Update Makefile.core.mk

Co-authored-by: Kent Dong <ch3cho@qq.com>

.github/workflows/build-and-test-plugin.yaml

@@ -7,19 +7,20 @@ on:
       - 'plugins/**'
       - 'test/**'
   pull_request:
-    branches: ["*"]
+    branches: [ "*" ]
     paths:
       - 'plugins/**'
       - 'test/**'
+  workflow_dispatch: ~      
 
 jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
-    - uses: actions/setup-go@v3
-      with:
-        go-version: 1.19
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
     # There are too many lint errors in current code bases
     # uncomment when we decide what lint should be addressed or ignored.
     # - run: make lint
@@ -31,40 +32,53 @@ jobs:
         # TODO(Xunzhuo): Enable C WASM Filters in CI
         wasmPluginType: [ GO ]
     steps:
-    - uses: actions/checkout@v3
-      
-    - name: "Setup Go"
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.19
+      - uses: actions/checkout@v3
 
-    - name: Setup Golang Caches
-      uses: actions/cache@v3
-      with:
-        path: |-
-          ~/.cache/go-build
-          ~/go/pkg/mod
-        key: ${{ runner.os }}-go-${{ github.run_id }}
-        restore-keys: |
-          ${{ runner.os }}-go
-      
-    - name: Setup Submodule Caches
-      uses: actions/cache@v3
-      with:
-        path: |-
-            envoy
-            istio
+      - name: Free Up GitHub Actions Ubuntu Runner Disk Space 🔧
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: false
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          swap-storage: true      
+
+      - name: "Setup Go"
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+
+      - name: Setup Golang Caches
+        uses: actions/cache@v3
+        with:
+          path: |-
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ github.run_id }}
+          restore-keys: |
+            ${{ runner.os }}-go
+
+      - name: Setup Submodule Caches
+        uses: actions/cache@v3
+        with:
+          path: |-
             .git/modules
-        key: ${{ runner.os }}-submodules-new-${{ github.run_id }}
-        restore-keys: ${{ runner.os }}-submodules-new
-          
-    - run: git stash # restore patch
+          key: ${{ runner.os }}-submodules-cache-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-submodules-cache
 
-    - name: "Run Ingress WasmPlugins Tests"
-      run: GOPROXY="https://proxy.golang.org,direct" PLUGIN_TYPE=${{ matrix.wasmPluginType }} make higress-wasmplugin-test
+      - run: git stash # restore patch
+
+      - name: "Run Ingress WasmPlugins Tests"
+        uses: nick-fields/retry@v3
+        with:
+          timeout_minutes: 25
+          max_attempts: 3
+          retry_on: error
+          command: GOPROXY="https://proxy.golang.org,direct" PLUGIN_TYPE=${{ matrix.wasmPluginType }} make higress-wasmplugin-test
 
   publish:
     runs-on: ubuntu-latest
-    needs: [higress-wasmplugin-test]
+    needs: [ higress-wasmplugin-test ]
     steps:
-    - uses: actions/checkout@v3
+      - uses: actions/checkout@v3

.github/workflows/build-and-test.yaml

@@ -36,11 +36,9 @@ jobs:
       uses: actions/cache@v3
       with:
         path: |-
-            envoy
-            istio
             .git/modules
-        key: ${{ runner.os }}-submodules-new-${{ github.run_id }}
-        restore-keys: ${{ runner.os }}-submodules-new
+        key: ${{ runner.os }}-submodules-cache-${{ github.run_id }}
+        restore-keys: ${{ runner.os }}-submodules-cache
     
     - run: git stash # restore patch
 
@@ -50,7 +48,7 @@ jobs:
     - name: Upload coverage to Codecov
       uses: codecov/codecov-action@v3
       with:
-        fail_ci_if_error: true
+        fail_ci_if_error: false
         files: ./coverage.xml
         verbose: true
 
@@ -82,11 +80,9 @@ jobs:
         uses: actions/cache@v3
         with:
           path: |-
-            envoy
-            istio
             .git/modules
-          key: ${{ runner.os }}-submodules-new-${{ github.run_id }}
-          restore-keys: ${{ runner.os }}-submodules-new
+          key: ${{ runner.os }}-submodules-cache-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-submodules-cache
 
       - run: git stash # restore patch
 
@@ -130,11 +126,9 @@ jobs:
       uses: actions/cache@v3
       with:
         path: |-
-            envoy
-            istio
             .git/modules
-        key: ${{ runner.os }}-submodules-new-${{ github.run_id }}
-        restore-keys: ${{ runner.os }}-submodules-new
+        key: ${{ runner.os }}-submodules-cache-${{ github.run_id }}
+        restore-keys: ${{ runner.os }}-submodules-cache
           
     - run: git stash # restore patch
 

.github/workflows/build-image-and-push.yaml

@@ -20,6 +20,16 @@ jobs:
         with:
           fetch-depth: 1
 
+      - name: Free Up GitHub Actions Ubuntu Runner Disk Space 🔧
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: false
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          swap-storage: true
+
       - name: "Setup Go"
         uses: actions/setup-go@v3
         with:
@@ -86,6 +96,16 @@ jobs:
         with:
           fetch-depth: 1
 
+      - name: Free Up GitHub Actions Ubuntu Runner Disk Space 🔧
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: false
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          swap-storage: true
+
       - name: "Setup Go"
         uses: actions/setup-go@v3
         with:
@@ -153,6 +173,16 @@ jobs:
         with:
           fetch-depth: 1
 
+      - name: Free Up GitHub Actions Ubuntu Runner Disk Space 🔧
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: false
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          swap-storage: true
+
       - name: "Setup Go"
         uses: actions/setup-go@v3
         with:

.github/workflows/latest-release.yaml

@@ -18,6 +18,8 @@ jobs:
         tar -zcvf hgctl_latest_linux_arm64.tar.gz out/linux_arm64/
         tar -zcvf hgctl_latest_darwin_amd64.tar.gz out/darwin_amd64/
         tar -zcvf hgctl_latest_darwin_arm64.tar.gz out/darwin_arm64/
+        zip -q -r hgctl_latest_windows_amd64.zip out/windows_amd64/
+        zip -q -r hgctl_latest_windows_arm64.zip out/windows_arm64/
 
     # Ignore the error when we delete the latest release, it might not exist.
 
@@ -54,6 +56,8 @@ jobs:
           hgctl_latest_linux_arm64.tar.gz
           hgctl_latest_darwin_amd64.tar.gz
           hgctl_latest_darwin_arm64.tar.gz
+          hgctl_latest_windows_amd64.zip
+          hgctl_latest_windows_arm64.zip
         body: |
           This is the "latest" release of **Higress**, which contains the most recent commits from the main branch.
           

.github/workflows/release-hgctl.yaml

@@ -0,0 +1,37 @@
+name: Release hgctl to GitHub
+
+on:
+  push:
+    tags:
+    - "v*.*.*"
+  workflow_dispatch: ~
+
+jobs:
+  release-hgctl:
+    runs-on: ubuntu-latest
+    env:
+      HGCTL_VERSION: ${{github.ref_name}}
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Build hgctl latest multiarch binaries
+      run: |
+        GOPROXY="https://proxy.golang.org,direct" make build-hgctl-multiarch
+        tar -zcvf hgctl_${{ env.HGCTL_VERSION }}_linux_amd64.tar.gz out/linux_amd64/
+        tar -zcvf hgctl_${{ env.HGCTL_VERSION }}_linux_arm64.tar.gz out/linux_arm64/
+        tar -zcvf hgctl_${{ env.HGCTL_VERSION }}_darwin_amd64.tar.gz out/darwin_amd64/
+        tar -zcvf hgctl_${{ env.HGCTL_VERSION }}_darwin_arm64.tar.gz out/darwin_arm64/
+        zip -q -r hgctl_${{ env.HGCTL_VERSION }}_windows_amd64.zip out/windows_amd64/
+        zip -q -r hgctl_${{ env.HGCTL_VERSION }}_windows_arm64.zip out/windows_arm64/
+
+    - name: Upload hgctl packages to the GitHub release
+      uses: softprops/action-gh-release@v1
+      if: startsWith(github.ref, 'refs/tags/')
+      with:
+        files: |
+          hgctl_${{ env.HGCTL_VERSION }}_linux_amd64.tar.gz
+          hgctl_${{ env.HGCTL_VERSION }}_linux_arm64.tar.gz
+          hgctl_${{ env.HGCTL_VERSION }}_darwin_amd64.tar.gz
+          hgctl_${{ env.HGCTL_VERSION }}_darwin_arm64.tar.gz
+          hgctl_${{ env.HGCTL_VERSION }}_windows_amd64.zip
+          hgctl_${{ env.HGCTL_VERSION }}_windows_arm64.zip

.licenserc.yaml

@@ -26,7 +26,8 @@ header:
     - 'VERSION'
     - 'tools/'
     - 'test/README.md'
-    - 'pkg/cmd/hgctl/testdata/config'
+    - 'test/README_CN.md'
+    - 'cmd/hgctl/config/testdata/config'
     - 'pkg/cmd/hgctl/manifests'
 
   comment: on-failure

CODEOWNERS

@@ -1,10 +1,10 @@
-/api @johnlanni 
-/envoy @gengleilei @johnlanni @Lynskylate
+/api @johnlanni @CH3CHO
+/envoy @gengleilei @johnlanni
 /istio @SpecialYang @johnlanni
-/pkg @SpecialYang @johnlanni @Charlie17Li @Xunzhuo
-/plugins @johnlanni
-/registry @NameHaibinZhang @johnlanni
-/test @Xunzhuo
-/tools @johnlanni @Xunzhuo
+/pkg @SpecialYang @johnlanni @CH3CHO
+/plugins @johnlanni @WeixinX @CH3CHO
+/registry @NameHaibinZhang @2456868764 @johnlanni
+/test @Xunzhuo @2456868764 @CH3CHO
+/tools @johnlanni @Xunzhuo @2456868764
 
 

CONTRIBUTING_CN.md

@@ -73,6 +73,7 @@
 * [分支定义](#分支定义)
 * [提交规则](#提交规则)
 * [PR说明](#PR说明)
+* [开发前准备](#开发前准备)
 
 ### 工作区准备
 
@@ -168,6 +169,12 @@ git config --get user.email
 
 PR 是更改 Higress 项目文件的唯一方法。为了帮助审查人更好地理解你的目的，PR 描述不能太详细。我们鼓励贡献者遵循 [PR 模板](./.github/PULL_REQUEST_TEMPLATE.md) 来完成拉取请求。
 
+### 开发前准备
+
+```shell
+make prebuild && go mod tidy
+```
+
 ## 测试用例贡献
 
 任何测试用例都会受到欢迎。目前，Higress 功能测试用例是高优先级的。

CONTRIBUTING_EN.md

@@ -169,6 +169,12 @@ No matter commit message, or commit content, we do take more emphasis on code re
 
 PR is the only way to make change to Higress project files. To help reviewers better get your purpose, PR description could not be too detailed. We encourage contributors to follow the [PR template](./.github/PULL_REQUEST_TEMPLATE.md) to finish the pull request.
 
+### Pre-development preparation
+
+```shell
+make prebuild && go mod tidy
+```
+
 ## Test case contribution
 
 Any test case would be welcomed. Currently, Higress function test cases are high priority.

Makefile.core.mk

@@ -15,7 +15,7 @@ GO_LDFLAGS += -X $(VERSION_PACKAGE).higressVersion=$(shell cat VERSION) \
 
 GO ?= go
 
-export GOPROXY ?= https://proxy.golang.com.cn,direct
+export GOPROXY ?= https://proxy.golang.org,direct
 
 TARGET_ARCH ?= amd64
 
@@ -92,7 +92,8 @@ build-hgctl-multiarch: prebuild $(OUT)
 	GOPROXY=$(GOPROXY) GOOS=linux GOARCH=arm64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/linux_arm64/ $(HGCTL_BINARIES)
 	GOPROXY=$(GOPROXY) GOOS=darwin GOARCH=amd64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/darwin_amd64/ $(HGCTL_BINARIES)
 	GOPROXY=$(GOPROXY) GOOS=darwin GOARCH=arm64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/darwin_arm64/ $(HGCTL_BINARIES)
-
+	GOPROXY=$(GOPROXY) GOOS=windows GOARCH=amd64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/windows_amd64/ $(HGCTL_BINARIES)
+	GOPROXY=$(GOPROXY) GOOS=windows GOARCH=arm64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/windows_arm64/ $(HGCTL_BINARIES)
 # Create targets for OUT_LINUX/binary
 # There are two use cases here:
 # * Building all docker images (generally in CI). In this case we want to build everything at once, so they share work
@@ -137,11 +138,11 @@ export ENVOY_TAR_PATH:=/home/package/envoy.tar.gz
 
 external/package/envoy-amd64.tar.gz:
 #	cd external/proxy; BUILD_WITH_CONTAINER=1  make test_release
-	cd external/package; wget "https://github.com/alibaba/higress/releases/download/v1.3.0/envoy-amd64.tar.gz"
+	cd external/package; wget -O envoy-amd64.tar.gz "https://github.com/alibaba/higress/releases/download/v1.4.0-rc.1/envoy-symbol-amd64.tar.gz"
 
 external/package/envoy-arm64.tar.gz:
 #	cd external/proxy; BUILD_WITH_CONTAINER=1  make test_release
-	cd external/package; wget "https://github.com/alibaba/higress/releases/download/v1.3.0/envoy-arm64.tar.gz"
+	cd external/package; wget -O envoy-arm64.tar.gz "https://github.com/alibaba/higress/releases/download/v1.4.0-rc.1/envoy-symbol-arm64.tar.gz"
 
 build-pilot:
 	cd external/istio; rm -rf out/linux_amd64; GOOS_LOCAL=linux TARGET_OS=linux TARGET_ARCH=amd64 BUILD_WITH_CONTAINER=1 make build-linux
@@ -153,13 +154,13 @@ build-pilot-local:
 build-gateway: prebuild external/package/envoy-amd64.tar.gz external/package/envoy-arm64.tar.gz build-pilot
 	cd external/istio; BUILD_WITH_CONTAINER=1 BUILDX_PLATFORM=true DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.proxyv2" make docker
 
-build-gateway-local: prebuild external/package/envoy-amd64.tar.gz external/package/envoy-arm64.tar.gz build-pilot
+build-gateway-local: prebuild external/package/envoy-amd64.tar.gz external/package/envoy-arm64.tar.gz
 	cd external/istio; rm -rf out/linux_${GOARCH_LOCAL}; GOOS_LOCAL=linux TARGET_OS=linux BUILD_WITH_CONTAINER=1 BUILDX_PLATFORM=false DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.proxyv2" make docker
 
 build-istio: prebuild build-pilot
 	cd external/istio; BUILD_WITH_CONTAINER=1 BUILDX_PLATFORM=true DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.pilot" make docker
 
-build-istio-local: prebuild build-pilot-local
+build-istio-local: prebuild
 	cd external/istio; rm -rf out/linux_${GOARCH_LOCAL}; GOOS_LOCAL=linux TARGET_OS=linux BUILD_WITH_CONTAINER=1 BUILDX_PLATFORM=false DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.pilot" make docker
 
 build-wasmplugins:
@@ -176,13 +177,13 @@ install: pre-install
 	cd helm/higress; helm dependency build
 	helm install higress helm/higress -n higress-system --create-namespace --set 'global.local=true'
 
-ENVOY_LATEST_IMAGE_TAG ?= sha-2d5d9c0
-ISTIO_LATEST_IMAGE_TAG ?= sha-2d5d9c0
+ENVOY_LATEST_IMAGE_TAG ?= sha-d91b22f
+ISTIO_LATEST_IMAGE_TAG ?= sha-d91b22f
 
 install-dev: pre-install
 	helm install higress helm/core -n higress-system --create-namespace --set 'controller.tag=$(TAG)' --set 'gateway.replicas=1' --set 'pilot.tag=$(ISTIO_LATEST_IMAGE_TAG)' --set 'gateway.tag=$(ENVOY_LATEST_IMAGE_TAG)' --set 'global.local=true'
 install-dev-wasmplugin: build-wasmplugins pre-install
-	helm install higress helm/core -n higress-system --create-namespace --set 'controller.tag=$(TAG)' --set 'gateway.replicas=1' --set 'pilot.tag=$(ISTIO_LATEST_IMAGE_TAG)' --set 'gateway.tag=$(ENVOY_LATEST_IMAGE_TAG)' --set 'global.local=true'  --set 'global.volumeWasmPlugins=true'
+	helm install higress helm/core -n higress-system --create-namespace --set 'controller.tag=$(TAG)' --set 'gateway.replicas=1' --set 'pilot.tag=$(ISTIO_LATEST_IMAGE_TAG)' --set 'gateway.tag=$(ENVOY_LATEST_IMAGE_TAG)' --set 'global.local=true'  --set 'global.volumeWasmPlugins=true' --set 'global.onlyPushRouteCluster=false'
 
 uninstall:
 	helm uninstall higress -n higress-system
@@ -232,14 +233,30 @@ include tools/lint.mk
 .PHONY: gateway-conformance-test
 gateway-conformance-test:
 
+# higress-conformance-test-prepare prepares the environment for higress conformance tests.
+.PHONY: higress-conformance-test-prepare
+higress-conformance-test-prepare: $(tools/kind) delete-cluster create-cluster docker-build kube-load-image install-dev
+
 # higress-conformance-test runs ingress api conformance tests.
 .PHONY: higress-conformance-test
 higress-conformance-test: $(tools/kind) delete-cluster create-cluster docker-build kube-load-image install-dev run-higress-e2e-test delete-cluster
 
+# higress-conformance-test-clean cleans the environment for higress conformance tests.
+.PHONY: higress-conformance-test-clean
+higress-conformance-test-clean: $(tools/kind) delete-cluster
+
+# higress-wasmplugin-test-prepare prepares the environment for higress wasmplugin tests.
+.PHONY: higress-wasmplugin-test-prepare
+higress-wasmplugin-test-prepare: $(tools/kind) delete-cluster create-cluster docker-build kube-load-image install-dev-wasmplugin
+
 # higress-wasmplugin-test runs ingress wasmplugin tests.
 .PHONY: higress-wasmplugin-test
 higress-wasmplugin-test: $(tools/kind) delete-cluster create-cluster docker-build kube-load-image install-dev-wasmplugin run-higress-e2e-test-wasmplugin delete-cluster
 
+# higress-wasmplugin-test-clean cleans the environment for higress wasmplugin tests.
+.PHONY: higress-wasmplugin-test-clean
+higress-wasmplugin-test-clean: $(tools/kind) delete-cluster
+
 # create-cluster creates a kube cluster with kind.
 .PHONY: create-cluster
 create-cluster: $(tools/kind)
@@ -269,6 +286,17 @@ kube-load-image: $(tools/kind) ## Install the Higress image to a kind cluster us
 	tools/hack/kind-load-image.sh docker.io/alihigress/httpbin 1.0.2
 	tools/hack/kind-load-image.sh docker.io/charlie1380/eureka-registry-provider v0.3.0
 	tools/hack/kind-load-image.sh docker.io/bitinit/eureka latest
+
+# run-higress-e2e-test-setup starts to setup ingress e2e tests.
+.PHONT: run-higress-e2e-test-setup
+run-higress-e2e-test-setup:
+	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
+	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
+	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
+	go test -v -tags conformance ./test/e2e/e2e_test.go --ingress-class=higress --debug=true --test-area=setup
+
 # run-higress-e2e-test starts to run ingress e2e tests.
 .PHONY: run-higress-e2e-test
 run-higress-e2e-test:
@@ -277,9 +305,39 @@ run-higress-e2e-test:
 	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
 	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
 	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
-	go test -v -tags conformance ./test/e2e/e2e_test.go --ingress-class=higress --debug=true
+	go test -v -tags conformance ./test/e2e/e2e_test.go --ingress-class=higress --debug=true --test-area=all
 
-# run-higress-e2e-test starts to run ingress e2e tests.
+# run-higress-e2e-test-run starts to run ingress e2e conformance tests.
+.PHONY: run-higress-e2e-test-run
+run-higress-e2e-test-run:
+	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
+	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
+	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
+	go test -v -tags conformance ./test/e2e/e2e_test.go --ingress-class=higress --debug=true --test-area=run
+
+# run-higress-e2e-test-clean starts to clean ingress e2e tests.
+.PHONY: run-higress-e2e-test-clean
+run-higress-e2e-test-clean:
+	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
+	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
+	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
+	go test -v -tags conformance ./test/e2e/e2e_test.go --ingress-class=higress --debug=true --test-area=clean
+
+# run-higress-e2e-test-wasmplugin-setup starts to prepare ingress e2e tests.
+.PHONY: run-higress-e2e-test-wasmplugin-setup
+run-higress-e2e-test-wasmplugin-setup:
+	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
+	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
+	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
+	go test -v -tags conformance ./test/e2e/e2e_test.go -isWasmPluginTest=true -wasmPluginType=$(PLUGIN_TYPE) -wasmPluginName=$(PLUGIN_NAME) --ingress-class=higress --debug=true --test-area=setup
+
+# run-higress-e2e-test-wasmplugin starts to run ingress e2e tests.
 .PHONY: run-higress-e2e-test-wasmplugin
 run-higress-e2e-test-wasmplugin:
 	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
@@ -287,4 +345,24 @@ run-higress-e2e-test-wasmplugin:
 	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
 	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
 	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
-	go test -v -tags conformance ./test/e2e/e2e_test.go -isWasmPluginTest=true -wasmPluginType=$(PLUGIN_TYPE) -wasmPluginName=$(PLUGIN_NAME) --ingress-class=higress --debug=true
+	go test -v -tags conformance ./test/e2e/e2e_test.go -isWasmPluginTest=true -wasmPluginType=$(PLUGIN_TYPE) -wasmPluginName=$(PLUGIN_NAME) --ingress-class=higress --debug=true --test-area=all
+
+# run-higress-e2e-test-wasmplugin-run starts to run ingress e2e conformance tests.
+.PHONY: run-higress-e2e-test-wasmplugin-run
+run-higress-e2e-test-wasmplugin-run:
+	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
+	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
+	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
+	go test -v -tags conformance ./test/e2e/e2e_test.go -isWasmPluginTest=true -wasmPluginType=$(PLUGIN_TYPE) -wasmPluginName=$(PLUGIN_NAME) --ingress-class=higress --debug=true --test-area=run
+
+# run-higress-e2e-test-wasmplugin-clean starts to clean ingress e2e tests.
+.PHONY: run-higress-e2e-test-wasmplugin-clean
+run-higress-e2e-test-wasmplugin-clean:
+	@echo -e "\n\033[36mRunning higress conformance tests...\033[0m"
+	@echo -e "\n\033[36mWaiting higress-controller to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-controller --for=condition=Available
+	@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
+	kubectl wait --timeout=10m -n higress-system deployment/higress-gateway --for=condition=Available
+	go test -v -tags conformance ./test/e2e/e2e_test.go -isWasmPluginTest=true -wasmPluginType=$(PLUGIN_TYPE) -wasmPluginName=$(PLUGIN_NAME) --ingress-class=higress --debug=true --test-area=clean

README.md

@@ -1,10 +1,10 @@
 <h1 align="center">
     <img src="https://img.alicdn.com/imgextra/i2/O1CN01NwxLDd20nxfGBjxmZ_!!6000000006895-2-tps-960-290.png" alt="Higress" width="240" height="72.5">
   <br>
-  Next-generation Cloud Native Gateway
+  Cloud Native API Gateway
 </h1>
 
-[![Build Status](https://github.com/alibaba/higress/workflows/build%20and%20codecov/badge.svg?branch=main)](https://github.com/alibaba/higress/actions)
+[![Build Status](https://github.com/alibaba/higress/actions/workflows/build-and-test.yaml/badge.svg?branch=main)](https://github.com/alibaba/higress/actions)
 [![license](https://img.shields.io/github/license/alibaba/higress.svg)](https://www.apache.org/licenses/LICENSE-2.0.html)
 
 [**官网**](https://higress.io/) &nbsp; |
@@ -19,7 +19,7 @@
 </p>
 
 
-Higress 是基于阿里内部两年多的 Envoy Gateway 实践沉淀，以开源 [Istio](https://github.com/istio/istio) 与 [Envoy](https://github.com/envoyproxy/envoy) 为核心构建的下一代云原生网关。Higress 实现了安全防护网关、流量网关、微服务网关三层网关合一，可以显著降低网关的部署和运维成本。
+Higress 是基于阿里内部两年多的 Envoy Gateway 实践沉淀，以开源 [Istio](https://github.com/istio/istio) 与 [Envoy](https://github.com/envoyproxy/envoy) 为核心构建的云原生 API 网关。Higress 实现了安全防护网关、流量网关、微服务网关三层网关合一，可以显著降低网关的部署和运维成本。
 
 ![arch](https://img.alicdn.com/imgextra/i1/O1CN01iO9ph825juHbOIg75_!!6000000007563-2-tps-2483-2024.png)
 
@@ -119,9 +119,13 @@ Higress 是基于阿里内部两年多的 Envoy Gateway 实践沉淀，以开源
 
 如果没有 Envoy 和 Istio 的开源工作，Higress 就不可能实现，在这里向这两个项目献上最诚挚的敬意。
 
-### 联系我们
-
-社区交流群: 
+### 交流群
 
 ![image](https://img.alicdn.com/imgextra/i2/O1CN01qPd7Ix1uZPVEsWjWp_!!6000000006051-0-tps-720-405.jpg)
 
+### 技术分享
+
+微信公众号：
+
+![](https://img.alicdn.com/imgextra/i1/O1CN01WnQt0q1tcmqVDU73u_!!6000000005923-0-tps-258-258.jpg)
+

README_EN.md

@@ -1,10 +1,10 @@
 <h1 align="center">
     <img src="https://img.alicdn.com/imgextra/i2/O1CN01NwxLDd20nxfGBjxmZ_!!6000000006895-2-tps-960-290.png" alt="Higress" width="240" height="72.5">
   <br>
-  Next-generation Cloud Native Gateway
+  Cloud Native API Gateway
 </h1>
 
-[![Build Status](https://github.com/alibaba/higress/workflows/build%20and%20codecov/badge.svg?branch=main)](https://github.com/alibaba/higress/actions)
+[![Build Status](https://github.com/alibaba/higress/actions/workflows/build-and-test.yaml/badge.svg?branch=main)](https://github.com/alibaba/higress/actions)
 [![license](https://img.shields.io/github/license/alibaba/higress.svg)](https://www.apache.org/licenses/LICENSE-2.0.html)
 
 [**Official Site**](https://higress.io/en-us/) &nbsp; |
@@ -18,7 +18,7 @@
    English | <a href="README.md">中文<a/>
 </p>
 
-Higress is a next-generation cloud-native gateway based on Alibaba's internal gateway practices. 
+Higress is a cloud-native api gateway based on Alibaba's internal gateway practices. 
 
 Powered by [Istio](https://github.com/istio/istio) and [Envoy](https://github.com/envoyproxy/envoy), Higress realizes the integration of the triple gateway architecture of traffic gateway, microservice gateway and security gateway, thereby greatly reducing the costs of deployment, operation and maintenance.
 

VERSION

@@ -1 +1 @@
-v1.3.2
+v1.4.0-rc.1

api/extensions/v1alpha1/wasm.pb.go

@@ -166,7 +166,7 @@ type WasmPlugin struct {
 	// If `priority` is not set, or two `WasmPlugins` exist with the same
 	// value, the ordering will be deterministically derived from name and
 	// namespace of the `WasmPlugins`. Defaults to `0`.
-	Priority *types.Int64Value `protobuf:"bytes,10,opt,name=priority,proto3" json:"priority,omitempty"`
+	Priority *types.Int32Value `protobuf:"bytes,10,opt,name=priority,proto3" json:"priority,omitempty"`
 	// Extended by Higress, the default configuration takes effect globally
 	DefaultConfig *types.Struct `protobuf:"bytes,101,opt,name=default_config,json=defaultConfig,proto3" json:"default_config,omitempty"`
 	// Extended by Higress, matching rules take effect
@@ -267,7 +267,7 @@ func (m *WasmPlugin) GetPhase() PluginPhase {
 	return PluginPhase_UNSPECIFIED_PHASE
 }
 
-func (m *WasmPlugin) GetPriority() *types.Int64Value {
+func (m *WasmPlugin) GetPriority() *types.Int32Value {
 	if m != nil {
 		return m.Priority
 	}
@@ -377,46 +377,46 @@ func init() {
 func init() { proto.RegisterFile("extensions/v1alpha1/wasm.proto", fileDescriptor_4d60b240916c4e18) }
 
 var fileDescriptor_4d60b240916c4e18 = []byte{
-	// 617 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x94, 0xdf, 0x4e, 0x13, 0x41,
-	0x14, 0xc6, 0xd9, 0x16, 0x0a, 0x3d, 0x05, 0x5c, 0x26, 0x8a, 0x13, 0x30, 0xb5, 0x21, 0x51, 0x57,
-	0x2e, 0x76, 0x43, 0x45, 0xbc, 0x31, 0xc4, 0x02, 0x55, 0x1a, 0xb5, 0x6e, 0x76, 0x41, 0x23, 0x37,
-	0x9b, 0xe9, 0x32, 0xdd, 0x4e, 0x9c, 0xfd, 0x93, 0x9d, 0x59, 0xb0, 0x0f, 0xe2, 0x3b, 0x79, 0xe9,
-	0x23, 0x18, 0xde, 0xc2, 0x3b, 0xd3, 0xd9, 0x2d, 0x6d, 0xd1, 0xf4, 0x6e, 0xe6, 0x9c, 0xdf, 0x39,
-	0xe7, 0xfb, 0xce, 0x4e, 0x16, 0xea, 0xf4, 0xbb, 0xa4, 0x91, 0x60, 0x71, 0x24, 0xac, 0xab, 0x3d,
-	0xc2, 0x93, 0x01, 0xd9, 0xb3, 0xae, 0x89, 0x08, 0xcd, 0x24, 0x8d, 0x65, 0x8c, 0xb6, 0x07, 0x2c,
-	0x48, 0xa9, 0x10, 0xe6, 0x84, 0x33, 0xc7, 0xdc, 0x56, 0x3d, 0x88, 0xe3, 0x80, 0x53, 0x4b, 0xa1,
-	0xbd, 0xac, 0x6f, 0x5d, 0xa7, 0x24, 0x49, 0x68, 0x2a, 0xf2, 0xe2, 0xad, 0x47, 0x77, 0xf3, 0x42,
-	0xa6, 0x99, 0x2f, 0xf3, 0xec, 0xce, 0x9f, 0x45, 0x80, 0x2f, 0x44, 0x84, 0x36, 0xcf, 0x02, 0x16,
-	0x21, 0x1d, 0xca, 0x59, 0xca, 0x71, 0xa9, 0xa1, 0x19, 0x55, 0x67, 0x74, 0x44, 0x9b, 0x50, 0x11,
-	0x03, 0xd2, 0x7c, 0x79, 0x80, 0xcb, 0x2a, 0x58, 0xdc, 0x90, 0x0b, 0x1b, 0x2c, 0x24, 0x01, 0xf5,
-	0x92, 0x8c, 0x73, 0x2f, 0x89, 0x39, 0xf3, 0x87, 0x78, 0xb1, 0xa1, 0x19, 0xeb, 0xcd, 0x67, 0xe6,
-	0x1c, 0xbd, 0xa6, 0x9d, 0x71, 0x6e, 0x2b, 0xdc, 0xb9, 0xa7, 0x3a, 0x4c, 0x02, 0x68, 0x77, 0xa6,
-	0xa9, 0xa0, 0x7e, 0x4a, 0x25, 0x5e, 0x52, 0x73, 0x27, 0xac, 0xab, 0xc2, 0xe8, 0x39, 0xe8, 0x57,
-	0x34, 0x65, 0x7d, 0xe6, 0x13, 0xc9, 0xe2, 0xc8, 0xfb, 0x46, 0x87, 0xb8, 0x92, 0xa3, 0xd3, 0xf1,
-	0xf7, 0x74, 0x88, 0x5e, 0xc3, 0x5a, 0xa2, 0xfc, 0x79, 0x7e, 0x1c, 0xf5, 0x59, 0x80, 0x97, 0x1b,
-	0x9a, 0x51, 0x6b, 0x3e, 0x34, 0xf3, 0xd5, 0x98, 0xe3, 0xd5, 0x98, 0xae, 0x5a, 0x8d, 0xb3, 0x9a,
-	0xd3, 0xc7, 0x0a, 0x46, 0x8f, 0xa1, 0x56, 0x54, 0x47, 0x24, 0xa4, 0x78, 0x45, 0xcd, 0x80, 0x3c,
-	0xd4, 0x25, 0x21, 0x45, 0x87, 0xb0, 0x94, 0x0c, 0x88, 0xa0, 0xb8, 0xaa, 0xec, 0x1b, 0xf3, 0xed,
-	0xab, 0x3a, 0x7b, 0xc4, 0x3b, 0x79, 0x19, 0x7a, 0x05, 0x2b, 0x49, 0xca, 0xe2, 0x94, 0xc9, 0x21,
-	0x06, 0xa5, 0x6c, 0xfb, 0x1f, 0x65, 0x9d, 0x48, 0x1e, 0xec, 0x7f, 0x26, 0x3c, 0xa3, 0xce, 0x2d,
-	0x8c, 0x0e, 0x61, 0xfd, 0x92, 0xf6, 0x49, 0xc6, 0xe5, 0xd8, 0x18, 0x9d, 0x6f, 0x6c, 0xad, 0xc0,
-	0x0b, 0x67, 0xef, 0xa0, 0x16, 0x12, 0xe9, 0x0f, 0xbc, 0x34, 0xe3, 0x54, 0xe0, 0x7e, 0xa3, 0x6c,
-	0xd4, 0x9a, 0x4f, 0xe7, 0xca, 0xff, 0x38, 0xe2, 0x9d, 0x8c, 0x53, 0x07, 0xc2, 0xf1, 0x51, 0xa0,
-	0x7d, 0xd8, 0x9c, 0x15, 0xe2, 0x5d, 0x32, 0x41, 0x7a, 0x9c, 0xe2, 0xa0, 0xa1, 0x19, 0x2b, 0xce,
-	0xfd, 0x99, 0xb9, 0x27, 0x79, 0x6e, 0xe7, 0x87, 0x06, 0xd5, 0xdb, 0x7e, 0x08, 0xc3, 0x32, 0x8b,
-	0xd4, 0x60, 0xac, 0x35, 0xca, 0x46, 0xd5, 0x19, 0x5f, 0x47, 0x4f, 0xf0, 0x32, 0x0e, 0x09, 0x8b,
-	0x70, 0x49, 0x25, 0x8a, 0x1b, 0xb2, 0xa0, 0x52, 0xd8, 0x2e, 0xcf, 0xb7, 0x5d, 0x60, 0xe8, 0x09,
-	0xac, 0xdf, 0x91, 0xb7, 0xa8, 0xe4, 0xad, 0xf9, 0xd3, 0xba, 0x76, 0xdb, 0x50, 0x9b, 0xfa, 0x4a,
-	0xe8, 0x01, 0x6c, 0x9c, 0x77, 0x5d, 0xbb, 0x7d, 0xdc, 0x79, 0xdb, 0x69, 0x9f, 0x78, 0xf6, 0x69,
-	0xcb, 0x6d, 0xeb, 0x0b, 0xa8, 0x0a, 0x4b, 0xad, 0xf3, 0xb3, 0xd3, 0xae, 0xae, 0x8d, 0x8f, 0x17,
-	0x7a, 0x69, 0x74, 0x74, 0xcf, 0x5a, 0x67, 0xae, 0x5e, 0xde, 0x3d, 0x02, 0x98, 0x7a, 0xda, 0x9b,
-	0x80, 0x66, 0xba, 0x7c, 0xfa, 0xd0, 0x39, 0xfe, 0xaa, 0x2f, 0x20, 0x1d, 0x56, 0x3b, 0xfd, 0x6e,
-	0x2c, 0xed, 0x94, 0x0a, 0x1a, 0x49, 0x5d, 0x43, 0x00, 0x95, 0x16, 0xbf, 0x26, 0x43, 0xa1, 0x97,
-	0x8e, 0xde, 0xfc, 0xbc, 0xa9, 0x6b, 0xbf, 0x6e, 0xea, 0xda, 0xef, 0x9b, 0xba, 0x76, 0xd1, 0x0c,
-	0x98, 0x1c, 0x64, 0x3d, 0xd3, 0x8f, 0x43, 0x8b, 0x70, 0xd6, 0x23, 0x3d, 0x62, 0x15, 0x1f, 0xcb,
-	0x22, 0x09, 0xb3, 0xfe, 0xf3, 0x1b, 0xe9, 0x55, 0xd4, 0x32, 0x5e, 0xfc, 0x0d, 0x00, 0x00, 0xff,
-	0xff, 0x48, 0x74, 0xbe, 0xc1, 0x64, 0x04, 0x00, 0x00,
+	// 619 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x94, 0xdd, 0x4e, 0xdb, 0x4c,
+	0x10, 0x86, 0x71, 0x02, 0x81, 0x4c, 0x80, 0xcf, 0xac, 0xbe, 0xd2, 0x15, 0x54, 0x69, 0x84, 0xd4,
+	0xd6, 0xe5, 0xc0, 0x16, 0xa1, 0x3f, 0x27, 0x15, 0x6a, 0x80, 0xb4, 0x44, 0x6d, 0x53, 0xcb, 0x86,
+	0x56, 0xe5, 0xc4, 0xda, 0x98, 0x8d, 0xb3, 0xea, 0xfa, 0x47, 0xde, 0x35, 0x34, 0x17, 0xd2, 0x7b,
+	0xea, 0x61, 0x2f, 0xa1, 0xe2, 0x2e, 0x7a, 0x56, 0x65, 0x6d, 0x43, 0x42, 0xab, 0x9c, 0xed, 0xce,
+	0x3c, 0x33, 0xf3, 0xbe, 0xe3, 0x95, 0xa1, 0x49, 0xbf, 0x49, 0x1a, 0x09, 0x16, 0x47, 0xc2, 0xba,
+	0xdc, 0x23, 0x3c, 0x19, 0x91, 0x3d, 0xeb, 0x8a, 0x88, 0xd0, 0x4c, 0xd2, 0x58, 0xc6, 0x68, 0x7b,
+	0xc4, 0x82, 0x94, 0x0a, 0x61, 0xde, 0x72, 0x66, 0xc9, 0x6d, 0x35, 0x83, 0x38, 0x0e, 0x38, 0xb5,
+	0x14, 0x3a, 0xc8, 0x86, 0xd6, 0x55, 0x4a, 0x92, 0x84, 0xa6, 0x22, 0x2f, 0xde, 0x7a, 0x70, 0x37,
+	0x2f, 0x64, 0x9a, 0xf9, 0x32, 0xcf, 0xee, 0xfc, 0x5e, 0x04, 0xf8, 0x4c, 0x44, 0x68, 0xf3, 0x2c,
+	0x60, 0x11, 0xd2, 0xa1, 0x9a, 0xa5, 0x1c, 0x57, 0x5a, 0x9a, 0x51, 0x77, 0x26, 0x47, 0xb4, 0x09,
+	0x35, 0x31, 0x22, 0xed, 0xe7, 0x2f, 0x70, 0x55, 0x05, 0x8b, 0x1b, 0x72, 0x61, 0x83, 0x85, 0x24,
+	0xa0, 0x5e, 0x92, 0x71, 0xee, 0x25, 0x31, 0x67, 0xfe, 0x18, 0x2f, 0xb6, 0x34, 0x63, 0xbd, 0xfd,
+	0xc4, 0x9c, 0xa3, 0xd7, 0xb4, 0x33, 0xce, 0x6d, 0x85, 0x3b, 0xff, 0xa9, 0x0e, 0xb7, 0x01, 0xb4,
+	0x3b, 0xd3, 0x54, 0x50, 0x3f, 0xa5, 0x12, 0x2f, 0xa9, 0xb9, 0xb7, 0xac, 0xab, 0xc2, 0xe8, 0x29,
+	0xe8, 0x97, 0x34, 0x65, 0x43, 0xe6, 0x13, 0xc9, 0xe2, 0xc8, 0xfb, 0x4a, 0xc7, 0xb8, 0x96, 0xa3,
+	0xd3, 0xf1, 0x77, 0x74, 0x8c, 0x5e, 0xc1, 0x5a, 0xa2, 0xfc, 0x79, 0x7e, 0x1c, 0x0d, 0x59, 0x80,
+	0x97, 0x5b, 0x9a, 0xd1, 0x68, 0xdf, 0x37, 0xf3, 0xd5, 0x98, 0xe5, 0x6a, 0x4c, 0x57, 0xad, 0xc6,
+	0x59, 0xcd, 0xe9, 0x23, 0x05, 0xa3, 0x87, 0xd0, 0x28, 0xaa, 0x23, 0x12, 0x52, 0xbc, 0xa2, 0x66,
+	0x40, 0x1e, 0xea, 0x93, 0x90, 0xa2, 0x03, 0x58, 0x4a, 0x46, 0x44, 0x50, 0x5c, 0x57, 0xf6, 0x8d,
+	0xf9, 0xf6, 0x55, 0x9d, 0x3d, 0xe1, 0x9d, 0xbc, 0x0c, 0xbd, 0x84, 0x95, 0x24, 0x65, 0x71, 0xca,
+	0xe4, 0x18, 0x83, 0x52, 0xb6, 0xfd, 0x97, 0xb2, 0x5e, 0x24, 0xf7, 0xdb, 0x9f, 0x08, 0xcf, 0xa8,
+	0x73, 0x03, 0xa3, 0x03, 0x58, 0xbf, 0xa0, 0x43, 0x92, 0x71, 0x59, 0x1a, 0xa3, 0xf3, 0x8d, 0xad,
+	0x15, 0x78, 0xe1, 0xec, 0x2d, 0x34, 0x42, 0x22, 0xfd, 0x91, 0x97, 0x66, 0x9c, 0x0a, 0x3c, 0x6c,
+	0x55, 0x8d, 0x46, 0xfb, 0xf1, 0x5c, 0xf9, 0x1f, 0x26, 0xbc, 0x93, 0x71, 0xea, 0x40, 0x58, 0x1e,
+	0x05, 0x7a, 0x06, 0x9b, 0xb3, 0x42, 0xbc, 0x0b, 0x26, 0xc8, 0x80, 0x53, 0x1c, 0xb4, 0x34, 0x63,
+	0xc5, 0xf9, 0x7f, 0x66, 0xee, 0x71, 0x9e, 0xdb, 0xf9, 0xae, 0x41, 0xfd, 0xa6, 0x1f, 0xc2, 0xb0,
+	0xcc, 0x22, 0x35, 0x18, 0x6b, 0xad, 0xaa, 0x51, 0x77, 0xca, 0xeb, 0xe4, 0x09, 0x5e, 0xc4, 0x21,
+	0x61, 0x11, 0xae, 0xa8, 0x44, 0x71, 0x43, 0x16, 0xd4, 0x0a, 0xdb, 0xd5, 0xf9, 0xb6, 0x0b, 0x0c,
+	0x3d, 0x82, 0xf5, 0x3b, 0xf2, 0x16, 0x95, 0xbc, 0x35, 0x7f, 0x5a, 0xd7, 0x6e, 0x17, 0x1a, 0x53,
+	0x5f, 0x09, 0xdd, 0x83, 0x8d, 0xb3, 0xbe, 0x6b, 0x77, 0x8f, 0x7a, 0x6f, 0x7a, 0xdd, 0x63, 0xcf,
+	0x3e, 0xe9, 0xb8, 0x5d, 0x7d, 0x01, 0xd5, 0x61, 0xa9, 0x73, 0x76, 0x7a, 0xd2, 0xd7, 0xb5, 0xf2,
+	0x78, 0xae, 0x57, 0x26, 0x47, 0xf7, 0xb4, 0x73, 0xea, 0xea, 0xd5, 0xdd, 0x43, 0x80, 0xa9, 0xa7,
+	0xbd, 0x09, 0x68, 0xa6, 0xcb, 0xc7, 0xf7, 0xbd, 0xa3, 0x2f, 0xfa, 0x02, 0xd2, 0x61, 0xb5, 0x37,
+	0xec, 0xc7, 0xd2, 0x4e, 0xa9, 0xa0, 0x91, 0xd4, 0x35, 0x04, 0x50, 0xeb, 0xf0, 0x2b, 0x32, 0x16,
+	0x7a, 0xe5, 0xf0, 0xf5, 0x8f, 0xeb, 0xa6, 0xf6, 0xf3, 0xba, 0xa9, 0xfd, 0xba, 0x6e, 0x6a, 0xe7,
+	0xed, 0x80, 0xc9, 0x51, 0x36, 0x30, 0xfd, 0x38, 0xb4, 0x08, 0x67, 0x03, 0x32, 0x20, 0x56, 0xf1,
+	0xb1, 0x2c, 0x92, 0x30, 0xeb, 0x1f, 0xbf, 0x91, 0x41, 0x4d, 0x2d, 0x63, 0xff, 0x4f, 0x00, 0x00,
+	0x00, 0xff, 0xff, 0xb9, 0xf2, 0x67, 0xbe, 0x64, 0x04, 0x00, 0x00,
 }
 
 func (m *WasmPlugin) Marshal() (dAtA []byte, err error) {
@@ -1024,7 +1024,7 @@ func (m *WasmPlugin) Unmarshal(dAtA []byte) error {
 				return io.ErrUnexpectedEOF
 			}
 			if m.Priority == nil {
-				m.Priority = &types.Int64Value{}
+				m.Priority = &types.Int32Value{}
 			}
 			if err := m.Priority.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
 				return err

api/extensions/v1alpha1/wasm.proto

@@ -98,7 +98,7 @@ message WasmPlugin {
   // If `priority` is not set, or two `WasmPlugins` exist with the same
   // value, the ordering will be deterministically derived from name and
   // namespace of the `WasmPlugins`. Defaults to `0`.
-  google.protobuf.Int64Value priority = 10;
+  google.protobuf.Int32Value priority = 10;
 
   // Extended by Higress, the default configuration takes effect globally
   google.protobuf.Struct default_config = 101;

cmd/hgctl/config/gateway_config.go

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package hgctl
+package config
 
 import (
 	"encoding/json"
@@ -27,26 +27,61 @@ import (
 )
 
 var (
-	output       string
-	podName      string
-	podNamespace string
+	BootstrapEnvoyConfigType EnvoyConfigType = "bootstrap"
+	ClusterEnvoyConfigType   EnvoyConfigType = "cluster"
+	EndpointEnvoyConfigType  EnvoyConfigType = "endpoint"
+	ListenerEnvoyConfigType  EnvoyConfigType = "listener"
+	RouteEnvoyConfigType     EnvoyConfigType = "route"
+	AllEnvoyConfigType       EnvoyConfigType = "all"
 )
 
 const (
 	defaultProxyAdminPort = 15000
-	containerName         = "envoy"
 )
 
-func retrieveConfigDump(args []string, includeEds bool) ([]byte, error) {
-	if len(args) != 0 {
-		podName = args[0]
-	}
+type EnvoyConfigType string
 
+type GetEnvoyConfigOptions struct {
+	IncludeEds      bool
+	PodName         string
+	PodNamespace    string
+	BindAddress     string
+	Output          string
+	EnvoyConfigType EnvoyConfigType
+}
+
+func NewDefaultGetEnvoyConfigOptions() *GetEnvoyConfigOptions {
+	return &GetEnvoyConfigOptions{
+		IncludeEds:      true,
+		PodName:         "",
+		PodNamespace:    "higress-system",
+		BindAddress:     "localhost",
+		Output:          "json",
+		EnvoyConfigType: AllEnvoyConfigType,
+	}
+}
+
+func GetEnvoyConfig(config *GetEnvoyConfigOptions) ([]byte, error) {
+	configDump, err := retrieveConfigDump(config.PodName, config.PodNamespace, config.BindAddress, config.IncludeEds)
+	if err != nil {
+		return nil, err
+	}
+	if config.EnvoyConfigType == AllEnvoyConfigType {
+		return configDump, nil
+	}
+	resource, err := getXDSResource(config.EnvoyConfigType, configDump)
+	if err != nil {
+		return nil, err
+	}
+	return formatGatewayConfig(resource, config.Output)
+}
+
+func retrieveConfigDump(podName, podNamespace, bindAddress string, includeEds bool) ([]byte, error) {
 	if podNamespace == "" {
 		return nil, fmt.Errorf("pod namespace is required")
 	}
 
-	if podName == "" || len(args) == 0 {
+	if podName == "" {
 		c, err := kubernetes.NewCLIClient(options.DefaultConfigFlags.ToRawKubeConfigLoader())
 		if err != nil {
 			return nil, fmt.Errorf("failed to build kubernetes client: %w", err)
@@ -65,7 +100,7 @@ func retrieveConfigDump(args []string, includeEds bool) ([]byte, error) {
 	fw, err := portForwarder(types.NamespacedName{
 		Namespace: podNamespace,
 		Name:      podName,
-	})
+	}, bindAddress)
 	if err != nil {
 		return nil, err
 	}
@@ -82,7 +117,7 @@ func retrieveConfigDump(args []string, includeEds bool) ([]byte, error) {
 	return configDump, nil
 }
 
-func portForwarder(nn types.NamespacedName) (kubernetes.PortForwarder, error) {
+func portForwarder(nn types.NamespacedName, bindAddress string) (kubernetes.PortForwarder, error) {
 	c, err := kubernetes.NewCLIClient(options.DefaultConfigFlags.ToRawKubeConfigLoader())
 	if err != nil {
 		return nil, fmt.Errorf("build CLI client fail: %w", err)
@@ -149,3 +184,53 @@ func configDumpRequest(address string, includeEds bool) ([]byte, error) {
 
 	return io.ReadAll(resp.Body)
 }
+
+func getXDSResource(resourceType EnvoyConfigType, configDump []byte) (any, error) {
+	cd := map[string]any{}
+	if err := json.Unmarshal(configDump, &cd); err != nil {
+		return nil, err
+	}
+	if resourceType == AllEnvoyConfigType {
+		return cd, nil
+	}
+	configs := cd["configs"]
+	globalConfigs := configs.([]any)
+
+	switch resourceType {
+	case BootstrapEnvoyConfigType:
+		for _, config := range globalConfigs {
+			if config.(map[string]interface{})["@type"] == "type.googleapis.com/envoy.admin.v3.BootstrapConfigDump" {
+				return config, nil
+			}
+		}
+	case EndpointEnvoyConfigType:
+		for _, config := range globalConfigs {
+			if config.(map[string]interface{})["@type"] == "type.googleapis.com/envoy.admin.v3.EndpointsConfigDump" {
+				return config, nil
+			}
+		}
+
+	case ClusterEnvoyConfigType:
+		for _, config := range globalConfigs {
+			if config.(map[string]interface{})["@type"] == "type.googleapis.com/envoy.admin.v3.ClustersConfigDump" {
+				return config, nil
+			}
+		}
+	case ListenerEnvoyConfigType:
+		for _, config := range globalConfigs {
+			if config.(map[string]interface{})["@type"] == "type.googleapis.com/envoy.admin.v3.ListenersConfigDump" {
+				return config, nil
+			}
+		}
+	case RouteEnvoyConfigType:
+		for _, config := range globalConfigs {
+			if config.(map[string]interface{})["@type"] == "type.googleapis.com/envoy.admin.v3.RoutesConfigDump" {
+				return config, nil
+			}
+		}
+	default:
+		return nil, fmt.Errorf("unknown resourceType %s", resourceType)
+	}
+
+	return nil, fmt.Errorf("unknown resourceType %s", resourceType)
+}

cmd/hgctl/config/gateway_config_test.go

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package hgctl
+package config
 
 import (
 	"fmt"
@@ -109,7 +109,7 @@ func TestExtractAllConfigDump(t *testing.T) {
 		t.Run(tc.output, func(t *testing.T) {
 			configDump, err := fetchGatewayConfig(fw, true)
 			assert.NoError(t, err)
-			data, err := GetXDSResource(AllEnvoyConfigType, configDump)
+			data, err := getXDSResource(AllEnvoyConfigType, configDump)
 			assert.NoError(t, err)
 			got, err := formatGatewayConfig(data, tc.output)
 			assert.NoError(t, err)
@@ -137,7 +137,7 @@ func TestExtractSubResourcesConfigDump(t *testing.T) {
 	cases := []struct {
 		output       string
 		expected     string
-		resourceType envoyConfigType
+		resourceType EnvoyConfigType
 	}{
 		{
 			output:       "json",
@@ -192,7 +192,7 @@ func TestExtractSubResourcesConfigDump(t *testing.T) {
 		t.Run(tc.output, func(t *testing.T) {
 			configDump, err := fetchGatewayConfig(fw, false)
 			assert.NoError(t, err)
-			resource, err := GetXDSResource(tc.resourceType, configDump)
+			resource, err := getXDSResource(tc.resourceType, configDump)
 			assert.NoError(t, err)
 			got, err := formatGatewayConfig(resource, tc.output)
 			assert.NoError(t, err)

cmd/higress/main.go

@@ -18,10 +18,13 @@ import (
 	"fmt"
 	"os"
 
+	"istio.io/pkg/log"
+
 	"github.com/alibaba/higress/pkg/cmd"
 )
 
 func main() {
+	log.EnableKlogWithCobra()
 	if err := cmd.GetRootCommand().Execute(); err != nil {
 		_, _ = fmt.Fprintln(os.Stderr, err)
 		os.Exit(1)

codecov.yml

@@ -2,7 +2,11 @@ codecov:
   require_ci_to_pass: yes
 coverage:
   status:
-    patch: no
+    patch: 
+      default:
+        target: 50%
+        threshold: 0%
+        if_ci_failed: error # success, failure, error, ignore
     project:
       default:
         target: auto
@@ -17,4 +21,4 @@ ignore:
 comment:
   layout: "reach,diff,flags,tree"
   behavior: default
-  require_changes: no
+  require_changes: no

envoy/1.20/patches/envoy/20240104-enhance-srds.patch

@@ -0,0 +1,483 @@
+diff -Naur envoy/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto envoy-new/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto
+--- envoy/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto	2024-01-04 21:07:40.000000000 +0800
++++ envoy-new/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto	2024-01-04 21:09:13.000000000 +0800
+@@ -888,11 +888,31 @@
+         }
+       }
+ 
++      message HostValueExtractor {
++        option (udpa.annotations.versioning).previous_message_type =
++            "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes.ScopeKeyBuilder."
++            "FragmentBuilder.HostValueExtractor";
++
++        // The maximum number of host superset recomputes. If not specified, defaults to 100.
++        google.protobuf.UInt32Value max_recompute_num = 1;
++      }
++
++      message LocalPortValueExtractor {
++        option (udpa.annotations.versioning).previous_message_type =
++            "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes.ScopeKeyBuilder."
++            "FragmentBuilder.LocalPortValueExtractor";
++      }
++
++
+       oneof type {
+         option (validate.required) = true;
+ 
+         // Specifies how a header field's value should be extracted.
+         HeaderValueExtractor header_value_extractor = 1;
++
++        HostValueExtractor host_value_extractor = 101;
++
++        LocalPortValueExtractor local_port_value_extractor = 102;
+       }
+     }
+ 
+diff -Naur envoy/envoy/router/scopes.h envoy-new/envoy/router/scopes.h
+--- envoy/envoy/router/scopes.h	2024-01-04 21:07:38.000000000 +0800
++++ envoy-new/envoy/router/scopes.h	2024-01-04 21:09:13.000000000 +0800
+@@ -92,7 +92,12 @@
+    * @param headers the request headers to match the scoped routing configuration against.
+    * @return ConfigConstSharedPtr the router's Config matching the request headers.
+    */
++#if defined ALIMESH
++  virtual ConfigConstSharedPtr getRouteConfig(const Http::HeaderMap& headers,
++                                              const StreamInfo::StreamInfo& info) const PURE;
++#else
+   virtual ConfigConstSharedPtr getRouteConfig(const Http::HeaderMap& headers) const PURE;
++#endif
+ 
+   /**
+    * Based on the incoming HTTP request headers, returns the hash value of its scope key.
+@@ -100,6 +105,12 @@
+    * @return unique_ptr of the scope key computed from header.
+    */
+   virtual ScopeKeyPtr computeScopeKey(const Http::HeaderMap&) const { return {}; }
++
++#if defined(ALIMESH)
++  virtual ScopeKeyPtr computeScopeKey(const Http::HeaderMap&, const StreamInfo::StreamInfo&) const {
++    return {};
++  };
++#endif
+ };
+ 
+ using ScopedConfigConstSharedPtr = std::shared_ptr<const ScopedConfig>;
+diff -Naur envoy/source/common/http/conn_manager_impl.cc envoy-new/source/common/http/conn_manager_impl.cc
+--- envoy/source/common/http/conn_manager_impl.cc	2024-01-04 21:07:41.000000000 +0800
++++ envoy-new/source/common/http/conn_manager_impl.cc	2024-01-04 21:09:13.000000000 +0800
+@@ -577,8 +577,13 @@
+     requestVhdsUpdate(host_header, thread_local_dispatcher, std::move(route_config_updated_cb));
+     return;
+   } else if (parent_.snapped_scoped_routes_config_ != nullptr) {
++#if defined(ALIMESH)
++    Router::ScopeKeyPtr scope_key = parent_.snapped_scoped_routes_config_->computeScopeKey(
++        *parent_.request_headers_, parent_.connection()->streamInfo());
++#else
+     Router::ScopeKeyPtr scope_key =
+         parent_.snapped_scoped_routes_config_->computeScopeKey(*parent_.request_headers_);
++#endif
+     // If scope_key is not null, the scope exists but RouteConfiguration is not initialized.
+     if (scope_key != nullptr) {
+       requestSrdsUpdate(std::move(scope_key), thread_local_dispatcher,
+@@ -1197,7 +1202,13 @@
+ void ConnectionManagerImpl::ActiveStream::snapScopedRouteConfig() {
+   // NOTE: if a RDS subscription hasn't got a RouteConfiguration back, a Router::NullConfigImpl is
+   // returned, in that case we let it pass.
++#if defined(ALIMESH)
++  snapped_route_config_ =
++      snapped_scoped_routes_config_->getRouteConfig(*request_headers_, connection()->streamInfo());
++#else
+   snapped_route_config_ = snapped_scoped_routes_config_->getRouteConfig(*request_headers_);
++
++#endif
+   if (snapped_route_config_ == nullptr) {
+     ENVOY_STREAM_LOG(trace, "can't find SRDS scope.", *this);
+     // TODO(stevenzzzz): Consider to pass an error message to router filter, so that it can
+diff -Naur envoy/source/common/router/scoped_config_impl.cc envoy-new/source/common/router/scoped_config_impl.cc
+--- envoy/source/common/router/scoped_config_impl.cc	2024-01-04 21:07:36.000000000 +0800
++++ envoy-new/source/common/router/scoped_config_impl.cc	2024-01-04 21:09:13.000000000 +0800
+@@ -6,6 +6,160 @@
+ namespace Envoy {
+ namespace Router {
+ 
++#if defined(ALIMESH)
++namespace {
++
++std::string maskFirstDNSLabel(absl::string_view host) {
++  if (host == "*") {
++    return std::string(host);
++  }
++  if (host.size() < 2) {
++    return "*";
++  }
++  size_t start_pos = (host[0] == '*' && host[1] == '.') ? 2 : 0;
++  size_t dot_pos = host.find('.', start_pos);
++  if (dot_pos != absl::string_view::npos) {
++    return absl::StrCat("*", absl::string_view(host.data() + dot_pos, host.size() - dot_pos));
++  }
++  return "*";
++}
++
++} // namespace
++
++LocalPortValueExtractorImpl::LocalPortValueExtractorImpl(
++    ScopedRoutes::ScopeKeyBuilder::FragmentBuilder&& config)
++    : FragmentBuilderBase(std::move(config)) {
++  ASSERT(config_.type_case() ==
++             ScopedRoutes::ScopeKeyBuilder::FragmentBuilder::kLocalPortValueExtractor,
++         "local_port_value_extractor is not set.");
++}
++
++std::unique_ptr<ScopeKeyFragmentBase> LocalPortValueExtractorImpl::computeFragment(
++    const Http::HeaderMap&, const StreamInfo::StreamInfo& info, ReComputeCbPtr&) const {
++  auto port = info.downstreamAddressProvider().localAddress()->ip()->port();
++  return std::make_unique<StringKeyFragment>(std::to_string(long(port)));
++}
++
++HostValueExtractorImpl::HostValueExtractorImpl(
++    ScopedRoutes::ScopeKeyBuilder::FragmentBuilder&& config)
++    : FragmentBuilderBase(std::move(config)),
++      host_value_extractor_config_(config_.host_value_extractor()),
++      max_recompute_num_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(
++          host_value_extractor_config_, max_recompute_num, DefaultMaxRecomputeNum)) {
++  ASSERT(config_.type_case() == ScopedRoutes::ScopeKeyBuilder::FragmentBuilder::kHostValueExtractor,
++         "host_value_extractor is not set.");
++}
++
++std::unique_ptr<ScopeKeyFragmentBase>
++HostValueExtractorImpl::reComputeHelper(const std::string& host, ReComputeCbPtr& next_recompute,
++                                        uint32_t recompute_seq) const {
++  if (recompute_seq == max_recompute_num_) {
++    ENVOY_LOG_MISC(warn,
++                   "recompute host fragment failed, maximum number of recalculations exceeded");
++    return nullptr;
++  }
++  if (host == "*") {
++    *next_recompute = nullptr;
++    return nullptr;
++  }
++  auto masked_host = maskFirstDNSLabel(host);
++  *next_recompute = [this, masked_host, recompute_seq,
++                     next_recompute]() mutable -> std::unique_ptr<ScopeKeyFragmentBase> {
++    return reComputeHelper(masked_host, next_recompute, recompute_seq + 1);
++  };
++  return std::make_unique<StringKeyFragment>(masked_host);
++}
++
++std::unique_ptr<ScopeKeyFragmentBase>
++HostValueExtractorImpl::computeFragment(const Http::HeaderMap& headers,
++                                        const StreamInfo::StreamInfo&,
++                                        ReComputeCbPtr& recompute) const {
++  auto fragment = computeFragment(headers);
++  auto host = static_cast<const Http::RequestHeaderMap&>(headers).getHostValue();
++  *recompute = [this, host, recompute]() mutable -> std::unique_ptr<ScopeKeyFragmentBase> {
++    return reComputeHelper(std::string(host), recompute, 0);
++  };
++  return fragment;
++}
++
++std::unique_ptr<ScopeKeyFragmentBase>
++HostValueExtractorImpl::computeFragment(const Http::HeaderMap& headers) const {
++  return std::make_unique<StringKeyFragment>(
++      static_cast<const Http::RequestHeaderMap&>(headers).getHostValue());
++}
++
++std::unique_ptr<ScopeKeyFragmentBase>
++HeaderValueExtractorImpl::computeFragment(const Http::HeaderMap& headers,
++                                          const StreamInfo::StreamInfo&, ReComputeCbPtr&) const {
++  return computeFragment(headers);
++}
++
++ScopeKeyPtr ScopeKeyBuilderImpl::computeScopeKey(const Http::HeaderMap& headers,
++                                                 const StreamInfo::StreamInfo& info,
++                                                 std::function<ScopeKeyPtr()>& recompute) const {
++  ScopeKey key;
++  bool recomputeable = false;
++  auto recompute_cbs = std::make_shared<std::vector<ReComputeCbPtr>>();
++  for (const auto& builder : fragment_builders_) {
++    // returns nullopt if a null fragment is found.
++    ReComputeCbPtr recompute_fragment_cb = std::make_shared<ReComputeCb>();
++    std::unique_ptr<ScopeKeyFragmentBase> fragment =
++        builder->computeFragment(headers, info, recompute_fragment_cb);
++    if (fragment == nullptr) {
++      return nullptr;
++    }
++    if (*recompute_fragment_cb == nullptr) {
++      auto key_fragment = static_cast<StringKeyFragment*>(fragment.get());
++      auto copied_fragment = std::make_shared<StringKeyFragment>(*key_fragment);
++      auto recompute_cb =
++          std::make_shared<ReComputeCb>([copied_fragment]() -> std::unique_ptr<StringKeyFragment> {
++            return std::make_unique<StringKeyFragment>(*copied_fragment);
++          });
++      recompute_cbs->push_back(recompute_cb);
++    } else {
++      recomputeable = true;
++      recompute_cbs->push_back(recompute_fragment_cb);
++    }
++    key.addFragment(std::move(fragment));
++  }
++  if (recomputeable) {
++    recompute = [&recompute, recompute_cbs]() mutable -> ScopeKeyPtr {
++      ScopeKey new_key;
++      for (auto& cb : *recompute_cbs) {
++        auto new_fragment = (*cb)();
++        if (new_fragment == nullptr) {
++          return nullptr;
++        }
++        if (*cb == nullptr) {
++          recompute = nullptr;
++        }
++        new_key.addFragment(std::move(new_fragment));
++      }
++      return std::make_unique<ScopeKey>(std::move(new_key));
++    };
++  }
++  return std::make_unique<ScopeKey>(std::move(key));
++}
++
++ScopeKeyPtr ScopedConfigImpl::computeScopeKey(const Http::HeaderMap& headers,
++                                              const StreamInfo::StreamInfo& info) const {
++  std::function<Router::ScopeKeyPtr()> recompute;
++  ScopeKeyPtr scope_key = scope_key_builder_.computeScopeKey(headers, info, recompute);
++  if (scope_key == nullptr) {
++    return nullptr;
++  }
++  decltype(scoped_route_info_by_key_.begin()) iter;
++  do {
++    iter = scoped_route_info_by_key_.find(scope_key->hash());
++    if (iter != scoped_route_info_by_key_.end()) {
++      return scope_key;
++    }
++  } while (recompute != nullptr && (scope_key = recompute()));
++  return nullptr;
++}
++
++#endif
++
+ bool ScopeKey::operator!=(const ScopeKey& other) const { return !(*this == other); }
+ 
+ bool ScopeKey::operator==(const ScopeKey& other) const {
+@@ -95,6 +249,16 @@
+     : ScopeKeyBuilderBase(std::move(config)) {
+   for (const auto& fragment_builder : config_.fragments()) {
+     switch (fragment_builder.type_case()) {
++#if defined(ALIMESH)
++    case ScopedRoutes::ScopeKeyBuilder::FragmentBuilder::kHostValueExtractor:
++      fragment_builders_.emplace_back(std::make_unique<HostValueExtractorImpl>(
++          ScopedRoutes::ScopeKeyBuilder::FragmentBuilder(fragment_builder)));
++      break;
++    case ScopedRoutes::ScopeKeyBuilder::FragmentBuilder::kLocalPortValueExtractor:
++      fragment_builders_.emplace_back(std::make_unique<LocalPortValueExtractorImpl>(
++          ScopedRoutes::ScopeKeyBuilder::FragmentBuilder(fragment_builder)));
++      break;
++#endif
+     case ScopedRoutes::ScopeKeyBuilder::FragmentBuilder::kHeaderValueExtractor:
+       fragment_builders_.emplace_back(std::make_unique<HeaderValueExtractorImpl>(
+           ScopedRoutes::ScopeKeyBuilder::FragmentBuilder(fragment_builder)));
+@@ -143,6 +307,22 @@
+ }
+ 
+ Router::ConfigConstSharedPtr
++#if defined(ALIMESH)
++ScopedConfigImpl::getRouteConfig(const Http::HeaderMap& headers,
++                                 const StreamInfo::StreamInfo& info) const {
++  std::function<ScopeKeyPtr()> recompute;
++  ScopeKeyPtr scope_key = scope_key_builder_.computeScopeKey(headers, info, recompute);
++  if (scope_key == nullptr) {
++    return nullptr;
++  }
++  decltype(scoped_route_info_by_key_.begin()) iter;
++  do {
++    iter = scoped_route_info_by_key_.find(scope_key->hash());
++    if (iter != scoped_route_info_by_key_.end()) {
++      return iter->second->routeConfig();
++    }
++  } while (recompute != nullptr && (scope_key = recompute()));
++#else
+ ScopedConfigImpl::getRouteConfig(const Http::HeaderMap& headers) const {
+   ScopeKeyPtr scope_key = scope_key_builder_.computeScopeKey(headers);
+   if (scope_key == nullptr) {
+@@ -152,6 +332,7 @@
+   if (iter != scoped_route_info_by_key_.end()) {
+     return iter->second->routeConfig();
+   }
++#endif
+   return nullptr;
+ }
+ 
+diff -Naur envoy/source/common/router/scoped_config_impl.h envoy-new/source/common/router/scoped_config_impl.h
+--- envoy/source/common/router/scoped_config_impl.h	2024-01-04 21:07:36.000000000 +0800
++++ envoy-new/source/common/router/scoped_config_impl.h	2024-01-04 21:09:13.000000000 +0800
+@@ -22,6 +22,11 @@
+ 
+ using envoy::extensions::filters::network::http_connection_manager::v3::ScopedRoutes;
+ 
++#if defined(ALIMESH)
++using ReComputeCb = std::function<std::unique_ptr<ScopeKeyFragmentBase>()>;
++using ReComputeCbPtr = std::shared_ptr<ReComputeCb>;
++#endif
++
+ /**
+  * Base class for fragment builders.
+  */
+@@ -36,6 +41,12 @@
+   virtual std::unique_ptr<ScopeKeyFragmentBase>
+   computeFragment(const Http::HeaderMap& headers) const PURE;
+ 
++#if defined(ALIMESH)
++  virtual std::unique_ptr<ScopeKeyFragmentBase>
++  computeFragment(const Http::HeaderMap& headers, const StreamInfo::StreamInfo& info,
++                  ReComputeCbPtr& recompute) const PURE;
++#endif
++
+ protected:
+   const ScopedRoutes::ScopeKeyBuilder::FragmentBuilder config_;
+ };
+@@ -47,11 +58,54 @@
+   std::unique_ptr<ScopeKeyFragmentBase>
+   computeFragment(const Http::HeaderMap& headers) const override;
+ 
++#if defined(ALIMESH)
++  std::unique_ptr<ScopeKeyFragmentBase> computeFragment(const Http::HeaderMap& headers,
++                                                        const StreamInfo::StreamInfo& info,
++                                                        ReComputeCbPtr& recompute) const override;
++#endif
++
+ private:
+   const ScopedRoutes::ScopeKeyBuilder::FragmentBuilder::HeaderValueExtractor&
+       header_value_extractor_config_;
+ };
+ 
++#if defined(ALIMESH)
++class HostValueExtractorImpl : public FragmentBuilderBase {
++public:
++  explicit HostValueExtractorImpl(ScopedRoutes::ScopeKeyBuilder::FragmentBuilder&& config);
++
++  std::unique_ptr<ScopeKeyFragmentBase>
++  computeFragment(const Http::HeaderMap& headers) const override;
++
++  std::unique_ptr<ScopeKeyFragmentBase> computeFragment(const Http::HeaderMap& headers,
++                                                        const StreamInfo::StreamInfo& info,
++                                                        ReComputeCbPtr& recompute) const override;
++
++private:
++  std::unique_ptr<ScopeKeyFragmentBase> reComputeHelper(const std::string& host,
++                                                        ReComputeCbPtr& next_recompute,
++                                                        uint32_t recompute_seq) const;
++
++  static constexpr uint32_t DefaultMaxRecomputeNum = 100;
++
++  const ScopedRoutes::ScopeKeyBuilder::FragmentBuilder::HostValueExtractor&
++      host_value_extractor_config_;
++  const uint32_t max_recompute_num_;
++};
++
++class LocalPortValueExtractorImpl : public FragmentBuilderBase {
++public:
++  explicit LocalPortValueExtractorImpl(ScopedRoutes::ScopeKeyBuilder::FragmentBuilder&& config);
++
++  std::unique_ptr<ScopeKeyFragmentBase> computeFragment(const Http::HeaderMap&) const override {
++    return nullptr;
++  };
++
++  std::unique_ptr<ScopeKeyFragmentBase> computeFragment(const Http::HeaderMap& headers,
++                                                        const StreamInfo::StreamInfo& info,
++                                                        ReComputeCbPtr& recompute) const override;
++};
++#endif
+ /**
+  * Base class for ScopeKeyBuilder implementations.
+  */
+@@ -64,6 +118,12 @@
+   // Computes scope key for given headers, returns nullptr if a key can't be computed.
+   virtual ScopeKeyPtr computeScopeKey(const Http::HeaderMap& headers) const PURE;
+ 
++#if defined(ALIMESH)
++  virtual ScopeKeyPtr computeScopeKey(const Http::HeaderMap& headers,
++                                      const StreamInfo::StreamInfo& info,
++                                      std::function<ScopeKeyPtr()>& recompute) const PURE;
++#endif
++
+ protected:
+   const ScopedRoutes::ScopeKeyBuilder config_;
+ };
+@@ -74,6 +134,11 @@
+ 
+   ScopeKeyPtr computeScopeKey(const Http::HeaderMap& headers) const override;
+ 
++#if defined(ALIMESH)
++  ScopeKeyPtr computeScopeKey(const Http::HeaderMap& headers, const StreamInfo::StreamInfo& info,
++                              std::function<ScopeKeyPtr()>& recompute) const override;
++#endif
++
+ private:
+   std::vector<std::unique_ptr<FragmentBuilderBase>> fragment_builders_;
+ };
+@@ -118,10 +183,20 @@
+   void removeRoutingScopes(const std::vector<std::string>& scope_names);
+ 
+   // Envoy::Router::ScopedConfig
++#if defined(ALIMESH)
++  Router::ConfigConstSharedPtr getRouteConfig(const Http::HeaderMap& headers,
++                                              const StreamInfo::StreamInfo& info) const override;
++#else
+   Router::ConfigConstSharedPtr getRouteConfig(const Http::HeaderMap& headers) const override;
++#endif
+   // The return value is not null only if the scope corresponding to the header exists.
+   ScopeKeyPtr computeScopeKey(const Http::HeaderMap& headers) const override;
+ 
++#if defined(ALIMESH)
++  ScopeKeyPtr computeScopeKey(const Http::HeaderMap& headers,
++                              const StreamInfo::StreamInfo& info) const override;
++#endif
++
+ private:
+   ScopeKeyBuilderImpl scope_key_builder_;
+   // From scope name to cached ScopedRouteInfo.
+@@ -135,9 +210,16 @@
+  */
+ class NullScopedConfigImpl : public ScopedConfig {
+ public:
++#if defined(ALIMESH)
++  Router::ConfigConstSharedPtr getRouteConfig(const Http::HeaderMap&,
++                                              const StreamInfo::StreamInfo&) const override {
++    return std::make_shared<const NullConfigImpl>();
++  }
++#else
+   Router::ConfigConstSharedPtr getRouteConfig(const Http::HeaderMap&) const override {
+     return std::make_shared<const NullConfigImpl>();
+   }
++#endif
+ };
+ 
+ } // namespace Router
+diff -Naur envoy/source/extensions/filters/http/on_demand/on_demand_update.cc envoy-new/source/extensions/filters/http/on_demand/on_demand_update.cc
+--- envoy/source/extensions/filters/http/on_demand/on_demand_update.cc	2024-01-04 21:07:33.000000000 +0800
++++ envoy-new/source/extensions/filters/http/on_demand/on_demand_update.cc	2024-01-04 21:09:13.000000000 +0800
+@@ -50,7 +50,11 @@
+ // This is the callback which is called when an update requested in requestRouteConfigUpdate()
+ // has been propagated to workers, at which point the request processing is restarted from the
+ // beginning.
++#if defined(ALIMESH)
++void OnDemandRouteUpdate::onRouteConfigUpdateCompletion(bool) {
++#else
+ void OnDemandRouteUpdate::onRouteConfigUpdateCompletion(bool route_exists) {
++#endif
+   filter_iteration_state_ = Http::FilterHeadersStatus::Continue;
+ 
+   // Don't call continueDecoding in the middle of decodeHeaders()
+@@ -58,12 +62,14 @@
+     return;
+   }
+ 
++#if !defined(ALIMESH)
+   if (route_exists &&                  // route can be resolved after an on-demand
+                                        // VHDS update
+       !callbacks_->decodingBuffer() && // Redirects with body not yet supported.
+       callbacks_->recreateStream(/*headers=*/nullptr)) {
+     return;
+   }
++#endif
+ 
+   // route cannot be resolved after an on-demand VHDS update or
+   // recreating stream failed, continue the filter-chain

envoy/1.20/patches/envoy/20240110-fix-srds.patch

@@ -0,0 +1,49 @@
+diff -Naur envoy/source/common/router/BUILD envoy-new/source/common/router/BUILD
+--- envoy/source/common/router/BUILD	2024-01-10 20:10:14.505600746 +0800
++++ envoy-new/source/common/router/BUILD	2024-01-10 20:07:25.960379955 +0800
+@@ -212,6 +212,7 @@
+         "//envoy/router:rds_interface",
+         "//envoy/router:scopes_interface",
+         "//envoy/thread_local:thread_local_interface",
++        "//source/common/http:header_utility_lib",
+         "@envoy_api//envoy/config/route/v3:pkg_cc_proto",
+         "@envoy_api//envoy/extensions/filters/network/http_connection_manager/v3:pkg_cc_proto",
+     ],
+diff -Naur envoy/source/common/router/scoped_config_impl.cc envoy-new/source/common/router/scoped_config_impl.cc
+--- envoy/source/common/router/scoped_config_impl.cc	2024-01-10 20:10:14.529600924 +0800
++++ envoy-new/source/common/router/scoped_config_impl.cc	2024-01-10 20:09:50.161422411 +0800
+@@ -3,6 +3,8 @@
+ #include "envoy/config/route/v3/scoped_route.pb.h"
+ #include "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.h"
+ 
++#include "source/common/http/header_utility.h"
++
+ namespace Envoy {
+ namespace Router {
+ 
+@@ -74,18 +76,20 @@
+ HostValueExtractorImpl::computeFragment(const Http::HeaderMap& headers,
+                                         const StreamInfo::StreamInfo&,
+                                         ReComputeCbPtr& recompute) const {
+-  auto fragment = computeFragment(headers);
+   auto host = static_cast<const Http::RequestHeaderMap&>(headers).getHostValue();
++  auto port_start = Http::HeaderUtility::getPortStart(host);
++  if (port_start != absl::string_view::npos) {
++    host = host.substr(0, port_start);
++  }
+   *recompute = [this, host, recompute]() mutable -> std::unique_ptr<ScopeKeyFragmentBase> {
+     return reComputeHelper(std::string(host), recompute, 0);
+   };
+-  return fragment;
++  return std::make_unique<StringKeyFragment>(host);
+ }
+ 
+ std::unique_ptr<ScopeKeyFragmentBase>
+-HostValueExtractorImpl::computeFragment(const Http::HeaderMap& headers) const {
+-  return std::make_unique<StringKeyFragment>(
+-      static_cast<const Http::RequestHeaderMap&>(headers).getHostValue());
++HostValueExtractorImpl::computeFragment(const Http::HeaderMap&) const {
++  return nullptr;
+ }
+ 
+ std::unique_ptr<ScopeKeyFragmentBase>

envoy/1.20/patches/envoy/20240111-fix-srds-compute.patch

@@ -0,0 +1,65 @@
+diff -Naur envoy/source/common/router/scoped_config_impl.cc envoy-new/source/common/router/scoped_config_impl.cc
+--- envoy/source/common/router/scoped_config_impl.cc	2024-01-11 16:23:55.407881263 +0800
++++ envoy-new/source/common/router/scoped_config_impl.cc	2024-01-11 16:23:42.311786814 +0800
+@@ -53,21 +53,26 @@
+ }
+ 
+ std::unique_ptr<ScopeKeyFragmentBase>
+-HostValueExtractorImpl::reComputeHelper(const std::string& host, ReComputeCbPtr& next_recompute,
++HostValueExtractorImpl::reComputeHelper(const std::string& host,
++                                        ReComputeCbWeakPtr& weak_next_recompute,
+                                         uint32_t recompute_seq) const {
+   if (recompute_seq == max_recompute_num_) {
+     ENVOY_LOG_MISC(warn,
+                    "recompute host fragment failed, maximum number of recalculations exceeded");
+     return nullptr;
+   }
++  auto next_recompute = weak_next_recompute.lock();
++  if (!next_recompute) {
++    return nullptr;
++  }
+   if (host == "*") {
+     *next_recompute = nullptr;
+     return nullptr;
+   }
+   auto masked_host = maskFirstDNSLabel(host);
+   *next_recompute = [this, masked_host, recompute_seq,
+-                     next_recompute]() mutable -> std::unique_ptr<ScopeKeyFragmentBase> {
+-    return reComputeHelper(masked_host, next_recompute, recompute_seq + 1);
++                     weak_next_recompute]() mutable -> std::unique_ptr<ScopeKeyFragmentBase> {
++    return reComputeHelper(masked_host, weak_next_recompute, recompute_seq + 1);
+   };
+   return std::make_unique<StringKeyFragment>(masked_host);
+ }
+@@ -81,8 +86,9 @@
+   if (port_start != absl::string_view::npos) {
+     host = host.substr(0, port_start);
+   }
+-  *recompute = [this, host, recompute]() mutable -> std::unique_ptr<ScopeKeyFragmentBase> {
+-    return reComputeHelper(std::string(host), recompute, 0);
++  *recompute = [this, host, weak_recompute = ReComputeCbWeakPtr(recompute)]() mutable
++      -> std::unique_ptr<ScopeKeyFragmentBase> {
++    return reComputeHelper(std::string(host), weak_recompute, 0);
+   };
+   return std::make_unique<StringKeyFragment>(host);
+ }
+diff -Naur envoy/source/common/router/scoped_config_impl.h envoy-new/source/common/router/scoped_config_impl.h
+--- envoy/source/common/router/scoped_config_impl.h	2024-01-11 16:23:55.407881263 +0800
++++ envoy-new/source/common/router/scoped_config_impl.h	2024-01-11 16:23:42.311786814 +0800
+@@ -25,6 +25,7 @@
+ #if defined(ALIMESH)
+ using ReComputeCb = std::function<std::unique_ptr<ScopeKeyFragmentBase>()>;
+ using ReComputeCbPtr = std::shared_ptr<ReComputeCb>;
++using ReComputeCbWeakPtr = std::weak_ptr<ReComputeCb>;
+ #endif
+ 
+ /**
+@@ -83,7 +84,7 @@
+ 
+ private:
+   std::unique_ptr<ScopeKeyFragmentBase> reComputeHelper(const std::string& host,
+-                                                        ReComputeCbPtr& next_recompute,
++                                                        ReComputeCbWeakPtr& weak_next_recompute,
+                                                         uint32_t recompute_seq) const;
+ 
+   static constexpr uint32_t DefaultMaxRecomputeNum = 100;

envoy/1.20/patches/envoy/20240521-fix-wasm-host.patch

@@ -0,0 +1,14 @@
+diff -Naur envoy/bazel/repository_locations.bzl envoy-new/bazel/repository_locations.bzl
+--- envoy/bazel/repository_locations.bzl	2024-05-21 22:49:46.686598518 +0800
++++ envoy-new/bazel/repository_locations.bzl	2024-05-21 22:49:02.554597652 +0800
+@@ -1031,8 +1031,8 @@
+         project_name = "WebAssembly for Proxies (C++ host implementation)",
+         project_desc = "WebAssembly for Proxies (C++ host implementation)",
+         project_url = "https://github.com/higress-group/proxy-wasm-cpp-host",
+-        version = "f8b624dc6c37d4e0a3c1b332652746793e2031ad",
+-        sha256 = "ba20328101c91d0ae6383947ced99620cd9b4ea22ab2fda6b26f343b38c3be83",
++        version = "cad2eb04d402dbf559101f3cb4f44da0d9c5b0b0",
++        sha256 = "4efbcc97c58994fab92c9dc50c051ad16463647d4c0c6df36a7204d2984c1e63",
+         strip_prefix = "proxy-wasm-cpp-host-{version}",
+         urls = ["https://github.com/higress-group/proxy-wasm-cpp-host/archive/{version}.tar.gz"],
+         use_category = ["dataplane_ext"],

envoy/1.20/patches/go-control-plane/20240104-enhance-srds.patch

@@ -0,0 +1,931 @@
+diff -Naur go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.go go-control-plane-new/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.go
+--- go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.go	2024-01-04 21:07:22.000000000 +0800
++++ go-control-plane-new/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.go	2024-01-04 21:02:10.000000000 +0800
+@@ -2286,6 +2286,8 @@
+ 
+ 	// Types that are assignable to Type:
+ 	//	*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_
++	//	*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor_
++	//	*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor_
+ 	Type isScopedRoutes_ScopeKeyBuilder_FragmentBuilder_Type `protobuf_oneof:"type"`
+ }
+ 
+@@ -2335,6 +2337,20 @@
+ 	return nil
+ }
+ 
++func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder) GetHostValueExtractor() *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor {
++	if x, ok := x.GetType().(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor_); ok {
++		return x.HostValueExtractor
++	}
++	return nil
++}
++
++func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder) GetLocalPortValueExtractor() *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor {
++	if x, ok := x.GetType().(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor_); ok {
++		return x.LocalPortValueExtractor
++	}
++	return nil
++}
++
+ type isScopedRoutes_ScopeKeyBuilder_FragmentBuilder_Type interface {
+ 	isScopedRoutes_ScopeKeyBuilder_FragmentBuilder_Type()
+ }
+@@ -2344,9 +2360,23 @@
+ 	HeaderValueExtractor *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor `protobuf:"bytes,1,opt,name=header_value_extractor,json=headerValueExtractor,proto3,oneof"`
+ }
+ 
++type ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor_ struct {
++	HostValueExtractor *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor `protobuf:"bytes,101,opt,name=host_value_extractor,json=hostValueExtractor,proto3,oneof"`
++}
++
++type ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor_ struct {
++	LocalPortValueExtractor *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor `protobuf:"bytes,102,opt,name=local_port_value_extractor,json=localPortValueExtractor,proto3,oneof"`
++}
++
+ func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_) isScopedRoutes_ScopeKeyBuilder_FragmentBuilder_Type() {
+ }
+ 
++func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor_) isScopedRoutes_ScopeKeyBuilder_FragmentBuilder_Type() {
++}
++
++func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor_) isScopedRoutes_ScopeKeyBuilder_FragmentBuilder_Type() {
++}
++
+ // Specifies how the value of a header should be extracted.
+ // The following example maps the structure of a header to the fields in this message.
+ //
+@@ -2475,6 +2505,92 @@
+ func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_Element) isScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_ExtractType() {
+ }
+ 
++type ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor struct {
++	state         protoimpl.MessageState
++	sizeCache     protoimpl.SizeCache
++	unknownFields protoimpl.UnknownFields
++
++	// The maximum number of host superset recomputes. If not specified, defaults to 100.
++	MaxRecomputeNum *wrappers.UInt32Value `protobuf:"bytes,1,opt,name=max_recompute_num,json=maxRecomputeNum,proto3" json:"max_recompute_num,omitempty"`
++}
++
++func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor) Reset() {
++	*x = ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor{}
++	if protoimpl.UnsafeEnabled {
++		mi := &file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[18]
++		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
++		ms.StoreMessageInfo(mi)
++	}
++}
++
++func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor) String() string {
++	return protoimpl.X.MessageStringOf(x)
++}
++
++func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor) ProtoMessage() {}
++
++func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor) ProtoReflect() protoreflect.Message {
++	mi := &file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[18]
++	if protoimpl.UnsafeEnabled && x != nil {
++		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
++		if ms.LoadMessageInfo() == nil {
++			ms.StoreMessageInfo(mi)
++		}
++		return ms
++	}
++	return mi.MessageOf(x)
++}
++
++// Deprecated: Use ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor.ProtoReflect.Descriptor instead.
++func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor) Descriptor() ([]byte, []int) {
++	return file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_rawDescGZIP(), []int{5, 0, 0, 1}
++}
++
++func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor) GetMaxRecomputeNum() *wrappers.UInt32Value {
++	if x != nil {
++		return x.MaxRecomputeNum
++	}
++	return nil
++}
++
++type ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor struct {
++	state         protoimpl.MessageState
++	sizeCache     protoimpl.SizeCache
++	unknownFields protoimpl.UnknownFields
++}
++
++func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor) Reset() {
++	*x = ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor{}
++	if protoimpl.UnsafeEnabled {
++		mi := &file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[19]
++		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
++		ms.StoreMessageInfo(mi)
++	}
++}
++
++func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor) String() string {
++	return protoimpl.X.MessageStringOf(x)
++}
++
++func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor) ProtoMessage() {}
++
++func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor) ProtoReflect() protoreflect.Message {
++	mi := &file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[19]
++	if protoimpl.UnsafeEnabled && x != nil {
++		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
++		if ms.LoadMessageInfo() == nil {
++			ms.StoreMessageInfo(mi)
++		}
++		return ms
++	}
++	return mi.MessageOf(x)
++}
++
++// Deprecated: Use ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor.ProtoReflect.Descriptor instead.
++func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor) Descriptor() ([]byte, []int) {
++	return file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_rawDescGZIP(), []int{5, 0, 0, 2}
++}
++
+ // Specifies a header field's key value pair to match on.
+ type ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement struct {
+ 	state         protoimpl.MessageState
+@@ -2494,7 +2610,7 @@
+ func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement) Reset() {
+ 	*x = ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement{}
+ 	if protoimpl.UnsafeEnabled {
+-		mi := &file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[18]
++		mi := &file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[20]
+ 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ 		ms.StoreMessageInfo(mi)
+ 	}
+@@ -2507,7 +2623,7 @@
+ func (*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement) ProtoMessage() {}
+ 
+ func (x *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement) ProtoReflect() protoreflect.Message {
+-	mi := &file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[18]
++	mi := &file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[20]
+ 	if protoimpl.UnsafeEnabled && x != nil {
+ 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ 		if ms.LoadMessageInfo() == nil {
+@@ -3079,7 +3195,7 @@
+ 	0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61,
+ 	0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52,
+ 	0x6f, 0x75, 0x74, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f,
+-	0x6e, 0x73, 0x4c, 0x69, 0x73, 0x74, 0x22, 0xe9, 0x0e, 0x0a, 0x0c, 0x53, 0x63, 0x6f, 0x70, 0x65,
++	0x6e, 0x73, 0x4c, 0x69, 0x73, 0x74, 0x22, 0xe1, 0x14, 0x0a, 0x0c, 0x53, 0x63, 0x6f, 0x70, 0x65,
+ 	0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x1b, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18,
+ 	0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x04,
+ 	0x6e, 0x61, 0x6d, 0x65, 0x12, 0x8f, 0x01, 0x0a, 0x11, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x5f, 0x6b,
+@@ -3114,7 +3230,7 @@
+ 	0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f,
+ 	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x33, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65,
+ 	0x64, 0x52, 0x64, 0x73, 0x48, 0x00, 0x52, 0x09, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x64,
+-	0x73, 0x1a, 0xd9, 0x09, 0x0a, 0x0f, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75,
++	0x73, 0x1a, 0xd1, 0x0f, 0x0a, 0x0f, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75,
+ 	0x69, 0x6c, 0x64, 0x65, 0x72, 0x12, 0x91, 0x01, 0x0a, 0x09, 0x66, 0x72, 0x61, 0x67, 0x6d, 0x65,
+ 	0x6e, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x69, 0x2e, 0x65, 0x6e, 0x76, 0x6f,
+ 	0x79, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c,
+@@ -3124,7 +3240,7 @@
+ 	0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69,
+ 	0x6c, 0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x69,
+ 	0x6c, 0x64, 0x65, 0x72, 0x42, 0x08, 0xfa, 0x42, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x09,
+-	0x66, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x1a, 0xd5, 0x07, 0x0a, 0x0f, 0x46, 0x72,
++	0x66, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x1a, 0xcd, 0x0d, 0x0a, 0x0f, 0x46, 0x72,
+ 	0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x12, 0xb6, 0x01,
+ 	0x0a, 0x16, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65,
+ 	0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x7e,
+@@ -3137,131 +3253,178 @@
+ 	0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72,
+ 	0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x48, 0x00,
+ 	0x52, 0x14, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74,
+-	0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x1a, 0x8f, 0x05, 0x0a, 0x14, 0x48, 0x65, 0x61, 0x64, 0x65,
+-	0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x12,
+-	0x1b, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa,
+-	0x42, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x2b, 0x0a, 0x11,
+-	0x65, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x73, 0x65, 0x70, 0x61, 0x72, 0x61, 0x74, 0x6f,
+-	0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x10, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74,
+-	0x53, 0x65, 0x70, 0x61, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x16, 0x0a, 0x05, 0x69, 0x6e, 0x64,
+-	0x65, 0x78, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x48, 0x00, 0x52, 0x05, 0x69, 0x6e, 0x64, 0x65,
+-	0x78, 0x12, 0xa5, 0x01, 0x0a, 0x07, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x18, 0x04, 0x20,
+-	0x01, 0x28, 0x0b, 0x32, 0x88, 0x01, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74,
+-	0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x2e,
++	0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x12, 0xb0, 0x01, 0x0a, 0x14, 0x68, 0x6f, 0x73, 0x74, 0x5f,
++	0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x18,
++	0x65, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x7c, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78,
++	0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73,
++	0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f,
++	0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72,
++	0x2e, 0x76, 0x33, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73,
++	0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72,
++	0x2e, 0x46, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72,
++	0x2e, 0x48, 0x6f, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63,
++	0x74, 0x6f, 0x72, 0x48, 0x00, 0x52, 0x12, 0x68, 0x6f, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65,
++	0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x12, 0xc1, 0x01, 0x0a, 0x1a, 0x6c, 0x6f,
++	0x63, 0x61, 0x6c, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x65,
++	0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x66, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x81,
++	0x01, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f,
++	0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f,
++	0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69,
++	0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x33, 0x2e, 0x53, 0x63,
++	0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65,
++	0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61, 0x67, 0x6d,
++	0x65, 0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x4c, 0x6f, 0x63, 0x61, 0x6c,
++	0x50, 0x6f, 0x72, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74,
++	0x6f, 0x72, 0x48, 0x00, 0x52, 0x17, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x50, 0x6f, 0x72, 0x74, 0x56,
++	0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x1a, 0x8f, 0x05,
++	0x0a, 0x14, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74,
++	0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x1b, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01,
++	0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x04, 0x6e,
++	0x61, 0x6d, 0x65, 0x12, 0x2b, 0x0a, 0x11, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x73,
++	0x65, 0x70, 0x61, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x10,
++	0x65, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x70, 0x61, 0x72, 0x61, 0x74, 0x6f, 0x72,
++	0x12, 0x16, 0x0a, 0x05, 0x69, 0x6e, 0x64, 0x65, 0x78, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x48,
++	0x00, 0x52, 0x05, 0x69, 0x6e, 0x64, 0x65, 0x78, 0x12, 0xa5, 0x01, 0x0a, 0x07, 0x65, 0x6c, 0x65,
++	0x6d, 0x65, 0x6e, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x88, 0x01, 0x2e, 0x65, 0x6e,
++	0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x66,
++	0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68,
++	0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d,
++	0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x33, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64,
++	0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42,
++	0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42,
++	0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x56, 0x61, 0x6c,
++	0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x2e, 0x4b, 0x76, 0x45, 0x6c,
++	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x48, 0x00, 0x52, 0x07, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74,
++	0x1a, 0xdb, 0x01, 0x0a, 0x09, 0x4b, 0x76, 0x45, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x25,
++	0x0a, 0x09, 0x73, 0x65, 0x70, 0x61, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28,
++	0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x09, 0x73, 0x65, 0x70, 0x61,
++	0x72, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x19, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01,
++	0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x03, 0x6b, 0x65, 0x79,
++	0x3a, 0x8b, 0x01, 0x9a, 0xc5, 0x88, 0x1e, 0x85, 0x01, 0x0a, 0x82, 0x01, 0x65, 0x6e, 0x76, 0x6f,
++	0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e,
+ 	0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e,
+ 	0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e,
+-	0x76, 0x33, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e,
++	0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e,
+ 	0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e,
+ 	0x46, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e,
+ 	0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61,
+-	0x63, 0x74, 0x6f, 0x72, 0x2e, 0x4b, 0x76, 0x45, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x48, 0x00,
+-	0x52, 0x07, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x1a, 0xdb, 0x01, 0x0a, 0x09, 0x4b, 0x76,
+-	0x45, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x25, 0x0a, 0x09, 0x73, 0x65, 0x70, 0x61, 0x72,
+-	0x61, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, 0x72,
+-	0x02, 0x10, 0x01, 0x52, 0x09, 0x73, 0x65, 0x70, 0x61, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x19,
+-	0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04,
+-	0x72, 0x02, 0x10, 0x01, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x3a, 0x8b, 0x01, 0x9a, 0xc5, 0x88, 0x1e,
+-	0x85, 0x01, 0x0a, 0x82, 0x01, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69,
++	0x63, 0x74, 0x6f, 0x72, 0x2e, 0x4b, 0x76, 0x45, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x3a, 0x7f,
++	0x9a, 0xc5, 0x88, 0x1e, 0x7a, 0x0a, 0x78, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e,
++	0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f,
++	0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69,
++	0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63,
++	0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65,
++	0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61, 0x67, 0x6d,
++	0x65, 0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x48, 0x65, 0x61, 0x64, 0x65,
++	0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x42,
++	0x0e, 0x0a, 0x0c, 0x65, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x1a,
++	0xdd, 0x01, 0x0a, 0x12, 0x48, 0x6f, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74,
++	0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x48, 0x0a, 0x11, 0x6d, 0x61, 0x78, 0x5f, 0x72, 0x65,
++	0x63, 0x6f, 0x6d, 0x70, 0x75, 0x74, 0x65, 0x5f, 0x6e, 0x75, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28,
++	0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
++	0x62, 0x75, 0x66, 0x2e, 0x55, 0x49, 0x6e, 0x74, 0x33, 0x32, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52,
++	0x0f, 0x6d, 0x61, 0x78, 0x52, 0x65, 0x63, 0x6f, 0x6d, 0x70, 0x75, 0x74, 0x65, 0x4e, 0x75, 0x6d,
++	0x3a, 0x7d, 0x9a, 0xc5, 0x88, 0x1e, 0x78, 0x0a, 0x76, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63,
++	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74,
++	0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63,
++	0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e,
++	0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f,
++	0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61,
++	0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x48, 0x6f, 0x73,
++	0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x1a,
++	0x9e, 0x01, 0x0a, 0x17, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x50, 0x6f, 0x72, 0x74, 0x56, 0x61, 0x6c,
++	0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x3a, 0x82, 0x01, 0x9a, 0xc5,
++	0x88, 0x1e, 0x7d, 0x0a, 0x7b, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69,
+ 	0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b,
+ 	0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e,
+ 	0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f, 0x70,
+ 	0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65,
+ 	0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e,
+-	0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x56,
+-	0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x2e, 0x4b, 0x76,
+-	0x45, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x3a, 0x7f, 0x9a, 0xc5, 0x88, 0x1e, 0x7a, 0x0a, 0x78,
+-	0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c,
+-	0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70,
+-	0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61,
+-	0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75,
+-	0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c,
+-	0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c,
+-	0x64, 0x65, 0x72, 0x2e, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45,
+-	0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x42, 0x0e, 0x0a, 0x0c, 0x65, 0x78, 0x74, 0x72,
+-	0x61, 0x63, 0x74, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x3a, 0x6a, 0x9a, 0xc5, 0x88, 0x1e, 0x65, 0x0a,
+-	0x63, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69,
+-	0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74,
+-	0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e,
+-	0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f,
+-	0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69,
+-	0x6c, 0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x69,
+-	0x6c, 0x64, 0x65, 0x72, 0x42, 0x0b, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x03, 0xf8, 0x42,
+-	0x01, 0x3a, 0x5a, 0x9a, 0xc5, 0x88, 0x1e, 0x55, 0x0a, 0x53, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e,
+-	0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65,
+-	0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65,
+-	0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32,
+-	0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63,
+-	0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x3a, 0x4a, 0x9a,
+-	0xc5, 0x88, 0x1e, 0x45, 0x0a, 0x43, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66,
+-	0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72,
+-	0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f,
+-	0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f,
+-	0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x42, 0x17, 0x0a, 0x10, 0x63, 0x6f, 0x6e,
+-	0x66, 0x69, 0x67, 0x5f, 0x73, 0x70, 0x65, 0x63, 0x69, 0x66, 0x69, 0x65, 0x72, 0x12, 0x03, 0xf8,
+-	0x42, 0x01, 0x22, 0xf1, 0x01, 0x0a, 0x09, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x64, 0x73,
+-	0x12, 0x65, 0x0a, 0x18, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x5f, 0x72, 0x64, 0x73, 0x5f, 0x63,
+-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01,
+-	0x28, 0x0b, 0x32, 0x22, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69,
+-	0x67, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x33, 0x2e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
+-	0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x42, 0x08, 0xfa, 0x42, 0x05, 0x8a, 0x01, 0x02, 0x10, 0x01,
+-	0x52, 0x15, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x64, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69,
+-	0x67, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x34, 0x0a, 0x16, 0x73, 0x72, 0x64, 0x73, 0x5f,
+-	0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x5f, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x6f,
+-	0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x14, 0x73, 0x72, 0x64, 0x73, 0x52, 0x65, 0x73,
+-	0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x4c, 0x6f, 0x63, 0x61, 0x74, 0x6f, 0x72, 0x3a, 0x47, 0x9a,
+-	0xc5, 0x88, 0x1e, 0x42, 0x0a, 0x40, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66,
+-	0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72,
+-	0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f,
+-	0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f,
+-	0x70, 0x65, 0x64, 0x52, 0x64, 0x73, 0x22, 0xcc, 0x02, 0x0a, 0x0a, 0x48, 0x74, 0x74, 0x70, 0x46,
+-	0x69, 0x6c, 0x74, 0x65, 0x72, 0x12, 0x1b, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20,
+-	0x01, 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x04, 0x6e, 0x61,
+-	0x6d, 0x65, 0x12, 0x39, 0x0a, 0x0c, 0x74, 0x79, 0x70, 0x65, 0x64, 0x5f, 0x63, 0x6f, 0x6e, 0x66,
+-	0x69, 0x67, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
+-	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79, 0x48, 0x00,
+-	0x52, 0x0b, 0x74, 0x79, 0x70, 0x65, 0x64, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x58, 0x0a,
+-	0x10, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72,
+-	0x79, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e,
+-	0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x33, 0x2e, 0x45,
+-	0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x6f,
+-	0x75, 0x72, 0x63, 0x65, 0x48, 0x00, 0x52, 0x0f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x44, 0x69,
+-	0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x12, 0x1f, 0x0a, 0x0b, 0x69, 0x73, 0x5f, 0x6f, 0x70,
+-	0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x69, 0x73,
+-	0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x3a, 0x48, 0x9a, 0xc5, 0x88, 0x1e, 0x43, 0x0a,
+-	0x41, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69,
+-	0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74,
+-	0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e,
+-	0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x48, 0x74, 0x74, 0x70, 0x46, 0x69, 0x6c, 0x74,
+-	0x65, 0x72, 0x42, 0x0d, 0x0a, 0x0b, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x74, 0x79, 0x70,
+-	0x65, 0x4a, 0x04, 0x08, 0x03, 0x10, 0x04, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x52, 0x06, 0x63,
+-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0x9f, 0x01, 0x0a, 0x12, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+-	0x74, 0x49, 0x44, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x37, 0x0a, 0x0c,
+-	0x74, 0x79, 0x70, 0x65, 0x64, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01,
+-	0x28, 0x0b, 0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+-	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79, 0x52, 0x0b, 0x74, 0x79, 0x70, 0x65, 0x64, 0x43,
+-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x3a, 0x50, 0x9a, 0xc5, 0x88, 0x1e, 0x4b, 0x0a, 0x49, 0x65, 0x6e,
++	0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x50, 0x6f,
++	0x72, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x6f, 0x72,
++	0x3a, 0x6a, 0x9a, 0xc5, 0x88, 0x1e, 0x65, 0x0a, 0x63, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63,
++	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74,
++	0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63,
++	0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e,
++	0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f,
++	0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x46, 0x72, 0x61,
++	0x67, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x42, 0x0b, 0x0a, 0x04,
++	0x74, 0x79, 0x70, 0x65, 0x12, 0x03, 0xf8, 0x42, 0x01, 0x3a, 0x5a, 0x9a, 0xc5, 0x88, 0x1e, 0x55,
++	0x0a, 0x53, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66,
++	0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74,
++	0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61,
++	0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52,
++	0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x75,
++	0x69, 0x6c, 0x64, 0x65, 0x72, 0x3a, 0x4a, 0x9a, 0xc5, 0x88, 0x1e, 0x45, 0x0a, 0x43, 0x65, 0x6e,
+ 	0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65,
+ 	0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63,
+ 	0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
+-	0x72, 0x2e, 0x76, 0x32, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x49, 0x44, 0x45, 0x78,
+-	0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x8e, 0x01, 0x0a, 0x20, 0x45, 0x6e, 0x76, 0x6f,
+-	0x79, 0x4d, 0x6f, 0x62, 0x69, 0x6c, 0x65, 0x48, 0x74, 0x74, 0x70, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
+-	0x63, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x12, 0x6a, 0x0a, 0x06,
+-	0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x52, 0x2e, 0x65,
+-	0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e,
+-	0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e,
+-	0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f,
+-	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x33, 0x2e, 0x48, 0x74, 0x74, 0x70, 0x43,
+-	0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72,
+-	0x52, 0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x42, 0x71, 0x0a, 0x49, 0x69, 0x6f, 0x2e, 0x65,
+-	0x6e, 0x76, 0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e,
+-	0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65,
+-	0x72, 0x73, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f,
+-	0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67,
+-	0x65, 0x72, 0x2e, 0x76, 0x33, 0x42, 0x1a, 0x48, 0x74, 0x74, 0x70, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
+-	0x63, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x50, 0x72, 0x6f, 0x74,
+-	0x6f, 0x50, 0x01, 0xba, 0x80, 0xc8, 0xd1, 0x06, 0x02, 0x10, 0x02, 0x62, 0x06, 0x70, 0x72, 0x6f,
+-	0x74, 0x6f, 0x33,
++	0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65,
++	0x73, 0x42, 0x17, 0x0a, 0x10, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x73, 0x70, 0x65, 0x63,
++	0x69, 0x66, 0x69, 0x65, 0x72, 0x12, 0x03, 0xf8, 0x42, 0x01, 0x22, 0xf1, 0x01, 0x0a, 0x09, 0x53,
++	0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x64, 0x73, 0x12, 0x65, 0x0a, 0x18, 0x73, 0x63, 0x6f, 0x70,
++	0x65, 0x64, 0x5f, 0x72, 0x64, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x73, 0x6f,
++	0x75, 0x72, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x65, 0x6e, 0x76,
++	0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76,
++	0x33, 0x2e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x42, 0x08,
++	0xfa, 0x42, 0x05, 0x8a, 0x01, 0x02, 0x10, 0x01, 0x52, 0x15, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x64,
++	0x52, 0x64, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12,
++	0x34, 0x0a, 0x16, 0x73, 0x72, 0x64, 0x73, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65,
++	0x73, 0x5f, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
++	0x14, 0x73, 0x72, 0x64, 0x73, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x4c, 0x6f,
++	0x63, 0x61, 0x74, 0x6f, 0x72, 0x3a, 0x47, 0x9a, 0xc5, 0x88, 0x1e, 0x42, 0x0a, 0x40, 0x65, 0x6e,
++	0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65,
++	0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63,
++	0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
++	0x72, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x64, 0x52, 0x64, 0x73, 0x22, 0xcc,
++	0x02, 0x0a, 0x0a, 0x48, 0x74, 0x74, 0x70, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x12, 0x1b, 0x0a,
++	0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04,
++	0x72, 0x02, 0x10, 0x01, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x39, 0x0a, 0x0c, 0x74, 0x79,
++	0x70, 0x65, 0x64, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b,
++	0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
++	0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79, 0x48, 0x00, 0x52, 0x0b, 0x74, 0x79, 0x70, 0x65, 0x64, 0x43,
++	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x58, 0x0a, 0x10, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f,
++	0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32,
++	0x2b, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x63,
++	0x6f, 0x72, 0x65, 0x2e, 0x76, 0x33, 0x2e, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e,
++	0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x48, 0x00, 0x52, 0x0f,
++	0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x44, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x12,
++	0x1f, 0x0a, 0x0b, 0x69, 0x73, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x18, 0x06,
++	0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x69, 0x73, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c,
++	0x3a, 0x48, 0x9a, 0xc5, 0x88, 0x1e, 0x43, 0x0a, 0x41, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63,
++	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74,
++	0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63,
++	0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e,
++	0x48, 0x74, 0x74, 0x70, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x42, 0x0d, 0x0a, 0x0b, 0x63, 0x6f,
++	0x6e, 0x66, 0x69, 0x67, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x4a, 0x04, 0x08, 0x03, 0x10, 0x04, 0x4a,
++	0x04, 0x08, 0x02, 0x10, 0x03, 0x52, 0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0x9f, 0x01,
++	0x0a, 0x12, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x49, 0x44, 0x45, 0x78, 0x74, 0x65, 0x6e,
++	0x73, 0x69, 0x6f, 0x6e, 0x12, 0x37, 0x0a, 0x0c, 0x74, 0x79, 0x70, 0x65, 0x64, 0x5f, 0x63, 0x6f,
++	0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f,
++	0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79,
++	0x52, 0x0b, 0x74, 0x79, 0x70, 0x65, 0x64, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x3a, 0x50, 0x9a,
++	0xc5, 0x88, 0x1e, 0x4b, 0x0a, 0x49, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66,
++	0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72,
++	0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f,
++	0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x52, 0x65, 0x71,
++	0x75, 0x65, 0x73, 0x74, 0x49, 0x44, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x22,
++	0x8e, 0x01, 0x0a, 0x20, 0x45, 0x6e, 0x76, 0x6f, 0x79, 0x4d, 0x6f, 0x62, 0x69, 0x6c, 0x65, 0x48,
++	0x74, 0x74, 0x70, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x6e,
++	0x61, 0x67, 0x65, 0x72, 0x12, 0x6a, 0x0a, 0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01,
++	0x20, 0x01, 0x28, 0x0b, 0x32, 0x52, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74,
++	0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x2e,
++	0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e,
++	0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e,
++	0x76, 0x33, 0x2e, 0x48, 0x74, 0x74, 0x70, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f,
++	0x6e, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x52, 0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67,
++	0x42, 0x71, 0x0a, 0x49, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78,
++	0x79, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f,
++	0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f,
++	0x72, 0x6b, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69,
++	0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x2e, 0x76, 0x33, 0x42, 0x1a, 0x48,
++	0x74, 0x74, 0x70, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x6e,
++	0x61, 0x67, 0x65, 0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0xba, 0x80, 0xc8, 0xd1, 0x06,
++	0x02, 0x10, 0x02, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+ }
+ 
+ var (
+@@ -3277,7 +3440,7 @@
+ }
+ 
+ var file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_enumTypes = make([]protoimpl.EnumInfo, 5)
+-var file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes = make([]protoimpl.MessageInfo, 19)
++var file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes = make([]protoimpl.MessageInfo, 21)
+ var file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_goTypes = []interface{}{
+ 	(HttpConnectionManager_CodecType)(0),                                                // 0: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.CodecType
+ 	(HttpConnectionManager_ServerHeaderTransformation)(0),                               // 1: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ServerHeaderTransformation
+@@ -3302,102 +3465,107 @@
+ 	(*ScopedRoutes_ScopeKeyBuilder)(nil),                                                // 20: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder
+ 	(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder)(nil),                                // 21: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder
+ 	(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor)(nil),           // 22: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor
+-	(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement)(nil), // 23: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.KvElement
+-	(*v32.RouteConfiguration)(nil),                                                      // 24: envoy.config.route.v3.RouteConfiguration
+-	(*wrappers.BoolValue)(nil),                                                          // 25: google.protobuf.BoolValue
+-	(*v3.HttpProtocolOptions)(nil),                                                      // 26: envoy.config.core.v3.HttpProtocolOptions
+-	(*v3.Http1ProtocolOptions)(nil),                                                     // 27: envoy.config.core.v3.Http1ProtocolOptions
+-	(*v3.Http2ProtocolOptions)(nil),                                                     // 28: envoy.config.core.v3.Http2ProtocolOptions
+-	(*v3.Http3ProtocolOptions)(nil),                                                     // 29: envoy.config.core.v3.Http3ProtocolOptions
+-	(*v3.SchemeHeaderTransformation)(nil),                                               // 30: envoy.config.core.v3.SchemeHeaderTransformation
+-	(*wrappers.UInt32Value)(nil),                                                        // 31: google.protobuf.UInt32Value
+-	(*duration.Duration)(nil),                                                           // 32: google.protobuf.Duration
+-	(*v31.AccessLog)(nil),                                                               // 33: envoy.config.accesslog.v3.AccessLog
+-	(*v3.TypedExtensionConfig)(nil),                                                     // 34: envoy.config.core.v3.TypedExtensionConfig
+-	(*v3.SubstitutionFormatString)(nil),                                                 // 35: envoy.config.core.v3.SubstitutionFormatString
+-	(*v31.AccessLogFilter)(nil),                                                         // 36: envoy.config.accesslog.v3.AccessLogFilter
+-	(*v3.DataSource)(nil),                                                               // 37: envoy.config.core.v3.DataSource
+-	(*v3.HeaderValueOption)(nil),                                                        // 38: envoy.config.core.v3.HeaderValueOption
+-	(*v3.ConfigSource)(nil),                                                             // 39: envoy.config.core.v3.ConfigSource
+-	(*v32.ScopedRouteConfiguration)(nil),                                                // 40: envoy.config.route.v3.ScopedRouteConfiguration
+-	(*any.Any)(nil),                                                                     // 41: google.protobuf.Any
+-	(*v3.ExtensionConfigSource)(nil),                                                    // 42: envoy.config.core.v3.ExtensionConfigSource
+-	(*v33.Percent)(nil),                                                                 // 43: envoy.type.v3.Percent
+-	(*v34.CustomTag)(nil),                                                               // 44: envoy.type.tracing.v3.CustomTag
+-	(*v35.Tracing_Http)(nil),                                                            // 45: envoy.config.trace.v3.Tracing.Http
+-	(*v36.PathTransformation)(nil),                                                      // 46: envoy.type.http.v3.PathTransformation
++	(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor)(nil),             // 23: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HostValueExtractor
++	(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor)(nil),        // 24: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.LocalPortValueExtractor
++	(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement)(nil), // 25: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.KvElement
++	(*v32.RouteConfiguration)(nil),                                                      // 26: envoy.config.route.v3.RouteConfiguration
++	(*wrappers.BoolValue)(nil),                                                          // 27: google.protobuf.BoolValue
++	(*v3.HttpProtocolOptions)(nil),                                                      // 28: envoy.config.core.v3.HttpProtocolOptions
++	(*v3.Http1ProtocolOptions)(nil),                                                     // 29: envoy.config.core.v3.Http1ProtocolOptions
++	(*v3.Http2ProtocolOptions)(nil),                                                     // 30: envoy.config.core.v3.Http2ProtocolOptions
++	(*v3.Http3ProtocolOptions)(nil),                                                     // 31: envoy.config.core.v3.Http3ProtocolOptions
++	(*v3.SchemeHeaderTransformation)(nil),                                               // 32: envoy.config.core.v3.SchemeHeaderTransformation
++	(*wrappers.UInt32Value)(nil),                                                        // 33: google.protobuf.UInt32Value
++	(*duration.Duration)(nil),                                                           // 34: google.protobuf.Duration
++	(*v31.AccessLog)(nil),                                                               // 35: envoy.config.accesslog.v3.AccessLog
++	(*v3.TypedExtensionConfig)(nil),                                                     // 36: envoy.config.core.v3.TypedExtensionConfig
++	(*v3.SubstitutionFormatString)(nil),                                                 // 37: envoy.config.core.v3.SubstitutionFormatString
++	(*v31.AccessLogFilter)(nil),                                                         // 38: envoy.config.accesslog.v3.AccessLogFilter
++	(*v3.DataSource)(nil),                                                               // 39: envoy.config.core.v3.DataSource
++	(*v3.HeaderValueOption)(nil),                                                        // 40: envoy.config.core.v3.HeaderValueOption
++	(*v3.ConfigSource)(nil),                                                             // 41: envoy.config.core.v3.ConfigSource
++	(*v32.ScopedRouteConfiguration)(nil),                                                // 42: envoy.config.route.v3.ScopedRouteConfiguration
++	(*any.Any)(nil),                                                                     // 43: google.protobuf.Any
++	(*v3.ExtensionConfigSource)(nil),                                                    // 44: envoy.config.core.v3.ExtensionConfigSource
++	(*v33.Percent)(nil),                                                                 // 45: envoy.type.v3.Percent
++	(*v34.CustomTag)(nil),                                                               // 46: envoy.type.tracing.v3.CustomTag
++	(*v35.Tracing_Http)(nil),                                                            // 47: envoy.config.trace.v3.Tracing.Http
++	(*v36.PathTransformation)(nil),                                                      // 48: envoy.type.http.v3.PathTransformation
+ }
+ var file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_depIdxs = []int32{
+ 	0,  // 0: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.codec_type:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.CodecType
+ 	8,  // 1: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.rds:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.Rds
+-	24, // 2: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.route_config:type_name -> envoy.config.route.v3.RouteConfiguration
++	26, // 2: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.route_config:type_name -> envoy.config.route.v3.RouteConfiguration
+ 	10, // 3: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.scoped_routes:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes
+ 	12, // 4: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http_filters:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpFilter
+-	25, // 5: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.add_user_agent:type_name -> google.protobuf.BoolValue
++	27, // 5: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.add_user_agent:type_name -> google.protobuf.BoolValue
+ 	15, // 6: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.tracing:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing
+-	26, // 7: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.common_http_protocol_options:type_name -> envoy.config.core.v3.HttpProtocolOptions
+-	27, // 8: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http_protocol_options:type_name -> envoy.config.core.v3.Http1ProtocolOptions
+-	28, // 9: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http2_protocol_options:type_name -> envoy.config.core.v3.Http2ProtocolOptions
+-	29, // 10: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http3_protocol_options:type_name -> envoy.config.core.v3.Http3ProtocolOptions
++	28, // 7: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.common_http_protocol_options:type_name -> envoy.config.core.v3.HttpProtocolOptions
++	29, // 8: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http_protocol_options:type_name -> envoy.config.core.v3.Http1ProtocolOptions
++	30, // 9: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http2_protocol_options:type_name -> envoy.config.core.v3.Http2ProtocolOptions
++	31, // 10: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http3_protocol_options:type_name -> envoy.config.core.v3.Http3ProtocolOptions
+ 	1,  // 11: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.server_header_transformation:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ServerHeaderTransformation
+-	30, // 12: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.scheme_header_transformation:type_name -> envoy.config.core.v3.SchemeHeaderTransformation
+-	31, // 13: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.max_request_headers_kb:type_name -> google.protobuf.UInt32Value
+-	32, // 14: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_idle_timeout:type_name -> google.protobuf.Duration
+-	32, // 15: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.request_timeout:type_name -> google.protobuf.Duration
+-	32, // 16: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.request_headers_timeout:type_name -> google.protobuf.Duration
+-	32, // 17: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.drain_timeout:type_name -> google.protobuf.Duration
+-	32, // 18: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.delayed_close_timeout:type_name -> google.protobuf.Duration
+-	33, // 19: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.access_log:type_name -> envoy.config.accesslog.v3.AccessLog
+-	25, // 20: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.use_remote_address:type_name -> google.protobuf.BoolValue
+-	34, // 21: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.original_ip_detection_extensions:type_name -> envoy.config.core.v3.TypedExtensionConfig
++	32, // 12: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.scheme_header_transformation:type_name -> envoy.config.core.v3.SchemeHeaderTransformation
++	33, // 13: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.max_request_headers_kb:type_name -> google.protobuf.UInt32Value
++	34, // 14: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_idle_timeout:type_name -> google.protobuf.Duration
++	34, // 15: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.request_timeout:type_name -> google.protobuf.Duration
++	34, // 16: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.request_headers_timeout:type_name -> google.protobuf.Duration
++	34, // 17: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.drain_timeout:type_name -> google.protobuf.Duration
++	34, // 18: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.delayed_close_timeout:type_name -> google.protobuf.Duration
++	35, // 19: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.access_log:type_name -> envoy.config.accesslog.v3.AccessLog
++	27, // 20: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.use_remote_address:type_name -> google.protobuf.BoolValue
++	36, // 21: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.original_ip_detection_extensions:type_name -> envoy.config.core.v3.TypedExtensionConfig
+ 	16, // 22: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.internal_address_config:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.InternalAddressConfig
+-	25, // 23: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.generate_request_id:type_name -> google.protobuf.BoolValue
++	27, // 23: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.generate_request_id:type_name -> google.protobuf.BoolValue
+ 	2,  // 24: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.forward_client_cert_details:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ForwardClientCertDetails
+ 	17, // 25: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.set_current_client_cert_details:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.SetCurrentClientCertDetails
+ 	18, // 26: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.upgrade_configs:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.UpgradeConfig
+-	25, // 27: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.normalize_path:type_name -> google.protobuf.BoolValue
++	27, // 27: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.normalize_path:type_name -> google.protobuf.BoolValue
+ 	3,  // 28: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.path_with_escaped_slashes_action:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathWithEscapedSlashesAction
+ 	13, // 29: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.request_id_extension:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.RequestIDExtension
+ 	6,  // 30: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.local_reply_config:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.LocalReplyConfig
+-	25, // 31: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_error_on_invalid_http_message:type_name -> google.protobuf.BoolValue
++	27, // 31: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_error_on_invalid_http_message:type_name -> google.protobuf.BoolValue
+ 	19, // 32: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.path_normalization_options:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathNormalizationOptions
+ 	7,  // 33: envoy.extensions.filters.network.http_connection_manager.v3.LocalReplyConfig.mappers:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper
+-	35, // 34: envoy.extensions.filters.network.http_connection_manager.v3.LocalReplyConfig.body_format:type_name -> envoy.config.core.v3.SubstitutionFormatString
+-	36, // 35: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.filter:type_name -> envoy.config.accesslog.v3.AccessLogFilter
+-	31, // 36: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.status_code:type_name -> google.protobuf.UInt32Value
+-	37, // 37: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.body:type_name -> envoy.config.core.v3.DataSource
+-	35, // 38: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.body_format_override:type_name -> envoy.config.core.v3.SubstitutionFormatString
+-	38, // 39: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.headers_to_add:type_name -> envoy.config.core.v3.HeaderValueOption
+-	39, // 40: envoy.extensions.filters.network.http_connection_manager.v3.Rds.config_source:type_name -> envoy.config.core.v3.ConfigSource
+-	40, // 41: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRouteConfigurationsList.scoped_route_configurations:type_name -> envoy.config.route.v3.ScopedRouteConfiguration
++	37, // 34: envoy.extensions.filters.network.http_connection_manager.v3.LocalReplyConfig.body_format:type_name -> envoy.config.core.v3.SubstitutionFormatString
++	38, // 35: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.filter:type_name -> envoy.config.accesslog.v3.AccessLogFilter
++	33, // 36: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.status_code:type_name -> google.protobuf.UInt32Value
++	39, // 37: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.body:type_name -> envoy.config.core.v3.DataSource
++	37, // 38: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.body_format_override:type_name -> envoy.config.core.v3.SubstitutionFormatString
++	40, // 39: envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper.headers_to_add:type_name -> envoy.config.core.v3.HeaderValueOption
++	41, // 40: envoy.extensions.filters.network.http_connection_manager.v3.Rds.config_source:type_name -> envoy.config.core.v3.ConfigSource
++	42, // 41: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRouteConfigurationsList.scoped_route_configurations:type_name -> envoy.config.route.v3.ScopedRouteConfiguration
+ 	20, // 42: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.scope_key_builder:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder
+-	39, // 43: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.rds_config_source:type_name -> envoy.config.core.v3.ConfigSource
++	41, // 43: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.rds_config_source:type_name -> envoy.config.core.v3.ConfigSource
+ 	9,  // 44: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.scoped_route_configurations_list:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRouteConfigurationsList
+ 	11, // 45: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.scoped_rds:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRds
+-	39, // 46: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRds.scoped_rds_config_source:type_name -> envoy.config.core.v3.ConfigSource
+-	41, // 47: envoy.extensions.filters.network.http_connection_manager.v3.HttpFilter.typed_config:type_name -> google.protobuf.Any
+-	42, // 48: envoy.extensions.filters.network.http_connection_manager.v3.HttpFilter.config_discovery:type_name -> envoy.config.core.v3.ExtensionConfigSource
+-	41, // 49: envoy.extensions.filters.network.http_connection_manager.v3.RequestIDExtension.typed_config:type_name -> google.protobuf.Any
++	41, // 46: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRds.scoped_rds_config_source:type_name -> envoy.config.core.v3.ConfigSource
++	43, // 47: envoy.extensions.filters.network.http_connection_manager.v3.HttpFilter.typed_config:type_name -> google.protobuf.Any
++	44, // 48: envoy.extensions.filters.network.http_connection_manager.v3.HttpFilter.config_discovery:type_name -> envoy.config.core.v3.ExtensionConfigSource
++	43, // 49: envoy.extensions.filters.network.http_connection_manager.v3.RequestIDExtension.typed_config:type_name -> google.protobuf.Any
+ 	5,  // 50: envoy.extensions.filters.network.http_connection_manager.v3.EnvoyMobileHttpConnectionManager.config:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+-	43, // 51: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.client_sampling:type_name -> envoy.type.v3.Percent
+-	43, // 52: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.random_sampling:type_name -> envoy.type.v3.Percent
+-	43, // 53: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.overall_sampling:type_name -> envoy.type.v3.Percent
+-	31, // 54: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.max_path_tag_length:type_name -> google.protobuf.UInt32Value
+-	44, // 55: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.custom_tags:type_name -> envoy.type.tracing.v3.CustomTag
+-	45, // 56: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.provider:type_name -> envoy.config.trace.v3.Tracing.Http
+-	25, // 57: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.SetCurrentClientCertDetails.subject:type_name -> google.protobuf.BoolValue
++	45, // 51: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.client_sampling:type_name -> envoy.type.v3.Percent
++	45, // 52: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.random_sampling:type_name -> envoy.type.v3.Percent
++	45, // 53: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.overall_sampling:type_name -> envoy.type.v3.Percent
++	33, // 54: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.max_path_tag_length:type_name -> google.protobuf.UInt32Value
++	46, // 55: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.custom_tags:type_name -> envoy.type.tracing.v3.CustomTag
++	47, // 56: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.provider:type_name -> envoy.config.trace.v3.Tracing.Http
++	27, // 57: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.SetCurrentClientCertDetails.subject:type_name -> google.protobuf.BoolValue
+ 	12, // 58: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.UpgradeConfig.filters:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.HttpFilter
+-	25, // 59: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.UpgradeConfig.enabled:type_name -> google.protobuf.BoolValue
+-	46, // 60: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathNormalizationOptions.forwarding_transformation:type_name -> envoy.type.http.v3.PathTransformation
+-	46, // 61: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathNormalizationOptions.http_filter_transformation:type_name -> envoy.type.http.v3.PathTransformation
++	27, // 59: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.UpgradeConfig.enabled:type_name -> google.protobuf.BoolValue
++	48, // 60: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathNormalizationOptions.forwarding_transformation:type_name -> envoy.type.http.v3.PathTransformation
++	48, // 61: envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathNormalizationOptions.http_filter_transformation:type_name -> envoy.type.http.v3.PathTransformation
+ 	21, // 62: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.fragments:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder
+ 	22, // 63: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.header_value_extractor:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor
+-	23, // 64: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.element:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.KvElement
+-	65, // [65:65] is the sub-list for method output_type
+-	65, // [65:65] is the sub-list for method input_type
+-	65, // [65:65] is the sub-list for extension type_name
+-	65, // [65:65] is the sub-list for extension extendee
+-	0,  // [0:65] is the sub-list for field type_name
++	23, // 64: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.host_value_extractor:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HostValueExtractor
++	24, // 65: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.local_port_value_extractor:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.LocalPortValueExtractor
++	25, // 66: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.element:type_name -> envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.KvElement
++	33, // 67: envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HostValueExtractor.max_recompute_num:type_name -> google.protobuf.UInt32Value
++	68, // [68:68] is the sub-list for method output_type
++	68, // [68:68] is the sub-list for method input_type
++	68, // [68:68] is the sub-list for extension type_name
++	68, // [68:68] is the sub-list for extension extendee
++	0,  // [0:68] is the sub-list for field type_name
+ }
+ 
+ func init() {
+@@ -3625,6 +3793,30 @@
+ 			}
+ 		}
+ 		file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[18].Exporter = func(v interface{}, i int) interface{} {
++			switch v := v.(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor); i {
++			case 0:
++				return &v.state
++			case 1:
++				return &v.sizeCache
++			case 2:
++				return &v.unknownFields
++			default:
++				return nil
++			}
++		}
++		file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[19].Exporter = func(v interface{}, i int) interface{} {
++			switch v := v.(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor); i {
++			case 0:
++				return &v.state
++			case 1:
++				return &v.sizeCache
++			case 2:
++				return &v.unknownFields
++			default:
++				return nil
++			}
++		}
++		file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[20].Exporter = func(v interface{}, i int) interface{} {
+ 			switch v := v.(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement); i {
+ 			case 0:
+ 				return &v.state
+@@ -3653,6 +3845,8 @@
+ 	}
+ 	file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[16].OneofWrappers = []interface{}{
+ 		(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_)(nil),
++		(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor_)(nil),
++		(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor_)(nil),
+ 	}
+ 	file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_msgTypes[17].OneofWrappers = []interface{}{
+ 		(*ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_Index)(nil),
+@@ -3664,7 +3858,7 @@
+ 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+ 			RawDescriptor: file_envoy_extensions_filters_network_http_connection_manager_v3_http_connection_manager_proto_rawDesc,
+ 			NumEnums:      5,
+-			NumMessages:   19,
++			NumMessages:   21,
+ 			NumExtensions: 0,
+ 			NumServices:   0,
+ 		},
+diff -Naur go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.validate.go go-control-plane-new/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.validate.go
+--- go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.validate.go	2024-01-04 21:07:22.000000000 +0800
++++ go-control-plane-new/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.validate.go	2024-01-04 21:02:10.000000000 +0800
+@@ -1986,6 +1986,30 @@
+ 			}
+ 		}
+ 
++	case *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor_:
++
++		if v, ok := interface{}(m.GetHostValueExtractor()).(interface{ Validate() error }); ok {
++			if err := v.Validate(); err != nil {
++				return ScopedRoutes_ScopeKeyBuilder_FragmentBuilderValidationError{
++					field:  "HostValueExtractor",
++					reason: "embedded message failed validation",
++					cause:  err,
++				}
++			}
++		}
++
++	case *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor_:
++
++		if v, ok := interface{}(m.GetLocalPortValueExtractor()).(interface{ Validate() error }); ok {
++			if err := v.Validate(); err != nil {
++				return ScopedRoutes_ScopeKeyBuilder_FragmentBuilderValidationError{
++					field:  "LocalPortValueExtractor",
++					reason: "embedded message failed validation",
++					cause:  err,
++				}
++			}
++		}
++
+ 	default:
+ 		return ScopedRoutes_ScopeKeyBuilder_FragmentBuilderValidationError{
+ 			field:  "Type",
+@@ -2162,6 +2186,172 @@
+ } = ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractorValidationError{}
+ 
+ // Validate checks the field values on
++// ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor with the
++// rules defined in the proto definition for this message. If any rules are
++// violated, an error is returned.
++func (m *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor) Validate() error {
++	if m == nil {
++		return nil
++	}
++
++	if v, ok := interface{}(m.GetMaxRecomputeNum()).(interface{ Validate() error }); ok {
++		if err := v.Validate(); err != nil {
++			return ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError{
++				field:  "MaxRecomputeNum",
++				reason: "embedded message failed validation",
++				cause:  err,
++			}
++		}
++	}
++
++	return nil
++}
++
++// ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError
++// is the validation error returned by
++// ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor.Validate if
++// the designated constraints aren't met.
++type ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError struct {
++	field  string
++	reason string
++	cause  error
++	key    bool
++}
++
++// Field function returns field value.
++func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError) Field() string {
++	return e.field
++}
++
++// Reason function returns reason value.
++func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError) Reason() string {
++	return e.reason
++}
++
++// Cause function returns cause value.
++func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError) Cause() error {
++	return e.cause
++}
++
++// Key function returns key value.
++func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError) Key() bool {
++	return e.key
++}
++
++// ErrorName returns error name.
++func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError) ErrorName() string {
++	return "ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError"
++}
++
++// Error satisfies the builtin error interface
++func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError) Error() string {
++	cause := ""
++	if e.cause != nil {
++		cause = fmt.Sprintf(" | caused by: %v", e.cause)
++	}
++
++	key := ""
++	if e.key {
++		key = "key for "
++	}
++
++	return fmt.Sprintf(
++		"invalid %sScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor.%s: %s%s",
++		key,
++		e.field,
++		e.reason,
++		cause)
++}
++
++var _ error = ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError{}
++
++var _ interface {
++	Field() string
++	Reason() string
++	Key() bool
++	Cause() error
++	ErrorName() string
++} = ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractorValidationError{}
++
++// Validate checks the field values on
++// ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor with
++// the rules defined in the proto definition for this message. If any rules
++// are violated, an error is returned.
++func (m *ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor) Validate() error {
++	if m == nil {
++		return nil
++	}
++
++	return nil
++}
++
++// ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError
++// is the validation error returned by
++// ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor.Validate
++// if the designated constraints aren't met.
++type ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError struct {
++	field  string
++	reason string
++	cause  error
++	key    bool
++}
++
++// Field function returns field value.
++func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError) Field() string {
++	return e.field
++}
++
++// Reason function returns reason value.
++func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError) Reason() string {
++	return e.reason
++}
++
++// Cause function returns cause value.
++func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError) Cause() error {
++	return e.cause
++}
++
++// Key function returns key value.
++func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError) Key() bool {
++	return e.key
++}
++
++// ErrorName returns error name.
++func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError) ErrorName() string {
++	return "ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError"
++}
++
++// Error satisfies the builtin error interface
++func (e ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError) Error() string {
++	cause := ""
++	if e.cause != nil {
++		cause = fmt.Sprintf(" | caused by: %v", e.cause)
++	}
++
++	key := ""
++	if e.key {
++		key = "key for "
++	}
++
++	return fmt.Sprintf(
++		"invalid %sScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor.%s: %s%s",
++		key,
++		e.field,
++		e.reason,
++		cause)
++}
++
++var _ error = ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError{}
++
++var _ interface {
++	Field() string
++	Reason() string
++	Key() bool
++	Cause() error
++	ErrorName() string
++} = ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractorValidationError{}
++
++// Validate checks the field values on
+ // ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement
+ // with the rules defined in the proto definition for this message. If any
+ // rules are violated, an error is returned.

go.mod

@@ -15,7 +15,7 @@ replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.5
 
 require (
 	github.com/AlecAivazis/survey/v2 v2.3.6
-	github.com/agiledragon/gomonkey/v2 v2.9.0
+	github.com/agiledragon/gomonkey/v2 v2.11.0
 	github.com/avast/retry-go/v4 v4.3.4
 	github.com/compose-spec/compose-go v1.8.2
 	github.com/docker/cli v20.10.20+incompatible
@@ -44,13 +44,13 @@ require (
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.8.1
 	github.com/stretchr/testify v1.8.3
-	go.uber.org/atomic v1.9.0
+	go.uber.org/atomic v1.11.0
 	google.golang.org/grpc v1.48.0
 	google.golang.org/protobuf v1.28.1
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	istio.io/api v0.0.0-20211122181927-8da52c66ff23
-	istio.io/client-go v1.12.0-rc.1.0.20211118171212-b744b6f111e4
+	istio.io/client-go v1.12.0-rc.1.0.20211118171212-b744b6f111e4 // indirect
 	istio.io/gogo-genproto v0.0.0-20211115195057-0e34bdd2be67
 	istio.io/istio v0.0.0
 	istio.io/pkg v0.0.0-20211115195056-e379f31ee62a
@@ -172,6 +172,7 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/klauspost/compress v1.15.9 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
 	github.com/kr/pretty v0.3.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
@@ -185,6 +186,7 @@ require (
 	github.com/lestrrat/go-file-rotatelogs v0.0.0-20180223000712-d3151e2a480f // indirect
 	github.com/lestrrat/go-strftime v0.0.0-20180220042222-ba3bf9c1d042 // indirect
 	github.com/lib/pq v1.10.0 // indirect
+	github.com/libdns/libdns v0.2.1 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/magiconair/properties v1.8.5 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
@@ -194,7 +196,7 @@ require (
 	github.com/mattn/go-shellwords v1.0.12 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect
-	github.com/miekg/dns v1.1.43 // indirect
+	github.com/miekg/dns v1.1.55 // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.0 // indirect
@@ -238,6 +240,8 @@ require (
 	github.com/spf13/cast v1.3.1 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/theupdateframework/notary v0.7.0 // indirect
+	github.com/tidwall/match v1.1.1 // indirect
+	github.com/tidwall/pretty v1.2.0 // indirect
 	github.com/tonistiigi/fsutil v0.0.0-20220930225714-4638ad635be5 // indirect
 	github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea // indirect
 	github.com/toolkits/concurrent v0.0.0-20150624120057-a4371d70e3e3 // indirect
@@ -246,20 +250,23 @@ require (
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca // indirect
 	github.com/yl2chen/cidranger v1.0.2 // indirect
+	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.opencensus.io v0.23.0 // indirect
 	go.opentelemetry.io/proto/otlp v0.12.0 // indirect
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
-	go.uber.org/multierr v1.7.0 // indirect
-	go.uber.org/zap v1.21.0 // indirect
-	golang.org/x/crypto v0.11.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.24.0 // indirect
+	golang.org/x/crypto v0.17.0 // indirect
 	golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect
-	golang.org/x/net v0.12.0 // indirect
+	golang.org/x/mod v0.11.0 // indirect
+	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/oauth2 v0.6.0 // indirect
-	golang.org/x/sync v0.2.0 // indirect
-	golang.org/x/sys v0.10.0 // indirect
-	golang.org/x/term v0.10.0 // indirect
-	golang.org/x/text v0.11.0 // indirect
+	golang.org/x/sync v0.3.0 // indirect
+	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/term v0.15.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
+	golang.org/x/tools v0.10.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	gomodules.xyz/jsonpatch/v3 v3.0.1 // indirect
 	gomodules.xyz/orderedmap v0.1.0 // indirect
@@ -274,8 +281,6 @@ require (
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	k8s.io/apiserver v0.22.5 // indirect
-	k8s.io/component-base v0.22.5 // indirect
-	k8s.io/klog/v2 v2.60.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20211109043538-20434351676c // indirect
 	k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect
 	oras.land/oras-go v0.4.0 // indirect
@@ -298,12 +303,19 @@ replace istio.io/client-go => ./external/client-go
 
 replace istio.io/istio => ./external/istio
 
+replace github.com/caddyserver/certmagic => github.com/2456868764/certmagic v1.0.1
+
 require (
+	github.com/caddyserver/certmagic v0.20.0
 	github.com/evanphx/json-patch/v5 v5.6.0
 	github.com/google/yamlfmt v0.10.0
 	github.com/kylelemons/godebug v1.1.0
+	github.com/mholt/acmez v1.2.0
+	github.com/tidwall/gjson v1.17.0
 	helm.sh/helm/v3 v3.7.1
 	k8s.io/apiextensions-apiserver v0.25.4
+	k8s.io/component-base v0.22.5
+	k8s.io/klog/v2 v2.60.1
 	knative.dev/networking v0.0.0-20220302134042-e8b2eb995165
 	knative.dev/pkg v0.0.0-20220301181942-2fdd5f232e77
 )

go.sum

@@ -61,6 +61,8 @@ dmitri.shuralyov.com/html/belt v0.0.0-20180602232347-f7d459c86be0/go.mod h1:JLBr
 dmitri.shuralyov.com/service/change v0.0.0-20181023043359-a85b471d5412/go.mod h1:a1inKt/atXimZ4Mv927x+r7UpyzRUf4emIoiiSC2TN4=
 dmitri.shuralyov.com/state v0.0.0-20180228185332-28bcc343414c/go.mod h1:0PRwlb0D6DFvNNtx+9ybjezNCa8XF0xaYcETyp6rHWU=
 git.apache.org/thrift.git v0.0.0-20180902110319-2566ecd5d999/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg=
+github.com/2456868764/certmagic v1.0.1 h1:dRzow2Npe9llFTBhNVl0fVe8Yi/Q14ygNonlaZUyDZQ=
+github.com/2456868764/certmagic v1.0.1/go.mod h1:LOn81EQYMPajdew6Ln6SVdHPxPqPv6jwsUg92kiNlcQ=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20210929163055-e81b3f25be97/go.mod h1:WpB7kf89yJUETZxQnP1kgYPNwlT2jjdDYUCoxVggM3g=
 github.com/AlecAivazis/survey/v2 v2.3.6 h1:NvTuVHISgTHEHeBFqt6BHOe4Ny/NwGZr7w+F8S9ziyw=
 github.com/AlecAivazis/survey/v2 v2.3.6/go.mod h1:4AuI9b7RjAR+G7v9+C4YSlX/YL3K3cWNXgWXOhllqvI=
@@ -160,8 +162,8 @@ github.com/VividCortex/ewma v1.1.1/go.mod h1:2Tkkvm3sRDVXaiyucHiACn4cqf7DpdyLvmx
 github.com/VividCortex/gohistogram v1.0.0/go.mod h1:Pf5mBqqDxYaXu3hDrrU+w6nw50o/4+TcAqDqk/vUH7g=
 github.com/afex/hystrix-go v0.0.0-20180502004556-fa1af6a1f4f5/go.mod h1:SkGFH1ia65gfNATL8TAiHDNxPzPdmEL5uirI2Uyuz6c=
 github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
-github.com/agiledragon/gomonkey/v2 v2.9.0 h1:PDiKKybR596O6FHW+RVSG0Z7uGCBNbmbUXh3uCNQ7Hc=
-github.com/agiledragon/gomonkey/v2 v2.9.0/go.mod h1:ap1AmDzcVOAz1YpeJ3TCzIgstoaWLA6jbbgxfB4w2iY=
+github.com/agiledragon/gomonkey/v2 v2.11.0 h1:5oxSgA+tC1xuGsrIorR+sYiziYltmJyEZ9qA25b6l5U=
+github.com/agiledragon/gomonkey/v2 v2.11.0/go.mod h1:ap1AmDzcVOAz1YpeJ3TCzIgstoaWLA6jbbgxfB4w2iY=
 github.com/agl/ed25519 v0.0.0-20170116200512-5312a6153412/go.mod h1:WPjqKcmVOxf0XSf3YxCJs6N6AOSrOx3obionmG7T0y0=
 github.com/ahmetb/gen-crd-api-reference-docs v0.3.0/go.mod h1:TdjdkYhlOifCQWPs1UdTma97kQQMozf5h26hTuG70u8=
 github.com/alecthomas/jsonschema v0.0.0-20180308105923-f2c93856175a/go.mod h1:qpebaTNSsyUn5rPSJMsfqEtDw71TTggXM6stUDI16HA=
@@ -1006,6 +1008,9 @@ github.com/klauspost/compress v1.13.0/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8
 github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
 github.com/klauspost/compress v1.15.9 h1:wKRjX6JRtDdrE9qwa4b/Cip7ACOshUI4smpCQanqjSY=
 github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
+github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
+github.com/klauspost/cpuid/v2 v2.2.5 h1:0E5MSMDEoAulmXNFquVs//DdoomxaoTY1kUhbc/qbZg=
+github.com/klauspost/cpuid/v2 v2.2.5/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -1055,6 +1060,8 @@ github.com/lib/pq v0.0.0-20150723085316-0dad96c0b94f/go.mod h1:5WUZQaWbwv1U+lTRe
 github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.10.0 h1:Zx5DJFEYQXio93kgXnQ09fXNiUKsqv4OUEu2UtGcB1E=
 github.com/lib/pq v1.10.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/libdns/libdns v0.2.1 h1:Wu59T7wSHRgtA0cfxC+n1c/e+O3upJGWytknkmFEDis=
+github.com/libdns/libdns v0.2.1/go.mod h1:yQCXzk1lEZmmCPa857bnk4TsOiqYasqpyOEeSObbb40=
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0=
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
 github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM=
@@ -1145,13 +1152,16 @@ github.com/mdlayher/netlink v1.4.1/go.mod h1:e4/KuJ+s8UhfUpO9z00/fDZZmhSrs+oxyqA
 github.com/mdlayher/socket v0.0.0-20210307095302-262dc9984e00/go.mod h1:GAFlyu4/XV68LkQKYzKhIo/WW7j3Zi0YRAz/BOoanUc=
 github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b h1:j7+1HpAFS1zy5+Q4qx1fWh90gTKwiN4QCGoY9TWyyO4=
 github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
+github.com/mholt/acmez v1.2.0 h1:1hhLxSgY5FvH5HCnGUuwbKY2VQVo8IU7rxXKSnZ7F30=
+github.com/mholt/acmez v1.2.0/go.mod h1:VT9YwH1xgNX1kmYY89gY8xPJC84BFAisjo8Egigt4kE=
 github.com/microcosm-cc/bluemonday v1.0.1/go.mod h1:hsXNsILzKxV+sX77C5b8FSuKF00vh2OMYv+xgHpAMF4=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/miekg/dns v1.1.17/go.mod h1:WgzbA6oji13JREwiNsRDNfl7jYdPnmz+VEuLrA+/48M=
 github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso=
 github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI=
-github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg=
 github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4=
+github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo=
+github.com/miekg/dns v1.1.55/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
 github.com/miekg/pkcs11 v1.0.2/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/miekg/pkcs11 v1.1.1 h1:Ugu9pdy6vAYku5DEpVWVFPYnzV+bxB+iRdbuFSu7TvU=
@@ -1582,6 +1592,12 @@ github.com/tebeka/strftime v0.1.3/go.mod h1:7wJm3dZlpr4l/oVK0t1HYIc4rMzQ2XJlOMIU
 github.com/theupdateframework/notary v0.6.1/go.mod h1:MOfgIfmox8s7/7fduvB2xyPPMJCrjRLRizA8OFwpnKY=
 github.com/theupdateframework/notary v0.7.0 h1:QyagRZ7wlSpjT5N2qQAh/pN+DVqgekv4DzbAiAiEL3c=
 github.com/theupdateframework/notary v0.7.0/go.mod h1:c9DRxcmhHmVLDay4/2fUYdISnHqbFDGRSlXPO0AhYWw=
+github.com/tidwall/gjson v1.17.0 h1:/Jocvlh98kcTfpN2+JzGQWQcqrPQwDrVEMApx/M5ZwM=
+github.com/tidwall/gjson v1.17.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
+github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
+github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
+github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20200427203606-3cfed13b9966/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
@@ -1652,6 +1668,12 @@ github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go
 github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8=
 github.com/zclconf/go-cty v1.4.0/go.mod h1:nHzOclRkoj++EU9ZjSrZvRG0BXIWt8c7loYc0qXAFGQ=
 github.com/zclconf/go-cty v1.7.1/go.mod h1:VDR4+I79ubFBGm1uJac1226K5yANQFHeauxPBoP54+o=
+github.com/zeebo/assert v1.1.0 h1:hU1L1vLTHsnO8x8c9KAR5GmM5QscxHg5RNU5z5qbUWY=
+github.com/zeebo/assert v1.1.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
+github.com/zeebo/blake3 v0.2.3 h1:TFoLXsjeXqRNFxSbk35Dk4YtszE/MQQGK10BH4ptoTg=
+github.com/zeebo/blake3 v0.2.3/go.mod h1:mjJjZpnsyIVtVgTOSpJ9vmRE4wgDeyt2HU3qXvvKCaQ=
+github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
+github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
 github.com/ziutek/mymysql v1.5.4 h1:GB0qdRGsTwQSBVYuVShFBKaXSnSnYYC2d9knnE1LHFs=
 github.com/ziutek/mymysql v1.5.4/go.mod h1:LMSpPZ6DbqWFxNCHW77HeMg9I646SAhApZ/wKdgO/C0=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
@@ -1705,8 +1727,9 @@ go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
-go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
 go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
+go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/automaxprocs v1.4.0/go.mod h1:/mTEdr7LvHhs0v7mjdxDreTz1OG5zdZGqgOnhWiR/+Q=
 go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
 go.uber.org/goleak v1.1.11-0.20210813005559-691160354723/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
@@ -1716,8 +1739,9 @@ go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/
 go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
 go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
-go.uber.org/multierr v1.7.0 h1:zaiO/rmgFjbmCXdSYJWQcdvOCsthmdaHfr3Gm2Kx4Ec=
 go.uber.org/multierr v1.7.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak=
+go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
+go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM=
@@ -1727,8 +1751,9 @@ go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
 go.uber.org/zap v1.18.1/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
 go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
 go.uber.org/zap v1.19.1/go.mod h1:j3DNczoxDZroyBnOT1L/Q79cfUMGZxlv/9dzN7SM1rI=
-go.uber.org/zap v1.21.0 h1:WefMeulhovoZ2sYXz7st6K0sLj7bBhpiFaud4r4zST8=
 go.uber.org/zap v1.21.0/go.mod h1:wjWOCqI0f2ZZrJF/UufIOkiC8ii6tm1iqIsLo76RfJw=
+go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
+go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
 go4.org v0.0.0-20180809161055-417644f6feb5/go.mod h1:MkTOUMDaeVYJUOUsaDXIhWPZYa1yOyC1qaOBpL57BhE=
 golang.org/x/build v0.0.0-20190111050920-041ab4dc3f9d/go.mod h1:OWs+y06UdEOHN4y+MfF/py+xQ/tYqIWW03b70/CG9Rw=
 golang.org/x/crypto v0.0.0-20171113213409-9f005a07e0d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -1769,8 +1794,8 @@ golang.org/x/crypto v0.0.0-20210920023735-84f357641f63/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
-golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
+golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
+golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1811,7 +1836,8 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
-golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
+golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU=
+golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1888,8 +1914,8 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50=
-golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -1926,8 +1952,8 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI=
-golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -2068,15 +2094,16 @@ golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
-golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210503060354-a79de5458b56/go.mod h1:tfny5GFUkzUvx4ps4ajbZsCe5lw1metzhBm9T3x7oIY=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c=
-golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -2086,8 +2113,8 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4=
-golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -2176,7 +2203,8 @@ golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.8/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
-golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM=
+golang.org/x/tools v0.10.0 h1:tvDr/iQoUqNdohiYm0LmmKcBk+q86lb9EprIUFhHHGg=
+golang.org/x/tools v0.10.0/go.mod h1:UJwyiVBsOA2uwvK/e5OY3GTpDUJriEd+/YlqAwLPmyM=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

helm/core/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.3.2
+appVersion: 1.4.0-rc.1
 description: Helm chart for deploying higress gateways
 icon: https://higress.io/img/higress_logo_small.png
 home: http://higress.io/
@@ -10,4 +10,4 @@ name: higress-core
 sources:
 - http://github.com/alibaba/higress
 type: application
-version: 1.3.2
+version: 1.4.0-rc.1

helm/core/crds/customresourcedefinitions.gen.yaml

@@ -154,6 +154,11 @@ spec:
                           type: array
                         httpPath:
                           type: string
+                        paramFromEntireBody:
+                          properties:
+                            paramType:
+                              type: string
+                          type: object
                         params:
                           items:
                             properties:

helm/core/templates/configmap.yaml

@@ -3,9 +3,13 @@
     # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
     trustDomain: "cluster.local"
     accessLogEncoding: TEXT
+    {{- if .Values.global.o11y.enabled }}
+    accessLogFile: "/var/log/proxy/access.log"
+    {{- else }}
     accessLogFile: "/dev/stdout"
+    {{- end }}
     ingressControllerMode: "OFF"
-    accessLogFormat: '{"authority":"%REQ(:AUTHORITY)%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","duration":"%DURATION%","istio_policy_status":"%DYNAMIC_METADATA(istio.mixer:status)%","method":"%REQ(:METHOD)%","path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","request_id":"%REQ(X-REQUEST-ID)%","requested_server_name":"%REQUESTED_SERVER_NAME%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","route_name":"%ROUTE_NAME%","start_time":"%START_TIME%","trace_id":"%REQ(X-B3-TRACEID)%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_host":"%UPSTREAM_HOST%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","user_agent":"%REQ(USER-AGENT)%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%"}
+    accessLogFormat: '{"authority":"%REQ(X-ENVOY-ORIGINAL-HOST?:AUTHORITY)%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","duration":"%DURATION%","istio_policy_status":"%DYNAMIC_METADATA(istio.mixer:status)%","method":"%REQ(:METHOD)%","path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","request_id":"%REQ(X-REQUEST-ID)%","requested_server_name":"%REQUESTED_SERVER_NAME%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","route_name":"%ROUTE_NAME%","start_time":"%START_TIME%","trace_id":"%REQ(X-B3-TRACEID)%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_host":"%UPSTREAM_HOST%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","user_agent":"%REQ(USER-AGENT)%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%"}
 
     '
     dnsRefreshRate: 200s

helm/core/templates/controller-deployment.yaml

@@ -70,6 +70,20 @@ spec:
             periodSeconds: 3
             timeoutSeconds: 5
           env:
+          - name: PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS
+            value: "false"
+          - name: HIGRESS_SYSTEM_NS
+            value: "{{ .Release.Namespace }}"
+          - name: DEFAULT_UPSTREAM_CONCURRENCY_THRESHOLD
+            value: "{{ .Values.global.defaultUpstreamConcurrencyThreshold }}"
+          - name: ISTIO_GPRC_MAXRECVMSGSIZE
+            value: "{{ .Values.global.xdsMaxRecvMsgSize }}"
+          - name: ENBALE_SCOPED_RDS
+            value: "{{ .Values.global.enableSRDS }}"
+          - name: ON_DEMAND_RDS
+            value: "{{ .Values.global.onDemandRDS }}"
+          - name: HOST_RDS_MERGE_SUBSET
+            value: "{{ .Values.global.hostRDSMergeSubset }}"
           - name: PILOT_FILTER_GATEWAY_CLUSTER_CONFIG
             value: "{{ .Values.global.onlyPushRouteCluster }}"
           - name: HIGRESS_CONTROLLER_SVC
@@ -185,6 +199,8 @@ spec:
           - "serve"
           - --gatewaySelectorKey=higress
           - --gatewaySelectorValue={{ .Release.Namespace }}-{{ include "gateway.name" . }}
+          - --gatewayHttpPort={{ .Values.gateway.httpPort }}
+          - --gatewayHttpsPort={{ .Values.gateway.httpsPort }}
           {{- if not .Values.global.enableStatus }}
           - --enableStatus={{ .Values.global.enableStatus }}
           {{- end }}
@@ -192,6 +208,8 @@ spec:
           {{- if .Values.global.watchNamespace }}
           - --watchNamespace={{ .Values.global.watchNamespace }}
           {{- end }}
+          - --enableAutomaticHttps={{ .Values.controller.automaticHttps.enabled }}
+          - --automaticHttpsEmail={{ .Values.controller.automaticHttps.email }}
           env:
           - name: POD_NAME
             valueFrom:

helm/core/templates/deployment.yaml

@@ -1,3 +1,4 @@
+{{- $o11y := .Values.global.o11y  }}
 {{- $unprivilegedPortSupported := true }}
 {{- range $index, $node := (lookup "v1" "Node" "default" "").items }}
     {{- $kernelVersion := $node.status.nodeInfo.kernelVersion }}
@@ -67,6 +68,40 @@ spec:
           value: "0"
       {{- end }}
       containers:
+        {{- if $o11y.enabled }}
+          {{- $config := $o11y.promtail }}
+        - name: promtail
+          image: {{ $config.image.repository }}:{{ $config.image.tag }}
+          imagePullPolicy: IfNotPresent
+          args:
+            - -config.file=/etc/promtail/promtail.yaml
+          env:
+            - name: 'HOSTNAME'
+              valueFrom:
+                fieldRef:
+                  fieldPath: 'spec.nodeName'
+          ports:
+            - containerPort: {{ $config.port }}
+              name: http-metrics
+              protocol: TCP
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /ready
+              port: {{ $config.port }}
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          volumeMounts:
+            - name: promtail-config
+              mountPath: "/etc/promtail"
+            - name: log
+              mountPath: /var/log/proxy
+            - name: tmp
+              mountPath: /tmp
+        {{- end }}
         - name: higress-gateway
           image: "{{ .Values.gateway.hub | default .Values.global.hub }}/{{ .Values.gateway.image | default "gateway" }}:{{ .Values.gateway.tag | default .Chart.AppVersion }}"
           args:
@@ -88,7 +123,10 @@ spec:
               - ALL
             allowPrivilegeEscalation: false
             privileged: false
+          # When enabling lite metrics, the configuration template files need to be replaced.
+          {{- if not .Values.global.liteMetrics }}
             readOnlyRootFilesystem: true
+          {{- end }}
             runAsUser: 1337
             runAsGroup: 1337
             runAsNonRoot: true
@@ -102,7 +140,6 @@ spec:
             runAsGroup: 1337
             runAsNonRoot: false
             allowPrivilegeEscalation: true
-            readOnlyRootFilesystem: true
           {{- end }}
           env:
           - name: NODE_NAME
@@ -148,6 +185,10 @@ spec:
             value: "{{ $.Values.clusterName | default `Kubernetes` }}"
           - name: INSTANCE_NAME
             value: "higress-gateway"
+          {{- if .Values.global.liteMetrics }}
+          - name: LITE_METRICS
+            value: "on"
+          {{- end }}
           {{- if include "skywalking.enabled" . }}
           - name: ISTIO_BOOTSTRAP_OVERRIDE
             value: /etc/istio/custom-bootstrap/custom_bootstrap.json
@@ -165,25 +206,25 @@ spec:
             protocol: TCP
             name: http-envoy-prom
           {{- if or .Values.global.local .Values.global.kind }}
-          - containerPort: 80
-            hostPort: 80
+          - containerPort: {{ .Values.gateway.httpPort }}
+            hostPort:  {{ .Values.gateway.httpPort }}
             name: http
             protocol: TCP
-          - containerPort: 443
-            hostPort: 443
+          - containerPort:  {{ .Values.gateway.httpsPort }}
+            hostPort:  {{ .Values.gateway.httpsPort }}
             name: https
             protocol: TCP
           {{- end }}
           readinessProbe:
-            failureThreshold: 30
+            failureThreshold: {{ .Values.gateway.readinessFailureThreshold }}
             httpGet:
               path: /healthz/ready
               port: 15021
               scheme: HTTP
-            initialDelaySeconds: 1
-            periodSeconds: 2
-            successThreshold: 1
-            timeoutSeconds: 3
+            initialDelaySeconds: {{ .Values.gateway.readinessInitialDelaySeconds }}
+            periodSeconds: {{ .Values.gateway.readinessPeriodSeconds }}
+            successThreshold: {{ .Values.gateway.readinessSuccessThreshold }}
+            timeoutSeconds: {{ .Values.gateway.readinessTimeoutSeconds }}
           {{- if not (or .Values.global.local .Values.global.kind) }}
           resources:
             {{- toYaml .Values.gateway.resources | nindent 12 }}
@@ -212,6 +253,10 @@ spec:
           - mountPath: /opt/plugins
             name: local-wasmplugins-volume
           {{- end }}
+          {{- if $o11y.enabled }}
+          - mountPath: /var/log/proxy
+            name: log
+          {{- end }}
       {{- if .Values.gateway.hostNetwork }}
       hostNetwork: {{ .Values.gateway.hostNetwork }}
       dnsPolicy: ClusterFirstWithHostNet
@@ -258,6 +303,15 @@ spec:
         emptyDir: {}
       - name: proxy-socket
         emptyDir: {}
+      {{- if $o11y.enabled }}
+      - name: log
+        emptyDir: {}
+      - name: tmp
+        emptyDir: {}
+      - name: promtail-config
+        configMap:
+          name: higress-promtail
+      {{- end }}
       - name: podinfo
         downwardAPI:
           defaultMode: 420

helm/core/templates/promtail.yaml

@@ -0,0 +1,64 @@
+{{- $o11y := .Values.global.o11y  }}
+{{- if $o11y.enabled }}
+{{- $config := $o11y.promtail }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: higress-promtail
+  namespace: {{ .Release.Namespace }}
+data:
+  promtail.yaml: |
+    server:
+      log_level: info
+      http_listen_port: {{ $config.port }}
+
+    clients:
+    - url: http://higress-console-loki.{{ .Release.Namespace }}:3100/loki/api/v1/push
+
+    positions:
+      filename: /tmp/promtail-positions.yaml
+    target_config:
+      sync_period: 10s
+    scrape_configs:
+    - job_name: access-logs
+      static_configs:
+      - targets:
+        - localhost
+        labels:
+          __path__: /var/log/proxy/access.log
+      pipeline_stages:
+      - json:
+          expressions:
+            authority:
+            method:
+            path:
+            protocol:
+            request_id:
+            response_code:
+            response_flags:
+            route_name:
+            trace_id:
+            upstream_cluster:
+            upstream_host:
+            upstream_transport_failure_reason:
+            user_agent:
+            x_forwarded_for:
+      - labels:
+          authority:
+          method:
+          path:
+          protocol:
+          request_id:
+          response_code:
+          response_flags:
+          route_name:
+          trace_id:
+          upstream_cluster:
+          upstream_host:
+          upstream_transport_failure_reason:
+          user_agent:
+          x_forwarded_for:
+      - timestamp:
+          source: timestamp
+          format: RFC3339Nano
+{{- end }}

helm/core/values.yaml

@@ -1,5 +1,11 @@
 revision: ""
 global:
+  liteMetrics: false
+  xdsMaxRecvMsgSize: "104857600"
+  defaultUpstreamConcurrencyThreshold: 10000
+  enableSRDS: true
+  onDemandRDS: false
+  hostRDSMergeSubset: false
   onlyPushRouteCluster: true
   # IngressClass filters which ingress resources the higress controller watches.
   # The default ingress class is higress.
@@ -10,7 +16,7 @@ global:
   # resources in the k8s cluster.
   ingressClass: "higress"
   watchNamespace: ""
-  disableAlpnH2: true
+  disableAlpnH2: false
   enableStatus: true
   # whether to use autoscaling/v2 template for HPA settings
   # for internal usage only, not to be configured by users.
@@ -148,12 +154,18 @@ global:
     # The number of successive failed probes before indicating readiness failure.
     readinessFailureThreshold: 30
 
+    # The number of successive successed probes before indicating readiness success.
+    readinessSuccessThreshold: 30
+
     # The initial delay for readiness probes in seconds.
     readinessInitialDelaySeconds: 1
 
     # The period between readiness probes.
     readinessPeriodSeconds: 2
 
+    # The readiness timeout seconds
+    readinessTimeoutSeconds: 3
+
     # Resources for the sidecar.
     resources:
       requests:
@@ -326,6 +338,20 @@ global:
   # Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source.
   useMCP: false
 
+  # Observability (o11y) configurations
+  o11y:
+    enabled: false
+    promtail:
+      image:
+        repository: grafana/promtail
+        tag: 2.9.4
+      port: 3101
+      resources:
+        limits:
+          cpu: 500m
+          memory: 2Gi
+      securityContext: {}
+
   # The name of the CA for workload certificates.
   # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
   # will be used as the certificates for workloads.
@@ -370,6 +396,21 @@ gateway:
   replicas: 2
   image: gateway
 
+  # The number of successive failed probes before indicating readiness failure.
+  readinessFailureThreshold: 30
+
+  # The number of successive successed probes before indicating readiness success.
+  readinessSuccessThreshold: 1
+
+  # The initial delay for readiness probes in seconds.
+  readinessInitialDelaySeconds: 1
+
+  # The period between readiness probes.
+  readinessPeriodSeconds: 2
+
+  # The readiness timeout seconds
+  readinessTimeoutSeconds: 3
+
   hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
   tag: ""
   # revision declares which revision this gateway is a part of
@@ -391,7 +432,8 @@ gateway:
 
   # Pod environment variables
   env: {}
-
+  httpPort: 80
+  httpsPort: 443
   hostNetwork: false
 
   # Labels to apply to all resources
@@ -502,6 +544,12 @@ controller:
       "port": 8888,
       "targetPort": 8888,
     },
+    {
+      "name": "http-solver",
+      "protocol": "TCP",
+      "port": 8889,
+      "targetPort": 8889,
+    },
     {
       "name": "grpc",
       "protocol": "TCP",
@@ -540,6 +588,9 @@ controller:
     minReplicas: 1
     maxReplicas: 5
     targetCPUUtilizationPercentage: 80
+  automaticHttps:
+    enabled: false
+    email: ""
   
 ## Discovery Settings
 pilot:

helm/higress/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: higress-core
   repository: file://../core
-  version: 1.3.2
+  version: 1.4.0-rc.1
 - name: higress-console
   repository: https://higress.io/helm-charts/
-  version: 1.3.1
-digest: sha256:cf9b5f572f8e47348b3081a5620ad0165b400e4823a4ed36bd0597f3c794cbf3
-generated: "2023-12-20T19:57:57.037118+08:00"
+  version: 1.4.0
+digest: sha256:320b1b3ed08fad56dff0d21faaffe41a0325fdcdb96847e53a588d6b0df7e73e
+generated: "2024-05-19T17:52:19.676747+08:00"

helm/higress/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.3.2
+appVersion: 1.4.0-rc.1
 description: Helm chart for deploying Higress gateways
 icon: https://higress.io/img/higress_logo_small.png
 home: http://higress.io/
@@ -12,9 +12,9 @@ sources:
 dependencies:
 - name: higress-core
   repository: "file://../core"
-  version: 1.3.2
+  version: 1.4.0-rc.1
 - name: higress-console
   repository: "https://higress.io/helm-charts/"
-  version: 1.3.1
+  version: 1.4.0
 type: application
-version: 1.3.2
+version: 1.4.0-rc.1

istio/1.12/patches/istio/20240104-enhance-srds.patch

@@ -0,0 +1,633 @@
+diff -Naur istio/pilot/pkg/features/pilot.go istio-new/pilot/pkg/features/pilot.go
+--- istio/pilot/pkg/features/pilot.go	2024-01-05 17:58:08.000000000 +0800
++++ istio-new/pilot/pkg/features/pilot.go	2024-01-04 21:20:00.000000000 +0800
+@@ -569,6 +569,12 @@
+ 	// Added by ingress
+ 	CustomCACertConfigMapName = env.RegisterStringVar("CUSTOM_CA_CERT_NAME", "",
+ 		"Defines the configmap's name of  istio's root ca certificate").Get()
++	HostRDSMergeSubset = env.RegisterBoolVar("HOST_RDS_MERGE_SUBSET", true,
++		"If enabled, if host A is a subset of B, then we merge B's routes into A's hostRDS").Get()
++	EnableScopedRDS = env.RegisterBoolVar("ENBALE_SCOPED_RDS", true,
++		"If enabled, each host in virtualservice will have an independent RDS, which is used with SRDS").Get()
++	OnDemandRDS = env.RegisterBoolVar("ON_DEMAND_RDS", false,
++		"If enabled, the on demand filter will be added to the HCM filters").Get()
+ 	// End added by ingress
+ )
+ 
+diff -Naur istio/pilot/pkg/networking/core/configgen.go istio-new/pilot/pkg/networking/core/configgen.go
+--- istio/pilot/pkg/networking/core/configgen.go	2024-01-05 17:58:02.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/configgen.go	2024-01-04 21:20:00.000000000 +0800
+@@ -17,6 +17,7 @@
+ import (
+ 	core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+ 	listener "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
++	route "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
+ 	discovery "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
+ 
+ 	meshconfig "istio.io/api/mesh/v1alpha1"
+@@ -44,6 +45,10 @@
+ 	// BuildHTTPRoutes returns the list of HTTP routes for the given proxy. This is the RDS output
+ 	BuildHTTPRoutes(node *model.Proxy, req *model.PushRequest, routeNames []string) ([]*discovery.Resource, model.XdsLogDetails)
+ 
++	// Added by ingress
++	BuildScopedRoutes(node *model.Proxy, push *model.PushContext) []*route.ScopedRouteConfiguration
++	// End added by ingress
++
+ 	// BuildNameTable returns list of hostnames and the associated IPs
+ 	BuildNameTable(node *model.Proxy, push *model.PushContext) *dnsProto.NameTable
+ 
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
+--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-01-05 17:58:07.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-01-05 11:19:54.000000000 +0800
+@@ -41,7 +41,9 @@
+ 	"istio.io/istio/pilot/pkg/networking/plugin"
+ 	"istio.io/istio/pilot/pkg/networking/util"
+ 	authn_model "istio.io/istio/pilot/pkg/security/model"
++	"istio.io/istio/pilot/pkg/util/sets"
+ 	"istio.io/istio/pkg/config"
++	"istio.io/istio/pkg/config/constants"
+ 	"istio.io/istio/pkg/config/gateway"
+ 	"istio.io/istio/pkg/config/host"
+ 	"istio.io/istio/pkg/config/protocol"
+@@ -104,10 +106,15 @@
+ 			// We can also have QUIC on a given port along with HTTPS/TLS on a given port. It does not
+ 			// cause port-conflict as they use different transport protocols
+ 			opts := &buildListenerOpts{
+-				push:       builder.push,
+-				proxy:      builder.node,
+-				bind:       bind,
+-				port:       &model.Port{Port: int(port.Number)},
++				push:  builder.push,
++				proxy: builder.node,
++				bind:  bind,
++				port: &model.Port{
++					Port: int(port.Number),
++					// Added by ingress
++					Protocol: protocol.Parse(port.Protocol),
++					// End added by ingress
++				},
+ 				bindToPort: true,
+ 				class:      istionetworking.ListenerClassGateway,
+ 				transport:  transport,
+@@ -340,6 +347,269 @@
+ 	return nameToServiceMap
+ }
+ 
++// Added by ingress
++func (configgen *ConfigGeneratorImpl) BuildScopedRoutes(node *model.Proxy, push *model.PushContext) []*route.ScopedRouteConfiguration {
++	if node.MergedGateway == nil {
++		log.Warnf("buildScopedRoutes: no gateways for router %v", node.ID)
++		return nil
++	}
++	merged := node.MergedGateway
++	var out []*route.ScopedRouteConfiguration
++	gatewayVirtualServices := make(map[string][]config.Config)
++	serverIterator := func(listenerPort int, mergedServers map[model.ServerPort]*model.MergedServers) sets.Set {
++		hostSet := sets.NewSet()
++		for port, servers := range mergedServers {
++			if port.Number != uint32(listenerPort) {
++				continue
++			}
++			for _, server := range servers.Servers {
++				gatewayName := merged.GatewayNameForServer[server]
++
++				var virtualServices []config.Config
++				var exists bool
++
++				if virtualServices, exists = gatewayVirtualServices[gatewayName]; !exists {
++					virtualServices = push.VirtualServicesForGateway(node, gatewayName)
++					gatewayVirtualServices[gatewayName] = virtualServices
++				}
++				for _, virtualService := range virtualServices {
++					for _, host := range virtualService.Spec.(*networking.VirtualService).Hosts {
++						hostSet.Insert(host)
++					}
++				}
++			}
++		}
++		return hostSet
++	}
++	buildPortHostScopedRoute := func(listenerPort model.ServerPort) {
++		p := protocol.Parse(listenerPort.Protocol)
++		if !p.IsHTTP() && p != protocol.HTTPS {
++			return
++		}
++		port := strconv.Itoa(int(listenerPort.Number))
++		hostSet := serverIterator(int(listenerPort.Number), merged.MergedServers).
++			Union(serverIterator(int(listenerPort.Number), merged.MergedQUICTransportServers))
++		for host, _ := range hostSet {
++			portKey := &route.ScopedRouteConfiguration_Key_Fragment{
++				Type: &route.ScopedRouteConfiguration_Key_Fragment_StringKey{
++					StringKey: port,
++				},
++			}
++			hostKey := &route.ScopedRouteConfiguration_Key_Fragment{
++				Type: &route.ScopedRouteConfiguration_Key_Fragment_StringKey{
++					StringKey: host,
++				},
++			}
++			name := strings.Join([]string{port, host}, ".")
++			out = append(out, &route.ScopedRouteConfiguration{
++				OnDemand:               features.OnDemandRDS,
++				Name:                   name,
++				RouteConfigurationName: constants.HigressHostRDSNamePrefix + name,
++				Key: &route.ScopedRouteConfiguration_Key{
++					Fragments: []*route.ScopedRouteConfiguration_Key_Fragment{portKey, hostKey},
++				},
++			})
++		}
++	}
++	for _, port := range merged.ServerPorts {
++		buildPortHostScopedRoute(port)
++	}
++	return out
++}
++
++type virtualServiceContext struct {
++	virtualService config.Config
++	server         *networking.Server
++	gatewayName    string
++}
++
++func (configgen *ConfigGeneratorImpl) buildHostRDSConfig(node *model.Proxy, push *model.PushContext,
++	routeName string) *route.RouteConfiguration {
++	var (
++		hostRDSPort string
++		hostRDSHost string
++	)
++	portAndHost := strings.SplitN(strings.TrimPrefix(routeName, constants.HigressHostRDSNamePrefix), ".", 2)
++	if len(portAndHost) != 2 {
++		log.Errorf("Invalid route %s when using Higress hostRDS", routeName)
++		return nil
++	}
++	hostRDSPort = portAndHost[0]
++	hostRDSHost = portAndHost[1]
++	merged := node.MergedGateway
++	log.Debugf("buildGatewayRoutes: gateways after merging: %v", merged)
++	rdsPort, err := strconv.Atoi(hostRDSPort)
++	if err != nil {
++		log.Errorf("Invalid port %s of route %s when using Higress hostRDS", hostRDSPort, routeName)
++		return nil
++	}
++	listenerPort := uint32(rdsPort)
++	globalHTTPFilters := mseingress.ExtractGlobalHTTPFilters(node, push)
++
++	isH3DiscoveryNeeded := false
++
++	// When this is true, we add alt-svc header to the response to tell the client
++	// that HTTP/3 over QUIC is available on the same port for this host. This is
++	// very important for discovering HTTP/3 services
++	for port, servers := range merged.MergedQUICTransportServers {
++		if port.Number == listenerPort && len(servers.Servers) > 0 {
++			isH3DiscoveryNeeded = true
++			break
++		}
++	}
++
++	gatewayRoutes := make(map[string]map[string][]*route.Route)
++	gatewayVirtualServices := make(map[string][]config.Config)
++	var selectedVirtualServices []virtualServiceContext
++	var vHost *route.VirtualHost
++	serverIterator := func(mergedServers map[model.ServerPort]*model.MergedServers) {
++		for port, servers := range mergedServers {
++			if port.Number != listenerPort {
++				continue
++			}
++			for _, server := range servers.Servers {
++				gatewayName := merged.GatewayNameForServer[server]
++
++				var virtualServices []config.Config
++				var exists bool
++
++				if virtualServices, exists = gatewayVirtualServices[gatewayName]; !exists {
++					virtualServices = push.VirtualServicesForGateway(node, gatewayName)
++					gatewayVirtualServices[gatewayName] = virtualServices
++				}
++				for _, virtualService := range virtualServices {
++					hostMatch := false
++					var selectHost string
++					virtualServiceHosts := host.NewNames(virtualService.Spec.(*networking.VirtualService).Hosts)
++					for _, hostname := range virtualServiceHosts {
++						// exact match
++						if hostname == host.Name(hostRDSHost) {
++							hostMatch = true
++							selectHost = hostRDSHost
++							break
++						}
++						if features.HostRDSMergeSubset {
++							// subset match
++							if host.Name(hostRDSHost).SubsetOf(hostname) {
++								hostMatch = true
++								selectHost = string(hostname)
++							}
++						}
++					}
++					if !hostMatch {
++						continue
++					}
++					copiedVS := virtualService.DeepCopy()
++					copiedVS.Spec.(*networking.VirtualService).Hosts = []string{selectHost}
++					selectedVirtualServices = append(selectedVirtualServices, virtualServiceContext{
++						virtualService: copiedVS,
++						server:         server,
++						gatewayName:    gatewayName,
++					})
++				}
++			}
++		}
++	}
++	serverIterator(merged.MergedServers)
++	serverIterator(merged.MergedQUICTransportServers)
++	// Sort by subset
++	// before: ["*.abc.com", "*.com", "www.abc.com"]
++	// after: ["www.abc.com", "*.abc.com", "*.com"]
++	sort.SliceStable(selectedVirtualServices, func(i, j int) bool {
++		return host.Name(selectedVirtualServices[i].virtualService.Spec.(*networking.VirtualService).Hosts[0]).SubsetOf(
++			host.Name(selectedVirtualServices[j].virtualService.Spec.(*networking.VirtualService).Hosts[0]))
++	})
++	port := int(listenerPort)
++	for _, ctx := range selectedVirtualServices {
++		virtualService := ctx.virtualService
++		server := ctx.server
++		gatewayName := ctx.gatewayName
++		// Make sure we can obtain services which are visible to this virtualService as much as possible.
++		nameToServiceMap := buildNameToServiceMapForHTTPRoutes(node, push, virtualService)
++
++		var routes []*route.Route
++		var exists bool
++		var err error
++		if _, exists = gatewayRoutes[gatewayName]; !exists {
++			gatewayRoutes[gatewayName] = make(map[string][]*route.Route)
++		}
++
++		vskey := virtualService.Name + "/" + virtualService.Namespace
++
++		if routes, exists = gatewayRoutes[gatewayName][vskey]; !exists {
++			hashByDestination := istio_route.GetConsistentHashForVirtualService(push, node, virtualService, nameToServiceMap)
++			routes, err = istio_route.BuildHTTPRoutesForVirtualServiceWithHTTPFilters(node, virtualService, nameToServiceMap,
++				hashByDestination, port, map[string]bool{gatewayName: true}, isH3DiscoveryNeeded, push.Mesh, globalHTTPFilters)
++			if err != nil {
++				log.Debugf("%s omitting routes for virtual service %v/%v due to error: %v", node.ID, virtualService.Namespace, virtualService.Name, err)
++				continue
++			}
++			gatewayRoutes[gatewayName][vskey] = routes
++		}
++
++		if vHost != nil {
++			vHost.Routes = append(vHost.Routes, routes...)
++			if server.Tls != nil && server.Tls.HttpsRedirect {
++				vHost.RequireTls = route.VirtualHost_ALL
++			}
++		} else {
++			vHost = &route.VirtualHost{
++				Name:                       util.DomainName(hostRDSHost, port),
++				Domains:                    buildGatewayVirtualHostDomains(hostRDSHost, port),
++				Routes:                     routes,
++				IncludeRequestAttemptCount: true,
++				TypedPerFilterConfig:       mseingress.ConstructTypedPerFilterConfigForVHost(globalHTTPFilters, virtualService),
++			}
++			if server.Tls != nil && server.Tls.HttpsRedirect {
++				vHost.RequireTls = route.VirtualHost_ALL
++			}
++		}
++
++		// check all hostname if is not exist with HttpsRedirect set to true
++		// create VirtualHost to redirect
++		for _, hostname := range server.Hosts {
++			if !server.GetTls().GetHttpsRedirect() {
++				continue
++			}
++			if vHost != nil && host.Name(hostname) == host.Name(hostRDSHost) {
++				vHost.RequireTls = route.VirtualHost_ALL
++				continue
++			}
++			vHost = &route.VirtualHost{
++				Name:                       util.DomainName(hostname, port),
++				Domains:                    buildGatewayVirtualHostDomains(hostname, port),
++				IncludeRequestAttemptCount: true,
++				RequireTls:                 route.VirtualHost_ALL,
++			}
++		}
++
++	}
++	var virtualHosts []*route.VirtualHost
++	if vHost == nil {
++		log.Warnf("constructed http route config for route %s on port %d with no vhosts; Setting up a default 404 vhost", routeName, port)
++		virtualHosts = []*route.VirtualHost{{
++			Name:    util.DomainName("blackhole", port),
++			Domains: []string{"*"},
++			// Empty route list will cause Envoy to 404 NR any requests
++			Routes: []*route.Route{},
++		}}
++	} else {
++		vHost.Routes = istio_route.CombineVHostRoutes(vHost.Routes)
++		virtualHosts = append(virtualHosts, vHost)
++	}
++
++	routeCfg := &route.RouteConfiguration{
++		// Retain the routeName as its used by EnvoyFilter patching logic
++		Name:             routeName,
++		VirtualHosts:     virtualHosts,
++		ValidateClusters: proto.BoolFalse,
++	}
++
++	return routeCfg
++}
++
++// End added by ingress
++
+ func (configgen *ConfigGeneratorImpl) buildGatewayHTTPRouteConfig(node *model.Proxy, push *model.PushContext,
+ 	routeName string) *route.RouteConfiguration {
+ 	if node.MergedGateway == nil {
+@@ -351,6 +621,12 @@
+ 		}
+ 	}
+ 
++	// Added by ingress
++	if strings.HasPrefix(routeName, constants.HigressHostRDSNamePrefix) {
++		return configgen.buildHostRDSConfig(node, push, routeName)
++	}
++	// End added by ingress
++
+ 	merged := node.MergedGateway
+ 	log.Debugf("buildGatewayRoutes: gateways after merging: %v", merged)
+ 
+@@ -670,7 +946,9 @@
+ // TLS mode      | Mesh-wide SDS | Ingress SDS | Resulting Configuration
+ // SIMPLE/MUTUAL |    ENABLED    |   ENABLED   | support SDS at ingress gateway to terminate SSL communication outside the mesh
+ // ISTIO_MUTUAL  |    ENABLED    |   DISABLED  | support SDS at gateway to terminate workload mTLS, with internal workloads
+-// 											   | for egress or with another trusted cluster for ingress)
++//
++//	| for egress or with another trusted cluster for ingress)
++//
+ // ISTIO_MUTUAL  |    DISABLED   |   DISABLED  | use file-mounted secret paths to terminate workload mTLS from gateway
+ //
+ // Note that ISTIO_MUTUAL TLS mode and ingressSds should not be used simultaneously on the same ingress gateway.
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/listener.go istio-new/pilot/pkg/networking/core/v1alpha3/listener.go
+--- istio/pilot/pkg/networking/core/v1alpha3/listener.go	2024-01-05 17:58:07.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/listener.go	2024-01-05 17:31:10.000000000 +0800
+@@ -1279,8 +1279,48 @@
+ 
+ 	notimeout := durationpb.New(0 * time.Second)
+ 	connectionManager.StreamIdleTimeout = notimeout
+-
+-	if httpOpts.rds != "" {
++	// Added by ingress
++	enableSRDS := false
++	if features.EnableScopedRDS &&
++		(listenerOpts.port.Protocol.IsHTTP() || (listenerOpts.port.Protocol == protocol.HTTPS)) {
++		enableSRDS = true
++		portFragment := &hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder{
++			Type: &hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor_{
++				LocalPortValueExtractor: &hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor{},
++			}}
++		hostFragment := &hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder{
++			Type: &hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor_{
++				HostValueExtractor: &hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor{},
++			}}
++		scopedRoutes := &hcm.HttpConnectionManager_ScopedRoutes{
++			ScopedRoutes: &hcm.ScopedRoutes{
++				Name: constants.DefaultScopedRouteName,
++				ScopeKeyBuilder: &hcm.ScopedRoutes_ScopeKeyBuilder{
++					Fragments: []*hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder{portFragment, hostFragment},
++				},
++				RdsConfigSource: &core.ConfigSource{
++					ConfigSourceSpecifier: &core.ConfigSource_Ads{
++						Ads: &core.AggregatedConfigSource{},
++					},
++					InitialFetchTimeout: durationpb.New(0),
++					ResourceApiVersion:  core.ApiVersion_V3,
++				},
++				ConfigSpecifier: &hcm.ScopedRoutes_ScopedRds{
++					ScopedRds: &hcm.ScopedRds{
++						ScopedRdsConfigSource: &core.ConfigSource{
++							ConfigSourceSpecifier: &core.ConfigSource_Ads{
++								Ads: &core.AggregatedConfigSource{},
++							},
++							InitialFetchTimeout: durationpb.New(0),
++							ResourceApiVersion:  core.ApiVersion_V3,
++						},
++					},
++				},
++			},
++		}
++		connectionManager.RouteSpecifier = scopedRoutes
++	} else if httpOpts.rds != "" {
++		// End added by ingress
+ 		rds := &hcm.HttpConnectionManager_Rds{
+ 			Rds: &hcm.Rds{
+ 				ConfigSource: &core.ConfigSource{
+@@ -1304,8 +1344,15 @@
+ 
+ 	filters := make([]*hcm.HttpFilter, len(httpFilters))
+ 	copy(filters, httpFilters)
+-	// Make sure cors filter always in the first.
+-	filters = append([]*hcm.HttpFilter{xdsfilters.Cors}, filters...)
++	// Added by ingress
++	// Now only support onDemandRDS when enable SRDS
++	if features.OnDemandRDS && enableSRDS {
++		filters = append([]*hcm.HttpFilter{xdsfilters.OnDemand, xdsfilters.Cors}, filters...)
++	} else {
++		// End added by ingress
++		// Make sure cors filter always in the first.
++		filters = append([]*hcm.HttpFilter{xdsfilters.Cors}, filters...)
++	}
+ 
+ 	if features.MetadataExchange {
+ 		filters = append(filters, xdsfilters.HTTPMx)
+diff -Naur istio/pilot/pkg/xds/ads.go istio-new/pilot/pkg/xds/ads.go
+--- istio/pilot/pkg/xds/ads.go	2024-01-05 17:58:08.000000000 +0800
++++ istio-new/pilot/pkg/xds/ads.go	2024-01-05 17:31:44.000000000 +0800
+@@ -797,15 +797,18 @@
+ 
+ // PushOrder defines the order that updates will be pushed in. Any types not listed here will be pushed in random
+ // order after the types listed here
+-var PushOrder = []string{v3.ClusterType, v3.EndpointType, v3.ListenerType, v3.RouteType, v3.SecretType}
++var PushOrder = []string{v3.ClusterType, v3.EndpointType, v3.ListenerType, v3.ScopedRouteType, v3.RouteType, v3.SecretType}
+ 
+ // KnownOrderedTypeUrls has typeUrls for which we know the order of push.
+ var KnownOrderedTypeUrls = map[string]struct{}{
+ 	v3.ClusterType:  {},
+ 	v3.EndpointType: {},
+ 	v3.ListenerType: {},
+-	v3.RouteType:    {},
+-	v3.SecretType:   {},
++	// Added by ingress
++	v3.ScopedRouteType: {},
++	// End added by ingress
++	v3.RouteType:  {},
++	v3.SecretType: {},
+ }
+ 
+ // orderWatchedResources orders the resources in accordance with known push order.
+diff -Naur istio/pilot/pkg/xds/discovery.go istio-new/pilot/pkg/xds/discovery.go
+--- istio/pilot/pkg/xds/discovery.go	2024-01-05 17:58:07.000000000 +0800
++++ istio-new/pilot/pkg/xds/discovery.go	2024-01-04 21:20:00.000000000 +0800
+@@ -589,6 +589,9 @@
+ 	s.Generators[v3.ClusterType] = &CdsGenerator{Server: s}
+ 	s.Generators[v3.ListenerType] = &LdsGenerator{Server: s}
+ 	s.Generators[v3.RouteType] = &RdsGenerator{Server: s}
++	// Added by ingress
++	s.Generators[v3.ScopedRouteType] = &SrdsGenerator{Server: s}
++	// End added by ingress
+ 	s.Generators[v3.EndpointType] = edsGen
+ 	s.Generators[v3.NameTableType] = &NdsGenerator{Server: s}
+ 	s.Generators[v3.ExtensionConfigurationType] = &EcdsGenerator{Server: s}
+diff -Naur istio/pilot/pkg/xds/filters/filters.go istio-new/pilot/pkg/xds/filters/filters.go
+--- istio/pilot/pkg/xds/filters/filters.go	2024-01-05 17:58:03.000000000 +0800
++++ istio-new/pilot/pkg/xds/filters/filters.go	2024-01-04 21:20:00.000000000 +0800
+@@ -21,6 +21,7 @@
+ 	fault "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/fault/v3"
+ 	grpcstats "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_stats/v3"
+ 	grpcweb "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_web/v3"
++	ondemand "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/on_demand/v3"
+ 	router "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/router/v3"
+ 	httpwasm "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/wasm/v3"
+ 	httpinspector "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/http_inspector/v3"
+@@ -54,6 +55,14 @@
+ // Define static filters to be reused across the codebase. This avoids duplicate marshaling/unmarshaling
+ // This should not be used for filters that will be mutated
+ var (
++	// Added by ingress
++	OnDemand = &hcm.HttpFilter{
++		Name: "envoy.filters.http.on_demand.v3.OnDemand",
++		ConfigType: &hcm.HttpFilter_TypedConfig{
++			TypedConfig: util.MessageToAny(&ondemand.OnDemand{}),
++		},
++	}
++	// End added by ingress
+ 	Cors = &hcm.HttpFilter{
+ 		Name: wellknown.CORS,
+ 		ConfigType: &hcm.HttpFilter_TypedConfig{
+diff -Naur istio/pilot/pkg/xds/srds.go istio-new/pilot/pkg/xds/srds.go
+--- istio/pilot/pkg/xds/srds.go	1970-01-01 08:00:00.000000000 +0800
++++ istio-new/pilot/pkg/xds/srds.go	2024-01-05 13:45:49.000000000 +0800
+@@ -0,0 +1,79 @@
++// Copyright Istio Authors
++//
++// Licensed under the Apache License, Version 2.0 (the "License");
++// you may not use this file except in compliance with the License.
++// You may obtain a copy of the License at
++//
++//     http://www.apache.org/licenses/LICENSE-2.0
++//
++// Unless required by applicable law or agreed to in writing, software
++// distributed under the License is distributed on an "AS IS" BASIS,
++// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++// See the License for the specific language governing permissions and
++// limitations under the License.
++
++package xds
++
++import (
++	discovery "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
++	"istio.io/istio/pilot/pkg/features"
++	"istio.io/istio/pilot/pkg/model"
++	"istio.io/istio/pilot/pkg/networking/util"
++	"istio.io/istio/pkg/config"
++	"istio.io/istio/pkg/config/schema/gvk"
++)
++
++type SrdsGenerator struct {
++	Server *DiscoveryServer
++}
++
++var _ model.XdsResourceGenerator = &SrdsGenerator{}
++
++// Map of all configs that do not impact SRDS
++var skippedSrdsConfigs = map[config.GroupVersionKind]struct{}{
++	gvk.WorkloadEntry:         {},
++	gvk.WorkloadGroup:         {},
++	gvk.RequestAuthentication: {},
++	gvk.PeerAuthentication:    {},
++	gvk.Secret:                {},
++}
++
++func srdsNeedsPush(req *model.PushRequest) bool {
++	if !features.EnableScopedRDS {
++		return false
++	}
++	if req == nil {
++		return true
++	}
++	if !req.Full {
++		// SRDS only handles full push
++		return false
++	}
++	// If none set, we will always push
++	if len(req.ConfigsUpdated) == 0 {
++		return true
++	}
++	for config := range req.ConfigsUpdated {
++		if _, f := skippedSrdsConfigs[config.Kind]; !f {
++			return true
++		}
++	}
++	return false
++}
++
++func (s SrdsGenerator) Generate(proxy *model.Proxy, push *model.PushContext, w *model.WatchedResource,
++	req *model.PushRequest) (model.Resources, model.XdsLogDetails, error) {
++	if !srdsNeedsPush(req) {
++		return nil, model.DefaultXdsLogDetails, nil
++	}
++
++	scopedRoutes := s.Server.ConfigGenerator.BuildScopedRoutes(proxy, push)
++	resources := model.Resources{}
++	for _, sr := range scopedRoutes {
++		resources = append(resources, &discovery.Resource{
++			Name:     sr.Name,
++			Resource: util.MessageToAny(sr),
++		})
++	}
++	return resources, model.DefaultXdsLogDetails, nil
++}
+diff -Naur istio/pilot/pkg/xds/v3/model.go istio-new/pilot/pkg/xds/v3/model.go
+--- istio/pilot/pkg/xds/v3/model.go	2024-01-05 17:58:03.000000000 +0800
++++ istio-new/pilot/pkg/xds/v3/model.go	2024-01-05 16:55:49.000000000 +0800
+@@ -31,6 +31,10 @@
+ 	SecretType                 = resource.SecretType
+ 	ExtensionConfigurationType = resource.ExtensionConfigType
+ 
++	// Added by ingress
++	ScopedRouteType = apiTypePrefix + "envoy.config.route.v3.ScopedRouteConfiguration"
++	// End added by ingress
++
+ 	NameTableType   = apiTypePrefix + "istio.networking.nds.v1.NameTable"
+ 	HealthInfoType  = apiTypePrefix + "istio.v1.HealthInformation"
+ 	ProxyConfigType = apiTypePrefix + "istio.mesh.v1alpha1.ProxyConfig"
+@@ -61,6 +65,10 @@
+ 		return "PCDS"
+ 	case ExtensionConfigurationType:
+ 		return "ECDS"
++	// Added by ingress
++	case ScopedRouteType:
++		return "SRDS"
++	// End added by ingress
+ 	default:
+ 		return typeURL
+ 	}
+@@ -87,6 +95,10 @@
+ 		return "ecds"
+ 	case BootstrapType:
+ 		return "bds"
++	// Added by ingress
++	case ScopedRouteType:
++		return "srds"
++	// End added by ingress
+ 	default:
+ 		return typeURL
+ 	}
+diff -Naur istio/pkg/config/constants/constants.go istio-new/pkg/config/constants/constants.go
+--- istio/pkg/config/constants/constants.go	2024-01-05 17:58:08.000000000 +0800
++++ istio-new/pkg/config/constants/constants.go	2024-01-04 21:20:00.000000000 +0800
+@@ -143,4 +143,9 @@
+ 	// CertProviderNone does not create any certificates for the control plane. It is assumed that some external
+ 	// load balancer, such as an Istio Gateway, is terminating the TLS.
+ 	CertProviderNone = "none"
++
++	// Added by ingress
++	HigressHostRDSNamePrefix = "higress-rds-"
++	DefaultScopedRouteName   = "scoped-route"
++	// End added by ingress
+ )

istio/1.12/patches/istio/20240115-optimize-rds-cache.patch

@@ -0,0 +1,373 @@
+diff -Naur istio/pilot/pkg/model/push_context.go istio-new/pilot/pkg/model/push_context.go
+--- istio/pilot/pkg/model/push_context.go	2024-01-15 20:46:45.000000000 +0800
++++ istio-new/pilot/pkg/model/push_context.go	2024-01-15 19:20:45.000000000 +0800
+@@ -96,6 +96,9 @@
+ 	publicByGateway map[string][]config.Config
+ 	// root vs namespace/name ->delegate vs virtualservice gvk/namespace/name
+ 	delegates map[ConfigKey][]ConfigKey
++	// Added by ingress
++	byHost map[string][]config.Config
++	// End added by ingress
+ }
+ 
+ func newVirtualServiceIndex() virtualServiceIndex {
+@@ -104,6 +107,9 @@
+ 		privateByNamespaceAndGateway: map[string]map[string][]config.Config{},
+ 		exportedToNamespaceByGateway: map[string]map[string][]config.Config{},
+ 		delegates:                    map[ConfigKey][]ConfigKey{},
++		// Added by ingress
++		byHost: map[string][]config.Config{},
++		// End added by ingress
+ 	}
+ }
+ 
+@@ -857,6 +863,13 @@
+ 	return res
+ }
+ 
++// Added by ingress
++func (ps *PushContext) VirtualServicesForHost(proxy *Proxy, host string) []config.Config {
++	return ps.virtualServiceIndex.byHost[host]
++}
++
++// End added by ingress
++
+ // DelegateVirtualServicesConfigKey lists all the delegate virtual services configkeys associated with the provided virtual services
+ func (ps *PushContext) DelegateVirtualServicesConfigKey(vses []config.Config) []ConfigKey {
+ 	var out []ConfigKey
+@@ -1468,6 +1481,11 @@
+ 	for _, virtualService := range vservices {
+ 		ns := virtualService.Namespace
+ 		rule := virtualService.Spec.(*networking.VirtualService)
++		// Added by ingress
++		for _, host := range rule.Hosts {
++			ps.virtualServiceIndex.byHost[host] = append(ps.virtualServiceIndex.byHost[host], virtualService)
++		}
++		// End added by ingress
+ 		gwNames := getGatewayNames(rule)
+ 		if len(rule.ExportTo) == 0 {
+ 			// No exportTo in virtualService. Use the global default
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
+--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-01-15 20:46:45.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-01-15 20:04:05.000000000 +0800
+@@ -28,6 +28,7 @@
+ 	route "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
+ 	hcm "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
+ 	tls "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
++	discovery "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
+ 	"github.com/hashicorp/go-multierror"
+ 
+ 	meshconfig "istio.io/api/mesh/v1alpha1"
+@@ -35,6 +36,7 @@
+ 	"istio.io/istio/pilot/pkg/features"
+ 	"istio.io/istio/pilot/pkg/model"
+ 	istionetworking "istio.io/istio/pilot/pkg/networking"
++	"istio.io/istio/pilot/pkg/networking/core/v1alpha3/envoyfilter"
+ 	"istio.io/istio/pilot/pkg/networking/core/v1alpha3/extension"
+ 	"istio.io/istio/pilot/pkg/networking/core/v1alpha3/mseingress"
+ 	istio_route "istio.io/istio/pilot/pkg/networking/core/v1alpha3/route"
+@@ -423,8 +425,15 @@
+ 	gatewayName    string
+ }
+ 
+-func (configgen *ConfigGeneratorImpl) buildHostRDSConfig(node *model.Proxy, push *model.PushContext,
+-	routeName string) *route.RouteConfiguration {
++func (configgen *ConfigGeneratorImpl) buildHostRDSConfig(
++	node *model.Proxy,
++	req *model.PushRequest,
++	routeName string,
++	vsCache map[int][]virtualServiceContext,
++	efw *model.EnvoyFilterWrapper,
++	efKeys []string,
++) (*discovery.Resource, bool) {
++	push := req.Push
+ 	var (
+ 		hostRDSPort string
+ 		hostRDSHost string
+@@ -432,7 +441,7 @@
+ 	portAndHost := strings.SplitN(strings.TrimPrefix(routeName, constants.HigressHostRDSNamePrefix), ".", 2)
+ 	if len(portAndHost) != 2 {
+ 		log.Errorf("Invalid route %s when using Higress hostRDS", routeName)
+-		return nil
++		return nil, false
+ 	}
+ 	hostRDSPort = portAndHost[0]
+ 	hostRDSHost = portAndHost[1]
+@@ -441,10 +450,24 @@
+ 	rdsPort, err := strconv.Atoi(hostRDSPort)
+ 	if err != nil {
+ 		log.Errorf("Invalid port %s of route %s when using Higress hostRDS", hostRDSPort, routeName)
+-		return nil
++		return nil, false
++	}
++
++	routeCache := &istio_route.Cache{
++		RouteName:    routeName,
++		ProxyVersion: node.Metadata.IstioVersion,
++		ListenerPort: rdsPort,
++		// Use same host vs to cache, although the cache can be cleared when the port is different, this can be accepted
++		VirtualServices: push.VirtualServicesForHost(node, hostRDSHost),
++		EnvoyFilterKeys: efKeys,
++	}
++
++	resource, exist := configgen.Cache.Get(routeCache)
++	if exist {
++		return resource, true
+ 	}
++
+ 	listenerPort := uint32(rdsPort)
+-	globalHTTPFilters := mseingress.ExtractGlobalHTTPFilters(node, push)
+ 
+ 	isH3DiscoveryNeeded := false
+ 
+@@ -457,9 +480,9 @@
+ 			break
+ 		}
+ 	}
+-
+ 	gatewayRoutes := make(map[string]map[string][]*route.Route)
+ 	gatewayVirtualServices := make(map[string][]config.Config)
++	var listenerVirtualServices []virtualServiceContext
+ 	var selectedVirtualServices []virtualServiceContext
+ 	var vHost *route.VirtualHost
+ 	serverIterator := func(mergedServers map[model.ServerPort]*model.MergedServers) {
+@@ -478,31 +501,8 @@
+ 					gatewayVirtualServices[gatewayName] = virtualServices
+ 				}
+ 				for _, virtualService := range virtualServices {
+-					hostMatch := false
+-					var selectHost string
+-					virtualServiceHosts := host.NewNames(virtualService.Spec.(*networking.VirtualService).Hosts)
+-					for _, hostname := range virtualServiceHosts {
+-						// exact match
+-						if hostname == host.Name(hostRDSHost) {
+-							hostMatch = true
+-							selectHost = hostRDSHost
+-							break
+-						}
+-						if features.HostRDSMergeSubset {
+-							// subset match
+-							if host.Name(hostRDSHost).SubsetOf(hostname) {
+-								hostMatch = true
+-								selectHost = string(hostname)
+-							}
+-						}
+-					}
+-					if !hostMatch {
+-						continue
+-					}
+-					copiedVS := virtualService.DeepCopy()
+-					copiedVS.Spec.(*networking.VirtualService).Hosts = []string{selectHost}
+-					selectedVirtualServices = append(selectedVirtualServices, virtualServiceContext{
+-						virtualService: copiedVS,
++					listenerVirtualServices = append(listenerVirtualServices, virtualServiceContext{
++						virtualService: virtualService,
+ 						server:         server,
+ 						gatewayName:    gatewayName,
+ 					})
+@@ -510,15 +510,63 @@
+ 			}
+ 		}
+ 	}
+-	serverIterator(merged.MergedServers)
+-	serverIterator(merged.MergedQUICTransportServers)
+-	// Sort by subset
+-	// before: ["*.abc.com", "*.com", "www.abc.com"]
+-	// after: ["www.abc.com", "*.abc.com", "*.com"]
+-	sort.SliceStable(selectedVirtualServices, func(i, j int) bool {
+-		return host.Name(selectedVirtualServices[i].virtualService.Spec.(*networking.VirtualService).Hosts[0]).SubsetOf(
+-			host.Name(selectedVirtualServices[j].virtualService.Spec.(*networking.VirtualService).Hosts[0]))
+-	})
++	var vsExists bool
++	if listenerVirtualServices, vsExists = vsCache[rdsPort]; !vsExists {
++		serverIterator(merged.MergedServers)
++		serverIterator(merged.MergedQUICTransportServers)
++		vsCache[rdsPort] = listenerVirtualServices
++	}
++	for _, vsCtx := range listenerVirtualServices {
++		virtualService := vsCtx.virtualService
++		hostMatch := false
++		var selectHost string
++		for _, hostname := range virtualService.Spec.(*networking.VirtualService).Hosts {
++			// exact match
++			if hostname == hostRDSHost {
++				hostMatch = true
++				selectHost = hostRDSHost
++				break
++			}
++			if features.HostRDSMergeSubset {
++				// subset match
++				if host.Name(hostRDSHost).SubsetOf(host.Name(hostname)) {
++					hostMatch = true
++					selectHost = hostname
++				}
++			}
++		}
++		if !hostMatch {
++			continue
++		}
++		if len(virtualService.Spec.(*networking.VirtualService).Hosts) > 1 {
++			copiedVS := &networking.VirtualService{}
++			copiedVS = virtualService.Spec.(*networking.VirtualService)
++			copiedVS.Hosts = []string{selectHost}
++			selectedVirtualServices = append(selectedVirtualServices, virtualServiceContext{
++				virtualService: config.Config{
++					Meta:   virtualService.Meta,
++					Spec:   copiedVS,
++					Status: virtualService.Status,
++				},
++				server:      vsCtx.server,
++				gatewayName: vsCtx.gatewayName,
++			})
++		} else {
++			selectedVirtualServices = append(selectedVirtualServices, vsCtx)
++		}
++	}
++	if features.HostRDSMergeSubset {
++		// Sort by subset
++		// before: ["*.abc.com", "*.com", "www.abc.com"]
++		// after: ["www.abc.com", "*.abc.com", "*.com"]
++		sort.SliceStable(selectedVirtualServices, func(i, j int) bool {
++			return host.Name(selectedVirtualServices[i].virtualService.Spec.(*networking.VirtualService).Hosts[0]).SubsetOf(
++				host.Name(selectedVirtualServices[j].virtualService.Spec.(*networking.VirtualService).Hosts[0]))
++		})
++	}
++
++	globalHTTPFilters := mseingress.ExtractGlobalHTTPFilters(node, push)
++
+ 	port := int(listenerPort)
+ 	for _, ctx := range selectedVirtualServices {
+ 		virtualService := ctx.virtualService
+@@ -605,25 +653,42 @@
+ 		ValidateClusters: proto.BoolFalse,
+ 	}
+ 
+-	return routeCfg
++	routeCfg = envoyfilter.ApplyRouteConfigurationPatches(networking.EnvoyFilter_GATEWAY, node, efw, routeCfg)
++	resource = &discovery.Resource{
++		Name:     routeName,
++		Resource: util.MessageToAny(routeCfg),
++	}
++
++	if features.EnableRDSCaching {
++		configgen.Cache.Add(routeCache, req, resource)
++	}
++
++	return resource, false
+ }
+ 
+ // End added by ingress
+ 
+-func (configgen *ConfigGeneratorImpl) buildGatewayHTTPRouteConfig(node *model.Proxy, push *model.PushContext,
+-	routeName string) *route.RouteConfiguration {
++// Modifed by ingress
++func (configgen *ConfigGeneratorImpl) buildGatewayHTTPRouteConfig(
++	node *model.Proxy,
++	req *model.PushRequest,
++	routeName string,
++	vsCache map[int][]virtualServiceContext,
++	efw *model.EnvoyFilterWrapper,
++	efKeys []string,
++) (*discovery.Resource, bool) {
+ 	if node.MergedGateway == nil {
+ 		log.Warnf("buildGatewayRoutes: no gateways for router %v", node.ID)
+-		return &route.RouteConfiguration{
+-			Name:             routeName,
+-			VirtualHosts:     []*route.VirtualHost{},
+-			ValidateClusters: proto.BoolFalse,
+-		}
++		return nil, false
+ 	}
+-
+ 	// Added by ingress
++	push := req.Push
+ 	if strings.HasPrefix(routeName, constants.HigressHostRDSNamePrefix) {
+-		return configgen.buildHostRDSConfig(node, push, routeName)
++		resource, cacheHit := configgen.buildHostRDSConfig(node, req, routeName, vsCache, efw, efKeys)
++		if resource == nil {
++			return nil, false
++		}
++		return resource, cacheHit
+ 	}
+ 	// End added by ingress
+ 
+@@ -636,7 +701,7 @@
+ 
+ 		// This can happen when a gateway has recently been deleted. Envoy will still request route
+ 		// information due to the draining of listeners, so we should not return an error.
+-		return nil
++		return nil, false
+ 	}
+ 
+ 	servers := merged.ServersByRouteName[routeName]
+@@ -768,9 +833,16 @@
+ 		ValidateClusters: proto.BoolFalse,
+ 	}
+ 
+-	return routeCfg
++	routeCfg = envoyfilter.ApplyRouteConfigurationPatches(networking.EnvoyFilter_GATEWAY, node, efw, routeCfg)
++	resource := &discovery.Resource{
++		Name:     routeName,
++		Resource: util.MessageToAny(routeCfg),
++	}
++	return resource, false
+ }
+ 
++// End modified by ingress
++
+ // hashRouteList returns a hash of a list of pointers
+ func hashRouteList(r []*route.Route) uint64 {
+ 	hash := md5.New()
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/httproute.go istio-new/pilot/pkg/networking/core/v1alpha3/httproute.go
+--- istio/pilot/pkg/networking/core/v1alpha3/httproute.go	2024-01-15 20:46:41.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/httproute.go	2024-01-15 10:29:09.000000000 +0800
+@@ -78,17 +78,30 @@
+ 			routeConfigurations = append(routeConfigurations, rc)
+ 		}
+ 	case model.Router:
++		// Modified by ingress
++		vsCache := make(map[int][]virtualServiceContext)
++		envoyfilterKeys := efw.Keys()
+ 		for _, routeName := range routeNames {
+-			rc := configgen.buildGatewayHTTPRouteConfig(node, req.Push, routeName)
+-			if rc != nil {
+-				rc = envoyfilter.ApplyRouteConfigurationPatches(networking.EnvoyFilter_GATEWAY, node, efw, rc)
+-				resource := &discovery.Resource{
++			rc, cached := configgen.buildGatewayHTTPRouteConfig(node, req, routeName, vsCache, efw, envoyfilterKeys)
++			if cached && !features.EnableUnsafeAssertions {
++				hit++
++			} else {
++				miss++
++			}
++			if rc == nil {
++				emptyRoute := &route.RouteConfiguration{
++					Name:             routeName,
++					VirtualHosts:     []*route.VirtualHost{},
++					ValidateClusters: proto.BoolFalse,
++				}
++				rc = &discovery.Resource{
+ 					Name:     routeName,
+-					Resource: util.MessageToAny(rc),
++					Resource: util.MessageToAny(emptyRoute),
+ 				}
+-				routeConfigurations = append(routeConfigurations, resource)
+ 			}
++			routeConfigurations = append(routeConfigurations, rc)
+ 		}
++		// End modified by ingress
+ 	}
+ 	if !features.EnableRDSCaching {
+ 		return routeConfigurations, model.DefaultXdsLogDetails
+diff -Naur istio/pilot/pkg/xds/discovery.go istio-new/pilot/pkg/xds/discovery.go
+--- istio/pilot/pkg/xds/discovery.go	2024-01-15 20:46:45.000000000 +0800
++++ istio-new/pilot/pkg/xds/discovery.go	2024-01-12 19:56:02.000000000 +0800
+@@ -392,6 +392,9 @@
+ // ConfigUpdate implements ConfigUpdater interface, used to request pushes.
+ // It replaces the 'clear cache' from v1.
+ func (s *DiscoveryServer) ConfigUpdate(req *model.PushRequest) {
++	if req.Full {
++		log.Infof("full push happen, reason:%v", req.Reason)
++	}
+ 	inboundConfigUpdates.Increment()
+ 	s.InboundUpdates.Inc()
+ 	s.pushChannel <- req

istio/1.12/patches/istio/20240201-optimize-default-arg.patch

@@ -0,0 +1,60 @@
+diff -Naur istio/pilot/cmd/pilot-agent/status/util/stats.go istio-new/pilot/cmd/pilot-agent/status/util/stats.go
+--- istio/pilot/cmd/pilot-agent/status/util/stats.go	2024-02-01 10:20:13.000000000 +0800
++++ istio-new/pilot/cmd/pilot-agent/status/util/stats.go	2024-01-31 22:44:53.000000000 +0800
+@@ -73,7 +73,7 @@
+ 		localHostAddr = "localhost"
+ 	}
+ 
+-	readinessURL := fmt.Sprintf("http://%s:%d/stats?usedonly&filter=%s", localHostAddr, adminPort, readyStatsRegex)
++	readinessURL := fmt.Sprintf("http://%s:%d/stats?usedonly", localHostAddr, adminPort)
+ 	stats, err := http.DoHTTPGetWithTimeout(readinessURL, readinessTimeout)
+ 	if err != nil {
+ 		return nil, false, err
+@@ -105,7 +105,7 @@
+ 		localHostAddr = "localhost"
+ 	}
+ 
+-	stats, err := http.DoHTTPGet(fmt.Sprintf("http://%s:%d/stats?usedonly&filter=%s", localHostAddr, adminPort, updateStatsRegex))
++	stats, err := http.DoHTTPGet(fmt.Sprintf("http://%s:%d/stats?usedonly", localHostAddr, adminPort))
+ 	if err != nil {
+ 		return nil, err
+ 	}
+diff -Naur istio/pilot/pkg/features/pilot.go istio-new/pilot/pkg/features/pilot.go
+--- istio/pilot/pkg/features/pilot.go	2024-02-01 10:20:17.000000000 +0800
++++ istio-new/pilot/pkg/features/pilot.go	2024-02-01 10:16:18.000000000 +0800
+@@ -575,6 +575,8 @@
+ 		"If enabled, each host in virtualservice will have an independent RDS, which is used with SRDS").Get()
+ 	OnDemandRDS = env.RegisterBoolVar("ON_DEMAND_RDS", false,
+ 		"If enabled, the on demand filter will be added to the HCM filters").Get()
++	DefaultUpstreamConcurrencyThreshold = env.RegisterIntVar("DEFAULT_UPSTREAM_CONCURRENCY_THRESHOLD", 1000000,
++		"The default threshold of max_requests/max_pending_requests/max_connections of circuit breaker").Get()
+ 	// End added by ingress
+ )
+ 
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/cluster.go istio-new/pilot/pkg/networking/core/v1alpha3/cluster.go
+--- istio/pilot/pkg/networking/core/v1alpha3/cluster.go	2024-02-01 10:20:17.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/cluster.go	2024-02-01 10:16:05.000000000 +0800
+@@ -61,6 +61,7 @@
+ 
+ // getDefaultCircuitBreakerThresholds returns a copy of the default circuit breaker thresholds for the given traffic direction.
+ func getDefaultCircuitBreakerThresholds() *cluster.CircuitBreakers_Thresholds {
++	// Modified by ingress
+ 	return &cluster.CircuitBreakers_Thresholds{
+ 		// DefaultMaxRetries specifies the default for the Envoy circuit breaker parameter max_retries. This
+ 		// defines the maximum number of parallel retries a given Envoy will allow to the upstream cluster. Envoy defaults
+@@ -68,11 +69,12 @@
+ 		// where multiple endpoints in a cluster are terminated. In these scenarios the circuit breaker can kick
+ 		// in before Pilot is able to deliver an updated endpoint list to Envoy, leading to client-facing 503s.
+ 		MaxRetries:         &wrappers.UInt32Value{Value: math.MaxUint32},
+-		MaxRequests:        &wrappers.UInt32Value{Value: math.MaxUint32},
+-		MaxConnections:     &wrappers.UInt32Value{Value: math.MaxUint32},
+-		MaxPendingRequests: &wrappers.UInt32Value{Value: math.MaxUint32},
++		MaxRequests:        &wrappers.UInt32Value{Value: uint32(features.DefaultUpstreamConcurrencyThreshold)},
++		MaxConnections:     &wrappers.UInt32Value{Value: uint32(features.DefaultUpstreamConcurrencyThreshold)},
++		MaxPendingRequests: &wrappers.UInt32Value{Value: uint32(features.DefaultUpstreamConcurrencyThreshold)},
+ 		TrackRemaining:     true,
+ 	}
++	// End modified by ingress
+ }
+ 
+ // BuildClusters returns the list of clusters for the given proxy. This is the CDS output

istio/1.12/patches/istio/20240201-virtual-host-allow-server-name.patch

@@ -0,0 +1,88 @@
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
+--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-02-01 13:53:17.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-02-01 13:52:11.000000000 +0800
+@@ -501,6 +501,16 @@
+ 					gatewayVirtualServices[gatewayName] = virtualServices
+ 				}
+ 				for _, virtualService := range virtualServices {
++					virtualServiceHosts := host.NewNames(virtualService.Spec.(*networking.VirtualService).Hosts)
++					serverHosts := host.NamesForNamespace(server.Hosts, virtualService.Namespace)
++
++					// We have two cases here:
++					// 1. virtualService hosts are 1.foo.com, 2.foo.com, 3.foo.com and server hosts are ns/*.foo.com
++					// 2. virtualService hosts are *.foo.com, and server hosts are ns/1.foo.com, ns/2.foo.com, ns/3.foo.com
++					intersectingHosts := serverHosts.Intersection(virtualServiceHosts)
++					if len(intersectingHosts) == 0 {
++						continue
++					}
+ 					listenerVirtualServices = append(listenerVirtualServices, virtualServiceContext{
+ 						virtualService: virtualService,
+ 						server:         server,
+@@ -615,22 +625,24 @@
+ 
+ 		// check all hostname if is not exist with HttpsRedirect set to true
+ 		// create VirtualHost to redirect
+-		for _, hostname := range server.Hosts {
+-			if !server.GetTls().GetHttpsRedirect() {
+-				continue
+-			}
+-			if vHost != nil && host.Name(hostname) == host.Name(hostRDSHost) {
++		if server.GetTls().GetHttpsRedirect() {
++			if vHost != nil {
+ 				vHost.RequireTls = route.VirtualHost_ALL
+-				continue
++			} else {
++				vHost = &route.VirtualHost{
++					Name:                       util.DomainName(hostRDSHost, port),
++					Domains:                    buildGatewayVirtualHostDomains(hostRDSHost, port),
++					IncludeRequestAttemptCount: true,
++					RequireTls:                 route.VirtualHost_ALL,
++				}
+ 			}
+-			vHost = &route.VirtualHost{
+-				Name:                       util.DomainName(hostname, port),
+-				Domains:                    buildGatewayVirtualHostDomains(hostname, port),
+-				IncludeRequestAttemptCount: true,
+-				RequireTls:                 route.VirtualHost_ALL,
++		} else if vHost != nil {
++			mode := server.GetTls().GetMode()
++			if mode == networking.ServerTLSSettings_MUTUAL ||
++				mode == networking.ServerTLSSettings_ISTIO_MUTUAL {
++				vHost.AllowServerNames = append(vHost.AllowServerNames, server.Hosts...)
+ 			}
+ 		}
+-
+ 	}
+ 	var virtualHosts []*route.VirtualHost
+ 	if vHost == nil {
+@@ -642,6 +654,30 @@
+ 			Routes: []*route.Route{},
+ 		}}
+ 	} else {
++		sort.SliceStable(vHost.AllowServerNames, func(i, j int) bool {
++			hostI := vHost.AllowServerNames[i]
++			hostJ := vHost.AllowServerNames[j]
++			if host.Name(hostI).SubsetOf(host.Name(hostJ)) {
++				return true
++			}
++			return hostI < hostJ
++		})
++		var uniqueServerNames []string
++		hasAllCatch := false
++		for i, name := range vHost.AllowServerNames {
++			if name == "*" {
++				hasAllCatch = true
++				break
++			}
++			if i == 0 || vHost.AllowServerNames[i-1] != name {
++				uniqueServerNames = append(uniqueServerNames, name)
++			}
++		}
++		if hasAllCatch {
++			vHost.AllowServerNames = nil
++		} else {
++			vHost.AllowServerNames = uniqueServerNames
++		}
+ 		vHost.Routes = istio_route.CombineVHostRoutes(vHost.Routes)
+ 		virtualHosts = append(virtualHosts, vHost)
+ 	}

istio/1.12/patches/istio/20240202-fix-rds-cache.patch

@@ -0,0 +1,41 @@
+diff -Naur istio/pilot/pkg/xds/discovery.go istio-new/pilot/pkg/xds/discovery.go
+--- istio/pilot/pkg/xds/discovery.go	2024-02-02 16:26:49.000000000 +0800
++++ istio-new/pilot/pkg/xds/discovery.go	2024-02-02 15:38:53.000000000 +0800
+@@ -18,6 +18,7 @@
+ 	"context"
+ 	"fmt"
+ 	"strconv"
++	"strings"
+ 	"sync"
+ 	"time"
+ 
+@@ -41,6 +42,7 @@
+ 	"istio.io/istio/pilot/pkg/util/sets"
+ 	v3 "istio.io/istio/pilot/pkg/xds/v3"
+ 	"istio.io/istio/pkg/cluster"
++	"istio.io/istio/pkg/config/constants"
+ 	"istio.io/istio/pkg/security"
+ )
+ 
+@@ -332,6 +334,21 @@
+ 	} else {
+ 		// Otherwise, just clear the updated configs
+ 		s.Cache.Clear(req.ConfigsUpdated)
++		//Added by ingress
++		trimKeyMap := make(map[model.ConfigKey]struct{})
++		for configKey := range req.ConfigsUpdated {
++			if strings.HasPrefix(configKey.Name, constants.IstioIngressGatewayName+"-") {
++				trimKeyMap[model.ConfigKey{
++					Kind:      configKey.Kind,
++					Name:      strings.TrimPrefix(configKey.Name, constants.IstioIngressGatewayName+"-"),
++					Namespace: configKey.Namespace,
++				}] = struct{}{}
++			}
++		}
++		if len(trimKeyMap) > 0 {
++			s.Cache.Clear(trimKeyMap)
++		}
++		//End added by ingress
+ 	}
+ }
+ 

istio/1.12/patches/istio/20240204-increase-healthcheck-timeout.patch

@@ -0,0 +1,21 @@
+diff -Naur istio/pilot/cmd/pilot-agent/status/util/stats.go istio-new/pilot/cmd/pilot-agent/status/util/stats.go
+--- istio/pilot/cmd/pilot-agent/status/util/stats.go	2024-02-04 18:48:18.000000000 +0800
++++ istio-new/pilot/cmd/pilot-agent/status/util/stats.go	2024-02-04 09:35:42.000000000 +0800
+@@ -37,7 +37,7 @@
+ 	updateStatsRegex   = "^(cluster_manager\\.cds|listener_manager\\.lds)\\.(update_success|update_rejected)$"
+ )
+ 
+-var readinessTimeout = time.Second * 3 // Default Readiness timeout. It is set the same in helm charts.
++var readinessTimeout = time.Second * 60 // Default Readiness timeout. It is set the same in helm charts.
+ 
+ type stat struct {
+ 	name  string
+@@ -105,7 +105,7 @@
+ 		localHostAddr = "localhost"
+ 	}
+ 
+-	stats, err := http.DoHTTPGet(fmt.Sprintf("http://%s:%d/stats?usedonly", localHostAddr, adminPort))
++	stats, err := http.DoHTTPGetWithTimeout(fmt.Sprintf("http://%s:%d/stats?usedonly", localHostAddr, adminPort), readinessTimeout)
+ 	if err != nil {
+ 		return nil, err
+ 	}

istio/1.12/patches/istio/20240304-fix-gwapi-rds-cache.patch

@@ -0,0 +1,132 @@
+diff -Naur istio/pilot/pkg/config/kube/gateway/conversion.go istio-new/pilot/pkg/config/kube/gateway/conversion.go
+--- istio/pilot/pkg/config/kube/gateway/conversion.go	2024-03-04 17:35:34.000000000 +0800
++++ istio-new/pilot/pkg/config/kube/gateway/conversion.go	2024-03-04 16:58:26.000000000 +0800
+@@ -450,7 +450,7 @@
+ 		name = fmt.Sprintf("%s/%s/%s.%s", obj.GroupVersionKind.Kind, obj.Name, *sectionName, obj.Namespace)
+ 	}
+ 	return map[string]string{
+-		constants.InternalParentName: name,
++		constants.InternalParentNames: name,
+ 	}
+ }
+ 
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
+--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-03-04 17:35:34.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-03-04 17:23:10.000000000 +0800
+@@ -49,6 +49,7 @@
+ 	"istio.io/istio/pkg/config/gateway"
+ 	"istio.io/istio/pkg/config/host"
+ 	"istio.io/istio/pkg/config/protocol"
++	"istio.io/istio/pkg/config/schema/gvk"
+ 	"istio.io/istio/pkg/config/security"
+ 	"istio.io/istio/pkg/proto"
+ 	"istio.io/istio/pkg/util/istiomultierror"
+@@ -453,12 +454,43 @@
+ 		return nil, false
+ 	}
+ 
++	hostVs := push.VirtualServicesForHost(node, hostRDSHost)
++
++	var httpRoutes []config.Config
++
++	for _, vs := range hostVs {
++		if len(vs.Annotations) == 0 {
++			continue
++		}
++		if parents, ok := vs.Annotations[constants.InternalParentNames]; ok {
++			typeNames := strings.Split(parents, ",")
++			for _, typeName := range typeNames {
++				if !strings.HasPrefix(typeName, "HTTPRoute/") {
++					continue
++				}
++				nsNameStr := strings.TrimPrefix(typeName, "HTTPRoute/")
++				nsName := strings.SplitN(nsNameStr, ".", 2)
++				if len(nsName) != 2 {
++					continue
++				}
++				httpRoutes = append(httpRoutes, config.Config{
++					Meta: config.Meta{
++						GroupVersionKind: gvk.HTTPRoute,
++						Name:             nsName[0],
++						Namespace:        nsName[1],
++					},
++				})
++			}
++		}
++	}
++
+ 	routeCache := &istio_route.Cache{
+ 		RouteName:    routeName,
+ 		ProxyVersion: node.Metadata.IstioVersion,
+ 		ListenerPort: rdsPort,
+ 		// Use same host vs to cache, although the cache can be cleared when the port is different, this can be accepted
+-		VirtualServices: push.VirtualServicesForHost(node, hostRDSHost),
++		VirtualServices: hostVs,
++		HTTPRoutes:      httpRoutes,
+ 		EnvoyFilterKeys: efKeys,
+ 	}
+ 
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/route/route_cache.go istio-new/pilot/pkg/networking/core/v1alpha3/route/route_cache.go
+--- istio/pilot/pkg/networking/core/v1alpha3/route/route_cache.go	2024-03-04 17:35:30.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/route/route_cache.go	2024-03-04 17:24:19.000000000 +0800
+@@ -43,9 +43,12 @@
+ 	// This depends on DNSCapture.
+ 	DNSAutoAllocate bool
+ 
+-	ListenerPort     int
+-	Services         []*model.Service
+-	VirtualServices  []config.Config
++	ListenerPort    int
++	Services        []*model.Service
++	VirtualServices []config.Config
++	// Added by ingress
++	HTTPRoutes []config.Config
++	// End added by ingress
+ 	DestinationRules []*config.Config
+ 	EnvoyFilterKeys  []string
+ }
+@@ -81,6 +84,11 @@
+ 	for _, vs := range r.VirtualServices {
+ 		configs = append(configs, model.ConfigKey{Kind: gvk.VirtualService, Name: vs.Name, Namespace: vs.Namespace})
+ 	}
++	// Added by ingress
++	for _, route := range r.HTTPRoutes {
++		configs = append(configs, model.ConfigKey{Kind: gvk.HTTPRoute, Name: route.Name, Namespace: route.Namespace})
++	}
++	// End added by ingress
+ 	for _, dr := range r.DestinationRules {
+ 		configs = append(configs, model.ConfigKey{Kind: gvk.DestinationRule, Name: dr.Name, Namespace: dr.Namespace})
+ 	}
+@@ -107,6 +115,11 @@
+ 	for _, vs := range r.VirtualServices {
+ 		params = append(params, vs.Name+"/"+vs.Namespace)
+ 	}
++	// Added by ingress
++	for _, route := range r.HTTPRoutes {
++		params = append(params, route.Name+"/"+route.Namespace)
++	}
++	// End added by ingress
+ 	for _, dr := range r.DestinationRules {
+ 		params = append(params, dr.Name+"/"+dr.Namespace)
+ 	}
+diff -Naur istio/pkg/config/constants/constants.go istio-new/pkg/config/constants/constants.go
+--- istio/pkg/config/constants/constants.go	2024-03-04 17:35:34.000000000 +0800
++++ istio-new/pkg/config/constants/constants.go	2024-03-04 16:58:05.000000000 +0800
+@@ -15,8 +15,6 @@
+ package constants
+ 
+ const (
+-	InternalParentNames = "internal.istio.io/parents"
+-
+ 	InternalRouteSemantics = "internal.istio.io/route-semantics"
+ 
+ 	RouteSemanticsGateway = "gateway"
+@@ -129,7 +127,7 @@
+ 	AlwaysPushLabel = "internal.istio.io/always-push"
+ 
+ 	// InternalParentName declares the original resource of an internally-generate config. This is used by the gateway-api.
+-	InternalParentName = "internal.istio.io/parent"
++	InternalParentNames = "internal.istio.io/parents"
+ 
+ 	// TrustworthyJWTPath is the default 3P token to authenticate with third party services
+ 	TrustworthyJWTPath = "./var/run/secrets/tokens/istio-token"

istio/1.12/patches/istio/20240308-fix-gateway-api-route-name.patch

@@ -0,0 +1,56 @@
+diff -Naur istio/pilot/pkg/config/kube/gateway/conversion.go istio-new/pilot/pkg/config/kube/gateway/conversion.go
+--- istio/pilot/pkg/config/kube/gateway/conversion.go	2024-03-08 17:23:49.000000000 +0800
++++ istio-new/pilot/pkg/config/kube/gateway/conversion.go	2024-03-08 17:02:50.000000000 +0800
+@@ -16,6 +16,7 @@
+ 
+ import (
+ 	"fmt"
++	"path"
+ 	"regexp"
+ 	"sort"
+ 	"strconv"
+@@ -28,6 +29,7 @@
+ 	gatewayapiV1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
+ 
+ 	istio "istio.io/api/networking/v1alpha3"
++	"istio.io/istio/pilot/pkg/features"
+ 	"istio.io/istio/pilot/pkg/model"
+ 	"istio.io/istio/pilot/pkg/model/credentials"
+ 	"istio.io/istio/pilot/pkg/model/kstatus"
+@@ -290,6 +292,16 @@
+ 	return ret
+ }
+ 
++// Added by ingress
++func generateRouteName(obj config.Config) string {
++	if obj.Namespace == features.HigressSystemNs {
++		return obj.Name
++	}
++	return path.Join(obj.Namespace, obj.Name)
++}
++
++// End added by ingress
++
+ func buildHTTPVirtualServices(ctx *KubernetesResources, obj config.Config, gateways map[parentKey]map[gatewayapiV1beta1.SectionName]*parentInfo, gatewayRoutes map[string]map[string]*config.Config, domain string) {
+ 	route := obj.Spec.(*gatewayapiV1beta1.HTTPRouteSpec)
+ 
+@@ -307,7 +319,7 @@
+ 	for _, r := range route.Rules {
+ 		// TODO: implement rewrite, timeout, mirror, corspolicy, retries
+ 		vs := &istio.HTTPRoute{
+-			Name: obj.Name,
++			Name: generateRouteName(obj),
+ 		}
+ 		for _, match := range r.Matches {
+ 			uri, err := createURIMatch(match)
+diff -Naur istio/pilot/pkg/features/pilot.go istio-new/pilot/pkg/features/pilot.go
+--- istio/pilot/pkg/features/pilot.go	2024-03-08 17:23:49.000000000 +0800
++++ istio-new/pilot/pkg/features/pilot.go	2024-03-08 17:00:05.000000000 +0800
+@@ -577,6 +577,7 @@
+ 		"If enabled, the on demand filter will be added to the HCM filters").Get()
+ 	DefaultUpstreamConcurrencyThreshold = env.RegisterIntVar("DEFAULT_UPSTREAM_CONCURRENCY_THRESHOLD", 1000000,
+ 		"The default threshold of max_requests/max_pending_requests/max_connections of circuit breaker").Get()
++	HigressSystemNs = env.RegisterStringVar("HIGRESS_SYSTEM_NS", "higress-system", "The system namespace of Higress").Get()
+ 	// End added by ingress
+ )
+ 

istio/1.12/patches/istio/20240422-fix-copyvs.patch

@@ -0,0 +1,20 @@
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
+--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-04-22 18:08:26.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-04-22 18:07:46.000000000 +0800
+@@ -581,13 +581,13 @@
+ 			continue
+ 		}
+ 		if len(virtualService.Spec.(*networking.VirtualService).Hosts) > 1 {
+-			copiedVS := &networking.VirtualService{}
+-			copiedVS = virtualService.Spec.(*networking.VirtualService)
++			copiedVS := networking.VirtualService{}
++			copiedVS = *(virtualService.Spec.(*networking.VirtualService))
+ 			copiedVS.Hosts = []string{selectHost}
+ 			selectedVirtualServices = append(selectedVirtualServices, virtualServiceContext{
+ 				virtualService: config.Config{
+ 					Meta:   virtualService.Meta,
+-					Spec:   copiedVS,
++					Spec:   &copiedVS,
+ 					Status: virtualService.Status,
+ 				},
+ 				server:      vsCtx.server,

istio/1.12/patches/istio/20240518-optimize-rds-cache.patch

@@ -0,0 +1,83 @@
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
+--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-05-18 19:09:14.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-05-18 18:08:30.000000000 +0800
+@@ -457,8 +457,46 @@
+ 	hostVs := push.VirtualServicesForHost(node, hostRDSHost)
+ 
+ 	var httpRoutes []config.Config
++	var vsDependent []config.Config
++
++	cacheable := true
+ 
+ 	for _, vs := range hostVs {
++		vsSpec := vs.Spec.(*networking.VirtualService)
++		for _, vsHttpRoute := range vsSpec.Http {
++			// check if dynamic port exists, we should not cache RDS
++			for _, vsRoute := range vsHttpRoute.Route {
++				if vsRoute.Destination.Port == nil {
++					cacheable = false
++				}
++				for _, fallbackDestination := range vsRoute.FallbackClusters {
++					if fallbackDestination.Port == nil {
++						cacheable = false
++					}
++				}
++			}
++			if vsHttpRoute.Mirror != nil && vsHttpRoute.Mirror.Port == nil {
++				cacheable = false
++			}
++			if vsHttpRoute.Delegate != nil {
++				vsDependent = append(vsDependent, config.Config{
++					Meta: config.Meta{
++						GroupVersionKind: gvk.VirtualService,
++						Name:             vsHttpRoute.Delegate.Name,
++						Namespace:        vsHttpRoute.Delegate.Namespace,
++					},
++					Spec: networking.VirtualService{},
++				})
++			}
++		}
++		vsDependent = append(vsDependent, config.Config{
++			Meta: config.Meta{
++				GroupVersionKind: gvk.VirtualService,
++				Name:             vs.Name,
++				Namespace:        vs.Namespace,
++			},
++			Spec: vs.Spec,
++		})
+ 		if len(vs.Annotations) == 0 {
+ 			continue
+ 		}
+@@ -489,14 +527,19 @@
+ 		ProxyVersion: node.Metadata.IstioVersion,
+ 		ListenerPort: rdsPort,
+ 		// Use same host vs to cache, although the cache can be cleared when the port is different, this can be accepted
+-		VirtualServices: hostVs,
++		VirtualServices: vsDependent,
+ 		HTTPRoutes:      httpRoutes,
+ 		EnvoyFilterKeys: efKeys,
+ 	}
+ 
+-	resource, exist := configgen.Cache.Get(routeCache)
+-	if exist {
+-		return resource, true
++	var resource *discovery.Resource
++	if cacheable {
++		resource, exist := configgen.Cache.Get(routeCache)
++		if exist {
++			return resource, true
++		}
++	} else {
++		log.Warnf("route cache is disabled for RDS:%s", routeName)
+ 	}
+ 
+ 	listenerPort := uint32(rdsPort)
+@@ -727,7 +770,7 @@
+ 		Resource: util.MessageToAny(routeCfg),
+ 	}
+ 
+-	if features.EnableRDSCaching {
++	if features.EnableRDSCaching && cacheable {
+ 		configgen.Cache.Add(routeCache, req, resource)
+ 	}
+ 

istio/1.12/patches/istio/20240519-proxy-start-script.patch

@@ -0,0 +1,752 @@
+diff -Naur istio/pilot/docker/Dockerfile.proxyv2 istio-new/pilot/docker/Dockerfile.proxyv2
+--- istio/pilot/docker/Dockerfile.proxyv2	2024-05-19 16:40:42.706769894 +0800
++++ istio-new/pilot/docker/Dockerfile.proxyv2	2024-05-19 16:07:20.630730574 +0800
+@@ -28,6 +28,7 @@
+ 
+ # Copy Envoy bootstrap templates used by pilot-agent
+ COPY envoy_bootstrap.json /var/lib/istio/envoy/envoy_bootstrap_tmpl.json
++COPY envoy_bootstrap_lite.json /var/lib/istio/envoy/envoy_bootstrap_lite_tmpl.json
+ COPY gcp_envoy_bootstrap.json /var/lib/istio/envoy/gcp_envoy_bootstrap_tmpl.json
+ 
+ # Install Envoy.
+@@ -47,5 +48,30 @@
+ # COPY metadata-exchange-filter.wasm /etc/istio/extensions/metadata-exchange-filter.wasm
+ # COPY metadata-exchange-filter.compiled.wasm /etc/istio/extensions/metadata-exchange-filter.compiled.wasm
+ 
++RUN apt-get update && \
++  apt-get install --no-install-recommends -y \
++  logrotate \
++  cron \
++  && apt-get upgrade -y \
++  && apt-get clean
++
++# Latest releases available at https://github.com/aptible/supercronic/releases
++ENV SUPERCRONIC_URL=https://higress.io/release-binary/supercronic-linux-${TARGETARCH:-amd64} \
++    SUPERCRONIC=supercronic-linux-${TARGETARCH:-amd64}
++
++RUN curl -fsSLO "$SUPERCRONIC_URL" \
++ && chmod +x "$SUPERCRONIC" \
++ && mv "$SUPERCRONIC" "/usr/local/bin/${SUPERCRONIC}" \
++ && ln -s "/usr/local/bin/${SUPERCRONIC}" /usr/local/bin/supercronic
++
++
++COPY higress-proxy-start.sh /usr/local/bin/higress-proxy-start.sh
++
++COPY higress-proxy-container-init.sh /usr/local/bin/higress-proxy-container-init.sh
++
++RUN chmod a+x /usr/local/bin/higress-proxy-container-init.sh;/usr/local/bin/higress-proxy-container-init.sh
++
++RUN chmod a+x /usr/local/bin/higress-proxy-start.sh
++
+ # The pilot-agent will bootstrap Envoy.
+-ENTRYPOINT ["/usr/local/bin/pilot-agent"]
++ENTRYPOINT ["/usr/local/bin/higress-proxy-start.sh"]
+diff -Naur istio/tools/istio-docker.mk istio-new/tools/istio-docker.mk
+--- istio/tools/istio-docker.mk	2024-05-19 16:40:42.734769895 +0800
++++ istio-new/tools/istio-docker.mk	2024-05-19 16:02:43.222725126 +0800
+@@ -96,6 +96,9 @@
+ docker.proxyv2: BUILD_ARGS=--build-arg proxy_version=istio-proxy:${PROXY_REPO_SHA} --build-arg istio_version=${VERSION} --build-arg BASE_VERSION=${BASE_VERSION} --build-arg SIDECAR=${SIDECAR} --build-arg HUB=${HUB}
+ docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/envoy_bootstrap.json
+ docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/gcp_envoy_bootstrap.json
++docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/higress-proxy-start.sh
++docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/higress-proxy-container-init.sh
++docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/envoy_bootstrap_lite.json
+ docker.proxyv2: ${ISTIO_ENVOY_LINUX_ARM64_RELEASE_DIR}/${SIDECAR}
+ docker.proxyv2: ${ISTIO_ENVOY_LINUX_AMD64_RELEASE_DIR}/${SIDECAR}
+ docker.proxyv2: $(ISTIO_OUT_LINUX)/pilot-agent
+diff -Naur istio/tools/packaging/common/envoy_bootstrap_lite.json istio-new/tools/packaging/common/envoy_bootstrap_lite.json
+--- istio/tools/packaging/common/envoy_bootstrap_lite.json	1970-01-01 08:00:00.000000000 +0800
++++ istio-new/tools/packaging/common/envoy_bootstrap_lite.json	2024-05-19 16:36:39.274765113 +0800
+@@ -0,0 +1,642 @@
++{
++  "node": {
++    "id": "{{ .nodeID }}",
++    "cluster": "{{ .cluster }}",
++    "locality": {
++      {{- if .region }}
++      "region": "{{ .region }}"
++      {{- end }}
++      {{- if .zone }}
++      {{- if .region }}
++      ,
++      {{- end }}
++      "zone": "{{ .zone }}"
++      {{- end }}
++      {{- if .sub_zone }}
++      {{- if or .region .zone }}
++      ,
++      {{- end }}
++      "sub_zone": "{{ .sub_zone }}"
++      {{- end }}
++    },
++    "metadata": {{ .meta_json_str }}
++  },
++  "layered_runtime": {
++      "layers": [
++          {
++            "name": "global config",
++            "static_layer": {{ .runtime_flags }}
++          },
++          {
++              "name": "admin",
++              "admin_layer": {}
++          }
++      ]
++  },
++  "stats_config": {
++    "use_all_default_tags": false,
++    "stats_tags": [
++      {
++        "tag_name": "response_code_class",
++        "regex": "_rq(_(\\dxx))$"
++      },
++      {
++        "tag_name": "listener_address",
++        "regex": "^listener\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)"
++      },
++      {
++        "tag_name": "http_conn_manager_prefix",
++        "regex": "^http\\.(((outbound_([0-9]{1,3}\\.{0,1}){4}_\\d{0,5})|([^\\.]+))\\.)"
++      },
++      {
++        "tag_name": "cluster_name",
++        "regex": "^cluster\\.((.*?)\\.)(http1\\.|http2\\.|health_check\\.|zone\\.|external\\.|circuit_breakers\\.|[^\\.]+$)"
++      }
++    ],
++    "stats_matcher": {
++      "exclusion_list": {
++        "patterns": [
++          {
++            "prefix": "vhost"
++          },
++          {
++            "safe_regex": {"regex": "^http.*rds.*", "google_re2":{}}
++          }
++        ]
++      }
++    }
++  },
++  "admin": {
++    "access_log_path": "/dev/null",
++    "profile_path": "/var/lib/istio/data/envoy.prof",
++    "address": {
++      "socket_address": {
++        "address": "{{ .localhost }}",
++        "port_value": {{ .config.ProxyAdminPort }}
++      }
++    }
++  },
++  "dynamic_resources": {
++    "lds_config": {
++      "ads": {},
++      "initial_fetch_timeout": "0s",
++      "resource_api_version": "V3"
++    },
++    "cds_config": {
++      "ads": {},
++      "initial_fetch_timeout": "0s",
++      "resource_api_version": "V3"
++    },
++    "ads_config": {
++      "api_type": "{{ .xds_type }}",
++      "set_node_on_first_message_only": true,
++      "transport_api_version": "V3",
++      "grpc_services": [
++        {
++          "envoy_grpc": {
++            "cluster_name": "xds-grpc"
++          }
++        }
++      ]
++    }
++  },
++  "static_resources": {
++    "clusters": [
++      {
++        "name": "prometheus_stats",
++        "type": "STATIC",
++        "connect_timeout": "0.250s",
++        "lb_policy": "ROUND_ROBIN",
++        "load_assignment": {
++          "cluster_name": "prometheus_stats",
++          "endpoints": [{
++            "lb_endpoints": [{
++              "endpoint": {
++                "address":{
++                  "socket_address": {
++                    "protocol": "TCP",
++                    "address": "{{ .localhost }}",
++                    "port_value": {{ .config.ProxyAdminPort }}
++                  }
++                }
++              }
++            }]
++          }]
++        }
++      },
++      {
++        "name": "agent",
++        "type": "STATIC",
++        "connect_timeout": "0.250s",
++        "lb_policy": "ROUND_ROBIN",
++        "load_assignment": {
++          "cluster_name": "agent",
++          "endpoints": [{
++            "lb_endpoints": [{
++              "endpoint": {
++                "address":{
++                  "socket_address": {
++                    "protocol": "TCP",
++                    "address": "{{ .localhost }}",
++                    "port_value": {{ .config.StatusPort }}
++                  }
++                }
++              }
++            }]
++          }]
++        }
++      },
++      {
++        "name": "sds-grpc",
++        "type": "STATIC",
++        "typed_extension_protocol_options": {
++          "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
++           "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
++           "explicit_http_config": {
++            "http2_protocol_options": {}
++           }
++          }
++        },
++        "connect_timeout": "1s",
++        "lb_policy": "ROUND_ROBIN",
++        "load_assignment": {
++          "cluster_name": "sds-grpc",
++          "endpoints": [{
++            "lb_endpoints": [{
++              "endpoint": {
++                "address":{
++                  "pipe": {
++                    "path": "{{ .config.ConfigPath }}/SDS"
++                  }
++                }
++              }
++            }]
++          }]
++        }
++      },
++      {
++        "name": "xds-grpc",
++        "type" : "STATIC",
++        "connect_timeout": "1s",
++        "lb_policy": "ROUND_ROBIN",
++        "load_assignment": {
++          "cluster_name": "xds-grpc",
++          "endpoints": [{
++            "lb_endpoints": [{
++              "endpoint": {
++                "address":{
++                  "pipe": {
++                    "path": "{{ .config.ConfigPath }}/XDS"
++                  }
++                }
++              }
++            }]
++          }]
++        },
++        "circuit_breakers": {
++          "thresholds": [
++            {
++              "priority": "DEFAULT",
++              "max_connections": 100000,
++              "max_pending_requests": 100000,
++              "max_requests": 100000
++            },
++            {
++              "priority": "HIGH",
++              "max_connections": 100000,
++              "max_pending_requests": 100000,
++              "max_requests": 100000
++            }
++          ]
++        },
++        "upstream_connection_options": {
++          "tcp_keepalive": {
++            "keepalive_time": 300
++          }
++        },
++        "max_requests_per_connection": 1,
++        "typed_extension_protocol_options": {
++          "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
++           "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
++           "explicit_http_config": {
++            "http2_protocol_options": {}
++           }
++          }
++        }
++      }
++      {{ if .zipkin }}
++      ,
++      {
++        "name": "zipkin",
++        {{- if .tracing_tls }}
++        "transport_socket": {{ .tracing_tls }},
++        {{- end }}
++        "type": "STRICT_DNS",
++        "respect_dns_ttl": true,
++        "dns_lookup_family": "{{ .dns_lookup_family }}",
++        "dns_refresh_rate": "30s",
++        "connect_timeout": "1s",
++        "lb_policy": "ROUND_ROBIN",
++        "load_assignment": {
++          "cluster_name": "zipkin",
++          "endpoints": [{
++            "lb_endpoints": [{
++              "endpoint": {
++                "address":{
++                  "socket_address": {{ .zipkin }}
++                }
++              }
++            }]
++          }]
++        }
++      }
++      {{ else if .lightstep }}
++      ,
++      {
++        "name": "lightstep",
++        {{- if .tracing_tls }}
++        "transport_socket": {{ .tracing_tls }},
++        {{- end }}
++        "typed_extension_protocol_options": {
++          "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
++           "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
++           "explicit_http_config": {
++            "http2_protocol_options": {}
++           }
++          }
++        },
++        "type": "STRICT_DNS",
++        "respect_dns_ttl": true,
++        "dns_lookup_family": "{{ .dns_lookup_family }}",
++        "connect_timeout": "1s",
++        "lb_policy": "ROUND_ROBIN",
++        "load_assignment": {
++          "cluster_name": "lightstep",
++          "endpoints": [{
++            "lb_endpoints": [{
++              "endpoint": {
++                "address":{
++                  "socket_address": {{ .lightstep }}
++                }
++              }
++            }]
++          }]
++        }
++      }
++      {{ else if .datadog }}
++      ,
++      {
++        "name": "datadog_agent",
++        {{- if .tracing_tls }}
++        "transport_socket": {{ .tracing_tls }},
++        {{- end }}
++        "connect_timeout": "1s",
++        "type": "STRICT_DNS",
++        "respect_dns_ttl": true,
++        "dns_lookup_family": "{{ .dns_lookup_family }}",
++        "lb_policy": "ROUND_ROBIN",
++        "load_assignment": {
++          "cluster_name": "datadog_agent",
++          "endpoints": [{
++            "lb_endpoints": [{
++              "endpoint": {
++                "address":{
++                  "socket_address": {{ .datadog }}
++                }
++              }
++            }]
++          }]
++        }
++      }
++      {{ end }}
++      {{- if .envoy_metrics_service_address }}
++      ,
++      {
++        "name": "envoy_metrics_service",
++        "type": "STRICT_DNS",
++      {{- if .envoy_metrics_service_tls }}
++        "transport_socket": {{ .envoy_metrics_service_tls }},
++      {{- end }}
++      {{- if .envoy_metrics_service_tcp_keepalive }}
++        "upstream_connection_options": {{ .envoy_metrics_service_tcp_keepalive }},
++      {{- end }}
++        "respect_dns_ttl": true,
++        "dns_lookup_family": "{{ .dns_lookup_family }}",
++        "connect_timeout": "1s",
++        "lb_policy": "ROUND_ROBIN",
++        "typed_extension_protocol_options": {
++          "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
++           "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
++           "explicit_http_config": {
++            "http2_protocol_options": {}
++           }
++          }
++        },
++        "load_assignment": {
++          "cluster_name": "envoy_metrics_service",
++          "endpoints": [{
++            "lb_endpoints": [{
++              "endpoint": {
++                "address":{
++                  "socket_address": {{ .envoy_metrics_service_address }}
++                }
++              }
++            }]
++          }]
++        }
++      }
++      {{ end }}
++      {{ if .envoy_accesslog_service_address }}
++      ,
++      {
++        "name": "envoy_accesslog_service",
++        "type": "STRICT_DNS",
++      {{- if .envoy_accesslog_service_tls }}
++        "transport_socket": {{ .envoy_accesslog_service_tls }},
++      {{- end }}
++      {{- if .envoy_accesslog_service_tcp_keepalive }}
++        "upstream_connection_options": {{ .envoy_accesslog_service_tcp_keepalive }},
++      {{ end }}
++        "respect_dns_ttl": true,
++        "dns_lookup_family": "{{ .dns_lookup_family }}",
++        "connect_timeout": "1s",
++        "lb_policy": "ROUND_ROBIN",
++        "typed_extension_protocol_options": {
++          "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
++           "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
++           "explicit_http_config": {
++            "http2_protocol_options": {}
++           }
++          }
++        },
++        "load_assignment": {
++          "cluster_name": "envoy_accesslog_service",
++          "endpoints": [{
++            "lb_endpoints": [{
++              "endpoint": {
++                "address":{
++                  "socket_address": {{ .envoy_accesslog_service_address }}
++                }
++              }
++            }]
++          }]
++        }
++      }
++      {{ end }}
++    ],
++    "listeners":[
++      {
++        "address": {
++          "socket_address": {
++            "protocol": "TCP",
++            "address": "{{ .wildcard }}",
++            "port_value": {{ .envoy_prometheus_port }}
++          }
++        },
++        "filter_chains": [
++          {
++            "filters": [
++              {
++                "name": "envoy.filters.network.http_connection_manager",
++                "typed_config": {
++                  "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
++                  "codec_type": "AUTO",
++                  "stat_prefix": "stats",
++                  "route_config": {
++                    "virtual_hosts": [
++                      {
++                        "name": "backend",
++                        "domains": [
++                          "*"
++                        ],
++                        "routes": [
++                          {
++                            "match": {
++                              "prefix": "/stats/prometheus"
++                            },
++                            "route": {
++                              "cluster": "prometheus_stats"
++                            }
++                          }
++                        ]
++                      }
++                    ]
++                  },
++                  "http_filters": [{
++                    "name": "envoy.filters.http.router",
++                    "typed_config": {
++                      "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
++                    }
++                  }]
++                }
++              }
++            ]
++          }
++        ]
++      },
++      {
++        "address": {
++           "socket_address": {
++             "protocol": "TCP",
++             "address": "{{ .wildcard }}",
++             "port_value": {{ .envoy_status_port }}
++           }
++        },
++        "filter_chains": [
++          {
++            "filters": [
++              {
++                "name": "envoy.filters.network.http_connection_manager",
++                "typed_config": {
++                  "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
++                  "codec_type": "AUTO",
++                  "stat_prefix": "agent",
++                  "route_config": {
++                    "virtual_hosts": [
++                      {
++                        "name": "backend",
++                        "domains": [
++                          "*"
++                        ],
++                        "routes": [
++                          {
++                            "match": {
++                              "prefix": "/healthz/ready"
++                            },
++                            "route": {
++                              "cluster": "agent"
++                            }
++                          }
++                        ]
++                      }
++                    ]
++                  },
++                  "http_filters": [{
++                    "name": "envoy.filters.http.router",
++                    "typed_config": {
++                      "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
++                    }
++                  }]
++                }
++              }
++            ]
++          }
++        ]
++      }
++    ]
++  }
++  {{- if .zipkin }}
++  ,
++  "tracing": {
++    "http": {
++      "name": "envoy.tracers.zipkin",
++      "typed_config": {
++        "@type": "type.googleapis.com/envoy.config.trace.v3.ZipkinConfig",
++        "collector_cluster": "zipkin",
++        "collector_endpoint": "/api/v2/spans",
++        "collector_endpoint_version": "HTTP_JSON",
++        "trace_id_128bit": true,
++        "shared_span_context": false
++      }
++    }
++  }
++  {{- else if .lightstep }}
++  ,
++  "tracing": {
++    "http": {
++      "name": "envoy.tracers.lightstep",
++      "typed_config": {
++        "@type": "type.googleapis.com/envoy.config.trace.v3.LightstepConfig",
++        "collector_cluster": "lightstep",
++        "access_token_file": "{{ .lightstepToken}}"
++      }
++    }
++  }
++  {{- else if .datadog }}
++  ,
++  "tracing": {
++    "http": {
++      "name": "envoy.tracers.datadog",
++      "typed_config": {
++        "@type": "type.googleapis.com/envoy.config.trace.v3.DatadogConfig",
++        "collector_cluster": "datadog_agent",
++        "service_name": "{{ .cluster }}"
++      }
++    }
++  }
++  {{- else if .openCensusAgent }}
++  ,
++  "tracing": {
++    "http": {
++      "name": "envoy.tracers.opencensus",
++      "typed_config": {
++        "@type": "type.googleapis.com/envoy.config.trace.v3.OpenCensusConfig",
++        "ocagent_exporter_enabled": true,
++        "ocagent_address": "{{ .openCensusAgent }}",
++        "incoming_trace_context": {{ .openCensusAgentContexts }},
++        "outgoing_trace_context": {{ .openCensusAgentContexts }},
++        "trace_config": {
++          "constant_sampler": {
++            "decision": "ALWAYS_PARENT"
++          },
++          "max_number_of_annotations": 200,
++          "max_number_of_attributes": 200,
++          "max_number_of_message_events": 200,
++          "max_number_of_links": 200
++        }
++      }
++    }
++  }
++  {{- else if .stackdriver }}
++  ,
++  "tracing": {
++    "http": {
++      "name": "envoy.tracers.opencensus",
++      "typed_config": {
++      "@type": "type.googleapis.com/envoy.config.trace.v3.OpenCensusConfig",
++      "stackdriver_exporter_enabled": true,
++      "stackdriver_project_id": "{{ .stackdriverProjectID }}",
++      {{ if .sts_port }}
++      "stackdriver_grpc_service": {
++        "google_grpc": {
++          "target_uri": "cloudtrace.googleapis.com",
++          "stat_prefix": "oc_stackdriver_tracer",
++          "channel_credentials": {
++            "ssl_credentials": {}
++          },
++          "call_credentials": [{
++            "sts_service": {
++              "token_exchange_service_uri": "http://localhost:{{ .sts_port }}/token",
++              "subject_token_path": "/var/run/secrets/tokens/istio-token",
++              "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
++              "scope": "https://www.googleapis.com/auth/cloud-platform"
++            }
++          }]
++        },
++        "initial_metadata": [
++        {{ if .gcp_project_id }}
++          {
++            "key": "x-goog-user-project",
++            "value": "{{ .gcp_project_id }}"
++          }
++        {{ end }}
++        ]
++      },
++      {{ end }}
++      "stdout_exporter_enabled": {{ .stackdriverDebug }},
++      "incoming_trace_context": ["CLOUD_TRACE_CONTEXT", "TRACE_CONTEXT", "GRPC_TRACE_BIN", "B3"],
++      "outgoing_trace_context": ["CLOUD_TRACE_CONTEXT", "TRACE_CONTEXT", "GRPC_TRACE_BIN", "B3"],
++      "trace_config":{
++        "constant_sampler":{
++          "decision": "ALWAYS_PARENT"
++        },
++        "max_number_of_annotations": {{ .stackdriverMaxAnnotations }},
++        "max_number_of_attributes": {{ .stackdriverMaxAttributes }},
++        "max_number_of_message_events": {{ .stackdriverMaxEvents }},
++        "max_number_of_links": 200
++       }
++     }
++  }}
++  {{ end }}
++  {{ if or .envoy_metrics_service_address .statsd }}
++  ,
++  "stats_sinks": [
++    {{ if .envoy_metrics_service_address }}
++    {
++      "name": "envoy.stat_sinks.metrics_service",
++      "typed_config": {
++        "@type": "type.googleapis.com/envoy.config.metrics.v3.MetricsServiceConfig",
++        "transport_api_version": "V3",
++        "grpc_service": {
++          "envoy_grpc": {
++            "cluster_name": "envoy_metrics_service"
++          }
++        }
++      }
++    }
++    {{ end }}
++    {{ if and .envoy_metrics_service_address .statsd }}
++    ,
++    {{ end }}
++    {{ if .statsd }}
++    {
++      "name": "envoy.stat_sinks.statsd",
++      "typed_config": {
++        "@type": "type.googleapis.com/envoy.config.metrics.v3.StatsdSink",
++        "address": {
++          "socket_address": {{ .statsd }}
++        }
++      }
++    }
++    {{ end }}
++  ]
++  {{ end }}
++  {{ if .outlier_log_path }}
++  ,
++  "cluster_manager": {
++    "outlier_detection": {
++      "event_log_path": "{{ .outlier_log_path }}"
++    }
++  }
++  {{ end }}
++}
+diff -Naur istio/tools/packaging/common/higress-proxy-container-init.sh istio-new/tools/packaging/common/higress-proxy-container-init.sh
+--- istio/tools/packaging/common/higress-proxy-container-init.sh	1970-01-01 08:00:00.000000000 +0800
++++ istio-new/tools/packaging/common/higress-proxy-container-init.sh	2024-05-19 16:30:06.202757394 +0800
+@@ -0,0 +1,32 @@
++#!/bin/bash
++
++mkdir -p /var/log/proxy
++
++mkdir -p /var/lib/istio
++
++chown -R 1337.1337 /var/log/proxy
++
++chown -R 1337.1337 /var/lib/logrotate
++
++chown -R 1337.1337 /var/lib/istio
++
++cat <<EOF > /etc/logrotate.d/higress-logrotate
++/var/log/proxy/access.log
++{
++su 1337 1337
++rotate 5
++create 644 1337 1337
++nocompress
++notifempty
++minsize 100M
++postrotate
++    ps aux|grep "envoy -c"|grep -v "grep"|awk  '{print $2}'|xargs -i kill -SIGUSR1 {}
++endscript
++}
++EOF
++
++chmod -R 0644 /etc/logrotate.d/higress-logrotate
++
++cat <<EOF > /var/lib/istio/cron.txt
++* * * * * /usr/sbin/logrotate /etc/logrotate.d/higress-logrotate
++EOF
+diff -Naur istio/tools/packaging/common/higress-proxy-start.sh istio-new/tools/packaging/common/higress-proxy-start.sh
+--- istio/tools/packaging/common/higress-proxy-start.sh	1970-01-01 08:00:00.000000000 +0800
++++ istio-new/tools/packaging/common/higress-proxy-start.sh	2024-05-19 16:33:18.802761176 +0800
+@@ -0,0 +1,10 @@
++#!/bin/bash
++
++if [ -n "$LITE_METRICS" ]; then
++    cp /var/lib/istio/envoy/envoy_bootstrap_lite_tmpl.json /var/lib/istio/envoy/envoy_bootstrap_tmpl.json
++fi
++
++nohup supercronic /var/lib/istio/cron.txt &> /dev/null &
++
++/usr/local/bin/pilot-agent $*
++

istio/1.12/patches/istio/20240521-optimize-bootstrap.patch

@@ -0,0 +1,83 @@
+diff -Naur istio/tools/packaging/common/envoy_bootstrap.json istio-new/tools/packaging/common/envoy_bootstrap.json
+--- istio/tools/packaging/common/envoy_bootstrap.json	2024-05-21 23:46:21.000000000 +0800
++++ istio-new/tools/packaging/common/envoy_bootstrap.json	2024-05-21 23:47:54.000000000 +0800
+@@ -37,55 +37,15 @@
+     "use_all_default_tags": false,
+     "stats_tags": [
+       {
+-        "tag_name": "phase",
+-        "regex": "(_phase=([a-z_]+))"
+-      },
+-      {
+-        "tag_name": "ruleid",
+-        "regex": "(_ruleid=([0-9]+))"
+-      },
+-      {
+-        "tag_name": "route",
+-        "regex": "^vhost\\..*?\\.route\\.([^\\.]+\\.)upstream"
+-      },
+-      {
+-        "tag_name": "ecds_name",
+-        "regex": "extension_config_discovery\\.(.*?\\.)[^\\.]+$"
+-      },
+-      {
+-        "tag_name": "rds_name",
+-        "regex": "rds\\.(.*?\\.)[^\\.]+$"
+-      },
+-      {
+-        "tag_name": "sds_name",
+-        "regex": "sds\\.(.*?\\.)[^\\.]+$"
+-      },
+-      {
+-        "tag_name": "vhost",
+-        "regex": "^vhost\\.((.*?)\\.)(vcluster|route)"
+-      },
+-      {
+-        "tag_name": "vcluster",
+-        "regex": "vcluster\\.((.*?)\\.)upstream"
+-      },
+-      {
+-        "tag_name": "dest_zone",
+-        "regex": "zone\\.[^\\.]+\\.([^\\.]+\\.)"
+-      },
+-      {
+-        "tag_name": "from_zone",
+-        "regex": "zone\\.([^\\.]+\\.)"
+-      },
+-      {
+         "tag_name": "cluster_name",
+-        "regex": "^cluster\\.((.*?)\\.)(http1\\.|http2\\.|health_check\\.|zone\\.|external\\.|circuit_breakers\\.|[^\\.]+$)"
++        "regex": "^cluster\\.((.+?(\\..+?\\.svc\\.cluster\\.local)?)\\.)"
+       },
+       {
+         "tag_name": "tcp_prefix",
+         "regex": "^tcp\\.((.*?)\\.)\\w+?$"
+       },
+       {
+-        "regex": "(response_code=\\.=(.+?);\\.;)|_rq(_(\\.d{3}))$",
++        "regex": "_rq(_(\\d{3}))$",
+         "tag_name": "response_code"
+       },
+       {
+@@ -98,7 +58,7 @@
+       },
+       {
+         "tag_name": "http_conn_manager_prefix",
+-        "regex": "^http\\.(((outbound_([0-9]{1,3}\\.{0,1}){4}_\\d{0,5})|([^\\.]+))\\.)"
++        "regex": "^http\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)"
+       },
+       {
+         "tag_name": "listener_address",
+@@ -108,12 +68,6 @@
+         "tag_name": "mongo_prefix",
+         "regex": "^mongo\\.(.+?)\\.(collection|cmd|cx_|op_|delays_|decoding_)(.*?)$"
+       },
+-      {{- range $a, $tag := .extraStatTags }}
+-      {
+-        "regex": "({{ $tag }}=\\.=(.*?);\\.;)",
+-        "tag_name": "{{ $tag }}"
+-      },
+-      {{- end }}
+       {
+         "regex": "(cache\\.(.+?)\\.)",
+         "tag_name": "cache"

istio/1.12/patches/proxy/20240519-v8-upgrade.patch

@@ -0,0 +1,38 @@
+diff -Naur proxy/scripts/release-binary.sh proxy-new/scripts/release-binary.sh
+--- proxy/scripts/release-binary.sh     2024-05-19 12:33:33.254478650 +0800
++++ proxy-new/scripts/release-binary.sh 2024-05-19 12:31:11.714475870 +0800
+@@ -112,7 +112,7 @@
+ # k8-opt is the output directory for x86_64 optimized builds (-c opt, so --config=release-symbol and --config=release).
+ # k8-dbg is the output directory for -c dbg builds.
+ #for config in release release-symbol debug
+-for config in release
++for config in release release-symbol
+ do
+   case $config in
+     "release" )
+diff -Naur proxy/scripts/release-binary.sh proxy-new/scripts/release-binary.sh
+--- proxy/scripts/release-binary.sh	2024-05-19 12:27:51.030471929 +0800
++++ proxy-new/scripts/release-binary.sh	2024-05-19 12:04:55.738444918 +0800
+@@ -152,10 +152,6 @@
+   echo "Building ${config} proxy"
+   BINARY_NAME="${HOME}/package/${BINARY_BASE_NAME}.tar.gz"
+   SHA256_NAME="${HOME}/${BINARY_BASE_NAME}-${SHA}.sha256"
+-  # All cores are used by com_googlesource_chromium_v8:build within. 
+-  # Prebuild this target to avoid stacking this ram intensive task with others.
+-  # shellcheck disable=SC2086
+-  bazel build ${BAZEL_BUILD_ARGS} ${CONFIG_PARAMS} @com_googlesource_chromium_v8//:build
+   # shellcheck disable=SC2086
+   bazel build ${BAZEL_BUILD_ARGS} ${CONFIG_PARAMS} //src/envoy:envoy_tar
+   BAZEL_TARGET="${BAZEL_OUT}/src/envoy/envoy_tar.tar.gz"
+diff -Naur proxy/tools/deb/test/build_docker.sh proxy-new/tools/deb/test/build_docker.sh
+--- proxy/tools/deb/test/build_docker.sh	2024-05-19 12:27:51.030471929 +0800
++++ proxy-new/tools/deb/test/build_docker.sh	2024-05-19 12:05:07.978445159 +0800
+@@ -20,8 +20,6 @@
+ # Script requires a working docker on the test machine
+ # It is run in the proxy dir, will create a docker image with proxy deb installed
+ 
+-
+-bazel build @com_googlesource_chromium_v8//:build
+ bazel build tools/deb:istio-proxy
+ 
+ PROJECT="istio-testing"

pkg/bootstrap/server.go

@@ -20,6 +20,7 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/alibaba/higress/pkg/cert"
 	"github.com/alibaba/higress/pkg/ingress/kube/common"
 	"github.com/alibaba/higress/pkg/ingress/mcp"
 	"github.com/alibaba/higress/pkg/ingress/translation"
@@ -110,6 +111,11 @@ type ServerArgs struct {
 	KeepStaleWhenEmpty   bool
 	GatewaySelectorKey   string
 	GatewaySelectorValue string
+	GatewayHttpPort      uint32
+	GatewayHttpsPort     uint32
+	EnableAutomaticHttps bool
+	AutomaticHttpsEmail  string
+	CertHttpAddress      string
 }
 
 type readinessProbe func() (bool, error)
@@ -131,6 +137,7 @@ type Server struct {
 	xdsServer        *xds.DiscoveryServer
 	server           server.Instance
 	readinessProbes  map[string]readinessProbe
+	certServer       *cert.Server
 }
 
 var (
@@ -166,6 +173,7 @@ func NewServer(args *ServerArgs) (*Server, error) {
 		s.initConfigController,
 		s.initRegistryEventHandlers,
 		s.initAuthenticators,
+		s.initAutomaticHttps,
 	}
 
 	for _, f := range initFuncList {
@@ -220,6 +228,8 @@ func (s *Server) initConfigController() error {
 		SystemNamespace:      ns,
 		GatewaySelectorKey:   s.GatewaySelectorKey,
 		GatewaySelectorValue: s.GatewaySelectorValue,
+		GatewayHttpPort:      s.GatewayHttpPort,
+		GatewayHttpsPort:     s.GatewayHttpsPort,
 	}
 	if options.ClusterId == "Kubernetes" {
 		options.ClusterId = ""
@@ -283,6 +293,15 @@ func (s *Server) Start(stop <-chan struct{}) error {
 		}
 	}()
 
+	if s.EnableAutomaticHttps {
+		go func() {
+			log.Infof("starting Automatic Cert HTTP service at %s", s.CertHttpAddress)
+			if err := s.certServer.Run(stop); err != nil {
+				log.Errorf("error serving Automatic Cert HTTP server: %v", err)
+			}
+		}()
+	}
+
 	s.waitForShutDown(stop)
 	return nil
 }
@@ -366,6 +385,26 @@ func (s *Server) initAuthenticators() error {
 	return nil
 }
 
+func (s *Server) initAutomaticHttps() error {
+	certOption := &cert.Option{
+		Namespace:     PodNamespace,
+		ServerAddress: s.CertHttpAddress,
+		Email:         s.AutomaticHttpsEmail,
+	}
+	certServer, err := cert.NewServer(s.kubeClient.Kube(), certOption)
+	if err != nil {
+		return err
+	}
+	s.certServer = certServer
+	log.Infof("init cert default config")
+	s.certServer.InitDefaultConfig()
+	if !s.EnableAutomaticHttps {
+		log.Info("automatic https is disabled")
+		return nil
+	}
+	return s.certServer.InitServer()
+}
+
 func (s *Server) initKubeClient() error {
 	if s.kubeClient != nil {
 		// Already initialized by startup arguments
@@ -394,6 +433,7 @@ func (s *Server) initHttpServer() error {
 	}
 	s.xdsServer.AddDebugHandlers(s.httpMux, nil, true, nil)
 	s.httpMux.HandleFunc("/ready", s.readyHandler)
+	s.httpMux.HandleFunc("/registry/watcherStatus", s.registryWatcherStatusHandler)
 	return nil
 }
 
@@ -409,6 +449,43 @@ func (s *Server) readyHandler(w http.ResponseWriter, _ *http.Request) {
 	w.WriteHeader(http.StatusOK)
 }
 
+func (s *Server) registryWatcherStatusHandler(w http.ResponseWriter, _ *http.Request) {
+	ingressTranslation, ok := s.environment.IngressStore.(*translation.IngressTranslation)
+	if !ok {
+		http.Error(w, "IngressStore not found", http.StatusNotFound)
+		return
+	}
+
+	ingressConfig := ingressTranslation.GetIngressConfig()
+	if ingressConfig == nil {
+		http.Error(w, "IngressConfig not found", http.StatusNotFound)
+		return
+	}
+
+	registryReconciler := ingressConfig.RegistryReconciler
+	if registryReconciler == nil {
+		http.Error(w, "RegistryReconciler not found", http.StatusNotFound)
+		return
+	}
+
+	watcherStatusList := registryReconciler.GetRegistryWatcherStatusList()
+	writeJSON(w, watcherStatusList)
+}
+
+func writeJSON(w http.ResponseWriter, obj interface{}) {
+	w.Header().Set("Content-Type", "application/json")
+	b, err := config.ToJSON(obj)
+	if err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		_, _ = w.Write([]byte(err.Error()))
+		return
+	}
+	_, err = w.Write(b)
+	if err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+	}
+}
+
 // cachesSynced checks whether caches have been synced.
 func (s *Server) cachesSynced() bool {
 	return s.configController.HasSynced()

pkg/cert/certmgr.go

@@ -0,0 +1,219 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cert
+
+import (
+	"context"
+	"fmt"
+	"sync"
+
+	"github.com/caddyserver/certmagic"
+	"github.com/mholt/acmez"
+	"k8s.io/client-go/kubernetes"
+)
+
+const (
+	EventCertObtained = "cert_obtained"
+)
+
+type CertMgr struct {
+	cfg           *certmagic.Config
+	client        kubernetes.Interface
+	namespace     string
+	mux           sync.RWMutex
+	storage       certmagic.Storage
+	cache         *certmagic.Cache
+	myACME        *certmagic.ACMEIssuer
+	ingressSolver acmez.Solver
+	configMgr     *ConfigMgr
+	secretMgr     *SecretMgr
+}
+
+func InitCertMgr(opts *Option, clientSet kubernetes.Interface, config *Config) (*CertMgr, error) {
+	CertLog.Infof("certmgr init config: %+v", config)
+	// Init certmagic config
+	// First make a pointer to a Cache as we need to reference the same Cache in
+	// GetConfigForCert below.
+	var cache *certmagic.Cache
+	var storage certmagic.Storage
+	storage, _ = NewConfigmapStorage(opts.Namespace, clientSet)
+	renewalWindowRatio := float64(config.RenewBeforeDays / RenewMaxDays)
+	magicConfig := certmagic.Config{
+		RenewalWindowRatio: renewalWindowRatio,
+		Storage:            storage,
+	}
+	cache = certmagic.NewCache(certmagic.CacheOptions{
+		GetConfigForCert: func(cert certmagic.Certificate) (*certmagic.Config, error) {
+			// Here we use New to get a valid Config associated with the same cache.
+			// The provided Config is used as a template and will be completed with
+			// any defaults that are set in the Default config.
+			return certmagic.New(cache, magicConfig), nil
+		},
+	})
+	// init certmagic
+	cfg := certmagic.New(cache, magicConfig)
+	// Init certmagic acme
+	issuer := config.GetIssuer(IssuerTypeLetsencrypt)
+	if issuer == nil {
+		// should never happen here
+		return nil, fmt.Errorf("there is no Letsencrypt Issuer found in config")
+	}
+
+	myACME := certmagic.NewACMEIssuer(cfg, certmagic.ACMEIssuer{
+		//CA:                      certmagic.LetsEncryptStagingCA,
+		CA:                      certmagic.LetsEncryptProductionCA,
+		Email:                   issuer.Email,
+		Agreed:                  true,
+		DisableHTTPChallenge:    false,
+		DisableTLSALPNChallenge: true,
+	})
+	// inject http01 solver
+	ingressSolver, _ := NewIngressSolver(opts.Namespace, clientSet, myACME)
+	myACME.Http01Solver = ingressSolver
+	// init issuers
+	cfg.Issuers = []certmagic.Issuer{myACME}
+
+	configMgr, _ := NewConfigMgr(opts.Namespace, clientSet)
+	secretMgr, _ := NewSecretMgr(opts.Namespace, clientSet)
+
+	certMgr := &CertMgr{
+		cfg:           cfg,
+		client:        clientSet,
+		namespace:     opts.Namespace,
+		myACME:        myACME,
+		ingressSolver: ingressSolver,
+		configMgr:     configMgr,
+		secretMgr:     secretMgr,
+		cache:         cache,
+	}
+	certMgr.cfg.OnEvent = certMgr.OnEvent
+	return certMgr, nil
+}
+func (s *CertMgr) Reconcile(ctx context.Context, oldConfig *Config, newConfig *Config) error {
+	CertLog.Infof("cermgr reconcile old config:%+v to new config:%+v", oldConfig, newConfig)
+	// sync email
+	if oldConfig != nil && newConfig != nil {
+		oldIssuer := oldConfig.GetIssuer(IssuerTypeLetsencrypt)
+		newIssuer := newConfig.GetIssuer(IssuerTypeLetsencrypt)
+		if oldIssuer.Email != newIssuer.Email {
+			// TODO before sync email, maybe need to clean up cache and account
+		}
+	}
+
+	// sync domains
+	newDomains := make([]string, 0)
+	newDomainsMap := make(map[string]string, 0)
+	removeDomains := make([]string, 0)
+
+	if newConfig != nil {
+		for _, config := range newConfig.CredentialConfig {
+			if config.TLSIssuer == IssuerTypeLetsencrypt {
+				for _, newDomain := range config.Domains {
+					newDomains = append(newDomains, newDomain)
+					newDomainsMap[newDomain] = newDomain
+				}
+
+			}
+		}
+	}
+
+	if oldConfig != nil {
+		for _, config := range oldConfig.CredentialConfig {
+			if config.TLSIssuer == IssuerTypeLetsencrypt {
+				for _, oldDomain := range config.Domains {
+					if _, ok := newDomainsMap[oldDomain]; !ok {
+						removeDomains = append(removeDomains, oldDomain)
+					}
+				}
+
+			}
+		}
+	}
+
+	if newConfig.AutomaticHttps == true {
+		newIssuer := newConfig.GetIssuer(IssuerTypeLetsencrypt)
+		// clean up  unused domains
+		s.cleanSync(context.Background(), removeDomains)
+		// sync email
+		s.myACME.Email = newIssuer.Email
+		// sync RenewalWindowRatio
+		s.cfg.RenewalWindowRatio = float64(newConfig.RenewBeforeDays / RenewMaxDays)
+		// start cache
+		s.cache.Start()
+		// sync domains
+		s.manageSync(context.Background(), newDomains)
+		s.configMgr.SetConfig(newConfig)
+	} else {
+		// stop cache  maintainAssets
+		s.cache.Stop()
+		s.configMgr.SetConfig(newConfig)
+	}
+
+	return nil
+}
+
+func (s *CertMgr) manageSync(ctx context.Context, domainNames []string) error {
+	CertLog.Infof("cert manage sync domains:%v", domainNames)
+	return s.cfg.ManageSync(ctx, domainNames)
+}
+
+func (s *CertMgr) cleanSync(ctx context.Context, domainNames []string) error {
+	//TODO implement clean up domains
+	CertLog.Infof("cert clean sync domains:%v", domainNames)
+	return nil
+}
+
+func (s *CertMgr) OnEvent(ctx context.Context, event string, data map[string]any) error {
+	CertLog.Infof("certmgr receive event:% data:%+v", event, data)
+	/**
+	event: cert_obtained
+	cfg.emit(ctx, "cert_obtained", map[string]any{
+		"renewal":          true,
+		"remaining":        timeLeft,
+		"identifier":       name,
+		"issuer":           issuerKey,
+		"storage_path":     StorageKeys.CertsSitePrefix(issuerKey, certKey),
+		"private_key_path": StorageKeys.SitePrivateKey(issuerKey, certKey),
+		"certificate_path": StorageKeys.SiteCert(issuerKey, certKey),
+		"metadata_path":    StorageKeys.SiteMeta(issuerKey, certKey),
+	})
+	*/
+	if event == EventCertObtained {
+		// obtain certificate and update secret
+		domain := data["identifier"].(string)
+		isRenew := data["renewal"].(bool)
+		privateKeyPath := data["private_key_path"].(string)
+		certificatePath := data["certificate_path"].(string)
+		privateKey, err := s.cfg.Storage.Load(context.Background(), privateKeyPath)
+		certificate, err := s.cfg.Storage.Load(context.Background(), certificatePath)
+		certChain, err := parseCertsFromPEMBundle(certificate)
+		if err != nil {
+			return err
+		}
+		notAfterTime := notAfter(certChain[0])
+		notBeforeTime := notBefore(certChain[0])
+		secretName := s.configMgr.GetConfig().GetSecretNameByDomain(IssuerTypeLetsencrypt, domain)
+		if len(secretName) == 0 {
+			CertLog.Errorf("can not find secret name for domain % in config", domain)
+			return nil
+		}
+		err2 := s.secretMgr.Update(domain, secretName, privateKey, certificate, notBeforeTime, notAfterTime, isRenew)
+		if err2 != nil {
+			CertLog.Errorf("update secretName %s for domain %s error: %v", secretName, domain, err2)
+		}
+		return err
+	}
+	return nil
+}

pkg/cert/config.go

@@ -0,0 +1,290 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cert
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"sync/atomic"
+	"time"
+
+	"istio.io/istio/pkg/config/host"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"sigs.k8s.io/yaml"
+)
+
+const (
+	ConfigmapCertName      = "higress-https"
+	ConfigmapCertConfigKey = "cert"
+	DefaultRenewBeforeDays = 30
+	RenewMaxDays           = 90
+)
+
+type IssuerName string
+
+const (
+	IssuerTypeAliyunSSL   IssuerName = "aliyunssl"
+	IssuerTypeLetsencrypt IssuerName = "letsencrypt"
+)
+
+// Config is the configuration of automatic https.
+type Config struct {
+	AutomaticHttps   bool              `json:"automaticHttps"`
+	RenewBeforeDays  int               `json:"renewBeforeDays"`
+	CredentialConfig []CredentialEntry `json:"credentialConfig"`
+	ACMEIssuer       []ACMEIssuerEntry `json:"acmeIssuer"`
+	Version          string            `json:"version"`
+}
+
+func (c *Config) GetIssuer(issuerName IssuerName) *ACMEIssuerEntry {
+	for _, issuer := range c.ACMEIssuer {
+		if issuer.Name == issuerName {
+			return &issuer
+		}
+	}
+	return nil
+}
+
+func (c *Config) MatchSecretNameByDomain(domain string) string {
+	for _, credential := range c.CredentialConfig {
+		for _, credDomain := range credential.Domains {
+			if host.Name(strings.ToLower(domain)).SubsetOf(host.Name(strings.ToLower(credDomain))) {
+				return credential.TLSSecret
+			}
+		}
+	}
+	return ""
+}
+
+func (c *Config) GetSecretNameByDomain(issuerName IssuerName, domain string) string {
+	for _, credential := range c.CredentialConfig {
+		if credential.TLSIssuer == issuerName {
+			for _, credDomain := range credential.Domains {
+				if host.Name(strings.ToLower(domain)).SubsetOf(host.Name(strings.ToLower(credDomain))) {
+					return credential.TLSSecret
+				}
+			}
+		}
+	}
+	return ""
+}
+
+func (c *Config) Validate() error {
+	// check acmeIssuer
+	if len(c.ACMEIssuer) == 0 {
+		return fmt.Errorf("acmeIssuer is empty")
+	}
+	for _, issuer := range c.ACMEIssuer {
+		switch issuer.Name {
+		case IssuerTypeLetsencrypt:
+			if issuer.Email == "" {
+				return fmt.Errorf("acmeIssuer %s email is empty", issuer.Name)
+			}
+			if !ValidateEmail(issuer.Email) {
+				return fmt.Errorf("acmeIssuer %s email %s is invalid", issuer.Name, issuer.Email)
+			}
+		default:
+			return fmt.Errorf("acmeIssuer name %s is not supported", issuer.Name)
+		}
+	}
+	// check credentialConfig
+	for _, credential := range c.CredentialConfig {
+		if len(credential.Domains) == 0 {
+			return fmt.Errorf("credentialConfig domains is empty")
+		}
+		if credential.TLSSecret == "" {
+			return fmt.Errorf("credentialConfig tlsSecret is empty")
+		}
+		if credential.TLSIssuer == IssuerTypeLetsencrypt {
+			if len(credential.Domains) > 1 {
+				return fmt.Errorf("credentialConfig tlsIssuer %s only support one domain", credential.TLSIssuer)
+			}
+		}
+		if credential.TLSIssuer != IssuerTypeLetsencrypt && len(credential.TLSIssuer) > 0 {
+			return fmt.Errorf("credential tls issuer %s is not support", credential.TLSIssuer)
+		}
+	}
+
+	if c.RenewBeforeDays <= 0 {
+		return fmt.Errorf("RenewBeforeDays should be large than zero")
+	}
+
+	if c.RenewBeforeDays >= RenewMaxDays {
+		return fmt.Errorf("RenewBeforeDays should be less than %d", RenewMaxDays)
+	}
+	return nil
+}
+
+type CredentialEntry struct {
+	Domains      []string   `json:"domains"`
+	TLSIssuer    IssuerName `json:"tlsIssuer,omitempty"`
+	TLSSecret    string     `json:"tlsSecret,omitempty"`
+	CACertSecret string     `json:"cacertSecret,omitempty"`
+}
+
+type ACMEIssuerEntry struct {
+	Name  IssuerName `json:"name"`
+	Email string     `json:"email"`
+	AK    string     `json:"ak"` // Only applicable for certain issuers like 'aliyunssl'
+	SK    string     `json:"sk"` // Only applicable for certain issuers like 'aliyunssl'
+}
+type ConfigMgr struct {
+	client    kubernetes.Interface
+	config    atomic.Value
+	namespace string
+}
+
+func (c *ConfigMgr) SetConfig(config *Config) {
+	c.config.Store(config)
+}
+
+func (c *ConfigMgr) GetConfig() *Config {
+	value := c.config.Load()
+	if value != nil {
+		if config, ok := value.(*Config); ok {
+			return config
+		}
+	}
+	return nil
+}
+
+func (c *ConfigMgr) InitConfig(email string) (*Config, error) {
+	var defaultConfig *Config
+	cm, err := c.GetConfigmap()
+	if err != nil {
+		if errors.IsNotFound(err) {
+			if len(strings.TrimSpace(email)) == 0 {
+				email = getRandEmail()
+			}
+			defaultConfig = newDefaultConfig(email)
+			err2 := c.ApplyConfigmap(defaultConfig)
+			if err2 != nil {
+				return nil, err2
+			}
+		}
+		return nil, err
+	} else {
+		defaultConfig, err = c.ParseConfigFromConfigmap(cm)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return defaultConfig, nil
+}
+
+func (c *ConfigMgr) ParseConfigFromConfigmap(configmap *v1.ConfigMap) (*Config, error) {
+	if _, ok := configmap.Data[ConfigmapCertConfigKey]; !ok {
+		return nil, fmt.Errorf("no cert key %s in configmap %s", ConfigmapCertConfigKey, configmap.Name)
+	}
+
+	config := newDefaultConfig("")
+	if err := yaml.Unmarshal([]byte(configmap.Data[ConfigmapCertConfigKey]), config); err != nil {
+		return nil, fmt.Errorf("data:%s,  convert to higress config error, error: %+v", configmap.Data[ConfigmapCertConfigKey], err)
+	}
+	// validate config
+	if err := config.Validate(); err != nil {
+		return nil, err
+	}
+	return config, nil
+}
+
+func (c *ConfigMgr) GetConfigFromConfigmap() (*Config, error) {
+	var config *Config
+	cm, err := c.GetConfigmap()
+	if err != nil {
+		return nil, err
+	} else {
+		config, err = c.ParseConfigFromConfigmap(cm)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return config, nil
+}
+
+func (c *ConfigMgr) GetConfigmap() (configmap *v1.ConfigMap, err error) {
+	configmapName := ConfigmapCertName
+	cm, err := c.client.CoreV1().ConfigMaps(c.namespace).Get(context.Background(), configmapName, metav1.GetOptions{})
+	return cm, err
+}
+
+func (c *ConfigMgr) ApplyConfigmap(config *Config) error {
+	configmapName := ConfigmapCertName
+	cm := &v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: c.namespace,
+			Name:      configmapName,
+		},
+	}
+	bytes, err := yaml.Marshal(config)
+	if err != nil {
+		return err
+	}
+	cm.Data = make(map[string]string, 0)
+	cm.Data[ConfigmapCertConfigKey] = string(bytes)
+
+	_, err = c.client.CoreV1().ConfigMaps(c.namespace).Get(context.Background(), configmapName, metav1.GetOptions{})
+	if err != nil {
+		if errors.IsNotFound(err) {
+			if _, err = c.client.CoreV1().ConfigMaps(c.namespace).Create(context.Background(), cm, metav1.CreateOptions{}); err != nil {
+				return err
+			}
+		} else {
+			return err
+		}
+	} else {
+		if _, err = c.client.CoreV1().ConfigMaps(c.namespace).Update(context.Background(), cm, metav1.UpdateOptions{}); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func NewConfigMgr(namespace string, client kubernetes.Interface) (*ConfigMgr, error) {
+	configMgr := &ConfigMgr{
+		client:    client,
+		namespace: namespace,
+	}
+	return configMgr, nil
+}
+
+func newDefaultConfig(email string) *Config {
+
+	defaultIssuer := []ACMEIssuerEntry{
+		{
+			Name:  IssuerTypeLetsencrypt,
+			Email: email,
+		},
+	}
+	defaultCredentialConfig := make([]CredentialEntry, 0)
+	config := &Config{
+		AutomaticHttps:   true,
+		RenewBeforeDays:  DefaultRenewBeforeDays,
+		ACMEIssuer:       defaultIssuer,
+		CredentialConfig: defaultCredentialConfig,
+		Version:          time.Now().Format("20060102030405"),
+	}
+	return config
+}
+
+func getRandEmail() string {
+	num1 := rangeRandom(100, 100000)
+	num2 := rangeRandom(100, 100000)
+	return fmt.Sprintf("your%d@yours%d.com", num1, num2)
+}

pkg/cert/config_test.go

@@ -0,0 +1,122 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cert
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestMatchSecretNameByDomain(t *testing.T) {
+	tests := []struct {
+		name          string
+		domain        string
+		credentialCfg []CredentialEntry
+		expected      string
+	}{
+		{
+			name:   "Exact match",
+			domain: "example.com",
+			credentialCfg: []CredentialEntry{
+				{
+					Domains:   []string{"example.com"},
+					TLSSecret: "example-com-tls",
+				},
+			},
+			expected: "example-com-tls",
+		},
+
+		{
+			name:   "Exact match ignore case ",
+			domain: "eXample.com",
+			credentialCfg: []CredentialEntry{
+				{
+					Domains:   []string{"example.com"},
+					TLSSecret: "example-com-tls",
+				},
+			},
+			expected: "example-com-tls",
+		},
+		{
+			name:   "Wildcard match",
+			domain: "sub.example.com",
+			credentialCfg: []CredentialEntry{
+				{
+					Domains:   []string{"*.example.com"},
+					TLSSecret: "wildcard-example-com-tls",
+				},
+			},
+			expected: "wildcard-example-com-tls",
+		},
+
+		{
+			name:   "Wildcard match ignore case",
+			domain: "sub.Example.com",
+			credentialCfg: []CredentialEntry{
+				{
+					Domains:   []string{"*.example.com"},
+					TLSSecret: "wildcard-example-com-tls",
+				},
+			},
+			expected: "wildcard-example-com-tls",
+		},
+		{
+			name:   "* match",
+			domain: "blog.example.co.uk",
+			credentialCfg: []CredentialEntry{
+				{
+					Domains:   []string{"*"},
+					TLSSecret: "blog-co-uk-tls",
+				},
+			},
+			expected: "blog-co-uk-tls",
+		},
+		{
+			name:   "No match",
+			domain: "unknown.com",
+			credentialCfg: []CredentialEntry{
+				{
+					Domains:   []string{"example.com"},
+					TLSSecret: "example-com-tls",
+				},
+			},
+			expected: "",
+		},
+		{
+			name:   "Multiple matches - first match wins",
+			domain: "example.com",
+			credentialCfg: []CredentialEntry{
+				{
+					Domains:   []string{"example.com"},
+					TLSSecret: "example-com-tls",
+				},
+				{
+					Domains:   []string{"*.example.com"},
+					TLSSecret: "wildcard-example-com-tls",
+				},
+			},
+			expected: "example-com-tls",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg := Config{CredentialConfig: tt.credentialCfg}
+			result := cfg.MatchSecretNameByDomain(tt.domain)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}

pkg/cert/controller.go

@@ -0,0 +1,165 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cert
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+	"time"
+
+	"k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/client-go/informers"
+	v1informer "k8s.io/client-go/informers/core/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/util/workqueue"
+)
+
+const (
+	workNum       = 1
+	maxRetry      = 2
+	configMapName = "higress-https"
+)
+
+type Controller struct {
+	namespace         string
+	ConfigMapInformer v1informer.ConfigMapInformer
+	client            kubernetes.Interface
+	queue             workqueue.RateLimitingInterface
+	configMgr         *ConfigMgr
+	server            *Server
+	certMgr           *CertMgr
+	factory           informers.SharedInformerFactory
+}
+
+func (c *Controller) addConfigmap(obj interface{}) {
+	key, err := cache.MetaNamespaceKeyFunc(obj)
+	if err != nil {
+		return
+	}
+	namespace, name, _ := cache.SplitMetaNamespaceKey(key)
+	if namespace != c.namespace || name != configMapName {
+		return
+	}
+	c.enqueue(name)
+
+}
+func (c *Controller) updateConfigmap(oldObj interface{}, newObj interface{}) {
+	key, err := cache.MetaNamespaceKeyFunc(oldObj)
+	if err != nil {
+		return
+	}
+	namespace, name, _ := cache.SplitMetaNamespaceKey(key)
+	if namespace != c.namespace || name != configMapName {
+		return
+	}
+	if reflect.DeepEqual(oldObj, newObj) {
+		return
+	}
+	c.enqueue(name)
+}
+
+func (c *Controller) enqueue(name string) {
+	c.queue.Add(name)
+}
+
+func (c *Controller) cachesSynced() bool {
+	return c.ConfigMapInformer.Informer().HasSynced()
+}
+
+func (c *Controller) Run(stopCh <-chan struct{}) error {
+	defer runtime.HandleCrash()
+	defer c.queue.ShutDown()
+	CertLog.Info("Waiting for informer caches to sync")
+	c.factory.Start(stopCh)
+	if ok := cache.WaitForCacheSync(stopCh, c.cachesSynced); !ok {
+		return fmt.Errorf("failed to wait for caches to sync")
+	}
+	CertLog.Info("Starting controller")
+	// Launch one workers to process configmap resources
+	for i := 0; i < workNum; i++ {
+		go wait.Until(c.worker, time.Minute, stopCh)
+	}
+	CertLog.Info("Started workers")
+	<-stopCh
+	CertLog.Info("Shutting down workers")
+
+	return nil
+}
+
+func (c *Controller) worker() {
+	for c.processNextItem() {
+
+	}
+}
+
+func (c *Controller) processNextItem() bool {
+	item, shutdown := c.queue.Get()
+	if shutdown {
+		return false
+	}
+	defer c.queue.Done(item)
+	key := item.(string)
+	CertLog.Infof("controller process item:%s", key)
+	err := c.syncConfigmap(key)
+	if err != nil {
+		c.handleError(key, err)
+	}
+	return true
+}
+
+func (c *Controller) syncConfigmap(key string) error {
+	configmap, err := c.ConfigMapInformer.Lister().ConfigMaps(c.namespace).Get(key)
+	if err != nil {
+		return err
+	}
+	newConfig, err := c.configMgr.ParseConfigFromConfigmap(configmap)
+	if err != nil {
+		return err
+	}
+	oldConfig := c.configMgr.GetConfig()
+	// reconcile old config and new config
+	return c.certMgr.Reconcile(context.Background(), oldConfig, newConfig)
+}
+
+func (c *Controller) handleError(key string, err error) {
+	runtime.HandleError(err)
+	CertLog.Errorf("%+v", err)
+	c.queue.Forget(key)
+}
+
+func NewController(client kubernetes.Interface, namespace string, certMgr *CertMgr, configMgr *ConfigMgr) (*Controller, error) {
+	kubeInformerFactory := informers.NewSharedInformerFactoryWithOptions(client, 0, informers.WithNamespace(namespace))
+	configmapInformer := kubeInformerFactory.Core().V1().ConfigMaps()
+	c := &Controller{
+		certMgr:           certMgr,
+		configMgr:         configMgr,
+		client:            client,
+		namespace:         namespace,
+		factory:           kubeInformerFactory,
+		ConfigMapInformer: configmapInformer,
+		queue:             workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "ingressManage"),
+	}
+
+	CertLog.Info("Setting up configmap informer event handlers")
+	configmapInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc:    c.addConfigmap,
+		UpdateFunc: c.updateConfigmap,
+	})
+
+	return c, nil
+}

pkg/cert/ingress.go

@@ -0,0 +1,158 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cert
+
+import (
+	"context"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/caddyserver/certmagic"
+	"github.com/mholt/acmez"
+	"github.com/mholt/acmez/acme"
+	v1 "k8s.io/api/networking/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+)
+
+const (
+	IngressClassName   = "higress"
+	IngressServiceName = "higress-controller"
+	IngressNamePefix   = "higress-http-solver-"
+	IngressPathPrefix  = "/.well-known/acme-challenge/"
+	IngressServicePort = 8889
+)
+
+type IngressSolver struct {
+	client       kubernetes.Interface
+	acmeIssuer   *certmagic.ACMEIssuer
+	solversMu    sync.Mutex
+	namespace    string
+	ingressDelay time.Duration
+}
+
+func NewIngressSolver(namespace string, client kubernetes.Interface, acmeIssuer *certmagic.ACMEIssuer) (acmez.Solver, error) {
+	solver := &IngressSolver{
+		namespace:    namespace,
+		client:       client,
+		acmeIssuer:   acmeIssuer,
+		ingressDelay: 5 * time.Second,
+	}
+	return solver, nil
+}
+
+func (s *IngressSolver) Present(_ context.Context, challenge acme.Challenge) error {
+	CertLog.Infof("ingress solver present challenge:%+v", challenge)
+	s.solversMu.Lock()
+	defer s.solversMu.Unlock()
+	ingressName := s.getIngressName(challenge)
+	ingress := s.constructIngress(challenge)
+	CertLog.Infof("update ingress name:%s, ingress:%v", ingressName, ingress)
+	_, err := s.client.NetworkingV1().Ingresses(s.namespace).Get(context.Background(), ingressName, metav1.GetOptions{})
+	if err != nil {
+		if errors.IsNotFound(err) {
+			// create ingress
+			_, err2 := s.client.NetworkingV1().Ingresses(s.namespace).Create(context.Background(), ingress, metav1.CreateOptions{})
+			return err2
+		}
+		return err
+	}
+	_, err1 := s.client.NetworkingV1().Ingresses(s.namespace).Update(context.Background(), ingress, metav1.UpdateOptions{})
+	if err1 != nil {
+		return err1
+	}
+	return nil
+}
+
+func (s *IngressSolver) Wait(ctx context.Context, challenge acme.Challenge) error {
+	CertLog.Infof("ingress solver wait challenge:%+v", challenge)
+	// wait for ingress ready
+	if s.ingressDelay > 0 {
+		select {
+		case <-time.After(s.ingressDelay):
+		case <-ctx.Done():
+			return ctx.Err()
+		}
+	}
+	CertLog.Infof("ingress solver wait challenge done")
+	return nil
+}
+
+func (s *IngressSolver) CleanUp(_ context.Context, challenge acme.Challenge) error {
+	CertLog.Infof("ingress solver cleanup challenge:%+v", challenge)
+	s.solversMu.Lock()
+	defer s.solversMu.Unlock()
+	ingressName := s.getIngressName(challenge)
+	CertLog.Infof("cleanup ingress name:%s", ingressName)
+	err := s.client.NetworkingV1().Ingresses(s.namespace).Delete(context.Background(), ingressName, metav1.DeleteOptions{})
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (s *IngressSolver) Delete(_ context.Context, challenge acme.Challenge) error {
+	s.solversMu.Lock()
+	defer s.solversMu.Unlock()
+	err := s.client.NetworkingV1().Ingresses(s.namespace).Delete(context.Background(), s.getIngressName(challenge), metav1.DeleteOptions{})
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (s *IngressSolver) getIngressName(challenge acme.Challenge) string {
+	return IngressNamePefix + strings.ReplaceAll(challenge.Identifier.Value, ".", "-")
+}
+
+func (s *IngressSolver) constructIngress(challenge acme.Challenge) *v1.Ingress {
+	ingressClassName := IngressClassName
+	ingressDomain := challenge.Identifier.Value
+	ingressPath := IngressPathPrefix + challenge.Token
+	ingress := v1.Ingress{}
+	ingress.Name = s.getIngressName(challenge)
+	ingress.Namespace = s.namespace
+	pathType := v1.PathTypePrefix
+	ingress.Spec = v1.IngressSpec{
+		IngressClassName: &ingressClassName,
+		Rules: []v1.IngressRule{
+			{
+				Host: ingressDomain,
+				IngressRuleValue: v1.IngressRuleValue{
+					HTTP: &v1.HTTPIngressRuleValue{
+						Paths: []v1.HTTPIngressPath{
+							{
+								Path:     ingressPath,
+								PathType: &pathType,
+								Backend: v1.IngressBackend{
+									Service: &v1.IngressServiceBackend{
+										Name: IngressServiceName,
+										Port: v1.ServiceBackendPort{
+											Number: IngressServicePort,
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	return &ingress
+}

pkg/cert/log.go

@@ -0,0 +1,19 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cert
+
+import "istio.io/pkg/log"
+
+var CertLog = log.RegisterScope("cert", "Higress Cert process.", 0)

pkg/cert/secret.go

@@ -0,0 +1,108 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cert
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+	"strings"
+	"time"
+
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+)
+
+const (
+	SecretNamePrefix = "higress-secret-"
+)
+
+type SecretMgr struct {
+	client    kubernetes.Interface
+	namespace string
+}
+
+func NewSecretMgr(namespace string, client kubernetes.Interface) (*SecretMgr, error) {
+	secretMgr := &SecretMgr{
+		namespace: namespace,
+		client:    client,
+	}
+
+	return secretMgr, nil
+}
+
+func (s *SecretMgr) Update(domain string, secretName string, privateKey []byte, certificate []byte, notBefore time.Time, notAfter time.Time, isRenew bool) error {
+	//secretName := s.getSecretName(domain)
+	secret := s.constructSecret(domain, privateKey, certificate, notBefore, notAfter, isRenew)
+	_, err := s.client.CoreV1().Secrets(s.namespace).Get(context.Background(), secretName, metav1.GetOptions{})
+	if err != nil {
+		if errors.IsNotFound(err) {
+			// create secret
+			_, err2 := s.client.CoreV1().Secrets(s.namespace).Create(context.Background(), secret, metav1.CreateOptions{})
+			return err2
+		}
+		return err
+	}
+	// check secret annotations
+	if _, ok := secret.Annotations["higress.io/cert-domain"]; !ok {
+		return fmt.Errorf("the secret name %s is not automatic https secret name for the domain:%s, please rename it in config", secretName, domain)
+	}
+	_, err1 := s.client.CoreV1().Secrets(s.namespace).Update(context.Background(), secret, metav1.UpdateOptions{})
+	if err1 != nil {
+		return err1
+	}
+
+	return nil
+}
+
+func (s *SecretMgr) Delete(domain string) error {
+	secretName := s.getSecretName(domain)
+	err := s.client.CoreV1().Secrets(s.namespace).Delete(context.Background(), secretName, metav1.DeleteOptions{})
+	return err
+}
+
+func (s *SecretMgr) getSecretName(domain string) string {
+	return SecretNamePrefix + strings.ReplaceAll(strings.TrimSpace(domain), ".", "-")
+}
+
+func (s *SecretMgr) constructSecret(domain string, privateKey []byte, certificate []byte, notBefore time.Time, notAfter time.Time, isRenew bool) *v1.Secret {
+	secretName := s.getSecretName(domain)
+	annotationMap := make(map[string]string, 0)
+	annotationMap["higress.io/cert-domain"] = domain
+	annotationMap["higress.io/cert-notAfter"] = notAfter.Format("2006-01-02 15:04:05")
+	annotationMap["higress.io/cert-notBefore"] = notBefore.Format("2006-01-02 15:04:05")
+	annotationMap["higress.io/cert-renew"] = strconv.FormatBool(isRenew)
+	if isRenew {
+		annotationMap["higress.io/cert-renew-time"] = time.Now().Format("2006-01-02 15:04:05")
+	}
+	// Required fields:
+	// - Secret.Data["tls.key"] - TLS private key.
+	//   Secret.Data["tls.crt"] - TLS certificate.
+	dataMap := make(map[string][]byte, 0)
+	dataMap["tls.key"] = privateKey
+	dataMap["tls.crt"] = certificate
+	secret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        secretName,
+			Namespace:   s.namespace,
+			Annotations: annotationMap,
+		},
+		Type: v1.SecretTypeTLS,
+		Data: dataMap,
+	}
+	return secret
+}

pkg/cert/server.go

@@ -0,0 +1,115 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cert
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/http"
+	"time"
+
+	"github.com/caddyserver/certmagic"
+	"k8s.io/client-go/kubernetes"
+)
+
+type Option struct {
+	Namespace     string
+	ServerAddress string
+	Email         string
+}
+
+type Server struct {
+	httpServer *http.Server
+	opts       *Option
+	clientSet  kubernetes.Interface
+	controller *Controller
+	certMgr    *CertMgr
+}
+
+func NewServer(clientSet kubernetes.Interface, opts *Option) (*Server, error) {
+	server := &Server{
+		clientSet: clientSet,
+		opts:      opts,
+	}
+	return server, nil
+}
+
+func (s *Server) InitDefaultConfig() error {
+	configMgr, _ := NewConfigMgr(s.opts.Namespace, s.clientSet)
+	// init config if there is not existed
+	_, err := configMgr.InitConfig(s.opts.Email)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (s *Server) InitServer() error {
+	configMgr, _ := NewConfigMgr(s.opts.Namespace, s.clientSet)
+	// init config if there is not existed
+	defaultConfig, err := configMgr.InitConfig(s.opts.Email)
+	if err != nil {
+		return err
+	}
+	// init certmgr
+	certMgr, err := InitCertMgr(s.opts, s.clientSet, defaultConfig) // config and start
+	s.certMgr = certMgr
+	// init controller
+	controller, err := NewController(s.clientSet, s.opts.Namespace, certMgr, configMgr)
+	s.controller = controller
+	// init http server
+	s.initHttpServer()
+	return nil
+}
+
+func (s *Server) initHttpServer() error {
+	CertLog.Infof("server init http server")
+	ctx := context.Background()
+	mux := http.NewServeMux()
+	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintf(w, "Lookit my cool website over HTTPS!")
+	})
+	httpServer := &http.Server{
+		ReadHeaderTimeout: 5 * time.Second,
+		ReadTimeout:       5 * time.Second,
+		WriteTimeout:      5 * time.Second,
+		IdleTimeout:       5 * time.Second,
+		Addr:              s.opts.ServerAddress,
+		BaseContext:       func(listener net.Listener) context.Context { return ctx },
+	}
+	cfg := s.certMgr.cfg
+	if len(cfg.Issuers) > 0 {
+		if am, ok := cfg.Issuers[0].(*certmagic.ACMEIssuer); ok {
+			httpServer.Handler = am.HTTPChallengeHandler(mux)
+		}
+	} else {
+		httpServer.Handler = mux
+	}
+	s.httpServer = httpServer
+	return nil
+}
+
+func (s *Server) Run(stopCh <-chan struct{}) error {
+	go s.controller.Run(stopCh)
+	CertLog.Infof("server run")
+	go func() {
+		<-stopCh
+		CertLog.Infof("server http server shutdown now...")
+		s.httpServer.Shutdown(context.Background())
+	}()
+	err := s.httpServer.ListenAndServe()
+	return err
+}

pkg/cert/storage.go

@@ -0,0 +1,337 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cert
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/fs"
+	"path"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/caddyserver/certmagic"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+)
+
+const (
+	CertificatesPrefix              = "/certificates"
+	ConfigmapStoreCertficatesPrefix = "higress-cert-store-certificates-"
+	ConfigmapStoreDefaultName       = "higress-cert-store-default"
+)
+
+var _ certmagic.Storage = (*ConfigmapStorage)(nil)
+
+type ConfigmapStorage struct {
+	namespace string
+	client    kubernetes.Interface
+	mux       sync.RWMutex
+}
+
+type HashValue struct {
+	K string `json:"k,omitempty"`
+	V []byte `json:"v,omitempty"`
+}
+
+func NewConfigmapStorage(namespace string, client kubernetes.Interface) (certmagic.Storage, error) {
+	storage := &ConfigmapStorage{
+		namespace: namespace,
+		client:    client,
+	}
+	return storage, nil
+}
+
+// Exists returns true if key exists in s.
+func (s *ConfigmapStorage) Exists(_ context.Context, key string) bool {
+	s.mux.RLock()
+	defer s.mux.RUnlock()
+	cm, err := s.getConfigmapStoreByKey(key)
+	if err != nil {
+		return false
+	}
+	if cm.Data == nil {
+		return false
+	}
+
+	hashKey := fastHash([]byte(key))
+	if _, ok := cm.Data[hashKey]; ok {
+		return true
+	}
+	return false
+}
+
+// Store saves value at key.
+func (s *ConfigmapStorage) Store(_ context.Context, key string, value []byte) error {
+	s.mux.Lock()
+	defer s.mux.Unlock()
+	cm, err := s.getConfigmapStoreByKey(key)
+	if err != nil {
+		return err
+	}
+	if cm.Data == nil {
+		cm.Data = make(map[string]string, 0)
+	}
+
+	hashKey := fastHash([]byte(key))
+	hashV := &HashValue{
+		K: key,
+		V: value,
+	}
+	bytes, err := json.Marshal(hashV)
+	if err != nil {
+		return err
+	}
+	cm.Data[hashKey] = string(bytes)
+	return s.updateConfigmap(cm)
+}
+
+// Load retrieves the value at key.
+func (s *ConfigmapStorage) Load(_ context.Context, key string) ([]byte, error) {
+	s.mux.RLock()
+	defer s.mux.RUnlock()
+	var value []byte
+	cm, err := s.getConfigmapStoreByKey(key)
+	if err != nil {
+		return value, err
+	}
+	if cm.Data == nil {
+		return value, fs.ErrNotExist
+	}
+
+	hashKey := fastHash([]byte(key))
+	if v, ok := cm.Data[hashKey]; ok {
+		hV := &HashValue{}
+		err = json.Unmarshal([]byte(v), hV)
+		if err != nil {
+			return value, err
+		}
+		return hV.V, nil
+	}
+	return value, fs.ErrNotExist
+}
+
+// Delete deletes the value at key.
+func (s *ConfigmapStorage) Delete(_ context.Context, key string) error {
+	s.mux.Lock()
+	defer s.mux.Unlock()
+	cm, err := s.getConfigmapStoreByKey(key)
+	if err != nil {
+		return err
+	}
+	if cm.Data == nil {
+		cm.Data = make(map[string]string, 0)
+	}
+	hashKey := fastHash([]byte(key))
+	delete(cm.Data, hashKey)
+	return s.updateConfigmap(cm)
+}
+
+// List returns all keys that match the prefix.
+// If the prefix is "/certificates", it retrieves all ConfigMaps, otherwise only one.
+func (s *ConfigmapStorage) List(ctx context.Context, prefix string, recursive bool) ([]string, error) {
+	s.mux.RLock()
+	defer s.mux.RUnlock()
+	var keys []string
+	var configmapKeys []string
+	visitedDirs := make(map[string]struct{})
+
+	// Check if the prefix corresponds to a specific key
+	hashPrefix := fastHash([]byte(prefix))
+	if strings.HasPrefix(prefix, CertificatesPrefix) {
+		// If the prefix is "/certificates", get all ConfigMaps and traverse each one
+		// List all ConfigMaps in the namespace with label higress.io/cert-https=true
+		configmaps, err := s.client.CoreV1().ConfigMaps(s.namespace).List(ctx, metav1.ListOptions{FieldSelector: "metadata.annotations['higress.io/cert-https'] == 'true'"})
+		if err != nil {
+			return keys, err
+		}
+
+		for _, cm := range configmaps.Items {
+			// Check if the ConfigMap name starts with the expected prefix
+			if strings.HasPrefix(cm.Name, ConfigmapStoreCertficatesPrefix) {
+				// Add the keys from Data field to the list
+				for _, v := range cm.Data {
+					// Unmarshal the value into hashValue struct
+					var hv HashValue
+					if err := json.Unmarshal([]byte(v), &hv); err != nil {
+						return nil, err
+					}
+					// Check if the key starts with the specified prefix
+					if strings.HasPrefix(hv.K, prefix) {
+						// Add the key to the list
+						configmapKeys = append(configmapKeys, hv.K)
+					}
+				}
+			}
+		}
+	} else {
+		// If not starting with "/certificates", get the specific ConfigMap
+		cm, err := s.getConfigmapStoreByKey(prefix)
+		if err != nil {
+			return keys, err
+		}
+
+		if _, ok := cm.Data[hashPrefix]; ok {
+			// The prefix corresponds to a specific key, add it to the list
+			configmapKeys = append(configmapKeys, prefix)
+		} else {
+			// The prefix is considered a directory
+			for _, v := range cm.Data {
+				// Unmarshal the value into hashValue struct
+				var hv HashValue
+				if err := json.Unmarshal([]byte(v), &hv); err != nil {
+					return nil, err
+				}
+				// Check if the key starts with the specified prefix
+				if strings.HasPrefix(hv.K, prefix) {
+					// Add the key to the list
+					configmapKeys = append(configmapKeys, hv.K)
+				}
+			}
+		}
+	}
+
+	// return all
+	if recursive {
+		return configmapKeys, nil
+	}
+
+	// only return sub dirs
+	for _, key := range configmapKeys {
+		subPath := strings.TrimPrefix(strings.ReplaceAll(key, prefix, ""), "/")
+		paths := strings.Split(subPath, "/")
+		if len(paths) > 0 {
+			subDir := path.Join(prefix, paths[0])
+			if _, ok := visitedDirs[subDir]; !ok {
+				keys = append(keys, subDir)
+			}
+			visitedDirs[subDir] = struct{}{}
+		}
+	}
+
+	return keys, nil
+}
+
+// Stat returns information about key. only support for no certificates path
+func (s *ConfigmapStorage) Stat(_ context.Context, key string) (certmagic.KeyInfo, error) {
+	s.mux.RLock()
+	defer s.mux.RUnlock()
+	// Create a new KeyInfo struct
+	info := certmagic.KeyInfo{}
+
+	// Get the ConfigMap containing the keys
+	cm, err := s.getConfigmapStoreByKey(key)
+	if err != nil {
+		return info, err
+	}
+
+	// Check if the key exists in the ConfigMap
+	hashKey := fastHash([]byte(key))
+	if data, ok := cm.Data[hashKey]; ok {
+		// The key exists, populate the KeyInfo struct
+		info.Key = key
+		info.Modified = time.Now() // Since we're not tracking modification time in ConfigMap
+		info.Size = int64(len(data))
+		info.IsTerminal = true
+	} else {
+		// Check if there are other keys with the same prefix
+		prefixKeys := make([]string, 0)
+		for _, v := range cm.Data {
+			var hv HashValue
+			if err := json.Unmarshal([]byte(v), &hv); err != nil {
+				return info, err
+			}
+			// Check if the key starts with the specified prefix
+			if strings.HasPrefix(hv.K, key) {
+				// Add the key to the list
+				prefixKeys = append(prefixKeys, hv.K)
+			}
+		}
+		// If there are multiple keys with the same prefix, then it's not a terminal node
+		if len(prefixKeys) > 0 {
+			info.Key = key
+			info.IsTerminal = false
+		} else {
+			return info, fmt.Errorf("prefix '%s' is not existed", key)
+		}
+	}
+	return info, nil
+}
+
+// Lock obtains a lock named by the given name. It blocks
+// until the lock can be obtained or an error is returned.
+func (s *ConfigmapStorage) Lock(ctx context.Context, name string) error {
+	return nil
+}
+
+// Unlock releases the lock for name.
+func (s *ConfigmapStorage) Unlock(_ context.Context, name string) error {
+	return nil
+}
+
+func (s *ConfigmapStorage) String() string {
+	return "ConfigmapStorage"
+}
+
+func (s *ConfigmapStorage) getConfigmapStoreNameByKey(key string) string {
+	parts := strings.SplitN(key, "/", 10)
+	if len(parts) >= 4 && parts[1] == "certificates" {
+		domain := strings.TrimSuffix(parts[3], ".crt")
+		domain = strings.TrimSuffix(domain, ".key")
+		domain = strings.TrimSuffix(domain, ".json")
+		issuerKey := parts[2]
+		return ConfigmapStoreCertficatesPrefix + fastHash([]byte(issuerKey+domain))
+	}
+	return ConfigmapStoreDefaultName
+}
+
+func (s *ConfigmapStorage) getConfigmapStoreByKey(key string) (*v1.ConfigMap, error) {
+	configmapName := s.getConfigmapStoreNameByKey(key)
+	cm, err := s.client.CoreV1().ConfigMaps(s.namespace).Get(context.Background(), configmapName, metav1.GetOptions{})
+	if err != nil {
+		if errors.IsNotFound(err) {
+			// Save default ConfigMap
+			cm = &v1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace:   s.namespace,
+					Name:        configmapName,
+					Annotations: map[string]string{"higress.io/cert-https": "true"},
+				},
+			}
+			_, err = s.client.CoreV1().ConfigMaps(s.namespace).Create(context.Background(), cm, metav1.CreateOptions{})
+			if err != nil {
+				return nil, err
+			}
+		} else {
+			return nil, err
+		}
+	}
+	return cm, nil
+}
+
+// updateConfigmap adds or updates the annotation higress.io/cert-https to true.
+func (s *ConfigmapStorage) updateConfigmap(configmap *v1.ConfigMap) error {
+	if configmap.ObjectMeta.Annotations == nil {
+		configmap.ObjectMeta.Annotations = make(map[string]string)
+	}
+	configmap.ObjectMeta.Annotations["higress.io/cert-https"] = "true"
+
+	_, err := s.client.CoreV1().ConfigMaps(configmap.Namespace).Update(context.Background(), configmap, metav1.UpdateOptions{})
+	return err
+}

pkg/cert/storage_test.go

@@ -0,0 +1,325 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cert
+
+import (
+	"context"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"k8s.io/client-go/kubernetes/fake"
+)
+
+func TestGetConfigmapStoreNameByKey(t *testing.T) {
+	// Create a fake client for testing
+	fakeClient := fake.NewSimpleClientset()
+	// Create a new ConfigmapStorage instance for testing
+	namespace := "your-namespace"
+	storage := &ConfigmapStorage{
+		namespace: namespace,
+		client:    fakeClient,
+	}
+	tests := []struct {
+		name     string
+		key      string
+		expected string
+	}{
+		{
+			name:     "certificate crt",
+			key:      "/certificates/issuerKey/domain.crt",
+			expected: "higress-cert-store-certificates-" + fastHash([]byte("issuerKey"+"domain")),
+		},
+		{
+			name:     "certificate meta",
+			key:      "/certificates/issuerKey/domain.json",
+			expected: "higress-cert-store-certificates-" + fastHash([]byte("issuerKey"+"domain")),
+		},
+		{
+			name:     "certificate key",
+			key:      "/certificates/issuerKey/domain.key",
+			expected: "higress-cert-store-certificates-" + fastHash([]byte("issuerKey"+"domain")),
+		},
+		{
+			name:     "user key",
+			key:      "/users/hello/2",
+			expected: "higress-cert-store-default",
+		},
+		{
+			name:     "Empty Key",
+			key:      "",
+			expected: "higress-cert-store-default",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			storageName := storage.getConfigmapStoreNameByKey(test.key)
+			assert.Equal(t, test.expected, storageName)
+		})
+	}
+}
+
+func TestExists(t *testing.T) {
+	// Create a fake client for testing
+	fakeClient := fake.NewSimpleClientset()
+
+	// Create a new ConfigmapStorage instance for testing
+	namespace := "your-namespace"
+	storage, err := NewConfigmapStorage(namespace, fakeClient)
+	assert.NoError(t, err)
+
+	// Store a test key
+	testKey := "/certificates/issuer1/domain1.crt"
+	err = storage.Store(context.Background(), testKey, []byte("test-data"))
+	assert.NoError(t, err)
+
+	// Define test cases
+	tests := []struct {
+		name        string
+		key         string
+		shouldExist bool
+	}{
+		{
+			name:        "Existing Key",
+			key:         "/certificates/issuer1/domain1.crt",
+			shouldExist: true,
+		},
+		{
+			name:        "Non-Existent Key1",
+			key:         "/certificates/issuer2/domain2.crt",
+			shouldExist: false,
+		},
+		{
+			name:        "Non-Existent Key2",
+			key:         "/users/hello/a",
+			shouldExist: false,
+		},
+		// Add more test cases as needed
+	}
+
+	// Run tests
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			exists := storage.Exists(context.Background(), test.key)
+			assert.Equal(t, test.shouldExist, exists)
+		})
+	}
+}
+
+func TestLoad(t *testing.T) {
+	// Create a fake client for testing
+	fakeClient := fake.NewSimpleClientset()
+
+	// Create a new ConfigmapStorage instance for testing
+	namespace := "your-namespace"
+	storage, err := NewConfigmapStorage(namespace, fakeClient)
+	assert.NoError(t, err)
+
+	// Store a test key
+	testKey := "/certificates/issuer1/domain1.crt"
+	testValue := []byte("test-data")
+	err = storage.Store(context.Background(), testKey, testValue)
+	assert.NoError(t, err)
+
+	// Define test cases
+	tests := []struct {
+		name        string
+		key         string
+		expected    []byte
+		shouldError bool
+	}{
+		{
+			name:        "Existing Key",
+			key:         "/certificates/issuer1/domain1.crt",
+			expected:    testValue,
+			shouldError: false,
+		},
+		{
+			name:        "Non-Existent Key",
+			key:         "/certificates/issuer2/domain2.crt",
+			expected:    nil,
+			shouldError: true,
+		},
+		// Add more test cases as needed
+	}
+
+	// Run tests
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			value, err := storage.Load(context.Background(), test.key)
+			if test.shouldError {
+				assert.Error(t, err)
+				assert.Nil(t, value)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, test.expected, value)
+			}
+		})
+	}
+}
+
+func TestStore(t *testing.T) {
+	// Create a fake client for testing
+	fakeClient := fake.NewSimpleClientset()
+
+	// Create a new ConfigmapStorage instance for testing
+	namespace := "your-namespace"
+	storage := ConfigmapStorage{
+		namespace: namespace,
+		client:    fakeClient,
+	}
+
+	// Define test cases
+	tests := []struct {
+		name                  string
+		key                   string
+		value                 []byte
+		expected              map[string]string
+		expectedConfigmapName string
+		shouldError           bool
+	}{
+		{
+			name:                  "Store Key with /certificates prefix",
+			key:                   "/certificates/issuer1/domain1.crt",
+			value:                 []byte("test-data1"),
+			expected:              map[string]string{fastHash([]byte("/certificates/issuer1/domain1.crt")): `{"k":"/certificates/issuer1/domain1.crt","v":"dGVzdC1kYXRhMQ=="}`},
+			expectedConfigmapName: "higress-cert-store-certificates-" + fastHash([]byte("issuer1"+"domain1")),
+			shouldError:           false,
+		},
+		{
+			name:  "Store Key with /certificates prefix (additional data)",
+			key:   "/certificates/issuer2/domain2.crt",
+			value: []byte("test-data2"),
+			expected: map[string]string{
+				fastHash([]byte("/certificates/issuer2/domain2.crt")): `{"k":"/certificates/issuer2/domain2.crt","v":"dGVzdC1kYXRhMg=="}`,
+			},
+			expectedConfigmapName: "higress-cert-store-certificates-" + fastHash([]byte("issuer2"+"domain2")),
+			shouldError:           false,
+		},
+		{
+			name:                  "Store Key without /certificates prefix",
+			key:                   "/other/path/data.txt",
+			value:                 []byte("test-data3"),
+			expected:              map[string]string{fastHash([]byte("/other/path/data.txt")): `{"k":"/other/path/data.txt","v":"dGVzdC1kYXRhMw=="}`},
+			expectedConfigmapName: "higress-cert-store-default",
+			shouldError:           false,
+		},
+		// Add more test cases as needed
+	}
+
+	// Run tests
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			err := storage.Store(context.Background(), test.key, test.value)
+			if test.shouldError {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+
+				// Check the contents of the ConfigMap after storing
+				configmapName := storage.getConfigmapStoreNameByKey(test.key)
+				cm, err := fakeClient.CoreV1().ConfigMaps(namespace).Get(context.Background(), configmapName, metav1.GetOptions{})
+				assert.NoError(t, err)
+
+				// Check if the data is as expected
+				assert.Equal(t, test.expected, cm.Data)
+
+				// Check if the configmapName is correct
+				assert.Equal(t, test.expectedConfigmapName, configmapName)
+			}
+		})
+	}
+}
+
+func TestList(t *testing.T) {
+	// Create a fake client for testing
+	fakeClient := fake.NewSimpleClientset()
+
+	// Create a new ConfigmapStorage instance for testing
+	namespace := "your-namespace"
+	storage, err := NewConfigmapStorage(namespace, fakeClient)
+	assert.NoError(t, err)
+
+	// Store some test data
+	// Store some test data
+	testKeys := []string{
+		"/certificates/issuer1/domain1.crt",
+		"/certificates/issuer1/domain2.crt",
+		"/certificates/issuer1/domain3.crt", // Added another domain for issuer1
+		"/certificates/issuer2/domain4.crt",
+		"/certificates/issuer2/domain5.crt",
+		"/certificates/issuer3/subdomain1/domain6.crt",            // Two-level subdirectory under issuer3
+		"/certificates/issuer3/subdomain1/subdomain2/domain7.crt", // Two more levels under issuer3
+		"/other-prefix/key1/file1",
+		"/other-prefix/key1/file2",
+		"/other-prefix/key2/file3",
+		"/other-prefix/key2/file4",
+	}
+
+	for _, key := range testKeys {
+		err := storage.Store(context.Background(), key, []byte("test-data"))
+		assert.NoError(t, err)
+	}
+
+	// Define test cases
+	tests := []struct {
+		name      string
+		prefix    string
+		recursive bool
+		expected  []string
+	}{
+		{
+			name:      "List Certificates (Non-Recursive)",
+			prefix:    "/certificates",
+			recursive: false,
+			expected:  []string{"/certificates/issuer1", "/certificates/issuer2", "/certificates/issuer3"},
+		},
+		{
+			name:      "List Certificates (Recursive)",
+			prefix:    "/certificates",
+			recursive: true,
+			expected:  []string{"/certificates/issuer1/domain1.crt", "/certificates/issuer1/domain2.crt", "/certificates/issuer1/domain3.crt", "/certificates/issuer2/domain4.crt", "/certificates/issuer2/domain5.crt", "/certificates/issuer3/subdomain1/domain6.crt", "/certificates/issuer3/subdomain1/subdomain2/domain7.crt"},
+		},
+		{
+			name:      "List Other Prefix (Non-Recursive)",
+			prefix:    "/other-prefix",
+			recursive: false,
+			expected:  []string{"/other-prefix/key1", "/other-prefix/key2"},
+		},
+
+		{
+			name:      "List Other Prefix (Non-Recursive)",
+			prefix:    "/other-prefix/key1",
+			recursive: false,
+			expected:  []string{"/other-prefix/key1/file1", "/other-prefix/key1/file2"},
+		},
+		{
+			name:      "List Other Prefix (Recursive)",
+			prefix:    "/other-prefix",
+			recursive: true,
+			expected:  []string{"/other-prefix/key1/file1", "/other-prefix/key1/file2", "/other-prefix/key2/file3", "/other-prefix/key2/file4"},
+		},
+	}
+
+	// Run tests
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			keys, err := storage.List(context.Background(), test.prefix, test.recursive)
+			assert.NoError(t, err)
+			assert.ElementsMatch(t, test.expected, keys)
+		})
+	}
+}

pkg/cert/util.go

@@ -0,0 +1,97 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cert
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"hash/fnv"
+	"math/rand"
+	"net"
+	"regexp"
+	"time"
+)
+
+// parseCertsFromPEMBundle parses a certificate bundle from top to bottom and returns
+// a slice of x509 certificates. This function will error if no certificates are found.
+func parseCertsFromPEMBundle(bundle []byte) ([]*x509.Certificate, error) {
+	var certificates []*x509.Certificate
+	var certDERBlock *pem.Block
+	for {
+		certDERBlock, bundle = pem.Decode(bundle)
+		if certDERBlock == nil {
+			break
+		}
+		if certDERBlock.Type == "CERTIFICATE" {
+			cert, err := x509.ParseCertificate(certDERBlock.Bytes)
+			if err != nil {
+				return nil, err
+			}
+			certificates = append(certificates, cert)
+		}
+	}
+	if len(certificates) == 0 {
+		return nil, fmt.Errorf("no certificates found in bundle")
+	}
+	return certificates, nil
+}
+
+func notAfter(cert *x509.Certificate) time.Time {
+	if cert == nil {
+		return time.Time{}
+	}
+	return cert.NotAfter.Truncate(time.Second).Add(1 * time.Second)
+}
+
+func notBefore(cert *x509.Certificate) time.Time {
+	if cert == nil {
+		return time.Time{}
+	}
+	return cert.NotBefore.Truncate(time.Second).Add(1 * time.Second)
+}
+
+// hostOnly returns only the host portion of hostport.
+// If there is no port or if there is an error splitting
+// the port off, the whole input string is returned.
+func hostOnly(hostport string) string {
+	host, _, err := net.SplitHostPort(hostport)
+	if err != nil {
+		return hostport // OK; probably had no port to begin with
+	}
+	return host
+}
+
+func rangeRandom(min, max int) (number int) {
+	r := rand.New(rand.NewSource(time.Now().UnixNano()))
+	number = r.Intn(max-min) + min
+	return number
+}
+
+func ValidateEmail(email string) bool {
+	pattern := `^[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}$`
+	regExp := regexp.MustCompile(pattern)
+	if regExp.MatchString(email) {
+		return true
+	} else {
+		return false
+	}
+}
+
+func fastHash(input []byte) string {
+	h := fnv.New32a()
+	h.Write(input)
+	return fmt.Sprintf("%x", h.Sum32())
+}

pkg/cmd/hgctl/code_debug.go

@@ -0,0 +1,338 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package hgctl
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"regexp"
+	"time"
+
+	"github.com/alibaba/higress/pkg/cmd/hgctl/helm"
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+const (
+	DefaultIp   = "127.0.0.1"
+	DefaultPort = ":15051"
+)
+
+func newCodeDebugCmd() *cobra.Command {
+	codeDebugCmd := &cobra.Command{
+		Use:   "code-debug",
+		Short: "Start or stop code debug",
+	}
+
+	codeDebugCmd.AddCommand(getStartCodeDebugCmd())
+	codeDebugCmd.AddCommand(getStopCodeDebugCmd())
+
+	return codeDebugCmd
+}
+
+func getStartCodeDebugCmd() *cobra.Command {
+	homeDir, err := os.UserHomeDir()
+	if err != nil {
+		fmt.Printf("fail to get user home dir: %v", err)
+		os.Exit(1)
+	}
+	kubeConfigDir := homeDir + "/.kube/config"
+
+	startCodeDebugCmd := &cobra.Command{
+		Use:     "start",
+		Aliases: []string{"start"},
+		Short:   "Start code debug",
+		Example: "hgctl code-debug start",
+		RunE: func(c *cobra.Command, args []string) error {
+			writer := c.OutOrStdout()
+
+			// wait for user to confirm
+			if !promptCodeDebug(writer, "local grpc address") {
+				return nil
+			}
+
+			// check profile type is local or not
+			fmt.Fprintf(writer, "Checking profile type...\n")
+			profiles, err := getAllProfiles()
+			if err != nil {
+				return fmt.Errorf("fail to get all profiles: %v", err)
+			}
+			if len(profiles) == 0 {
+				fmt.Fprintf(writer, "Higress hasn't been installed yet!\n")
+				return nil
+			}
+			for _, profile := range profiles {
+				if profile.Install != helm.InstallLocalK8s {
+					fmt.Fprintf(writer, "\nHigress needs to be installed locally!\n")
+					return nil
+				}
+			}
+
+			// get kubernetes clientSet
+			fmt.Fprintf(writer, "Getting kubernetes clientset...\n")
+			config, err := clientcmd.BuildConfigFromFlags("", kubeConfigDir)
+			if err != nil {
+				fmt.Fprintf(writer, "fail to build config from kubeconfig: %v", err)
+				return nil
+			}
+			clientSet, err := kubernetes.NewForConfig(config)
+			if err != nil {
+				fmt.Fprintf(writer, "fail to create kubernetes clientset: %v", err)
+				return nil
+			}
+
+			// get non-loopback IPv4 address
+			fmt.Fprintf(writer, "Getting non-loopback IPv4 address...\n")
+			ip, err := getNonLoopbackIPv4()
+			if err != nil {
+				fmt.Fprintf(writer, "fail to get non-loopback IPv4 address: %v", err)
+				return nil
+			}
+
+			// update the xds address in higress-config ConfigMap
+			// and trigger rollout for higress-controller and higress-gateway deployments
+			fmt.Fprintf(writer, "Updating xds address in higress-config ConfigMap "+
+				"and triggering rollout for higress-controller and higress-gateway deployments...\n")
+			err = updateXdsIpAndRollout(clientSet, ip, DefaultPort)
+			if err != nil {
+				fmt.Fprintf(writer, "fail to update xds address in higress-config ConfigMap: %v", err)
+				return nil
+			}
+
+			fmt.Fprintf(writer, "Code debug started!\n")
+
+			return nil
+		},
+	}
+
+	startCodeDebugCmd.PersistentFlags().StringVar(&kubeConfigDir, "kubeconfig", kubeConfigDir,
+		"Use a Kubernetes configuration file instead of in-cluster configuration")
+
+	return startCodeDebugCmd
+}
+
+func getStopCodeDebugCmd() *cobra.Command {
+	homeDir, err := os.UserHomeDir()
+	if err != nil {
+		fmt.Printf("fail to get user home dir: %v", err)
+		os.Exit(1)
+	}
+	kubeConfigDir := homeDir + "/.kube/config"
+
+	stopCodeDebugCmd := &cobra.Command{
+		Use:     "stop",
+		Aliases: []string{"stop"},
+		Short:   "Stop code debug",
+		Example: "hgctl code-debug stop",
+		RunE: func(c *cobra.Command, args []string) error {
+			// wait for user to confirm
+			writer := c.OutOrStdout()
+			if !promptCodeDebug(writer, "default grpc address") {
+				return nil
+			}
+
+			// check profile type is local or not
+			fmt.Fprintf(writer, "Checking profile type...\n")
+			profiles, err := getAllProfiles()
+			if err != nil {
+				return fmt.Errorf("fail to get all profiles: %v", err)
+			}
+			if len(profiles) == 0 {
+				fmt.Fprintf(writer, "Higress hasn't been installed yet!\n")
+				return nil
+			}
+			for _, profile := range profiles {
+				if profile.Install != helm.InstallLocalK8s {
+					fmt.Fprintf(writer, "\nHigress needs to be installed locally!\n")
+					return nil
+				}
+			}
+
+			// get kubernetes clientSet
+			fmt.Fprintf(writer, "Getting kubernetes clientset...\n")
+			config, err := clientcmd.BuildConfigFromFlags("", kubeConfigDir)
+			if err != nil {
+				fmt.Fprintf(writer, "fail to build config from kubeconfig: %v", err)
+				return nil
+			}
+			clientSet, err := kubernetes.NewForConfig(config)
+			if err != nil {
+				fmt.Fprintf(writer, "fail to create kubernetes clientset: %v", err)
+				return nil
+			}
+
+			// recover the xds address in higress-config ConfigMap
+			// and trigger rollout for higress-controller and higress-gateway deployments
+			fmt.Fprintf(writer, "Recovering xds address in higress-config ConfigMap "+
+				"and triggering rollout for higress-controller and higress-gateway deployments...\n")
+			err = updateXdsIpAndRollout(clientSet, DefaultIp, DefaultPort)
+			if err != nil {
+				fmt.Fprintf(writer, "fail to recover xds address in higress-config ConfigMap: %v", err)
+				return nil
+			}
+
+			fmt.Fprintf(writer, "Code debug stopped!\n")
+
+			return nil
+		},
+	}
+
+	stopCodeDebugCmd.PersistentFlags().StringVar(&kubeConfigDir, "kubeconfig", kubeConfigDir,
+		"Use a Kubernetes configuration file instead of in-cluster configuration")
+
+	return stopCodeDebugCmd
+}
+
+// getNonLoopbackIPv4 returns the first non-loopback IPv4 address of the host.
+func getNonLoopbackIPv4() (string, error) {
+	// get all network interfaces
+	interfaces, err := net.Interfaces()
+	if err != nil {
+		return "", err
+	}
+
+	// traverse all network interfaces
+	for _, i := range interfaces {
+		// exclude loopback interface and virtual interface
+		if i.Flags&net.FlagLoopback == 0 && i.Flags&net.FlagUp != 0 {
+			// get all addresses of the interface
+			addrs, err := i.Addrs()
+			if err != nil {
+				return "", err
+			}
+
+			// traverse all addresses of the interface
+			for _, addr := range addrs {
+				// check the type of the address is IP address
+				if ipnet, ok := addr.(*net.IPNet); ok && !ipnet.IP.IsLoopback() {
+					// check the IP address is IPv4 address
+					if ipnet.IP.To4() != nil {
+						return ipnet.IP.String(), nil
+					}
+				}
+			}
+		}
+	}
+
+	return "", fmt.Errorf("Non-loopback IPv4 address not found")
+}
+
+// updateXdsIpAndRollout updates the xds address in higress-config ConfigMap
+// and triggers rollout for higress-controller and higress-gateway deployments
+// also can recover the xds address in higress-config ConfigMap
+func updateXdsIpAndRollout(c *kubernetes.Clientset, ip string, port string) error {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	// Get higress-config ConfigMap
+	cm, err := c.CoreV1().ConfigMaps("higress-system").Get(ctx, "higress-config", metav1.GetOptions{})
+	if err != nil {
+		return err
+	}
+
+	// Update mesh field in higress-config ConfigMap
+	if _, ok := cm.Data["mesh"]; !ok {
+		return fmt.Errorf("mesh not found in configmap higress-config")
+	}
+	mesh := cm.Data["mesh"]
+	newMesh, err := replaceXDSAddress(mesh, ip, port)
+	if err != nil {
+		return err
+	}
+	cm.Data["mesh"] = newMesh
+
+	// Update higress-config ConfigMap
+	_, err = c.CoreV1().ConfigMaps("higress-system").Update(ctx, cm, metav1.UpdateOptions{})
+	if err != nil {
+		return err
+	}
+
+	// Trigger rollout for higress-controller deployment
+	err = triggerRollout(c, "higress-controller")
+	if err != nil {
+		return err
+	}
+
+	// Trigger rollout for higress-gateway deployment
+	err = triggerRollout(c, "higress-gateway")
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// triggerRollout triggers rollout for the specified deployment
+func triggerRollout(clientset *kubernetes.Clientset, deploymentName string) error {
+	deploymentsClient := clientset.AppsV1().Deployments("higress-system")
+
+	// Get the deployment
+	deployment, err := deploymentsClient.Get(context.TODO(), deploymentName, metav1.GetOptions{})
+	if err != nil {
+		return err
+	}
+
+	// Increment the deployment's revision to trigger a rollout
+	deployment.Spec.Template.ObjectMeta.Labels["version"] = time.Now().Format("20060102150405")
+
+	// Update the deployment
+	_, err = deploymentsClient.Update(context.TODO(), deployment, metav1.UpdateOptions{})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// replaceXDSAddress replaces the xds address in the config string with new IP and Port
+func replaceXDSAddress(configString, newIP, newPort string) (string, error) {
+	// define the regular expression to match xds address
+	xdsRegex := regexp.MustCompile(`xds://[0-9.:]+`)
+
+	// find the first match
+	match := xdsRegex.FindString(configString)
+	if match == "" {
+		// if no match, return error
+		return "", fmt.Errorf("no xds address found in config string")
+	}
+
+	// replace xds address with new IP and Port
+	newXDSAddress := fmt.Sprintf("xds://%s%s", newIP, newPort)
+	result := xdsRegex.ReplaceAllString(configString, newXDSAddress)
+
+	return result, nil
+}
+
+// promptCodeDebug prompts user to confirm code debug
+func promptCodeDebug(writer io.Writer, t string) bool {
+	answer := ""
+	for {
+		fmt.Fprintf(writer, "This will start set xds address to %s in higress-config ConfigMap "+
+			"and trigger rollout for higress-controller and higress-gateway deployments. \nProceed? (y/N)", t)
+		fmt.Scanln(&answer)
+		if answer == "y" {
+			return true
+		}
+		if answer == "N" {
+			fmt.Fprintf(writer, "Cancelled.\n")
+			return false
+		}
+	}
+}

pkg/cmd/hgctl/config_bootstrap.go

@@ -17,6 +17,7 @@ package hgctl
 import (
 	"fmt"
 
+	"github.com/alibaba/higress/cmd/hgctl/config"
 	"github.com/spf13/cobra"
 	cmdutil "k8s.io/kubectl/pkg/cmd/util"
 )
@@ -45,21 +46,20 @@ func bootstrapConfigCmd() *cobra.Command {
 }
 
 func runBootstrapConfig(c *cobra.Command, args []string) error {
-	configDump, err := retrieveConfigDump(args, false)
+	if len(args) != 0 {
+		podName = args[0]
+	}
+	envoyConfig, err := config.GetEnvoyConfig(&config.GetEnvoyConfigOptions{
+		PodName:         podName,
+		PodNamespace:    podNamespace,
+		BindAddress:     bindAddress,
+		Output:          output,
+		EnvoyConfigType: config.BootstrapEnvoyConfigType,
+		IncludeEds:      true,
+	})
 	if err != nil {
 		return err
 	}
-
-	bootstrap, err := GetXDSResource(BootstrapEnvoyConfigType, configDump)
-	if err != nil {
-		return err
-	}
-
-	out, err := formatGatewayConfig(bootstrap, output)
-	if err != nil {
-		return err
-	}
-
-	_, err = fmt.Fprintln(c.OutOrStdout(), string(out))
+	_, err = fmt.Fprintln(c.OutOrStdout(), string(envoyConfig))
 	return err
 }

pkg/cmd/hgctl/config_cluster.go

@@ -11,11 +11,13 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+
 package hgctl
 
 import (
 	"fmt"
 
+	"github.com/alibaba/higress/cmd/hgctl/config"
 	"github.com/spf13/cobra"
 	cmdutil "k8s.io/kubectl/pkg/cmd/util"
 )
@@ -44,21 +46,20 @@ func clusterConfigCmd() *cobra.Command {
 }
 
 func runClusterConfig(c *cobra.Command, args []string) error {
-	configDump, err := retrieveConfigDump(args, false)
+	if len(args) != 0 {
+		podName = args[0]
+	}
+	envoyConfig, err := config.GetEnvoyConfig(&config.GetEnvoyConfigOptions{
+		PodName:         podName,
+		PodNamespace:    podNamespace,
+		BindAddress:     bindAddress,
+		Output:          output,
+		EnvoyConfigType: config.ClusterEnvoyConfigType,
+		IncludeEds:      true,
+	})
 	if err != nil {
 		return err
 	}
-
-	cluster, err := GetXDSResource(ClusterEnvoyConfigType, configDump)
-	if err != nil {
-		return err
-	}
-
-	out, err := formatGatewayConfig(cluster, output)
-	if err != nil {
-		return err
-	}
-
-	_, err = fmt.Fprintln(c.OutOrStdout(), string(out))
+	_, err = fmt.Fprintln(c.OutOrStdout(), string(envoyConfig))
 	return err
 }

pkg/cmd/hgctl/config_cmd.go

@@ -17,11 +17,23 @@ package hgctl
 import (
 	"fmt"
 
+	"github.com/alibaba/higress/cmd/hgctl/config"
 	"github.com/alibaba/higress/pkg/cmd/options"
 	"github.com/spf13/cobra"
 	cmdutil "k8s.io/kubectl/pkg/cmd/util"
 )
 
+var (
+	output       string
+	podName      string
+	podNamespace string
+)
+
+const (
+	defaultProxyAdminPort = 15000
+	containerName         = "envoy"
+)
+
 func newConfigCommand() *cobra.Command {
 	cfgCommand := &cobra.Command{
 		Use:     "gateway-config",
@@ -69,11 +81,20 @@ func allConfigCmd() *cobra.Command {
 }
 
 func runAllConfig(c *cobra.Command, args []string) error {
-	configDump, err := retrieveConfigDump(args, true)
+	if len(args) != 0 {
+		podName = args[0]
+	}
+	envoyConfig, err := config.GetEnvoyConfig(&config.GetEnvoyConfigOptions{
+		PodName:         podName,
+		PodNamespace:    podNamespace,
+		BindAddress:     bindAddress,
+		Output:          output,
+		EnvoyConfigType: config.AllEnvoyConfigType,
+		IncludeEds:      true,
+	})
 	if err != nil {
 		return err
 	}
-
-	_, err = fmt.Fprintln(c.OutOrStdout(), string(configDump))
+	_, err = fmt.Fprintln(c.OutOrStdout(), string(envoyConfig))
 	return err
 }

pkg/cmd/hgctl/config_endpoint.go

@@ -17,6 +17,7 @@ package hgctl
 import (
 	"fmt"
 
+	"github.com/alibaba/higress/cmd/hgctl/config"
 	"github.com/spf13/cobra"
 	cmdutil "k8s.io/kubectl/pkg/cmd/util"
 )
@@ -45,21 +46,20 @@ func endpointConfigCmd() *cobra.Command {
 }
 
 func runEndpointConfig(c *cobra.Command, args []string) error {
-	configDump, err := retrieveConfigDump(args, true)
+	if len(args) != 0 {
+		podName = args[0]
+	}
+	envoyConfig, err := config.GetEnvoyConfig(&config.GetEnvoyConfigOptions{
+		PodName:         podName,
+		PodNamespace:    podNamespace,
+		BindAddress:     bindAddress,
+		Output:          output,
+		EnvoyConfigType: config.EndpointEnvoyConfigType,
+		IncludeEds:      true,
+	})
 	if err != nil {
 		return err
 	}
-
-	endpoint, err := GetXDSResource(EndpointEnvoyConfigType, configDump)
-	if err != nil {
-		return err
-	}
-
-	out, err := formatGatewayConfig(endpoint, output)
-	if err != nil {
-		return err
-	}
-
-	_, err = fmt.Fprintln(c.OutOrStdout(), string(out))
+	_, err = fmt.Fprintln(c.OutOrStdout(), string(envoyConfig))
 	return err
 }

pkg/cmd/hgctl/config_listener.go

@@ -17,6 +17,7 @@ package hgctl
 import (
 	"fmt"
 
+	"github.com/alibaba/higress/cmd/hgctl/config"
 	"github.com/spf13/cobra"
 	cmdutil "k8s.io/kubectl/pkg/cmd/util"
 )
@@ -45,21 +46,20 @@ func listenerConfigCmd() *cobra.Command {
 }
 
 func runListenerConfig(c *cobra.Command, args []string) error {
-	configDump, err := retrieveConfigDump(args, false)
+	if len(args) != 0 {
+		podName = args[0]
+	}
+	envoyConfig, err := config.GetEnvoyConfig(&config.GetEnvoyConfigOptions{
+		PodName:         podName,
+		PodNamespace:    podNamespace,
+		BindAddress:     bindAddress,
+		Output:          output,
+		EnvoyConfigType: config.ListenerEnvoyConfigType,
+		IncludeEds:      true,
+	})
 	if err != nil {
 		return err
 	}
-
-	listener, err := GetXDSResource(ListenerEnvoyConfigType, configDump)
-	if err != nil {
-		return err
-	}
-
-	out, err := formatGatewayConfig(listener, output)
-	if err != nil {
-		return err
-	}
-
-	_, err = fmt.Fprintln(c.OutOrStdout(), string(out))
+	_, err = fmt.Fprintln(c.OutOrStdout(), string(envoyConfig))
 	return err
 }

pkg/cmd/hgctl/config_route.go

@@ -17,6 +17,7 @@ package hgctl
 import (
 	"fmt"
 
+	"github.com/alibaba/higress/cmd/hgctl/config"
 	"github.com/spf13/cobra"
 	cmdutil "k8s.io/kubectl/pkg/cmd/util"
 )
@@ -45,21 +46,20 @@ func routeConfigCmd() *cobra.Command {
 }
 
 func runRouteConfig(c *cobra.Command, args []string) error {
-	configDump, err := retrieveConfigDump(args, false)
+	if len(args) != 0 {
+		podName = args[0]
+	}
+	envoyConfig, err := config.GetEnvoyConfig(&config.GetEnvoyConfigOptions{
+		PodName:         podName,
+		PodNamespace:    podNamespace,
+		BindAddress:     bindAddress,
+		Output:          output,
+		EnvoyConfigType: config.RouteEnvoyConfigType,
+		IncludeEds:      true,
+	})
 	if err != nil {
 		return err
 	}
-
-	route, err := GetXDSResource(RouteEnvoyConfigType, configDump)
-	if err != nil {
-		return err
-	}
-
-	out, err := formatGatewayConfig(route, output)
-	if err != nil {
-		return err
-	}
-
-	_, err = fmt.Fprintln(c.OutOrStdout(), string(out))
+	_, err = fmt.Fprintln(c.OutOrStdout(), string(envoyConfig))
 	return err
 }

pkg/cmd/hgctl/dashboard.go

@@ -24,14 +24,13 @@ import (
 	"runtime"
 	"strings"
 
-	"github.com/alibaba/higress/pkg/cmd/hgctl/kubernetes"
-	"github.com/alibaba/higress/pkg/cmd/options"
-	"github.com/docker/cli/cli/command"
-	"github.com/docker/cli/cli/flags"
-	types2 "github.com/docker/docker/api/types"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/types"
+
+	"github.com/alibaba/higress/pkg/cmd/hgctl/docker"
+	"github.com/alibaba/higress/pkg/cmd/hgctl/kubernetes"
+	"github.com/alibaba/higress/pkg/cmd/options"
 )
 
 var (
@@ -55,7 +54,9 @@ var (
 
 	proxyAdminPort int
 
-	docker = false
+	project = "higress"
+
+	dockerCli = false
 )
 
 const (
@@ -107,7 +108,7 @@ func newDashboardCmd() *cobra.Command {
 
 	consoleCmd := consoleDashCmd()
 	consoleCmd.PersistentFlags().IntVar(&consolePort, "ui-port", defaultConsolePort, "The component dashboard UI port.")
-	consoleCmd.PersistentFlags().BoolVar(&docker, "docker", false, "Search higress console from docker")
+	consoleCmd.PersistentFlags().BoolVar(&dockerCli, "docker", false, "Search higress console from docker")
 	dashboardCmd.AddCommand(consoleCmd)
 
 	controllerDebugCmd := controllerDebugCmd()
@@ -165,23 +166,23 @@ func consoleDashCmd() *cobra.Command {
   hgctl dash console
   hgctl d console`,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			if docker {
-				return accessDocker(cmd)
+			if dockerCli {
+				return accessDockerCompose(cmd)
 			}
 			client, err := kubernetes.NewCLIClient(options.DefaultConfigFlags.ToRawKubeConfigLoader())
 			if err != nil {
 				fmt.Printf("build kubernetes CLI client fail: %v\ntry to access docker container\n", err)
-				return accessDocker(cmd)
+				return accessDockerCompose(cmd)
 			}
 			pl, err := client.PodsForSelector(addonNamespace, "app.kubernetes.io/name=higress-console")
 			if err != nil {
 				fmt.Printf("build kubernetes CLI client fail: %v\ntry to access docker container\n", err)
-				return accessDocker(cmd)
+				return accessDockerCompose(cmd)
 			}
 
 			if len(pl.Items) < 1 {
 				fmt.Printf("no higress console pods found\ntry to access docker container\n")
-				return accessDocker(cmd)
+				return accessDockerCompose(cmd)
 			}
 
 			// only use the first pod in the list
@@ -193,27 +194,26 @@ func consoleDashCmd() *cobra.Command {
 	return cmd
 }
 
-// accessDocker access docker container
-func accessDocker(cmd *cobra.Command) error {
-	dockerCli, err := command.NewDockerCli(command.WithCombinedStreams(os.Stdout))
+// accessDockerCompose access docker compose ps
+func accessDockerCompose(cmd *cobra.Command) error {
+	cli, err := docker.NewCompose(cmd.OutOrStdout())
 	if err != nil {
-		return fmt.Errorf("build docker CLI client fail: %w", err)
+		return errors.Wrap(err, "failed to build the docker compose client")
 	}
-	err = dockerCli.Initialize(flags.NewClientOptions())
+
+	list, err := cli.Ps(context.TODO(), project)
 	if err != nil {
-		return fmt.Errorf("docker client initialize fail: %w", err)
+		return errors.Wrap(err, "failed to build the docker compose ps")
 	}
-	apiClient := dockerCli.Client()
-	list, err := apiClient.ContainerList(context.Background(), types2.ContainerListOptions{})
 	for _, container := range list {
-		for i, name := range container.Names {
-			if strings.Contains(name, "higress-console") {
-				port := container.Ports[i].PublicPort
-				// not support define ip address
-				url := fmt.Sprintf("http://localhost:%d", port)
+		if strings.Contains(container.Service, "console") {
+			// not support define ip address
+			if container.Publishers != nil {
+				url := fmt.Sprintf("http://localhost:%d", container.Publishers[0].PublishedPort)
 				openBrowser(url, cmd.OutOrStdout(), browser)
-				return nil
 			}
+
+			return nil
 		}
 	}
 	return errors.New("no higress console container found")

pkg/cmd/hgctl/docker/compose.go

@@ -109,3 +109,7 @@ func (c Compose) List(ctx context.Context) ([]api.Stack, error) {
 func (c Compose) Down(ctx context.Context, name string) error {
 	return c.client.Down(ctx, name, api.DownOptions{})
 }
+
+func (c Compose) Ps(ctx context.Context, name string) ([]api.ContainerSummary, error) {
+	return c.client.Ps(ctx, name, api.PsOptions{})
+}

pkg/cmd/hgctl/helm/profile.go

@@ -17,6 +17,7 @@ package helm
 import (
 	"errors"
 	"fmt"
+	"regexp"
 	"strings"
 
 	"istio.io/istio/operator/pkg/util"
@@ -84,9 +85,10 @@ func (p ProfileGlobal) Validate(install InstallMode) []error {
 }
 
 type ProfileConsole struct {
-	Port        uint32 `json:"port,omitempty"`
-	Replicas    uint32 `json:"replicas,omitempty"`
-	O11yEnabled bool   `json:"o11YEnabled,omitempty"`
+	Port        uint32   `json:"port,omitempty"`
+	Replicas    uint32   `json:"replicas,omitempty"`
+	O11yEnabled bool     `json:"o11YEnabled,omitempty"`
+	Resources   Resource `json:"resources,omitempty"`
 }
 
 func (p ProfileConsole) SetFlags(install InstallMode) ([]string, error) {
@@ -112,14 +114,31 @@ func (p ProfileConsole) Validate(install InstallMode) []error {
 		}
 	}
 
+	// set default value
+	if p.Resources.Requests.CPU == "" {
+		p.Resources.Requests.CPU = "250m"
+	}
+	if p.Resources.Requests.Memory == "" {
+		p.Resources.Requests.Memory = "512Mi"
+	}
+	if p.Resources.Limits.CPU == "" {
+		p.Resources.Limits.CPU = "2000m"
+	}
+	if p.Resources.Limits.Memory == "" {
+		p.Resources.Limits.Memory = "2048Mi"
+	}
+
+	errs = append(errs, p.Resources.Validate()...)
+
 	return errs
 }
 
 type ProfileGateway struct {
-	Replicas    uint32 `json:"replicas,omitempty"`
-	HttpPort    uint32 `json:"httpPort,omitempty"`
-	HttpsPort   uint32 `json:"httpsPort,omitempty"`
-	MetricsPort uint32 `json:"metricsPort,omitempty"`
+	Replicas    uint32   `json:"replicas,omitempty"`
+	HttpPort    uint32   `json:"httpPort,omitempty"`
+	HttpsPort   uint32   `json:"httpsPort,omitempty"`
+	MetricsPort uint32   `json:"metricsPort,omitempty"`
+	Resources   Resource `json:"resources,omitempty"`
 }
 
 func (p ProfileGateway) SetFlags(install InstallMode) ([]string, error) {
@@ -149,11 +168,29 @@ func (p ProfileGateway) Validate(install InstallMode) []error {
 			errs = append(errs, errors.New("gateway.MetricsPort need be large than zero"))
 		}
 	}
+
+	// set default value
+	if p.Resources.Requests.CPU == "" {
+		p.Resources.Requests.CPU = "2000m"
+	}
+	if p.Resources.Requests.Memory == "" {
+		p.Resources.Requests.Memory = "2048Mi"
+	}
+	if p.Resources.Limits.CPU == "" {
+		p.Resources.Limits.CPU = "2000m"
+	}
+	if p.Resources.Limits.Memory == "" {
+		p.Resources.Limits.Memory = "2048Mi"
+	}
+
+	errs = append(errs, p.Resources.Validate()...)
+
 	return errs
 }
 
 type ProfileController struct {
-	Replicas uint32 `json:"replicas,omitempty"`
+	Replicas  uint32   `json:"replicas,omitempty"`
+	Resources Resource `json:"resources,omitempty"`
 }
 
 func (p ProfileController) SetFlags(install InstallMode) ([]string, error) {
@@ -171,6 +208,23 @@ func (p ProfileController) Validate(install InstallMode) []error {
 			errs = append(errs, errors.New("controller.replica need be large than zero"))
 		}
 	}
+
+	// set default value
+	if p.Resources.Requests.CPU == "" {
+		p.Resources.Requests.CPU = "500m"
+	}
+	if p.Resources.Requests.Memory == "" {
+		p.Resources.Requests.Memory = "2048Mi"
+	}
+	if p.Resources.Limits.CPU == "" {
+		p.Resources.Limits.CPU = "1000m"
+	}
+	if p.Resources.Limits.Memory == "" {
+		p.Resources.Limits.Memory = "2048Mi"
+	}
+
+	errs = append(errs, p.Resources.Validate()...)
+
 	return errs
 }
 
@@ -248,14 +302,62 @@ func (p *Profile) ValuesYaml() (string, error) {
 	setFlags = append(setFlags, controllerFlags...)
 
 	valueOverlayYAML := ""
-	if p.Values != nil {
-		out, err := yaml.Marshal(p.Values)
-		if err != nil {
-			return "", err
-		}
-		valueOverlayYAML = string(out)
+	if p.Values == nil {
+		p.Values = make(map[string]any)
 	}
 
+	resourceMap := make(map[string]any)
+	resourceMap["higress-core"] = map[string]interface{}{
+		"controller": map[string]interface{}{
+			"resources": map[string]interface{}{
+				"requests": map[string]interface{}{
+					"cpu":    p.Controller.Resources.Requests.CPU,
+					"memory": p.Controller.Resources.Requests.Memory,
+				},
+				"limits": map[string]interface{}{
+					"cpu":    p.Controller.Resources.Limits.CPU,
+					"memory": p.Controller.Resources.Limits.Memory,
+				},
+			},
+		},
+		"gateway": map[string]interface{}{
+			"resources": map[string]interface{}{
+				"requests": map[string]interface{}{
+					"cpu":    p.Gateway.Resources.Requests.CPU,
+					"memory": p.Gateway.Resources.Requests.Memory,
+				},
+				"limits": map[string]interface{}{
+					"cpu":    p.Gateway.Resources.Limits.CPU,
+					"memory": p.Gateway.Resources.Limits.Memory,
+				},
+			},
+		},
+	}
+	resourceMap["higress-console"] = map[string]interface{}{
+		"resources": map[string]interface{}{
+			"requests": map[string]interface{}{
+				"cpu":    p.Console.Resources.Requests.CPU,
+				"memory": p.Console.Resources.Requests.Memory,
+			},
+			"limits": map[string]interface{}{
+				"cpu":    p.Console.Resources.Limits.CPU,
+				"memory": p.Console.Resources.Limits.Memory,
+			},
+		},
+	}
+
+	resourceYAML, err := yaml.Marshal(resourceMap)
+	if err != nil {
+		return "", err
+	}
+
+	out, err := yaml.Marshal(p.Values)
+	if err != nil {
+		return "", err
+	}
+
+	valueOverlayYAML, err = util.OverlayYAML(string(resourceYAML), string(out))
+
 	flagsYAML, err := overlaySetFlagValues("", setFlags)
 	if err != nil {
 		return "", err
@@ -343,3 +445,54 @@ func ToString(errors []error, separator string) string {
 	}
 	return out
 }
+
+type Resource struct {
+	Requests Requests `json:"requests,omitempty"`
+	Limits   Limits   `json:"limits,omitempty"`
+}
+
+type Requests struct {
+	CPU    string `json:"cpu,omitempty"`
+	Memory string `json:"memory,omitempty"`
+}
+
+type Limits struct {
+	CPU    string `json:"cpu,omitempty"`
+	Memory string `json:"memory,omitempty"`
+}
+
+func (r Resource) Validate() []error {
+	errs := make([]error, 0)
+
+	r.Requests.CPU = strings.ReplaceAll(r.Requests.CPU, " ", "")
+	r.Requests.Memory = strings.ReplaceAll(r.Requests.Memory, " ", "")
+	r.Limits.CPU = strings.ReplaceAll(r.Limits.CPU, " ", "")
+	r.Limits.Memory = strings.ReplaceAll(r.Limits.Memory, " ", "")
+
+	if !isValidK8SResourceFormat(r.Requests.CPU) {
+		errs = append(errs, fmt.Errorf("requests CPU has invalid format"))
+	}
+	if !isValidK8SResourceFormat(r.Requests.Memory) {
+		errs = append(errs, fmt.Errorf("requests memory has invalid format"))
+	}
+	if !isValidK8SResourceFormat(r.Limits.CPU) {
+		errs = append(errs, fmt.Errorf("limits CPU has invalid format"))
+	}
+	if !isValidK8SResourceFormat(r.Limits.Memory) {
+		errs = append(errs, fmt.Errorf("limits memory has invalid format"))
+	}
+	return errs
+}
+
+func isValidK8SResourceFormat(resource string) bool {
+	pattern := `^\d+((n|u|m|k|Ki|M|Mi|G|Gi|T|Ti|P|Pi|E|Ei)?)$`
+	match, _ := regexp.MatchString(pattern, resource)
+	if !match {
+		return false
+	}
+
+	if len(resource) == 0 || resource[0] == '-' || resource[0] == '0' {
+		return false
+	}
+	return true
+}

pkg/cmd/hgctl/helm/render.go

@@ -584,7 +584,7 @@ func locateChart(cpOpts *action.ChartPathOptions, name string, settings *cli.Env
 	return fileAbsPath, nil
 }
 
-func ParseLatestVersion(repoUrl string, version string) (string, error) {
+func ParseLatestVersion(repoUrl string, version string, devel bool) (string, error) {
 
 	cpOpts := &action.ChartPathOptions{
 		RepoURL: repoUrl,
@@ -632,7 +632,16 @@ func ParseLatestVersion(repoUrl string, version string) (string, error) {
 
 	// get higress helm chart latest version
 	if entries, ok := indexFile.Entries[RepoChartIndexYamlHigressIndex]; ok {
-		return entries[0].AppVersion, nil
+		if devel {
+			return entries[0].AppVersion, nil
+		}
+
+		if chatVersion, err := indexFile.Get(RepoChartIndexYamlHigressIndex, ""); err != nil {
+			return "", errors.New("can't find higress latest version")
+		} else {
+			return chatVersion.Version, nil
+		}
+
 	}
 
 	return "", errors.New("can't find higress latest version")

pkg/cmd/hgctl/install.go

@@ -52,6 +52,8 @@ type InstallArgs struct {
 	Set []string
 	// ManifestsPath is a path to a ManifestsPath and profiles directory in the local filesystem with a release tgz.
 	ManifestsPath string
+	// Devel if set true when version is latest, it will get latest version, otherwise it will get latest stable version
+	Devel bool
 }
 
 func (a *InstallArgs) String() string {
@@ -67,6 +69,7 @@ func addInstallFlags(cmd *cobra.Command, args *InstallArgs) {
 	cmd.PersistentFlags().StringSliceVarP(&args.InFilenames, "filename", "f", nil, filenameFlagHelpStr)
 	cmd.PersistentFlags().StringArrayVarP(&args.Set, "set", "s", nil, setFlagHelpStr)
 	cmd.PersistentFlags().StringVarP(&args.ManifestsPath, "manifests", "d", "", manifestsFlagHelpStr)
+	cmd.PersistentFlags().BoolVar(&args.Devel, "devel", false, "use development versions (alpha, beta, and release candidate releases), If version is set, this is ignored")
 }
 
 // --manifests is an alias for --set installPackagePath=
@@ -141,7 +144,7 @@ func install(writer io.Writer, iArgs *InstallArgs) error {
 		return err
 	}
 
-	err = installManifests(profile, writer)
+	err = installManifests(profile, writer, iArgs.Devel)
 	if err != nil {
 		return fmt.Errorf("failed to install manifests: %v", err)
 	}
@@ -192,8 +195,8 @@ func promptProfileName(writer io.Writer) string {
 
 }
 
-func installManifests(profile *helm.Profile, writer io.Writer) error {
-	installer, err := installer.NewInstaller(profile, writer, false)
+func installManifests(profile *helm.Profile, writer io.Writer, devel bool) error {
+	installer, err := installer.NewInstaller(profile, writer, false, devel, installer.InstallInstallerMode)
 	if err != nil {
 		return err
 	}

pkg/cmd/hgctl/installer/component.go

@@ -52,6 +52,8 @@ type ComponentOptions struct {
 	Quiet     bool
 	// Capabilities
 	Capabilities *chartutil.Capabilities
+	// devel
+	Devel bool
 }
 
 type ComponentOption func(*ComponentOptions)
@@ -98,6 +100,12 @@ func WithQuiet() ComponentOption {
 	}
 }
 
+func WithDevel(devel bool) ComponentOption {
+	return func(opts *ComponentOptions) {
+		opts.Devel = devel
+	}
+}
+
 func renderComponentManifest(spec any, renderer helm.Renderer, addOn bool, name ComponentName, namespace string) (string, error) {
 	var valsBytes []byte
 	var valsYaml string

pkg/cmd/hgctl/installer/higress.go

@@ -52,7 +52,7 @@ func (h *HigressComponent) Run() error {
 	// Parse latest version
 	if h.opts.Version == helm.RepoLatestVersion {
 
-		latestVersion, err := helm.ParseLatestVersion(h.opts.RepoURL, h.opts.Version)
+		latestVersion, err := helm.ParseLatestVersion(h.opts.RepoURL, h.opts.Version, h.opts.Devel)
 		if err != nil {
 			return err
 		}

pkg/cmd/hgctl/installer/installer.go

@@ -28,6 +28,8 @@ import (
 	"k8s.io/client-go/util/homedir"
 )
 
+type InstallerMode int32
+
 const (
 	HgctlHomeDirPath           = ".hgctl"
 	StandaloneInstalledPath    = "higress-standalone"
@@ -37,20 +39,26 @@ const (
 	DefaultIstioNamespace      = "istio-system"
 )
 
+const (
+	InstallInstallerMode InstallerMode = iota
+	UpgradeInstallerMode
+	UninstallInstallerMode
+)
+
 type Installer interface {
 	Install() error
 	UnInstall() error
 	Upgrade() error
 }
 
-func NewInstaller(profile *helm.Profile, writer io.Writer, quiet bool) (Installer, error) {
+func NewInstaller(profile *helm.Profile, writer io.Writer, quiet bool, devel bool, installerMode InstallerMode) (Installer, error) {
 	switch profile.Global.Install {
 	case helm.InstallK8s, helm.InstallLocalK8s:
 		cliClient, err := kubernetes.NewCLIClient(options.DefaultConfigFlags.ToRawKubeConfigLoader())
 		if err != nil {
 			return nil, fmt.Errorf("failed to build kubernetes client: %w", err)
 		}
-		installer, err := NewK8sInstaller(profile, cliClient, writer, quiet)
+		installer, err := NewK8sInstaller(profile, cliClient, writer, quiet, devel, installerMode)
 		return installer, err
 	case helm.InstallLocalDocker:
 		installer, err := NewDockerInstaller(profile, writer, quiet)

pkg/cmd/hgctl/installer/installer_k8s.go

@@ -254,7 +254,7 @@ func (o *K8sInstaller) isNamespacedObject(obj *object.K8sObject) bool {
 	return false
 }
 
-func NewK8sInstaller(profile *helm.Profile, cli kubernetes.CLIClient, writer io.Writer, quiet bool) (*K8sInstaller, error) {
+func NewK8sInstaller(profile *helm.Profile, cli kubernetes.CLIClient, writer io.Writer, quiet bool, devel bool, installerMode InstallerMode) (*K8sInstaller, error) {
 	if profile == nil {
 		return nil, errors.New("install profile is empty")
 	}
@@ -267,14 +267,20 @@ func NewK8sInstaller(profile *helm.Profile, cli kubernetes.CLIClient, writer io.
 	}
 	fmt.Fprintf(writer, "%s\n", capabilities.KubeVersion.Version)
 	// initialize components
+	higressVersion := profile.Charts.Higress.Version
+	if installerMode == UninstallInstallerMode {
+		// uninstall
+		higressVersion = profile.HigressVersion
+	}
 	components := make(map[ComponentName]Component)
 	opts := []ComponentOption{
 		WithComponentNamespace(profile.Global.Namespace),
 		WithComponentChartPath(profile.InstallPackagePath),
-		WithComponentVersion(profile.Charts.Higress.Version),
+		WithComponentVersion(higressVersion),
 		WithComponentRepoURL(profile.Charts.Higress.Url),
 		WithComponentChartName(profile.Charts.Higress.Name),
 		WithComponentCapabilities(capabilities),
+		WithDevel(devel),
 	}
 	if quiet {
 		opts = append(opts, WithQuiet())

pkg/cmd/hgctl/manifest.go

@@ -37,6 +37,8 @@ type ManifestArgs struct {
 	Set []string
 	// ManifestsPath is a path to a ManifestsPath and profiles directory in the local filesystem with a release tgz.
 	ManifestsPath string
+	// Devel if set true when version is latest, it will get latest version, otherwise it will get latest stable version
+	Devel bool
 }
 
 func (a *ManifestArgs) String() string {
@@ -70,6 +72,7 @@ func addManifestFlags(cmd *cobra.Command, args *ManifestArgs) {
 	cmd.PersistentFlags().StringSliceVarP(&args.InFilenames, "filename", "f", nil, filenameFlagHelpStr)
 	cmd.PersistentFlags().StringArrayVarP(&args.Set, "set", "s", nil, setFlagHelpStr)
 	cmd.PersistentFlags().StringVarP(&args.ManifestsPath, "manifests", "d", "", manifestsFlagHelpStr)
+	cmd.PersistentFlags().BoolVar(&args.Devel, "devel", false, "use development versions (alpha, beta, and release candidate releases), If version is set, this is ignored")
 }
 
 // newManifestGenerateCmd generates a higress install manifest and applies it to a cluster
@@ -113,20 +116,20 @@ func generate(writer io.Writer, iArgs *ManifestArgs) error {
 		return err
 	}
 
-	err = genManifests(profile, writer)
+	err = genManifests(profile, writer, iArgs.Devel)
 	if err != nil {
 		return fmt.Errorf("failed to install manifests: %v", err)
 	}
 	return nil
 }
 
-func genManifests(profile *helm.Profile, writer io.Writer) error {
+func genManifests(profile *helm.Profile, writer io.Writer, devel bool) error {
 	cliClient, err := kubernetes.NewCLIClient(options.DefaultConfigFlags.ToRawKubeConfigLoader())
 	if err != nil {
 		return fmt.Errorf("failed to build kubernetes client: %w", err)
 	}
 
-	op, err := installer.NewK8sInstaller(profile, cliClient, writer, true)
+	op, err := installer.NewK8sInstaller(profile, cliClient, writer, true, devel, installer.InstallInstallerMode)
 	if err != nil {
 		return err
 	}

pkg/cmd/hgctl/manifests/profiles/_all.yaml

@@ -10,15 +10,36 @@ console:
   port: 8080
   replicas: 1
   o11yEnabled: false
+  resources:
+    requests:
+      cpu: 250m
+      memory: 512Mi
+    limits:
+      cpu: 2000m
+      memory: 2048Mi
 
 gateway:
   replicas: 1
   httpPort: 80
   httpsPort: 443
   metricsPort: 15020
+  resources:
+    requests:
+      cpu: 2000m
+      memory: 2048Mi
+    limits:
+      cpu: 2000m
+      memory: 2048Mi
 
 controller:
   replicas: 1
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+    limits:
+      cpu: 1000m
+      memory: 2048Mi
 
 storage:
   url: nacos://127.0.0.1:8848 #  file://opt/higress/conf

pkg/cmd/hgctl/manifests/profiles/k8s.yaml

@@ -9,12 +9,33 @@ global:
 console:
   replicas: 1
   o11yEnabled: false
+  resources:
+    requests:
+      cpu: 250m
+      memory: 512Mi
+    limits:
+      cpu: 2000m
+      memory: 2048Mi
 
 gateway:
   replicas: 2
+  resources:
+    requests:
+      cpu: 2000m
+      memory: 2048Mi
+    limits:
+      cpu: 2000m
+      memory: 2048Mi
 
 controller:
   replicas: 1
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+    limits:
+      cpu: 1000m
+      memory: 2048Mi
 
 # values passed through to helm
 values:

pkg/cmd/hgctl/manifests/profiles/local-k8s.yaml

@@ -9,12 +9,33 @@ global:
 console:
   replicas: 1
   o11yEnabled: true
+  resources:
+    requests:
+      cpu: 250m
+      memory: 512Mi
+    limits:
+      cpu: 2000m
+      memory: 2048Mi
 
 gateway:
   replicas: 1
+  resources:
+    requests:
+      cpu: 2000m
+      memory: 2048Mi
+    limits:
+      cpu: 2000m
+      memory: 2048Mi
 
 controller:
   replicas: 1
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+    limits:
+      cpu: 1000m
+      memory: 2048Mi
 
 # values passed through to helm
 values:

pkg/cmd/hgctl/plugin/build/build.go

@@ -20,10 +20,8 @@ import (
 	"fmt"
 	"io"
 	"os"
-	"os/signal"
 	"os/user"
 	"strings"
-	"syscall"
 
 	"github.com/alibaba/higress/pkg/cmd/hgctl/plugin/option"
 	ptypes "github.com/alibaba/higress/pkg/cmd/hgctl/plugin/types"
@@ -633,11 +631,7 @@ func (b *Builder) config(f ConfigFunc) (err error) {
 		b.w = os.Stdout
 	}
 
-	b.sig = make(chan os.Signal, 1)
-	b.stop = make(chan struct{}, 1)
-	b.done = make(chan struct{}, 1)
-	signal.Notify(b.sig, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM,
-		syscall.SIGUSR1, syscall.SIGUSR2, syscall.SIGQUIT, syscall.SIGTSTP)
+	signalNotify(b)
 
 	if b.Debugger == nil {
 		b.Debugger = utils.NewDefaultDebugger(b.Debug, b.w)

pkg/cmd/hgctl/plugin/build/signal.go

@@ -0,0 +1,31 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build linux || darwin || bsd
+
+package build
+
+import (
+	"os"
+	"os/signal"
+	"syscall"
+)
+
+func signalNotify(b *Builder) {
+	b.sig = make(chan os.Signal, 1)
+	b.stop = make(chan struct{}, 1)
+	b.done = make(chan struct{}, 1)
+	signal.Notify(b.sig, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM,
+		syscall.SIGUSR1, syscall.SIGUSR2, syscall.SIGQUIT, syscall.SIGTSTP)
+}

pkg/cmd/hgctl/plugin/build/signal_windows.go

@@ -0,0 +1,31 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build windows
+
+package build
+
+import (
+	"os"
+	"os/signal"
+	"syscall"
+)
+
+func signalNotify(b *Builder) {
+	b.sig = make(chan os.Signal, 1)
+	b.stop = make(chan struct{}, 1)
+	b.done = make(chan struct{}, 1)
+	signal.Notify(b.sig, syscall.SIGHUP, syscall.SIGINT,
+		syscall.SIGTERM, syscall.SIGQUIT)
+}