf_auth_header_json != conf.end()) {
+    JSON_FIELD_VALUE_AS(std::string, conf, auth_header);
+    rule.auth_header_name = conf_auth_header;
+  }
+  auto conf_auth_path_json = conf.find("auth_path");
+  if (conf_auth_path_json != conf.end()) {
+    JSON_FIELD_VALUE_AS(std::string, conf, auth_path);
+    if (conf_auth_path.empty()) {
+      conf_auth_path = "/";
+    } else if (conf_auth_path[0] != '/') {
+      conf_auth_path = absl::StrCat("/", conf_auth_path);
+    }
+    rule.auth_path = conf_auth_path;
+  }
+  auto conf_global_credentials_json = conf.find("global_credentials");
+  if (conf_global_credentials_json != conf.end()) {
+    JSON_FIELD_VALUE_AS(bool, conf, global_credentials);
+    rule.global_credentials = conf_global_credentials;
+  }
+  auto conf_token_ttl_json = conf.find("token_ttl");
+  if (conf_token_ttl_json != conf.end()) {
+    JSON_FIELD_VALUE_AS(uint64_t, conf, token_ttl);
+    rule.token_ttl = conf_token_ttl;
+  }
+  auto conf_keep_token_json = conf.find("keep_token");
+  if (conf_keep_token_json != conf.end()) {
+    JSON_FIELD_VALUE_AS(bool, conf, keep_token);
+    rule.keep_token = conf_keep_token;
+  }
+  auto conf_clock_skew_seconds_json = conf.find("clock_skew_seconds");
+  if (conf_clock_skew_seconds_json != conf.end()) {
+    JSON_FIELD_VALUE_AS(uint64_t, conf, clock_skew_seconds);
+    rule.clock_skew = conf_clock_skew_seconds;
+  }
+  return true;
+}
+
+#define CLAIM_CHECK(token, claim, type)                     \
+  if (!token.has_payload_claim(#claim)) {                   \
+    LOG_DEBUG("claim is missing: " #claim);                 \
+    goto failed;                                            \
+  }                                                         \
+  if (token.get_payload_claim(#claim).get_type() != type) { \
+    LOG_DEBUG("claim is invalid: " #claim);                 \
+    goto failed;                                            \
+  }
+
+bool PluginRootContext::checkPlugin(
+    const OAuthConfigRule& rule,
+    const std::optional<std::unordered_set<std::string>>& allow_set,
+    const std::string& route_name) {
+  auto auth_header = getRequestHeader(rule.auth_header_name)->toString();
+  bool verified = false;
+  std::string token_str;
+  {
+    size_t pos;
+    if (auth_header.empty()) {
+      LOG_DEBUG("auth header is empty");
+      goto failed;
+    }
+    pos = auth_header.find(BearerPrefix);
+    if (pos == std::string::npos) {
+      LOG_DEBUG("auth header is not a bearer token");
+      goto failed;
+    }
+    auto start = pos + BearerPrefix.size();
+    token_str =
+        std::string{auth_header.c_str() + start, auth_header.size() - start};
+    auto token = jwt::decode(token_str);
+    CLAIM_CHECK(token, client_id, jwt::json::type::string);
+    CLAIM_CHECK(token, iss, jwt::json::type::string);
+    CLAIM_CHECK(token, sub, jwt::json::type::string);
+    CLAIM_CHECK(token, aud, jwt::json::type::string);
+    CLAIM_CHECK(token, exp, jwt::json::type::integer);
+    CLAIM_CHECK(token, iat, jwt::json::type::integer);
+    auto client_id = token.get_payload_claim("client_id").as_string();
+    auto it = rule.consumers.find(client_id);
+    if (it == rule.consumers.end()) {
+      LOG_DEBUG(absl::StrFormat("client_id not found:%s", client_id));
+      goto failed;
+    }
+    auto consumer = it->second;
+    auto verifier =
+        jwt::verify()
+            .allow_algorithm(jwt::algorithm::hs256{consumer.client_secret})
+            .with_issuer(rule.issuer)
+            .with_subject(consumer.name)
+            .with_type(TypeHeader)
+            .leeway(rule.clock_skew);
+    std::error_code ec;
+    verifier.verify(token, ec);
+    if (ec) {
+      LOG_INFO(absl::StrFormat("token verify failed, token:%s, reason:%s",
+                               token_str, ec.message()));
+      goto failed;
+    }
+    verified = true;
+    if (allow_set &&
+        allow_set.value().find(consumer.name) == allow_set.value().end()) {
+      LOG_DEBUG(absl::StrFormat("consumer:%s is not in route's:%s allow_set",
+                                consumer.name, route_name));
+      goto failed;
+    }
+    if (!rule.global_credentials) {
+      auto audience_json = token.get_payload_claim("aud");
+      if (audience_json.get_type() != jwt::json::type::string) {
+        LOG_DEBUG(absl::StrFormat("invalid audience, token:%s", token_str));
+        goto failed;
+      }
+      auto audience = audience_json.as_string();
+      if (audience != route_name) {
+        LOG_DEBUG(absl::StrFormat("audience:%s not match this route:%s",
+                                  audience, route_name));
+        goto failed;
+      }
+    }
+    if (!rule.keep_token) {
+      removeRequestHeader(rule.auth_header_name);
+    }
+    addRequestHeader("X-Mse-Consumer", consumer.name);
+    return true;
+  }
+failed:
+  if (!verified) {
+    auto authn_value = absl::StrCat(
+        "Bearer realm=\"",
+        Wasm::Common::Http::buildOriginalUri(MaximumUriLength), "\"");
+    sendLocalResponse(401, kRcDetailOAuthPrefix, "Invalid Jwt token",
+                      {{"WWW-Authenticate", authn_value}});
+  } else {
+    sendLocalResponse(403, kRcDetailOAuthPrefix, "Access Denied", {});
+  }
+  return false;
+}
+
+bool PluginRootContext::onConfigure(size_t size) {
+  // Parse configuration JSON string.
+  if (size > 0 && !configure(size)) {
+    LOG_WARN("configuration has errors initialization will not continue.");
+    setInvalidConfig();
+    return false;
+  }
+  return true;
+}
+
+bool PluginRootContext::configure(size_t configuration_size) {
+  auto configuration_data = getBufferBytes(WasmBufferType::PluginConfiguration,
+                                           0, configuration_size);
+  // Parse configuration JSON string.
+  auto result = ::Wasm::Common::JsonParse(configuration_data->view());
+  if (!result) {
+    LOG_WARN(absl::StrCat("cannot parse plugin configuration JSON string: ",
+                          configuration_data->view()));
+    return false;
+  }
+  if (!parseAuthRuleConfig(result.value())) {
+    LOG_WARN(absl::StrCat("cannot parse plugin configuration JSON string: ",
+                          configuration_data->view()));
+    return false;
+  }
+  return true;
+}
+
+FilterHeadersStatus PluginContext::onRequestHeaders(uint32_t, bool) {
+  auto* rootCtx = rootContext();
+  auto config = rootCtx->getMatchAuthConfig();
+  if (!config.first) {
+    return FilterHeadersStatus::Continue;
+  }
+  config_ = config.first;
+  getValue({"route_name"}, &route_name_);
+  auto path = getRequestHeader(Wasm::Common::Http::Header::Path)->toString();
+  auto params_pos = path.find('?');
+  size_t uri_end;
+  if (params_pos == std::string::npos) {
+    uri_end = path.size();
+  } else {
+    uri_end = params_pos;
+  }
+  // Authorize request
+  if (absl::EndsWith({path.c_str(), uri_end},
+                     config_.value().get().auth_path)) {
+    std::string err_msg, token;
+    auto method =
+        getRequestHeader(Wasm::Common::Http::Header::Method)->toString();
+    if (method == "GET") {
+      if (params_pos == std::string::npos) {
+        err_msg = "Authorize parameters are missing";
+        goto done;
+      }
+      params_pos++;
+      rootCtx->generateToken(
+          config_.value(), route_name_,
+          {path.c_str() + params_pos, path.size() - params_pos}, &token,
+          &err_msg);
+      goto done;
+    }
+    if (method == "POST") {
+      auto content_type =
+          getRequestHeader(Wasm::Common::Http::Header::ContentType)->toString();
+      if (!absl::StrContains(absl::AsciiStrToLower(content_type),
+                             "application/x-www-form-urlencoded")) {
+        err_msg = "Invalid content-type";
+        goto done;
+      }
+      check_body_params_ = true;
+    }
+  done:
+    if (!err_msg.empty()) {
+      sendLocalResponse(400, generateRcDetails(err_msg), err_msg, {});
+      return FilterHeadersStatus::StopIteration;
+    }
+    if (!token.empty()) {
+      sendLocalResponse(200, "",
+                        absl::StrFormat(TokenResponseTemplate, token,
+                                        config_.value().get().token_ttl),
+                        {{"Content-Type", "application/json"}});
+    }
+    return FilterHeadersStatus::Continue;
+  }
+  return rootCtx->checkAuthRule(
+             [rootCtx, this](const auto& config, const auto& allow_set) {
+               return rootCtx->checkPlugin(config, allow_set, route_name_);
+             })
+             ? FilterHeadersStatus::Continue
+             : FilterHeadersStatus::StopIteration;
+}
+
+FilterDataStatus PluginContext::onRequestBody(size_t body_size,
+                                              bool end_stream) {
+  if (!check_body_params_) {
+    return FilterDataStatus::Continue;
+  }
+  body_total_size_ += body_size;
+  if (!end_stream) {
+    return FilterDataStatus::StopIterationAndBuffer;
+  }
+  auto* rootCtx = rootContext();
+  auto body =
+      getBufferBytes(WasmBufferType::HttpRequestBody, 0, body_total_size_);
+  LOG_DEBUG(absl::StrFormat("authorize request body: %s", body->toString()));
+  std::string token, err_msg;
+  if (rootCtx->generateToken(config_.value(), route_name_, body->view(), &token,
+                             &err_msg)) {
+    sendLocalResponse(200, "",
+                      absl::StrFormat(TokenResponseTemplate, token,
+                                      config_.value().get().token_ttl),
+                      {{"Content-Type", "application/json"}});
+    return FilterDataStatus::Continue;
+  }
+  sendLocalResponse(400, generateRcDetails(err_msg), err_msg, {});
+  return FilterDataStatus::StopIterationNoBuffer;
+}
+
+#ifdef NULL_PLUGIN
+
+}  // namespace oauth
+}  // namespace null_plugin
+}  // namespace proxy_wasm
+
+#endif
--- a/plugins/wasm-cpp/extensions/oauth/plugin.h
+++ b/plugins/wasm-cpp/extensions/oauth/plugin.h
@@ -0,0 +1,105 @@
+/*
+ * Copyright (c) 2022 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <assert.h>
+
+#include <cstdint>
+#include <string>
+#include <unordered_map>
+#include <unordered_set>
+
+#include "common/route_rule_matcher.h"
+#include "jwt-cpp/jwt.h"
+#define ASSERT(_X) assert(_X)
+
+#ifndef NULL_PLUGIN
+
+#include "proxy_wasm_intrinsics.h"
+
+#else
+
+#include "include/proxy-wasm/null_plugin.h"
+
+namespace proxy_wasm {
+namespace null_plugin {
+namespace oauth {
+
+#endif
+
+struct Consumer {
+  std::string name;
+  std::string client_id;
+  std::string client_secret;
+};
+
+struct OAuthConfigRule {
+  std::unordered_map<std::string, Consumer> consumers;
+  std::string issuer = "Higress-Gateway";
+  std::string auth_header_name = "Authorization";
+  std::string auth_path = "/oauth2/token";
+  bool global_credentials = true;
+  uint64_t token_ttl = 7200;
+  bool keep_token = true;
+  uint64_t clock_skew = 60;
+};
+
+// PluginRootContext is the root context for all streams processed by the
+// thread. It has the same lifetime as the worker thread and acts as target for
+// interactions that outlives individual stream, e.g. timer, async calls.
+class PluginRootContext : public RootContext,
+                          public RouteRuleMatcher<OAuthConfigRule> {
+ public:
+  PluginRootContext(uint32_t id, std::string_view root_id)
+      : RootContext(id, root_id) {}
+  ~PluginRootContext() {}
+  bool onConfigure(size_t) override;
+  bool checkPlugin(const OAuthConfigRule&,
+                   const std::optional<std::unordered_set<std::string>>&,
+                   const std::string&);
+  bool configure(size_t);
+  bool generateToken(const OAuthConfigRule& rule, const std::string& route_name,
+                     const absl::string_view& raw_params, std::string* token,
+                     std::string* err_msg);
+
+ private:
+  bool parsePluginConfig(const json&, OAuthConfigRule&) override;
+};
+
+// Per-stream context.
+class PluginContext : public Context {
+ public:
+  explicit PluginContext(uint32_t id, RootContext* root) : Context(id, root) {}
+  FilterHeadersStatus onRequestHeaders(uint32_t, bool) override;
+  FilterDataStatus onRequestBody(size_t, bool) override;
+
+ private:
+  inline PluginRootContext* rootContext() {
+    return dynamic_cast<PluginRootContext*>(this->root());
+  }
+
+  std::string route_name_;
+  std::optional<std::reference_wrapper<OAuthConfigRule>> config_;
+  bool check_body_params_ = false;
+  size_t body_total_size_ = 0;
+};
+
+#ifdef NULL_PLUGIN
+
+}  // namespace oauth
+}  // namespace null_plugin
+}  // namespace proxy_wasm
+
+#endif
--- a/plugins/wasm-cpp/extensions/oauth/plugin_test.cc
+++ b/plugins/wasm-cpp/extensions/oauth/plugin_test.cc
@@ -0,0 +1,478 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "extensions/oauth/plugin.h"
+
+#include "gmock/gmock.h"
+#include "gtest/gtest.h"
+#include "include/proxy-wasm/context.h"
+#include "include/proxy-wasm/null.h"
+
+namespace proxy_wasm {
+namespace null_plugin {
+namespace oauth {
+
+NullPluginRegistry* context_registry_;
+RegisterNullVmPluginFactory register_oauth_plugin("oauth", []() {
+  return std::make_unique<NullPlugin>(oauth::context_registry_);
+});
+
+class MockContext : public proxy_wasm::ContextBase {
+ public:
+  MockContext(WasmBase* wasm) : ContextBase(wasm) {}
+
+  MOCK_METHOD(BufferInterface*, getBuffer, (WasmBufferType));
+  MOCK_METHOD(WasmResult, log, (uint32_t, std::string_view));
+  MOCK_METHOD(WasmDataPtr, getBufferBytes, (WasmBufferType, size_t, size_t));
+  MOCK_METHOD(WasmResult, getHeaderMapPairs, (WasmHeaderMapType, Pairs*));
+  MOCK_METHOD(WasmResult, getHeaderMapValue,
+              (WasmHeaderMapType /* type */, std::string_view /* jwt */,
+               std::string_view* /*result */));
+  MOCK_METHOD(WasmResult, addHeaderMapValue,
+              (WasmHeaderMapType /* type */, std::string_view /* jwt */,
+               std::string_view /* value */));
+  MOCK_METHOD(WasmResult, sendLocalResponse,
+              (uint32_t /* response_code */, std::string_view /* body */,
+               Pairs /* additional_headers */, uint32_t /* grpc_status */,
+               std::string_view /* details */));
+  MOCK_METHOD(uint64_t, getCurrentTimeNanoseconds, ());
+  MOCK_METHOD(WasmResult, getProperty, (std::string_view, std::string*));
+  MOCK_METHOD(WasmResult, httpCall,
+              (std::string_view, const Pairs&, std::string_view, const Pairs&,
+               int, uint32_t*));
+};
+
+class OAuthTest : public ::testing::Test {
+ protected:
+  OAuthTest() {
+    // Initialize test VM
+    test_vm_ = createNullVm();
+    wasm_base_ = std::make_unique<WasmBase>(
+        std::move(test_vm_), "test-vm", "", "",
+        std::unordered_map<std::string, std::string>{},
+        AllowedCapabilitiesMap{});
+    wasm_base_->load("oauth");
+    wasm_base_->initialize();
+
+    // Initialize host side context
+    mock_context_ = std::make_unique<MockContext>(wasm_base_.get());
+    current_context_ = mock_context_.get();
+
+    ON_CALL(*mock_context_, log(testing::_, testing::_))
+        .WillByDefault([](uint32_t, std::string_view m) {
+          std::cerr << m << "\n";
+          return WasmResult::Ok;
+        });
+
+    ON_CALL(*mock_context_, getHeaderMapValue(WasmHeaderMapType::RequestHeaders,
+                                              testing::_, testing::_))
+        .WillByDefault([&](WasmHeaderMapType, std::string_view header,
+                           std::string_view* result) {
+          if (header == ":authority") {
+            *result = authority_;
+          }
+          if (header == ":path") {
+            *result = path_;
+          }
+          if (header == ":method") {
+            *result = method_;
+          }
+          if (header == "Authorization") {
+            *result = jwt_header_;
+          }
+          if (header == "content-type") {
+            *result = content_type_;
+          }
+          if (header == "x-custom-header") {
+            *result = custom_header_;
+          }
+          return WasmResult::Ok;
+        });
+    ON_CALL(*mock_context_, addHeaderMapValue(WasmHeaderMapType::RequestHeaders,
+                                              testing::_, testing::_))
+        .WillByDefault([&](WasmHeaderMapType, std::string_view jwt,
+                           std::string_view value) { return WasmResult::Ok; });
+
+    ON_CALL(*mock_context_, getCurrentTimeNanoseconds()).WillByDefault([&]() {
+      return current_time_;
+    });
+
+    ON_CALL(*mock_context_, getProperty(testing::_, testing::_))
+        .WillByDefault([&](std::string_view path, std::string* result) {
+          *result = route_name_;
+          return WasmResult::Ok;
+        });
+
+    ON_CALL(*mock_context_, getBufferBytes(WasmBufferType::HttpCallResponseBody,
+                                           testing::_, testing::_))
+        .WillByDefault([&](WasmBufferType, size_t, size_t) {
+          return std::make_unique<WasmData>(http_call_body_.data(),
+                                            http_call_body_.size());
+        });
+
+    ON_CALL(*mock_context_,
+            getHeaderMapPairs(WasmHeaderMapType::HttpCallResponseHeaders,
+                              testing::_))
+        .WillByDefault([&](WasmHeaderMapType, Pairs* result) {
+          *result = http_call_headers_;
+          return WasmResult::Ok;
+        });
+
+    ON_CALL(*mock_context_, httpCall(testing::_, testing::_, testing::_,
+                                     testing::_, testing::_, testing::_))
+        .WillByDefault([&](std::string_view, const Pairs&, std::string_view,
+                           const Pairs&, int, uint32_t* token_ptr) {
+          root_context_->onHttpCallResponse(
+              *token_ptr, http_call_headers_.size(), http_call_body_.size(), 0);
+          return WasmResult::Ok;
+        });
+
+    // Initialize Wasm sandbox context
+    root_context_ = std::make_unique<PluginRootContext>(0, "");
+    context_ = std::make_unique<PluginContext>(1, root_context_.get());
+  }
+  ~OAuthTest() override {}
+
+  std::unique_ptr<WasmBase> wasm_base_;
+  std::unique_ptr<WasmVm> test_vm_;
+  std::unique_ptr<MockContext> mock_context_;
+
+  std::unique_ptr<PluginRootContext> root_context_;
+  std::unique_ptr<PluginContext> context_;
+
+  std::string path_;
+  std::string method_;
+  std::string authority_;
+  std::string route_name_;
+  std::string jwt_header_;
+  std::string custom_header_;
+  std::string content_type_;
+  uint64_t current_time_;
+
+  Pairs http_call_headers_;
+  std::string http_call_body_;
+};
+
+TEST_F(OAuthTest, generateToken) {
+  std::string configuration = R"(
+{
+    "consumers": [
+        {
+            "name": "consumer1",
+            "client_id": "9515b564-0b1d-11ee-9c4c-00163e1250b5",
+            "client_secret": "9e55de56-0b1d-11ee-b8ec-00163e1250b5"
+        }
+    ],
+    "auth_path": "test/token"
+})";
+  BufferBase buffer;
+  buffer.set({configuration.data(), configuration.size()});
+  EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
+      .WillOnce([&buffer](WasmBufferType) { return &buffer; });
+  EXPECT_TRUE(root_context_->configure(configuration.size()));
+  path_ = "/abc/test/token";
+  method_ = "GET";
+  EXPECT_CALL(*mock_context_,
+              sendLocalResponse(
+                  400, std::string_view("Authorize parameters are missing"),
+                  testing::_, testing::_, testing::_));
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::StopIteration);
+  path_ = "/abc/test/token?";
+  method_ = "GET";
+  EXPECT_CALL(*mock_context_,
+              sendLocalResponse(400, std::string_view("grant_type is missing"),
+                                testing::_, testing::_, testing::_));
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::StopIteration);
+  path_ =
+      "/abc/test/"
+      "token?grant_type=client_credentials";
+  method_ = "GET";
+  EXPECT_CALL(*mock_context_,
+              sendLocalResponse(400, std::string_view("client_id is missing"),
+                                testing::_, testing::_, testing::_));
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::StopIteration);
+  path_ =
+      "/abc/test/"
+      "token?grant_type=client_credentials&client_id=9515b564-0b1d-11ee-9c4c-"
+      "00163e1250b5&client_secret=abcd";
+  method_ = "GET";
+  EXPECT_CALL(*mock_context_,
+              sendLocalResponse(
+                  400, std::string_view("invalid client_id or client_secret"),
+                  testing::_, testing::_, testing::_));
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::StopIteration);
+  path_ =
+      "/abc/test/"
+      "token?grant_type=client_credentials&client_id=9515b564-0b1d-11ee-9c4c-"
+      "00163e1250b5&client_secret=9e55de56-0b1d-11ee-b8ec-00163e1250b5";
+  method_ = "GET";
+  EXPECT_CALL(*mock_context_, sendLocalResponse(200, testing::_, testing::_,
+                                                testing::_, testing::_));
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::Continue);
+
+  path_ = "/abc/test/token";
+  method_ = "POST";
+  content_type_ = "application/x-www-form-urlencoded; charset=utf8";
+  std::string body = "grant_type=client_credentials&client_id=wrongid";
+  BufferBase body_buffer;
+  body_buffer.set({body.data(), body.size()});
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::Continue);
+  EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::HttpRequestBody))
+      .WillOnce([&body_buffer](WasmBufferType) { return &body_buffer; });
+  EXPECT_CALL(*mock_context_,
+              sendLocalResponse(
+                  400, std::string_view("invalid client_id or client_secret"),
+                  testing::_, testing::_, testing::_));
+  EXPECT_EQ(context_->onRequestBody(body.size(), true),
+            FilterDataStatus::StopIterationNoBuffer);
+
+  path_ = "/abc/test/token";
+  method_ = "POST";
+  content_type_ = "application/x-www-form-urlencoded; charset=utf8";
+  body =
+      "grant_type=client_credentials&client_id=9515b564-0b1d-11ee-9c4c-"
+      "00163e1250b5&client_secret=9e55de56-0b1d-11ee-b8ec-00163e1250b5";
+  body_buffer;
+  body_buffer.set({body.data(), body.size()});
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::Continue);
+  EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::HttpRequestBody))
+      .WillOnce([&body_buffer](WasmBufferType) { return &body_buffer; });
+  EXPECT_CALL(*mock_context_, sendLocalResponse(200, testing::_, testing::_,
+                                                testing::_, testing::_));
+  EXPECT_EQ(context_->onRequestBody(body.size(), true),
+            FilterDataStatus::Continue);
+}
+
+TEST_F(OAuthTest, invalidToken) {
+  std::string configuration = R"(
+{
+    "consumers": [
+        {
+            "name": "consumer1",
+            "client_id": "9515b564-0b1d-11ee-9c4c-00163e1250b5",
+            "client_secret": "9e55de56-0b1d-11ee-b8ec-00163e1250b5"
+        }
+    ]
+})";
+  BufferBase buffer;
+  buffer.set({configuration.data(), configuration.size()});
+
+  EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
+      .WillOnce([&buffer](WasmBufferType) { return &buffer; });
+  EXPECT_TRUE(root_context_->configure(configuration.size()));
+  jwt_header_ = R"(Bearer alksdjf)";
+  EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
+                                                testing::_, testing::_));
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::StopIteration);
+  jwt_header_ = R"(alksdjf)";
+  EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
+                                                testing::_, testing::_));
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::StopIteration);
+  jwt_header_ =
+      R"(Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6ImFwcGxpY2F0aW9uL2F0K2p3dCJ9.eyJhdWQiOiJkZWZhdWx0IiwiZXhwIjoxNjY1NjczODI5LCJpYXQiOjE2NjU2NzM4MTksImlzcyI6IkhpZ3Jlc3MtR2F0ZXdheSIsImp0aSI6IjEwOTU5ZDFiLThkNjEtNGRlYy1iZWE3LTk0ODEwMzc1YjYzYyIsInNjb3BlIjoidGVzdCIsInN1YiI6ImNvbnN1bWVyMiJ9.al7eoRdoNQlNx8HCqNesj7woiLOJmJLSqnZ)";
+  EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
+                                                testing::_, testing::_));
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::StopIteration);
+}
+
+TEST_F(OAuthTest, expire) {
+  std::string configuration = R"(
+{
+    "consumers": [
+        {
+            "name": "consumer1",
+            "client_id": "9515b564-0b1d-11ee-9c4c-00163e1250b5",
+            "client_secret": "9e55de56-0b1d-11ee-b8ec-00163e1250b5"
+        }
+    ]
+})";
+  BufferBase buffer;
+  buffer.set({configuration.data(), configuration.size()});
+
+  EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
+      .WillOnce([&buffer](WasmBufferType) { return &buffer; });
+  EXPECT_TRUE(root_context_->configure(configuration.size()));
+  jwt_header_ =
+      R"(Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6ImFwcGxpY2F0aW9uL2F0K2p3dCJ9.eyJhdWQiOiJ0ZXN0MiIsImNsaWVudF9pZCI6Ijk1MTViNTY0LTBiMWQtMTFlZS05YzRjLTAwMTYzZTEyNTBiNSIsImV4cCI6MTY2NTY3MzgyOSwiaWF0IjoxNjY1NjczODE5LCJpc3MiOiJIaWdyZXNzLUdhdGV3YXkiLCJqdGkiOiIxMDk1OWQxYi04ZDYxLTRkZWMtYmVhNy05NDgxMDM3NWI2M2MiLCJzY29wZSI6InRlc3QiLCJzdWIiOiJjb25zdW1lcjEifQ.LsZ6mlRxlaqWa0IAZgmGVuDgypRbctkTcOyoCxqLrHY)";
+  route_name_ = "test2";
+  EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
+                                                testing::_, testing::_));
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::StopIteration);
+}
+
+TEST_F(OAuthTest, routeAuth) {
+  std::string configuration = R"(
+{
+    "consumers": [
+        {
+            "name": "consumer1",
+            "client_id": "9515b564-0b1d-11ee-9c4c-00163e1250b5",
+            "client_secret": "9e55de56-0b1d-11ee-b8ec-00163e1250b5"
+        }
+    ],
+    "global_credentials": false,
+    "clock_skew_seconds": 3153600000
+})";
+  BufferBase buffer;
+  buffer.set({configuration.data(), configuration.size()});
+
+  EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
+      .WillOnce([&buffer](WasmBufferType) { return &buffer; });
+  EXPECT_TRUE(root_context_->configure(configuration.size()));
+  jwt_header_ =
+      R"(Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6ImFwcGxpY2F0aW9uL2F0K2p3dCJ9.eyJhdWQiOiJ0ZXN0MiIsImNsaWVudF9pZCI6Ijk1MTViNTY0LTBiMWQtMTFlZS05YzRjLTAwMTYzZTEyNTBiNSIsImV4cCI6MTY2NTY3MzgyOSwiaWF0IjoxNjY1NjczODE5LCJpc3MiOiJIaWdyZXNzLUdhdGV3YXkiLCJqdGkiOiIxMDk1OWQxYi04ZDYxLTRkZWMtYmVhNy05NDgxMDM3NWI2M2MiLCJzY29wZSI6InRlc3QiLCJzdWIiOiJjb25zdW1lcjEifQ.LsZ6mlRxlaqWa0IAZgmGVuDgypRbctkTcOyoCxqLrHY)";
+  EXPECT_CALL(*mock_context_, sendLocalResponse(403, testing::_, testing::_,
+                                                testing::_, testing::_));
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::StopIteration);
+  route_name_ = "test2";
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::Continue);
+}
+
+TEST_F(OAuthTest, globalAuth) {
+  std::string configuration = R"(
+{
+    "consumers": [
+        {
+            "name": "consumer1",
+            "client_id": "9515b564-0b1d-11ee-9c4c-00163e1250b5",
+            "client_secret": "9e55de56-0b1d-11ee-b8ec-00163e1250b5"
+        }
+    ],
+    "clock_skew_seconds": 3153600000
+})";
+  BufferBase buffer;
+  buffer.set({configuration.data(), configuration.size()});
+
+  EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
+      .WillOnce([&buffer](WasmBufferType) { return &buffer; });
+  EXPECT_TRUE(root_context_->configure(configuration.size()));
+  jwt_header_ =
+      R"(Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6ImFwcGxpY2F0aW9uL2F0K2p3dCJ9.eyJhdWQiOiJ0ZXN0MiIsImNsaWVudF9pZCI6Ijk1MTViNTY0LTBiMWQtMTFlZS05YzRjLTAwMTYzZTEyNTBiNSIsImV4cCI6MTY2NTY3MzgyOSwiaWF0IjoxNjY1NjczODE5LCJpc3MiOiJIaWdyZXNzLUdhdGV3YXkiLCJqdGkiOiIxMDk1OWQxYi04ZDYxLTRkZWMtYmVhNy05NDgxMDM3NWI2M2MiLCJzY29wZSI6InRlc3QiLCJzdWIiOiJjb25zdW1lcjEifQ.LsZ6mlRxlaqWa0IAZgmGVuDgypRbctkTcOyoCxqLrHY)";
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::Continue);
+}
+
+TEST_F(OAuthTest, AuthZ) {
+  std::string configuration = R"(
+{
+    "consumers": [
+        {
+            "name": "consumer1",
+            "client_id": "9515b564-0b1d-11ee-9c4c-00163e1250b5",
+            "client_secret": "9e55de56-0b1d-11ee-b8ec-00163e1250b5"
+        },
+        {
+            "name": "consumer2",
+            "client_id": "d001d242-0bf0-11ee-97cb-00163e1250b5",
+            "client_secret": "d60bdafc-0bf0-11ee-afba-00163e1250b5"
+        }
+    ],
+    "clock_skew_seconds": 3153600000,
+    "global_credentials": true,
+    "_rules_": [
+        {
+            "_match_route_": [
+                "test1"
+            ],
+            "allow": [
+                "consumer2"
+            ]
+        },
+        {
+            "_match_route_": [
+                "test2"
+            ],
+            "allow": [
+                "consumer1"
+            ]
+        }
+    ]
+})";
+  BufferBase buffer;
+  buffer.set({configuration.data(), configuration.size()});
+
+  EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
+      .WillOnce([&buffer](WasmBufferType) { return &buffer; });
+  EXPECT_TRUE(root_context_->configure(configuration.size()));
+  jwt_header_ =
+      R"(Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6ImFwcGxpY2F0aW9uL2F0K2p3dCJ9.eyJhdWQiOiJ0ZXN0MiIsImNsaWVudF9pZCI6Ijk1MTViNTY0LTBiMWQtMTFlZS05YzRjLTAwMTYzZTEyNTBiNSIsImV4cCI6MTY2NTY3MzgyOSwiaWF0IjoxNjY1NjczODE5LCJpc3MiOiJIaWdyZXNzLUdhdGV3YXkiLCJqdGkiOiIxMDk1OWQxYi04ZDYxLTRkZWMtYmVhNy05NDgxMDM3NWI2M2MiLCJzY29wZSI6InRlc3QiLCJzdWIiOiJjb25zdW1lcjEifQ.LsZ6mlRxlaqWa0IAZgmGVuDgypRbctkTcOyoCxqLrHY)";
+  route_name_ = "test1";
+  EXPECT_CALL(*mock_context_, sendLocalResponse(403, testing::_, testing::_,
+                                                testing::_, testing::_));
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::StopIteration);
+  route_name_ = "test2";
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::Continue);
+  jwt_header_ =
+      R"(Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6ImFwcGxpY2F0aW9uL2F0K2p3dCJ9.eyJhdWQiOiJkZWZhdWx0IiwiY2xpZW50X2lkIjoiZDAwMWQyNDItMGJmMC0xMWVlLTk3Y2ItMDAxNjNlMTI1MGI1IiwiZXhwIjoxNjY1NjczODI5LCJpYXQiOjE2NjU2NzM4MTksImlzcyI6IkhpZ3Jlc3MtR2F0ZXdheSIsImp0aSI6IjEwOTU5ZDFiLThkNjEtNGRlYy1iZWE3LTk0ODEwMzc1YjYzYyIsInNjb3BlIjoidGVzdCIsInN1YiI6ImNvbnN1bWVyMiJ9.whS5U7llGX2BNAX19mjyxiWXa7wVs0_ONVByKVR9ntM)";
+  route_name_ = "test2";
+  EXPECT_CALL(*mock_context_, sendLocalResponse(403, testing::_, testing::_,
+                                                testing::_, testing::_));
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::StopIteration);
+  route_name_ = "test1";
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::Continue);
+}
+
+TEST_F(OAuthTest, EmptyConsumer) {
+  std::string configuration = R"(
+{
+    "consumers": [
+    ],
+    "_rules_": [
+        {
+            "_match_route_": [
+                "test1"
+            ],
+            "allow": [
+            ]
+        }
+    ]
+})";
+  BufferBase buffer;
+  buffer.set({configuration.data(), configuration.size()});
+
+  EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
+      .WillOnce([&buffer](WasmBufferType) { return &buffer; });
+  EXPECT_TRUE(root_context_->configure(configuration.size()));
+  jwt_header_ =
+      R"(Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6ImFwcGxpY2F0aW9uL2F0K2p3dCJ9.eyJhdWQiOiJ0ZXN0MiIsImNsaWVudF9pZCI6Ijk1MTViNTY0LTBiMWQtMTFlZS05YzRjLTAwMTYzZTEyNTBiNSIsImV4cCI6MTY2NTY3MzgyOSwiaWF0IjoxNjY1NjczODE5LCJpc3MiOiJIaWdyZXNzLUdhdGV3YXkiLCJqdGkiOiIxMDk1OWQxYi04ZDYxLTRkZWMtYmVhNy05NDgxMDM3NWI2M2MiLCJzY29wZSI6InRlc3QiLCJzdWIiOiJjb25zdW1lcjEifQ.LsZ6mlRxlaqWa0IAZgmGVuDgypRbctkTcOyoCxqLrHY)";
+  route_name_ = "test1";
+  EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
+                                                testing::_, testing::_));
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::StopIteration);
+  route_name_ = "test2";
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::Continue);
+}
+
+}  // namespace oauth
+}  // namespace null_plugin
+}  // namespace proxy_wasm
--- a/plugins/wasm-go/pkg/matcher/rule_matcher.go
+++ b/plugins/wasm-go/pkg/matcher/rule_matcher.go
@@ -109,7 +109,6 @@ func (m *RuleMatcher[PluginConfig]) ParseRuleConfig(config gjson.Result,
 	if keyCount > 0 {
 		err := parsePluginConfig(config, &pluginConfig)
 		if err != nil {
-			proxywasm.LogWarnf("parse global config failed, err:%v", err)
 			globalConfigError = err
 		} else {
 			m.globalConfig = pluginConfig
@@ -185,7 +184,25 @@ func (m RuleMatcher[PluginConfig]) parseHostMatchConfig(config gjson.Result) []H
 	return hostMatchers
 }

+func stripPortFromHost(reqHost string) string {
+	// Port removing code is inspired by
+	// https://github.com/envoyproxy/envoy/blob/v1.17.0/source/common/http/header_utility.cc#L219
+	portStart := strings.LastIndexByte(reqHost, ':')
+	if portStart != -1 {
+		// According to RFC3986 v6 address is always enclosed in "[]".
+		// section 3.2.2.
+		v6EndIndex := strings.LastIndexByte(reqHost, ']')
+		if v6EndIndex == -1 || v6EndIndex < portStart {
+			if portStart+1 <= len(reqHost) {
+				return reqHost[:portStart]
+			}
+		}
+	}
+	return reqHost
+}
+
 func (m RuleMatcher[PluginConfig]) hostMatch(rule RuleConfig[PluginConfig], reqHost string) bool {
+	reqHost = stripPortFromHost(reqHost)
 	for _, hostMatch := range rule.hosts {
 		switch hostMatch.matchType {
 		case Suffix:
--- a/plugins/wasm-go/pkg/matcher/rule_matcher_test.go
+++ b/plugins/wasm-go/pkg/matcher/rule_matcher_test.go
@@ -118,6 +118,19 @@ func TestHostMatch(t *testing.T) {
 			host:   "example.com",
 			result: false,
 		},
+		{
+			name: "exact port",
+			config: RuleConfig[customConfig]{
+				hosts: []HostMatcher{
+					{
+						matchType: Exact,
+						host:      "www.example.com",
+					},
+				},
+			},
+			host:   "www.example.com:8080",
+			result: true,
+		},
 		{
 			name: "any",
 			config: RuleConfig[customConfig]{
--- a/test/e2e/conformance/tests/httproute-request-header-control.go
+++ b/test/e2e/conformance/tests/httproute-request-header-control.go
@@ -78,8 +78,10 @@ var HTTPRouteRequestHeaderControl = suite.ConformanceTest{
 							Path: "/foo2",
 							Host: "foo.com",
 							Headers: map[string]string{
-								"stage":  "test",
-								"canary": "true",
+								"stage":   "test",
+								"canary":  "true",
+								"x-test":  "higress; test=true",
+								"x-test2": "higress; test=false",
 							},
 						},
 					},
--- a/test/e2e/conformance/tests/httproute-request-header-control.yaml
+++ b/test/e2e/conformance/tests/httproute-request-header-control.yaml
@@ -40,6 +40,8 @@ metadata:
    higress.io/request-header-control-add: |
      stage test
      canary true
+      x-test "higress; test=true"
+      'x-test2' "higress; test=false"
  name: httproute-request-header-control-add-more
  namespace: higress-conformance-infra
 spec:
Author	SHA1	Message	Date
johnlanni	14742705b1	add timeout&local-rate-limt annotations	2023-11-16 17:33:03 +08:00
澄潭	b204ad4c8d	rel: Release version 1.3.1 (#640 )	2023-11-16 11:31:37 +08:00
澄潭	34054f8c76	optimize xds push (#638 )	2023-11-16 09:32:58 +08:00
澄潭	6803aa44ab	add new helm value for cds push (#639 )	2023-11-16 09:31:25 +08:00
澄潭	e5cd334d5d	support timeout and ratelimit (#637 )	2023-11-15 20:43:49 +08:00
澄潭	88c0386ca3	more compatiable with nginx's rewrite (#636 )	2023-11-14 18:59:13 +08:00
澄潭	5174397e7c	Sync inner fix (#634 )	2023-11-14 11:15:26 +08:00
澄潭	cb0479510f	add oauth2 plugin (#632 )	2023-11-13 11:03:46 +08:00
Jun	57b8cb1d69	fix: fix hgctl in high kubenetes version problem by auto detecting k8s version and adding helm lookup function (#629 )	2023-11-08 20:55:54 +08:00
澄潭	9f5b795a4d	wasm: strip port from host when match host (#626 )	2023-11-07 17:11:56 +08:00