rustup target add wasm32-wasip1

fix prebuild
fix clippy
2026-02-26 05:30:50 +08:00 · 2025-02-27 13:28:20 +08:00 · 2025-02-27 11:42:34 +08:00 · 2025-02-27 11:12:51 +08:00 · 2025-02-27 10:30:34 +08:00 · 2025-02-26 21:15:53 +08:00
504 changed files with 41233 additions and 9480 deletions
--- a/.github/workflows/build-and-push-wasm-plugin-image.yaml
+++ b/.github/workflows/build-and-push-wasm-plugin-image.yaml
@@ -3,9 +3,16 @@ name: Build and Push Wasm Plugin Image
 on:
  push:
    tags:
-    - "wasm-go-*-v*.*.*" # 匹配 wasm-go-{pluginName}-vX.Y.Z 格式的标签
+    - "wasm-*-*-v*.*.*" # 匹配 wasm-{go|rust}-{pluginName}-vX.Y.Z 格式的标签
  workflow_dispatch:
    inputs:
+      plugin_type:
+        description: 'Type of the plugin'
+        required: true
+        type: choice
+        options:
+          - go
+          - rust
      plugin_name:
        description: 'Name of the plugin'
        required: true
@@ -23,32 +30,42 @@ jobs:
    env:
      IMAGE_REGISTRY_SERVICE: ${{ vars.IMAGE_REGISTRY || 'higress-registry.cn-hangzhou.cr.aliyuncs.com' }}
      IMAGE_REPOSITORY: ${{ vars.PLUGIN_IMAGE_REPOSITORY || 'plugins' }}
+      RUST_VERSION: 1.82
      GO_VERSION: 1.19
      TINYGO_VERSION: 0.28.1
      ORAS_VERSION: 1.0.0
    steps:
-      - name: Set plugin_name and version from inputs or ref_name
+      - name: Set plugin_type, plugin_name and version from inputs or ref_name
        id: set_vars
        run: |
          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            plugin_type="${{ github.event.inputs.plugin_type }}"
            plugin_name="${{ github.event.inputs.plugin_name }}"
            version="${{ github.event.inputs.version }}"
          else
            ref_name=${{ github.ref_name }}
+            plugin_type=${ref_name#*-} # 删除插件类型前面的字段(wasm-)
+            plugin_type=${plugin_type%%-*} # 删除插件类型后面的字段(-{plugin_name}-vX.Y.Z)
            plugin_name=${ref_name#*-*-} # 删除插件名前面的字段(wasm-go-)
            plugin_name=${plugin_name%-*} # 删除插件名后面的字段(-vX.Y.Z)
            version=$(echo "$ref_name" | awk -F'v' '{print $2}')
          fi
-
+          if [[ "$plugin_type" == "rust" ]]; then
+            builder_image="higress-registry.cn-hangzhou.cr.aliyuncs.com/plugins/wasm-rust-builder:rust${{ env.RUST_VERSION }}-oras${{ env.ORAS_VERSION }}"
+          else
+            builder_image="higress-registry.cn-hangzhou.cr.aliyuncs.com/plugins/wasm-go-builder:go${{ env.GO_VERSION }}-tinygo${{ env.TINYGO_VERSION }}-oras${{ env.ORAS_VERSION }}"
+          fi
+          echo "PLUGIN_TYPE=$plugin_type" >> $GITHUB_ENV
          echo "PLUGIN_NAME=$plugin_name" >> $GITHUB_ENV
          echo "VERSION=$version" >> $GITHUB_ENV
+          echo "BUILDER_IMAGE=$builder_image" >> $GITHUB_ENV

      - name: Checkout code
        uses: actions/checkout@v3
      
      - name: File Check
        run: | 
-          workspace=${{ github.workspace }}/plugins/wasm-go/extensions/${PLUGIN_NAME}
+          workspace=${{ github.workspace }}/plugins/wasm-${PLUGIN_TYPE}/extensions/${PLUGIN_NAME}
          push_command="./plugin.tar.gz:application/vnd.oci.image.layer.v1.tar+gzip"

          # 查找spec.yaml
@@ -75,10 +92,10 @@ jobs:

          echo "PUSH_COMMAND=\"$push_command\"" >> $GITHUB_ENV
        
-      - name: Run a wasm-go-builder
+      - name: Run a wasm-builder
        env: 
          PLUGIN_NAME: ${{ env.PLUGIN_NAME }}
-          BUILDER_IMAGE: higress-registry.cn-hangzhou.cr.aliyuncs.com/plugins/wasm-go-builder:go${{ env.GO_VERSION }}-tinygo${{ env.TINYGO_VERSION }}-oras${{ env.ORAS_VERSION }}
+          BUILDER_IMAGE: ${{ env.BUILDER_IMAGE }}
        run: |
          docker run -itd --name builder -v ${{ github.workspace }}:/workspace -e PLUGIN_NAME=${{ env.PLUGIN_NAME }} --rm ${{ env.BUILDER_IMAGE }} /bin/bash

@@ -89,9 +106,11 @@ jobs:
          push_command=${push_command%\"} # 删除PUSH_COMMAND中的双引号，确保oras push正常解析
          
          target_image="${{ env.IMAGE_REGISTRY_SERVICE }}/${{ env.IMAGE_REPOSITORY}}/${{ env.PLUGIN_NAME }}:${{ env.VERSION }}"
+          target_image_latest="${{ env.IMAGE_REGISTRY_SERVICE }}/${{ env.IMAGE_REPOSITORY}}/${{ env.PLUGIN_NAME }}:latest"
          echo "TargetImage=${target_image}"
+          echo "TargetImageLatest=${target_image_latest}"

-          cd ${{ github.workspace }}/plugins/wasm-go/extensions/${PLUGIN_NAME}
+          cd ${{ github.workspace }}/plugins/wasm-${PLUGIN_TYPE}/extensions/${PLUGIN_NAME}
          if [ -f ./.buildrc ]; then
            echo 'Found .buildrc file, sourcing it...'
            . ./.buildrc
@@ -99,7 +118,7 @@ jobs:
            echo '.buildrc file not found'
          fi
          echo "EXTRA_TAGS=${EXTRA_TAGS}"
-
+          if [ "${PLUGIN_TYPE}" == "go" ]; then
          command="
          set -e
          cd /workspace/plugins/wasm-go/extensions/${PLUGIN_NAME}
@@ -108,7 +127,28 @@ jobs:
          tar czvf plugin.tar.gz plugin.wasm
          echo ${{ secrets.REGISTRY_PASSWORD }} | oras login -u ${{ secrets.REGISTRY_USERNAME }} --password-stdin ${{ env.IMAGE_REGISTRY_SERVICE }}
          oras push ${target_image} ${push_command}
+          oras push ${target_image_latest} ${push_command}
          "
-          docker exec builder bash -c "$command"
+          elif [ "${PLUGIN_TYPE}" == "rust" ]; then
+          command="
+          set -e
+          cd /workspace/plugins/wasm-rust/extensions/${PLUGIN_NAME}
+          if [ -f ./.prebuild ]; then
+            echo 'Found .prebuild file, sourcing it...'
+            . ./.prebuild
+          fi
+          rustup target add wasm32-wasip1
+          cargo build --target wasm32-wasip1 --release
+          cp target/wasm32-wasip1/release/*.wasm plugin.wasm
+          tar czvf plugin.tar.gz plugin.wasm
+          echo ${{ secrets.REGISTRY_PASSWORD }} | oras login -u ${{ secrets.REGISTRY_USERNAME }} --password-stdin ${{ env.IMAGE_REGISTRY_SERVICE }}
+          oras push ${target_image} ${push_command}
+          oras push ${target_image_latest} ${push_command}
+          "
+          else

-          
+          command="
+          echo "unkown type ${PLUGIN_TYPE}"
+          "
+          fi
+          docker exec builder bash -c "$command"
--- a/.github/workflows/build-and-test-plugin.yaml
+++ b/.github/workflows/build-and-test-plugin.yaml
@@ -6,11 +6,15 @@ on:
    paths:
      - 'plugins/**'
      - 'test/**'
+      - 'helm/**'
+      - 'Makefile.core.mk'
  pull_request:
    branches: [ "*" ]
    paths:
      - 'plugins/**'
      - 'test/**'
+      - 'helm/**'
+      - 'Makefile.core.mk'
  workflow_dispatch: ~      

 jobs:
@@ -64,14 +68,6 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-go

-      - name: Setup Submodule Caches
-        uses: actions/cache@v4
-        with:
-          path: |-
-            .git/modules
-          key: ${{ runner.os }}-submodules-cache-${{ github.run_id }}
-          restore-keys: ${{ runner.os }}-submodules-cache
-
      - run: git stash # restore patch

      - name: "Run Ingress WasmPlugins Tests"
--- a/.github/workflows/build-and-test.yaml
+++ b/.github/workflows/build-and-test.yaml
@@ -37,14 +37,6 @@ jobs:
        key: ${{ runner.os }}-go-${{ github.run_id }}
        restore-keys: ${{ runner.os }}-go

-    - name: Setup Submodule Caches
-      uses: actions/cache@v4
-      with:
-        path: |-
-            .git/modules
-        key: ${{ runner.os }}-submodules-cache-${{ github.run_id }}
-        restore-keys: ${{ runner.os }}-submodules-cache
-    
    - run: git stash # restore patch

    # test
@@ -83,14 +75,6 @@ jobs:
          key: ${{ runner.os }}-go-${{ github.run_id }}
          restore-keys: ${{ runner.os }}-go

-      - name: Setup Submodule Caches
-        uses: actions/cache@v4
-        with:
-          path: |-
-            .git/modules
-          key: ${{ runner.os }}-submodules-cache-${{ github.run_id }}
-          restore-keys: ${{ runner.os }}-submodules-cache
-
      - run: git stash # restore patch

      - name: "Build Higress Binary"
@@ -137,14 +121,6 @@ jobs:
          ~/go/pkg/mod
        key: ${{ runner.os }}-go-${{ github.run_id }}
        restore-keys: ${{ runner.os }}-go
-      
-    - name: Setup Submodule Caches
-      uses: actions/cache@v4
-      with:
-        path: |-
-            .git/modules
-        key: ${{ runner.os }}-submodules-cache-${{ github.run_id }}
-        restore-keys: ${{ runner.os }}-submodules-cache
          
    - run: git stash # restore patch

--- a/.github/workflows/build-image-and-push.yaml
+++ b/.github/workflows/build-image-and-push.yaml
@@ -1,259 +1,258 @@
-name: Build Docker Images and Push to Image Registry
-
-on:
-  push:
-    tags:
-    - "v*.*.*"
-  workflow_dispatch: ~
-
-jobs:
-  build-controller-image:
-    runs-on: ubuntu-latest
-    environment:
-      name: image-registry-controller
-    env:
-      CONTROLLER_IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY || 'higress-registry.cn-hangzhou.cr.aliyuncs.com' }}
-      CONTROLLER_IMAGE_NAME: ${{ vars.CONTROLLER_IMAGE_NAME || 'higress/higress' }}
-    steps:
-      - name: "Checkout ${{ github.ref }}"
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-
-      - name: Free Up GitHub Actions Ubuntu Runner Disk Space 🔧
-        uses: jlumbroso/free-disk-space@main
-        with:
-          tool-cache: false
-          android: true
-          dotnet: true
-          haskell: true
-          large-packages: true
-          swap-storage: true
-
-      - name: "Setup Go"
-        uses: actions/setup-go@v5
-        with:
-          go-version: 1.21.5
-
-      - name: Setup Golang Caches
-        uses: actions/cache@v4
-        with:
-          path: |-
-            ~/.cache/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ github.run_id }}
-          restore-keys: ${{ runner.os }}-go
-
-      - name: Setup Submodule Caches
-        uses: actions/cache@v4
-        with:
-          path: |-
-            envoy
-            istio
-            .git/modules
-          key: ${{ runner.os }}-submodules-new-${{ github.run_id }}
-          restore-keys: ${{ runner.os }}-submodules-new
-
-      - name: Calculate Docker metadata
-        id: docker-meta
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ${{ env.CONTROLLER_IMAGE_REGISTRY }}/${{ env.CONTROLLER_IMAGE_NAME }}
-          tags: |
-            type=sha
-            type=ref,event=tag
-            type=semver,pattern={{version}}
-            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
-
-      - name: Login to Docker Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.CONTROLLER_IMAGE_REGISTRY }}
-          username: ${{ secrets.REGISTRY_USERNAME }}
-          password: ${{ secrets.REGISTRY_PASSWORD }}
-
-      - name: Build Docker Image and Push
-        run: |
-          GOPROXY="https://proxy.golang.org,direct" make docker-buildx-push
-          BUILT_IMAGE="higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/higress"
-          readarray -t IMAGES <<< "${{ steps.docker-meta.outputs.tags }}"
-          for image in ${IMAGES[@]}; do
-            echo "Image: $image"
-            docker buildx imagetools create $BUILT_IMAGE:$GITHUB_SHA --tag $image
-          done
-
-  build-pilot-image:
-    runs-on: ubuntu-latest
-    environment:
-      name: image-registry-pilot
-    env:
-      PILOT_IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY || 'higress-registry.cn-hangzhou.cr.aliyuncs.com' }}
-      PILOT_IMAGE_NAME: ${{ vars.PILOT_IMAGE_NAME || 'higress/pilot' }}
-    steps:
-      - name: "Checkout ${{ github.ref }}"
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-
-      - name: Free Up GitHub Actions Ubuntu Runner Disk Space 🔧
-        uses: jlumbroso/free-disk-space@main
-        with:
-          tool-cache: false
-          android: true
-          dotnet: true
-          haskell: true
-          large-packages: true
-          swap-storage: true
-
-      - name: "Setup Go"
-        uses: actions/setup-go@v5
-        with:
-          go-version: 1.21.5
-
-      - name: Setup Golang Caches
-        uses: actions/cache@v4
-        with:
-          path: |-
-            ~/.cache/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ github.run_id }}
-          restore-keys: ${{ runner.os }}-go
-
-      - name: Setup Submodule Caches
-        uses: actions/cache@v4
-        with:
-          path: |-
-            envoy
-            istio
-            .git/modules
-          key: ${{ runner.os }}-submodules-${{ github.run_id }}
-          restore-keys: ${{ runner.os }}-submodules-new
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-
-      - name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-
-
-      - name: Calculate Docker metadata
-        id: docker-meta
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ${{ env.PILOT_IMAGE_REGISTRY }}/${{ env.PILOT_IMAGE_NAME }}
-          tags: |
-            type=sha
-            type=ref,event=tag
-            type=semver,pattern={{version}}
-            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
-
-      - name: Login to Docker Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.PILOT_IMAGE_REGISTRY }}
-          username: ${{ secrets.REGISTRY_USERNAME }}
-          password: ${{ secrets.REGISTRY_PASSWORD }}
-
-      - name: Build Pilot-Discovery Image and Push
-        run: |
-          GOPROXY="https://proxy.golang.org,direct" make build-istio
-          BUILT_IMAGE="higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/pilot"
-          readarray -t IMAGES <<< "${{ steps.docker-meta.outputs.tags }}"
-          for image in ${IMAGES[@]}; do
-            echo "Image: $image"
-            docker buildx imagetools create $BUILT_IMAGE:$GITHUB_SHA --tag $image
-          done
-
-
-  build-gateway-image:
-    runs-on: ubuntu-latest
-    environment:
-      name: image-registry-pilot
-    env:
-      GATEWAY_IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY || 'higress-registry.cn-hangzhou.cr.aliyuncs.com' }}
-      GATEWAY_IMAGE_NAME: ${{ vars.GATEWAY_IMAGE_NAME || 'higress/gateway' }}
-    steps:
-      - name: "Checkout ${{ github.ref }}"
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-
-      - name: Free Up GitHub Actions Ubuntu Runner Disk Space 🔧
-        uses: jlumbroso/free-disk-space@main
-        with:
-          tool-cache: false
-          android: true
-          dotnet: true
-          haskell: true
-          large-packages: true
-          swap-storage: true
-
-      - name: "Setup Go"
-        uses: actions/setup-go@v5
-        with:
-          go-version: 1.21.5
-
-      - name: Setup Golang Caches
-        uses: actions/cache@v4
-        with:
-          path: |-
-            ~/.cache/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ github.run_id }}
-          restore-keys: ${{ runner.os }}-go
-
-      - name: Setup Submodule Caches
-        uses: actions/cache@v4
-        with:
-          path: |-
-            envoy
-            istio
-            .git/modules
-          key: ${{ runner.os }}-submodules-${{ github.run_id }}
-          restore-keys: ${{ runner.os }}-submodules-new
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-
-      - name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-
-
-      - name: Calculate Docker metadata
-        id: docker-meta
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ${{ env.GATEWAY_IMAGE_REGISTRY }}/${{ env.GATEWAY_IMAGE_NAME }}
-          tags: |
-            type=sha
-            type=ref,event=tag
-            type=semver,pattern={{version}}
-            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
-
-      - name: Login to Docker Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.GATEWAY_IMAGE_REGISTRY }}
-          username: ${{ secrets.REGISTRY_USERNAME }}
-          password: ${{ secrets.REGISTRY_PASSWORD }}            
-          
-      - name: Build Gateway Image and Push
-        run: |
-          GOPROXY="https://proxy.golang.org,direct" make build-gateway
-          BUILT_IMAGE="higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/proxyv2"
-          readarray -t IMAGES <<< "${{ steps.docker-meta.outputs.tags }}"
-          for image in ${IMAGES[@]}; do
-            echo "Image: $image"
-            docker buildx imagetools create $BUILT_IMAGE:$GITHUB_SHA --tag $image
-          done
+name: Build Docker Images and Push to Image Registry
+
+on:
+  push:
+    tags:
+    - "v*.*.*"
+  workflow_dispatch: ~
+
+jobs:
+  build-controller-image:
+    runs-on: ubuntu-latest
+    environment:
+      name: image-registry-controller
+    env:
+      CONTROLLER_IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY || 'higress-registry.cn-hangzhou.cr.aliyuncs.com' }}
+      CONTROLLER_IMAGE_NAME: ${{ vars.CONTROLLER_IMAGE_NAME || 'higress/higress' }}
+    steps:
+      - name: "Checkout ${{ github.ref }}"
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Free Up GitHub Actions Ubuntu Runner Disk Space 🔧
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: false
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          swap-storage: true
+
+      - name: "Setup Go"
+        uses: actions/setup-go@v5
+        with:
+          go-version: 1.21.5
+
+      - name: Setup Golang Caches
+        uses: actions/cache@v4
+        with:
+          path: |-
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-go
+
+      - name: Calculate Docker metadata
+        id: docker-meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.CONTROLLER_IMAGE_REGISTRY }}/${{ env.CONTROLLER_IMAGE_NAME }}
+          tags: |
+            type=sha
+            type=ref,event=tag
+            type=semver,pattern={{version}}
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
+
+      - name: Login to Docker Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.CONTROLLER_IMAGE_REGISTRY }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Build Docker Image and Push
+        run: |
+          BUILT_IMAGE=""
+          readarray -t IMAGES <<< "${{ steps.docker-meta.outputs.tags }}"
+          for image in ${IMAGES[@]}; do
+            echo "Image: $image"
+            if [ "$BUILT_IMAGE" == "" ]; then
+              GOPROXY="https://proxy.golang.org,direct" IMG_URL="$image" make docker-buildx-push
+              BUILT_IMAGE="$image"
+            else
+              docker buildx imagetools create $BUILT_IMAGE --tag $image
+            fi
+          done
+
+  build-pilot-image:
+    runs-on: ubuntu-latest
+    environment:
+      name: image-registry-pilot
+    env:
+      PILOT_IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY || 'higress-registry.cn-hangzhou.cr.aliyuncs.com' }}
+      PILOT_IMAGE_NAME: ${{ vars.PILOT_IMAGE_NAME || 'higress/pilot' }}
+    steps:
+      - name: "Checkout ${{ github.ref }}"
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Free Up GitHub Actions Ubuntu Runner Disk Space 🔧
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: false
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          swap-storage: true
+
+      - name: "Setup Go"
+        uses: actions/setup-go@v5
+        with:
+          go-version: 1.21.5
+
+      - name: Setup Golang Caches
+        uses: actions/cache@v4
+        with:
+          path: |-
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-go
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          image: tonistiigi/binfmt:qemu-v7.0.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Cache Docker layers
+        uses: actions/cache@v2
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+
+      - name: Calculate Docker metadata
+        id: docker-meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.PILOT_IMAGE_REGISTRY }}/${{ env.PILOT_IMAGE_NAME }}
+          tags: |
+            type=sha
+            type=ref,event=tag
+            type=semver,pattern={{version}}
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
+
+      - name: Login to Docker Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.PILOT_IMAGE_REGISTRY }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Build Pilot-Discovery Image and Push
+        run: |
+          BUILT_IMAGE=""
+          readarray -t IMAGES <<< "${{ steps.docker-meta.outputs.tags }}"
+          for image in ${IMAGES[@]}; do
+            echo "Image: $image"
+            if [ "$BUILT_IMAGE" == "" ]; then
+              TAG=${image#*:}
+              HUB=${image%:*}
+              HUB=${HUB%/*}
+              BUILT_IMAGE="$HUB/pilot:$TAG"
+              GOPROXY="https://proxy.golang.org,direct" IMG_URL="$BUILT_IMAGE" make build-istio
+            fi
+            if [ "$BUILT_IMAGE" != "$image" ]; then
+              docker buildx imagetools create $BUILT_IMAGE --tag $image
+            fi
+          done
+
+  build-gateway-image:
+    runs-on: ubuntu-latest
+    environment:
+      name: image-registry-gateway
+    env:
+      GATEWAY_IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY || 'higress-registry.cn-hangzhou.cr.aliyuncs.com' }}
+      GATEWAY_IMAGE_NAME: ${{ vars.GATEWAY_IMAGE_NAME || 'higress/gateway' }}
+    steps:
+      - name: "Checkout ${{ github.ref }}"
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Free Up GitHub Actions Ubuntu Runner Disk Space 🔧
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: false
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          swap-storage: true
+
+      - name: "Setup Go"
+        uses: actions/setup-go@v5
+        with:
+          go-version: 1.21.5
+
+      - name: Setup Golang Caches
+        uses: actions/cache@v4
+        with:
+          path: |-
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-go
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          image: tonistiigi/binfmt:qemu-v7.0.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Cache Docker layers
+        uses: actions/cache@v2
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+
+      - name: Calculate Docker metadata
+        id: docker-meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.GATEWAY_IMAGE_REGISTRY }}/${{ env.GATEWAY_IMAGE_NAME }}
+          tags: |
+            type=sha
+            type=ref,event=tag
+            type=semver,pattern={{version}}
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
+
+      - name: Login to Docker Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.GATEWAY_IMAGE_REGISTRY }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Build Gateway Image and Push
+        run: |
+          BUILT_IMAGE=""
+          readarray -t IMAGES <<< "${{ steps.docker-meta.outputs.tags }}"
+          for image in ${IMAGES[@]}; do
+            echo "Image: $image"
+            if [ "$BUILT_IMAGE" == "" ]; then
+              TAG=${image#*:}
+              HUB=${image%:*}
+              HUB=${HUB%/*}
+              BUILT_IMAGE="$HUB/proxyv2:$TAG"
+              GOPROXY="https://proxy.golang.org,direct" IMG_URL="$BUILT_IMAGE" make build-gateway
+            fi
+            if [ "$BUILT_IMAGE" != "$image" ]; then
+              docker buildx imagetools create $BUILT_IMAGE --tag $image
+            fi
+          done
--- a/.github/workflows/deploy-to-oss.yaml
+++ b/.github/workflows/deploy-to-oss.yaml
@@ -19,7 +19,7 @@ jobs:
      - name: Download Helm Charts Index
        uses: doggycool/ossutil-github-action@master
        with:
-          ossArgs: 'cp -r -u oss://higress-website-cn-hongkong/helm-charts/index.yaml ./artifact/'
+          ossArgs: 'cp oss://higress-website-cn-hongkong/helm-charts/index.yaml ./artifact/'
          accessKey: ${{ secrets.ACCESS_KEYID }}
          accessSecret: ${{ secrets.ACCESS_KEYSECRET }}
          endpoint: oss-cn-hongkong.aliyuncs.com
--- a/.github/workflows/helm-docs.yaml
+++ b/.github/workflows/helm-docs.yaml
@@ -0,0 +1,114 @@
+name: "Helm Docs"
+
+on:
+  pull_request:
+    branches:
+      - "*"
+    paths:
+      - 'helm/**'
+  workflow_dispatch: ~      
+  push:
+    branches: [ main ]
+    paths:
+      - 'helm/**'    
+
+jobs:
+  helm:
+    name: Helm Docs
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.22.9'
+
+      - name: Run helm-docs
+        run: |
+          GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.14.2
+          ./helm-docs -c ${GITHUB_WORKSPACE}/helm/higress -f ../core/values.yaml
+          DIFF=$(git diff ${GITHUB_WORKSPACE}/helm/higress/*md)
+          if [ ! -z "$DIFF" ]; then
+            echo "Please use helm-docs in your clone, of your fork, of the project, and commit a updated README.md for the chart."
+          fi
+          git diff --exit-code
+          rm -f ./helm-docs
+
+  translate-readme:
+    needs: helm
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y jq
+
+      - name: Translate README.md to Chinese
+        env:
+          API_URL: ${{ secrets.HIGRESS_OPENAI_API_URL }}
+          API_KEY: ${{ secrets.HIGRESS_OPENAI_API_KEY }}
+          API_MODEL: ${{ secrets.HIGRESS_OPENAI_API_MODEL }}
+        run: |
+          cd ./helm/higress
+          FILE_CONTENT=$(cat README.md)
+
+          PAYLOAD=$(jq -n \
+            --arg model "$API_MODEL" \
+            --arg content "$FILE_CONTENT" \
+            '{
+              model: $model,
+              messages: [
+                {"role": "system", "content": "You are a translation assistant that translates English Markdown text to Chinese."},
+                {"role": "user", "content": $content}
+              ],
+              temperature: 1.1,
+              stream: false
+            }')
+
+          RESPONSE=$(curl -s -X POST "$API_URL" \
+            -H "Content-Type: application/json" \
+            -H "Authorization: Bearer $API_KEY" \
+            -d "$PAYLOAD")
+
+          echo "response: $RESPONSE"
+
+          TRANSLATED_CONTENT=$(echo "$RESPONSE" | jq -r '.choices[0].message.content')
+
+          if [ -z "$TRANSLATED_CONTENT" ]; then
+            echo "Translation failed! Response: $RESPONSE"
+            exit 1
+          fi
+
+          echo "$TRANSLATED_CONTENT" > README.zh.new.md
+          echo "Translation completed and saved to README.zh.new.md."
+
+      - name: Compare README.zh.md
+        id: compare
+        run: |
+          cd ./helm/higress
+          NEW_README_ZH="README.zh.new.md"
+          EXISTING_README_ZH="README.zh.md"
+
+          if [ ! -f "$EXISTING_README_ZH" ]; then
+            echo "Add README.zh.md."
+            mv "$NEW_README_ZH" "$EXISTING_README_ZH"
+            echo "updated=true" >> $GITHUB_ENV
+            exit 0
+          fi
+
+          if ! diff -q "$NEW_README_ZH" "$EXISTING_README_ZH"; then
+            echo "Files are different. Updating README.zh.md."
+            mv "$NEW_README_ZH" "$EXISTING_README_ZH"
+            echo "updated=true" >> $GITHUB_ENV
+          else
+            echo "Files are identical. No update needed."
+            echo "updated=false" >> $GITHUB_ENV
+          fi
--- a/.github/workflows/release-crd.yaml
+++ b/.github/workflows/release-crd.yaml
@@ -0,0 +1,24 @@
+name: Release CRD to GitHub
+
+on:
+  push:
+    tags:
+    - "v*.*.*"
+  workflow_dispatch: ~
+
+jobs:
+  release-crd:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: generate crds
+      run: |
+        cat helm/core/crds/customresourcedefinitions.gen.yaml helm/core/crds/istio-envoyfilter.yaml > crd.yaml
+
+    - name: Upload hgctl packages to the GitHub release
+      uses: softprops/action-gh-release@v2
+      if: startsWith(github.ref, 'refs/tags/')
+      with:
+        files: |
+          crd.yaml
--- a/.github/workflows/release-hgctl.yaml
+++ b/.github/workflows/release-hgctl.yaml
@@ -58,7 +58,7 @@ jobs:
          hgctl_${{ env.HGCTL_VERSION }}_darwin_arm64.tar.gz

  release-hgctl-macos-amd64:
-    runs-on: macos-12
+    runs-on: macos-14
    env:
      HGCTL_VERSION: ${{github.ref_name}}
    steps:
--- a/.gitignore
+++ b/.gitignore
@@ -16,4 +16,4 @@ helm/**/charts/**.tgz
 target/
 tools/hack/cluster.conf
 envoy/1.20
-istio/1.12
+istio/1.12
--- a/.licenserc.yaml
+++ b/.licenserc.yaml
@@ -12,6 +12,7 @@ header:
    - 'LICENSE'
    - 'api/**'
    - 'samples/**'
+    - 'docs/**'
    - '.github/**'
    - '.licenserc.yaml'
    - 'helm/**'
--- a/4
+++ b/4
@@ -2,7 +2,9 @@
 /envoy @gengleilei @johnlanni
 /istio @SpecialYang @johnlanni
 /pkg @SpecialYang @johnlanni @CH3CHO
-/plugins @johnlanni @WeixinX @CH3CHO
+/plugins @johnlanni @CH3CHO @rinfx
+/plugins/wasm-go/extensions/ai-proxy @cr7258 @CH3CHO @rinfx
+/plugins/wasm-rust @007gzs @jizhuozhi
 /registry @NameHaibinZhang @2456868764 @johnlanni
 /test @Xunzhuo @2456868764 @CH3CHO
 /tools @johnlanni @Xunzhuo @2456868764
--- a/CONTRIBUTING_EN.md
+++ b/CONTRIBUTING_EN.md
@@ -1,6 +1,6 @@
 # Contributing to Higress

-It is warmly welcomed if you have interest to hack on Higress. First, we encourage this kind of willing very much. And here is a list of contributing guide for you.
+Your interest in contributing to Higress is warmly welcomed. First, we encourage this kind of willing very much. And here is a list of contributing guide for you.

 [[中文贡献文档](./CONTRIBUTING_CN.md)]

--- a/CONTRIBUTING_JP.md
+++ b/CONTRIBUTING_JP.md
@@ -0,0 +1,195 @@
+# Higress への貢献
+
+Higress のハッキングに興味がある場合は、温かく歓迎します。まず、このような意欲を非常に奨励します。そして、以下は貢献ガイドのリストです。
+
+[[中文](./CONTRIBUTING.md)] | [[English Contributing Document](./CONTRIBUTING_EN.md)]
+
+## トピック
+
+- [Higress への貢献](#higress-への貢献)
+  - [トピック](#トピック)
+  - [セキュリティ問題の報告](#セキュリティ問題の報告)
+  - [一般的な問題の報告](#一般的な問題の報告)
+  - [コードとドキュメントの貢献](#コードとドキュメントの貢献)
+    - [ワークスペースの準備](#ワークスペースの準備)
+    - [ブランチの定義](#ブランチの定義)
+    - [コミットルール](#コミットルール)
+      - [コミットメッセージ](#コミットメッセージ)
+      - [コミット内容](#コミット内容)
+    - [PR 説明](#pr-説明)
+  - [テストケースの貢献](#テストケースの貢献)
+  - [何かを手伝うための参加](#何かを手伝うための参加)
+  - [コードスタイル](#コードスタイル)
+
+## セキュリティ問題の報告
+
+セキュリティ問題は常に真剣に扱われます。通常の原則として、セキュリティ問題を広めることは推奨しません。Higress のセキュリティ問題を発見した場合は、公開で議論せず、公開の問題を開かないでください。代わりに、[higress@googlegroups.com](mailto:higress@googlegroups.com) にプライベートなメールを送信して報告することをお勧めします。
+
+## 一般的な問題の報告
+
+正直なところ、Higress のすべてのユーザーを非常に親切な貢献者と見なしています。Higress を体験した後、プロジェクトに対するフィードバックがあるかもしれません。その場合は、[NEW ISSUE](https://github.com/alibaba/higress/issues/new/choose) を通じて問題を開くことを自由に行ってください。
+
+Higress プロジェクトを分散型で協力しているため、**よく書かれた**、**詳細な**、**明確な**問題報告を高く評価します。コミュニケーションをより効率的にするために、問題が検索リストに存在するかどうかを検索することを希望します。存在する場合は、新しい問題を開くのではなく、既存の問題のコメントに詳細を追加してください。
+
+問題の詳細をできるだけ標準化するために、問題報告者のために [ISSUE TEMPLATE](./.github/ISSUE_TEMPLATE) を設定しました。テンプレートのフィールドに従って指示に従って記入してください。
+
+問題を開く場合は多くのケースがあります：
+
+* バグ報告
+* 機能要求
+* パフォーマンス問題
+* 機能提案
+* 機能設計
+* 助けが必要
+* ドキュメントが不完全
+* テストの改善
+* プロジェクトに関する質問
+* その他
+
+また、新しい問題を記入する際には、投稿から機密データを削除することを忘れないでください。機密データには、パスワード、秘密鍵、ネットワークの場所、プライベートなビジネスデータなどが含まれる可能性があります。
+
+## コードとドキュメントの貢献
+
+Higress プロジェクトをより良くするためのすべての行動が奨励されます。GitHub では、Higress のすべての改善は PR（プルリクエストの略）を通じて行うことができます。
+
+* タイプミスを見つけた場合は、修正してみてください！
+* バグを見つけた場合は、修正してみてください！
+* 冗長なコードを見つけた場合は、削除してみてください！
+* 欠落しているテストケースを見つけた場合は、追加してみてください！
+* 機能を強化できる場合は、**ためらわないでください**！
+* コードが不明瞭な場合は、コメントを追加して明確にしてください！
+* コードが醜い場合は、リファクタリングしてみてください！
+* ドキュメントの改善に役立つ場合は、さらに良いです！
+* ドキュメントが不正確な場合は、修正してください！
+* ...
+
+実際には、それらを完全にリストすることは不可能です。1つの原則を覚えておいてください：
+
+> あなたからの PR を楽しみにしています。
+
+Higress を PR で改善する準備ができたら、ここで PR ルールを確認することをお勧めします。
+
+* [ワークスペースの準備](#ワークスペースの準備)
+* [ブランチの定義](#ブランチの定義)
+* [コミットルール](#コミットルール)
+* [PR 説明](#pr-説明)
+
+### ワークスペースの準備
+
+PR を提出するために、GitHub ID に登録していることを前提とします。その後、以下の手順で準備を完了できます：
+
+1. Higress を自分のリポジトリに **FORK** します。この作業を行うには、[alibaba/higress](https://github.com/alibaba/higress) のメインページの右上にある Fork ボタンをクリックするだけです。その後、`https://github.com/<your-username>/higress` に自分のリポジトリが作成されます。ここで、`your-username` はあなたの GitHub ユーザー名です。
+
+2. 自分のリポジトリをローカルに **CLONE** します。`git clone git@github.com:<your-username>/higress.git` を使用してリポジトリをローカルマシンにクローンします。その後、新しいブランチを作成して、行いたい変更を完了できます。
+
+3. リモートを `git@github.com:alibaba/higress.git` に設定します。以下の2つのコマンドを使用します：
+
+```bash
+git remote add upstream git@github.com:alibaba/higress.git
+git remote set-url --push upstream no-pushing
+```
+
+このリモート設定を使用すると、git リモート設定を次のように確認できます：
+
+```shell
+$ git remote -v
+origin     git@github.com:<your-username>/higress.git (fetch)
+origin     git@github.com:<your-username>/higress.git (push)
+upstream   git@github.com:alibaba/higress.git (fetch)
+upstream   no-pushing (push)
+```
+
+これを追加すると、ローカルブランチを上流ブランチと簡単に同期できます。
+
+### ブランチの定義
+
+現在、プルリクエストを通じたすべての貢献は Higress の [main ブランチ](https://github.com/alibaba/higress/tree/main) に対するものであると仮定します。貢献する前に、ブランチの定義を理解することは非常に役立ちます。
+
+貢献者として、プルリクエストを通じたすべての貢献は main ブランチに対するものであることを再度覚えておいてください。Higress プロジェクトには、リリースブランチ（例：0.6.0、0.6.1）、機能ブランチ、ホットフィックスブランチなど、いくつかの他のブランチがあります。
+
+正式にバージョンをリリースする際には、リリースブランチが作成され、バージョン番号で命名されます。
+
+リリース後、リリースブランチのコミットを main ブランチにマージします。
+
+特定のバージョンにバグがある場合、後のバージョンで修正するか、特定のホットフィックスバージョンで修正するかを決定します。ホットフィックスバージョンで修正することを決定した場合、対応するリリースブランチに基づいてホットフィックスブランチをチェックアウトし、コード修正と検証を行い、main ブランチにマージします。
+
+大きな機能については、開発と検証のために機能ブランチを引き出します。
+
+### コミットルール
+
+実際には、Higress ではコミット時に2つのルールを真剣に考えています：
+
+* [コミットメッセージ](#コミットメッセージ)
+* [コミット内容](#コミット内容)
+
+#### コミットメッセージ
+
+コミットメッセージは、提出された PR の目的をレビュアーがよりよく理解するのに役立ちます。また、コードレビューの手続きを加速するのにも役立ちます。貢献者には、曖昧なメッセージではなく、**明確な**コミットメッセージを使用することを奨励します。一般的に、以下のコミットメッセージタイプを推奨します：
+
+* docs: xxxx. 例："docs: add docs about Higress cluster installation".
+* feature: xxxx. 例："feature: use higress config instead of istio config".
+* bugfix: xxxx. 例："bugfix: fix panic when input nil parameter".
+* refactor: xxxx. 例："refactor: simplify to make codes more readable".
+* test: xxx. 例："test: add unit test case for func InsertIntoArray".
+* その他の読みやすく明確な表現方法。
+
+一方で、以下のような方法でのコミットメッセージは推奨しません：
+
+* ~~バグ修正~~
+* ~~更新~~
+* ~~ドキュメント追加~~
+
+迷った場合は、[Git コミットメッセージの書き方](http://chris.beams.io/posts/git-commit/) を参照してください。
+
+#### コミット内容
+
+コミット内容は、1つのコミットに含まれるすべての内容の変更を表します。1つのコミットに、他のコミットの助けを借りずにレビュアーが完全にレビューできる内容を含めるのが最善です。言い換えれば、1つのコミットの内容は CI を通過でき、コードの混乱を避けることができます。簡単に言えば、次の3つの小さなルールを覚えておく必要があります：
+
+* コミットで非常に大きな変更を避ける；
+* 各コミットが完全でレビュー可能であること。
+* コミット時に git config（`user.name`、`user.email`）を確認して、それが GitHub ID に関連付けられていることを確認します。
+
+```bash
+git config --get user.name
+git config --get user.email
+```
+
+* pr を提出する際には、'changes/' フォルダーの下の XXX.md ファイルに現在の変更の簡単な説明を追加してください。
+
+さらに、コード変更部分では、すべての貢献者が Higress の [コードスタイル](#コードスタイル) を読むことをお勧めします。
+
+コミットメッセージやコミット内容に関係なく、コードレビューに重点を置いています。
+
+### PR 説明
+
+PR は Higress プロジェクトファイルを変更する唯一の方法です。レビュアーが目的をよりよく理解できるようにするために、PR 説明は詳細すぎることはありません。貢献者には、[PR テンプレート](./.github/PULL_REQUEST_TEMPLATE.md) に従ってプルリクエストを完了することを奨励します。
+
+### 開発前の準備
+
+```shell
+make prebuild && go mod tidy
+```
+
+## テストケースの貢献
+
+テストケースは歓迎されます。現在、Higress の機能テストケースが高優先度です。
+
+* 単体テストの場合、同じモジュールの test ディレクトリに xxxTest.go という名前のテストファイルを作成する必要があります。
+* 統合テストの場合、統合テストを test ディレクトリに配置できます。
+//TBD
+
+## 何かを手伝うための参加
+
+GitHub を Higress の協力の主要な場所として選択しました。したがって、Higress の最新の更新は常にここにあります。PR を通じた貢献は明確な助けの方法ですが、他の方法も呼びかけています。
+
+* 可能であれば、他の人の質問に返信する；
+* 他のユーザーの問題を解決するのを手伝う；
+* 他の人の PR 設計をレビューするのを手伝う；
+* 他の人の PR のコードをレビューするのを手伝う；
+* Higress について議論して、物事を明確にする；
+* GitHub 以外で Higress 技術を宣伝する；
+* Higress に関するブログを書くなど。
+
+## コードスタイル
+//TBD
+要するに、**どんな助けも貢献です。**
--- a/4
+++ b/4
@@ -32,7 +32,7 @@ export BUILD_WITH_CONTAINER ?= 0

 ifeq ($(BUILD_WITH_CONTAINER),1)

-# An export free of arugments in a Makefile places all variables in the Makefile into the
+# An export free of arguments in a Makefile places all variables in the Makefile into the
 # environment. This is needed to allow overrides from Makefile.overrides.mk.
 export

@@ -60,7 +60,7 @@ else
 $(shell mkdir -p out)
 $(shell $(shell pwd)/tools/hack/setup_env.sh envfile > out/.env)
 include out/.env
-# An export free of arugments in a Makefile places all variables in the Makefile into the
+# An export free of arguments in a Makefile places all variables in the Makefile into the
 # environment. This behavior may be surprising to many that use shell often, which simply
 # displays the existing environment
 export
--- a/Makefile.core.mk
+++ b/Makefile.core.mk
@@ -25,7 +25,7 @@ TARGET_ARCH ?= amd64

 GOARCH_LOCAL := $(TARGET_ARCH)
 GOOS_LOCAL := $(TARGET_OS)
-RELEASE_LDFLAGS='$(GO_LDFLAGS) -extldflags -static -s -w -X google.golang.org/protobuf/reflect/protoregistry.conflictPolicy=warn'
+RELEASE_LDFLAGS='$(GO_LDFLAGS) -extldflags -static -s -w'

 export OUT:=$(TARGET_OUT)
 export OUT_LINUX:=$(TARGET_OUT_LINUX)
@@ -68,21 +68,21 @@ default: build

 .PHONY: go.test.coverage
 go.test.coverage: prebuild
-	go test -ldflags "-X google.golang.org/protobuf/reflect/protoregistry.conflictPolicy=warn" ./cmd/... ./pkg/... -race -coverprofile=coverage.xml -covermode=atomic
+	go test ./cmd/... ./pkg/... -race -coverprofile=coverage.xml -covermode=atomic

 .PHONY: build
 build: prebuild $(OUT)
-	GOPROXY=$(GOPROXY) GOOS=$(GOOS_LOCAL) GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh $(OUT)/ $(HIGRESS_BINARIES)
+	GOPROXY="$(GOPROXY)" GOOS=$(GOOS_LOCAL) GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh $(OUT)/ $(HIGRESS_BINARIES)

 .PHONY: build-linux
 build-linux: prebuild $(OUT)
-	GOPROXY=$(GOPROXY) GOOS=linux GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh $(OUT_LINUX)/ $(HIGRESS_BINARIES)
+	GOPROXY="$(GOPROXY)" GOOS=linux GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh $(OUT_LINUX)/ $(HIGRESS_BINARIES)

 $(AMD64_OUT_LINUX)/higress:
-	GOPROXY=$(GOPROXY) GOOS=linux GOARCH=amd64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/linux_amd64/ $(HIGRESS_BINARIES)
+	GOPROXY="$(GOPROXY)" GOOS=linux GOARCH=amd64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/linux_amd64/ $(HIGRESS_BINARIES)

 $(ARM64_OUT_LINUX)/higress:
-	GOPROXY=$(GOPROXY) GOOS=linux GOARCH=arm64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/linux_arm64/ $(HIGRESS_BINARIES)
+	GOPROXY="$(GOPROXY)" GOOS=linux GOARCH=arm64 LDFLAGS=$(RELEASE_LDFLAGS) tools/hack/gobuild.sh ./out/linux_arm64/ $(HIGRESS_BINARIES)

 .PHONY: build-hgctl
 build-hgctl: prebuild $(OUT)
@@ -101,11 +101,11 @@ build-hgctl-multiarch: prebuild $(OUT)

 .PHONY: build-hgctl-macos-arm64
 build-hgctl-macos-arm64: prebuild $(OUT)
-	CGO_ENABLED=1 GOPROXY=$(GOPROXY) GOOS=darwin GOARCH=arm64 LDFLAGS="-X google.golang.org/protobuf/reflect/protoregistry.conflictPolicy=warn" PROJECT_DIR="$(HGCTL_PROJECT_DIR)" tools/hack/gobuild.sh ../out/darwin_arm64/ $(HGCTL_BINARIES)
+	CGO_ENABLED=1 STATIC=0 GOPROXY=$(GOPROXY) GOOS=darwin GOARCH=arm64 PROJECT_DIR="$(HGCTL_PROJECT_DIR)" tools/hack/gobuild.sh ../out/darwin_arm64/ $(HGCTL_BINARIES)

 .PHONY: build-hgctl-macos-amd64
 build-hgctl-macos-amd64: prebuild $(OUT)
-	CGO_ENABLED=1 GOPROXY=$(GOPROXY) GOOS=darwin GOARCH=amd64 LDFLAGS="-X google.golang.org/protobuf/reflect/protoregistry.conflictPolicy=warn" PROJECT_DIR="$(HGCTL_PROJECT_DIR)" tools/hack/gobuild.sh ../out/darwin_amd64/ $(HGCTL_BINARIES)
+	CGO_ENABLED=1 STATIC=0 GOPROXY=$(GOPROXY) GOOS=darwin GOARCH=amd64 PROJECT_DIR="$(HGCTL_PROJECT_DIR)" tools/hack/gobuild.sh ../out/darwin_amd64/ $(HGCTL_BINARIES)

 # Create targets for OUT_LINUX/binary
 # There are two use cases here:
@@ -144,7 +144,7 @@ docker-buildx-push: clean-env docker.higress-buildx
 export PARENT_GIT_TAG:=$(shell cat VERSION)
 export PARENT_GIT_REVISION:=$(TAG)

-export ENVOY_PACKAGE_URL_PATTERN?=https://github.com/higress-group/proxy/releases/download/v2.0.0-rc.1/envoy-symbol-ARCH.tar.gz
+export ENVOY_PACKAGE_URL_PATTERN?=https://github.com/higress-group/proxy/releases/download/v2.1.1/envoy-symbol-ARCH.tar.gz

 build-envoy: prebuild
 	./tools/hack/build-envoy.sh
@@ -162,13 +162,13 @@ buildx-prepare:
 build-gateway: prebuild buildx-prepare
 	USE_REAL_USER=1 TARGET_ARCH=amd64 DOCKER_TARGETS="docker.proxyv2" ./tools/hack/build-istio-image.sh init
 	USE_REAL_USER=1 TARGET_ARCH=arm64 DOCKER_TARGETS="docker.proxyv2" ./tools/hack/build-istio-image.sh init
-	DOCKER_TARGETS="docker.proxyv2" ./tools/hack/build-istio-image.sh docker.buildx
+	DOCKER_TARGETS="docker.proxyv2" IMG_URL="${IMG_URL}" ./tools/hack/build-istio-image.sh docker.buildx

 build-gateway-local: prebuild
 	TARGET_ARCH=${TARGET_ARCH} DOCKER_TARGETS="docker.proxyv2" ./tools/hack/build-istio-image.sh docker

 build-istio: prebuild buildx-prepare
-	DOCKER_TARGETS="docker.pilot" ./tools/hack/build-istio-image.sh docker.buildx
+	DOCKER_TARGETS="docker.pilot" IMG_URL="${IMG_URL}" ./tools/hack/build-istio-image.sh docker.buildx

 build-istio-local: prebuild
 	TARGET_ARCH=${TARGET_ARCH} DOCKER_TARGETS="docker.pilot" ./tools/hack/build-istio-image.sh docker
@@ -187,8 +187,8 @@ install: pre-install
 	cd helm/higress; helm dependency build
 	helm install higress helm/higress -n higress-system --create-namespace --set 'global.local=true'

-ENVOY_LATEST_IMAGE_TAG ?= a6c313d41b3b54f0e3ed81fc676c520160cfed05
-ISTIO_LATEST_IMAGE_TAG ?= a9a55b3895bbf64a1ad8f724b2de3de017831e38
+ENVOY_LATEST_IMAGE_TAG ?= 958467a353d411ae3f06e03b096bfd342cddb2c6
+ISTIO_LATEST_IMAGE_TAG ?= d9c728d3b01f64855e012b08d136e306f1160397

 install-dev: pre-install
 	helm install higress helm/core -n higress-system --create-namespace --set 'controller.tag=$(TAG)' --set 'gateway.replicas=1' --set 'pilot.tag=$(ISTIO_LATEST_IMAGE_TAG)' --set 'gateway.tag=$(ENVOY_LATEST_IMAGE_TAG)' --set 'global.local=true'
@@ -221,11 +221,15 @@ clean-higress: ## Cleans all the intermediate files and folders previously gener
 	rm -rf $(DIRS_TO_CLEAN)

 clean-istio:
+	rm -rf external/api
+	rm -rf external/client-go
 	rm -rf external/istio
+	rm -rf external/pkg

 clean-gateway: clean-istio
 	rm -rf external/envoy
 	rm -rf external/proxy
+	rm -rf external/go-control-plane
 	rm -rf external/package/envoy.tar.gz

 clean-env:
@@ -284,28 +288,32 @@ delete-cluster: $(tools/kind) ## Delete kind cluster.
 .PHONY: kube-load-image
 kube-load-image: $(tools/kind) ## Install the Higress image to a kind cluster using the provided $IMAGE and $TAG.
 	tools/hack/kind-load-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/higress $(TAG)
+	tools/hack/docker-pull-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/pilot $(ISTIO_LATEST_IMAGE_TAG)
+	tools/hack/docker-pull-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/gateway $(ENVOY_LATEST_IMAGE_TAG)
 	tools/hack/docker-pull-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/dubbo-provider-demo 0.0.3-x86
-	tools/hack/docker-pull-image.sh docker.io/alihigress/nacos-standlone-rc3 1.0.0-RC3
+	tools/hack/docker-pull-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/nacos-standlone-rc3 1.0.0-RC3
 	tools/hack/docker-pull-image.sh docker.io/hashicorp/consul 1.16.0
 	tools/hack/docker-pull-image.sh docker.io/charlie1380/eureka-registry-provider v0.3.0
 	tools/hack/docker-pull-image.sh docker.io/bitinit/eureka latest
-	tools/hack/docker-pull-image.sh docker.io/alihigress/httpbin 1.0.2
+	tools/hack/docker-pull-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/httpbin 1.0.2
 	tools/hack/docker-pull-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/echo-server 1.3.0
 	tools/hack/docker-pull-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/echo-server v1.0
 	tools/hack/docker-pull-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/echo-body 1.0.0
-	tools/hack/docker-pull-image.sh openpolicyagent/opa latest
+	tools/hack/docker-pull-image.sh openpolicyagent/opa 0.61.0
+	tools/hack/docker-pull-image.sh curlimages/curl latest
 	tools/hack/docker-pull-image.sh registry.cn-hangzhou.aliyuncs.com/2456868764/httpbin 1.0.2
 	tools/hack/docker-pull-image.sh registry.cn-hangzhou.aliyuncs.com/hinsteny/nacos-standlone-rc3 1.0.0-RC3
 	tools/hack/kind-load-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/dubbo-provider-demo 0.0.3-x86
-	tools/hack/kind-load-image.sh docker.io/alihigress/nacos-standlone-rc3 1.0.0-RC3
+	tools/hack/kind-load-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/nacos-standlone-rc3 1.0.0-RC3
 	tools/hack/kind-load-image.sh docker.io/hashicorp/consul 1.16.0
-	tools/hack/kind-load-image.sh docker.io/alihigress/httpbin 1.0.2
+	tools/hack/kind-load-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/httpbin 1.0.2
 	tools/hack/kind-load-image.sh docker.io/charlie1380/eureka-registry-provider v0.3.0
 	tools/hack/kind-load-image.sh docker.io/bitinit/eureka latest
 	tools/hack/kind-load-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/echo-server 1.3.0
 	tools/hack/kind-load-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/echo-server v1.0
 	tools/hack/kind-load-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/echo-body 1.0.0
-	tools/hack/kind-load-image.sh openpolicyagent/opa latest
+	tools/hack/kind-load-image.sh openpolicyagent/opa 0.61.0
+	tools/hack/kind-load-image.sh curlimages/curl latest
 	tools/hack/kind-load-image.sh registry.cn-hangzhou.aliyuncs.com/2456868764/httpbin 1.0.2
 	tools/hack/kind-load-image.sh registry.cn-hangzhou.aliyuncs.com/hinsteny/nacos-standlone-rc3 1.0.0-RC3

--- a/README.md
+++ b/README.md
@@ -1,3 +1,4 @@
+<a name="readme-top"></a>
 <h1 align="center">
    <img src="https://img.alicdn.com/imgextra/i2/O1CN01NwxLDd20nxfGBjxmZ_!!6000000006895-2-tps-960-290.png" alt="Higress" width="240" height="72.5">
  <br>
@@ -5,29 +6,37 @@
 </h1>
 <h4 align="center"> AI Native API Gateway </h4>

+<div align="center">
+    
 [![Build Status](https://github.com/alibaba/higress/actions/workflows/build-and-test.yaml/badge.svg?branch=main)](https://github.com/alibaba/higress/actions)
 [![license](https://img.shields.io/github/license/alibaba/higress.svg)](https://www.apache.org/licenses/LICENSE-2.0.html)

-[**官网**](https://higress.io/) &nbsp; |
-&nbsp; [**文档**](https://higress.io/docs/latest/user/quickstart/) &nbsp; |
-&nbsp; [**博客**](https://higress.io/blog/) &nbsp; |
-&nbsp; [**开发指引**](https://higress.io/docs/latest/dev/architecture/) &nbsp; |
-&nbsp; [**AI插件**](https://higress.io/plugin/) &nbsp;
+<a href="https://trendshift.io/repositories/10918" target="_blank"><img src="https://trendshift.io/api/badge/repositories/10918" alt="alibaba%2Fhigress | Trendshift" style="width: 250px; height: 55px;" width="250" height="55"/></a>
+</div>
+
+[**官网**](https://higress.cn/) &nbsp; |
+&nbsp; [**文档**](https://higress.cn/docs/latest/overview/what-is-higress/) &nbsp; |
+&nbsp; [**博客**](https://higress.cn/blog/) &nbsp; |
+&nbsp; [**电子书**](https://higress.cn/docs/ebook/wasm14/) &nbsp; |
+&nbsp; [**开发指引**](https://higress.cn/docs/latest/dev/architecture/) &nbsp; |
+&nbsp; [**AI插件**](https://higress.cn/plugin/) &nbsp;
+


 <p>
-   <a href="README_EN.md"> English <a/> | 中文
+   <a href="README_EN.md"> English <a/>| 中文 | <a href="README_JP.md"> 日本語 <a/> 
 </p>


-Higress 是基于阿里内部多年的 Envoy Gateway 实践沉淀，以开源 [Istio](https://github.com/istio/istio) 与 [Envoy](https://github.com/envoyproxy/envoy) 为核心构建的云原生 API 网关。
+Higress 是一款云原生 API 网关，内核基于 Istio 和 Envoy，可以用 Go/Rust/JS 等编写 Wasm 插件，提供了数十个现成的通用插件，以及开箱即用的控制台（demo 点[这里](http://demo.higress.io/)）

-Higress 在阿里内部作为 AI 网关，承载了通义千问 APP、百炼大模型 API、机器学习 PAI 平台等 AI 业务的流量。
+Higress 在阿里内部为解决 Tengine reload 对长连接业务有损，以及 gRPC/Dubbo 负载均衡能力不足而诞生。

-Higress 能够用统一的协议对接国内外所有 LLM 模型厂商，同时具备丰富的 AI 可观测、多模型负载均衡/fallback、AI token 流控、AI 缓存等能力：
+阿里云基于 Higress 构建了云原生 API 网关产品，为大量企业客户提供 99.99% 的网关高可用保障服务能力。

-![](https://img.alicdn.com/imgextra/i1/O1CN01fNnhCp1cV8mYPRFeS_!!6000000003605-0-tps-1080-608.jpg)
+Higress 的 AI 网关能力支持国内外所有[主流模型供应商](https://github.com/alibaba/higress/tree/main/plugins/wasm-go/extensions/ai-proxy/provider)和基于 vllm/ollama 等自建的 DeepSeek 模型；在阿里云内部支撑了通义千问 APP、百炼大模型 API、机器学习 PAI 平台等 AI 业务。同时服务国内头部的 AIGC 企业（如零一万物），以及 AI 产品（如 FastGPT）

+![](https://img.alicdn.com/imgextra/i2/O1CN011AbR8023V8R5N0HcA_!!6000000007260-2-tps-1080-606.png)


 ## Summary
@@ -57,32 +66,45 @@ docker run -d --rm --name higress-ai -v ${PWD}:/data \
 - 8080 端口：网关 HTTP 协议入口
 - 8443 端口：网关 HTTPS 协议入口

-**Higress 的所有 Docker 镜像都一直使用自己独享的仓库，不受 Docker Hub 境内不可访问的影响**
+**Higress 的所有 Docker 镜像都一直使用自己独享的仓库，不受 Docker Hub 境内访问受限的影响**

-K8s 下使用 Helm 部署等其他安装方式可以参考官网 [Quick Start 文档](https://higress.io/docs/latest/user/quickstart/)。
+K8s 下使用 Helm 部署等其他安装方式可以参考官网 [Quick Start 文档](https://higress.cn/docs/latest/user/quickstart/)。
+
+如果您是在云上部署，生产环境推荐使用[企业版](https://higress.io/cloud/)，开发测试可以使用下面一键部署社区版：
+
+[![Deploy on AlibabaCloud ComputeNest](https://service-info-public.oss-cn-hangzhou.aliyuncs.com/computenest.svg)](https://computenest.console.aliyun.com/service/instance/create/default?type=user&ServiceName=Higress社区版)


 ## 使用场景

 - **AI 网关**:

-  Higress 提供了一站式的 AI 插件集，可以增强依赖 AI 能力业务的稳定性、灵活性、可观测性，使得业务与 AI 的集成更加便捷和高效。
+  Higress 能够用统一的协议对接国内外所有 LLM 模型厂商，同时具备丰富的 AI 可观测、多模型负载均衡/fallback、AI token 流控、AI 缓存等能力：
+
+  ![](https://img.alicdn.com/imgextra/i1/O1CN01fNnhCp1cV8mYPRFeS_!!6000000003605-0-tps-1080-608.jpg)

 - **Kubernetes Ingress 网关**:

  Higress 可以作为 K8s 集群的 Ingress 入口网关, 并且兼容了大量 K8s Nginx Ingress 的注解，可以从 K8s Nginx Ingress 快速平滑迁移到 Higress。
  
  支持 [Gateway API](https://gateway-api.sigs.k8s.io/) 标准，支持用户从 Ingress API 平滑迁移到 Gateway API。
+
+  相比 ingress-nginx，资源开销大幅下降，路由变更生效速度有十倍提升：
+
+  ![](https://img.alicdn.com/imgextra/i1/O1CN01bhEtb229eeMNBWmdP_!!6000000008093-2-tps-750-547.png)
+  ![](https://img.alicdn.com/imgextra/i1/O1CN01bqRets1LsBGyitj4S_!!6000000001354-2-tps-887-489.png)
  
 - **微服务网关**:

  Higress 可以作为微服务网关, 能够对接多种类型的注册中心发现服务配置路由，例如 Nacos, ZooKeeper, Consul, Eureka 等。
  
  并且深度集成了 [Dubbo](https://github.com/apache/dubbo), [Nacos](https://github.com/alibaba/nacos), [Sentinel](https://github.com/alibaba/Sentinel) 等微服务技术栈，基于 Envoy C++ 网关内核的出色性能，相比传统 Java 类微服务网关，可以显著降低资源使用率，减少成本。
+
+  ![](https://img.alicdn.com/imgextra/i4/O1CN01v4ZbCj1dBjePSMZ17_!!6000000003698-0-tps-1613-926.jpg)
  
 - **安全防护网关**:

-  Higress 可以作为安全防护网关， 提供 WAF 的能力，并且支持多种认证鉴权策略，例如 key-auth, hmac-auth, jwt-auth, basic-auth, oidc 等。  
+  Higress 可以作为安全防护网关， 提供 WAF 的能力，并且支持多种认证鉴权策略，例如 key-auth, hmac-auth, jwt-auth, basic-auth, oidc 等。 

 ## 核心优势

@@ -164,7 +186,7 @@ K8s 下使用 Helm 部署等其他安装方式可以参考官网 [Quick Start

 ### 交流群

-![image](https://img.alicdn.com/imgextra/i2/O1CN01qPd7Ix1uZPVEsWjWp_!!6000000006051-0-tps-720-405.jpg)
+![image](https://img.alicdn.com/imgextra/i2/O1CN01fZefEP1aPWkzG3A19_!!6000000003322-0-tps-720-405.jpg)

 ### 技术分享

@@ -172,3 +194,23 @@ K8s 下使用 Helm 部署等其他安装方式可以参考官网 [Quick Start

 ![](https://img.alicdn.com/imgextra/i1/O1CN01WnQt0q1tcmqVDU73u_!!6000000005923-0-tps-258-258.jpg)

+### 关联仓库
+
+- Higress 控制台：https://github.com/higress-group/higress-console
+- Higress（独立运行版）：https://github.com/higress-group/higress-standalone
+
+### 贡献者
+
+<a href="https://github.com/alibaba/higress/graphs/contributors">
+  <img alt="contributors" src="https://contrib.rocks/image?repo=alibaba/higress"/>
+</a>
+
+### Star History
+
+[![Star History](https://api.star-history.com/svg?repos=alibaba/higress&type=Date)](https://star-history.com/#alibaba/higress&Date)
+
+<p align="right" style="font-size: 14px; color: #555; margin-top: 20px;">
+    <a href="#readme-top" style="text-decoration: none; color: #007bff; font-weight: bold;">
+        ↑ 返回顶部 ↑
+    </a>
+</p>
--- a/README_EN.md
+++ b/README_EN.md
@@ -1,3 +1,4 @@
+<a name="readme-top"></a>
 <h1 align="center">
    <img src="https://img.alicdn.com/imgextra/i2/O1CN01NwxLDd20nxfGBjxmZ_!!6000000006895-2-tps-960-290.png" alt="Higress" width="240" height="72.5">
  <br>
@@ -15,7 +16,7 @@


 <p>
-   English | <a href="README.md">中文<a/>
+   English | <a href="README.md">中文<a/> | <a href="README_JP.md">日本語<a/>
 </p>

 Higress is a cloud-native api gateway based on Alibaba's internal gateway practices. 
@@ -47,7 +48,7 @@ Powered by [Istio](https://github.com/istio/istio) and [Envoy](https://github.co

  Higress can function as a microservice gateway, which can discovery microservices from various service registries, such as Nacos, ZooKeeper, Consul, Eureka, etc.
  
-  It deeply integrates of [Dubbo](https://github.com/apache/dubbo), [Nacos](https://github.com/alibaba/nacos), [Sentinel](https://github.com/alibaba/Sentinel) and other microservice technology stacks.
+  It deeply integrates with [Dubbo](https://github.com/apache/dubbo), [Nacos](https://github.com/alibaba/nacos), [Sentinel](https://github.com/alibaba/Sentinel) and other microservice technology stacks.
  
 - **Security gateway**:

@@ -57,7 +58,7 @@ Powered by [Istio](https://github.com/istio/istio) and [Envoy](https://github.co

 - **Easy to use**

-  Provide one-stop gateway solutions for traffic scheduling, service management, and security protection, support Console, K8s Ingress, and Gateway API configuration methods, and also support HTTP to Dubbo protocol conversion, and easily complete protocol mapping configuration.  
+  Provides one-stop gateway solutions for traffic scheduling, service management, and security protection, support Console, K8s Ingress, and Gateway API configuration methods, and also support HTTP to Dubbo protocol conversion, and easily complete protocol mapping configuration.  
  
 - **Easy to expand**

@@ -73,7 +74,7 @@ Powered by [Istio](https://github.com/istio/istio) and [Envoy](https://github.co
  
 - **Security**

-  Provides JWT, OIDC, custom authentication and authentication, deeply integrates open source web application firewall.
+  Provides JWT, OIDC, custom authentication and authentication, deeply integrates open-source web application firewall.

 ## Community

@@ -81,4 +82,25 @@ Powered by [Istio](https://github.com/istio/istio) and [Envoy](https://github.co

 ### Thanks

-Higress would not be possible without the valuable open-source work of projects in the community. We would like to extend a special thank-you to Envoy and Istio.
+Higress would not be possible without the valuable open-source work of projects in the community. We would like to extend a special thank you to Envoy and Istio.
+
+### Related Repositories
+
+- Higress Console: https://github.com/higress-group/higress-console
+- Higress Standalone: https://github.com/higress-group/higress-standalone
+
+### Contributors
+
+<a href="https://github.com/alibaba/higress/graphs/contributors">
+  <img alt="contributors" src="https://contrib.rocks/image?repo=alibaba/higress"/>
+</a>
+
+### Star History
+
+[![Star History Chart](https://api.star-history.com/svg?repos=alibaba/higress&type=Date)](https://star-history.com/#alibaba/higress&Date)
+
+<p align="right" style="font-size: 14px; color: #555; margin-top: 20px;">
+    <a href="#readme-top" style="text-decoration: none; color: #007bff; font-weight: bold;">
+        ↑ Back to Top ↑
+    </a>
+</p>
--- a/README_JP.md
+++ b/README_JP.md
@@ -0,0 +1,206 @@
+<a name="readme-top"></a>
+<h1 align="center">
+    <img src="https://img.alicdn.com/imgextra/i2/O1CN01NwxLDd20nxfGBjxmZ_!!6000000006895-2-tps-960-290.png" alt="Higress" width="240" height="72.5">
+  <br>
+  AIゲートウェイ
+</h1>
+<h4 align="center"> AIネイティブAPIゲートウェイ </h4>
+
+[![Build Status](https://github.com/alibaba/higress/actions/workflows/build-and-test.yaml/badge.svg?branch=main)](https://github.com/alibaba/higress/actions)
+[![license](https://img.shields.io/github/license/alibaba/higress.svg)](https://www.apache.org/licenses/LICENSE-2.0.html)
+
+[**公式サイト**](https://higress.cn/) &nbsp; |
+&nbsp; [**ドキュメント**](https://higress.cn/docs/latest/overview/what-is-higress/) &nbsp; |
+&nbsp; [**ブログ**](https://higress.cn/blog/) &nbsp; |
+&nbsp; [**電子書籍**](https://higress.cn/docs/ebook/wasm14/) &nbsp; |
+&nbsp; [**開発ガイド**](https://higress.cn/docs/latest/dev/architecture/) &nbsp; |
+&nbsp; [**AIプラグイン**](https://higress.cn/plugin/) &nbsp;
+
+
+<p>
+   <a href="README_EN.md"> English <a/> | <a href="README.md">中文<a/> | 日本語
+</p>
+
+
+Higressは、IstioとEnvoyをベースにしたクラウドネイティブAPIゲートウェイで、Go/Rust/JSなどを使用してWasmプラグインを作成できます。数十の既製の汎用プラグインと、すぐに使用できるコンソールを提供しています（デモは[こちら](http://demo.higress.io/)）。
+
+Higressは、Tengineのリロードが長時間接続のビジネスに影響を与える問題や、gRPC/Dubboの負荷分散能力の不足を解決するために、Alibaba内部で誕生しました。
+
+Alibaba Cloudは、Higressを基盤にクラウドネイティブAPIゲートウェイ製品を構築し、多くの企業顧客に99.99％のゲートウェイ高可用性保証サービスを提供しています。
+
+Higressは、AIゲートウェイ機能を基盤に、Tongyi Qianwen APP、Bailian大規模モデルAPI、機械学習PAIプラットフォームなどのAIビジネスをサポートしています。また、国内の主要なAIGC企業（例：ZeroOne）やAI製品（例：FastGPT）にもサービスを提供しています。
+
+![](https://img.alicdn.com/imgextra/i2/O1CN011AbR8023V8R5N0HcA_!!6000000007260-2-tps-1080-606.png)
+
+
+## 目次
+
+- [**クイックスタート**](#クイックスタート)    
+- [**機能紹介**](#機能紹介)
+- [**使用シナリオ**](#使用シナリオ)
+- [**主な利点**](#主な利点)
+- [**コミュニティ**](#コミュニティ)
+
+## クイックスタート
+
+HigressはDockerだけで起動でき、個人開発者がローカルで学習用にセットアップしたり、簡易サイトを構築するのに便利です。
+
+```bash
+# 作業ディレクトリを作成
+mkdir higress; cd higress
+# Higressを起動し、設定ファイルを作業ディレクトリに書き込みます
+docker run -d --rm --name higress-ai -v ${PWD}:/data \
+        -p 8001:8001 -p 8080:8080 -p 8443:8443  \
+        higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/all-in-one:latest
+```
+
+リスンポートの説明は以下の通りです：
+
+- 8001ポート：Higress UIコンソールのエントリーポイント
+- 8080ポート：ゲートウェイのHTTPプロトコルエントリーポイント
+- 8443ポート：ゲートウェイのHTTPSプロトコルエントリーポイント
+
+**HigressのすべてのDockerイメージは専用のリポジトリを使用しており、Docker Hubの国内アクセス不可の影響を受けません**
+
+K8sでのHelmデプロイなどの他のインストール方法については、公式サイトの[クイックスタートドキュメント](https://higress.cn/docs/latest/user/quickstart/)を参照してください。
+
+
+## 使用シナリオ
+
+- **AIゲートウェイ**:
+
+  Higressは、国内外のすべてのLLMモデルプロバイダーと統一されたプロトコルで接続でき、豊富なAI可観測性、多モデル負荷分散/フォールバック、AIトークンフロー制御、AIキャッシュなどの機能を備えています。
+
+  ![](https://img.alicdn.com/imgextra/i1/O1CN01fNnhCp1cV8mYPRFeS_!!6000000003605-0-tps-1080-608.jpg)
+
+- **Kubernetes Ingressゲートウェイ**:
+
+  HigressはK8sクラスターのIngressエントリーポイントゲートウェイとして機能し、多くのK8s Nginx Ingressの注釈に対応しています。K8s Nginx IngressからHigressへのスムーズな移行が可能です。
+  
+  [Gateway API](https://gateway-api.sigs.k8s.io/)標準をサポートし、ユーザーがIngress APIからGateway APIにスムーズに移行できるようにします。
+
+  ingress-nginxと比較して、リソースの消費が大幅に減少し、ルーティングの変更が10倍速く反映されます。
+
+  ![](https://img.alicdn.com/imgextra/i1/O1CN01bhEtb229eeMNBWmdP_!!6000000008093-2-tps-750-547.png)
+  ![](https://img.alicdn.com/imgextra/i1/O1CN01bqRets1LsBGyitj4S_!!6000000001354-2-tps-887-489.png)
+  
+- **マイクロサービスゲートウェイ**:
+
+  Higressはマイクロサービスゲートウェイとして機能し、Nacos、ZooKeeper、Consul、Eurekaなどのさまざまなサービスレジストリからサービスを発見し、ルーティングを構成できます。
+  
+  また、[Dubbo](https://github.com/apache/dubbo)、[Nacos](https://github.com/alibaba/nacos)、[Sentinel](https://github.com/alibaba/Sentinel)などのマイクロサービス技術スタックと深く統合されています。Envoy C++ゲートウェイコアの優れたパフォーマンスに基づいて、従来のJavaベースのマイクロサービスゲートウェイと比較して、リソース使用率を大幅に削減し、コストを削減できます。
+
+  ![](https://img.alicdn.com/imgextra/i4/O1CN01v4ZbCj1dBjePSMZ17_!!6000000003698-0-tps-1613-926.jpg)
+  
+- **セキュリティゲートウェイ**:
+
+  Higressはセキュリティゲートウェイとして機能し、WAF機能を提供し、key-auth、hmac-auth、jwt-auth、basic-auth、oidcなどのさまざまな認証戦略をサポートします。 
+
+## 主な利点
+
+- **プロダクションレベル**
+
+  Alibabaで2年以上のプロダクション検証を経た内部製品から派生し、毎秒数十万のリクエストを処理する大規模なシナリオをサポートします。
+
+  Nginxのリロードによるトラフィックの揺れを完全に排除し、構成変更がミリ秒単位で反映され、ビジネスに影響を与えません。AIビジネスなどの長時間接続シナリオに特に適しています。
+
+- **ストリーム処理**
+
+  リクエスト/レスポンスボディの完全なストリーム処理をサポートし、Wasmプラグインを使用してSSE（Server-Sent Events）などのストリームプロトコルのメッセージをカスタマイズして処理できます。
+
+  AIビジネスなどの大帯域幅シナリオで、メモリ使用量を大幅に削減できます。  
+    
+- **拡張性**
+
+  AI、トラフィック管理、セキュリティ保護などの一般的な機能をカバーする豊富な公式プラグインライブラリを提供し、90％以上のビジネスシナリオのニーズを満たします。
+
+  Wasmプラグイン拡張を主力とし、サンドボックス隔離を通じてメモリの安全性を確保し、複数のプログラミング言語をサポートし、プラグインバージョンの独立したアップグレードを許可し、トラフィックに影響を与えずにゲートウェイロジックをホットアップデートできます。
+
+- **安全で使いやすい**
+  
+  Ingress APIおよびGateway API標準に基づき、すぐに使用できるUIコンソールを提供し、WAF保護プラグイン、IP/Cookie CC保護プラグインをすぐに使用できます。
+
+  Let's Encryptの自動証明書発行および更新をサポートし、K8sを使用せずにデプロイでき、1行のDockerコマンドで起動でき、個人開発者にとって便利です。
+
+
+## 機能紹介
+
+### AIゲートウェイデモ展示
+
+[OpenAIから他の大規模モデルへの移行を30秒で完了
+](https://www.bilibili.com/video/BV1dT421a7w7/?spm_id_from=333.788.recommend_more_video.14)
+
+
+### Higress UIコンソール
+    
+- **豊富な可観測性**
+
+  すぐに使用できる可観測性を提供し、Grafana＆Prometheusは組み込みのものを使用することも、自分で構築したものを接続することもできます。
+
+  ![](./docs/images/monitor.gif)
+    
+
+- **プラグイン拡張メカニズム**
+
+  公式にはさまざまなプラグインが提供されており、ユーザーは[独自のプラグインを開発](./plugins/wasm-go)し、Docker/OCIイメージとして構築し、コンソールで構成して、プラグインロジックをリアルタイムで変更できます。トラフィックに影響を与えずにプラグインロジックをホットアップデートできます。
+
+  ![](./docs/images/plugin.gif)
+
+
+- **さまざまなサービス発見**
+
+  デフォルトでK8s Serviceサービス発見を提供し、構成を通じてNacos/ZooKeeperなどのレジストリに接続してサービスを発見することも、静的IPまたはDNSに基づいて発見することもできます。
+
+  ![](./docs/images/service-source.gif)
+    
+
+- **ドメインと証明書**
+
+  TLS証明書を作成および管理し、ドメインのHTTP/HTTPS動作を構成できます。ドメインポリシーでは、特定のドメインに対してプラグインを適用することができます。
+
+  ![](./docs/images/domain.gif)
+
+
+- **豊富なルーティング機能**
+
+  上記で定義されたサービス発見メカニズムを通じて、発見されたサービスはサービスリストに表示されます。ルーティングを作成する際に、ドメインを選択し、ルーティングマッチングメカニズムを定義し、ターゲットサービスを選択してルーティングを行います。ルーティングポリシーでは、特定のルーティングに対してプラグインを適用することができます。
+
+  ![](./docs/images/route-service.gif)
+
+
+## コミュニティ
+
+### 感謝
+
+EnvoyとIstioのオープンソースの取り組みがなければ、Higressは実現できませんでした。これらのプロジェクトに最も誠実な敬意を表します。
+
+### 交流グループ
+
+![image](https://img.alicdn.com/imgextra/i2/O1CN01BkopaB22ZsvamFftE_!!6000000007135-0-tps-720-405.jpg)
+
+### 技術共有
+
+WeChat公式アカウント：
+
+![](https://img.alicdn.com/imgextra/i1/O1CN01WnQt0q1tcmqVDU73u_!!6000000005923-0-tps-258-258.jpg)
+
+### 関連リポジトリ
+
+- Higressコンソール：https://github.com/higress-group/higress-console
+- Higress（スタンドアロン版）：https://github.com/higress-group/higress-standalone
+
+### 貢献者
+
+<a href="https://github.com/alibaba/higress/graphs/contributors">
+  <img alt="contributors" src="https://contrib.rocks/image?repo=alibaba/higress"/>
+</a>
+
+### スターの歴史
+
+[![スターの歴史チャート](https://api.star-history.com/svg?repos=alibaba/higress&type=Date)](https://star-history.com/#alibaba/higress&Date)
+
+<p align="right" style="font-size: 14px; color: #555; margin-top: 20px;">
+    <a href="#readme-top" style="text-decoration: none; color: #007bff; font-weight: bold;">
+        ↑ トップに戻る ↑
+    </a>
+</p>
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -4,6 +4,7 @@

 | Version | Supported          |
 | ------- | ------------------ |
+| 2.x.x   | :white_check_mark: |
 | 1.x.x   | :white_check_mark: |
 | < 1.0.0   | :x:                |

--- a/2
+++ b/2
@@ -1 +1 @@
-v2.0.0-rc.1
+v2.0.7
--- a/api/extensions/v1alpha1/wasmplugin.pb.go
+++ b/api/extensions/v1alpha1/wasmplugin.pb.go
@@ -17,7 +17,7 @@
 // versions:
 // 	protoc-gen-go v1.31.0
 // 	protoc        (unknown)
-// source: extensions/v1alpha1/wasm.proto
+// source: extensions/v1alpha1/wasmplugin.proto

 // $schema: higress.extensions.v1alpha1.WasmPlugin
 // $title: WasmPlugin
@@ -84,11 +84,11 @@ func (x PluginPhase) String() string {
 }

 func (PluginPhase) Descriptor() protoreflect.EnumDescriptor {
-	return file_extensions_v1alpha1_wasm_proto_enumTypes[0].Descriptor()
+	return file_extensions_v1alpha1_wasmplugin_proto_enumTypes[0].Descriptor()
 }

 func (PluginPhase) Type() protoreflect.EnumType {
-	return &file_extensions_v1alpha1_wasm_proto_enumTypes[0]
+	return &file_extensions_v1alpha1_wasmplugin_proto_enumTypes[0]
 }

 func (x PluginPhase) Number() protoreflect.EnumNumber {
@@ -97,7 +97,7 @@ func (x PluginPhase) Number() protoreflect.EnumNumber {

 // Deprecated: Use PluginPhase.Descriptor instead.
 func (PluginPhase) EnumDescriptor() ([]byte, []int) {
-	return file_extensions_v1alpha1_wasm_proto_rawDescGZIP(), []int{0}
+	return file_extensions_v1alpha1_wasmplugin_proto_rawDescGZIP(), []int{0}
 }

 // The pull behaviour to be applied when fetching an OCI image,
@@ -146,11 +146,11 @@ func (x PullPolicy) String() string {
 }

 func (PullPolicy) Descriptor() protoreflect.EnumDescriptor {
-	return file_extensions_v1alpha1_wasm_proto_enumTypes[1].Descriptor()
+	return file_extensions_v1alpha1_wasmplugin_proto_enumTypes[1].Descriptor()
 }

 func (PullPolicy) Type() protoreflect.EnumType {
-	return &file_extensions_v1alpha1_wasm_proto_enumTypes[1]
+	return &file_extensions_v1alpha1_wasmplugin_proto_enumTypes[1]
 }

 func (x PullPolicy) Number() protoreflect.EnumNumber {
@@ -159,7 +159,7 @@ func (x PullPolicy) Number() protoreflect.EnumNumber {

 // Deprecated: Use PullPolicy.Descriptor instead.
 func (PullPolicy) EnumDescriptor() ([]byte, []int) {
-	return file_extensions_v1alpha1_wasm_proto_rawDescGZIP(), []int{1}
+	return file_extensions_v1alpha1_wasmplugin_proto_rawDescGZIP(), []int{1}
 }

 type EnvValueSource int32
@@ -194,11 +194,11 @@ func (x EnvValueSource) String() string {
 }

 func (EnvValueSource) Descriptor() protoreflect.EnumDescriptor {
-	return file_extensions_v1alpha1_wasm_proto_enumTypes[2].Descriptor()
+	return file_extensions_v1alpha1_wasmplugin_proto_enumTypes[2].Descriptor()
 }

 func (EnvValueSource) Type() protoreflect.EnumType {
-	return &file_extensions_v1alpha1_wasm_proto_enumTypes[2]
+	return &file_extensions_v1alpha1_wasmplugin_proto_enumTypes[2]
 }

 func (x EnvValueSource) Number() protoreflect.EnumNumber {
@@ -207,7 +207,7 @@ func (x EnvValueSource) Number() protoreflect.EnumNumber {

 // Deprecated: Use EnvValueSource.Descriptor instead.
 func (EnvValueSource) EnumDescriptor() ([]byte, []int) {
-	return file_extensions_v1alpha1_wasm_proto_rawDescGZIP(), []int{2}
+	return file_extensions_v1alpha1_wasmplugin_proto_rawDescGZIP(), []int{2}
 }

 type FailStrategy int32
@@ -246,11 +246,11 @@ func (x FailStrategy) String() string {
 }

 func (FailStrategy) Descriptor() protoreflect.EnumDescriptor {
-	return file_extensions_v1alpha1_wasm_proto_enumTypes[3].Descriptor()
+	return file_extensions_v1alpha1_wasmplugin_proto_enumTypes[3].Descriptor()
 }

 func (FailStrategy) Type() protoreflect.EnumType {
-	return &file_extensions_v1alpha1_wasm_proto_enumTypes[3]
+	return &file_extensions_v1alpha1_wasmplugin_proto_enumTypes[3]
 }

 func (x FailStrategy) Number() protoreflect.EnumNumber {
@@ -259,7 +259,7 @@ func (x FailStrategy) Number() protoreflect.EnumNumber {

 // Deprecated: Use FailStrategy.Descriptor instead.
 func (FailStrategy) EnumDescriptor() ([]byte, []int) {
-	return file_extensions_v1alpha1_wasm_proto_rawDescGZIP(), []int{3}
+	return file_extensions_v1alpha1_wasmplugin_proto_rawDescGZIP(), []int{3}
 }

 // <!-- crd generation tags
@@ -341,13 +341,13 @@ type WasmPlugin struct {
 	// Extended by Higress, matching rules take effect
 	MatchRules []*MatchRule `protobuf:"bytes,102,rep,name=match_rules,json=matchRules,proto3" json:"match_rules,omitempty"`
 	// disable the default config
-	DefaultConfigDisable bool `protobuf:"varint,103,opt,name=default_config_disable,json=defaultConfigDisable,proto3" json:"default_config_disable,omitempty"`
+	DefaultConfigDisable *wrappers.BoolValue `protobuf:"bytes,103,opt,name=default_config_disable,json=defaultConfigDisable,proto3" json:"default_config_disable,omitempty"`
 }

 func (x *WasmPlugin) Reset() {
 	*x = WasmPlugin{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[0]
+		mi := &file_extensions_v1alpha1_wasmplugin_proto_msgTypes[0]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -360,7 +360,7 @@ func (x *WasmPlugin) String() string {
 func (*WasmPlugin) ProtoMessage() {}

 func (x *WasmPlugin) ProtoReflect() protoreflect.Message {
-	mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[0]
+	mi := &file_extensions_v1alpha1_wasmplugin_proto_msgTypes[0]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -373,7 +373,7 @@ func (x *WasmPlugin) ProtoReflect() protoreflect.Message {

 // Deprecated: Use WasmPlugin.ProtoReflect.Descriptor instead.
 func (*WasmPlugin) Descriptor() ([]byte, []int) {
-	return file_extensions_v1alpha1_wasm_proto_rawDescGZIP(), []int{0}
+	return file_extensions_v1alpha1_wasmplugin_proto_rawDescGZIP(), []int{0}
 }

 func (x *WasmPlugin) GetUrl() string {
@@ -467,11 +467,11 @@ func (x *WasmPlugin) GetMatchRules() []*MatchRule {
 	return nil
 }

-func (x *WasmPlugin) GetDefaultConfigDisable() bool {
+func (x *WasmPlugin) GetDefaultConfigDisable() *wrappers.BoolValue {
 	if x != nil {
 		return x.DefaultConfigDisable
 	}
-	return false
+	return nil
 }

 // Extended by Higress
@@ -480,17 +480,17 @@ type MatchRule struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Ingress       []string        `protobuf:"bytes,1,rep,name=ingress,proto3" json:"ingress,omitempty"`
-	Domain        []string        `protobuf:"bytes,2,rep,name=domain,proto3" json:"domain,omitempty"`
-	Config        *_struct.Struct `protobuf:"bytes,3,opt,name=config,proto3" json:"config,omitempty"`
-	ConfigDisable bool            `protobuf:"varint,4,opt,name=config_disable,json=configDisable,proto3" json:"config_disable,omitempty"`
-	Service       []string        `protobuf:"bytes,5,rep,name=service,proto3" json:"service,omitempty"`
+	Ingress       []string            `protobuf:"bytes,1,rep,name=ingress,proto3" json:"ingress,omitempty"`
+	Domain        []string            `protobuf:"bytes,2,rep,name=domain,proto3" json:"domain,omitempty"`
+	Config        *_struct.Struct     `protobuf:"bytes,3,opt,name=config,proto3" json:"config,omitempty"`
+	ConfigDisable *wrappers.BoolValue `protobuf:"bytes,4,opt,name=config_disable,json=configDisable,proto3" json:"config_disable,omitempty"`
+	Service       []string            `protobuf:"bytes,5,rep,name=service,proto3" json:"service,omitempty"`
 }

 func (x *MatchRule) Reset() {
 	*x = MatchRule{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[1]
+		mi := &file_extensions_v1alpha1_wasmplugin_proto_msgTypes[1]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -503,7 +503,7 @@ func (x *MatchRule) String() string {
 func (*MatchRule) ProtoMessage() {}

 func (x *MatchRule) ProtoReflect() protoreflect.Message {
-	mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[1]
+	mi := &file_extensions_v1alpha1_wasmplugin_proto_msgTypes[1]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -516,7 +516,7 @@ func (x *MatchRule) ProtoReflect() protoreflect.Message {

 // Deprecated: Use MatchRule.ProtoReflect.Descriptor instead.
 func (*MatchRule) Descriptor() ([]byte, []int) {
-	return file_extensions_v1alpha1_wasm_proto_rawDescGZIP(), []int{1}
+	return file_extensions_v1alpha1_wasmplugin_proto_rawDescGZIP(), []int{1}
 }

 func (x *MatchRule) GetIngress() []string {
@@ -540,11 +540,11 @@ func (x *MatchRule) GetConfig() *_struct.Struct {
 	return nil
 }

-func (x *MatchRule) GetConfigDisable() bool {
+func (x *MatchRule) GetConfigDisable() *wrappers.BoolValue {
 	if x != nil {
 		return x.ConfigDisable
 	}
-	return false
+	return nil
 }

 func (x *MatchRule) GetService() []string {
@@ -569,7 +569,7 @@ type VmConfig struct {
 func (x *VmConfig) Reset() {
 	*x = VmConfig{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[2]
+		mi := &file_extensions_v1alpha1_wasmplugin_proto_msgTypes[2]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -582,7 +582,7 @@ func (x *VmConfig) String() string {
 func (*VmConfig) ProtoMessage() {}

 func (x *VmConfig) ProtoReflect() protoreflect.Message {
-	mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[2]
+	mi := &file_extensions_v1alpha1_wasmplugin_proto_msgTypes[2]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -595,7 +595,7 @@ func (x *VmConfig) ProtoReflect() protoreflect.Message {

 // Deprecated: Use VmConfig.ProtoReflect.Descriptor instead.
 func (*VmConfig) Descriptor() ([]byte, []int) {
-	return file_extensions_v1alpha1_wasm_proto_rawDescGZIP(), []int{2}
+	return file_extensions_v1alpha1_wasmplugin_proto_rawDescGZIP(), []int{2}
 }

 func (x *VmConfig) GetEnv() []*EnvVar {
@@ -625,7 +625,7 @@ type EnvVar struct {
 func (x *EnvVar) Reset() {
 	*x = EnvVar{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[3]
+		mi := &file_extensions_v1alpha1_wasmplugin_proto_msgTypes[3]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -638,7 +638,7 @@ func (x *EnvVar) String() string {
 func (*EnvVar) ProtoMessage() {}

 func (x *EnvVar) ProtoReflect() protoreflect.Message {
-	mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[3]
+	mi := &file_extensions_v1alpha1_wasmplugin_proto_msgTypes[3]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -651,7 +651,7 @@ func (x *EnvVar) ProtoReflect() protoreflect.Message {

 // Deprecated: Use EnvVar.ProtoReflect.Descriptor instead.
 func (*EnvVar) Descriptor() ([]byte, []int) {
-	return file_extensions_v1alpha1_wasm_proto_rawDescGZIP(), []int{3}
+	return file_extensions_v1alpha1_wasmplugin_proto_rawDescGZIP(), []int{3}
 }

 func (x *EnvVar) GetName() string {
@@ -675,124 +675,128 @@ func (x *EnvVar) GetValue() string {
 	return ""
 }

-var File_extensions_v1alpha1_wasm_proto protoreflect.FileDescriptor
+var File_extensions_v1alpha1_wasmplugin_proto protoreflect.FileDescriptor

-var file_extensions_v1alpha1_wasm_proto_rawDesc = []byte{
-	0x0a, 0x1e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x76, 0x31, 0x61,
-	0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x77, 0x61, 0x73, 0x6d, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x12, 0x1b, 0x68, 0x69, 0x67, 0x72, 0x65, 0x73, 0x73, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73,
-	0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1e, 0x67,
-	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x77,
-	0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1c, 0x67,
-	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x73,
-	0x74, 0x72, 0x75, 0x63, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x8d, 0x06, 0x0a, 0x0a,
-	0x57, 0x61, 0x73, 0x6d, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72,
-	0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x12, 0x16, 0x0a, 0x06,
-	0x73, 0x68, 0x61, 0x32, 0x35, 0x36, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x68,
-	0x61, 0x32, 0x35, 0x36, 0x12, 0x53, 0x0a, 0x11, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x5f, 0x70, 0x75,
-	0x6c, 0x6c, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32,
-	0x27, 0x2e, 0x68, 0x69, 0x67, 0x72, 0x65, 0x73, 0x73, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73,
-	0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x75,
-	0x6c, 0x6c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x0f, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x50,
-	0x75, 0x6c, 0x6c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x2a, 0x0a, 0x11, 0x69, 0x6d, 0x61,
-	0x67, 0x65, 0x5f, 0x70, 0x75, 0x6c, 0x6c, 0x5f, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x18, 0x05,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x50, 0x75, 0x6c, 0x6c, 0x53,
-	0x65, 0x63, 0x72, 0x65, 0x74, 0x12, 0x29, 0x0a, 0x10, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x0f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79,
-	0x12, 0x3c, 0x0a, 0x0d, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69,
-	0x67, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
-	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x75, 0x63, 0x74,
-	0x52, 0x0c, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x1f,
-	0x0a, 0x0b, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x08, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x12,
-	0x3e, 0x0a, 0x05, 0x70, 0x68, 0x61, 0x73, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x28,
-	0x2e, 0x68, 0x69, 0x67, 0x72, 0x65, 0x73, 0x73, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69,
-	0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x6c, 0x75,
-	0x67, 0x69, 0x6e, 0x50, 0x68, 0x61, 0x73, 0x65, 0x52, 0x05, 0x70, 0x68, 0x61, 0x73, 0x65, 0x12,
-	0x37, 0x0a, 0x08, 0x70, 0x72, 0x69, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x18, 0x0a, 0x20, 0x01, 0x28,
-	0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x62, 0x75, 0x66, 0x2e, 0x49, 0x6e, 0x74, 0x33, 0x32, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x08,
-	0x70, 0x72, 0x69, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x12, 0x4e, 0x0a, 0x0d, 0x66, 0x61, 0x69, 0x6c,
-	0x5f, 0x73, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x0e, 0x32,
-	0x29, 0x2e, 0x68, 0x69, 0x67, 0x72, 0x65, 0x73, 0x73, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73,
-	0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x46, 0x61,
-	0x69, 0x6c, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x52, 0x0c, 0x66, 0x61, 0x69, 0x6c,
-	0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x12, 0x42, 0x0a, 0x09, 0x76, 0x6d, 0x5f, 0x63,
-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x68, 0x69,
-	0x67, 0x72, 0x65, 0x73, 0x73, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73,
-	0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x56, 0x6d, 0x43, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x52, 0x08, 0x76, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x3e, 0x0a, 0x0e,
-	0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x65,
-	0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x75, 0x63, 0x74, 0x52, 0x0d, 0x64,
-	0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x47, 0x0a, 0x0b,
-	0x6d, 0x61, 0x74, 0x63, 0x68, 0x5f, 0x72, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x66, 0x20, 0x03, 0x28,
-	0x0b, 0x32, 0x26, 0x2e, 0x68, 0x69, 0x67, 0x72, 0x65, 0x73, 0x73, 0x2e, 0x65, 0x78, 0x74, 0x65,
+var file_extensions_v1alpha1_wasmplugin_proto_rawDesc = []byte{
+	0x0a, 0x24, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x76, 0x31, 0x61,
+	0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x77, 0x61, 0x73, 0x6d, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e,
+	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1b, 0x68, 0x69, 0x67, 0x72, 0x65, 0x73, 0x73, 0x2e,
+	0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70,
+	0x68, 0x61, 0x31, 0x1a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x62, 0x75, 0x66, 0x2f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x73, 0x2e, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x1a, 0x1c, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x62, 0x75, 0x66, 0x2f, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x22, 0xa9, 0x06, 0x0a, 0x0a, 0x57, 0x61, 0x73, 0x6d, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e,
+	0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75,
+	0x72, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x68, 0x61, 0x32, 0x35, 0x36, 0x18, 0x03, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x06, 0x73, 0x68, 0x61, 0x32, 0x35, 0x36, 0x12, 0x53, 0x0a, 0x11, 0x69, 0x6d,
+	0x61, 0x67, 0x65, 0x5f, 0x70, 0x75, 0x6c, 0x6c, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18,
+	0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x27, 0x2e, 0x68, 0x69, 0x67, 0x72, 0x65, 0x73, 0x73, 0x2e,
+	0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70,
+	0x68, 0x61, 0x31, 0x2e, 0x50, 0x75, 0x6c, 0x6c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x0f,
+	0x69, 0x6d, 0x61, 0x67, 0x65, 0x50, 0x75, 0x6c, 0x6c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12,
+	0x2a, 0x0a, 0x11, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x5f, 0x70, 0x75, 0x6c, 0x6c, 0x5f, 0x73, 0x65,
+	0x63, 0x72, 0x65, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x69, 0x6d, 0x61, 0x67,
+	0x65, 0x50, 0x75, 0x6c, 0x6c, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x12, 0x29, 0x0a, 0x10, 0x76,
+	0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6b, 0x65, 0x79, 0x18,
+	0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74,
+	0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x12, 0x3c, 0x0a, 0x0d, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e,
+	0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e,
+	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
+	0x53, 0x74, 0x72, 0x75, 0x63, 0x74, 0x52, 0x0c, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x43, 0x6f,
+	0x6e, 0x66, 0x69, 0x67, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x5f, 0x6e,
+	0x61, 0x6d, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x6c, 0x75, 0x67, 0x69,
+	0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x3e, 0x0a, 0x05, 0x70, 0x68, 0x61, 0x73, 0x65, 0x18, 0x09,
+	0x20, 0x01, 0x28, 0x0e, 0x32, 0x28, 0x2e, 0x68, 0x69, 0x67, 0x72, 0x65, 0x73, 0x73, 0x2e, 0x65,
+	0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68,
+	0x61, 0x31, 0x2e, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x50, 0x68, 0x61, 0x73, 0x65, 0x52, 0x05,
+	0x70, 0x68, 0x61, 0x73, 0x65, 0x12, 0x37, 0x0a, 0x08, 0x70, 0x72, 0x69, 0x6f, 0x72, 0x69, 0x74,
+	0x79, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
+	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x49, 0x6e, 0x74, 0x33, 0x32, 0x56,
+	0x61, 0x6c, 0x75, 0x65, 0x52, 0x08, 0x70, 0x72, 0x69, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x12, 0x4e,
+	0x0a, 0x0d, 0x66, 0x61, 0x69, 0x6c, 0x5f, 0x73, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x18,
+	0x0d, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x29, 0x2e, 0x68, 0x69, 0x67, 0x72, 0x65, 0x73, 0x73, 0x2e,
+	0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70,
+	0x68, 0x61, 0x31, 0x2e, 0x46, 0x61, 0x69, 0x6c, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79,
+	0x52, 0x0c, 0x66, 0x61, 0x69, 0x6c, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x12, 0x42,
+	0x0a, 0x09, 0x76, 0x6d, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x0b, 0x20, 0x01, 0x28,
+	0x0b, 0x32, 0x25, 0x2e, 0x68, 0x69, 0x67, 0x72, 0x65, 0x73, 0x73, 0x2e, 0x65, 0x78, 0x74, 0x65,
 	0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e,
-	0x4d, 0x61, 0x74, 0x63, 0x68, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x0a, 0x6d, 0x61, 0x74, 0x63, 0x68,
-	0x52, 0x75, 0x6c, 0x65, 0x73, 0x12, 0x34, 0x0a, 0x16, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74,
-	0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18,
-	0x67, 0x20, 0x01, 0x28, 0x08, 0x52, 0x14, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x43, 0x6f,
-	0x6e, 0x66, 0x69, 0x67, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x22, 0xaf, 0x01, 0x0a, 0x09,
-	0x4d, 0x61, 0x74, 0x63, 0x68, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x69, 0x6e, 0x67,
-	0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x69, 0x6e, 0x67, 0x72,
-	0x65, 0x73, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x02, 0x20,
-	0x03, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x2f, 0x0a, 0x06, 0x63,
-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x67, 0x6f,
-	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74,
-	0x72, 0x75, 0x63, 0x74, 0x52, 0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x25, 0x0a, 0x0e,
-	0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x04,
-	0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x44, 0x69, 0x73, 0x61,
-	0x62, 0x6c, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x18, 0x05,
-	0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x22, 0x41, 0x0a,
-	0x08, 0x56, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x35, 0x0a, 0x03, 0x65, 0x6e, 0x76,
-	0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x23, 0x2e, 0x68, 0x69, 0x67, 0x72, 0x65, 0x73, 0x73,
-	0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c,
-	0x70, 0x68, 0x61, 0x31, 0x2e, 0x45, 0x6e, 0x76, 0x56, 0x61, 0x72, 0x52, 0x03, 0x65, 0x6e, 0x76,
-	0x22, 0x7e, 0x0a, 0x06, 0x45, 0x6e, 0x76, 0x56, 0x61, 0x72, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61,
-	0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x4a,
-	0x0a, 0x0a, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x66, 0x72, 0x6f, 0x6d, 0x18, 0x03, 0x20, 0x01,
-	0x28, 0x0e, 0x32, 0x2b, 0x2e, 0x68, 0x69, 0x67, 0x72, 0x65, 0x73, 0x73, 0x2e, 0x65, 0x78, 0x74,
-	0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31,
-	0x2e, 0x45, 0x6e, 0x76, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52,
-	0x09, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x46, 0x72, 0x6f, 0x6d, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61,
-	0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65,
-	0x2a, 0x45, 0x0a, 0x0b, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x50, 0x68, 0x61, 0x73, 0x65, 0x12,
-	0x15, 0x0a, 0x11, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x5f, 0x50,
-	0x48, 0x41, 0x53, 0x45, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x55, 0x54, 0x48, 0x4e, 0x10,
-	0x01, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x55, 0x54, 0x48, 0x5a, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05,
-	0x53, 0x54, 0x41, 0x54, 0x53, 0x10, 0x03, 0x2a, 0x42, 0x0a, 0x0a, 0x50, 0x75, 0x6c, 0x6c, 0x50,
-	0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x16, 0x0a, 0x12, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49,
-	0x46, 0x49, 0x45, 0x44, 0x5f, 0x50, 0x4f, 0x4c, 0x49, 0x43, 0x59, 0x10, 0x00, 0x12, 0x10, 0x0a,
-	0x0c, 0x49, 0x66, 0x4e, 0x6f, 0x74, 0x50, 0x72, 0x65, 0x73, 0x65, 0x6e, 0x74, 0x10, 0x01, 0x12,
-	0x0a, 0x0a, 0x06, 0x41, 0x6c, 0x77, 0x61, 0x79, 0x73, 0x10, 0x02, 0x2a, 0x26, 0x0a, 0x0e, 0x45,
-	0x6e, 0x76, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x0a, 0x0a,
-	0x06, 0x49, 0x4e, 0x4c, 0x49, 0x4e, 0x45, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x48, 0x4f, 0x53,
-	0x54, 0x10, 0x01, 0x2a, 0x2d, 0x0a, 0x0c, 0x46, 0x61, 0x69, 0x6c, 0x53, 0x74, 0x72, 0x61, 0x74,
-	0x65, 0x67, 0x79, 0x12, 0x0e, 0x0a, 0x0a, 0x46, 0x41, 0x49, 0x4c, 0x5f, 0x43, 0x4c, 0x4f, 0x53,
-	0x45, 0x10, 0x00, 0x12, 0x0d, 0x0a, 0x09, 0x46, 0x41, 0x49, 0x4c, 0x5f, 0x4f, 0x50, 0x45, 0x4e,
-	0x10, 0x01, 0x42, 0x34, 0x5a, 0x32, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d,
-	0x2f, 0x61, 0x6c, 0x69, 0x62, 0x61, 0x62, 0x61, 0x2f, 0x68, 0x69, 0x67, 0x72, 0x65, 0x73, 0x73,
-	0x2f, 0x61, 0x70, 0x69, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f,
-	0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x56, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x08, 0x76, 0x6d, 0x43, 0x6f, 0x6e, 0x66,
+	0x69, 0x67, 0x12, 0x3e, 0x0a, 0x0e, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x63, 0x6f,
+	0x6e, 0x66, 0x69, 0x67, 0x18, 0x65, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x67, 0x6f, 0x6f,
+	0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72,
+	0x75, 0x63, 0x74, 0x52, 0x0d, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x43, 0x6f, 0x6e, 0x66,
+	0x69, 0x67, 0x12, 0x47, 0x0a, 0x0b, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x5f, 0x72, 0x75, 0x6c, 0x65,
+	0x73, 0x18, 0x66, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x68, 0x69, 0x67, 0x72, 0x65, 0x73,
+	0x73, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61,
+	0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x52, 0x75, 0x6c, 0x65, 0x52,
+	0x0a, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x12, 0x50, 0x0a, 0x16, 0x64,
+	0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x64, 0x69,
+	0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x67, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f,
+	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f,
+	0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x14, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74,
+	0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x22, 0xcb, 0x01,
+	0x0a, 0x09, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x69,
+	0x6e, 0x67, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x69, 0x6e,
+	0x67, 0x72, 0x65, 0x73, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18,
+	0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x2f, 0x0a,
+	0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e,
+	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
+	0x53, 0x74, 0x72, 0x75, 0x63, 0x74, 0x52, 0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x41,
+	0x0a, 0x0e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65,
+	0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c,
+	0x75, 0x65, 0x52, 0x0d, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c,
+	0x65, 0x12, 0x18, 0x0a, 0x07, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x18, 0x05, 0x20, 0x03,
+	0x28, 0x09, 0x52, 0x07, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x22, 0x41, 0x0a, 0x08, 0x56,
+	0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x35, 0x0a, 0x03, 0x65, 0x6e, 0x76, 0x18, 0x01,
+	0x20, 0x03, 0x28, 0x0b, 0x32, 0x23, 0x2e, 0x68, 0x69, 0x67, 0x72, 0x65, 0x73, 0x73, 0x2e, 0x65,
+	0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68,
+	0x61, 0x31, 0x2e, 0x45, 0x6e, 0x76, 0x56, 0x61, 0x72, 0x52, 0x03, 0x65, 0x6e, 0x76, 0x22, 0x7e,
+	0x0a, 0x06, 0x45, 0x6e, 0x76, 0x56, 0x61, 0x72, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x4a, 0x0a, 0x0a,
+	0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x66, 0x72, 0x6f, 0x6d, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e,
+	0x32, 0x2b, 0x2e, 0x68, 0x69, 0x67, 0x72, 0x65, 0x73, 0x73, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e,
+	0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x45,
+	0x6e, 0x76, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x09, 0x76,
+	0x61, 0x6c, 0x75, 0x65, 0x46, 0x72, 0x6f, 0x6d, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75,
+	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x2a, 0x45,
+	0x0a, 0x0b, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x50, 0x68, 0x61, 0x73, 0x65, 0x12, 0x15, 0x0a,
+	0x11, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x5f, 0x50, 0x48, 0x41,
+	0x53, 0x45, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x55, 0x54, 0x48, 0x4e, 0x10, 0x01, 0x12,
+	0x09, 0x0a, 0x05, 0x41, 0x55, 0x54, 0x48, 0x5a, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x53, 0x54,
+	0x41, 0x54, 0x53, 0x10, 0x03, 0x2a, 0x42, 0x0a, 0x0a, 0x50, 0x75, 0x6c, 0x6c, 0x50, 0x6f, 0x6c,
+	0x69, 0x63, 0x79, 0x12, 0x16, 0x0a, 0x12, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49,
+	0x45, 0x44, 0x5f, 0x50, 0x4f, 0x4c, 0x49, 0x43, 0x59, 0x10, 0x00, 0x12, 0x10, 0x0a, 0x0c, 0x49,
+	0x66, 0x4e, 0x6f, 0x74, 0x50, 0x72, 0x65, 0x73, 0x65, 0x6e, 0x74, 0x10, 0x01, 0x12, 0x0a, 0x0a,
+	0x06, 0x41, 0x6c, 0x77, 0x61, 0x79, 0x73, 0x10, 0x02, 0x2a, 0x26, 0x0a, 0x0e, 0x45, 0x6e, 0x76,
+	0x56, 0x61, 0x6c, 0x75, 0x65, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x0a, 0x0a, 0x06, 0x49,
+	0x4e, 0x4c, 0x49, 0x4e, 0x45, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x48, 0x4f, 0x53, 0x54, 0x10,
+	0x01, 0x2a, 0x2d, 0x0a, 0x0c, 0x46, 0x61, 0x69, 0x6c, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67,
+	0x79, 0x12, 0x0e, 0x0a, 0x0a, 0x46, 0x41, 0x49, 0x4c, 0x5f, 0x43, 0x4c, 0x4f, 0x53, 0x45, 0x10,
+	0x00, 0x12, 0x0d, 0x0a, 0x09, 0x46, 0x41, 0x49, 0x4c, 0x5f, 0x4f, 0x50, 0x45, 0x4e, 0x10, 0x01,
+	0x42, 0x34, 0x5a, 0x32, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x61,
+	0x6c, 0x69, 0x62, 0x61, 0x62, 0x61, 0x2f, 0x68, 0x69, 0x67, 0x72, 0x65, 0x73, 0x73, 0x2f, 0x61,
+	0x70, 0x69, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x76, 0x31,
+	0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
-	file_extensions_v1alpha1_wasm_proto_rawDescOnce sync.Once
-	file_extensions_v1alpha1_wasm_proto_rawDescData = file_extensions_v1alpha1_wasm_proto_rawDesc
+	file_extensions_v1alpha1_wasmplugin_proto_rawDescOnce sync.Once
+	file_extensions_v1alpha1_wasmplugin_proto_rawDescData = file_extensions_v1alpha1_wasmplugin_proto_rawDesc
 )

-func file_extensions_v1alpha1_wasm_proto_rawDescGZIP() []byte {
-	file_extensions_v1alpha1_wasm_proto_rawDescOnce.Do(func() {
-		file_extensions_v1alpha1_wasm_proto_rawDescData = protoimpl.X.CompressGZIP(file_extensions_v1alpha1_wasm_proto_rawDescData)
+func file_extensions_v1alpha1_wasmplugin_proto_rawDescGZIP() []byte {
+	file_extensions_v1alpha1_wasmplugin_proto_rawDescOnce.Do(func() {
+		file_extensions_v1alpha1_wasmplugin_proto_rawDescData = protoimpl.X.CompressGZIP(file_extensions_v1alpha1_wasmplugin_proto_rawDescData)
 	})
-	return file_extensions_v1alpha1_wasm_proto_rawDescData
+	return file_extensions_v1alpha1_wasmplugin_proto_rawDescData
 }

-var file_extensions_v1alpha1_wasm_proto_enumTypes = make([]protoimpl.EnumInfo, 4)
-var file_extensions_v1alpha1_wasm_proto_msgTypes = make([]protoimpl.MessageInfo, 4)
-var file_extensions_v1alpha1_wasm_proto_goTypes = []interface{}{
+var file_extensions_v1alpha1_wasmplugin_proto_enumTypes = make([]protoimpl.EnumInfo, 4)
+var file_extensions_v1alpha1_wasmplugin_proto_msgTypes = make([]protoimpl.MessageInfo, 4)
+var file_extensions_v1alpha1_wasmplugin_proto_goTypes = []interface{}{
 	(PluginPhase)(0),            // 0: higress.extensions.v1alpha1.PluginPhase
 	(PullPolicy)(0),             // 1: higress.extensions.v1alpha1.PullPolicy
 	(EnvValueSource)(0),         // 2: higress.extensions.v1alpha1.EnvValueSource
@@ -803,8 +807,9 @@ var file_extensions_v1alpha1_wasm_proto_goTypes = []interface{}{
 	(*EnvVar)(nil),              // 7: higress.extensions.v1alpha1.EnvVar
 	(*_struct.Struct)(nil),      // 8: google.protobuf.Struct
 	(*wrappers.Int32Value)(nil), // 9: google.protobuf.Int32Value
+	(*wrappers.BoolValue)(nil),  // 10: google.protobuf.BoolValue
 }
-var file_extensions_v1alpha1_wasm_proto_depIdxs = []int32{
+var file_extensions_v1alpha1_wasmplugin_proto_depIdxs = []int32{
 	1,  // 0: higress.extensions.v1alpha1.WasmPlugin.image_pull_policy:type_name -> higress.extensions.v1alpha1.PullPolicy
 	8,  // 1: higress.extensions.v1alpha1.WasmPlugin.plugin_config:type_name -> google.protobuf.Struct
 	0,  // 2: higress.extensions.v1alpha1.WasmPlugin.phase:type_name -> higress.extensions.v1alpha1.PluginPhase
@@ -813,23 +818,25 @@ var file_extensions_v1alpha1_wasm_proto_depIdxs = []int32{
 	6,  // 5: higress.extensions.v1alpha1.WasmPlugin.vm_config:type_name -> higress.extensions.v1alpha1.VmConfig
 	8,  // 6: higress.extensions.v1alpha1.WasmPlugin.default_config:type_name -> google.protobuf.Struct
 	5,  // 7: higress.extensions.v1alpha1.WasmPlugin.match_rules:type_name -> higress.extensions.v1alpha1.MatchRule
-	8,  // 8: higress.extensions.v1alpha1.MatchRule.config:type_name -> google.protobuf.Struct
-	7,  // 9: higress.extensions.v1alpha1.VmConfig.env:type_name -> higress.extensions.v1alpha1.EnvVar
-	2,  // 10: higress.extensions.v1alpha1.EnvVar.value_from:type_name -> higress.extensions.v1alpha1.EnvValueSource
-	11, // [11:11] is the sub-list for method output_type
-	11, // [11:11] is the sub-list for method input_type
-	11, // [11:11] is the sub-list for extension type_name
-	11, // [11:11] is the sub-list for extension extendee
-	0,  // [0:11] is the sub-list for field type_name
+	10, // 8: higress.extensions.v1alpha1.WasmPlugin.default_config_disable:type_name -> google.protobuf.BoolValue
+	8,  // 9: higress.extensions.v1alpha1.MatchRule.config:type_name -> google.protobuf.Struct
+	10, // 10: higress.extensions.v1alpha1.MatchRule.config_disable:type_name -> google.protobuf.BoolValue
+	7,  // 11: higress.extensions.v1alpha1.VmConfig.env:type_name -> higress.extensions.v1alpha1.EnvVar
+	2,  // 12: higress.extensions.v1alpha1.EnvVar.value_from:type_name -> higress.extensions.v1alpha1.EnvValueSource
+	13, // [13:13] is the sub-list for method output_type
+	13, // [13:13] is the sub-list for method input_type
+	13, // [13:13] is the sub-list for extension type_name
+	13, // [13:13] is the sub-list for extension extendee
+	0,  // [0:13] is the sub-list for field type_name
 }

-func init() { file_extensions_v1alpha1_wasm_proto_init() }
-func file_extensions_v1alpha1_wasm_proto_init() {
-	if File_extensions_v1alpha1_wasm_proto != nil {
+func init() { file_extensions_v1alpha1_wasmplugin_proto_init() }
+func file_extensions_v1alpha1_wasmplugin_proto_init() {
+	if File_extensions_v1alpha1_wasmplugin_proto != nil {
 		return
 	}
 	if !protoimpl.UnsafeEnabled {
-		file_extensions_v1alpha1_wasm_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+		file_extensions_v1alpha1_wasmplugin_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*WasmPlugin); i {
 			case 0:
 				return &v.state
@@ -841,7 +848,7 @@ func file_extensions_v1alpha1_wasm_proto_init() {
 				return nil
 			}
 		}
-		file_extensions_v1alpha1_wasm_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+		file_extensions_v1alpha1_wasmplugin_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*MatchRule); i {
 			case 0:
 				return &v.state
@@ -853,7 +860,7 @@ func file_extensions_v1alpha1_wasm_proto_init() {
 				return nil
 			}
 		}
-		file_extensions_v1alpha1_wasm_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
+		file_extensions_v1alpha1_wasmplugin_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*VmConfig); i {
 			case 0:
 				return &v.state
@@ -865,7 +872,7 @@ func file_extensions_v1alpha1_wasm_proto_init() {
 				return nil
 			}
 		}
-		file_extensions_v1alpha1_wasm_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
+		file_extensions_v1alpha1_wasmplugin_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*EnvVar); i {
 			case 0:
 				return &v.state
@@ -882,19 +889,19 @@ func file_extensions_v1alpha1_wasm_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_extensions_v1alpha1_wasm_proto_rawDesc,
+			RawDescriptor: file_extensions_v1alpha1_wasmplugin_proto_rawDesc,
 			NumEnums:      4,
 			NumMessages:   4,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
-		GoTypes:           file_extensions_v1alpha1_wasm_proto_goTypes,
-		DependencyIndexes: file_extensions_v1alpha1_wasm_proto_depIdxs,
-		EnumInfos:         file_extensions_v1alpha1_wasm_proto_enumTypes,
-		MessageInfos:      file_extensions_v1alpha1_wasm_proto_msgTypes,
+		GoTypes:           file_extensions_v1alpha1_wasmplugin_proto_goTypes,
+		DependencyIndexes: file_extensions_v1alpha1_wasmplugin_proto_depIdxs,
+		EnumInfos:         file_extensions_v1alpha1_wasmplugin_proto_enumTypes,
+		MessageInfos:      file_extensions_v1alpha1_wasmplugin_proto_msgTypes,
 	}.Build()
-	File_extensions_v1alpha1_wasm_proto = out.File
-	file_extensions_v1alpha1_wasm_proto_rawDesc = nil
-	file_extensions_v1alpha1_wasm_proto_goTypes = nil
-	file_extensions_v1alpha1_wasm_proto_depIdxs = nil
+	File_extensions_v1alpha1_wasmplugin_proto = out.File
+	file_extensions_v1alpha1_wasmplugin_proto_rawDesc = nil
+	file_extensions_v1alpha1_wasmplugin_proto_goTypes = nil
+	file_extensions_v1alpha1_wasmplugin_proto_depIdxs = nil
 }
--- a/api/extensions/v1alpha1/wasmplugin.proto
+++ b/api/extensions/v1alpha1/wasmplugin.proto
@@ -112,7 +112,7 @@ message WasmPlugin {
  // Extended by Higress, matching rules take effect
  repeated MatchRule match_rules = 102;
  // disable the default config
-  bool default_config_disable = 103;
+  google.protobuf.BoolValue default_config_disable = 103;
 }

 // Extended by Higress
@@ -120,7 +120,7 @@ message MatchRule {
  repeated string ingress = 1;
  repeated string domain = 2;
  google.protobuf.Struct config = 3;
-  bool config_disable = 4;
+  google.protobuf.BoolValue config_disable = 4;
  repeated string service = 5;
 }

--- a/api/extensions/v1alpha1/wasmplugin_deepcopy.gen.go
+++ b/api/extensions/v1alpha1/wasmplugin_deepcopy.gen.go
--- a/api/extensions/v1alpha1/wasmplugin_json.gen.go
+++ b/api/extensions/v1alpha1/wasmplugin_json.gen.go
@@ -8,49 +8,49 @@ import (

 // MarshalJSON is a custom marshaler for WasmPlugin
 func (this *WasmPlugin) MarshalJSON() ([]byte, error) {
-	str, err := WasmMarshaler.MarshalToString(this)
+	str, err := WasmpluginMarshaler.MarshalToString(this)
 	return []byte(str), err
 }

 // UnmarshalJSON is a custom unmarshaler for WasmPlugin
 func (this *WasmPlugin) UnmarshalJSON(b []byte) error {
-	return WasmUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+	return WasmpluginUnmarshaler.Unmarshal(bytes.NewReader(b), this)
 }

 // MarshalJSON is a custom marshaler for MatchRule
 func (this *MatchRule) MarshalJSON() ([]byte, error) {
-	str, err := WasmMarshaler.MarshalToString(this)
+	str, err := WasmpluginMarshaler.MarshalToString(this)
 	return []byte(str), err
 }

 // UnmarshalJSON is a custom unmarshaler for MatchRule
 func (this *MatchRule) UnmarshalJSON(b []byte) error {
-	return WasmUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+	return WasmpluginUnmarshaler.Unmarshal(bytes.NewReader(b), this)
 }

 // MarshalJSON is a custom marshaler for VmConfig
 func (this *VmConfig) MarshalJSON() ([]byte, error) {
-	str, err := WasmMarshaler.MarshalToString(this)
+	str, err := WasmpluginMarshaler.MarshalToString(this)
 	return []byte(str), err
 }

 // UnmarshalJSON is a custom unmarshaler for VmConfig
 func (this *VmConfig) UnmarshalJSON(b []byte) error {
-	return WasmUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+	return WasmpluginUnmarshaler.Unmarshal(bytes.NewReader(b), this)
 }

 // MarshalJSON is a custom marshaler for EnvVar
 func (this *EnvVar) MarshalJSON() ([]byte, error) {
-	str, err := WasmMarshaler.MarshalToString(this)
+	str, err := WasmpluginMarshaler.MarshalToString(this)
 	return []byte(str), err
 }

 // UnmarshalJSON is a custom unmarshaler for EnvVar
 func (this *EnvVar) UnmarshalJSON(b []byte) error {
-	return WasmUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+	return WasmpluginUnmarshaler.Unmarshal(bytes.NewReader(b), this)
 }

 var (
-	WasmMarshaler   = &jsonpb.Marshaler{}
-	WasmUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true}
+	WasmpluginMarshaler   = &jsonpb.Marshaler{}
+	WasmpluginUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true}
 )
--- a/api/kubernetes/customresourcedefinitions.gen.yaml
+++ b/api/kubernetes/customresourcedefinitions.gen.yaml
@@ -284,6 +284,10 @@ spec:
                      type: string
                    port:
                      type: integer
+                    protocol:
+                      type: string
+                    sni:
+                      type: string
                    type:
                      type: string
                    zkServicesPath:
--- a/api/networking/v1/mcp_bridge.pb.go
+++ b/api/networking/v1/mcp_bridge.pb.go
@@ -126,6 +126,8 @@ type RegistryConfig struct {
 	ConsulServiceTag      string   `protobuf:"bytes,15,opt,name=consulServiceTag,proto3" json:"consulServiceTag,omitempty"`
 	ConsulRefreshInterval int64    `protobuf:"varint,16,opt,name=consulRefreshInterval,proto3" json:"consulRefreshInterval,omitempty"`
 	AuthSecretName        string   `protobuf:"bytes,17,opt,name=authSecretName,proto3" json:"authSecretName,omitempty"`
+	Protocol              string   `protobuf:"bytes,18,opt,name=protocol,proto3" json:"protocol,omitempty"`
+	Sni                   string   `protobuf:"bytes,19,opt,name=sni,proto3" json:"sni,omitempty"`
 }

 func (x *RegistryConfig) Reset() {
@@ -279,6 +281,20 @@ func (x *RegistryConfig) GetAuthSecretName() string {
 	return ""
 }

+func (x *RegistryConfig) GetProtocol() string {
+	if x != nil {
+		return x.Protocol
+	}
+	return ""
+}
+
+func (x *RegistryConfig) GetSni() string {
+	if x != nil {
+		return x.Sni
+	}
+	return ""
+}
+
 var File_networking_v1_mcp_bridge_proto protoreflect.FileDescriptor

 var file_networking_v1_mcp_bridge_proto_rawDesc = []byte{
@@ -292,7 +308,7 @@ var file_networking_v1_mcp_bridge_proto_rawDesc = []byte{
 	0x69, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x68, 0x69, 0x67, 0x72,
 	0x65, 0x73, 0x73, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76,
 	0x31, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
-	0x52, 0x0a, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x69, 0x65, 0x73, 0x22, 0xa5, 0x05, 0x0a,
+	0x52, 0x0a, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x69, 0x65, 0x73, 0x22, 0xd3, 0x05, 0x0a,
 	0x0e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12,
 	0x17, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0,
 	0x41, 0x02, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65,
@@ -335,10 +351,13 @@ var file_networking_v1_mcp_bridge_proto_rawDesc = []byte{
 	0x72, 0x65, 0x73, 0x68, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x76, 0x61, 0x6c, 0x12, 0x26, 0x0a, 0x0e,
 	0x61, 0x75, 0x74, 0x68, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x11,
 	0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x61, 0x75, 0x74, 0x68, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74,
-	0x4e, 0x61, 0x6d, 0x65, 0x42, 0x2e, 0x5a, 0x2c, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63,
-	0x6f, 0x6d, 0x2f, 0x61, 0x6c, 0x69, 0x62, 0x61, 0x62, 0x61, 0x2f, 0x68, 0x69, 0x67, 0x72, 0x65,
-	0x73, 0x73, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e,
-	0x67, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c,
+	0x18, 0x12, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c,
+	0x12, 0x10, 0x0a, 0x03, 0x73, 0x6e, 0x69, 0x18, 0x13, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x73,
+	0x6e, 0x69, 0x42, 0x2e, 0x5a, 0x2c, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d,
+	0x2f, 0x61, 0x6c, 0x69, 0x62, 0x61, 0x62, 0x61, 0x2f, 0x68, 0x69, 0x67, 0x72, 0x65, 0x73, 0x73,
+	0x2f, 0x61, 0x70, 0x69, 0x2f, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2f,
+	0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
--- a/api/networking/v1/mcp_bridge.proto
+++ b/api/networking/v1/mcp_bridge.proto
@@ -64,4 +64,6 @@ message RegistryConfig {
  string consulServiceTag = 15;
  int64  consulRefreshInterval = 16;
  string authSecretName = 17;
+  string protocol = 18;
+  string sni = 19;
 }
--- a/docker/docker.mk
+++ b/docker/docker.mk
@@ -35,6 +35,8 @@ DOCKER_ALL_VARIANTS ?= debug distroless
 INCLUDE_UNTAGGED_DEFAULT ?= false
 DEFAULT_DISTRIBUTION=debug

-HIGRESS_DOCKER_BUILDX_RULE ?= $(foreach VARIANT,$(DOCKER_BUILD_VARIANTS), time (mkdir -p $(HIGRESS_DOCKER_BUILD_TOP)/$@ && TARGET_ARCH=$(TARGET_ARCH) ./docker/docker-copy.sh $^ $(HIGRESS_DOCKER_BUILD_TOP)/$@ && cd $(HIGRESS_DOCKER_BUILD_TOP)/$@ $(BUILD_PRE) && docker buildx create --name higress --node higress0 --platform linux/amd64,linux/arm64 --use && docker buildx build --no-cache --platform linux/amd64,linux/arm64 $(BUILD_ARGS) --build-arg BASE_DISTRIBUTION=$(call normalize-tag,$(VARIANT)) -t $(HUB)/higress:$(TAG)$(call variant-tag,$(VARIANT)) -f Dockerfile.higress . --push  ); )
-HIGRESS_DOCKER_RULE ?= $(foreach VARIANT,$(DOCKER_BUILD_VARIANTS), time (mkdir -p $(HIGRESS_DOCKER_BUILD_TOP)/$@ && TARGET_ARCH=$(TARGET_ARCH) ./docker/docker-copy.sh $^ $(HIGRESS_DOCKER_BUILD_TOP)/$@ && cd $(HIGRESS_DOCKER_BUILD_TOP)/$@ $(BUILD_PRE) && docker build $(BUILD_ARGS) --build-arg BASE_DISTRIBUTION=$(call normalize-tag,$(VARIANT)) -t $(HUB)/higress:$(TAG)$(call variant-tag,$(VARIANT)) -f Dockerfile.higress . ); )
+IMG ?= higress
+IMG_URL ?= $(HUB)/$(IMG):$(TAG)

+HIGRESS_DOCKER_BUILDX_RULE ?= $(foreach VARIANT,$(DOCKER_BUILD_VARIANTS), time (mkdir -p $(HIGRESS_DOCKER_BUILD_TOP)/$@ && TARGET_ARCH=$(TARGET_ARCH) ./docker/docker-copy.sh $^ $(HIGRESS_DOCKER_BUILD_TOP)/$@ && cd $(HIGRESS_DOCKER_BUILD_TOP)/$@ $(BUILD_PRE) && docker buildx create --name higress --node higress0 --platform linux/amd64,linux/arm64 --use && docker buildx build --no-cache --platform linux/amd64,linux/arm64 $(BUILD_ARGS) --build-arg BASE_DISTRIBUTION=$(call normalize-tag,$(VARIANT)) -t $(IMG_URL)$(call variant-tag,$(VARIANT)) -f Dockerfile.higress . --push  ); )
+HIGRESS_DOCKER_RULE ?= $(foreach VARIANT,$(DOCKER_BUILD_VARIANTS), time (mkdir -p $(HIGRESS_DOCKER_BUILD_TOP)/$@ && TARGET_ARCH=$(TARGET_ARCH) ./docker/docker-copy.sh $^ $(HIGRESS_DOCKER_BUILD_TOP)/$@ && cd $(HIGRESS_DOCKER_BUILD_TOP)/$@ $(BUILD_PRE) && docker build $(BUILD_ARGS) --build-arg BASE_DISTRIBUTION=$(call normalize-tag,$(VARIANT)) -t $(IMG_URL)$(call variant-tag,$(VARIANT)) -f Dockerfile.higress . ); )
--- a/docs/architecture.md
+++ b/docs/architecture.md
@@ -0,0 +1,143 @@
+# Higress 核心组件和原理
+
+Higress 是基于 Envoy 和 Istio 进行二次定制化开发构建和功能增强，同时利用 Envoy 和 Istio 一些插件机制，实现了一个轻量级的网关服务。其包括 3 个核心组件：Higress Controller（控制器）、Higress Gateway（网关）和 Higress Console（控制台）。
+下图概况了其核心工作流程：
+
+![img](./images/img_02_01.png)
+
+本章将重点介绍 Higress 的两个核心组件：Higress Controller 和 Higress Gateway。
+
+## 1 Higress Console
+
+Higress Console 是 Higress 网关的管理控制台，主要功能是管理 Higress 网关的路由配置、插件配置等。
+
+### 1.1 Higress Admin SDK
+
+Higress Admin SDK 脱胎于 Higress Console。起初，它作为 Higress Console 的一部分，为前端界面提供实际的功能支持。后来考虑到对接外部系统等需求，将配置管理的部分剥离出来，形成一个独立的逻辑组件，便于和各个系统进行对接。目前支持服务来源管理、服务管理、路由管理、域名管理、证书管理、插件管理等功能。
+Higress Admin SDK 现在只提供 Java 版本，且要求 JDK 版本不低于 17。具体如何集成请参考 Higress 官方 BLOG [如何使用 Higress Admin SDK 进行配置管理](https://higress.io/zh-cn/blog/admin-sdk-intro)。
+
+## 2 Higress Controller
+
+Higress Controller（控制器） 是 Higress 的核心组件，其功能主要是实现 Higress 网关的服务发现、动态配置管理，以及动态下发配置给数据面。Higress Controller 内部包含两个子组件：Discovery 和  Higress Core。
+
+### 2.1 Discovery 组件
+
+Discovery 组件（Istio Pilot-Discovery）是 Istio 的核心组件，负责服务发现、配置管理、证书签发、控制面和数据面之间的通讯和配置下发等。Discovery 内部结构比较复杂，本文只介绍 Discovery 配置管理和服务发现的基本原理，其核心功能的详细介绍可以参考赵化冰老师的 BLOG [Istio Pilot 组件介绍](https://www.zhaohuabing.com/post/2019-10-21-pilot-discovery-code-analysis/)。
+Discovery 将 Kubernetes Service、Gateway API 配置等转换成 Istio 配置，然后将所有 Istio 配置合并转成符合 xDS 接口规范的数据结构，通过 GRPC 下发到数据面的 Envoy。其工作原理如下图：
+
+![img](./images/img_02_02.png)
+
+#### 2.1.1 Config Controller
+
+Discovery 为了更好管理 Istio 配置来源，提供 `Config Controller` 用于管理各种配置来源，目前支持 4 种类型的 `Config Controller`：
+
+- Kubernetes：使用 Kubernetes 作为配置信息来源，该方式的直接依赖 Kubernetes 强大的 CRD 机制来存储配置信息，简单方便，是 Istio 最开始使用的配置信息存储方案, 其中包括 `Kubernetes Controller` 和 `Gateway API Controller` 两个实现。
+- MCP（Mesh Configuration Protocol）：使用 Kubernetes 存储配置数据导致了 Istio 和 Kubernetes 的耦合，限制了 Istio 在非 Kubernetes 环境下的运用。为了解决该耦合，Istio 社区提出了 MCP。
+- Memory：一个基于内存的 Config Controller 实现，主要用于测试。
+- File：一个基于文件的 Config Controller 实现，主要用于测试。
+
+1. Istio 配置
+
+Istio 配置包括：`Gateway`、`VirtualService`、`DestinationRule`、`ServiceEntry`、`EnvoyFilter`、`WasmPlugin`、`WorkloadEntry`、`WorkloadGroup` 等，可以参考 Istio 官方文档[流量管理](https://istio.io/latest/zh/docs/reference/config/networking/)了解更多配置信息。
+
+2. Gateway API 配置
+
+Gateway API 配置包括：`GatewayClass`、`Gateway`、`HttpRoute`、`TCPRoute`、`GRPCRoute` 等, 可以参考 Gateway API 官方文档 [Gateway API](https://gateway-api.sigs.k8s.io/api-types/gateway/) 了解更多配置信息。
+
+3. MCP over xDS
+
+Discovery 作为 MCP Client，任何实现了 MCP 协议的 Server 都可以通过 MCP 协议向 Discovery 下发配置信息，从而消除了 Istio 和 Kubernetes 之间的耦合, 同时使 Istio 的配置信息处理更加灵活和可扩展。
+同时 MCP 是一种基于 xDS 协议的配置管理协议，Higress Core 通过实现 MCP 协议，使 Higress Core 成为 Discovery 的 Istio 配置来源。
+
+4. Config Controller 来源配置
+
+在 `higress-system` 命名空间中，名为 `higress-config` 的 Configmap 中，`mesh` 配置项包含一个 `configSources` 属性用于配置来源。其 Configmap 部分配置项如下：
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: higress-config
+  namespace: higress-system
+data:
+  mesh: |-
+    accessLogEncoding: TEXT
+    ...
+    configSources:
+    - address: xds://127.0.0.1:15051
+    - address: k8s://
+    ...
+  meshNetworks: "networks: {}"
+```
+
+#### 2.1.2 Service Controller
+
+`Service Controller` 用于管理各种 `Service Registry`，提供服务发现数据，目前 Istio 支持的 `Service Registry` 主要包括：
+
+- Kubernetes：对接 Kubernetes Registry，可以将 Kubernetes 中定义的 Service 和 Endpoint 采集到 Istio 中。
+- Memory：一个基于内存的 Service Controller 实现，主要用于测试。
+
+### 2.2 Higress Core 组件
+
+Higress Core 核心逻辑如下图：
+
+![img](./images/img_02_03.png)
+
+
+Higress Core 内部包含两个核心子组件: Ingress Config 和 Cert Server。
+
+#### 2.2.1 Ingress Config
+
+Ingress Config 包含 6 个控制器，各自负责不同的功能：
+
+- Ingress Controller：监听 Ingress 资源，将 Ingress 转换为 Istio 的 Gateway、VirtualService、DestinationRule 等资源。
+- Gateway Controller：监听 Gateway、VirtualService、DestinationRule 等资源。
+- McpBridge Controller：根据 McpBridge 的配置，将来自 Nacos、Eureka、Consul、Zookeeper 等外部注册中心或 DNS 的服务信息转换成 Istio ServiceEntry 资源。
+- Http2Rpc Controller：监听 Http2Rpc 资源，实现 HTTP 协议到 RPC 协议的转换。用户可以通过配置协议转换，将 RPC 服务以 HTTP 接口的形式暴露，从而使用 HTTP 请求调用 RPC 接口。
+- WasmPlugin Controller：监听 WasmPlugin 资源，将 Higress WasmPlugin 转化为 Istio WasmPlugin。Higress WasmPlugin 在 Istio WasmPlugin 的基础上进行了扩展，支持全局、路由、域名、服务级别的配置。
+- ConfigmapMgr：监听 Higress 的全局配置 `higress-config` ConfigMap，可以根据 tracing、gzip 等配置构造 EnvoyFilter。
+
+#### 2.2.2 Cert Server
+
+Cert Server 管理 Secret 资源和证书自动签发。
+
+## 3 Higress Gateway
+
+Higress Gateway 内部包含两个子组件：Pilot Agent 和 Envoy。Pilot Agent 主要负责 Envoy 的启动和配置，同时代理 Envoy xDS 请求到 Discovery。 Envoy 作为数据面，负责接收控制面的配置下发，并代理请求到业务服务。 Pilot Agent 和 Envoy 之间通讯协议是使用 xDS 协议， 通过 Unix Domain Socket（UDS）进行通信。
+Envoy 核心架构如下图：
+
+![img](./images/img_02_04.png)
+
+### 1 Envoy 核心组件
+
+- 下游（Downstream）:
+  下游是 Envoy 的客户端，它们负责发起请求并接收 Envoy 的响应。下游通常是最终用户的设备或服务，它们通过 Envoy 代理与后端服务进行通信。
+
+- 上游（Upstream）:
+  上游是 Envoy 的后端服务器，它们接收 Envoy 代理的连接和请求。上游提供服务或数据，对来自下游客户端的请求进行处理并返回响应。
+
+- 监听器（Listener）:
+  监听器是可以接受来自下游客户端连接的网络地址（如 IP 地址和端口，Unix Domain Socket 等）。Envoy 支持在单个进程中配置任意数量的监听器。监听器可以通过 `Listener Discovery Service（LDS）`来动态发现和更新。
+
+- 路由（Router）:
+  路由器是 Envoy 中连接下游和上游的桥梁。它负责决定如何将监听器接收到的请求路由到适当的集群。路由器根据配置的路由规则，如路径、HTTP 标头 等，来确定请求的目标集群，从而实现精确的流量控制和路由。路由器可以通过 `Route Discovery Service（RDS）`来动态发现和更新。
+
+- 集群（Cluster）:
+  集群是一组逻辑上相似的服务提供者的集合。集群成员的选择由负载均衡策略决定，确保请求能够均匀或按需分配到不同的服务实例。集群可以通过 `Cluster Discovery Service（CDS）`来动态发现和更新。
+
+- 端点（Endpoint）:
+  端点是上游集群中的具体服务实例，可以是 IP 地址和端口号的组合。端点可以通过 `Endpoint Discovery Service（EDS）`来动态发现和更新。
+
+- SSL/TLS:
+  Envoy 可以通过 `Secret Discovery Service (SDS)` 动态获取监听器和集群所需的 TLS 证书、私钥以及信任的根证书和撤销机制等配置信息。
+
+通过这些组件的协同工作，Envoy 能够高效地处理网络请求，提供流量管理、负载均衡、服务发现和动态路由等关键功能。
+要详细了解 Envoy 的工作原理，可以参考[Envoy 官方文档](https://www.envoyproxy.io/docs/envoy/latest/intro/intro)，最佳的方式可以通过一个请求通过 [Envoy 代理的生命周期](https://www.envoyproxy.io/docs/envoy/latest/intro/life_of_a_request)事件的过程来理解 Envoy 的工作原理。
+
+
+## 参考
+
+- [1] [Istio Pilot 组件介绍](https://www.zhaohuabing.com/post/2019-10-21-pilot-discovery-code-analysis/)
+- [2] [Istio 服务注册插件机制代码解析](https://www.zhaohuabing.com/post/2019-02-18-pilot-service-registry-code-analysis/)
+- [3] [Istio Pilot代码深度解析](https://www.zhaohuabing.com/post/2019-10-21-pilot-discovery-code-analysis/)
+- [4] [Envoy 官方文档](https://www.envoyproxy.io/docs/envoy/latest/intro/intro)
--- a/docs/images/img_02_01.png
+++ b/docs/images/img_02_01.png
--- a/docs/images/img_02_02.png
+++ b/docs/images/img_02_02.png
--- a/docs/images/img_02_03.png
+++ b/docs/images/img_02_03.png
--- a/docs/images/img_02_04.png
+++ b/docs/images/img_02_04.png
--- a/envoy/envoy
+++ b/envoy/envoy
--- a/go.mod
+++ b/go.mod
@@ -119,7 +119,6 @@ require (
 	github.com/google/uuid v1.3.1 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
-	github.com/gorilla/mux v1.8.0 // indirect
 	github.com/grafana/regexp v0.0.0-20221122212121-6b5c0a4cb7fd // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
@@ -176,13 +175,13 @@ require (
 	github.com/prometheus/common v0.45.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/prometheus/prometheus v0.45.0 // indirect
-	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/sergi/go-diff v1.2.0 // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spaolacci/murmur3 v1.1.0 // indirect
 	github.com/spf13/cast v1.5.1 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
+	github.com/tetratelabs/wazero v1.7.3 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.0 // indirect
 	github.com/toolkits/concurrent v0.0.0-20150624120057-a4371d70e3e3 // indirect
--- a/go.sum
+++ b/go.sum
@@ -1623,7 +1623,6 @@ github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD
 github.com/ruudk/golang-pdf417 v0.0.0-20181029194003-1af4ab5afa58/go.mod h1:6lfFZQK844Gfx8o5WFuvpxWRwnSoipWe/p622j1v06w=
 github.com/ruudk/golang-pdf417 v0.0.0-20201230142125-a7e3863a1245/go.mod h1:pQAZKsJ8yyVxGRWYNEm9oFB8ieLgKFnamEyDmSA0BRk=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
-github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
 github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 h1:nn5Wsu0esKSJiIVhscUtVbo7ada43DJhG55ua/hjS5I=
@@ -1705,6 +1704,8 @@ github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcU
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/tebeka/strftime v0.1.3 h1:5HQXOqWKYRFfNyBMNVc9z5+QzuBtIXy03psIhtdJYto=
 github.com/tebeka/strftime v0.1.3/go.mod h1:7wJm3dZlpr4l/oVK0t1HYIc4rMzQ2XJlOMIUJUJH6XQ=
+github.com/tetratelabs/wazero v1.7.3 h1:PBH5KVahrt3S2AHgEjKu4u+LlDbbk+nsGE3KLucy6Rw=
+github.com/tetratelabs/wazero v1.7.3/go.mod h1:ytl6Zuh20R/eROuyDaGPkp82O9C/DJfXAwJfQ3X6/7Y=
 github.com/tidwall/gjson v1.17.0 h1:/Jocvlh98kcTfpN2+JzGQWQcqrPQwDrVEMApx/M5ZwM=
 github.com/tidwall/gjson v1.17.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
--- a/helm/core/Chart.yaml
+++ b/helm/core/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 2.0.0-rc.1
+appVersion: 2.0.7
 description: Helm chart for deploying higress gateways
 icon: https://higress.io/img/higress_logo_small.png
 home: http://higress.io/
@@ -10,4 +10,4 @@ name: higress-core
 sources:
 - http://github.com/alibaba/higress
 type: application
-version: 2.0.0-rc.1
+version: 2.0.7
--- a/helm/core/crds/customresourcedefinitions.gen.yaml
+++ b/helm/core/crds/customresourcedefinitions.gen.yaml
@@ -284,6 +284,10 @@ spec:
                      type: string
                    port:
                      type: integer
+                    protocol:
+                      type: string
+                    sni:
+                      type: string
                    type:
                      type: string
                    zkServicesPath:
@@ -302,3 +306,4 @@ spec:
    subresources:
      status: {}

+---
--- a/helm/core/crds/istio-envoyfilter.yaml
+++ b/helm/core/crds/istio-envoyfilter.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
--- a/helm/core/templates/_helpers.tpl
+++ b/helm/core/templates/_helpers.tpl
@@ -101,3 +101,15 @@ higress: {{ include "controller.name" . }}
 true
 {{- end }}
 {{- end }}
+
+{{- define "gateway.podMonitor.gvk" -}}
+{{- if eq .Values.gateway.metrics.provider "monitoring.coreos.com" -}}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+{{- else if eq .Values.gateway.metrics.provider "operator.victoriametrics.com" -}}
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMPodScrape
+{{- else -}}
+{{- fail "unexpected gateway.metrics.provider" -}}
+{{- end -}}
+{{- end -}}
--- a/helm/core/templates/_pod.tpl
+++ b/helm/core/templates/_pod.tpl
@@ -0,0 +1,319 @@
+
+{{/*
+Rendering the pod template of gateway component.
+*/}}
+{{- define "gateway.podTemplate" -}}
+{{- $o11y := .Values.global.o11y -}}
+template:
+  metadata:
+    annotations:
+    {{- if .Values.gateway.podAnnotations }}
+      {{- toYaml .Values.gateway.podAnnotations | nindent 6 }}
+    {{- end }}
+    labels:
+      sidecar.istio.io/inject: "false"
+      {{- with .Values.gateway.revision }}
+      istio.io/rev: {{ . }}
+      {{- end }}
+      {{- include "gateway.selectorLabels" . | nindent 6 }}
+  spec:
+    {{- with .Values.gateway.imagePullSecrets }}
+    imagePullSecrets:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    serviceAccountName: {{ include "gateway.serviceAccountName" . }}
+    {{- if .Values.global.priorityClassName }}
+    priorityClassName: "{{ .Values.global.priorityClassName }}"
+    {{- end }}
+    securityContext:
+    {{- if .Values.gateway.securityContext }}
+      {{- toYaml .Values.gateway.securityContext | nindent 6 }}
+    {{- else if and .Values.gateway.unprivilegedPortSupported (and (not .Values.gateway.hostNetwork) (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion)) }}
+      # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+      sysctls:
+      - name: net.ipv4.ip_unprivileged_port_start
+        value: "0"
+    {{- end }}
+    containers:
+      - name: higress-gateway
+        image: "{{ .Values.gateway.hub | default .Values.global.hub }}/{{ .Values.gateway.image | default "gateway" }}:{{ .Values.gateway.tag | default .Chart.AppVersion }}"
+        args:
+          - proxy
+          - router
+          - --domain
+          - $(POD_NAMESPACE).svc.cluster.local
+          - --proxyLogLevel=warning
+          - --proxyComponentLogLevel=misc:error
+          - --log_output_level=all:info
+          - --serviceCluster=higress-gateway
+        securityContext:
+        {{- if .Values.gateway.containerSecurityContext }}
+          {{- toYaml .Values.gateway.containerSecurityContext | nindent 10 }}
+        {{- else if and .Values.gateway.unprivilegedPortSupported (and (not .Values.gateway.hostNetwork) (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion)) }}
+          # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+          capabilities:
+            drop:
+            - ALL
+          allowPrivilegeEscalation: false
+          privileged: false
+          # When enabling lite metrics, the configuration template files need to be replaced.
+          {{- if not .Values.global.liteMetrics }}
+          readOnlyRootFilesystem: true
+          {{- end }}
+          runAsUser: 1337
+          runAsGroup: 1337
+          runAsNonRoot: true
+        {{- else }}
+          capabilities:
+            drop:
+            - ALL
+            add:
+            - NET_BIND_SERVICE
+          runAsUser: 0
+          runAsGroup: 1337
+          runAsNonRoot: false
+          allowPrivilegeEscalation: true
+        {{- end }}
+        env:
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: status.podIP
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: status.hostIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: PROXY_XDS_VIA_AGENT
+          value: "true"
+        - name: ENABLE_INGRESS_GATEWAY_SDS
+          value: "false"
+        - name: JWT_POLICY
+          value: {{ include "controller.jwtPolicy" . }}
+        - name: ISTIO_META_HTTP10
+          value: "1"
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ $.Values.clusterName | default `Kubernetes` }}"
+        - name: INSTANCE_NAME
+          value: "higress-gateway"
+        {{- if .Values.global.liteMetrics }}
+        - name: LITE_METRICS
+          value: "on"
+        {{- end }}
+        {{- if include "skywalking.enabled" . }}
+        - name: ISTIO_BOOTSTRAP_OVERRIDE
+          value: /etc/istio/custom-bootstrap/custom_bootstrap.json
+        {{- end }}
+        {{- with .Values.gateway.networkGateway }}
+        - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+          value: "{{.}}"
+        {{- end }}
+        {{- range $key, $val := .Values.gateway.env }}
+        - name: {{ $key }}
+          value: {{ $val | quote }}
+        {{- end }}
+        ports:
+        - containerPort: 15020
+          protocol: TCP
+          name: istio-prom
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        {{- if or .Values.global.local .Values.global.kind }}
+        - containerPort: {{ .Values.gateway.httpPort }}
+          hostPort:  {{ .Values.gateway.httpPort }}
+          name: http
+          protocol: TCP
+        - containerPort:  {{ .Values.gateway.httpsPort }}
+          hostPort:  {{ .Values.gateway.httpsPort }}
+          name: https
+          protocol: TCP
+        {{- end }}
+        readinessProbe:
+          failureThreshold: {{ .Values.gateway.readinessFailureThreshold }}
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: {{ .Values.gateway.readinessInitialDelaySeconds }}
+          periodSeconds: {{ .Values.gateway.readinessPeriodSeconds }}
+          successThreshold: {{ .Values.gateway.readinessSuccessThreshold }}
+          timeoutSeconds: {{ .Values.gateway.readinessTimeoutSeconds }}
+        {{- if not (or .Values.global.local .Values.global.kind) }}
+        resources:
+          {{- toYaml .Values.gateway.resources | nindent 10 }}
+        {{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/workload-spiffe-uds
+          name: workload-socket
+        - mountPath: /var/run/secrets/credential-uds
+          name: credential-socket
+        - mountPath: /var/run/secrets/workload-spiffe-credentials
+          name: workload-certs
+        {{- if eq (include "controller.jwtPolicy" .) "third-party-jwt" }}
+        - name: istio-token
+          mountPath: /var/run/secrets/tokens
+          readOnly: true
+        {{- end }}
+        - name: config
+          mountPath: /etc/istio/config
+        - name: higress-ca-root-cert
+          mountPath: /var/run/secrets/istio
+        - name: istio-data
+          mountPath: /var/lib/istio/data
+        - name: podinfo
+          mountPath: /etc/istio/pod
+        - name: proxy-socket
+          mountPath: /etc/istio/proxy
+        {{- if include "skywalking.enabled" . }}
+        - mountPath: /etc/istio/custom-bootstrap
+          name: custom-bootstrap-volume
+        {{- end }}
+        {{- if .Values.global.volumeWasmPlugins }}
+        - mountPath: /opt/plugins
+          name: local-wasmplugins-volume
+        {{- end }}
+        {{- if $o11y.enabled }}
+        - mountPath: /var/log/proxy
+          name: log
+        {{- end }}
+      {{- if $o11y.enabled }}
+        {{- $config := $o11y.promtail }}
+      - name: promtail
+        image: {{ $config.image.repository }}:{{ $config.image.tag }}
+        imagePullPolicy: IfNotPresent
+        args:
+          - -config.file=/etc/promtail/promtail.yaml
+        env:
+          - name: 'HOSTNAME'
+            valueFrom:
+              fieldRef:
+                fieldPath: 'spec.nodeName'
+        ports:
+          - containerPort: {{ $config.port }}
+            name: http-metrics
+            protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /ready
+            port: {{ $config.port }}
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        volumeMounts:
+          - name: promtail-config
+            mountPath: "/etc/promtail"
+          - name: log
+            mountPath: /var/log/proxy
+          - name: tmp
+            mountPath: /tmp
+      {{- end }}
+    {{- if .Values.gateway.hostNetwork }}
+    hostNetwork: {{ .Values.gateway.hostNetwork }}
+    dnsPolicy: ClusterFirstWithHostNet
+    {{- end }}
+    {{- with .Values.gateway.nodeSelector }}
+    nodeSelector:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- with .Values.gateway.affinity }}
+    affinity:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- with .Values.gateway.tolerations }}
+    tolerations:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    volumes:
+    - emptyDir: {}
+      name: workload-socket
+    - emptyDir: {}
+      name: credential-socket
+    - emptyDir: {}
+      name: workload-certs
+    {{- if eq (include "controller.jwtPolicy" .) "third-party-jwt" }}
+    - name: istio-token
+      projected:
+        sources:
+          - serviceAccountToken:
+              audience: istio-ca
+              expirationSeconds: 43200
+              path: istio-token
+    {{- end }}
+    - name: higress-ca-root-cert
+      configMap:
+        name: higress-ca-root-cert
+    - name: config
+      configMap:
+        name: higress-config
+    {{- if include "skywalking.enabled" . }}
+    - configMap:
+        defaultMode: 420
+        name: higress-custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    - name: istio-data
+      emptyDir: {}
+    - name: proxy-socket
+      emptyDir: {}
+    {{- if $o11y.enabled }}
+    - name: log
+      emptyDir: {}
+    - name: tmp
+      emptyDir: {}
+    - name: promtail-config
+      configMap:
+        name: higress-promtail
+    {{- end }}
+    - name: podinfo
+      downwardAPI:
+        defaultMode: 420
+        items:
+        - fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.labels
+          path: labels
+        - fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.annotations
+          path: annotations
+        - path: cpu-request
+          resourceFieldRef:
+            containerName: higress-gateway
+            divisor: 1m
+            resource: requests.cpu
+        - path: cpu-limit
+          resourceFieldRef:
+            containerName: higress-gateway
+            divisor: 1m
+            resource: limits.cpu
+    {{- if .Values.global.volumeWasmPlugins }}
+    - name: local-wasmplugins-volume
+      hostPath:
+        path: /opt/plugins
+        type: Directory
+    {{- end }}
+{{- end -}}
--- a/helm/core/templates/configmap.yaml
+++ b/helm/core/templates/configmap.yaml
@@ -9,7 +9,7 @@
    accessLogFile: "/dev/stdout"
    {{- end }}
    ingressControllerMode: "OFF"
-    accessLogFormat: '{"authority":"%REQ(X-ENVOY-ORIGINAL-HOST?:AUTHORITY)%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","duration":"%DURATION%","istio_policy_status":"%DYNAMIC_METADATA(istio.mixer:status)%","method":"%REQ(:METHOD)%","path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","request_id":"%REQ(X-REQUEST-ID)%","requested_server_name":"%REQUESTED_SERVER_NAME%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","route_name":"%ROUTE_NAME%","start_time":"%START_TIME%","trace_id":"%REQ(X-B3-TRACEID)%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_host":"%UPSTREAM_HOST%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","user_agent":"%REQ(USER-AGENT)%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","response_code_details":"%RESPONSE_CODE_DETAILS%"}
+    accessLogFormat: '{"ai_log":"%FILTER_STATE(wasm.ai_log:PLAIN)%","authority":"%REQ(X-ENVOY-ORIGINAL-HOST?:AUTHORITY)%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","duration":"%DURATION%","istio_policy_status":"%DYNAMIC_METADATA(istio.mixer:status)%","method":"%REQ(:METHOD)%","path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","request_id":"%REQ(X-REQUEST-ID)%","requested_server_name":"%REQUESTED_SERVER_NAME%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","route_name":"%ROUTE_NAME%","start_time":"%START_TIME%","trace_id":"%REQ(X-B3-TRACEID)%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_host":"%UPSTREAM_HOST%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","user_agent":"%REQ(USER-AGENT)%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","response_code_details":"%RESPONSE_CODE_DETAILS%"}

    '
    dnsRefreshRate: 200s
@@ -20,11 +20,7 @@
    # When processing a leaf namespace Istio will search for declarations in that namespace first
    # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
    # is processed as if it were declared in the leaf namespace.
-    {{- if .Values.global.enableHigressIstio }}
-    rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
-    {{- else }}
    rootNamespace: {{ .Release.Namespace }}
-    {{- end }}

    configSources:
      - address: "xds://127.0.0.1:15051"
@@ -85,12 +81,8 @@
      discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
      {{- end }}
      {{- else }}
-      {{- if .Values.global.enableHigressIstio }}
-      discoveryAddress: {{ printf "istiod.%s.svc" .Values.global.istioNamespace }}:15012
-      {{- else }}
      discoveryAddress: {{ include "controller.name" . }}.{{.Release.Namespace}}.svc:15012
      {{- end }}
-      {{- end }}
      proxyStatsMatcher:
        inclusionRegexps:
        - ".*"
@@ -116,6 +108,12 @@ data:
    {{- $existingData = index $existingConfig.data "higress" | default "{}" | fromYaml }}
    {{- end }}
    {{- $newData := dict }}
+    {{- if hasKey .Values "upstream" }}
+    {{- $_ := set $newData "upstream" .Values.upstream }}
+    {{- end }}
+    {{- if hasKey .Values "downstream" }}
+    {{- $_ := set $newData "downstream" .Values.downstream }}
+    {{- end }}
    {{- if and (hasKey .Values "tracing") .Values.tracing.enable }}
    {{- $_ := set $newData "tracing" .Values.tracing }}
    {{- end }}
@@ -155,44 +153,12 @@ data:
            "transport_api_version": "V3",
            "grpc_service": {
              "envoy_grpc": {
-                "cluster_name": "service_skywalking"
+                "cluster_name": "outbound|{{ .Values.tracing.skywalking.port }}||{{ .Values.tracing.skywalking.service }}"
              }
            }
          }
        }
-      ],
-      "static_resources": {
-        "clusters": [
-          {
-            "name": "service_skywalking",
-            "type": "LOGICAL_DNS",
-            "connect_timeout": "5s",
-            "http2_protocol_options": {
-            },
-            "dns_lookup_family": "V4_ONLY",
-            "lb_policy": "ROUND_ROBIN",
-            "load_assignment": {
-              "cluster_name": "service_skywalking",
-              "endpoints": [
-                {
-                  "lb_endpoints": [
-                    {
-                      "endpoint": {
-                        "address": {
-                          "socket_address": {
-                            "address": "{{ .Values.tracing.skywalking.service }}",
-                            "port_value": "{{ .Values.tracing.skywalking.port }}"
-                          }
-                        }
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          }
-        ]
-      }
+      ]
    }
 ---
 {{- end }}
--- a/helm/core/templates/controller-clusterrole.yaml
+++ b/helm/core/templates/controller-clusterrole.yaml
@@ -129,3 +129,10 @@ rules:
  - apiGroups: ["networking.internal.knative.dev"]
    resources: ["ingresses/status"]
    verbs: ["get","patch","update"]
+  # gateway api need
+  - apiGroups: ["apps"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "deployments" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "serviceaccounts"]
--- a/helm/core/templates/controller-deployment.yaml
+++ b/helm/core/templates/controller-deployment.yaml
@@ -69,6 +69,12 @@ spec:
                fieldPath: spec.serviceAccountName
          - name: DOMAIN_SUFFIX
            value: {{ .Values.global.proxy.clusterDomain }}
+          - name: GATEWAY_NAME
+            value: {{ include "gateway.name" . }}
+          - name: PILOT_ENABLE_GATEWAY_API
+            value: "{{ .Values.global.enableGatewayAPI }}"
+          - name: PILOT_ENABLE_ALPHA_GATEWAY_API
+            value: "{{ .Values.global.enableGatewayAPI }}"
          {{- if .Values.controller.env }}
          {{- range $key, $val := .Values.controller.env }}
          - name: {{ $key }}
@@ -90,7 +96,6 @@ spec:
          volumeMounts:
          - name: log
            mountPath: /var/log
-{{- if not .Values.global.enableHigressIstio }}
        - name: discovery
          image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Chart.AppVersion }}"
 {{- if .Values.global.imagePullPolicy }}
@@ -131,8 +136,14 @@ spec:
            periodSeconds: 3
            timeoutSeconds: 5
          env:
+          - name: ENABLE_PUSH_ALL_MCP_CLUSTERS
+            value: "{{ .Values.global.enablePushAllMCPClusters }}"
+          - name: PILOT_ENABLE_LDS_CACHE
+            value: "{{ .Values.global.enableLDSCache }}"
          - name: PILOT_ENABLE_QUIC_LISTENERS
            value: "true"
+          - name: VALIDATION_WEBHOOK_CONFIG_NAME
+            value: ""
          - name: ISTIO_DUAL_STACK
            value: "{{ .Values.global.enableIPv6 }}"
          - name: PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS
@@ -213,18 +224,16 @@ spec:
          - name: HIGRESS_ENABLE_ISTIO_API
            value: "true"
          {{- end }}
-          {{- if .Values.global.enableGatewayAPI }}
          - name: PILOT_ENABLE_GATEWAY_API
-            value: "true"
+            value: "false"
+          - name: PILOT_ENABLE_ALPHA_GATEWAY_API
+            value: "false"
          - name: PILOT_ENABLE_GATEWAY_API_STATUS
-            value: "true"
+            value: "false"
          - name: PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER
            value: "false"
-          {{- end }}
-          {{- if not .Values.global.enableHigressIstio }}
          - name: CUSTOM_CA_CERT_NAME
            value: "higress-ca-root-cert"
-          {{- end }}
          {{- if not (or .Values.global.local .Values.global.kind) }}
          resources:
 {{- if .Values.pilot.resources }}
@@ -261,7 +270,6 @@ spec:
          - name: extracacerts
            mountPath: /cacerts
          {{- end }}
-{{- end }}
      {{- with .Values.controller.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
@@ -277,7 +285,6 @@ spec:
      volumes:
      - name: log
        emptyDir: {}
-      {{- if not .Values.global.enableHigressIstio }}
      - name: config
        configMap:
          name: higress-config
@@ -309,4 +316,3 @@ spec:
        configMap:
          name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
  {{- end }}
-      {{- end }}
--- a/helm/core/templates/controller-service.yaml
+++ b/helm/core/templates/controller-service.yaml
@@ -9,7 +9,6 @@ spec:
  type: {{ .Values.controller.service.type }}
  ports:
    {{- toYaml .Values.controller.ports | nindent 4 }}
-    {{- if not .Values.global.enableHigressIstio }}
    - port: 15010
      name: grpc-xds # plaintext
      protocol: TCP
@@ -23,6 +22,5 @@ spec:
    - port: 15014
      name: http-monitoring # prometheus stats
      protocol: TCP
-    {{- end }}
  selector:
    {{- include "controller.selectorLabels" . | nindent 4 }}
--- a/helm/core/templates/daemonset.yaml
+++ b/helm/core/templates/daemonset.yaml
@@ -1,15 +1,19 @@
 {{- if eq .Values.gateway.kind "DaemonSet" -}}
 {{- $o11y := .Values.global.o11y  }}
-{{- $unprivilegedPortSupported := true }}
-{{- range $index, $node := (lookup "v1" "Node" "default" "").items }}
+{{- if eq .Values.gateway.unprivilegedPortSupported nil -}}
+  {{- $unprivilegedPortSupported := true }}
+  {{- range $index, $node := (lookup "v1" "Node" "default" "").items }}
    {{- $kernelVersion := $node.status.nodeInfo.kernelVersion }}
    {{- if $kernelVersion }}
      {{- $kernelVersion = regexFind "^(\\d+\\.\\d+\\.\\d+)" $kernelVersion }}
      {{- if and $kernelVersion (semverCompare "<4.11.0" $kernelVersion) }}
-      {{-   $unprivilegedPortSupported = false }}
+      {{- $unprivilegedPortSupported = false }}
      {{- end }}
    {{- end }}
+  {{- end -}}
+  {{- $_ := set .Values.gateway "unprivilegedPortSupported" $unprivilegedPortSupported -}}
 {{- end -}}
+
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -23,310 +27,5 @@ spec:
  selector:
    matchLabels:
      {{- include "gateway.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      annotations:
-      {{- if .Values.global.enableHigressIstio }}
-        "enableHigressIstio": "true"
-      {{- end }}
-      {{- if .Values.gateway.podAnnotations }}
-        {{- toYaml .Values.gateway.podAnnotations | nindent 8 }}
-      {{- end }}
-      labels:
-        sidecar.istio.io/inject: "false"
-        {{- with .Values.gateway.revision }}
-        istio.io/rev: {{ . }}
-        {{- end }}
-        {{- include "gateway.selectorLabels" . | nindent 8 }}
-    spec:
-      {{- with .Values.gateway.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "gateway.serviceAccountName" . }}
-      {{- if .Values.global.priorityClassName }}
-      priorityClassName: "{{ .Values.global.priorityClassName }}"
-      {{- end }}
-      securityContext:
-      {{- if .Values.gateway.securityContext }}
-        {{- toYaml .Values.gateway.securityContext | nindent 8 }}
-      {{- else if and $unprivilegedPortSupported (and (not .Values.gateway.hostNetwork) (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion)) }}
-        # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
-        sysctls:
-        - name: net.ipv4.ip_unprivileged_port_start
-          value: "0"
-      {{- end }}
-      containers:
-        {{- if $o11y.enabled }}
-          {{- $config := $o11y.promtail }}
-        - name: promtail
-          image: {{ $config.image.repository }}:{{ $config.image.tag }}
-          imagePullPolicy: IfNotPresent
-          args:
-            - -config.file=/etc/promtail/promtail.yaml
-          env:
-            - name: 'HOSTNAME'
-              valueFrom:
-                fieldRef:
-                  fieldPath: 'spec.nodeName'
-          ports:
-            - containerPort: {{ $config.port }}
-              name: http-metrics
-              protocol: TCP
-          readinessProbe:
-            failureThreshold: 3
-            httpGet:
-              path: /ready
-              port: {{ $config.port }}
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 1
-          volumeMounts:
-            - name: promtail-config
-              mountPath: "/etc/promtail"
-            - name: log
-              mountPath: /var/log/proxy
-            - name: tmp
-              mountPath: /tmp
-        {{- end }}
-        - name: higress-gateway
-          image: "{{ .Values.gateway.hub | default .Values.global.hub }}/{{ .Values.gateway.image | default "gateway" }}:{{ .Values.gateway.tag | default .Chart.AppVersion }}"
-          args:
-            - proxy
-            - router
-            - --domain
-            - $(POD_NAMESPACE).svc.cluster.local
-            - --proxyLogLevel=warning
-            - --proxyComponentLogLevel=misc:error
-            - --log_output_level=all:info
-            - --serviceCluster=higress-gateway
-          securityContext:
-          {{- if .Values.gateway.containerSecurityContext }}
-            {{- toYaml .Values.gateway.containerSecurityContext | nindent 12 }}
-          {{- else if and $unprivilegedPortSupported (and (not .Values.gateway.hostNetwork) (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion)) }}
-            # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
-            capabilities:
-              drop:
-              - ALL
-            allowPrivilegeEscalation: false
-            privileged: false
-          # When enabling lite metrics, the configuration template files need to be replaced.
-          {{- if not .Values.global.liteMetrics }}
-            readOnlyRootFilesystem: true
-          {{- end }}
-            runAsUser: 1337
-            runAsGroup: 1337
-            runAsNonRoot: true
-          {{- else }}
-            capabilities:
-              drop:
-              - ALL
-              add:
-              - NET_BIND_SERVICE
-            runAsUser: 0
-            runAsGroup: 1337
-            runAsNonRoot: false
-            allowPrivilegeEscalation: true
-          {{- end }}
-          env:
-          - name: NODE_NAME
-            valueFrom:
-              fieldRef:
-                apiVersion: v1
-                fieldPath: spec.nodeName
-          - name: POD_NAME
-            valueFrom:
-              fieldRef:
-                apiVersion: v1
-                fieldPath: metadata.name
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                apiVersion: v1
-                fieldPath: metadata.namespace
-          - name: INSTANCE_IP
-            valueFrom:
-              fieldRef:
-                apiVersion: v1
-                fieldPath: status.podIP
-          - name: HOST_IP
-            valueFrom:
-              fieldRef:
-                apiVersion: v1
-                fieldPath: status.hostIP
-          - name: SERVICE_ACCOUNT
-            valueFrom:
-              fieldRef:
-                fieldPath: spec.serviceAccountName
-          - name: PILOT_XDS_SEND_TIMEOUT
-            value: 60s
-          - name: PROXY_XDS_VIA_AGENT
-            value: "true"
-          - name: ENABLE_INGRESS_GATEWAY_SDS
-            value: "false"
-          - name: JWT_POLICY
-            value: {{ include "controller.jwtPolicy" . }}
-          - name: ISTIO_META_HTTP10
-            value: "1"
-          - name: ISTIO_META_CLUSTER_ID
-            value: "{{ $.Values.clusterName | default `Kubernetes` }}"
-          - name: INSTANCE_NAME
-            value: "higress-gateway"
-          {{- if .Values.global.liteMetrics }}
-          - name: LITE_METRICS
-            value: "on"
-          {{- end }}
-          {{- if include "skywalking.enabled" . }}
-          - name: ISTIO_BOOTSTRAP_OVERRIDE
-            value: /etc/istio/custom-bootstrap/custom_bootstrap.json
-          {{- end }}
-          {{- with .Values.gateway.networkGateway }}
-          - name: ISTIO_META_REQUESTED_NETWORK_VIEW
-            value: "{{.}}"
-          {{- end }}
-          {{- range $key, $val := .Values.env }}
-          - name: {{ $key }}
-            value: {{ $val | quote }}
-          {{- end }}
-          ports:
-          - containerPort: 15090
-            protocol: TCP
-            name: http-envoy-prom
-          {{- if or .Values.global.local .Values.global.kind }}
-          - containerPort: {{ .Values.gateway.httpPort }}
-            hostPort:  {{ .Values.gateway.httpPort }}
-            name: http
-            protocol: TCP
-          - containerPort:  {{ .Values.gateway.httpsPort }}
-            hostPort:  {{ .Values.gateway.httpsPort }}
-            name: https
-            protocol: TCP
-          {{- end }}
-          readinessProbe:
-            failureThreshold: {{ .Values.gateway.readinessFailureThreshold }}
-            httpGet:
-              path: /healthz/ready
-              port: 15021
-              scheme: HTTP
-            initialDelaySeconds: {{ .Values.gateway.readinessInitialDelaySeconds }}
-            periodSeconds: {{ .Values.gateway.readinessPeriodSeconds }}
-            successThreshold: {{ .Values.gateway.readinessSuccessThreshold }}
-            timeoutSeconds: {{ .Values.gateway.readinessTimeoutSeconds }}
-          {{- if not (or .Values.global.local .Values.global.kind) }}
-          resources:
-            {{- toYaml .Values.gateway.resources | nindent 12 }}
-          {{- end }}
-          volumeMounts:
-          {{- if eq (include "controller.jwtPolicy" .) "third-party-jwt" }}
-          - name: istio-token
-            mountPath: /var/run/secrets/tokens
-            readOnly: true
-          {{- end }}
-          - name: config
-            mountPath: /etc/istio/config
-          - name: istio-ca-root-cert
-            mountPath: /var/run/secrets/istio
-          - name: istio-data
-            mountPath: /var/lib/istio/data
-          - name: podinfo
-            mountPath: /etc/istio/pod
-          - name: proxy-socket
-            mountPath: /etc/istio/proxy
-          {{- if include "skywalking.enabled" . }}
-          - mountPath: /etc/istio/custom-bootstrap
-            name: custom-bootstrap-volume
-          {{- end }}
-          {{- if .Values.global.volumeWasmPlugins }}
-          - mountPath: /opt/plugins
-            name: local-wasmplugins-volume
-          {{- end }}
-          {{- if $o11y.enabled }}
-          - mountPath: /var/log/proxy
-            name: log
-          {{- end }}
-      {{- if .Values.gateway.hostNetwork }}
-      hostNetwork: {{ .Values.gateway.hostNetwork }}
-      dnsPolicy: ClusterFirstWithHostNet
-      {{- end }}
-      {{- with .Values.gateway.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.gateway.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.gateway.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      volumes:
-      {{- if eq (include "controller.jwtPolicy" .) "third-party-jwt" }}
-      - name: istio-token
-        projected:
-          sources:
-            - serviceAccountToken:
-                audience: istio-ca
-                expirationSeconds: 43200
-                path: istio-token
-      {{- end }}
-      - name: istio-ca-root-cert
-        configMap:
-      {{- if .Values.global.enableHigressIstio }}
-          name: istio-ca-root-cert
-      {{- else }}
-          name: higress-ca-root-cert
-      {{- end }}
-      - name: config
-        configMap:
-          name: higress-config
-      {{- if include "skywalking.enabled" . }}
-      - configMap:
-          defaultMode: 420
-          name: higress-custom-bootstrap
-        name: custom-bootstrap-volume
-      {{- end }}
-      - name: istio-data
-        emptyDir: {}
-      - name: proxy-socket
-        emptyDir: {}
-      {{- if $o11y.enabled }}
-      - name: log
-        emptyDir: {}
-      - name: tmp
-        emptyDir: {}
-      - name: promtail-config
-        configMap:
-          name: higress-promtail
-      {{- end }}
-      - name: podinfo
-        downwardAPI:
-          defaultMode: 420
-          items:
-          - fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.labels
-            path: labels
-          - fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.annotations
-            path: annotations
-          - path: cpu-request
-            resourceFieldRef:
-              containerName: higress-gateway
-              divisor: 1m
-              resource: requests.cpu
-          - path: cpu-limit
-            resourceFieldRef:
-              containerName: higress-gateway
-              divisor: 1m
-              resource: limits.cpu
-      {{- if .Values.global.volumeWasmPlugins }}
-      - name: local-wasmplugins-volume
-        hostPath:
-          path: /opt/plugins
-          type: Directory
-      {{- end }}
+  {{- include "gateway.podTemplate" $ | nindent 2 -}}
 {{- end }}
--- a/helm/core/templates/deployment.yaml
+++ b/helm/core/templates/deployment.yaml
@@ -1,15 +1,18 @@
 {{- if eq .Values.gateway.kind "Deployment" -}}
-{{- $o11y := .Values.global.o11y  }}
-{{- $unprivilegedPortSupported := true }}
-{{- range $index, $node := (lookup "v1" "Node" "default" "").items }}
+{{- if eq .Values.gateway.unprivilegedPortSupported nil -}}
+  {{- $unprivilegedPortSupported := true }}
+  {{- range $index, $node := (lookup "v1" "Node" "default" "").items }}
    {{- $kernelVersion := $node.status.nodeInfo.kernelVersion }}
    {{- if $kernelVersion }}
      {{- $kernelVersion = regexFind "^(\\d+\\.\\d+\\.\\d+)" $kernelVersion }}
      {{- if and $kernelVersion (semverCompare "<4.11.0" $kernelVersion) }}
-      {{-   $unprivilegedPortSupported = false }}
+      {{- $unprivilegedPortSupported = false }}
      {{- end }}
    {{- end }}
+  {{- end -}}
+  {{- $_ := set .Values.gateway "unprivilegedPortSupported" $unprivilegedPortSupported -}}
 {{- end -}}
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -38,311 +41,7 @@ spec:
      {{- else }}
      maxUnavailable: {{ .Values.gateway.rollingMaxUnavailable }}
      {{- end }}
-  template:
-    metadata:
-      annotations:
-      {{- if .Values.global.enableHigressIstio }}
-        "enableHigressIstio": "true"
-      {{- end }}
-      {{- if .Values.gateway.podAnnotations }}
-        {{- toYaml .Values.gateway.podAnnotations | nindent 8 }}
-      {{- end }}
-      labels:
-        sidecar.istio.io/inject: "false"
-        {{- with .Values.gateway.revision }}
-        istio.io/rev: {{ . }}
-        {{- end }}
-        {{- include "gateway.selectorLabels" . | nindent 8 }}
-    spec:
-      {{- with .Values.gateway.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "gateway.serviceAccountName" . }}
-      {{- if .Values.global.priorityClassName }}
-      priorityClassName: "{{ .Values.global.priorityClassName }}"
-      {{- end }}
-      securityContext:
-      {{- if .Values.gateway.securityContext }}
-        {{- toYaml .Values.gateway.securityContext | nindent 8 }}
-      {{- else if and $unprivilegedPortSupported (and (not .Values.gateway.hostNetwork) (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion)) }}
-        # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
-        sysctls:
-        - name: net.ipv4.ip_unprivileged_port_start
-          value: "0"
-      {{- end }}
-      containers:
-        {{- if $o11y.enabled }}
-          {{- $config := $o11y.promtail }}
-        - name: promtail
-          image: {{ $config.image.repository }}:{{ $config.image.tag }}
-          imagePullPolicy: IfNotPresent
-          args:
-            - -config.file=/etc/promtail/promtail.yaml
-          env:
-            - name: 'HOSTNAME'
-              valueFrom:
-                fieldRef:
-                  fieldPath: 'spec.nodeName'
-          ports:
-            - containerPort: {{ $config.port }}
-              name: http-metrics
-              protocol: TCP
-          readinessProbe:
-            failureThreshold: 3
-            httpGet:
-              path: /ready
-              port: {{ $config.port }}
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 1
-          volumeMounts:
-            - name: promtail-config
-              mountPath: "/etc/promtail"
-            - name: log
-              mountPath: /var/log/proxy
-            - name: tmp
-              mountPath: /tmp
-        {{- end }}
-        - name: higress-gateway
-          image: "{{ .Values.gateway.hub | default .Values.global.hub }}/{{ .Values.gateway.image | default "gateway" }}:{{ .Values.gateway.tag | default .Chart.AppVersion }}"
-          args:
-            - proxy
-            - router
-            - --domain
-            - $(POD_NAMESPACE).svc.cluster.local
-            - --proxyLogLevel=warning
-            - --proxyComponentLogLevel=misc:error
-            - --log_output_level=all:info
-            - --serviceCluster=higress-gateway
-          securityContext:
-          {{- if .Values.gateway.containerSecurityContext }}
-            {{- toYaml .Values.gateway.containerSecurityContext | nindent 12 }}
-          {{- else if and $unprivilegedPortSupported (and (not .Values.gateway.hostNetwork) (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion)) }}
-            # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
-            capabilities:
-              drop:
-              - ALL
-            allowPrivilegeEscalation: false
-            privileged: false
-          # When enabling lite metrics, the configuration template files need to be replaced.
-          {{- if not .Values.global.liteMetrics }}
-            readOnlyRootFilesystem: true
-          {{- end }}
-            runAsUser: 1337
-            runAsGroup: 1337
-            runAsNonRoot: true
-          {{- else }}
-            capabilities:
-              drop:
-              - ALL
-              add:
-              - NET_BIND_SERVICE
-            runAsUser: 0
-            runAsGroup: 1337
-            runAsNonRoot: false
-            allowPrivilegeEscalation: true
-          {{- end }}
-          env:
-          - name: NODE_NAME
-            valueFrom:
-              fieldRef:
-                apiVersion: v1
-                fieldPath: spec.nodeName
-          - name: POD_NAME
-            valueFrom:
-              fieldRef:
-                apiVersion: v1
-                fieldPath: metadata.name
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                apiVersion: v1
-                fieldPath: metadata.namespace
-          - name: INSTANCE_IP
-            valueFrom:
-              fieldRef:
-                apiVersion: v1
-                fieldPath: status.podIP
-          - name: HOST_IP
-            valueFrom:
-              fieldRef:
-                apiVersion: v1
-                fieldPath: status.hostIP
-          - name: SERVICE_ACCOUNT
-            valueFrom:
-              fieldRef:
-                fieldPath: spec.serviceAccountName
-          - name: PROXY_XDS_VIA_AGENT
-            value: "true"
-          - name: ENABLE_INGRESS_GATEWAY_SDS
-            value: "false"
-          - name: JWT_POLICY
-            value: {{ include "controller.jwtPolicy" . }}
-          - name: ISTIO_META_HTTP10
-            value: "1"
-          - name: ISTIO_META_CLUSTER_ID
-            value: "{{ $.Values.clusterName | default `Kubernetes` }}"
-          - name: INSTANCE_NAME
-            value: "higress-gateway"
-          {{- if .Values.global.liteMetrics }}
-          - name: LITE_METRICS
-            value: "on"
-          {{- end }}
-          {{- if include "skywalking.enabled" . }}
-          - name: ISTIO_BOOTSTRAP_OVERRIDE
-            value: /etc/istio/custom-bootstrap/custom_bootstrap.json
-          {{- end }}
-          {{- with .Values.gateway.networkGateway }}
-          - name: ISTIO_META_REQUESTED_NETWORK_VIEW
-            value: "{{.}}"
-          {{- end }}
-          {{- range $key, $val := .Values.env }}
-          - name: {{ $key }}
-            value: {{ $val | quote }}
-          {{- end }}
-          ports:
-          - containerPort: 15020
-            protocol: TCP
-            name: istio-prom
-          - containerPort: 15090
-            protocol: TCP
-            name: http-envoy-prom
-          {{- if or .Values.global.local .Values.global.kind }}
-          - containerPort: {{ .Values.gateway.httpPort }}
-            hostPort:  {{ .Values.gateway.httpPort }}
-            name: http
-            protocol: TCP
-          - containerPort:  {{ .Values.gateway.httpsPort }}
-            hostPort:  {{ .Values.gateway.httpsPort }}
-            name: https
-            protocol: TCP
-          {{- end }}
-          readinessProbe:
-            failureThreshold: {{ .Values.gateway.readinessFailureThreshold }}
-            httpGet:
-              path: /healthz/ready
-              port: 15021
-              scheme: HTTP
-            initialDelaySeconds: {{ .Values.gateway.readinessInitialDelaySeconds }}
-            periodSeconds: {{ .Values.gateway.readinessPeriodSeconds }}
-            successThreshold: {{ .Values.gateway.readinessSuccessThreshold }}
-            timeoutSeconds: {{ .Values.gateway.readinessTimeoutSeconds }}
-          {{- if not (or .Values.global.local .Values.global.kind) }}
-          resources:
-            {{- toYaml .Values.gateway.resources | nindent 12 }}
-          {{- end }}
-          volumeMounts:
-          {{- if eq (include "controller.jwtPolicy" .) "third-party-jwt" }}
-          - name: istio-token
-            mountPath: /var/run/secrets/tokens
-            readOnly: true
-          {{- end }}
-          - name: config
-            mountPath: /etc/istio/config
-          - name: istio-ca-root-cert
-            mountPath: /var/run/secrets/istio
-          - name: istio-data
-            mountPath: /var/lib/istio/data
-          - name: podinfo
-            mountPath: /etc/istio/pod
-          - name: proxy-socket
-            mountPath: /etc/istio/proxy
-          {{- if include "skywalking.enabled" . }}
-          - mountPath: /etc/istio/custom-bootstrap
-            name: custom-bootstrap-volume
-          {{- end }}
-          {{- if .Values.global.volumeWasmPlugins }}
-          - mountPath: /opt/plugins
-            name: local-wasmplugins-volume
-          {{- end }}
-          {{- if $o11y.enabled }}
-          - mountPath: /var/log/proxy
-            name: log
-          {{- end }}
-      {{- if .Values.gateway.hostNetwork }}
-      hostNetwork: {{ .Values.gateway.hostNetwork }}
-      dnsPolicy: ClusterFirstWithHostNet
-      {{- end }}
-      {{- with .Values.gateway.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.gateway.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.gateway.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      volumes:
-      {{- if eq (include "controller.jwtPolicy" .) "third-party-jwt" }}
-      - name: istio-token
-        projected:
-          sources:
-            - serviceAccountToken:
-                audience: istio-ca
-                expirationSeconds: 43200
-                path: istio-token
-      {{- end }}
-      - name: istio-ca-root-cert
-        configMap:
-      {{- if .Values.global.enableHigressIstio }}
-          name: istio-ca-root-cert
-      {{- else }}
-          name: higress-ca-root-cert
-      {{- end }}
-      - name: config
-        configMap:
-          name: higress-config
-      {{- if include "skywalking.enabled" . }}
-      - configMap:
-          defaultMode: 420
-          name: higress-custom-bootstrap
-        name: custom-bootstrap-volume
-      {{- end }}
-      - name: istio-data
-        emptyDir: {}
-      - name: proxy-socket
-        emptyDir: {}
-      {{- if $o11y.enabled }}
-      - name: log
-        emptyDir: {}
-      - name: tmp
-        emptyDir: {}
-      - name: promtail-config
-        configMap:
-          name: higress-promtail
-      {{- end }}
-      - name: podinfo
-        downwardAPI:
-          defaultMode: 420
-          items:
-          - fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.labels
-            path: labels
-          - fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.annotations
-            path: annotations
-          - path: cpu-request
-            resourceFieldRef:
-              containerName: higress-gateway
-              divisor: 1m
-              resource: requests.cpu
-          - path: cpu-limit
-            resourceFieldRef:
-              containerName: higress-gateway
-              divisor: 1m
-              resource: limits.cpu
-      {{- if .Values.global.volumeWasmPlugins }}
-      - name: local-wasmplugins-volume
-        hostPath:
-          path: /opt/plugins
-          type: Directory
-      {{- end }}
+
+  {{- include "gateway.podTemplate" $ | nindent 2 -}}
+
 {{- end }}
--- a/helm/core/templates/fallback-envoyfilter.yaml
+++ b/helm/core/templates/fallback-envoyfilter.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: {{ include "gateway.name" . }}-global-custom-response
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "gateway.labels" . | nindent 4}}
+spec:
+  configPatches:
+    - applyTo: HTTP_FILTER
+      match:
+        context: GATEWAY
+        listener:
+          filterChain:
+            filter:
+              name: envoy.filters.network.http_connection_manager
+      patch:
+        operation: INSERT_FIRST
+        value:
+          name: envoy.filters.http.custom_response
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.http.custom_response.v3.CustomResponse
--- a/helm/core/templates/ingressclass.yaml
+++ b/helm/core/templates/ingressclass.yaml
@@ -1,6 +1,8 @@
+{{- if .Values.global.ingressClass }}
 apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
  name: {{ .Values.global.ingressClass }}
 spec:
-  controller: higress.io/higress-controller
+  controller: higress.io/higress-controller
+{{- end }}
--- a/helm/core/templates/podmonitor.yaml
+++ b/helm/core/templates/podmonitor.yaml
@@ -0,0 +1,45 @@
+{{- if .Values.gateway.metrics.enabled }}
+{{- include "gateway.podMonitor.gvk" . }}
+metadata:
+  name: {{ printf "%s-metrics" (include "gateway.name" .) | trunc 63 | trimSuffix "-" }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.gateway.annotations | toYaml | nindent 4 }}
+spec:
+  jobLabel: "app.kubernetes.io/name"
+  selector:
+    matchLabels:
+      {{- include "gateway.selectorLabels" . | nindent 6 }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  podMetricsEndpoints:
+    - port: istio-prom
+      path: /stats/prometheus
+      {{- if .Values.gateway.metrics.interval }}
+      interval: {{ .Values.gateway.metrics.interval }}
+      {{- end }}
+      {{- if .Values.gateway.metrics.scrapeTimeout }}
+      scrapeTimeout: {{ .Values.gateway.metrics.scrapeTimeout }}
+      {{- end }}
+      {{- if .Values.gateway.metrics.honorLabels }}
+      honorLabels: {{ .Values.gateway.metrics.honorLabels }}
+      {{- end }}
+      {{- if .Values.gateway.metrics.metricRelabelings }}
+      metricRelabelings: {{ toYaml .Values.gateway.metrics.metricRelabelings | nindent 8 }}
+      {{- end }}
+      {{- if .Values.gateway.metrics.relabelings }}
+      relabelings: {{ toYaml .Values.gateway.metrics.relabelings | nindent 8 }}
+      {{- end }}
+      {{- if .Values.gateway.metrics.metricRelabelConfigs }}
+      metricRelabelings: {{ toYaml .Values.gateway.metrics.metricRelabelConfigs | nindent 8 }}
+      {{- end }}
+      {{- if .Values.gateway.metrics.relabelConfigs }}
+      relabelings: {{ toYaml .Values.gateway.metrics.relabelConfigs | nindent 8 }}
+      {{- end }}
+      {{- if $.Values.gateway.metrics.rawSpec }}
+      {{- $.Values.gateway.metrics.rawSpec | toYaml | nindent 6 }}
+      {{- end }}
+{{- end }}
--- a/helm/core/templates/service.yaml
+++ b/helm/core/templates/service.yaml
@@ -24,6 +24,9 @@ spec:
 {{- end }}
 {{- with .Values.gateway.service.externalTrafficPolicy }}
  externalTrafficPolicy: "{{ . }}"
+{{- end }}
+{{- with .Values.gateway.service.loadBalancerClass}}
+  loadBalancerClass: "{{ . }}"
 {{- end }}
  type: {{ .Values.gateway.service.type }}
  ports:
--- a/helm/core/values.yaml
+++ b/helm/core/values.yaml
@@ -3,14 +3,16 @@ global:
  enableH3: false
  enableIPv6: false
  enableProxyProtocol: false
-  liteMetrics: true
+  enableLDSCache: false
+  enablePushAllMCPClusters: true
+  liteMetrics: false
  xdsMaxRecvMsgSize: "104857600"
  defaultUpstreamConcurrencyThreshold: 10000
  enableSRDS: true
  onDemandRDS: false
  hostRDSMergeSubset: false
  onlyPushRouteCluster: true
-  # IngressClass filters which ingress resources the higress controller watches.
+  # -- IngressClass filters which ingress resources the higress controller watches.
  # The default ingress class is higress.
  # There are some special cases for special ingress class.
  # 1. When the ingress class is set as nginx, the higress controller will watch ingress
@@ -18,28 +20,38 @@ global:
  # 2. When the ingress class is set empty, the higress controller will watch all ingress
  # resources in the k8s cluster.
  ingressClass: "higress"
+  # -- If not empty, Higress Controller will only watch resources in the specified namespace.
+  # When isolating different business systems using K8s namespace,
+  # if each namespace requires a standalone gateway instance,
+  # this parameter can be used to confine the Ingress watching of Higress within the given namespace.
  watchNamespace: ""
+  # -- Whether to disable HTTP/2 in ALPN
  disableAlpnH2: false
+  # -- If true, Higress Controller will update the status field of Ingress resources.
+  # When migrating from Nginx Ingress, in order to avoid status field of Ingress objects being overwritten,
+  # this parameter needs to be set to false,
+  # so Higress won't write the entry IP to the status field of the corresponding Ingress object.
  enableStatus: true
-  # whether to use autoscaling/v2 template for HPA settings
+  # -- whether to use autoscaling/v2 template for HPA settings
  # for internal usage only, not to be configured by users.
  autoscalingv2API: true
-  local: false # When deploying to a local cluster (e.g.: kind cluster), set this to true.
+  # -- When deploying to a local cluster (e.g.: kind cluster), set this to true.
+  local: false
  kind: false # Deprecated. Please use "global.local" instead. Will be removed later.
-  enableIstioAPI: false
+  # -- If true, Higress Controller will monitor istio resources as well
+  enableIstioAPI: true
+  # -- If true, Higress Controller will monitor Gateway API resources as well
  enableGatewayAPI: false
-  # Deprecated
-  enableHigressIstio: false
-  # Used to locate istiod.
+  # -- Used to locate istiod.
  istioNamespace: istio-system
-  # enable pod disruption budget for the control plane, which is used to
+  # -- enable pod disruption budget for the control plane, which is used to
  # ensure Istio control plane components are gradually upgraded or recovered.
  defaultPodDisruptionBudget:
    enabled: false
    # The values aren't mutable due to a current PodDisruptionBudget limitation
    # minAvailable: 1

-  # A minimal set of requested resources to applied to all deployments so that
+  # -- A minimal set of requested resources to applied to all deployments so that
  # Horizontal Pod Autoscaler will be able to function (if set).
  # Each component can overwrite these default values by adding its own resources
  # block in the relevant section below and setting the desired resources values.
@@ -51,16 +63,16 @@ global:
    #   cpu: 100m
    #   memory: 128Mi

-  # Default hub for Istio images.
+  # -- Default hub for Istio images.
  # Releases are published to docker hub under 'istio' project.
  # Dev builds from prow are on gcr.io
  hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress

-  # Specify image pull policy if default behavior isn't desired.
+  # -- Specify image pull policy if default behavior isn't desired.
  # Default behavior: latest images will be Always else IfNotPresent.
  imagePullPolicy: ""

-  # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+  # -- ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
  # to use for pulling any images in pods that reference this ServiceAccount.
  # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
  # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
@@ -68,14 +80,14 @@ global:
  imagePullSecrets: []
  # - private-registry-key

-  # Enabled by default in master for maximising testing.
+  # -- Enabled by default in master for maximising testing.
  istiod:
    enableAnalysis: false

-  # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+  # -- To output all istio components logs in json format by adding --log_as_json argument to each container argument
  logAsJson: false

-  # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+  # -- Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
  # The control plane has different scopes depending on component, but can configure default log level across all components
  # If empty, default scope and level will be used as configured in code
  logging:
@@ -83,11 +95,11 @@ global:

  omitSidecarInjectorConfigMap: false

-  # Whether to restrict the applications namespace the controller manages;
+  # -- Whether to restrict the applications namespace the controller manages;
  # If not set, controller watches all namespaces
  oneNamespace: false

-  # Configure whether Operator manages webhook configurations. The current behavior
+  # -- Configure whether Operator manages webhook configurations. The current behavior
  # of Istiod is to manage its own webhook configurations.
  # When this option is set as true, Istio Operator, instead of webhooks, manages the
  # webhook configurations. When this option is set as false, webhooks manage their
@@ -106,7 +118,7 @@ global:
  #- global
  #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"

-  # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+  # -- Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
  # system-node-critical, it is better to configure this in order to make sure your Istio pods
  # will not be killed because of low priority class.
  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
@@ -116,18 +128,18 @@ global:
  proxy:
    image: proxyv2

-    # This controls the 'policy' in the sidecar injector.
+    # -- This controls the 'policy' in the sidecar injector.
    autoInject: enabled

-    # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+    # -- CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
    # cluster domain. Default value is "cluster.local".
    clusterDomain: "cluster.local"

-    # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+    # -- Per Component log level for proxy, applies to gateways and sidecars. If a component level is
    # not set, then the global "logLevel" will be used.
    componentLogLevel: "misc:error"

-    # If set, newly injected sidecars will have core dumps enabled.
+    # -- If set, newly injected sidecars will have core dumps enabled.
    enableCoreDump: false

    # istio ingress capture allowlist
@@ -136,8 +148,7 @@ global:
    excludeInboundPorts: ""
    includeInboundPorts: "*"

-
-    # istio egress capture allowlist
+    # -- istio egress capture allowlist
    # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
    # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
    # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
@@ -147,29 +158,29 @@ global:
    includeOutboundPorts: ""
    excludeOutboundPorts: ""

-    # Log level for proxy, applies to gateways and sidecars.
+    # -- Log level for proxy, applies to gateways and sidecars.
    # Expected values are: trace|debug|info|warning|error|critical|off
    logLevel: warning

-    #If set to true, istio-proxy container will have privileged securityContext
+    # -- If set to true, istio-proxy container will have privileged securityContext
    privileged: false

-    # The number of successive failed probes before indicating readiness failure.
+    # -- The number of successive failed probes before indicating readiness failure.
    readinessFailureThreshold: 30

-    # The number of successive successed probes before indicating readiness success.
+    # -- The number of successive successed probes before indicating readiness success.
    readinessSuccessThreshold: 30

-    # The initial delay for readiness probes in seconds.
+    # -- The initial delay for readiness probes in seconds.
    readinessInitialDelaySeconds: 1

-    # The period between readiness probes.
+    # -- The period between readiness probes.
    readinessPeriodSeconds: 2

-    # The readiness timeout seconds
+    # -- The readiness timeout seconds
    readinessTimeoutSeconds: 3

-    # Resources for the sidecar.
+    # -- Resources for the sidecar.
    resources:
      requests:
        cpu: 100m
@@ -178,18 +189,18 @@ global:
        cpu: 2000m
        memory: 1024Mi

-    # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+    # -- Default port for Pilot agent health checks. A value of 0 will disable health checking.
    statusPort: 15020

-    # Specify which tracer to use. One of: lightstep, datadog, stackdriver.
+    # -- Specify which tracer to use. One of: lightstep, datadog, stackdriver.
    # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
    tracer: ""

-    # Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready
+    # -- Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready
    holdApplicationUntilProxyStarts: false

  proxy_init:
-    # Base name for the proxy_init container, used to configure iptables.
+    # -- Base name for the proxy_init container, used to configure iptables.
    image: proxyv2
    resources:
      limits:
@@ -199,7 +210,7 @@ global:
        cpu: 10m
        memory: 10Mi

-  # configure remote pilot and istiod service and endpoint
+  # -- configure remote pilot and istiod service and endpoint
  remotePilotAddress: ""

  ##############################################################################################
@@ -207,20 +218,20 @@ global:
  # make sure they are consistent across your Istio helm charts                                #
  ##############################################################################################

-  # The customized CA address to retrieve certificates for the pods in the cluster.
+  # -- The customized CA address to retrieve certificates for the pods in the cluster.
  # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
  # If not set explicitly, default to the Istio discovery address.
  caAddress: ""

-  # Configure a remote cluster data plane controlled by an external istiod.
+  # -- Configure a remote cluster data plane controlled by an external istiod.
  # When set to true, istiod is not deployed locally and only a subset of the other
  # discovery charts are enabled.
  externalIstiod: false

-  #  Configure a remote cluster as the config cluster for an external istiod.
+  # -- Configure a remote cluster as the config cluster for an external istiod.
  configCluster: false

-  # Configure the policy for validating JWT.
+  # -- Configure the policy for validating JWT.
  # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
  jwtPolicy: "third-party-jwt"

@@ -242,7 +253,7 @@ global:
  # of migration TBD, and it may be a disruptive operation to change the Mesh
  # ID post-install.
  #
-  # If the mesh admin does not specify a value, Istio will use the value of the
+  # -- If the mesh admin does not specify a value, Istio will use the value of the
  # mesh's Trust Domain. The best practice is to select a proper Trust Domain
  # value.
  meshID: ""
@@ -276,68 +287,69 @@ global:
  #
  meshNetworks: {}

-  # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+  # -- Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
  mountMtlsCerts: false

  multiCluster:
-    # Set to true to connect two kubernetes clusters via their respective
+    # -- Set to true to connect two kubernetes clusters via their respective
    # ingressgateway services when pods in each cluster cannot directly
    # talk to one another. All clusters should be using Istio mTLS and must
    # have a shared root CA for this model to work.
    enabled: true
-    # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+    # -- Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
    # to properly label proxies
    clusterName: ""

-  # Network defines the network this cluster belong to. This name
+  # -- Network defines the network this cluster belong to. This name
  # corresponds to the networks in the map of mesh networks.
  network: ""

-  # Configure the certificate provider for control plane communication.
+  # -- Configure the certificate provider for control plane communication.
  # Currently, two providers are supported: "kubernetes" and "istiod".
  # As some platforms may not have kubernetes signing APIs,
  # Istiod is the default
  pilotCertProvider: istiod

  sds:
-    # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+    # -- The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
    # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
    # JWT is intended for the CA.
    token:
      aud: istio-ca

  sts:
-    # The service port used by Security Token Service (STS) server to handle token exchange requests.
+    # -- The service port used by Security Token Service (STS) server to handle token exchange requests.
    # Setting this port to a non-zero value enables STS server.
    servicePort: 0

-  # Configuration for each of the supported tracers
+  # -- Configuration for each of the supported tracers
  tracer:
-    # Configuration for envoy to send trace data to LightStep.
+    # -- Configuration for envoy to send trace data to LightStep.
    # Disabled by default.
    # address: the <host>:<port> of the satellite pool
    # accessToken: required for sending data to the pool
    #
    datadog:
-      # Host:Port for submitting traces to the Datadog agent.
+      # -- Host:Port for submitting traces to the Datadog agent.
      address: "$(HOST_IP):8126"
    lightstep:
-      address: ""                # example: lightstep-satellite:443
-      accessToken: ""            # example: abcdefg1234567
+      # -- example: lightstep-satellite:443
+      address: ""
+      # -- example: abcdefg1234567
+      accessToken: ""
    stackdriver:
-      # enables trace output to stdout.
+      # -- enables trace output to stdout.
      debug: false
-      # The global default max number of message events per span.
+      # -- The global default max number of message events per span.
      maxNumberOfMessageEvents: 200
-      # The global default max number of annotation events per span.
+      # -- The global default max number of annotation events per span.
      maxNumberOfAnnotations: 200
-      # The global default max number of attributes per span.
+      # -- The global default max number of attributes per span.
      maxNumberOfAttributes: 200
-  # Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source.
-
+  # -- Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source.
  useMCP: false

-  # Observability (o11y) configurations
+  # -- Observability (o11y) configurations
  o11y:
    enabled: false
    promtail:
@@ -351,7 +363,7 @@ global:
          memory: 2Gi
      securityContext: {}

-  # The name of the CA for workload certificates.
+  # -- The name of the CA for workload certificates.
  # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
  # will be used as the certificates for workloads.
  # The default value is "" and when caName="", the CA will be configured by other
@@ -360,7 +372,7 @@ global:
 hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress

 clusterName: ""
-# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+# -- meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
 # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
 meshConfig:
  enablePrometheusMerge: true
@@ -371,14 +383,13 @@ meshConfig:
  # and gradual adoption by setting capture only on specific workloads. It also allows
  # VMs to use other DNS options, like dnsmasq or unbound.

-  # The namespace to treat as the administrative root namespace for Istio configuration.
+  # -- The namespace to treat as the administrative root namespace for Istio configuration.
  # When processing a leaf namespace Istio will search for declarations in that namespace first
  # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
  # is processed as if it were declared in the leaf namespace.
-
  rootNamespace:

-  # The trust domain corresponds to the trust root of a system
+  # -- The trust domain corresponds to the trust root of a system
  # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
  trustDomain: "cluster.local"

@@ -392,56 +403,57 @@ meshConfig:

 gateway:
  name: "higress-gateway"
+  # -- Number of Higress Gateway pods
  replicas: 2
  image: gateway

  # -- Use a `DaemonSet` or `Deployment`
  kind: Deployment

-  # The number of successive failed probes before indicating readiness failure.
+  # -- The number of successive failed probes before indicating readiness failure.
  readinessFailureThreshold: 30

-  # The number of successive successed probes before indicating readiness success.
+  # -- The number of successive successed probes before indicating readiness success.
  readinessSuccessThreshold: 1

-  # The initial delay for readiness probes in seconds.
+  # -- The initial delay for readiness probes in seconds.
  readinessInitialDelaySeconds: 1

-  # The period between readiness probes.
+  # -- The period between readiness probes.
  readinessPeriodSeconds: 2

-  # The readiness timeout seconds
+  # -- The readiness timeout seconds
  readinessTimeoutSeconds: 3

  hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
  tag: ""
-  # revision declares which revision this gateway is a part of
+  # -- revision declares which revision this gateway is a part of
  revision: ""

  rbac:
-    # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
+    # -- If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
    # when using http://gateway-api.org/.
    enabled: true

  serviceAccount:
-    # If set, a service account will be created. Otherwise, the default is used
+    # -- If set, a service account will be created. Otherwise, the default is used
    create: true
-    # Annotations to add to the service account
+    # -- Annotations to add to the service account
    annotations: {}
-    # The name of the service account to use.
+    # -- The name of the service account to use.
    # If not set, the release name is used
    name: ""

-  # Pod environment variables
+  # -- Pod environment variables
  env: {}
  httpPort: 80
  httpsPort: 443
  hostNetwork: false

-  # Labels to apply to all resources
+  # -- Labels to apply to all resources
  labels: {}

-  # Annotations to apply to all resources
+  # -- Annotations to apply to all resources
  annotations: {}

  podAnnotations:
@@ -449,25 +461,26 @@ gateway:
    prometheus.io/scrape: "true"
    prometheus.io/path: "/stats/prometheus"
    sidecar.istio.io/inject: "false"
-  
-  # Define the security context for the pod.
+
+  # -- Define the security context for the pod.
  # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
  # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
  securityContext: ~
  containerSecurityContext: ~
-  
+  unprivilegedPortSupported: ~
+
  service:
-    # Type of service. Set to "None" to disable the service entirely
+    # -- Type of service. Set to "None" to disable the service entirely
    type: LoadBalancer
    ports:
-    - name: http2
-      port: 80
-      protocol: TCP
-      targetPort: 80
-    - name: https
-      port: 443
-      protocol: TCP
-      targetPort: 443
+      - name: http2
+        port: 80
+        protocol: TCP
+        targetPort: 80
+      - name: https
+        port: 443
+        protocol: TCP
+        targetPort: 443
    annotations: {}
    loadBalancerIP: ""
    loadBalancerClass: ""
@@ -475,8 +488,9 @@ gateway:
    externalTrafficPolicy: ""

  rollingMaxSurge: 100%
+  # -- If global.local is true, the default value is 100%, otherwise it is 25%
  rollingMaxUnavailable: 25%
-    
+
  resources:
    requests:
      cpu: 2000m
@@ -484,24 +498,42 @@ gateway:
    limits:
      cpu: 2000m
      memory: 2048Mi
-  
+
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 5
    targetCPUUtilizationPercentage: 80
-  
+
  nodeSelector: {}
-  
+
  tolerations: []
-  
+
  affinity: {}
-  
-  # If specified, the gateway will act as a network gateway for the given network.
+
+  # -- If specified, the gateway will act as a network gateway for the given network.
  networkGateway: ""
-  
+
+  metrics:
+    # -- If true, create PodMonitor or VMPodScrape for gateway
+    enabled: false
+    # -- provider group name for CustomResourceDefinition, can be monitoring.coreos.com or operator.victoriametrics.com
+    provider: monitoring.coreos.com
+    interval: ""
+    scrapeTimeout: ""
+    honorLabels: false
+    # -- for monitoring.coreos.com/v1.PodMonitor
+    metricRelabelings: []
+    relabelings: []
+    # -- for operator.victoriametrics.com/v1beta1.VMPodScrape
+    metricRelabelConfigs: []
+    relabelConfigs: []
+    # -- some more raw podMetricsEndpoints spec
+    rawSpec: {}
+
 controller:
  name: "higress-controller"
+  # -- Number of Higress Controller pods
  replicas: 1
  image: higress

@@ -510,61 +542,52 @@ controller:
  env: {}

  labels: {}
-  
-  probe: {
-    httpGet: {
-      path: /ready,
-      port: 8888,
-    },
-    initialDelaySeconds: 1,
-    periodSeconds: 3,
-    timeoutSeconds: 5
-  }
-  
+
+  probe:
+    {
+      httpGet: { path: /ready, port: 8888 },
+      initialDelaySeconds: 1,
+      periodSeconds: 3,
+      timeoutSeconds: 5,
+    }
+
  imagePullSecrets: []

  rbac:
    create: true
-  
+
  serviceAccount:
-    # Specifies whether a service account should be created
+    # -- Specifies whether a service account should be created
    create: true
-    # Annotations to add to the service account
+    # -- Annotations to add to the service account
    annotations: {}
-    # The name of the service account to use.
-    # If not set and create is true, a name is generated using the fullname template
+    # -- The name of the service account to use.
+    # -- If not set and create is true, a name is generated using the fullname template
    name: ""
-  
+
  podAnnotations: {}
-  
-  podSecurityContext: {}
+
+  podSecurityContext:
+    {}
    # fsGroup: 2000
-  
-  ports: [
-    {
-      "name": "http",
-      "protocol": "TCP",
-      "port": 8888,
-      "targetPort": 8888,
-    },
-    {
-      "name": "http-solver",
-      "protocol": "TCP",
-      "port": 8889,
-      "targetPort": 8889,
-    },
-    {
-      "name": "grpc",
-      "protocol": "TCP",
-      "port": 15051,
-      "targetPort": 15051,
-    }
-  ]
-  
+
+  ports:
+    [
+      { "name": "http", "protocol": "TCP", "port": 8888, "targetPort": 8888 },
+      {
+        "name": "http-solver",
+        "protocol": "TCP",
+        "port": 8889,
+        "targetPort": 8889,
+      },
+      { "name": "grpc", "protocol": "TCP", "port": 15051, "targetPort": 15051 },
+    ]
+
  service:
    type: ClusterIP
-  
-  securityContext: {}
+
+  securityContext:
+    {}
    # capabilities:
    #   drop:
    #   - ALL
@@ -579,11 +602,11 @@ controller:
    limits:
      cpu: 1000m
      memory: 2048Mi
-  
+
  nodeSelector: {}
-  
+
  tolerations: []
-  
+
  affinity: {}

  autoscaling:
@@ -594,8 +617,8 @@ controller:
  automaticHttps:
    enabled: true
    email: ""
-  
-## Discovery Settings
+
+## -- Discovery Settings
 pilot:
  autoscaleEnabled: false
  autoscaleMin: 1
@@ -607,11 +630,11 @@ pilot:
  hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
  tag: ""

-  # Can be a full hub/image:tag
+  # -- Can be a full hub/image:tag
  image: pilot
  traceSampling: 1.0

-  # Resources for a small pilot install
+  # -- Resources for a small pilot install
  resources:
    requests:
      cpu: 500m
@@ -626,21 +649,21 @@ pilot:
  cpu:
    targetAverageUtilization: 80

-  # if protocol sniffing is enabled for outbound
+  # -- if protocol sniffing is enabled for outbound
  enableProtocolSniffingForOutbound: true
-  # if protocol sniffing is enabled for inbound
+  # -- if protocol sniffing is enabled for inbound
  enableProtocolSniffingForInbound: true

  nodeSelector: {}
  podAnnotations: {}
  serviceAnnotations: {}

-  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # -- You can use jwksResolverExtraRootCA to provide a root certificate
  # in PEM format. This will then be trusted by pilot when resolving
  # JWKS URIs.
  jwksResolverExtraRootCA: ""

-  # This is used to set the source of configuration for
+  # -- This is used to set the source of configuration for
  # the associated address in configSource, if nothing is specified
  # the default MCP is assumed.
  configSource:
@@ -648,34 +671,48 @@ pilot:

  plugins: []

-  # The following is used to limit how long a sidecar can be connected
+  # -- The following is used to limit how long a sidecar can be connected
  # to a pilot. It balances out load across pilot instances at the cost of
  # increasing system churn.
  keepaliveMaxServerConnectionAge: 30m

-  # Additional labels to apply to the deployment.
+  # -- Additional labels to apply to the deployment.
  deploymentLabels: {}

-
  ## Mesh config settings

-  # Install the mesh config map, generated from values.yaml.
+  # -- Install the mesh config map, generated from values.yaml.
  # If false, pilot wil use default values (by default) or user-supplied values.
  configMap: true

-  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  # -- Additional labels to apply on the pod level for monitoring and logging configuration.
  podLabels: {}

-
 # Tracing config settings
 tracing:
  enable: false
  sampling: 100
  timeout: 500
  skywalking:
-   # access_token: ""
-   service: ""
-   port: 11800
+    # access_token: ""
+    service: ""
+    port: 11800
  # zipkin:
-    # service: ""
-    # port: 9411
+  # service: ""
+  # port: 9411
+
+# -- Downstream config settings
+downstream:
+  idleTimeout: 180
+  maxRequestHeadersKb: 60
+  connectionBufferLimits: 32768
+  http2:
+    maxConcurrentStreams: 100
+    initialStreamWindowSize: 65535
+    initialConnectionWindowSize: 1048576
+  routeTimeout: 0
+
+# -- Upstream config settings
+upstream:
+  idleTimeout: 10
+  connectionBufferLimits: 10485760
--- a/helm/higress/Chart.lock
+++ b/helm/higress/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: higress-core
  repository: file://../core
-  version: 2.0.0-rc.1
+  version: 2.0.7
 - name: higress-console
  repository: https://higress.io/helm-charts/
-  version: 1.4.2
-digest: sha256:10375e19aff1cc31e4d450ee5c3124ed684c8bcd2f4c019ea88abf7e3d381d76
-generated: "2024-08-15T19:39:04.526398+08:00"
+  version: 2.0.4
+digest: sha256:ca9cc8bdac0488d79c20e7a4e3d7b3a436a59b697a37728daa462601b4d1ea65
+generated: "2025-02-19T16:23:39.424987+08:00"
--- a/helm/higress/Chart.yaml
+++ b/helm/higress/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 2.0.0-rc.1
+appVersion: 2.0.7
 description: Helm chart for deploying Higress gateways
 icon: https://higress.io/img/higress_logo_small.png
 home: http://higress.io/
@@ -12,9 +12,9 @@ sources:
 dependencies:
 - name: higress-core
  repository: "file://../core"
-  version: 2.0.0-rc.1
+  version: 2.0.7
 - name: higress-console
  repository: "https://higress.io/helm-charts/"
-  version: 1.4.2
+  version: 2.0.4
 type: application
-version: 2.0.0-rc.1
+version: 2.0.7
--- a/helm/higress/README.md
+++ b/helm/higress/README.md
@@ -1,57 +1,278 @@
-# Higress Helm Chart
-
-Installs the cloud-native gateway [Higress](http://higress.io/)
-
-## Get Repo Info
-
-```console
-helm repo add higress.io https://higress.io/helm-charts
-helm repo update
-```
-
-_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
-
-## Installing the Chart
-
-To install the chart with the release name `higress`:
-
-```console
-helm install higress -n higress-system higress.io/higress --create-namespace --render-subchart-notes
-```
-
-## Uninstalling the Chart
-
-To uninstall/delete the higress deployment:
-
-```console
-helm delete higress -n higress-system
-```
-
-The command removes all the Kubernetes components associated with the chart and deletes the release.
-
-## Configuration
-
-| **Parameter** | **Description** | **Default** |
-|---|---|---|
-| **Global Parameters** |  |  |
-| global.local | Set to `true` if installing to a local K8s cluster (e.g.: Kind, Rancher Desktop, etc.) | false |
-| global.ingressClass | [IngressClass](https://kubernetes.io/zh-cn/docs/concepts/services-networking/ingress/#ingress-class) which is used to filter Ingress resources Higress Controller watches.<br />If there are multiple gateway instances deployed in the cluster, this parameter can be used to distinguish the scope of each gateway instance.<br />There are some special cases for special IngressClass values:<br />1. If set to "nginx", Higress Controller will watch Ingress resources with the `nginx` IngressClass or without any Ingress class.<br />2. If set to empty, Higress Controller will watch all Ingress resources in the K8s cluster. | higress |
-| global.watchNamespace | If not empty, Higress Controller will only watch resources in the specified namespace. When isolating different business systems using K8s namespace, if each namespace requires a standalone gateway instance, this parameter can be used to confine the Ingress watching of Higress within the given namespace. | "" |
-| global.disableAlpnH2 | Whether to disable HTTP/2 in ALPN | true |
-| global.enableStatus | If `true`, Higress Controller will update the `status` field of Ingress resources.<br />When migrating from Nginx Ingress, in order to avoid `status` field of Ingress objects being overwritten, this parameter needs to be set to false, so Higress won't write the entry IP to the `status` field of the corresponding Ingress object. | true |
-| global.enableIstioAPI | If `true`, Higress Controller will monitor istio resources as well | false |
-| global.enableGatewayAPI | If `true`, Higress Controller will monitor Gateway API resources as well | false |
-| global.istioNamespace | The namespace istio is installed to | istio-system |
-| **Core Paramters** |  |  |
-| higress-core.gateway.replicas | Number of Higress Gateway pods | 2 |
-| higress-core.controller.replicas | Number of Higress Controller pods | 1 |
-| **Console Paramters** |  |  |
-| higress-console.replicaCount | Number of Higress Console pods | 1 |
-| higress-console.service.type | K8s service type used by Higress Console | ClusterIP |
-| higress-console.domain | Domain used to access Higress Console | console.higress.io |
-| higress-console.tlsSecretName | Name of Secret resource used by TLS connections. | "" |
-| higress-console.web.login.prompt | Prompt message to be displayed on the login page | "" |
-| higress-console.admin.password.value | If not empty, the admin password will be configured to the specified value. | "" |
-| higress-console.admin.password.length | The length of random admin password generated during installation. Only works when `higress-console.admin.password.value` is not set. | 8 |
-| higress-console.o11y.enabled | If `true`, o11y suite (Grafana + Promethues) will be installed. | false |
-| higress-console.pvc.rwxSupported | Set to `false` when installing to a standard K8s cluster and the target cluster doesn't support the ReadWriteMany access mode of PersistentVolumeClaim. | true |
+## Higress for Kubernetes
+
+Higress is a cloud-native api gateway based on Alibaba's internal gateway practices.
+
+Powered by Istio and Envoy, Higress realizes the integration of the triple gateway architecture of traffic gateway, microservice gateway and security gateway, thereby greatly reducing the costs of deployment, operation and maintenance.
+
+## Setup Repo Info
+
+```console
+helm repo add higress.io https://higress.io/helm-charts
+helm repo update
+```
+
+## Install
+
+To install the chart with the release name `higress`:
+
+```console
+helm install higress -n higress-system higress.io/higress --create-namespace --render-subchart-notes
+```
+
+## Uninstall
+
+To uninstall/delete the higress deployment:
+
+```console
+helm delete higress -n higress-system
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Parameters
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| clusterName | string | `""` |  |
+| controller.affinity | object | `{}` |  |
+| controller.automaticHttps.email | string | `""` |  |
+| controller.automaticHttps.enabled | bool | `true` |  |
+| controller.autoscaling.enabled | bool | `false` |  |
+| controller.autoscaling.maxReplicas | int | `5` |  |
+| controller.autoscaling.minReplicas | int | `1` |  |
+| controller.autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
+| controller.env | object | `{}` |  |
+| controller.hub | string | `"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress"` |  |
+| controller.image | string | `"higress"` |  |
+| controller.imagePullSecrets | list | `[]` |  |
+| controller.labels | object | `{}` |  |
+| controller.name | string | `"higress-controller"` |  |
+| controller.nodeSelector | object | `{}` |  |
+| controller.podAnnotations | object | `{}` |  |
+| controller.podSecurityContext | object | `{}` |  |
+| controller.ports[0].name | string | `"http"` |  |
+| controller.ports[0].port | int | `8888` |  |
+| controller.ports[0].protocol | string | `"TCP"` |  |
+| controller.ports[0].targetPort | int | `8888` |  |
+| controller.ports[1].name | string | `"http-solver"` |  |
+| controller.ports[1].port | int | `8889` |  |
+| controller.ports[1].protocol | string | `"TCP"` |  |
+| controller.ports[1].targetPort | int | `8889` |  |
+| controller.ports[2].name | string | `"grpc"` |  |
+| controller.ports[2].port | int | `15051` |  |
+| controller.ports[2].protocol | string | `"TCP"` |  |
+| controller.ports[2].targetPort | int | `15051` |  |
+| controller.probe.httpGet.path | string | `"/ready"` |  |
+| controller.probe.httpGet.port | int | `8888` |  |
+| controller.probe.initialDelaySeconds | int | `1` |  |
+| controller.probe.periodSeconds | int | `3` |  |
+| controller.probe.timeoutSeconds | int | `5` |  |
+| controller.rbac.create | bool | `true` |  |
+| controller.replicas | int | `1` | Number of Higress Controller pods |
+| controller.resources.limits.cpu | string | `"1000m"` |  |
+| controller.resources.limits.memory | string | `"2048Mi"` |  |
+| controller.resources.requests.cpu | string | `"500m"` |  |
+| controller.resources.requests.memory | string | `"2048Mi"` |  |
+| controller.securityContext | object | `{}` |  |
+| controller.service.type | string | `"ClusterIP"` |  |
+| controller.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| controller.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| controller.serviceAccount.name | string | `""` | If not set and create is true, a name is generated using the fullname template |
+| controller.tag | string | `""` |  |
+| controller.tolerations | list | `[]` |  |
+| downstream | object | `{"connectionBufferLimits":32768,"http2":{"initialConnectionWindowSize":1048576,"initialStreamWindowSize":65535,"maxConcurrentStreams":100},"idleTimeout":180,"maxRequestHeadersKb":60,"routeTimeout":0}` | Downstream config settings |
+| gateway.affinity | object | `{}` |  |
+| gateway.annotations | object | `{}` | Annotations to apply to all resources |
+| gateway.autoscaling.enabled | bool | `false` |  |
+| gateway.autoscaling.maxReplicas | int | `5` |  |
+| gateway.autoscaling.minReplicas | int | `1` |  |
+| gateway.autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
+| gateway.containerSecurityContext | string | `nil` |  |
+| gateway.env | object | `{}` | Pod environment variables |
+| gateway.hostNetwork | bool | `false` |  |
+| gateway.httpPort | int | `80` |  |
+| gateway.httpsPort | int | `443` |  |
+| gateway.hub | string | `"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress"` |  |
+| gateway.image | string | `"gateway"` |  |
+| gateway.kind | string | `"Deployment"` | Use a `DaemonSet` or `Deployment` |
+| gateway.labels | object | `{}` | Labels to apply to all resources |
+| gateway.metrics.enabled | bool | `false` | If true, create PodMonitor or VMPodScrape for gateway |
+| gateway.metrics.honorLabels | bool | `false` |  |
+| gateway.metrics.interval | string | `""` |  |
+| gateway.metrics.metricRelabelConfigs | list | `[]` | for operator.victoriametrics.com/v1beta1.VMPodScrape |
+| gateway.metrics.metricRelabelings | list | `[]` | for monitoring.coreos.com/v1.PodMonitor |
+| gateway.metrics.provider | string | `"monitoring.coreos.com"` | provider group name for CustomResourceDefinition, can be monitoring.coreos.com or operator.victoriametrics.com |
+| gateway.metrics.rawSpec | object | `{}` | some more raw podMetricsEndpoints spec |
+| gateway.metrics.relabelConfigs | list | `[]` |  |
+| gateway.metrics.relabelings | list | `[]` |  |
+| gateway.metrics.scrapeTimeout | string | `""` |  |
+| gateway.name | string | `"higress-gateway"` |  |
+| gateway.networkGateway | string | `""` | If specified, the gateway will act as a network gateway for the given network. |
+| gateway.nodeSelector | object | `{}` |  |
+| gateway.podAnnotations."prometheus.io/path" | string | `"/stats/prometheus"` |  |
+| gateway.podAnnotations."prometheus.io/port" | string | `"15020"` |  |
+| gateway.podAnnotations."prometheus.io/scrape" | string | `"true"` |  |
+| gateway.podAnnotations."sidecar.istio.io/inject" | string | `"false"` |  |
+| gateway.rbac.enabled | bool | `true` | If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed when using http://gateway-api.org/. |
+| gateway.readinessFailureThreshold | int | `30` | The number of successive failed probes before indicating readiness failure. |
+| gateway.readinessInitialDelaySeconds | int | `1` | The initial delay for readiness probes in seconds. |
+| gateway.readinessPeriodSeconds | int | `2` | The period between readiness probes. |
+| gateway.readinessSuccessThreshold | int | `1` | The number of successive successed probes before indicating readiness success. |
+| gateway.readinessTimeoutSeconds | int | `3` | The readiness timeout seconds |
+| gateway.replicas | int | `2` | Number of Higress Gateway pods |
+| gateway.resources.limits.cpu | string | `"2000m"` |  |
+| gateway.resources.limits.memory | string | `"2048Mi"` |  |
+| gateway.resources.requests.cpu | string | `"2000m"` |  |
+| gateway.resources.requests.memory | string | `"2048Mi"` |  |
+| gateway.revision | string | `""` | revision declares which revision this gateway is a part of |
+| gateway.rollingMaxSurge | string | `"100%"` |  |
+| gateway.rollingMaxUnavailable | string | `"25%"` | If global.local is true, the default value is 100%, otherwise it is 25% |
+| gateway.securityContext | string | `nil` | Define the security context for the pod. If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. |
+| gateway.service.annotations | object | `{}` |  |
+| gateway.service.externalTrafficPolicy | string | `""` |  |
+| gateway.service.loadBalancerClass | string | `""` |  |
+| gateway.service.loadBalancerIP | string | `""` |  |
+| gateway.service.loadBalancerSourceRanges | list | `[]` |  |
+| gateway.service.ports[0].name | string | `"http2"` |  |
+| gateway.service.ports[0].port | int | `80` |  |
+| gateway.service.ports[0].protocol | string | `"TCP"` |  |
+| gateway.service.ports[0].targetPort | int | `80` |  |
+| gateway.service.ports[1].name | string | `"https"` |  |
+| gateway.service.ports[1].port | int | `443` |  |
+| gateway.service.ports[1].protocol | string | `"TCP"` |  |
+| gateway.service.ports[1].targetPort | int | `443` |  |
+| gateway.service.type | string | `"LoadBalancer"` | Type of service. Set to "None" to disable the service entirely |
+| gateway.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| gateway.serviceAccount.create | bool | `true` | If set, a service account will be created. Otherwise, the default is used |
+| gateway.serviceAccount.name | string | `""` | The name of the service account to use. If not set, the release name is used |
+| gateway.tag | string | `""` |  |
+| gateway.tolerations | list | `[]` |  |
+| gateway.unprivilegedPortSupported | string | `nil` |  |
+| global.autoscalingv2API | bool | `true` | whether to use autoscaling/v2 template for HPA settings for internal usage only, not to be configured by users. |
+| global.caAddress | string | `""` | The customized CA address to retrieve certificates for the pods in the cluster. CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. If not set explicitly, default to the Istio discovery address. |
+| global.caName | string | `""` | The name of the CA for workload certificates. For example, when caName=GkeWorkloadCertificate, GKE workload certificates will be used as the certificates for workloads. The default value is "" and when caName="", the CA will be configured by other mechanisms (e.g., environmental variable CA_PROVIDER). |
+| global.configCluster | bool | `false` | Configure a remote cluster as the config cluster for an external istiod. |
+| global.defaultPodDisruptionBudget | object | `{"enabled":false}` | enable pod disruption budget for the control plane, which is used to ensure Istio control plane components are gradually upgraded or recovered. |
+| global.defaultResources | object | `{"requests":{"cpu":"10m"}}` | A minimal set of requested resources to applied to all deployments so that Horizontal Pod Autoscaler will be able to function (if set). Each component can overwrite these default values by adding its own resources block in the relevant section below and setting the desired resources values. |
+| global.defaultUpstreamConcurrencyThreshold | int | `10000` |  |
+| global.disableAlpnH2 | bool | `false` | Whether to disable HTTP/2 in ALPN |
+| global.enableGatewayAPI | bool | `false` | If true, Higress Controller will monitor Gateway API resources as well |
+| global.enableH3 | bool | `false` |  |
+| global.enableIPv6 | bool | `false` |  |
+| global.enableIstioAPI | bool | `true` | If true, Higress Controller will monitor istio resources as well |
+| global.enableLDSCache | bool | `false` |  |
+| global.enableProxyProtocol | bool | `false` |  |
+| global.enablePushAllMCPClusters | bool | `true` |  |
+| global.enableSRDS | bool | `true` |  |
+| global.enableStatus | bool | `true` | If true, Higress Controller will update the status field of Ingress resources. When migrating from Nginx Ingress, in order to avoid status field of Ingress objects being overwritten, this parameter needs to be set to false, so Higress won't write the entry IP to the status field of the corresponding Ingress object. |
+| global.externalIstiod | bool | `false` | Configure a remote cluster data plane controlled by an external istiod. When set to true, istiod is not deployed locally and only a subset of the other discovery charts are enabled. |
+| global.hostRDSMergeSubset | bool | `false` |  |
+| global.hub | string | `"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress"` | Default hub for Istio images. Releases are published to docker hub under 'istio' project. Dev builds from prow are on gcr.io |
+| global.imagePullPolicy | string | `""` | Specify image pull policy if default behavior isn't desired. Default behavior: latest images will be Always else IfNotPresent. |
+| global.imagePullSecrets | list | `[]` | ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. Must be set for any cluster configured with private docker registry. |
+| global.ingressClass | string | `"higress"` | IngressClass filters which ingress resources the higress controller watches. The default ingress class is higress. There are some special cases for special ingress class. 1. When the ingress class is set as nginx, the higress controller will watch ingress resources with the nginx ingress class or without any ingress class. 2. When the ingress class is set empty, the higress controller will watch all ingress resources in the k8s cluster. |
+| global.istioNamespace | string | `"istio-system"` | Used to locate istiod. |
+| global.istiod | object | `{"enableAnalysis":false}` | Enabled by default in master for maximising testing. |
+| global.jwtPolicy | string | `"third-party-jwt"` | Configure the policy for validating JWT. Currently, two options are supported: "third-party-jwt" and "first-party-jwt". |
+| global.kind | bool | `false` |  |
+| global.liteMetrics | bool | `false` |  |
+| global.local | bool | `false` | When deploying to a local cluster (e.g.: kind cluster), set this to true. |
+| global.logAsJson | bool | `false` |  |
+| global.logging | object | `{"level":"default:info"}` | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level> The control plane has different scopes depending on component, but can configure default log level across all components If empty, default scope and level will be used as configured in code |
+| global.meshID | string | `""` | If the mesh admin does not specify a value, Istio will use the value of the mesh's Trust Domain. The best practice is to select a proper Trust Domain value. |
+| global.meshNetworks | object | `{}` |  |
+| global.mountMtlsCerts | bool | `false` | Use the user-specified, secret volume mounted key and certs for Pilot and workloads. |
+| global.multiCluster.clusterName | string | `""` | Should be set to the name of the cluster this installation will run in. This is required for sidecar injection to properly label proxies |
+| global.multiCluster.enabled | bool | `true` | Set to true to connect two kubernetes clusters via their respective ingressgateway services when pods in each cluster cannot directly talk to one another. All clusters should be using Istio mTLS and must have a shared root CA for this model to work. |
+| global.network | string | `""` | Network defines the network this cluster belong to. This name corresponds to the networks in the map of mesh networks. |
+| global.o11y | object | `{"enabled":false,"promtail":{"image":{"repository":"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/promtail","tag":"2.9.4"},"port":3101,"resources":{"limits":{"cpu":"500m","memory":"2Gi"}},"securityContext":{}}}` | Observability (o11y) configurations |
+| global.omitSidecarInjectorConfigMap | bool | `false` |  |
+| global.onDemandRDS | bool | `false` |  |
+| global.oneNamespace | bool | `false` | Whether to restrict the applications namespace the controller manages; If not set, controller watches all namespaces |
+| global.onlyPushRouteCluster | bool | `true` |  |
+| global.operatorManageWebhooks | bool | `false` | Configure whether Operator manages webhook configurations. The current behavior of Istiod is to manage its own webhook configurations. When this option is set as true, Istio Operator, instead of webhooks, manages the webhook configurations. When this option is set as false, webhooks manage their own webhook configurations. |
+| global.pilotCertProvider | string | `"istiod"` | Configure the certificate provider for control plane communication. Currently, two providers are supported: "kubernetes" and "istiod". As some platforms may not have kubernetes signing APIs, Istiod is the default |
+| global.priorityClassName | string | `""` | Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and system-node-critical, it is better to configure this in order to make sure your Istio pods will not be killed because of low priority class. Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass for more detail. |
+| global.proxy.autoInject | string | `"enabled"` | This controls the 'policy' in the sidecar injector. |
+| global.proxy.clusterDomain | string | `"cluster.local"` | CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value cluster domain. Default value is "cluster.local". |
+| global.proxy.componentLogLevel | string | `"misc:error"` | Per Component log level for proxy, applies to gateways and sidecars. If a component level is not set, then the global "logLevel" will be used. |
+| global.proxy.enableCoreDump | bool | `false` | If set, newly injected sidecars will have core dumps enabled. |
+| global.proxy.excludeIPRanges | string | `""` |  |
+| global.proxy.excludeInboundPorts | string | `""` |  |
+| global.proxy.excludeOutboundPorts | string | `""` |  |
+| global.proxy.holdApplicationUntilProxyStarts | bool | `false` | Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready |
+| global.proxy.image | string | `"proxyv2"` |  |
+| global.proxy.includeIPRanges | string | `"*"` | istio egress capture allowlist https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" would only capture egress traffic on those two IP Ranges, all other outbound traffic would be allowed by the sidecar |
+| global.proxy.includeInboundPorts | string | `"*"` |  |
+| global.proxy.includeOutboundPorts | string | `""` |  |
+| global.proxy.logLevel | string | `"warning"` | Log level for proxy, applies to gateways and sidecars. Expected values are: trace|debug|info|warning|error|critical|off |
+| global.proxy.privileged | bool | `false` | If set to true, istio-proxy container will have privileged securityContext |
+| global.proxy.readinessFailureThreshold | int | `30` | The number of successive failed probes before indicating readiness failure. |
+| global.proxy.readinessInitialDelaySeconds | int | `1` | The initial delay for readiness probes in seconds. |
+| global.proxy.readinessPeriodSeconds | int | `2` | The period between readiness probes. |
+| global.proxy.readinessSuccessThreshold | int | `30` | The number of successive successed probes before indicating readiness success. |
+| global.proxy.readinessTimeoutSeconds | int | `3` | The readiness timeout seconds |
+| global.proxy.resources | object | `{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Resources for the sidecar. |
+| global.proxy.statusPort | int | `15020` | Default port for Pilot agent health checks. A value of 0 will disable health checking. |
+| global.proxy.tracer | string | `""` | Specify which tracer to use. One of: lightstep, datadog, stackdriver. If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. |
+| global.proxy_init.image | string | `"proxyv2"` | Base name for the proxy_init container, used to configure iptables. |
+| global.proxy_init.resources.limits.cpu | string | `"2000m"` |  |
+| global.proxy_init.resources.limits.memory | string | `"1024Mi"` |  |
+| global.proxy_init.resources.requests.cpu | string | `"10m"` |  |
+| global.proxy_init.resources.requests.memory | string | `"10Mi"` |  |
+| global.remotePilotAddress | string | `""` | configure remote pilot and istiod service and endpoint |
+| global.sds.token | object | `{"aud":"istio-ca"}` | The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the JWT is intended for the CA. |
+| global.sts.servicePort | int | `0` | The service port used by Security Token Service (STS) server to handle token exchange requests. Setting this port to a non-zero value enables STS server. |
+| global.tracer | object | `{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":""},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200}}` | Configuration for each of the supported tracers |
+| global.tracer.datadog | object | `{"address":"$(HOST_IP):8126"}` | Configuration for envoy to send trace data to LightStep. Disabled by default. address: the <host>:<port> of the satellite pool accessToken: required for sending data to the pool  |
+| global.tracer.datadog.address | string | `"$(HOST_IP):8126"` | Host:Port for submitting traces to the Datadog agent. |
+| global.tracer.lightstep.accessToken | string | `""` | example: abcdefg1234567 |
+| global.tracer.lightstep.address | string | `""` | example: lightstep-satellite:443 |
+| global.tracer.stackdriver.debug | bool | `false` | enables trace output to stdout. |
+| global.tracer.stackdriver.maxNumberOfAnnotations | int | `200` | The global default max number of annotation events per span. |
+| global.tracer.stackdriver.maxNumberOfAttributes | int | `200` | The global default max number of attributes per span. |
+| global.tracer.stackdriver.maxNumberOfMessageEvents | int | `200` | The global default max number of message events per span. |
+| global.useMCP | bool | `false` | Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source. |
+| global.watchNamespace | string | `""` | If not empty, Higress Controller will only watch resources in the specified namespace. When isolating different business systems using K8s namespace, if each namespace requires a standalone gateway instance, this parameter can be used to confine the Ingress watching of Higress within the given namespace. |
+| global.xdsMaxRecvMsgSize | string | `"104857600"` |  |
+| hub | string | `"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress"` |  |
+| meshConfig | object | `{"enablePrometheusMerge":true,"rootNamespace":null,"trustDomain":"cluster.local"}` | meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options |
+| meshConfig.rootNamespace | string | `nil` | The namespace to treat as the administrative root namespace for Istio configuration. When processing a leaf namespace Istio will search for declarations in that namespace first and if none are found it will search in the root namespace. Any matching declaration found in the root namespace is processed as if it were declared in the leaf namespace. |
+| meshConfig.trustDomain | string | `"cluster.local"` | The trust domain corresponds to the trust root of a system Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain |
+| pilot.autoscaleEnabled | bool | `false` |  |
+| pilot.autoscaleMax | int | `5` |  |
+| pilot.autoscaleMin | int | `1` |  |
+| pilot.configMap | bool | `true` | Install the mesh config map, generated from values.yaml. If false, pilot wil use default values (by default) or user-supplied values. |
+| pilot.configSource | object | `{"subscribedResources":[]}` | This is used to set the source of configuration for the associated address in configSource, if nothing is specified the default MCP is assumed. |
+| pilot.cpu.targetAverageUtilization | int | `80` |  |
+| pilot.deploymentLabels | object | `{}` | Additional labels to apply to the deployment. |
+| pilot.enableProtocolSniffingForInbound | bool | `true` | if protocol sniffing is enabled for inbound |
+| pilot.enableProtocolSniffingForOutbound | bool | `true` | if protocol sniffing is enabled for outbound |
+| pilot.env.PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY | string | `"false"` |  |
+| pilot.env.PILOT_ENABLE_METADATA_EXCHANGE | string | `"false"` |  |
+| pilot.env.PILOT_SCOPE_GATEWAY_TO_NAMESPACE | string | `"false"` |  |
+| pilot.env.VALIDATION_ENABLED | string | `"false"` |  |
+| pilot.hub | string | `"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress"` |  |
+| pilot.image | string | `"pilot"` | Can be a full hub/image:tag |
+| pilot.jwksResolverExtraRootCA | string | `""` | You can use jwksResolverExtraRootCA to provide a root certificate in PEM format. This will then be trusted by pilot when resolving JWKS URIs. |
+| pilot.keepaliveMaxServerConnectionAge | string | `"30m"` | The following is used to limit how long a sidecar can be connected to a pilot. It balances out load across pilot instances at the cost of increasing system churn. |
+| pilot.nodeSelector | object | `{}` |  |
+| pilot.plugins | list | `[]` |  |
+| pilot.podAnnotations | object | `{}` |  |
+| pilot.podLabels | object | `{}` | Additional labels to apply on the pod level for monitoring and logging configuration. |
+| pilot.replicaCount | int | `1` |  |
+| pilot.resources | object | `{"requests":{"cpu":"500m","memory":"2048Mi"}}` | Resources for a small pilot install |
+| pilot.rollingMaxSurge | string | `"100%"` |  |
+| pilot.rollingMaxUnavailable | string | `"25%"` |  |
+| pilot.serviceAnnotations | object | `{}` |  |
+| pilot.tag | string | `""` |  |
+| pilot.traceSampling | float | `1` |  |
+| revision | string | `""` |  |
+| tracing.enable | bool | `false` |  |
+| tracing.sampling | int | `100` |  |
+| tracing.skywalking.port | int | `11800` |  |
+| tracing.skywalking.service | string | `""` |  |
+| tracing.timeout | int | `500` |  |
+| upstream | object | `{"connectionBufferLimits":10485760,"idleTimeout":10}` | Upstream config settings |
--- a/helm/higress/README.md.gotmpl
+++ b/helm/higress/README.md.gotmpl
@@ -0,0 +1,34 @@
+## Higress for Kubernetes
+
+Higress is a cloud-native api gateway based on Alibaba's internal gateway practices.
+
+Powered by Istio and Envoy, Higress realizes the integration of the triple gateway architecture of traffic gateway, microservice gateway and security gateway, thereby greatly reducing the costs of deployment, operation and maintenance.
+
+## Setup Repo Info
+
+```console
+helm repo add higress.io https://higress.io/helm-charts
+helm repo update
+```
+
+## Install
+
+To install the chart with the release name `higress`:
+
+```console
+helm install higress -n higress-system higress.io/higress --create-namespace --render-subchart-notes
+```
+
+## Uninstall
+
+To uninstall/delete the higress deployment:
+
+```console
+helm delete higress -n higress-system
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Parameters
+
+{{ template "chart.valuesSection" . }}
--- a/helm/higress/README.zh.md
+++ b/helm/higress/README.zh.md
@@ -0,0 +1,188 @@
+## Higress for Kubernetes
+
+Higress 是基于阿里巴巴内部网关实践构建的云原生 API 网关。
+
+依托 Istio 和 Envoy，Higress 实现了流量网关、微服务网关和安全网关三重架构的融合，从而大幅降低了部署、运维成本。
+
+## 设置仓库信息
+
+```console
+helm repo add higress.io https://higress.io/helm-charts
+helm repo update
+```
+
+## 安装
+
+以 `higress` 为发布名称安装 chart：
+
+```console
+helm install higress -n higress-system higress.io/higress --create-namespace --render-subchart-notes
+```
+
+## 卸载
+
+要卸载/删除 higress 部署：
+
+```console
+helm delete higress -n higress-system
+```
+
+该命令会移除与 chart 相关的所有 Kubernetes 组件，并删除发布。
+
+## 参数
+
+## 值
+
+| 键 | 类型 | 默认值 | 描述 |
+|-----|------|---------|-------------|
+| clusterName | 字符串 | `""` |  |
+| controller.affinity | 对象 | `{}` |  |
+| controller.automaticHttps.email | 字符串 | `""` |  |
+| controller.automaticHttps.enabled | 布尔值 | `true` |  |
+| controller.autoscaling.enabled | 布尔值 | `false` |  |
+| controller.autoscaling.maxReplicas | 整数 | `5` |  |
+| controller.autoscaling.minReplicas | 整数 | `1` |  |
+| controller.autoscaling.targetCPUUtilizationPercentage | 整数 | `80` |  |
+| controller.env | 对象 | `{}` |  |
+| controller.hub | 字符串 | `"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress"` |  |
+| controller.image | 字符串 | `"higress"` |  |
+| controller.imagePullSecrets | 列表 | `[]` |  |
+| controller.labels | 对象 | `{}` |  |
+| controller.name | 字符串 | `"higress-controller"` |  |
+| controller.nodeSelector | 对象 | `{}` |  |
+| controller.podAnnotations | 对象 | `{}` |  |
+| controller.podSecurityContext | 对象 | `{}` |  |
+| controller.ports[0].name | 字符串 | `"http"` |  |
+| controller.ports[0].port | 整数 | `8888` |  |
+| controller.ports[0].protocol | 字符串 | `"TCP"` |  |
+| controller.ports[0].targetPort | 整数 | `8888` |  |
+| controller.ports[1].name | 字符串 | `"http-solver"` |  |
+| controller.ports[1].port | 整数 | `8889` |  |
+| controller.ports[1].protocol | 字符串 | `"TCP"` |  |
+| controller.ports[1].targetPort | 整数 | `8889` |  |
+| controller.ports[2].name | 字符串 | `"grpc"` |  |
+| controller.ports[2].port | 整数 | `15051` |  |
+| controller.ports[2].protocol | 字符串 | `"TCP"` |  |
+| controller.ports[2].targetPort | 整数 | `15051` |  |
+| controller.probe.httpGet.path | 字符串 | `"/ready"` |  |
+| controller.probe.httpGet.port | 整数 | `8888` |  |
+| controller.probe.initialDelaySeconds | 整数 | `1` |  |
+| controller.probe.periodSeconds | 整数 | `3` |  |
+| controller.probe.timeoutSeconds | 整数 | `5` |  |
+| controller.rbac.create | 布尔值 | `true` |  |
+| controller.replicas | 整数 | `1` | Higress Controller 的 Pod 数量 |
+| controller.resources.limits.cpu | 字符串 | `"1000m"` |  |
+| controller.resources.limits.memory | 字符串 | `"2048Mi"` |  |
+| controller.resources.requests.cpu | 字符串 | `"500m"` |  |
+| controller.resources.requests.memory | 字符串 | `"2048Mi"` |  |
+| controller.securityContext | 对象 | `{}` |  |
+| controller.service.type | 字符串 | `"ClusterIP"` |  |
+| controller.serviceAccount.annotations | 对象 | `{}` | 添加到服务账户的注解 |
+| controller.serviceAccount.create | 布尔值 | `true` | 指定是否创建服务账户 |
+| controller.serviceAccount.name | 字符串 | `""` | 如果未设置且 create 为 true，则使用 fullname 模板生成名称 |
+| controller.tag | 字符串 | `""` |  |
+| controller.tolerations | 列表 | `[]` |  |
+| downstream | 对象 | `{"connectionBufferLimits":32768,"http2":{"initialConnectionWindowSize":1048576,"initialStreamWindowSize":65535,"maxConcurrentStreams":100},"idleTimeout":180,"maxRequestHeadersKb":60,"routeTimeout":0}` | 下游配置设置 |
+| gateway.affinity | 对象 | `{}` |  |
+| gateway.annotations | 对象 | `{}` | 应用到所有资源的注解 |
+| gateway.autoscaling.enabled | 布尔值 | `false` |  |
+| gateway.autoscaling.maxReplicas | 整数 | `5` |  |
+| gateway.autoscaling.minReplicas | 整数 | `1` |  |
+| gateway.autoscaling.targetCPUUtilizationPercentage | 整数 | `80` |  |
+| gateway.containerSecurityContext | 字符串 | `nil` |  |
+| gateway.env | 对象 | `{}` | Pod 环境变量 |
+| gateway.hostNetwork | 布尔值 | `false` |  |
+| gateway.httpPort | 整数 | `80` |  |
+| gateway.httpsPort | 整数 | `443` |  |
+| gateway.hub | 字符串 | `"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress"` |  |
+| gateway.image | 字符串 | `"gateway"` |  |
+| gateway.kind | 字符串 | `"Deployment"` | 使用 `DaemonSet` 或 `Deployment` |
+| gateway.labels | 对象 | `{}` | 应用到所有资源的标签 |
+| gateway.metrics.enabled | 布尔值 | `false` | 如果为 true，则为网关创建 PodMonitor 或 VMPodScrape |
+| gateway.metrics.honorLabels | 布尔值 | `false` |  |
+| gateway.metrics.interval | 字符串 | `""` |  |
+| gateway.metrics.metricRelabelConfigs | 列表 | `[]` | 用于 operator.victoriametrics.com/v1beta1.VMPodScrape |
+| gateway.metrics.metricRelabelings | 列表 | `[]` | 用于 monitoring.coreos.com/v1.PodMonitor |
+| gateway.metrics.provider | 字符串 | `"monitoring.coreos.com"` | CustomResourceDefinition 的提供者组名，可以是 monitoring.coreos.com 或 operator.victoriametrics.com |
+| gateway.metrics.rawSpec | 对象 | `{}` | 更多原始的 podMetricsEndpoints 规范 |
+| gateway.metrics.relabelConfigs | 列表 | `[]` |  |
+| gateway.metrics.relabelings | 列表 | `[]` |  |
+| gateway.metrics.scrapeTimeout | 字符串 | `""` |  |
+| gateway.name | 字符串 | `"higress-gateway"` |  |
+| gateway.networkGateway | 字符串 | `""` | 如果指定，网关将作为给定网络的网络网关。 |
+| gateway.nodeSelector | 对象 | `{}` |  |
+| gateway.podAnnotations."prometheus.io/path" | 字符串 | `"/stats/prometheus"` |  |
+| gateway.podAnnotations."prometheus.io/port" | 字符串 | `"15020"` |  |
+| gateway.podAnnotations."prometheus.io/scrape" | 字符串 | `"true"` |  |
+| gateway.podAnnotations."sidecar.istio.io/inject" | 字符串 | `"false"` |  |
+| gateway.rbac.enabled | 布尔值 | `true` | 如果启用，将创建角色以启用从网关访问证书。当使用 http://gateway-api.org/ 时不需要。 |
+| gateway.readinessFailureThreshold | 整数 | `30` | 指示准备失败前的连续失败探测次数。 |
+| gateway.readinessInitialDelaySeconds | 整数 | `1` | 准备探测的初始延迟秒数。 |
+| gateway.readinessPeriodSeconds | 整数 | `2` | 准备探测之间的间隔。 |
+| gateway.readinessSuccessThreshold | 整数 | `1` | 指示准备成功前的连续成功探测次数。 |
+| gateway.readinessTimeoutSeconds | 整数 | `3` | 准备探测的超时秒数 |
+| gateway.replicas | 整数 | `2` | Higress Gateway 的 Pod 数量 |
+| gateway.resources.limits.cpu | 字符串 | `"2000m"` |  |
+| gateway.resources.limits.memory | 字符串 | `"2048Mi"` |  |
+| gateway.resources.requests.cpu | 字符串 | `"2000m"` |  |
+| gateway.resources.requests.memory | 字符串 | `"2048Mi"` |  |
+| gateway.revision | 字符串 | `""` | 修订声明此网关属于哪个修订 |
+| gateway.rollingMaxSurge | 字符串 | `"100%"` |  |
+| gateway.rollingMaxUnavailable | 字符串 | `"25%"` |  |
+| gateway.securityContext | 字符串 | `nil` | 定义 Pod 的安全上下文。如果未设置，将自动设置为绑定到端口 80 和 443 所需的最小权限。在 Kubernetes 1.22+ 上，这只需要 `net.ipv4.ip_unprivileged_port_start` 系统调用。 |
+| gateway.service.annotations | 对象 | `{}` |  |
+| gateway.service.externalTrafficPolicy | 字符串 | `""` |  |
+| gateway.service.loadBalancerClass | 字符串 | `""` |  |
+| gateway.service.loadBalancerIP | 字符串 | `""` |  |
+| gateway.service.loadBalancerSourceRanges | 列表 | `[]` |  |
+| gateway.service.ports[0].name | 字符串 | `"http2"` |  |
+| gateway.service.ports[0].port | 整数 | `80` |  |
+| gateway.service.ports[0].protocol | 字符串 | `"TCP"` |  |
+| gateway.service.ports[0].targetPort | 整数 | `80` |  |
+| gateway.service.ports[1].name | 字符串 | `"https"` |  |
+| gateway.service.ports[1].port | 整数 | `443` |  |
+| gateway.service.ports[1].protocol | 字符串 | `"TCP"` |  |
+| gateway.service.ports[1].targetPort | 整数 | `443` |  |
+| gateway.service.type | 字符串 | `"LoadBalancer"` | 服务类型。设置为 "None" 以完全禁用服务 |
+| gateway.serviceAccount.annotations | 对象 | `{}` | 添加到服务账户的注解 |
+| gateway.serviceAccount.create | 布尔值 | `true` | 如果设置，将创建服务账户。否则，使用默认值 |
+| gateway.serviceAccount.name | 字符串 | `""` | 要使用的服务账户名称。如果未设置，则使用发布名称 |
+| gateway.tag | 字符串 | `""` |  |
+| gateway.tolerations | 列表 | `[]` |  |
+| gateway.unprivilegedPortSupported | 字符串 | `nil` |  |
+| global.autoscalingv2API | 布尔值 | `true` | 是否使用 autoscaling/v2 模板进行 HPA 设置，仅供内部使用，用户不应配置。 |
+| global.caAddress | 字符串 | `""` | 自定义的 CA 地址，用于为集群中的 Pod 检索证书。CSR 客户端（如 Istio Agent 和 ingress gateways）可以使用此地址指定 CA 端点。如果未明确设置，则默认为 Istio 发现地址。 |
+| global.caName | 字符串 | `""` | 工作负载证书的 CA 名称。例如，当 caName=GkeWorkloadCertificate 时，GKE 工作负载证书将用作工作负载的证书。默认值为 ""，当 caName="" 时，CA 将通过其他机制（如环境变量 CA_PROVIDER）配置。 |
+| global.configCluster | 布尔值 | `false` | 将远程集群配置为外部 istiod 的配置集群。 |
+| global.defaultPodDisruptionBudget | 对象 | `{"enabled":false}` | 为控制平面启用 Pod 中断预算，用于确保 Istio 控制平面组件逐步升级或恢复。 |
+| global.defaultResources | 对象 | `{"requests":{"cpu":"10m"}}` | 应用于所有部署的最小请求资源集，以便 Horizontal Pod Autoscaler 能够正常工作（如果设置）。每个组件可以通过在相关部分添加自己的资源块并设置所需的资源值来覆盖这些默认值。 |
+| global.defaultUpstreamConcurrencyThreshold | 整数 | `10000` |  |
+| global.disableAlpnH2 | 布尔值 | `false` | 是否在 ALPN 中禁用 HTTP/2 |
+| global.enableGatewayAPI | 布尔值 | `false` | 如果为 true，Higress Controller 还将监控 Gateway API 资源 |
+| global.enableH3 | 布尔值 | `false` |  |
+| global.enableIPv6 | 布尔值 | `false` |  |
+| global.enableIstioAPI | 布尔值 | `true` | 如果为 true，Higress Controller 还将监控 istio 资源 |
+| global.enableLDSCache | 布尔值 | `true` |  |
+| global.enableProxyProtocol | 布尔值 | `false` |  |
+| global.enablePushAllMCPClusters | 布尔值 | `true` |  |
+| global.enableSRDS | 布尔值 | `true` |  |
+| global.enableStatus | 布尔值 | `true` | 如果为 true，Higress Controller 将更新 Ingress 资源的状态字段。从 Nginx Ingress 迁移时，为了避免 Ingress 对象的状态字段被覆盖，需要将此参数设置为 false，以便 Higress 不会将入口 IP 写入相应 Ingress 对象的状态字段。 |
+| global.externalIstiod | 布尔值 | `false` | 配置由外部 istiod 控制的远程集群数据平面。当设置为 true 时，本地不部署 istiod，仅启用其他发现 chart 的子集。 |
+| global.hostRDSMergeSubset | 布尔值 | `false` |  |
+| global.hub | 字符串 | `"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress"` | Istio 镜像的默认仓库。发布版本发布到 docker hub 的 'istio' 项目下。来自 prow 的开发构建位于 gcr.io |
+| global.imagePullPolicy | 字符串 | `""` | 如果不需要默认行为，则指定镜像拉取策略。默认行为：最新镜像将始终拉取，否则 IfNotPresent。 |
+| global.imagePullSecrets | 列表 | `[]` | 所有 ServiceAccount 的 ImagePullSecrets，用于引用此 ServiceAccount 的 Pod 拉取任何镜像的同一命名空间中的秘密列表。对于不使用 ServiceAccount 的组件（即 grafana、servicegraph、tracing），ImagePullSecrets 将添加到相应的 Deployment(StatefulSet) 对象中。对于配置了私有 docker 注册表的任何集群，必须设置。 |
+| global.ingressClass | 字符串 | `"higress"` | IngressClass 过滤 higress controller 监听的 ingress 资源。默认的 ingress class 是 higress。有一些特殊情况用于特殊的 ingress class。1. 当 ingress class 设置为 nginx 时，higress controller 将监听带有 nginx ingress class 或没有任何 ingress class 的 ingress 资源。2. 当 ingress class 设置为空时，higress controller 将监听 k8s 集群中的所有 ingress 资源。 |
+| global.istioNamespace | 字符串 | `"istio-system"` | 用于定位 istiod。 |
+| global.istiod | 对象 | `{"enableAnalysis":false}` | 默认在主分支中启用以最大化测试。 |
+| global.jwtPolicy | 字符串 | `"third-party-jwt"` | 配置验证 JWT 的策略。目前支持两个选项："third-party-jwt" 和 "first-party-jwt"。 |
+| global.kind | 布尔值 | `false` |  |
+| global.liteMetrics | 布尔值 | `false` |  |
+| global.local | 布尔值 | `false` | 当部署到本地集群（如：kind 集群）时，将此设置为 true。 |
+| global.logAsJson | 布尔值 | `false` |  |
+| global.logging | 对象 | `{"level":"default:info"}` | 以逗号分隔的每个范围的最小日志级别，格式为 <scope>:<level>,<scope>:<level> 控制平面根据组件不同有不同的范围，但可以配置所有组件的默认日志级别 如果为空，将使用代码中配置的默认范围和级别 |
+| global.meshID | 字符串 | `""` | 如果网格管理员未指定值，Istio 将使用网格的信任域的值。最佳实践是选择一个合适的信任域值。 |
+| global.meshNetworks | 对象 | `{}` |  |
+| global.mountMtlsCerts | 布尔值 | `false` | 使用用户指定的、挂载的密钥和证书用于 Pilot 和工作负载。 |
+| global.multiCluster.clusterName | 字符串 | `""` | 应设置为此安装运行的集群的名称。这是为了正确标记代理的 sidecar 注入所必需的 |
+| global.multiCluster.enabled | 布尔值 | `true` | 设置为 true 以通过各自的 ingressgateway 服务连接两个 kubernetes 集群，当每个集群中的 Pod 无法直接相互通信时。
--- a/hgctl/pkg/plugin/test/templates.go
+++ b/hgctl/pkg/plugin/test/templates.go
@@ -114,6 +114,8 @@ static_resources:
                            value: |
 {{ .JSONExample }}
                  - name: envoy.filters.http.router
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
    - name: httpbin
      connect_timeout: 30s
--- a/istio/istio
+++ b/istio/istio
--- a/istio/proxy
+++ b/istio/proxy
--- a/pkg/bootstrap/server.go
+++ b/pkg/bootstrap/server.go
@@ -41,11 +41,11 @@ import (
 	"istio.io/istio/pkg/config/schema/kind"
 	"istio.io/istio/pkg/keepalive"
 	istiokube "istio.io/istio/pkg/kube"
+	"istio.io/istio/pkg/log"
 	"istio.io/istio/pkg/security"
 	"istio.io/istio/security/pkg/server/ca/authenticate"
 	"istio.io/istio/security/pkg/server/ca/authenticate/kubeauth"
 	"istio.io/pkg/ledger"
-	"istio.io/pkg/log"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/cache"

--- a/pkg/cert/certmgr.go
+++ b/pkg/cert/certmgr.go
@@ -173,7 +173,7 @@ func (s *CertMgr) Reconcile(ctx context.Context, oldConfig *Config, newConfig *C
 		s.cache.Start()
 		// sync domains
 		s.configMgr.SetConfig(newConfig)
-		CertLog.Infof("certMgr start to manageSync domains:+v%", newDomains)
+		CertLog.Infof("certMgr start to manageSync domains: %+v", newDomains)
 		s.manageSync(context.Background(), newDomains)
 		CertLog.Infof("certMgr manageSync domains done")
 	} else {
--- a/pkg/cert/log.go
+++ b/pkg/cert/log.go
@@ -14,6 +14,6 @@

 package cert

-import "istio.io/pkg/log"
+import "istio.io/istio/pkg/log"

-var CertLog = log.RegisterScope("cert", "Higress Cert process.", 0)
+var CertLog = log.RegisterScope("cert", "Higress Cert process.")
--- a/pkg/cmd/server.go
+++ b/pkg/cmd/server.go
@@ -25,7 +25,7 @@ import (
 	"istio.io/istio/pkg/config/constants"
 	"istio.io/istio/pkg/env"
 	"istio.io/istio/pkg/keepalive"
-	"istio.io/pkg/log"
+	"istio.io/istio/pkg/log"
 )

 var (
--- a/pkg/common/protocol.go
+++ b/pkg/common/protocol.go
@@ -21,7 +21,10 @@ type Protocol string
 const (
 	TCP         Protocol = "TCP"
 	HTTP        Protocol = "HTTP"
+	HTTP2       Protocol = "HTTP2"
+	HTTPS       Protocol = "HTTPS"
 	GRPC        Protocol = "GRPC"
+	GRPCS       Protocol = "GRPCS"
 	Dubbo       Protocol = "Dubbo"
 	Unsupported Protocol = "UnsupportedProtocol"
 )
@@ -32,8 +35,14 @@ func ParseProtocol(s string) Protocol {
 		return TCP
 	case "http":
 		return HTTP
+	case "https":
+		return HTTPS
+	case "http2":
+		return HTTP2
 	case "grpc", "triple", "tri":
 		return GRPC
+	case "grpcs":
+		return GRPCS
 	case "dubbo":
 		return Dubbo
 	}
@@ -51,7 +60,7 @@ func (p Protocol) IsTCP() bool {

 func (p Protocol) IsHTTP() bool {
 	switch p {
-	case HTTP, GRPC:
+	case HTTP, GRPC, GRPCS, HTTP2, HTTPS:
 		return true
 	default:
 		return false
@@ -60,7 +69,16 @@ func (p Protocol) IsHTTP() bool {

 func (p Protocol) IsGRPC() bool {
 	switch p {
-	case GRPC:
+	case GRPC, GRPCS:
+		return true
+	default:
+		return false
+	}
+}
+
+func (i Protocol) IsHTTPS() bool {
+	switch i {
+	case HTTPS, GRPCS:
 		return true
 	default:
 		return false
--- a/pkg/config/constants/constants.go
+++ b/pkg/config/constants/constants.go
@@ -23,3 +23,7 @@ const KnativeIngressCRDName = "ingresses.networking.internal.knative.dev"
 const KnativeServicesCRDName = "services.serving.knative.dev"

 const ManagedGatewayController = "higress.io/gateway-controller"
+
+const RegistryTypeLabelKey = "higress-registry-type"
+
+const RegistryNameLabelKey = "higress-registry-name"
--- a/pkg/config/envs.go
+++ b/pkg/config/envs.go
@@ -19,6 +19,7 @@ import "istio.io/pkg/env"
 var (
 	PodNamespace = env.RegisterStringVar("POD_NAMESPACE", "higress-system", "").Get()
 	PodName      = env.RegisterStringVar("POD_NAME", "", "").Get()
+	GatewayName  = env.RegisterStringVar("GATEWAY_NAME", "higress-gateway", "").Get()
 	// Revision is the value of the Istio control plane revision, e.g. "canary",
 	// and is the value used by the "istio.io/rev" label.
 	Revision = env.Register("REVISION", "", "").Get()
--- a/pkg/ingress/config/ingress_config.go
+++ b/pkg/ingress/config/ingress_config.go
@@ -34,6 +34,7 @@ import (
 	extensions "istio.io/api/extensions/v1alpha1"
 	networking "istio.io/api/networking/v1alpha3"
 	istiotype "istio.io/api/type/v1beta1"
+	"istio.io/istio/pilot/pkg/features"
 	istiomodel "istio.io/istio/pilot/pkg/model"
 	"istio.io/istio/pilot/pkg/util/protoconv"
 	"istio.io/istio/pkg/cluster"
@@ -53,6 +54,7 @@ import (
 	extlisterv1 "github.com/alibaba/higress/client/pkg/listers/extensions/v1alpha1"
 	netlisterv1 "github.com/alibaba/higress/client/pkg/listers/networking/v1"
 	"github.com/alibaba/higress/pkg/cert"
+	higressconst "github.com/alibaba/higress/pkg/config/constants"
 	"github.com/alibaba/higress/pkg/ingress/kube/annotations"
 	"github.com/alibaba/higress/pkg/ingress/kube/common"
 	"github.com/alibaba/higress/pkg/ingress/kube/configmap"
@@ -234,8 +236,9 @@ func (m *IngressConfig) AddLocalCluster(options common.Options) {
 		ingressController = ingressv1.NewController(m.localKubeClient, m.localKubeClient, options, secretController)
 	}
 	m.remoteIngressControllers[options.ClusterId] = ingressController
-
-	m.remoteGatewayControllers[options.ClusterId] = gateway.NewController(m.localKubeClient, options)
+	if features.EnableGatewayAPI {
+		m.remoteGatewayControllers[options.ClusterId] = gateway.NewController(m.localKubeClient, options)
+	}
 }

 func (m *IngressConfig) List(typ config.GroupVersionKind, namespace string) []config.Config {
@@ -300,21 +303,21 @@ func (m *IngressConfig) listFromIngressControllers(typ config.GroupVersionKind,
 	common.SortIngressByCreationTime(configs)
 	wrapperConfigs := m.createWrapperConfigs(configs)

-	IngressLog.Infof("resource type %s, configs number %d", typ, len(wrapperConfigs))
+	var result []config.Config
 	switch typ {
 	case gvk.Gateway:
-		return m.convertGateways(wrapperConfigs)
+		result = m.convertGateways(wrapperConfigs)
 	case gvk.VirtualService:
-		return m.convertVirtualService(wrapperConfigs)
+		result = m.convertVirtualService(wrapperConfigs)
 	case gvk.DestinationRule:
-		return m.convertDestinationRule(wrapperConfigs)
+		result = m.convertDestinationRule(wrapperConfigs)
 	case gvk.ServiceEntry:
-		return m.convertServiceEntry(wrapperConfigs)
+		result = m.convertServiceEntry(wrapperConfigs)
 	case gvk.WasmPlugin:
-		return m.convertWasmPlugin(wrapperConfigs)
+		result = m.convertWasmPlugin(wrapperConfigs)
 	}
-
-	return nil
+	IngressLog.Infof("resource type %s, ingress number %d, convert configs number %d", typ, len(configs), len(result))
+	return result
 }

 func (m *IngressConfig) listFromGatewayControllers(typ config.GroupVersionKind, namespace string) []config.Config {
@@ -628,8 +631,8 @@ func (m *IngressConfig) convertServiceEntry([]common.WrapperConfig) []config.Con
 	if m.RegistryReconciler == nil {
 		return nil
 	}
-	serviceEntries := m.RegistryReconciler.GetAllServiceEntryWrapper()
-	IngressLog.Infof("Found http2rpc serviceEntries %s", serviceEntries)
+	serviceEntries := m.RegistryReconciler.GetAllServiceWrapper()
+	IngressLog.Infof("Found mcp serviceEntries %v", serviceEntries)
 	out := make([]config.Config, 0, len(serviceEntries))
 	for _, se := range serviceEntries {
 		out = append(out, config.Config{
@@ -638,6 +641,10 @@ func (m *IngressConfig) convertServiceEntry([]common.WrapperConfig) []config.Con
 				Name:              se.ServiceEntry.Hosts[0],
 				Namespace:         "mcp",
 				CreationTimestamp: se.GetCreateTime(),
+				Labels: map[string]string{
+					higressconst.RegistryTypeLabelKey: se.RegistryType,
+					higressconst.RegistryNameLabelKey: se.RegistryName,
+				},
 			},
 			Spec: se.ServiceEntry,
 		})
@@ -703,6 +710,31 @@ func (m *IngressConfig) convertDestinationRule(configs []common.WrapperConfig) [
 		destinationRules[serviceName] = dr
 	}

+	if m.RegistryReconciler != nil {
+		drws := m.RegistryReconciler.GetAllDestinationRuleWrapper()
+		for _, destinationRuleWrapper := range drws {
+			serviceName := destinationRuleWrapper.ServiceKey.ServiceFQDN
+			dr, exist := destinationRules[serviceName]
+			if !exist {
+				destinationRules[serviceName] = destinationRuleWrapper
+			} else if dr.DestinationRule.TrafficPolicy != nil {
+				portTrafficPolicy := destinationRuleWrapper.DestinationRule.TrafficPolicy.PortLevelSettings[0]
+				portUpdated := false
+				for _, policy := range dr.DestinationRule.TrafficPolicy.PortLevelSettings {
+					if policy.Port.Number == portTrafficPolicy.Port.Number {
+						policy.Tls = portTrafficPolicy.Tls
+						portUpdated = true
+						break
+					}
+				}
+				if portUpdated {
+					continue
+				}
+				dr.DestinationRule.TrafficPolicy.PortLevelSettings = append(dr.DestinationRule.TrafficPolicy.PortLevelSettings, portTrafficPolicy)
+			}
+		}
+	}
+
 	out := make([]config.Config, 0, len(destinationRules))
 	for _, dr := range destinationRules {
 		sort.SliceStable(dr.DestinationRule.TrafficPolicy.PortLevelSettings, func(i, j int) bool {
@@ -727,6 +759,7 @@ func (m *IngressConfig) convertDestinationRule(configs []common.WrapperConfig) [
 			Spec: dr.DestinationRule,
 		})
 	}
+
 	return out
 }

@@ -848,7 +881,7 @@ func (m *IngressConfig) convertIstioWasmPlugin(obj *higressext.WasmPlugin) (*ext
 	if result.PluginConfig != nil {
 		return result, nil
 	}
-	if !obj.DefaultConfigDisable {
+	if !isBoolValueTrue(obj.DefaultConfigDisable) {
 		result.PluginConfig = obj.DefaultConfig
 	}
 	hasValidRule := false
@@ -860,7 +893,7 @@ func (m *IngressConfig) convertIstioWasmPlugin(obj *higressext.WasmPlugin) (*ext
 		}
 		var ruleValues []*_struct.Value
 		for _, rule := range obj.MatchRules {
-			if rule.ConfigDisable {
+			if isBoolValueTrue(rule.ConfigDisable) {
 				continue
 			}
 			if rule.Config == nil {
@@ -872,6 +905,7 @@ func (m *IngressConfig) convertIstioWasmPlugin(obj *higressext.WasmPlugin) (*ext
 				StructValue: rule.Config,
 			}

+			validRule := false
 			var matchItems []*_struct.Value
 			// match ingress
 			for _, ing := range rule.Ingress {
@@ -882,6 +916,7 @@ func (m *IngressConfig) convertIstioWasmPlugin(obj *higressext.WasmPlugin) (*ext
 				})
 			}
 			if len(matchItems) > 0 {
+				validRule = true
 				v.StructValue.Fields["_match_route_"] = &_struct.Value{
 					Kind: &_struct.Value_ListValue{
 						ListValue: &_struct.ListValue{
@@ -889,12 +924,9 @@ func (m *IngressConfig) convertIstioWasmPlugin(obj *higressext.WasmPlugin) (*ext
 						},
 					},
 				}
-				ruleValues = append(ruleValues, &_struct.Value{
-					Kind: v,
-				})
-				continue
 			}
 			// match service
+			matchItems = nil
 			for _, service := range rule.Service {
 				matchItems = append(matchItems, &_struct.Value{
 					Kind: &_struct.Value_StringValue{
@@ -903,6 +935,7 @@ func (m *IngressConfig) convertIstioWasmPlugin(obj *higressext.WasmPlugin) (*ext
 				})
 			}
 			if len(matchItems) > 0 {
+				validRule = true
 				v.StructValue.Fields["_match_service_"] = &_struct.Value{
 					Kind: &_struct.Value_ListValue{
 						ListValue: &_struct.ListValue{
@@ -910,12 +943,9 @@ func (m *IngressConfig) convertIstioWasmPlugin(obj *higressext.WasmPlugin) (*ext
 						},
 					},
 				}
-				ruleValues = append(ruleValues, &_struct.Value{
-					Kind: v,
-				})
-				continue
 			}
 			// match domain
+			matchItems = nil
 			for _, domain := range rule.Domain {
 				matchItems = append(matchItems, &_struct.Value{
 					Kind: &_struct.Value_StringValue{
@@ -923,19 +953,23 @@ func (m *IngressConfig) convertIstioWasmPlugin(obj *higressext.WasmPlugin) (*ext
 					},
 				})
 			}
-			if len(matchItems) == 0 {
+			if len(matchItems) > 0 {
+				validRule = true
+				v.StructValue.Fields["_match_domain_"] = &_struct.Value{
+					Kind: &_struct.Value_ListValue{
+						ListValue: &_struct.ListValue{
+							Values: matchItems,
+						},
+					},
+				}
+			}
+			if validRule {
+				ruleValues = append(ruleValues, &_struct.Value{
+					Kind: v,
+				})
+			} else {
 				return nil, fmt.Errorf("invalid match rule has no match condition, rule:%v", rule)
 			}
-			v.StructValue.Fields["_match_domain_"] = &_struct.Value{
-				Kind: &_struct.Value_ListValue{
-					ListValue: &_struct.ListValue{
-						Values: matchItems,
-					},
-				},
-			}
-			ruleValues = append(ruleValues, &_struct.Value{
-				Kind: v,
-			})
 		}
 		if len(ruleValues) > 0 {
 			hasValidRule = true
@@ -948,13 +982,17 @@ func (m *IngressConfig) convertIstioWasmPlugin(obj *higressext.WasmPlugin) (*ext
 			}
 		}
 	}
-	if !hasValidRule && obj.DefaultConfigDisable {
+	if !hasValidRule && isBoolValueTrue(obj.DefaultConfigDisable) {
 		return nil, nil
 	}
 	return result, nil

 }

+func isBoolValueTrue(b *wrappers.BoolValue) bool {
+	return b != nil && b.Value
+}
+
 func (m *IngressConfig) AddOrUpdateWasmPlugin(clusterNamespacedName util.ClusterNamespacedName) {
 	if clusterNamespacedName.Namespace != m.namespace {
 		return
@@ -1034,16 +1072,27 @@ func (m *IngressConfig) AddOrUpdateMcpBridge(clusterNamespacedName util.ClusterN
 	}
 	if m.RegistryReconciler == nil {
 		m.RegistryReconciler = reconcile.NewReconciler(func() {
-			metadata := config.Meta{
+			seMetadata := config.Meta{
 				Name:             "mcpbridge-serviceentry",
 				Namespace:        m.namespace,
 				GroupVersionKind: gvk.ServiceEntry,
 				// Set this label so that we do not compare configs and just push.
 				Labels: map[string]string{constants.AlwaysPushLabel: "true"},
 			}
+			drMetadata := config.Meta{
+				Name:             "mcpbridge-destinationrule",
+				Namespace:        m.namespace,
+				GroupVersionKind: gvk.DestinationRule,
+				// Set this label so that we do not compare configs and just push.
+				Labels: map[string]string{constants.AlwaysPushLabel: "true"},
+			}
 			for _, f := range m.serviceEntryHandlers {
 				IngressLog.Debug("McpBridge triggerd serviceEntry update")
-				f(config.Config{Meta: metadata}, config.Config{Meta: metadata}, istiomodel.EventUpdate)
+				f(config.Config{Meta: seMetadata}, config.Config{Meta: seMetadata}, istiomodel.EventUpdate)
+			}
+			for _, f := range m.destinationRuleHandlers {
+				IngressLog.Debug("McpBridge triggerd destinationRule update")
+				f(config.Config{Meta: drMetadata}, config.Config{Meta: drMetadata}, istiomodel.EventUpdate)
 			}
 		}, m.localKubeClient, m.namespace)
 	}
@@ -1489,7 +1538,7 @@ func constructBasicAuthEnvoyFilter(rules *common.BasicAuthRules, namespace strin
 	}, nil
 }

-func QueryByName(serviceEntries []*memory.ServiceEntryWrapper, serviceName string) (*memory.ServiceEntryWrapper, error) {
+func QueryByName(serviceEntries []*memory.ServiceWrapper, serviceName string) (*memory.ServiceWrapper, error) {
 	IngressLog.Infof("Found http2rpc serviceEntries %s", serviceEntries)
 	for _, se := range serviceEntries {
 		if se.ServiceName == serviceName {
@@ -1499,7 +1548,7 @@ func QueryByName(serviceEntries []*memory.ServiceEntryWrapper, serviceName strin
 	return nil, fmt.Errorf("can't find ServiceEntry by serviceName:%v", serviceName)
 }

-func QueryRpcServiceVersion(serviceEntry *memory.ServiceEntryWrapper, serviceName string) (string, error) {
+func QueryRpcServiceVersion(serviceEntry *memory.ServiceWrapper, serviceName string) (string, error) {
 	IngressLog.Infof("Found http2rpc serviceEntry %s", serviceEntry)
 	IngressLog.Infof("Found http2rpc ServiceEntry %s", serviceEntry.ServiceEntry)
 	IngressLog.Infof("Found http2rpc WorkloadSelector %s", serviceEntry.ServiceEntry.WorkloadSelector)
--- a/pkg/ingress/config/kingress_config.go
+++ b/pkg/ingress/config/kingress_config.go
@@ -493,7 +493,7 @@ func (m *KIngressConfig) HasSynced() bool {
 	defer m.mutex.RUnlock()

 	for _, remoteIngressController := range m.remoteIngressControllers {
-		IngressLog.Info("In Kingress Synced.", remoteIngressController)
+		IngressLog.Info("In Kingress Synced.")
 		if !remoteIngressController.HasSynced() {
 			return false
 		}
--- a/pkg/ingress/kube/annotations/annotations.go
+++ b/pkg/ingress/kube/annotations/annotations.go
@@ -69,6 +69,8 @@ type Ingress struct {

 	Auth *AuthConfig

+	Mirror *MirrorConfig
+
 	Destination *DestinationConfig

 	IgnoreCase *IgnoreCaseConfig
@@ -161,6 +163,7 @@ func NewAnnotationHandlerManager() AnnotationHandler {
 			localRateLimit{},
 			fallback{},
 			auth{},
+			mirror{},
 			destination{},
 			ignoreCaseMatching{},
 			match{},
@@ -182,6 +185,7 @@ func NewAnnotationHandlerManager() AnnotationHandler {
 			retry{},
 			localRateLimit{},
 			fallback{},
+			mirror{},
 			ignoreCaseMatching{},
 			match{},
 			headerControl{},
--- a/pkg/ingress/kube/annotations/auth.go
+++ b/pkg/ingress/kube/annotations/auth.go
@@ -15,12 +15,6 @@
 package annotations

 import (
-	"errors"
-	"sort"
-	"strings"
-
-	corev1 "k8s.io/api/core/v1"
-
 	"github.com/alibaba/higress/pkg/ingress/kube/util"
 	. "github.com/alibaba/higress/pkg/ingress/log"
 )
@@ -57,101 +51,10 @@ func (a auth) Parse(annotations Annotations, config *Ingress, globalContext *Glo
 	if !needAuthConfig(annotations) {
 		return nil
 	}
-
-	authConfig := &AuthConfig{
-		AuthType: defaultAuthType,
-	}
-
-	// Check auth type
-	authType, err := annotations.ParseStringASAP(authType)
-	if err != nil {
-		IngressLog.Errorf("Parse auth type error %v within ingress %/%s", err, config.Namespace, config.Name)
-		return nil
-	}
-	if authType != defaultAuthType {
-		IngressLog.Errorf("Auth type %s within ingress %/%s is not supported yet.", authType, config.Namespace, config.Name)
-		return nil
-	}
-
-	secretName, _ := annotations.ParseStringASAP(authSecretAnn)
-	namespaced := util.SplitNamespacedName(secretName)
-	if namespaced.Name == "" {
-		IngressLog.Errorf("Auth secret name within ingress %s/%s is invalid", config.Namespace, config.Name)
-		return nil
-	}
-	if namespaced.Namespace == "" {
-		namespaced.Namespace = config.Namespace
-	}
-
-	configKey := util.ClusterNamespacedName{
-		NamespacedName: namespaced,
-		ClusterId:      config.ClusterId,
-	}
-	authConfig.AuthSecret = configKey
-
-	// Subscribe secret
-	globalContext.WatchedSecrets.Insert(configKey.String())
-
-	secretType := authFileAuthSecretType
-	if rawSecretType, err := annotations.ParseStringASAP(authSecretTypeAnn); err == nil {
-		resultAuthSecretType := authSecretType(rawSecretType)
-		if resultAuthSecretType == authFileAuthSecretType || resultAuthSecretType == authMapAuthSecretType {
-			secretType = resultAuthSecretType
-		}
-	}
-
-	authConfig.AuthRealm, _ = annotations.ParseStringASAP(authRealm)
-
-	// Process credentials.
-	secretLister, exist := globalContext.ClusterSecretLister[config.ClusterId]
-	if !exist {
-		IngressLog.Errorf("secret lister of cluster %s doesn't exist", config.ClusterId)
-		return nil
-	}
-	authSecret, err := secretLister.Secrets(namespaced.Namespace).Get(namespaced.Name)
-	if err != nil {
-		IngressLog.Errorf("Secret %s within ingress %s/%s is not found",
-			namespaced.String(), config.Namespace, config.Name)
-		return nil
-	}
-	credentials, err := convertCredentials(secretType, authSecret)
-	if err != nil {
-		IngressLog.Errorf("Parse auth secret fail, err %v", err)
-		return nil
-	}
-	authConfig.Credentials = credentials
-
-	config.Auth = authConfig
+	IngressLog.Error("The annotation nginx.ingress.kubernetes.io/auth-type is no longer supported after version 2.0.0, please use the higress wasm plugin (e.g., basic-auth) as an alternative.")
 	return nil
 }

-func convertCredentials(secretType authSecretType, secret *corev1.Secret) ([]string, error) {
-	var result []string
-	switch secretType {
-	case authFileAuthSecretType:
-		users, exist := secret.Data[authFileKey]
-		if !exist {
-			return nil, errors.New("the auth file type must has auth key in secret data")
-		}
-		userList := strings.Split(string(users), "\n")
-		for _, item := range userList {
-			if !strings.Contains(item, ":") {
-				continue
-			}
-			result = append(result, item)
-		}
-	case authMapAuthSecretType:
-		for name, password := range secret.Data {
-			result = append(result, name+":"+string(password))
-		}
-	}
-	sort.SliceStable(result, func(i, j int) bool {
-		return result[i] < result[j]
-	})
-
-	return result, nil
-}
-
 func needAuthConfig(annotations Annotations) bool {
 	return annotations.HasASAP(authType) &&
 		annotations.HasASAP(authSecretAnn)
--- a/pkg/ingress/kube/annotations/auth_test.go
+++ b/pkg/ingress/kube/annotations/auth_test.go
@@ -1,197 +0,0 @@
-// Copyright (c) 2022 Alibaba Group Holding Ltd.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package annotations
-
-import (
-	"context"
-	"reflect"
-	"testing"
-	"time"
-
-	"istio.io/istio/pkg/cluster"
-	"istio.io/istio/pkg/util/sets"
-	v1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/client-go/informers"
-	"k8s.io/client-go/kubernetes/fake"
-	listerv1 "k8s.io/client-go/listers/core/v1"
-	"k8s.io/client-go/tools/cache"
-
-	"github.com/alibaba/higress/pkg/ingress/kube/util"
-)
-
-func TestAuthParse(t *testing.T) {
-	auth := auth{}
-	inputCases := []struct {
-		input         map[string]string
-		secret        *v1.Secret
-		expect        *AuthConfig
-		watchedSecret string
-	}{
-		{
-			secret: &v1.Secret{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "bar",
-					Namespace: "foo",
-				},
-				Data: map[string][]byte{
-					"auth": []byte("A:a\nB:b"),
-				},
-			},
-		},
-		{
-			input: map[string]string{
-				buildNginxAnnotationKey(authType): "digest",
-			},
-			expect: nil,
-			secret: &v1.Secret{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "bar",
-					Namespace: "foo",
-				},
-				Data: map[string][]byte{
-					"auth": []byte("A:a\nB:b"),
-				},
-			},
-		},
-		{
-			input: map[string]string{
-				buildNginxAnnotationKey(authType):        defaultAuthType,
-				buildHigressAnnotationKey(authSecretAnn): "foo/bar",
-			},
-			secret: &v1.Secret{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "bar",
-					Namespace: "foo",
-				},
-				Data: map[string][]byte{
-					"auth": []byte("A:a\nB:b"),
-				},
-			},
-			expect: &AuthConfig{
-				AuthType: defaultAuthType,
-				AuthSecret: util.ClusterNamespacedName{
-					NamespacedName: types.NamespacedName{
-						Namespace: "foo",
-						Name:      "bar",
-					},
-					ClusterId: "cluster",
-				},
-				Credentials: []string{"A:a", "B:b"},
-			},
-			watchedSecret: "cluster/foo/bar",
-		},
-		{
-			input: map[string]string{
-				buildNginxAnnotationKey(authType):          defaultAuthType,
-				buildHigressAnnotationKey(authSecretAnn):   "foo/bar",
-				buildNginxAnnotationKey(authSecretTypeAnn): string(authMapAuthSecretType),
-			},
-			secret: &v1.Secret{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "bar",
-					Namespace: "foo",
-				},
-				Data: map[string][]byte{
-					"A": []byte("a"),
-					"B": []byte("b"),
-				},
-			},
-			expect: &AuthConfig{
-				AuthType: defaultAuthType,
-				AuthSecret: util.ClusterNamespacedName{
-					NamespacedName: types.NamespacedName{
-						Namespace: "foo",
-						Name:      "bar",
-					},
-					ClusterId: "cluster",
-				},
-				Credentials: []string{"A:a", "B:b"},
-			},
-			watchedSecret: "cluster/foo/bar",
-		},
-		{
-			input: map[string]string{
-				buildNginxAnnotationKey(authType):          defaultAuthType,
-				buildHigressAnnotationKey(authSecretAnn):   "bar",
-				buildNginxAnnotationKey(authSecretTypeAnn): string(authFileAuthSecretType),
-			},
-			secret: &v1.Secret{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "bar",
-					Namespace: "default",
-				},
-				Data: map[string][]byte{
-					"auth": []byte("A:a\nB:b"),
-				},
-			},
-			expect: &AuthConfig{
-				AuthType: defaultAuthType,
-				AuthSecret: util.ClusterNamespacedName{
-					NamespacedName: types.NamespacedName{
-						Namespace: "default",
-						Name:      "bar",
-					},
-					ClusterId: "cluster",
-				},
-				Credentials: []string{"A:a", "B:b"},
-			},
-			watchedSecret: "cluster/default/bar",
-		},
-	}
-
-	for _, inputCase := range inputCases {
-		t.Run("", func(t *testing.T) {
-			config := &Ingress{
-				Meta: Meta{
-					Namespace: "default",
-					ClusterId: "cluster",
-				},
-			}
-
-			globalContext, cancel := initGlobalContext(inputCase.secret)
-			defer cancel()
-
-			_ = auth.Parse(inputCase.input, config, globalContext)
-			if !reflect.DeepEqual(inputCase.expect, config.Auth) {
-				t.Fatal("Should be equal")
-			}
-
-			if inputCase.watchedSecret != "" {
-				if !globalContext.WatchedSecrets.Contains(inputCase.watchedSecret) {
-					t.Fatalf("Should watch secret %s", inputCase.watchedSecret)
-				}
-			}
-		})
-	}
-}
-
-func initGlobalContext(secret *v1.Secret) (*GlobalContext, context.CancelFunc) {
-	ctx, cancel := context.WithCancel(context.Background())
-
-	client := fake.NewSimpleClientset(secret)
-	informerFactory := informers.NewSharedInformerFactory(client, time.Hour)
-	secretInformer := informerFactory.Core().V1().Secrets()
-	go secretInformer.Informer().Run(ctx.Done())
-	cache.WaitForCacheSync(ctx.Done(), secretInformer.Informer().HasSynced)
-
-	return &GlobalContext{
-		WatchedSecrets: sets.New[string](),
-		ClusterSecretLister: map[cluster.ID]listerv1.SecretLister{
-			"cluster": secretInformer.Lister(),
-		},
-	}, cancel
-}
--- a/pkg/ingress/kube/annotations/downstreamtls.go
+++ b/pkg/ingress/kube/annotations/downstreamtls.go
@@ -15,6 +15,7 @@
 package annotations

 import (
+	"fmt"
 	"strings"

 	networking "istio.io/api/networking/v1alpha3"
@@ -27,9 +28,11 @@ import (
 )

 const (
-	authTLSSecret      = "auth-tls-secret"
-	sslCipher          = "ssl-cipher"
-	gatewaySdsCaSuffix = "-cacert"
+	authTLSSecret           = "auth-tls-secret"
+	sslCipher               = "ssl-cipher"
+	gatewaySdsCaSuffix      = "-cacert"
+	annotationMinTLSVersion = "tls-min-protocol-version"
+	annotationMaxTLSVersion = "tls-max-protocol-version"
 )

 var (
@@ -41,6 +44,8 @@ type DownstreamTLSConfig struct {
 	CipherSuites []string
 	Mode         networking.ServerTLSSettings_TLSmode
 	CASecretName types.NamespacedName
+	MinVersion   string
+	MaxVersion   string
 }

 type downstreamTLS struct{}
@@ -82,6 +87,14 @@ func (d downstreamTLS) Parse(annotations Annotations, config *Ingress, _ *Global
 		downstreamTLSConfig.CipherSuites = validCipherSuite
 	}

+	if minVersion, err := annotations.ParseStringASAP(annotationMinTLSVersion); err == nil {
+		downstreamTLSConfig.MinVersion = minVersion
+	}
+
+	if maxVersion, err := annotations.ParseStringASAP(annotationMaxTLSVersion); err == nil {
+		downstreamTLSConfig.MaxVersion = maxVersion
+	}
+
 	return nil
 }

@@ -107,11 +120,44 @@ func (d downstreamTLS) ApplyGateway(gateway *networking.Gateway, config *Ingress
 			if len(downstreamTLSConfig.CipherSuites) != 0 {
 				server.Tls.CipherSuites = downstreamTLSConfig.CipherSuites
 			}
+
+			if downstreamTLSConfig.MinVersion != "" {
+				if version, err := convertTLSVersion(downstreamTLSConfig.MinVersion); err != nil {
+					IngressLog.Errorf("Invalid minimum TLS version: %v", err)
+				} else {
+					server.Tls.MinProtocolVersion = version
+				}
+			}
+
+			if downstreamTLSConfig.MaxVersion != "" {
+				if version, err := convertTLSVersion(downstreamTLSConfig.MaxVersion); err != nil {
+					IngressLog.Errorf("Invalid maximum TLS version: %v", err)
+				} else {
+					server.Tls.MaxProtocolVersion = version
+				}
+			}
+
 		}
 	}
 }

 func needDownstreamTLS(annotations Annotations) bool {
 	return annotations.HasASAP(sslCipher) ||
-		annotations.HasASAP(authTLSSecret)
+		annotations.HasASAP(authTLSSecret) ||
+		annotations.HasASAP(annotationMinTLSVersion) ||
+		annotations.HasASAP(annotationMaxTLSVersion)
+}
+
+func convertTLSVersion(version string) (networking.ServerTLSSettings_TLSProtocol, error) {
+	switch version {
+	case "TLSv1.0":
+		return networking.ServerTLSSettings_TLSV1_0, nil
+	case "TLSv1.1":
+		return networking.ServerTLSSettings_TLSV1_1, nil
+	case "TLSv1.2":
+		return networking.ServerTLSSettings_TLSV1_2, nil
+	case "TLSv1.3":
+		return networking.ServerTLSSettings_TLSV1_3, nil
+	}
+	return networking.ServerTLSSettings_TLS_AUTO, fmt.Errorf("invalid TLS version: %s. Valid values are: TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3", version)
 }
--- a/pkg/ingress/kube/annotations/downstreamtls_test.go
+++ b/pkg/ingress/kube/annotations/downstreamtls_test.go
@@ -26,11 +26,15 @@ var parser = downstreamTLS{}

 func TestParse(t *testing.T) {
 	testCases := []struct {
+		name   string
 		input  map[string]string
 		expect *DownstreamTLSConfig
 	}{
-		{},
 		{
+			name: "empty config",
+		},
+		{
+			name: "ssl cipher only",
 			input: map[string]string{
 				buildNginxAnnotationKey(sslCipher): "ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA",
 			},
@@ -40,9 +44,24 @@ func TestParse(t *testing.T) {
 			},
 		},
 		{
+			name: "with TLS version config",
 			input: map[string]string{
-				buildNginxAnnotationKey(authTLSSecret): "test",
-				buildNginxAnnotationKey(sslCipher):     "ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA",
+				buildNginxAnnotationKey(annotationMinTLSVersion): "TLSv1.2",
+				buildNginxAnnotationKey(annotationMaxTLSVersion): "TLSv1.3",
+			},
+			expect: &DownstreamTLSConfig{
+				Mode:       networking.ServerTLSSettings_SIMPLE,
+				MinVersion: "TLSv1.2",
+				MaxVersion: "TLSv1.3",
+			},
+		},
+		{
+			name: "complete config",
+			input: map[string]string{
+				buildNginxAnnotationKey(authTLSSecret):           "test",
+				buildNginxAnnotationKey(sslCipher):               "ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA",
+				buildNginxAnnotationKey(annotationMinTLSVersion): "TLSv1.2",
+				buildNginxAnnotationKey(annotationMaxTLSVersion): "TLSv1.3",
 			},
 			expect: &DownstreamTLSConfig{
 				CASecretName: types.NamespacedName{
@@ -51,34 +70,79 @@ func TestParse(t *testing.T) {
 				},
 				Mode:         networking.ServerTLSSettings_MUTUAL,
 				CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"},
-			},
-		},
-		{
-			input: map[string]string{
-				buildHigressAnnotationKey(authTLSSecret):   "test/foo",
-				DefaultAnnotationsPrefix + "/" + sslCipher: "ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA",
-			},
-			expect: &DownstreamTLSConfig{
-				CASecretName: types.NamespacedName{
-					Namespace: "test",
-					Name:      "foo",
-				},
-				Mode:         networking.ServerTLSSettings_MUTUAL,
-				CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"},
+				MinVersion:   "TLSv1.2",
+				MaxVersion:   "TLSv1.3",
 			},
 		},
 	}

-	for _, testCase := range testCases {
-		t.Run("", func(t *testing.T) {
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
 			config := &Ingress{
 				Meta: Meta{
 					Namespace: "foo",
 				},
 			}
-			_ = parser.Parse(testCase.input, config, nil)
-			if !reflect.DeepEqual(testCase.expect, config.DownstreamTLS) {
-				t.Fatalf("Should be equal")
+			err := parser.Parse(tc.input, config, nil)
+			if err != nil {
+				t.Fatalf("Parse failed: %v", err)
+			}
+			if !reflect.DeepEqual(tc.expect, config.DownstreamTLS) {
+				t.Fatalf("Parse result mismatch:\nExpect: %+v\nGot: %+v", tc.expect, config.DownstreamTLS)
+			}
+		})
+	}
+}
+
+func TestConvertTLSVersion(t *testing.T) {
+	testCases := []struct {
+		name    string
+		version string
+		expect  networking.ServerTLSSettings_TLSProtocol
+		wantErr bool
+	}{
+		{
+			name:    "TLS 1.0",
+			version: "TLSv1.0",
+			expect:  networking.ServerTLSSettings_TLSV1_0,
+		},
+		{
+			name:    "TLS 1.1",
+			version: "TLSv1.1",
+			expect:  networking.ServerTLSSettings_TLSV1_1,
+		},
+		{
+			name:    "TLS 1.2",
+			version: "TLSv1.2",
+			expect:  networking.ServerTLSSettings_TLSV1_2,
+		},
+		{
+			name:    "TLS 1.3",
+			version: "TLSv1.3",
+			expect:  networking.ServerTLSSettings_TLSV1_3,
+		},
+		{
+			name:    "invalid version",
+			version: "invalid",
+			expect:  networking.ServerTLSSettings_TLS_AUTO,
+			wantErr: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result, err := convertTLSVersion(tc.version)
+			if tc.wantErr {
+				if err == nil {
+					t.Error("Expected error but got none")
+				}
+			} else {
+				if err != nil {
+					t.Errorf("Unexpected error: %v", err)
+				}
+				if result != tc.expect {
+					t.Errorf("Expected %v but got %v", tc.expect, result)
+				}
 			}
 		})
 	}
@@ -86,11 +150,13 @@ func TestParse(t *testing.T) {

 func TestApplyGateway(t *testing.T) {
 	testCases := []struct {
+		name   string
 		input  *networking.Gateway
 		config *Ingress
 		expect *networking.Gateway
 	}{
 		{
+			name: "apply TLS version",
 			input: &networking.Gateway{
 				Servers: []*networking.Server{
 					{
@@ -105,7 +171,8 @@ func TestApplyGateway(t *testing.T) {
 			},
 			config: &Ingress{
 				DownstreamTLS: &DownstreamTLSConfig{
-					CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384"},
+					MinVersion: "TLSv1.2",
+					MaxVersion: "TLSv1.3",
 				},
 			},
 			expect: &networking.Gateway{
@@ -115,14 +182,16 @@ func TestApplyGateway(t *testing.T) {
 							Protocol: "HTTPS",
 						},
 						Tls: &networking.ServerTLSSettings{
-							Mode:         networking.ServerTLSSettings_SIMPLE,
-							CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384"},
+							Mode:               networking.ServerTLSSettings_SIMPLE,
+							MinProtocolVersion: networking.ServerTLSSettings_TLSV1_2,
+							MaxProtocolVersion: networking.ServerTLSSettings_TLSV1_3,
 						},
 					},
 				},
 			},
 		},
 		{
+			name: "complete config",
 			input: &networking.Gateway{
 				Servers: []*networking.Server{
 					{
@@ -144,24 +213,28 @@ func TestApplyGateway(t *testing.T) {
 					},
 					Mode:         networking.ServerTLSSettings_MUTUAL,
 					CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384"},
+					MinVersion:   "TLSv1.2",
+					MaxVersion:   "TLSv1.3",
 				},
 			},
 			expect: &networking.Gateway{
 				Servers: []*networking.Server{
-					{
-						Port: &networking.Port{
-							Protocol: "HTTPS",
-						},
+					{Port: &networking.Port{
+						Protocol: "HTTPS",
+					},
 						Tls: &networking.ServerTLSSettings{
-							CredentialName: "kubernetes-ingress://cluster/foo/bar",
-							Mode:           networking.ServerTLSSettings_MUTUAL,
-							CipherSuites:   []string{"ECDHE-RSA-AES256-GCM-SHA384"},
+							CredentialName:     "kubernetes-ingress://cluster/foo/bar",
+							Mode:               networking.ServerTLSSettings_MUTUAL,
+							CipherSuites:       []string{"ECDHE-RSA-AES256-GCM-SHA384"},
+							MinProtocolVersion: networking.ServerTLSSettings_TLSV1_2,
+							MaxProtocolVersion: networking.ServerTLSSettings_TLSV1_3,
 						},
 					},
 				},
 			},
 		},
 		{
+			name: "invalid TLS version",
 			input: &networking.Gateway{
 				Servers: []*networking.Server{
 					{
@@ -169,20 +242,15 @@ func TestApplyGateway(t *testing.T) {
 							Protocol: "HTTPS",
 						},
 						Tls: &networking.ServerTLSSettings{
-							Mode:           networking.ServerTLSSettings_SIMPLE,
-							CredentialName: "kubernetes-ingress://cluster/foo/bar",
+							Mode: networking.ServerTLSSettings_SIMPLE,
 						},
 					},
 				},
 			},
 			config: &Ingress{
 				DownstreamTLS: &DownstreamTLSConfig{
-					CASecretName: types.NamespacedName{
-						Namespace: "foo",
-						Name:      "bar-cacert",
-					},
-					Mode:         networking.ServerTLSSettings_MUTUAL,
-					CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384"},
+					MinVersion: "invalid",
+					MaxVersion: "invalid",
 				},
 			},
 			expect: &networking.Gateway{
@@ -192,48 +260,10 @@ func TestApplyGateway(t *testing.T) {
 							Protocol: "HTTPS",
 						},
 						Tls: &networking.ServerTLSSettings{
-							CredentialName: "kubernetes-ingress://cluster/foo/bar",
-							Mode:           networking.ServerTLSSettings_MUTUAL,
-							CipherSuites:   []string{"ECDHE-RSA-AES256-GCM-SHA384"},
-						},
-					},
-				},
-			},
-		},
-		{
-			input: &networking.Gateway{
-				Servers: []*networking.Server{
-					{
-						Port: &networking.Port{
-							Protocol: "HTTPS",
-						},
-						Tls: &networking.ServerTLSSettings{
-							Mode:           networking.ServerTLSSettings_SIMPLE,
-							CredentialName: "kubernetes-ingress://cluster/foo/bar",
-						},
-					},
-				},
-			},
-			config: &Ingress{
-				DownstreamTLS: &DownstreamTLSConfig{
-					CASecretName: types.NamespacedName{
-						Namespace: "bar",
-						Name:      "foo",
-					},
-					Mode:         networking.ServerTLSSettings_MUTUAL,
-					CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384"},
-				},
-			},
-			expect: &networking.Gateway{
-				Servers: []*networking.Server{
-					{
-						Port: &networking.Port{
-							Protocol: "HTTPS",
-						},
-						Tls: &networking.ServerTLSSettings{
-							CredentialName: "kubernetes-ingress://cluster/foo/bar",
-							Mode:           networking.ServerTLSSettings_SIMPLE,
-							CipherSuites:   []string{"ECDHE-RSA-AES256-GCM-SHA384"},
+							Mode: networking.ServerTLSSettings_SIMPLE,
+							// Invalid versions should default to TLS_AUTO
+							MinProtocolVersion: networking.ServerTLSSettings_TLS_AUTO,
+							MaxProtocolVersion: networking.ServerTLSSettings_TLS_AUTO,
 						},
 					},
 				},
@@ -241,11 +271,59 @@ func TestApplyGateway(t *testing.T) {
 		},
 	}

-	for _, testCase := range testCases {
-		t.Run("", func(t *testing.T) {
-			parser.ApplyGateway(testCase.input, testCase.config)
-			if !reflect.DeepEqual(testCase.input, testCase.expect) {
-				t.Fatalf("Should be equal")
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			parser.ApplyGateway(tc.input, tc.config)
+			if !reflect.DeepEqual(tc.input, tc.expect) {
+				t.Fatalf("ApplyGateway result mismatch for %s:\nExpect: %+v\nGot: %+v",
+					tc.name, tc.expect, tc.input)
+			}
+		})
+	}
+}
+
+func TestNeedDownstreamTLS(t *testing.T) {
+	testCases := []struct {
+		name        string
+		annotations map[string]string
+		expect      bool
+	}{
+		{
+			name:        "empty annotations",
+			annotations: map[string]string{},
+			expect:      false,
+		},
+		{
+			name: "with ssl cipher",
+			annotations: map[string]string{
+				buildNginxAnnotationKey(sslCipher): "ECDHE-RSA-AES256-GCM-SHA384",
+			},
+			expect: true,
+		},
+		{
+			name: "with TLS version",
+			annotations: map[string]string{
+				buildNginxAnnotationKey(annotationMinTLSVersion): "TLSv1.2",
+			},
+			expect: true,
+		},
+		{
+			name: "with multiple TLS configs",
+			annotations: map[string]string{
+				buildNginxAnnotationKey(sslCipher):               "ECDHE-RSA-AES256-GCM-SHA384",
+				buildNginxAnnotationKey(annotationMinTLSVersion): "TLSv1.2",
+				buildNginxAnnotationKey(annotationMaxTLSVersion): "TLSv1.3",
+			},
+			expect: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := needDownstreamTLS(tc.annotations)
+			if result != tc.expect {
+				t.Errorf("needDownstreamTLS() for %s = %v, want %v",
+					tc.name, result, tc.expect)
 			}
 		})
 	}
--- a/pkg/ingress/kube/annotations/mirror.go
+++ b/pkg/ingress/kube/annotations/mirror.go
@@ -0,0 +1,118 @@
+// Copyright (c) 2023 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package annotations
+
+import (
+	"github.com/alibaba/higress/pkg/ingress/kube/util"
+	. "github.com/alibaba/higress/pkg/ingress/log"
+	wrappers "google.golang.org/protobuf/types/known/wrapperspb"
+	networking "istio.io/api/networking/v1alpha3"
+)
+
+const (
+	mirrorTargetService = "mirror-target-service"
+	mirrorPercentage    = "mirror-percentage"
+)
+
+var (
+	_ Parser       = &mirror{}
+	_ RouteHandler = &mirror{}
+)
+
+type MirrorConfig struct {
+	util.ServiceInfo
+	Percentage *wrappers.DoubleValue
+}
+
+type mirror struct{}
+
+func (m mirror) Parse(annotations Annotations, config *Ingress, globalContext *GlobalContext) error {
+	if !needMirror(annotations) {
+		return nil
+	}
+
+	target, err := annotations.ParseStringASAP(mirrorTargetService)
+	if err != nil {
+		IngressLog.Errorf("Get mirror target service fail, err: %v", err)
+		return nil
+	}
+
+	serviceInfo, err := util.ParseServiceInfo(target, config.Namespace)
+	if err != nil {
+		IngressLog.Errorf("Get mirror target service fail, err: %v", err)
+		return nil
+	}
+
+	serviceLister, exist := globalContext.ClusterServiceList[config.ClusterId]
+	if !exist {
+		IngressLog.Errorf("service lister of cluster %s doesn't exist", config.ClusterId)
+		return nil
+	}
+
+	service, err := serviceLister.Services(serviceInfo.Namespace).Get(serviceInfo.Name)
+	if err != nil {
+		IngressLog.Errorf("Mirror service %s/%s within ingress %s/%s is not found, with err: %v",
+			serviceInfo.Namespace, serviceInfo.Name, config.Namespace, config.Name, err)
+		return nil
+	}
+	if service == nil {
+		IngressLog.Errorf("service %s/%s within ingress %s/%s is empty value",
+			serviceInfo.Namespace, serviceInfo.Name, config.Namespace, config.Name)
+		return nil
+	}
+
+	if serviceInfo.Port == 0 {
+		// Use the first port
+		serviceInfo.Port = uint32(service.Spec.Ports[0].Port)
+	}
+
+	var percentage *wrappers.DoubleValue
+	if value, err := annotations.ParseIntASAP(mirrorPercentage); err == nil {
+		if value < 100 {
+			percentage = &wrappers.DoubleValue{
+				Value: float64(value),
+			}
+		}
+	}
+
+	config.Mirror = &MirrorConfig{
+		ServiceInfo: serviceInfo,
+		Percentage:  percentage,
+	}
+	return nil
+}
+
+func (m mirror) ApplyRoute(route *networking.HTTPRoute, config *Ingress) {
+	if config.Mirror == nil {
+		return
+	}
+
+	route.Mirror = &networking.Destination{
+		Host: util.CreateServiceFQDN(config.Mirror.Namespace, config.Mirror.Name),
+		Port: &networking.PortSelector{
+			Number: config.Mirror.Port,
+		},
+	}
+
+	if config.Mirror.Percentage != nil {
+		route.MirrorPercentage = &networking.Percent{
+			Value: config.Mirror.Percentage.GetValue(),
+		}
+	}
+}
+
+func needMirror(annotations Annotations) bool {
+	return annotations.HasASAP(mirrorTargetService)
+}
--- a/pkg/ingress/kube/annotations/mirror_test.go
+++ b/pkg/ingress/kube/annotations/mirror_test.go
@@ -0,0 +1,163 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package annotations
+
+import (
+	"github.com/alibaba/higress/pkg/ingress/kube/util"
+	"github.com/golang/protobuf/proto"
+	networking "istio.io/api/networking/v1alpha3"
+	"istio.io/istio/pilot/pkg/model"
+	"reflect"
+	"testing"
+)
+
+func TestParseMirror(t *testing.T) {
+	testCases := []struct {
+		input  []map[string]string
+		expect *MirrorConfig
+	}{
+		{},
+		{
+			input: []map[string]string{
+				{buildHigressAnnotationKey(mirrorTargetService): "test/app"},
+				{buildNginxAnnotationKey(mirrorTargetService): "test/app"},
+			},
+			expect: &MirrorConfig{
+				ServiceInfo: util.ServiceInfo{
+					NamespacedName: model.NamespacedName{
+						Namespace: "test",
+						Name:      "app",
+					},
+					Port: 80,
+				},
+			},
+		},
+		{
+			input: []map[string]string{
+				{buildHigressAnnotationKey(mirrorTargetService): "test/app:8080"},
+				{buildNginxAnnotationKey(mirrorTargetService): "test/app:8080"},
+			},
+			expect: &MirrorConfig{
+				ServiceInfo: util.ServiceInfo{
+					NamespacedName: model.NamespacedName{
+						Namespace: "test",
+						Name:      "app",
+					},
+					Port: 8080,
+				},
+			},
+		},
+		{
+			input: []map[string]string{
+				{buildHigressAnnotationKey(mirrorTargetService): "test/app:hi"},
+				{buildNginxAnnotationKey(mirrorTargetService): "test/app:hi"},
+			},
+			expect: &MirrorConfig{
+				ServiceInfo: util.ServiceInfo{
+					NamespacedName: model.NamespacedName{
+						Namespace: "test",
+						Name:      "app",
+					},
+					Port: 80,
+				},
+			},
+		},
+		{
+			input: []map[string]string{
+				{buildHigressAnnotationKey(mirrorTargetService): "test/app"},
+				{buildNginxAnnotationKey(mirrorTargetService): "test/app"},
+			},
+			expect: &MirrorConfig{
+				ServiceInfo: util.ServiceInfo{
+					NamespacedName: model.NamespacedName{
+						Namespace: "test",
+						Name:      "app",
+					},
+					Port: 80,
+				},
+			},
+		},
+	}
+
+	mirror := mirror{}
+
+	for _, testCase := range testCases {
+		t.Run("", func(t *testing.T) {
+			config := &Ingress{
+				Meta: Meta{
+					Namespace: "test",
+					ClusterId: "cluster",
+				},
+			}
+			globalContext, cancel := initGlobalContextForService()
+			defer cancel()
+
+			for _, in := range testCase.input {
+				_ = mirror.Parse(in, config, globalContext)
+				if !reflect.DeepEqual(testCase.expect, config.Mirror) {
+					t.Log("expect:", *testCase.expect)
+					t.Log("actual:", *config.Mirror)
+					t.Fatal("Should be equal")
+				}
+			}
+		})
+	}
+}
+
+func TestMirror_ApplyRoute(t *testing.T) {
+	testCases := []struct {
+		config *Ingress
+		input  *networking.HTTPRoute
+		expect *networking.HTTPRoute
+	}{
+		{
+			config: &Ingress{},
+			input:  &networking.HTTPRoute{},
+			expect: &networking.HTTPRoute{},
+		},
+		{
+			config: &Ingress{
+				Mirror: &MirrorConfig{
+					ServiceInfo: util.ServiceInfo{
+						NamespacedName: model.NamespacedName{
+							Namespace: "default",
+							Name:      "test",
+						},
+						Port: 8080,
+					},
+				},
+			},
+			input: &networking.HTTPRoute{},
+			expect: &networking.HTTPRoute{
+				Mirror: &networking.Destination{
+					Host: "test.default.svc.cluster.local",
+					Port: &networking.PortSelector{
+						Number: 8080,
+					},
+				},
+			},
+		},
+	}
+
+	mirror := mirror{}
+	for _, testCase := range testCases {
+		t.Run("", func(t *testing.T) {
+			mirror.ApplyRoute(testCase.input, testCase.config)
+			if !proto.Equal(testCase.input, testCase.expect) {
+				t.Fatal("Must be equal.")
+			}
+		})
+	}
+}
--- a/pkg/ingress/kube/common/controller.go
+++ b/pkg/ingress/kube/common/controller.go
@@ -52,6 +52,15 @@ type WrapperGateway struct {
 	Host          string
 }

+func CreateMcpServiceKey(host string, portNumber int32) ServiceKey {
+	return ServiceKey{
+		Namespace:   "mcp",
+		Name:        host,
+		ServiceFQDN: host,
+		Port:        portNumber,
+	}
+}
+
 func (w *WrapperGateway) IsHTTPS() bool {
 	if w.Gateway == nil || len(w.Gateway.Servers) == 0 {
 		return false
--- a/pkg/ingress/kube/configmap/tracing.go
+++ b/pkg/ingress/kube/configmap/tracing.go
@@ -255,6 +255,59 @@ func (t *TracingController) ConstructEnvoyFilters() ([]*config.Config, error) {
 		return configs, nil
 	}

+	configPatches := []*networking.EnvoyFilter_EnvoyConfigObjectPatch{
+		{
+			ApplyTo: networking.EnvoyFilter_NETWORK_FILTER,
+			Match: &networking.EnvoyFilter_EnvoyConfigObjectMatch{
+				Context: networking.EnvoyFilter_GATEWAY,
+				ObjectTypes: &networking.EnvoyFilter_EnvoyConfigObjectMatch_Listener{
+					Listener: &networking.EnvoyFilter_ListenerMatch{
+						FilterChain: &networking.EnvoyFilter_ListenerMatch_FilterChainMatch{
+							Filter: &networking.EnvoyFilter_ListenerMatch_FilterMatch{
+								Name: "envoy.filters.network.http_connection_manager",
+							},
+						},
+					},
+				},
+			},
+			Patch: &networking.EnvoyFilter_Patch{
+				Operation: networking.EnvoyFilter_Patch_MERGE,
+				Value:     util.BuildPatchStruct(tracingConfig),
+			},
+		},
+		{
+			ApplyTo: networking.EnvoyFilter_HTTP_FILTER,
+			Match: &networking.EnvoyFilter_EnvoyConfigObjectMatch{
+				Context: networking.EnvoyFilter_GATEWAY,
+				ObjectTypes: &networking.EnvoyFilter_EnvoyConfigObjectMatch_Listener{
+					Listener: &networking.EnvoyFilter_ListenerMatch{
+						FilterChain: &networking.EnvoyFilter_ListenerMatch_FilterChainMatch{
+							Filter: &networking.EnvoyFilter_ListenerMatch_FilterMatch{
+								Name: "envoy.filters.network.http_connection_manager",
+								SubFilter: &networking.EnvoyFilter_ListenerMatch_SubFilterMatch{
+									Name: "envoy.filters.http.router",
+								},
+							},
+						},
+					},
+				},
+			},
+			Patch: &networking.EnvoyFilter_Patch{
+				Operation: networking.EnvoyFilter_Patch_MERGE,
+				Value: util.BuildPatchStruct(`{
+							"name":"envoy.filters.http.router",
+							"typed_config":{
+								"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router",
+								"start_child_span": true
+							}
+						}`),
+			},
+		},
+	}
+
+	patches := t.constructTracingExtendPatches(tracing)
+	configPatches = append(configPatches, patches...)
+
 	config := &config.Config{
 		Meta: config.Meta{
 			GroupVersionKind: gvk.EnvoyFilter,
@@ -262,55 +315,7 @@ func (t *TracingController) ConstructEnvoyFilters() ([]*config.Config, error) {
 			Namespace:        namespace,
 		},
 		Spec: &networking.EnvoyFilter{
-			ConfigPatches: []*networking.EnvoyFilter_EnvoyConfigObjectPatch{
-				{
-					ApplyTo: networking.EnvoyFilter_NETWORK_FILTER,
-					Match: &networking.EnvoyFilter_EnvoyConfigObjectMatch{
-						Context: networking.EnvoyFilter_GATEWAY,
-						ObjectTypes: &networking.EnvoyFilter_EnvoyConfigObjectMatch_Listener{
-							Listener: &networking.EnvoyFilter_ListenerMatch{
-								FilterChain: &networking.EnvoyFilter_ListenerMatch_FilterChainMatch{
-									Filter: &networking.EnvoyFilter_ListenerMatch_FilterMatch{
-										Name: "envoy.filters.network.http_connection_manager",
-									},
-								},
-							},
-						},
-					},
-					Patch: &networking.EnvoyFilter_Patch{
-						Operation: networking.EnvoyFilter_Patch_MERGE,
-						Value:     util.BuildPatchStruct(tracingConfig),
-					},
-				},
-				{
-					ApplyTo: networking.EnvoyFilter_HTTP_FILTER,
-					Match: &networking.EnvoyFilter_EnvoyConfigObjectMatch{
-						Context: networking.EnvoyFilter_GATEWAY,
-						ObjectTypes: &networking.EnvoyFilter_EnvoyConfigObjectMatch_Listener{
-							Listener: &networking.EnvoyFilter_ListenerMatch{
-								FilterChain: &networking.EnvoyFilter_ListenerMatch_FilterChainMatch{
-									Filter: &networking.EnvoyFilter_ListenerMatch_FilterMatch{
-										Name: "envoy.filters.network.http_connection_manager",
-										SubFilter: &networking.EnvoyFilter_ListenerMatch_SubFilterMatch{
-											Name: "envoy.filters.http.router",
-										},
-									},
-								},
-							},
-						},
-					},
-					Patch: &networking.EnvoyFilter_Patch{
-						Operation: networking.EnvoyFilter_Patch_MERGE,
-						Value: util.BuildPatchStruct(`{
-							"name":"envoy.filters.http.router",
-							"typed_config":{
-								"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router",
-								"start_child_span": true
-							}
-						}`),
-					},
-				},
-			},
+			ConfigPatches: configPatches,
 		},
 	}

@@ -318,6 +323,52 @@ func (t *TracingController) ConstructEnvoyFilters() ([]*config.Config, error) {
 	return configs, nil
 }

+func tracingClusterName(port, service string) string {
+	return fmt.Sprintf("outbound|%s||%s", port, service)
+}
+
+func (t *TracingController) constructHTTP2ProtocolOptionsPatch(port, service string) *networking.EnvoyFilter_EnvoyConfigObjectPatch {
+	http2ProtocolOptions := `{"typed_extension_protocol_options": {
+  "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
+      "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
+		  "explicit_http_config": {
+		        "http2_protocol_options": {}
+		  }
+  }
+}}`
+
+	return &networking.EnvoyFilter_EnvoyConfigObjectPatch{
+		ApplyTo: networking.EnvoyFilter_CLUSTER,
+		Match: &networking.EnvoyFilter_EnvoyConfigObjectMatch{
+			Context: networking.EnvoyFilter_GATEWAY,
+			ObjectTypes: &networking.EnvoyFilter_EnvoyConfigObjectMatch_Cluster{
+				Cluster: &networking.EnvoyFilter_ClusterMatch{
+					Name: tracingClusterName(port, service),
+				},
+			},
+		},
+		Patch: &networking.EnvoyFilter_Patch{
+			Operation: networking.EnvoyFilter_Patch_MERGE,
+			Value:     util.BuildPatchStruct(http2ProtocolOptions),
+		},
+	}
+}
+
+func (t *TracingController) constructTracingExtendPatches(tracing *Tracing) []*networking.EnvoyFilter_EnvoyConfigObjectPatch {
+	if tracing == nil {
+		return nil
+	}
+	var patches []*networking.EnvoyFilter_EnvoyConfigObjectPatch
+	if skywalking := tracing.Skywalking; skywalking != nil {
+		patches = append(patches, t.constructHTTP2ProtocolOptionsPatch(skywalking.Port, skywalking.Service))
+	}
+	if otel := tracing.OpenTelemetry; otel != nil {
+		patches = append(patches, t.constructHTTP2ProtocolOptionsPatch(otel.Port, otel.Service))
+	}
+
+	return patches
+}
+
 func (t *TracingController) constructTracingTracer(tracing *Tracing, namespace string) string {
 	tracingConfig := ""
 	timeout := float32(tracing.Timeout) / 1000
@@ -338,7 +389,7 @@ func (t *TracingController) constructTracingTracer(tracing *Tracing, namespace s
 					},
 					"grpc_service": {
 						"envoy_grpc": {
-							"cluster_name": "outbound|%s||%s"
+							"cluster_name": "%s"
 						},
 						"timeout": "%.3fs"
 					}
@@ -349,7 +400,7 @@ func (t *TracingController) constructTracingTracer(tracing *Tracing, namespace s
 			}
 		}
 	}
-}`, namespace, skywalking.AccessToken, skywalking.Port, skywalking.Service, timeout, tracing.Sampling)
+}`, namespace, skywalking.AccessToken, tracingClusterName(skywalking.Port, skywalking.Service), timeout, tracing.Sampling)
 	}

 	if tracing.Zipkin != nil {
@@ -363,7 +414,7 @@ func (t *TracingController) constructTracingTracer(tracing *Tracing, namespace s
 				"name": "envoy.tracers.zipkin",
 				"typed_config": {
 					"@type": "type.googleapis.com/envoy.config.trace.v3.ZipkinConfig",
-                                        "collector_cluster": "outbound|%s||%s",
+                                        "collector_cluster": "%s",
                                        "collector_endpoint": "/api/v2/spans",
                                        "collector_hostname": "higress-gateway",
                                        "collector_endpoint_version": "HTTP_JSON",
@@ -375,7 +426,7 @@ func (t *TracingController) constructTracingTracer(tracing *Tracing, namespace s
 			}
 		}
 	}
-}`, zipkin.Port, zipkin.Service, tracing.Sampling)
+}`, tracingClusterName(zipkin.Port, zipkin.Service), tracing.Sampling)
 	}

 	if tracing.OpenTelemetry != nil {
@@ -392,7 +443,7 @@ func (t *TracingController) constructTracingTracer(tracing *Tracing, namespace s
 					"service_name": "higress-gateway.%s",
 					"grpc_service": {
 						"envoy_grpc": {
-							"cluster_name": "outbound|%s||%s"
+							"cluster_name": "%s"
 						},
 						"timeout": "%.3fs"
 					}
@@ -403,7 +454,7 @@ func (t *TracingController) constructTracingTracer(tracing *Tracing, namespace s
 			}
 		}
 	}
-}`, namespace, opentelemetry.Port, opentelemetry.Service, timeout, tracing.Sampling)
+}`, namespace, tracingClusterName(opentelemetry.Port, opentelemetry.Service), timeout, tracing.Sampling)
 	}
 	return tracingConfig
 }
--- a/pkg/ingress/kube/gateway/controller.go
+++ b/pkg/ingress/kube/gateway/controller.go
@@ -22,6 +22,7 @@ import (
 	kubecredentials "istio.io/istio/pilot/pkg/credentials/kube"
 	"istio.io/istio/pilot/pkg/model"
 	kubecontroller "istio.io/istio/pilot/pkg/serviceregistry/kube/controller"
+	"istio.io/istio/pilot/pkg/status"
 	"istio.io/istio/pkg/config"
 	"istio.io/istio/pkg/config/constants"
 	"istio.io/istio/pkg/config/schema/collection"
@@ -48,6 +49,7 @@ type gatewayController struct {
 	store           model.ConfigStoreController
 	credsController credentials.MulticlusterController
 	istioController *istiogateway.Controller
+	statusManager   *status.Manager

 	resourceUpToDate atomic.Bool
 }
@@ -76,9 +78,10 @@ func NewController(client kube.Client, options common.Options) common.GatewayCon
 		istioController.DefaultGatewaySelector = map[string]string{options.GatewaySelectorKey: options.GatewaySelectorValue}
 	}

+	var statusManager *status.Manager = nil
 	if options.EnableStatus {
-		// TODO: Add status sync support
-		//istioController.SetStatusWrite(true,)
+		statusManager = status.NewManager(store)
+		istioController.SetStatusWrite(true, statusManager)
 	} else {
 		IngressLog.Infof("Disable status update for cluster %s", clusterId)
 	}
@@ -87,6 +90,7 @@ func NewController(client kube.Client, options common.Options) common.GatewayCon
 		store:           store,
 		credsController: credsController,
 		istioController: istioController,
+		statusManager:   statusManager,
 	}
 }

@@ -148,6 +152,9 @@ func (g *gatewayController) Run(stop <-chan struct{}) {
 	})
 	go g.store.Run(stop)
 	go g.istioController.Run(stop)
+	if g.statusManager != nil {
+		g.statusManager.Start(stop)
+	}
 }

 func (g *gatewayController) SetWatchErrorHandler(f func(r *cache.Reflector, err error)) error {
--- a/pkg/ingress/kube/gateway/istio/context.go
+++ b/pkg/ingress/kube/gateway/istio/context.go
@@ -15,26 +15,37 @@
 package istio

 import (
+	"context"
 	"fmt"
 	"sort"
-	"strconv"
 	"strings"

 	networking "istio.io/api/networking/v1alpha3"
 	"istio.io/istio/pilot/pkg/model"
+	serviceRegistryKube "istio.io/istio/pilot/pkg/serviceregistry/kube"
 	"istio.io/istio/pkg/cluster"
-	"istio.io/istio/pkg/config/host"
+	"istio.io/istio/pkg/config/schema/gvk"
+	"istio.io/istio/pkg/kube"
 	"istio.io/istio/pkg/util/sets"
 	corev1 "k8s.io/api/core/v1"
+	kerrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

 // GatewayContext contains a minimal subset of push context functionality to be exposed to GatewayAPIControllers
 type GatewayContext struct {
 	ps *model.PushContext
+	// Start - Updated by Higress
+	client       kube.Client
+	domainSuffix string
+	clusterID    cluster.ID
+	// End - Updated by Higress
 }

-func NewGatewayContext(ps *model.PushContext) GatewayContext {
-	return GatewayContext{ps}
+// Start - Updated by Higress
+
+func NewGatewayContext(ps *model.PushContext, client kube.Client, domainSuffix string, clusterID cluster.ID) GatewayContext {
+	return GatewayContext{ps, client, domainSuffix, clusterID}
 }

 // ResolveGatewayInstances attempts to resolve all instances that a gateway will be exposed on.
@@ -59,26 +70,20 @@ func (gc GatewayContext) ResolveGatewayInstances(
 	foundExternal := sets.New[string]()
 	foundPending := sets.New[string]()
 	warnings := []string{}
+
+	// Cache endpoints to reduce redundant queries
+	endpointsCache := make(map[string]*corev1.Endpoints)
+
 	for _, g := range gwsvcs {
-		svc, f := gc.ps.ServiceIndex.HostnameAndNamespace[host.Name(g)][namespace]
-		if !f {
-			otherNamespaces := []string{}
-			for ns := range gc.ps.ServiceIndex.HostnameAndNamespace[host.Name(g)] {
-				otherNamespaces = append(otherNamespaces, `"`+ns+`"`) // Wrap in quotes for output
-			}
-			if len(otherNamespaces) > 0 {
-				sort.Strings(otherNamespaces)
-				warnings = append(warnings, fmt.Sprintf("hostname %q not found in namespace %q, but it was found in namespace(s) %v",
-					g, namespace, strings.Join(otherNamespaces, ", ")))
-			} else {
-				warnings = append(warnings, fmt.Sprintf("hostname %q not found", g))
-			}
+		svc := gc.GetService(g, namespace, gvk.Service.Kind)
+		if svc == nil {
+			warnings = append(warnings, fmt.Sprintf("hostname %q not found", g))
 			continue
 		}
-		svcKey := svc.Key()
+
 		for port := range ports {
-			instances := gc.ps.ServiceInstancesByPort(svc, port, nil)
-			if len(instances) > 0 {
+			exists := checkServicePortExists(svc, port)
+			if exists {
 				foundInternal.Insert(fmt.Sprintf("%s:%d", g, port))
 				if svc.Attributes.ClusterExternalAddresses.Len() > 0 {
 					// Fetch external IPs from all clusters
@@ -92,22 +97,30 @@ func (gc GatewayContext) ResolveGatewayInstances(
 					}
 				}
 			} else {
-				instancesByPort := gc.ps.ServiceInstances(svcKey)
-				if instancesEmpty(instancesByPort) {
+				endpoints, ok := endpointsCache[g]
+				if !ok {
+					endpoints = gc.GetEndpoints(g, namespace)
+					endpointsCache[g] = endpoints
+				}
+
+				if endpoints == nil {
 					warnings = append(warnings, fmt.Sprintf("no instances found for hostname %q", g))
 				} else {
-					hintPort := sets.New[string]()
-					for _, instances := range instancesByPort {
-						for _, i := range instances {
-							if i.Endpoint.EndpointPort == uint32(port) {
-								hintPort.Insert(strconv.Itoa(i.ServicePort.Port))
+					hintWorkloadPort := false
+					for _, subset := range endpoints.Subsets {
+						for _, subSetPort := range subset.Ports {
+							if subSetPort.Port == int32(port) {
+								hintWorkloadPort = true
+								break
 							}
 						}
+						if hintWorkloadPort {
+							break
+						}
 					}
-					if hintPort.Len() > 0 {
+					if hintWorkloadPort {
 						warnings = append(warnings, fmt.Sprintf(
-							"port %d not found for hostname %q (hint: the service port should be specified, not the workload port. Did you mean one of these ports: %v?)",
-							port, g, sets.SortedList(hintPort)))
+							"port %d not found for hostname %q (hint: the service port should be specified, not the workload port", port, g))
 					} else {
 						warnings = append(warnings, fmt.Sprintf("port %d not found for hostname %q", port, g))
 					}
@@ -119,15 +132,60 @@ func (gc GatewayContext) ResolveGatewayInstances(
 	return sets.SortedList(foundInternal), sets.SortedList(foundExternal), sets.SortedList(foundPending), warnings
 }

-func (gc GatewayContext) GetService(hostname, namespace string) *model.Service {
-	return gc.ps.ServiceIndex.HostnameAndNamespace[host.Name(hostname)][namespace]
+func (gc GatewayContext) GetService(hostname, namespace, kind string) *model.Service {
+	// Currently only supports type Kubernetes Service
+	if kind != gvk.Service.Kind {
+		log.Warnf("Unsupported kind: expected 'Service', but got '%s'", kind)
+		return nil
+	}
+	serviceName := extractServiceName(hostname)
+
+	svc, err := gc.client.Kube().CoreV1().Services(namespace).Get(context.TODO(), serviceName, metav1.GetOptions{})
+	if err != nil {
+		if kerrors.IsNotFound(err) {
+			return nil
+		}
+		log.Errorf("failed to get service (serviceName: %s, namespace: %s): %v", serviceName, namespace, err)
+		return nil
+	}
+
+	return serviceRegistryKube.ConvertService(*svc, gc.domainSuffix, gc.clusterID)
 }

-func instancesEmpty(m map[int][]*model.ServiceInstance) bool {
-	for _, instances := range m {
-		if len(instances) > 0 {
-			return false
+func (gc GatewayContext) GetEndpoints(hostname, namespace string) *corev1.Endpoints {
+	serviceName := extractServiceName(hostname)
+
+	endpoints, err := gc.client.Kube().CoreV1().Endpoints(namespace).Get(context.TODO(), serviceName, metav1.GetOptions{})
+
+	if err != nil {
+		if kerrors.IsNotFound(err) {
+			return nil
+		}
+		log.Errorf("failed to get endpoints (serviceName: %s, namespace: %s): %v", serviceName, namespace, err)
+		return nil
+	}
+
+	return endpoints
+}
+
+func checkServicePortExists(svc *model.Service, port int) bool {
+	if svc == nil {
+		return false
+	}
+	for _, svcPort := range svc.Ports {
+		if port == svcPort.Port {
+			return true
 		}
 	}
-	return true
+	return false
 }
+
+func extractServiceName(hostName string) string {
+	parts := strings.Split(hostName, ".")
+	if len(parts) >= 4 {
+		return parts[0]
+	}
+	return ""
+}
+
+// End - Updated by Higress
--- a/pkg/ingress/kube/gateway/istio/controller.go
+++ b/pkg/ingress/kube/gateway/istio/controller.go
@@ -201,7 +201,9 @@ func (c *Controller) Reconcile(ps *model.PushContext) error {
 		ReferenceGrant:         referenceGrant,
 		DefaultGatewaySelector: c.DefaultGatewaySelector,
 		Domain:                 c.domain,
-		Context:                NewGatewayContext(ps),
+		// Start - Updated by Higress
+		Context: NewGatewayContext(ps, c.client, c.domain, c.cluster),
+		// End - Updated by Higress
 	}

 	if !input.hasResources() {
--- a/pkg/ingress/kube/gateway/istio/conversion.go
+++ b/pkg/ingress/kube/gateway/istio/conversion.go
@@ -25,6 +25,7 @@ import (
 	"strings"

 	higressconfig "github.com/alibaba/higress/pkg/config"
+	"github.com/alibaba/higress/pkg/ingress/kube/util"
 	istio "istio.io/api/networking/v1alpha3"
 	"istio.io/istio/pilot/pkg/features"
 	"istio.io/istio/pilot/pkg/model"
@@ -1168,7 +1169,7 @@ func buildDestination(ctx configContext, to k8s.BackendRef, ns string, enforceRe
 			return nil, &ConfigError{Reason: InvalidDestination, Message: "serviceName invalid; the name of the Service must be used, not the hostname."}
 		}
 		hostname := fmt.Sprintf("%s.%s.svc.%s", to.Name, namespace, ctx.Domain)
-		if ctx.Context.GetService(hostname, namespace) == nil {
+		if ctx.Context.GetService(hostname, namespace, gvk.Service.Kind) == nil {
 			invalidBackendErr = &ConfigError{Reason: InvalidDestinationNotFound, Message: fmt.Sprintf("backend(%s) not found", hostname)}
 		}
 		return &istio.Destination{
@@ -1192,7 +1193,7 @@ func buildDestination(ctx configContext, to k8s.BackendRef, ns string, enforceRe
 		if strings.Contains(string(to.Name), ".") {
 			return nil, &ConfigError{Reason: InvalidDestination, Message: "serviceName invalid; the name of the Service must be used, not the hostname."}
 		}
-		if ctx.Context.GetService(hostname, namespace) == nil {
+		if ctx.Context.GetService(hostname, namespace, "ServiceImport") == nil {
 			invalidBackendErr = &ConfigError{Reason: InvalidDestinationNotFound, Message: fmt.Sprintf("backend(%s) not found", hostname)}
 		}
 		return &istio.Destination{
@@ -1210,7 +1211,7 @@ func buildDestination(ctx configContext, to k8s.BackendRef, ns string, enforceRe
 			return nil, &ConfigError{Reason: InvalidDestination, Message: "namespace may not be set with Hostname type"}
 		}
 		hostname := string(to.Name)
-		if ctx.Context.GetService(hostname, namespace) == nil {
+		if ctx.Context.GetService(hostname, namespace, "Hostname") == nil {
 			invalidBackendErr = &ConfigError{Reason: InvalidDestinationNotFound, Message: fmt.Sprintf("backend(%s) not found", hostname)}
 		}
 		return &istio.Destination{
@@ -1880,7 +1881,7 @@ func extractGatewayServices(r GatewayResources, kgw *k8s.GatewaySpec, obj config
 		if len(name) > 0 {
 			return []string{fmt.Sprintf("%s.%s.svc.%v", name, obj.Namespace, r.Domain)}, false, nil
 		}
-		return []string{}, true, nil
+		return []string{fmt.Sprintf("%s.%s.svc.%s", higressconfig.GatewayName, higressconfig.PodNamespace, util.GetDomainSuffix())}, true, nil
 	}
 	gatewayServices := []string{}
 	skippedAddresses := []string{}
--- a/pkg/ingress/kube/gateway/istio/conversion_test.go
+++ b/pkg/ingress/kube/gateway/istio/conversion_test.go
@@ -17,6 +17,7 @@
 package istio

 import (
+	"context"
 	"fmt"
 	"os"
 	"reflect"
@@ -25,6 +26,7 @@ import (
 	"strings"
 	"testing"

+	"github.com/google/go-cmp/cmp"
 	"istio.io/istio/pilot/pkg/config/kube/crd"
 	credentials "istio.io/istio/pilot/pkg/credentials/kube"
 	"istio.io/istio/pilot/pkg/features"
@@ -47,7 +49,8 @@ import (
 	"sigs.k8s.io/yaml"
 )

-var ports = []*model.Port{
+// Start - Updated by Higress
+var ports = []corev1.ServicePort{
 	{
 		Name:     "http",
 		Port:     80,
@@ -64,232 +67,291 @@ var defaultGatewaySelector = map[string]string{
 	"higress": "higress-system-higress-gateway",
 }

-var services = []*model.Service{
+var services = []corev1.Service{
 	{
-		Attributes: model.ServiceAttributes{
+		ObjectMeta: metav1.ObjectMeta{
 			Name:      "higress-gateway",
 			Namespace: "higress-system",
-			ClusterExternalAddresses: &model.AddressMap{
-				Addresses: map[cluster.ID][]string{
-					"Kubernetes": {"1.2.3.4"},
+		},
+		Spec: corev1.ServiceSpec{
+			Ports:       ports,
+			ExternalIPs: []string{"1.2.3.4"},
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "example.com",
+			Namespace: "higress-system",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "httpbin",
+			Namespace: "default",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "httpbin-apple",
+			Namespace: "apple",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "httpbin-banana",
+			Namespace: "banana",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "httpbin-second",
+			Namespace: "default",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "httpbin-wildcard",
+			Namespace: "default",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "foo-svc",
+			Namespace: "default",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "httpbin-other",
+			Namespace: "default",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "example",
+			Namespace: "default",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "echo",
+			Namespace: "default",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "httpbin",
+			Namespace: "cert",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "my-svc",
+			Namespace: "service",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "google.com",
+			Namespace: "default",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "svc2",
+			Namespace: "allowed-1",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "svc2",
+			Namespace: "allowed-2",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "svc1",
+			Namespace: "allowed-1",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "svc3",
+			Namespace: "allowed-2",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "svc4",
+			Namespace: "default",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "httpbin",
+			Namespace: "group-namespace1",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "httpbin",
+			Namespace: "group-namespace2",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "httpbin-zero",
+			Namespace: "default",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "httpbin",
+			Namespace: "higress-system",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "httpbin-mirror",
+			Namespace: "default",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "httpbin-foo",
+			Namespace: "default",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "httpbin-alt",
+			Namespace: "default",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "higress-controller",
+			Namespace: "higress-system",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "echo",
+			Namespace: "higress-system",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "httpbin-bad",
+			Namespace: "default",
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: ports,
+		},
+	},
+}
+
+var endpoints = []corev1.Endpoints{
+	{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "higress-gateway",
+			Namespace: "higress-system",
+		},
+		Subsets: []corev1.EndpointSubset{
+			{
+				Ports: []corev1.EndpointPort{
+					{
+						Port: 8080,
+					},
 				},
 			},
 		},
-		Ports:    ports,
-		Hostname: "higress-gateway.higress-system.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "higress-system",
-		},
-		Ports:    ports,
-		Hostname: "example.com",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "default",
-		},
-		Ports:    ports,
-		Hostname: "httpbin.default.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "apple",
-		},
-		Ports:    ports,
-		Hostname: "httpbin-apple.apple.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "banana",
-		},
-		Ports:    ports,
-		Hostname: "httpbin-banana.banana.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "default",
-		},
-		Ports:    ports,
-		Hostname: "httpbin-second.default.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "default",
-		},
-		Ports:    ports,
-		Hostname: "httpbin-wildcard.default.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "default",
-		},
-		Ports:    ports,
-		Hostname: "foo-svc.default.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "default",
-		},
-		Ports:    ports,
-		Hostname: "httpbin-other.default.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "default",
-		},
-		Ports:    ports,
-		Hostname: "example.default.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "default",
-		},
-		Ports:    ports,
-		Hostname: "echo.default.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "default",
-		},
-		Ports:    ports,
-		Hostname: "echo.default.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "cert",
-		},
-		Ports:    ports,
-		Hostname: "httpbin.cert.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "service",
-		},
-		Ports:    ports,
-		Hostname: "my-svc.service.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "default",
-		},
-		Ports:    ports,
-		Hostname: "google.com",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "allowed-1",
-		},
-		Ports:    ports,
-		Hostname: "svc2.allowed-1.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "allowed-2",
-		},
-		Ports:    ports,
-		Hostname: "svc2.allowed-2.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "allowed-1",
-		},
-		Ports:    ports,
-		Hostname: "svc1.allowed-1.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "allowed-2",
-		},
-		Ports:    ports,
-		Hostname: "svc3.allowed-2.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "default",
-		},
-		Ports:    ports,
-		Hostname: "svc4.default.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "group-namespace1",
-		},
-		Ports:    ports,
-		Hostname: "httpbin.group-namespace1.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "group-namespace2",
-		},
-		Ports:    ports,
-		Hostname: "httpbin.group-namespace2.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "default",
-		},
-		Ports:    ports,
-		Hostname: "httpbin-zero.default.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "higress-system",
-		},
-		Ports:    ports,
-		Hostname: "httpbin.higress-system.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "default",
-		},
-		Ports:    ports,
-		Hostname: "httpbin-mirror.default.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "default",
-		},
-		Ports:    ports,
-		Hostname: "httpbin-foo.default.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "default",
-		},
-		Ports:    ports,
-		Hostname: "httpbin-alt.default.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "higress-system",
-		},
-		Ports:    ports,
-		Hostname: "higress-controller.higress-system.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "higress-system",
-		},
-		Ports:    ports,
-		Hostname: "higress-controller.higress-system.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "higress-system",
-		},
-		Ports:    ports,
-		Hostname: "echo.higress-system.svc.domain.suffix",
-	},
-	{
-		Attributes: model.ServiceAttributes{
-			Namespace: "default",
-		},
-		Ports:    ports,
-		Hostname: "httpbin-bad.default.svc.domain.suffix",
 	},
 }

+// End - Updated by Higress
+
 var (
 	// https://github.com/kubernetes/kubernetes/blob/v1.25.4/staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls_test.go#L31
 	rsaCertPEM = `-----BEGIN CERTIFICATE-----
@@ -364,6 +426,21 @@ func init() {

 func TestConvertResources(t *testing.T) {
 	validator := crdvalidation.NewIstioValidator(t)
+
+	// Start - Updated by Higress
+	client := kube.NewFakeClient()
+	for _, svc := range services {
+		if _, err := client.Kube().CoreV1().Services(svc.Namespace).Create(context.TODO(), &svc, metav1.CreateOptions{}); err != nil {
+			t.Fatal(err)
+		}
+	}
+	for _, endpoint := range endpoints {
+		if _, err := client.Kube().CoreV1().Endpoints(endpoint.Namespace).Create(context.TODO(), &endpoint, metav1.CreateOptions{}); err != nil {
+			t.Fatal(err)
+		}
+	}
+	// End - Updated by Higress
+
 	cases := []struct {
 		name string
 	}{
@@ -374,38 +451,23 @@ func TestConvertResources(t *testing.T) {
 		{"weighted"},
 		{"zero"},
 		{"invalid"},
-		{"multi-gateway"},
+		// 目前仅支持 type 为 Hostname 和 ServiceImport
+		//{"multi-gateway"},
 		{"delegated"},
 		{"route-binding"},
 		{"reference-policy-tls"},
 		{"reference-policy-service"},
-		{"serviceentry"},
+		//{"serviceentry"},
 		{"alias"},
-		{"mcs"},
+		//{"mcs"},
 		{"route-precedence"},
 	}
 	for _, tt := range cases {
 		t.Run(tt.name, func(t *testing.T) {
 			input := readConfig(t, fmt.Sprintf("testdata/%s.yaml", tt.name), validator)
-			// Setup a few preconfigured services
-			instances := []*model.ServiceInstance{}
-			for _, svc := range services {
-				instances = append(instances, &model.ServiceInstance{
-					Service:     svc,
-					ServicePort: ports[0],
-					Endpoint:    &model.IstioEndpoint{EndpointPort: 8080},
-				}, &model.ServiceInstance{
-					Service:     svc,
-					ServicePort: ports[1],
-					Endpoint:    &model.IstioEndpoint{},
-				})
-			}
-			cg := v1alpha3.NewConfigGenTest(t, v1alpha3.TestOptions{
-				Services:  services,
-				Instances: instances,
-			})
+			cg := v1alpha3.NewConfigGenTest(t, v1alpha3.TestOptions{})
 			kr := splitInput(t, input)
-			kr.Context = NewGatewayContext(cg.PushContext())
+			kr.Context = NewGatewayContext(cg.PushContext(), client, "domain.suffix", "")
 			output := convertResources(kr)
 			output.AllowedReferences = AllowedReferences{} // Not tested here
 			output.ReferencedNamespaceKeys = nil           // Not tested here
@@ -427,20 +489,20 @@ func TestConvertResources(t *testing.T) {

 			assert.Equal(t, golden, output)

-			//outputStatus := getStatus(t, kr.GatewayClass, kr.Gateway, kr.HTTPRoute, kr.TLSRoute, kr.TCPRoute)
-			//goldenStatusFile := fmt.Sprintf("testdata/%s.status.yaml.golden", tt.name)
-			//if util.Refresh() {
-			//	if err := os.WriteFile(goldenStatusFile, outputStatus, 0o644); err != nil {
-			//		t.Fatal(err)
-			//	}
-			//}
-			//goldenStatus, err := os.ReadFile(goldenStatusFile)
-			//if err != nil {
-			//	t.Fatal(err)
-			//}
-			//if diff := cmp.Diff(string(goldenStatus), string(outputStatus)); diff != "" {
-			//	t.Fatalf("Diff:\n%s", diff)
-			//}
+			outputStatus := getStatus(t, kr.GatewayClass, kr.Gateway, kr.HTTPRoute, kr.TLSRoute, kr.TCPRoute)
+			goldenStatusFile := fmt.Sprintf("testdata/%s.status.yaml.golden", tt.name)
+			if util.Refresh() {
+				if err := os.WriteFile(goldenStatusFile, outputStatus, 0o644); err != nil {
+					t.Fatal(err)
+				}
+			}
+			goldenStatus, err := os.ReadFile(goldenStatusFile)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if diff := cmp.Diff(string(goldenStatus), string(outputStatus)); diff != "" {
+				t.Fatalf("Diff:\n%s", diff)
+			}
 		})
 	}
 }
@@ -593,7 +655,7 @@ spec:
 			input := readConfigString(t, tt.config, validator)
 			cg := v1alpha3.NewConfigGenTest(t, v1alpha3.TestOptions{})
 			kr := splitInput(t, input)
-			kr.Context = NewGatewayContext(cg.PushContext())
+			kr.Context = NewGatewayContext(cg.PushContext(), nil, "", "")
 			output := convertResources(kr)
 			c := &Controller{
 				state: output,
@@ -814,7 +876,7 @@ func BenchmarkBuildHTTPVirtualServices(b *testing.B) {
 	validator := crdvalidation.NewIstioValidator(b)
 	input := readConfig(b, "testdata/benchmark-httproute.yaml", validator)
 	kr := splitInput(b, input)
-	kr.Context = NewGatewayContext(cg.PushContext())
+	kr.Context = NewGatewayContext(cg.PushContext(), nil, "", "")
 	ctx := configContext{
 		GatewayResources:  kr,
 		AllowedReferences: convertReferencePolicies(kr),
@@ -857,7 +919,7 @@ func TestExtractGatewayServices(t *testing.T) {
 					Namespace: "default",
 				},
 			},
-			gatewayServices:   []string{},
+			gatewayServices:   []string{"higress-gateway.higress-system.svc.cluster.local"},
 			useDefaultService: true,
 		},
 		{
@@ -977,7 +1039,7 @@ func TestExtractGatewayServices(t *testing.T) {
 					Namespace: "default",
 				},
 			},
-			gatewayServices:   []string{},
+			gatewayServices:   []string{"higress-gateway.higress-system.svc.cluster.local"},
 			useDefaultService: true,
 		},
 	}
--- a/pkg/ingress/kube/gateway/istio/testdata/invalid.status.yaml.golden
+++ b/pkg/ingress/kube/gateway/istio/testdata/invalid.status.yaml.golden
@@ -128,8 +128,7 @@ status:
  - lastTransitionTime: fake
    message: 'Failed to assign to any requested addresses: port 8080 not found for
      hostname "higress-gateway.higress-system.svc.domain.suffix" (hint: the service
-      port should be specified, not the workload port. Did you mean one of these ports:
-      [80]?)'
+      port should be specified, not the workload port'
    reason: Invalid
    status: "False"
    type: Programmed
@@ -163,26 +162,6 @@ status:
 ---
 apiVersion: gateway.networking.k8s.io/v1beta1
 kind: Gateway
-metadata:
-  creationTimestamp: null
-  name: invalid-gateway-address
-  namespace: invalid-gateway-address
-spec: null
-status:
-  conditions:
-  - lastTransitionTime: fake
-    message: only Hostname is supported, ignoring [1.2.3.4]
-    reason: UnsupportedAddress
-    status: "False"
-    type: Accepted
-  - lastTransitionTime: fake
-    message: Failed to assign to any requested addresses
-    reason: UnsupportedAddress
-    status: "False"
-    type: Programmed
---
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: Gateway
 metadata:
  creationTimestamp: null
  name: invalid-cert-kind
@@ -477,4 +456,29 @@ status:
      namespace: higress-system
      sectionName: fake
 ---
-
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  creationTimestamp: null
+  name: no-backend
+  namespace: default
+spec: null
+status:
+  parents:
+  - conditions:
+    - lastTransitionTime: fake
+      message: Route was valid
+      reason: Accepted
+      status: "True"
+      type: Accepted
+    - lastTransitionTime: fake
+      message: All references resolved
+      reason: ResolvedRefs
+      status: "True"
+      type: ResolvedRefs
+    controllerName: higress.io/gateway-controller
+    parentRef:
+      group: ""
+      kind: Service
+      name: httpbin
+---
--- a/pkg/ingress/kube/gateway/istio/testdata/invalid.yaml
+++ b/pkg/ingress/kube/gateway/istio/testdata/invalid.yaml
@@ -55,22 +55,23 @@ spec:
    hostname: "*.example"
    port: 8080 # Test service has port 80 with targetPort 8080
    protocol: HTTP
---
-apiVersion: gateway.networking.k8s.io/v1alpha2
-kind: Gateway
-metadata:
-  name: invalid-gateway-address
-  namespace: invalid-gateway-address
-spec:
-  gatewayClassName: higress
-  addresses:
-  - value: 1.2.3.4
-    type: istio.io/FakeType
-  listeners:
-  - name: default
-    hostname: "*.domain.example"
-    port: 80
-    protocol: HTTP
+#---
+# Higress 仅支持 addresses type 为 Hostname
+#apiVersion: gateway.networking.k8s.io/v1alpha2
+#kind: Gateway
+#metadata:
+#  name: invalid-gateway-address
+#  namespace: invalid-gateway-address
+#spec:
+#  gatewayClassName: higress
+#  addresses:
+#  - value: 1.2.3.4
+#    type: istio.io/FakeType
+#  listeners:
+#  - name: default
+#    hostname: "*.domain.example"
+#    port: 80
+#    protocol: HTTP
 ---
 apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: Gateway
--- a/pkg/ingress/kube/gateway/istio/testdata/invalid.yaml.golden
+++ b/pkg/ingress/kube/gateway/istio/testdata/invalid.yaml.golden
@@ -53,25 +53,6 @@ spec:
      protocol: HTTP
 ---
 apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
-  annotations:
-    internal.istio.io/parents: Gateway/invalid-gateway-address/default.invalid-gateway-address
-  creationTimestamp: null
-  name: invalid-gateway-address-istio-autogenerated-k8s-gateway-default
-  namespace: invalid-gateway-address
-spec:
-  selector:
-    higress: higress-system-higress-gateway
-  servers:
-  - hosts:
-    - invalid-gateway-address/*.domain.example
-    port:
-      name: default
-      number: 80
-      protocol: HTTP
---
-apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
  annotations:
--- a/pkg/ingress/kube/ingress/controller.go
+++ b/pkg/ingress/kube/ingress/controller.go
@@ -920,12 +920,7 @@ func (c *controller) storeBackendTrafficPolicy(wrapper *common.WrapperConfig, ba
 	if common.ValidateBackendResource(backend.Resource) && wrapper.AnnotationsConfig.Destination != nil {
 		for _, dest := range wrapper.AnnotationsConfig.Destination.McpDestination {
 			portNumber := dest.Destination.GetPort().GetNumber()
-			serviceKey := common.ServiceKey{
-				Namespace:   "mcp",
-				Name:        dest.Destination.Host,
-				Port:        int32(portNumber),
-				ServiceFQDN: dest.Destination.Host,
-			}
+			serviceKey := common.CreateMcpServiceKey(dest.Destination.Host, int32(portNumber))
 			if _, exist := store[serviceKey]; !exist {
 				if serviceKey.Port != 0 {
 					store[serviceKey] = &common.WrapperTrafficPolicy{
--- a/pkg/ingress/kube/ingress/status.go
+++ b/pkg/ingress/kube/ingress/status.go
@@ -81,8 +81,6 @@ func (s *statusSyncer) runUpdateStatus() error {
 		return err
 	}

-	IngressLog.Debugf("found number %d of svc", len(svcList))
-
 	lbStatusList := common.GetLbStatusListV1Beta1(svcList)
 	if len(lbStatusList) == 0 {
 		return nil
--- a/pkg/ingress/kube/ingressv1/controller.go
+++ b/pkg/ingress/kube/ingressv1/controller.go
@@ -162,6 +162,7 @@ func (c *controller) onEvent(namespacedName types.NamespacedName) error {
 			delete(c.ingresses, namespacedName.String())
 			c.mutex.Unlock()
 		} else {
+			IngressLog.Warnf("ingressLister Get failed, ingress: %s, err: %v", namespacedName, err)
 			return err
 		}
 	}
@@ -171,7 +172,7 @@ func (c *controller) onEvent(namespacedName types.NamespacedName) error {
 		return nil
 	}

-	IngressLog.Debugf("ingress: %s, event: %s", namespacedName, event)
+	IngressLog.Infof("ingress: %s, event: %s", namespacedName, event)

 	// we should check need process only when event is not delete,
 	// if it is delete event, and previously processed, we need to process too.
@@ -181,7 +182,7 @@ func (c *controller) onEvent(namespacedName types.NamespacedName) error {
 			return err
 		}
 		if !shouldProcess {
-			IngressLog.Infof("no need process, ingress %s", namespacedName)
+			IngressLog.Infof("no need process, ingress: %s", namespacedName)
 			return nil
 		}
 	}
@@ -279,10 +280,17 @@ func (c *controller) List() []config.Config {
 	for _, raw := range c.ingressInformer.Informer.GetStore().List() {
 		ing, ok := raw.(*ingress.Ingress)
 		if !ok {
+			IngressLog.Warnf("get ingress from informer failed: %v", raw)
 			continue
 		}

-		if should, err := c.shouldProcessIngress(ing); !should || err != nil {
+		should, err := c.shouldProcessIngress(ing)
+		if err != nil {
+			IngressLog.Warnf("check should process ingress failed: %v", err)
+			continue
+		}
+		if !should {
+			IngressLog.Debugf("no need process ingress: %s/%s", ing.Namespace, ing.Name)
 			continue
 		}

@@ -900,12 +908,7 @@ func (c *controller) storeBackendTrafficPolicy(wrapper *common.WrapperConfig, ba
 	if common.ValidateBackendResource(backend.Resource) && wrapper.AnnotationsConfig.Destination != nil {
 		for _, dest := range wrapper.AnnotationsConfig.Destination.McpDestination {
 			portNumber := dest.Destination.GetPort().GetNumber()
-			serviceKey := common.ServiceKey{
-				Namespace:   "mcp",
-				Name:        dest.Destination.Host,
-				Port:        int32(portNumber),
-				ServiceFQDN: dest.Destination.Host,
-			}
+			serviceKey := common.CreateMcpServiceKey(dest.Destination.Host, int32(portNumber))
 			if _, exist := store[serviceKey]; !exist {
 				if serviceKey.Port != 0 {
 					store[serviceKey] = &common.WrapperTrafficPolicy{
--- a/pkg/ingress/kube/ingressv1/status.go
+++ b/pkg/ingress/kube/ingressv1/status.go
@@ -81,8 +81,6 @@ func (s *statusSyncer) runUpdateStatus() error {
 		return err
 	}

-	IngressLog.Debugf("found number %d of svc", len(svcList))
-
 	lbStatusList := common.GetLbStatusListV1(svcList)
 	if len(lbStatusList) == 0 {
 		return nil
--- a/pkg/ingress/kube/kingress/status.go
+++ b/pkg/ingress/kube/kingress/status.go
@@ -77,7 +77,6 @@ func (s *statusSyncer) runUpdateStatus() error {
 		return err
 	}

-	IngressLog.Debugf("found number %d of svc", len(svcList))
 	lbStatusList := common2.GetLbStatusList(svcList)
 	return s.updateStatus(lbStatusList)
 }
--- a/pkg/ingress/kube/util/util.go
+++ b/pkg/ingress/kube/util/util.go
@@ -20,8 +20,10 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
+	"istio.io/istio/pilot/pkg/model"
 	"os"
 	"path"
+	"strconv"
 	"strings"

 	"github.com/golang/protobuf/jsonpb"
@@ -113,3 +115,44 @@ func BuildPatchStruct(config string) *_struct.Struct {
 	}
 	return val
 }
+
+type ServiceInfo struct {
+	model.NamespacedName
+	Port uint32
+}
+
+// convertToPort converts a port string to a uint32.
+func convertToPort(v string) (uint32, error) {
+	p, err := strconv.ParseUint(v, 10, 32)
+	if err != nil || p > 65535 {
+		return 0, fmt.Errorf("invalid port %s: %v", v, err)
+	}
+	return uint32(p), nil
+}
+
+func ParseServiceInfo(service string, ingressNamespace string) (ServiceInfo, error) {
+	parts := strings.Split(service, ":")
+	namespacedName := SplitNamespacedName(parts[0])
+
+	if namespacedName.Name == "" {
+		return ServiceInfo{}, errors.New("service name can not be empty")
+	}
+
+	if namespacedName.Namespace == "" {
+		namespacedName.Namespace = ingressNamespace
+	}
+
+	var port uint32
+	if len(parts) == 2 {
+		// If port parse fail, we ignore port and pick the first one.
+		port, _ = convertToPort(parts[1])
+	}
+
+	return ServiceInfo{
+		NamespacedName: model.NamespacedName{
+			Name:      namespacedName.Name,
+			Namespace: namespacedName.Namespace,
+		},
+		Port: port,
+	}, nil
+}
--- a/pkg/ingress/log/log.go
+++ b/pkg/ingress/log/log.go
@@ -14,6 +14,6 @@

 package log

-import "istio.io/pkg/log"
+import "istio.io/istio/pkg/log"

-var IngressLog = log.RegisterScope("ingress", "Higress Ingress process.", 0)
+var IngressLog = log.RegisterScope("ingress", "Higress Ingress process.")
--- a/pkg/ingress/mcp/generator.go
+++ b/pkg/ingress/mcp/generator.go
@@ -64,7 +64,7 @@ func (c ServiceEntryGenerator) Generate(proxy *model.Proxy, w *model.WatchedReso
 			return serviceEntries[i].CreationTimestamp.Before(serviceEntries[j].CreationTimestamp)
 		})
 	}
-	return generate(proxy, serviceEntries, w, updates, false, false)
+	return generate(proxy, serviceEntries, w, updates, c.GeneratorOptions.KeepConfigLabels, c.GeneratorOptions.KeepConfigAnnotations)
 }

 func (c ServiceEntryGenerator) GenerateDeltas(proxy *model.Proxy, updates *model.PushRequest,
@@ -82,7 +82,7 @@ type VirtualServiceGenerator struct {
 func (c VirtualServiceGenerator) Generate(proxy *model.Proxy, w *model.WatchedResource,
 	updates *model.PushRequest) (model.Resources, model.XdsLogDetails, error) {
 	virtualServices := c.Environment.List(gvk.VirtualService, model.NamespaceAll)
-	return generate(proxy, virtualServices, w, updates, false, false)
+	return generate(proxy, virtualServices, w, updates, c.GeneratorOptions.KeepConfigLabels, c.GeneratorOptions.KeepConfigAnnotations)
 }

 func (c VirtualServiceGenerator) GenerateDeltas(proxy *model.Proxy, updates *model.PushRequest,
@@ -100,7 +100,7 @@ type DestinationRuleGenerator struct {
 func (c DestinationRuleGenerator) Generate(proxy *model.Proxy, w *model.WatchedResource,
 	updates *model.PushRequest) (model.Resources, model.XdsLogDetails, error) {
 	rules := c.Environment.List(gvk.DestinationRule, model.NamespaceAll)
-	return generate(proxy, rules, w, updates, false, false)
+	return generate(proxy, rules, w, updates, c.GeneratorOptions.KeepConfigLabels, c.GeneratorOptions.KeepConfigAnnotations)
 }

 func (c DestinationRuleGenerator) GenerateDeltas(proxy *model.Proxy, updates *model.PushRequest,
@@ -118,7 +118,7 @@ type EnvoyFilterGenerator struct {
 func (c EnvoyFilterGenerator) Generate(proxy *model.Proxy, w *model.WatchedResource,
 	updates *model.PushRequest) (model.Resources, model.XdsLogDetails, error) {
 	filters := c.Environment.List(gvk.EnvoyFilter, model.NamespaceAll)
-	return generate(proxy, filters, w, updates, false, false)
+	return generate(proxy, filters, w, updates, c.GeneratorOptions.KeepConfigLabels, c.GeneratorOptions.KeepConfigAnnotations)
 }

 func (c EnvoyFilterGenerator) GenerateDeltas(proxy *model.Proxy, updates *model.PushRequest,
@@ -154,7 +154,7 @@ type WasmPluginGenerator struct {
 func (c WasmPluginGenerator) Generate(proxy *model.Proxy, w *model.WatchedResource,
 	updates *model.PushRequest) (model.Resources, model.XdsLogDetails, error) {
 	wasmPlugins := c.Environment.List(gvk.WasmPlugin, model.NamespaceAll)
-	return generate(proxy, wasmPlugins, w, updates, false, false)
+	return generate(proxy, wasmPlugins, w, updates, c.GeneratorOptions.KeepConfigLabels, c.GeneratorOptions.KeepConfigAnnotations)
 }

 func (c WasmPluginGenerator) GenerateDeltas(proxy *model.Proxy, push *model.PushContext, updates *model.PushRequest,
--- a/pkg/ingress/translation/translation.go
+++ b/pkg/ingress/translation/translation.go
@@ -187,10 +187,9 @@ func (m *IngressTranslation) List(typ config.GroupVersionKind, namespace string)
 	higressConfig = append(higressConfig, ingressConfig...)
 	if m.kingressConfig != nil {
 		kingressConfig := m.kingressConfig.List(typ, namespace)
-		if kingressConfig == nil {
-			return nil
+		if kingressConfig != nil {
+			higressConfig = append(higressConfig, kingressConfig...)
 		}
-		higressConfig = append(higressConfig, kingressConfig...)
 	}
 	return higressConfig
 }
--- a/plugins/README.md
+++ b/plugins/README.md
@@ -1,5 +1,6 @@
 ## Wasm 插件

+
 目前 Higress 提供了 c++ 和 golang 两种 Wasm 插件开发框架，支持 Wasm 插件路由&域名级匹配生效。

 同时提供了多个内置插件，用户可以基于 Higress 提供的官方镜像仓库直接使用这些插件（以 c++ 版本举例）：
--- a/plugins/wasm-cpp/WORKSPACE
+++ b/plugins/wasm-cpp/WORKSPACE
@@ -16,24 +16,28 @@ load("@io_bazel_rules_docker//repositories:deps.bzl", container_deps = "deps")

 container_deps()

-PROXY_WASM_CPP_SDK_SHA = "fd0be8405db25de0264bdb78fae3a82668c03782"
+PROXY_WASM_CPP_SDK_SHA = "eaec483b5b3c7bcb89fd208b5a1fa5d79d626f61"

-PROXY_WASM_CPP_SDK_SHA256 = "c57de2425b5c61d7f630c5061e319b4557ae1f1c7526e5a51c33dc1299471b08"
+PROXY_WASM_CPP_SDK_SHA256 = "1140bc8114d75db56a6ca6b18423d4df50d988d40b4cec929a1eb246cf5a4a3d"

 http_archive(
    name = "proxy_wasm_cpp_sdk",
    sha256 = PROXY_WASM_CPP_SDK_SHA256,
    strip_prefix = "proxy-wasm-cpp-sdk-" + PROXY_WASM_CPP_SDK_SHA,
-    url = "https://github.com/proxy-wasm/proxy-wasm-cpp-sdk/archive/" + PROXY_WASM_CPP_SDK_SHA + ".tar.gz",
+    url = "https://github.com/higress-group/proxy-wasm-cpp-sdk/archive/" + PROXY_WASM_CPP_SDK_SHA + ".tar.gz",
 )

-load("@proxy_wasm_cpp_sdk//bazel/dep:deps.bzl", "wasm_dependencies")
+load("@proxy_wasm_cpp_sdk//bazel:repositories.bzl", "proxy_wasm_cpp_sdk_repositories")

-wasm_dependencies()
+proxy_wasm_cpp_sdk_repositories()

-load("@proxy_wasm_cpp_sdk//bazel/dep:deps_extra.bzl", "wasm_dependencies_extra")
+load("@proxy_wasm_cpp_sdk//bazel:dependencies.bzl", "proxy_wasm_cpp_sdk_dependencies")

-wasm_dependencies_extra()
+proxy_wasm_cpp_sdk_dependencies()
+
+load("@proxy_wasm_cpp_sdk//bazel:dependencies_extra.bzl", "proxy_wasm_cpp_sdk_dependencies_extra")
+
+proxy_wasm_cpp_sdk_dependencies_extra()

 load("@istio_ecosystem_wasm_extensions//bazel:wasm.bzl", "wasm_libraries")

--- a/plugins/wasm-cpp/bazel/absl.patch
+++ b/plugins/wasm-cpp/bazel/absl.patch
@@ -2,16 +2,16 @@ diff --git a/absl/time/internal/cctz/src/time_zone_format.cc b/absl/time/interna
 index d8cb047..0c5f182 100644
 --- a/absl/time/internal/cctz/src/time_zone_format.cc
 +++ b/absl/time/internal/cctz/src/time_zone_format.cc
-@@ -18,6 +18,8 @@
- #endif
- #endif
+@@ -12,6 +12,8 @@
+ //   See the License for the specific language governing permissions and
+ //   limitations under the License.
 
 +#define HAS_STRPTIME 0
 +
- #if defined(HAS_STRPTIME) && HAS_STRPTIME
- #if !defined(_XOPEN_SOURCE)
- #define _XOPEN_SOURCE  // Definedness suffices for strptime.
-@@ -58,7 +60,7 @@ namespace {
+ #if !defined(HAS_STRPTIME)
+ #if !defined(_MSC_VER) && !defined(__MINGW32__)
+ #define HAS_STRPTIME 1  // assume everyone has strptime() except windows
+@@ -58,7 +60,7 @@
 
 #if !HAS_STRPTIME
 // Build a strptime() using C++11's std::get_time().
@@ -20,7 +20,7 @@ index d8cb047..0c5f182 100644
   std::istringstream input(s);
   input >> std::get_time(tm, fmt);
   if (input.fail()) return nullptr;
-@@ -648,7 +650,7 @@ const char* ParseSubSeconds(const char* dp, detail::femtoseconds* subseconds) {
+@@ -648,7 +650,7 @@
 // Parses a string into a std::tm using strptime(3).
 const char* ParseTM(const char* dp, const char* fmt, std::tm* tm) {
   if (dp != nullptr) {
--- a/plugins/wasm-cpp/bazel/wasm.bzl
+++ b/plugins/wasm-cpp/bazel/wasm.bzl
@@ -9,9 +9,9 @@ load(
 def wasm_libraries():
    http_archive(
        name = "com_google_absl",
-        sha256 = "ec8ef47335310cc3382bdc0d0cc1097a001e67dc83fcba807845aa5696e7e1e4",
-        strip_prefix = "abseil-cpp-302b250e1d917ede77b5ff00a6fd9f28430f1563",
-        url = "https://github.com/abseil/abseil-cpp/archive/302b250e1d917ede77b5ff00a6fd9f28430f1563.tar.gz",
+        sha256 = "3a0bb3d2e6f53352526a8d1a7e7b5749c68cd07f2401766a404fb00d2853fa49",
+        strip_prefix = "abseil-cpp-4bbdb026899fea9f882a95cbd7d6a4adaf49b2dd",
+        url = "https://github.com/abseil/abseil-cpp/archive/4bbdb026899fea9f882a95cbd7d6a4adaf49b2dd.tar.gz",
        patch_args = ["-p1"],
        patches = ["//bazel:absl.patch"],
    )
@@ -33,14 +33,14 @@ def wasm_libraries():
        urls = ["https://github.com/google/googletest/archive/release-1.10.0.tar.gz"],
    )

-    PROXY_WASM_CPP_HOST_SHA = "f38347360feaaf5b2a733f219c4d8c9660d626f0"
-    PROXY_WASM_CPP_HOST_SHA256 = "bf10de946eb5785813895c2bf16504afc0cd590b9655d9ee52fb1074d0825ea3"
+    PROXY_WASM_CPP_HOST_SHA = "ecf42a27fcf78f42e64037d4eff1a0ca5a61e403"
+    PROXY_WASM_CPP_HOST_SHA256 = "9748156731e9521837686923321bf12725c32c9fa8355218209831cc3ee87080"

    http_archive(
        name = "proxy_wasm_cpp_host",
        sha256 = PROXY_WASM_CPP_HOST_SHA256,
        strip_prefix = "proxy-wasm-cpp-host-" + PROXY_WASM_CPP_HOST_SHA,
-        url = "https://github.com/proxy-wasm/proxy-wasm-cpp-host/archive/" + PROXY_WASM_CPP_HOST_SHA +".tar.gz",
+        url = "https://github.com/higress-group/proxy-wasm-cpp-host/archive/" + PROXY_WASM_CPP_HOST_SHA +".tar.gz",
    )

    http_archive(
--- a/plugins/wasm-cpp/common/http_util.cc
+++ b/plugins/wasm-cpp/common/http_util.cc
@@ -19,7 +19,6 @@
 #include "absl/strings/str_cat.h"
 #include "absl/strings/str_format.h"
 #include "absl/strings/str_split.h"
-
 #include "common/common_util.h"

 namespace Wasm::Common::Http {
@@ -190,7 +189,8 @@ std::vector<std::string> getAllOfHeader(std::string_view key) {
  std::vector<std::string> result;
  auto headers = getRequestHeaderPairs()->pairs();
  for (auto& header : headers) {
-    if (absl::EqualsIgnoreCase(Wasm::Common::stdToAbsl(header.first), Wasm::Common::stdToAbsl(key))) {
+    if (absl::EqualsIgnoreCase(Wasm::Common::stdToAbsl(header.first),
+                               Wasm::Common::stdToAbsl(key))) {
      result.push_back(std::string(header.second));
    }
  }
@@ -225,7 +225,8 @@ void forEachCookie(
        v = v.substr(1, v.size() - 2);
      }

-      if (!cookie_consumer(Wasm::Common::abslToStd(k), Wasm::Common::abslToStd(v))) {
+      if (!cookie_consumer(Wasm::Common::abslToStd(k),
+                           Wasm::Common::abslToStd(v))) {
        return;
      }
    }
@@ -265,7 +266,63 @@ std::string buildOriginalUri(std::optional<uint32_t> max_path_length) {
  auto scheme = scheme_ptr->view();
  auto host_ptr = getRequestHeader(Header::Host);
  auto host = host_ptr->view();
-  return absl::StrCat(Wasm::Common::stdToAbsl(scheme), "://", Wasm::Common::stdToAbsl(host),  Wasm::Common::stdToAbsl(final_path));
+  return absl::StrCat(Wasm::Common::stdToAbsl(scheme), "://",
+                      Wasm::Common::stdToAbsl(host),
+                      Wasm::Common::stdToAbsl(final_path));
+}
+
+void extractHostPathFromUri(const absl::string_view& uri,
+                            absl::string_view& host, absl::string_view& path) {
+  /**
+   *  URI RFC: https://www.ietf.org/rfc/rfc2396.txt
+   *
+   *  Example:
+   *  uri  = "https://example.com:8443/certs"
+   *  pos:         ^
+   *  host_pos:       ^
+   *  path_pos:                       ^
+   *  host = "example.com:8443"
+   *  path = "/certs"
+   */
+  const auto pos = uri.find("://");
+  // Start position of the host
+  const auto host_pos = (pos == std::string::npos) ? 0 : pos + 3;
+  // Start position of the path
+  const auto path_pos = uri.find('/', host_pos);
+  if (path_pos == std::string::npos) {
+    // If uri doesn't have "/", the whole string is treated as host.
+    host = uri.substr(host_pos);
+    path = "/";
+  } else {
+    host = uri.substr(host_pos, path_pos - host_pos);
+    path = uri.substr(path_pos);
+  }
+}
+
+void extractPathWithoutArgsFromUri(const std::string_view& uri,
+                                   std::string_view& path_without_args) {
+  auto params_pos = uri.find('?');
+  size_t uri_end;
+  if (params_pos == std::string::npos) {
+    uri_end = uri.size();
+  } else {
+    uri_end = params_pos;
+  }
+  path_without_args = uri.substr(0, uri_end);
+}
+
+bool hasRequestBody() {
+  auto contentType = getRequestHeader("content-type")->toString();
+  auto contentLengthStr = getRequestHeader("content-length")->toString();
+  auto transferEncoding = getRequestHeader("transfer-encoding")->toString();
+
+  if (!contentType.empty()) {
+    return true;
+  }
+  if (!contentLengthStr.empty()) {
+    return true;
+  }
+  return transferEncoding.find("chunked") != std::string::npos;
 }

 }  // namespace Wasm::Common::Http
--- a/Show More
+++ b/Show More